chore: reorganize dedupe code #14641
Merged
DryRunSecurity / Cross-Site Scripting Analyzer
succeeded
Apr 14, 2026 in 25s
DryRun Security
Details
Cross-Site Scripting Analyzer Findings: 2 detected
⚠️ Potential Cross-Site Scripting: dojo/tools/anchore_grype/parser.py

| Field | Value |
|---|---|
| Type | Potential Cross-Site Scripting |
| Description | The code builds markdown-like strings by directly interpolating variables (vuln_datasource, vuln_urls, rel_datasource, rel_urls) into finding_references without any escaping or sanitization. If any of these values can contain attacker-controlled input and are later rendered into an HTML context without escaping (or rendered as raw HTML), this allows injection of malicious markup/JS (XSS). |
| Filename | dojo/tools/anchore_grype/parser.py |
| CodeLink | django-DefectDojo/dojo/tools/anchore_grype/parser.py Lines 144 to 147 in 1b18585 |
⚠️ Potential Cross-Site Scripting: dojo/tools/cargo_audit/parser.py

| Field | Value |
|---|---|
| Type | Potential Cross-Site Scripting |
| Description | The patch builds Markdown/HTML-like strings by interpolating advisory fields (description, categories, affected function names/versions, references) directly into formatted text without any escaping or sanitization. If those advisory fields can contain attacker-controlled input and are later rendered into HTML with auto-escaping disabled (or converted from Markdown to HTML without sanitization), this can lead to XSS. |
| Filename | dojo/tools/cargo_audit/parser.py |
| CodeLink | django-DefectDojo/dojo/tools/cargo_audit/parser.py Lines 83 to 86 in 1b18585 |