
feat(parser: generic): Allow epss_* parameters #11293

Open
wants to merge 1 commit into
base: bugfix

Conversation

@kiblik kiblik commented Nov 19, 2024

When users use "Generic Findings Import", it does not allow them to set epss_score and epss_percentile. This is only for historical reasons (the limitation of allowed fields was implemented before epss_* was added to Findings).

Context: https://owasp.slack.com/archives/C2P5BA8MN/p1732001998945879


DryRun Security Summary

The provided code change adds two new fields, "epss_score" and "epss_percentile", to the list of allowed fields in the _get_test_json method of the GenericJSONParser class, which requires proper input validation and sanitization to maintain a secure and robust parsing mechanism for the imported data.


Summary:

The provided code change adds two new fields, "epss_score" and "epss_percentile", to the list of allowed fields in the _get_test_json method of the GenericJSONParser class. From an application security perspective, the addition of these new fields is not inherently concerning, as they are likely related to the EPSS (Exploitability Prediction Score System) metric, which can provide valuable information about the security vulnerabilities being imported.

However, it's crucial to ensure that the parser properly validates and sanitizes the input data for these new fields to prevent potential security issues, such as injection attacks or other types of data manipulation. Additionally, the parser should ensure that the values of these fields are within expected ranges and do not contain any malicious content. By implementing proper input validation and sanitization, the application can maintain a secure and robust parsing mechanism for the imported data.

Files Changed:

  • dojo/tools/generic/json_parser.py: The code change adds the "epss_score" and "epss_percentile" fields to the list of allowed fields in the _get_test_json method of the GenericJSONParser class. This change is likely to provide more detailed information about the security vulnerabilities being imported, but it's important to ensure that the parser properly validates and sanitizes the input data for these new fields to prevent potential security issues.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

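The bot's note about range checks is the one thing a reviewer would actually want to see exercised: EPSS scores and percentiles are fractions in [0, 1], and a parser that merely allow-lists the two new keys will happily store 97 or "high" if the import file says so. The following is an added example, not DefectDojo's GenericJSONParser or its _get_test_json method; the allow-list ALLOWED_FINDING_FIELDS, the function names, and the sample JSON documents are all constructed for illustration. It shows a generic-findings import that keeps only allow-listed fields, passes epss_score and epss_percentile through, and rejects values that are not numbers in range.

```python
import json

# Hypothetical allow-list modelled on the idea behind the PR: only fields named
# here are copied from the imported JSON onto a finding. These names are
# illustrative, not DefectDojo's actual list.
ALLOWED_FINDING_FIELDS = frozenset({
    "title", "description", "severity",
    "epss_score", "epss_percentile",
})

# EPSS score and percentile are both fractions in the closed interval [0, 1].
EPSS_FIELDS = ("epss_score", "epss_percentile")


def validate_epss(value, field):
    """Return value as a float if it is a real number in [0, 1]; raise ValueError otherwise.

    bool is excluded explicitly because it is a subclass of int in Python and
    json.loads would otherwise let true/false sneak through as 1.0/0.0.
    """
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"{field} must be a number, got {type(value).__name__}")
    value = float(value)
    if value != value or not 0.0 <= value <= 1.0:  # NaN compares unequal to itself
        raise ValueError(f"{field} must be within [0, 1], got {value!r}")
    return value


def parse_findings(raw_json):
    """Parse a generic-findings document (constructed format, not DefectDojo's).

    Keeps only allow-listed keys per finding and validates any EPSS values.
    Returns (findings, dropped) where dropped maps finding index to the
    sorted list of keys that were ignored, so an import can report them.
    """
    doc = json.loads(raw_json)
    findings, dropped = [], {}
    for i, item in enumerate(doc.get("findings", [])):
        kept = {k: v for k, v in item.items() if k in ALLOWED_FINDING_FIELDS}
        ignored = sorted(k for k in item if k not in ALLOWED_FINDING_FIELDS)
        if ignored:
            dropped[i] = ignored
        # A null EPSS value is allowed (unknown score); anything else is checked.
        for field in EPSS_FIELDS:
            if field in kept and kept[field] is not None:
                kept[field] = validate_epss(kept[field], field)
        findings.append(kept)
    return findings, dropped


# Constructed sample input (not a real scanner export).
SAMPLE = json.dumps({
    "findings": [
        {"title": "Outdated library", "severity": "High",
         "epss_score": 0.97, "epss_percentile": 0.999, "internal_note": "x"},
        {"title": "Verbose error page", "severity": "Low", "epss_score": None},
    ]
})

# Constructed malformed input: a percentage where a fraction is expected.
BAD_SAMPLE = json.dumps({"findings": [{"title": "t", "epss_score": 97}]})

if __name__ == "__main__":
    findings, dropped = parse_findings(SAMPLE)
    print(findings, dropped)
    try:
        parse_findings(BAD_SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```

The validation lives in a separate function so the same check can be reused by any other importer that learns about EPSS later, and the dropped-keys map gives the user feedback instead of silently discarding fields, which is exactly the failure mode the PR description complains about.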

@kiblik kiblik marked this pull request as ready for review November 20, 2024 09:29