
fix(ruff): Fix RUF039 for v0.8.0 #11326

Open

kiblik wants to merge 1 commit into base: dev

Conversation

@kiblik (Contributor) commented Nov 25, 2024

Fix #11311


DryRun Security Summary

The pull request focuses on improving the reliability and security of various security scanning and reporting tools integrated with the DefectDojo application, primarily by updating regular expressions used to extract and parse security-related information, enhancing password validation rules, and implementing comprehensive automated tests to ensure the reliability and security of the scan import functionality.


Summary:

The code changes in this pull request focus on improving the reliability and security of various security scanning and reporting tools integrated with the DefectDojo application. The changes primarily involve updates to the regular expressions used to extract and parse important security-related information, such as CWE (Common Weakness Enumeration) and CVE (Common Vulnerabilities and Exposures) identifiers.

The key security-related improvements include:

  1. Enhancing the robustness of regular expressions to prevent potential issues like regular expression denial of service (ReDoS) attacks and ensure more accurate extraction of security-relevant data.
  2. Improving the handling and normalization of vulnerability identifiers (VIDs) from different sources, such as CVE, KHV, KSV, and KCV.
  3. Updating the password validation rules to enforce stronger password requirements and prevent the use of commonly used passwords.
  4. Implementing comprehensive automated tests to ensure the reliability and security of the scan import functionality in the DefectDojo application.

Overall, these changes demonstrate a strong focus on improving the security and robustness of the DefectDojo platform, which is an important component in the application security ecosystem.

Files Changed:

  1. dojo/tools/burp_enterprise/parser.py: The regular expression used to search for CWE identifiers has been updated to use a more robust pattern, reducing the risk of regular expression denial of service (ReDoS) attacks.
  2. dojo/tools/appcheck_web_application_scanner/engines/base.py: The regular expression used to detect CVE identifiers has been updated to use the fullmatch() method instead of match(), ensuring more accurate CVE extraction.
  3. dojo/management/commands/rename_mend_findings.py: The script for renaming Mend findings includes improvements to the handling of CVE and CWE information, as well as better logging and error handling.
  4. dojo/tools/burp_graphql/parser.py: The get_cwe function has been updated to use a more robust regular expression pattern for extracting CWE identifiers.
  5. dojo/tools/qualys_webapp/parser.py: The regular expression used to extract the CWE number has been updated to use a raw string literal, improving its robustness.
  6. dojo/tools/nexpose/parser.py: The regular expression used to sanitize the service name in the tags field has been updated to use a raw string literal.
  7. dojo/tools/microfocus_webinspect/parser.py: The regular expression used to extract the CWE number from the classification identifier has been improved.
  8. dojo/tools/npm_audit/parser.py: The censor_path_hashes() function has been updated to use a more robust regular expression pattern to match and replace the 64-character hexadecimal hashes in the file paths.
  9. dojo/tools/sarif/parser.py: The regular expression used to match CVE identifiers has been updated to use a raw string literal.
  10. dojo/tools/sonarqube/soprasteria_helper.py: The regular expression used to extract the CWE identifier has been updated to use a raw string literal.
  11. dojo/tools/veracode/xml_parser.py: The regular expression used to extract the CWE identifier has been improved.
  12. dojo/tools/trivy_operator/uniform_vulnid.py: The code includes updates to the regular expressions used to normalize the format of vulnerability IDs.
  13. dojo/tools/wapiti/parser.py: The regular expression used to extract the CWE identifier has been updated to use a raw string literal.
  14. requirements-lint.txt: The version of the ruff linting tool has been updated to a newer version.
  15. dojo/user/validators.py: The password validation rules have been updated, including the use of raw string literals for regular expressions and the implementation of the DojoCommonPasswordValidator class.
  16. tests/Import_scanner_test.py: The test suite for the "Import Scan Results" functionality has been updated to improve the reliability and robustness of the scan import process.

Code Analysis

We ran 9 analyzers against 16 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

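The two mechanical changes the summary keeps returning to (raw string literals for regex patterns, which is what the ruff rule RUF039 in the PR title is about, and fullmatch() instead of match() for CVE identifiers) both fail silently when done wrong: a non-raw pattern can contain a backspace where the author meant a word boundary, and match() happily accepts a CVE id with junk appended. The Python below is an added illustration written for this page, not code from the DefectDojo pull request; the patterns, function names and sample strings are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed patterns for illustration only; DefectDojo's parsers define their own.
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
CWE_ID = re.compile(r"CWE-(\d+)")


def is_cve_id(value: str) -> bool:
    """True only when the entire string is exactly one CVE id (fullmatch)."""
    return CVE_ID.fullmatch(value) is not None


def starts_with_cve_id(value: str) -> bool:
    """match() anchors only at the start, so trailing junk still 'matches'.

    This is the behaviour the summary describes replacing with fullmatch():
    a value like 'CVE-2024-12345-extra' would otherwise be accepted as a CVE.
    """
    return CVE_ID.match(value) is not None


def extract_cwe(text: str) -> Optional[int]:
    """Return the first CWE number found in free text, or None if absent."""
    m = CWE_ID.search(text)
    return int(m.group(1)) if m else None


def word_boundary_demo(text: str = "Classification: CWE-79 (XSS)") -> Tuple[bool, bool]:
    """Compare an un-raw and a raw pattern that look identical in source.

    Returns (unraw_matches, raw_matches) for the constructed sample text.
    """
    # In a normal string literal "\b" is the backspace character (0x08), so this
    # pattern asks the regex engine for literal backspaces around CWE-79 and
    # never matches ordinary report text.
    unraw = "\bCWE-79\b"          # equivalent to "\x08CWE-79\x08"
    # In a raw literal the regex engine receives the two characters '\' 'b',
    # i.e. the word-boundary assertion the author intended.
    raw = r"\bCWE-79\b"
    return (
        re.search(unraw, text) is not None,
        re.search(raw, text) is not None,
    )


if __name__ == "__main__":
    print(is_cve_id("CVE-2024-12345"), is_cve_id("CVE-2024-12345-extra"))
    print(starts_with_cve_id("CVE-2024-12345-extra"))
    print(extract_cwe("Classification: CWE-79 (XSS)"))
    print(word_boundary_demo())
```

The word-boundary case is the one worth remembering: `"\d"` in a non-raw string merely triggers an invalid-escape warning on recent Python versions and still reaches the regex engine intact, whereas `"\b"`, `"\n"`, `"\t"` and `"\\"` are valid string escapes and are transformed before the regex engine ever sees them, so the pattern compiles without error and simply matches the wrong thing.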

@mtesauro (Contributor) left a comment


Approved
