Merge pull request #10125 from DefectDojo/bugfix

Merge Bugfix into Dev for 2.34.0
DefectDojo · May 6, 2024 · 576f053 · 576f053
2 parents e420d02 + 3cf8ce7
commit 576f053
Show file tree

Hide file tree

Showing 11 changed files with 1,175 additions and 16 deletions.
diff --git a/docs/content/en/integrations/social-authentication.md b/docs/content/en/integrations/social-authentication.md
@@ -15,7 +15,7 @@ leverage Auth0 to authenticate users on DefectDojo.
 2.  On the new application set the following fields:
     -   Name: "Defectdojo"
     -   Allowed Callback URLs:
-        [https://the_hostname_you_have_dojo_deployed:your_server_port/complete/auth0/](https://the_hostname_you_have_dojo_deployed:your_server_port/complete/auth0/)
+        **https://the_hostname_you_have_dojo_deployed:your_server_port/complete/auth0/**
 3.  Copy the following info from the application:
     -   Domain
     -   Client ID
@@ -175,7 +175,7 @@ user, such as 'superuser'.
 
     -   <http://localhost:8080/complete/azuread-tenant-oauth2/>
     -   **OR**
-    -   [https://the_hostname_you_have_dojo_deployed:your_server_port/complete/azuread-tenant-oauth2/](https://the_hostname_you_have_dojo_deployed:your_server_port/complete/azuread-tenant-oauth2/)
+    -   **https://the_hostname_you_have_dojo_deployed:your_server_port/complete/azuread-tenant-oauth2/**
 
 4.  Edit the settings (see [Configuration]({{< ref "/getting_started/configuration" >}})) with the following
     information:
@@ -236,13 +236,13 @@ Follow along below.
 
     -   <https://gitlab.com/profile/applications>
     -   **OR**
-    -   [https://the_hostname_you_have_gitlab_deployed:your_gitlab_port/profile/applications](https://the_hostname_you_have_gitlab_deployed:your_gitlab_port/profile/applications)
+    -   **https://the_hostname_you_have_gitlab_deployed:your_gitlab_port/profile/applications**
 
 2. Choose a name for your application
 3. For the Redirect URI, enter the DefectDojo URL with the following
     format
 
-    -   [https://the_hostname_you_have_dojo_deployed:your_server_port/complete/gitlab/](https://the_hostname_you_have_dojo_deployed:your_server_port/complete/gitlab/)
+    -   **https://the_hostname_you_have_dojo_deployed:your_server_port/complete/gitlab/**
 
 4. Edit the settings (see [Configuration]({{< ref "/getting_started/configuration" >}})) with the following
     information:
@@ -331,7 +331,7 @@ Optionally, you *can* set `DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT` in order t
 2. Choose a name for your application
 3. For the Redirect URI, enter the DefectDojo URL with the following
     format
-    -   [https://the_hostname_you_have_dojo_deployed:your_server_port/complete/github-enterprise/](https://the_hostname_you_have_dojo_deployed:your_server_port/complete/github-enterprise/)
+    -   **https://the_hostname_you_have_dojo_deployed:your_server_port/complete/github-enterprise/**
 4. Edit the settings (see [Configuration]({{< ref "/getting_started/configuration" >}})) with the following
     information:
     {{< highlight python >}}  

diff --git a/dojo/tools/awssecurityhub/compliance.py b/dojo/tools/awssecurityhub/compliance.py
@@ -8,13 +8,24 @@ def get_item(self, finding: dict, test):
         finding_id = finding.get("Id", "")
         title = finding.get("Title", "")
         severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL").title()
+        resource_arns = []
+        for resource in finding.get("Resources", []):
+            if arn := resource.get("Id"):
+                resource_arns.append(arn)
         mitigation = ""
         impact = []
         references = []
         unsaved_vulnerability_ids = []
         epss_score = None
         mitigation = finding.get("Remediation", {}).get("Recommendation", {}).get("Text", "")
-        description = "This is a Security Hub Finding \n" + finding.get("Description", "")
+        mitigation += "\n" + finding.get("Remediation", {}).get("Recommendation", {}).get("Url", "")
+        description = "This is a Security Hub Finding \n" + finding.get("Description", "") + "\n"
+        description += f"**AWS Finding ARN:** {finding_id}\n"
+        description += f"**Resource IDs:** {', '.join(set(resource_arns))}\n"
+        description += f"**AwsAccountId:** {finding.get('AwsAccountId', '')}\n"
+        if finding.get('Region'):
+            description += f"**Region:** {finding.get('Region', '')}\n"
+        description += f"**Generator ID:** {finding.get('GeneratorId', '')}\n"
         if finding.get("Compliance", {}).get("Status", "PASSED") == "PASSED":
             is_Mitigated = True
             active = False

diff --git a/dojo/tools/awssecurityhub/guardduty.py b/dojo/tools/awssecurityhub/guardduty.py
@@ -16,7 +16,7 @@ def get_item(self, finding: dict, test):
         mitigations = finding.get("FindingProviderFields", {}).get("Types")
         for mitigate in mitigations:
             mitigation += mitigate + "\n"
-        mitigation += "https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html"
+        mitigation += "[https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html)"
         active = True
         if finding.get("RecordState") == "ACTIVE":
             is_Mitigated = False
@@ -30,10 +30,14 @@ def get_item(self, finding: dict, test):
                     mitigated = datetime.strptime(finding.get("LastObservedAt"), "%Y-%m-%dT%H:%M:%fZ")
             else:
                 mitigated = datetime.utcnow()
-        description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}"
-        description += f"SourceURL: {finding.get('SourceUrl', '')}\n"
-        description += f"AwsAccountId: {finding.get('AwsAccountId', '')}\n"
-        description += f"Region: {finding.get('Region', '')}\n"
+        description = f"This is a GuardDuty Finding\n{finding.get('Description', '')}" + "\n"
+        description += f"**AWS Finding ARN:** {finding_id}\n"
+        if finding.get('SourceUrl'):
+            sourceurl = "[" + finding.get('SourceUrl') + "](" + finding.get('SourceUrl') + ")"
+            description += f"**SourceURL:** {sourceurl}\n"
+        description += f"**AwsAccountId:** {finding.get('AwsAccountId', '')}\n"
+        description += f"**Region:** {finding.get('Region', '')}\n"
+        description += f"**Generator ID:** {finding.get('GeneratorId', '')}\n"
         title_suffix = ""
         hosts = []
         for resource in finding.get("Resources", []):

diff --git a/dojo/tools/awssecurityhub/inspector.py b/dojo/tools/awssecurityhub/inspector.py
@@ -13,7 +13,10 @@ def get_item(self, finding: dict, test):
         references = []
         unsaved_vulnerability_ids = []
         epss_score = None
-        description = f"This is an Inspector Finding\n{finding.get('Description', '')}"
+        description = f"This is an Inspector Finding\n{finding.get('Description', '')}" + "\n"
+        description += f"**AWS Finding ARN:** {finding_id}\n"
+        description += f"**AwsAccountId:** {finding.get('AwsAccountId', '')}\n"
+        description += f"**Region:** {finding.get('Region', '')}\n"
         vulnerabilities = finding.get("Vulnerabilities", [])
         for vulnerability in vulnerabilities:
             # Save the CVE if it is present

diff --git a/dojo/tools/hcl_appscan/parser.py b/dojo/tools/hcl_appscan/parser.py
@@ -16,7 +16,9 @@ def get_description_for_scan_types(self, scan_type):
         return "Import XML output of HCL AppScan."
 
     def xmltreehelper(self, input):
-        if "\n" in input.text:
+        if input.text is None:
+            output = None
+        elif "\n" in input.text:
             output = ""
             for i in input:
                 output = output + " " + i.text
@@ -40,7 +42,10 @@ def get_findings(self, file, test):
                     match item.tag:
                         case 'severity':
                             output = self.xmltreehelper(item)
-                            severity = output.strip(" ").capitalize()
+                            if output is None:
+                                severity = "Info"
+                            else:
+                                severity = output.strip(" ").capitalize()
                         case 'cwe':
                             cwe = int(self.xmltreehelper(item))
                         case 'remediation':

diff --git a/dojo/tools/redhatsatellite/parser.py b/dojo/tools/redhatsatellite/parser.py
@@ -63,13 +63,13 @@ def get_findings(self, filename, test):
             description += "**installable:** " + str(installable) + "\n"
             description += "**bugs:** " + str(bugs) + "\n"
             description += "**module_streams:** " + str(module_streams) + "\n"
+            description += "**packages:** " + ', '.join(packages)
             find = Finding(
                 title=title,
                 test=test,
                 description=description,
                 severity=self.severity_mapping(input=severity),
                 mitigation=solution,
-                component_name=packages,
                 dynamic_finding=True,
             )
             if errata_id is not None: