
Invalid hash code generation for findings / get_vulnerability_ids() returns empty string #11620

Open
1 of 3 tasks
wmfabsch opened this issue Jan 23, 2025 · 1 comment
@wmfabsch

Bug description
The method get_vulnerability_ids() in "Finding" (dojo/models.py) returns an empty string if certain conditions are met.
If both self.id is None and self.unsaved_vulnerability_ids != True are met, then get_vulnerability_ids() only prints "finding has no unsaved vulnerability references" and afterwards returns an empty string.
This leads to invalid hash code calculations, which messes with the deduplication in my use case.
We create findings via the API within tests of type Dependency Track Finding Packaging Format (FPF) Export. For those the fields component_name, component_version and vulnerability_ids are used for the hash code generation. As vulnerability_ids is an empty string, the deduplication that uses the hash codes does not work properly.

Steps to reproduce

  1. Create product and engagement
  2. Create test ("Dependency Track Finding Packaging Format (FPF) Export")
  3. Import finding via the API (POST /api/v2/findings)
curl -X 'POST' \
  'https://defectdojoinstance.domain/api/v2/findings/' \
  -H 'accept: application/json' \
  -H 'Authorization: Token XXX' \
  -H 'Content-Type: application/json' \
  -H 'X-CSRFTOKEN: XXX' \
  -d '{
    "test": XXX,
    "found_by": [
      1
    ],
    "vulnerability_ids": [
      {
        "vulnerability_id": "CVE-2021-31226"
      }
    ],
    "title": "Finding title",
    "description": "Description",
    "references": "",
    "severity": "High",
    "numerical_severity": "S4",
    "impact": "",
    "service": "",
    "file_path": "unknown",
    "component_name": "Component",
    "component_version": "4.0.0",
    "active": true,
    "verified": false,
    "static_finding": true,
    "dynamic_finding": false,
    "tags": [],
    "cwe": 787,
    "cvssv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:A",
    "cvssv3_score": "8.8"
}'
  4. Verify behaviour in logs or observe that other findings with the same component_name and component_version receive the same hash_code.

Expected behavior
I expect that this method returns the vulnerability_ids in all cases and thus hash_codes are properly generated.

Deployment method (select with an X)

  • Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • Operating System: Debian 12
  • DefectDojo version (see footer) or commit message: 2.39.0-debian (has not been fixed yet in the master branch)

Logs

[pid: 27|app: -|req: -/-] 10.0.2.2 (-) {64 vars in 1251 bytes} [Thu Jan 23 09:24:22 2025] POST /api/v2/findings/ => generated 144 bytes in 30 msecs (HTTP/1.0 400) 8 headers in 255 bytes (1 switches on core 1)
[...]
[23/Jan/2025 09:24:46] DEBUG [dojo.api_v2.serializers:215] data as json: []
[23/Jan/2025 09:24:46] DEBUG [titlecase:201] Finding Title
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:2145] using HASHCODE_FIELDS_PER_SCANNER for test_type.name: Dependency Track Finding Packaging Format (FPF) Export
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:2153] HASHCODE_FIELDS_PER_SCANNER is: ['component_name', 'component_version', 'vulnerability_ids']
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:2780] computing hash_code for finding id None based on: component_name, component_version, vulnerability_ids
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:2797] component_name : Component
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:2797] component_version : 4.0.0
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:2817] finding has no unsaved vulnerability references
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:2793] vulnerability_ids : 
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:2798] compute_hash_code - fields_to_hash = Component4.0.0
[23/Jan/2025 09:24:46] DEBUG [dojo.models:2863] fields_to_hash      : Component4.0.0
[23/Jan/2025 09:24:46] DEBUG [dojo.models:2864] fields_to_hash lower: component4.0.0
[23/Jan/2025 09:24:46] DEBUG [dojo.specific-loggers.deduplication:3339] Hash_code computed for finding: 98e6cea0653d566203f6721ec20581ae20a82cd1606e35ba4ac879e53129f7cd
@wmfabsch wmfabsch added the bug label Jan 23, 2025
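To show why findings that differ only by CVE collide, here is an added Python sketch (not DefectDojo's code) modelling the get_vulnerability_ids() branch described in the report and the hash_code computation the logs show; the Finding class, finding_from_api_payload() and hashes_collide() are constructed for this illustration.

```python
import hashlib

# Field order logged for the FPF Export test type in the report.
HASHCODE_FIELDS = ["component_name", "component_version", "vulnerability_ids"]


class Finding:
    """Toy stand-in for dojo.models.Finding; only the hash path is modelled."""

    def __init__(self, component_name, component_version):
        self.id = None  # API-created findings are hashed before they are saved
        self.component_name = component_name
        self.component_version = component_version
        self.unsaved_vulnerability_ids = None

    def get_vulnerability_ids(self):
        # Branch from the report: unsaved finding with no unsaved ids yields "",
        # which is exactly what the "vulnerability_ids : " log line shows.
        if self.id is None:
            if self.unsaved_vulnerability_ids:
                return ",".join(self.unsaved_vulnerability_ids)
            return ""
        raise NotImplementedError("saved findings read ids from the DB; not modelled")

    def fields_to_hash(self):
        return "".join(
            self.get_vulnerability_ids() if name == "vulnerability_ids" else str(getattr(self, name))
            for name in HASHCODE_FIELDS
        )

    def compute_hash_code(self):
        # Lower-cased before hashing, as the "fields_to_hash lower" log line shows.
        return hashlib.sha256(self.fields_to_hash().lower().encode("utf-8")).hexdigest()


def finding_from_api_payload(payload, set_unsaved_ids):
    """Hypothetical serializer step. set_unsaved_ids=False reproduces the report:
    ids present in the POST body never reach unsaved_vulnerability_ids."""
    f = Finding(payload["component_name"], payload["component_version"])
    if set_unsaved_ids:
        f.unsaved_vulnerability_ids = [v["vulnerability_id"] for v in payload["vulnerability_ids"]]
    return f


def hashes_collide(set_unsaved_ids):
    """True when two findings that differ only by CVE get the same hash_code."""
    base = {"component_name": "Component", "component_version": "4.0.0"}
    a = finding_from_api_payload({**base, "vulnerability_ids": [{"vulnerability_id": "CVE-2021-31226"}]}, set_unsaved_ids)
    # Second id is a constructed placeholder, not a real CVE.
    b = finding_from_api_payload({**base, "vulnerability_ids": [{"vulnerability_id": "CVE-0000-0000"}]}, set_unsaved_ids)
    return a.compute_hash_code() == b.compute_hash_code()
```

With set_unsaved_ids=False the hashed string is just "Component4.0.0", matching the fields_to_hash log line above, so every finding for that component version deduplicates against the others regardless of CVE.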
@valentijnscholten
Member

It does indeed look like, when creating findings manually via the API, unsaved_vulnerability_ids is not set.
