
appcheck-severity-determination-fix Use v4, v3, v2 cvss vectors for severity #10918

Merged

Conversation

dogboat
Contributor

@dogboat dogboat commented Sep 16, 2024

Description

This patch updates the AppCheck web scanner parser to set severity by checking the various CVSS vectors (possibly) supplied by the tool. In order, it tests the cvss_v4_vector, cvss_v3_vector, and then cvss_vector to determine what the "correct" severity is.

Test results

Tests updated to reflect this change.

…etermining severity in that order; update some type hints

dryrunsecurity bot commented Sep 16, 2024

DryRun Security Summary


Summary:

The provided code changes focus on improving the handling of data from the AppCheck web application scanner, with a particular emphasis on enhancing the accuracy and reliability of CVSS (Common Vulnerability Scoring System) data processing. The changes include updates to the appcheck.py file, the test_appcheck_web_application_scanner_parser.py file, and the base.py file.

The key improvements include:

  1. Expanding the parse_details method to handle a wider range of data types in the value parameter, which improves the flexibility and robustness of the parser.
  2. Enhancing the CVSS score to severity mapping, CVSS vector parsing, and severity determination logic to ensure accurate assessment of vulnerability severity.
  3. Improving the parsing and setting of endpoints associated with findings, providing more comprehensive vulnerability data.
  4. Centralizing the processing of complete finding items in the process_whole_item method.

These changes enhance the application security capabilities of the AppCheck Web Application Scanner parser by improving its ability to accurately process and interpret CVSS data, which is a crucial component of vulnerability assessment and management. Additionally, the improvements to endpoint parsing and overall finding processing contribute to the overall reliability and usefulness of the tool.

Files Changed:

  1. dojo/tools/appcheck_web_application_scanner/engines/appcheck.py: This file has been updated to improve the handling of request and response data extracted from the AppCheck scanner, enhancing the tool's ability to provide insights into identified vulnerabilities.
  2. unittests/tools/test_appcheck_web_application_scanner_parser.py: The changes in this file focus on improving the parsing of CVSS vectors and the mapping of CVSS scores to severity levels, ensuring more accurate vulnerability assessment.
  3. dojo/tools/appcheck_web_application_scanner/engines/base.py: The changes in this file are centered around enhancing the handling of CVSS data, including score to severity mapping, vector parsing, and severity determination. These improvements contribute to the overall reliability and accuracy of the vulnerability data processing.
  4. unittests/scans/appcheck_web_application_scanner/appcheck_web_application_scanner_many_vul.json: This file contains a report of multiple vulnerabilities found in a web application, which can be used to test the AppCheck Web Application Scanner parser's ability to correctly identify and categorize security issues.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


Contributor

@mtesauro mtesauro left a comment


Approved

…ariables for severity determination first, then fall back to vectors, then default to "Info"
@Maffooch Maffooch merged commit 86aeeff into DefectDojo:bugfix Sep 16, 2024
73 checks passed
@dogboat
Contributor Author

dogboat commented Sep 16, 2024

[sc-7546]
