
🐛 fix Acunetix date #11206 #11207

Merged
merged 4 commits into from
Nov 11, 2024

Conversation

manuel-sommer
Contributor

@github-actions github-actions bot added the parser label Nov 7, 2024

dryrunsecurity bot commented Nov 7, 2024

DryRun Security Summary

This pull request focuses on improving the parsing and handling of Acunetix security scan reports within the Dojo application security platform, including updates to date parsing logic, addition of a new test case, and addressing a security vulnerability related to the PHPSESSID cookie.


Summary:

The code changes in this pull request appear to be focused on improving the parsing and handling of Acunetix security scan reports within the Dojo application security platform. The key changes include:

  1. Updating the date parsing logic in the parse_acunetix_xml.py and parse_acunetix360_json.py files to correctly handle the date format used in the Acunetix reports.
  2. Adding a new test case in the test_acunetix_parser.py file to verify the parsing of an Acunetix scan file with a specific issue (ID 11206).
  3. Addressing a security vulnerability identified by the Acunetix360 scanner, where the PHPSESSID cookie was not marked as HttpOnly, which could potentially lead to session hijacking attacks.

From an application security perspective, these changes are generally positive and help to improve the accuracy, reliability, and security of the Acunetix report parsing functionality within the Dojo platform. The changes do not appear to introduce any significant security risks or concerns.

Files Changed:

  1. dojo/tools/acunetix/parse_acunetix_xml.py: The changes in this file update the date parsing logic to correctly handle the "DD/MM/YYYY" date format used in Acunetix XML reports.
  2. unittests/tools/test_acunetix_parser.py: The changes in this file add a new test case to verify the parsing of an Acunetix scan file with a specific issue (ID 11206).
  3. unittests/scans/acunetix/issue_11206.json: This file provides details about a security vulnerability identified by the Acunetix360 scanner, where the PHPSESSID cookie was not marked as HttpOnly.
  4. dojo/tools/acunetix/parse_acunetix360_json.py: The changes in this file update the date parsing logic to correctly handle the "DD/MM/YYYY" date format used in Acunetix JSON reports.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

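The day-first date handling the summary above describes, as an added example that is not part of this PR or of DefectDojo's own parser code. The "DD/MM/YYYY" format is taken from the summary; the sample strings are constructed, and the helper additionally classifies which sample dates would actually expose a day/month swap in a unit test.

```python
from datetime import datetime

# Constructed sample values in the "DD/MM/YYYY" form the summary describes for
# Acunetix reports; they are not taken from a real scan file.
SAMPLE_DATES = ["07/11/2024", "11/07/2024", "31/12/2023", "2024-11-07"]

DAY_FIRST = "%d/%m/%Y"    # the convention the fix adopts (assumed from the summary)
MONTH_FIRST = "%m/%d/%Y"  # the convention a careless parser might assume instead


def parse_acunetix_date(value):
    """Parse a report date strictly as DD/MM/YYYY; raise ValueError otherwise."""
    return datetime.strptime(value.strip(), DAY_FIRST)


def classify(value):
    """Describe how a date string behaves under both day orders.

    Returns one of:
      "ambiguous" - both orders parse, but to different dates (a silent misdate)
      "same"      - both orders parse to the same date (day equals month)
      "day-first" - only DD/MM/YYYY parses (day > 12): proves the convention
      "invalid"   - the strict day-first parser rejects it
    """
    try:
        day_first = parse_acunetix_date(value)
    except ValueError:
        return "invalid"
    try:
        month_first = datetime.strptime(value.strip(), MONTH_FIRST)
    except ValueError:
        return "day-first"
    return "same" if day_first == month_first else "ambiguous"


def regression_samples(values):
    """Keep only strings whose successful parse can fail under the wrong order.

    A test built on "ambiguous" dates passes whichever convention the parser
    uses; one built on these samples fails as soon as the order is swapped.
    """
    return [v for v in values if classify(v) == "day-first"]


if __name__ == "__main__":
    for sample in SAMPLE_DATES:
        print(sample, classify(sample))
    print("use in tests:", regression_samples(SAMPLE_DATES))
```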

Contributor

@cneill cneill left a comment


I checked some of our example scan files to be sure this wasn't a user-configurable thing that would vary based on the user's timezone/preferences, and it at least appears that this is consistent. Unfortunately, changing this behavior didn't trigger any unit test failures, meaning we're not evaluating it at all today. Would you mind adding some test cases, @manuel-sommer?

Contributor

@cneill cneill left a comment


Thanks! 😄

Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit 5f60988 into DefectDojo:bugfix Nov 11, 2024
73 checks passed
@manuel-sommer manuel-sommer deleted the fix_acunetixdate branch November 11, 2024 16:04