-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 fix sonarqube missing CWE for deduplication #10178
base: bugfix
Are you sure you want to change the base?
🐛 fix sonarqube missing CWE for deduplication #10178
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Change Summary (click to expand)The following is a summary of changes in this pull request made by me, your security buddy 🤖. Summary: This pull request includes several changes across different files, all of which are focused on improving the security-related functionality and configuration of the DefectDojo application, an open-source vulnerability management tool. The changes to the The changes to the Finally, the changes to the Files Changed:
Powered by DryRun Security |
@quirinziessler how much longer is import taking when using a different a hash code computation? I believe there is one more conditional and a log statement added to the hashcode computation. Sonarqube is a pretty popular tool, and this update would impact a lot of folks when their hash codes are now using different values, and there is no longer a match with existing sonarqube findings. I would recommend updating the config in your instance to allow the hash code calculation for sonarqube to accept null CWEs: |
@Maffooch I am aware of the widespread use of SQ and this is also why I opened this PR against bugfix. During testing I saw my import time dropping about 5 seconds until all processes finished for aprox 50 findings. This may sound like a small impact but after successful testing with around 200 SQ projects I can say this change should definitely be part of the next release, so everyone can use DD out of the box and to keep the required adaptations as low as possible. Furthermore the SQ ID should be preferred instead of the CWE for deduplication in my eyes. A file can have multiple findings with the same CWE in multiple lines, e.g. "missing input validation". By using the SQ ID those findings will be reflected in DefectDojo and not marked as duplicates like it is currently. Unfortunately the finding line is not consequently provided within the output of SQ so this is the only possible way to catch this behavior. |
@Maffooch any updates here? |
Apologies for missing this. If the hashcode is the be changed here, I think it should align with how the API based SonarQube parser is handling deduplication. It uses A migration will also need to be written to update all of the hash codes for sonarqube findings. Something like this would need to go against the |
No worries @Maffooch. According to the dedupe of SQ and your statement this meets my changes. I can also prepare the same PR against the latest dev version. However I currently fail on how to write a db_migration for the hash codes as the models seem not to be accessible at migration time. Can you help me on this and maybe provide an example? |
During the import of Sonarqube findings I got aware of an issue related with the deduplication on the parser. For some kind of findings a cwe is not provided but is mandatory for the deduplication algorithm by settings.dist.py. The deduplication then falls back to the legacy dedupe hash model and the import takes longer than usual.
I removed the cwe from the dedupe hash code and added other suitable values by extending the parser.