🐛 fix SARIF, issue #10191 #10200

Merged: 1 commit, May 20, 2024

Conversation

manuel-sommer (Contributor)

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security                  Status   Findings
Configured Codepaths Analyzer             0 findings
Sensitive Files Analyzer                  0 findings
AppSec Analyzer                           0 findings
Authn/Authz Analyzer                      0 findings
Secrets Analyzer                          0 findings

Note: 🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request focus on enhancing the SARIF parser in the DefectDojo application. The key updates include:

  1. Improvements to the handling of severity information in the SARIF report. The parser now correctly processes the severity information provided in the "properties" section of the rule, in addition to the default severity. This ensures that the severity levels are accurately captured and represented in the application.

  2. Robust handling of unexpected security severity values. The parser now includes a try-except block to handle cases where the "security-severity" property contains an unexpected value. This improves the overall reliability of the parser and its ability to process a wider range of SARIF reports.

These changes are important from an application security perspective as they enhance the accuracy and reliability of the SARIF parser. Accurate parsing of the security severity and other relevant information is crucial for effectively identifying and prioritizing security vulnerabilities in the application.

Files Changed:

  1. unittests/tools/test_sarif_parser.py:

    • Added two new test cases to verify the handling of severity information and tags in the SARIF report.
    • The test_severity_in_properties case checks that the parser correctly processes the severity information provided in the "properties" section.
    • The test_tags_from_result_properties case verifies that the parser correctly extracts the tags information from the SARIF report.
  2. dojo/tools/sarif/parser.py:

    • Implemented improvements to the handling of security severity information in the SARIF report.
    • Included a try-except block to handle unexpected security severity values, ensuring the parser can still process the report and assign a reasonable default severity level.
    • These changes enhance the robustness and accuracy of the SARIF parser, which is crucial for effectively identifying and addressing security vulnerabilities in the application.

Powered by DryRun Security
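The two behaviours the summary above describes (taking severity from the rule's "security-severity" property with a guarded fallback for unexpected values, and pulling tags out of result properties) are shown below as an added, self-contained example written for this page. It is not DefectDojo's parser code and not part of the PR: the CVSS thresholds, the precedence order between the property, the result level and the rule's default level, the choice to fall back to the level chain rather than to a fixed severity when the property is unparseable, and the constructed SARIF log are all this example's own assumptions. It goes slightly beyond the page in also tolerating out-of-range or NaN scores and a result whose rule is missing from `driver.rules`.

```python
"""Added example for this page: SARIF severity and tag extraction in the shape the
PR describes. Not DefectDojo's code; thresholds, precedence and fallback are assumed."""
from __future__ import annotations

import json

SEVERITY_NAMES = ("Info", "Low", "Medium", "High", "Critical")
# SARIF "level" values mapped to named severities (assumed mapping).
LEVEL_TO_SEVERITY = {"note": "Info", "warning": "Medium", "error": "High"}


def cvss_to_severity(score: float) -> str:
    """Bucket a CVSS-style 0.0-10.0 score into a named severity (assumed thresholds)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def severity_from_property(value) -> tuple[str, float | None] | None:
    """Interpret rule.properties["security-severity"].

    A numeric value in 0.0-10.0 is a score and is bucketed; a severity name such
    as "medium" is accepted by name; anything else (free text, out-of-range, NaN)
    returns None so the caller can fall back instead of the parser raising on an
    unexpected value, which is the failure mode the PR's try/except guards.
    """
    try:
        score = float(value)
    except (TypeError, ValueError):
        name = str(value).strip().lower().capitalize()
        return (name, None) if name in SEVERITY_NAMES else None
    if not 0.0 <= score <= 10.0:  # also rejects NaN: comparisons with NaN are False
        return None
    return cvss_to_severity(score), score


def find_rule(run: dict, result: dict) -> dict | None:
    """Resolve a result to its rule via ruleIndex, then ruleId; both are optional in SARIF."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), None)


def get_severity(result: dict, rule: dict | None) -> tuple[str, float | None]:
    """Assumed precedence: security-severity property, result.level,
    rule.defaultConfiguration.level, then "Medium" when nothing is usable."""
    props = (rule or {}).get("properties") or {}
    if "security-severity" in props:
        parsed = severity_from_property(props["security-severity"])
        if parsed is not None:
            return parsed
    level = result.get("level")
    if level is None and rule is not None:
        level = (rule.get("defaultConfiguration") or {}).get("level")
    return LEVEL_TO_SEVERITY.get(level, "Medium"), None


def get_tags(result: dict, rule: dict | None) -> list[str]:
    """Merge result.properties.tags and rule.properties.tags, result first, no duplicates."""
    tags: list[str] = []
    for holder in (result, rule or {}):
        for tag in (holder.get("properties") or {}).get("tags") or []:
            if isinstance(tag, str) and tag not in tags:
                tags.append(tag)
    return tags


def parse_sarif(text: str) -> list[dict]:
    """Return one finding dict per result across all runs of a SARIF 2.1.0 log."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            rule = find_rule(run, result)
            severity, score = get_severity(result, rule)
            findings.append({"rule_id": result.get("ruleId"), "severity": severity,
                             "cvssv3_score": score, "tags": get_tags(result, rule)})
    return findings


# Constructed SARIF log exercising each path; it is not output from a real scanner.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "R1", "defaultConfiguration": {"level": "warning"},
         "properties": {"security-severity": "8.8", "tags": ["security", "cwe-79"]}},
        {"id": "R2", "defaultConfiguration": {"level": "warning"},
         "properties": {"security-severity": "medium"}},          # name, not a number
        {"id": "R3", "defaultConfiguration": {"level": "error"},
         "properties": {"security-severity": "not-a-number"}},    # unexpected value
        {"id": "R4", "defaultConfiguration": {"level": "note"}},  # no property at all
    ]}},
    "results": [
        {"ruleId": "R1", "ruleIndex": 0, "message": {"text": "reflected XSS"},
         "properties": {"tags": ["external/cwe/cwe-079"]}},
        {"ruleId": "R2", "message": {"text": "weak hash"}},
        {"ruleId": "R3", "message": {"text": "open redirect"}},
        {"ruleId": "R4", "level": "error", "message": {"text": "result level wins"}},
        {"ruleId": "R5", "message": {"text": "rule missing from driver.rules"}},
    ],
}]})

if __name__ == "__main__":
    for finding in parse_sarif(SAMPLE_SARIF):
        print(finding)
```

Two design points worth noting. First, an unparseable "security-severity" value degrades to the level-based chain (so R3 above lands on High from its rule's default level) rather than to a fixed severity; either choice is defensible, but the property that matters is that one malformed rule never aborts the import of the whole report. Second, the numeric score is carried alongside the bucketed severity, since a 9.8 and a 9.0 both bucket to Critical but should not sort identically during triage.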

mtesauro (Contributor) left a comment:


Approved

@Maffooch Maffooch merged commit b12fc58 into DefectDojo:bugfix May 20, 2024
122 checks passed
@manuel-sommer manuel-sommer deleted the fix_sarif_10191 branch May 20, 2024 17:04

5 participants