fix for multi vuln ids when reimporting scans #10214
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Change Summary: The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: The code changes in this pull request cover various aspects of the DefectDojo application, focusing on the handling of vulnerability IDs, the import process, and the testing of the REST API endpoints. From an application security perspective, these changes appear to be positive improvements that enhance the security and reliability of the application. The key changes include:
Overall, these code changes are focused on improving the security, reliability, and maintainability of the DefectDojo application. The optimization of vulnerability ID handling, the streamlining of the import process, and the extensive API testing all contribute to a more secure and robust application. Files Changed:
Powered by DryRun Security
I'm not sure that this is the best idea. If I may suggest, I would:
Regarding this suggestion, this does not fix the issue with multiple vulnerability ids with each import (possibly due to the constraints having already been violated for existing imports). I am incorporating the bulk create but maintaining the full delete for now.
If there is an issue with duplicates during processing, I suppose
This is not feedback on the approach taken here, but this function is used in other places to set the vulnerability IDs correctly. It should be used directly instead of copy/pasting code from it.
dropping this PR for bugfix PR |
Description
[sc-5982]
Resolves #10198
To reiterate, when reimporting scans into DefectDojo, vulnerability_ids were getting duplicated with each reimport. This fix implements the same method used by the apiv2 finding helper in the baseimporter.
Test results
Tested multiple scan types to ensure vulnerability ids were still handled correctly and that duplicates were removed on reimport. This will not clear duplicate vulnerability ids until a reimport is done after this fix.
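The failure mode described in this PR (ids appended on every reimport) and the delete-then-bulk-create approach the thread settles on, as an added illustration that is not DefectDojo's code and not the patch in this PR. The `Finding` and `VulnIdTable` classes are constructed stand-ins for the Django models, and the scan ids used as input are constructed placeholders; the order-preserving dedupe and the choice of the first id as the primary `cve` are assumptions made for the example, not a statement of how the project's helper behaves.

```python
"""Added example: why appending vulnerability ids duplicates them on every
reimport, and how a delete-then-bulk-create save stays idempotent.

Not DefectDojo code. Finding and VulnIdTable are constructed stand-ins for
the Django models; the scan ids below are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Finding:
    id: int
    cve: Optional[str] = None
    # ids parsed from the current scan file, not yet persisted
    unsaved_vulnerability_ids: List[str] = field(default_factory=list)


class VulnIdTable:
    """Constructed stand-in for a (finding_id, vulnerability_id) table."""

    def __init__(self) -> None:
        self.rows: List[Tuple[int, str]] = []

    def for_finding(self, finding_id: int) -> List[str]:
        return [v for f, v in self.rows if f == finding_id]

    def delete_for_finding(self, finding_id: int) -> None:
        self.rows = [(f, v) for f, v in self.rows if f != finding_id]

    def bulk_create(self, finding_id: int, ids: List[str]) -> None:
        self.rows.extend((finding_id, v) for v in ids)


def append_ids_buggy(table: VulnIdTable, finding: Finding) -> List[str]:
    """The reported failure mode: every import appends the parsed ids, so a
    reimport of an unchanged scan grows the stored set each time."""
    table.bulk_create(finding.id, finding.unsaved_vulnerability_ids)
    if finding.unsaved_vulnerability_ids:
        finding.cve = finding.unsaved_vulnerability_ids[0]
    return table.for_finding(finding.id)


def save_ids_fixed(table: VulnIdTable, finding: Finding) -> List[str]:
    """Idempotent save: drop everything stored for the finding, then bulk
    create the de-duplicated ids. dict.fromkeys keeps first-seen order, so the
    first id the parser emitted stays the primary cve (an assumption here)."""
    unique = list(dict.fromkeys(finding.unsaved_vulnerability_ids))
    table.delete_for_finding(finding.id)
    table.bulk_create(finding.id, unique)
    finding.cve = unique[0] if unique else None
    return table.for_finding(finding.id)


# Constructed scan output: one id repeated by the parser, as some tools do.
SAMPLE_IDS = ["CVE-2000-1234", "GHSA-aaaa-bbbb-cccc", "CVE-2000-1234"]


def ids_after_reimports(save, reimports: int) -> Tuple[List[str], Optional[str]]:
    """Import once, then reimport `reimports` times with identical scan data,
    using the given save routine; return stored ids and the primary cve."""
    table = VulnIdTable()
    finding = Finding(id=1, unsaved_vulnerability_ids=list(SAMPLE_IDS))
    stored: List[str] = []
    for _ in range(1 + reimports):
        stored = save(table, finding)
    return stored, finding.cve


def repair_on_next_reimport() -> Tuple[int, int]:
    """Rows already duplicated by the buggy path are cleaned up by the first
    reimport that runs the fixed save, which is the caveat in the test notes."""
    table = VulnIdTable()
    finding = Finding(id=7, unsaved_vulnerability_ids=list(SAMPLE_IDS))
    append_ids_buggy(table, finding)
    append_ids_buggy(table, finding)
    before = len(table.for_finding(finding.id))
    after = len(save_ids_fixed(table, finding))
    return before, after


if __name__ == "__main__":
    print("buggy:", ids_after_reimports(append_ids_buggy, 2))
    print("fixed:", ids_after_reimports(save_ids_fixed, 2))
    print("repair (before, after):", repair_on_next_reimport())
```

With the buggy path, two reimports of the same three-id scan leave nine rows; with the fixed path the stored set is the two unique ids no matter how many times the scan is reimported, and a finding that already carries duplicates is cleaned the first time the fixed routine runs.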