Incorrect Severity Level Mapping from Tenable Reports in DefectDojo #10051
Labels
Comments
|
First of all Risk Factor is not the same term as Severity https://docs.tenable.com/nessus/Content/RiskMetrics.htm . |
|
Thank you for the explanation @WojTecH94 . Shall we close this @mtesauro ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug description
I've encountered an issue with the Tenable report parser where the Severity Level of vulnerabilities is incorrectly mapped based on their CVSS scores. Specifically, the parser currently assigns severity levels by strictly adhering to the CVSS score, which does not always align with the severity level provided by Tenable.
For reference, you can see the relevant code here:
https://github.com/DefectDojo/django-DefectDojo/blob/c4ea89b82ac4f6bb25f298b4acda540ab9af1518/dojo/tools/tenable/xml_format.py#L30C1-L43C24
In our case, a vulnerability that Tenable classified as 'Medium' was marked as 'High' in DefectDojo. We haven't manually altered the severity levels in Tenable, but this discrepancy could potentially affect the risk assessment process. I believe this might be a common issue for others who rely on Tenable's severity levels for subsequent scans and risk evaluations.
Could the team consider enhancing the parser to accommodate the original severity levels as specified in Tenable reports? This adjustment would help in maintaining consistency between the reported and actual risk levels, providing more accurate vulnerability management.
Thank you for looking into this!
Steps to reproduce
Steps to reproduce the behavior:
Just upload report with medium severiry level issue that have CVSS score 7.8
Expected behavior
Getting severity level from risk_factor parameter in xml report
Deployment method (select with an
X)Environment information
sample-scan.nessus.zip
The text was updated successfully, but these errors were encountered: