The SARIF parser for reports will attempt to parse the value of a properties.security-severity field of a report as a float because some scanners store the CVSS value in it:
However, other scanners may also produce a properties.security-severity field that contains something else.
Namely, using GitLab's Semgrep rules with the Semgrep scanner and SARIF output can produce properties like the following:
Trying to import a SARIF report like this will result in a 400 Bad Request: {"message":"[\"could not convert string to float: 'MEDIUM'\"]"}
Steps to reproduce
Steps to reproduce the behavior:
Scan with GitLab's Semgrep rules against a vulnerable application (like OWASP Juice Shop): semgrep ci --config=sast-rules/javascript/ --sarif > gitlab-rules.sarif.json
Try to import the SARIF report into DefectDojo
Expected behavior
The importing should not give an error.
Deployment method (select with an X)
Docker Compose
Kubernetes
GoDojo
Environment information
Operating System: AlmaLinux 9.3
DefectDojo version (see footer) or commit message: v. 2.30.1
Logs
[pid: 1|app: -|req: -/-] <ip> (-) {38 vars in 653 bytes} [Fri May 10 12:20:56 2024] POST //api/v2/import-scan/ => generated 1345 bytes in 128710 msecs (HTTP/1.1 201) 8 headers in 241 bytes (2 switches on core 1)
[10/May/2024 12:23:04] WARNING [dojo.importers.importer.importer:268] could not convert string to float: 'MEDIUM'
[10/May/2024 12:23:04] WARNING [django.request:241] Bad Request: /api/v2/import-scan/
Sample scan files
SARIF report produced from scanning against OWASP Juice Shop which will give the error: gitlab-rules.sarif.json
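The failure above comes from calling float() on a properties.security-severity value unconditionally. The following is an added example, not DefectDojo's own parser code, showing a tolerant conversion that accepts a CVSS score (number or numeric string) as well as textual levels such as MEDIUM and falls back to a default otherwise; the CVSS bands, the textual-level mapping, and the SARIF fragment are assumptions constructed for the example.

```python
import json

# CVSS v3.x qualitative rating bands (NVD), lowest to highest (assumed mapping).
def cvss_to_severity(score: float) -> str:
    if score <= 0.0:
        return "Info"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

# Textual values some scanners put in the same field (constructed mapping, an assumption).
TEXT_SEVERITIES = {
    "critical": "Critical", "high": "High", "medium": "Medium",
    "low": "Low", "info": "Info", "informational": "Info",
}

def severity_from_property(value, default="Medium"):
    """Tolerant conversion of properties.security-severity: a float or numeric
    string maps to a CVSS band, a textual level to its normalized name, and
    anything else (missing, unknown text) to the default instead of raising."""
    if value is None or isinstance(value, bool):
        return default
    if isinstance(value, (int, float)):
        return cvss_to_severity(float(value))
    text = str(value).strip()
    try:
        return cvss_to_severity(float(text))
    except ValueError:
        return TEXT_SEVERITIES.get(text.lower(), default)

# Constructed SARIF fragment: one numeric, one textual, one missing severity.
SAMPLE_SARIF = json.loads("""{
 "runs": [{"tool": {"driver": {"rules": [
   {"id": "r1", "properties": {"security-severity": "7.5"}},
   {"id": "r2", "properties": {"security-severity": "MEDIUM"}},
   {"id": "r3", "properties": {}}
 ]}}}]}""")

def rule_severities(sarif):
    """Return {rule_id: severity} for every rule in every run of a SARIF document."""
    out = {}
    for run in sarif.get("runs", []):
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            props = rule.get("properties") or {}
            out[rule["id"]] = severity_from_property(props.get("security-severity"))
    return out

if __name__ == "__main__":
    print(rule_severities(SAMPLE_SARIF))
```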