SARIF parsing error on security-severity field #10191

Closed
1 of 3 tasks
tomasrinne opened this issue May 13, 2024 · 1 comment
Bug description

The SARIF parser for reports will attempt to parse the value of a properties.security-severity field of a report as a float because some scanners store the CVSS value in it:

# Some tools such as GitHub or Grype return the severity in properties
# instead
if "properties" in rule and "security-severity" in rule["properties"]:
    cvss = float(rule["properties"]["security-severity"])
    severity = cvss_to_severity(cvss)
    finding.cvssv3_score = cvss
    finding.severity = severity

However, other scanners may also produce a properties.security-severity field that contains something else.
Namely, using GitLab's Semgrep rules with the Semgrep scanner and SARIF output can produce properties like the following:

...
                "properties": {
                  "precision": "very-high",
                  "security-severity": "MEDIUM",
                  "tags": [
                    "CWE-346",
                    "OWASP-A05:2021-Security Misconfiguration",
                    "OWASP-A6:2017-Security Misconfiguration",
                    "security"
                  ]
                },
...

Trying to import a SARIF report like this will result in a 400 Bad Request: {"message":"[\"could not convert string to float: 'MEDIUM'\"]"}

Steps to reproduce
Steps to reproduce the behavior:

  1. Scan with GitLab's Semgrep rules against a vulnerable application (like OWASP Juice Shop): semgrep ci --config=sast-rules/javascript/ --sarif > gitlab-rules.sarif.json
  2. Try to import the SARIF report into DefectDojo

Expected behavior

The importing should not give an error.

Deployment method (select with an X)

  • Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • Operating System: AlmaLinux 9.3
  • DefectDojo version (see footer) or commit message: v. 2.30.1

Logs

[pid: 1|app: -|req: -/-] <ip> (-) {38 vars in 653 bytes} [Fri May 10 12:20:56 2024] POST //api/v2/import-scan/ => generated 1345 bytes in 128710 msecs (HTTP/1.1 201) 8 headers in 241 bytes (2 switches on core 1)
[10/May/2024 12:23:04] WARNING [dojo.importers.importer.importer:268] could not convert string to float: 'MEDIUM'
[10/May/2024 12:23:04] WARNING [django.request:241] Bad Request: /api/v2/import-scan/

Sample scan files
SARIF report produced from scanning against OWASP Juice Shop which will give the error:
gitlab-rules.sarif.json
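The failure described in this report comes down to trusting that a SARIF `properties.security-severity` value is always a CVSS number. The following is an added example, written for this page and not DefectDojo's own parser or the fix referenced in the commits below, of a tolerant reader for that field: it accepts a numeric score, falls back to a textual label such as `MEDIUM`, and otherwise derives severity from the result's `level`. The SARIF fragment, the `cvss_to_severity` thresholds (CVSS v3 qualitative scale) and the label tables are all constructed here for the example.

```python
import json

# Constructed SARIF fragment (not the attachment from the issue). It mixes a numeric
# CVSS-style security-severity, the textual "MEDIUM" that broke the import, and a rule
# with no security-severity at all.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-scanner", "rules": [
            {"id": "rule-numeric", "properties": {"security-severity": "7.5"}},
            {"id": "rule-textual", "properties": {"security-severity": "MEDIUM",
                                                  "precision": "very-high"}},
            {"id": "rule-missing", "properties": {"precision": "high"}},
        ]}},
        "results": [
            {"ruleId": "rule-numeric", "message": {"text": "constructed finding a"}},
            {"ruleId": "rule-textual", "message": {"text": "constructed finding b"}},
            {"ruleId": "rule-missing", "level": "error",
             "message": {"text": "constructed finding c"}},
        ],
    }],
})

# Textual labels some scanners emit instead of a score (assumed table, case-insensitive).
SEVERITY_LABELS = {
    "critical": "Critical", "high": "High", "medium": "Medium", "low": "Low",
    "info": "Info", "informational": "Info", "none": "Info", "unknown": "Info",
}

# Fallback from the SARIF result "level" when the rule carries no usable severity.
LEVEL_TO_SEVERITY = {"error": "High", "warning": "Medium", "note": "Low", "none": "Info"}


def cvss_to_severity(score):
    """Map a CVSS v3 base score to its qualitative rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def severity_from_property(value):
    """Return (cvss_score, severity) from a security-severity value.

    Numeric strings in 0..10 yield a score and its rating; known text labels yield
    a rating with no score; anything else yields (None, None) instead of raising.
    """
    if value is None:
        return None, None
    text = str(value).strip()
    try:
        score = float(text)
    except ValueError:
        return None, SEVERITY_LABELS.get(text.lower())
    # Reject nan/inf and out-of-range numbers rather than storing a bogus score.
    if not 0.0 <= score <= 10.0:
        return None, None
    return score, cvss_to_severity(score)


def parse_findings(sarif_text):
    """Walk runs/results, join each result to its rule, and assign a severity."""
    data = json.loads(sarif_text)
    findings = []
    for run in data.get("runs", []):
        rules = {r["id"]: r
                 for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            prop = rule.get("properties", {}).get("security-severity")
            score, severity = severity_from_property(prop)
            if severity is None:
                # SARIF defaults level to "warning" when absent.
                severity = LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "Medium")
            findings.append({"rule_id": result.get("ruleId"),
                             "cvssv3_score": score, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_SARIF):
        print(f)
```

The design choice worth noting is that an unparseable value degrades to "no score, severity from level" rather than rejecting the whole import with a 400, so one scanner's labelling convention cannot block ingestion of every other finding in the report.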

@tomasrinne tomasrinne added the bug label May 13, 2024
manuel-sommer added a commit to manuel-sommer/django-DefectDojo that referenced this issue May 14, 2024
Maffooch pushed a commit that referenced this issue May 20, 2024
@manuel-sommer (Contributor)

This can be closed @mtesauro.
