-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: fix severity lookup in Qualys parser #10205
Conversation
Fixes a bug in the Qualys parser where the severity lookup was not correctly handling integer values. This caused incorrect severity values to be returned. The fix updates the severity lookup to convert the severity value to an integer before performing the lookup.
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Change Summary (click to expand)The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: The code changes in this pull request focus on improving the accuracy and reliability of the Qualys vulnerability data parsing in both the unittests and the Dojo application security tool. The key changes include:
These changes improve the quality and accuracy of the vulnerability data imported from Qualys, ensuring that the findings are correctly classified and prioritized within the application security management system. The increased level of detail about the vulnerabilities also provides security teams with more context to understand and address the identified issues. Files Changed:
Powered by DryRun Security |
Would you mind adding a unit test here with an example file that triggers the bug you mention, in order to validate this fix and ensure we don't have a regression? |
Should I close this PR and open a new one with the UNITTEST? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved
You can push a new commit to your branch with the unit test and it will update this PR automatically. You're welcome to create a new PR if you want, but it's not strictly necessary. |
@mtesauro Additional changes follow the logic of #6248 (comment). Pull severity from 'SEVERITY' field in source XML, if not available, try to extract it from CVSS_VALUE field, if neither are available: default to Informational and log a warning. Before this PR: it was the other way around: first 'CVSS_VALUE' then 'SEVERITY'. |
@nv-pipo You'd like to think vendors could make their 'word' score match CVSS but 🤷 |
It may be a case where they get CVSS info from NVD or similar but then decide based on their own analysis that the implied severity is wrong. In that case, I expect they probably don't update the CVSS score/vector. |
@@ -70,7 +70,7 @@ def parse_file_with_multiple_vuln_has_multiple_findings(self): | |||
self.assertEqual(finding_cvssv3_vector.cvssv3, | |||
"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H") | |||
self.assertEqual( | |||
finding_cvssv3_vector.severity, "Critical" | |||
finding_cvssv3_vector.severity, "High" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The need for this line to change tells me that this will be unexpected behavior for qualys users. What used to be Critical
will now to be demoted to a High
...
I looked at your first commit, and see that it is fixing the issue described in the pull request. The move to using CVSS to attempt to be "smarter than the vendor" is a slippery path that has bit us before as @mtesauro has mentioned. I think reverting to your first commit, and then adding a unit test for that change would be the best path to success with this PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This line had to change because for that vulnerability the Finding severity didn't match the CVSS severity. So again, the question is, what should DD use first?
- The severity explicitly given by the vendor, or
- The mapped value from the CVSS score to severity.
In other words, that line changed because this PR changes the priority in how to populate the finding severity: before it was "CVSS Severity" then "real severity", this PR uses: "real severity" and if not available fallback to "CVSS Severity".
In the past, DD went for this PR's approach: #6248 (comment). If you think this is a mistake, maybe the Veracode SCA parser also needs to be changed?
For context:
Qualys calls this the "CVSS Severity" (https://blog.qualys.com/qualys-insights/2022/10/10/in-depth-look-into-data-driven-science-behind-qualys-trurisk) and it might not always match the finding severity (https://success.qualys.com/support/s/article/000002759). Extracts:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Maffooch
I think there is a misunderstanding: the current version of the Qualys parser is the one that tries to be "smarter than the vendor", as it uses the CVSS, whereas this PR is simply attempts to use qualys' severity. In other words, we all agree with @mtesauro: DD should use the already available 'Severity' field by the vendor, before trying CVSS to fill DD's 'severity' field. Similar to other parsers in DD: #6248 (comment).... TBH, I've never seen a qualys vulnerability without 'Severity' field, so I'd be happy to remove the fallback to CVSS altogether, as it will probably never be used.
FYI:
The change of severity in the other unittest, is because of this mismatch between Severity and CVSS Severity:
A 'CVSSv3 severity' translates to 'Critical' (old code), but the 'vendor provided severity' is 4 in a scale 1-5, so it translates to 'High' (this PR code).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right. I was confusing the CSV parser and the XML one. I agree with removing the CVSS fallback altogether. That way it would match the CSV parser
@mtesauro what do you think about that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Maffooch and @mtesauro, There seem to be some build problems, but I doubt it has anything to do with this PR (ran the Qualys unit_tests locally without problems). Please advise how to fix. |
There was a commit in Dev that broke the tests that require building a container. The best way to fix is to rebase against what's currently in the Dev branch (the fix to what broke tests has been merged already) |
Description
Fixes a bug in the Qualys parser where the severity lookup was not correctly handling integer values. This caused incorrect severity values to be returned. The fix updates the severity lookup to convert the severity value to an integer before performing the lookup.
Test results
Ideally you extend the test suite in
tests/
anddojo/unittests
to cover the changed in this PR.Alternatively, describe what you have and haven't tested.
Documentation
Please update any documentation when needed in the documentation folder)
Checklist
This checklist is for your information.
dev
.dev
.bugfix
branch.Extra information
Please clear everything below when submitting your pull request, it's here purely for your information.
Moderators: Labels currently accepted for PRs:
Contributors: Git Tips
Rebase on dev branch
If the dev branch has changed since you started working on it, please rebase your work after the current dev.
On your working branch
mybranch
:In case of conflict:
When everything's fine on your local branch, force push to your
myOrigin
remote:To cancel everything:
Squashing commits
pick
byfixup
on the commits you want squashed outpick
byreword
on the first commit if you want to change the commit messageForce push to your
myOrigin
remote: