DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Incorrect Severity Level Mapping from Tenable Reports in DefectDojo #10051

Open alexander-p2p opened 3 months ago

alexander-p2p commented 3 months ago

Bug description

I've encountered an issue with the Tenable report parser where the Severity Level of vulnerabilities is incorrectly mapped based on their CVSS scores. Specifically, the parser currently assigns severity levels by strictly adhering to the CVSS score, which does not always align with the severity level provided by Tenable.

For reference, you can see the relevant code here: https://github.com/DefectDojo/django-DefectDojo/blob/c4ea89b82ac4f6bb25f298b4acda540ab9af1518/dojo/tools/tenable/xml_format.py#L30C1-L43C24

In our case, a vulnerability that Tenable classified as 'Medium' was marked as 'High' in DefectDojo. We haven't manually altered the severity levels in Tenable, but this discrepancy could potentially affect the risk assessment process. I believe this might be a common issue for others who rely on Tenable's severity levels for subsequent scans and risk evaluations.

Could the team consider enhancing the parser to accommodate the original severity levels as specified in Tenable reports? This adjustment would help in maintaining consistency between the reported and actual risk levels, providing more accurate vulnerability management.

Thank you for looking into this!

Steps to reproduce

Steps to reproduce the behavior:

Just upload a report with a medium severity level issue that has a CVSS score of 7.8.

Expected behavior

Get the severity level from the risk_factor parameter in the XML report.

Deployment method (select with an X)

Environment information

sample-scan.nessus.zip

[screenshots: dd-severity, tio-severity]

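Added example, not DefectDojo's parser and not code from the issue: a small Python reader for a constructed .nessus fragment that derives a severity label twice, once from the CVSS score and once from Tenable's risk_factor element, and lists the ReportItems where the two disagree. The CVSS-based mapping uses the FIRST CVSS v3.x qualitative scale (0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical) as an assumed stand-in for the mapping the linked xml_format.py lines implement; the element names ReportItem, risk_factor, cvss_base_score and cvss3_base_score are the standard .nessus ones, while the host, plugin IDs and scores in SAMPLE_NESSUS are constructed and the mapping of risk_factor "None" to "Info" is an assumption about DefectDojo's label set.

```python
"""Reproduce the CVSS-vs-risk_factor severity discrepancy on a constructed
.nessus fragment. Example code only; not the project's own parser."""
import xml.etree.ElementTree as ET

# Constructed sample (not the attached sample-scan.nessus). Item 100001 is the
# case from the issue: Tenable says Medium, but CVSS 7.8 falls in the High band.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="demo">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" protocol="tcp" pluginID="100001"
                  pluginName="Example SMB finding" severity="2">
        <risk_factor>Medium</risk_factor>
        <cvss_base_score>7.8</cvss_base_score>
        <cvss3_base_score>7.8</cvss3_base_score>
      </ReportItem>
      <ReportItem port="22" protocol="tcp" pluginID="100002"
                  pluginName="Example SSH finding" severity="3">
        <risk_factor>High</risk_factor>
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" pluginID="100003"
                  pluginName="Info only" severity="0">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Assumed DefectDojo-style label set.
SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")


def severity_from_cvss(score):
    """Map a numeric CVSS score to a label using the CVSS v3.x qualitative
    scale. Assumption: stands in for the score-based mapping in the parser."""
    if score is None or score == 0.0:
        return "Info"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def severity_from_risk_factor(text):
    """Normalise Tenable's risk_factor text (None/Low/Medium/High/Critical)
    to the label set above; returns None when the element is absent/unknown."""
    if text is None:
        return None
    value = text.strip().capitalize()
    if value == "None":  # assumed: Tenable 'None' becomes DefectDojo 'Info'
        return "Info"
    return value if value in SEVERITIES else None


def parse_report_items(xml_text):
    """Walk ReportHost/ReportItem and compute both candidate severities.
    Prefers cvss3_base_score over cvss_base_score when both are present."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            def child_text(tag, item=item):
                el = item.find(tag)
                return el.text.strip() if el is not None and el.text else None

            score_text = child_text("cvss3_base_score") or child_text("cvss_base_score")
            score = float(score_text) if score_text else None
            risk_factor = child_text("risk_factor")
            findings.append({
                "host": host.get("name"),
                "plugin_id": item.get("pluginID"),
                "title": item.get("pluginName"),
                "cvss_score": score,
                "risk_factor": risk_factor,
                "severity_by_cvss": severity_from_cvss(score),
                "severity_by_risk_factor": severity_from_risk_factor(risk_factor),
            })
    return findings


def mismatches(findings):
    """Items where Tenable's risk_factor and the CVSS band disagree."""
    return [f for f in findings
            if f["severity_by_risk_factor"] is not None
            and f["severity_by_cvss"] != f["severity_by_risk_factor"]]


def resolve_severity(finding, prefer_risk_factor=True):
    """The behaviour the issue asks for: use risk_factor when present, fall
    back to the CVSS band otherwise. prefer_risk_factor=False gives the
    score-only behaviour the issue reports."""
    if prefer_risk_factor and finding["severity_by_risk_factor"]:
        return finding["severity_by_risk_factor"]
    return finding["severity_by_cvss"]


if __name__ == "__main__":
    for f in mismatches(parse_report_items(SAMPLE_NESSUS)):
        print(f["plugin_id"], f["title"], "cvss:", f["severity_by_cvss"],
              "risk_factor:", f["severity_by_risk_factor"])
```

Running the module prints the one constructed mismatch (plugin 100001, CVSS High versus risk_factor Medium). The fallback in resolve_severity matters for WojTecH94's point: a report from a tool without a risk_factor-style field still gets a CVSS-derived label, so honouring risk_factor where it exists does not have to break cross-tool consistency.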
WojTecH94 commented 3 months ago

First of all, Risk Factor is not the same term as Severity: https://docs.tenable.com/nessus/Content/RiskMetrics.htm . But apart from that: CVSS score is some universal grading system for vulnerabilities, while Tenable or other tools might have some individual methods of calculating severity, risk factors etc. DefectDojo needs to use something that is present in the highest number of tools, because you can import vulnerabilities from different systems and you cannot force all of them to calculate risk factor in the way Tenable does it or use some proprietary algorithm of another producer.

manuel-sommer commented 3 months ago

Thank you for the explanation @WojTecH94 . Shall we close this @mtesauro ?