DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

still not works about HCL scan findings - latest version #10175

Open johnfelipe opened 2 months ago

johnfelipe commented 2 months ago

[furrego@localhost ~]$ cat /etc/*release

NAME="Rocky Linux"
VERSION="9.3 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.3 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
Rocky Linux release 9.3 (Blue Onyx)
Rocky Linux release 9.3 (Blue Onyx)
Rocky Linux release 9.3 (Blue Onyx)

[furrego@localhost ~]$ sudo systemctl status docker

[sudo] password for furrego:
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-05-09 12:16:39 -05; 1min 59s ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 898 (dockerd)
      Tasks: 10
     Memory: 115.5M
        CPU: 743ms
     CGroup: /system.slice/docker.service
             └─898 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

May 09 12:16:38 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:38.737403238-05:00" level=info msg="Loadin>
May 09 12:16:38 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:38.813245035-05:00" level=info msg="Firewa>
May 09 12:16:39 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:39.135978393-05:00" level=info msg="Firewa>
May 09 12:16:39 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:39.317135361-05:00" level=info msg="Defaul>
May 09 12:16:39 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:39.395731436-05:00" level=info msg="Firewa>
May 09 12:16:39 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:39.479254464-05:00" level=info msg="Loadin>
May 09 12:16:39 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:39.527925126-05:00" level=info msg="Docker>
May 09 12:16:39 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:39.528743847-05:00" level=info msg="Daemon>
May 09 12:16:39 localhost.localdomain dockerd[898]: time="2024-05-09T12:16:39.592855541-05:00" level=info msg="API li>
May 09 12:16:39 localhost.localdomain systemd[1]: Started Docker Application Container Engine.

[furrego@localhost ~]$ docker compose version

Docker Compose version v2.27.0

all remaining steps here in video:

https://drive.google.com/file/d/1IYYlYHRkdi7dJpJuf-xBuqycpNjpkABT/view?usp=drivesdk

[screenshot: SNAG-0262] [screenshot: SNAG-0263]

manuel-sommer commented 2 months ago

Please explain in more detail what exactly is wrong. I can't see any errors here. The title is reflected from the description.

johnfelipe commented 2 months ago

Title and description and everything are wrong. I uploaded the demo XML, and the title is not there; something happens.

On Thu, 9 May 2024, 12:47 p.m., manuelsommer @.***> wrote:

Please explain more detailed on what is exactly wrong? I can't see any errors here. The title is reflected from the description.


manuel-sommer commented 2 months ago

Could you please do the following:

Then, please write down which values you would expect; maybe also use an online XML formatter for these files to determine more specifically what you would need. Please no video, but rather a screenshot of the part of the XML that you would like to have as a finding.

johnfelipe commented 2 months ago

Pls review this PDF report:

demo.testfire.net Security Report.pdf

and doing a simple comparison:

for example in xml show this:

[screenshot: SNAG-0264]

and in report pdf show this:

[screenshot: SNAG-0265]

but Dojo is not correctly taking this:

<name>Blind SQL Injection</name>

to this:

<text>It is possible to view, modify or delete database entries and tables</text>

johnfelipe commented 1 month ago

Do you need more information? I can upload more screenshots and a comparison with the demo XML.

johnfelipe commented 1 month ago

Hi team, do you need anything else to fix this bug or issue?

johnfelipe commented 1 month ago

UAT_99.85.165.247_20200922 Security Report.zip

Or with the PDF in the post before.

This is an uncensored report, so you can understand how the names and structure are; it contains only LOW and INFORMATIONAL severity.

[screenshot: SNAG-0035]

The whole structure is not correct: Name, Description and Fix Suggestion are not parsing correctly.