DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Exception on DependencyCheck XML report upload #364

Closed juhakivekas closed 6 years ago

juhakivekas commented 7 years ago

After running a DependencyCheck scan on JuiceShop during a DevSecOps hackathon, trying to upload the results to Defect Dojo failed with an exception and stacktrace. Something in the parser breaks. Unfortunately we didn't have time to debug this any further.

Tested with commit 6377d9cd682c394f80c5f88c9b9b1c6d2b9499fb. The input used is this: https://pastebin.com/nLQWmYJ7

Environment:

Request Method: POST
Request URL: http://54.93.246.23:8000/engagement/3/import_scan_results

Django Version: 1.11.2
Python Version: 2.7.12
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'polymorphic',
 'overextends',
 'django.contrib.admin',
 'django.contrib.humanize',
 'gunicorn',
 'tastypie',
 'djangobower',
 'auditlog',
 'dojo',
 'tastypie_swagger',
 'watson',
 'tagging',
 'custom_field',
 'imagekit',
 'multiselectfield')
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'dojo.middleware.LoginRequiredMiddleware')

Traceback:

File "/home/ubuntu/.local/lib/python2.7/site-packages/django/core/handlers/exception.py" in inner
  41.             response = get_response(request)

File "/home/ubuntu/.local/lib/python2.7/site-packages/django/core/handlers/base.py" in _legacy_get_response
  249.             response = self._get_response(request)

File "/home/ubuntu/.local/lib/python2.7/site-packages/django/core/handlers/base.py" in _get_response
  187.                 response = self.process_exception_by_middleware(e, request)

File "/home/ubuntu/.local/lib/python2.7/site-packages/django/core/handlers/base.py" in _get_response
  185.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/home/ubuntu/.local/lib/python2.7/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  23.                 return view_func(request, *args, **kwargs)

File "/home/ubuntu/django-DefectDojo/dojo/engagement/views.py" in import_scan_results
  417.                 parser = import_parser_factory(file, t)

File "/home/ubuntu/django-DefectDojo/dojo/tools/factory.py" in import_parser_factory
  50.         parser = DependencyCheckParser(file, test)

File "/home/ubuntu/django-DefectDojo/dojo/tools/dependencycheck/parser.py" in __init__
  61.         for dependency in dependencies.findall(self.namespace + 'dependency'):

Exception Type: AttributeError at /engagement/3/import_scan_results
Exception Value: 'NoneType' object has no attribute 'findall'

devGregA commented 7 years ago

hi @juhakivekas could you share the scan file please?

juhakivekas commented 7 years ago

The XML report is behind this link https://pastebin.com/nLQWmYJ7. If you are referring to another scan file, let me know

juhakivekas commented 7 years ago

Actually, that is the output of the DependencyCheck Jenkins plugin, not the stock OWASP DependencyCheck. However, the XML can be reliably reproduced with this command:

./bin/dependency-check.sh --scan ../juice-shop/ -f ALL --project juiceshop

juhakivekas commented 7 years ago

Apparently the xml namespace has changed since the parser was written. The namespaces seem to be quite different from each other too.

https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd (used by Defect Dojo)
https://jeremylong.github.io/DependencyCheck/dependency-check.1.5.xsd (used by DependencyCheck)
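The namespace mismatch described above is why `dependencies` is None in the traceback: `find()` with the hard-coded 1.3 prefix matches nothing in a 1.5 report, and the following `.findall` blows up. As an added example (not DefectDojo's own parser code), the snippet below shows the failing pattern beside a lookup that reads the namespace off the root element and reports a missing `<dependencies>` element explicitly. The sample report is constructed; its root element name (`analysis`) and the `fileName` child are assumptions about the format, while `dependencies`/`dependency` come from the traceback.

```python
import re
import xml.etree.ElementTree as ET

NS_1_3 = 'https://jeremylong.github.io/DependencyCheck/dependency-check.1.3.xsd'
NS_1_5 = 'https://jeremylong.github.io/DependencyCheck/dependency-check.1.5.xsd'


def sample_report(namespace_uri, with_dependencies=True):
    """Constructed minimal report. The root name 'analysis' and the
    'fileName' child are assumptions about the format; 'dependencies'
    and 'dependency' are the element names from the issue's traceback."""
    body = ''
    if with_dependencies:
        body = ('<dependencies>'
                '<dependency><fileName>lodash-4.17.4.tgz</fileName></dependency>'
                '<dependency><fileName>express-4.15.3.tgz</fileName></dependency>'
                '</dependencies>')
    return '<analysis xmlns="%s">%s</analysis>' % (namespace_uri, body)


def hardcoded_dependencies(xml_text, namespace_uri=NS_1_3):
    """The failing pattern: a fixed namespace prefix. Returns None for a
    report written under any other namespace, and a caller that then does
    .findall() on the result gets the AttributeError from the traceback."""
    root = ET.fromstring(xml_text)
    return root.find('{%s}dependencies' % namespace_uri)


def detect_namespace(root):
    """Return the '{uri}' prefix of the root tag, or '' if there is none."""
    match = re.match(r'(\{[^}]*\})', root.tag)
    return match.group(1) if match else ''


def dependency_file_names(xml_text):
    """Namespace-tolerant lookup: take the namespace from the root element
    and fail with a clear message instead of an AttributeError."""
    root = ET.fromstring(xml_text)
    ns = detect_namespace(root)
    dependencies = root.find(ns + 'dependencies')
    if dependencies is None:
        raise ValueError('no <dependencies> element under namespace %r' % ns)
    names = []
    for dependency in dependencies.findall(ns + 'dependency'):
        file_name = dependency.find(ns + 'fileName')
        names.append(file_name.text if file_name is not None else '')
    return names
```

Run on a 1.3 report both lookups succeed; on a 1.5 report only the namespace-aware one does, which is the behaviour the fix needs.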

devGregA commented 6 years ago

Believe to be fixed via: https://github.com/OWASP/django-DefectDojo/pull/406