DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License
3.69k stars 1.55k forks

Wazuh Import Error #8124

Closed SeanWrightFeat closed 1 year ago

SeanWrightFeat commented 1 year ago

Bug description

If a vulnerability in a Wazuh import has the severity of Untriaged, this results in an error in the import since this doesn't map to a severity within DefectDojo:

[18/May/2023 12:34:37] ERROR [dojo.api_v2.exception_handler:32] 'Untriaged'
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 506, in dispatch
    response = handler(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/mixins.py", line 19, in create
    self.perform_create(serializer)
  File "/app/dojo/api_v2/views.py", line 2302, in perform_create
    serializer.save(push_to_jira=push_to_jira)
  File "/app/dojo/api_v2/serializers.py", line 1674, in save
    test, finding_count, closed_finding_count, test_import = importer.import_scan(scan, scan_type, engagement, lead, environment,
                                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/importers/importer/importer.py", line 337, in import_scan
    new_findings = self.process_parsed_findings(test, parsed_findings, scan_type, user, active=active,
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/decorators.py", line 47, in __wrapper__
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/celery/local.py", line 188, in __call__
    return self._get_current_object()(*a, **kw)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/celery/app/task.py", line 392, in __call__
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/dojo/importers/importer/importer.py", line 79, in process_parsed_findings
    if minimum_severity and (Finding.SEVERITIES[item.severity] >
                             ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'Untriaged'

Steps to reproduce the behavior:

  1. Import a Wazuh import where a vulnerability has the status of Untriaged

Logs

[18/May/2023 12:34:37] ERROR [django.request:241] Internal Server Error: /api/v2/import-scan/

Sample scan files

{
  "data": {
      "affected_items": [
          {
            "architecture": "amd64",
            "condition": "Package less than 4.3.2",
            "cve": "CVE-1234-123123",
            "cvss2_score": 0,
            "cvss3_score": 5.5,
            "detection_time": "2023-02-08T13:55:10Z",
            "external_references": [
                "https://nvd.nist.gov/vuln/detail/CVE-YYYY-XXXXX",
                "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-XXXXX"
            ],
            "name": "asdf",
            "published": "2022-09-01",
            "severity": "Untriaged",
            "status": "VALID",
            "title": "CVE-YYYY-XXXXX affects asdf",
            "type": "PACKAGE",
            "updated": "2022-09-07",
            "version": "4.3.1"
        }
      ],
      "failed_items": [],
      "total_affected_items": 1,
      "total_failed_items": 0
  },
  "error": 0,
  "message": "All selected vulnerabilities were returned"
}

manuel-sommer commented 1 year ago

@damiencarol and @mtesauro: This issue results from this commit: https://github.com/DefectDojo/django-DefectDojo/pull/7684/commits/74a4fc886e259b2ddc8734137a37682bb673e9a3

We have two options here to resolve this:

  1. Set a default severity for "untriaged"
  2. Skip all "untriaged" findings. It will be processed as soon as it has an official severity.

The problem is that in case 1 we rely on the possibility to automatically update the severity of a finding. Is this planned for V3?

mtesauro commented 1 year ago

@manuel-sommer I assume "untriaged" is the same as the "Pending" described here

If that's the case, I'd skip all 'untriaged' findings as Wazuh isn't sure they're really vulnerable at the time the file was generated. Also, subsequent Wazuh scans will show those as "valid" in future imports so they will be findings in DefectDojo once Wazuh is sure of their state.

I'd personally rather have untriaged findings dropped than cluttering up DefectDojo.

There's maybe a case to bring them in under Info but since info findings aren't actionable, I don't see how adding info findings into DefectDojo for Wazuh imports adds any value for the DefectDojo users.

HTH
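As an added example (not DefectDojo's parser code and not code posted in this thread), the Python below sketches the option the maintainers settled on: items whose severity is not one DefectDojo knows ("Untriaged", or anything else unexpected) are skipped and reported, instead of being fed straight into a `SEVERITIES[...]` lookup that raises `KeyError` and aborts the whole `/api/v2/import-scan/` request. The `SEVERITIES` table is an assumption modelled on DefectDojo's ordering (lower number is more severe), the sample report is constructed from the one in the issue with two extra items, and the keys of the returned finding dicts are illustrative rather than the project's model fields.

```python
"""Added example: parsing a Wazuh vulnerability-detector JSON export and
skipping 'Untriaged' items instead of crashing on an unknown severity.
Not DefectDojo's own parser; SEVERITIES and field names are assumptions."""
import json

# Assumption: ordering modelled on DefectDojo's Finding.SEVERITIES,
# where a lower number means a more severe finding.
SEVERITIES = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}

# Constructed sample modelled on the report in the issue: the original
# 'Untriaged' item plus two items with severities DefectDojo understands.
SAMPLE_REPORT = json.dumps({
    "data": {
        "affected_items": [
            {"name": "asdf", "version": "4.3.1", "cve": "CVE-1234-123123",
             "severity": "Untriaged", "status": "VALID", "cvss3_score": 5.5,
             "title": "CVE-YYYY-XXXXX affects asdf"},
            {"name": "libfoo", "version": "1.0.0", "cve": "CVE-1234-000001",
             "severity": "High", "status": "VALID", "cvss3_score": 8.1,
             "title": "CVE-1234-000001 affects libfoo"},
            {"name": "libbar", "version": "2.0.0", "cve": "CVE-1234-000002",
             "severity": "Medium", "status": "VALID", "cvss3_score": 5.0,
             "title": "CVE-1234-000002 affects libbar"},
        ],
        "failed_items": [], "total_affected_items": 3, "total_failed_items": 0,
    },
    "error": 0, "message": "All selected vulnerabilities were returned",
})


def unsafe_filter(report_text, minimum_severity):
    """The pattern behind the traceback: index SEVERITIES with whatever
    string the scanner supplied. Raises KeyError('Untriaged') on the sample."""
    items = json.loads(report_text)["data"]["affected_items"]
    return [i for i in items
            if SEVERITIES[i["severity"]] <= SEVERITIES[minimum_severity]]


def parse_wazuh(report_text, minimum_severity="Info"):
    """Return (findings, skipped).

    Items whose severity is not a known DefectDojo severity are collected in
    `skipped` as (cve, severity) pairs and never reach the minimum-severity
    comparison, so one odd item cannot fail the whole import. Items below
    `minimum_severity` are dropped with the same rule the importer applies."""
    data = json.loads(report_text)
    findings, skipped = [], []
    for item in data.get("data", {}).get("affected_items", []):
        severity = item.get("severity", "")
        if severity not in SEVERITIES:
            skipped.append((item.get("cve"), severity))
            continue
        if SEVERITIES[severity] > SEVERITIES[minimum_severity]:
            continue
        findings.append({
            "title": item.get("title")
            or f"{item.get('cve')} affects {item.get('name')}",
            "severity": severity,
            "cve": item.get("cve"),
            "component_name": item.get("name"),
            "component_version": item.get("version"),
            "cvssv3_score": item.get("cvss3_score"),
        })
    return findings, skipped


if __name__ == "__main__":
    found, dropped = parse_wazuh(SAMPLE_REPORT)
    print(f"imported {len(found)} finding(s), skipped {dropped}")
```

Returning the skipped items alongside the findings lets the caller log them (or surface them in the import summary) so an operator can see that Wazuh has not yet assigned a severity, which is the information mtesauro's comment says will arrive in a later scan anyway.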

manuel-sommer commented 1 year ago

@mtesauro I agree with this and will add a PR today / tomorrow.

manuel-sommer commented 1 year ago

You can close this issue @SeanWrightFeat

mtesauro commented 1 year ago

I got it.

SeanWrightFeat commented 1 year ago

Thanks for all the help with this, really appreciate it!

mtesauro commented 1 year ago

@SeanWrightFeat Thanks for the PR - we always appreciate the community's work to make DefectDojo even better :+1: