DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License
3.66k stars, 1.54k forks

CVSS Regex in models.py is not good #8264

Open HelpMe-AC opened 1 year ago

HelpMe-AC commented 1 year ago

Hi Team!

I'm writing a new API lib to import data from a specific tool. When calling the "Finding" model to import a vulnerability into DefectDojo, an error occurs because the "cvssv3_regex" is not consistent with the cvss library used by DefectDojo.

The regex used is at line 2009: `cvssv3_regex = RegexValidator(regex=r'^AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]', message="CVSS must be entered in format: 'AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'")`.

The 'cvss' lib is able to handle CVSSv2 and CVSSv3. For this to work, we have to prefix the CVSS vector with "CVSS:3.0/", which is not accepted by the regex in defectdojo/dojo/models.py. Also, the slash is not in the regex, so it needs to be added at the end of the regex.

I suggest this improvement: `cvssv3_regex = RegexValidator(regex=r'^CVSS:3.0\/AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|\/', message="CVSS must be entered in format: 'AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'")`.

So importing an existing CVSSv3 vector from a vuln tool is not possible and the CVSSv3 score will not be calculated.

Steps to reproduce the behavior: Import a CVSSv3 vector by using the 'Finding' model of DefectDojo.

Deployment method (select with an X)

damiencarol commented 1 year ago

We should use the package cvss