Closed uyless closed 8 months ago
This can be closed @mtesauro
Also reported in: https://github.com/DefectDojo/django-DefectDojo/issues/10249
We still experience this bug in version 2.34.4. The input is a CycloneDX report which does not generate a description in the XML format.
16/May/2024 13:22:55] ERROR [dojo.api_v2.exception_handler:36] null value in column "description" of relation "dojo_finding" violates not-null constraint
We've concluded, after looking at the codebase, that there are 2 XML parser functions (a legacy one for CycloneDX 1.0, and a new one for a higher CDX version). This fix has only been merged on the legacy function after the refactor earlier this year. As we're using CycloneDX version 1.4+, the issue still persists.
Hi @k0mand1r,
could you please add a sample file? Then I can submit a bugfix.
Best
@k0mand1r It's also quite possible that whatever tool generated that XML file isn't valid per the CycloneDX spec - this wouldn't be the first time a tool produced "CycloneDX-like" output that didn't pass a validation test.
I'd suggest you use the cyclonedx tool to validate your XML files to ensure they are actually valid (and should be parsed by DefectDojo's parser). If it's valid and DefectDojo can't parse it, then there's definitely an issue with our parser. If it's not valid CycloneDX, then that's on the tool that output the XML file.
You can get the CLI tool at: https://github.com/CycloneDX/cyclonedx-cli
I've used it, it works great.
Bug description
Hey,
we are trying to implement a process in which we scan all our docker images with trivy. The resulting CycloneDX should be sent to DefectDojo. Some images had a CVE such as https://security-tracker.debian.org/tracker/TEMP-0290435-0B57B5. This CVE did not have a description in the beginning; after a few days Debian added one. Anyway, in DefectDojo the description field seems to be mandatory, but the specification of CycloneDX does not state any requirements on the fields of the vulnerability objects: https://cyclonedx.org/docs/1.5/json/#vulnerabilities_items_description. We were not able to import those CycloneDX SBOMs using the API /api/v2/reimport-scan/
That being said, I think such a requirement should also not be expected on CycloneDX SBOM imports.
Steps to reproduce
Expected behavior Import should be possible without giving a description in a vulnerability entry, at least since specification does not mention any requirements on this key.
Deployment method (select with an X)
Environment information
Logs
Sample scan files That's just a scan with trivy from ubuntu:latest and I added a vulnerability without description. ubuntu.json
Additional context (optional) First I was thinking to raise an issue at trivy but it seems wrong that the specification of CycloneDX does not mention a requirement on this field.
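The failure described in this issue is a parser handing the ORM a `None` description for a vulnerability entry that legitimately omits the optional field. The following is an added illustration, not DefectDojo's own parser code: it reads the `vulnerabilities` array from both a CycloneDX JSON document and a CycloneDX XML document (constructed samples embedded below, one entry with no description, as in the report above) and substitutes a non-null placeholder so the resulting finding never violates the NOT NULL constraint. The element names and the `http://cyclonedx.org/schema/bom/1.4` namespace are assumed from the CycloneDX schema; the placeholder wording is this example's own choice.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: CycloneDX 1.5 JSON, second entry has no "description" key.
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-2023-0001", "description": "Example flaw in libfoo"},
        {"id": "TEMP-0290435-0B57B5"},
    ],
})

# Constructed sample: the same two entries as CycloneDX 1.4 XML.
SAMPLE_XML = """<?xml version="1.0"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <vulnerabilities>
    <vulnerability><id>CVE-2023-0001</id>
      <description>Example flaw in libfoo</description></vulnerability>
    <vulnerability><id>TEMP-0290435-0B57B5</id></vulnerability>
  </vulnerabilities>
</bom>"""


def _finding(vuln_id, description):
    # Description is optional in the CycloneDX spec but NOT NULL in the
    # findings table, so an absent/empty value must become a real string.
    if not description:
        description = f"No description provided for {vuln_id}"  # assumed placeholder
    return {"title": vuln_id, "description": description}


def parse_json_vulnerabilities(text):
    """Return findings for every vulnerability in a CycloneDX JSON document."""
    doc = json.loads(text)
    return [_finding(v.get("id", "UNKNOWN"), v.get("description"))
            for v in doc.get("vulnerabilities", [])]


def parse_xml_vulnerabilities(text):
    """Return findings for every vulnerability in a CycloneDX XML document."""
    root = ET.fromstring(text)
    # ElementTree prefixes tags with "{namespace}"; reuse whatever the root declares.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    findings = []
    for v in root.iter(f"{ns}vulnerability"):
        # findtext() returns None when the element is missing, which _finding handles.
        findings.append(_finding(v.findtext(f"{ns}id", "UNKNOWN"),
                                 v.findtext(f"{ns}description")))
    return findings
```

The same defaulting has to live in every parser path (JSON and both XML functions), which is exactly why the fix landing only in the legacy XML parser left 1.4+ reports still failing.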