OWASP / glue

Application Security Automation

Duplicate tasks in JIRA #157

Open ghost opened 5 years ago

ghost commented 5 years ago

Description: Tasks are created in the JIRA system, but the filter that eliminates duplication does not work. Duplicates are created because the JQL query is incorrect and the check against the "fingerprint" is done incorrectly.

Proposed solution: I found a working solution: https://community.atlassian.com/t5/Jira-questions/CONTAINS-does-not-seem-to-work-when-searching-description/qaq-p/408602. I tested this solution on a local machine and it works.

ghost commented 5 years ago

The problem is the "_" symbol in the fingerprints. The CONTAINS (~) operator does not handle the fingerprint correctly.

Maybe remove the "_" symbol from the fingerprint, by changing the jq instruction "fingerprint": "\($in.pluginid)_\($h.uri)_\($h.method)" to "fingerprint": "\($in.pluginid) \($h.uri) \($h.method)".

@omerlh What do you think about such an idea?

omerlh commented 5 years ago

Sounds good! Seems like there is no need for a PR, right?

ghost commented 5 years ago

@omerlh Unfortunately, the solution does not work. The JQL filter is incorrect. I tested it.

Current JQL query: (screenshot: zrzut1)

Modified JQL query (based on https://community.atlassian.com/t5/Jira-questions/CONTAINS-does-not-seem-to-work-when-searching-description/qaq-p/408602). Below is an example output: (screenshot: zrzut2)

I hope you understand :-). The current filter does not find any tasks, and duplicates are created. I think the error is in the file glue/lib/glue/filters/jira_one_time_filter.rb (line 46). I would like to deploy Glue in production, and correct reporting is very important, so I am asking for a PR.

omerlh commented 5 years ago

Will you be able to contribute this PR?

ghost commented 5 years ago

I will try :-), but I will need help with the modification of /glue/lib/glue/filters/jira_one_time_filter.rb:46.

I changed jira.Issue.jql("project = #{@project} AND description ~ '#{finding.fingerprint}' AND resolution is EMPTY").each do |issue|

to jira.Issue.jql("project = #{@project} AND description ~ '"\"#{finding.fingerprint}\""' AND resolution is EMPTY").each do |issue|

I tried this way, but I get the error:

/usr/local/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:117:in `require': /glue/lib/glue/filters/jira_one_time_filter.rb:46: syntax error, unexpected $undefined, expecting ')' (SyntaxError)
project} AND description ~ '"\"#{finding.fingerprint}\""' AN
                              ^
/glue/lib/glue/filters/jira_one_time_filter.rb:46: unterminated string meets end of file
/glue/lib/glue/filters/jira_one_time_filter.rb:46: syntax error, unexpected end-of-input, expecting keyword_end
    from /usr/local/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:117:in `require'
    from /glue/lib/glue/filters.rb:40:in `block in <top (required)>'
    from /glue/lib/glue/filters.rb:39:in `each'
    from /glue/lib/glue/filters.rb:39:in `<top (required)>'
    from /usr/local/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:54:in `require'
    from /usr/local/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:54:in `require'
    from /glue/lib/glue.rb:248:in `scan'
    from /glue/lib/glue.rb:47:in `run'
    from bin/glue:58:in `<main>'
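
The quoting the thread is trying to reach can be built in a few lines once the two escaping layers are kept apart. The following is an added example, not glue's own code and not the patch discussed in this issue. It assumes the fingerprint format from the jq mapping quoted earlier ("<pluginid>_<uri>_<method>"), the query shape from the comment above, and helper names (build_fingerprint, jql_escape, exact_phrase_clause, duplicate_search_jql, duplicate?) and a sample issue list that are all constructed for illustration. The point it demonstrates is the one the linked Atlassian answer makes: CONTAINS (~) is a text search over an index that splits the description into words, so a value held together by underscores, colons and slashes is not found as a single term, while a value wrapped in escaped double quotes inside the JQL string is matched as an exact phrase.

```ruby
# Added example (not glue's own code): building the duplicate-check JQL that a
# JIRA one-time filter would run, with the fingerprint matched as an exact
# phrase instead of being tokenised by JIRA's text search.
#
# Assumptions, taken from the thread rather than from glue's source:
#   - a fingerprint is "<pluginid>_<uri>_<method>" (the jq mapping quoted above)
#   - the filter's query has the shape
#       project = <KEY> AND description ~ '<fingerprint>' AND resolution is EMPTY

# Compose the fingerprint the way the jq mapping in the thread does.
def build_fingerprint(pluginid, uri, method)
  [pluginid, uri, method].join('_')
end

# Escape a value for use inside a JQL double-quoted string literal. Only the
# backslash and the double quote carry meaning there; "_" and "/" are literal.
# The URI part of a fingerprint comes from scanner output, so it is escaped
# rather than interpolated raw, which also keeps odd characters from breaking
# the query.
def jql_escape(value)
  value.to_s.gsub(/["\\]/) { |c| "\\#{c}" }
end

# Produce `field ~ "\"phrase\""`. Two escaping layers are applied on purpose:
# the inner quotes turn the value into a phrase for the text search, and the
# outer layer makes that phrase a valid JQL string literal.
def exact_phrase_clause(field, phrase)
  phrase_query = %Q("#{jql_escape(phrase)}")     # what the text search will see
  %Q(#{field} ~ "#{jql_escape(phrase_query)}")   # wrapped as a JQL string
end

# The query shape from the thread, with the fingerprint as an exact phrase.
def duplicate_search_jql(project, fingerprint)
  [
    %Q(project = "#{jql_escape(project)}"),
    exact_phrase_clause('description', fingerprint),
    'resolution is EMPTY'
  ].join(' AND ')
end

# The original single-quoted form from the thread, kept for comparison only.
def legacy_search_jql(project, fingerprint)
  "project = #{project} AND description ~ '#{fingerprint}' AND resolution is EMPTY"
end

# Offline stand-in for the JIRA call, implementing the rule the JQL expresses:
# an unresolved issue whose description contains the fingerprint verbatim.
# `issues` is a constructed list of hashes with :key, :description, :resolution.
def duplicate?(issues, fingerprint)
  issues.any? { |i| i[:resolution].nil? && i[:description].include?(fingerprint) }
end

if __FILE__ == $PROGRAM_NAME
  fp = build_fingerprint('10016', 'http://example.test/login', 'GET')
  puts legacy_search_jql('SEC', fp)
  puts duplicate_search_jql('SEC', fp)

  # Constructed sample of what the tracker might hold.
  issues = [
    { key: 'SEC-1', description: "Found by ZAP\nFingerprint: #{fp}", resolution: nil },
    { key: 'SEC-2', description: "Fingerprint: #{fp}", resolution: 'Fixed' }
  ]
  puts "duplicate of an open issue? #{duplicate?(issues, fp)}"
end
```

Running the script prints the single-quoted query from the thread next to the exact-phrase form, e.g. project = "SEC" AND description ~ "\"10016_http://example.test/login_GET\"" AND resolution is EMPTY. The value inside the JQL string is escaped for the JQL string literal only; JIRA's own query parser does the rest, so the Ruby code never needs the nested-quote construction that produced the syntax error above.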

omerlh commented 5 years ago

Let's move to OWASP slack, it will be faster - feel free to ping me there :)

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.