django-DefectDojo
Linking Vulnerabilities Across Multiple Engagements to Display All Impacted Hosts
Hello, I have an issue that I can't resolve. Maybe I am using the DefectDojo import incorrectly, I'm not sure.
I have automated the retrieval of CVEs for the machines in my IT infrastructure. I use products to separate each client's infrastructure.
Under each product (which represents a client for me), I import my CVEs in OSV format. To be able to add my hosts and assign the correct CVEs to them, I have to import one OSV file per machine, which creates a new Engagement each time.
The problem is that, with this method, a CVE is linked to only one specific host.
As a result, the "Vulnerable Endpoints" section in the vulnerability view is no longer relevant.
Is it possible for DefectDojo to automatically recognize similar vulnerabilities across different Engagements, and thus provide the complete list of impacted hosts?
In general I think Defect Dojo expects the report to already aggregate the vulnerabilities across endpoints. It specifically checks for endpoints between similar vulnerabilities to be the same before the findings are considered as a duplicate of each other. Is there a reason why you have a separate report per endpoint? Which scanner are you using? Some scanners can aggregate vulnerabilities per endpoint in their report. And some parsers in defect dojo perform some aggregation inside the parser, but this is not the most common implementation.
Hi, thanks for your reply. To keep it simple: I use Ansible with AWX to retrieve the packages and their versions, then I process them with a custom script that converts each file (I have one package + version file per machine) into JSON in the OSV format. Then, I create a host in DefectDojo with a name matching the filename using the API, and I send the OSV JSON to DefectDojo by specifying the ID of the corresponding host (which was just created).
I might not be using the tool properly; if you have any recommendations on a better way to use DefectDojo in my case, I'm open to suggestions!
In general Defect Dojo expects any aggregation of multiple endpoints into a single finding to be done by the scanner before being uploaded to Defect Dojo. I'm not aware if there are many scanners doing that. Maybe there are some parsers that perform some aggregation inside defect dojo, but not the OSV parser. Did you look at other scanners to scan your endpoints/hosts? I'm not too familiar with them. You could also update your scripts to perform the aggregation before generating the OSV format, but I am aware that would complicate your scripts. In Defect Dojo Pro there's a "Smart upload" feature that is helpful when doing infrastructure type of scans and divide findings over multiple products. But I don't think it will cover this use case.
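The aggregation step suggested in the reply above, as an added example that is not part of the thread and not DefectDojo's own code: instead of converting each host's package list into its own report, merge every host's inventory first, look each unique (ecosystem, package, version) up once, and emit one record per vulnerability that carries all affected hosts. The inventories and the vulnerability lookup table are constructed stand-ins (a real script would query the OSV API per unique package, and the vulnerability IDs below are placeholders, not real advisories); the output field names are this example's own and still have to be mapped onto whatever report layout the importer accepts.

```python
"""Aggregate per-host package inventories before converting them to OSV-style
JSON, so each vulnerability becomes one finding listing every affected host.
Added example; not code from DefectDojo or from the thread's author."""
import json
from collections import defaultdict

# Constructed sample of what an Ansible/AWX package-collection step might return:
# hostname -> list of (ecosystem, package, version). Values are made up.
SAMPLE_INVENTORIES = {
    "web-01.example.test": [("Debian", "openssl", "3.0.11-1"), ("Debian", "curl", "7.88.1-10")],
    "web-02.example.test": [("Debian", "openssl", "3.0.11-1"), ("Debian", "nginx", "1.22.1-9")],
    "db-01.example.test":  [("Debian", "openssl", "3.0.13-1"), ("Debian", "curl", "7.88.1-10")],
}

# Constructed stand-in for the vulnerability lookup. A real script would query
# the OSV API once per unique (ecosystem, package, version); the IDs below are
# placeholders, not real advisories.
SAMPLE_LOOKUP = {
    ("Debian", "openssl", "3.0.11-1"): ["CONSTRUCTED-0001", "CONSTRUCTED-0003"],
    ("Debian", "openssl", "3.0.13-1"): ["CONSTRUCTED-0003"],
    ("Debian", "curl", "7.88.1-10"): ["CONSTRUCTED-0002"],
    ("Debian", "nginx", "1.22.1-9"): [],
}


def group_packages(inventories):
    """Map each unique (ecosystem, package, version) to the sorted hosts running it.
    Looking vulnerabilities up per unique package instead of per host line avoids
    repeated lookups for identical versions."""
    hosts_by_pkg = defaultdict(set)
    for host, packages in inventories.items():
        for pkg in packages:
            hosts_by_pkg[tuple(pkg)].add(host)
    return {pkg: sorted(hosts) for pkg, hosts in hosts_by_pkg.items()}


def aggregate_findings(inventories, lookup):
    """One record per vulnerability ID with every affected package version and host.
    A vulnerability spanning several package versions still yields a single record."""
    findings = {}
    for pkg, hosts in group_packages(inventories).items():
        for vuln_id in lookup.get(pkg, []):
            rec = findings.setdefault(vuln_id, {"affected_packages": set(), "hosts": set()})
            rec["affected_packages"].add(pkg)
            rec["hosts"].update(hosts)
    return {
        vuln_id: {
            "affected_packages": sorted(rec["affected_packages"]),
            "hosts": sorted(rec["hosts"]),
        }
        for vuln_id, rec in sorted(findings.items())
    }


def count_per_host_findings(inventories, lookup):
    """How many findings the one-report-per-host approach produces: the same
    vulnerability is counted once for every host it appears on."""
    return sum(
        len(lookup.get(tuple(pkg), []))
        for packages in inventories.values()
        for pkg in packages
    )


def to_report(findings):
    """Serialise the aggregated findings as JSON. Field names are this example's
    own (assumption); map them onto the layout the DefectDojo importer expects."""
    return json.dumps(
        [
            {
                "id": vuln_id,
                "affected": [
                    {"package": {"ecosystem": eco, "name": name}, "versions": [ver]}
                    for eco, name, ver in rec["affected_packages"]
                ],
                "hosts": rec["hosts"],
            }
            for vuln_id, rec in findings.items()
        ],
        indent=2,
    )


if __name__ == "__main__":
    agg = aggregate_findings(SAMPLE_INVENTORIES, SAMPLE_LOOKUP)
    print(f"per-host findings: {count_per_host_findings(SAMPLE_INVENTORIES, SAMPLE_LOOKUP)}, "
          f"aggregated: {len(agg)}")
    print(to_report(agg))
```

With the constructed sample the per-host approach yields seven findings for three distinct vulnerabilities, while the aggregated output yields three records, each listing every host that runs an affected version. Uploading that single report per product, with the hosts attached as endpoints, is what lets the "Vulnerable Endpoints" view show the full list instead of one host per engagement.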