
Update views.py to fix #10162

Open • devsecopsale opened this issue 1 year ago • 1 comment

This line keeps the finding template's cvssv3 field in the newly created finding.

:warning: Note on feature completeness :warning:

We are narrowing the scope of acceptable enhancements to DefectDojo in preparation for v3. Learn more here: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md

Description

This is a fix for #10162. The cvssv3 vector will be preserved from the finding template.

Test results

It was tested and it works. It preserves the cvssv3 vector in the newly created finding.

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

  • [ ] Make sure to rebase your PR against the very latest dev.
  • [ ] Features/Changes should be submitted against the dev.
  • [ ] Bugfixes should be submitted against the bugfix branch.
  • [ ] Give a meaningful name to your PR, as it may end up being used in the release notes.
  • [ ] Your code is flake8 compliant.
  • [ ] Your code is python 3.11 compliant.
  • [ ] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • [ ] Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • [ ] Add applicable tests to the unit tests.
  • [ ] Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request; it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work on top of the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

git mergetool
git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev
  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease

devsecopsale avatar May 09 '24 12:05 devsecopsale
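The PR above says only that the new finding now keeps the template's cvssv3 vector. The block below is an added illustration of that bug class and its fix; it is not DefectDojo's code and the dataclasses are constructed stand-ins for the project's FindingTemplate and Finding models, not the real ones. It models the pre-fix copy (cvssv3 silently dropped), the fixed copy, a regression check of the kind the "Add applicable tests" checklist item asks for, and, as an addition the PR does not contain, a well-formedness check on the CVSS v3.0/3.1 base vector before it is propagated, so a malformed template vector cannot taint every finding created from it. It assumes templates store base-metric vectors only; temporal and environmental metrics are rejected by the validator.

```python
from dataclasses import dataclass, fields
from typing import List, Optional


# Constructed stand-ins for DefectDojo's FindingTemplate and Finding models
# (assumption: the real models carry many more fields; only those copied
# here are modelled).
@dataclass
class FindingTemplate:
    title: str
    severity: str
    description: str = ""
    mitigation: str = ""
    impact: str = ""
    references: str = ""
    cwe: Optional[int] = None
    cvssv3: Optional[str] = None


@dataclass
class Finding:
    title: str
    severity: str
    description: str = ""
    mitigation: str = ""
    impact: str = ""
    references: str = ""
    cwe: Optional[int] = None
    cvssv3: Optional[str] = None


# Base metrics every CVSS v3.0/v3.1 vector must carry, with the letters each allows.
CVSS3_BASE_METRICS = {
    "AV": "NALP",  # Attack Vector: Network, Adjacent, Local, Physical
    "AC": "LH",    # Attack Complexity: Low, High
    "PR": "NLH",   # Privileges Required: None, Low, High
    "UI": "NR",    # User Interaction: None, Required
    "S": "UC",     # Scope: Unchanged, Changed
    "C": "HLN",    # Confidentiality impact: High, Low, None
    "I": "HLN",    # Integrity impact: High, Low, None
    "A": "HLN",    # Availability impact: High, Low, None
}


def is_valid_cvssv3_vector(vector: Optional[str]) -> bool:
    """True if `vector` is a well-formed CVSS v3.0/v3.1 base vector.

    Checks the version prefix, that each base metric appears exactly once
    with an allowed value, and that no unknown metric is present.
    """
    if not vector:
        return False
    parts = vector.split("/")
    if parts[0] not in ("CVSS:3.0", "CVSS:3.1"):
        return False
    seen = set()
    for part in parts[1:]:
        if ":" not in part:
            return False
        metric, value = part.split(":", 1)
        allowed = CVSS3_BASE_METRICS.get(metric)
        # unknown metric, repeated metric, or a value the metric does not allow
        if allowed is None or metric in seen or len(value) != 1 or value not in allowed:
            return False
        seen.add(metric)
    return seen == set(CVSS3_BASE_METRICS)


def new_finding_from_template_before_fix(template: FindingTemplate) -> Finding:
    """Pre-fix behaviour the PR describes: cvssv3 is never copied, so it is lost."""
    return Finding(
        title=template.title,
        severity=template.severity,
        description=template.description,
        mitigation=template.mitigation,
        impact=template.impact,
        references=template.references,
        cwe=template.cwe,
    )


def new_finding_from_template(template: FindingTemplate) -> Finding:
    """Post-fix behaviour: the cvssv3 vector is carried over as well.

    The validation step is this example's addition, not part of the PR.
    """
    finding = new_finding_from_template_before_fix(template)
    if template.cvssv3 is not None:
        if not is_valid_cvssv3_vector(template.cvssv3):
            raise ValueError(
                f"template {template.title!r} has a malformed CVSS v3 vector: {template.cvssv3!r}"
            )
        finding.cvssv3 = template.cvssv3
    return finding


def missing_fields(template: FindingTemplate, finding: Finding) -> List[str]:
    """Template fields that were set but did not reach the finding: the check a
    regression test for this bug can assert is empty."""
    return [
        f.name
        for f in fields(template)
        if getattr(template, f.name) not in (None, "")
        and getattr(finding, f.name) != getattr(template, f.name)
    ]


if __name__ == "__main__":
    # Constructed sample template, not real DefectDojo data.
    tmpl = FindingTemplate(
        title="Reflected XSS in search",
        severity="Medium",
        cwe=79,
        cvssv3="CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    )
    print("before fix, dropped:", missing_fields(tmpl, new_finding_from_template_before_fix(tmpl)))
    print("after fix, dropped: ", missing_fields(tmpl, new_finding_from_template(tmpl)))
```

The `missing_fields` helper is the piece worth keeping around: run against every template-to-finding path, it catches the next field that silently goes missing, not just cvssv3.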

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

DryRun Security                  Status               Findings
Configured Codepaths Analyzer    :x:                  1 finding
Sensitive Files Analyzer         :white_check_mark:   0 findings
AppSec Analyzer                  :white_check_mark:   0 findings
Authn/Authz Analyzer             :white_check_mark:   0 findings
Secrets Analyzer                 :white_check_mark:   0 findings

Note: :red_circle: Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code change in this pull request is related to the add_temp_finding function in the dojo/test/views.py file. The change adds the cvssv3 field to the new_finding object, which is being created from a finding template.

From an application security perspective, this change is a positive improvement as it ensures that the CVSS v3 score associated with the finding template is carried over to the new finding that is being created. The CVSS (Common Vulnerability Scoring System) is a widely used standard for assessing the severity of security vulnerabilities, and having accurate CVSS scores is important for prioritizing and addressing security issues. By including the cvssv3 field in the new finding, the application is providing more detailed information about the potential impact and risk associated with the vulnerability, which can help security teams make more informed decisions about how to address the issue.

Overall, this change seems to be a reasonable and security-conscious improvement to the application's functionality.

Files Changed:

  • dojo/test/views.py: The code change in this file adds the cvssv3 field to the new_finding object, which is being created from a finding template. This ensures that the CVSS v3 score associated with the finding template is carried over to the new finding, providing more detailed information about the potential impact and risk associated with the vulnerability.

Powered by DryRun Security

dryrunsecurity[bot] avatar May 09 '24 12:05 dryrunsecurity[bot]

Hi @dougmorato, could you review this one when you have the chance? Thank you.

devsecopsale avatar May 31 '24 14:05 devsecopsale