django-DefectDojo
Add a CSAF Parser/Importer
We are a team of university students from Hochschule Furtwangen University in Furtwangen, Germany. As part of a scientific research project, we were tasked with creating a DefectDojo parser for the CSAF v2 format. The JSON schema that we added is the official CSAF schema from OASIS.
Feel free to review our code and we're happy to apply all feedback! :)
The CSAF specification can be found here: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf
Currently, two of the unit tests are failing. This is because we had the idea of attaching the imported JSON file to the test itself so that it can be re-downloaded at a later point in time. This, however, seems to break the unit tests with the following backtrace:
Traceback (most recent call last):
File "/app/unittests/tools/test_csaf_parser.py", line 18, in test_parse_file_has_two_findings
findings = parser.get_findings(testfile, Test())
File "/app/dojo/tools/csaf/parser.py", line 39, in get_findings
return csaf_import(dd_test, file, csaf)
File "/app/dojo/tools/csaf/parser.py", line 86, in csaf_import
file_upload.save()
File "/usr/local/lib/python3.8/site-packages/django/db/models/base.py", line 739, in save
self.save_base(using=using, force_insert=force_insert,
File "/usr/local/lib/python3.8/site-packages/django/db/models/base.py", line 776, in save_base
updated = self._save_table(
File "/usr/local/lib/python3.8/site-packages/django/db/models/base.py", line 881, in _save_table
results = self._do_insert(cls._base_manager, using, fields, returning_fields, raw)
File "/usr/local/lib/python3.8/site-packages/django/db/models/base.py", line 919, in _do_insert
return manager._insert(
File "/usr/local/lib/python3.8/site-packages/django/db/models/manager.py", line 85, in manager_method
return getattr(self.get_queryset(), name)(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 1270, in _insert
return query.get_compiler(using=using).execute_sql(returning_fields)
File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1415, in execute_sql
for sql, params in self.as_sql():
File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1358, in as_sql
value_rows = [
File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1359, in <listcomp>
[self.prepare_value(field, self.pre_save_val(field, obj)) for field in fields]
File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1359, in <listcomp>
[self.prepare_value(field, self.pre_save_val(field, obj)) for field in fields]
File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1310, in pre_save_val
return field.pre_save(obj, add=True)
File "/usr/local/lib/python3.8/site-packages/django/db/models/fields/files.py", line 300, in pre_save
if file and not file._committed:
AttributeError: '_io.TextIOWrapper' object has no attribute '_committed'
Do you have any advice on how to proceed here, or is this even the intended use of the file field?
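For readers who want to see what a CSAF v2 import has to do before it touches any Django model, here is an added, self-contained example of the core mapping (it is not the parser from this PR and not DefectDojo's own code). It reads a small advisory constructed for this example, resolves CSAF `product_id` values through the `product_tree` (both `full_product_names` and nested `branches`, as the OASIS schema defines them), and emits one finding per vulnerability and affected product, taking the severity from the CVSS v3 `baseSeverity` where a score covers that product and falling back to the numeric `baseScore`. The finding dicts use keys that mirror DefectDojo's Finding fields (`title`, `cve`, `severity`, `component_name`, `description`, `unique_id_from_tool`) but are plain dicts, so the script runs without Django; the CVE, product names and tracking id are placeholders.

```python
import json

# Constructed minimal CSAF 2.0 advisory (placeholder values, not a real advisory).
# Field names follow the OASIS CSAF 2.0 JSON schema.
SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "title": "Example advisory",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://example.invalid"},
        "tracking": {"id": "EXAMPLE-0000-0001", "status": "final", "version": "1",
                     "initial_release_date": "2000-01-01T00:00:00Z",
                     "current_release_date": "2000-01-01T00:00:00Z"},
    },
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
            {"category": "product_name", "name": "Example Product", "branches": [
                {"category": "product_version", "name": "1.0",
                 "product": {"product_id": "CSAFPID-0001", "name": "Example Product 1.0"}},
                {"category": "product_version", "name": "1.1",
                 "product": {"product_id": "CSAFPID-0002", "name": "Example Product 1.1"}},
            ]}]}]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-0000-0000",  # placeholder identifier
            "title": "Constructed vulnerability with a score",
            "notes": [{"category": "description", "text": "Constructed description text."}],
            "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
            "scores": [{"products": ["CSAFPID-0001"],
                        "cvss_v3": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                    "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
        },
        {
            # No CVE and no score: the importer must still produce a usable finding.
            "title": "Constructed vulnerability without CVE or score",
            "product_status": {"known_affected": ["CSAFPID-0002"]},
        },
    ],
})

# CSAF/CVSS severity labels -> DefectDojo severity labels.
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium",
                "LOW": "Low", "NONE": "Info"}


def severity_from_score(score):
    """Map a numeric CVSS base score onto the CVSS v3 qualitative scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def build_product_index(product_tree):
    """Return {product_id: human-readable name} from full_product_names and nested branches."""
    names = {fpn["product_id"]: fpn["name"] for fpn in product_tree.get("full_product_names", [])}

    def walk(branches):
        for branch in branches:
            if "product" in branch:  # leaf branch carrying a full_product_name_t
                names[branch["product"]["product_id"]] = branch["product"]["name"]
            walk(branch.get("branches", []))

    walk(product_tree.get("branches", []))
    return names


def severity_for(vuln, product_id):
    """Pick the severity of the first score entry that covers product_id; default Info."""
    for score in vuln.get("scores", []):
        if product_id not in score.get("products", []):
            continue
        cvss = score.get("cvss_v3")
        if cvss and "baseSeverity" in cvss:
            return SEVERITY_MAP.get(str(cvss["baseSeverity"]).upper(), "Info")
        cvss = cvss or score.get("cvss_v2")
        if cvss and "baseScore" in cvss:
            return severity_from_score(float(cvss["baseScore"]))
    return "Info"


def get_findings(csaf_text):
    """Turn a CSAF 2.0 document into finding dicts: one per (vulnerability, known_affected product)."""
    data = json.loads(csaf_text)
    products = build_product_index(data.get("product_tree", {}))
    advisory_id = data["document"]["tracking"]["id"]
    findings = []
    for vuln in data.get("vulnerabilities", []):
        cve = vuln.get("cve")
        title = vuln.get("title") or cve or f"{advisory_id} (untitled vulnerability)"
        description = "\n".join(n["text"] for n in vuln.get("notes", [])
                                if n.get("category") == "description")
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            findings.append({
                "title": title,
                "cve": cve,
                "severity": severity_for(vuln, pid),
                "component_name": products.get(pid, pid),  # fall back to the raw product_id
                "description": description or f"See advisory {advisory_id}",
                # Stable key so re-imports of the same advisory deduplicate per product.
                "unique_id_from_tool": f"{advisory_id}:{cve or title}:{pid}",
            })
    return findings


if __name__ == "__main__":
    for finding in get_findings(SAMPLE_CSAF):
        print(finding["severity"], finding["component_name"], finding["title"])
```

Two details are worth carrying into a real importer: only `known_affected` products become findings (entries listed under `fixed` or `known_not_affected` are status information, not open issues), and the `unique_id_from_tool` key is built from advisory id, vulnerability and product so that importing a later revision of the same advisory updates rather than duplicates findings. Separately from the mapping, the traceback quoted above arises because Django's file-field descriptor only wraps instances of `django.core.files.File` (for example `File(fh)` or a `ContentFile`); a raw `_io.TextIOWrapper` assigned to the field reaches `FileField.pre_save` unwrapped and has no `_committed` attribute, so the save fails before anything is written.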
Please see Flake8 errors
Fixed those :)
For uploading files, the FileUpload object is only tracking the path on the media root and the caption for the file. If this feature were to be added (I think it would be best for the user to choose whether they want the file saved on the instance or not), it should be at the import level rather than the parser level.
We removed that for now. If I understand you correctly, you're basically suggesting having a "Also attach uploaded file to import" checkbox in the import GUI? That sounds like a nice idea to me.
We also had some issues attaching additional information to the notes (during tests only, from the GUI, it worked just fine), so we moved it into the engagement description.
That is exactly what I was thinking. It would be better to put that in a separate PR though.
Yeah, my thoughts as well. Thanks for clarifying :)
This is a cool PR, but not in-line with DefectDojo functionality, modifying the engagement, etc.
Sorry for the lack of replies, our team has been busy with other tasks in the meantime, but we'll surely revisit this at some point and fix the issues you've commented on, including the engagement one you mentioned.
@Bassadin please take into account all comments, we will help improve the PR if you want to continue the work.
Will do! As soon as we can get back to it. I thank you a lot for your answers and comments :) And I wanna apologize again for our lack of answers.