Bug description
When uploading a CycloneDX report to DefectDojo (2.34.4) an error is thrown over a missing description field in the vulnerability section. As the documentation of CycloneDX does not mandate the description field to be present in the report, this seems like a bug, because DefectDojo requires this field in the report.
The CycloneDX report is generated by Sonatype Lifecycle.
Steps to reproduce
Steps to reproduce the behavior:
Go to DefectDojo
Go to an engagement
Upload the sample file attached (petclinic-bom.xml)
See error:
Expected behavior
I would expect that the CycloneDX report would upload successfully if the 'description' field is not mandatory.
Deployment method (select with an X)
Docker Compose
Kubernetes
GoDojo
Environment information
Official DefectDojo docker image from DockerHub
DefectDojo version 2.34.4
Logs
16/May/2024 13:22:55] ERROR [dojo.api_v2.exception_handler:36] null value in column "description" of relation "dojo_finding" violates not-null constraint
It seems the fix was only applied to manage_vulnerability_legacy(). manage_vulnerability_legacy() is triggered on CycloneDX v1.0 exports, while _manage_vulnerability_xml() is used on newer versions. _manage_vulnerability_xml() does not yet set a default value for 'description'.
Sonatype Lifecycle supports CycloneDX schema versions 1.4 and 1.5.
We know the sample file is valid. We have issues with importing it in DefectDojo, due to a missing description in the vulnerability fields. In the mentioned lines of the XML parser DefectDojo does not require a description in the manage_vulnerability_legacy() function, but does still check for it in the _manage_vulnerability_xml() function.
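As an added illustration of the behaviour described in the comments above (this is example code, not DefectDojo's own parser): a small CycloneDX 1.5 XML reader run over a constructed BOM in which one vulnerability omits the optional <description> element. Strict mode reproduces the reported failure, while the default mode substitutes a non-null placeholder so the finding can still be stored. The namespace URI, element names and sample values are assumptions based on the CycloneDX schema, not taken from the attached file.

```python
import xml.etree.ElementTree as ET

# Constructed CycloneDX 1.5 fragment (not the attached petclinic-bom.xml).
# The second vulnerability has no <description>, which the schema permits.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library" bom-ref="pkg:maven/org.example/lib@1.0">
      <name>lib</name><version>1.0</version>
    </component>
  </components>
  <vulnerabilities>
    <vulnerability>
      <id>EXAMPLE-0001</id>
      <ratings><rating><severity>high</severity></rating></ratings>
      <description>Example issue with a description.</description>
      <affects><target><ref>pkg:maven/org.example/lib@1.0</ref></target></affects>
    </vulnerability>
    <vulnerability>
      <id>EXAMPLE-0002</id>
      <ratings><rating><severity>medium</severity></rating></ratings>
      <affects><target><ref>pkg:maven/org.example/lib@1.0</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>"""

# Assumed schema namespace for CycloneDX 1.5 documents.
NS = {"b": "http://cyclonedx.org/schema/bom/1.5"}


def parse_vulnerabilities(xml_text, require_description=False):
    """Return one finding dict per <vulnerability> element.

    require_description=True mirrors the reported behaviour: a vulnerability
    without <description> aborts the import. The default instead falls back to
    a non-null placeholder, which is what a NOT NULL description column needs.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for vuln in root.findall("b:vulnerabilities/b:vulnerability", NS):
        vuln_id = vuln.findtext("b:id", default="", namespaces=NS)
        description = vuln.findtext("b:description", default=None, namespaces=NS)
        if description is None:
            if require_description:
                raise ValueError(f"{vuln_id}: <description> element missing")
            description = f"No description provided for {vuln_id}."
        severity = vuln.findtext("b:ratings/b:rating/b:severity", default="unknown", namespaces=NS)
        refs = [t.text for t in vuln.findall("b:affects/b:target/b:ref", NS)]
        findings.append({"id": vuln_id, "severity": severity.title(),
                         "description": description, "refs": refs})
    return findings
```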
Sample scan files
petclinic-bom.xml.md (Remove .md from the file)
Screenshots
![image](https://github.com/DefectDojo/django-DefectDojo/assets/13031028/92129d06-b19b-461e-bda2-68cd92ad909b)
Additional context (optional)