
Import of CycloneDX Scan fails if vulnerability description is missing #10249

Open
k0mand1r opened this issue May 22, 2024 · 2 comments

k0mand1r commented May 22, 2024

Bug description
When uploading a CycloneDX report to DefectDojo (2.34.4) an error is thrown over a missing description field in the vulnerability section. As the documentation of CycloneDX does not mandate the description field to be present in the report, this seems like a bug, because DefectDojo requires this field in the report.
The CycloneDX report is generated by Sonatype Lifecycle.

Steps to reproduce
Steps to reproduce the behavior:

  1. Go to DefectDojo
  2. Go to an engagement
  3. Upload the sample file attached (petclinic-bom.xml)
  4. See error:

Expected behavior
I would expect that the CycloneDX report would upload successfully if the 'description' field is not mandatory.

Deployment method (select with an X)

  • Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • Official DefectDojo docker image from DockerHub
  • DefectDojo version 2.34.4

Logs
16/May/2024 13:22:55] ERROR [dojo.api_v2.exception_handler:36] null value in column "description" of relation "dojo_finding" violates not-null constraint

Sample scan files
petclinic-bom.xml.md (Remove .md from the file)

Screenshots
![image](https://github.com/DefectDojo/django-DefectDojo/assets/13031028/92129d06-b19b-461e-bda2-68cd92ad909b)

Additional context (optional)

  • The issue was flagged previously in Import of CycloneDX Scan fails if description of CVE is missing #9277. It was supposedly fixed in DefectDojo 2.31.0
  • It seems the fix was only applied to manage_vulnerability_legacy(). manage_vulnerability_legacy() is triggered on CycloneDX v1.0 exports, while _manage_vulnerability_xml() is used on newer versions. _manage_vulnerability_xml() does not yet set a default value for 'description'.
  • Sonatype Lifecycle supports CycloneDx schema versions 1.4 and 1.5
  • manage_vulnerability_legacy() (Legacy function)
  • manage_vulnerability_xml() (New function)

mtesauro commented May 22, 2024

FWIW, that sample file is valid per cyclonedx cli tool:

$ ./cyclonedx validate --input-file petclinic-bom.xml --input-format xml
BOM validated successfully.

And is schema version 1.5 per xmlns="http://cyclonedx.org/schema/bom/1.5"


k0mand1r commented May 23, 2024

We know the sample file is valid. We have issues with importing it in DefectDojo, due to a missing description in the vulnerability fields. In the mentioned lines of the xml parser DefectDojo does not require a description in the manage_vulnerability_legacy() function, but does still check for it in the manage_vulnerability_xml() function.
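As an added illustration of the failure mode discussed in this thread (not DefectDojo's own parser code), the following reads the vulnerability list of a CycloneDX 1.5 XML BOM and substitutes a default when `<description>` is absent, the condition behind the NOT NULL error quoted in the issue. The BOM is a constructed sample and DEFAULT_DESCRIPTION is an assumed value.

```python
import xml.etree.ElementTree as ET

# CycloneDX 1.5 namespace, the xmlns quoted in the comment above.
NS = {"b": "http://cyclonedx.org/schema/bom/1.5"}
# Assumed fallback text; DefectDojo's own default, if any, is not shown on this page.
DEFAULT_DESCRIPTION = "No description provided in the CycloneDX report."

# Constructed sample BOM: the second vulnerability has no <description>,
# the condition behind the reported NOT NULL error.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <vulnerabilities>
    <vulnerability bom-ref="vuln-1">
      <id>SAMPLE-0001</id>
      <description>Example description.</description>
      <affects><target><ref>pkg:maven/org.example/lib@1.0</ref></target></affects>
    </vulnerability>
    <vulnerability bom-ref="vuln-2">
      <id>SAMPLE-0002</id>
      <affects><target><ref>pkg:maven/org.example/lib@1.0</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>
"""


def parse_vulnerabilities(xml_text, default_description=DEFAULT_DESCRIPTION):
    """Return one dict per <vulnerability> with id, description and affected refs.

    <description> is optional in the schema, so it is read with a fallback.
    default_description=None reproduces the unsafe path: a missing element
    yields None, which a NOT NULL column rejects at insert time.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for vuln in root.findall("./b:vulnerabilities/b:vulnerability", NS):
        text = vuln.findtext("b:description", namespaces=NS)  # None when absent
        description = text.strip() if text and text.strip() else default_description
        findings.append({
            "id": vuln.findtext("b:id", default="", namespaces=NS),
            "description": description,
            "refs": [r.text for r in vuln.findall("./b:affects/b:target/b:ref", NS)],
        })
    return findings


if __name__ == "__main__":
    for finding in parse_vulnerabilities(SAMPLE_BOM):
        print(finding["id"], "->", finding["description"])
```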
