
Ruff: Add and fix D3 #10083

Merged
Maffooch merged 1 commit into DefectDojo:dev from kiblik:ruff_d3
Aug 13, 2024

Conversation

@kiblik
Contributor

@kiblik kiblik commented May 2, 2024

Apply new set of ruff rules

@dryrunsecurity

dryrunsecurity Bot commented May 2, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Sensitive Files Analyzer 1 finding
Configured Codepaths Analyzer 0 findings
AppSec Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request cover various parts of the DefectDojo application, including the survey functionality, Nikto parser, and utility functions. Overall, the changes do not introduce any obvious security vulnerabilities, but there are a few areas that require attention from an application security perspective.

The key points to consider are:

  1. Proper Input Validation and Sanitization: The survey-related functionality, such as the QuestionForm and Answer models, should ensure that all user-provided data is properly validated and sanitized to prevent potential security issues like cross-site scripting (XSS) or SQL injection attacks.

  2. Access Control and Permissions: The survey and questionnaire functionality should have appropriate access controls and permissions in place to prevent unauthorized access or modification of the survey data.

  3. Handling of Scanning Tool Output: The changes to the Nikto parser should be reviewed to ensure that the parser is correctly handling and interpreting the scanner's output, as any issues in the parser could lead to missed or inaccurate security findings.

  4. Adherence to Security Best Practices: The addition of the Ruff linter configuration and the improvements to type checking are positive steps towards maintaining code quality and following best practices, which can indirectly contribute to a more secure codebase.

Overall, the changes appear to be focused on improving the functionality and maintainability of the DefectDojo application, and the potential security implications are relatively minor. However, it's important to continue to review the codebase and ensure that proper security practices are followed throughout the application.

Files Changed:

  1. dojo/templatetags/survey_tags.py: The changes are primarily related to formatting and style, but it's important to ensure that any user-provided data is properly sanitized and validated before rendering it in the template.
  2. dojo/survey/urls.py: The changes are minor and do not introduce any new functionality or security concerns.
  3. dojo/forms.py: The changes introduce new form classes for handling survey questions, which should be reviewed to ensure proper input validation and sanitization.
  4. dojo/models.py: The addition of survey-related models should be reviewed to consider the potential security and data quality implications of the design choices.
  5. dojo/tools/nikto/parser.py: The changes are minor and do not introduce any obvious security concerns, but it's important to ensure that the parser is correctly handling the Nikto scanner's output.
  6. ruff.toml: The changes to the Ruff linter configuration are focused on improving code quality and following best practices, which can indirectly contribute to a more secure codebase.
  7. dojo/tools/utils.py: The changes to the get_npm_cwe function improve the flexibility and robustness of the function, which is a positive step from an application security perspective.

Powered by DryRun Security

Contributor

@mtesauro mtesauro left a comment


Approved

@dryrunsecurity

dryrunsecurity Bot commented Aug 8, 2024

DryRun Security Summary

The provided code changes focus on improving the security-related functionality and code quality of the Dojo application security tool, including updates to the Nikto scanner parser, the handling of the "cwe" field, and the configuration of the Ruff linter to identify and address potential security vulnerabilities.


Summary:

The provided code changes cover updates to three different files in the Dojo application security tool:

  1. dojo/tools/nikto/parser.py: This change is a minor documentation update to reflect the supported Nikto scanner output formats, including the "new XML output (with nxvmlversion="1.2" type)" format. This change does not introduce any security vulnerabilities.

  2. dojo/tools/utils.py: The changes in this file focus on improving the handling of the "cwe" (Common Weakness Enumeration) field, which is used to categorize and identify potential security vulnerabilities. The code now supports different formats of the "cwe" field, including a list of CWE IDs, a single CWE ID, or a JSON-encoded string. This demonstrates the need for robust and flexible parsing of security-related data.

  3. ruff.toml: The changes in this file are related to the configuration of the Ruff linter, which is a Python linter that aims to be fast and extensible. The key changes include the addition of the "D3" rule (which checks for the use of the exec() function, a potential security risk), the enabling of several additional Ruff rules covering a wide range of potential issues (including security, performance, and code quality concerns), and the allowance of autofixing.

Overall, the code changes appear to be focused on improving the security-related functionality and code quality of the Dojo application security tool. The changes in the dojo/tools/utils.py and ruff.toml files are particularly noteworthy from an application security perspective, as they demonstrate a proactive approach to identifying and addressing potential security vulnerabilities.

Files Changed:

  1. dojo/tools/nikto/parser.py: This file has been updated to reflect the supported Nikto scanner output formats, including the "new XML output (with nxvmlversion="1.2" type)" format. The rest of the code remains unchanged and appears to be a well-structured and organized parser.

  2. dojo/tools/utils.py: The changes in this file focus on improving the handling of the "cwe" field, which is used to categorize and identify potential security vulnerabilities. The code now supports different formats of the "cwe" field and includes a fallback to CWE-1035 (vulnerable third party component) if the field is not in the expected format.

  3. ruff.toml: The changes in this file are related to the configuration of the Ruff linter, including the addition of the "D3" rule (which checks for the use of the exec() function, a potential security risk), the enabling of several additional Ruff rules covering a wide range of potential issues, and the allowance of autofixing.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

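Both bot summaries above describe the change to dojo/tools/utils.py only in prose: the "cwe" field of an npm audit item may arrive as a list of "CWE-NNN" strings, as a single string, or as a JSON-encoded string holding such a list, and anything unparseable falls back to CWE-1035. The block below is an added illustration of that parsing behaviour, written for this page; it is not the project's get_npm_cwe and does not claim to match its exact code. The function name get_cwe, the helper _parse_cwe_id and the sample items are assumptions constructed for the example; the fallback value 1035 is the one the summaries state.

```python
import json
from typing import Any, Dict, Optional

# Fallback stated in the PR summary: CWE-1035 ("Using Components with Known
# Vulnerabilities"), used whenever no usable CWE id can be extracted.
DEFAULT_CWE = 1035


def _parse_cwe_id(value: Any) -> Optional[int]:
    """Return the numeric id from one entry: 'CWE-79', '79' or a bare int.

    Hypothetical helper for this example. Returns None for anything that
    does not look like a CWE id so the caller can fall back or keep looking.
    """
    # bool is a subclass of int; treat True/False as "not a CWE id".
    if isinstance(value, int) and not isinstance(value, bool):
        return value if value > 0 else None
    if isinstance(value, str):
        text = value.strip()
        if text.upper().startswith("CWE-"):
            text = text[4:]
        if text.isdigit() and int(text) > 0:
            return int(text)
    return None


def get_cwe(item: Dict[str, Any]) -> int:
    """Extract a CWE id from an npm-audit style advisory dict.

    Hypothetical name (not the project's function). Accepts the three shapes
    described in the PR summary: a list of ids, a single id, or a JSON-encoded
    string that decodes to a list. Anything else yields DEFAULT_CWE.
    """
    raw = item.get("cwe")
    if raw is None:
        return DEFAULT_CWE

    # Shape 3: the list was serialised into a string, e.g. '["CWE-400"]'.
    # Only attempt JSON decoding when it looks like a JSON array; a plain
    # 'CWE-79' string must not be handed to json.loads.
    if isinstance(raw, str) and raw.lstrip().startswith("["):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            return DEFAULT_CWE

    # Shape 1: a list; take the first entry that parses, skip junk entries.
    if isinstance(raw, list):
        for entry in raw:
            cwe = _parse_cwe_id(entry)
            if cwe is not None:
                return cwe
        return DEFAULT_CWE

    # Shape 2: a single string or int.
    cwe = _parse_cwe_id(raw)
    return cwe if cwe is not None else DEFAULT_CWE


# Constructed sample items covering each shape plus the failure modes.
SAMPLE_ITEMS = {
    "list":          {"cwe": ["CWE-79", "CWE-80"]},
    "single":        {"cwe": "CWE-1333"},
    "json_string":   {"cwe": '["CWE-400"]'},
    "bad_json":      {"cwe": "[not json"},
    "missing":       {},
    "empty_list":    {"cwe": []},
    "bare_int":      {"cwe": 601},
    "junk_then_ok":  {"cwe": ["n/a", "CWE-22"]},
    "junk_string":   {"cwe": "n/a"},
}


def demo() -> Dict[str, int]:
    """Run get_cwe over every constructed sample and return the results."""
    return {name: get_cwe(item) for name, item in SAMPLE_ITEMS.items()}


if __name__ == "__main__":
    for name, cwe in demo().items():
        print(f"{name:>13}: CWE-{cwe}")
```

The point worth carrying into a real parser is the guard before json.loads: decoding is attempted only for strings that look like a JSON array, and a decode failure is treated as "unknown" rather than raised, so one malformed advisory cannot abort an import of an otherwise valid report.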

@kiblik kiblik closed this Aug 8, 2024
@kiblik kiblik reopened this Aug 8, 2024
@kiblik kiblik closed this Aug 8, 2024
@kiblik kiblik reopened this Aug 8, 2024
@kiblik kiblik closed this Aug 9, 2024
@kiblik kiblik reopened this Aug 9, 2024
@Maffooch Maffooch merged commit 8f7b4b5 into DefectDojo:dev Aug 13, 2024
@kiblik kiblik deleted the ruff_d3 branch August 13, 2024 14:19
