feat(DD_DEDUPLICATION_ALGORITHM_PER_PARSER + DD_HASHCODE_FIELDS_PER_SCANNER): Add checker of values

[kiblik]

This PR:

• Add real values for DD_DEDUPLICATION_ALGORITHM_PER_PARSER to documentation
• Add checkers that DD_DEDUPLICATION_ALGORITHM_PER_PARSER and DD_HASHCODE_FIELDS_PER_SCANNER has the correct format

Tested manually on following scenarios:

• Use-case DD_DEDUPLICATION_ALGORITHM_PER_PARSER: '{"Trivy scan": "DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL"}':
  • Result: AttributeError: DEDUP algorithm 'DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL' for 'Trivy scan' is not valid. Use one of following values: legacy, unique_id_from_tool, hash_code, unique_id_from_tool_or_hash_code
• Use-case DD_DEDUPLICATION_ALGORITHM_PER_PARSER: '{"Trivy scan": "unique_id_from_tool_or_hash_code"}'
  • OK
• Use-case DD_HASHCODE_FIELDS_PER_SCANNER: '{"Trivy scan": "cwe"}'
  • Result: TypeError: Fields definition 'cwe' for hashcode calculation of 'Trivy scan' is not valid. It needs to be list of strings but it is <class 'str'>.
• Use-case DD_HASHCODE_FIELDS_PER_SCANNER: '{"Trivy scan": [1]}'
  • Result: AttributeError: Fields for hashcode calculation for Trivy scan are not valid. It needs to be list of strings. Some of fields are not string.
• Use-case DD_HASHCODE_FIELDS_PER_SCANNER: '{"Trivy scan": ["cwe"]}'
  • OK

Context: https://owasp.slack.com/archives/C2P5BA8MN/p1731339375410859

[dryrunsecurity]

DryRun Security Summary

The provided code changes focus on enhancing the security-related configurations and documentation of the DefectDojo application, particularly improving the deduplication and hashcode calculation mechanisms, and providing more detailed information about various features, such as tags, risk acceptance, deduplication, SLA management, reporting, and metrics.

Expand for full summary

Summary:

The provided code changes focus on enhancing the security-related configurations and documentation of the DefectDojo application. The key changes include improvements to the deduplication and hashcode calculation mechanisms, which are crucial for effective vulnerability management. Additionally, the documentation updates provide more detailed information about various features, such as tags, risk acceptance, deduplication, SLA management, reporting, and metrics.

From an application security perspective, the deduplication and hashcode calculation configurations are particularly noteworthy. The ability to configure different deduplication algorithms and hashcode computation settings per scanner/parser helps improve the accuracy and reliability of the deduplication process, which is essential for effectively managing security findings. The inclusion of security-related settings, such as CSRF, session, and content security configurations, also helps strengthen the overall security of the application.

The documentation updates cover a wide range of features, providing users with a comprehensive understanding of the capabilities and security-related aspects of the DefectDojo application. This level of transparency and documentation is commendable, as it helps users make informed decisions and effectively utilize the security tools and features provided by the application.

Files Changed:

1. dojo/settings/.settings.dist.py.sha256sum: This file contains a SHA-256 hash sum of the dojo/settings/.settings.dist.py configuration file. The change in the hash value indicates that the contents of the configuration file have been modified. It is important to review the actual changes to the configuration file to ensure that no security-sensitive information has been inadvertently exposed and that the changes do not introduce any security vulnerabilities.

2. docs/content/en/usage/features.md: This file has been updated to provide more detailed information about the various features available in the DefectDojo application, including tags, risk acceptance, deduplication, SLA management, reporting, metrics, users, calendar, benchmarks, and the Endpoint Meta Importer. These documentation updates help users better understand the security-related aspects and capabilities of the application.

3. dojo/settings/settings.dist.py: This file contains the settings configuration for the DefectDojo application. The changes focus on enhancing the deduplication and hashcode calculation configurations, which are crucial for effective vulnerability management. The code also includes security-related settings, such as CSRF, session, and content security configurations, which help improve the overall security of the application.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[optimistic5]

@kiblik thank you for improvment.
what about documentations?
Because when you read:

The available algorithms are:
DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL
DEDUPE_ALGO_HASH_CODE
DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE
DEDUPE_ALGO_LEGACY

I understand it like I need to use something like:

DD_DEDUPLICATION_ALGORITHM_PER_PARSER: '{"Trivy Scan": "DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL"}'

but DD expects:

DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL = "unique_id_from_tool"

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[mtesauro]

Approved

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.