ZAP parser: do not resolve hostname to IP address during endpoint creation (#2284) #2286
Conversation
I think it's a good improvement, but I am wondering if we should make it optional to use the old behaviour? Does anyone have experience with ZAP scans/imports? Changing the endpoint value may also impact dedupe.

@valentijnscholten Any way except creating a new scanner entry like "ZAP Scan with Hostnames"? So, if your target was https://10.0.0.1:8443 you will have exactly the same endpoint. I just removed the enforced conversion from hostname to IP address. I.e. the endpoint is just the real one from the report (currently the endpoint is changed from the original by the importing tool). I think this option (to resolve the hostname) was useful for the company who wrote this import in 2013 (see the copyright note). But it is obsolete now.

I think it would have to be a setting in settings.py. But you may be right that it is not needed. I have no experience with endpoints at all, so I'll have to leave it to others to decide.

A new challenge to learn DefectDojo more closely :-D 👍 Really, I forgot about settings.py.

I've only used endpoints a bit - typically they're not as important as the product name + test environment, especially for AppSec work. That said, I think it's a good idea to default to this behaviour (not resolving hostnames to IPs) and to put a boolean in settings.py for those that really want the previous style of behaviour. Heck, you can control how this works by using the IP or hostname in ZAP, so it's upstream of DD's import. TBH, when I've needed/wanted to change the behaviour of a scanner's import, I've just written either pre- or post-import tools that either change the file before importing or update findings using the API - so those options will still exist after this PR is merged for those that have special reasons to save scanner data stored in a certain way.
Based on @mtesauro's feedback, a small flag in settings.dist.py to dictate the behavior as well as the needed logic in code would probably be best and suit everyone.
Agreed that removing the host resolving is a good move. Since the user can choose either the host or IP at the ZAP level, there is no need to force it here.
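As an added illustration of the behaviour discussed in this thread (example code, not DefectDojo's own parser): an endpoint builder that keeps the host exactly as ZAP reported it unless a settings-style flag turns resolution on. The flag name, the `Endpoint` shape, the `dedupe_key` helper and the injectable resolver are assumptions so the example runs offline.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Hypothetical stand-in for the boolean the thread proposes for settings.dist.py.
# Default False: keep the hostname from the ZAP report (the behaviour this PR introduces).
ZAP_RESOLVE_HOSTNAME = False

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Endpoint:
    protocol: str
    host: str
    port: int
    path: str


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def endpoint_from_zap_uri(uri: str,
                          resolve_hostname: bool = ZAP_RESOLVE_HOSTNAME,
                          resolver: Optional[Callable[[str], str]] = None) -> Endpoint:
    """Build an endpoint from a ZAP alert URI; resolve to an IP only when asked."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    # An IP-literal target (e.g. https://10.0.0.1:8443) is unchanged either way.
    if resolve_hostname and not _is_ip_literal(host):
        host = (resolver or socket.gethostbyname)(host)
    return Endpoint(parts.scheme, host, port, parts.path or "/")


def dedupe_key(ep: Endpoint) -> str:
    """Illustrative dedupe key: a different host string means a different key."""
    return f"{ep.protocol}://{ep.host}:{ep.port}{ep.path}"
```

Run with a constructed resolver such as `lambda h: {"app.example.com": "10.0.0.5"}[h]` to see that the same ZAP URI yields two different dedupe keys depending on the flag, which is the dedupe impact raised above.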