Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor to support multiple CWEs #1467

Closed
stevespringett opened this issue Mar 11, 2022 · 5 comments
Closed

Refactor to support multiple CWEs #1467

stevespringett opened this issue Mar 11, 2022 · 5 comments
Assignees
@stevespringett
Labels
enhancement New feature or request p2 Non-critical bugs, and features that help organizations to identify and reduce risk pending release
Milestone
4.5

Comments

@stevespringett
Copy link
Member

The enhancement may already be reported! Please search for the enhancement before creating one.

Current Behavior:

Only a single CWE can be specified for a vulnerability. This design decision was based on legacy implementation detail from the NVD.

Proposed Behavior:

Add support for an array of CWEs per vulnerability. This will be a breaking change for the vulnerability REST APIs and notifications.

Related to #96
@stevespringett stevespringett added enhancement New feature or request p2 Non-critical bugs, and features that help organizations to identify and reduce risk labels Mar 11, 2022
@stevespringett stevespringett added this to the 4.5 milestone Mar 11, 2022
@stevespringett stevespringett self-assigned this Mar 11, 2022
stevespringett added a commit that referenced this issue Mar 15, 2022
@stevespringett
#1467 - Refactored to support multiple CPEs per vulnerability. Breaki…
6356a51 
…ng change on Finding API. Updated docs. Updated CPE spec to v4.6

Signed-off-by: Steve Springett <steve@springett.us>
stevespringett added a commit to DependencyTrack/frontend that referenced this issue Mar 16, 2022
@stevespringett
Added support for multiple CPEs in UI - DependencyTrack/dependency-tr…
6f32f12 
…ack#1467
@sephiroth-j
Copy link
Contributor

@stevespringett, may I ask you to not add a breaking change to the API for this? You could leave the existing elements and let them return the values of the first entry of the list of CWEs while cwes holds the complete list. Similar to what you did here in the KennaDataTransformer.

And isn't the API supposed to be versioned by its URI (based on that "v1" in the URI)? If so, adding breaking changes would not be permitted.

@nscuro nscuro mentioned this issue May 17, 2022
Merged
@nscuro
Copy link
Member

nscuro commented May 17, 2022

@sephiroth-j That's a valid concern. I opened a PR #1633 that addresses this by including a cwe field, in addition to the new cwes array.

nscuro added a commit to nscuro/dependency-track that referenced this issue May 17, 2022
@nscuro
Ensure backwards-compatibility by including an additional cwe field…
013252c 
… in API objects and notifications

Addresses concerns with 3rd party integrations, e.g. DependencyTrack#1467 (comment)

Signed-off-by: nscuro <nscuro@protonmail.com>
@sephiroth-j
Copy link
Contributor

@nscuro , thank you but the fields where previously named cweId and cweName -> https://github.com/DependencyTrack/dependency-track/blob/4.4.2/docs/_docs/integrations/file-formats.md#L63,L64

@nscuro
Copy link
Member

nscuro commented May 17, 2022

@sephiroth-j Good catch! Fix is underway.

TheocharisPetros added a commit to TheocharisPetros/django-DefectDojo that referenced this issue Jun 2, 2022
@TheocharisPetros
Remove CWE from Dependency Track Hash Code Field
b08e9e1 
Dependency Track upgraded the export of results format in order to follow the relevant updated FPF format, so now multiple CWEs are included into to the vulnerabilities export. For information visit their release log https://docs.dependencytrack.org/changelog/ version 4.5.0 . 

In order to not change their API and relevant integrations (such as DefectDojo) they created a work around. So, in case there are multiple CWEs in a single finding they would always use the first one in the list (under the same JSON objects "cweId"and "cweName"), while the total count of CWEs and relevant information will be available in a new array. For more information DependencyTrack/dependency-track#1467 (comment). 

Close old findings and deduplication features breaks since findings with multiple CWEs may include a different CWE than the one used in order to calculate the original hash (due to the new CWE holding the first place in the array).

Based on the above I would propose to change the "HASHCODE_FIELDS_PER_SCANNER" for "Dependency Track Finding Packaging Format (FPF) Export" in order to not include CWE by default.
@TheocharisPetros TheocharisPetros mentioned this issue Jun 2, 2022
Merged
@github-actions
Copy link
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 17, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@stevespringett stevespringett

Labels
enhancement New feature or request p2 Non-critical bugs, and features that help organizations to identify and reduce risk pending release
Projects
None yet
Milestone
4.5
Development

No branches or pull requests
3 participants
@stevespringett @nscuro @sephiroth-j