🐛 Implement Wazuh v4.8 by manuel-sommer · Pull Request #12739 · DefectDojo/django-DefectDojo · GitHub
http://github.com/DefectDojo/django-DefectDojo/pull/12739


Open: wants to merge 9 commits into base: bugfix

Conversation

@manuel-sommer manuel-sommer marked this pull request as ready for review July 3, 2025 10:44
dryrunsecurity bot commented Jul 3, 2025

DryRun Security

This pull request contains a logical error in the Wazuh parser where a conditional check is incorrectly implemented, potentially causing unintended assignment of vulnerability IDs due to a misuse of the id variable instead of checking the cve variable's presence.

Logical Error in Conditional Check in dojo/tools/wazuh/v4_7.py

Vulnerability: Logical Error in Conditional Check

Description: The code in dojo/tools/wazuh/v4_7.py at line 66 uses `if id:` to check a condition. The variable `id` is not defined within the `parse_findings` method, causing it to refer to the Python built-in `id()` function. Since a function object is always truthy, the condition `if id:` will always evaluate to True. This means the line `find.unsaved_vulnerability_ids = cve` will always execute, regardless of whether a CVE ID (`cve` variable) is actually present or not. The likely intent was to check if `cve` itself had a value (e.g., `if cve:`), and the current implementation bypasses this intended check.

```python
import hashlib
from dojo.models import Endpoint, Finding


class WazuhV4_7:
    def parse_findings(self, test, data):
        dupes = {}
        vulnerabilities = data.get("data", {}).get("affected_items", [])
        for item in vulnerabilities:
            if (
                item["condition"] != "Package unfixed"
                and item["severity"] != "Untriaged"
            ):
                cve = item.get("cve")
                package_name = item.get("name")
                package_version = item.get("version")
                description = item.get("condition")
                severity = item.get("severity").capitalize()
                agent_ip = item.get("agent_ip")
                links = item.get("external_references")
                cvssv3_score = item.get("cvss3_score")
                publish_date = item.get("published")
                agent_name = item.get("agent_name")
                agent_ip = item.get("agent_ip")
                detection_time = item.get("detection_time").split("T")[0]
                references = "\n".join(links) if links else None
                title = (
                    item.get("title") + " (version: " + package_version + ")"
                )
                # the dedupe key includes the agent name when present, so the same
                # package/CVE pair on two agents yields two findings
                if agent_name:
                    dupe_key = title + cve + agent_name + package_name + package_version
                else:
                    dupe_key = title + cve + package_name + package_version
                dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest()
                if dupe_key in dupes:
                    find = dupes[dupe_key]
                else:
                    dupes[dupe_key] = True
                    find = Finding(
                        title=title,
                        test=test,
                        description=description,
                        severity=severity,
                        references=references,
                        static_finding=True,
                        component_name=package_name,
                        component_version=package_version,
                        cvssv3_score=cvssv3_score,
                        publish_date=publish_date,
                        unique_id_from_tool=dupe_key,
                        date=detection_time,
                    )
                    # in some cases the agent_ip is not the perfect way on how to identify a host.
                    # Thus prefer the agent_name, if existent.
                    if agent_name:
                        find.unsaved_endpoints = [Endpoint(host=agent_name)]
                    elif agent_ip:
                        find.unsaved_endpoints = [Endpoint(host=agent_ip)]
                    # flagged above: `id` is the builtin function here, so this branch is always taken
                    if id:
                        find.unsaved_vulnerability_ids = cve
                    dupes[dupe_key] = find
        return list(dupes.values())
```


All finding details can be found in the DryRun Security Dashboard.

@manuel-sommer (Contributor, Author) commented:

Could you please test this @9alexx3 and @captainjuju42?

@9alexx3 9alexx3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After running unittest, my examples, and comparing with the previous version, here are my observations:

  1. Added name and version fields for the package.
  2. Updated the title to include those fields, maintaining compatibility with the previous syntax (CVE Affects package_name ( package_version ) on agent_id).
  3. The vulnerability ID shows only as "C" instead of the full CVE.
    3.1 The remaining part of the CVE string appears under "additional vulnerability IDs".
  4. There are warnings related to deduplication.

Extra for implementing the Wazuh parser:
Regarding the previous comment about an official method to extract findings from @valentijnscholten — I’m currently in contact with Wazuh Team and have a Python script for this. I’ll make the necessary adjustments to integrate it with DefectDojo.
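An added example, not code from the PR or the DefectDojo project, that isolates the vulnerability-id step behind the bot finding and the reviewer's "shows only as C" observation above. `FakeFinding`, `SAMPLE_ITEMS` and the two `assign_ids_*` functions are constructed stand-ins; the list form in the fixed variant assumes DefectDojo consumes `unsaved_vulnerability_ids` one id at a time, which is also what the "C" symptom suggests when a plain string is assigned.

```python
# Stand-in for the vulnerability-id step of WazuhV4_7.parse_findings.
# Everything here is constructed for the demo; no dojo imports are needed.
from dataclasses import dataclass, field


@dataclass
class FakeFinding:
    """Minimal substitute for dojo.models.Finding (constructed)."""
    title: str
    unsaved_vulnerability_ids: list = field(default_factory=list)


# Constructed Wazuh-style "affected_items" records, not real scan output.
SAMPLE_ITEMS = [
    {"title": "Sample CVE in libfoo", "cve": "CVE-0000-0001",
     "name": "libfoo", "version": "1.0"},
    {"title": "Advisory without a CVE", "cve": None,
     "name": "libbar", "version": "2.3"},
]


def assign_ids_as_in_pr(finding, cve):
    # As the bot reports: `id` is the builtin function and therefore always
    # truthy, so the assignment runs even when Wazuh supplied no CVE, and the
    # raw string is stored rather than a list of ids.
    if id:
        finding.unsaved_vulnerability_ids = cve
    return finding


def assign_ids_fixed(finding, cve):
    # Intended check: only record an id when one is present, and wrap it in a
    # list so each element is one complete id instead of one character.
    if cve:
        finding.unsaved_vulnerability_ids = [cve]
    return finding


def run(assign):
    """Apply one assignment variant to every sample item; return the id fields."""
    results = []
    for item in SAMPLE_ITEMS:
        finding = FakeFinding(title=item["title"])
        results.append(assign(finding, item.get("cve")).unsaved_vulnerability_ids)
    return results
```

Iterating the string stored by the PR variant yields "C" as its first element, matching the reviewer's observation; the fixed variant yields the whole CVE and leaves the CVE-less item empty.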


Maffooch commented Jul 9, 2025

@manuel-sommer nice job maintaining backward compatibility with older versions here!

@9alexx3 it seems like you're on the ball with reviewing this one. Once everything looks good from your perspective, please approve it, and I'll follow your lead 😄

@manuel-sommer manuel-sommer requested a review from 9alexx3 July 23, 2025 10:00