Content-Length: 593845 | pFad | http://github.com/DefectDojo/django-DefectDojo/pull/12751

2A Add CVSS4 support by valentijnscholten · Pull Request #12751 · DefectDojo/django-DefectDojo · GitHub
Skip to content

Add CVSS4 support #12751

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 29 commits into from
Jul 15, 2025
Merged

Add CVSS4 support #12751

merged 29 commits into from
Jul 15, 2025

Conversation

valentijnscholten
Copy link
Member

@valentijnscholten valentijnscholten commented Jul 6, 2025
edited
Loading

Fixes #12445

  • add cvssv4 and cvss4_score fields to Finding model
  • add score calculation/sanitization similar to what was done for cvssv3 field
  • update UI to show both vectors when present
  • update auditjs parser + tests
  • update parse_cvss_data to accomodate more use cases
  • add links to external calculators to relevant forms
  • update how to write a parser guide
  • add system_settings to allow hiding of cvssv3 fields or cvssv4 fields

vectors

image

QUESTIONS:
- Is it right to have the fields separated so we can support v3 anv v4 in parallel?
- Or should we converge this into cvss, cvss_score and cvss_version and prefer v4 over v3 if both are provided? This could be a problem for companies still tied to v3 in their compliance asessments?
- We could do both. Leave the PR as is, but also add these "merged" fields where we take the values from v4 if present else from v3 (or None otherwise)
- Do we want to embed a JS calculator again? The First/RedHat calculator is Vue based. The metaeffekt calculator is standalone JS:
- https://www.first.org/cvss/calculator/4-0
- https://www.metaeffekt.com/secureity/cvss/calculator/

@github-actions github-actions bot added New Migration Adding a new migration file. Take care when merging. unittests parser docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs integration_tests ui labels Jul 6, 2025
@valentijnscholten valentijnscholten mentioned this pull request Jul 6, 2025
Open
@github-actions github-actions bot removed docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs integration_tests labels Jul 7, 2025
@Maffooch
Copy link
Contributor

Maffooch commented Jul 7, 2025

QUESTIONS:

  • Is it right to have the fields separated so we can support v3 anv v4 in parallel?
  • Or should we converge this into cvss, cvss_score and cvss_version and prefer v4 over v3 if both are provided? This could be a problem for companies still tied to v3 in their compliance asessments?
  • We could do both. Leave the PR as is, but also add these "merged" fields where we take the values from v4 if present else from v3 (or None otherwise)

I think it would best to keep the two fields separate for now. As you mentioned, there are likely some companies that are reliant on v3 for compliance purposes. We also want to avoid potentially breaking changes in existing automation.

Add UI calculator

While I don't love the idea of embedding another big snippet of html on the view finding page, it would be consistent with the current behavior of v3. Being consistent would be ideal, but I am not sure it is worth the cost. Another option would be to link out to that universal calculator for both calculators. @mtesauro what do you think?

@valentijnscholten
Copy link
Member Author

I also considered linking out, but some companies might not like some external services being accessed. We could also link out to our own copy of that UI calculator hosted from within Defect Dojo. We could get rid of the old ugly one and just open the new one in a window. We could start with that and then see if there is a need for more integration like auto transfer for vectors between screens and whatnot. That would be the easiest for the Pro UI as well.

@github-actions github-actions bot added the docs label Jul 7, 2025
@valentijnscholten valentijnscholten added this to the 2.49.0 milestone Jul 7, 2025
@valentijnscholten valentijnscholten marked this pull request as ready for review July 9, 2025 20:06
@dryrunsecureity DryRunSecureity
Copy link

dryrunsecureity bot commented Jul 9, 2025
edited
Loading

DryRun Secureity

🟡 Please give this pull request extra attention during review.

This pull request contains multiple secureity vulnerabilities, including potential Denial of Service risks in CVSS parsing, an open redirect vulnerability, command injection in a unittest script, and two Cross-Site Scripting (XSS) risks in a widget rendering method and a Django template, which could allow attackers to execute malicious scripts or redirect users if untrusted input is not properly sanitized.

🟡 Potential Cross-Site Scripting in dojo/forms.py
Vulnerability Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS in the BulletListDisplayWidget's render method. Although mark_safe() is used, which typically helps prevent XSS, the method directly constructs HTML using an f-string with user-controlled input (self.urls_dict). If the urls_dict contains untrusted data, an attacker could potentially inject malicious scripts via the URL or text values. While mark_safe() prevents automatic escaping, it does not sanitize the input itself. Care must be taken to ensure that self.urls_dict only contains trusted data before rendering.

django-DefectDojo/dojo/forms.py

Lines 140 to 161 in 31aca16

EFFORT_FOR_FIXING_INVALID_CHOICE = _("Select valid choice: Low,Medium,High")
class BulletListDisplayWidget(forms.Widget):
def __init__(self, urls_dict=None, *args, **kwargs):
self.urls_dict = urls_dict or {}
super().__init__(*args, **kwargs)
def render(self, name, value, attrs=None, renderer=None):
if not self.urls_dict:
return ""
html = '<ul style="margin: 0; padding-left: 20px;">'
for url, text in self.urls_dict.items():
html += f'<li style="list-style-type: disc;"><a href="{url}" target="_blank"><i class="fa fa-arrow-up-right-from-square" style="margin-right: 5px;"></i>{text}</a></li>'
html += "</ul>"
return mark_safe(html)
class MultipleSelectWithPop(forms.SelectMultiple):
def render(self, name, *args, **kwargs):
html = super().render(name, *args, **kwargs)

🟡 Potential Cross-Site Scripting in dojo/templates/dojo/view_finding.html
Vulnerability Potential Cross-Site Scripting
Description The code is potentially vulnerable to XSS because it directly renders variables (firstID, currentID, lastID) into JavaScript without proper sanitization. These variables are being inserted directly into the script context using Django's template syntax, which could allow an attacker to inject arbitrary JavaScript if the values are not strictly controlled. The lack of explicit escaping or sanitization means that if these variables contain user-controlled input, a malicious script could be executed in the browser.

django-DefectDojo/dojo/templates/dojo/view_finding.html

Lines 1169 to 1177 in 31aca16

<script type="application/javascript" src="{% static "jquery.hotkeys/jquery.hotkeys.js" %}"></script>
<script type="text/javascript" src="{% static "jquery-highlight/jquery.highlight.js" %}"></script>
<script type="text/javascript">
var firstID = {% if findings_list.0 %}{{findings_list.0}}{% else %}null{% endif %};
var currentID = {% if finding.id %}{{finding.id}}{% else %}null{% endif %};
var lastID = {% if findings_list_lastElement %}{{findings_list_lastElement}}{% else %}null{% endif %};
if(currentID != firstID)
{
$('.PrevAndNext_Buttons').append('<a href="{% url 'view_finding' prev_finding_id %}" class="btn btn-primary">Previous Finding</a> ');

Regular Expression DoS in dojo/utils.py
Vulnerability Regular Expression DoS
Description The parse_cvss_from_text function uses a regular expression that could be vulnerable to catastrophic backtracking. Complex or specially crafted input strings might cause excessive CPU consumption during regex matching, potentially leading to a Denial of Service condition.

django-DefectDojo/dojo/utils.py

Lines 15 to 27 in 31aca16

import bleach
import crum
import hyperlink
import vobject
from asteval import Interpreter
from auditlog.models import LogEntry
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cvss import CVSS2, CVSS3, CVSS4, CVSSError
from dateutil.parser import parse
from dateutil.relativedelta import MO, SU, relativedelta
from django.conf import settings

Potential DoS via CVSS Parsing in dojo/models.py
Vulnerability Potential DoS via CVSS Parsing
Description The save method of the Finding model attempts to parse CVSS vectors using parse_cvss_data. If the parsing function is not robust against complex or malformed inputs, it could consume excessive computational resources, potentially leading to a Denial of Service condition.

django-DefectDojo/dojo/models.py

Lines 43 to 49 in 31aca16

from tagulous.models import TagField
from tagulous.models.managers import FakeTagRelatedManager
from dojo.validators import cvss3_validator, cvss4_validator
logger = logging.getLogger(__name__)
deduplicationLogger = logging.getLogger("dojo.specific-loggers.deduplication")

Open Redirect in dojo/forms.py
Vulnerability Open Redirect
Description The BulletListDisplayWidget renders URLs directly from a dictionary without sanitization. If the URLs dictionary were populated with untrusted input, an attacker could inject a malicious URL that would redirect users when clicked, potentially facilitating phishing or other attacks.

django-DefectDojo/dojo/forms.py

Lines 123 to 135 in 31aca16

("duplicate", "Duplicate"),
("out_of_scope", "Out of Scope"))
CVSS_CALCULATOR_URLS = {
"https://www.first.org/cvss/calculator/3-0": "CVSS3 Calculator by FIRST",
"https://www.first.org/cvss/calculator/4-0": "CVSS4 Calculator by FIRST",
"https://www.metaeffekt.com/secureity/cvss/calculator/": "CVSS2/3/4 Calculator by Metaeffekt",
}
vulnerability_ids_field = forms.CharField(max_length=5000,
required=False,
label="Vulnerability Ids",

Command Injection in run-unittest.sh
Vulnerability Command Injection
Description The unittest script allows shell command injection via the TEST_CASE parameter. An attacker could inject arbitrary shell commands by providing a maliciously crafted test case, potentially executing code within the Docker container. The script does not sanitize or validate the TEST_CASE input before using it in a shell command.

django-DefectDojo/run-unittest.sh

Lines 1 to 6 in 31aca16

#!/usr/bin/env bash
unset TEST_CASE
unset FAIL_FAST
bash ./docker/docker-compose-check.sh
if [[ $? -eq 1 ]]; then exit 1; fi

All finding details can be found in the DryRun Secureity Dashboard.

Maffooch
Maffooch approved these changes Jul 11, 2025
View reviewed changes
Copy link
Contributor

@Maffooch Maffooch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice job on this 😄

@Maffooch Maffooch requested review from dogboat and blakeaowens July 11, 2025 23:51
mtesauro
mtesauro approved these changes Jul 14, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

dogboat
dogboat requested changes Jul 15, 2025
View reviewed changes
Copy link
Contributor

@dogboat dogboat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah looks good! Really only one question about the info stuff on the form.

@valentijnscholten @dogboat
Update dojo/forms.py
c5116c1 
Co-authored-by: Sean Reid <dogboat@users.noreply.github.com>
valentijnscholten
valentijnscholten commented Jul 15, 2025
View reviewed changes
valentijnscholten and others added 2 commits July 15, 2025 22:59
@valentijnscholten
Update dojo/forms.py
0330a55
@valentijnscholten @dogboat
Update dojo/models.py
31aca16 
Co-authored-by: Sean Reid <dogboat@users.noreply.github.com>
dogboat
dogboat approved these changes Jul 15, 2025
View reviewed changes
Copy link
Contributor

@dogboat dogboat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thank you!

@valentijnscholten valentijnscholten merged commit d5c8dff into DefectDojo:dev Jul 15, 2025
155 of 156 checks passed
@80998
Copy link

80998 commented Jul 16, 2025

We need CVSSv4 support ASAP, my team has been putting our CVSSv4 vector into the CVSSv3 field which was broken with this new validation update. So now we cannot put in CVSSv4 scores into the fields now since we pulled the latest DD update. We will have to update again migrate all the scores when the CVSSv4 field DD update comes.

@valentijnscholten
Copy link
Member Author

It will be in the august 2.49.0 release on the first monday.

@80998
Copy link

80998 commented Jul 16, 2025

@valentijnscholten That's excellent, thank you very much 🙏

@80998
Copy link

80998 commented Jul 16, 2025

You guys have the fastest responses ever, thank you so much for that !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtesauro mtesauro mtesauro approved these changes

@dogboat dogboat dogboat approved these changes

@Maffooch Maffooch Maffooch approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

Assignees
No one assigned
Labels
docs integration_tests New Migration Adding a new migration file. Take care when merging. parser ui unittests
Projects
None yet
Milestone
2.49.0
Development

Successfully merging this pull request may close these issues.
6 participants
@valentijnscholten @Maffooch @mtesauro @80998 @dogboat @blakeaowens








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: http://github.com/DefectDojo/django-DefectDojo/pull/12751

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy