
including test for Finding in xml parser #11464

Open
wants to merge 1 commit into base: bugfix

Conversation


@LeoOMaia LeoOMaia commented Dec 23, 2024

We are facing difficulties saving a finding to later perform the disambiguation of findings into problems, which will summarize a group of findings into a single problem. There are already several parsers from other tools that pass the variable test as a parameter to the Finding class. I believe there should be no issues with doing something like this.
More information here #11432


DryRun Security Summary

The code change involves adding a test parameter to the Finding object in the OpenVASXMLParser class to improve tracking and management of vulnerabilities when parsing OpenVAS XML files.


Summary:

The code change in the provided patch appears to be a minor addition to the get_findings() method in the OpenVASXMLParser class. The change adds the test parameter to the Finding object being created, which is a good practice as it helps associate the finding with the specific test that generated it. The code seems to be handling the parsing of OpenVAS XML files, a common tool used in vulnerability assessments, and extracting various pieces of information from the XML, such as the title, description, severity, and other details, to create Finding objects representing the identified vulnerabilities. The code follows best practices for parsing XML data, such as using the defusedxml library to mitigate potential XML-related security vulnerabilities. Additionally, the convert_cvss_score() method, which converts a raw CVSS score value to a more user-friendly severity level, is a common practice in vulnerability management tools and helps security teams quickly understand the relative importance of the identified findings. Overall, the code change seems to be a reasonable and secure implementation of an OpenVAS XML parser, and the addition of the test parameter to the Finding object is a positive improvement that will help with the tracking and management of the identified vulnerabilities.

Files Changed:

  • dojo/tools/openvas/xml_parser.py: This file contains the OpenVASXMLParser class, which is responsible for parsing OpenVAS XML files and extracting vulnerability information. The code change in this file adds the test parameter to the Finding object being created, which helps associate the finding with the specific test that generated it. The code follows best practices for parsing XML data and includes a convert_cvss_score() method to convert raw CVSS scores to more user-friendly severity levels.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

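To make the summary above concrete, here is an added example (written for this page, not DefectDojo's own parser or the PR's diff) of a minimal Greenbone/OpenVAS XML reader whose Finding carries the test it came from, with the CVSS-to-severity mapping and the defusedxml import the summary mentions. The Finding fields, the severity thresholds (CVSS v3 qualitative bands), the fallback import and the sample report are assumptions.

```python
from dataclasses import dataclass

try:
    from defusedxml import ElementTree as ET  # blocks entity-expansion and external-entity tricks
except ImportError:  # assumption: fallback only so the example runs where defusedxml is absent
    import xml.etree.ElementTree as ET

@dataclass
class Finding:
    title: str
    description: str
    severity: str
    test: object  # the scan/import this finding belongs to; what the PR threads through

def convert_cvss_score(raw_value: str) -> str:
    """CVSS base score -> qualitative severity (CVSS v3 bands, assumed here)."""
    val = float(raw_value or 0.0)
    if val == 0.0:
        return "Info"
    if val < 4.0:
        return "Low"
    if val < 7.0:
        return "Medium"
    if val < 9.0:
        return "High"
    return "Critical"

def get_findings(xml_text: str, test: object) -> list:
    root = ET.fromstring(xml_text)
    if "report" not in root.tag:  # refuse input that is not a Greenbone report
        raise ValueError("not a Greenbone/OpenVAS XML report")
    findings = []
    for result in root.findall(".//results/result"):
        name = result.findtext("name", default="")
        host = result.findtext("host", default="")  # text before the <asset>/<hostname> children
        desc = result.findtext("description", default="")
        findings.append(Finding(
            title=f"{name}_{host}" if host else name,
            description=f"**Host**: {host}\n{desc}",
            severity=convert_cvss_score(result.findtext("severity", default="0")),
            test=test,  # carried on every finding so they can later be grouped per test
        ))
    return findings

SAMPLE_XML = """<report><report><results>
<result><name>TLS 1.0 enabled</name><host>10.0.0.5</host><severity>5.3</severity>
<description>Legacy protocol offered.</description></result>
<result><name>Host summary</name><host>10.0.0.5</host><severity>0.0</severity></result>
</results></report></report>"""  # constructed sample, not real scanner output
```

Calling get_findings(SAMPLE_XML, test=some_test) yields two findings that both reference the same test object, which is exactly what a later finding-to-problem grouping step needs.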


cunha commented Dec 24, 2024

@LeoOMaia Please write some explanation in the PR opening comment so project maintainers have some context about the change.


3 participants