-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make titlecasing for finding title configurable #10357
base: dev
Are you sure you want to change the base?
Make titlecasing for finding title configurable #10357
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🔴 Risk threshold exceeded. Adding a reviewer if one is configured in notification list: @mtesauro @grendel513 Change Summary (click to expand)The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: The changes in this pull request are focused on improving the functionality and data quality of the DefectDojo application. The key changes include:
Overall, these changes do not directly address any known security vulnerabilities, but they contribute to the overall data quality and manageability of the application security findings within the DefectDojo system. Files Changed:
Powered by DryRun Security |
83e22de
to
85dbb42
Compare
recalculated settings hash to fix failing unit tests |
This flexibility makes me very nervous. From my perspective, it seems that this flexibility can only have a positive impact if a user is starting from an empty database. If not then, the hashcodes for existing findings will not be correct. Correcting this hashcodes retroactively may not be possible in all cases as we do not know exactly what the title of a given vulnerability is at the time it was ingested into DefectDojo. Overall, I think this flexible functionality may cause more harm for users that switch it on/off without knowing the full gravity of the implications that come with it |
I do understand your fears of wrong hashcodes. However enabling this configuration option would allow DefectDojo to be used with so many other languages other than English out of the box. Titlecasing only works in English and causes errors in most other languages. Do you maybe have an idea how to make the config more "hidden" or harder to accidentally change? I can also include documentation about the implications of changing this config (in code and in the official docs) In the end it would be sad to limit DefectDojo to English findings only, especially if this missing config is the only thing holding it back. (for German e.g.) Thank you for your thoughts! |
Another idea could be to always create the titlecase version of the title of the finding right before it get's hashed, no matter the current setting. Therfore, even if the setting is changed just to play with it, the resulting hash will still be the same. |
Just to be sure I understand this correctly, are you saying something like this?
|
I had a different solution in mind when writing my comment but I now realize that that wouldn't have worked. So yes, something like you wrote could solve the hashing issue:
|
This pull request has conflicts, please resolve those before we can evaluate the pull request. |
@Maffooch what do you think? I could implement it as described above. |
@StephanPillhofer apologies for the delay were. This one is still being discussed in a wider audience. Thank you for your contribution and patience 😄 |
New feature to optionally disable titlecasing for the title of findings.
This implements/fixes #9241