Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make titlecasing for finding title configurable #10357

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

Make titlecasing for finding title configurable #10357

wants to merge 1 commit into from

Conversation

StephanPillhofer
Copy link

@StephanPillhofer StephanPillhofer commented Jun 7, 2024
edited
Loading

New feature to optionally disable titlecasing for the title of findings.

This implements/fixes #9241
@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Jun 7, 2024
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jun 7, 2024
edited
Loading

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 1 finding
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
AppSec Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request are focused on improving the functionality and data quality of the DefectDojo application. The key changes include:

  1. Adding a new setting called DD_FINDING_TITLECASING_ENABLED to enable or disable the titlecasing feature for finding titles. This is a user interface enhancement and does not introduce any significant security risks.

  2. Updating the save() method of the Finding model to trim the title length and apply title casing if the FINDING_TITLECASING_ENABLED setting is enabled. Additionally, a new set_sla_expiration_date() method has been added to set the sla_expiration_date field based on the finding's severity and the product's SLA configuration. These changes are focused on improving the quality and consistency of the finding data stored in the system.

  3. Updating the SHA-256 checksum for the dojo/settings/.settings.dist.py file, which indicates that the contents of the settings file have been modified. The use of a cryptographic checksum is a positive security measure to ensure the integrity of the configuration file, but the application should continue to maintain best practices for securing sensitive configuration data.

Overall, these changes do not directly address any known security vulnerabilities, but they contribute to the overall data quality and manageability of the application security findings within the DefectDojo system.

Files Changed:

  1. dojo/settings/settings.dist.py: This file has been updated to add a new setting called DD_FINDING_TITLECASING_ENABLED, which is set to True by default. This setting is used to enable or disable the titlecasing feature for finding titles in the DefectDojo application.

  2. dojo/models.py: The save() method of the Finding model has been updated to trim the title length and apply title casing if the FINDING_TITLECASING_ENABLED setting is enabled. Additionally, a new set_sla_expiration_date() method has been added to set the sla_expiration_date field based on the finding's severity and the product's SLA configuration.

  3. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 checksum for the dojo/settings/.settings.dist.py file has been updated, indicating that the contents of the settings file have been modified.

Powered by DryRun Security
@StephanPillhofer
Copy link
Author

recalculated settings hash to fix failing unit tests
@Maffooch
Copy link
Contributor

This flexibility makes me very nervous. From my perspective, it seems that this flexibility can only have a positive impact if a user is starting from an empty database. If not then, the hashcodes for existing findings will not be correct. Correcting this hashcodes retroactively may not be possible in all cases as we do not know exactly what the title of a given vulnerability is at the time it was ingested into DefectDojo.

Overall, I think this flexible functionality may cause more harm for users that switch it on/off without knowing the full gravity of the implications that come with it
@StephanPillhofer
Copy link
Author

I do understand your fears of wrong hashcodes.

However enabling this configuration option would allow DefectDojo to be used with so many other languages other than English out of the box. Titlecasing only works in English and causes errors in most other languages.

Do you maybe have an idea how to make the config more "hidden" or harder to accidentally change? I can also include documentation about the implications of changing this config (in code and in the official docs)

In the end it would be sad to limit DefectDojo to English findings only, especially if this missing config is the only thing holding it back. (for German e.g.)

Thank you for your thoughts!
@StephanPillhofer
Copy link
Author

StephanPillhofer commented Jun 14, 2024
edited
Loading

Another idea could be to always create the titlecase version of the title of the finding right before it get's hashed, no matter the current setting. Therfore, even if the setting is changed just to play with it, the resulting hash will still be the same.
@Maffooch
Copy link
Contributor

Another idea could be to always create the titlecase version of the title of the finding right before it get's hashed, no matter the current setting. Therfore, even if the setting is changed just to play with it, the resulting hash will still be the same.

Just to be sure I understand this correctly, are you saying something like this?

orignial_title = self.title
 # Title Casing
from titlecase import titlecase
self.title = titlecase(self.title[:511])
...
>> Do the hash code stuff
...
if not settings.FINDING_TITLECASING_ENABLED:
    self.title = original_title
@StephanPillhofer
Copy link
Author

I had a different solution in mind when writing my comment but I now realize that that wouldn't have worked.

So yes, something like you wrote could solve the hashing issue:

...

orignial_title = self.title
 # Title Casing
from titlecase import titlecase
self.title = titlecase(self.title[:511])

...

if dedupe_option:
    if (self.hash_code is not None):
        deduplicationLogger.debug("Hash_code already computed for finding")
    else:        
        self.hash_code = self.compute_hash_code()
        deduplicationLogger.debug(
            "Hash_code computed for finding: %s", self.hash_code)
        if not settings.FINDING_TITLECASING_ENABLED:
            self.title = original_title

...
@github-actions GitHub Actions
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.
@StephanPillhofer
Copy link
Author

@Maffooch what do you think? I could implement it as described above.
@Maffooch
Copy link
Contributor

Maffooch commented Jul 3, 2024

@StephanPillhofer apologies for the delay were. This one is still being discussed in a wider audience. Thank you for your contribution and patience 😄
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
conflicts-detected settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR
2 participants
@StephanPillhofer @Maffooch