cvss4: UI + rest tests + fixes

Author: valentijnscholten

dojo/forms.py

@@ -1354,6 +1354,9 @@ class FindingForm(forms.ModelForm):
     vulnerability_ids = vulnerability_ids_field
     cvssv3 = forms.CharField(max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
     cvssv3_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
+    cvssv4 = forms.CharField(max_length=255, required=False)
+    cvssv4_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
+
     description = forms.CharField(widget=forms.Textarea)
     severity = forms.ChoiceField(
         choices=SEVERITY_CHOICES,
@@ -1385,7 +1388,7 @@ class FindingForm(forms.ModelForm):
 
     # the only reliable way without hacking internal fields to get predicatble ordering is to make it explicit
     field_order = ("title", "group", "date", "sla_start_date", "sla_expiration_date", "cwe", "vulnerability_ids", "severity", "cvssv3",
-                   "cvssv3_score", "description", "mitigation", "impact", "request", "response", "steps_to_reproduce", "severity_justification",
+                   "cvssv3_score", "cvssv4", "cvssv4_score", "description", "mitigation", "impact", "request", "response", "steps_to_reproduce", "severity_justification",
                    "endpoints", "endpoints_to_add", "references", "active", "mitigated", "mitigated_by", "verified", "false_p", "duplicate",
                    "out_of_scope", "risk_accept", "under_defect_review")
 

dojo/models.py

@@ -2743,7 +2743,7 @@ def save(self, dedupe_option=True, rules_option=True, product_grading_option=Tru
             try:
                 cvss_data = parse_cvss_data(self.cvssv4)
                 if cvss_data:
-                    self.cvssv4 = cvss_data.get("cvssv4_vector")
+                    self.cvssv4 = cvss_data.get("cvssv4")
                     if not self.cvssv4_score:
                         self.cvssv4_score = cvss_data.get("cvssv4_score")
 

dojo/templates/dojo/view_finding.html

@@ -292,16 +292,16 @@ <h3 class="pull-left finding-title">
                         <td>
                             <span class="label severity severity-{{ finding.severity }}">
                                 {% if finding.severity %}
-                                    {% if finding.cvssv3 %}
+                                    {{ finding.severity_display }}
+                                    {% if finding.cvssv4_score %}
                                         <i class="no-italics has-popover" font-style="normal" data-toggle="tooltip" data-placement="bottom" data-container="body" title="" href="#"
-                                            data-content="{{ finding.cvssv3 }}">
+                                            data-content="{{ finding.cvssv4 }}">
+                                        ({{ finding.cvssv4_score }}{% if finding.cvssv3_score %},{% else %}){% endif %}</i>
                                     {% endif %}
-                                    {{ finding.severity_display }}
                                     {% if finding.cvssv3_score %}
-                                        ({{ finding.cvssv3_score }})
-                                    {% endif %}
-                                    {% if finding.cvssv3 %}
-                                        </i>
+                                        <i class="no-italics has-popover" font-style="normal" data-toggle="tooltip" data-placement="bottom" data-container="body" title="" href="#"
+                                            data-content="{{ finding.cvssv3 }}">
+                                        {% if not finding.cvssv4_score %}({% endif %}{{ finding.cvssv3_score }})</i>
                                     {% endif %}
                                 {% else %}
                                     Unknown
@@ -760,7 +760,7 @@ <h4 class="has-filters">Similar Findings ({{ similar_findings.paginator.count }}
                     </div>
                 {% endif %}
             </span>
-        </div>  
+        </div>
     {% endif %}
     {% comment %} Add a form to (ab)use to submit any actions related to similar/duplicates as POST requests {% endcomment %}
     <form method="post" style="display: none" id="related_action">

dojo/validators.py

@@ -2,7 +2,6 @@
 import re
 from collections.abc import Callable
 
-import cvss.parser
 from cvss import CVSS2, CVSS3, CVSS4
 from django.core.exceptions import ValidationError
 
@@ -28,7 +27,8 @@ def tag_validator(value: str | list[str], exception_class: Callable = Validation
 
 def cvss3_validator(value: str | list[str], exception_class: Callable = ValidationError) -> None:
     logger.debug("cvss3_validator called with value: %s", value)
-    cvss_vectors = cvss.parser.parse_cvss_from_text(value)
+    from dojo.utils import parse_cvss_from_text
+    cvss_vectors = parse_cvss_from_text(value)
     if len(cvss_vectors) > 0:
         vector_obj = cvss_vectors[0]
 
@@ -48,13 +48,14 @@ def cvss3_validator(value: str | list[str], exception_class: Callable = Validati
 
     # Explicitly raise an error if no CVSS vectors are found,
     # to avoid 'NoneType' errors during severity processing later.
-    msg = "No valid CVSS vectors found by cvss.parse_cvss_from_text()"
+    msg = "No valid CVSS3 vectors found by cvss.parse_cvss_from_text()"
     raise exception_class(msg)
 
 
 def cvss4_validator(value: str | list[str], exception_class: Callable = ValidationError) -> None:
     logger.debug("cvss4_validator called with value: %s", value)
-    cvss_vectors = cvss.parser.parse_cvss_from_text(value)
+    from dojo.utils import parse_cvss_from_text
+    cvss_vectors = parse_cvss_from_text(value)
     if len(cvss_vectors) > 0:
         vector_obj = cvss_vectors[0]
 
@@ -74,5 +75,5 @@ def cvss4_validator(value: str | list[str], exception_class: Callable = Validati
 
     # Explicitly raise an error if no CVSS vectors are found,
     # to avoid 'NoneType' errors during severity processing later.
-    msg = "No valid CVSS vectors found by cvss.parse_cvss_from_text()"
+    msg = "No valid CVSS4 vectors found by cvss.parse_cvss_from_text()"
     raise exception_class(msg)

unittests/test_metrics_queries.py

@@ -75,6 +75,7 @@ def test_finding_queries_no_data(self):
 
     @patch("django.utils.timezone.now")
     def test_finding_queries(self, mock_timezone):
+        self.maxDiff = 999999999
         mock_datetime = datetime(2020, 12, 9, tzinfo=UTC)
         mock_timezone.return_value = mock_datetime
 

unittests/test_rest_framework.py

@@ -1287,41 +1287,67 @@ def test_cvss3_validation(self):
             result = self.client.patch(self.url + "2/", data={"cvssv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvssv3_score": 3})
             self.assertEqual(result.status_code, status.HTTP_200_OK)
             finding = Finding.objects.get(id=2)
+            # valid so vector must be set and score calculated does not ovewrite the score provided by us/the report
+            self.assertEqual("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", finding.cvssv3)
+            self.assertEqual(3.0, finding.cvssv3_score)
+
+        with self.subTest(i=1):
+            result = self.client.patch(self.url + "5/", data={"cvssv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"})
+            self.assertEqual(result.status_code, status.HTTP_200_OK)
+            finding = Finding.objects.get(id=5)
             # valid so vector must be set and score calculated
             self.assertEqual("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", finding.cvssv3)
             self.assertEqual(8.8, finding.cvssv3_score)
 
-        with self.subTest(i=1):
+        with self.subTest(i=2):
             # extra slash makes it invalid
             result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/", "cvssv3_score": 3})
             self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
             finding = Finding.objects.get(id=3)
-            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS3 vectors found by cvss.parse_cvss_from_text()"])
             # invalid vector, so no calculated score and no score stored
             self.assertEqual(None, finding.cvssv3)
             self.assertEqual(None, finding.cvssv3_score)
 
-        with self.subTest(i=2):
+        with self.subTest(i=3):
             # no CVSS version prefix makes it invalid
             result = self.client.patch(self.url + "3/", data={"cvssv3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvssv3_score": 4})
             self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
             finding = Finding.objects.get(id=3)
-            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS3 vectors found by cvss.parse_cvss_from_text()"])
             # invalid vector, so no calculated score and no score stored
             self.assertEqual(None, finding.cvssv3)
             self.assertEqual(None, finding.cvssv3_score)
 
-        with self.subTest(i=3):
+        with self.subTest(i=4):
             # CVSS4 version makes it invalid
             result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvssv3_score": 5})
             self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
-            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS3 vectors found by cvss.parse_cvss_from_text()"])
             finding = Finding.objects.get(id=3)
             # invalid vector, so no calculated score and no score stored
             self.assertEqual(None, finding.cvssv3)
             self.assertEqual(None, finding.cvssv3_score)
 
         with self.subTest(i=4):
+            # CVSS4 version valid
+            result = self.client.patch(self.url + "3/", data={"cvssv4": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "cvssv4_score": 5})
+            self.assertEqual(result.status_code, status.HTTP_200_OK)
+            finding = Finding.objects.get(id=3)
+            # invalid vector, so no calculated score and our provided score is stored (not overwritten)
+            self.assertEqual("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", finding.cvssv4)
+            self.assertEqual(5.0, finding.cvssv4_score)
+
+        with self.subTest(i=14):
+            # CVSS4 version valid, calculate score
+            result = self.client.patch(self.url + "3/", data={"cvssv4": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"})
+            self.assertEqual(result.status_code, status.HTTP_200_OK)
+            finding = Finding.objects.get(id=3)
+            # invalid vector, so no calculated score and our provided score is stored (not overwritten)
+            self.assertEqual("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", finding.cvssv4)
+            self.assertEqual(5.0, finding.cvssv4_score)
+
+        with self.subTest(i=5):
             # CVSS2 style vector makes not supported
             result = self.client.patch(self.url + "3/", data={"cvssv3": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "cvssv3_score": 6})
             self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
@@ -1331,31 +1357,31 @@ def test_cvss3_validation(self):
             self.assertEqual(None, finding.cvssv3)
             self.assertEqual(None, finding.cvssv3_score)
 
-        with self.subTest(i=5):
+        with self.subTest(i=6):
             # CVSS2 prefix makes it invalid
             result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cvssv3_score": 7})
             self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
-            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS3 vectors found by cvss.parse_cvss_from_text()"])
             finding = Finding.objects.get(id=3)
             # invalid vector, so no calculated score and no score stored
             self.assertEqual(None, finding.cvssv3)
             self.assertEqual(None, finding.cvssv3_score)
 
-        with self.subTest(i=6):
+        with self.subTest(i=7):
             # try to put rubbish in there
             result = self.client.patch(self.url + "4/", data={"cvssv3": "happy little vector", "cvssv3_score": 3})
             self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
-            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS3 vectors found by cvss.parse_cvss_from_text()"])
             finding = Finding.objects.get(id=4)
             # invalid vector, so no calculated score and no score stored
             self.assertEqual(None, finding.cvssv3)
             self.assertEqual(None, finding.cvssv3_score)
 
-        with self.subTest(i=7):
+        with self.subTest(i=8):
             # CVSS4 prefix makes it invalid
-            result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvssv3_score": 7})
+            result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "cvssv3_score": 7})
             self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
-            self.assertEqual(result.json()["cvssv3"], ["No valid CVSS vectors found by cvss.parse_cvss_from_text()"])
+            self.assertEqual(result.json()["cvssv3"], ["CVSS(4) vector vannot be stored in the cvss3 field. Use the cvss4 fields."])
             finding = Finding.objects.get(id=3)
             # invalid vector, so no calculated score and no score stored
             self.assertEqual(None, finding.cvssv3)