Improve cvssv3 validation (#12440)

* cvssv3 validation

* remove validator calls that are no longer needed

* fix CVSS2.0 test case

* fix CVSS2.0 test case

* fix CVSS2.0 test case

* add migration

* add migration

* add TODO for parsers to check/fix

* revert testdata change

* cleanup

* fix tests, cleanup

* update parsers that didn't parse cvss correctly yet

* fix base score

* fix parser

* fix typos

* fix typos

* fix typos

* address feedback

* rebase migration

* rebase migration

* rebase migration + serializer

Author: valentijnscholten

docs/content/en/open_source/contributing/how-to-write-a-parser.md

@@ -169,15 +169,25 @@ Good example:
 ### Do not parse CVSS by hand (vector, score or severity)
 
 Data can have `CVSS` vectors or scores. Don't write your own CVSS score algorithm.
-For parser, we rely on module `cvss`.
+For parser, we rely on module `cvss`. But we also have a helper method to validate the vector and extract the base score and severity from it.
 
-It's easy to use and will make the parser aligned with the rest of the code.
+```python
+from dojo.utils import parse_cvss_data
+cvss_data = parse_cvss_data("CVSS:3.0/S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X")
+if cvss_data:
+    finding.cvssv3 = cvss_data.get("vector")
+    finding.cvssv3_score = cvss_data.get("score")
+    finding.severity = cvss_data.get("severity")  # if your tool does generate severity
+```
+
+If you need more manual processing, you can parse the `CVSS3` vector directly.
 
 Example of use:
 
 ```python
-from cvss.cvss3 import CVSS3
 import cvss.parser
+from cvss import CVSS2, CVSS3
+
 vectors = cvss.parser.parse_cvss_from_text("CVSS:3.0/S:C/C:H/I:H/A:N/AV:P/AC:H/PR:H/UI:R/E:H/RL:O/RC:R/CR:H/IR:X/AR:X/MAC:H/MPR:X/MUI:X/MC:L/MA:X")
 if len(vectors) > 0 and type(vectors[0]) is CVSS3:
     print(vectors[0].severities())  # this is the 3 severities
@@ -186,17 +196,8 @@ if len(vectors) > 0 and type(vectors[0]) is CVSS3:
     severity = vectors[0].severities()[0]
     vectors[0].compute_base_score()
     cvssv3_score = vectors[0].scores()[0]
-    print(severity)
-    print(cvssv3_score)
-```
-
-Good example:
-
-```python
-vectors = cvss.parser.parse_cvss_from_text(item['cvss_vect'])
-if len(vectors) > 0 and type(vectors[0]) is CVSS3:
-    finding.cvss = vectors[0].clean_vector()
-    finding.severity = vectors[0].severities()[0]  # if your tool does generate severity
+    finding.severity = severity
+    finding.cvssv3_score = cvssv3_score
 ```
 
 Bad example (DIY):
@@ -308,7 +309,7 @@ or like this:
 $ ./run-unittest.sh --test-case unittests.tools.test_aqua_parser.TestAquaParser
 {{< /highlight >}}
 
-If you want to run all unit tests, simply run `$ docker-compose exec uwsgi bash -c 'python manage.py test unittests -v2'`
+If you want to run all parser unit tests, simply run `$ docker-compose exec uwsgi bash -c 'python manage.py test -p "test_*_parser.py" -v2'`
 
 ### Endpoint validation
 

dojo/api_v2/serializers.py

@@ -123,7 +123,8 @@
     requires_tool_type,
 )
 from dojo.user.utils import get_configuration_permissions_codenames
-from dojo.utils import is_scan_file_too_large, tag_validator
+from dojo.utils import is_scan_file_too_large
+from dojo.validators import tag_validator
 
 logger = logging.getLogger(__name__)
 deduplicationLogger = logging.getLogger("dojo.specific-loggers.deduplication")

dojo/db_migrations/0231_alter_finding_cvssv3_alter_finding_template_cvssv3.py

@@ -0,0 +1,24 @@
+# Generated by Django 5.1.8 on 2025-05-14 06:35
+
+import dojo.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0230_alter_jira_instance_accepted_mapping_resolution_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='finding',
+            name='cvssv3',
+            field=models.TextField(help_text='Common Vulnerability Scoring System version 3 (CVSSv3) score associated with this finding.', max_length=117, null=True, validators=[dojo.validators.cvss3_validator], verbose_name='CVSS v3 vector'),
+        ),
+        migrations.AlterField(
+            model_name='finding_template',
+            name='cvssv3',
+            field=models.TextField(help_text='Common Vulnerability Scoring System version 3 (CVSSv3) score associated with this finding.', max_length=117, null=True, validators=[dojo.validators.cvss3_validator], verbose_name='CVSS v3 vector'),
+        ),
+    ]

dojo/forms.py

@@ -110,8 +110,8 @@
     get_system_setting,
     is_finding_groups_enabled,
     is_scan_file_too_large,
-    tag_validator,
 )
+from dojo.validators import tag_validator
 from dojo.widgets import TableCheckboxWidget
 
 logger = logging.getLogger(__name__)

dojo/models.py

@@ -14,7 +14,6 @@
 import hyperlink
 import tagulous.admin
 from auditlog.registry import auditlog
-from cvss import CVSS3
 from dateutil.relativedelta import relativedelta
 from django import forms
 from django.conf import settings
@@ -44,6 +43,8 @@
 from tagulous.models import TagField
 from tagulous.models.managers import FakeTagRelatedManager
 
+from dojo.validators import cvss3_validator
+
 logger = logging.getLogger(__name__)
 deduplicationLogger = logging.getLogger("dojo.specific-loggers.deduplication")
 
@@ -2331,12 +2332,11 @@ class Finding(models.Model):
                               verbose_name=_("EPSS percentile"),
                               help_text=_("EPSS percentile for the CVE. Describes how many CVEs are scored at or below this one."),
                               validators=[MinValueValidator(0.0), MaxValueValidator(1.0)])
-    cvssv3_regex = RegexValidator(regex=r"^AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]", message="CVSS must be entered in format: 'AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'")
-    cvssv3 = models.TextField(validators=[cvssv3_regex],
+    cvssv3 = models.TextField(validators=[cvss3_validator],
                               max_length=117,
                               null=True,
-                              verbose_name=_("CVSS v3"),
-                              help_text=_("Common Vulnerability Scoring System version 3 (CVSSv3) score associated with this flaw."))
+                              verbose_name=_("CVSS v3 vector"),
+                              help_text=_("Common Vulnerability Scoring System version 3 (CVSSv3) score associated with this finding."))
     cvssv3_score = models.FloatField(null=True,
                                         blank=True,
                                         verbose_name=_("CVSSv3 score"),
@@ -2698,11 +2698,17 @@ def save(self, dedupe_option=True, rules_option=True, product_grading_option=Tru
         # Synchronize cvssv3 score using cvssv3 vector
         if self.cvssv3:
             try:
-                cvss_object = CVSS3(self.cvssv3)
-                # use the environmental score, which is the most refined score
-                self.cvssv3_score = cvss_object.scores()[2]
+
+                cvss_data = parse_cvss_data(self.cvssv3)
+                if cvss_data:
+                    self.cvssv3 = cvss_data.get("vector")
+                    self.cvssv3_score = cvss_data.get("score")
+
             except Exception as ex:
-                logger.error("Can't compute cvssv3 score for finding id %i. Invalid cvssv3 vector found: '%s'. Exception: %s", self.id, self.cvssv3, ex)
+                logger.warning("Can't compute cvssv3 score for finding id %i. Invalid cvssv3 vector found: '%s'. Exception: %s.", self.id, self.cvssv3, ex)
+                # remove invalid cvssv3 vector for new findings, or should we just throw a ValidationError?
+                if self.pk is None:
+                    self.cvssv3 = None
 
         self.set_hash_code(dedupe_option)
 
@@ -3515,8 +3521,8 @@ class Finding_Template(models.Model):
                            blank=False,
                            verbose_name="Vulnerability Id",
                            help_text="An id of a vulnerability in a security advisory associated with this finding. Can be a Common Vulnerabilities and Exposures (CVE) or from other sources.")
-    cvssv3_regex = RegexValidator(regex=r"^AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]", message="CVSS must be entered in format: 'AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'")
-    cvssv3 = models.TextField(validators=[cvssv3_regex], max_length=117, null=True)
+    cvssv3 = models.TextField(help_text=_("Common Vulnerability Scoring System version 3 (CVSSv3) score associated with this finding."), validators=[cvss3_validator], max_length=117, null=True, verbose_name=_("CVSS v3 vector"))
+
     severity = models.CharField(max_length=200, null=True, blank=True)
     description = models.TextField(null=True, blank=True)
     mitigation = models.TextField(null=True, blank=True)
@@ -4632,7 +4638,11 @@ def __str__(self):
     auditlog.register(Notification_Webhooks, exclude_fields=["header_name", "header_value"])
 
 
-from dojo.utils import calculate_grade, to_str_typed  # noqa: E402  # there is issue due to a circular import
+from dojo.utils import (  # noqa: E402  # there is issue due to a circular import
+    calculate_grade,
+    parse_cvss_data,
+    to_str_typed,
+)
 
 tagulous.admin.register(Product.tags)
 tagulous.admin.register(Test.tags)

dojo/tools/aqua/parser.py

@@ -1,6 +1,7 @@
 import json
 
 from dojo.models import Finding
+from dojo.utils import parse_cvss_data
 
 
 class AquaParser:
@@ -201,6 +202,7 @@ def get_item(self, resource, vuln, test):
                     f"NVD score v2 ({score}) used for classification.\n"
                 )
             severity_justification += "\nNVD v2 vectors: {}".format(vuln.get("nvd_vectors"))
+
         severity_justification += f"\n{used_for_classification}"
         severity = self.severity_of(score)
         finding = Finding(
@@ -214,14 +216,19 @@ def get_item(self, resource, vuln, test):
             severity=severity,
             severity_justification=severity_justification,
             cwe=0,
-            cvssv3=cvssv3,
             description=description.strip(),
             mitigation=fix_version,
             references=url,
             component_name=resource.get("name"),
             component_version=resource.get("version"),
             impact=severity,
         )
+
+        cvss_data = parse_cvss_data(cvssv3)
+        if cvss_data:
+            finding.cvssv3 = cvss_data.get("vector")
+            finding.cvssv3_score = cvss_data.get("score")
+
         if vulnerability_id != "No CVE":
             finding.unsaved_vulnerability_ids = [vulnerability_id]
         if vuln.get("epss_score"):

dojo/tools/jfrog_xray_unified/parser.py

@@ -2,6 +2,7 @@
 from datetime import datetime
 
 from dojo.models import Finding
+from dojo.utils import parse_cvss_data
 
 
 class JFrogXrayUnifiedParser:
@@ -134,12 +135,16 @@ def get_item(vulnerability, test):
         dynamic_finding=False,
         references=references,
         impact=severity,
-        cvssv3=cvssv3,
         date=scan_time,
         unique_id_from_tool=vulnerability["issue_id"],
         tags=tags,
     )
 
+    cvss_data = parse_cvss_data(cvssv3)
+    if cvss_data:
+        finding.cvssv3 = cvss_data.get("vector")
+        finding.cvssv3_score = cvss_data.get("score")
+
     if vulnerability_id:
         finding.unsaved_vulnerability_ids = [vulnerability_id]
 

dojo/tools/npm_audit_7_plus/parser.py

@@ -3,6 +3,7 @@
 import logging
 
 from dojo.models import Finding
+from dojo.utils import parse_cvss_data
 
 logger = logging.getLogger(__name__)
 
@@ -166,7 +167,10 @@ def get_item(item_node, tree, test):
         dojo_finding.cwe = cwe
 
     if (cvssv3 is not None) and (len(cvssv3) > 0):
-        dojo_finding.cvssv3 = cvssv3
+        cvss_data = parse_cvss_data(cvssv3)
+        if cvss_data:
+            dojo_finding.cvssv3 = cvss_data.get("vector")
+            dojo_finding.cvssv3_score = cvss_data.get("score")
 
     return dojo_finding
 

dojo/tools/qualys/csv_parser.py

@@ -8,6 +8,7 @@
 from django.conf import settings
 
 from dojo.models import Endpoint, Finding
+from dojo.utils import parse_cvss_data
 
 _logger = logging.getLogger(__name__)
 
@@ -227,8 +228,13 @@ def build_findings_from_dict(report_findings: [dict]) -> [Finding]:
                 impact=report_finding["Impact"],
                 date=date,
                 vuln_id_from_tool=report_finding["QID"],
-                cvssv3=cvssv3,
             )
+            # Make sure vector is valid
+            cvss_data = parse_cvss_data(cvssv3)
+            if cvss_data:
+                finding.cvssv3 = cvss_data.get("vector")
+                finding.cvssv3_score = cvss_data.get("score")
+
             # Qualys reports regression findings as active, but with a Date Last
             # Fixed.
             if report_finding["Date Last Fixed"]:

dojo/tools/qualys/parser.py

@@ -8,6 +8,7 @@
 
 from dojo.models import Endpoint, Finding
 from dojo.tools.qualys import csv_parser
+from dojo.utils import parse_cvss_data
 
 logger = logging.getLogger(__name__)
 
@@ -352,7 +353,11 @@ def parse_finding(host, tree):
         finding.is_mitigated = temp["mitigated"]
         finding.active = temp["active"]
         if temp.get("CVSS_vector") is not None:
-            finding.cvssv3 = temp.get("CVSS_vector")
+            cvss_data = parse_cvss_data(temp.get("CVSS_vector"))
+            if cvss_data:
+                finding.cvssv3 = cvss_data.get("vector")
+                finding.cvssv3_score = cvss_data.get("score")
+
         if temp.get("CVSS_value") is not None:
             finding.cvssv3_score = temp.get("CVSS_value")
         finding.verified = True