revert back to overriding the score field always

Author: valentijnscholten

docs/content/en/open_source/contributing/how-to-write-a-parser.md

@@ -179,9 +179,8 @@ There's also a helper method to validate the vector and extract the base score a
     if cvss_data:
         finding.severity = cvss_data["severity"]
         finding.cvssv3 = cvss_data["cvssv3"]
-        finding.cvssv3_score = cvss_data["cvssv3_score"]
         finding.cvssv4 = cvss_data["cvssv4"]
-        finding.cvssv4_score = cvss_data["cvssv4_score"]
+        # we don't set any score fields as those will be overwritten by Defect Dojo
 ```
 Not all values have to be used as scan reports usuyall provide their own value for `severity`.
 And sometimes also for `cvss_score`. Defect Dojo will not overwrite any `cvss3_score` or `cvss4_score`.

dojo/db_migrations/0234_finding_cvssv4_finding_cvssv4_score.py

@@ -20,7 +20,7 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='finding',
             name='cvssv3_score',
-            field=models.FloatField(blank=True, help_text='Numerical CVSS3 score for the vulnerability. If the vector is given without a score, the score is calcaulated while saving the finding. The value must be between 0-10.', null=True, validators=[django.core.validators.MinValueValidator(0.0), django.core.validators.MaxValueValidator(10.0)], verbose_name='CVSS3 Score'),
+            field=models.FloatField(blank=True, help_text='Numerical CVSSv3 score for the vulnerability. If the vector is given, the score is updated while saving the finding. The value must be between 0-10.', null=True, validators=[django.core.validators.MinValueValidator(0.0), django.core.validators.MaxValueValidator(10.0)], verbose_name='CVSS3 Score'),
         ),
         migrations.AddField(
             model_name='finding',
@@ -30,16 +30,16 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='finding',
             name='cvssv4_score',
-            field=models.FloatField(blank=True, help_text='Numerical CVSS4 score for the vulnerability. If the vector is given without a score, the score is calcaulated while saving the finding. The value must be between 0-10.', null=True, validators=[django.core.validators.MinValueValidator(0.0), django.core.validators.MaxValueValidator(10.0)], verbose_name='CVSSv4 Score'),
+            field=models.FloatField(blank=True, help_text='Numerical CVSSv4 score for the vulnerability. If the vector is given, the score is updated while saving the finding. The value must be between 0-10.', null=True, validators=[django.core.validators.MinValueValidator(0.0), django.core.validators.MaxValueValidator(10.0)], verbose_name='CVSSv4 Score'),
         ),
         migrations.AddField(
             model_name='system_settings',
             name='enable_cvss3_display',
-            field=models.BooleanField(default=True, help_text='With this setting turned off, CVSS3 fields will be hidden in the user interface.', verbose_name='Enable CVSS3 Display'),
+            field=models.BooleanField(blank=False, default=True, help_text='With this setting turned off, CVSS3 fields will be hidden in the user interface.', verbose_name='Enable CVSS3 Display'),
         ),
         migrations.AddField(
             model_name='system_settings',
             name='enable_cvss4_display',
-            field=models.BooleanField(default=True, help_text='With this setting turned off, CVSS4 fields will be hidden in the user interface.', verbose_name='Enable CVSS4 Display'),
+            field=models.BooleanField(blank=False, default=True, help_text='With this setting turned off, CVSS4 fields will be hidden in the user interface.', verbose_name='Enable CVSS4 Display'),
         ),        
     ]

dojo/models.py

@@ -2363,7 +2363,7 @@ class Finding(models.Model):
     cvssv3_score = models.FloatField(null=True,
                                         blank=True,
                                         verbose_name=_("CVSS3 Score"),
-                                        help_text=_("Numerical CVSS3 score for the vulnerability. If the vector is given without a score, the score is calcaulated while saving the finding. The value must be between 0-10."),
+                                        help_text=_("Numerical CVSSv3 score for the vulnerability. If the vector is given, the score is updated while saving the finding. The value must be between 0-10."),
                                         validators=[MinValueValidator(0.0), MaxValueValidator(10.0)])
 
     cvssv4 = models.TextField(validators=[cvss4_validator],
@@ -2374,7 +2374,7 @@ class Finding(models.Model):
     cvssv4_score = models.FloatField(null=True,
                                         blank=True,
                                         verbose_name=_("CVSSv4 Score"),
-                                        help_text=_("Numerical CVSS4 score for the vulnerability. If the vector is given without a score, the score is calcaulated while saving the finding. The value must be between 0-10."),
+                                        help_text=_("Numerical CVSSv4 score for the vulnerability. If the vector is given, the score is updated while saving the finding. The value must be between 0-10."),
                                         validators=[MinValueValidator(0.0), MaxValueValidator(10.0)])
 
     url = models.TextField(null=True,
@@ -2739,8 +2739,7 @@ def save(self, dedupe_option=True, rules_option=True, product_grading_option=Tru
                 cvss_data = parse_cvss_data(self.cvssv3)
                 if cvss_data:
                     self.cvssv3 = cvss_data.get("cvssv3")
-                    if not self.cvssv3_score:
-                        self.cvssv3_score = cvss_data.get("cvssv3_score")
+                    self.cvssv3_score = cvss_data.get("cvssv3_score")
 
             except Exception as ex:
                 logger.warning("Can't compute cvssv3 score for finding id %i. Invalid cvssv3 vector found: '%s'. Exception: %s.", self.id, self.cvssv3, ex)
@@ -2754,8 +2753,7 @@ def save(self, dedupe_option=True, rules_option=True, product_grading_option=Tru
                 cvss_data = parse_cvss_data(self.cvssv4)
                 if cvss_data:
                     self.cvssv4 = cvss_data.get("cvssv4")
-                    if not self.cvssv4_score:
-                        self.cvssv4_score = cvss_data.get("cvssv4_score")
+                    self.cvssv4_score = cvss_data.get("cvssv4_score")
 
             except Exception as ex:
                 logger.warning("Can't compute cvssv4 score for finding id %i. Invalid cvssv4 vector found: '%s'. Exception: %s.", self.id, self.cvssv4, ex)

dojo/tools/auditjs/parser.py

@@ -104,11 +104,7 @@ def get_findings(self, filename, test):
                         cvssv4 = cvss_data["cvssv4"]
                         # The score in the report can be different from what the cvss library calulates
                         if cvss_data["major_version"] == 2:
-                            description += "\nCVSS V2 Vector:" + cvss_data["cvssv2"]
-                        if cvss_data["major_version"] == 3:
-                            cvssv3_score = cvss_score
-                        if cvss_data["major_version"] == 4:
-                            cvssv4_score = cvss_score
+                            description += "\nCVSS V2 Vector:" + cvss_data["cvssv2"] + " (Score: " + cvss_score + ")"
                     else:
                         # If there is no vector, calculate severity based on CVSS score
                         severity = self.get_severity(cvss_score)

dojo/tools/ptart/assessment_parser.py

@@ -45,17 +45,11 @@ def get_finding(self, assessment, hit):
             finding.cve = hit.get("id")
 
         cvss_vector = hit.get("cvss_vector", None)
-        cvss_score = hit.get("cvss_score", None)
         if cvss_vector:
             cvss_data = parse_cvss_data(cvss_vector)
             if cvss_data:
                 finding.cvssv3 = cvss_data["cvssv3"]
                 finding.cvssv4 = cvss_data["cvssv4"]
-                # The score in the report can be different from what the cvss library calulates
-                if cvss_data["major_version"] == 3:
-                    finding.cvssv3_score = cvss_score
-                if cvss_data["major_version"] == 4:
-                    finding.cvssv4_score = cvss_score
 
         if "labels" in hit:
             finding.unsaved_tags = hit["labels"]

dojo/tools/ptart/retest_parser.py

@@ -79,17 +79,11 @@ def get_finding(self, retest, hit):
             finding.cve = original_hit.get("id")
 
         cvss_vector = original_hit.get("cvss_vector", None)
-        cvss_score = original_hit.get("cvss_score", None)
         if cvss_vector:
             cvss_data = parse_cvss_data(cvss_vector)
             if cvss_data:
                 finding.cvssv3 = cvss_data["cvssv3"]
                 finding.cvssv4 = cvss_data["cvssv4"]
-                # The score in the report can be different from what the cvss library calulates
-                if cvss_data["major_version"] == 3:
-                    finding.cvssv3_score = cvss_score
-                if cvss_data["major_version"] == 4:
-                    finding.cvssv4_score = cvss_score
 
         if "labels" in original_hit:
             finding.unsaved_tags = original_hit["labels"]

dojo/utils.py

@@ -2722,6 +2722,7 @@ def parse_cvss_data(cvss_vector_string: str) -> dict:
             major_version = 4
             cvssv4 = vector.clean_vector()
             cvssv4_score = vector.scores()[0]
+            logger.debug("CVSS4 vector: %s, score: %s", cvssv4, cvssv4_score)
             severity = vector.severities()[0]
         elif type(vector) is CVSS3:
             major_version = 3

run-unittest.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 unset TEST_CASE
+unset FAIL_FAST
 
 bash ./docker/docker-compose-check.sh
 if [[ $? -eq 1 ]]; then exit 1; fi
@@ -10,6 +11,7 @@ usage() {
   echo
   echo "Options:"
   echo "  --test-case -t {YOUR_FULLY_QUALIFIED_TEST_CASE}"
+  echo "  --fail-fast -f - stop on first test failure"
   echo "  --help -h - prints this dialogue."
   echo
   echo "You must specify a test case (arg)!"
@@ -25,6 +27,10 @@ while [[ $# -gt 0 ]]; do
       shift # past argument
       shift # past value
       ;;
+    -f|--fail-fast)
+      FAIL_FAST="--failfast"
+      shift # past argument
+      ;;
     -h|--help)
       usage
       exit 0
@@ -49,8 +55,11 @@ then
   exit 1
 fi
 
+# docker compose exec uwsgi bash -c "python manage.py migrate dojo 0233"
+# docker compose exec uwsgi bash -c "python manage.py migrate dojo 0234"
+
 echo "Running docker compose unit tests with test case $TEST_CASE ..."
 # Compose V2 integrates compose functions into the Docker platform, continuing to support
 # most of the  previous docker-compose features and flags. You can run Compose V2 by
 # replacing the hyphen (-) with a space, using docker compose, instead of docker-compose.
-docker compose exec uwsgi bash -c "python manage.py test $TEST_CASE -v2 --keepdb"
+docker compose exec uwsgi bash -c "python manage.py test $TEST_CASE -v2 --keepdb $FAIL_FAST"

unittests/test_rest_framework.py

@@ -1287,9 +1287,9 @@ def test_cvss3_validation(self):
             result = self.client.patch(self.url + "2/", data={"cvssv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvssv3_score": 3})
             self.assertEqual(result.status_code, status.HTTP_200_OK)
             finding = Finding.objects.get(id=2)
-            # valid so vector must be set and score calculated does not ovewrite the score provided by us/the report
+            # valid so vector must be set and score calculated overrides the provided score
             self.assertEqual("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", finding.cvssv3)
-            self.assertEqual(3.0, finding.cvssv3_score)
+            self.assertEqual(8.8, finding.cvssv3_score)
 
         with self.subTest(i=1):
             result = self.client.patch(self.url + "5/", data={"cvssv3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"})
@@ -1329,24 +1329,6 @@ def test_cvss3_validation(self):
             self.assertEqual(None, finding.cvssv3)
             self.assertEqual(None, finding.cvssv3_score)
 
-        with self.subTest(i=4):
-            # CVSS4 version valid
-            result = self.client.patch(self.url + "3/", data={"cvssv4": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "cvssv4_score": 5})
-            self.assertEqual(result.status_code, status.HTTP_200_OK)
-            finding = Finding.objects.get(id=3)
-            # invalid vector, so no calculated score and our provided score is stored (not overwritten)
-            self.assertEqual("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", finding.cvssv4)
-            self.assertEqual(5.0, finding.cvssv4_score)
-
-        with self.subTest(i=14):
-            # CVSS4 version valid, calculate score
-            result = self.client.patch(self.url + "3/", data={"cvssv4": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"})
-            self.assertEqual(result.status_code, status.HTTP_200_OK)
-            finding = Finding.objects.get(id=3)
-            # invalid vector, so no calculated score and our provided score is stored (not overwritten)
-            self.assertEqual("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", finding.cvssv4)
-            self.assertEqual(5.0, finding.cvssv4_score)
-
         with self.subTest(i=5):
             # CVSS2 style vector makes not supported
             result = self.client.patch(self.url + "3/", data={"cvssv3": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "cvssv3_score": 6})
@@ -1378,7 +1360,7 @@ def test_cvss3_validation(self):
             self.assertEqual(None, finding.cvssv3_score)
 
         with self.subTest(i=8):
-            # CVSS4
+            # CVSS4 in cvssv3 field
             result = self.client.patch(self.url + "3/", data={"cvssv3": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "cvssv3_score": 7})
             self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
             self.assertEqual(result.json()["cvssv3"], ["CVSS4 vector cannot be stored in the cvssv3 field. Use the cvssv4 field."])
@@ -1387,6 +1369,85 @@ def test_cvss3_validation(self):
             self.assertEqual(None, finding.cvssv3)
             self.assertEqual(None, finding.cvssv3_score)
 
+    def test_cvss4_validation(self):
+        self.maxDiff = None
+        with self.subTest(i=0):
+            self.assertEqual(None, Finding.objects.get(id=2).cvssv3)
+            result = self.client.patch(self.url + "2/", data={"cvssv4": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:M/U:Green/MAV:A/MAC:H/MAT:P/MPR:L/MUI:P/MVC:L/MVI:L/MVA:L/MSC:L/MSI:H/MSA:H/CR:M/IR:M/AR:M/E:A", "cvssv4_score": 3})
+            self.assertEqual(result.status_code, status.HTTP_200_OK)
+            finding = Finding.objects.get(id=2)
+            # valid so vector must be set and score calculated overrides the provided score
+            self.assertEqual("CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:M/U:Green/MAV:A/MAC:H/MAT:P/MPR:L/MUI:P/MVC:L/MVI:L/MVA:L/MSC:L/MSI:H/MSA:H/CR:M/IR:M/AR:M/E:A", finding.cvssv4)
+            self.assertEqual(2.3, finding.cvssv4_score)
+
+        with self.subTest(i=1):
+            result = self.client.patch(self.url + "5/", data={"cvssv4": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:M/U:Green/MAV:A/MAC:H/MAT:P/MPR:L/MUI:P/MVC:L/MVI:L/MVA:L/MSC:L/MSI:H/MSA:H/CR:M/IR:M/AR:M/E:A"})
+            self.assertEqual(result.status_code, status.HTTP_200_OK)
+            finding = Finding.objects.get(id=5)
+            # valid so vector must be set and score calculated
+            self.assertEqual("CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:M/U:Green/MAV:A/MAC:H/MAT:P/MPR:L/MUI:P/MVC:L/MVI:L/MVA:L/MSC:L/MSI:H/MSA:H/CR:M/IR:M/AR:M/E:A", finding.cvssv4)
+            self.assertEqual(2.3, finding.cvssv4_score)
+
+        with self.subTest(i=2):
+            # extra slash makes it invalid
+            result = self.client.patch(self.url + "3/", data={"cvssv4": "CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/R:U/V:C/RE:M/U:Green/MAV:A/MAC:H/MAT:P/MPR:L/MUI:P/MVC:L/MVI:L/MVA:L/MSC:L/MSI:H/MSA:H/CR:M/IR:M/AR:M/E:A/", "cvssv4_score": 3})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            finding = Finding.objects.get(id=3)
+            self.assertEqual(result.json()["cvssv4"], ["No valid CVSS4 vectors found by cvss.parse_cvss_from_text()"])
+            # invalid vector, so no calculated score and no score stored
+            self.assertEqual(None, finding.cvssv3)
+            self.assertEqual(None, finding.cvssv3_score)
+
+        with self.subTest(i=3):
+            # no CVSS version prefix makes it invalid
+            result = self.client.patch(self.url + "3/", data={"cvssv4": "AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N", "cvssv4_score": 4})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            finding = Finding.objects.get(id=3)
+            self.assertEqual(result.json()["cvssv4"], ["No valid CVSS4 vectors found by cvss.parse_cvss_from_text()"])
+            # invalid vector, so no calculated score and no score stored
+            self.assertEqual(None, finding.cvssv3)
+            self.assertEqual(None, finding.cvssv3_score)
+
+        with self.subTest(i=5):
+            # CVSS2 style vector makes not supported
+            result = self.client.patch(self.url + "3/", data={"cvssv4": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "cvssv4_score": 6})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertEqual(result.json()["cvssv4"], ["Unsupported CVSS2 version detected."])
+            finding = Finding.objects.get(id=3)
+            # invalid vector, so no calculated score and no score stored
+            self.assertEqual(None, finding.cvssv4)
+            self.assertEqual(None, finding.cvssv4_score)
+
+        with self.subTest(i=6):
+            # CVSS2 prefix makes it invalid
+            result = self.client.patch(self.url + "3/", data={"cvssv4": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cvssv4_score": 7})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertEqual(result.json()["cvssv4"], ["No valid CVSS4 vectors found by cvss.parse_cvss_from_text()"])
+            finding = Finding.objects.get(id=3)
+            # invalid vector, so no calculated score and no score stored
+            self.assertEqual(None, finding.cvssv4)
+            self.assertEqual(None, finding.cvssv4_score)
+
+        with self.subTest(i=7):
+            # try to put rubbish in there
+            result = self.client.patch(self.url + "4/", data={"cvssv4": "happy little vector", "cvssv4_score": 3})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertEqual(result.json()["cvssv4"], ["No valid CVSS4 vectors found by cvss.parse_cvss_from_text()"])
+            finding = Finding.objects.get(id=4)
+            # invalid vector, so no calculated score and no score stored
+            self.assertEqual(None, finding.cvssv4)
+            self.assertEqual(None, finding.cvssv4_score)
+
+        with self.subTest(i=8):
+            # CVSS3 in CVSS4 field
+            result = self.client.patch(self.url + "3/", data={"cvssv4": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvssv4_score": 7})
+            self.assertEqual(result.status_code, status.HTTP_400_BAD_REQUEST)
+            self.assertEqual(result.json()["cvssv4"], ["CVSS3 vector cannot be stored in the cvssv4 field. Use the cvssv3 field."])
+            finding = Finding.objects.get(id=3)
+            # invalid vector, so no calculated score and no score stored
+            self.assertEqual(None, finding.cvssv4)
+            self.assertEqual(None, finding.cvssv4_score)
+
 
 class FindingMetadataTest(BaseClass.BaseClassTest):
     fixtures = ["dojo_testdata.json"]