fix typos

Author: valentijnscholten

dojo/models.py

@@ -10,7 +10,6 @@
 from pathlib import Path
 from uuid import uuid4
 
-import cvss.parser
 import dateutil
 import hyperlink
 import tagulous.admin
@@ -2700,9 +2699,12 @@ def save(self, dedupe_option=True, rules_option=True, product_grading_option=Tru
         # Synchronize cvssv3 score using cvssv3 vector
         if self.cvssv3:
             try:
-                cvss_vector = cvss.parser.parse_cvss_from_text(self.cvssv3)
-                # use the environmental score, which is the most refined score
-                self.cvssv3_score = cvss_vector.scores()[2]
+
+                cvss_data = parse_cvss_data(self.cvssv3)
+                if cvss_data:
+                    self.cvss3 = cvss_data.get("vector")
+                    self.cvssv3_score = cvss_data.get("score")
+
             except Exception as ex:
                 logger.warning("Can't compute cvssv3 score for finding id %i. Invalid cvssv3 vector found: '%s'. Exception: %s.", self.id, self.cvssv3, ex)
                 # should we set self.cvssv3 to None here to avoid storing invalid vectors? it would also remove invalid vectors on existing findings...
@@ -4635,7 +4637,11 @@ def __str__(self):
     auditlog.register(Notification_Webhooks, exclude_fields=["header_name", "header_value"])
 
 
-from dojo.utils import calculate_grade, to_str_typed  # noqa: E402  # there is issue due to a circular import
+from dojo.utils import (  # noqa: E402  # there is issue due to a circular import
+    calculate_grade,
+    parse_cvss_data,
+    to_str_typed,
+)
 
 tagulous.admin.register(Product.tags)
 tagulous.admin.register(Test.tags)

dojo/tools/qualys/csv_parser.py

@@ -232,7 +232,7 @@ def build_findings_from_dict(report_findings: [dict]) -> [Finding]:
             # Make sure vector is valid
             cvss_data = parse_cvss_data(cvssv3)
             if cvss_data:
-                finding.cvss3 = cvss_data.get("vector")
+                finding.cvssv3 = cvss_data.get("vector")
                 finding.cvssv3_score = cvss_data.get("score")
 
             # Qualys reports regression findings as active, but with a Date Last

dojo/tools/qualys/parser.py

@@ -352,11 +352,14 @@ def parse_finding(host, tree):
         finding.mitigated = temp["mitigation_date"]
         finding.is_mitigated = temp["mitigated"]
         finding.active = temp["active"]
+        logger.debug("CVSS_Vector: %s", temp.get("CVSS_vector"))
         if temp.get("CVSS_vector") is not None:
+            logger.debug("CVSS_Vector: %s", temp.get("CVSS_vector"))
             cvss_data = parse_cvss_data(temp.get("CVSS_vector"))
+            logger.debug("cvss_data: %s", cvss_data)
             if cvss_data:
-                finding.cvss3 = cvss_data.get("vector")
-                finding.cvss3_score = cvss_data.get("score")
+                finding.cvssv3 = cvss_data.get("vector")
+                finding.cvssv3_score = cvss_data.get("score")
 
         if temp.get("CVSS_value") is not None:
             finding.cvssv3_score = temp.get("CVSS_value")

dojo/tools/sysdig_cli/parser.py

@@ -108,7 +108,7 @@ def parse_json(self, data, test):
                         finding.cvssv3_score = vulnCvssScore
                         vectors = cvss.parser.parse_cvss_from_text(vulnCvssVector)
                         if len(vectors) > 0 and isinstance(vectors[0], CVSS3):
-                            finding.cvss = vectors[0].clean_vector()
+                            finding.cvssv3 = vectors[0].clean_vector()
                 except ValueError:
                     continue
 
@@ -164,7 +164,7 @@ def parse_csv(self, arr_data, test):
                     finding.cvssv3_score = float(row.cvss_score)
                     vectors = cvss.parser.parse_cvss_from_text(row.cvss_vector)
                     if len(vectors) > 0 and isinstance(vectors[0], CVSS3):
-                        finding.cvss = vectors[0].clean_vector()
+                        finding.cvssv3 = vectors[0].clean_vector()
             except ValueError:
                 continue
             finding.risk_accepted = row.risk_accepted

dojo/tools/sysdig_reports/parser.py

@@ -221,7 +221,7 @@ def parse_csv(self, arr_data, test):
                     finding.cvssv3_score = float(row.cvss_score)
                     vectors = cvss.parser.parse_cvss_from_text(row.cvss_vector)
                     if len(vectors) > 0 and isinstance(vectors[0], CVSS3):
-                        finding.cvss = vectors[0].clean_vector()
+                        finding.cvssv3 = vectors[0].clean_vector()
             except ValueError:
                 continue
             finding.risk_accepted = row.risk_accepted

dojo/tools/trivy/parser.py

@@ -167,6 +167,7 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     severity_source = vuln.get("SeveritySource", None)
                     cvss = vuln.get("CVSS", None)
                     cvssv3 = None
+                    cvssv3_score = None
                     if severity_source is not None and cvss is not None:
                         cvssclass = cvss.get(severity_source, None)
                         if cvssclass is not None:

dojo/utils.py

@@ -2666,7 +2666,7 @@ def parse_cvss_data(cvss_vector_string: str) -> dict:
     if len(vectors) > 0 and type(vectors[0]) is CVSS3:
         return {
             "vector": vectors[0].clean_vector(),
-            "score": vectors[0].scores()[0],
+            "score": vectors[0].scores()[2],  # environmental score is the most detailed one
             "severity":  vectors[0].severities()[0],
         }
     logger.debug("No valid CVSS3 vector found in %s", cvss_vector_string)