openscap: also importing description and rationale #12602


Open: wants to merge 1 commit into base branch dev
Conversation

dd-alexander

@dd-alexander dd-alexander commented Jun 13, 2025

Description

Importing more than just IdRef and Title of XCCDF Findings.

before: (screenshot)

after: (screenshot)

notes

Results in the OpenSCAP XCCDF result.xml contain `<code>` and `<pre>` boxes for code. html2text seems unable to convert those boxes to proper markup for DefectDojo. Does anybody have an idea how to improve the style for descriptions?

Example description from the result.xml (yes, the indentation is that bad in the original file):

```xml
...
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for <html:code xmlns:html="http://www.w3.org/1999/xhtml">PermitEmptyPasswords</html:code>.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in


<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</html:code>:

<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">PermitEmptyPasswords no</html:pre>
Any accounts with empty passwords should be disabled immediately, and PAM configuration
should prevent users from being able to assign themselves empty passwords.</description>
...
```

Test results

No unit tests, but checked functionality on running DefectDojo instance.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.
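One way around the html2text limitation described in the notes above, as an added example that is not the PR's code: walk the XCCDF `description` element with ElementTree and map the XHTML `code`, `pre` and `br` children to Markdown directly, so that `<pre>` content survives byte-for-byte. The sample `Rule` fragment is constructed from the description quoted above, and the XCCDF 1.2 namespace is assumed for the result file.

```python
import re
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"   # assumed namespace of result.xml
XHTML = "http://www.w3.org/1999/xhtml"
FENCE = "`" * 3                                  # Markdown code fence
# Constructed sample modelled on the <description> quoted in the PR (not a real result.xml).
SAMPLE_XML = f"""<Rule xmlns="{XCCDF}" xmlns:html="{XHTML}" id="constructed_rule">
  <description xml:lang="en-US">Disallow SSH login with empty passwords.
The appropriate configuration is used if no value is set for <html:code>PermitEmptyPasswords</html:code>.
<html:br/>
To explicitly disallow SSH login from accounts with empty passwords,
add or correct the following line in
<html:code>/etc/ssh/sshd_config.d/00-complianceascode-hardening.conf</html:code>:
<html:br/>
        <html:pre>PermitEmptyPasswords no</html:pre>
Any accounts with empty passwords should be disabled immediately.</description>
</Rule>"""

def description_to_markdown(desc: ET.Element) -> str:
    """Render an XCCDF <description> as Markdown, mapping XHTML code/pre/br by hand."""
    parts = [desc.text or ""]
    for child in desc:
        local = child.tag.split("}")[-1]            # strip the namespace
        inner = "".join(child.itertext())           # includes nested text
        if local == "code":
            parts.append(f"`{inner}`")
        elif local == "pre":
            parts.append(f"\n{FENCE}\n{inner}\n{FENCE}\n")
        elif local == "br":
            parts.append("\n")
        else:                                       # unknown tag: keep text only
            parts.append(inner)
        parts.append(child.tail or "")
    return _tidy("".join(parts))

def _tidy(text: str) -> str:
    """Strip indentation outside fences, collapse blank lines, keep <pre> verbatim."""
    out, in_fence = [], False
    for line in text.splitlines():
        if line.strip() == FENCE:                   # fence toggles verbatim mode
            in_fence = not in_fence
        out.append(line if in_fence else line.strip())
    return re.sub(r"\n{3,}", "\n\n", "\n".join(out)).strip()

def markdown_from_xccdf(xml_text: str) -> str:
    """Parse a Rule fragment and render its first <description>."""
    root = ET.fromstring(xml_text)
    desc = next(root.iter(f"{{{XCCDF}}}description"))
    return description_to_markdown(desc)
```

Because the rendered text ends up in the finding's description, which the default hash_code fields include, keep the rendering deterministic or deduplication across reimports will break.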


DryRun Security

No security concerns detected in this pull request.


All finding details can be found in the DryRun Security Dashboard.


@valentijnscholten valentijnscholten left a comment


Thank you for the PR, some remarks:

  • Can you add/update the unit tests and sample to contain this rationale and description items?
  • Can you look at whether it's possible to have a hash code field configuration for this parser? By default it uses ['title', 'cwe', 'line', 'file_path', 'description']. So if the description changes, the upgrade notes should contain instructions for users to recalculate the hash_codes.

@dd-alexander dd-alexander (Author) commented

> Thank you for the PR, some remarks:
>
> * Can you add/update the unit tests and sample to contain this rationale and description items?
>
> * Can you look at if it's possible to have a hash code field configuration for this parser? By default it uses ['title', 'cwe', 'line', 'file_path', 'description']. So if the description changes the upgrade notes should contain instructions for users to recalculate the hash_codes.

  • Where would be the place to add those tests? I'm not really familiar with the dojo codebase, and in the various tests folders I could only find dojo-related and not tool/plugin related tests.
  • I'm not quite sure what you mean with hash-code field; could you please point me to a tool/plugin that has this already implemented?

@dd-alexander dd-alexander force-pushed the dd_openscap_descriptions branch from a3142a5 to 837ec63 on June 16, 2025 06:38
@dd-alexander dd-alexander force-pushed the dd_openscap_descriptions branch from 837ec63 to c34bc22 on June 16, 2025 08:05

@valentijnscholten valentijnscholten (Member) commented

Could you look at https://github.com/DefectDojo/django-DefectDojo/blob/master/unittests/tools/test_openscap_parser.py and
. The hash code configuration is used to calculate a unique id for each finding and use that for deduplication and reimport.
