
🐛 Implement Wazuh v4.8 #12739


Open: wants to merge 7 commits into base: bugfix

Conversation

manuel-sommer
Contributor

@manuel-sommer manuel-sommer marked this pull request as ready for review July 3, 2025 10:44

dryrunsecurity bot commented Jul 3, 2025

DryRun Security

This pull request contains a potential code issue in the parse_findings method of dojo/tools/wazuh/v4_7.py, where an undefined 'id' variable might cause unexpected behavior due to the built-in id() function always being truthy, though the issue is not considered blocking.

Undefined Variable Usage in dojo/tools/wazuh/v4_7.py
Vulnerability: Undefined Variable Usage
Description: In the parse_findings method, an undefined 'id' variable is used in a conditional statement. This could lead to unexpected behavior due to the built-in id() function always being truthy, potentially masking intended logic checks.

import hashlib
from dojo.models import Endpoint, Finding


class WazuhV4_7:
    def parse_findings(self, test, data):
        dupes = {}
        vulnerabilities = data.get("data", {}).get("affected_items", [])
        for item in vulnerabilities:
            # skip entries that have no fix available or are not yet triaged
            if (
                item["condition"] != "Package unfixed"
                and item["severity"] != "Untriaged"
            ):
                cve = item.get("cve")
                package_name = item.get("name")
                package_version = item.get("version")
                description = item.get("condition")
                severity = item.get("severity").capitalize()
                agent_ip = item.get("agent_ip")
                links = item.get("external_references")
                cvssv3_score = item.get("cvss3_score")
                publish_date = item.get("published")
                agent_name = item.get("agent_name")
                detection_time = item.get("detection_time").split("T")[0]
                references = "\n".join(links) if links else None
                title = (
                    item.get("title") + " (version: " + package_version + ")"
                )
                # deduplication key, hashed so it doubles as a fixed-length unique_id_from_tool
                if agent_name:
                    dupe_key = title + cve + agent_name + package_name + package_version
                else:
                    dupe_key = title + cve + package_name + package_version
                dupe_key = hashlib.sha256(dupe_key.encode("utf-8")).hexdigest()
                if dupe_key in dupes:
                    find = dupes[dupe_key]
                else:
                    dupes[dupe_key] = True
                    find = Finding(
                        title=title,
                        test=test,
                        description=description,
                        severity=severity,
                        references=references,
                        static_finding=True,
                        component_name=package_name,
                        component_version=package_version,
                        cvssv3_score=cvssv3_score,
                        publish_date=publish_date,
                        unique_id_from_tool=dupe_key,
                        date=detection_time,
                    )
                    # in some cases the agent_ip is not the perfect way on how to identify a host. Thus prefer the agent_name, if existent.
                    if agent_name:
                        find.unsaved_endpoints = [Endpoint(host=agent_name)]
                    elif agent_ip:
                        find.unsaved_endpoints = [Endpoint(host=agent_ip)]
                    # `id` is the Python builtin here (no local variable of that name is
                    # defined), so this condition is always true; this is the issue flagged above
                    if id:
                        find.unsaved_vulnerability_ids = cve
                    dupes[dupe_key] = find
        return list(dupes.values())


All finding details can be found in the DryRun Security Dashboard.

@manuel-sommer
Contributor Author

Could you please test this @9alexx3 and @captainjuju42 ?

Contributor

@9alexx3 9alexx3 left a comment


After running unittest, my examples, and comparing with the previous version, here are my observations:

  1. Added name and version fields for the package.
  2. Updated the title to include those fields, maintaining compatibility with the previous syntax (CVE Affects package_name ( package_version ) on agent_id).
  3. The vulnerability ID shows only as "C" instead of the full CVE.
    3.1 The remaining part of the CVE string appears under "additional vulnerability IDs".
  4. There are warnings related to deduplication.

Extra for implementing the Wazuh parser:
Regarding the previous comment about an official method to extract findings from @valentijnscholten — I’m currently in contact with Wazuh Team and have a Python script for this. I’ll make the necessary adjustments to integrate it with DefectDojo.

references = vuln.get("reference")

title = (
cve + " (agent_id: " + agent_id + ")"

Updated the title to include package_name and package_version, like the previous syntax CVE Affects package_name ( package_version ) on agent_id.

vulnerabilities = data.get("hits", {}).get("hits", [])
for item_source in vulnerabilities:
item = item_source.get("_source")
vuln = item.get("vulnerability")

Add the package object too, to get the package_name and package_version fields.

for item_source in vulnerabilities:
item = item_source.get("_source")
vuln = item.get("vulnerability")
cve = vuln.get("id")

In my case, the vulnerability ID shows only as "C" instead of the full CVE.
The remaining part of the CVE string appears under "additional vulnerability IDs".

Example of the field:
"id": "CVE-2020-35527",
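The two defects discussed in this thread, the always-true `if id:` guard flagged by the DryRun bot and the vulnerability ID showing up as "C" with the rest of the CVE string under "additional vulnerability IDs", have the same root: the parser tests the wrong name and then assigns the CVE as a bare string, which is later iterated character by character. The following is an added example, not code from the PR or from DefectDojo. It uses a minimal `MockFinding` stand-in for `dojo.models.Finding`, a constructed `hits.hits[]._source` document (the `agent.id` path is an assumption; the PR only shows `vulnerability.id`, `vulnerability.reference` and the package fields), and shows the reviewed behaviour next to the corrected one.

```python
from dataclasses import dataclass, field

# Constructed sample shaped like the Wazuh 4.8 indexer export discussed in the
# review: hits.hits[]._source.vulnerability / .package. The agent id living at
# _source.agent.id is an assumption for this example, not taken from the PR.
SAMPLE_V4_8 = {
    "hits": {
        "hits": [
            {
                "_source": {
                    "agent": {"id": "001"},
                    "package": {"name": "libsqlite3-0", "version": "3.31.1-4"},
                    "vulnerability": {
                        "id": "CVE-2020-35527",
                        "severity": "High",
                        "description": "constructed description",
                        "reference": "https://example.invalid/CVE-2020-35527",
                    },
                }
            },
            {
                # constructed record that carries no vulnerability id at all
                "_source": {
                    "agent": {"id": "002"},
                    "package": {"name": "curl", "version": "7.68.0-1"},
                    "vulnerability": {"severity": "Low", "description": "constructed, no id"},
                }
            },
        ]
    }
}


@dataclass
class MockFinding:
    """Stand-in for dojo.models.Finding with only what this example needs."""
    title: str
    description: str = ""
    unsaved_vulnerability_ids: object = field(default_factory=list)

    def vulnerability_ids(self):
        # Model of how the importer consumes unsaved_vulnerability_ids: it iterates
        # the value, so a bare string yields one "id" per character.
        return list(self.unsaved_vulnerability_ids or [])

    def primary_vulnerability_id(self):
        ids = self.vulnerability_ids()
        return ids[0] if ids else None

    def additional_vulnerability_ids(self):
        return self.vulnerability_ids()[1:]


def parse_findings(data, fixed=True):
    """Parse the constructed v4.8 document; fixed=False reproduces the reviewed behaviour."""
    findings = []
    for hit in data.get("hits", {}).get("hits", []):
        item = hit.get("_source", {})
        vuln = item.get("vulnerability", {})
        package = item.get("package", {})
        cve = vuln.get("id")
        package_name = package.get("name")
        package_version = package.get("version")
        agent_id = item.get("agent", {}).get("id")  # assumed location, see above
        # title syntax quoted in the review: CVE Affects package_name ( package_version ) on agent_id
        title = f"{cve} Affects {package_name} ( {package_version} ) on {agent_id}"
        find = MockFinding(title=title, description=vuln.get("description", ""))
        if fixed:
            # test the CVE itself and hand over a one-element list
            if cve:
                find.unsaved_vulnerability_ids = [cve]
        else:
            # as in the reviewed v4_7 code: `id` is the builtin function, so the guard
            # is always true, and the bare string is later split into single characters
            if id:
                find.unsaved_vulnerability_ids = cve
        findings.append(find)
    return findings


if __name__ == "__main__":
    for label, flag in (("reviewed", False), ("fixed", True)):
        first = parse_findings(SAMPLE_V4_8, fixed=flag)[0]
        print(label, first.primary_vulnerability_id(), first.additional_vulnerability_ids())
```

With `fixed=False` the first record yields the primary id "C" and thirteen single-character "additional" ids, which is exactly the symptom in the screenshot; the record without an id still gets `unsaved_vulnerability_ids` overwritten with `None` because the builtin `id` is truthy. With `fixed=True` the full CVE string is the only id and the id-less record is left untouched.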

cve + " (agent_id: " + agent_id + ")"
)

dupe_key = title + agent_id + description

I got some warnings on dedupes

uwsgi-1             | [07/Jul/2025 12:47:34] WARNING [dojo.specific-loggers.deduplication:2203] test_type name Wazuh and scan_type Wazuh not found in HASHCODE_FIELDS_PER_SCANNER
uwsgi-1             | [07/Jul/2025 12:47:34] WARNING [dojo.specific-loggers.deduplication:2203] test_type name Wazuh and scan_type Wazuh not found in HASHCODE_FIELDS_PER_SCANNER
uwsgi-1             | [07/Jul/2025 12:47:34] WARNING [dojo.specific-loggers.deduplication:2203] test_type name Wazuh and scan_type Wazuh not found in HASHCODE_FIELDS_PER_SCANNER
uwsgi-1             | [07/Jul/2025 12:47:34] WARNING [dojo.specific-loggers.deduplication:2203] test_type name Wazuh and scan_type Wazuh not found in HASHCODE_FIELDS_PER_SCANNER
uwsgi-1             | [07/Jul/2025 12:47:34] WARNING [dojo.specific-loggers.deduplication:2203] test_type name Wazuh and scan_type Wazuh not found in HASHCODE_FIELDS_PER_SCANNER
uwsgi-1             | [07/Jul/2025 12:47:34] WARNING [dojo.specific-loggers.deduplication:2203] test_type name Wazuh and scan_type Wazuh not found in HASHCODE_FIELDS_PER_SCANNER


This means that the default dedupe fields are being used here.
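To make the consequence of that warning concrete, here is an added example (not DefectDojo code, and not part of the PR) that models the lookup behind the log line and the hash-code deduplication it feeds. The `HASHCODE_FIELDS_PER_SCANNER` dict is constructed, with "Wazuh" deliberately absent; the fallback field list is what I understand DefectDojo's default to be and should be checked against your settings; `WAZUH_FIELDS` is one possible per-scanner entry, chosen because the parser's `unique_id_from_tool` is a sha256 over a key that includes the agent name. The two constructed findings are the same CVE on two agents.

```python
import hashlib
import logging

logger = logging.getLogger("dojo.specific-loggers.deduplication")

# Assumed fallback list (DefectDojo's default hash-code fields as I understand
# them); verify against your own settings before relying on it.
DEFAULT_HASHCODE_FIELDS = ["title", "cwe", "line", "file_path", "description"]

# Constructed settings dict in the shape of HASHCODE_FIELDS_PER_SCANNER. "Wazuh"
# is intentionally missing so the lookup reproduces the warning from the review.
HASHCODE_FIELDS_PER_SCANNER = {
    "Some Other Scanner": ["title", "cwe"],
}

# Constructed per-scanner entry one could add for Wazuh: unique_id_from_tool is
# the parser's sha256 dupe key, which includes the agent name when present.
WAZUH_FIELDS = ["title", "unique_id_from_tool"]


def hashcode_fields_for(scan_type, per_scanner=HASHCODE_FIELDS_PER_SCANNER):
    """Return the configured field list, or log the warning and fall back to the default."""
    fields = per_scanner.get(scan_type)
    if fields is None:
        logger.warning(
            "test_type name %s and scan_type %s not found in HASHCODE_FIELDS_PER_SCANNER",
            scan_type, scan_type,
        )
        return DEFAULT_HASHCODE_FIELDS
    return fields


def compute_hash_code(finding, fields):
    """Model of hash-code dedupe: sha256 over the selected fields, joined in order."""
    material = "|".join(str(finding.get(name) or "") for name in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def is_duplicate(finding_a, finding_b, scan_type, per_scanner=HASHCODE_FIELDS_PER_SCANNER):
    """Two findings collide when their hash codes over the effective fields are equal."""
    fields = hashcode_fields_for(scan_type, per_scanner)
    return compute_hash_code(finding_a, fields) == compute_hash_code(finding_b, fields)


def wazuh_finding(agent_name):
    """Constructed finding: same CVE and package, reported by a given agent.

    The title and dupe_key follow the shape used by the v4_7 parser quoted above.
    """
    title = "CVE-2020-35527 (version: 3.31.1-4)"
    dupe_key = title + "CVE-2020-35527" + agent_name + "libsqlite3-0" + "3.31.1-4"
    return {
        "title": title,
        "description": "constructed condition text",
        "cwe": 0,
        "line": None,
        "file_path": None,
        "unique_id_from_tool": hashlib.sha256(dupe_key.encode("utf-8")).hexdigest(),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    a, b = wazuh_finding("web-01"), wazuh_finding("web-02")
    print("default fields collide:", is_duplicate(a, b, "Wazuh"))
    print("per-scanner fields collide:", is_duplicate(a, b, "Wazuh", {"Wazuh": WAZUH_FIELDS}))
```

Run as a script it logs the same warning text seen in the uwsgi output, then shows the practical effect: with the default fields the two findings share title and description, so one host's finding would be treated as a duplicate of the other's, while a per-scanner entry that includes `unique_id_from_tool` keeps them apart.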

@Maffooch
Contributor

Maffooch commented Jul 9, 2025

@manuel-sommer nice job maintaining backward compatibility with older versions here!

@9alexx3 it seems like you're on the ball with reviewing this one. Once everything looks good from your perspective, please approve it, and I'll follow your lead 😄
