jiramot
diff --git a/‎docker/entrypoint-unit-tests-devDocker.sh‎
Lines changed: 1 addition & 1 deletion b/‎docker/entrypoint-unit-tests-devDocker.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dojo/models.py‎
Lines changed: 42 additions & 5 deletions b/‎dojo/models.py‎
Lines changed: 42 additions & 5 deletions
diff --git a/‎dojo/settings/settings.dist.py‎
Lines changed: 19 additions & 18 deletions b/‎dojo/settings/settings.dist.py‎
Lines changed: 19 additions & 18 deletions
diff --git a/‎dojo/tools/aqua/parser.py‎
Lines changed: 12 additions & 7 deletions b/‎dojo/tools/aqua/parser.py‎
Lines changed: 12 additions & 7 deletions
diff --git a/‎dojo/tools/cargo_audit/parser.py‎
Lines changed: 5 additions & 6 deletions b/‎dojo/tools/cargo_audit/parser.py‎
Lines changed: 5 additions & 6 deletions
diff --git a/‎dojo/tools/checkmarx_osa/parser.py‎
Lines changed: 4 additions & 3 deletions b/‎dojo/tools/checkmarx_osa/parser.py‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎dojo/tools/clair/parser.py‎
Lines changed: 3 additions & 1 deletion b/‎dojo/tools/clair/parser.py‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎dojo/tools/dependency_check/parser.py‎
Lines changed: 10 additions & 6 deletions b/‎dojo/tools/dependency_check/parser.py‎
Lines changed: 10 additions & 6 deletions
@@ -10,7 +10,7 @@ cd /app
 # Unset the database URL so that we can force the DD_TEST_DATABASE_NAME (see django "DATABASES" configuration in settings.dist.py)
 unset DD_DATABASE_URL
 
-# Unset the celery broker URL so that we can force the other DD_CELERY_BROKER settings
+# Unset the celery broker URL so that we can force the other DD_CELERY_BROKER settings
 unset DD_CELERY_BROKER_URL
 
 python3 manage.py makemigrations dojo
 
@@ -2151,15 +2151,20 @@ def compute_hash_code(self):
 
         fields_to_hash = ''
         for hashcodeField in hash_code_fields:
-            if(hashcodeField != 'endpoints'):
-                # Generically use the finding attribute having the same name, converts to str in case it's integer
-                fields_to_hash = fields_to_hash + str(getattr(self, hashcodeField))
-                deduplicationLogger.debug(hashcodeField + ' : ' + str(getattr(self, hashcodeField)))
-            else:
+            if hashcodeField == 'endpoints':
                 # For endpoints, need to compute the field
                 myEndpoints = self.get_endpoints()
                 fields_to_hash = fields_to_hash + myEndpoints
                 deduplicationLogger.debug(hashcodeField + ' : ' + myEndpoints)
+            elif hashcodeField == 'vulnerability_ids':
+                # For vulnerability_ids, need to compute the field
+                my_vulnerability_ids = self.get_vulnerability_ids()
+                fields_to_hash = fields_to_hash + my_vulnerability_ids
+                deduplicationLogger.debug(hashcodeField + ' : ' + my_vulnerability_ids)
+            else:
+                # Generically use the finding attribute having the same name, converts to str in case it's integer
+                fields_to_hash = fields_to_hash + str(getattr(self, hashcodeField))
+                deduplicationLogger.debug(hashcodeField + ' : ' + str(getattr(self, hashcodeField)))
         deduplicationLogger.debug("compute_hash_code - fields_to_hash = " + fields_to_hash)
         return self.hash_fields(fields_to_hash)
 
@@ -2168,6 +2173,35 @@ def compute_hash_code_legacy(self):
         deduplicationLogger.debug("compute_hash_code_legacy - fields_to_hash = " + fields_to_hash)
         return self.hash_fields(fields_to_hash)
 
+    # Get vulnerability_ids to use for hash_code computation
+    def get_vulnerability_ids(self):
+        vulnerability_id_str = ''
+        if self.id is None:
+            if self.unsaved_vulnerability_ids:
+                deduplicationLogger.debug("get_vulnerability_ids before the finding was saved")
+                # convert list of unsaved vulnerability_ids to the list of their canonical representation
+                vulnerability_id_str_list = list(
+                    map(
+                        lambda vulnerability_id: str(vulnerability_id),
+                        self.unsaved_vulnerability_ids
+                    ))
+                # deduplicate (usually done upon saving finding) and sort endpoints
+                vulnerability_id_str = ''.join(sorted(list(dict.fromkeys(vulnerability_id_str_list))))
+            else:
+                deduplicationLogger.debug("finding has no unsaved vulnerability references")
+        else:
+            vulnerability_ids = Vulnerability_Id.objects.filter(finding=self)
+            deduplicationLogger.debug("get_vulnerability_ids after the finding was saved. Vulnerability references count: " + str(vulnerability_ids.count()))
+            # convert list of vulnerability_ids to the list of their canonical representation
+            vulnerability_id_str_list = list(
+                map(
+                    lambda vulnerability_id: str(vulnerability_id),
+                    vulnerability_ids.all()
+                ))
+            # sort vulnerability_ids strings
+            vulnerability_id_str = ''.join(sorted(vulnerability_id_str_list))
+        return vulnerability_id_str
+
     # Get endpoints to use for hash_code computation
     # (This sometimes reports "None")
     def get_endpoints(self):
@@ -2636,6 +2670,9 @@ class Vulnerability_Id(models.Model):
     finding = models.ForeignKey(Finding, editable=False, on_delete=models.CASCADE)
     vulnerability_id = models.TextField(max_length=50, blank=False, null=False)
 
+    def __str__(self):
+        return self.vulnerability_id
+
 
 class Stub_Finding(models.Model):
     title = models.TextField(max_length=1000, blank=False, null=False)
 
@@ -1053,43 +1053,43 @@ def saml2_attrib_map_format(dict):
     # Including the severity in the hash_code keeps those findings not duplicate
     'Anchore Engine Scan': ['title', 'severity', 'component_name', 'component_version', 'file_path'],
     'Anchore Grype': ['title', 'severity', 'component_name', 'component_version'],
-    'Aqua Scan': ['severity', 'cve', 'component_name', 'component_version'],
+    'Aqua Scan': ['severity', 'vulnerability_ids', 'component_name', 'component_version'],
     'Bandit Scan': ['file_path', 'line', 'vuln_id_from_tool'],
-    'CargoAudit Scan': ['cve', 'severity', 'component_name', 'component_version', 'vuln_id_from_tool'],
+    'CargoAudit Scan': ['vulnerability_ids', 'severity', 'component_name', 'component_version', 'vuln_id_from_tool'],
     'Checkmarx Scan': ['cwe', 'severity', 'file_path'],
-    'Checkmarx OSA': ['cve', 'component_name'],
+    'Checkmarx OSA': ['vulnerability_ids', 'component_name'],
     'Cloudsploit Scan': ['title', 'description'],
     'SonarQube Scan': ['cwe', 'severity', 'file_path'],
     'SonarQube API Import': ['title', 'file_path', 'line'],
-    'Dependency Check Scan': ['cve', 'cwe', 'file_path'],
+    'Dependency Check Scan': ['vulnerability_ids', 'cwe', 'file_path'],
     'Dockle Scan': ['title', 'description', 'vuln_id_from_tool'],
-    'Dependency Track Finding Packaging Format (FPF) Export': ['component_name', 'component_version', 'cwe', 'cve'],
+    'Dependency Track Finding Packaging Format (FPF) Export': ['component_name', 'component_version', 'cwe', 'vulnerability_ids'],
     'Mobsfscan Scan': ['title', 'severity', 'cwe'],
-    'Nessus Scan': ['title', 'severity', 'cve', 'cwe'],
-    'Nexpose Scan': ['title', 'severity', 'cve', 'cwe'],
+    'Nessus Scan': ['title', 'severity', 'vulnerability_ids', 'cwe'],
+    'Nexpose Scan': ['title', 'severity', 'vulnerability_ids', 'cwe'],
     # possible improvement: in the scanner put the library name into file_path, then dedup on cwe + file_path + severity
-    'NPM Audit Scan': ['title', 'severity', 'file_path', 'cve', 'cwe'],
+    'NPM Audit Scan': ['title', 'severity', 'file_path', 'vulnerability_ids', 'cwe'],
     # possible improvement: in the scanner put the library name into file_path, then dedup on cwe + file_path + severity
-    'Yarn Audit Scan': ['title', 'severity', 'file_path', 'cve', 'cwe'],
-    # possible improvement: in the scanner put the library name into file_path, then dedup on cve + file_path + severity
+    'Yarn Audit Scan': ['title', 'severity', 'file_path', 'vulnerability_ids', 'cwe'],
+    # possible improvement: in the scanner put the library name into file_path, then dedup on vulnerability_ids + file_path + severity
     'Whitesource Scan': ['title', 'severity', 'description'],
     'ZAP Scan': ['title', 'cwe', 'severity'],
     'Qualys Scan': ['title', 'severity'],
     # 'Qualys Webapp Scan': ['title', 'unique_id_from_tool'],
-    'PHP Symfony Security Check': ['title', 'cve'],
-    'Clair Scan': ['title', 'cve', 'description', 'severity'],
+    'PHP Symfony Security Check': ['title', 'vulnerability_ids'],
+    'Clair Scan': ['title', 'vulnerability_ids', 'description', 'severity'],
     'Clair Klar Scan': ['title', 'description', 'severity'],
     # for backwards compatibility because someone decided to rename this scanner:
-    'Symfony Security Check': ['title', 'cve'],
-    'DSOP Scan': ['cve'],
+    'Symfony Security Check': ['title', 'vulnerability_ids'],
+    'DSOP Scan': ['vulnerability_ids'],
     'Acunetix Scan': ['title', 'description'],
     'Terrascan Scan': ['vuln_id_from_tool', 'title', 'severity', 'file_path', 'line', 'component_name'],
-    'Trivy Scan': ['title', 'severity', 'cve', 'cwe'],
+    'Trivy Scan': ['title', 'severity', 'vulnerability_ids', 'cwe'],
     'TFSec Scan': ['severity', 'vuln_id_from_tool', 'file_path', 'line'],
     'Snyk Scan': ['vuln_id_from_tool', 'file_path', 'component_name', 'component_version'],
-    'GitLab Dependency Scanning Report': ['title', 'cve', 'file_path', 'component_name', 'component_version'],
+    'GitLab Dependency Scanning Report': ['title', 'vulnerability_ids', 'file_path', 'component_name', 'component_version'],
     'SpotBugs Scan': ['cwe', 'severity', 'file_path', 'line'],
-    'JFrog Xray Unified Scan': ['cve', 'file_path', 'component_name', 'component_version'],
+    'JFrog Xray Unified Scan': ['vulnerability_ids', 'file_path', 'component_name', 'component_version'],
     'Scout Suite Scan': ['file_path', 'vuln_id_from_tool'],  # for now we use file_path as there is no attribute for "service"
     'AWS Security Hub Scan': ['unique_id_from_tool'],
     'Meterian Scan': ['cwe', 'component_name', 'component_version', 'description', 'severity'],
@@ -1145,7 +1145,7 @@ def saml2_attrib_map_format(dict):
 # List of fields that are known to be usable in hash_code computation)
 # 'endpoints' is a pseudo field that uses the endpoints (for dynamic scanners)
 # 'unique_id_from_tool' is often not needed here as it can be used directly in the dedupe algorithm, but it's also possible to use it for hashing
-HASHCODE_ALLOWED_FIELDS = ['title', 'cwe', 'cve', 'line', 'file_path', 'component_name', 'component_version', 'description', 'endpoints', 'unique_id_from_tool', 'severity', 'vuln_id_from_tool']
+HASHCODE_ALLOWED_FIELDS = ['title', 'cwe', 'vulnerability_ids', 'line', 'file_path', 'component_name', 'component_version', 'description', 'endpoints', 'unique_id_from_tool', 'severity', 'vuln_id_from_tool']
 
 # Adding fields to the hash_code calculation regardless of the previous settings
 HASH_CODE_FIELDS_ALWAYS = ['service']
@@ -1442,4 +1442,5 @@ def saml2_attrib_map_format(dict):
     'OSV': 'https://osv.dev/vulnerability/',
     'PYSEC': 'https://osv.dev/vulnerability/',
     'SNYK': 'https://snyk.io/vuln/',
+    'RUSTSEC': 'https://rustsec.org/advisories/',
 }
@@ -42,7 +42,7 @@ def get_items(self, tree, test):
 def get_item(resource, vuln, test):
     resource_name = resource.get('name', resource.get('path'))
     resource_version = resource.get('version', 'No version')
-    cve = vuln.get('name', 'No CVE')
+    vulnerability_id = vuln.get('name', 'No CVE')
     fix_version = vuln.get('fix_version', 'None')
     description = vuln.get('description', 'No description.')
     cvssv3 = None
@@ -84,24 +84,27 @@ def get_item(resource, vuln, test):
         severity = severity_of(score)
         severity_justification += "\n{}".format(used_for_classification)
 
-    return Finding(
-        title=cve + " - " + resource_name + " (" + resource_version + ") ",
+    finding = Finding(
+        title=vulnerability_id + " - " + resource_name + " (" + resource_version + ") ",
         test=test,
         severity=severity,
         severity_justification=severity_justification,
         cwe=0,
-        cve=cve,
         cvssv3=cvssv3,
         description=description.strip(),
         mitigation=fix_version,
         references=url,
         component_name=resource.get('name'),
         component_version=resource.get('version'),
         impact=severity)
+    if vulnerability_id != 'No CVE':
+        finding.unsaved_vulnerability_ids = [vulnerability_id]
+
+    return finding
 
 
 def get_item_v2(item, test):
-    cve = item['name']
+    vulnerability_id = item['name']
     file_path = item['file']
     url = item.get('url')
     severity = severity_of(float(item['score']))
@@ -115,15 +118,17 @@ def get_item_v2(item, test):
     else:
         mitigation = 'No known mitigation'
 
-    return Finding(title=str(cve) + ': ' + str(file_path),
+    finding = Finding(title=str(vulnerability_id) + ': ' + str(file_path),
                    description=description,
                    url=url,
                    cwe=0,
-                   cve=cve,
                    test=test,
                    severity=severity,
                    impact=severity,
                    mitigation=mitigation)
+    finding.unsaved_vulnerability_ids = [vulnerability_id]
+
+    return finding
 
 
 def aqua_severity_of(score):
 
@@ -24,6 +24,7 @@ def get_findings(self, filename, test):
             for item in data.get('vulnerabilities').get('list'):
                 advisory = item.get('advisory')
                 vuln_id = advisory.get('id')
+                vulnerability_ids = [advisory.get('id')]
                 if "categories" in advisory:
                     categories = f"**Categories:** {', '.join(advisory['categories'])}"
                 else:
@@ -38,10 +39,8 @@ def get_findings(self, filename, test):
                 references = f"{advisory.get('url')}\n" + '\n'.join(advisory['references'])
                 date = advisory.get('date')
 
-                if len(advisory.get('aliases')) != 0:
-                    cve = advisory.get('aliases')[0]
-                else:
-                    cve = None
+                for alias in advisory.get('aliases', []):
+                    vulnerability_ids.append(alias)
 
                 package_name = item.get('package').get('name')
                 package_version = item.get('package').get('version')
@@ -56,7 +55,7 @@ def get_findings(self, filename, test):
                 except KeyError:
                     mitigation = "No information about patched version"
                 dupe_key = hashlib.sha256(
-                    (vuln_id + str(cve) + date + package_name + package_version).encode('utf-8')
+                    (vuln_id + date + package_name + package_version).encode('utf-8')
                 ).hexdigest()
 
                 if dupe_key in dupes:
@@ -67,7 +66,6 @@ def get_findings(self, filename, test):
                         title=title,
                         test=test,
                         severity=severity,
-                        cve=cve,
                         tags=tags,
                         description=description,
                         component_name=package_name,
@@ -78,5 +76,6 @@ def get_findings(self, filename, test):
                         references=references,
                         mitigation=mitigation
                     )
+                    finding.unsaved_vulnerability_ids = vulnerability_ids
                     dupes[dupe_key] = finding
         return list(dupes.values())
@@ -38,17 +38,16 @@ def get_findings(self, filehandle, test):
 
             # Possible status as per checkmarx 9.2: TO_VERIFY, NOT_EXPLOITABLE, CONFIRMED, URGENT, PROPOSED_NOT_EXPLOITABLE
             status = item['state']['name']
-            cve = item.get('cveName', 'NC')
+            vulnerability_id = item.get('cveName', 'NC')
             finding_item = Finding(
-                title='{0} {1} | {2}'.format(library['name'], library['version'], cve),
+                title='{0} {1} | {2}'.format(library['name'], library['version'], vulnerability_id),
                 severity=item['severity']['name'],
                 description=item.get('description', 'NC'),
                 unique_id_from_tool=item.get('id', None),
                 references=item.get('url', None),
                 mitigation=item.get('recommendations', None),
                 component_name=library['name'],
                 component_version=library['version'],
-                cve=cve,
                 # 1035 is "Using Components with Known Vulnerabilities"
                 # Possible improvment: get the CWE from the CVE using some database?
                 # nvd.nist.gov has the info; see for eg https://nvd.nist.gov/vuln/detail/CVE-2020-25649 "Weakness Enumeration"
@@ -63,6 +62,8 @@ def get_findings(self, filehandle, test):
                 verified=status != 'TO_VERIFY' and status != 'NOT_EXPLOITABLE' and status != 'PROPOSED_NOT_EXPLOITABLE',
                 test=test
             )
+            if vulnerability_id != 'NC':
+                finding_item.unsaved_vulnerability_ids = [vulnerability_id]
             items.append(finding_item)
         return items
 
 
@@ -56,7 +56,6 @@ def get_item(item_node, test):
                       references=item_node['link'],
                       component_name=item_node['featurename'],
                       component_version=item_node['featureversion'],
-                      cve=item_node['vulnerability'],
                       false_p=False,
                       duplicate=False,
                       out_of_scope=False,
@@ -65,4 +64,7 @@ def get_item(item_node, test):
                       dynamic_finding=False,
                       impact="No impact provided")
 
+    if item_node['vulnerability']:
+        finding.unsaved_vulnerability_ids = [item_node['vulnerability']]
+
     return finding
@@ -23,7 +23,7 @@ class DependencyCheckParser(object):
 
     def add_finding(self, finding, dupes):
         key_str = '|'.join([
-            str(finding.cve),
+            str(finding.title),
             str(finding.cwe),
             str(finding.file_path).lower()
         ])
@@ -137,11 +137,11 @@ def get_finding_from_vulnerability(self, dependency, related_dependency, vulnera
         # I need the notes field since this is how the suppression is documented.
         notes = vulnerability.findtext(f'.//{namespace}notes')
 
-        cve = name[:28]
-        if cve and not cve.startswith('CVE'):
+        vulnerability_id = name[:28]
+        if vulnerability_id and not vulnerability_id.startswith('CVE'):
             # for vulnerability sources which have a CVE, it is the start of the 'name'.
             # for other sources, we have to set it to None
-            cve = None
+            vulnerability_id = None
 
         # Use CWE-1035 as fallback
         cwe = 1035  # Vulnerable Third Party Component
@@ -219,12 +219,11 @@ def get_finding_from_vulnerability(self, dependency, related_dependency, vulnera
             description += '\n**Filepath:** ' + str(dependency_filepath)
             active = True
 
-        return Finding(
+        finding = Finding(
             title=f'{component_name}:{component_version} | {name}',
             file_path=dependency_filename,
             test=test,
             cwe=cwe,
-            cve=cve,
             description=description,
             severity=severity,
             mitigation=mitigation,
@@ -237,6 +236,11 @@ def get_finding_from_vulnerability(self, dependency, related_dependency, vulnera
             component_version=component_version,
         )
 
+        if vulnerability_id:
+            finding.unsaved_vulnerability_ids = [vulnerability_id]
+
+        return finding
+
     def get_scan_types(self):
         return ["Dependency Check Scan"]