Error importing Checkmarx results. Ignored active and verified state #4598

Open

ssiriz opened this issue Jun 2, 2021 · 5 comments

Comments

@ssiriz ssiriz commented Jun 2, 2021

Information
DefectDojo tag v1.15
API endpoint import-scan
When you try to import the result file from Checkmarx using the API or the Web UI and change the active state to True and the verified state to True, the findings are always set as inactive.

Bug description
Problem importing the Checkmarx file report using the "checkmarx scan" and "checkmarx scan detailed" importer.
The problem is reproduced using the API endpoint (import-scan) and the Web UI. Findings state is always "Inactive" when the import process completes successfully with the Active and Verified flags set to True. It seems that these flags are ignored:

curl -X POST "https://defect-dojo.dmain/api/v2/import-scan/" -H "accept: application/json" -H "Content-Type: multipart/form-data" -H "X-CSRFToken: token" -F "scan_date=2021-06-02" -F "minimum_severity=Info" -F "active=true" -F "verified=true" -F "scan_type=Checkmarx Scan" -F "file=@ssdlc-testing.xml;type=text/xml" -F "engagement=51" -F "close_old_findings=false" -F "push_to_jira=false"


Expected behavior
Finding state must change if you set the active or verify flag status to False or True.

@ssiriz ssiriz added the bug label Jun 2, 2021
@ssiriz ssiriz (Author) commented Jun 2, 2021

the file uploaded is attached
ssdlc-testing.xml.zip

@ssiriz ssiriz (Author) commented Jul 5, 2021

Hello @devGregA , I will try to investigate how to solve the bug because it is critical for me to solve it... Do you have any recommendation for locating the part of the code that imports Checkmarx results?

thank you,

@valentijnscholten valentijnscholten (Member) commented Jul 5, 2021

For some reason these values are hardcoded to be false, I don't know why: https://github.com/valentijnscholten/django-DefectDojo/blob/3957c7d7f4f32dfa2339494e406ac24675864a13/dojo/tools/checkmarx/parser.py#L122. Looks like very old code; I think it should be removed to let the fields go to their default value, which will also allow the settings chosen in the API request or UI to propagate.

@ssiriz ssiriz (Author) commented Jul 6, 2021

Thanks for your answer @valentijnscholten , I have removed the parameters active and verified with the value False hardcoded and it solves the problem for the Checkmarx and Checkmarx Detailed parsers.

If it is possible I am going to open a Pull Request with these changes. :)
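The two comments above (the hardcoded flags in the parser, and the fix of removing them) describe a precedence problem: a value a parser pins on every finding wins over whatever the import request asked for. The following is an added example, not DefectDojo's own code and not its models or importer. The Finding class, the simplified Query/Result XML sample and the rule that the importer only fills in fields the parser left unset are all constructed assumptions chosen to model the behaviour reported in this issue; the real Checkmarx schema and DefectDojo's importer are more involved.

```python
"""Added example (not DefectDojo's code): why hardcoding active/verified in a
parser silently discards the active/verified flags of the import request.

Everything here is a simplified construction: the Finding class, the sample
XML and the importer's precedence rule are assumptions for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed, simplified report in the spirit of a Checkmarx XML export.
# It is NOT the real Checkmarx schema, only enough structure to parse.
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<CxXMLResults>
  <Query name="SQL_Injection" Severity="High">
    <Result NodeId="1" FileName="app/db.py" Line="42" Status="New"/>
  </Query>
  <Query name="Hardcoded_Password" Severity="Medium">
    <Result NodeId="2" FileName="app/settings.py" Line="7" Status="Recurrent"/>
  </Query>
</CxXMLResults>
"""


@dataclass
class Finding:
    """Minimal stand-in for a finding record (assumed shape, not DefectDojo's)."""
    title: str
    severity: str
    file_path: str
    line: int
    # None means "the parser expressed no opinion"; the importer decides.
    active: Optional[bool] = None
    verified: Optional[bool] = None


def _results(xml_text: str) -> Iterator[Dict]:
    """Walk Query/Result elements and yield the fields shared by both parsers."""
    root = ET.fromstring(xml_text)
    for query in root.iter("Query"):
        for result in query.iter("Result"):
            yield dict(
                title=query.get("name"),
                severity=query.get("Severity"),
                file_path=result.get("FileName"),
                line=int(result.get("Line")),
            )


def parse_hardcoded(xml_text: str) -> List[Finding]:
    """'Before' parser: pins active/verified to False on every finding,
    which is the behaviour the issue reports."""
    return [Finding(**r, active=False, verified=False) for r in _results(xml_text)]


def parse_fixed(xml_text: str) -> List[Finding]:
    """'After' parser: leaves active/verified unset (None) so that the
    import-time settings can propagate."""
    return [Finding(**r) for r in _results(xml_text)]


def import_scan(findings: List[Finding], active: bool, verified: bool) -> List[Finding]:
    """Apply the request's flags only where the parser left the field unset.

    This precedence rule is an assumption made to model the reported behaviour:
    a parser that sets the field explicitly overrides the request.
    """
    for f in findings:
        if f.active is None:
            f.active = active
        if f.verified is None:
            f.verified = verified
    return findings


def state_summary(findings: List[Finding]) -> List[Tuple[str, bool, bool]]:
    """Compact (title, active, verified) view used for comparison."""
    return [(f.title, f.active, f.verified) for f in findings]


def demo() -> Tuple[List[Tuple[str, bool, bool]], List[Tuple[str, bool, bool]]]:
    """Import the same report with active=True, verified=True through both parsers."""
    before = import_scan(parse_hardcoded(SAMPLE_REPORT), active=True, verified=True)
    after = import_scan(parse_fixed(SAMPLE_REPORT), active=True, verified=True)
    return state_summary(before), state_summary(after)


if __name__ == "__main__":
    before, after = demo()
    print("hardcoded parser:", before)  # every finding inactive/unverified
    print("fixed parser:    ", after)   # request flags honoured
```

The regression check worth keeping around is the `demo()` comparison: any parser that still assigns `active` or `verified` itself will show up as the first list disagreeing with the flags passed to `import_scan`, regardless of what the API request or UI form contained.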

@valentijnscholten valentijnscholten (Member) commented Jul 6, 2021

yes please :-)

XiChen-Tibco pushed a commit to XiChen-Tibco/django-DefectDojo that referenced this issue Jul 13, 2021
ssiriz added a commit to ssiriz/django-DefectDojo that referenced this issue Jul 14, 2021