Skip to content

🎉 Add fix_available to KrakenDAudit #13055

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 2, 2025
Merged

🎉 Add fix_available to KrakenDAudit #13055

merged 2 commits into from
Sep 2, 2025

Conversation

manuel-sommer
Copy link
Contributor

#12633 (comment)

I removed also the mitigation from dedeuplication as this was only there to close the old finding in case the mitigation becomes available.

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR parser labels Aug 26, 2025
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Aug 26, 2025
edited
Loading

DryRun Security

This pull request contains a potential misinformation issue in the KrakenD audit report parser, where the code incorrectly hardcodes fix_available=True for all findings, which could mislead users about the actual remediation status of vulnerabilities.

Incorrect State Reporting / Misinformation in dojo/tools/krakend_audit/parser.py
Vulnerability Incorrect State Reporting / Misinformation
Description The code hardcodes fix_available=True for all findings parsed from KrakenD audit reports. This is problematic because it assumes a fix is always available, which is unlikely to be true for all security findings. This can mislead users about the true remediation status of vulnerabilities, potentially causing them to misprioritize remediation efforts or giving a false sense of security.

django-DefectDojo/dojo/tools/krakend_audit/parser.py

Lines 29 to 35 in 3cb19c7

mitigation=message,
static_finding=True,
dynamic_finding=False,
fix_available=True,
)
findings.append(finding)
return findings

All finding details can be found in the DryRun Security Dashboard.

@manuel-sommer manuel-sommer mentioned this pull request Aug 26, 2025
Open
Maffooch
Maffooch requested changes Aug 26, 2025
View reviewed changes
@github-actions github-actions bot removed the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Aug 26, 2025
@manuel-sommer manuel-sommer requested a review from Maffooch August 26, 2025 22:28
@valentijnscholten valentijnscholten added this to the 2.50.0 milestone Aug 27, 2025
mtesauro
mtesauro approved these changes Sep 2, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@valentijnscholten valentijnscholten modified the milestones: 2.50.0, 2.50.1 Sep 2, 2025
@valentijnscholten valentijnscholten merged commit 2a252ca into DefectDojo:bugfix Sep 2, 2025
86 checks passed
@manuel-sommer manuel-sommer deleted the krakend_fix_available branch September 2, 2025 17:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Maffooch Maffooch Maffooch approved these changes

@Jino-T Jino-T Jino-T approved these changes

Assignees
No one assigned
Labels
parser
Projects
None yet
Milestone
2.50.1
Development

Successfully merging this pull request may close these issues.
5 participants
@manuel-sommer @mtesauro @valentijnscholten @Maffooch @Jino-T