🎉 add Dawnscanner fix_available field. (#13660)

manuel-sommer · web-flow · commit 3396e7b2a55c · 2025-11-12T17:31:01.000+01:00
* 🎉 Advance Dawnscanner with fix_available

* update
diff --git a/dojo/tools/dawnscanner/parser.py b/dojo/tools/dawnscanner/parser.py
@@ -30,7 +30,6 @@ def get_findings(self, filename, test):
                 if item["message"][0:2] != "b,"
                 else item["message"][0:-1]
             )
-
             finding = Finding(
                 title=item["name"],
                 test=test,
@@ -42,6 +41,10 @@ def get_findings(self, filename, test):
                 static_finding=True,
                 dynamic_finding=False,
             )
+            if item.get("remediation"):
+                finding.fix_available = True
+            else:
+                finding.fix_available = False
 
             if self.CVE_REGEX.match(item["name"]):
                 finding.unsaved_vulnerability_ids = [
diff --git a/unittests/scans/dawnscanner/dawnscanner_v1.6.9.json b/unittests/scans/dawnscanner/dawnscanner_v1.6.9.json
@@ -31,7 +31,7 @@
         "severity": "info",
         "cvss_score": "    ",
         "message": "Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request.",
-        "remediation": "Make sure you are using Rails protect_from_forgery facilities in application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb"
+        "remediation": ""
     }, {
         "name": "Owasp Ror CheatSheet: Security Related Headers",
         "cve_link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=Owasp Ror CheatSheet: Security Related Headers",
diff --git a/unittests/tools/test_dawnscanner_parser.py b/unittests/tools/test_dawnscanner_parser.py
@@ -13,38 +13,24 @@ def test_burp_with_one_vuln_has_one_finding(self):
             for finding in findings:
                 for endpoint in finding.unsaved_endpoints:
                     endpoint.clean()
-
             self.assertEqual(4, len(findings))
-
             with self.subTest(i=0):
                 finding = findings[0]
                 self.assertEqual("CVE-2016-6316", finding.title)
                 self.assertEqual("Medium", finding.severity)
                 self.assertEqual(1, len(finding.unsaved_vulnerability_ids))
                 self.assertEqual("CVE-2016-6316", finding.unsaved_vulnerability_ids[0])
-                self.assertEqual(
-                    'Text declared as "HTML safe" when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack.',
-                    finding.description,
-                )
-                self.assertEqual(
-                    datetime.datetime(2019, 4, 1, 21, 14, 32, tzinfo=datetime.timezone(datetime.timedelta(seconds=0))),
-                    finding.date,
-                )  # 2019-04-01 21:14:32 +0000
-
+                self.assertEqual(finding.description, 'Text declared as "HTML safe" when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack.')
+                self.assertEqual(datetime.datetime(2019, 4, 1, 21, 14, 32, tzinfo=datetime.timezone(datetime.timedelta(seconds=0))), finding.date)  # 2019-04-01 21:14:32 +0000
+            with self.subTest(i=2):
+                finding = findings[2]
+                self.assertEqual(False, finding.fix_available)
             with self.subTest(i=3):
                 finding = findings[3]
                 self.assertEqual("Owasp Ror CheatSheet: Security Related Headers", finding.title)
                 self.assertEqual("Info", finding.severity)
                 self.assertIsNone(finding.unsaved_vulnerability_ids)
-                self.assertEqual(
-                    'To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the "default_headers" functionality that will automatically apply the values supplied. This works for most headers in almost all cases.',
-                    finding.description,
-                )
-                self.assertEqual(
-                    "Use response headers like X-Frame-Options, X-Content-Type-Options, X-XSS-Protection in your project.",
-                    finding.mitigation,
-                )
-                self.assertEqual(
-                    datetime.datetime(2019, 4, 1, 21, 14, 32, tzinfo=datetime.timezone(datetime.timedelta(seconds=0))),
-                    finding.date,
-                )  # 2019-04-01 21:14:32 +0000
+                self.assertEqual(finding.description, 'To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the "default_headers" functionality that will automatically apply the values supplied. This works for most headers in almost all cases.')
+                self.assertEqual("Use response headers like X-Frame-Options, X-Content-Type-Options, X-XSS-Protection in your project.", finding.mitigation)
+                self.assertEqual(datetime.datetime(2019, 4, 1, 21, 14, 32, tzinfo=datetime.timezone(datetime.timedelta(seconds=0))), finding.date)  # 2019-04-01 21:14:32 +0000
+                self.assertEqual(True, finding.fix_available)
