osgmirantis

Nancy's latest versions work with CVSS 4.0 and "ID" instead of "Id", among others.

⚠️ Pre-Approval check ⚠️

We don't want to waste your time, so if you're unsure whether your hypothetical enhancement meets the criteria for approval, please file an issue to get pre-approval before beginning work on a PR.
Learn more here: https://github.com/DefectDojo/django-DefectDojo/blob/master/readme-docs/CONTRIBUTING.md#submission-pre-approval

Description

Describe the feature / bug fix implemented by this PR.
If this is a new parser, the parser guide may be worth (re)reading.

Test results

Ideally you extend the test suite in tests/ and dojo/unittests to cover the changes in this PR.
Alternatively, describe what you have and haven't tested.

Documentation

Please update any documentation when needed in the documentation folder.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev branch.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

Extra information

Please clear everything below when submitting your pull request, it's here purely for your information.

Moderators: Labels currently accepted for PRs:

  • Import Scans (for new scanners/importers)
  • enhancement
  • performance
  • feature
  • bugfix
  • maintenance (a.k.a chores)
  • dependencies
  • New Migration (when the PR introduces a DB migration)
  • settings_changes (when the PR introduces changes or new settings in settings.dist.py)

Contributors: Git Tips

Rebase on dev branch

If the dev branch has changed since you started working on it, please rebase your work onto the current dev.

On your working branch mybranch:

git rebase dev mybranch

In case of conflict:

 git mergetool
 git rebase --continue

When everything's fine on your local branch, force push to your myOrigin remote:

git push myOrigin --force-with-lease

To cancel everything:

git rebase --abort

Squashing commits

git rebase -i origin/dev
  • Replace pick by fixup on the commits you want squashed out
  • Replace pick by reword on the first commit if you want to change the commit message
  • Save the file and quit your editor

Force push to your myOrigin remote:

git push myOrigin --force-with-lease


DryRun Security

This pull request contains a potential information disclosure vulnerability in the get_findings method of the Nancy parser, where error messages from JSON decoding could reveal sensitive details about the input JSON structure or content, though the risk is considered low and non-blocking.

Information Disclosure in Error Message in dojo/tools/nancy/parser.py

Vulnerability: Information Disclosure in Error Message

Description: The get_findings method constructs an error message for json.JSONDecodeError by directly embedding the string representation of the exception object. This can lead to information disclosure because json.JSONDecodeError messages often include details about the malformed JSON input, such as the problematic snippet and its location (line/column). If the input JSON contains sensitive data or reveals internal application structure, this information could be exposed to an attacker.

import json
import re
from cvss.cvss4 import CVSS4  # Changed from cvss3 to cvss4
from dojo.models import Finding


class NancyParser:
    def get_scan_types(self):
        return ["Nancy Scan"]

    def get_label_for_scan_types(self, scan_type):
        return scan_type  # no custom label for now

    def get_description_for_scan_types(self, scan_type):
        return ("Nancy output file (go list -json -deps ./... | nancy sleuth > "
                " nancy.json) can be imported in JSON format.")

    def requires_file(self, scan_type):
        return True

    def get_findings(self, scan_file, test):
        try:
            data = json.load(scan_file)
        except json.JSONDecodeError as e:
            msg = f"Invalid JSON format: {e}"
            raise ValueError(msg)
        if "vulnerable" in data and data["vulnerable"] is not None:
            return self.get_items(data["vulnerable"], test)
        else:
            # If 'vulnerable' is not present or is null, return empty list
            return []

    def get_items(self, vulnerable_list, test):
        findings = []
        for vuln in vulnerable_list:
            if not vuln.get("Vulnerabilities"):
                continue
            try:
                coordinates = vuln["Coordinates"].split(":")
                comp_info = coordinates[1].split("@")
                comp_name = comp_info[0]
                comp_version = comp_info[1]
            except (IndexError, KeyError):
                # Handle cases where coordinate parsing might fail
                continue
            for associated_vuln in vuln["Vulnerabilities"]:
                # The tool does not define severity, but it provides a CVSS vector,
                # which DefectDojo uses to calculate severity dynamically on save.
                severity = "Info"
                # Aggregate references
                references = [vuln.get("Reference"), associated_vuln.get("Reference")]
                references = "\n".join(filter(None, references))
                finding = Finding(
                    title=associated_vuln.get("Title", "N/A"),
                    description=associated_vuln.get("Description", "No description provided."),
                    test=test,
                    severity=severity,
                    component_name=comp_name,
                    component_version=comp_version,
                    false_p=False,
                    duplicate=False,
                    out_of_scope=False,
                    static_finding=True,
                    dynamic_finding=False,
                    vuln_id_from_tool=associated_vuln.get("ID"),  # Changed from "Id" to "ID"
                    references=references,
                )
                # Set vulnerability IDs (e.g., CVEs)
                if cve := associated_vuln.get("Cve"):
                    finding.unsaved_vulnerability_ids = [cve]
                # Process CVSSv4 vector if available
                if cvss_vector := associated_vuln.get("CvssVector"):
                    try:
                        # Store the cleaned CVSSv4 vector. DefectDojo will process it.
                        finding.cvssv3 = CVSS4(cvss_vector).clean_vector()
                    except Exception:
                        # Fallback or log error if vector is not valid CVSSv4
                        pass  # Or log a warning
                # Extract CWE if present in the title using regex for robustness
                if title := associated_vuln.get("Title", ""):
                    cwe_match = re.search(r"CWE-(\d+)", title, re.IGNORECASE)
                    if cwe_match:
                        try:
                            finding.cwe = int(cwe_match.group(1))
                        except (ValueError, IndexError):
                            pass  # Or log a warning
                findings.append(finding)
        return findings


All finding details can be found in the DryRun Security Dashboard.

@manuel-sommer manuel-sommer left a comment


please always point the PR against bugfix or dev.
Also, please make the parser backwards compatible. I assume that earlier versions of nancy use CVSS v3?

@valentijnscholten

Defect Dojo 2.49.0 will have a CVSS4 field. There's also some guidance on how to parse CVSS vectors in parsers: https://github.com/DefectDojo/django-DefectDojo/blob/dev/docs/content/en/open_source/contributing/how-to-write-a-parser.md
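An added example, not code from the PR or from DefectDojo, that addresses the three points raised above in one place: the JSON error is reported by position only (the raw input in e.doc is never embedded), a vector is routed to cvssv3 or to a cvssv4 field by its "CVSS:3.x/" or "CVSS:4.0/" prefix so reports from older nancy versions still import, and both the old "Id" and the new "ID" keys are accepted. The field name cvssv4, the sample records, and the helper names are assumptions.

```python
import json
import re

# Vector versions DefectDojo can store: CVSS v3.0/3.1 (cvssv3 field) and v4.0 (assumed cvssv4 field).
_CVSS_RE = re.compile(r"^CVSS:(3\.[01]|4\.0)(/[A-Z]{1,3}:[A-Za-z]{1,5})+$")

def load_report(text):
    """json.loads wrapper that reports where parsing failed, not what the input contained."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as e:
        # Only positional fields are used; e.doc (raw input) is left out and "from None" drops the chained exception.
        raise ValueError(f"Invalid JSON format: {e.msg} at line {e.lineno} column {e.colno}") from None

def safe_error(text):
    """Return the sanitized error message for a report string, or None if it parses."""
    try:
        load_report(text)
        return None
    except ValueError as e:
        return str(e)

def cvss_field(vector):
    """Route a vector to the field it belongs in: ("cvssv3", v), ("cvssv4", v) or (None, None)."""
    if not isinstance(vector, str):
        return None, None
    v = vector.strip()
    if not _CVSS_RE.match(v):
        return None, None
    return ("cvssv4" if v.startswith("CVSS:4.0/") else "cvssv3"), v

def vuln_id(entry):
    """Newer nancy writes "ID", older versions "Id"; accept either."""
    return entry.get("ID") or entry.get("Id")

def extract(data):
    """One dict per vulnerability with the version-independent fields a Finding needs."""
    out = []
    for vuln in data.get("vulnerable") or []:
        for av in vuln.get("Vulnerabilities") or []:
            field, vector = cvss_field(av.get("CvssVector"))
            out.append({"id": vuln_id(av), "cvss_field": field, "vector": vector})
    return out

# Constructed sample, not real nancy output: old shape (CVSSv3.1, "Id") beside new shape (CVSSv4.0, "ID").
SAMPLE = json.dumps({"vulnerable": [
    {"Vulnerabilities": [{"Id": "OLD-1", "CvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    {"Vulnerabilities": [{"ID": "NEW-1", "CvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]},
]})
```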

@Maffooch

Marking this one as a draft until existing comments are addressed
