From e4ee60b3e8368257db7e23cd8f65e3a5d94e7bc8 Mon Sep 17 00:00:00 2001
From: Jay Paz
Date: Fri, 9 Feb 2024 09:58:14 -0600
Subject: [PATCH 1/3] Modifying Bugcrowd API Parser to align to vendor documentation on what the not_applicable state means. It is now active == False and severity == 'Info'. [sc-4217]
---
 dojo/tools/api_bugcrowd/parser.py | 32 ++++++++++++++++++---
 unittests/tools/test_api_bugcrowd_parser.py | 5 ++--
 2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/dojo/tools/api_bugcrowd/parser.py b/dojo/tools/api_bugcrowd/parser.py
index d78b2eb5af4..cdf7afefdaa 100644
--- a/dojo/tools/api_bugcrowd/parser.py
+++ b/dojo/tools/api_bugcrowd/parser.py
@@ -138,13 +138,20 @@ def get_findings(self, file, test):
 verified=self.is_verified(bugcrowd_state),
 false_p=self.is_false_p(bugcrowd_state),
 out_of_scope=self.is_out_of_scope(bugcrowd_state),
- risk_accepted=self.is_risk_accepted(bugcrowd_state),
 is_mitigated=self.is_mitigated(bugcrowd_state),
 static_finding=False,
 dynamic_finding=True,
 unique_id_from_tool=unique_id_from_tool,
 references=links,
 )
+
+ if self.is_not_applicable(bugcrowd_state):
+ # From Bugcrowd - Not Applicable: A submission that you reject because it does not apply to your application.
+ # Because of this, setting finding to inactive and to Informational
+ finding.active = False
+ finding.severity = "Info"
+
+
 if bug_endpoint:
 try:
 bug_endpoint.clean()
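Review bot: The `not_applicable` handling is now split across two places: the Finding is presumably still built with `active=self.is_active(bugcrowd_state)` above this hunk, and the second hunk drops `is_risk_accepted` from `is_active` without adding a replacement, so for this state the finding is created active and then flipped on the lines after `references=links,`. Adding `or self.is_not_applicable(bugcrowd_state)` to the disjunction in `is_active` keeps the active/inactive decision in one method and leaves only the severity override here. Overwriting `finding.severity` also discards the severity Bugcrowd reported for the submission; if that value is useful for later review it could be carried in the description instead of being lost (the description assembly is not visible in this hunk, so this is inferred). `get_findings` continues outside the hunk.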
@@ -227,16 +234,33 @@ def is_active(self, bugcrowd_state): self.is_mitigated(bugcrowd_state) or self.is_false_p(bugcrowd_state) or self.is_out_of_scope(bugcrowd_state) - or self.is_risk_accepted(bugcrowd_state) or bugcrowd_state == "not_reproducible" or bugcrowd_state == "informational" ) + # From https://docs.bugcrowd.com/customers/submission-management/submission-status/ + # Status Options + # There are three categories of statuses: open, accepted, and rejected. Within each category are the following statuses: + + # Open + # New: A submission that has not been reviewed or assigned a status. + # Triaged: A submission that has been confirmed valid and unique by the Bugcrowd ASE team and is ready for the customer to accept. + + # Accepted + # Unresolved: A valid submission that needs to be fixed. Typically, you should reward a submission at this point in the process. + # Resolved: A valid submission that has been fixed. + # Informational: A submission that is reproducible but will not be fixed. Use this if the submission is a best practice issue but will not be fixed, a minor priority issue, or if you already have a mitigation. + + # Rejected + # Out of Scope: A submission you reject because it is not in scope with the criteria outlined in the bounty program. + # Not Reproducible: A submission you reject because you cannot reproduce it based on the information you have. + # Not Applicable: A submission that you reject because it does not apply to your application. + def is_duplicate(self, bugcrowd_state): return bugcrowd_state == "duplicate" def is_false_p(self, bugcrowd_state): - return bugcrowd_state == "not-reproducible" + return bugcrowd_state == "not_reproducible" def is_mitigated(self, bugcrowd_state): return bugcrowd_state == "resolved" 
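Review bot: With `is_false_p` now matching `"not_reproducible"`, the `or bugcrowd_state == "not_reproducible"` term in `is_active`'s disjunction duplicates `or self.is_false_p(bugcrowd_state)` and can be dropped, or replaced by `or self.is_not_applicable(bugcrowd_state)` so rejected not-applicable submissions are inactive without the post-construction override in the first hunk. The hyphen-to-underscore change in `is_false_p` is a real behaviour fix — not-reproducible submissions were previously never flagged as false positives — and deserves its own line in the commit message rather than being folded into the not_applicable change. The vendor status text is a free-standing comment between two methods; a class docstring holding the `https://docs.bugcrowd.com/customers/submission-management/submission-status/` reference and a one-line summary per category would be found more easily, and the "Not Applicable" sentence is already repeated in `get_findings`. `is_active` starts outside the hunk.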
@@ -244,7 +268,7 @@ def is_mitigated(self, bugcrowd_state):
 def is_out_of_scope(self, bugcrowd_state):
 return bugcrowd_state == "out_of_scope"
- def is_risk_accepted(self, bugcrowd_state):
+ def is_not_applicable(self, bugcrowd_state):
 return bugcrowd_state == "not_applicable"
 def is_verified(self, bugcrowd_state):
diff --git a/unittests/tools/test_api_bugcrowd_parser.py b/unittests/tools/test_api_bugcrowd_parser.py
index c1182d86997..f692797a19e 100644
--- a/unittests/tools/test_api_bugcrowd_parser.py
+++ b/unittests/tools/test_api_bugcrowd_parser.py
@@ -89,7 +89,7 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
 endpoint.clean()
 self.assertEqual(finding_1.severity, "Info")
 self.assertEqual(finding_2.severity, "Critical")
- self.assertEqual(finding_3.severity, "Medium")
+ self.assertEqual(finding_3.severity, "Info")
 self.assertEqual(finding_1.mitigation, "Do things properly1")
 self.assertEqual(finding_2.mitigation, "Do things properly2")
@@ -102,7 +102,7 @@ def test_parse_file_with_multiple_vuln_has_multiple_finding(self):
 self.assertEqual(finding_1.is_mitigated, True)
 self.assertEqual(finding_2.is_mitigated, False)
 self.assertEqual(finding_3.is_mitigated, False)
- self.assertEqual(finding_3.risk_accepted, True)
+ self.assertEqual(finding_3.risk_accepted, False)
 self.assertEqual( finding_1.unique_id_from_tool, "3b0e6b2a-c21e-493e-bd19-de40f525016e"
@@ -140,6 +140,7 @@ def test_parse_file_with_not_reproducible_finding(self):
 # self.assertEqual(finding.description, description)
 self.assertEqual(finding.mitigation, "Properly do JWT")
 self.assertEqual(finding.active, False)
+ self.assertEqual(finding.false_p, True)
 self.assertEqual( finding.unique_id_from_tool, "a4201d47-62e1-4287-9ff6-30807ae9d36a" )
From 4c12a521e0fd4b85fb4cd1fde55124792ad23389 Mon Sep 17 00:00:00 2001
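Review bot: The multiple-finding test now pins `finding_3.severity == "Info"` and `finding_3.risk_accepted == False` for the not_applicable fixture, but not the other half of the new behaviour, `finding_3.active`; unless it is asserted somewhere outside the `@@ -102,7` hunk, add `self.assertEqual(finding_3.active, False)` next to the `risk_accepted` assertion. Checking that `risk_accepted` is False only proves the old mapping is gone — asserting `finding_3.false_p` and `finding_3.out_of_scope` are also False would pin that the state is not silently re-mapped to another rejection flag. The new `false_p` assertion in `test_parse_file_with_not_reproducible_finding` is the right regression check for the hyphen/underscore fix in `is_false_p`. Both test methods start outside their hunks.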
From: Jay Paz
Date: Fri, 9 Feb 2024 10:07:46 -0600
Subject: [PATCH 2/3] fixing Flake8 errors
---
 dojo/tools/api_bugcrowd/parser.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dojo/tools/api_bugcrowd/parser.py b/dojo/tools/api_bugcrowd/parser.py
index cdf7afefdaa..6a3babef2fa 100644
--- a/dojo/tools/api_bugcrowd/parser.py
+++ b/dojo/tools/api_bugcrowd/parser.py
@@ -151,7 +151,6 @@ def get_findings(self, file, test):
 finding.active = False
 finding.severity = "Info"
-
 if bug_endpoint:
 try:
 bug_endpoint.clean()
@@ -245,12 +244,13 @@ def is_active(self, bugcrowd_state):
 # Open
 # New: A submission that has not been reviewed or assigned a status.
 # Triaged: A submission that has been confirmed valid and unique by the Bugcrowd ASE team and is ready for the customer to accept.
-
+
 # Accepted
 # Unresolved: A valid submission that needs to be fixed. Typically, you should reward a submission at this point in the process.
 # Resolved: A valid submission that has been fixed.
- # Informational: A submission that is reproducible but will not be fixed. Use this if the submission is a best practice issue but will not be fixed, a minor priority issue, or if you already have a mitigation.
-
+ # Informational: A submission that is reproducible but will not be fixed. Use this if the submission is a best practice issue but
+ # will not be fixed, a minor priority issue, or if you already have a mitigation.
+
 # Rejected
 # Out of Scope: A submission you reject because it is not in scope with the criteria outlined in the bounty program.
 # Not Reproducible: A submission you reject because you cannot reproduce it based on the information you have.
From 55624c3f7a81de292eab85d4d408d8009dcb5f54 Mon Sep 17 00:00:00 2001
From: Jay Paz
Date: Fri, 9 Feb 2024 10:14:55 -0600
Subject: [PATCH 3/3] fixing Flake8 errors, part deux
---
 dojo/tools/api_bugcrowd/parser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dojo/tools/api_bugcrowd/parser.py b/dojo/tools/api_bugcrowd/parser.py
index 6a3babef2fa..fee43f09d87 100644
--- a/dojo/tools/api_bugcrowd/parser.py
+++ b/dojo/tools/api_bugcrowd/parser.py
@@ -248,7 +248,7 @@ def is_active(self, bugcrowd_state):
 # Accepted
 # Unresolved: A valid submission that needs to be fixed. Typically, you should reward a submission at this point in the process.
 # Resolved: A valid submission that has been fixed.
- # Informational: A submission that is reproducible but will not be fixed. Use this if the submission is a best practice issue but
+ # Informational: A submission that is reproducible but will not be fixed. Use this if the submission is a best practice issue but
 # will not be fixed, a minor priority issue, or if you already have a mitigation.
 # Rejected