From a11a7390612e7a465314e818d848ad8ed9c5c10f Mon Sep 17 00:00:00 2001 From: noamblitz <43830693+noamblitz@users.noreply.github.com> Date: Mon, 9 Sep 2024 15:23:18 +0200 Subject: [PATCH] Dont yield all snyk findings when no version was found (#3431) Co-authored-by: stephanie0x00 <9821756+stephanie0x00@users.noreply.github.com> --- .../kat_kat_finding_types/kat_finding_types.json | 5 +++++ boefjes/boefjes/plugins/kat_snyk/normalize.py | 11 ++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/boefjes/boefjes/plugins/kat_kat_finding_types/kat_finding_types.json b/boefjes/boefjes/plugins/kat_kat_finding_types/kat_finding_types.json index 23ec1b70da7..00fbbba47a4 100644 --- a/boefjes/boefjes/plugins/kat_kat_finding_types/kat_finding_types.json +++ b/boefjes/boefjes/plugins/kat_kat_finding_types/kat_finding_types.json @@ -486,5 +486,10 @@ "source": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers", "impact": "Nonstandard headers may not be supported by all browsers and may not provide the security that is expected.", "recommendation": "Remove the nonstandard headers from the response." + }, + "KAT-SOFTWARE-VERSION-NOT-FOUND": { + "description": "The version of the software is not found.", + "risk": "recommendation", + "recommendation": "There was no version found for this software but there are known vulnerabilities for this software." } } diff --git a/boefjes/boefjes/plugins/kat_snyk/normalize.py b/boefjes/boefjes/plugins/kat_snyk/normalize.py index cd8b5746234..240cc580e0f 100755 --- a/boefjes/boefjes/plugins/kat_snyk/normalize.py +++ b/boefjes/boefjes/plugins/kat_snyk/normalize.py @@ -23,7 +23,7 @@ def run(input_ooi: dict, raw: bytes) -> Iterable[NormalizerOutput]: elif not results["table_vulnerabilities"] and not results["cve_vulnerabilities"]: # no vulnerabilities found return - else: + if software_version: for vuln in results["table_vulnerabilities"]: snyk_ft = SnykFindingType(id=vuln.get("Vuln_href")) yield snyk_ft @@ -40,6 +40,15 @@ def run(input_ooi: dict, raw: bytes) -> Iterable[NormalizerOutput]: ooi=pk_ooi, description=vuln.get("Vuln_text"), ) + if not software_version and (results["table_vulnerabilities"] or results["cve_vulnerabilities"]): + kat_ooi = KATFindingType(id="KAT-SOFTWARE-VERSION-NOT-FOUND") + yield kat_ooi + yield Finding( + finding_type=kat_ooi.reference, + ooi=pk_ooi, + description="There was no version found for this software. " + "But there are known vulnerabilities for some versions.", + ) # Check for latest version latest_version = ""