django-DefectDojo: Endpoint with protocol length > 20 characters causes error in report uploads (Tested with nessus)
When importing an endpoint whose protocol is longer than 20 characters, the import fails.
Error in UI:
An exception error occurred during the report import:value too long for type character varying(20)
The cause of the problem is a restrictive max_length=20 in the Endpoint model:
```python
class Endpoint(models.Model):
    protocol = models.CharField(null=True, blank=True, max_length=20,
                                help_text="The communication protocol/scheme such as 'http', 'ftp', 'dns', etc.")
```
Example string causing the error; as seen below, the string is 21 chars:
fw1-topology-download://xx-0-0-0-0.xx-xx-x.xxx.xxxx
By truncating the endpoint as in the example below, it is possible to upload the Nessus report:
fw1://xx-0-0-0-0.xx-xx-x.xxx.xxxx
Deployment method (select with an X)
- Docker Compose
- Kubernetes
- GoDojo
Logs
│
│ uwsgi Traceback (most recent call last): │
│ uwsgi File "/app/./dojo/engagement/views.py", line 602, in import_scan_results │
│ uwsgi test, finding_count, closed_finding_count = importer.import_scan(scan, scan_type, engagement, user, environment, active=active, verified=verified, tags=tags, │
│ uwsgi File "/app/./dojo/importers/importer/importer.py", line 299, in import_scan │
│ uwsgi new_findings = self.process_parsed_findings(test, parsed_findings, scan_type, user, active, │
│ uwsgi File "/app/./dojo/importers/importer/importer.py", line 125, in process_parsed_findings │
│ uwsgi ep, created = endpoint_get_or_create( │
│ uwsgi File "/app/./dojo/endpoint/utils.py", line 79, in endpoint_get_or_create │
│ uwsgi return Endpoint.objects.get_or_create(**kwargs) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/manager.py", line 85, in manager_method │
│ uwsgi return getattr(self.get_queryset(), name)(*args, **kwargs) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/tagulous/models/tagged.py", line 238, in get_or_create │
│ uwsgi return super(TaggedQuerySet, self).get_or_create(**safe_fields) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 576, in get_or_create │
│ uwsgi return self._create_object_from_params(kwargs, params) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 610, in _create_object_from_params │
│ uwsgi obj = self.create(**params) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/tagulous/models/tagged.py", line 219, in create │
│ uwsgi obj = super(TaggedQuerySet, self).create(**safe_fields) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 447, in create │
│ uwsgi obj.save(force_insert=True, using=self.db) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/base.py", line 753, in save │
│ uwsgi self.save_base(using=using, force_insert=force_insert, │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/base.py", line 790, in save_base │
│ uwsgi updated = self._save_table( │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/base.py", line 895, in _save_table │
│ uwsgi results = self._do_insert(cls._base_manager, using, fields, returning_fields, raw) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/base.py", line 933, in _do_insert │
│ uwsgi return manager._insert( │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/manager.py", line 85, in manager_method │
│ uwsgi return getattr(self.get_queryset(), name)(*args, **kwargs) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 1254, in _insert │
│ uwsgi return query.get_compiler(using=using).execute_sql(returning_fields) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/models/sql/compiler.py", line 1397, in execute_sql │
│ uwsgi cursor.execute(sql, params) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/backends/utils.py", line 66, in execute │
│ uwsgi return self._execute_with_wrappers(sql, params, many=False, executor=self._execute) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/backends/utils.py", line 75, in _execute_with_wrappers │
│ uwsgi return executor(sql, params, many, context) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/backends/utils.py", line 84, in _execute │
│ uwsgi return self.cursor.execute(sql, params) │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/utils.py", line 90, in __exit__ │
│ uwsgi raise dj_exc_value.with_traceback(traceback) from exc_value │
│ uwsgi File "/usr/local/lib/python3.8/site-packages/django/db/backends/utils.py", line 84, in _execute │
│ uwsgi return self.cursor.execute(sql, params)
About this issue
- State: closed
- Created 3 years ago
- Comments: 15 (13 by maintainers)
Hey @kiblik, thanks for looking into it. Can't really share the report as it was for internal things. However, the Nessus parser in Dojo will create an endpoint checking for:
```xml
<ReportItem port="264" svc_name="fw1-topology-download" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner" pluginFamily="Port scanners">
```
so if you have any report, just increase the svc_name length to 21 chars and that will create the error.
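A pre-insert length check for the case reported in this thread, as an added example that is not DefectDojo's own code. It assumes the endpoint protocol is taken from the `svc_name` attribute of each `ReportItem`; the function name `check_report_items`, the sample report and the host name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# max_length of Endpoint.protocol as quoted in the issue body.
PROTOCOL_MAX_LENGTH = 20

# Constructed sample: the ReportItem from the comment above (self-closed here)
# plus one item with a short service name. For untrusted reports, parse with
# a hardened XML parser such as defusedxml instead of the stdlib one.
SAMPLE_REPORT = """<ReportHost name="host.example">
<ReportItem port="264" svc_name="fw1-topology-download" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner" pluginFamily="Port scanners"/>
<ReportItem port="443" svc_name="https" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner" pluginFamily="Port scanners"/>
</ReportHost>"""


def check_report_items(xml_text, max_length=PROTOCOL_MAX_LENGTH):
    """Split ReportItems into those that fit the protocol column and those
    that would trigger 'value too long for type character varying(20)'.

    Assumption: svc_name becomes the endpoint protocol (hypothetical mapping).
    """
    accepted, rejected = [], []
    root = ET.fromstring(xml_text)
    for item in root.iter("ReportItem"):
        svc = item.get("svc_name") or ""
        port = item.get("port")
        if len(svc) > max_length:
            reason = f"protocol is {len(svc)} chars, column allows {max_length}"
            rejected.append((svc, port, reason))
        else:
            accepted.append((svc, port))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_report_items(SAMPLE_REPORT)
    for svc, port in ok:
        print(f"OK       {svc}:{port}")
    for svc, port, reason in bad:
        print(f"REJECTED {svc}:{port} ({reason})")
```

Running the check before the database write turns the failed import into a per-item message that names the offending service, instead of a database exception surfaced in the UI.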