RustyHog: improve description and file_path

[valentijnscholten]

Description
Improvements to Rusy Hog parser:

• For Confluence and JIRA scans, set file_path to contain URL of scanned page;
• Ensure found_secret_string is actually a String and not a list;
• Add Reason to description;

Test results
Unit tests updated.

Documentation
No updates needed

Checklist

• Make sure to rebase your PR against the very latest dev.
• Features/Changes should be submitted against the dev.
• Bugfixes should be submitted against the bugfix branch.
• Give a meaningful name to your PR, as it may end up being used in the release notes.
• Your code is flake8 compliant.
• Your code is python 3.11 compliant.
• If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
• Model changes must include the necessary migrations in the dojo/db_migrations folder.
• Add applicable tests to the unit tests.
• Add the proper label to categorize your PR.

[dryrunsecurity]

DryRun Security Summary

The code changes enhance the RustyhogParser class by improving the test suite and vulnerability reporting capabilities, focusing on detecting and providing detailed information about sensitive data disclosure in various repositories and collaboration tools.

Expand for full summary

Summary:

The provided code changes focus on enhancing the RustyhogParser class, which is responsible for parsing the output of the "Rusty Hog" security tool. The changes include improvements to the test suite, which covers various scenarios related to the detection of sensitive information disclosure, such as SSH private keys, passwords, and other confidential data found in code repositories, configuration files, and collaboration tools. Additionally, the code changes in the parser.py file aim to provide more detailed and informative vulnerability descriptions, including specific details about the identified issues, such as commit information, file paths, line numbers, diffs, and relevant IDs from JIRA and Confluence. These enhancements improve the overall quality and usefulness of the vulnerability reporting, making it more effective in identifying and addressing potential security issues.

Files Changed:

1. unittests/tools/test_rusty_hog_parser.py:

   • This file contains the test suite for the RustyhogParser class, which covers various scenarios, including files with no vulnerabilities, files with a single vulnerability, and files with multiple vulnerabilities.
   • The test cases highlight the parser's ability to detect sensitive information, such as SSH private keys, passwords, and other confidential data found in different locations (e.g., Confluence pages, file paths, JIRA tickets).
   • The test cases also demonstrate the parser's ability to extract detailed information about the commits associated with the identified vulnerabilities, including the commit message, commit hash, parent commit hash, and the file changes.
   • The test cases show that the parser provides mitigation recommendations for the identified issues, guiding developers and security teams on how to address the vulnerabilities.

2. dojo/tools/rusty_hog/parser.py:

   • The changes in this file focus on improving the handling and presentation of the vulnerability information obtained from various "Hog" scanners (Choctaw Hog, Duroc Hog, Gottingen Hog, and Essex Hog).
   • The code now ensures that the "reason" and "stringsFound" information are properly handled and included in the vulnerability description, even if they are None or empty.
   • The code extracts and includes additional relevant details in the vulnerability description, such as commit information, file paths, line numbers, diffs, JIRA issue IDs, and Confluence page IDs, depending on the scanner type.
   • The code provides specific mitigation recommendations based on the scanner type, advising the user to ensure that no secret material or confidential information is kept in clear within the respective locations (Git repositories, directories/files/archives, JIRA tickets, or Confluence pages).
   • If the file path is not available from the vulnerability information, the code attempts to use the provided URL as a fallback.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[valentijnscholten]

Just realized this may affect hash_code calculation, so these need to be updated on upgrading.
Should this happen in a migration, or just instructions be added to the upgrade notes as was done on earlier releases?
A similar case in #11419 seems to be OK without either.

[valentijnscholten]

wdyt about the PR @Maffooch

[mtesauro]

@valentijnscholten For PRs that change hash_code changes, we've been adding a note to the release notes since we can't know if someone in the community is using any specific tool, has overridden them in local_settings.py, etc. So that release note is likely the best thing we can do given the circumstances.

[mtesauro]

Approved

[Maffooch]

@valentijnscholten I have been out on holidays, but it looks Matt has answered your question 😄 a section in the release notes would be best