Fix: Add pluginID as unique_id_from_tool for Tenable XML parser #12886
Conversation
|
No security concerns detected in this pull request. All finding details can be found in the DryRun Security Dashboard. |
|
I don't know nessus well enough to determine if the plugin field is a good candidate for
|
There was a problem hiding this comment.
The plugin_output can be very large and have timestamps in the data. It is more of a description field (where it is today and also in the deduplication config) rather than a unique identifier. This makes me think the plugin_output is not really a good candidate for unique_id_from_tool
|
@Maffooch The field |
Misread Plugin ID for Plugin Output and relived some trauma from this field
Description
This PR adds support for using the pluginID field from Tenable .nessus scan files as the unique_id_from_tool value in DefectDojo findings.
This enables proper deduplication between scans and reimports when using Tenable Scan, which currently does not populate a unique ID and thus prevents deduplication.
A single line was added to the Tenable parser (dojo/tools/tenable/xml_format.py) to extract the pluginID attribute and pass it into the Finding() constructor as unique_id_from_tool.
Test results
Manual testing done using the following steps:
Uploaded a .nessus scan via the UI and API (import-scan)
Verified that unique_id_from_tool is set correctly for each finding
curl -X GET "https://<dojo>/api/v2/findings/?test=<test_id>" -H "Authorization: Token <TOKEN>" | jq '.results[] | {title, unique_id_from_tool, duplicate}'All findings show the correct unique_id_from_tool values based on Tenable's pluginID.
Documentation
No additional documentation needed. The change aligns with existing parser logic and improves deduplication without changing behavior for other tools.
Suggested labels: bugfix, Import Scans.