Ruff: Add and fix D414

[kiblik]

Add rule empty-docstring-section (D414) and "fix" it

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[dryrunsecurity]

DryRun Security Summary

The code changes primarily focus on enhancing the parsing and handling of security scan data from WhiteHat Sentinel and Qualys in DefectDojo, including improvements to input validation, error handling, severity mapping, endpoint handling, and duplicate/mitigated finding management.

Expand for full summary

Summary:

The provided code changes cover several files in the DefectDojo application, with a focus on improving the parsing and handling of data from various security scanning tools. The changes do not introduce any significant security concerns, but there are a few areas that are worth highlighting from an application security perspective.

1. Parsing Untrusted Input: The changes in the parser.py and csv_parser.py files deal with parsing data from external sources, such as the WhiteHat Sentinel API and Qualys CSV reports. It's crucial to ensure that the parsing process is secure and does not introduce any vulnerabilities, such as potential injection flaws or unintended behavior.

2. Handling Malformed or Incomplete Data: The code in the csv_parser.py file includes error handling mechanisms to address cases where the CVSS vectors or CVE data are not in the expected format. This is a good practice to ensure the application can gracefully handle unexpected or malformed input.

3. Severity Mapping: The csv_parser.py file includes a get_severity function that maps the Qualys severity values to the corresponding severities used in the application. This is an important step to ensure that the findings are properly categorized and prioritized.

4. Endpoint Handling: The csv_parser.py file extracts endpoint information (FQDN, DNS, IP) from the Qualys report and creates Endpoint objects. This is a crucial step for associating the findings with the correct targets.

5. Duplicate Handling: The csv_parser.py file checks if a finding with the same vulnerability ID (QID) already exists in the list of findings. If a duplicate is found, the existing finding is updated instead of creating a new one. This helps to avoid duplicate findings and maintain data integrity.

6. Mitigated Findings: The csv_parser.py file correctly handles mitigated findings by setting the is_mitigated and mitigated fields based on the "Date Last Fixed" information in the Qualys report.

Files Changed:

1. dojo/tools/whitehat_sentinel/parser.py: The changes remove the Returns: section from the docstring of the _parse_solution() method, which is responsible for converting the HTML-formatted solution provided by the WhiteHat Sentinel API into a Markdown-formatted solution.
2. dojo/tools/qualys/csv_parser.py: The changes are focused on the get_report_findings function, which is responsible for filtering out the unneeded information at the beginning of the Qualys CSV report. The changes include improvements to error handling, input validation, data normalization, and duplicate/mitigated finding handling.
3. ruff.toml: The changes update the select list in the [lint] section to include the D414 rule, which is a Ruff-specific rule related to the use of with statements. While this change does not directly impact the security of the application, the Ruff linter includes several security-related rules that should be considered.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[mtesauro]

Approves