
Fix Wazuh 4.8 parser to attach endpoints/locations to findings#14629

Open
DeWaRs1206 wants to merge 1 commit intoDefectDojo:bugfixfrom
DeWaRs1206:fix_wazuh48_exporter

Conversation


@DeWaRs1206 DeWaRs1206 commented Apr 2, 2026

Summary

The Wazuh 4.8 parser currently creates findings without associating them with an Endpoint/Location, unlike the 4.7 parser.

This change updates the Wazuh 4.8 parser to attach the agent name to each finding:

  • as a Location when V3_FEATURE_LOCATIONS is enabled
  • as an Endpoint otherwise

This restores host association for imported Wazuh 4.8 findings and keeps the behavior aligned with the existing feature flag logic.

I also added the missing cvssv3_score mapping from the Wazuh score payload.
Tests were added to validate the expected behavior.

@valentijnscholten (Member)

Could you also rephrase the title and description, as they don't really reflect the issue/fix at the moment?

@DeWaRs1206 DeWaRs1206 force-pushed the fix_wazuh48_exporter branch 2 times, most recently from 7de85c4 to ed9508c Compare April 2, 2026 20:37
@DeWaRs1206 DeWaRs1206 changed the title Fix Wazuh 4.8 exporter to provide Endpoint capability Fix Wazuh 4.8 parser to attach endpoints/locations to findings Apr 2, 2026
@valentijnscholten valentijnscholten added this to the 2.57.0 milestone Apr 3, 2026
@Maffooch Maffooch modified the milestones: 2.57.0, 2.57.1 Apr 3, 2026
@DeWaRs1206 DeWaRs1206 force-pushed the fix_wazuh48_exporter branch from ed9508c to ef77122 Compare April 4, 2026 04:54

dryrunsecurity bot commented Apr 4, 2026

DryRun Security

This pull request introduces code that constructs Endpoint/Location objects using unvalidated external input (agent name) in dojo/tools/wazuh/v4_8.py (lines 62–67), which could allow server-side request forgery (SSRF) if attacker-controlled values are used to issue requests or render URLs. The finding is marked critical and should be mitigated by validating/normalizing the agent input, enforcing scheme/host allowlists, or otherwise sanitizing/isolating usage before any network calls.

🔴 Potential Server-Side Request Forgery (SSRF) in dojo/tools/wazuh/v4_8.py (drs_fa8304ff)
Vulnerability Potential Server-Side Request Forgery (SSRF)
Description Unvalidated external input used to construct Endpoint/Location objects. The code assigns item.get("agent").get("name") directly into LocationData.url(host=...) or Endpoint(host=...), without any normalization, scheme or allowlist checks. If agent_name is attacker-controlled and these objects are later used to issue HTTP requests or render external URLs, this can enable SSRF.

agent_name = item.get("agent").get("name")
if agent_name is not None:
    if settings.V3_FEATURE_LOCATIONS:
        find.unsaved_locations = [LocationData.url(host=agent_name)]
    else:
        find.unsaved_endpoints = [Endpoint(host=agent_name)]


Comment to provide feedback on these findings.

Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]

Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing

All finding details can be found in the DryRun Security Dashboard.
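The host-attachment logic described in the PR summary above, together with the input-validation step the DryRun comment asks for, as an added example that is not DefectDojo's or Wazuh's code. It assumes the Wazuh 4.8 document layout shown in the constructed sample (agent.name, agent.id, vulnerability.id, vulnerability.severity, vulnerability.score.base, package.name), uses plain dicts in place of DefectDojo's Endpoint and LocationData classes, and takes the location/endpoint toggle as a function argument standing in for settings.V3_FEATURE_LOCATIONS. The CVE identifier in the sample is a placeholder.

```python
"""Added example (not DefectDojo's or Wazuh's code): map a Wazuh 4.8
vulnerability document to a finding, attach the agent name as a location or
an endpoint depending on a feature flag, and reject agent names that are not
plain hostnames or IP literals before they become a host."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# One DNS label per RFC 1123: letters, digits, hyphens; no edge hyphens.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_agent_host(raw) -> Optional[str]:
    """Return a lower-cased bare hostname or IP literal, else None.

    A Wazuh agent name is operator-controlled free text, so anything that
    could be read as a URL (scheme, userinfo, port, path, query, fragment)
    or that is not a syntactically valid host is dropped.
    """
    if not isinstance(raw, str):
        return None
    value = raw.strip().rstrip(".").lower()
    if not value or len(value) > 253:
        return None
    try:  # IPv4/IPv6 literals are acceptable hosts as-is.
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if any(ch in value for ch in "/:@?#\\ "):
        return None
    if not all(_LABEL.match(label) for label in value.split(".")):
        return None
    return value


@dataclass
class Finding:
    title: str
    severity: str
    cvssv3_score: Optional[float]
    unique_id: str
    unsaved_locations: list = field(default_factory=list)
    unsaved_endpoints: list = field(default_factory=list)


def parse_item(item: dict, locations_enabled: bool) -> Finding:
    """Build one Finding from one Wazuh 4.8 vulnerability document.

    locations_enabled stands in for settings.V3_FEATURE_LOCATIONS (assumed).
    """
    vuln = item.get("vulnerability") or {}
    pkg = item.get("package") or {}
    agent = item.get("agent") or {}
    score = (vuln.get("score") or {}).get("base")  # layout assumed
    finding = Finding(
        title=f"{vuln.get('id')} affects {pkg.get('name')}",
        severity=str(vuln.get("severity", "Info")).title(),
        cvssv3_score=float(score) if score is not None else None,
        unique_id=f"{agent.get('id')}:{vuln.get('id')}:{pkg.get('name')}",
    )
    host = normalize_agent_host(agent.get("name"))
    if host is not None:  # only a validated host is ever attached
        if locations_enabled:
            finding.unsaved_locations = [{"host": host}]
        else:
            finding.unsaved_endpoints = [{"host": host}]
    return finding


# Constructed sample documents; CVE id is a placeholder, not a real CVE.
SAMPLE_ITEM = {
    "agent": {"id": "001", "name": "Web-01.Example.Internal"},
    "package": {"name": "openssl", "version": "3.0.2"},
    "vulnerability": {
        "id": "CVE-0000-0001",
        "severity": "Critical",
        "score": {"base": 9.8},
    },
}
# Same document but with a URL-shaped agent name, which must not become a host.
SAMPLE_ITEM_URL_NAME = {
    **SAMPLE_ITEM,
    "agent": {"id": "002", "name": "http://169.254.169.254/latest/"},
}

if __name__ == "__main__":
    print(parse_item(SAMPLE_ITEM, locations_enabled=True))
    print(parse_item(SAMPLE_ITEM, locations_enabled=False))
    print(parse_item(SAMPLE_ITEM_URL_NAME, locations_enabled=True))
```

The normalizer only guarantees that the value is a syntactically valid bare host; whether a particular host (a link-local or private address, for instance) should be allowed is a separate allowlist decision that would sit on top of it.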

@DeWaRs1206 DeWaRs1206 force-pushed the fix_wazuh48_exporter branch from ef77122 to 69a25ab Compare April 4, 2026 08:11
@Maffooch Maffooch (Contributor) left a comment


Unique ID from tool is used as dedupe here, so the description field change is fine.

@Maffooch Maffooch requested review from Jino-T and paulOsinski April 11, 2026 01:59

3 participants