bugfix: fix failing tests

e913275

OpenVAS parser improvements #13214

DryRunSecurity / General Security Analyzer succeeded Sep 21, 2025 in 58s

General Security Analyzer Findings: 1 detected

⚠️ CSV Injection in dojo/tools/openvas/parser.py

Type: CSV Injection

Description: OpenVASParserV2 processes CSV files and assigns column values directly to Finding model fields such as title, summary, impact, mitigation and openvas_result, without any sanitization aimed at spreadsheet formula injection. cleanup_openvas_text removes newlines and escape_restructured_text wraps text in triple backticks for display inside DefectDojo, but neither prevents a cell that starts with a formula trigger character ('=', '+', '-' or '@') from being interpreted as a formula if the data is later exported and opened in a spreadsheet program. If a malicious CSV is imported and its findings are subsequently exported, an attacker could craft cell values that, once opened in a spreadsheet, execute commands or exfiltrate data.

Filename: dojo/tools/openvas/parser.py

Code (excerpt from the file; the first three lines close the preceding parser's get_findings method):
```python
        # ... tail of the existing OpenVASParser.get_findings (excerpt)
        if str(filename.name).endswith(".xml"):
            return OpenVASXMLParser().get_findings(filename, test)
        return None


class OpenVASParserV2:
    def get_scan_types(self):
        return ["OpenVAS Parser v2"]

    def get_label_for_scan_types(self, scan_type):
        return scan_type

    def get_description_for_scan_types(self, scan_type):
        return "Import CSV or XML output of Greenbone OpenVAS report."

    def get_findings(self, file, test):
        # Dispatch on the uploaded file's extension; CSV column values
        # flow straight into Finding fields (see the finding above).
        if str(file.name).endswith(".csv"):
            return get_findings_from_csv(file, test)
        if str(file.name).endswith(".xml"):
            return get_findings_from_xml(file, test)
        return None
```