
🐛 fix Nuclei deduplication #12397 #12405


Open. Wants to merge 1 commit into base: bugfix.

Conversation

manuel-sommer (Contributor)

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label May 7, 2025

dryrunsecurity bot commented May 7, 2025

DryRun Security

This pull request introduces a potential security concern with the new 'endpoints' attribute in Nuclei Scan configuration, which might inadvertently expose sensitive network or infrastructure details if not carefully managed.

💭 Unconfirmed Findings (1)
Vulnerability Potential Information Exposure via Endpoint Tracking
Description The new 'endpoints' attribute in Nuclei Scan configuration may expose detailed network or application endpoint information. This could lead to unintended revelation of sensitive infrastructure details if access and visibility are not properly controlled, presenting a potential security risk through expanded metadata tracking.

All finding details can be found in the DryRun Security Dashboard.

valentijnscholten (Member) left a comment

Can you put a one liner in the description to make it clear what is fixed?

Also could you explain why it is needed to add the endpoints to the hash codes. I haven't looked at the source code, but my understanding is that endpoints are always considered, even when they are not explicitly part of the hash code fields:

# Allows deduplication with endpoints if endpoints are not included in the hashcode.
# Possible values are: scheme, host, port, path, query, fragment, userinfo, and user. For a detailed description see https://hyperlink.readthedocs.io/en/latest/api.html#attributes.
# Example:
# Finding A and B have the same hashcode. Finding A has endpoint http://defectdojo.com and finding B has endpoint https://defectdojo.com/finding.
# - An empty list ([]) means no fields are used. B is marked as duplicate of A.
# - Host (['host']) means: B is marked as duplicate of A because the host (defectdojo.com) is the same.
# - Host and path (['host', 'path']) means: A and B stay untouched because the path is different.
#
# If a finding has more than one endpoint, only one endpoint pair must match to mark the finding as duplicate.
DEDUPE_ALGO_ENDPOINT_FIELDS = ["host", "path"]

Maybe the parser must be updated to mark the findings as dynamic?


Maffooch commented May 8, 2025

> Maybe the parser must be updated to mark the findings as dynamic?

I was thinking something similar. Some parsers aggregate endpoints by their finding. I think that should be implemented here as well. Tenable is a great example of this use case.

manuel-sommer (Contributor, Author)

Hm, I am not really sure how to proceed here. You are right @valentijnscholten, I wasn't aware that endpoints are always considered. Furthermore, the Finding is dynamic by default:

dynamic_finding = models.BooleanField(default=True,


3 participants