Skip to content

fix(generic parser): prevent nested list when cve and vulnerability_ids are both present#15212

Open
narvadanami wants to merge 2 commits into
DefectDojo:bugfixfrom
narvadanami:fix-generic-json-vulnerability-ids-bugfix
Open

fix(generic parser): prevent nested list when cve and vulnerability_ids are both present#15212
narvadanami wants to merge 2 commits into
DefectDojo:bugfixfrom
narvadanami:fix-generic-json-vulnerability-ids-bugfix

Conversation

@narvadanami

@narvadanami narvadanami commented Jul 10, 2026

Copy link
Copy Markdown

Bug

When both cve and vulnerability_ids were present in generic JSON import, .append() was used instead of .extend(), causing a nested list:

['CVE-2020-36234', ['GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234']] instead of ['CVE-2020-36234', 'GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234'].

Without cve, vulnerability_ids worked correctly via direct assignment. The bug only manifested when both fields were present simultaneously.

Fix

  • Changed .append() to .extend() when merging cve into existing vulnerability_ids
  • Added isinstance(str) protection for string-type vulnerability_ids (prevents .extend() from iterating over characters)
  • Updated documentation with vulnerability_ids example

Testing

  • Added test_parse_json_with_cve_and_vulnerability_ids covering:
    • cve + vulnerability_ids (list) → flat list of 3 items
    • vulnerability_ids as string → wrapped in list
  • All 42 generic parser tests pass

…ds are both present

When both 'cve' and 'vulnerability_ids' were present in generic JSON import,
.append() was used instead of .extend(), causing a nested list:
  ['CVE-2020-36234', ['GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234']] instead of ['CVE-2020-36234', 'GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234']

Without 'cve', vulnerability_ids worked correctly via direct assignment.
The bug only manifested when both fields were present simultaneously.

Added test to verify flat list behavior.
Updated documentation with vulnerability_ids example.
@narvadanami narvadanami force-pushed the fix-generic-json-vulnerability-ids-bugfix branch from 07ee5bf to f620839 Compare July 10, 2026 10:42
@narvadanami

Copy link
Copy Markdown
Author

@Maffooch @mtesauro hi! Could you please take a look? All 149 tests passed successfully, and the fix resolves a nested list bug in the generic parser. Thanks!

@mtesauro mtesauro requested review from blakeaowens and removed request for mtesauro July 15, 2026 02:13
@mtesauro mtesauro added this to the 3.1.200 milestone Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants