Skip to content

Fix CycloneDX XML import failing when vulnerability description is missing #13963

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Maffooch merged 1 commit into from
Dec 29, 2025
Merged

Fix CycloneDX XML import failing when vulnerability description is missing #13963

Maffooch merged 1 commit into from
Dec 29, 2025

Conversation

@valentijnscholten
Copy link
Member

@valentijnscholten valentijnscholten commented Dec 22, 2025

Fixes #10249

Description

When uploading a CycloneDX report to DefectDojo, an error was thrown when the vulnerability description field was missing. The CycloneDX specification does not mandate the description field to be present, but DefectDojo requires it in the database.

Root Cause

The _manage_vulnerability_xml() function (used for CycloneDX 1.4+) did not set a default value for missing descriptions, while manage_vulnerability_legacy() (used for CycloneDX 1.0) already had this fix applied in version 2.31.0.

Solution

Added a default description when both description and detail fields are missing, similar to the legacy function. The default description includes the vulnerability ID and severity.

Testing

  • Verified the fix handles missing descriptions correctly
  • No linting errors introduced
  • Follows the same pattern as the legacy function

@valentijnscholten valentijnscholten added this to the 2.53.5 milestone Dec 22, 2025
@valentijnscholten valentijnscholten linked an issue Dec 22, 2025 that may be closed by this pull request
Import of CycloneDX Scan fails if vulnerability description is missing #10249
Open
3 tasks
mtesauro
mtesauro approved these changes Dec 23, 2025
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch merged commit 3e15654 into DefectDojo:bugfix Dec 29, 2025
149 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@Maffooch Maffooch Maffooch approved these changes

@Jino-T Jino-T Jino-T approved these changes

@blakeaowens blakeaowens blakeaowens approved these changes

Assignees

No one assigned

Labels

parser

Projects

None yet

Milestone

2.53.5

Development

Successfully merging this pull request may close these issues.

Import of CycloneDX Scan fails if vulnerability description is missing

5 participants

@valentijnscholten @mtesauro @Maffooch @Jino-T @blakeaowens