
Fix Tenable hash code calculation by removing dynamic description fie… #14529

Open
tejas0077 wants to merge 2 commits into DefectDojo:bugfix from tejas0077:fix/tenable-hashcode-description

Conversation

@tejas0077
Contributor

Description

The Tenable Scan hash code configuration included the description field:
["title", "severity", "vulnerability_ids", "cwe", "description"]

The description field contains dynamic data (plugin_output) that changes
between scans of the same host and finding, causing deduplication to fail
and creating duplicate findings on reimport.

Fix: removed description from the hash code fields. The title, severity,
vulnerability_ids and cwe fields are sufficient to uniquely identify a
Tenable finding. Endpoint deduplication handles port-level separation.

Fixes #11994

Test results

Manually verified the hash code configuration change. The remaining fields
(title, severity, vulnerability_ids, cwe) are stable between scans and
sufficient to uniquely identify findings.

Documentation

No documentation changes needed.

Checklist

  • Bugfix submitted against the bugfix branch.
  • Meaningful PR name given.
  • Proper labels added.
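To make the deduplication failure described above concrete, here is an added example (not code from the PR or from DefectDojo itself) that models a per-scanner hash code as a SHA-256 over the configured fields. The two sample findings are constructed: the same plugin on the same host in two consecutive scans, differing only in the plugin output embedded in the description (the plugin name, CVE and timestamps are invented placeholders). The hashing routine is a simplified stand-in for DefectDojo's real computation, keeping only the property that matters here: any byte changing in a hashed field changes the hash code. The `volatile_fields` check is the kind of verification a practitioner would run before changing a hash-code configuration, to confirm which field is actually responsible for the duplicates.

```python
"""Model of how a volatile hash-code field breaks Tenable deduplication."""
import hashlib

# Hash-code field lists: the configuration before this PR and the one it proposes.
OLD_FIELDS = ["title", "severity", "vulnerability_ids", "cwe", "description"]
NEW_FIELDS = ["title", "severity", "vulnerability_ids", "cwe"]

# Constructed sample findings: the same Tenable plugin reported on the same host in
# two consecutive scans. Only the plugin output inside the description differs.
# Plugin name, CVE and timestamps are invented placeholders, not real Tenable data.
SCAN_1 = {
    "title": "Example Service TLS Weak Cipher Suites Supported",
    "severity": "Medium",
    "vulnerability_ids": ["CVE-0000-0000"],
    "cwe": 326,
    "description": (
        "The remote service supports weak cipher suites.\n"
        "Plugin Output: Scan started 2026-03-01T02:14:07Z\n"
        "  Negotiated 3 weak suites in 412 ms"
    ),
}
SCAN_2 = dict(SCAN_1, description=(
    "The remote service supports weak cipher suites.\n"
    "Plugin Output: Scan started 2026-03-08T02:31:55Z\n"
    "  Negotiated 3 weak suites in 398 ms"
))
# A different plugin on the same host must still receive its own hash code.
OTHER_PLUGIN = dict(SCAN_1, title="Example Service Version Disclosure", cwe=200,
                    vulnerability_ids=[])


def field_to_str(value):
    """Normalize a field value so that lists hash the same regardless of order."""
    if isinstance(value, (list, tuple)):
        return ",".join(sorted(str(v) for v in value))
    return "" if value is None else str(value)


def compute_hash_code(finding, fields):
    """Simplified model of a per-scanner hash code: SHA-256 over the configured fields.

    Not DefectDojo's exact implementation; it only preserves the property that any
    change in a hashed field produces a different hash code.
    """
    material = "|".join(field_to_str(finding.get(f)) for f in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def is_duplicate(a, b, fields):
    """Two findings deduplicate against each other when their hash codes match."""
    return compute_hash_code(a, fields) == compute_hash_code(b, fields)


def volatile_fields(a, b, fields):
    """Return the hashed fields whose values differ between two scans of one finding."""
    return [f for f in fields if field_to_str(a.get(f)) != field_to_str(b.get(f))]


if __name__ == "__main__":
    print("volatile under old config:", volatile_fields(SCAN_1, SCAN_2, OLD_FIELDS))
    print("duplicate with description:", is_duplicate(SCAN_1, SCAN_2, OLD_FIELDS))
    print("duplicate without description:", is_duplicate(SCAN_1, SCAN_2, NEW_FIELDS))
    print("other plugin collides:", is_duplicate(SCAN_1, OTHER_PLUGIN, NEW_FIELDS))
```

With the old field list the two scans of the same finding get different hash codes (so the reimport creates a duplicate); with the new list they match, while a different plugin on the same host still hashes differently. As the thread notes, existing findings keep their stored hash codes until they are recalculated, which is why the upgrade step with the dedupe management command is needed.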

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Mar 15, 2026
@valentijnscholten
Member

For this one we're going to need some assurance this is the right way to go as I personally have no experience with Tenable. It would also need some upgrade notes to instruct the users to recalculate the hash codes using the dedupe management command.

@tejas0077
Contributor Author

Hi @valentijnscholten, thank you for the feedback!

Regarding the assurance: The description field in Tenable findings
contains dynamic plugin_output data (scan results, timestamps,
affected hosts) that changes between scans of the same vulnerability.
This was reported on Slack and referenced in issue #11994 by yourself.
The title, severity, vulnerability_ids and cwe fields are stable
identifiers that uniquely identify a Tenable plugin/finding.

Regarding upgrade notes, I will add a note instructing users to
recalculate hash codes after upgrading using:

python manage.py dedupe --hash_code_only

Should I add this to the PR description or is there a specific
upgrade notes file I should update?

@Maffooch
Contributor

I think this one is okay. The description has been a painful field for tenable for a long time given the format of the plugin output is not always consistent. For some plugins, description is a great tool to use, but for others, it is riddled with date times and other dynamic data that make identification of duplicates impossible.

Will leave final call to @mtesauro

@Maffooch Maffooch added this to the 2.56.3 milestone Mar 16, 2026
@tejas0077
Contributor Author

Thanks @Maffooch for the approval! @valentijnscholten could you point me to the right file for upgrade notes? I'll add a note instructing users to run python manage.py dedupe --hash_code_only after upgrading to recalculate hash codes for existing Tenable findings.

@mtesauro
Contributor

> I think this one is okay. The description has been a painful field for tenable for a long time given the format of the plugin output is not always consistent. For some plugins, description is a great tool to use, but for others, it is riddled with date times and other dynamic data that make identification of duplicates impossible.
>
> Will leave final call to @mtesauro

I agree that description for Tenable scans is not consistent enough between plugins to allow it to be used without issues in the hashcode.

So we have the choice of an intermittent problem forever (or at least until Tenable makes descriptions consistent) and one-time pain of the change in hashcode fields.

I think we should take the one-time hit and make this better for future Tenable imports.

@Maffooch Maffooch modified the milestones: 2.56.3, 2.57.0 Mar 16, 2026