Skip to content

fix(generic parser): prevent nested list when cve and vulnerability_ids are both present#15212

Open
narvadanami wants to merge 1 commit into
DefectDojo:bugfixfrom
narvadanami:fix-generic-json-vulnerability-ids-bugfix
Open

fix(generic parser): prevent nested list when cve and vulnerability_ids are both present#15212
narvadanami wants to merge 1 commit into
DefectDojo:bugfixfrom
narvadanami:fix-generic-json-vulnerability-ids-bugfix

Conversation

@narvadanami

@narvadanami narvadanami commented Jul 10, 2026

Copy link
Copy Markdown

Bug

When both cve and vulnerability_ids were present in generic JSON import, .append() was used instead of .extend(), causing a nested list:

['CVE-2020-36234', ['GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234']] instead of ['CVE-2020-36234', 'GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234'].

Without cve, vulnerability_ids worked correctly via direct assignment. The bug only manifested when both fields were present simultaneously.

Fix

  • Changed .append() to .extend() when merging cve into existing vulnerability_ids
  • Added isinstance(str) protection for string-type vulnerability_ids (prevents .extend() from iterating over characters)
  • Updated documentation with vulnerability_ids example

Testing

  • Added test_parse_json_with_cve_and_vulnerability_ids covering:
    • cve + vulnerability_ids (list) → flat list of 3 items
    • vulnerability_ids as string → wrapped in list
  • All 42 generic parser tests pass

…ds are both present

When both 'cve' and 'vulnerability_ids' were present in generic JSON import,
.append() was used instead of .extend(), causing a nested list:
  ['CVE-2020-36234', ['GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234']] instead of ['CVE-2020-36234', 'GHSA-5mrr-rgp6-x4gr', 'OSV-2021-1234']

Without 'cve', vulnerability_ids worked correctly via direct assignment.
The bug only manifested when both fields were present simultaneously.

Added test to verify flat list behavior.
Updated documentation with vulnerability_ids example.
@narvadanami narvadanami force-pushed the fix-generic-json-vulnerability-ids-bugfix branch from 07ee5bf to f620839 Compare July 10, 2026 10:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant