[SCB-Bot] Upgraded nuclei from v2.6.2 to v2.6.5 by secureCodeBoxBot · Pull Request #1014 · secureCodeBox/secureCodeBox · GitHub

Conversation

@secureCodeBoxBot
Contributor

This is an automated Pull Request by the SCB-Bot. It upgrades nuclei from v2.6.2 to v2.6.3.

Release changes: here

Signed-off-by: secureCodeBoxBot <securecodebox@iteratec.com>
@secureCodeBoxBot secureCodeBoxBot added dependencies Pull requests that update a dependency file scanner Implement or update a security scanner labels Mar 4, 2022
@rfelber
Member
rfelber commented Mar 7, 2022

This patch upgrade adds a new severity "unknown":
"Possible severity values: info, low, medium, high, critical, unknown". Maybe this change needs to be reflected in our parser somehow 🤔

@J12934
Member
J12934 commented Mar 8, 2022

I'd personally map unknown to informational. 🤷‍♂️

@Ilyesbdlala
Member

> I'd personally map unknown to informational. 🤷‍♂️

I don't think mapping the findings to informational is a good idea. We usually reserve this for findings that don't result in vulnerabilities (like the service version in NMAP). Quoting the nuclei issue concerning this:

For the cases where the impact of the issue is not proved/confirmed as a result of the finding and can be decided after further inspection, at the same time using info is also not accurate for those templates.

Personally, I see the findings of type "unknown" deserving more attention than an Informational finding, and our mapping should reflect that. Maybe setting it as "LOW" would be a better idea.

@malexmave
Member

I just looked through a couple of scanners that I am familiar with:

So, it seems like there isn't a globally recognized default (and by @Ilyesbdlala's argument, we should probably also switch semgrep to a default of LOW). I agree with Ilyes that for nuclei, LOW seems a better default than INFORMATIONAL.

@rfelber rfelber changed the title [SCB-Bot] Upgraded nuclei from v2.6.2 to v2.6.3 [SCB-Bot] Upgraded nuclei from v2.6.2 to v2.6.5 Mar 23, 2022
@rfelber rfelber added the breaking Changes requiring a major release label Mar 23, 2022
@rfelber
Member
rfelber commented Mar 23, 2022

Thx for your feedback! Switched the mapping to a LOW severity in case nuclei claims an unknown.
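The severity mapping discussed in this thread, written out as an added example rather than secureCodeBox's own parser code: a small parser for nuclei's JSON-lines output that converts each result into a secureCodeBox-style finding, maps "info" to INFORMATIONAL and the new "unknown" value to LOW as agreed above, and does not silently drop a result whose severity the parser has never seen. The nuclei field names used ("template-id", "info.name", "info.severity", "matched-at", "host") and the sample output lines are assumptions constructed for this example.

```javascript
// Added example, not the secureCodeBox nuclei parser itself. It maps nuclei
// JSON-lines output to secureCodeBox-style findings, including the "unknown"
// severity that nuclei introduced in v2.6.3. Field names follow nuclei's JSON
// export ("template-id", "info.name", "info.severity", "matched-at", "host")
// but are treated as assumptions here.

// nuclei severity -> secureCodeBox severity. "unknown" maps to LOW, as agreed
// in the discussion; INFORMATIONAL is reserved for nuclei's "info" level.
const SEVERITY_MAP = {
  info: "INFORMATIONAL",
  low: "LOW",
  medium: "MEDIUM",
  high: "HIGH",
  critical: "CRITICAL",
  unknown: "LOW",
};

// Normalises case/whitespace and treats a missing or never-seen severity like
// "unknown" (assumption: surfacing it as LOW beats dropping the finding).
function mapSeverity(nucleiSeverity) {
  const key = String(nucleiSeverity ?? "unknown").trim().toLowerCase();
  return SEVERITY_MAP[key] ?? SEVERITY_MAP.unknown;
}

// Parses one JSON object per line; malformed lines are skipped rather than
// aborting the whole scan result.
function parseNucleiJsonLines(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const trimmed = line.trim();
    if (trimmed === "") continue;
    let result;
    try {
      result = JSON.parse(trimmed);
    } catch {
      continue; // skip malformed line
    }
    const info = result.info ?? {};
    findings.push({
      name: info.name ?? result["template-id"] ?? "nuclei finding",
      category: result["template-id"] ?? "unknown-template",
      severity: mapSeverity(info.severity),
      location: result["matched-at"] ?? result.host ?? null,
      attributes: {
        nucleiSeverity: info.severity ?? null, // keep the raw value for auditing
        host: result.host ?? null,
      },
    });
  }
  return findings;
}

// Constructed sample output: one line per severity case of interest.
const SAMPLE_OUTPUT = [
  JSON.stringify({ "template-id": "tech-detect", info: { name: "Tech Detect", severity: "info" }, host: "https://example.test", "matched-at": "https://example.test/" }),
  JSON.stringify({ "template-id": "example-check", info: { name: "Example Check", severity: "unknown" }, host: "https://example.test", "matched-at": "https://example.test/login" }),
  JSON.stringify({ "template-id": "example-critical", info: { name: "Example Critical", severity: "critical" }, host: "https://example.test" }),
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(parseNucleiJsonLines(SAMPLE_OUTPUT), null, 2));
}
```

Keeping the raw nuclei severity in `attributes` means a later review can still tell an "unknown" that was promoted to LOW apart from a genuine LOW, which is the kind of distinction the thread cares about.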

@rfelber rfelber merged commit 90cb379 into main Mar 23, 2022
@rfelber rfelber deleted the dependencies/upgrading-nuclei-to-v2.6.3 branch March 23, 2022 23:37