🪲 Parse empty machines in Defender (#11844)
* 🪲 Parse empty machines in zip

* added docs

* see review
manuel-sommer authored Feb 25, 2025
1 parent 7825c53 commit cd18539
Showing 4 changed files with 9 additions and 1 deletion.
Expand Up @@ -5,6 +5,7 @@ toc_hide: true
This parser helps to parse Microsoft Defender Findings and supports two types of imports:
- You can import a JSON output file from the api/vulnerabilities/machinesVulnerabilities endpoint of Microsoft defender.
- You can upload a custom zip file which include multiple JSON files from two Microsoft Defender Endpoints. For that you have to make your own zip file and include two folders (machines/ and vulnerabilities/) within the zip file. For vulnerabilities/ you can attach multiple JSON files from the api/vulnerabilities/machinesVulnerabilities REST API endpoint of Microsoft Defender. Furthermore, in machines/ you can attach the JSON output from the api/machines REST API endpoint of Microsoft Defender. Then, the parser uses the information in both folders to add more specific information like the affected IP Address to the finding.
<br>However, if you have a fast changing environment with a huge number of vulnerabilities and endpoints, it is recommended to leave the folder machines/ empty. Then, for stability reasons the machine info is skipped and only the machineID is added to the finding.

### Sample Scan Data
Sample MS Defender Parser scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/ms_defender).
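Review bot: the added line tells users to "leave the folder machines/ empty", but the parser change in this commit only drops the requirement that a `machines/` entry exist in the archive, so the sentence should state explicitly whether the folder may be omitted altogether or must still be present as an empty directory, and which of the two the new `empty_machines.zip` fixture exercises. The same sentence asserts that in this case "only the machineID is added to the finding"; that code path is not visible in this diff, so either point at where it is implemented or soften the wording. Minor style points in the paragraph above it: "which include multiple JSON files" should read "which includes", "Microsoft defender" should be capitalised as "Microsoft Defender", and the literal `<br>` is not needed in Markdown, where a blank line gives the paragraph break.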
2 changes: 1 addition & 1 deletion dojo/tools/ms_defender/parser.py
Expand Up @@ -32,7 +32,7 @@ def get_findings(self, file, test):
else:
input_zip = zipfile.ZipFile(file, "r")
zipdata = {name: input_zip.read(name) for name in input_zip.namelist()}
if zipdata.get("machines/") is None or zipdata.get("vulnerabilities/") is None:
if zipdata.get("vulnerabilities/") is None:
return []
vulnerabilityfiles = []
machinefiles = []
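Review bot: the remaining guard `if zipdata.get("vulnerabilities/") is None: return []` still depends on the archive carrying an explicit directory entry named `vulnerabilities/`, which is the same kind of entry that was missing for `machines/` in the case this commit fixes: many archivers, and `zipfile.ZipFile.write` called on individual files, store only the file members, so a zip holding `vulnerabilities/report.json` but no `vulnerabilities/` entry is silently rejected with an empty result. Test for members under the prefix instead, e.g. `if not any(name.startswith("vulnerabilities/") for name in zipdata): return []`, and consider raising a ValueError with a message rather than returning `[]`, so the user learns why the import produced nothing. Separately, `zipdata = {name: input_zip.read(name) for name in input_zip.namelist()}` decompresses every member of an uploaded archive into memory with no size cap; since the documentation encourages uploading large exports, check each `ZipInfo.file_size` from `input_zip.infolist()` against a limit before reading.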
Binary file added unittests/scans/ms_defender/empty_machines.zip
7 changes: 7 additions & 0 deletions unittests/tools/test_ms_defender_parser.py
Expand Up @@ -80,3 +80,10 @@ def test_parser_defender_issue_11217(self):
for endpoint in finding.unsaved_endpoints:
endpoint.clean()
self.assertEqual("Max_Mustermann_iPadAir_17zoll__2ndgeneration_", finding.unsaved_endpoints[0].host)

def test_parser_defender_empty_machines(self):
testfile = open(get_unit_tests_scans_path("ms_defender") / "empty_machines.zip", encoding="utf-8")
parser = MSDefenderParser()
findings = parser.get_findings(testfile, Test())
testfile.close()
self.assertEqual(4, len(findings))
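Review bot: the new test asserts only `self.assertEqual(4, len(findings))`, so it passes even if the parser still attaches machine data or derives endpoints for some findings; add assertions for the fallback the documentation describes for this case (the machine ID is present on the finding and no endpoint is built from machine info), in whatever field the parser uses for it, so the documented behaviour is actually covered. Two smaller points: the archive is opened in text mode (`encoding="utf-8"`), while `zipfile.ZipFile(file, "r")` in the parser wants a seekable binary stream whose `read()` returns bytes, so unless `get_findings` reopens the path itself, use `open(..., "rb")`; and the handle is closed manually rather than in a `with` block, which leaks it if `get_findings` raises.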
