Merged
26 changes: 25 additions & 1 deletion hooks/persistence-defectdojo/.helm-docs.gotmpl
Expand Up @@ -130,7 +130,7 @@ can add these via annotation to the scan. See examples below.
| `defectdojo.securecodebox.io/engagement-deduplicate-on-engagement` | Deduplicate On Engagement | false | Only used when creating the Engagement not used for updating |
| `defectdojo.securecodebox.io/engagement-tags` | Engagement Tags | Nothing | Only used when creating the Engagement not used for updating |
| `defectdojo.securecodebox.io/test-title` | Test Title | Scan Name | |

| `defectdojo.securecodebox.io/minimum_severity` | Minimum severity for findings created in DD | Nothing | Used to only create finding in DD, which are of a certain severity |
### Read-only Mode

By default, the DefectDojo hook will pull the imported results from DefectDojo and use them to replace the results inside secureCodeBox.
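Review bot: the annotation key documented in the new table row, `defectdojo.securecodebox.io/minimum_severity`, does not match the constant this same PR adds to `SecureCodeBoxScanAnnotations`, which is `MINIMUM_SEVERITY("defectdojo.securecodebox.io/minimum-severity")`. A user who copies the documented key (underscore) gets the annotation silently ignored, because the hook only looks up the hyphenated key. Every other key in this table is hyphenated, so fix the docs to `minimum-severity` here and in the example section below rather than changing the code. The description should also say what happens when the annotation is absent: the hook then sends no minimum severity at all and DefectDojo's own default applies, which is what "Nothing" in the default column is meant to convey.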
Expand Down Expand Up @@ -220,6 +220,30 @@ helm upgrade --install dd secureCodeBox/persistence-defectdojo \
--set="defectdojo.authentication.userId=42"
```

### DefectDojo minimum severity

It has come to our attention, that DefectDojo become slow when handling a lot of data. A lot of data in DefectDojo can be informational findings one likes to ignore.
Therefore Defectdojo provides the option to only create findings for scan finding from a certain severity level and above, thus lowering the amount of data stored.
We integrate this option in our scans by providing the "defectdojo.securecodebox.io/minimum_severity" annotation for scans.
This is an example of how the minimum severity for findings of a scan can be set:
```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
name: "zap-juiceshop"
annotations:
defectdojo.securecodebox.io/minimum_severity: "Low"
spec:
interval: 24h
scanSpec:
scanType: "zap-full-scan"
parameters:
- "-t"
- "http://juice-shop.demo-targets.svc:3000"
```
In this example only for scan findings with a severity of "Low" or higher there are findings in DefectDojo created.


### Simple Example Scans

This will run a daily scan using ZAP on a demo target. The results will be imported using the name "zap-juiceshop-$UNIX_TIMESTAMP" (Name of the Scan created by the ScheduledScan), in a product called "zap-juiceshop" in the default DefectDojo product type.
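Review bot: the example YAML sets `defectdojo.securecodebox.io/minimum_severity: "Low"` (underscore), but the hook reads `defectdojo.securecodebox.io/minimum-severity` (hyphen, see the enum constant added in this PR), so the example as written has no effect; change the key here and in the prose two lines above. The section should also list the accepted values and their exact spelling, since the annotation value is forwarded verbatim to DefectDojo and only `"Low"` is shown; DefectDojo's severity names are `Info`, `Low`, `Medium`, `High` and `Critical`. One caveat worth a sentence for operators: because the hook by default replaces the secureCodeBox results with what DefectDojo imported (see the Read-only Mode section above), findings below the threshold are not merely hidden in DefectDojo, they disappear from secureCodeBox as well. Wording nits: "DefectDojo become slow" should read "DefectDojo becomes slow", "only create findings for scan finding from a certain severity level and above" should read "only create findings at or above a chosen severity level", and the closing sentence reads better as "In this example, only findings with a severity of "Low" or higher are created in DefectDojo."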
2 changes: 1 addition & 1 deletion hooks/persistence-defectdojo/hook/build.gradle
Expand Up @@ -21,7 +21,7 @@ repositories {
dependencies {
implementation 'io.kubernetes:client-java:12.0.0'

implementation 'io.securecodebox:defectdojo-client:0.0.40-SNAPSHOT'
implementation 'io.securecodebox:defectdojo-client:0.0.41-SNAPSHOT'

implementation group: 'org.springframework', name: 'spring-web', version: '5.3.9'
implementation 'com.fasterxml.jackson.core:jackson-core:2.12.4'
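Review bot: the bump to `0.0.41-SNAPSHOT` is what provides the `reimportScan` overload with the extra `additionalValues` argument used in `VersionedEngagementsStrategy`, but a SNAPSHOT is a mutable coordinate: a later rebuild of this hook can resolve a different artifact than the one this PR was tested against, and the build is not reproducible. The previous line had the same problem with `0.0.40-SNAPSHOT`, so this is a good moment to pin a released `defectdojo-client` version, or at least to record in the PR which client commit the new signature requires.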
Expand Up @@ -87,6 +87,11 @@ public Optional<String> getTestTitle() {
return this.getKey(SecureCodeBoxScanAnnotations.TEST_TITLE);
}


public Optional<String> getMinimumSeverity() {
return this.getKey(SecureCodeBoxScanAnnotations.MINIMUM_SEVERITY);
}

@AllArgsConstructor
public enum SecureCodeBoxScanAnnotations {
PRODUCT_TYPE("defectdojo.securecodebox.io/product-type-name"),
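Review bot: `getMinimumSeverity()` returns the annotation value unvalidated, so a typo such as `low` or `Informational` is passed straight through to the DefectDojo API and fails, or is ignored, far from where the user set it. Validate here against the severity names DefectDojo accepts (`Info`, `Low`, `Medium`, `High`, `Critical`) and throw a `DefectDojoPersistenceException` whose message names the annotation, as the strategy already does for an unknown test type. Style nit: there are two blank lines before the new method where the rest of the class uses one.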
Expand All @@ -98,6 +103,7 @@ public enum SecureCodeBoxScanAnnotations {
ENGAGEMENT_DEDUPLICATE_ON_ENGAGEMENT("defectdojo.securecodebox.io/engagement-deduplicate-on-engagement"),
ENGAGEMENT_TAGS("defectdojo.securecodebox.io/engagement-tags"),
TEST_TITLE("defectdojo.securecodebox.io/test-title"),
MINIMUM_SEVERITY("defectdojo.securecodebox.io/minimum-severity")
;

@Getter
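Review bot: `MINIMUM_SEVERITY("defectdojo.securecodebox.io/minimum-severity")` is the right spelling, consistent with every other key in this enum, but the `.helm-docs.gotmpl` changes in this PR document and exemplify `minimum_severity` with an underscore; align the docs to this constant, otherwise the PR ships a feature that cannot be triggered as documented. Minor: the previous last entry `TEST_TITLE(...)` keeps a trailing comma before the `;` line, so give the new entry one too and the next addition stays a one-line diff.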
Expand Up @@ -24,6 +24,7 @@
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.springframework.util.LinkedMultiValueMap;

/**
* VersionedEngagementsStrategy creates a new Engagement for every new version of the software.
Expand Down Expand Up @@ -87,7 +88,6 @@ public List<Finding> run(Scan scan, ScanFile scanResultFile) throws Exception {
}

LOG.info("Running with DefectDojo User Id: {}", userId);

long productTypeId = this.ensureProductTypeExistsForScan(scan);
long productId = this.ensureProductExistsForScan(scan, productTypeId).getId();

Expand All @@ -101,14 +101,20 @@ public List<Finding> run(Scan scan, ScanFile scanResultFile) throws Exception {

ScanType scanType = ScanNameMapping.bySecureCodeBoxScanType(scan.getSpec().getScanType()).scanType;
TestType testType = testTypeService.searchUnique(TestType.builder().name(scanType.getTestType()).build()).orElseThrow(() -> new DefectDojoPersistenceException("Could not find test type '" + scanType.getTestType() + "' in DefectDojo API. DefectDojo might be running in an unsupported version."));


var additionalValues = new LinkedMultiValueMap<String, Object>();
if (scan.getMinimumSeverity().isPresent()) {
additionalValues.add("minimum-severity", scan.getMinimumSeverity().get());
}

importScanService.reimportScan(
scanResultFile,
testId,
userId,
this.descriptionGenerator.currentDate(),
scanType,
testType.getId()
testType.getId(),
additionalValues
);

LOG.info("Uploaded Scan Report as testID {} to DefectDojo", testId);
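Review bot: the form field is added as `additionalValues.add("minimum-severity", ...)`, but DefectDojo's import and reimport endpoints name this parameter `minimum_severity` (underscore); unless `defectdojo-client` translates the key, DefectDojo ignores the unknown field and imports every finding, so the feature silently does nothing. None of the changed files add a test for this path, so verify against a running DefectDojo and use the API's spelling. Smaller points: `scan.getMinimumSeverity().isPresent()` followed by `.get()` is more idiomatically `scan.getMinimumSeverity().ifPresent(s -> additionalValues.add("minimum_severity", s));`, the two blank lines before `var additionalValues` should be one, and the "Uploaded Scan Report" log line could include the minimum severity that was applied so an operator reading the hook logs can see why findings below it are missing.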