15 changes: 15 additions & 0 deletions hooks/persistence-defectdojo/README.md
Expand Up @@ -26,6 +26,20 @@ uses the Nikto JSON format while DefectDojo uses the XML format.

:::

After uploading the results to DefectDojo it will use the findings parsed by DefectDojo to overwrite the
original secureCodeBox findings identified by the parser. This lets you access the finding metadata like the false
positive and duplicate status from DefectDojo in further ReadOnly hooks, e.g. send out slack notification
for non-duplicate & non-false positive findings only.

:::caution

Be careful when using the DefectDojo Hook in combination with other ReadAndWrite hooks. The secureCodeBox currently has
no way to guarantee that one ReadAndWrite hook gets executed before another ReadAndWrite hook. This can lead to
"lost update" problems as the DefectDojo hook will overwrite all findings, which disregards the results of previously
run ReadAndWrite hooks.
ReadOnly hooks work fine with the DefectDojo hook as they are always executed after ReadAndWrite Hooks.
:::

## Runtime Configuration

The hook will automatically import the scan results into an engagement in DefectDojo.
Expand Down Expand Up @@ -112,6 +126,7 @@ helm upgrade --install dd secureCodeBox/persistence-defectdojo \
| defectdojo.authentication.apiKeyKey | string | `"apikey"` | Name of the apikey key in the `userSecret` secret. Use this if you already have a secret with different key / value pairs |
| defectdojo.authentication.userSecret | string | `"defectdojo-credentials"` | Link a pre-existing generic secret with `username` and `apikey` key / value pairs |
| defectdojo.authentication.usernameKey | string | `"username"` | Name of the username key in the `userSecret` secret. Use this if you already have a secret with different key / value pairs |
| defectdojo.syncFindingsBack | bool | `true` | Syncs back (two way sync) all imported findings from DefectDojo to SCB Findings Store, set to false to only import the findings to DefectDojo (one way sync). |
| defectdojo.url | string | `"http://defectdojo-django.default.svc"` | Url to the DefectDojo Instance |
| image.repository | string | `"docker.io/securecodebox/persistence-defectdojo"` | Hook image repository |
| image.tag | string | `nil` | Container image tag |
14 changes: 14 additions & 0 deletions hooks/persistence-defectdojo/README.md.gotmpl
Expand Up @@ -26,6 +26,20 @@ uses the Nikto JSON format while DefectDojo uses the XML format.

:::

After uploading the results to DefectDojo it will use the findings parsed by DefectDojo to overwrite the
original secureCodeBox findings identified by the parser. This lets you access the finding metadata like the false
positive and duplicate status from DefectDojo in further ReadOnly hooks, e.g. send out slack notification
for non-duplicate & non-false positive findings only.

:::caution

Be careful when using the DefectDojo Hook in combination with other ReadAndWrite hooks. The secureCodeBox currently has
no way to guarantee that one ReadAndWrite hook gets executed before another ReadAndWrite hook. This can lead to
"lost update" problems as the DefectDojo hook will overwrite all findings, which disregards the results of previously
run ReadAndWrite hooks.
ReadOnly hooks work fine with the DefectDojo hook as they are always executed after ReadAndWrite Hooks.
:::

## Runtime Configuration

The hook will automatically import the scan results into an engagement in DefectDojo.
2 changes: 1 addition & 1 deletion hooks/persistence-defectdojo/build.gradle
Expand Up @@ -16,7 +16,7 @@ repositories {
}

dependencies {
implementation 'io.kubernetes:client-java:10.0.0'
implementation 'io.kubernetes:client-java:12.0.0'

implementation 'io.securecodebox:defectdojo-client:0.0.12-SNAPSHOT'

Expand Up @@ -31,7 +31,7 @@
* Scan is the Schema for the scans API
*/
@ApiModel(description = "Scan is the Schema for the scans API")
@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2020-10-21T08:16:15.156Z[Etc/UTC]")
@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2021-03-18T15:41:43.082Z[Etc/UTC]")
public class V1Scan implements io.kubernetes.client.common.KubernetesObject {
public static final String SERIALIZED_NAME_API_VERSION = "apiVersion";
@SerializedName(SERIALIZED_NAME_API_VERSION)
Expand Up @@ -32,7 +32,7 @@
* ScanList is a list of Scan
*/
@ApiModel(description = "ScanList is a list of Scan")
@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2020-10-21T08:16:15.156Z[Etc/UTC]")
@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2021-03-18T15:41:43.082Z[Etc/UTC]")
public class V1ScanList implements io.kubernetes.client.common.KubernetesListObject {
public static final String SERIALIZED_NAME_API_VERSION = "apiVersion";
@SerializedName(SERIALIZED_NAME_API_VERSION)
Expand Up @@ -22,6 +22,8 @@
import com.google.gson.stream.JsonWriter;
import io.securecodebox.models.V1ScanSpecCascades;
import io.securecodebox.models.V1ScanSpecEnv;
import io.securecodebox.models.V1ScanSpecVolumeMounts;
import io.securecodebox.models.V1ScanSpecVolumes;
import io.swagger.annotations.ApiModel;
import io.swagger.annotations.ApiModelProperty;
import java.io.IOException;
Expand All @@ -32,7 +34,7 @@
* ScanSpec defines the desired state of Scan
*/
@ApiModel(description = "ScanSpec defines the desired state of Scan")
@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2020-10-21T08:16:15.156Z[Etc/UTC]")
@javax.annotation.Generated(value = "org.openapitools.codegen.languages.JavaClientCodegen", date = "2021-03-18T15:41:43.082Z[Etc/UTC]")
public class V1ScanSpec {
public static final String SERIALIZED_NAME_CASCADES = "cascades";
@SerializedName(SERIALIZED_NAME_CASCADES)
Expand All @@ -50,6 +52,14 @@ public class V1ScanSpec {
@SerializedName(SERIALIZED_NAME_SCAN_TYPE)
private String scanType;

public static final String SERIALIZED_NAME_VOLUME_MOUNTS = "volumeMounts";
@SerializedName(SERIALIZED_NAME_VOLUME_MOUNTS)
private List<V1ScanSpecVolumeMounts> volumeMounts = null;

public static final String SERIALIZED_NAME_VOLUMES = "volumes";
@SerializedName(SERIALIZED_NAME_VOLUMES)
private List<V1ScanSpecVolumes> volumes = null;


public V1ScanSpec cascades(V1ScanSpecCascades cascades) {

Expand Down Expand Up @@ -120,11 +130,11 @@ public V1ScanSpec addParametersItem(String parametersItem) {
}

/**
* Get parameters
* All CLI parameters to configure the scan container.
* @return parameters
**/
@javax.annotation.Nullable
@ApiModelProperty(value = "")
@ApiModelProperty(value = "All CLI parameters to configure the scan container.")

public List<String> getParameters() {
return parameters;
Expand All @@ -143,11 +153,11 @@ public V1ScanSpec scanType(String scanType) {
}

/**
* Get scanType
* The name of the scanType which should be started.
* @return scanType
**/
@javax.annotation.Nullable
@ApiModelProperty(value = "")
@ApiModelProperty(value = "The name of the scanType which should be started.")

public String getScanType() {
return scanType;
Expand All @@ -159,6 +169,68 @@ public void setScanType(String scanType) {
}


public V1ScanSpec volumeMounts(List<V1ScanSpecVolumeMounts> volumeMounts) {

this.volumeMounts = volumeMounts;
return this;
}

public V1ScanSpec addVolumeMountsItem(V1ScanSpecVolumeMounts volumeMountsItem) {
if (this.volumeMounts == null) {
this.volumeMounts = new ArrayList<V1ScanSpecVolumeMounts>();
}
this.volumeMounts.add(volumeMountsItem);
return this;
}

/**
* VolumeMounts allows to specify volume mounts for the scan container.
* @return volumeMounts
**/
@javax.annotation.Nullable
@ApiModelProperty(value = "VolumeMounts allows to specify volume mounts for the scan container.")

public List<V1ScanSpecVolumeMounts> getVolumeMounts() {
return volumeMounts;
}


public void setVolumeMounts(List<V1ScanSpecVolumeMounts> volumeMounts) {
this.volumeMounts = volumeMounts;
}


public V1ScanSpec volumes(List<V1ScanSpecVolumes> volumes) {

this.volumes = volumes;
return this;
}

public V1ScanSpec addVolumesItem(V1ScanSpecVolumes volumesItem) {
if (this.volumes == null) {
this.volumes = new ArrayList<V1ScanSpecVolumes>();
}
this.volumes.add(volumesItem);
return this;
}

/**
* Volumes allows to specify volumes for the scan container.
* @return volumes
**/
@javax.annotation.Nullable
@ApiModelProperty(value = "Volumes allows to specify volumes for the scan container.")

public List<V1ScanSpecVolumes> getVolumes() {
return volumes;
}


public void setVolumes(List<V1ScanSpecVolumes> volumes) {
this.volumes = volumes;
}


@Override
public boolean equals(Object o) {
if (this == o) {
Expand All @@ -171,12 +243,14 @@ public boolean equals(Object o) {
return Objects.equals(this.cascades, v1ScanSpec.cascades) &&
Objects.equals(this.env, v1ScanSpec.env) &&
Objects.equals(this.parameters, v1ScanSpec.parameters) &&
Objects.equals(this.scanType, v1ScanSpec.scanType);
Objects.equals(this.scanType, v1ScanSpec.scanType) &&
Objects.equals(this.volumeMounts, v1ScanSpec.volumeMounts) &&
Objects.equals(this.volumes, v1ScanSpec.volumes);
}

@Override
public int hashCode() {
return Objects.hash(cascades, env, parameters, scanType);
return Objects.hash(cascades, env, parameters, scanType, volumeMounts, volumes);
}


Expand All @@ -188,6 +262,8 @@ public String toString() {
sb.append(" env: ").append(toIndentedString(env)).append("\n");
sb.append(" parameters: ").append(toIndentedString(parameters)).append("\n");
sb.append(" scanType: ").append(toIndentedString(scanType)).append("\n");
sb.append(" volumeMounts: ").append(toIndentedString(volumeMounts)).append("\n");
sb.append(" volumes: ").append(toIndentedString(volumes)).append("\n");
sb.append("}");
return sb.toString();
}