Description
New Hook implementation request
Is your feature request related to a problem? Please describe.
As a user I would like to use the OWASP DefectDojo project to analyse my findings (instead of, or in parallel to, my Kibana dashboard). While the secureCodeBox has its major focus on automating the execution of security scanners, DefectDojo is good at visualising, deduplicating and analysing the findings.
To integrate OWASP DefectDojo it is necessary to implement a new Hook which pushes the raw finding results of each scanner to the DefectDojo API endpoint ImportScan. DefectDojo can be started as a separate Docker container or via a Helm chart in a K8s cluster environment.
Possible Scanner Integrations:
- Nmap (XML output, use -oX)
- Nikto (XML output)
- ZAP (ZAP XML report format)
Describe the solution you'd like
There is already a working integration solution implemented for secureCodeBox V1, which could perhaps be migrated to or reused in secureCodeBox V2. For that, the existing code must be wrapped in a Hook.
Describe alternatives you've considered
Another alternative would be to implement this hook with a complete green-field approach. But this alternative would take much longer and has no real benefits.
Additional context
- https://github.com/secureCodeBox/engine/tree/master/scb-persistenceproviders/defectdojo-persistenceprovider
- https://github.com/secureCodeBox/engine/tree/feature/defect-dojo-config-extension/scb-persistenceproviders/defectdojo-persistenceprovider
Steps to implement a new Hook
- Create a new folder with the name of the hook here
- Add a README and give a brief overview of the scanner and its configuration options.
- Optionally add a Dockerfile for the scanner if there is no existing one publicly available on Docker Hub
- Use the Hook-SDK to implement the new hook (currently based on NodeJS)
- Add unit tests with at least 80% test coverage
- Add some example scan.yaml and finding.yaml files in the example folder
- Implement a new integration test for the hook here
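To make the ImportScan push and the unit-test step above concrete, here is a sketch of such a NodeJS hook (added example, not code from the secureCodeBox project). It assumes the Hook-SDK calls an exported `handle` with `getRawResults` and the `scan` object, that the DefectDojo endpoint is `POST /api/v2/import-scan/` with `Authorization: Token ...`, and that the scan-type mapping matches DefectDojo's parser names; the form-building step is kept as a pure function so it can be covered by unit tests without a running DefectDojo.

```javascript
// Map secureCodeBox scanType values to DefectDojo scan_type names.
// Assumed to match the DefectDojo parser names; extend as needed.
const SCAN_TYPE_MAP = {
  nmap: "Nmap Scan",
  nikto: "Nikto Scan",
  "zap-baseline": "ZAP Scan",
  "zap-full-scan": "ZAP Scan",
};

// Build the ImportScan form fields for one scan. Pure function (no I/O),
// so it is easy to unit-test. Throws on scanners DefectDojo cannot parse,
// rather than uploading a file DefectDojo would silently reject.
function buildImportScanFields(scan, engagementId) {
  const scbType = scan.spec.scanType;
  const scanType = SCAN_TYPE_MAP[scbType];
  if (!scanType) {
    throw new Error(`No DefectDojo parser mapping for scanType "${scbType}"`);
  }
  return {
    scan_type: scanType,
    engagement: String(engagementId),
    active: "true",
    verified: "false",
    minimum_severity: "Info",
    // Upload name for the raw result file (assumed XML for all three scanners).
    fileName: `${scan.metadata.name}-${scbType}.xml`,
  };
}

// Hook entry point (assumed Hook-SDK convention): getRawResults() returns
// the scanner's raw output; connection details come from the environment.
async function handle({ getRawResults, scan }) {
  const baseUrl = process.env.DEFECTDOJO_URL;
  const token = process.env.DEFECTDOJO_API_KEY;
  const fields = buildImportScanFields(scan, process.env.DEFECTDOJO_ENGAGEMENT_ID);
  const form = new FormData();
  for (const [key, value] of Object.entries(fields)) {
    if (key !== "fileName") form.append(key, value);
  }
  form.append("file", new Blob([await getRawResults()]), fields.fileName);
  const res = await fetch(`${baseUrl}/api/v2/import-scan/`, {
    method: "POST",
    headers: { Authorization: `Token ${token}` },
    body: form,
  });
  if (!res.ok) throw new Error(`DefectDojo import failed: HTTP ${res.status}`);
}

// Export for the Hook-SDK (CommonJS); guarded so the file also loads as ESM.
if (typeof module !== "undefined") module.exports = { SCAN_TYPE_MAP, buildImportScanFields, handle };
```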