Description
Is your feature request related to a problem?
As a secureCodeBox (SCB) user I would like to use all integrated security scanners and examine their results in OWASP DefectDojo (DD), when I use DD as the vulnerability management tool in my environment.
With the latest PR #300 introducing the DefectDojo-Persistence Hook it is now already possible to import some SCB scanner findings supported by DefectDojo:
Lines 23 to 34 in 0257dda

```java
public enum ScanNameMapping {
    NMAP("nmap", ScanType.NMAP_SCAN),
    ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
    ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
    ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
    SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
    TRIVY("trivy", ScanType.TRIVY_SCAN),
    GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
    // WPSCAN("wpscan", ScanType.WPSCAN),
    // NIKTO("nikto", ScanType.NIKTO_SCAN),
    // SSH("ssh-scan", ScanType.?),
    ;
```
The problem is that some scanners which are already integrated within secureCodeBox have no corresponding parser in OWASP DefectDojo. That's why I'm currently not able to import and analyse the following scanner finding results. Using those scanners in combination with the DefectDojo-Persistence Hook leads to failed scans:
- WPScan
- SSH-Scan
- Nikto (in JSON format instead of XML)
- Kube-Hunter
- Kubeaudit
Example failure
Example scan with kube-hunter:
```
k tree scan kube-hunter-internal-1616236981 -n demo-scans
NAMESPACE   NAME                                                                      READY  REASON              AGE
demo-scans  Scan/kube-hunter-internal-1616236981                                      -                          96m
demo-scans  ├─Job/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw               -                          95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-8cthv       False  ContainersNotReady  95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-gjdz6       False  ContainersNotReady  95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-hf26w       False  ContainersNotReady  93m
demo-scans  │ └─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-xdszp       False  ContainersNotReady  94m
demo-scans  └─Job/parse-kube-hunter-internal-1616236981-qnwc8                         -                          95m
demo-scans    └─Pod/parse-kube-hunter-internal-1616236981-qnwc8-wm4ls                 False  PodCompleted        95m
```

Example defectdojo-hook log:
```
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Accept=[text/plain, application/json, application/*+json, */*]
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Response 200 OK
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Reading to [java.lang.String] as "application/octet-stream"
2021-03-20 10:45:42 DEBUG VersionedEngagementsStrategy:99 - Finished Downloading Scan Report (RawResults)
Exception in thread "main" java.lang.IllegalArgumentException: No Mapping found for ScanType 'kube-hunter'
	at io.securecodebox.persistence.util.ScanNameMapping.bySecureCodeBoxScanType(ScanNameMapping.java:60)
	at io.securecodebox.persistence.strategies.VersionedEngagementsStrategy.createTest(VersionedEngagementsStrategy.java:259)
	at io.securecodebox.persistence.strategies.VersionedEngagementsStrategy.run(VersionedEngagementsStrategy.java:101)
	at io.securecodebox.persistence.DefectDojoPersistenceProvider.main(DefectDojoPersistenceProvider.java:53)
```

Describe alternatives you've considered
The following alternative solutions are only focussed on the missing parser problem:
There are multiple solution strategies to solve this problem:
- Use the generic CSV findings importer to implement a generic SCB findings import in the DefectDojo-Persistence Hook

  ```java
  public enum ScanNameMapping {
      NMAP("nmap", ScanType.NMAP_SCAN),
      ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
      ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
      ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
      SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
      TRIVY("trivy", ScanType.TRIVY_SCAN),
      GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
      // New Approach
      // NIKTO("nikto", ScanType.GENERIC_CSV_SCAN),
      // SSH("ssh-scan", ScanType.GENERIC_CSV_SCAN),
      ;
  ```

- You will find the existing generic CSV DefectDojo parser here: https://github.com/DefectDojo/django-DefectDojo/tree/master/dojo/tools/generic
- Implement a new generic JSON Findings Importer in OWASP DefectDojo, as already suggested in "Add Generic JSON importer" (DefectDojo/django-DefectDojo#3798), and use it to implement a generic SCB findings import in the DefectDojo-Persistence Hook

  ```java
  public enum ScanNameMapping {
      NMAP("nmap", ScanType.NMAP_SCAN),
      ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
      ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
      ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
      SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
      TRIVY("trivy", ScanType.TRIVY_SCAN),
      GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
      // New Approach
      // NIKTO("nikto", ScanType.GENERIC_JSON_SCAN),
      // SSH("ssh-scan", ScanType.GENERIC_JSON_SCAN),
      ;
  ```

- Such a new generic JSON DefectDojo parser should be implemented here: https://github.com/DefectDojo/django-DefectDojo/tree/master/dojo/tools/
- Implement a new generic SCB JSON Findings Importer in OWASP DefectDojo which is based on the secureCodeBox-specific findings format, and use it to import the findings in the DefectDojo-Persistence Hook

  ```java
  public enum ScanNameMapping {
      NMAP("nmap", ScanType.NMAP_SCAN),
      ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
      ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
      ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
      SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
      TRIVY("trivy", ScanType.TRIVY_SCAN),
      GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
      // New Approach
      // NIKTO("nikto", ScanType.GENERIC_SCB_SCAN),
      // SSH("ssh-scan", ScanType.GENERIC_SCB_SCAN),
      ;
  ```

- Such a new generic SCB DefectDojo parser should be implemented here: https://github.com/DefectDojo/django-DefectDojo/tree/master/dojo/tools/
Describe the solution you'd like
I would prefer the solution alternative 3 because it seems to be a clean integration strategy. Both OWASP projects (secureCodeBox and DefectDojo) would have advantages.
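To make alternative 3 concrete, here is an added sketch of what a DefectDojo-side parser for the secureCodeBox findings format could look like. It is example code written for this issue, not code from secureCodeBox or DefectDojo. Assumptions are labelled in the code: the findings file is a JSON array of objects with `name`, `description`, `category`, `severity` (INFORMATIONAL/LOW/MEDIUM/HIGH), `location` and optional `attributes`; DefectDojo's parser contract is modelled as a class with `get_scan_types()` / `get_findings()`; and `Finding` is replaced by a plain dataclass so the example runs offline. The scan type label "secureCodeBox Findings" is hypothetical. The sample findings are constructed.

```python
"""Sketch of a DefectDojo-style parser for secureCodeBox findings.json.

Example code for this issue, not code from secureCodeBox or DefectDojo.
Assumptions: SCB findings format fields as listed in the lead-in; the
DefectDojo parser interface (get_scan_types / get_findings) is modelled,
and dojo.models.Finding is replaced by a local dataclass.
"""
import hashlib
import json
from dataclasses import dataclass
from io import StringIO

# Constructed sample shaped like a secureCodeBox findings.json (assumption)
SAMPLE_FINDINGS_JSON = json.dumps([
    {
        "name": "Open Port: 22 (ssh)",
        "description": "Port 22 is open using tcp protocol.",
        "category": "Open Port",
        "severity": "INFORMATIONAL",
        "location": "tcp://10.0.0.5:22",
        "attributes": {"port": 22, "protocol": "tcp", "service": "ssh"},
    },
    {
        "name": "Kubelet API reachable without authentication",
        "description": "Constructed sample finding for illustration only.",
        "category": "Information Disclosure",
        "severity": "MEDIUM",
        "location": "https://10.0.0.5:10255/pods",
        "attributes": {"hostname": "node-1"},
    },
])

# secureCodeBox severities -> DefectDojo severity labels (assumption)
SEVERITY_MAP = {
    "INFORMATIONAL": "Info",
    "LOW": "Low",
    "MEDIUM": "Medium",
    "HIGH": "High",
}


@dataclass
class Finding:
    """Minimal stand-in for dojo.models.Finding (assumption, for offline use)."""
    title: str
    description: str
    severity: str
    unique_id_from_tool: str
    test: object = None
    dynamic_finding: bool = True
    static_finding: bool = False


class SecureCodeBoxParser:
    """Hypothetical parser class mirroring the shape of DefectDojo's tool parsers."""

    def get_scan_types(self):
        return ["secureCodeBox Findings"]  # hypothetical scan type label

    def get_label_for_scan_types(self, scan_type):
        return scan_type

    def get_description_for_scan_types(self, scan_type):
        return "Import of a secureCodeBox findings.json (generic SCB findings format)."

    def get_findings(self, file, test):
        raw = file.read()
        if isinstance(raw, bytes):
            raw = raw.decode("utf-8")
        if not raw.strip():
            return []  # empty report: nothing to import, not an error
        data = json.loads(raw)
        if not isinstance(data, list):
            raise ValueError("secureCodeBox findings file must be a JSON array")
        return [self._to_finding(item, test) for item in data]

    @staticmethod
    def _to_finding(item, test):
        name = item.get("name") or "Unnamed secureCodeBox finding"
        location = item.get("location", "")
        # Unknown severities degrade to Info rather than failing the whole import
        severity = SEVERITY_MAP.get(str(item.get("severity", "")).upper(), "Info")
        parts = [item.get("description", "")]
        if item.get("category"):
            parts.append(f"**Category:** {item['category']}")
        if location:
            parts.append(f"**Location:** {location}")
        attributes = item.get("attributes") or {}
        if attributes:
            parts.append("**Attributes:**\n" + "\n".join(
                f"- {key}: {value}" for key, value in sorted(attributes.items())))
        # Stable id from name+location so re-imports deduplicate instead of duplicating
        unique_id = hashlib.sha256(f"{name}|{location}".encode("utf-8")).hexdigest()
        return Finding(title=name, description="\n\n".join(p for p in parts if p),
                       severity=severity, unique_id_from_tool=unique_id, test=test)


def parse_text(text):
    """Parse a findings.json string the way the hook would hand the file to DefectDojo."""
    return SecureCodeBoxParser().get_findings(StringIO(text), test=None)


def parse_sample():
    return parse_text(SAMPLE_FINDINGS_JSON)


if __name__ == "__main__":
    for finding in parse_sample():
        print(finding.severity, finding.title, finding.unique_id_from_tool[:12])
```

The `unique_id_from_tool` hash matters for a persistence hook that re-uploads on every scan run: with a stable id DefectDojo can close and reopen findings across imports instead of piling up duplicates. Anything the SCB format carries beyond the fields above (for example per-scanner `attributes`) is preserved in the description rather than dropped, so nothing the scanner reported is lost in the mapping.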
Additional context
- Documentation of all currently supported security scanner parsers implemented by OWASP DefectDojo: https://defectdojo.readthedocs.io/en/latest/integrations.html
- secureCodeBox Java Client for DefectDojo: https://github.com/secureCodeBox/defectdojo-client-java