
Add new Persistence-Provider Hook to Import Scan Results into OWASP DefectDojo#300

Merged
J12934 merged 80 commits into main from feature/defect-dojo
Mar 19, 2021

Conversation

J12934 (Member) commented Feb 17, 2021

This PR adds a new Hook which imports raw results of scans into DefectDojo.
For more details check out the hooks readme: https://github.com/secureCodeBox/secureCodeBox/blob/feature/defect-dojo/hooks/persistence-defectdojo/README.md

You can test out this PR by using the official DefectDojo demo instance at: https://demo.defectdojo.org/
See the DefectDojo docs for the credentials: https://defectdojo.readthedocs.io/en/latest/

To test out the PR with the demo instance, you can install the hook like the following:

# check out secureCodeBox repo at feature/defect-dojo branch

# log in to defectdojo beforehand and grab the apiv2 key for your user. Then replace the apikey placeholder in the command below
kubectl create secret generic defectdojo-credentials --from-literal="username=admin" --from-literal="apikey=08b7..."

helm upgrade --install defectdojo-hook ./hooks/persistence-defectdojo/ \
  --set="defectdojo.url=https://demo.defectdojo.org" \
  --set="image.tag=feature-defect-dojo"

J12934 and others added 30 commits October 23, 2020 15:28
Product Names are inferred by the Scans / ScheduledScans name, or if set by a special label.
- Optimize Imports
- Replace Getter/Setter with lombok
- Remove unused methods
This lets us better control the fields of the test.
E.g. the description and the timestamps
Encoding it again will mess with the signatures
J12934 (Member Author) commented Feb 18, 2021

Ok, I have to say I'm a bit confused with Code Climate here.
The one method it doesn't like (getProductName) is probably one of the most readable ones in the PR.
Does anybody have an idea on how to improve it?

damiencarol commented Mar 4, 2021

@J12934 I think it's because this method calls a method of a proxy object. You should just remove it and use scan.getProductName() directly in your code.

  protected String getProductName(Scan scan) {
    if (scan.getProductName().isPresent()) {
      return scan.getProductName().get();
    }

Also there are a lot of loops and if statements that increase complexity. And I agree, 5 in complexity is a little bit low :D
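The refactoring suggested in the comment above, written out as an added illustration that is not code from the PR or from the secureCodeBox project. It keeps the fallback order described in the commit message (product name taken from a special label if set, otherwise inferred from the ScheduledScan or Scan name) but expresses it as a single Optional chain, so the product name is fetched once and there is no branch or loop left for a complexity checker to count. The `Scan` class, its accessors, the `ProductNameResolver` name and the label key are assumptions made for this example; the real hook generates its Scan type from the Kubernetes CRD.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Optional;

// Hypothetical, simplified stand-in for the secureCodeBox Scan resource.
// The real class in the hook is generated from the Kubernetes CRD; only the
// three accessors used by the resolver below are modelled here.
final class Scan {
    // Assumed label key for this example; the key the hook actually reads is
    // documented in the hook's README, not here.
    static final String PRODUCT_NAME_LABEL = "defectdojo.securecodebox.io/product-name";

    private final String name;
    private final Map<String, String> labels;
    private final String scheduledScanName; // null when the Scan was created directly

    Scan(String name, Map<String, String> labels, String scheduledScanName) {
        this.name = name;
        this.labels = labels == null ? Collections.emptyMap() : labels;
        this.scheduledScanName = scheduledScanName;
    }

    String getName() {
        return name;
    }

    // Present only when the user set the label explicitly on the Scan.
    Optional<String> getProductName() {
        return Optional.ofNullable(labels.get(PRODUCT_NAME_LABEL));
    }

    // Present only when a ScheduledScan owns this Scan.
    Optional<String> getScheduledScanName() {
        return Optional.ofNullable(scheduledScanName);
    }
}

final class ProductNameResolver {
    private ProductNameResolver() {
    }

    // Precedence: explicit label > owning ScheduledScan name > Scan name.
    // The proxy accessor is called exactly once, and the whole decision is one
    // expression without if/else, which is what the Code Climate rule measures.
    static String resolve(Scan scan) {
        return scan.getProductName()
                .or(scan::getScheduledScanName) // Optional.or needs Java 9 or newer
                .orElseGet(scan::getName);
    }

    public static void main(String[] args) {
        // Constructed sample Scans for the demo, not objects read from a cluster.
        Scan labelled = new Scan("nmap-abc12",
                Map.of(Scan.PRODUCT_NAME_LABEL, "Web Shop"), "nmap-nightly");
        Scan scheduled = new Scan("nmap-abc12", Map.of(), "nmap-nightly");
        Scan adHoc = new Scan("nmap-abc12", Map.of(), null);

        System.out.println(resolve(labelled));
        System.out.println(resolve(scheduled));
        System.out.println(resolve(adHoc));
    }
}
```

Putting the explicit label first means a user's intent always wins over a name the hook guessed, which matters once the hook starts creating DefectDojo products automatically: a mis-inferred name quietly files findings under the wrong product, and the label is the one place an operator can pin it.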

@rfelber rfelber linked an issue Mar 7, 2021 that may be closed by this pull request
dependencies {
implementation 'io.kubernetes:client-java:10.0.0'

implementation 'io.securecodebox:defectdojo-client:0.0.7-SNAPSHOT'
rfelber (Member) commented Mar 12, 2021


We should reference here a released version instead of a snapshot version.

J12934 (Member Author) replied:

Yes 👍
I planned to do this later after this initial merge once we're fairly certain that the API of the client is stable.

@J12934 J12934 merged commit 0257dda into main Mar 19, 2021
@J12934 J12934 deleted the feature/defect-dojo branch March 19, 2021 08:34
@rfelber rfelber added this to the v2.6.0 milestone Mar 19, 2021
@rfelber rfelber removed the enhancement New feature or request label Mar 26, 2021
@rfelber rfelber changed the title Add Hook to Import Scan Results into DefectDojo Add new Persistence-Provider Hook to Import Scan Results into OWASP DefectDojo Mar 30, 2021
damiencarol commented:

@J12934 I saw that it's merged now! 👍
Do we have a demo env to test this one?

Labels

hook Implement or update a hook

Development

Successfully merging this pull request may close these issues.

⚓️ New persistenceProvider Hook for OWASP DefectDojo