Skip to content

Comments

Add new Persistence-Provider Hook to Import Scan Results into OWASP DefectDojo#300

Merged
J12934 merged 80 commits intomainfrom
feature/defect-dojo
Mar 19, 2021
Merged

Add new Persistence-Provider Hook to Import Scan Results into OWASP DefectDojo#300
J12934 merged 80 commits intomainfrom
feature/defect-dojo

Conversation

@J12934
Copy link
Member

@J12934 J12934 commented Feb 17, 2021

This PR adds a new Hook which imports raw results of scans into DefectDojo.
For more details check out the hooks readme: https://github.com/secureCodeBox/secureCodeBox/blob/feature/defect-dojo/hooks/persistence-defectdojo/README.md

You can test out this pr by using the official DefectDojo Demo instance at: https://demo.defectdojo.org/
See DefectDojo docs for the credentials: https://defectdojo.readthedocs.io/en/latest/

To test out the pr with the demo instance, you can install the hook like the following:

# check out secureCodeBox repo at feature/defect-dojo branch

# log in to defectdojo beforehand and grab the apiv2 key for your user. Then replace the apikey placeholder in the command below
kubectl create secret generic defectdojo-credentials --from-literal="username=admin" --from-literal="apikey=08b7..."

helm upgrade --install defectdojo-hook ./hooks/persistence-defectdojo/ \
  --set="defectdojo.url=https://demo.defectdojo.org" \
  --set="image.tag=feature-defect-dojo"

J12934 and others added 30 commits October 23, 2020 15:28
@J12934
WIP port of the scb v1 DefectDojo integration
7a9445e
@J12934
Add some missing attributes to the engagementPayload
4ea80f9
@J12934
Support local development and execution of the hook
1670232
@J12934
Fix typo
ec4787f
@J12934
Properly name projectName
67f9506
@J12934
Improve handling of Product names
dc8ec7b 
Product Names are infered by the Scans / ScheduledScans name, or if set by a special label.
@J12934
Regenerate README
2b668d9
@J12934
Fix bug which lead dd pp to crash on its first run
f766c1b
@J12934
Set new Engagements to "In Progress" by default
8550969
@J12934
Extract testId after importing scan results
f32725d
@J12934
Update DescriptionGenerator to generate usefull descriptions for v2
163df96
@J12934
Throw proper error message when unable to fetch scan
91b61a2
@J12934
Imporve error handling when ensuring proper tool types
1b5bb6a
@J12934
Update DefectDojo mapping for scanner
3c1ecb9
@J12934
Only create new engagements if they don't already exist
8861f23
@J12934
Refactor product lookup
f326071
@J12934
Delete unused import
7beef04
@J12934
Update appVersion
38e0c3d
@J12934
Copy over scb annotations from ScheduledScans to Scans
9c31908
@J12934
Optimize Models
1d91aa9 
- Optiimize Imports
- Replace Getter/Setter with lombok
- Remove unused methods
@J12934
Switch to reimport and create test beforehand
49448f0 
This lets us better control the fields of the test.
E.g. the description and the timestamps
@J12934 @actions-user
Updating Helm Docs
f034c50
@J12934
Create configured Product and ProductTypes if they don't already exist
61fa566
@J12934
Auto-format code
b031145
@J12934
Slight refactoring
a7d3e5f
@J12934
WIP Docs
6580ce5
@J12934
WIP
135f192
@J12934
Refactor DefectDojo persistence provider to generic service class
524f741
@J12934
Update readme
26d7b82
@J12934
Update sprint boot
9cbca1a
@J12934
Don't url encode the download url for the file. It's already encoded...
6af1925 
Encoding it again will mess with the signatures
@J12934
Copy link
Member Author

J12934 commented Feb 18, 2021

Ok, I got to say I'm a bit confused with code climate here.
The one method it doesn't like (getProductName) is probably one of the best readable ones in the PR.
Does anybody have an idea on how to improve it?

@damiencarol
Copy link

damiencarol commented Mar 4, 2021
edited
Loading

@J12934 I think it's because this method call a method of a proxy object. You should just remove it and use scan.getProductName() directly in your code.

  protected String getProductName(Scan scan) {
    if (scan.getProductName().isPresent()) {
      return scan.getProductName().get();
    }

Also there is a lot of loop and if statement that increase complexity. And I agree, 5 in complexity is a little bit low :D

@rfelber rfelber linked an issue Mar 7, 2021 that may be closed by this pull request
⚓️ New persistenceProvider Hook for OWASP DefectDojo #171
Closed
7 tasks
rfelber
rfelber reviewed Mar 12, 2021
View reviewed changes
hooks/persistence-defectdojo/build.gradle Outdated
dependencies {
implementation 'io.kubernetes:client-java:10.0.0'

implementation 'io.securecodebox:defectdojo-client:0.0.7-SNAPSHOT'
Copy link
Member

@rfelber rfelber Mar 12, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should reference here a released version instead of a snapshot version.

Copy link
Member Author

@J12934 J12934 Mar 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes 👍
I planned to do this later after this initial merge once we're fairly certain that the API of the client is stable.

rfelber
rfelber reviewed Mar 17, 2021
View reviewed changes
@J12934 J12934 merged commit 0257dda into main Mar 19, 2021
@J12934 J12934 deleted the feature/defect-dojo branch March 19, 2021 08:34
@rfelber rfelber added this to the v2.6.0 milestone Mar 19, 2021
@rfelber rfelber mentioned this pull request Mar 20, 2021
Closed
@rfelber rfelber removed the enhancement New feature or request label Mar 26, 2021
@rfelber rfelber changed the title Add Hook to Import Scan Results into DefectDojo Add new Persistence-Provider Hook to Import Scan Results into OWASP DefectDojo Mar 30, 2021
@damiencarol
Copy link

damiencarol commented Apr 13, 2021

@J12934 I saw that it's merged now! 👍
Do we have a demo env to test this one?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rfelber rfelber rfelber approved these changes

@nigthknight nigthknight Awaiting requested review from nigthknight

+1 more reviewer

@qlty-cloud-legacy qlty-cloud-legacy[bot] qlty-cloud-legacy[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@J12934 J12934

Labels

hook Implement or update a hook

Projects

None yet

Milestone

v2.6.0

Development

Successfully merging this pull request may close these issues.

⚓️ New persistenceProvider Hook for OWASP DefectDojo

3 participants

@J12934 @damiencarol @rfelber