Merged
80 commits
7a9445e
WIP port of the scb v1 DefectDojo integration
J12934 Oct 23, 2020
4ea80f9
Add some missing attributes to the engagementPayload
J12934 Oct 23, 2020
1670232
Support local development and execution of the hook
J12934 Oct 23, 2020
ec4787f
Fix typo
J12934 Oct 27, 2020
67f9506
Properly name projectName
J12934 Oct 27, 2020
dc8ec7b
Improve handling of Product names
J12934 Oct 27, 2020
2b668d9
Regenerate README
J12934 Oct 27, 2020
f766c1b
Fix bug which led dd pp to crash on its first run
J12934 Oct 28, 2020
8550969
Set new Engagements to "In Progress" by default
J12934 Oct 28, 2020
f32725d
Extract testId after importing scan results
J12934 Oct 28, 2020
163df96
Update DescriptionGenerator to generate useful descriptions for v2
J12934 Oct 28, 2020
91b61a2
Throw proper error message when unable to fetch scan
J12934 Oct 28, 2020
1b5bb6a
Improve error handling when ensuring proper tool types
J12934 Oct 28, 2020
3c1ecb9
Update DefectDojo mapping for scanner
J12934 Nov 2, 2020
8861f23
Only create new engagements if they don't already exist
J12934 Nov 2, 2020
f326071
Refactor product lookup
J12934 Nov 2, 2020
7beef04
Delete unused import
J12934 Nov 2, 2020
38e0c3d
Update appVersion
J12934 Nov 2, 2020
9c31908
Copy over scb annotations from ScheduledScans to Scans
J12934 Nov 2, 2020
1d91aa9
Optimize Models
J12934 Nov 2, 2020
49448f0
Switch to reimport and create test beforehand
J12934 Nov 2, 2020
f034c50
Updating Helm Docs
J12934 Nov 2, 2020
61fa566
Create configured Product and ProductTypes if they don't already exist
J12934 Nov 3, 2020
b031145
Auto-format code
J12934 Nov 4, 2020
a7d3e5f
Slight refactoring
J12934 Nov 5, 2020
6580ce5
WIP Docs
J12934 Nov 5, 2020
135f192
WIP
J12934 Nov 12, 2020
524f741
Refactor DefectDojo persistence provider to generic service class
J12934 Nov 14, 2020
26d7b82
Update readme
J12934 Nov 14, 2020
9cbca1a
Update spring boot
J12934 Nov 14, 2020
2f41f5b
Refactor how config values are read from the scan
J12934 Nov 14, 2020
9fe5995
Update tests to junit 5
J12934 Nov 14, 2020
de8d849
Skip test execution in docker build
J12934 Nov 14, 2020
139d8db
Reformatting
J12934 Nov 16, 2020
71de2a8
Autoformat
J12934 Nov 16, 2020
1340b05
Fix scan name mapping
J12934 Nov 16, 2020
d95d2b6
Add defectdojo integration
J12934 Nov 16, 2020
392384b
Properly rename ci for defectdojo
J12934 Nov 16, 2020
d509abc
Enable searchUnique to be used with actual models instead of untyped …
J12934 Nov 18, 2020
119be3a
Switch from beta setup-go action
J12934 Nov 17, 2020
a9f44bd
Add additional helper methods
J12934 Nov 19, 2020
cb2ab86
Properly separate scan and test type to allow usage of client without…
J12934 Nov 19, 2020
190f3e8
Fix null pointer exception if scans don't have any annotations set
J12934 Dec 3, 2020
96cc6da
Pass version number also as branch
J12934 Dec 3, 2020
288bc73
Don't include null properties in json output
J12934 Dec 3, 2020
e89b3fb
Migrate to separate defectdojo java client
J12934 Feb 3, 2021
13de840
Add basic tests
J12934 Feb 15, 2021
b697f7d
Merge branch 'main' into feature/defect-dojo
J12934 Feb 15, 2021
5066c47
Reorder enum to match importance
J12934 Feb 15, 2021
dd5725f
Add missing supported scans
J12934 Feb 15, 2021
9f87e0f
Add first version of proper docs
J12934 Feb 15, 2021
c166da6
Replace latest with an upcoming alpha release
J12934 Feb 15, 2021
57fe3e6
Add docker build for defectdojo hook
J12934 Feb 15, 2021
f447cd7
Regenerate helm-docs
J12934 Feb 15, 2021
123776e
Update helm-docs version
J12934 Feb 15, 2021
18ccbb5
Integrate java tests into main ci flow
J12934 Feb 15, 2021
fa442fd
Correct image repo
J12934 Feb 15, 2021
70cb682
Correct template
J12934 Feb 15, 2021
a6132a0
Switch example to faster zap-baseline scan
J12934 Feb 15, 2021
ece96df
Add missing matrix in java unit test declaration
J12934 Feb 15, 2021
4d335ba
Update defectdojo client version with fixed testTypes
J12934 Feb 15, 2021
be3d2db
Regenerate readme
J12934 Feb 15, 2021
5fd43b1
Merge branch 'main' into feature/defect-dojo
J12934 Feb 17, 2021
2deb7d6
Exclude auto generated java files from code climate
J12934 Feb 18, 2021
dc68f06
Remove unused spring prod profile
J12934 Feb 18, 2021
6af1925
Don't url encode the download url for the file. It's already encoded...
J12934 Feb 18, 2021
c0dc953
Increase allowed method complexity
J12934 Mar 5, 2021
8bf647c
Merge branch 'main' into feature/defect-dojo
rfelber Mar 6, 2021
a8bb71f
Merge branch 'main' into feature/defect-dojo
rfelber Mar 9, 2021
fc8e10a
Merge branch 'main' into feature/defect-dojo
J12934 Mar 15, 2021
1ef9e6c
Merge branch 'main' into feature/defect-dojo
J12934 Mar 18, 2021
1a52a60
Update template func names
J12934 Mar 18, 2021
cb8550f
Added some additional comments, fixed header and some compile issues.
rfelber Mar 18, 2021
b41c676
Updating Helm Docs
Mar 18, 2021
30e858e
Fixing codeclimate issues.
rfelber Mar 18, 2021
d7c1775
Fixing codeclimate issues.
rfelber Mar 18, 2021
81de689
Fixing codeclimate issues.
rfelber Mar 18, 2021
1217db5
Fixing version.
rfelber Mar 18, 2021
75caf61
Fixing productName strategy.
rfelber Mar 18, 2021
3b773b0
Fixing productName strategy.
rfelber Mar 18, 2021
20 changes: 18 additions & 2 deletions .codeclimate.yml
@@ -1,4 +1,4 @@
version: "2" # required to adjust maintainability checks
version: "2" # required to adjust maintainability checks
checks:
file-lines:
config:
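Review bot: the deleted and added `version: "2" # required to adjust maintainability checks` lines at the top of this hunk are textually identical, so this part of the change is whitespace-only (trailing space or line ending); if that is not intentional, drop it so the diff is limited to the actual exclusion change further down.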
Expand All @@ -10,6 +10,20 @@ checks:
enabled: false
identical-code:
enabled: false
# plugins:
# eslint:
# enabled: true
# channel: "eslint-7"
# fixme:
# enabled: true
# golint:
# enabled: true
# gofmt:
# enabled: true
# govet:
# enabled: true
# markdownlint:
# enabled: true
exclude_patterns:
- "config/"
- "db/"
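Review bot: the commented-out `# plugins:` block (eslint, fixme, golint, gofmt, govet, markdownlint) is dead configuration with no explanation; either remove it or add a one-line comment saying why these plugins are disabled, otherwise the next reader has to guess whether they were meant to be re-enabled.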
Expand All @@ -27,4 +41,6 @@ exclude_patterns:
- "**/*_test.go"
- "**/*.deepcopy.go"
- "**/*.test.js"
- "**/*.d.ts"
- "**/*.d.ts"
# Auto Generated by kubernetes java client
- "**/hooks/persistence-defectdojo/src/main/java/io/securecodebox/models/"
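Review bot: excluding the generated client models from the maintainability checks is fine, but the leading `**/` in `- "**/hooks/persistence-defectdojo/src/main/java/io/securecodebox/models/"` is unnecessary for a path that is already repository-relative and would also match that directory name anywhere in the tree; `hooks/persistence-defectdojo/src/main/java/io/securecodebox/models/` is tighter. The two `- "**/*.d.ts"` lines are identical, so that part of the hunk again looks like a whitespace-only change.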
20 changes: 20 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -14,6 +14,25 @@ env:

jobs:
# ---- Unit-Test ----

# ---- Unit-Test | Java ----

unit-java:
name: "Unit-Test | Java"
runs-on: ubuntu-latest
strategy:
matrix:
unit: ["persistence-defectdojo"]
steps:
- uses: actions/checkout@v2
- uses: actions/setup-java@v1
with:
java-version: '11' # The JDK version to make available on the path.
java-package: jdk # (jre, jdk, or jdk+fx) - defaults to jdk
architecture: x64 # (x64 or x86) - defaults to x64
- run: |
cd hooks/${{ matrix.unit }}/
./gradlew test

# ---- Unit-Test | Python ----

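Review bot: `actions/checkout@v2` and `actions/setup-java@v1` are pinned to mutable major tags; since this job runs `./gradlew test` straight from the checked-out tree, pin both actions to a full commit SHA (with the tag in a trailing comment) so a retagged or compromised action cannot change what executes in CI. Minor: the old `# ---- Unit-Test ----` header is now orphaned above the new `# ---- Unit-Test | Java ----` block, and the one-entry matrix `unit: ["persistence-defectdojo"]` only pays off once a second Java hook is added.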
Expand Down Expand Up @@ -209,6 +228,7 @@ jobs:
- finding-post-processing
- generic-webhook
- persistence-elastic
- persistence-defectdojo
- update-field
- teams-webhook
steps:
7 changes: 7 additions & 0 deletions hooks/persistence-defectdojo/.dockerignore
@@ -0,0 +1,7 @@
Dockerfile
./gradle
./idea
./settings
build/
gradle/
templates
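Review bot: `./idea` and `./settings` do not match the dotted directories `.idea` and `.settings` that the `.gitignore` in this PR ignores; Docker cleans each `.dockerignore` pattern with filepath.Clean, so `./idea` becomes `idea` and `./settings` becomes `settings`, and the IDE directories still land in the build context. Likewise `./gradle` reduces to `gradle`, duplicating the `gradle/` entry below it, while the `.gradle` cache directory is not excluded at all. Suggest replacing the three `./` entries with `.gradle`, `.idea` and `.settings`.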
35 changes: 35 additions & 0 deletions hooks/persistence-defectdojo/.gitignore
@@ -0,0 +1,35 @@
HELP.md
.gradle
build/
bin/
!gradle/wrapper/gradle-wrapper.jar
!**/src/main/**/build/
!**/src/test/**/build/

### STS ###
.apt_generated
.classpath
.factorypath
.project
.settings
.springBeans
.sts4-cache

### IntelliJ IDEA ###
.idea
*.iws
*.iml
*.ipr
out/
!**/src/main/**/out/
!**/src/test/**/out/

### NetBeans ###
/nbproject/private/
/nbbuild/
/dist/
/nbdist/
/.nb-gradle/

### VS Code ###
.vscode/
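Review bot: `!gradle/wrapper/gradle-wrapper.jar` re-includes a binary jar in the repository, which is standard for Gradle projects but means a compiled artifact that every developer and the `./gradlew test` CI job execute is committed without any integrity check; consider adding Gradle's wrapper validation action (`gradle/wrapper-validation-action`) to the CI workflow so a tampered wrapper jar is caught at pull-request time. The rest is the stock Spring Initializr ignore list and looks fine.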
38 changes: 38 additions & 0 deletions hooks/persistence-defectdojo/.helmignore
@@ -0,0 +1,38 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# Node.js files
node_modules/*
package.json
package-lock.json
src/*
config/*
Dockerfile
.dockerignore
gradle/
.gradle/
src/
gradlew
gradlew.bat
settings.gradle
update.sh
build/
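Review bot: `src/*` (under the `# Node.js files` heading) and `src/` further down are redundant, and that heading no longer describes what follows it (`Dockerfile`, `gradle/`, `gradlew`, `settings.gradle`, `update.sh`); consolidate to a single `src/` entry and retitle the section. `update.sh` is excluded here but does not appear among the files shown in this PR, so either it is expected to be added later or the entry is stale.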
13 changes: 13 additions & 0 deletions hooks/persistence-defectdojo/Chart.yaml
@@ -0,0 +1,13 @@
apiVersion: v2
name: persistence-defectdojo
description: The defectdojo persistence provider persists secureCodeBox scan results into defectdojo.

type: application

# version - gets automatically set to the secureCodeBox release version when the helm charts gets published
version: v2.6.0-alpha1

appVersion: 1.12.0
kubeVersion: ">=v1.11.0-0"

dependencies: []
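Review bot: `appVersion: 1.12.0` does not match the hook's own artifact version `0.1.0-SNAPSHOT` that the Dockerfile entrypoint in this PR hard-codes; if 1.12.0 is meant to be the DefectDojo release the hook targets, say so in a comment next to it (the `version` field already carries one), because Helm presents appVersion as the version of the deployed application. Also, `version: v2.6.0-alpha1` is a pre-release string while the README header in this PR flips `state` from "developing" to "released"; make sure those two agree before merging.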
9 changes: 9 additions & 0 deletions hooks/persistence-defectdojo/Dockerfile
@@ -0,0 +1,9 @@
FROM gradle:jdk11 as build
COPY . /home/gradle/src
WORKDIR /home/gradle/src
RUN gradle build -x test

FROM gcr.io/distroless/java:11-nonroot
COPY --from=build --chown=nonroot:nonroot /home/gradle/src/build/libs /app
# TLS Config works around an issue in OpenJDK... See: https://github.com/kubernetes-client/java/issues/854
ENTRYPOINT ["java", "-Djdk.tls.client.protocols=TLSv1.2", "-jar", "/app/defectdojo-persistenceprovider-0.1.0-SNAPSHOT.jar"]
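Review bot: the `ENTRYPOINT` hard-codes `/app/defectdojo-persistenceprovider-0.1.0-SNAPSHOT.jar`, so any version bump in the Gradle build silently breaks the image at runtime while the build stage still succeeds; copy the built jar to a fixed name such as `/app/app.jar`, or set `archiveFileName` in the Gradle build so the name is stable. Two further points: `FROM gradle:jdk11` and `FROM gcr.io/distroless/java:11-nonroot` are floating tags, so pin them by digest for reproducible builds; and `-Djdk.tls.client.protocols=TLSv1.2` disables TLS 1.3 for every outbound connection the hook makes, including the DefectDojo API calls and not only the Kubernetes client the linked issue is about, which is acceptable but deserves a sentence in the comment.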
114 changes: 103 additions & 11 deletions hooks/persistence-defectdojo/README.md
Expand Up @@ -2,24 +2,116 @@
title: "DefectDojo"
category: "hook"
type: "persistenceProvider"
state: "developing"
usecase: "Publishes all Scan Findings to DefectDojo."
state: "released"
usecase: "Publishes all Scan Reports to OWASP DefectDojo."
---

<!-- end -->

## About

DefectDojo is an open-source tool for importing and managing findings of security scanners. The DefectDojo persistence provider can be used to create new Engagements for SecurityTests run via the secureCodeBox and import all findings which were identified automatically to DefectDojo.
The DefectDojo hook imports the reports from scans automatically into [OWASP DefectDojo](https://www.defectdojo.org/).
The hook uses the import scan [API from DefectDojo](https://defectdojo.readthedocs.io/en/latest/api-v2-docs.html) to import the scan results.

This means that only scan types are supported by the hook which are both supported by the secureCodeBox and DefectDojo.
These are:
- Nmap
- ZAP (Baseline, API Scan and Full Scan)
- SSLyze
- Trivy
- Gitleaks

:::caution

Nikto is currently **not** supported even though it's supported by the secureCodeBox and DefectDojo as the secureCodeBox
uses the Nikto JSON format while DefectDojo uses the XML format.

:::

## Runtime Configuration

The hook will automatically import the scan results into an engagement in DefectDojo.
If the engagement doesn't exist the hook will create the engagement (CI/CD engagement) and all objects required for it
(product & product type).

You don't need any configuration for that to work, the hook will infer engagement & product names from the scan name.
If you want more control over the names or add additional meta information like the version of the tested software you
can add these via annotation to the scan. See examples below.

Tools which are supported both by the secureCodeBox and DefectDojo (OWASP ZAP & Nmap) this is done by importing the raw scan report into DefectDojo. Findings by other secureCodeBox supported scanners are currently not directly supported by DefectDojo. These findings are imported via a generic finding API of DefectDojo, which might cause some loss of information on the findings.
| Scan Annotation | Description | Default if not set | Notes |
|--------------------------------------------------|----------------------------|----------------------------------------------------------------------|---------------------------------------------------------------------------------------|
| `defectdojo.securecodebox.io/product-type-name` | Name of the Product Type | Product Type with ID 1 (typically "Research and Development") | Product Type will be automatically created if no Product Type under that name exists |
| `defectdojo.securecodebox.io/product-name` | Name of the Product | ScheduledScan Name if Scheduled, Scan Name if it's a standalone Scan | Product will be automatically created if no Product under that name exists |
| `defectdojo.securecodebox.io/product-description`| Description of the Product | Empty String | Only used when creating the Product not used for updating |
| `defectdojo.securecodebox.io/product-tags` | Product Tags | Nothing | Only used when creating the Product not used for updating |
| `defectdojo.securecodebox.io/engagement-name` | Name of the Engagement | Scan Name | Will be automatically created if not Engagement with that name **and** version exists |
| `defectdojo.securecodebox.io/engagement-version` | Engagement Version | Nothing | |
| `defectdojo.securecodebox.io/engagement-tags` | Engagement Tags | Nothing | Only used when creating the Product not used for updating |

To learn more about DefectDojo visit [DefectDojo GitHub] or [DefectDojo Website].
### Simple Example Scans

This will import the results daily into an engagements called: "zap-juiceshop-$UNIX_TIMESTAMP" (Name of the Scan created daily by the ScheduledScan), in a Product called: "zap-juiceshop" in the default DefectDojo product type.

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
name: "zap-juiceshop"
spec:
interval: 24h
scanSpec:
scanType: "zap-full-scan"
parameters:
- "-t"
- "http://juice-shop.demo-apps.svc:3000"
```

### Complete Example Scan

This will import the results into engagement, product and product type following the labels.
The engagement will be reused by the hook for the daily scans / imports until the engagement version is increased.

```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
name: "zap-full-scan-juiceshop"
annotations:
defectdojo.securecodebox.io/product-type-name: "OWASP"
defectdojo.securecodebox.io/product-name: "Juice Shop"
defectdojo.securecodebox.io/product-description: |
OWASP Juice Shop is probably the most modern and sophisticated insecure web application!
It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools!
Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
defectdojo.securecodebox.io/product-tags: vulnerable,appsec,owasp-top-ten,vulnapp
defectdojo.securecodebox.io/engagement-name: "Juice Shop"
defectdojo.securecodebox.io/engagement-version: "v12.6.1"
defectdojo.securecodebox.io/engagement-tags: "automated,daily"
spec:
interval: 24h
scanSpec:
scanType: "zap-full-scan"
parameters:
- "-t"
- "http://juice-shop.demo-apps.svc:3000"
```

## Deployment
> 🔧 The implementation is currently work-in-progress and under still undergoing major changes. It'll be released here once it has stabilized.

Installing the DefectDojo persistenceProvider hook will add a _ReadOnly Hook_ to your namespace.

```bash
kubectl create secret generic defectdojo-credentials --from-literal="username=admin" --from-literal="apikey=08b7..."

helm upgrade --install dd secureCodeBox/persistence-defectdojo \
--set="defectdojo.url=https://defectdojo-django.default.svc"
```

## Chart Configuration

[DefectDojo Website]: https://www.defectdojo.org/
[DefectDojo GitHub]: https://github.com/DefectDojo/django-DefectDojo
[DefectDojo Documentation]: https://defectdojo.readthedocs.io/en/latest/
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| defectdojo.authentication.apiKeyKey | string | `"apikey"` | Name of the apikey key in the `userSecret` secret. Use this if you already have a secret with different key / value pairs |
| defectdojo.authentication.userSecret | string | `"defectdojo-credentials"` | Link a pre-existing generic secret with `username` and `apikey` key / value pairs |
| defectdojo.authentication.usernameKey | string | `"username"` | Name of the username key in the `userSecret` secret. Use this if you already have a secret with different key / value pairs |
| defectdojo.url | string | `"http://defectdojo-django.default.svc"` | Url to the DefectDojo Instance |
| image.repository | string | `"docker.io/securecodebox/persistence-defectdojo"` | Hook image repository |
| image.tag | string | `nil` | Container image tag |
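Review bot: the annotation table has a copy-paste error: the `defectdojo.securecodebox.io/engagement-tags` row says "Only used when creating the Product not used for updating" but the tags belong to the Engagement, and the `engagement-name` row should read "if no Engagement with that name **and** version exists" rather than "if not Engagement". In the Deployment section, `kubectl create secret generic defectdojo-credentials --from-literal="username=admin" --from-literal="apikey=08b7..."` puts the DefectDojo API key into the shell history and the process list; recommend `--from-file` or reading the key from stdin in the example. The chart default `defectdojo.url` is `http://defectdojo-django.default.svc` (plain HTTP, so the API key travels in the clear) while the helm example uses `https://`; either default to https or state that the http default is meant for in-cluster use only. Finally, the commit list includes "Switch example to faster zap-baseline scan" but both example scans still use `scanType: "zap-full-scan"`; check which one the docs are meant to show.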