The generic parser is currently failing when importing findings that have locations/endpoints without a protocol. I've made a PR to fix this issue: #4643

The finding attributes are not imported into the DefectDojo description. Scans such as screenshooter save important information into the findings attributes.

Is it possible to parse the finding attributes generically into DefectDojo's description?

The finding attributes are not imported into the DefectDojo description. Scans such as screenshooter save important information into the findings attributes.

Is it possible to parse the finding attributes generically into DefectDojo's description?

Do you mean that findings attributes that are currently not passed to defectdojo (like category, osi layer etc.) should be concatenated to the description string?

Here's a finding from ssh_scan:

[
  {
    "name": "SSH Service",
    "description": "SSH Service Information",
    "category": "SSH Service",
    "osi_layer": "APPLICATION",
    "severity": "INFORMATIONAL",
    "reference": {},
    "hint": "",
    "location": "[REDACTED]",
    "attributes": {
      "hostname": "[REDACTED]",
      "ip_address": "[REDACTED]",
      "server_banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10",
      "ssh_version": 2,
      "os_cpe": "o:canonical:ubuntu:16.04",
      "ssh_lib_cpe": "a:openssh:openssh:7.2p2",
      "compliance_policy": "Mozilla Modern",
      "compliant": false,
      "grade": "D",
      "references": [
        "https://wiki.mozilla.org/Security/Guidelines/OpenSSH"
      ],
      "auth_methods": [
        "publickey",
        "password"
      ],
      "key_algorithms": [
        "[email protected]",
        [...]
      ],
      "encryption_algorithms": [
        "[email protected]",
        [...]
      ],
      "mac_algorithms": [
        "[email protected]",
        [...]
      ],
      "compression_algorithms": [
        "none",
        "[email protected]"
      ]
    },
    "id": "aa12b3d2-4493-4fff-b5bf-65de3ac20a70"
  }
]

And the corresponding DefectDojo finding:

As you can see, all the finding attributes (such as auth_methods, grade, mac_algorithms, etc.), are not imported.

My question was whether all these attributes can be formatted into the DefectDojo description. This could either be a pretty printed json or some kind of formatter to markdown such that the description would be something like:

SSH Service Information
hostname: [REDACTED]
ip_address: [REDACTED]
server_banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
ssh_version: 2
[...]
auth_methods: publickey, password
[...]

Especially for informational findings these attributes are really valuable and should be viewable in DefectDojo.

@EndPositive the findings attributes are now written into the description as prettified JSON :)

Awesome! Works wonderfully for me.

DefectDojo's Finding model houses a field called unique_id_from_tool with help text Vulnerability technical id from the source tool. Allows to track unique vulnerabilities..

Would it be possible to fill this with the SecureCodeBox finding ID?

@EndPositive if I'm not mistaken unique_id_from_tool is already populated with the finding id. My unit test also checks for it to be correctly set. Is it not populated in DefectDojo?

Hmm, yeah I now see that it does work with the generic parser, but not with any pre-existing parser. The built-in DefectDojo tools all work with the raw findings and thus don't have access to the SecureCodeBox ID.

For us, it would be really nice to have the SecureCodeBox finding ID throughout all DefectDojo findings. Maybe the persistence provider could patch the created finding with the SecureCodeBox ID?

Since this is getting a bit unrelated to the current PR and requested features, we can move this discussion somewhere else if you want.

I would prefer to separate your request to patch the secureCodeBox UID within DefectDojo into a different Issue/PR. Do you want to create an issue for that @EndPositive ?

@JohannesZahn Beside that is there any stuff here that needs attention or can we mark this PR as ready to review?

It is ready to review from my side 👍

@JohannesZahn @rseedorff ICYDK generic JSON format is part of 2.0.0 release.