Is your feature request related to a problem?
As a secureCodeBox (SCB) user, I would like to use all integrated security scanners and examine their results in OWASP DefectDojo (DD) when I use DD as the vulnerability management tool in my environment.
With the latest PR #300, which introduced the DefectDojo-Persistence Hook, it is already possible to import the findings of those SCB scanners that DefectDojo supports with a parser. The current mapping lives in `secureCodeBox/hooks/persistence-defectdojo/src/main/java/io/securecodebox/persistence/util/ScanNameMapping.java` (lines 23 to 34 at commit 0257dda):

```java
public enum ScanNameMapping {
  NMAP("nmap", ScanType.NMAP_SCAN),
  ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
  ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
  ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
  SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
  TRIVY("trivy", ScanType.TRIVY_SCAN),
  GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
  // WPSCAN("wpscan", ScanType.WPSCAN),
  // NIKTO("nikto", ScanType.NIKTO_SCAN),
  // SSH("ssh-scan", ScanType.?),
  ;
```
The problem is that some scanners which are already integrated in secureCodeBox have no corresponding parser in OWASP DefectDojo. That's why I'm currently not able to import and analyse the findings of the following scanners; using them in combination with the DefectDojo-Persistence Hook leads to failed scans:

- WPScan
- SSH-Scan
- Nikto (in JSON format instead of XML)
- Kube-Hunter
- Kubeaudit
Example failure

Example scan with kube-hunter (the hook pods never become ready, while the parser pod completed):

```text
k tree scan kube-hunter-internal-1616236981 -n demo-scans
NAMESPACE   NAME                                                                   READY  REASON              AGE
demo-scans  Scan/kube-hunter-internal-1616236981                                   -                          96m
demo-scans  ├─Job/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw            -                          95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-8cthv    False  ContainersNotReady  95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-gjdz6    False  ContainersNotReady  95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-hf26w    False  ContainersNotReady  93m
demo-scans  │ └─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-xdszp    False  ContainersNotReady  94m
demo-scans  └─Job/parse-kube-hunter-internal-1616236981-qnwc8                      -                          95m
demo-scans    └─Pod/parse-kube-hunter-internal-1616236981-qnwc8-wm4ls              False  PodCompleted        95m
```

Example defectdojo-hook log (the hook downloads the raw results and then fails because the scan type has no mapping):

```text
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Accept=[text/plain, application/json, application/*+json, */*]
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Response 200 OK
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Reading to [java.lang.String] as "application/octet-stream"
2021-03-20 10:45:42 DEBUG VersionedEngagementsStrategy:99 - Finished Downloading Scan Report (RawResults)
Exception in thread "main" java.lang.IllegalArgumentException: No Mapping found for ScanType 'kube-hunter'
	at io.securecodebox.persistence.util.ScanNameMapping.bySecureCodeBoxScanType(ScanNameMapping.java:60)
	at io.securecodebox.persistence.strategies.VersionedEngagementsStrategy.createTest(VersionedEngagementsStrategy.java:259)
	at io.securecodebox.persistence.strategies.VersionedEngagementsStrategy.run(VersionedEngagementsStrategy.java:101)
	at io.securecodebox.persistence.DefectDojoPersistenceProvider.main(DefectDojoPersistenceProvider.java:53)
```
Describe alternatives you've considered

The following alternatives focus only on the missing-parser problem. There are multiple strategies to solve it:
1. Use the generic CSV findings importer of DefectDojo to implement a generic SCB findings import in the DefectDojo-Persistence Hook:

   ```java
   public enum ScanNameMapping {
     NMAP("nmap", ScanType.NMAP_SCAN),
     ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
     ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
     ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
     SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
     TRIVY("trivy", ScanType.TRIVY_SCAN),
     GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
     // New Approach
     // NIKTO("nikto", ScanType.GENERIC_CSV_SCAN),
     // SSH("ssh-scan", ScanType.GENERIC_CSV_SCAN),
     ;
   ```

2. Implement a new generic JSON findings importer in OWASP DefectDojo, as already suggested in "Add Generic JSON importer" (DefectDojo/django-DefectDojo#3798), and use it to implement a generic SCB findings import in the DefectDojo-Persistence Hook:

   ```java
   public enum ScanNameMapping {
     NMAP("nmap", ScanType.NMAP_SCAN),
     ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
     ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
     ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
     SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
     TRIVY("trivy", ScanType.TRIVY_SCAN),
     GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
     // New Approach
     // NIKTO("nikto", ScanType.GENERIC_JSON_SCAN),
     // SSH("ssh-scan", ScanType.GENERIC_JSON_SCAN),
     ;
   ```

3. Implement a new secureCodeBox-specific JSON findings importer in OWASP DefectDojo, based on the SCB findings format, and use it from the DefectDojo-Persistence Hook to import all SCB findings:

   ```java
   public enum ScanNameMapping {
     NMAP("nmap", ScanType.NMAP_SCAN),
     ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
     ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
     ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
     SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
     TRIVY("trivy", ScanType.TRIVY_SCAN),
     GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
     // New Approach
     // NIKTO("nikto", ScanType.GENERIC_SCB_SCAN),
     // SSH("ssh-scan", ScanType.GENERIC_SCB_SCAN),
     ;
   ```
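Alternative 1 needs a mapping from the secureCodeBox findings format onto the columns of DefectDojo's generic CSV importer. The following script is an added example of such a mapping (it is not part of this issue, of secureCodeBox or of DefectDojo); the SCB field names (`name`, `description`, `category`, `location`, `severity`, `attributes`), the severity names and the DefectDojo column order are assumptions taken from the tools' documentation and must be checked against the versions in use. The same row mapping would feed a generic JSON importer (alternative 2) with a different serializer.

```python
import csv
import io
import json

# Field names, severity names and the DefectDojo CSV column order below are assumed
# from both tools' docs; verify them against the versions you run.
SEVERITY_MAP = {"INFORMATIONAL": "Info", "LOW": "Low", "MEDIUM": "Medium", "HIGH": "High"}
CSV_COLUMNS = ["Date", "Title", "CweId", "Url", "Severity", "Description", "Mitigation",
               "Impact", "References", "Active", "Verified", "FalsePositive", "Duplicate"]

def finding_to_row(finding: dict, date: str) -> dict:
    """Map one SCB finding onto one row of DefectDojo's Generic Findings Import CSV."""
    raw_severity = str(finding.get("severity", "")).upper()
    # An unknown severity must not drop the finding: import it as Info and say so.
    severity = SEVERITY_MAP.get(raw_severity, "Info")
    lines = [finding.get("description", "")]
    if raw_severity not in SEVERITY_MAP:
        lines.append(f"Original SCB severity: {raw_severity or '<missing>'}")
    if finding.get("category"):
        lines.append(f"Category: {finding['category']}")
    # Scanner-specific attributes have no CSV column, so they survive as text.
    for key, value in sorted((finding.get("attributes") or {}).items()):
        lines.append(f"{key}: {value}")
    return {
        "Date": date, "Title": finding.get("name", "Unnamed finding"), "CweId": "",
        "Url": finding.get("location", ""), "Severity": severity,
        "Description": "\n".join(line for line in lines if line),
        "Mitigation": "", "Impact": "", "References": "",
        "Active": "TRUE", "Verified": "FALSE", "FalsePositive": "FALSE", "Duplicate": "FALSE",
    }

def scb_findings_to_csv(findings_json: str, date: str) -> str:
    """Convert a whole SCB findings.json document into CSV text for the generic importer."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for finding in json.loads(findings_json):
        writer.writerow(finding_to_row(finding, date))
    return buf.getvalue()

# Constructed sample input shaped like SCB findings from a kube-hunter scan.
SAMPLE_FINDINGS = json.dumps([
    {"name": "Exposed Pods", "category": "Information Disclosure", "severity": "LOW",
     "description": "Kubelet read-only port lists running pods.",
     "location": "10.0.0.5:10255", "attributes": {"hunter": "constructed-example"}},
    {"name": "Cluster health probe", "severity": "UNKNOWN", "location": "10.0.0.5:6443"},
])

if __name__ == "__main__":
    print(scb_findings_to_csv(SAMPLE_FINDINGS, "2021-03-20"))
```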
Describe the solution you'd like
I would prefer alternative 3 because it seems to be a clean integration strategy, and both OWASP projects (secureCodeBox and DefectDojo) would benefit from it.
Additional context