René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"⚓️ New persistenceProvider Hook for OWASP DefectDojo","articleBody":"\u003c!--\r\nThank you for contributing to our project 🙌\r\n\r\nBefore opening a new issue, please make sure that we do not have any duplicates already open. You can ensure this by searching the issue list for this repository. If there is a duplicate, please close your issue and add a comment to the existing issue instead. Also, please, have a look at our FAQs and existing questions before opening a new question.\r\n--\u003e\r\n\r\n## New Hook implementation request\r\n\r\n**Is your feature request related to a problem? Please describe.**\r\nAs a User i would like to use the [OWASP DefectDojo Projekt](https://www.owasp.org/index.php/OWASP_DefectDojo_Project) to analyse my findings (_instead or in parallel to my kibana dashboard_). While the secureCodeBox has its major focus on the automation part of the security scanner execution, defectDojo is good in visualising, deduplication and analysing the findings.\r\n\r\nTo integrate OWASP DefectDojo it's necessary to implement a new Hook which pushes the raw finding results of each scanner to the [DefectDojo API: ImportScan](https://app.swaggerhub.com/apis/DefectDojo/defect-dojo_api_v_2/1.0.0#/import-scan/import-scan_create). DefectDojo can be started as a separate Docker Container or via HelmChart in a K8S cluster environment.\r\n\r\nPossible Scanner Integrations:\r\n- NMAP (XML output (use -oX))\r\n- Nikto (XML output)\r\n- ZAP (ZAP XML report format)\r\n\r\n**Describe the solution you'd like**\r\nThe is already a working integration solution implemented for the secureCodeBox V1, which maybe can be migrated or reused in the secureCodeBox V2. Therefore the existing code must be wrapped in a Hook.\r\n\r\n**Describe alternatives you've considered**\r\nAnother alternative could be implement this hook with a complete green field approach. But this alternative would take much longer and has no real benefits.\r\n\r\n**Additional context**\r\n- https://github.com/secureCodeBox/engine/tree/master/scb-persistenceproviders/defectdojo-persistenceprovider\r\n- https://github.com/secureCodeBox/engine/tree/feature/defect-dojo-config-extension/scb-persistenceproviders/defectdojo-persistenceprovider\r\n\r\n## Steps to implement a new Hook\r\n\u003c!--\r\nHint: A general guide how to implement a new scanner is documented [here](https://github.com/secureCodeBox/secureCodeBox/tree/master/docs/developer-guide)\r\n--\u003e\r\n\r\n- [x] Create a new folder with the name of the [hook here](https://github.com/secureCodeBox/secureCodeBox/tree/master/hooks)\r\n- [x] Add a README and give a brief overview of the scanner and its configuration options.\r\n- [x] Add (optional) a Dockerfile for the scanner if there is no existing one publicly available on dockerHub\r\n- [x] Use the [Hook-SDK](https://github.com/secureCodeBox/secureCodeBox/tree/master/hook-sdk) to implement a new hook (currently based on NodeJS)\r\n- [x] Add unit tests with at minimum 80% test coverage\r\n- [ ] Add some example scan.yaml and finding.yaml files in the example folder\r\n- [ ] Implement a new integration test for the hook [here](https://github.com/secureCodeBox/secureCodeBox/tree/master/tests/integration)\r\n","author":{"url":"https://github.com/rfelber","@type":"Person","name":"rfelber"},"datePublished":"2020-10-21T10:36:52.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/171/secureCodeBox/issues/171"}