Title: ⚙️ Add a generic (SCB) finding importer to the DefectDojo Integration Hook · Issue #332 · secureCodeBox/secureCodeBox · GitHub
Opengraph URL: https://github.com/secureCodeBox/secureCodeBox/issues/332
# ⚙️ Add a generic (SCB) finding importer to the DefectDojo Integration Hook

Issue #332 in secureCodeBox/secureCodeBox, opened by rfelber on 2021-03-20 (10 comments).

## Is your feature request related to a problem?

As secureCodeBox (SCB) user I would like to use [all integrated security scanners](https://docs.securecodebox.io/docs/scanners) and examine their results in [OWASP DefectDojo](https://github.com/DefectDojo/django-DefectDojo) (DD), when I use DD as vulnerability management tool in my environment.
With the latest PR #300 introducing the [**DefectDojo-Persistence Hook**](https://docs.securecodebox.io/docs/hooks/defectdojo) it is now already possible to import some SCB scanner findings supported by DefectDojo:

https://github.com/secureCodeBox/secureCodeBox/blob/0257ddaa07540381d3a056a7cc7b7fc740926f43/hooks/persistence-defectdojo/src/main/java/io/securecodebox/persistence/util/ScanNameMapping.java#L23-L34

Problem is that there are some scanners missing which are already integrated within secureCodeBox but have no corresponding parser at OWASP DefectDojo. That's why I'm currently not able to import and analyse the following scanner finding results. Using those scanners in combination with the [**DefectDojo-Persistence Hook**](https://docs.securecodebox.io/docs/hooks/defectdojo) leads to failed scans:
- WPScan
- SSH-Scan
- Nikto (in JSON format instead of XML)
- Kube-Hunter
- Kubeaudit

### Example failure

Example `scan` with `kube-hunter`:
```bash
k tree scan kube-hunter-internal-1616236981 -n demo-scans
NAMESPACE   NAME                                                                  READY  REASON              AGE
demo-scans  Scan/kube-hunter-internal-1616236981                                  -                          96m
demo-scans  ├─Job/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw           -                          95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-8cthv   False  ContainersNotReady  95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-gjdz6   False  ContainersNotReady  95m
demo-scans  │ ├─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-hf26w   False  ContainersNotReady  93m
demo-scans  │ └─Pod/defectdojo-hook-kube-hunter-internal-1616236981-hwnhw-xdszp   False  ContainersNotReady  94m
demo-scans  └─Job/parse-kube-hunter-internal-1616236981-qnwc8                     -                          95m
demo-scans    └─Pod/parse-kube-hunter-internal-1616236981-qnwc8-wm4ls             False  PodCompleted        95m
```

Example `defectdojo-hook` log:
```bash
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Accept=[text/plain, application/json, application/*+json, */*]
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Response 200 OK
2021-03-20 10:45:42 DEBUG RestTemplate:147 - Reading to [java.lang.String] as "application/octet-stream"
2021-03-20 10:45:42 DEBUG VersionedEngagementsStrategy:99 - Finished Downloading Scan Report (RawResults)
Exception in thread "main" java.lang.IllegalArgumentException: No Mapping found for ScanType 'kube-hunter'
	at io.securecodebox.persistence.util.ScanNameMapping.bySecureCodeBoxScanType(ScanNameMapping.java:60)
	at io.securecodebox.persistence.strategies.VersionedEngagementsStrategy.createTest(VersionedEngagementsStrategy.java:259)
	at io.securecodebox.persistence.strategies.VersionedEngagementsStrategy.run(VersionedEngagementsStrategy.java:101)
	at io.securecodebox.persistence.DefectDojoPersistenceProvider.main(DefectDojoPersistenceProvider.java:53)
```

## Describe alternatives you've considered

The following alternative solutions are only focused on the missing parser problem. There are multiple solution strategies to solve this problem:

1. Use the _[generic CSV findings importer](https://defectdojo.readthedocs.io/en/latest/integrations.html#generic-findings-import)_ to implement a generic SCB findings import in the [**DefectDojo-Persistence Hook**](https://docs.securecodebox.io/docs/hooks/defectdojo)
```java
public enum ScanNameMapping {
  NMAP("nmap", ScanType.NMAP_SCAN),
  ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
  ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
  ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
  SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
  TRIVY("trivy", ScanType.TRIVY_SCAN),
  GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
  // New Approach
  // NIKTO("nikto", ScanType.GENERIC_CSV_SCAN),
  // SSH("ssh-scan", ScanType.GENERIC_CSV_SCAN),
  ;
  // constructor and bySecureCodeBoxScanType(...) lookup unchanged, see the linked ScanNameMapping.java
}
```
* You will find the existing generic CSV DefectDojo parser here: https://github.com/DefectDojo/django-DefectDojo/tree/master/dojo/tools/generic

2. Implement _a new generic JSON Findings Importer_ in OWASP DefectDojo as already suggested here https://github.com/DefectDojo/django-DefectDojo/issues/3798 and use it to implement a generic SCB findings import in the [**DefectDojo-Persistence Hook**](https://docs.securecodebox.io/docs/hooks/defectdojo)
```java
public enum ScanNameMapping {
  NMAP("nmap", ScanType.NMAP_SCAN),
  ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
  ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
  ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
  SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
  TRIVY("trivy", ScanType.TRIVY_SCAN),
  GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
  // New Approach
  // NIKTO("nikto", ScanType.GENERIC_JSON_SCAN),
  // SSH("ssh-scan", ScanType.GENERIC_JSON_SCAN),
  ;
  // constructor and bySecureCodeBoxScanType(...) lookup unchanged, see the linked ScanNameMapping.java
}
```
* Such a new generic JSON DefectDojo parser should be implemented here: https://github.com/DefectDojo/django-DefectDojo/tree/master/dojo/tools/

3. Implement _a new generic SCB JSON Findings Importer_ in OWASP DefectDojo which is based on the secureCodeBox specific findings format and use it to import them in the [**DefectDojo-Persistence Hook**](https://docs.securecodebox.io/docs/hooks/defectdojo)
```java
public enum ScanNameMapping {
  NMAP("nmap", ScanType.NMAP_SCAN),
  ZAP_BASELINE("zap-baseline", ScanType.ZAP_SCAN),
  ZAP_API_SCAN("zap-api-scan", ScanType.ZAP_SCAN),
  ZAP_FULL_SCAN("zap-full-scan", ScanType.ZAP_SCAN),
  SSLYZE("sslyze", ScanType.SS_LYZE_3_SCAN_JSON),
  TRIVY("trivy", ScanType.TRIVY_SCAN),
  GITLEAKS("gitleaks", ScanType.GITLEAKS_SCAN),
  // New Approach
  // NIKTO("nikto", ScanType.GENERIC_SCB_SCAN),
  // SSH("ssh-scan", ScanType.GENERIC_SCB_SCAN),
  ;
  // constructor and bySecureCodeBoxScanType(...) lookup unchanged, see the linked ScanNameMapping.java
}
```
* Such a new generic SCB DefectDojo parser should be implemented here: https://github.com/DefectDojo/django-DefectDojo/tree/master/dojo/tools/

## Describe the solution you'd like

I would prefer the solution alternative 3 because it seems to be a clean integration strategy. Both OWASP projects (secureCodeBox and DefectDojo) would have advantages.

## Additional context

- Documentation of all currently supported security scanner parsers implemented by OWASP DefectDojo: https://defectdojo.readthedocs.io/en/latest/integrations.html
- secureCodeBox Java Client for DefectDojo: https://github.com/secureCodeBox/defectdojo-client-java
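Alternative 1 from the issue (the hook emits a CSV that DefectDojo's existing Generic Findings Import reads) can be tried without changing either project, and the field mapping it needs is the same one a DefectDojo-side SCB parser (alternative 3) would have to implement. The Python script below is an added example, not code from the issue, from secureCodeBox or from DefectDojo. The CSV column names are the ones DefectDojo's generic importer reads (Date, Title, CweId, Url, Severity, Description, Mitigation, Impact, References, Active, Verified, FalsePositive, Duplicate) and the finding fields (`id`, `name`, `description`, `category`, `location`, `osi_layer`, `severity`, `attributes`) are those of the secureCodeBox findings format; the sample findings, the scanner prefix in the title, the `Info` fallback for unknown severities and the decision to fold uncolumned fields into Description are assumptions of this example.

```python
"""Convert secureCodeBox findings.json into DefectDojo's Generic Findings Import CSV.

Added example, not secureCodeBox or DefectDojo code. Column names follow the
generic CSV importer, finding field names follow the SCB findings format; the
sample data at the bottom is constructed for this example.
"""
import csv
import io
import json

# Column set read by DefectDojo's generic CSV importer (dojo/tools/generic).
GENERIC_CSV_COLUMNS = [
    "Date", "Title", "CweId", "Url", "Severity", "Description", "Mitigation",
    "Impact", "References", "Active", "Verified", "FalsePositive", "Duplicate",
]

# SCB severities -> DefectDojo severities. Anything unknown is imported as
# "Info" instead of being dropped, so an unexpected value never fails the
# whole import the way the missing ScanType mapping in the issue does.
SEVERITY_MAP = {
    "INFORMATIONAL": "Info",
    "LOW": "Low",
    "MEDIUM": "Medium",
    "HIGH": "High",
}


def map_severity(scb_severity):
    return SEVERITY_MAP.get(str(scb_severity or "").upper(), "Info")


def describe(finding):
    """Fold the SCB fields that have no CSV column of their own into Description,
    so category, OSI layer, location, id and scanner attributes survive the import."""
    lines = [finding.get("description") or ""]
    for key in ("category", "osi_layer", "location", "id"):
        if finding.get(key):
            lines.append(f"{key}: {finding[key]}")
    attributes = finding.get("attributes") or {}
    for key in sorted(attributes):
        value = attributes[key]
        if isinstance(value, (dict, list)):
            value = json.dumps(value, sort_keys=True)
        lines.append(f"attributes.{key}: {value}")
    return "\n".join(lines)


def finding_to_row(finding, scan_date, scanner):
    """Map one SCB finding to one generic CSV row (dict keyed by column name).

    The scanner name is prefixed to the title because the generic importer has
    no scan-type column of its own (assumption of this example)."""
    title = finding.get("name") or "unnamed finding"
    return {
        "Date": scan_date,
        "Title": f"{scanner}: {title}",
        "CweId": "",  # SCB findings carry no CWE id
        "Url": finding.get("location") or "",
        "Severity": map_severity(finding.get("severity")),
        "Description": describe(finding),
        "Mitigation": "",
        "Impact": "",
        "References": "",
        "Active": "TRUE",
        "Verified": "FALSE",
        "FalsePositive": "FALSE",
        "Duplicate": "FALSE",
    }


def to_generic_csv(findings_json, scan_date, scanner):
    """Render a whole findings.json (a JSON array of findings) as generic CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=GENERIC_CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for finding in json.loads(findings_json):
        writer.writerow(finding_to_row(finding, scan_date, scanner))
    return buf.getvalue()


def read_generic_csv(csv_text):
    """Read the CSV back with csv.DictReader, as DefectDojo does, for checking."""
    return list(csv.DictReader(io.StringIO(csv_text)))


# Constructed sample in the SCB findings format, modelled on a kube-hunter scan
# (the failing case in the issue); ids, names and values are made up.
SAMPLE_FINDINGS = json.dumps([
    {
        "id": "c3f1b2a4-0000-4000-8000-000000000001",
        "name": "Access to pod's secrets",
        "description": "Secrets mounted into the pod are readable from a compromised container.",
        "category": "Access Risk",
        "location": "10.96.0.1:443",
        "osi_layer": "NETWORK",
        "severity": "MEDIUM",
        "attributes": {"vid": "KHV050", "hostname": "kubernetes.default"},
    },
    {
        # deliberately sparse: no description, no location, unknown severity
        "name": "Open Kubernetes API",
        "severity": "UNKNOWN",
        "attributes": {},
    },
])

if __name__ == "__main__":
    print(to_generic_csv(SAMPLE_FINDINGS, "2021-03-20", "kube-hunter"))
```

The resulting file is uploaded with DefectDojo scan type "Generic Findings Import". The caveat of this route is visible in the Title column: the generic importer does not know which scanner produced a row, so the scanner name has to be carried in the title or in the DefectDojo Test, otherwise findings from different SCB scanners become indistinguishable in DefectDojo; alternative 3 avoids that by giving the SCB format a scan type of its own.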