New Parser: Kiuwan SCA Scan
As discussed in slack #defectdojo-dev:
Checklist
This checklist is for your information.
- [x] Make sure to rebase your PR against the very latest dev.
- [x] Features/Changes should be submitted against the dev.
- [x] Give a meaningful name to your PR, as it may end up being used in the release notes.
- [x] Your code is flake8 compliant.
- [x] Your code is python 3.11 compliant.
- [x] If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
- [x] Add applicable tests to the unit tests.
(cc @flmarkus)
Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.
| DryRun Security | Status | Findings |
|---|---|---|
| Configured Codepaths Analyzer | :white_check_mark: | 0 findings |
| IDOR Analyzer | :white_check_mark: | 0 findings |
| Sensitive Files Analyzer | :white_check_mark: | 0 findings |
| Server-Side Request Forgery Analyzer | :white_check_mark: | 0 findings |
| SQL Injection Analyzer | :white_check_mark: | 0 findings |
| Authn/Authz Analyzer | :white_check_mark: | 0 findings |
| Secrets Analyzer | :white_check_mark: | 0 findings |
> [!NOTE]
> :green_circle: Risk threshold not exceeded.

Change Summary
The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.
Summary:
This pull request introduces several changes related to the integration of the Kiuwan Scanner tool with the DefectDojo application security management platform. The changes include updates to the documentation, the addition of a new parser for Kiuwan Software Composition Analysis (SCA) scan results, and the inclusion of sample Kiuwan SCA scan data for testing purposes.
The key highlights of these changes are:
Documentation Updates: The changes improve the documentation for the Kiuwan Scanner integration, including the addition of information about the Kiuwan REST API for exporting scan results and the classification of Kiuwan as a Static Application Security Testing (SAST) tool.
Kiuwan SCA Parser Implementation: A new parser has been added to the DefectDojo application to handle the import of Kiuwan SCA scan results. The parser is designed to accurately map the Kiuwan scan data to the DefectDojo finding format, including details such as CVEs, CWEs, CVSS scores, and EPSS data.
Deduplication and Muting of Findings: The parser includes logic to deduplicate findings and handle muted findings from the Kiuwan scans, which is an important security feature to ensure that the DefectDojo application only reports on active, unresolved vulnerabilities.
Sample Kiuwan SCA Scan Data: The pull request includes sample Kiuwan SCA scan data in JSON format, which can be used for unit testing and integration testing purposes. This data includes both a scan with no vulnerabilities and a scan with multiple high-severity vulnerabilities affecting various software components.
Overall, these changes demonstrate a focused effort to improve the integration and management of Kiuwan security scan data within the DefectDojo application. From an application security perspective, these changes are positive and should help organizations better identify, prioritize, and address security vulnerabilities in their applications.
Files Changed:
- docs/content/en/integrations/parsers/file/kiuwan.md: Documentation updates for the Kiuwan Scanner integration.
- docs/content/en/integrations/parsers/file/kiuwan-sca.md: New documentation for the Kiuwan SCA (Software Composition Analysis) integration.
- dojo/tools/kiuwan_sca/parser.py: Implementation of the Kiuwan SCA parser.
- unittests/scans/kiuwan-sca/kiuwan_sca_no_vuln.json: Sample Kiuwan SCA scan data with no vulnerabilities.
- dojo/settings/settings.dist.py: Addition of the Kiuwan SCA parser to the DefectDojo application.
- unittests/scans/kiuwan-sca/kiuwan_sca_many_vuln.json: Sample Kiuwan SCA scan data with multiple high-severity vulnerabilities.
- unittests/tools/test_kiuwan_sca_parser.py: Unit tests for the Kiuwan SCA parser.
Powered by DryRun Security
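The bot summary above describes the parser's job (map CVE, CWE, CVSS and EPSS into findings, collapse duplicates, and keep muted results from showing up as active vulnerabilities) without showing how such logic looks. The block below is an added illustration written for this page; it is not the PR's `dojo/tools/kiuwan_sca/parser.py` and does not use DefectDojo's models. The JSON field names (`vulnerabilities`, `component`, `cvss3Score`, `epss`, `muted`, and so on) and the sample export are constructed assumptions for the example, not Kiuwan's real export schema; the dedup key (component, version, CVE) and the CVSS-to-severity bands are likewise this example's choices.

```python
"""Added example: a Kiuwan-style SCA export parser with dedup and mute handling.
Not DefectDojo's or Kiuwan's code. Field names below are ASSUMED for illustration.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample export. The structure and field names are assumptions made
# for this example; the CVE/CWE pairs are real but the scores are illustrative.
SAMPLE_EXPORT = json.dumps({
    "vulnerabilities": [
        {"component": "log4j-core", "version": "2.14.1", "cve": "CVE-2021-44228",
         "cwe": "CWE-502", "cvss3Score": 10.0, "epss": 0.97, "muted": False,
         "description": "JNDI lookup allows remote code execution"},
        {"component": "log4j-core", "version": "2.14.1", "cve": "CVE-2021-44228",
         "cwe": "CWE-502", "cvss3Score": 10.0, "epss": 0.97, "muted": False,
         "description": "same dependency reported again from a second module"},
        {"component": "commons-text", "version": "1.9", "cve": "CVE-2022-42889",
         "cwe": "CWE-94", "cvss3Score": 9.8, "epss": 0.90, "muted": True,
         "description": "muted in the scanner by the owning team"},
        {"component": "jackson-databind", "version": "2.9.8", "cve": "CVE-2019-12384",
         "cwe": "CWE-502", "cvss3Score": 5.9, "epss": 0.02, "muted": False,
         "description": "deserialization gadget chain"},
    ]
})


@dataclass
class Finding:
    """Plain stand-in for a DefectDojo finding, limited to the fields the PR
    summary names (CVE, CWE, CVSS, EPSS). Assumption: the real parser builds
    dojo.models.Finding objects instead."""
    title: str
    component_name: str
    component_version: str
    cve: str
    cwe: int
    cvssv3_score: float
    epss_score: float
    severity: str
    description: str
    active: bool = True
    unique_id_from_tool: str = ""


def cvss_to_severity(score: float) -> str:
    """CVSS v3.x qualitative rating bands mapped to DefectDojo severity names."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def dedup_key(component: str, version: str, cve: str) -> str:
    """Stable hash over the fields that identify one vulnerable dependency;
    used both to drop duplicates in this file and as the tool-side unique id."""
    raw = "|".join((component, version, cve)).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()


def parse_kiuwan_sca(raw_json: str) -> list[Finding]:
    """Parse an export: the first record for each component/version/CVE wins,
    and rows muted in the scanner are kept but marked inactive so that only
    live, unresolved vulnerabilities are reported as active."""
    data = json.loads(raw_json)
    findings: dict[str, Finding] = {}
    for row in data.get("vulnerabilities", []):
        component = row["component"]
        version = row["version"]
        cve = row["cve"]
        key = dedup_key(component, version, cve)
        if key in findings:
            continue  # duplicate of a dependency/CVE pair already recorded
        # Accept "CWE-502" or a bare number; unknown CWE becomes 0.
        cwe_number = int(str(row.get("cwe", "0")).removeprefix("CWE-") or 0)
        score = float(row.get("cvss3Score", 0.0))
        findings[key] = Finding(
            title=f"{cve} in {component} {version}",
            component_name=component,
            component_version=version,
            cve=cve,
            cwe=cwe_number,
            cvssv3_score=score,
            epss_score=float(row.get("epss", 0.0)),
            severity=cvss_to_severity(score),
            description=row.get("description", ""),
            active=not bool(row.get("muted", False)),
            unique_id_from_tool=key,
        )
    return list(findings.values())


if __name__ == "__main__":
    for f in parse_kiuwan_sca(SAMPLE_EXPORT):
        print(f.severity, f.cve, f.component_name, "active" if f.active else "muted")
```

Running it on the constructed export yields three findings from four rows: the repeated log4j-core row is collapsed, and the commons-text row survives as an inactive finding rather than disappearing, which is what lets DefectDojo later reactivate it if the mute is lifted in a future scan.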
@mtesauro Any more work needed from my side? I don't understand the error from the "Detect Merge conflicts" action:
See here: https://github.com/DefectDojo/django-DefectDojo/actions/runs/8889852139/job/24429470629?pr=10064
Or is it just that more reviewers need to approve?
@mwager
> Any more work needed from my side? I don't understand the error from the "Detect Merge conflicts" action:

That "Detect Merge conflicts" is just GH having issues running GH Actions and nothing you need to do. You're good for now as there's an issue with the REST tests we're trying to figure out so hold tight for a bit and we can start the approvals once we sort out whatever is going on with the REST tests.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
@mtesauro We really need this in master because via Kubernetes we would need to build and host our own images to use it. Without this parser we cannot import our supply chain scans, which is quite an issue. I think the REST test issues are fixed now?
@mwager
This PR is targeting the dev branch so, once it's got the needed approvals, it will be merged into main/master on the first Monday in August and be part of version 2.37.0
I just approved the tests to run, assuming those are good, we can start getting the needed approvals. Thanks for your patience - summer is 'interesting' with people going on holiday and such.
@mwager Hate to suggest this but it may make sense to close this PR and open a new one with the same changes. It's likely easier than trying to get this one green on the GH Action tests. We recently did several updates to brittle/flaky tests and I suspect this PR has those old tests associated with it since I just re-kicked off the tests and the same ones failed again.
Re-opened here, hope this is good to go now :)