DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License

Add Generic JSON importer #3798

Closed rsenden closed 3 years ago

rsenden commented 3 years ago

Generic JSON

There is already a generic importer for CSV data, but it only supports a small subset of Finding attributes. A generic JSON parser can easily support all relevant attributes from the Finding class. Such a generic JSON importer would allow scanners/exporters that support arbitrary JSON output to add support for DefectDojo, rather than adding a scanner-specific importer to DefectDojo.

Sample use case

DefectDojo provides a Fortify importer based on Fortify XML reports; however, this approach has various drawbacks. A more modern and much more flexible approach for exporting Fortify vulnerability data is provided by FortifyVulnerabilityExporter.

Based on this utility, we can already set up an integration between Fortify and DefectDojo using a mutually supported format like GitLab SAST or SARIF reports. However, it would be even better to have FortifyVulnerabilityExporter export vulnerability data to a dedicated DefectDojo JSON format. This would allow for more flexibility, and could support non-SAST (DAST, ...) vulnerability data to be exported to DefectDojo.

Related issue / depends on: https://github.com/DefectDojo/django-DefectDojo/issues/3797

Sample File

{
    "findings": [{
        "found_by": "MyScanner",
        "unique_id_from_tool": "04ce62ba-4086-44cf-8b7e-ba8308580499",
        "title": "Cross-site Scripting",
        "severity": "Critical",
        "url": "https://my.scanner/x/y/04ce62ba-4086-44cf-8b7e-ba8308580499",
        "sourcefile": "/home/user/project/Test.java",
        "line_number": 10,
        "static_finding": true,
        "dynamic_finding": false
    }, {
        "found_by": "MyScanner",
        "unique_id_from_tool": "74b772b4-176a-40a6-b8ed-b242246b916a",
        "title": "SQL Injection",
        "severity": "Critical",
        "url": "https://my.scanner/x/y/74b772b4-176a-40a6-b8ed-b242246b916a",
        "sourcefile": "/home/user/project/Test.java",
        "line_number": 20,
        "static_finding": true,
        "dynamic_finding": false
    }]
}
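A parser for the sample format above, written as an added example rather than DefectDojo's own importer: it checks the required attributes and the severity value (the accepted severity set is assumed), drops attributes the Finding model does not know, and skips a second entry carrying the same unique_id_from_tool so a re-exported report does not import twice.

```python
import json
from dataclasses import dataclass, fields
from typing import List, Optional

# Severity values a DefectDojo Finding accepts (assumed set for this example).
VALID_SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}
REQUIRED = ("title", "severity")


@dataclass
class Finding:
    title: str
    severity: str
    found_by: str = ""
    unique_id_from_tool: Optional[str] = None
    url: str = ""
    sourcefile: str = ""
    line_number: Optional[int] = None
    static_finding: bool = False
    dynamic_finding: bool = False


KNOWN_FIELDS = {f.name for f in fields(Finding)}


def parse_generic_json(text: str) -> List[Finding]:
    """Parse a {"findings": [...]} document; validate entries, skip repeated tool ids."""
    doc = json.loads(text)
    items = doc.get("findings") if isinstance(doc, dict) else None
    if not isinstance(items, list):
        raise ValueError("document must contain a 'findings' list")
    seen, result = set(), []
    for i, raw in enumerate(items):
        missing = [k for k in REQUIRED if not raw.get(k)]
        if missing:
            raise ValueError(f"finding {i}: missing required {missing}")
        if raw["severity"] not in VALID_SEVERITIES:
            raise ValueError(f"finding {i}: unknown severity {raw['severity']!r}")
        uid = raw.get("unique_id_from_tool")
        if uid in seen:
            continue  # the tool already reported this id: do not import it twice
        if uid:
            seen.add(uid)
        # Unknown keys are dropped instead of failing the whole import.
        result.append(Finding(**{k: v for k, v in raw.items() if k in KNOWN_FIELDS}))
    return result


# Constructed sample: the two findings from the issue, with the first one repeated.
SAMPLE = json.dumps({"findings": [
    {"found_by": "MyScanner", "unique_id_from_tool": "id-1", "title": "Cross-site Scripting", "severity": "Critical", "sourcefile": "Test.java", "line_number": 10, "static_finding": True},
    {"found_by": "MyScanner", "unique_id_from_tool": "id-2", "title": "SQL Injection", "severity": "Critical", "sourcefile": "Test.java", "line_number": 20, "static_finding": True},
    {"found_by": "MyScanner", "unique_id_from_tool": "id-1", "title": "Cross-site Scripting", "severity": "Critical", "sourcefile": "Test.java", "line_number": 10, "static_finding": True},
]})
```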

damiencarol commented 3 years ago

There are many users that want this feature. I'm taking a look at it.

valentijnscholten commented 3 years ago

4484