Import OSSINDEX API answer

[ThiefaineM]

OSSINDEX API

OSSINDEX is database of vulnerabilities where it's possible to search with purl. With a cycloneDX BOM, it is easy to call the API to get the vulnerabilities linked. It will be very similar to the AuditJS Scan, but with a different parser for the purl at least.

Sample File

It's JSON file with this construction:

[
  {
    "coordinates": "pkg:alpine/ssl_client@1.31.1-r9",
    "reference": "https://ossindex.sonatype.org/component/pkg:alpine/ssl_client@1.31.1-r9?utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
    "vulnerabilities": []
  },
  {
    "coordinates": "pkg:alpine/zlib@1.2.11-r3",
    "reference": "https://ossindex.sonatype.org/component/pkg:alpine/zlib@1.2.11-r3?utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
    "vulnerabilities": []
  },
  {
    "coordinates": "pkg:alpine/apk-tools@2.10.5-r0",
    "reference": "https://ossindex.sonatype.org/component/pkg:alpine/apk-tools@2.10.5-r0?utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
    "vulnerabilities": [
      {
        "id": "7c64092f-6f02-4e75-ab73-1b77f2e316bb",
        "displayName": "CVE-2021-30139",
        "title": "[CVE-2021-30139] In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer over...",
        "description": "In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer overflow and crash.",
        "cvssScore": 7.5,
        "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "cve": "CVE-2021-30139",
        "reference": "https://ossindex.sonatype.org/vulnerability/7c64092f-6f02-4e75-ab73-1b77f2e316bb?component-type=alpine&component-name=apk-tools&utm_source=python-requests&utm_medium=integration&utm_content=2.27.1",
        "externalReferences": [
          "https://nvd.nist.gov/vuln/detail/CVE-2021-30139"
        ]
      }
    ]
  }
]

[valentijnscholten]

What functionality would you like to see added to Defect Dojo? Not sure if I understand the reference to AuditJS. AuditJS is a scanner that creates a report based on the dependencies being used. This report can then be imported into Defect Dojo.The OSS Index is an API to retrieve vulnerabilities based on an id or purl, which is being used for example by Dependency Track based on SBOMs that are uploaded.

[ThiefaineM]

I would like to be able to import the result sent by the OSSINDEX Api because it can work as a scan. For example, I'm generating a BOM, and then I'm calling the API to get the vulnerabilities for the components: this call gives the type of result that I put in the last message. Then I would like to import the result into DefectDojo. So it's like Dependency Track but where I can upload my report to DefectDojo. I referenced AuditJS because the result of the scan is very similar as it uses the same tool to get the vulnerabilities.

[damiencarol]

If you use a standard format like CycloneDX 1.4 or SARIF, you will be able to "merge" the BOM data and the vulnerability data. Take a look at the 1.4 release of CycloneDX: https://github.com/DefectDojo/django-DefectDojo/blob/d07c007f24b1c6f0509b32e5aad3f2a2765b4581/unittests/scans/cyclonedx/valid-vulnerability-1.4.json DefectDojo support many formats that cover this use case without even modifying it :)

[valentijnscholten]

I haven't seen many SBOM generators that include vulnerabilities in their SBOM. But doing this is the core functionality of OWASP Dependency Track. I don't think it fits well with the functionality of Defect Dojo to start parings SBOMs and lookup vulnerabilities in various datasources. But you can push vulnerabilities from Dependency Track to Defect Dojo.

[ThiefaineM]

If you use a standard format like CycloneDX 1.4 or SARIF, you will be able to "merge" the BOM data and the vulnerability data. Take a look at the 1.4 release of CycloneDX: https://github.com/DefectDojo/django-DefectDojo/blob/d07c007f24b1c6f0509b32e5aad3f2a2765b4581/unittests/scans/cyclonedx/valid-vulnerability-1.4.json DefectDojo support many formats that cover this use case without even modifying it :)

Thanks for your reply. I am trying to apply it, but when I am trying to import my CycloneDX 1.4 BOM in json into DefectDojo I got: An exception error occurred during the report import:not well-formed (invalid token): line 1, column 0. The error does not appear when the BOM is in XML. Is it normal ?

[ThiefaineM]

I haven't seen many SBOM generators that include vulnerabilities in their SBOM. But doing this is the core functionality of OWASP Dependency Track. I don't think it fits well with the functionality of Defect Dojo to start parings SBOMs and lookup vulnerabilities in various datasources. But you can push vulnerabilities from Dependency Track to Defect Dojo.

Yes we are using two differents tools to generate the SBOM and get the vulnerabilities. It was more about being able to push into DefectDojo the result of the API OSSINDEX that I generate from the SBOM.

[damiencarol]

@ThiefaineM if you really want to create a new format to import data, if you don't use a standard like SARIF or CycloneDX, you will be forced to create a new parser and everything around (not the best long term solution). It could be a lot of work.

Yes we are using two differents tools to generate the SBOM and get the vulnerabilities. It was more about being able to push into DefectDojo the result of the API OSSINDEX that I generate from the SBOM.

Maybe you can generate vulnerabilities in the generic CSV or JSON format.

[ThiefaineM]

@ThiefaineM if you really want to create a new format to import data, if you don't use a standard like SARIF or CycloneDX, you will be forced to create a new parser and everything around (not the best long term solution). It could be a lot of work.

Yes we are using two differents tools to generate the SBOM and get the vulnerabilities. It was more about being able to push into DefectDojo the result of the API OSSINDEX that I generate from the SBOM.

Maybe you can generate vulnerabilities in the generic CSV or JSON format.

@damiencarol As mentioned previouslly, I am using CycloneDX 1.4 JSON BOM with the vulnerabilities added as described in the file: https://github.com/DefectDojo/django-DefectDojo/blob/d07c007f24b1c6f0509b32e5aad3f2a2765b4581/unittests/scans/cyclonedx/valid-vulnerability-1.4.json Nevertheless, I can't import it because I am having an error that I don't understand: An exception error occurred during the report import:not well-formed (invalid token): line 1, column 0. If this format can work as you explained, I won't need to create a new parser.

In the worst case scenario, where I would need a new parser, I do not think it would be a lot of work as it's very close to the AuditJS one.

[valentijnscholten]

The parser only supports XML: https://defectdojo.github.io/django-DefectDojo/integrations/parsers/

[ThiefaineM]

Ok thanks, it was not directly mentioned so I wasn't sure

[valentijnscholten]

yeah, I saw it was not explicit. But there error message is very explicit :-)

[ThiefaineM]

Without creating a new parser, would it be possible to upgrade this part in the file? https://github.com/DefectDojo/django-DefectDojo/blob/d07c007f24b1c6f0509b32e5aad3f2a2765b4581/dojo/tools/auditjs/parser.py

        for dependency in data:
            # reading package name in format pkg:npm/PACKAGE_NAME@PACKAGE_VERSION
            if "coordinates" in dependency:
                file_path = dependency["coordinates"]
                component_name, component_version = file_path.split('/')[1].split('@')

Instead of reading only purl of the form: pkg:npm/PACKAGE_NAME@PACKAGE_VERSION It could be nice to be able to read more general one without having an error: pkg:type/namespace/name@version?qualifiers

I do understand if that's not something you want to do. In this case, you can close the issue.

[valentijnscholten]

Please create a separate issue (or PR) for that.