DefectDojo / django-DefectDojo

DevSecOps, ASPM, Vulnerability Management. All on one platform.
https://defectdojo.com
BSD 3-Clause "New" or "Revised" License
3.62k stars 1.52k forks

IBM Appscan, Acunetix, HP Fortify integration with DefectDojo #647

Closed Rajarshi333 closed 5 years ago

Rajarshi333 commented 6 years ago

Please use the following template when submitting issues:

Issue Template

Issue Type

Description

At present we don't see report upload templates for IBM Appscan, Acunetix and HP Fortify; only the generic template is supported. We want to build report upload templates for these 3 tools. We are also looking for custom automation around the same set of tools.

If the issue is a bug, please also include the following:

Operating System

Please include the version number (ex: Ubuntu 16.04)

Install

DefectDojo Version

Steps to Reproduce

Sample Scan File (if applicable)

Screenshots (optional)

Console Logs (optional)

aaronweaver commented 6 years ago

@Rajarshi333 Are you going to be submitting code for these importers? If so, I'll assign the issue to you.

Thanks

Rajarshi333 commented 6 years ago

@aaronweaver: Thanks for your quick response. Yes, we are working on this as a project from the Cognizant India CyberSecurity Team and expect to complete it in about the next 60 days. We are looking for some help as well, which we can share.

aaronweaver commented 6 years ago

Fantastic @Rajarshi333. Let me know if you have any questions along the way.

For Fortify, because of the structure of the FPR files the parsing will require an extra step. Take a look at this project: https://github.com/jaxley/python-fortify

Rajarshi333 commented 6 years ago

@aaronweaver: Thanks a lot for that link about Fortify FPR file processing.

Rajarshi333 commented 6 years ago

@aaronweaver: Wanted to know what you think about the approach of using the REST API directly with Fortify SSC? Please share your inputs. Thanks.

aaronweaver commented 6 years ago

@Rajarshi333 Create the parser library first in the tools section and make sure you can import a Fortify file, then look at tasks.py to utilize Celery to import Fortify on a periodic basis. Additionally, the configuration can be held in http://localhost:8000/tool_type and then the key can be assigned to each product --> http://localhost:8000/product/1/tool_product/add

Rajarshi333 commented 6 years ago

Thanks Aaron!!

1modm commented 6 years ago

Hi,

Would it be possible to know the steps to add a new scanner? I'm testing some and want to check whether it works completely. I know that what is needed is:

1- Create the parser and place it in django-DefectDojo/dojo/tools
2- Add a new entry in the dojo_test_type table?
3- Add an entry in form.py?
4- ?

Thanks

Rajarshi333 commented 6 years ago

Hi Aaron,

We are able to get the CSV results directly from Fortify. In that case, can we omit the FPR processing step and parse the CSV directly? Please share your inputs.

Thanks.

aaronweaver commented 6 years ago

@Rajarshi333, that sounds good about importing the CSV. I also created a short wiki article regarding scanner imports.

Rajarshi333 commented 6 years ago

@aaronweaver: Thanks a lot for the help and the great guidance through the article you have written!!

Rajarshi333 commented 6 years ago

@aaronweaver: We are hitting a road block when trying to run the test parser file for Fortify. We are trying to import add_language from dojo.utils and Finding from dojo.models and in each case landing on this:

D:\Automation Stuff\django-DefectDojo-master\django-DefectDojo-master\CodeTesting>python FortifyParserClass.py
Traceback (most recent call last):
  File "FortifyParserClass.py", line 10, in
    from dojo.utils import add_language
  File "D:\Automation Stuff\django-DefectDojo-master\django-DefectDojo-master\dojo\__init__.py", line 5, in
    from .celery import app as celery_app  # noqa
  File "D:\Automation Stuff\django-DefectDojo-master\django-DefectDojo-master\dojo\celery.py", line 3, in
    from celery import Celery
  File "D:\Automation Stuff\django-DefectDojo-master\django-DefectDojo-master\dojo\celery.py", line 3, in
    from celery import Celery
ImportError: cannot import name 'Celery' from 'celery' (D:\Automation Stuff\django-DefectDojo-master\django-DefectDojo-master\dojo\celery.py)

This is the code that is at the top of the parser file:

from defusedxml import ElementTree
from dateutil import parser
import ntpath
from dojo.utils import add_language
from dojo.models import Finding

Please help.

Also, we need some guidance on code testing and wanted to check a few things with you. Could we write you emails? Thanks.

aaronweaver commented 6 years ago

Hi @Rajarshi333, certainly feel free to email me: aaron.weaver@owasp.org.

For that error, it's because you are running it outside of Django. If you want a command line version for testing, you can try ./manage.py shell < FortifyParserClass.py
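
The two failures in this thread have the same root cause: FortifyParserClass.py imports dojo.utils and dojo.models at module level, so plain python cannot load it, and routing it through manage.py shell then pulls in the whole Django settings and dependency chain (Celery, Crypto, watson) before a single CSV line is parsed. One way to keep the CSV-parsing approach agreed above testable on its own, as an added example that is not DefectDojo's own code, is to put the parsing in a module that imports nothing from dojo and returns plain dicts, leaving Finding construction to a thin wrapper that lives inside Django. The column names, the alias table, the severity mapping, the sample export and the dict keys below are assumptions made for this example; the keys are chosen to resemble Finding fields (title, severity, description, file_path, line) and must be checked against the installed dojo/models.py before the wrapper is written.

```python
"""
Django-independent Fortify CSV parser (added example, not DefectDojo's code).

Nothing here imports dojo.*, so the module runs and can be unit-tested with
plain python, outside manage.py shell. Column names, aliases, severity map,
and the sample export are assumptions for this example; check them against
the header row of a real Fortify export before relying on them.
"""
import csv
import io

# Fortify ranks findings Critical/High/Medium/Low; DefectDojo adds Info.
# Anything unrecognised maps to Info so a surprise value never aborts the import.
SEVERITY_MAP = {
    "critical": "Critical",
    "high": "High",
    "medium": "Medium",
    "low": "Low",
}

# Header names differ between export flavours; accept a few aliases per field.
# This alias list is constructed for the example; extend it from a real header row.
COLUMN_ALIASES = {
    "category": ("category", "Category", "Issue Category"),
    "severity": ("severity", "Severity", "Priority"),
    "file": ("file", "File", "Primary Location", "Path"),
    "line": ("line", "Line", "Line Number"),
    "description": ("abstract", "Abstract", "Description"),
    "instance_id": ("instance id", "Instance ID", "IID"),
}


def _get(row, field):
    """Return the first alias of `field` present in `row`, else an empty string."""
    for name in COLUMN_ALIASES[field]:
        if name in row and row[name] is not None:
            return row[name].strip()
    return ""


def parse_fortify_csv(text):
    """Parse Fortify CSV text into a list of Finding-shaped dicts.

    Dict keys (title, severity, description, file_path, line, instance_id)
    are assumed to line up with Finding fields; verify against dojo/models.py.
    Rows are de-duplicated on the tool's instance id, falling back to
    (category, file, line) when the export carries no id column.
    """
    reader = csv.DictReader(io.StringIO(text))
    findings = []
    seen = set()
    for row in reader:
        category = _get(row, "category")
        if not category:
            continue  # blank or trailer line
        file_path = _get(row, "file")
        line_text = _get(row, "line")
        line = int(line_text) if line_text.isdigit() else None
        instance_id = _get(row, "instance_id")
        key = instance_id or (category, file_path, line)
        if key in seen:
            continue
        seen.add(key)
        findings.append({
            "title": f"{category}: {file_path}" if file_path else category,
            "severity": SEVERITY_MAP.get(_get(row, "severity").lower(), "Info"),
            "description": _get(row, "description"),
            "file_path": file_path,
            "line": line,
            "instance_id": instance_id or None,
        })
    return findings


# Constructed sample export (not a real Fortify file): a header plus four rows,
# including one duplicated instance id and one severity outside the map.
SAMPLE_CSV = """Category,Severity,File,Line,Abstract,Instance ID
SQL Injection,Critical,src/db/query.py,42,User input reaches a SQL string,ABC123
Cross-Site Scripting: Reflected,High,src/views/search.py,17,Unescaped output,DEF456
SQL Injection,Critical,src/db/query.py,42,User input reaches a SQL string,ABC123
Dead Code,Informational,src/util.py,5,Unreachable code,GHI789
"""


if __name__ == "__main__":
    for item in parse_fortify_csv(SAMPLE_CSV):
        print(item["severity"], item["title"], item["line"])
```

Run it with plain python to exercise the parsing. The Django-side wrapper, placed under dojo/tools where dojo.models imports cleanly, would loop over the returned items and build Finding objects from them; which of these keys map directly onto Finding constructor arguments depends on the version in use and has to be confirmed against the model before that wrapper is written.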

Rajarshi333 commented 6 years ago

Hi @aaronweaver, thanks. Tried the same and got this:

D:\Automation Stuff\django-DefectDojo-master\django-DefectDojo-master>python manage.py shell <TestParser.py
Python 3.7.0 (v3.7.0:1bf9cc5093, Jun 27 2018, 04:59:51) [MSC v.1914 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)

Traceback (most recent call last):
  File "", line 1, in
  File "D:\Automation Stuff\django-DefectDojo-master\django-DefectDojo-master\dojo\utils.py", line 8, in
    from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
Traceback (most recent call last):
  File "", line 1, in
  File "D:\Automation Stuff\django-DefectDojo-master\django-DefectDojo-master\dojo\models.py", line 9, in
    from watson import search as watson
ModuleNotFoundError: No module named 'watson'

now exiting InteractiveConsole...
Traceback (most recent call last):
  File "manage.py", line 10, in
    execute_from_command_line(sys.argv)
  File "D:\Python3.7\lib\site-packages\django\core\management\__init__.py", line 381, in execute_from_command_line
    utility.execute()
  File "D:\Python3.7\lib\site-packages\django\core\management\__init__.py", line 375, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "D:\Python3.7\lib\site-packages\django\core\management\base.py", line 329, in run_from_argv
    connections.close_all()
  File "D:\Python3.7\lib\site-packages\django\db\utils.py", line 220, in close_all
    for alias in self:
  File "D:\Python3.7\lib\site-packages\django\db\utils.py", line 214, in __iter__
    return iter(self.databases)
  File "D:\Python3.7\lib\site-packages\django\utils\functional.py", line 37, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "D:\Python3.7\lib\site-packages\django\db\utils.py", line 147, in databases
    self._databases = settings.DATABASES
  File "D:\Python3.7\lib\site-packages\django\conf\__init__.py", line 57, in __getattr__
    self._setup(name)
  File "D:\Python3.7\lib\site-packages\django\conf\__init__.py", line 44, in _setup
    self._wrapped = Settings(settings_module)
  File "D:\Python3.7\lib\site-packages\django\conf\__init__.py", line 107, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
  File "D:\Python3.7\lib\importlib\__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1006, in _gcd_import
  File "", line 983, in _find_and_load
  File "", line 965, in _find_and_load_unlocked
ModuleNotFoundError: No module named 'dojo.settings.settings'

code in TestParser.py:

from defusedxml import ElementTree
from dateutil import parser
import ntpath
from dojo.utils import add_language
from dojo.models import Finding

I'm working on a Windows 10 platform with Python 3.7. Installed Django with pip. Anything wrong with the setup? Thanks for the help.

Rajarshi333 commented 6 years ago

Hi @aaronweaver ,

I suspect my dev environment on Windows 10 is not sufficient. Wrote you an email with details from my email ID (Rajarshi.Bhattacharyya@cognizant.com). Kindly help. Thanks.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.