DefectDojo / django-DefectDojo


Addition of a new parser for Wappalyzer JSON output in DefectDojo #8934

Closed ErdemOzgen closed 9 months ago

ErdemOzgen commented 9 months ago

Scanner Name: Wappalyzer

Sample File: test.json

You can also download a CSV from the extension: wappalyzer_github-dev.csv

Feature Request

I would like to propose the addition of a new parser for Wappalyzer JSON output in DefectDojo.

Motivation

Wappalyzer is a cross-platform utility that uncovers the technologies used on websites. It detects content management systems, eCommerce platforms, web frameworks, server software, analytics tools, and many more. Integrating Wappalyzer with DefectDojo will help users to import the results of their web technology detection directly into DefectDojo, facilitating a smoother workflow for security teams and website analysts.

Feature Description

The parser should be able to:

Preliminary Work

Potential Challenges

I'm ready to start working on this feature and would appreciate any guidelines or suggestions from the DefectDojo community to ensure that the implementation aligns with the project's standards and expectations.

Thank you for considering this contribution. I look forward to your feedback and collaboration!

Related Issues and/or Pull Requests

(None so far)


Please let me know if there are existing efforts or if some parts of this feature are already being worked on.

manuel-sommer commented 9 months ago

I can make a PR for you

manuel-sommer commented 9 months ago

Can you also add a file with 0 results and a file with exactly one finding?

ErdemOzgen commented 9 months ago

> I can make a PR for you

I will also work on it; we can work on this PR.

manuel-sommer commented 9 months ago

Hi @ErdemOzgen, I looked into the provided JSON and CSV outputs. I can't see why you want to add this to DefectDojo, as it does not provide any real vulnerability, but rather facts about the technologies in use.

Do you have a more valuable output?

ErdemOzgen commented 9 months ago

@manuel-sommer

"Integrating Wappalyzer with DefectDojo is a strategic enhancement for several reasons. Firstly, for DevSecOps, knowledge of the underlying technology stack is essential for thorough security practices. It enables teams to be proactive rather than reactive by tailoring security measures to the specific technologies in use. This is not just about identifying immediate vulnerabilities, but also about risk assessment and management. Understanding the tech stack can help in anticipating potential security threats and addressing them as part of the development cycle, rather than post-deployment.

Secondly, for Open Source Intelligence (OSINT), Wappalyzer provides valuable insights that can aid in information gathering and analysis. In cybersecurity, being able to quickly and accurately identify the technologies used by a target can inform the subsequent steps in security testing or incident response. For instance, knowing what software a website is running can reveal known vulnerabilities or common misconfigurations associated with those technologies.

Furthermore, the inclusion of technology stack information within DefectDojo could allow teams to track the technologies they have assessed over time, see trends in technology usage, correlate this with exposure to vulnerabilities, and make data-driven decisions on security priorities. Although Wappalyzer's output does not include explicit vulnerabilities, the context it provides is fundamental to comprehensive security analysis and strengthens the overall security posture.

The JSON and CSV outputs from Wappalyzer can be utilized within DefectDojo to create a more informative and actionable repository of intelligence. It complements the vulnerability data by mapping it against the technology profile of assets, which is crucial for effective security governance, risk management, and compliance."

ErdemOzgen commented 9 months ago

But I think you have a right point: DefectDojo parsers only take care of vulnerabilities, but I still think assessment of tech stack and assets could be useful for this type of framework.

manuel-sommer commented 9 months ago

Yeah, but then I would rather suggest an enhancement equally to this and not to a vulnerability parser: https://defectdojo.github.io/django-DefectDojo/integrations/languages/

Or maybe there is a way to parse this tech stack information via CycloneDX into Dependency-Track, use this information there, and sync the findings back to DefectDojo.
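As a sketch of the CycloneDX route suggested in that comment (an added example, not DefectDojo's, Wappalyzer's or Dependency-Track's own code), the function below converts Wappalyzer CLI JSON into a minimal CycloneDX 1.4 BOM that could be uploaded to Dependency-Track. The input shape (a `technologies` array with `name`, `version`, `confidence` and `categories`), the sample document and the category-to-component-type mapping are assumptions.

```python
import json

# Constructed sample in the shape of Wappalyzer CLI JSON output (assumed format).
SAMPLE_WAPPALYZER_JSON = json.dumps({
    "urls": {"https://example.test/": {"status": 200}},
    "technologies": [
        {"slug": "nginx", "name": "Nginx", "confidence": 100, "version": "1.18.0",
         "categories": [{"id": 22, "slug": "web-servers", "name": "Web servers"}]},
        {"slug": "jquery", "name": "jQuery", "confidence": 100, "version": "3.5.1",
         "categories": [{"id": 59, "slug": "javascript-libraries", "name": "JavaScript libraries"}]},
        {"slug": "google-analytics", "name": "Google Analytics", "confidence": 50, "version": None,
         "categories": [{"id": 10, "slug": "analytics", "name": "Analytics"}]},
    ],
})

# Assumed mapping of Wappalyzer category slugs to CycloneDX component types;
# anything not listed becomes a generic "application" component.
CATEGORY_TO_TYPE = {
    "javascript-libraries": "library",
    "javascript-frameworks": "framework",
    "web-frameworks": "framework",
    "operating-systems": "operating-system",
}


def wappalyzer_to_cyclonedx(raw: str, min_confidence: int = 100) -> dict:
    """Turn Wappalyzer JSON into a minimal CycloneDX 1.4 BOM (JSON-serialisable dict)."""
    data = json.loads(raw)
    target = next(iter(data.get("urls", {})), "unknown")  # first scanned URL names the BOM
    components = []
    for tech in data.get("technologies", []):
        confidence = int(tech.get("confidence", 0))
        if confidence < min_confidence:
            continue  # drop low-confidence guesses rather than pollute the inventory
        slugs = [c.get("slug", "") for c in tech.get("categories", [])]
        ctype = next((CATEGORY_TO_TYPE[s] for s in slugs if s in CATEGORY_TO_TYPE), "application")
        comp = {"type": ctype, "name": tech["name"]}
        if tech.get("version"):
            comp["version"] = tech["version"]  # without a version there is little to match CVEs against
        # Keep provenance so the Wappalyzer origin stays visible downstream.
        comp["properties"] = [
            {"name": "wappalyzer:confidence", "value": str(confidence)},
            {"name": "wappalyzer:categories", "value": ",".join(slugs)},
        ]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"component": {"type": "application", "name": target}},
            "components": components}
```

Note that these components carry no purl or CPE, so Dependency-Track's vulnerability matching will be limited to what it can infer from name and version; the BOM is mainly useful as a tech-stack inventory.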

ErdemOzgen commented 9 months ago

Makes sense, I will do my research on this. Thanks again.