New Parser: Kiuwan SCA Scan #10064
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Change Summary: The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: This pull request introduces several changes related to the integration of the Kiuwan Scanner tool with the DefectDojo application security management platform. The changes include updates to the documentation, the addition of a new parser for Kiuwan Software Composition Analysis (SCA) scan results, and the inclusion of sample Kiuwan SCA scan data for testing purposes. The key highlights of these changes are:
Overall, these changes demonstrate a focused effort to improve the integration and management of Kiuwan security scan data within the DefectDojo application. From an application security perspective, these changes are positive and should help organizations better identify, prioritize, and address security vulnerabilities in their applications. Files Changed:
… kiuwan-sca * 'kiuwan-sca' of github.com:mwager/django-DefectDojo:
- Update versions in application files
- Product Metrics: Performance Enhancements (DefectDojo#10059)
- String Based Filtering: Follow on for DefectDojo#10038 (DefectDojo#10050)
- update semgrep tests (DefectDojo#10058)
- Jira Webhook: Reorg logging and responses (DefectDojo#10049)
- Similar Findings: Create Toggle (DefectDojo#10047)
- Bump social-auth-app-django from 5.4.0 to 5.4.1 (DefectDojo#10026)
- Update versions in application files
- Update versions in application files
- Updated DryRun Security config (DefectDojo#10037)
- Filtering Performance: Add opt-in setting for converting to string ba… (DefectDojo#10038)
- Updates to semgrep parser (DefectDojo#10033)
- Update versions in application files
```python
finding.mitigation = "See Kiuwan Web UI"
finding.static_finding = True

key = hashlib.sha256(
```
Hi @mwager, the PR looks quite good.
I don't know if you need the key at all if you choose DEDUPE_ALGO_HASH_CODE.
Let's wait for the reviews of the maintainers. Ah, good point, maybe you are right, but why would you have duplicates in one file?
Good question :) TBH I just followed the Kiuwan SAST importer logic: https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/kiuwan/parser.py#L118
which is using the default legacy behavior based on:
static scanner: ['title', 'cwe', 'line', 'file_path', 'description']
So probably I got this wrong, let's wait for other reviewers and I am happy to clean this up if necessary.
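To make the deduplication question in this exchange concrete, here is an added, self-contained illustration (not DefectDojo's own code, and not from the PR) of what a field-based dedupe key does to findings from a single import file. It assumes a hypothetical SHA-256 over the legacy static-scanner field list quoted above, joined in order, and uses constructed sample findings; the field names match the thread, everything else is an assumption.

```python
import hashlib

# Legacy static-scanner dedupe fields as quoted in the thread (the list itself
# is from the PR discussion; the hashing scheme below is a constructed stand-in)
LEGACY_STATIC_FIELDS = ["title", "cwe", "line", "file_path", "description"]


def dedupe_key(finding: dict, fields=LEGACY_STATIC_FIELDS) -> str:
    """Hypothetical dedupe key: SHA-256 over the selected fields, joined in order.

    Missing fields contribute an empty string so the key is stable across
    findings that omit optional attributes.
    """
    material = "|".join(str(finding.get(f, "")) for f in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def collapse_duplicates(findings, fields=LEGACY_STATIC_FIELDS):
    """Collapse findings sharing a dedupe key; returns (unique_list, dupe_count)."""
    seen = {}
    dupes = 0
    for finding in findings:
        key = dedupe_key(finding, fields)
        if key in seen:
            dupes += 1          # same key already imported from this file
            continue
        seen[key] = finding
    return list(seen.values()), dupes


# Constructed sample: three SCA-style findings as a parser might emit them.
# CWE-937 (use of components with known vulnerabilities) is a real CWE id;
# the component name and paths are made up for the example.
SAMPLE_FINDINGS = [
    {"title": "example-lib 1.2.3 - known vulnerable component", "cwe": 937,
     "line": 0, "file_path": "package-lock.json", "description": "constructed"},
    {"title": "example-lib 1.2.3 - known vulnerable component", "cwe": 937,
     "line": 0, "file_path": "package-lock.json", "description": "constructed"},
    {"title": "example-lib 1.2.3 - known vulnerable component", "cwe": 937,
     "line": 0, "file_path": "services/api/package-lock.json",
     "description": "constructed"},
]

if __name__ == "__main__":
    uniques, dupes = collapse_duplicates(SAMPLE_FINDINGS)
    print(f"legacy fields: {len(uniques)} unique, {dupes} duplicate(s)")
    uniques, dupes = collapse_duplicates(SAMPLE_FINDINGS, ["title", "cwe"])
    print(f"title+cwe only: {len(uniques)} unique, {dupes} duplicate(s)")
```

With the full legacy field list, the second finding (an exact repeat) collapses while the third survives because its file_path differs; narrow the key to title and cwe and all three collapse into one. That is the practical difference between the two field sets being discussed: the narrower the key, the more same-file findings are treated as duplicates.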
@mtesauro Any more work needed from my side? I don't understand the error from the "Detect Merge conflicts" action: See here: https://github.com/DefectDojo/django-DefectDojo/actions/runs/8889852139/job/24429470629?pr=10064 Or is it just that more reviewers need to approve?
That "Detect Merge conflicts" is just GH having issues running GH Actions and nothing you need to do. You're good for now as there's an issue with the REST tests we're trying to figure out so hold tight for a bit and we can start the approvals once we sort out whatever is going on with the REST tests.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
@mtesauro We really need this in master because via Kubernetes we would need to build and host our own images to use it. Without this Parser we cannot import our supply chain scans which is quite an issue. I think the Rest test Issues are fixed now?
This PR is targeting the dev branch so, once it's got the needed approvals, it will be merged into main/master on the first Monday in August and be part of version 2.37.0. I just approved the tests to run, assuming those are good, we can start getting the needed approvals. Thanks for your patience - summer is 'interesting' with people going on holiday and such.
@mwager
Re-opened here, hope this is good to go now :)
As discussed in slack #defectdojo-dev:
Checklist
This checklist is for your information.
(cc @flmarkus)