
New Parser: Kiuwan SCA Scan #10064

Closed
wants to merge 28 commits into from

Conversation

mwager
Contributor

@mwager mwager commented Apr 30, 2024

As discussed in slack #defectdojo-dev:


Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Add applicable tests to the unit tests.

(cc @flmarkus)

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests parser labels Apr 30, 2024

dryrunsecurity bot commented Apr 30, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
Server-Side Request Forgery Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

This pull request introduces several changes related to the integration of the Kiuwan Scanner tool with the DefectDojo application security management platform. The changes include updates to the documentation, the addition of a new parser for Kiuwan Software Composition Analysis (SCA) scan results, and the inclusion of sample Kiuwan SCA scan data for testing purposes.

The key highlights of these changes are:

  1. Documentation Updates: The changes improve the documentation for the Kiuwan Scanner integration, including the addition of information about the Kiuwan REST API for exporting scan results and the classification of Kiuwan as a Static Application Security Testing (SAST) tool.

  2. Kiuwan SCA Parser Implementation: A new parser has been added to the DefectDojo application to handle the import of Kiuwan SCA scan results. The parser is designed to accurately map the Kiuwan scan data to the DefectDojo finding format, including details such as CVEs, CWEs, CVSS scores, and EPSS data.

  3. Deduplication and Muting of Findings: The parser includes logic to deduplicate findings and handle muted findings from the Kiuwan scans, which is an important security feature to ensure that the DefectDojo application only reports on active, unresolved vulnerabilities.

  4. Sample Kiuwan SCA Scan Data: The pull request includes sample Kiuwan SCA scan data in JSON format, which can be used for unit testing and integration testing purposes. This data includes both a scan with no vulnerabilities and a scan with multiple high-severity vulnerabilities affecting various software components.

Overall, these changes demonstrate a focused effort to improve the integration and management of Kiuwan security scan data within the DefectDojo application. From an application security perspective, these changes are positive and should help organizations better identify, prioritize, and address security vulnerabilities in their applications.

Files Changed:

  1. docs/content/en/integrations/parsers/file/kiuwan.md: Documentation updates for the Kiuwan Scanner integration.
  2. docs/content/en/integrations/parsers/file/kiuwan-sca.md: New documentation for the Kiuwan SCA (Software Composition Analysis) integration.
  3. dojo/tools/kiuwan_sca/parser.py: Implementation of the Kiuwan SCA parser.
  4. unittests/scans/kiuwan-sca/kiuwan_sca_no_vuln.json: Sample Kiuwan SCA scan data with no vulnerabilities.
  5. dojo/settings/settings.dist.py: Addition of the Kiuwan SCA parser to the DefectDojo application.
  6. unittests/scans/kiuwan-sca/kiuwan_sca_many_vuln.json: Sample Kiuwan SCA scan data with multiple high-severity vulnerabilities.
  7. unittests/tools/test_kiuwan_sca_parser.py: Unit tests for the Kiuwan SCA parser.

Powered by DryRun Security

mwager added 3 commits April 30, 2024 07:35
… kiuwan-sca

* 'kiuwan-sca' of github.com:mwager/django-DefectDojo:
  Update versions in application files
  Product Metrics: Performance Enhancements (DefectDojo#10059)
  String Based Filtering: Follow on for DefectDojo#10038 (DefectDojo#10050)
  update semgrep tests (DefectDojo#10058)
  Jira Webhook: Reorg logging and responses (DefectDojo#10049)
  Similar Findings: Create Toggle (DefectDojo#10047)
  Bump social-auth-app-django from 5.4.0 to 5.4.1 (DefectDojo#10026)
  Update versions in application files
  Update versions in application files
  Updated DryRun Security config (DefectDojo#10037)
  Filtering Performance: Add opt-in setting for converting to string ba… (DefectDojo#10038)
  Updates to semgrep parser (DefectDojo#10033)
  Update versions in application files
finding.mitigation = "See Kiuwan Web UI"
finding.static_finding = True

key = hashlib.sha256(
Contributor


Hi @mwager, the PR looks quite good.

I don't know if you need the key at all if you choose DEDUPE_ALGO_HASH_CODE.

Contributor Author


Thx! As I understood, this is only for deduping per import? i.e. removing dupes in one import file, therefore preventing further deduplication later? Maybe I got this wrong then?


But I can remove it if this is not needed. We tested it with lots of prod data and it does what we expect :)

Contributor


Let's wait for the reviews of the maintainers. Ah, good point, maybe you are right, but why would you have duplicates in one file?

Contributor Author


Good question :) TBH I just followed the Kiuwan SAST importer logic: https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/kiuwan/parser.py#L118

which is using the default legacy behavior based on:

static scanner:  ['title', 'cwe', 'line', 'file_path', 'description']

So probably I got this wrong, let's wait for other reviewers and I am happy to clean this up if necessary.
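To illustrate the in-import deduplication the thread is debating, here is an added, self-contained example (not DefectDojo's or the PR's own code): it builds findings from a constructed Kiuwan-SCA-style export, skips entries muted in the scanner, and collapses duplicates within one file using a SHA-256 key over the legacy static-scanner fields quoted above. The export field names and the mapping to finding fields are assumptions, not the real Kiuwan format.

```python
import hashlib
import json

# Legacy static-scanner dedupe fields quoted in the thread (DefectDojo's
# default for static findings); the in-import key below mirrors them.
LEGACY_STATIC_FIELDS = ("title", "cwe", "line", "file_path", "description")

# Constructed sample in a Kiuwan-SCA-like shape; the field names are
# assumptions, not the real Kiuwan export format.
SAMPLE_EXPORT = json.dumps({
    "vulnerabilities": [
        {"cve": "CVE-0000-0001", "component": "libexample", "version": "1.0",
         "severity": "High", "muted": False, "cwe": 79},
        {"cve": "CVE-0000-0001", "component": "libexample", "version": "1.0",
         "severity": "High", "muted": False, "cwe": 79},   # exact duplicate
        {"cve": "CVE-0000-0002", "component": "libother", "version": "2.3",
         "severity": "Medium", "muted": True, "cwe": 400},  # muted in the scanner
    ]
})


def to_finding(item):
    """Map one export entry to a flat finding dict (hypothetical mapping)."""
    return {
        "title": f"{item['cve']} in {item['component']} {item['version']}",
        "cwe": item.get("cwe", 0),
        "line": 0,            # SCA findings carry no source line
        "file_path": "",
        "description": f"{item['component']}@{item['version']} affected by {item['cve']}",
        "severity": item["severity"],
        "muted": item.get("muted", False),
    }


def dedupe_key(finding):
    """SHA-256 over the legacy static-scanner fields, used as the in-import key."""
    material = "|".join(str(finding[f]) for f in LEGACY_STATIC_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def parse(raw):
    """Return unique, non-muted findings from one export (assumed behaviour)."""
    seen = {}
    for item in json.loads(raw)["vulnerabilities"]:
        finding = to_finding(item)
        if finding["muted"]:
            continue  # muted in Kiuwan: do not report it as an open finding
        seen.setdefault(dedupe_key(finding), finding)
    return list(seen.values())
```

Cross-import deduplication (matching against findings already in DefectDojo) is a separate step that this key does not replace.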

@mwager
Contributor Author

mwager commented May 7, 2024

@mtesauro Any more work needed from my side? I don't understand the error from the "Detect Merge conflicts" action:


See here: https://github.com/DefectDojo/django-DefectDojo/actions/runs/8889852139/job/24429470629?pr=10064

Or is it just that more reviewers need to approve?

@mtesauro
Contributor

@mwager

Any more work needed from my side? I don't understand the error from the "Detect Merge conflicts" action:

That "Detect Merge conflicts" is just GH having issues running GH Actions and nothing you need to do. You're good for now as there's an issue with the REST tests we're trying to figure out so hold tight for a bit and we can start the approvals once we sort out whatever is going on with the REST tests.

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

github-actions bot commented Jul 3, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

github-actions bot commented Jul 4, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mwager
Contributor Author

mwager commented Jul 4, 2024

@mtesauro We really need this in master because via Kubernetes we would need to build and host our own images to use it. Without this Parser we cannot import our supply chain scans which is quite an issue. I think the Rest test Issues are fixed now?

@mtesauro
Contributor

mtesauro commented Jul 4, 2024

@mwager

This PR is targeting the dev branch so, once it's got the needed approvals, it will be merged into main/master on the first Monday in August and be part of version 2.37.0

I just approved the tests to run, assuming those are good, we can start getting the needed approvals. Thanks for your patience - summer is 'interesting' with people going on holiday and such.

@mtesauro
Contributor

mtesauro commented Jul 5, 2024

@mwager
Hate to suggest this but it may make sense to close this PR and open a new one with the same changes. It's likely easier than trying to get this one green on the GH Action tests. We recently did several updates to brittle/flaky tests and I suspect this PR has those old tests associated with it since I just re-kicked off the tests and the same ones failed again.

@mwager mwager closed this Jul 6, 2024
@mwager mwager mentioned this pull request Jul 6, 2024
@mwager
Contributor Author

mwager commented Jul 6, 2024

Re-opened here, hope this is good to go now :)

Labels
docs parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR unittests