Add new parser - Rapplex #10202

Merged: 11 commits, Aug 2, 2024

Conversation

AlperenY-cs
Contributor


Rapplex - Web Application Security Scanner

For more information, see Rapplex.

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests parser labels May 14, 2024

dryrunsecurity bot commented May 14, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security analyzers and findings:
  Configured Codepaths Analyzer: 0 findings
  AppSec Analyzer: 0 findings
  Sensitive Files Analyzer: 0 findings
  Authn/Authz Analyzer: 0 findings
  Secrets Analyzer: 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

This GitHub Pull Request includes several changes related to the integration of the Rapplex web application security scanner into the DefectDojo application. The changes cover the following areas:

  1. Documentation: A new markdown file rapplex.md has been added to the documentation, providing information on how to import JSON reports from the Rapplex scanner.
  2. Configuration: The settings.dist.py file has been updated to include configuration settings for the Rapplex parser, such as the fields to be used for deduplicating findings and the deduplication algorithm.
  3. Parser Implementation: A new parser class RapplexParser has been added to handle the processing of Rapplex scan reports and the extraction of security findings.
  4. Unit Tests: A set of unit tests has been added to verify the functionality of the RapplexParser class, ensuring that it can correctly handle various scenarios, including reports with no findings, one finding, and multiple findings.
  5. Test Data: Sample Rapplex scan reports have been added to the unittests/scans/rapplex directory, covering different types of vulnerabilities (SQL Injection, XSS, Information Disclosure, etc.) and severity levels.

From an application security perspective, these changes appear to be well-designed and implemented. The addition of the Rapplex integration, the comprehensive test coverage, and the inclusion of sample scan reports demonstrate a commitment to improving the security capabilities of the DefectDojo application.

Files Changed:

  1. docs/content/en/integrations/parsers/file/rapplex.md: This new file provides documentation on how to import Rapplex scan data into the DefectDojo application.
  2. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash of the .settings.dist.py file has been updated, indicating that the configuration file has been modified.
  3. dojo/settings/settings.dist.py: The default settings for the DefectDojo application have been updated to include configuration for the Rapplex parser, such as the fields to be used for deduplicating findings and the deduplication algorithm.
  4. dojo/tools/rapplex/parser.py: This new file contains the implementation of the RapplexParser class, which is responsible for parsing and processing Rapplex scan reports.
  5. unittests/scans/rapplex/rapplex_one_vul.json: This file contains a sample Rapplex scan report with a single SQL Injection vulnerability.
  6. unittests/tools/test_rapplex_parser.py: This file contains unit tests for the RapplexParser class, ensuring that it can correctly handle various scenarios and extract the expected security findings.
  7. unittests/scans/rapplex/rapplex_many_vul.json: This file contains a sample Rapplex scan report with multiple vulnerabilities, including SQL Injection, XSS, Information Disclosure, and Missing X-Frame-Options Header.
  8. unittests/scans/rapplex/rapplex_zero_vul.json: This file contains a sample Rapplex scan report with no identified vulnerabilities.

Overall, the changes in this Pull Request appear to be well-designed and implemented, with a focus on improving the security capabilities of the DefectDojo application through the integration of the Rapplex web application security scanner.


@mtesauro
Contributor

@AlperenY-cs I just kicked off the tests - they'll need to be green before we'll merge this PR - the Ruff linter has issues you can address now or when the rest of the tests have run.

@AlperenY-cs
Contributor Author

> @AlperenY-cs I just kicked off the tests - they'll need to be green before we'll merge this PR - the Ruff linter has issues you can address now or when the rest of the tests have run.

Thanks. I solved the ruff linter's problems. #fyi

Contributor

@mtesauro mtesauro left a comment


Approved

Review threads on dojo/tools/rapplex/parser.py (5, outdated, resolved)
Review thread on dojo/settings/settings.dist.py (outdated, resolved)
@AlperenY-cs AlperenY-cs requested a review from Maffooch May 22, 2024 11:26
Review thread on dojo/tools/rapplex/parser.py (outdated, resolved)
@AlperenY-cs AlperenY-cs requested a review from albay May 22, 2024 11:51

@albay albay left a comment


Thanks for the code changes.

@mtesauro
Contributor

@albay Closing and re-opening as the tests seem stuck for some reason

@mtesauro mtesauro closed this May 23, 2024
@mtesauro mtesauro reopened this May 23, 2024
@Maffooch
Contributor

Maffooch commented Jun 5, 2024

@AlperenY-cs one last thing that's needed is to update the settings hash, and then I think this one will be good to go!

Details for doing so are here: https://github.com/DefectDojo/django-DefectDojo/blob/67a75710d6991a3ee3d4ed8dca7d0ef5c9cef46a/dojo/settings/settings.dist.py#L1C1-L11C106

Contributor

github-actions bot commented Jun 6, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@AlperenY-cs
Contributor Author

@mtesauro Hi, is there anything I need to do?

@mtesauro
Contributor

@AlperenY-cs Looks like there's a conflict with the settings.dist.py - mind (re)doing what @Maffooch said above: #10202 (comment) Other than the merge conflict, this looks good.

Once the merge conflicts are sorted out, the rest of the reviews/approvals can start happening.

Contributor

github-actions bot commented Aug 2, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.


dryrunsecurity bot commented Aug 2, 2024

DryRun Security Summary

This pull request introduces changes to integrate the Rapplex web application security scanner with the DefectDojo application, including adding documentation, updating configuration files, implementing support for the "Rapplex Scan" type, adding a parser script, and providing sample Rapplex scan reports for unit testing.


Summary:

This pull request introduces several changes related to the integration of the Rapplex web application security scanner with the DefectDojo application. The changes include:

  1. Adding documentation for importing JSON reports from the Rapplex scanner in the rapplex.md file.
  2. Updating the hash sum for the settings.dist.py configuration file, indicating changes to the application's default settings.
  3. Implementing support for the "Rapplex Scan" type in the DefectDojo application, including mapping attributes to finding fields and configuring the deduplication algorithm.
  4. Adding a Python script (parser.py) that parses Rapplex JSON reports and generates security findings.
  5. Adding several JSON files containing sample Rapplex scan reports, which are used for unit testing the RapplexParser class.

From an application security perspective, these changes are generally positive, as they improve the integration and handling of security scan data from the Rapplex tool. However, it's important to review the changes carefully to ensure that they do not introduce any security vulnerabilities or unintended consequences.

Files Changed:

  1. docs/content/en/integrations/parsers/file/rapplex.md: This file adds documentation for importing JSON reports from the Rapplex scanner, which is a common practice for integrating third-party security tools.
  2. dojo/settings/.settings.dist.py.sha256sum: This file contains a SHA-256 hash sum for the settings.dist.py configuration file, which has been updated, indicating changes to the default application settings.
  3. dojo/settings/settings.dist.py: This file adds support for the "Rapplex Scan" type in the DefectDojo application, including mapping attributes to finding fields and configuring the deduplication algorithm.
  4. dojo/tools/rapplex/parser.py: This file is a Python script that parses Rapplex JSON reports and generates security findings, which can be imported into the DefectDojo application.
  5. unittests/scans/rapplex/rapplex_one_vul.json, unittests/scans/rapplex/rapplex_zero_vul.json, and unittests/scans/rapplex/rapplex_many_vul.json: These files contain sample Rapplex scan reports that are used for unit testing the RapplexParser class.
  6. unittests/tools/test_rapplex_parser.py: This file contains unit tests for the RapplexParser class, which ensures that the parser can correctly handle different types of Rapplex scan reports.

Code Analysis

We ran 9 analyzers against 9 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

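The two bot summaries above describe what the PR adds in outline: a parser module that turns a Rapplex JSON report into findings, and a settings.dist.py entry that maps the new "Rapplex Scan" type to a deduplication algorithm and the fields it keys on. The block below is an added example written for this page; it is not the PR's parser and not DefectDojo code. It shows both pieces in the shape DefectDojo expects and then exercises the one edge case the field list controls: the same weakness reported on two URLs. The report layout ("Issues", "Title", "Severity", "Url", "Description"), the sample issues and the field list in HASHCODE_FIELDS are assumptions for illustration; the real Rapplex schema and the field list the PR registers are not shown on this page.

```python
"""Added example, not the PR's own parser or DefectDojo code.

A minimal DefectDojo-style parser for an assumed Rapplex-like JSON report,
plus the hash_code-style deduplication key DefectDojo derives from the
fields a parser registers in settings.dist.py. The report layout and the
HASHCODE_FIELDS list are assumptions for illustration only.
"""
import hashlib
import json

# Constructed sample report (not real Rapplex output). The third and fourth
# issues are the same missing-header finding observed on two different URLs.
SAMPLE_REPORT = json.dumps({
    "Issues": [
        {"Title": "SQL Injection", "Severity": "Critical",
         "Url": "https://example.test/login",
         "Description": "Boolean-based blind SQL injection in parameter 'user'."},
        {"Title": "Cross-site Scripting", "Severity": "High",
         "Url": "https://example.test/search",
         "Description": "Reflected XSS in parameter 'q'."},
        {"Title": "Missing X-Frame-Options Header", "Severity": "Low",
         "Url": "https://example.test/",
         "Description": "Response lacks an X-Frame-Options header."},
        {"Title": "Missing X-Frame-Options Header", "Severity": "Low",
         "Url": "https://example.test/about",
         "Description": "Response lacks an X-Frame-Options header."},
        {"Title": "Server Banner Disclosure", "Severity": "Information",
         "Url": "https://example.test/",
         "Description": "Server header reveals product and version."},
    ]
})

# Scanner severities mapped onto the five values DefectDojo accepts; anything
# unrecognised is downgraded to Info rather than rejected.
SEVERITY_MAP = {
    "critical": "Critical", "high": "High", "medium": "Medium",
    "low": "Low", "information": "Info", "info": "Info",
}

# Assumed stand-in for a HASHCODE_FIELDS_PER_SCANNER entry for "Rapplex Scan".
# "url" is deliberately left out, which is what makes issues 3 and 4 collapse.
HASHCODE_FIELDS = ["title", "severity", "description"]


def to_severity(raw):
    """Normalise a scanner severity string to a DefectDojo severity."""
    return SEVERITY_MAP.get(str(raw or "").strip().lower(), "Info")


def compute_hash_code(finding, fields=HASHCODE_FIELDS):
    """Simplified hash_code: SHA-256 over the configured fields, concatenated in order.

    Findings with identical values in these fields share a key and are treated
    as one; fields outside the list never influence the key.
    """
    joined = "".join(str(finding.get(name, "")) for name in fields)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


class RapplexLikeParser:
    """Minimal parser in the shape of dojo/tools/<tool>/parser.py (takes report text,
    not a file object, to keep the example self-contained)."""

    def get_scan_types(self):
        return ["Rapplex Scan"]

    def get_label_for_scan_types(self, scan_type):
        return scan_type

    def get_description_for_scan_types(self, scan_type):
        return "Import Rapplex JSON reports."

    def get_findings(self, report_text):
        """Return one finding dict per issue; a report with no issues yields []."""
        data = json.loads(report_text)
        findings = []
        for issue in data.get("Issues") or []:
            finding = {
                "title": str(issue.get("Title") or "").strip(),
                "severity": to_severity(issue.get("Severity")),
                "description": str(issue.get("Description") or "").strip(),
                "url": issue.get("Url"),
                "dynamic_finding": True,   # DAST output: dynamic, not static
                "static_finding": False,
            }
            finding["hash_code"] = compute_hash_code(finding)
            findings.append(finding)
        return findings


def deduplicate(findings):
    """Keep the first finding per hash_code, as hash_code deduplication does on import."""
    unique = {}
    for finding in findings:
        unique.setdefault(finding["hash_code"], finding)
    return list(unique.values())


if __name__ == "__main__":
    parsed = RapplexLikeParser().get_findings(SAMPLE_REPORT)
    for f in deduplicate(parsed):
        print(f["severity"], f["title"], f["hash_code"][:12])
```

Run on the constructed report, the parser returns five findings and deduplication leaves four: the two X-Frame-Options issues collapse because "url" is not in the key. Whether that is wanted is the policy decision behind the settings_changes label on this PR; adding "url" to the field list gives one finding per endpoint instead, at the cost of a new finding every time the same weakness is seen on a new path.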


sonarqubecloud bot commented Aug 2, 2024

@Maffooch Maffooch merged commit 52b4116 into DefectDojo:dev Aug 2, 2024
126 checks passed
Labels: docs, parser, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), unittests
6 participants