
Add new parser - Threat Composer #10795

Merged (6 commits) on Sep 6, 2024
Conversation

@arivra (Contributor) commented Aug 21, 2024

Description

New parser for Threat Composer - simple threat modeling tool

Each threat is equivalent to a finding. Mitigations associated with a threat are included in the finding mitigation field.

For more information, see Threat Composer.
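As an added illustration of the mapping the description states (one finding per threat, linked mitigations folded into the finding's mitigation field), here is a small self-contained Python mapper. It is example code written for this page, not DefectDojo's own dojo/tools/threat_composer/parser.py. The JSON layout it reads (top-level "threats", "mitigations", "assumptions", "mitigationLinks" and "assumptionLinks"; a threat "statement" and a "metadata" list of key/value entries carrying "Priority") is an assumption about the Threat Composer export, and the sample export is constructed, not real project data. It also covers the edge cases the unit tests are said to exercise: an export with no threats, a dangling mitigation link, and input that is not a valid export.

```python
"""Added example: Threat Composer export -> DefectDojo-style finding dicts.
Not the project's parser; the JSON field names are assumptions."""
import json
from collections import defaultdict
from typing import Any

# Assumed Threat Composer priority values mapped onto DefectDojo severities;
# a threat with no priority set is reported as "Info".
PRIORITY_TO_SEVERITY = {"High": "High", "Medium": "Medium", "Low": "Low"}

# Constructed sample export (hypothetical data, layout assumed).
SAMPLE_EXPORT = json.dumps({
    "schema": 1,
    "applicationInfo": {"name": "demo-app"},
    "threats": [
        {"id": "t-1", "numericId": 1,
         "statement": "An external actor with network access can replay captured "
                      "session tokens, which leads to account takeover.",
         "threatImpact": "account takeover",
         "metadata": [{"key": "Priority", "value": "High"},
                      {"key": "STRIDE", "value": ["S", "E"]},
                      {"key": "Comments", "value": "Seen in a prior pentest."}]},
        {"id": "t-2", "numericId": 2,
         "statement": "A malicious insider can read backup archives, which leads "
                      "to data disclosure.",
         "threatImpact": "data disclosure",
         "metadata": [{"key": "Priority", "value": "Low"}]},
    ],
    "mitigations": [
        {"id": "m-1", "content": "Bind session tokens to the TLS session and rotate "
                                 "them on privilege change."},
        {"id": "m-2", "content": "Short token lifetime with server-side revocation."},
    ],
    "mitigationLinks": [
        {"mitigationId": "m-1", "linkedId": "t-1"},
        {"mitigationId": "m-2", "linkedId": "t-1"},
        {"mitigationId": "m-missing", "linkedId": "t-2"},  # dangling link
    ],
    "assumptions": [{"id": "a-1", "content": "Backups are encrypted at rest."}],
    "assumptionLinks": [{"assumptionId": "a-1", "linkedId": "t-2"}],
})


def _metadata_value(threat: dict[str, Any], key: str, default: Any = None) -> Any:
    """Return the value of the first metadata entry whose key matches."""
    for entry in threat.get("metadata", []):
        if entry.get("key") == key:
            return entry.get("value", default)
    return default


def _links_by_threat(links: list, target_key: str, targets: dict) -> dict:
    """Group linked objects by threat id; links to unknown ids are dropped."""
    grouped: dict = defaultdict(list)
    for link in links:
        target = targets.get(link.get(target_key))
        if target is not None:  # dangling link: skip rather than crash
            grouped[link.get("linkedId")].append(target)
    return grouped


def parse_threat_composer(raw: str) -> list[dict[str, Any]]:
    """Parse a Threat Composer JSON export; one finding dict per threat."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not a Threat Composer JSON export: {exc}") from exc
    if not isinstance(data, dict) or not isinstance(data.get("threats"), list):
        raise ValueError("export has no top-level 'threats' list")

    mitigations = {m["id"]: m for m in data.get("mitigations", [])}
    assumptions = {a["id"]: a for a in data.get("assumptions", [])}
    mit_by_threat = _links_by_threat(data.get("mitigationLinks", []), "mitigationId", mitigations)
    asm_by_threat = _links_by_threat(data.get("assumptionLinks", []), "assumptionId", assumptions)
    app = data.get("applicationInfo", {}).get("name", "Threat model")

    findings = []
    for threat in data["threats"]:
        tid = threat.get("id")
        description = threat.get("statement", "")
        if asm_by_threat.get(tid):
            description += "\n\nAssumptions:\n" + "\n".join(
                f"- {a.get('content', '')}" for a in asm_by_threat[tid])
        comments = _metadata_value(threat, "Comments")
        if comments:
            description += f"\n\nComments: {comments}"
        findings.append({
            "title": f"{app}: threat {threat.get('numericId', tid)}",
            "description": description,
            "severity": PRIORITY_TO_SEVERITY.get(_metadata_value(threat, "Priority"), "Info"),
            # All linked mitigations land in the single mitigation field.
            "mitigation": "\n".join(f"- {m.get('content', '')}" for m in mit_by_threat.get(tid, [])),
            "impact": threat.get("threatImpact", ""),
            "unique_id_from_tool": tid,
        })
    return findings


def rejects(raw: str) -> bool:
    """True if the input is refused as an invalid export."""
    try:
        parse_threat_composer(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for finding in parse_threat_composer(SAMPLE_EXPORT):
        print(finding["severity"], finding["title"], "|", finding["mitigation"])
```

Keying deduplication on the threat id (`unique_id_from_tool`) rather than on the statement text is what keeps a re-import stable when someone rewords a threat; the dangling-link and empty-threats paths are the two failure modes a real import of a hand-edited export is most likely to hit.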

github-actions bot added the labels settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests and parser on Aug 21, 2024

dryrunsecurity bot commented Aug 21, 2024

DryRun Security Summary

The provided code changes focus on improving the integration and handling of the Threat Composer parser in the DefectDojo application, including updates to documentation, configuration files, threat modeling data handling, unit tests, and the introduction of threat modeling data files.


Summary:

The provided code changes cover a range of updates to the DefectDojo application, primarily focused on improving the integration and handling of the Threat Composer parser. The changes include:

  1. Documentation Update: Adding documentation for the Threat Composer parser, including information about the file types accepted and where to find sample scan data.
  2. Configuration File Changes: Updates to the configuration file checksums and the handling of Threat Composer scan data, including parsing of threats, mitigations, assumptions, and their relationships.
  3. Threat Modeling Data Handling: Improvements to the parsing and representation of Threat Composer data within the DefectDojo application, including the creation of Finding objects and the appropriate handling of threat metadata.
  4. Unit Tests: Addition of comprehensive unit tests to ensure the proper functioning of the Threat Composer parser, covering various scenarios such as files with no threats, one threat, many threats, and files with errors.
  5. Threat Modeling Data Files: Introduction of several JSON files containing threat modeling data for the "Threat Composer" application, including assumptions, mitigations, and threats.

From an application security perspective, the changes appear to be focused on improving the security posture of the DefectDojo application by enhancing the handling of threat modeling data and ensuring the robustness of the Threat Composer parser. The addition of unit tests and the comprehensive threat modeling data files are particularly noteworthy, as they demonstrate a proactive approach to identifying and addressing potential security risks.

Files Changed:

  1. docs/content/en/integrations/parsers/file/threat_composer.md: Documentation update for the Threat Composer parser.
  2. dojo/settings/.settings.dist.py.sha256sum: Configuration file checksum update.
  3. dojo/tools/threat_composer/parser.py: Implementation of the Threat Composer JSON parser.
  4. dojo/settings/settings.dist.py: Updates to the SAML2 attribute mapping and deduplication algorithm for the "ThreatComposer Scan" parser.
  5. unittests/scans/threat_composer/: Addition of several JSON files containing threat modeling data for the "Threat Composer" application.
  6. unittests/tools/test_threat_composer_parser.py: Unit tests for the Threat Composer parser.

Code Analysis

We ran 9 analyzers against 12 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


@kiblik (Contributor) left a review:

Couple of ideas for improvements. But I like it in general.

Inline review comments (all resolved) on dojo/tools/threat_composer/parser.py (3) and unittests/tools/test_threat_composer_parser.py (5).
@arivra arivra force-pushed the threat_composer branch 3 times, most recently from 706e490 to cfcb467 Compare August 28, 2024 08:11
@arivra (Contributor, Author) commented Aug 28, 2024

I have added the settings.dist.py checksum, how often are unit tests run?

@kiblik (Contributor) commented Aug 28, 2024

@mtesauro, can you enable tests for this PR, please?

@mtesauro (Contributor) left a review:

Approved

github-actions bot commented Sep 6, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@arivra arivra changed the base branch from dev to bugfix September 6, 2024 11:54
github-actions bot commented Sep 6, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions github-actions bot removed the helm label Sep 6, 2024
@damianpr (Contributor) left a review:

LGTM

@arivra (Contributor, Author) commented Sep 6, 2024

Hi

  • @cneill I have solved your comment, could you review it?
  • @mtesauro I have changed the base branch to bugfix as in this PR

Could anyone approve the ruff-linting step?

Thank you!

@Maffooch Maffooch merged commit bbc68db into DefectDojo:bugfix Sep 6, 2024
73 checks passed
Labels: docs, parser, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), unittests

8 participants