
New Parser: Kiuwan SCA #10522

Merged
merged 35 commits into from
Aug 2, 2024

Conversation

mwager
Contributor

@mwager mwager commented Jul 6, 2024

Re-opening as per comment: #10064 (comment)

See description and discussion in the other PR: #10064

FYI @mtesauro

mwager added 28 commits April 25, 2024 10:50
… kiuwan-sca

* 'kiuwan-sca' of github.com:mwager/django-DefectDojo:
  Update versions in application files
  Product Metrics: Performance Enhancements (DefectDojo#10059)
  String Based Filtering: Follow on for DefectDojo#10038 (DefectDojo#10050)
  update semgrep tests (DefectDojo#10058)
  Jira Webhook: Reorg logging and responses (DefectDojo#10049)
  Similar Findings: Create Toggle (DefectDojo#10047)
  Bump social-auth-app-django from 5.4.0 to 5.4.1 (DefectDojo#10026)
  Update versions in application files
  Update versions in application files
  Updated DryRun Security config (DefectDojo#10037)
  Filtering Performance: Add opt-in setting for converting to string ba… (DefectDojo#10038)
  Updates to semgrep parser (DefectDojo#10033)
  Update versions in application files
@github-actions github-actions bot added docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR labels Jul 6, 2024

dryrunsecurity bot commented Jul 15, 2024

DryRun Security Summary

The pull request includes various updates and improvements to the integration of the Kiuwan Scanner (both SAST and SCA) with the DefectDojo application, including documentation updates, the addition of a new parser for Kiuwan SCA scan results, and the inclusion of unit tests to ensure the robustness of the Kiuwan SCA parser.


Summary:

The code changes in this pull request cover various updates and improvements to the integration of the Kiuwan Scanner (both SAST and SCA) with the DefectDojo application. The changes include documentation updates, the addition of a new parser for Kiuwan SCA scan results, and the inclusion of unit tests to ensure the robustness of the Kiuwan SCA parser.

From an application security perspective, the key points to highlight are:

  1. Documentation Updates: The changes to the documentation provide more detailed information on how to integrate Kiuwan SAST and SCA scans with DefectDojo, which helps improve the usability and security-related functionality of the application.

  2. Kiuwan SCA Parser: The addition of the KiuwanSCAParser class and the associated unit tests ensure that the DefectDojo application can accurately process and ingest the results of Kiuwan SCA scans. This includes mapping the Kiuwan vulnerability data to the appropriate fields, deduplicating findings, and handling muted (false positive) findings.

  3. Secure API Integration: The documentation and code changes demonstrate the use of secure API authentication (e.g., Basic Authentication with a token) when integrating with the Kiuwan REST API. This is an important security consideration to prevent unauthorized access and potential data leakage.

  4. Secure Handling of Scan Results: The unit tests cover the proper handling of the Kiuwan SCA scan results, including input validation and sanitization when processing the JSON data. This helps to mitigate potential security issues, such as JSON injection or insecure deserialization.

  5. Vulnerability Monitoring and Remediation: The inclusion of sample Kiuwan SCA scan results, which contain details about various vulnerabilities, demonstrates the organization's commitment to proactive vulnerability monitoring and remediation.

Overall, the changes in this pull request appear to be a positive contribution to the security and functionality of the DefectDojo application, as they improve the integration and processing of Kiuwan SAST and SCA scan results.

Files Changed:

  1. docs/content/en/integrations/parsers/file/kiuwan.md: Documentation update for the Kiuwan Scanner (SAST) integration.
  2. docs/content/en/integrations/parsers/file/kiuwan-sca.md: Documentation for the Kiuwan Scanner (SCA) integration.
  3. dojo/settings/settings.dist.py: Addition of a new parser for the "Kiuwan SCA Scan" tool, including updates to the deduplication algorithm and hash code fields.
  4. dojo/settings/.settings.dist.py.sha256sum: Update to the SHA-256 hash value for the dojo/settings/.settings.dist.py file, indicating a change to the configuration file.
  5. unittests/scans/kiuwan-sca/kiuwan_sca_no_vuln.json: Addition of an empty JSON array, indicating a Kiuwan SCA scan with no detected vulnerabilities.
  6. unittests/scans/kiuwan-sca/kiuwan_sca_many_vuln.json: Addition of a file containing details about various vulnerabilities detected by the Kiuwan SCA tool.
  7. dojo/tools/kiuwan_sca/parser.py: Implementation of the KiuwanSCAParser class, which is responsible for parsing the Kiuwan SCA scan results.
  8. unittests/tools/test_kiuwan_sca_parser.py: Unit tests for the KiuwanSCAParser class.
  9. unittests/scans/kiuwan-sca/kiuwan_sca_two_vuln.json: Addition of a file containing details about two security vulnerabilities and one muted vulnerability.

Code Analysis

We ran 9 analyzers against 10 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


mwager added 2 commits July 15, 2024 16:25
* dev:
  Update dependency ruff from 0.5.0 to v0.5.1 (requirements-lint.txt) (DefectDojo#10521)
  Bump django-debug-toolbar from 4.4.2 to 4.4.4 (DefectDojo#10520)
  Bump boto3 from 1.34.138 to 1.34.139 (DefectDojo#10518)
  Bump psycopg[binary] from 3.1.19 to 3.2.1 (DefectDojo#10517)
  Bump packageurl-python from 0.15.1 to 0.15.2 (DefectDojo#10516)
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mwager
Contributor Author

mwager commented Jul 16, 2024

@kiblik Do you know why all these tests are failing? Is this expected to happen?

https://github.com/DefectDojo/django-DefectDojo/actions/runs/9941292602/job/27463545277?pr=10522

@kiblik
Contributor

kiblik commented Jul 16, 2024

@kiblik Do you know why all these tests are failing? Is this expected to happen?

https://github.com/DefectDojo/django-DefectDojo/actions/runs/9941292602/job/27463545277?pr=10522

I know :)

#########################################################################################################
# If as a developer of a new feature, you need to perform an update of file 'settings.dist.py',         #
# after the change, calculate the checksum and store it related file by calling the following command:  #
# $ sha256sum settings.dist.py | cut -d ' ' -f1 > .settings.dist.py.sha256sum                           #
#########################################################################################################

mwager added 2 commits July 16, 2024 12:33
… kiuwan-sca

# By dependabot[bot] (13) and others
# Via GitHub
* 'kiuwan-sca' of github.com:mwager/django-DefectDojo: (39 commits)
  Deprecate Python-jose and migrate okta to python_social_auth (DefectDojo#10117)
  fix: dockerfile warnings (DefectDojo#10505)
  Ruff: Add and fix Q000 (DefectDojo#10095)
  Fix(django): Upgrade of 4.2 (DefectDojo#10553)
  fix(deps): build python psycopg3 dependency instead of use the pre-build binary (DefectDojo#10491)
  Bump coverage from 7.5.4 to 7.6.0 (DefectDojo#10560)
  Bump asteval from 1.0.0 to 1.0.1 (DefectDojo#10561)
  Bump djangorestframework from 3.14.0 to 3.15.2 (DefectDojo#10431)
  Bump boto3 from 1.34.142 to 1.34.143 (DefectDojo#10558)
  Bump django-debug-toolbar from 4.4.5 to 4.4.6 (DefectDojo#10557)
  Bump boto3 from 1.34.141 to 1.34.142 (DefectDojo#10551)
  Bump packageurl-python from 0.15.2 to 0.15.3 (DefectDojo#10541)
  Bump boto3 from 1.34.140 to 1.34.141 (DefectDojo#10542)
  Update helm lock file
  Update versions in application files
  Update versions in application files
  API: Convert get_filterset calls to get_queryset (DefectDojo#10543)
  Bump django-debug-toolbar from 4.4.4 to 4.4.5 (DefectDojo#10527)
  Fix ruff
  Ruff fix
  ...

# Conflicts:
#	dojo/settings/.settings.dist.py.sha256sum
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@mwager
Contributor Author

mwager commented Jul 16, 2024

@kiblik Do you know why all these tests are failing? Is this expected to happen?
https://github.com/DefectDojo/django-DefectDojo/actions/runs/9941292602/job/27463545277?pr=10522

I know :)

#########################################################################################################
# If as a developer of a new feature, you need to perform an update of file 'settings.dist.py',         #
# after the change, calculate the checksum and store it related file by calling the following command:  #
# $ sha256sum settings.dist.py | cut -d ' ' -f1 > .settings.dist.py.sha256sum                           #
#########################################################################################################

Thank you!😅

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mwager
Contributor Author

mwager commented Jul 16, 2024

Still these errors even though I added the sha256 sum, did I miss something?

https://github.com/DefectDojo/django-DefectDojo/actions/runs/9955319925/job/27511988262?pr=10522

@kiblik
Contributor

kiblik commented Jul 16, 2024

Still these errors even though I added the sha256 sum, did I miss something?

https://github.com/DefectDojo/django-DefectDojo/actions/runs/9955319925/job/27511988262?pr=10522

sha256 needs to be calculated based on the latest commit (to be more precise, based on changes from the latest commit where settings.dist.py was edited). I see that you did the calculation, but afterwards you merged data from the dev branch which contained an edit of settings.dist.py. So you need to do the recalculation again.
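The checksum guard described in the settings.dist.py header and in the reply above, as an added example that is not DefectDojo's own CI check: it runs the same sha256sum/cut pipeline, verifies the stored digest against the file, and shows how a merge from dev that edits settings.dist.py leaves a previously correct .settings.dist.py.sha256sum stale. The temporary directory layout and the setting lines written into it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not DefectDojo's own CI script): reproduce the settings.dist.py
# checksum guard and the stale-checksum-after-merge failure mode.

# Same pipeline the settings.dist.py header prescribes: hash the file, keep only the digest.
compute_sum() {
  sha256sum "$1" | cut -d ' ' -f1
}

# Write the digest to the sidecar file, as a developer does after editing settings.dist.py.
update_settings_sum() {
  compute_sum "$1/settings.dist.py" > "$1/.settings.dist.py.sha256sum"
}

# Verify the sidecar matches the file: returns 0 on match, 1 on mismatch (the CI failure case).
check_settings_sum() {
  expected="$(tr -d '[:space:]' < "$1/.settings.dist.py.sha256sum")"
  actual="$(compute_sum "$1/settings.dist.py")"
  if [ "$expected" = "$actual" ]; then
    echo "settings.dist.py checksum OK"
    return 0
  fi
  echo "settings.dist.py checksum MISMATCH: stored $expected, actual $actual" >&2
  return 1
}

# Constructed demo in a temp dir, not the real repository layout.
demo_dir="$(mktemp -d)"
printf 'DD_DEBUG = False\n' > "$demo_dir/settings.dist.py"
update_settings_sum "$demo_dir"   # developer recalculates after their own edit
check_settings_sum "$demo_dir"    # passes

# Simulate merging dev, which also edited settings.dist.py: the stored digest is now stale.
printf 'DD_NEW_SETTING = True\n' >> "$demo_dir/settings.dist.py"
check_settings_sum "$demo_dir" || echo "recalculate the checksum after the merge"
rm -rf "$demo_dir"
```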

@mwager
Contributor Author

mwager commented Jul 18, 2024

There are e2e test issues, looks like typical async issues:
https://github.com/DefectDojo/django-DefectDojo/actions/runs/9959370422/job/27517136351?pr=10522#step:9:45

and also helm download issues:
https://github.com/DefectDojo/django-DefectDojo/actions/runs/9959370404/job/27516840500?pr=10522

What could I do? Maybe trigger a re-run?

@mwager
Contributor Author

mwager commented Jul 29, 2024

@mtesauro as I already re-created this PR (see description above) I would like to avoid doing it again. This PR was reviewed already by 2 persons and just cannot get merged because of strange issues with the pipelines.

What could I do to help speed things up?

@mtesauro
Contributor

mtesauro commented Aug 1, 2024

@mwager Sorry, you've had unfortunate timing - we're deprecating MySQL and RabbitMQ which were sprinkled all through our tests so they have been extra flaky in July which hasn't been helped by contributors being on holiday.

We're targeting this one to be part of next week's release of 2.37.0 👍

Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit 91b34af into DefectDojo:dev Aug 2, 2024
125 checks passed
Labels
docs parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR unittests