
Commit 495cc63

Merge pull request #588 from secureCodeBox/fix/dd-timestamp-crash
Fix Crash in DefectDojo PersistenceProvider when Deserializing DefectDojo Timestamps
2 parents 7b8f802 + 78643bc commit 495cc63

5 files changed

Lines changed: 30 additions & 10 deletions


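--- a/hooks/persistence-defectdojo/hook/build.gradle
+++ b/hooks/persistence-defectdojo/hook/build.gradle
@@ -22,7 +22,7 @@ repositories {
 dependencies {
 implementation 'io.kubernetes:client-java:12.0.0'
 
-implementation 'io.securecodebox:defectdojo-client:0.0.18-SNAPSHOT'
+implementation 'io.securecodebox:defectdojo-client:0.0.19-SNAPSHOT'
 
 implementation group: 'org.springframework', name: 'spring-web', version: '5.3.9'
 implementation 'com.fasterxml.jackson.core:jackson-core:2.12.4'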

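--- a/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/mapping/SecureCodeBoxFindingsToDefectDojoMapper.java
+++ b/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/mapping/SecureCodeBoxFindingsToDefectDojoMapper.java
@@ -25,7 +25,7 @@
 public class SecureCodeBoxFindingsToDefectDojoMapper {
 private static final Logger LOG = LoggerFactory.getLogger(SecureCodeBoxFindingsToDefectDojoMapper.class);
 private static final DateTimeFormatter dtf = DateTimeFormatter.ofPattern("yyyy-MM-dd");
-private static final ObjectWriter prettyJSONPrinter = new ObjectMapper().writerWithDefaultPrettyPrinter();
+private static final ObjectWriter prettyJSONPrinter = new ObjectMapper().findAndRegisterModules().writerWithDefaultPrettyPrinter();
 
 /**
 * Converts a SecureCodeBox Findings JSON String to a DefectDojo Findings JSON String.
@@ -36,7 +36,9 @@ public class SecureCodeBoxFindingsToDefectDojoMapper {
 */
 public static String fromSecureCodeboxFindingsJson(String scbFindingsJson) throws IOException {
 LOG.debug("Converting SecureCodeBox Findings to DefectDojo Findings");
-ObjectMapper mapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+ObjectMapper mapper = new ObjectMapper()
+.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
+.findAndRegisterModules();
 List<DefectDojoImportFinding> DefectDojoImportFindings = new ArrayList<>();
 List<SecureCodeBoxFinding> secureCodeBoxFindings = mapper.readValue(scbFindingsJson, new TypeReference<>() {
 });
@@ -50,6 +52,25 @@ public static String fromSecureCodeboxFindingsJson(String scbFindingsJson) throw
 return ddFindingJson.toString();
 }
 
+protected static String convertToDefectDojoSeverity(SecureCodeBoxFinding.Severities severity) {
+if (severity == null) {
+return "Info";
+}
+
+switch (severity) {
+case HIGH:
+return "High";
+case MEDIUM:
+return "Medium";
+case LOW:
+return "Low";
+case INFORMATIONAL:
+return "Info";
+}
+
+return "Info";
+}
+
 /**
 * Converts a SecureCodeBox Finding to a DefectDojo Finding,
 * that can be imported by the DefectDojo Generic JSON Parser.
@@ -62,8 +83,7 @@ protected static DefectDojoImportFinding fromSecureCodeBoxFinding(SecureCodeBoxF
 //set basic Finding info
 DefectDojoImportFinding result = new DefectDojoImportFinding();
 result.setTitle(secureCodeBoxFinding.getName());
-if (secureCodeBoxFinding.getSeverity() != null)
-result.setSeverity(capitalize(secureCodeBoxFinding.getSeverity().toString()));
+result.setSeverity(convertToDefectDojoSeverity(secureCodeBoxFinding.getSeverity()));
 result.setUniqueIdFromTool(secureCodeBoxFinding.getId());
 // set DefectDojo description as combination of SecureCodeBox Finding description and Finding attributes
 String description = secureCodeBoxFinding.getDescription();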
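Review bot: The trailing `return "Info";` after the switch in convertToDefectDojoSeverity silently downgrades any Severities constant that is not one of the four listed cases to the lowest DefectDojo level, so a severity the enum gains later would be imported as informational and easily overlooked in triage. Since the class already has `LOG`, make that path visible before defaulting: `LOG.warn("Unmapped SecureCodeBox severity {}, defaulting to Info", severity);`. Whether the enum currently has constants beyond HIGH/MEDIUM/LOW/INFORMATIONAL is not visible in this diff, so today this may be purely defensive. Separately, fromSecureCodeboxFindingsJson now builds a fresh `ObjectMapper` with `findAndRegisterModules()` on every call, which re-runs the ServiceLoader module scan each time; hoisting it to a `private static final` next to `prettyJSONPrinter` avoids that, and note that fromSecureCodeboxFindingsJson's body continues past the second hunk.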

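--- a/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/service/S3Service.java
+++ b/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/service/S3Service.java
@@ -19,7 +19,7 @@ public class S3Service {
 private static final Logger LOG = LoggerFactory.getLogger(S3Service.class);
 
 public void overwriteFindings(String url, List<SecureCodeBoxFinding> secureCodeBoxFindings) throws IOException, InterruptedException {
-ObjectMapper mapper = new ObjectMapper();
+ObjectMapper mapper = new ObjectMapper().findAndRegisterModules();
 var findingJson = mapper.writeValueAsString(secureCodeBoxFindings);
 
 LOG.info("Uploading Findings to S3");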
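Review bot: The `ObjectMapper` on the changed line is created inside overwriteFindings, so every upload re-runs the `findAndRegisterModules()` ServiceLoader scan; the class already keeps `LOG` as a static, and the mapper belongs beside it as `private static final ObjectMapper MAPPER = new ObjectMapper().findAndRegisterModules();` (ObjectMapper is thread-safe once configured). If a module must be present for the timestamp fix to hold, registering it explicitly rather than relying on classpath discovery would make the failure mode a compile error instead of a runtime crash, though which module is needed is not visible here. The body of overwriteFindings continues past the hunk.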

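--- a/hooks/persistence-defectdojo/hook/src/test/java/io/securecodebox/persistence/mapping/SecureCodeBoxFindingsToDefectDojoMapperTest.java
+++ b/hooks/persistence-defectdojo/hook/src/test/java/io/securecodebox/persistence/mapping/SecureCodeBoxFindingsToDefectDojoMapperTest.java
@@ -44,7 +44,7 @@ public void yieldsCorrectResult() throws IOException {
 public void correctlyParsesFindings() throws IOException {
 var name = "Name";
 var description = "Description";
-var severity = "HIGH";
+var severity = "High";
 var id = "123";
 var parsedAt = "2020-04-15T12:27:28.153Z";
 var location = "ldap://[2001:db8::7]/c=GB?objectClass?one";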
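Review bot: This test still only exercises the HIGH → "High" mapping, while the commit also changes what happens when the severity is absent (previously the DefectDojo severity was left unset, now it becomes "Info") and drops the `capitalize` path entirely; that new default deserves its own case, e.g. a second input with the severity field omitted asserting `"severity": "Info"` on the mapped finding. The body of correctlyParsesFindings continues past the hunk, so the assertion that consumes `severity` is not visible here.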

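--- a/hooks/persistence-defectdojo/hook/src/test/resources/kubehunter-dd-findings.json
+++ b/hooks/persistence-defectdojo/hook/src/test/resources/kubehunter-dd-findings.json
@@ -3,7 +3,7 @@
 {
 "title": "Read access to pod's service account token",
 "description": " Accessing the pod service account token gives an attacker the option to use the server API \n {\n \"evidence\" : \"eyJhbGciOiJSUzI1NiIsImtpZCI6IkxuOE9ZaGt1SFFabmwzN3ZEYlg1R2ZqX25VVWtnWUlnU0VOdExBbWE4VFEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Imx1cmNoZXItdG9rZW4tdjI4cWIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibHVyY2hlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjIzMTg2YTI5LTY0NDQtNGI3Ny1hZjA1LTY5YzcyYWViZWYwZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0Omx1cmNoZXIifQ.IeiByhB-g3W6Zzr4_cEU2sdfyAHVwgnKn-apu8YVkS9886zSeg_BB4F-KsljFApt8gZA4gzLEMuDTEubURkD-omaWw6_eHkV_SfIiD69rvLFC-wTtLLxQijrfBa1ZJ6PxI1kVnykaWMnmBUbkqaK-xsnhw8_pk536qWjwEFUyf6PUUg1wzk_IpEQAY8paDzB1Od2eoE18NbXUFZYllsqKZly59jvsjwPRRHk8yYr3eQW6AyxBezOhpY9qI3kooKY2_mzMXAiyrcmb-apucQabMuDfVaFF7zR0OQ-1wR_hwH-ZfLZXjf9S0Im8_Hf0WLPw60iWp5d9g_kdKuysPlJGg\",\n \"kubeHunterRule\" : \"Access Secrets\"\n}",
-"severity": "LOW",
+"severity": "Low",
 "date": "2020-04-15",
 "unique_id_from_tool": "df9afbb5-f0c4-475b-a0e5-e3635c55917a",
 "endpoints": [
@@ -13,7 +13,7 @@
 {
 "title": "CAP_NET_RAW Enabled",
 "description": "CAP_NET_RAW is enabled by default for pods.\n If an attacker manages to compromise a pod,\n they could potentially take advantage of this capability to perform network\n attacks on other pods running on the same node\n {\n \"evidence\" : \"\",\n \"kubeHunterRule\" : \"Pod Capabilities Hunter\"\n}",
-"severity": "LOW",
+"severity": "Low",
 "date": "2020-04-16",
 "unique_id_from_tool": "341ad0c8-0f3b-47ff-9b89-83d4a7e121f7",
 "endpoints": [
@@ -23,7 +23,7 @@
 {
 "title": "Access to pod's secrets",
 "description": " Accessing the pod's secrets within a compromised pod might disclose valuable data to a potential attacker\n {\n \"evidence\" : \"['/var/run/secrets/kubernetes.io/serviceaccount/token', '/var/run/secrets/kubernetes.io/serviceaccount/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/..2021_05_17_21_58_54.448582170/token', '/var/run/secrets/kubernetes.io/serviceaccount/..2021_05_17_21_58_54.448582170/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/..2021_05_17_21_58_54.448582170/ca.crt']\",\n \"kubeHunterRule\" : \"Access Secrets\"\n}",
-"severity": "LOW",
+"severity": "Low",
 "date": "2020-04-17",
 "unique_id_from_tool": "eb0c75cf-beef-4fd8-b2ed-6e46a5afa1bc",
 "endpoints": [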
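Review bot: The evidence value in the first finding's description (fixture line 5, unchanged context in the first hunk) appears to be a complete RS256-signed Kubernetes service-account JWT whose payload names `system:serviceaccount:default:lurcher`; legacy service-account tokens of this shape carry no expiry, so if it was captured from a real cluster rather than generated for the test it is a live credential sitting in version history and should be rotated. Replacing it with an obviously synthetic placeholder such as `\"evidence\" : \"<redacted service account token>\"` keeps the fixture useful and stops secret scanners from flagging every checkout. Whether the originating cluster still exists is not something this diff shows.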
