🐞 Bug report
Describe the bug
I am seeing issues with my synced back findings.
My setup includes DefectDojo, the DefectDojo persistence provider, the notification hook and the ZAP + Nikto scanners.
I am trying to prevent a notification from being sent in case all findings are already "handled" (mitigated as false positive or risk accepted) in DefectDojo, as described briefly here: https://www.securecodebox.io/docs/hooks/notification-webhook/#configuration-of-a-notification
I have three findings in DefectDojo which were found by ZAP (Automation Framework) and imported using the persistence hook.
After doing a risk acceptance I expect all of them to be marked as duplicates during the next scan and all should include the "defectdojo.org/original-finding" data.
However as you can see in the json attached the last finding is not marked as a duplicate and the original finding is not attached.
findings-zap.json
With Nikto I am seeing the same issues, but with two (out of five) findings not having the details included. In the picture below the Alt-SVC finding was correctly duplicated and the X-Content finding was not.
Interestingly they are also the last ones in the json! Is there any sorting going on or is it just a coincidence?
Steps To Reproduce
Steps to reproduce the behavior:
- Create DefectDojo Persistence Setup as described below
- Run scans and import them into DefectDojo through the provider
- Check the synced-back json for the missing details.
Expected behavior
I expect the synced back findings to be marked as a duplicate and to include the original DefectDojo finding as described here
System (please complete the following information):
- secureCodeBox Version/Release: 4.1.0
- Kubernetes Version: v1.24.14-gke.2700
Screenshots / Logs
ZAP Findings in DefectDojo

Nikto Findings in DefectDojo

Persistence Hook Log
@LT100144 ~ k logs securecodebox-defectdojo-persistence-defectdojo-nikto-sch-rws67
2023-10-20 11:34:21 INFO DefectDojoPersistenceProvider:25 - Starting DefectDojo persistence provider
2023-10-20 11:34:21 INFO DefectDojoPersistenceProvider:36 - Downloading Scan Result
2023-10-20 11:34:22 INFO DefectDojoPersistenceProvider:40 - Uploading Findings to DefectDojo at: https://REDACTED
2023-10-20 11:34:22 INFO VersionedEngagementsStrategy:85 - Running with DefectDojo User Id: 12
2023-10-20 11:34:22 INFO VersionedEngagementsStrategy:203 - Looking for ID of ProductType 'Customer Facing Infrastructure'
2023-10-20 11:34:22 INFO VersionedEngagementsStrategy:210 - Using ProductType Id: 7
2023-10-20 11:34:24 INFO VersionedEngagementsStrategy:115 - Uploaded Scan Report as testID 2668 to DefectDojo
2023-10-20 11:34:24 INFO DefectDojoPersistenceProvider:44 - Identified total Number of findings in DefectDojo: 5
2023-10-20 11:34:24 INFO DefectDojoPersistenceProvider:51 - Overwriting secureCodeBox findings with the findings from DefectDojo.
2023-10-20 11:34:25 INFO S3Service:25 - Uploading Findings to S3
2023-10-20 11:34:26 INFO KubernetesService:88 - Updating Scan metadata
2023-10-20 11:34:26 INFO DefectDojoPersistenceProvider:63 - DefectDojo Persistence Completed
Additional context
Helm Setup
resource "helm_release" "securecodebox-defectdojo" {
  name       = "securecodebox-defectdojo"
  repository = "https://charts.securecodebox.io"
  chart      = "persistence-defectdojo"
  namespace  = kubernetes_namespace_v1.securecodebox.metadata[0].name
  version    = "4.1.0"
  values = [
    <<-EOF
    hook:
      tolerations:
        - key: "instance_type"
          value: "preemptible"
          effect: "NoSchedule"
    EOF
  ]
  set {
    name  = "defectdojo.url"
    value = "https://REDACTED"
  }
  set {
    name  = "defectdojo.authentication.userSecret"
    value = kubernetes_secret_v1.defectdojo-scanner-user-credentials.metadata[0].name
  }
  set {
    name  = "hook.resources.limits.memory"
    value = "500Mi"
  }
}

resource "helm_release" "securecodebox-nikto" {
  name       = "securecodebox-nikto"
  repository = "https://charts.securecodebox.io"
  chart      = "nikto"
  namespace  = kubernetes_namespace_v1.securecodebox.metadata[0].name
  version    = "4.0.1"
  values = [
    <<-EOF
    parser:
      tolerations:
        - key: "instance_type"
          value: "preemptible"
          effect: "NoSchedule"
    scanner:
      tolerations:
        - key: "instance_type"
          value: "preemptible"
          effect: "NoSchedule"
    EOF
  ]
}

resource "helm_release" "securecodebox-zap" {
  name       = "securecodebox-zap"
  repository = "https://charts.securecodebox.io"
  chart      = "zap"
  namespace  = kubernetes_namespace_v1.securecodebox.metadata[0].name
  version    = "4.0.1"
  values = [
    <<-EOF
    parser:
      tolerations:
        - key: "instance_type"
          value: "preemptible"
          effect: "NoSchedule"
    scanner:
      tolerations:
        - key: "instance_type"
          value: "preemptible"
          effect: "NoSchedule"
    EOF
  ]
  set {
    name  = "scanner.resources.requests.cpu"
    value = "2200m"
  }
  set {
    name  = "scanner.resources.requests.memory"
    value = "8200Mi"
  }
  set {
    name  = "scanner.resources.limits.memory"
    value = "8200Mi"
  }
}

resource "helm_release" "securecodebox-notification" {
  name       = "securecodebox-notification"
  repository = "https://charts.securecodebox.io"
  chart      = "notification"
  namespace  = kubernetes_namespace_v1.securecodebox.metadata[0].name
  version    = "4.1.0"
  values = [
    <<-EOF
    customTemplateMap:
      exists: true
      name: "${kubernetes_config_map_v1.email-template.metadata[0].name}"
    hook:
      tolerations:
        - key: "instance_type"
          value: "preemptible"
          effect: "NoSchedule"
    notificationChannels:
      - name: email
        type: email
        template: REDACTED
        skipNotificationOnZeroFinding: true
        rules:
          - matches:
              anyOf:
                - category: "DefectDojo Imported Finding"
                  attributes:
                    defectdojo.org/original-finding:
                      riskAccepted: false
                - category: "DefectDojo Imported Finding"
                  attributes:
                    duplicate: false
        endPoint: "REDACTED"
    env:
      - name: EMAIL_FROM
        value: REDACTED
      - name: SMTP_CONFIG
        valueFrom:
          secretKeyRef:
            name: email-config
            key: smtp-config
    EOF
  ]
}
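The notification rules in the Helm setup above decide whether a synced-back finding triggers an email. The following is an added example, not part of this issue or of the secureCodeBox project's code: it evaluates `rules[].matches.anyOf` against a handful of constructed findings so you can check, before relying on the hook, which findings a rule would fire on. It assumes that each `anyOf` entry is a partial finding object and that a finding matches when every key and value of that entry is present in the finding (deep partial match); the finding shapes and names are constructed for this example and are not taken from the attached JSON.

```javascript
// Added example (not from the issue or the secureCodeBox project). Assumption:
// an `anyOf` entry is a partial finding object and matches when all of its
// keys/values are present in the finding (nested objects recurse).
function isPartialMatch(obj, pattern) {
  if (pattern !== null && typeof pattern === "object" && !Array.isArray(pattern)) {
    if (obj === null || typeof obj !== "object") return false;
    return Object.keys(pattern).every(
      (k) => k in obj && isPartialMatch(obj[k], pattern[k])
    );
  }
  // Leaves (booleans, strings, numbers) compare by strict equality.
  return obj === pattern;
}

// A rule fires for a finding if the finding matches any entry of `anyOf`.
function ruleMatches(rule, finding) {
  return rule.matches.anyOf.some((pattern) => isPartialMatch(finding, pattern));
}

// Findings that would trigger a notification under the given rules.
function findingsTriggeringNotification(rules, findings) {
  return findings.filter((f) => rules.some((r) => ruleMatches(r, f)));
}

// Rules mirroring the notification channel configuration in the issue.
const rules = [
  {
    matches: {
      anyOf: [
        {
          category: "DefectDojo Imported Finding",
          attributes: { "defectdojo.org/original-finding": { riskAccepted: false } },
        },
        {
          category: "DefectDojo Imported Finding",
          attributes: { duplicate: false },
        },
      ],
    },
  },
];

// Constructed sample of synced-back findings (shapes assumed for this example).
const sampleFindings = [
  // Fully handled: duplicate of a risk-accepted DefectDojo finding -> no mail.
  {
    name: "handled-1",
    category: "DefectDojo Imported Finding",
    attributes: {
      duplicate: true,
      "defectdojo.org/original-finding": { id: 1001, riskAccepted: true },
    },
  },
  // Still open in DefectDojo -> mail.
  {
    name: "open-1",
    category: "DefectDojo Imported Finding",
    attributes: {
      duplicate: false,
      "defectdojo.org/original-finding": { id: 1002, riskAccepted: false },
    },
  },
  // The situation from the report: not marked duplicate, no original finding
  // attached. The second anyOf entry still matches, so a mail is sent.
  {
    name: "unsynced-1",
    category: "DefectDojo Imported Finding",
    attributes: { duplicate: false },
  },
  // Marked duplicate but the original-finding attribute is missing: neither
  // entry matches, so this finding is silently treated as handled.
  {
    name: "duplicate-without-original-1",
    category: "DefectDojo Imported Finding",
    attributes: { duplicate: true },
  },
];

console.log(
  findingsTriggeringNotification(rules, sampleFindings).map((f) => f.name)
);
```

The last constructed finding is the case worth watching for in a synced-back file: a finding that carries `duplicate: true` but lacks `defectdojo.org/original-finding` matches neither rule entry, so the hook would stay quiet about it even though nobody has actually risk-accepted it.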