diff --git a/hooks/persistence-defectdojo/.helm-docs.gotmpl b/hooks/persistence-defectdojo/.helm-docs.gotmpl index c10135d792..ed261a165f 100644 --- a/hooks/persistence-defectdojo/.helm-docs.gotmpl +++ b/hooks/persistence-defectdojo/.helm-docs.gotmpl @@ -130,7 +130,7 @@ can add these via annotation to the scan. See examples below. | `defectdojo.securecodebox.io/engagement-deduplicate-on-engagement` | Deduplicate On Engagement | false | Only used when creating the Engagement not used for updating | | `defectdojo.securecodebox.io/engagement-tags` | Engagement Tags | Nothing | Only used when creating the Engagement not used for updating | | `defectdojo.securecodebox.io/test-title` | Test Title | Scan Name | | - +| `defectdojo.securecodebox.io/minimum_severity` | Minimum severity for findings created in DD | Nothing | Used to only create finding in DD, which are of a certain severity | ### Read-only Mode By default, the DefectDojo hook will pull the imported results from DefectDojo and use them to replace the results inside secureCodeBox. 
@@ -220,6 +220,30 @@ helm upgrade --install dd secureCodeBox/persistence-defectdojo \ --set="defectdojo.authentication.userId=42" ``` +### DefectDojo minimum severity + +It has come to our attention, that DefectDojo become slow when handling a lot of data. A lot of data in DefectDojo can be informational findings one likes to ignore. +Therefore Defectdojo provides the option to only create findings for scan finding from a certain severity level and above, thus lowering the amount of data stored. +We integrate this option in our scans by providing the "defectdojo.securecodebox.io/minimum_severity" annotation for scans. +This is an example of how the minimum severity for findings of a scan can be set: +```yaml +apiVersion: "execution.securecodebox.io/v1" +kind: ScheduledScan +metadata: + name: "zap-juiceshop" + annotations: + defectdojo.securecodebox.io/minimum_severity: "Low" +spec: + interval: 24h + scanSpec: + scanType: "zap-full-scan" + parameters: + - "-t" + - "http://juice-shop.demo-targets.svc:3000" +``` +In this example only for scan findings with a severity of "Low" or higher there are findings in DefectDojo created. + + ### Simple Example Scans This will run a daily scan using ZAP on a demo target. The results will be imported using the name "zap-juiceshop-$UNIX_TIMESTAMP" (Name of the Scan created by the ScheduledScan), in a product called "zap-juiceshop" in the default DefectDojo product type. diff --git a/hooks/persistence-defectdojo/hook/build.gradle b/hooks/persistence-defectdojo/hook/build.gradle index ac3ee66911..2cf88c0c02 100644 --- a/hooks/persistence-defectdojo/hook/build.gradle +++ b/hooks/persistence-defectdojo/hook/build.gradle 
@@ -21,7 +21,7 @@ repositories { dependencies { implementation 'io.kubernetes:client-java:12.0.0' - implementation 'io.securecodebox:defectdojo-client:0.0.40-SNAPSHOT' + implementation 'io.securecodebox:defectdojo-client:0.0.41-SNAPSHOT' implementation group: 'org.springframework', name: 'spring-web', version: '5.3.9' implementation 'com.fasterxml.jackson.core:jackson-core:2.12.4' diff --git a/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/models/Scan.java b/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/models/Scan.java index 959e691654..4aeed55346 100644 --- a/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/models/Scan.java +++ b/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/models/Scan.java @@ -87,6 +87,11 @@ public Optional getTestTitle() { return this.getKey(SecureCodeBoxScanAnnotations.TEST_TITLE); } + + public Optional getMinimumSeverity() { + return this.getKey(SecureCodeBoxScanAnnotations.MINIMUM_SEVERITY); + } + @AllArgsConstructor public enum SecureCodeBoxScanAnnotations { PRODUCT_TYPE("defectdojo.securecodebox.io/product-type-name"), @@ -98,6 +103,7 @@ public enum SecureCodeBoxScanAnnotations { ENGAGEMENT_DEDUPLICATE_ON_ENGAGEMENT("defectdojo.securecodebox.io/engagement-deduplicate-on-engagement"), ENGAGEMENT_TAGS("defectdojo.securecodebox.io/engagement-tags"), TEST_TITLE("defectdojo.securecodebox.io/test-title"), + MINIMUM_SEVERITY("defectdojo.securecodebox.io/minimum-severity") ; @Getter diff --git a/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/strategies/VersionedEngagementsStrategy.java b/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/strategies/VersionedEngagementsStrategy.java index 5a4e86c967..abef4bd283 100644 --- a/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/strategies/VersionedEngagementsStrategy.java 
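Review bot: The constant added in the second Scan.java hunk, `MINIMUM_SEVERITY("defectdojo.securecodebox.io/minimum-severity")`, does not match the key this same commit documents in .helm-docs.gotmpl, which writes `defectdojo.securecodebox.io/minimum_severity` (underscore) in both the annotation table and the ScheduledScan example. A user who copies the documented annotation gets no severity filter at all and every finding is still imported, with nothing in the hook's output showing that the annotation was ignored. The hyphenated form is consistent with every other constant in the enum, so the fix belongs in the docs (`defectdojo.securecodebox.io/minimum-severity` in the table row and in the YAML example) rather than in the enum. The new accessor in the first hunk would also benefit from a one-line Javadoc, e.g. `/** Value of the minimum-severity annotation, if set; the string is handed to DefectDojo as given. */`. The enum body continues outside the hunk.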
+++ b/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/strategies/VersionedEngagementsStrategy.java @@ -24,6 +24,7 @@ import java.util.List; import java.util.Map; import java.util.Objects; +import org.springframework.util.LinkedMultiValueMap; /** * VersionedEngagementsStrategy creates a new Engagement for every new version of the software. @@ -87,7 +88,6 @@ public List run(Scan scan, ScanFile scanResultFile) throws Exception { } LOG.info("Running with DefectDojo User Id: {}", userId); - long productTypeId = this.ensureProductTypeExistsForScan(scan); long productId = this.ensureProductExistsForScan(scan, productTypeId).getId(); @@ -101,14 +101,20 @@ public List run(Scan scan, ScanFile scanResultFile) throws Exception { ScanType scanType = ScanNameMapping.bySecureCodeBoxScanType(scan.getSpec().getScanType()).scanType; TestType testType = testTypeService.searchUnique(TestType.builder().name(scanType.getTestType()).build()).orElseThrow(() -> new DefectDojoPersistenceException("Could not find test type '" + scanType.getTestType() + "' in DefectDojo API. DefectDojo might be running in an unsupported version.")); - + + var additionalValues = new LinkedMultiValueMap(); + if (scan.getMinimumSeverity().isPresent()) { + additionalValues.add("minimum-severity", scan.getMinimumSeverity().get()); + } + importScanService.reimportScan( scanResultFile, testId, userId, this.descriptionGenerator.currentDate(), scanType, - testType.getId() + testType.getId(), + additionalValues ); LOG.info("Uploaded Scan Report as testID {} to DefectDojo", testId);
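Review bot: In the @@ -101 hunk the annotation value is copied into additionalValues and forwarded to reimportScan without any check or log line, so a value such as "low" or "Medium " silently yields whatever DefectDojo does with an unrecognised severity; unless the 0.0.41-SNAPSHOT client validates it, the value should be checked against the severity names DefectDojo accepts and rejected early with a DefectDojoPersistenceException, and in any case the effective value should be logged next to the existing "Running with DefectDojo User Id" line so an operator can see the filter that was applied. The `isPresent()`/`get()` pair reads better as `ifPresent`, which also removes the double call to getMinimumSeverity(). The literal key `"minimum-severity"` is worth confirming against what the bumped defectdojo-client maps to the DefectDojo request field, since the annotation key and the DefectDojo API are not necessarily spelled alike — this is inferred, not visible in the hunk. The type parameters of LinkedMultiValueMap appear stripped in this rendering; if the source really reads `new LinkedMultiValueMap()` it is a raw type and should be `new LinkedMultiValueMap<String, String>()`. The run method continues outside the hunk.
```java
// … unchanged: scanType / testType lookup …
var additionalValues = new LinkedMultiValueMap<String, String>();
scan.getMinimumSeverity().ifPresent(minimumSeverity -> {
    // Forwarded to DefectDojo as given; the client/API decides what the string means.
    LOG.info("Importing only findings of severity '{}' or higher into DefectDojo", minimumSeverity);
    additionalValues.add("minimum-severity", minimumSeverity);
});
// … unchanged: importScanService.reimportScan(...) call …
```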