Merge remote-tracking branch 'origin/feature/defect-dojo-generic-import' into merge/defect-dojo

# Conflicts:
#	scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java
#	scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java

Author: J12934

scb-engine/pom.xml

@@ -166,6 +166,12 @@
                     <version>0.0.1-SNAPSHOT</version>
                     <scope>runtime</scope>
                 </dependency>
+                <dependency>
+                    <groupId>io.securecodebox.scanprocesses</groupId>
+                    <artifactId>subdomain-scanner-process</artifactId>
+                    <version>1.0-SNAPSHOT</version>
+                    <scope>runtime</scope>
+                </dependency>
                 <dependency>
                     <groupId>io.securecodebox.scanprocesses</groupId>
                     <artifactId>combined-nmap-nikto-scanprocess</artifactId>

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoPersistenceProvider.java

@@ -19,6 +19,7 @@
 package io.securecodebox.persistence;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import io.securecodebox.model.findings.Finding;
 import io.securecodebox.model.securitytest.CommonMetaFields;
 import io.securecodebox.model.securitytest.SecurityTest;
 
@@ -33,6 +34,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.text.MessageFormat;
 import java.time.Clock;
 import java.time.LocalDate;
 import java.time.format.DateTimeFormatter;
@@ -72,20 +74,21 @@ public void persist(SecurityTest securityTest) throws PersistenceException {
         String username = securityTest.getMetaData().get(DefectDojoMetaFields.DEFECT_DOJO_USER.name());
         String userUrl = defectDojoService.getUserUrl(username);
 
-        for (String rawResult : getRawResults(securityTest)) {
-            defectDojoService.createFindings(
-                    rawResult,
-                    engagementUrl,
-                    userUrl,
-                    currentDate(),
-                    getDefectDojoScanName(securityTest.getName())
-            );
-        }
+        List<String> results = getDefectDojoScanName(securityTest.getName()).equals("Generic Findings Import") ? getGenericResults(securityTest) : getRawResults(securityTest);
+            for (String result : results) {
+                defectDojoService.createFindings(
+                        result,
+                        engagementUrl,
+                        userUrl,
+                        currentDate(),
+                        getDefectDojoScanName(securityTest.getName())
+                );
+            }
     }
 
-    static final String GIT_SERVER_NAME = "Git Server";
-    static final String BUILD_SERVER_NAME = "Build Server";
-    static final String SECURITY_TEST_SERVER_NAME = "Security Test Orchestration Engine";
+    static final String GIT_SERVER_NAME = "GitServer";
+    static final String BUILD_SERVER_NAME = "BuildServer";
+    static final String SECURITY_TEST_SERVER_NAME = "SecurityTestOrchestrationEngine";
 
     private void checkToolTypes() {
         DefectDojoResponse<ToolType> toolTypeGitResponse = defectDojoService.getToolTypeByName(GIT_SERVER_NAME);
@@ -128,6 +131,23 @@ private List<String> getRawResults(SecurityTest securityTest) throws DefectDojoP
         }
     }
 
+    private List<String> getGenericResults(SecurityTest securityTest) {
+        List<String> genericResults = new LinkedList<>();
+        for(Finding finding: securityTest.getReport().getFindings()){
+            genericResults.add(MessageFormat.format("date,title,cweid,url,severity,description,mitigation,impact,references,active,verified,falsepositive,duplicate\n" +
+                            "{0},{1},,{2},{3},{4},,,,,,{5},{6}",
+                    currentDate(),
+                    finding.getName().replace(",", "  "),
+                    finding.getLocation().replace(",", "  "),
+                    finding.getSeverity(),
+                    finding.getDescription().replace(",", "  "),
+                    finding.isFalsePositive(),
+                    "false"
+            ));
+        }
+        return genericResults;
+    }
+
     private EngagementResponse createEngagement(SecurityTest securityTest) {
         EngagementPayload engagementPayload = new EngagementPayload();
         engagementPayload.setProduct(defectDojoService.getProductUrl(securityTest.getContext()));
@@ -169,7 +189,8 @@ protected static String getDefectDojoScanName(String securityTestName) {
         scannerDefectDojoMapping.put("nmap", "Nmap Scan");
         scannerDefectDojoMapping.put("zap", "ZAP Scan");
 
-        // TODO: Why is nikto not in the list?
+        // Nikto is a supported tool as well but currently not accessible for supported import.
+        // Nikto thus will use Generic Findings Import.
 
         // Can be used by 3rd party integrations to
         // import these scan results directly into defectdojo
@@ -195,8 +216,8 @@ protected static String getDefectDojoScanName(String securityTestName) {
 
         if (scannerDefectDojoMapping.containsKey(securityTestName)) {
             return scannerDefectDojoMapping.get(securityTestName);
+        }else{
+            return "Generic Findings Import";
         }
-
-        throw new DefectDojoPersistenceException("No defectdojo parser for securityTest: '" + securityTestName + "'");
     }
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/main/java/io/securecodebox/persistence/DefectDojoService.java

@@ -18,6 +18,7 @@
  */
 package io.securecodebox.persistence;
 
+
 import io.securecodebox.persistence.models.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DefectDojoPersistenceProviderTest.java

@@ -2,6 +2,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import io.securecodebox.model.findings.Finding;
 import io.securecodebox.model.rest.Report;
 import io.securecodebox.model.securitytest.CommonMetaFields;
 import io.securecodebox.model.securitytest.SecurityTest;
@@ -19,6 +20,7 @@
 import java.time.ZoneId;
 import java.util.*;
 
+import static io.securecodebox.model.findings.Severity.INFORMATIONAL;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.*;
@@ -174,7 +176,7 @@ public void failsIfProductCouldNotBeFound(){
     }
 
     @Test
-    public void createsFindings() throws JsonProcessingException {
+    public void createsFindingsForSupportedScanner() throws JsonProcessingException {
         SecurityTest securityTest = new SecurityTest();
         securityTest.setContext("Nmap Scan 11");
         securityTest.setName("nmap");
@@ -199,4 +201,34 @@ public void createsFindings() throws JsonProcessingException {
                 eq("Nmap Scan")
         );
     }
+
+    @Test
+    public void createsFindingsForNonSupportedScanner() {
+        SecurityTest securityTest = new SecurityTest();
+        securityTest.setContext("Non supported Scan 11");
+        securityTest.setName("any non supported scanner");
+
+        List<Finding> findings = new ArrayList<>();
+        Finding finding = new Finding();
+        finding.setName("findingname");
+        finding.setDescription("description");
+        finding.setFalsePositive(false);
+        finding.setLocation("http://someadress");
+        finding.setSeverity(INFORMATIONAL);
+        findings.add(finding);
+
+        report.setFindings(findings);
+        securityTest.setMetaData(metaData);
+        securityTest.setReport(report);
+
+        persistenceProvider.persist(securityTest);
+        verify(defectDojoService, times(1)).createFindings(
+                eq( "date,title,cweid,url,severity,description,mitigation,impact,references,active,verified,falsepositive,duplicate\n"+
+                        "2019-01-07,findingname,,http://someadress,INFORMATIONAL,description,,,,,,false,false"),
+                eq("http://localhost:8000/api/v2/engagements/2/"),
+                eq("http://localhost:8000/api/v2/users/5/"),
+                eq("2019-01-07"),
+                eq("Generic Findings Import")
+        );
+    }
 }

scb-persistenceproviders/defectdojo-persistenceprovider/src/test/java/io/securecodebox/persistence/DescriptionGeneratorTest.java

@@ -37,7 +37,7 @@ public void generate(){
     public void nullGenerate(){
         securityTest.setTarget(new Target());
 
-        assertEquals("#null  \nTime: 07.01.2019 16:50:03  \nTarget: null \"null\"", descriptionGenerator.generate(securityTest));
+        assertEquals("#Generic Findings Import  \nTime: 07.01.2019 16:50:03  \nTarget: null \"null\"", descriptionGenerator.generate(securityTest));
     }
 
 }