From 7de2e7bf925042100edc7d76192a9e0090b2e8f1 Mon Sep 17 00:00:00 2001 From: foobar Date: Thu, 15 Feb 2024 21:37:31 +0000 Subject: [PATCH] make defect dojo able to tag duplicate findings --- .../consumers/defectdojo/client/client.go | 8 ++++++-- .../defectdojo/client/client_test.go | 10 +--------- components/consumers/defectdojo/main.go | 2 -- components/consumers/defectdojo/main_test.go | 20 ++++++++++++++----- 4 files changed, 22 insertions(+), 18 deletions(-) diff --git a/components/consumers/defectdojo/client/client.go b/components/consumers/defectdojo/client/client.go index e44e62780..59e2f0e4a 100644 --- a/components/consumers/defectdojo/client/client.go +++ b/components/consumers/defectdojo/client/client.go @@ -62,17 +62,21 @@ func (client *Client) CreateFinding( title, description, severity, target, date, numericalSeverity string, tags []string, testID, line, cwe, foundBy int32, - falseP, duplicate, active bool, + falseP, duplicate bool, cvssScore float64, ) (types.FindingCreateResponse, error) { url := fmt.Sprintf("%s/findings", client.host) + active := true + if duplicate { + active = false + } body := types.FindingCreateRequest{ Tags: tags, Date: date, Cwe: cwe, Line: line, FilePath: target, - Duplicate: false, + Duplicate: duplicate, FalseP: falseP, Active: active, Verified: false, diff --git a/components/consumers/defectdojo/client/client_test.go b/components/consumers/defectdojo/client/client_test.go index abe4a347e..7e10d1461 100644 --- a/components/consumers/defectdojo/client/client_test.go +++ b/components/consumers/defectdojo/client/client_test.go @@ -2,7 +2,7 @@ package client import ( "encoding/json" - "io" + "io/ioutil" "net/http" "net/http/httptest" "testing" @@ -36,10 +36,8 @@ func TestCreateFinding(t *testing.T) { called = true assert.Equal(t, r.Method, "POST") assert.Equal(t, r.RequestURI, "/findings") - b, err := io.ReadAll(r.Body) require.NoError(t, err) - var actual, exp types.FindingCreateRequest exp = types.FindingCreateRequest{ Test: 1, @@ -59,11 +57,9 @@ func TestCreateFinding(t *testing.T) { } require.NoError(t, json.Unmarshal(b, &actual)) assert.Equal(t, actual, exp) - _, err = w.Write([]byte(expected)) require.NoError(t, err) })) - c := &Client{host: mockTs.URL, apiToken: "test", user: ""} _, err := c.CreateFinding("title", "description", @@ -85,10 +81,8 @@ func TestCreateEngagement(t *testing.T) { called = true assert.Equal(t, r.Method, "POST") assert.Equal(t, r.RequestURI, "/engagements") - b, err := io.ReadAll(r.Body) require.NoError(t, err) - var engagement types.EngagementRequest require.NoError(t, json.Unmarshal(b, &engagement)) @@ -101,11 +95,9 @@ func TestCreateEngagement(t *testing.T) { Product: 2, } assert.Equal(t, expectedEngagement, engagement) - _, err = w.Write([]byte(`{"id":4,"tags":["foo.git/somesha"],"name":"dracon scan foo","description":null,"version":"string","first_contacted":null,"target_start":"2022-06-01","target_end":"2022-06-01","reason":null,"updated":"2022-06-01T16:29:18.965507Z","created":"2022-06-01T16:29:18.908694Z","active":true,"tracker":null,"test_strategy":null,"threat_model":true,"api_test":true,"pen_test":true,"check_list":true,"status":"","progress":"threat_model","tmodel_path":"none","done_testing":false,"engagement_type":"Interactive","build_id":"foo","commit_hash":null,"branch_tag":null,"source_code_management_uri":null,"deduplication_on_engagement":false,"lead":null,"requester":null,"preset":null,"report_type":null,"product":2,"build_server":null,"source_code_management_server":null,"orchestration_engine":null,"notes":[],"files":[],"risk_acceptance":[]}`)) require.NoError(t, err) })) - c := &Client{host: mockTs.URL, apiToken: "test", user: ""} _, err := c.CreateEngagement("dracon scan foo", "2022-06-01", []string{"foo.git/somesha"}, 2) require.NoError(t, err) diff --git a/components/consumers/defectdojo/main.go b/components/consumers/defectdojo/main.go index e5c59da6b..b13278465 100644 --- a/components/consumers/defectdojo/main.go +++ b/components/consumers/defectdojo/main.go @@ -70,7 +70,6 @@ func handleRawResults(product int, dojoClient *client.Client, responses []*v1.La dojoClient.UserID, false, false, - true, iss.GetCvss()) if err != nil { log.Fatalf("Could not create raw finding error: %v\n", err) @@ -129,7 +128,6 @@ func handleEnrichedResults(product int, dojoClient *client.Client, responses []* test.ID, 0, 0, dojoClient.UserID, iss.GetFalsePositive(), duplicate, - true, rawIss.GetCvss()) if err != nil { log.Fatalf("Could not create enriched finding error: %v\n", err) diff --git a/components/consumers/defectdojo/main_test.go b/components/consumers/defectdojo/main_test.go index d6d450803..721847b64 100644 --- a/components/consumers/defectdojo/main_test.go +++ b/components/consumers/defectdojo/main_test.go @@ -62,6 +62,8 @@ func createObjects(product int, scanType string) ([]*v1.LaunchToolResponse, []*t var issues []*v1.Issue var enrichedIssues []*v1.EnrichedIssue for j := 0; j <= 3%(i+1); j++ { + duplicateTimes, _ := time.Parse(time.RFC3339, "2000-01-19T18:09:06.370037788Z") + duplicateTimestamp := timestamppb.New(duplicateTimes) x := v1.Issue{ Target: fmt.Sprintf("myTarget %d-%d", i, j), Type: fmt.Sprintf("type %d-%d", i, j), @@ -72,7 +74,7 @@ func createObjects(product int, scanType string) ([]*v1.LaunchToolResponse, []*t y := v1.EnrichedIssue{ RawIssue: &x, FirstSeen: response.ScanInfo.ScanStartTime, - Count: uint64(i), + Count: 1, FalsePositive: false, UpdatedAt: response.ScanInfo.ScanStartTime, Hash: "d41d8cd98f00b204e9800998ecf8427e", @@ -81,6 +83,10 @@ func createObjects(product int, scanType string) ([]*v1.LaunchToolResponse, []*t "Policy.Blah.Decision": "failed", }, } + if j%2 == 0 { + y.FirstSeen = duplicateTimestamp + y.Count = uint64(j) + } issues = append(issues, &x) enrichedIssues = append(enrichedIssues, &y) @@ -98,7 +104,7 @@ func createObjects(product int, scanType string) ([]*v1.LaunchToolResponse, []*t } d = desc } - findingsRequests = append(findingsRequests, &types.FindingCreateRequest{ + findingsReq := &types.FindingCreateRequest{ Tags: []string{"DraconScan", scanType + "Finding", scanID, toolName}, Title: x.Title, Date: times.Format(DojoTimeFormat), @@ -108,7 +114,13 @@ func createObjects(product int, scanType string) ([]*v1.LaunchToolResponse, []*t FoundBy: []int32{1}, Description: *d, Active: true, - }) + Duplicate: false, + } + if j%2 == 0 && scanType != "Raw" { + findingsReq.Active = false + findingsReq.Duplicate = true + } + findingsRequests = append(findingsRequests, findingsReq) } response.Issues = issues enrichedResponse.OriginalResults = response // duplication here is important since we use this enrichedResponse in getEnrichedIssues above @@ -156,7 +168,6 @@ func TestHandleRawResults(t *testing.T) { ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { body, err := io.ReadAll(r.Body) require.NoError(t, err) - switch string(r.URL.Path) { case "/users": assert.Equal(t, r.Method, http.MethodGet) @@ -230,7 +241,6 @@ func TestHandleEnrichedResults(t *testing.T) { ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { body, err := io.ReadAll(r.Body) require.NoError(t, err) - switch string(r.URL.String()) { case "/users": assert.Equal(t, r.Method, http.MethodGet)