Listing 1: DefectDojo installation

```shell
git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo
# building
./dc-build.sh
# running (for other profiles besides postgres-redis look at
# https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md)
./dc-up.sh postgres-redis
# obtain admin credentials. the initializer can take up to 3 minutes to run
# use docker-compose logs -f initializer to track progress
docker-compose logs initializer | grep "Admin password:"
```

Listing 2: Retrieving user information with Python

```python
import requests

url = 'http://127.0.0.1:8000/api/v2/users'
headers = {'content-type': 'application/json',
           'Authorization': 'Token 80749f64ae120c27e504088d8c2ce29a0fa7f85c'}
r = requests.get(url, headers=headers, verify=True)  # set verify to False if ssl cert is self-signed
for key, value in r.__dict__.items():
    print(f"'{key}': '{value}'")
    print('------------------')
```

Listing 3: User information returned in JSON format

```json
[
  {
    "first_name": "Tyagi",
    "id": 22,
    "last_login": "2019-06-18T08:05:51.925743",
    "last_name": "Paz",
    "username": "dev7958"
  },
  {
    "first_name": "saurabh",
    "id": 31,
    "last_login": "2019-06-06T11:44:32.533035",
    "last_name": "",
    "username": "saurabh.paz"
  }
]
```

Listing 4: Filtering with a for loop

```python
import requests

url = 'http://127.0.0.1:8000/api/v2/users/?username__contains=jay'
headers = {'content-type': 'application/json',
           'Authorization': 'Token 80749f64ae120c27e504088d8c2ce29a0fa7f85c'}
r = requests.get(url, headers=headers, verify=True)  # set verify to False if ssl cert is self-signed
for key, value in r.__dict__.items():
    print(f"'{key}': '{value}'")
    print('------------------')
```

Uploading from GitLab CI

In many organizations, security tools are integrated into CI/CD pipelines. It is therefore desirable to publish the findings they produce directly to DefectDojo. In the following, we outline how this can be done, using Hadolint [3] as an example.
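The same users query as Listings 2 and 4, as an added example that is not code from the article: it parses the JSON body instead of dumping `r.__dict__`, builds the `username__contains` filter with `urlencode`, and follows the `next` link of the DRF-style pagination envelope (`count`/`next`/`previous`/`results`) that DefectDojo's v2 API returns (Listing 3 shows only the bare results list, so both shapes are accepted). The `fetch` callable is an assumption of this example, injected so the logic runs offline; `requests_fetch` is the live variant.

```python
import json
from urllib.parse import urlencode


def users_url(base_url, **filters):
    """Build the filtered endpoint, e.g. .../api/v2/users/?username__contains=jay"""
    url = base_url.rstrip("/") + "/api/v2/users/"
    return url + ("?" + urlencode(filters) if filters else "")


def auth_headers(token):
    # DefectDojo expects the API key in a "Token <key>" Authorization header
    return {"Accept": "application/json", "Authorization": f"Token {token}"}


def parse_page(body):
    """Return (results, next_url). Accepts the bare list of Listing 3 as well as
    the DRF pagination envelope {"count", "next", "previous", "results"}."""
    data = json.loads(body)
    if isinstance(data, list):
        return data, None
    return data["results"], data.get("next")


def iter_users(fetch, base_url, token, **filters):
    """Yield every user matching the filters, following "next" links until exhausted.
    `fetch(url, headers) -> str` is injected so the logic can be tested offline."""
    url = users_url(base_url, **filters)
    headers = auth_headers(token)
    while url:
        results, url = parse_page(fetch(url, headers))
        yield from results


def requests_fetch(url, headers):
    """Live fetch with the requests library; TLS verification is left on."""
    import requests
    r = requests.get(url, headers=headers, timeout=10)
    r.raise_for_status()
    return r.text


if __name__ == "__main__":
    # Example call against a local instance (placeholder token, as in Listing 2)
    for u in iter_users(requests_fetch, "http://127.0.0.1:8000", "<api-token>",
                        username__contains="jay"):
        print(u["id"], u["username"], u.get("last_login"))
```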
As a rule, a CI script always begins by defining configuration settings:

```yaml
DEFECTDOJO_DIR: "."
DEFECTDOJO_HADOLINT_REPORTS: "hadolint-json-*.json reports/docker-hadolint-*.native.json"
DEFECTDOJO_BASE_IMAGE: "registry.hub.docker.com/library/node:alpine3.11"
DEFECTDOJO_NOTIFICATION_SEVERITIES: "Critical,High"
DEFECTDOJO_TIMEZONE: "Europe/Paris"
# default production ref name (pattern)
PROD_REF: '/^(master|main)$/'
DEFECTDOJO_NOPROD_ENABLED: "false"
```

Later in the script you collect the results of the Hadolint scan:

```shell
# Hadolint
# template: docker
# (log_info is a helper function of the CI template; it is not shown here)
hadolint_nb_reports=0
for file in ${DEFECTDOJO_HADOLINT_REPORTS}
do
  # a pattern that still contains '*' did not match any file; only count real files
  if [[ $(expr "$file" : '.*\*.*') == 0 ]] && [[ -f "$file" ]]; then
    log_info "hadolint report found: $file"
    hadolint_nb_reports=$((hadolint_nb_reports + 1))
    nb_reports=$((nb_reports + 1))
  fi
done
```

Then you call the DefectDojo API and write the engagements:

```shell
# get_tpl_version_in_use and import_scan are helper functions of the CI template (not shown)
_engname="Engagement ${_today_time} $CI_COMMIT_REF_NAME $CI_COMMIT_SHORT_SHA"
_end=${_today}
branch_tag=$CI_COMMIT_TAG
branch_tag_info="[${CI_COMMIT_TAG}](${CI_PROJECT_URL}/-/tags/${CI_COMMIT_TAG})"
# if there is no tag, then use branch
if [[ -z "$CI_COMMIT_TAG" ]]; then
  branch_tag=$CI_COMMIT_REF_NAME
  branch_tag_info="[${CI_COMMIT_REF_NAME}](${CI_PROJECT_URL}/-/tree/${CI_COMMIT_REF_NAME})"
fi
dashboard_template_version=$(get_tpl_version_in_use "to-be-continuous/defectdojo")
commit_info="[commit ${CI_COMMIT_SHORT_SHA}](${CI_PROJECT_URL}/-/commit/${CI_COMMIT_SHA})\n${branch_tag_info}\ncreated with dashboard-template ${dashboard_template_version}"
echo "{\"engagement_type\": \"CI/CD\", \"product\": \"${dd_product_pk}\", \"name\": \"${_engname}\", \"source_code_management_uri\": \"${CI_PROJECT_URL}\", \"commit_hash\": \"${CI_COMMIT_SHA}\", \"branch_tag\": \"${branch_tag}\", \"status\": \"In Progress\", \"target_start\": \"${_today}\", \"target_end\": \"${_end}\", \"description\": \"${commit_info}\"}" > api_input.json
# post request to create engagement
curl -LX POST -d @api_input.json "${DEFECTDOJO_SERVER_URL}/api/v2/engagements/" --header "Content-Type: application/json" --header "Authorization: Token $DEFECTDOJO_API_KEY" --verbose 1> api_output.txt
engagement_id=$(jq ".id" api_output.txt)
echo "engagement_id: $engagement_id"
if [ "$hadolint_nb_reports" -gt 0 ]; then
  docker_tpl_version=$(get_tpl_version_in_use "to-be-continuous/docker")
  log_info "Docker template version: $docker_tpl_version"
  for file in ${DEFECTDOJO_HADOLINT_REPORTS}
  do
    if [[ $(expr "$file" : '.*\*.*') == 0 ]] && [[ -f "$file" ]]; then
      import_scan "$file" "Hadolint Dockerfile check" "$engagement_id" "to-be-continuous/docker ${docker_tpl_version}"
    fi
  done
fi
# Close the engagement
curl -L -X POST "${DEFECTDOJO_SERVER_URL}/api/v2/engagements/$engagement_id/close/" --header "Authorization: Token $DEFECTDOJO_API_KEY" -d ''
# Fetch the open, non-duplicate, non-false-positive findings of the product in the notification severities
curl -L "${DEFECTDOJO_SERVER_URL}/api/v2/findings/?test__engagement__product=${dd_product_pk}&severity=$DEFECTDOJO_NOTIFICATION_SEVERITIES&limit=100&false_p=false&duplicate=false&active=true" --header "Content-Type: application/json" --header "Authorization: Token $DEFECTDOJO_API_KEY" --verbose 1> api_final_findings.json
```
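The same engagement lifecycle (create engagement, import each Hadolint report, close, query findings) as an added Python example; it is not code from the article or from the to-be-continuous template. The request body is built as a dict rather than an escaped `echo` string, so a quote or newline in the description cannot break the JSON, and the upload goes to the documented `/api/v2/import-scan/` multipart endpoint. Assumptions: the GitLab CI variables arrive in the `ci` dict, `import-scan` accepts the `branch_tag` and `commit_hash` fields, and `session` is any requests-style object (pass `requests.Session()` for a live run).

```python
import os

SCAN_TYPE = "Hadolint Dockerfile check"  # scan_type string the CI script passes to import_scan


def engagement_payload(ci, product_pk, today, today_time, tpl_version):
    """The fields the shell script echoes into api_input.json, built as a dict so that
    quotes or newlines in the description cannot break the JSON."""
    if ci.get("CI_COMMIT_TAG"):
        branch_tag = ci["CI_COMMIT_TAG"]
        ref_info = f"[{branch_tag}]({ci['CI_PROJECT_URL']}/-/tags/{branch_tag})"
    else:  # no tag: fall back to the branch name, as the script does
        branch_tag = ci["CI_COMMIT_REF_NAME"]
        ref_info = f"[{branch_tag}]({ci['CI_PROJECT_URL']}/-/tree/{branch_tag})"
    description = (
        f"[commit {ci['CI_COMMIT_SHORT_SHA']}]({ci['CI_PROJECT_URL']}/-/commit/{ci['CI_COMMIT_SHA']})\n"
        f"{ref_info}\ncreated with dashboard-template {tpl_version}")
    return {"engagement_type": "CI/CD", "product": product_pk,
            "name": f"Engagement {today_time} {ci['CI_COMMIT_REF_NAME']} {ci['CI_COMMIT_SHORT_SHA']}",
            "source_code_management_uri": ci["CI_PROJECT_URL"],
            "commit_hash": ci["CI_COMMIT_SHA"], "branch_tag": branch_tag,
            "status": "In Progress", "target_start": today, "target_end": today,
            "description": description}


def publish(session, base_url, api_key, payload, report_paths, severities):
    """Create the engagement, import each existing report, close the engagement and
    return (engagement_id, open findings). `session` is any object with requests-style
    post()/get(); pass requests.Session() for a live run, a fake for tests."""
    auth = {"Authorization": f"Token {api_key}"}
    api = base_url.rstrip("/") + "/api/v2"
    r = session.post(f"{api}/engagements/", json=payload, headers=auth)
    r.raise_for_status()
    eng_id = r.json()["id"]
    for path in report_paths:
        if not os.path.isfile(path):  # unexpanded glob or missing report: skip, like the script
            continue
        with open(path, "rb") as fh:  # import-scan is a multipart upload
            session.post(f"{api}/import-scan/", headers=auth,
                         data={"scan_type": SCAN_TYPE, "engagement": eng_id,
                               "branch_tag": payload["branch_tag"],
                               "commit_hash": payload["commit_hash"]},
                         files={"file": (os.path.basename(path), fh)}).raise_for_status()
    session.post(f"{api}/engagements/{eng_id}/close/", headers=auth).raise_for_status()
    params = {"test__engagement__product": payload["product"], "severity": severities,
              "false_p": "false", "duplicate": "false", "active": "true", "limit": 100}
    r = session.get(f"{api}/findings/", headers=auth, params=params)
    r.raise_for_status()
    return eng_id, r.json()["results"]
```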