Resolve merge conflicts

Author: propersam

dojo/db_migrations/0005_repo_field.py

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.20 on 2019-05-24 18:22
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0004_cve_field'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='engagement',
+            name='source_code_management_uri',
+            field=models.URLField(blank=True, help_text=b'Resource link to source code', max_length=600, null=True, verbose_name=b'Repo'),
+        ),
+    ]

dojo/endpoint/views.py

@@ -228,7 +228,7 @@ def delete_endpoint(request, eid):
                                      messages.SUCCESS,
                                      'Endpoint and relationships removed.',
                                      extra_tags='alert-success')
-                return HttpResponseRedirect(reverse('view_endpoint', args=(product.id,)))
+                return HttpResponseRedirect(reverse('view_product', args=(product.id,)))
 
     collector = NestedObjects(using=DEFAULT_DB_ALIAS)
     collector.collect([endpoint])

dojo/fixtures/test_type.json

@@ -312,5 +312,12 @@
     },
     "model": "dojo.test_type",
     "pk": 52
+  },
+  {
+    "fields": {
+      "name": "Sonatype Application Scan"
+    },
+    "model": "dojo.test_type",
+    "pk": 53
   }
 ]

dojo/forms.py

@@ -293,7 +293,8 @@ class ImportScanForm(forms.Form):
                          ("Bundler-Audit Scan", "Bundler-Audit Scan"),
                          ("Twistlock Image Scan", "Twistlock Image Scan"),
                          ("Kiuwan Scan", "Kiuwan Scan"),
-                         ("Blackduck Hub Scan", "Blackduck Hub Scan"))
+                         ("Blackduck Hub Scan", "Blackduck Hub Scan"),
+                         ("Sonatype Application Scan", "Sonatype Application Scan"))
 
     SORTED_SCAN_TYPE_CHOICES = sorted(SCAN_TYPE_CHOICES, key=lambda x: x[1])
 

dojo/models.py

@@ -787,7 +787,7 @@ class Engagement(models.Model):
                                    null=True, blank=True, help_text="Tag or branch of the product the engagement tested.", verbose_name="Branch/Tag")
     build_server = models.ForeignKey(Tool_Configuration, verbose_name="Build Server", help_text="Build server responsible for CI/CD test", null=True, blank=True, related_name='build_server')
     source_code_management_server = models.ForeignKey(Tool_Configuration, null=True, blank=True, verbose_name="SCM Server", help_text="Source code server for CI/CD test", related_name='source_code_management_server')
-    source_code_management_uri = models.CharField(max_length=600, null=True, blank=True, verbose_name="Repo", help_text="Resource link to source code")
+    source_code_management_uri = models.URLField(max_length=600, null=True, blank=True, editable=True, verbose_name="Repo", help_text="Resource link to source code")
     orchestration_engine = models.ForeignKey(Tool_Configuration, verbose_name="Orchestration Engine", help_text="Orchestration service responsible for CI/CD test", null=True, blank=True, related_name='orchestration')
     deduplication_on_engagement = models.BooleanField(default=False)
 
@@ -1289,6 +1289,9 @@ def save(self, dedupe_option=True, false_history=False, rules_option=True, *args
                 except:
                     async_false_history.delay(self, *args, **kwargs)
                     pass
+        # Title Casing
+        from titlecase import titlecase
+        self.title = titlecase(self.title)
 
         from dojo.utils import calculate_grade
         calculate_grade(self.test.engagement.product)

dojo/templates/dojo/import_scan_results.html

@@ -26,6 +26,7 @@ <h3> Add Tests</h3>
 
 	<p>DefectDojo accepts:</p>
     <ul>
+	<li><b>Acunetix Scanner</b> - XML format.</li>
 	<li><b>Anchore-Engine</b> - Anchore-CLI JSON vulnerability report format.</li>
 	<li><b>AWS Scout2 Scanner</b> - JS file in scout2-report/inc-awsconfig/aws_config.js.</li>
 	<li><b>AWS Prowler Scanner</b> - Prowler file can be imported as a CSV file (-M csv).</li>
@@ -46,6 +47,7 @@ <h3> Add Tests</h3>
 	<li><b>Dependency Check</b> - OWASP Dependency Check output can be imported in Xml format.</li>
 	<li><b>Generic Findings Import</b> - Import Generic findings in CSV format.</li>
 	<li><b>Gosec Scanner </b> - Import Gosec Scanner findings in JSON format.</li>
+	<li><b>Kiuwan Scanner</b> - Import Kiuwan Scan in CSV format. Export as CSV Results on Kiuwan.</li>
 	<li><b>MobSF Scanner </b> - Export a JSON file using the API, api/v1/report_json.</li>
 	<li><b>Nessus (Tenable)</b> - Reports can be imported as CSV or .nessus (XML) report formats.</li>
 	<li><b>Netsparker Scanner</b> - Netsparker JSON format.</li>
@@ -64,6 +66,7 @@ <h3> Add Tests</h3>
 	<li><b>SKF Scan</b> - Output of SKF Sprint summary export.</li>
 	<li><b>Snyk</b> - Snyk output file (snyk test --json > snyk.json) can be imported in JSON format.</li>
 	<!----<li><b>SonarQube</b> - SonarQube output file can be imported in HTML format.</li>-->
+	<li><b>Sonatype Application Scan</b> - Can be imported in JSON format</li>
 	<li><b>SpotBugs</b> - XML report of textui cli.</li>
 	<li><b>SSL Labs</b> - JSON Output of ssllabs-scan cli.</li>
 	<li><b>Trufflehog</b> - JSON Output of Trufflehog.</li>
@@ -72,8 +75,6 @@ <h3> Add Tests</h3>
 	<li><b>Visual Code Grepper (VCG)</b> - VCG output can be imported in CSV or Xml formats.</li>
 	<li><b>Veracode Detailed XML Report</b></li>
 	<li><b>Zed Attack Proxy</b> - ZAP XML report format.</li>
-	<li><b>Acunetix Scanner</b> - XML format.</li>
-	<li><b>Kiuwan Scanner</b> - Import Kiuwan Scan in CSV format. Export as CSV Results on Kiuwan.</li>
 
     </ul>
 

dojo/tools/anchore_engine/parser.py

@@ -21,17 +21,21 @@ def __init__(self, filename, test):
             title = ''
             group = ''
             status = ''
+            cve = ''
 
             title = item['vuln'] + ' - ' + item['package'] + '(' + item['package_type'] + ')'
 
+            if item['vuln']:
+                cve = item['vuln']
+
             # Finding details information
-            findingdetail += 'Image hash: ' + data['imageDigest'] + '\n'
-            findingdetail += 'Package: ' + item['package'] + '\n'
-            findingdetail += 'Package path: ' + item['package_path'] + '\n'
-            findingdetail += 'Package type: ' + item['package_type'] + '\n'
-            findingdetail += 'Feed: ' + item['feed'] + '/' + item['feed_group'] + '\n'
-            findingdetail += 'CVE: ' + item['vuln'] + '\n'
-            findingdetail += 'CPE: ' + item['package_cpe'] + '\n'
+            findingdetail += 'Image hash: ' + data['imageDigest'] + '\n\n'
+            findingdetail += 'Package: ' + item['package'] + '\n\n'
+            findingdetail += 'Package path: ' + item['package_path'] + '\n\n'
+            findingdetail += 'Package type: ' + item['package_type'] + '\n\n'
+            findingdetail += 'Feed: ' + item['feed'] + '/' + item['feed_group'] + '\n\n'
+            findingdetail += 'CVE: ' + item['vuln'] + '\n\n'
+            findingdetail += 'CPE: ' + item['package_cpe'] + '\n\n'
 
             sev = item['severity']
             if sev == "Negligible" or sev == "Unknown":
@@ -54,6 +58,7 @@ def __init__(self, filename, test):
                     test=test,
                     active=False,
                     verified=False,
+                    cve=cve,
                     description=findingdetail,
                     severity=sev,
                     numerical_severity=Finding.get_numerical_severity(sev),

dojo/tools/blackduck/parser.py

@@ -63,6 +63,7 @@ def __init__(self, filename, test):
 
                 finding = Finding(title=title,
                                   cwe=int(cwe),
+                                  cve=cve,
                                   test=test,
                                   active=False,
                                   verified=False,

dojo/tools/factory.py

@@ -46,6 +46,7 @@
 from dojo.tools.twistlock.parser import TwistlockParser
 from dojo.tools.kiuwan.parser import KiuwanCSVParser
 from dojo.tools.blackduck.parser import BlackduckHubCSVParser
+from dojo.tools.sonatype.parser import SonatypeJSONParser
 
 __author__ = 'Jay Paz'
 
@@ -153,6 +154,8 @@ def import_parser_factory(file, test, scan_type=None):
         parser = KiuwanCSVParser(file, test)
     elif scan_type == 'Blackduck Hub Scan':
         parser = BlackduckHubCSVParser(file, test)
+    elif scan_type == 'Sonatype Application Scan':
+        parser = SonatypeJSONParser(file, test)
     else:
         raise ValueError('Unknown Test Type')
 

dojo/tools/gosec/parser.py

@@ -17,23 +17,38 @@ def __init__(self, filename, test):
             title = ''
             group = ''
             status = ''
+            filename = item.get("file")
+            line = item.get("line")
+            scanner_confidence = item.get("confidence")
 
-            title = item["details"] + "-" + item["rule_id"]
+            title = item["details"] + " - rule " + item["rule_id"]
 
 #           Finding details information
-            findingdetail += "Filename: " + item["file"] + "\n"
-            findingdetail += "Line number: " + str(item["line"]) + "\n"
-            findingdetail += "Issue Confidence: " + item["confidence"] + "\n\n"
-            findingdetail += "Code:\n"
-            findingdetail += item["code"] + "\n"
+            findingdetail += "Filename: {}\n\n".format(filename)
+            findingdetail += "Line number: {}\n\n".format(str(line))
+            findingdetail += "Issue Confidence: {}\n\n".format(scanner_confidence)
+            findingdetail += "Code:\n\n"
+            findingdetail += "```{}```".format(item["code"])
 
             sev = item["severity"]
-#            mitigation = item["issue_text"]
             mitigation = "coming soon"
-#            references = item["test_id"]
-            referencesxs = "coming soon"
+            # Best attempt at ongoing documentation provided by gosec, based on rule id
+            references = "https://securego.io/docs/rules/{}.html".format(item['rule_id']).lower()
 
-            dupe_key = title + item["file"] + str(item["line"])
+            if scanner_confidence:
+                # Assign integer value to confidence.
+                if scanner_confidence == "HIGH":
+                    scanner_confidence = 1
+                elif scanner_confidence == "MEDIUM":
+                    scanner_confidence = 4
+                elif scanner_confidence == "LOW":
+                    scanner_confidence = 7
+
+            if '-' in line:
+                # if this is a range, only point to the beginning.
+                line = line.split('-', 1)[0]
+
+            dupe_key = title + item["file"] + str(line)
 
             if dupe_key in dupes:
                 find = dupes[dupe_key]
@@ -50,9 +65,10 @@ def __init__(self, filename, test):
                                mitigation=mitigation,
                                impact=impact,
                                references=references,
-                               file_path=item["file"],
-#                               line = item["line"],
+                               file_path=filename,
+                               line=line,
                                url='N/A',
+                               scanner_confidence=scanner_confidence,
                                static_finding=True)
 
                 dupes[dupe_key] = find