"""
Example written by Aaron Weaver <aaron.weaver@owasp.org>
as part of the OWASP DefectDojo and OWASP AppSec Pipeline Security projects
Description: Creates a manual finding in DefectDojo and returns information about the newly created finding
"""
from defectdojo_api import defectdojo
from datetime import datetime, timedelta
from random import randint
import os
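# Setup DefectDojo connection information
# The API key is read from the environment rather than written into the
# script, so it never lands in source control. os.environ[...] raises a
# KeyError on start-up if DOJO_API_KEY is unset, which is the intended
# fail-fast behaviour.
host = 'http://localhost:8000'  # plain http is only acceptable for a local instance; use https for a remote DefectDojo
api_key = os.environ['DOJO_API_KEY']
user = 'admin'
user_id = 1 #Default user
# Optionally, route API calls through a proxy (for example an intercepting
# proxy while debugging the integration) by replacing None with a mapping
# such as:
#   proxies = {
#       'http': 'http://localhost:8080',
#       'https': 'http://localhost:8080',
#   }
# (The original kept this example as a bare string literal, a no-op statement
# that reads like a docstring; a comment is the right place for it.)
proxies = None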
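def create_finding_data(product_id, engagement_id, test_id, build):
    """Create one randomly generated demo finding in DefectDojo.

    A CWE (with its matching title/description text) is picked at random from
    a fixed list, paired with a random severity and a discovery date within
    the last 30 days, and posted to the given product/engagement/test through
    the module-level ``dd`` API wrapper.

    Args:
        product_id: DefectDojo product the finding belongs to.
        engagement_id: Engagement within that product.
        test_id: Test within that engagement.
        build: Build tag stored with the finding; the script later lists
            findings by this tag.

    Returns:
        Whatever ``dd.create_finding`` returns for the new finding. The
        original discarded it, although the module docstring promises it.
    """
    cwe = [352, 22, 676, 863, 134, 759, 798]
    cwe_desc = ['Cross-Site Request Forgery (CSRF)', 'Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\')',
                'Use of Potentially Dangerous Function', 'Incorrect Authorization', 'Uncontrolled Format String',
                'Use of a One-Way Hash without a Salt', 'Use of Hard-coded Credentials']
    severity = ['Low', 'Medium', 'High', 'Critical']
    # Backdate the finding by up to 30 days so the demo data is spread out.
    finding_date = datetime.now() + timedelta(days=randint(-30, 0))
    # Index bounds come from the lists themselves so adding an entry cannot
    # index out of range (the original hard-coded 0..6 and 0..3). `random` is
    # adequate here: this is demo data, not anything security-sensitive.
    finding_cwe = randint(0, len(cwe) - 1)
    finding_severity = severity[randint(0, len(severity) - 1)]
    # The module-level user_id (the default user) is used instead of a local
    # copy of the same value, so the findings and the engagement created by
    # this script are attributed to the same user.
    # The positional argument order is dictated by dd.create_finding; the
    # trailing literal values are passed exactly as in the original — check
    # the wrapper's signature before changing them. Title and description are
    # both set to the CWE name for this demo.
    finding = dd.create_finding(cwe_desc[finding_cwe], cwe_desc[finding_cwe], finding_severity,
                                cwe[finding_cwe], finding_date.strftime("%Y-%m-%d"), product_id, engagement_id, test_id, user_id,
                                "None", "true", "true", "References", build=build)
    return finding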
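# Instantiate the DefectDojo api wrapper
dd = defectdojo.DefectDojoAPI(host, api_key, user, debug=False, proxies=proxies)
# Search and see if product exists so that we don't create multiple product entries
product_name = "Acme API Finding Demo"
products = dd.list_products(name_contains=product_name)
product_id = None
if products.count() > 0:
    # name_contains is a substring search, so more than one product can come
    # back. Prefer the one whose name is exactly product_name; if none matches
    # exactly, the last hit wins as in the original (rather than creating a
    # duplicate product).
    for product in products.data["objects"]:
        product_id = product['id']
        if product.get('name') == product_name:
            break
else:
    # Create a product
    prod_type = 1 #1 - Research and Development, product type
    product = dd.create_product(product_name, "This is a detailed product description.", prod_type)
    # Get the product id
    product_id = product.id()
    print("Product successfully created with an id: " + str(product_id))
# Retrieve the newly created product (demonstrates get_product; the result is
# not used further by this script)
product = dd.get_product(product_id)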
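# Look up (or create) the engagement for this product. The engagement name is
# built once and reused for the search, the log line and the create call so
# the three cannot drift apart. NOTE: "Intial" is misspelled, but it is kept
# on purpose: engagements already created by this script carry that name and
# the name_contains search below would stop matching them if it were fixed.
engagement_name = "Intial " + product_name + " Engagement"
engagements = dd.list_engagements(product_in=product_id, name_contains=engagement_name)
engagement_id = None
start_date = datetime.now()
end_date = start_date + timedelta(days=randint(2, 8))
if engagements.count() > 0:
    # Substring search may return several engagements; prefer an exact name
    # match, otherwise the last hit wins as in the original. The loop variable
    # no longer shadows the response object.
    for existing in engagements.data["objects"]:
        engagement_id = existing['id']
        if existing.get('name') == engagement_name:
            break
else:
    # Create an engagement
    print("Creating engagement: " + engagement_name)
    engagement = dd.create_engagement(engagement_name, product_id, user_id,
                                      "In Progress", start_date.strftime("%Y-%m-%d"), end_date.strftime("%Y-%m-%d"))
    engagement_id = engagement.id()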
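print("Creating the test")
# Create Test
test_type = 5 #Web Test
environment = 3 #Production environment
# Start and end date are both the engagement start date for this demo test.
test = dd.create_test(engagement_id, test_type, environment,
                      start_date.strftime("%Y-%m-%d"), start_date.strftime("%Y-%m-%d"))
test_id = test.id()
print("Creating the finding")
# Build tag used to group every finding created by this run; `random` is
# sufficient because the tag is demo data, not a secret or a token.
build = "Jenkins-" + str(randint(100, 999))
# Create Finding
create_finding_data(product_id, engagement_id, test_id, build=build)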
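print("Listing the new findings for this build")
# Create four more tests (test types 1 to 4 in order, each in a random
# environment) and load a handful of findings into each one under the same
# build tag. for-loops replace the hand-rolled while counters.
for test_type in range(1, 5):
    environment = randint(1, 6) #Select random environments
    test = dd.create_test(engagement_id, test_type, environment,
                          start_date.strftime("%Y-%m-%d"), start_date.strftime("%Y-%m-%d"))
    test_id = test.id()
    # Load between two and four findings into this test (count drawn once per test)
    for _ in range(randint(2, 4)):
        create_finding_data(product_id, engagement_id, test_id, build=build)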
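#Summarize the findings loaded
print("***************************************")
findings = dd.list_findings(build=build)
# Read the count once instead of twice; it is only used for display and the guard.
total_created = findings.count()
print("Build ID: " + build)
print("Total Created: " + str(total_created))
print("***************************************")
print("")
if total_created > 0:
    for finding in findings.data["objects"]:
        print(finding["title"] + ", Severity: " + finding["severity"])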