Merge pull request #1712 from blacklotos/add-hackeroneparcer-359

Add hackeroneparcer 359

dojo/fixtures/test_type.json

@@ -521,6 +521,13 @@
 		},
 		"model": "dojo.test_type",
 		"pk": 166
+	},
+	{
+		"fields": {
+			"name": "HackerOne Cases"
+		},
+		"model": "dojo.test_type",
+		"pk": 167
 	}
 ]
 

dojo/forms.py

@@ -359,10 +359,12 @@ class ImportScanForm(forms.Form):
                          ("Testssl Scan", "Testssl Scan"),
                          ("Hadolint Dockerfile check", "Hadolint Dockerfile check"),
                          ("Aqua Scan", "Aqua Scan"),
+                         ("HackerOne Cases", "HackerOne Cases"),
                          ("Xanitizer Scan", "Xanitizer Scan"),
                          ("Trivy Scan", "Trivy Scan"))
 
 
+
     SORTED_SCAN_TYPE_CHOICES = sorted(SCAN_TYPE_CHOICES, key=lambda x: x[1])
     scan_date = forms.DateTimeField(
         required=True,

dojo/templates/dojo/import_scan_results.html

@@ -53,6 +53,7 @@ <h3> Add Tests</h3>
 
 	<li><b>Generic Findings Import</b> - Import Generic findings in CSV format.</li>
 	<li><b>Gosec Scanner </b> - Import Gosec Scanner findings in JSON format.</li>
+	<li><b>HackerOne Cases</b> - Import HackerOne cases findings in JSON format.</li>
 	<li><b>Hadolint Dockerfile check </b> - Import Hadolint Dockerfile check findings in JSON format.</li>
 	<li><b>JFrogXray Scan </b> - Import Xray findings in JSON format.</li>
 	<li><b>Kiuwan Scanner</b> - Import Kiuwan Scan in CSV format. Export as CSV Results on Kiuwan.</li>

dojo/tools/factory.py

@@ -65,10 +65,12 @@
 from dojo.tools.hadolint.parser import HadolintParser
 from dojo.tools import SCAN_SONARQUBE_API
 from dojo.tools.aqua.parser import AquaJSONParser
+from dojo.tools.h1.parser import HackerOneJSONParser
 from dojo.tools.xanitizer.parser import XanitizerXMLParser
 from dojo.tools.trivy.parser import TrivyParser
 
 
+
 __author__ = 'Jay Paz'
 
 
@@ -216,6 +218,8 @@ def import_parser_factory(file, test, active, verified, scan_type=None):
         parser = HadolintParser(file, test)
     elif scan_type == 'Aqua Scan':
         parser = AquaJSONParser(file, test)
+    elif scan_type == 'HackerOne Cases':
+        parser = HackerOneJSONParser(file, test)
     elif scan_type == 'Xanitizer Scan':
         parser = XanitizerXMLParser(file, test)
     elif scan_type == 'Trivy Scan':

dojo/tools/h1/parser.py

@@ -0,0 +1,83 @@
+import json
+import hashlib
+from dojo.models import Finding
+
+__author__ = 'Kirill Gotsman'
+
+
+class HackerOneJSONParser(object):
+    """
+    A class that can be used to parse the Get All Reports JSON export from HackerOne API.
+    """
+
+    def __init__(self, file, test):
+        """
+        Converts a HackerOne reports to a DefectDojo finding
+        """
+        self.dupes = dict()
+        # Start with an empty findings
+        self.items = ()
+        # Exit if file is not provided
+        if file is None:
+            return
+        # Load the contents of the JSON file into a dictionary
+        data = file.read()
+        try:
+            tree = json.loads(str(data, 'utf-8'))
+        except:
+            tree = json.loads(data)
+        # Conver JSON  report to DefectDojo format
+        for content in tree["data"]:
+            # Build the title of the Dojo finding
+            title = "#" + content["id"] + " " + content["attributes"]["title"]
+            # Build the description of the Dojo finding
+            description = content["attributes"]["vulnerability_information"]
+
+            # Build the severity of the Dojo finding
+            try:
+                severity = content["relationships"]["severity"]["data"]["attributes"]["rating"].capitalize()
+                if severity not in ["Low", "Medium", "Hight", "Critical"]:
+                    severity = "Info"
+            except:
+                severity = "Info"
+            # Build the references of the Dojo finding
+            ref_link = "https://hackerone.com/reports/{}".format(content.get("id"))
+            references = "[{}]({})".format(ref_link, ref_link)
+
+            # Set active state of the Dojo finding
+            if content["attributes"]["state"] in ["triaged", "new"]:
+                active = True
+            else:
+                active = False
+
+            # Set CWE of the Dojo finding
+            try:
+                cwe = int(content["relationships"]["weakness"]["data"]["attributes"]["external_id"][4:])
+            except:
+                cwe = 0
+
+            dupe_key = hashlib.md5(str(references + title).encode('utf-8')).hexdigest()
+            if dupe_key in self.dupes:
+                finding = self.dupes[dupe_key]
+                if finding.references:
+                    finding.references = finding.references
+                self.dupes[dupe_key] = finding
+            else:
+                self.dupes[dupe_key] = True
+
+                # Build and return Finding model
+                finding = Finding(
+                    title=title,
+                    test=test,
+                    active=active,
+                    description=description,
+                    severity=severity,
+                    numerical_severity=Finding.get_numerical_severity(severity),
+                    mitigation="See description",
+                    impact="No impact provided",
+                    references=references,
+                    cwe=cwe,
+                    dynamic_finding=False,)
+                finding.unsaved_endpoints = list()
+                self.dupes[dupe_key] = finding
+            self.items = self.dupes.values()

dojo/unittests/scans/h1/data_empty.json

@@ -0,0 +1,9 @@
+{
+    "data": [
+    ],
+    "links": {
+        "self": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=1",
+        "next": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=2",
+        "last": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=5"
+    }
+}