

Merge pull request DependencyTrack#2532 from lme-nca/bugfix/issue_242…
…4_add_do_not_reactivate_flag

add DefectDojo "do not reactivate" flag, fixes issue 2424

Closes DependencyTrack#2424
nscuro committed Mar 7, 2023
2 parents 64e0f99 + 8e72253 commit f35b129
Showing 5 changed files with 36 additions and 6 deletions.
22 changes: 20 additions & 2 deletions docs/_docs/integrations/defectdojo.md
Expand Up @@ -48,7 +48,7 @@ This feature is used to map projects in Dependency-Track to engagements in Defec
| ---------------| --------------------------------- |
| Group Name | `integrations` |
| Property Name | `defectdojo.engagementId` |
| Property Value | The CI/CD engagement ID to upload findings to, noted in Step 3 |
| Property Value | The CI/CD engagement ID to upload findings to, noted in Step 3 |s
| Property Type | `STRING` |

#### Step 7: Add Per-project configuration for Reimport Enhancement (Optional)
Expand All @@ -64,7 +64,25 @@ The additional configuration property is defined as below:
| Property Value | 'true' |
| Property Type | `BOOLEAN` |

#### Step 8: Global configuration for Reimport Enhancement (Optional)
#### Step 8: Add Per-project configuration for do_not_reactivate Enhancement (Optional)
![Configure Project](/images/screenshots/defectdojo_do-not-reactivate.png)

* Dependency-Track v4.8.0 or higher
* Only work in combination with reimport
* Enabling this flag will mean that DefectDojo is considered the source of truth and findings closed in DefectDojo are not re-opened.
* WARNING! This comes with the downside that a potentially patched vulnerability that is re-introduced by, for example a library downgrade, is reactivated

As mentioned in the DefectDojo documentation this feature 'Will keep existing findings closed, without reactivating them.' Usually DefectDojo considers the scanners report as the source of truth, this leads DefectDojo to re-open findings that might have been closed in DefectDojo if it shows up in a scan.


| Attribute | Value |
| ---------------| --------------------------------- |
| Group Name | `integrations` |
| Property Name | `defectdojo.doNotReactivate` |
| Property Value | 'true' |
| Property Type | `BOOLEAN` |

#### Step 9: Global configuration for Reimport Enhancement (Optional)
* Dependency-Track v4.6.0 or higher
![Configure Project](/images/screenshots/defectdojo_global_reimport.png)
Alternatively, you can turn on the above reimport feature for all projects in one click, by checking on 'Enable reimport' box as shown in the screenshot above.
Expand Up @@ -163,7 +163,7 @@ public ArrayList<String> jsonToList(final JSONArray jsonArray) {
* A Reimport will reuse (overwrite) the existing test, instead of create a new test.
* The Successfully reimport will also increase the reimport counter by 1.
*/
public void reimportDependencyTrackFindings(final String token, final String engagementId, final InputStream findingsJson, final String testId) {
public void reimportDependencyTrackFindings(final String token, final String engagementId, final InputStream findingsJson, final String testId, final Boolean doNotReactivate) {
LOGGER.debug("Re-reimport Dependency-Track findings to DefectDojo per Engagement");
HttpPost request = new HttpPost(baseURL + "/api/v2/reimport-scan/");
request.addHeader("accept", "application/json");
Expand All @@ -178,6 +178,7 @@ public void reimportDependencyTrackFindings(final String token, final String eng
.addPart("minimum_severity", new StringBody("Info", ContentType.MULTIPART_FORM_DATA))
.addPart("close_old_findings", new StringBody("true", ContentType.MULTIPART_FORM_DATA))
.addPart("push_to_jira", new StringBody("push_to_jira", ContentType.MULTIPART_FORM_DATA))
.addPart("do_not_reactivate", new StringBody(doNotReactivate.toString(), ContentType.MULTIPART_FORM_DATA))
.addPart("test", new StringBody(testId, ContentType.MULTIPART_FORM_DATA))
.addPart("scan_date", new StringBody(DATE_FORMAT.format(new Date()), ContentType.MULTIPART_FORM_DATA))
.build();
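Review bot: The new `doNotReactivate` parameter is a boxed `Boolean`, and the added `do_not_reactivate` part dereferences it with `doNotReactivate.toString()`, so a null argument would throw a NullPointerException from inside the multipart builder rather than producing a request. The only caller visible in this commit passes a primitive `boolean` (`isDoNotReactivateConfigured(project)`), so declaring the parameter as `final boolean doNotReactivate` and building the part with `new StringBody(String.valueOf(doNotReactivate), ContentType.MULTIPART_FORM_DATA)` removes that failure mode without changing any caller. The comment block above the signature was not extended for the new parameter; add `@param doNotReactivate when true, findings already closed in DefectDojo are not reactivated by this reimport` (wording taken from the docs change in this commit). The method body continues past the end of the hunk.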
Expand Up @@ -44,6 +44,8 @@ public class DefectDojoUploader extends AbstractIntegrationPoint implements Proj
private static final Logger LOGGER = Logger.getLogger(DefectDojoUploader.class);
private static final String ENGAGEMENTID_PROPERTY = "defectdojo.engagementId";
private static final String REIMPORT_PROPERTY = "defectdojo.reimport";
private static final String DO_NOT_REACTIVATE_PROPERTY = "defectdojo.doNotReactivate";


public boolean isReimportConfigured(final Project project) {
final ProjectProperty reimport = qm.getProjectProperty(project, DEFECTDOJO_ENABLED.getGroupName(), REIMPORT_PROPERTY);
Expand All @@ -54,6 +56,15 @@ public boolean isReimportConfigured(final Project project) {
}
}

public boolean isDoNotReactivateConfigured(final Project project) {
final ProjectProperty reactivate = qm.getProjectProperty(project, DEFECTDOJO_ENABLED.getGroupName(), DO_NOT_REACTIVATE_PROPERTY);
if (reactivate != null) {
return Boolean.parseBoolean(reactivate.getPropertyValue());
} else {
return false;
}
}

@Override
public String name() {
return "DefectDojo";
Expand Down Expand Up @@ -97,7 +108,7 @@ public void upload(final Project project, final InputStream payload) {
if (testId.equals("")) {
client.uploadDependencyTrackFindings(apiKey.getPropertyValue(), engagementId.getPropertyValue(), payload);
} else {
client.reimportDependencyTrackFindings(apiKey.getPropertyValue(), engagementId.getPropertyValue(), payload, testId);
client.reimportDependencyTrackFindings(apiKey.getPropertyValue(), engagementId.getPropertyValue(), payload, testId, isDoNotReactivateConfigured(project));
}
} else {
client.uploadDependencyTrackFindings(apiKey.getPropertyValue(), engagementId.getPropertyValue(), payload);
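Review bot: `isDoNotReactivateConfigured` in the second hunk repeats the lookup-and-parse shape of `isReimportConfigured` directly above it, differing only in the property-name constant, and its `if (reactivate != null) { return … } else { return false; }` collapses to one expression. Extracting a private helper that both methods delegate to keeps the next per-project flag from copying the block a third time; `isReimportConfigured` could delegate the same way, though most of its body lies outside the hunk. The new public method also has no Javadoc; a one-liner such as `Reports whether the per-project "defectdojo.doNotReactivate" property is set to true; an absent property or any value other than "true" counts as false.` would do, and it is worth noting there that the flag is only consulted on the reimport path (see the `upload` hunk), matching the documentation's "only works in combination with reimport".

```java
public boolean isDoNotReactivateConfigured(final Project project) {
    return isBooleanPropertyEnabled(project, DO_NOT_REACTIVATE_PROPERTY);
}

// Reads a per-project property and treats it as a flag: absent or non-"true" values are false.
private boolean isBooleanPropertyEnabled(final Project project, final String propertyName) {
    final ProjectProperty property = qm.getProjectProperty(project, DEFECTDOJO_ENABLED.getGroupName(), propertyName);
    return property != null && Boolean.parseBoolean(property.getPropertyValue());
}
```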
Expand Up @@ -85,7 +85,7 @@ public void testReimportFindingsPositiveCase() throws Exception {
withBody(WireMock.equalTo(engagementId))).willReturn(WireMock.aResponse().withStatus(201).withHeader(HttpHeaders.CONTENT_TYPE, "application/json")));
DefectDojoUploader uploader = new DefectDojoUploader();
DefectDojoClient client = new DefectDojoClient(uploader, new URL(wireMockRule.baseUrl() + "/defectdojo"));
client.reimportDependencyTrackFindings(token, engagementId, new NullInputStream(0), testId);
client.reimportDependencyTrackFindings(token, engagementId, new NullInputStream(0), testId, false);
WireMock.verify(WireMock.postRequestedFor(WireMock.urlPathEqualTo("/defectdojo/api/v2/reimport-scan/"))
.withAnyRequestBodyPart(WireMock.aMultipart().withName("engagement").
withBody(WireMock.equalTo(engagementId)
Expand All @@ -103,7 +103,7 @@ public void testReimportFindingsNegativeCase() throws Exception {
withBody(WireMock.equalTo(""))).willReturn(WireMock.aResponse().withStatus(400).withHeader(HttpHeaders.CONTENT_TYPE, "application/json")));
DefectDojoUploader uploader = new DefectDojoUploader();
DefectDojoClient client = new DefectDojoClient(uploader, new URL(wireMockRule.baseUrl() + "/defectdojo"));
client.reimportDependencyTrackFindings(token, engagementId, new NullInputStream(16), testId);
client.reimportDependencyTrackFindings(token, engagementId, new NullInputStream(16), testId, false);
WireMock.verify(WireMock.postRequestedFor(WireMock.urlPathEqualTo("/defectdojo/api/v2/reimport-scan/"))
.withAnyRequestBodyPart(WireMock.aMultipart().withName("engagement").
withBody(WireMock.equalTo(engagementId)
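Review bot: Both updated calls pass `false` for the new parameter, but the `WireMock.verify` that follows each one still checks only the `engagement` multipart part, so the commit's actual change — the `do_not_reactivate` part on the reimport request — is never asserted, and a regression that dropped or misspelled that part name would still pass. In `testReimportFindingsPositiveCase` (first hunk), add a part assertion to the verify chain such as `.withAnyRequestBodyPart(WireMock.aMultipart().withName("do_not_reactivate").withBody(WireMock.equalTo("false")))`, and consider a further case that passes `true`, since that is the value that changes DefectDojo's behavior. The same applies to `testReimportFindingsNegativeCase` in the second hunk. Both test methods continue outside their hunks.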
