def dojo_connection(host, api_key, user, proxy=None):
if proxy is not None:
proxies = {
'http': 'http://' + proxy,
'https': 'http://' + proxy,
}
print proxy
# Instantiate the DefectDojo api wrapper
dd = defectdojo.DefectDojoAPI(host,
api_key,
user,
proxies=proxies,
verify_ssl=False,
timeout=360,
debug=True)
else:
dd = defectdojo.DefectDojoAPI(host,
api_key,
user,
verify_ssl=False,
timeout=360,
debug=False)
return dd
def Defect_Dojo_Output(Title, Description):
DD_Details = Load_Defect_Dojo_Configuration()
if DD_Details:
try:
Impact = 'All Scrummage findings have the potential to cause significant damage to a business\' finances, efficiency and reputation. Therefore, findings should be investigated to assist in reducing this risk.'
Mitigation = 'It is recommended that this issue be investigated further by the security team to determine whether or not further action needs to be taken.'
DD_Connection = defectdojo.DefectDojoAPI(DD_Details[1],
DD_Details[0],
DD_Details[2],
debug=False)
Finding = DD_Connection.create_finding(
Title, Description, 'Low', '',
str(datetime.datetime.now().strftime(
'%Y-%m-%d %H:%M:%S').strftime('%Y-%m-%d')), DD_Details[4],
DD_Details[3], DD_Details[5], DD_Details[6], Impact, True,
False, Mitigation)
try:
Finding = str(int(str(Finding)))
logging.info(
f"{Date()} Connectors Library - DefectDojo finding {Finding} created."
)
except:
logging.info(
f"{Date()} Connectors Library - Failed to create DefectDojo finding."
)
except (Exception, psycopg2.DatabaseError) as Error:
logging.warning(Date() + str(Error))
def __init__(self):
"""
Init method
"""
self.defect_dojo = defectdojo.DefectDojoAPI(DEFECT_DOJO_HOST,
DEFECT_DOJO_API_KEY,
DEFECT_DOJO_USERNAME,
debug=False)
def setUp(self):
host = 'http://localhost:8000'
api_key = os.environ['DOJO_API_KEY']
user = '******'
"""
proxies = {
'http': 'http://localhost:8080',
'https': 'http://localhost:8080',
}
proxies=proxies
"""
self.dd = defectdojo.DefectDojoAPI(host, api_key, user, debug=False)
def dojo_connection(host, api_key, user, proxy):
#Optionally, specify a proxy
proxies = None
if proxy:
proxies = {
'http': proxy,
'https': proxy,
}
# Instantiate the DefectDojo api wrapper
dd = defectdojo.DefectDojoAPI(host, api_key, user, proxies=proxies, verify_ssl=False, timeout=360, debug=False)
return dd
def dojo_connection(host, api_key, user):
#Optionally, specify a proxy
proxies = {
'http': 'http://localhost:8081',
'https': 'http://localhost:8081',
}
#if DEBUG:
# Instantiate the DefectDojo api wrapper
dd = defectdojo.DefectDojoAPI(host, api_key, user, proxies=proxies, verify_ssl=False, timeout=360, debug=False)
#else:
# dd = defectdojo.DefectDojoAPI(host, api_key, user, verify_ssl=False, timeout=360, debug=False)
return dd
def run(self, testid, scantype):
# check params
print("testid = {}".format(testid))
print("scan type = {}".format(scantype))
# instantiate the DefectDojo api wrapper
dd = defectdojo.DefectDojoAPI(host, api_key, user, debug=True)
if scantype == 'Nmap Scan':
filepath = "/opt/stackstorm/scan_results/nmap/nmap_standard.xml"
elif scantype == 'Burp Scan':
filepath = "/opt/stackstorm/scan_results/burp/burp_scan.xml"
elif scantype == 'Nessus Scan':
filepath = "/opt/stackstorm/scan_results/nessus/nessus_scan.xml"
# perform upload request + print response
upload_scan = dd.reupload_scan(testid, scantype, filepath, "true",
"2024/1/1", "API")
print("Test number: {}".format(upload_scan))
# @p3r1c0
from defectdojo_api import defectdojo
import os, traceback
import psycopg2
import psycopg2.extras
from datetime import datetime, timedelta
# setup DefectDojo connection information
global api
defectdojo_url = os.getenv('DEFECTDOJO_URL')
defectdojo_api_key = os.getenv('DD_API_KEY')
defectdojo_user = os.getenv('DEFECTDOJO_USER')
# instantiate the DefectDojo api wrapper
api = defectdojo.DefectDojoAPI(defectdojo_url,
defectdojo_api_key,
defectdojo_user,
debug=False)
# method to get the connection directly with dd bbdd
def get_connection_defect():
conn = None
try:
conn = psycopg2.connect(dbname=os.getenv('DEFECT_BBDD_NAME'),
user=os.getenv('DEFECT_BBDD_USER'),
password=os.getenv('DEFECT_PASS'),
host=os.getenv('DEFECT_BBDD_HOST'),
port=os.getenv('DEFECT_BBDD_PORT'),
sslmode='require')
return conn
def _createDojoFindings():
try:
from defectdojo_api import defectdojo
defect_api = defectdojo.DefectDojoAPI(os.getenv('DEFECTDOJO_HOST'),
os.getenv('DEFECTDOJO_APIKEY'),
os.getenv('DEFECTDOJO_USER'),
debug=False)
except ImportError:
criticalMsg = "The DefectDojo library is not installed. Install it with 'pip install git+https://github.com/kn0wm4d/defectdojo_api.git'."
logger.critical(criticalMsg)
return None
except TypeError:
criticalMsg = "The DefectDojo environment variables are not set."
logger.critical(criticalMsg)
return None
# Get Engagement from DefectDojo
engagement = defect_api.get_engagement(conf.engagementDojo)
if engagement.response_code == -1:
criticalMsg = "This DefectDojo Engagement doesn\'t exist. "
logger.critical(criticalMsg)
return None
# Get the Product ID related to this Engagement
product_id = re.match('/api/v1/products/(.*)/',
engagement.data['product'])[1]
# List all tests on this engagement
tests = defect_api.list_tests(engagement_in=engagement.data['id'])
# Get list of SQLMap Tests on this engagement
tests_sqlmap = [
test for test in tests.data['objects']
if test['test_type'] == "SQLMap Scan"
]
if any(tests_sqlmap):
# If an SQLMap Test exists, get the first one
test_id = tests_sqlmap[0]['id']
if not any(tests_sqlmap):
# If not, create an SQLMap test for this engagement
test_type = defect_api.list_test_types(name="SQLMap Scan")
if test_type.count() > 0:
# Get SQLMap Test Type ID
test_type = test_type.data['objects'][0]['id']
else:
# If it doesn't exist, tell the user to create it
criticalMsg = "Please first create SQLMap Scan test type on DefectDojo."
logger.critical(criticalMsg)
return None
# Finally, create the SQLMap Test in this Engagement
test_id = defect_api.create_test(
environment=1,
target_start=engagement.data['target_start'],
target_end=engagement.data['target_end'],
engagement_id=engagement.data['id'],
test_type=test_type).data
for injection in kb.injections:
for stype, sdata in injection.data.items():
title = 'SQL Injection - (%s)' % PAYLOAD.SQLINJECTION[stype]
payload = agent.adjustLateValues(sdata.payload)
payload = urldecode(payload,
unsafe="&",
spaceplus=(injection.place != PLACE.GET
and kb.postSpaceToPlus))
description = 'Injection Type: %s\nVulnerable URL: %s %s\nCookie: %s\nOriginal Payload: %s\nPayload: %s' % (
sdata.title.title(), injection.place, conf.url, conf.cookie,
conf.data, payload)
severity = "Critical"
# Create the Finding on DefectDojo
finding = defect_api.create_finding(
title,
description,
severity,
cwe=89,
date=time.strftime("%Y-%m-%d", time.gmtime()),
product_id=product_id,
engagement_id=engagement.data['id'],
test_id=test_id,
user_id=1,
impact="Integrity, Confidentiality",
active="True",
verified="True",
mitigation=
"https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet",
references=
"https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet"
).data
infoMsg = 'uploaded finding to DefectDojo: %sfinding/%s' % (
os.getenv('DEFECTDOJO_HOST'), finding)
logger.info(infoMsg)
# Setup DefectDojo connection information
host = 'http://localhost:8000'
api_key = os.environ['DOJO_API_KEY']
user = '******'
#Optionally, specify a proxy
proxies = {
'http': 'http://localhost:8080',
'https': 'http://localhost:8080',
}
#proxies=proxies
# Instantiate the DefectDojo api wrapper
dd = defectdojo.DefectDojoAPI(host,
api_key,
user,
proxies=proxies,
debug=False)
# List Tool Types
tool_types = dd.list_tool_types()
#print "Configured Tool Types"
#print tool_types.data_json(pretty=True)
list_credential_mappings = dd.list_credential_mappings(product_id_in=2)
print "Creds"
#print list_credential_mappings.data_json(pretty=True)
for cred in list_credential_mappings.data["objects"]:
print cred["id"]
# Setup DefectDojo connection information
host = 'http://localhost:8000'
api_key = os.environ['DOJO_API_KEY']
user = '******'
#Optionally, specify a proxy
proxies = {
'http': 'http://localhost:8080',
'https': 'http://localhost:8080',
}
#proxies=proxies
# Instantiate the DefectDojo api wrapper
dd = defectdojo.DefectDojoAPI(host, api_key, user, debug=False)
# List Tool Types
tool_types = dd.list_tool_types()
#print "Configured Tool Types"
#print tool_types.data_json(pretty=True)
list_credential_mappings = dd.list_credential_mappings()
print "CredMappings"
print list_credential_mappings.data_json(pretty=True)
list_credentials = dd.list_credentials()
print "Creds"
print list_credentials.data_json(pretty=True)
