Generic Findings Import

Import Generic findings in CSV or JSON format.

Attributes supported for CSV:

  • Date: Date of the finding in mm/dd/yyyy format.
  • Title: Title of the finding
  • CweId: CWE identifier. Must be an integer value.
  • Url: URL associated with the finding.
  • Severity: Severity of the finding. Must be one of Info, Low, Medium, High, or Critical.
  • Description: Description of the finding. Can be multiple lines if enclosed in double quotes.
  • Mitigation: Possible Mitigations for the finding. Can be multiple lines if enclosed in double quotes.
  • Impact: Detailed impact of the finding. Can be multiple lines if enclosed in double quotes.
  • References: References associated with the finding. Can be multiple lines if enclosed in double quotes.
  • Active: Indicator if the finding is active. Must be empty, TRUE, or FALSE.
  • Verified: Indicator if the finding has been verified. Must be empty, TRUE, or FALSE.
  • FalsePositive: Indicator if the finding is a false positive. Must be TRUE or FALSE.
  • Duplicate: Indicator if the finding is a duplicate. Must be TRUE or FALSE.
  • IsMitigated: Indicator if the finding is mitigated. Must be TRUE or FALSE.
  • MitigatedDate: Date the finding was mitigated in mm/dd/yyyy format or ISO format
  • epss_score: Finding EPSS score
  • epss_percentile: Finding EPSS percentile
  • CVSSV3: CVSSv3 vector of the finding
  • CVSSV3_score: CVSSv3 score of the finding
  • CVSSV4: CVSSv4 vector of the finding
  • CVSSV4_score: CVSSv4 score of the finding
  • known_exploited: Indicator if the finding is listed in the Known Exploited Vulnerabilities list. Must be TRUE or FALSE.
  • ransomware_used: Indicator if the finding is known to be used in ransomware. Must be TRUE or FALSE.
  • fix_available: Indicator if a fix is available for the finding. Must be TRUE or FALSE.
  • kev_date: Date the finding was added to Known Exploited Vulnerabilities list in mm/dd/yyyy format or ISO format.

The CSV expects a header row with the names of the attributes.

Date fields are parsed using dateutil.parse, which supports a variety of formats such as YYYY-MM-DD or ISO-8601.

The list of supported fields in JSON format:

  • title: Required. String
  • severity: Required. One of “Critical”, “High”, “Medium”, “Low”, “Info”
  • description: Required. String
  • date: Date
  • cwe: Int
  • cve: String
  • epss_score: Float
  • epss_percentile: Float
  • cvssv3: String
  • cvssv3_score: Float
  • cvssv4: String
  • cvssv4_score: Float
  • mitigation: String
  • impact: String
  • steps_to_reproduce: String
  • severity_justification: String
  • references: String
  • active: Bool
  • verified: Bool
  • false_p: Bool
  • out_of_scope: Bool
  • risk_accepted: Bool
  • under_review: Bool
  • is_mitigated: Bool
  • thread_id: String
  • mitigated: Bool
  • numerical_severity: Int
  • param: String
  • payload: String
  • line: Int
  • file_path: String
  • component_name: String
  • component_version: String
  • static_finding: Bool
  • dynamic_finding: Bool
  • scanner_confidence: Int
  • unique_id_from_tool: String
  • vuln_id_from_tool: String
  • sast_source_object: String
  • sast_sink_object: String
  • sast_source_line: Int
  • sast_source_file_path: String
  • nb_occurences: Int
  • publish_date: Date
  • service: String
  • planned_remediation_date: Date
  • planned_remediation_version: String
  • effort_for_fixing: One of “High”, “Medium”, “Low”
  • tags: List of Strings
  • kev_date: Date
  • known_exploited: Bool
  • ransomware_used: Bool
  • fix_available: Bool

Example of JSON format:

{
    "findings": [
        {
            "title": "test title with endpoints as dict",
            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau",
            "severity": "Medium",
            "mitigation": "Some mitigation",
            "date": "2021-01-06",
            "cve": "CVE-2020-36234",
            "cwe": 261,
            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "cvssv4": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "cvssv4_score": 7.3,
            "known_exploited": true,
            "ransomware_used": true,
            "fix_available": true,
            "kev_date": "2024-05-01",
            "file_path": "src/first.cpp",
            "line": 13,
            "endpoints": [
                {
                    "host": "exemple.com"
                }
            ],
            "tags": [
                "security",
                "myTag"
            ]
        },
        {
            "title": "test title with endpoints as strings",
            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
            "severity": "Critical",
            "mitigation": "Some mitigation",
            "date": "2021-01-06",
            "cve": "CVE-2020-36235",
            "cwe": 287,
            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "file_path": "src/two.cpp",
            "line": 135,
            "endpoints": [
                "http://urlfiltering.paloaltonetworks.com/test-command-and-control",
                "https://urlfiltering.paloaltonetworks.com:2345/test-pest"
            ]
        },
        {
            "title": "test title",
            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
            "severity": "Critical",
            "mitigation": "Some mitigation",
            "date": "2021-01-06",
            "cve": "CVE-2020-36236",
            "cwe": 287,
            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "file_path": "src/threeeeeeeeee.cpp",
            "line": 1353
        },
        {
            "title": "test title mitigated",
            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
            "severity": "Critical",
            "mitigation": "Some mitigation",
            "date": "2021-01-06",
            "cve": "CVE-2020-36236",
            "cwe": 287,
            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "file_path": "src/threeeeeeeeee.cpp",
            "line": 1353,
            "is_mitigated": true,
            "mitigated": "2021-01-16"
        },
        {
            "title": "test title mitigated ISO",
            "description": "Some very long description with\n\n some UTF-8 chars à qu'il est beau2",
            "severity": "Critical",
            "mitigation": "Some mitigation",
            "date": "2024-01-04T11:02:11Z",
            "cve": "CVE-2020-36236",
            "cwe": 287,
            "cvssv3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "file_path": "src/threeeeeeeeee.cpp",
            "line": 1353,
            "is_mitigated": true,
            "mitigated": "2024-01-24T11:02:11Z"
        }
    ]
}
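
The CSV attribute list above and the JSON field list are two spellings of the same finding record. As an added example (not part of DefectDojo or this page), the following converts a CSV document with a header row into the JSON findings structure, applying the rules stated on this page: CweId must be an integer, Severity must be one of the five listed values, the boolean columns accept only TRUE/FALSE (empty leaves the field unset), and dates may be mm/dd/yyyy or ISO-8601. The column-to-key mapping and the sample CSV are this example's own assumptions.

```python
import csv, io
from datetime import datetime

SEVERITIES = ("Info", "Low", "Medium", "High", "Critical")
# CSV column -> JSON key: most columns simply lowercase; these four are renamed (assumed mapping).
RENAME = {"CweId": "cwe", "FalsePositive": "false_p", "IsMitigated": "is_mitigated", "MitigatedDate": "mitigated"}
DATES = {"date", "mitigated", "kev_date"}
BOOLS = {"active", "verified", "false_p", "duplicate", "is_mitigated", "known_exploited", "ransomware_used", "fix_available"}
FLOATS = {"epss_score", "epss_percentile", "cvssv3_score", "cvssv4_score"}


def parse_date(value):  # accept mm/dd/yyyy or ISO-8601 (date or datetime); return an ISO date string
    try:
        return datetime.strptime(value, "%m/%d/%Y").date().isoformat()
    except ValueError:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).date().isoformat()


def csv_row_to_finding(row):
    """Map one CSV row (a csv.DictReader dict) onto the JSON finding keys, coercing and checking values."""
    finding = {}
    for col, raw in row.items():
        value = (raw or "").strip()
        if value == "":
            continue  # an empty cell leaves the field unset (the page allows this for Active/Verified)
        key = RENAME.get(col, col.lower())
        if key in DATES:
            finding[key] = parse_date(value)
        elif key in FLOATS:
            finding[key] = float(value)
        elif key == "cwe":
            finding[key] = int(value)  # CweId must be an integer
        elif key in BOOLS:
            if value.upper() not in ("TRUE", "FALSE"):
                raise ValueError(f"{col}: expected TRUE or FALSE, got {value!r}")
            finding[key] = value.upper() == "TRUE"
        elif key == "severity" and value not in SEVERITIES:
            raise ValueError(f"Severity: expected one of {SEVERITIES}, got {value!r}")
        else:
            finding[key] = value  # free-text columns (Title, Description, CVSSV3 vector, ...)
    missing = [k for k in ("title", "severity", "description") if k not in finding]
    if missing:
        raise ValueError(f"missing required field(s): {missing}")
    return finding


def csv_to_findings(text):  # the header row names the columns, as the page requires
    return {"findings": [csv_row_to_finding(r) for r in csv.DictReader(io.StringIO(text))]}


SAMPLE_CSV = """Date,Title,CweId,Severity,Description,Active,Verified,IsMitigated,MitigatedDate,CVSSV3_score
01/06/2021,SQL injection in login,89,High,"Line one
line two",TRUE,,TRUE,2024-01-24T11:02:11Z,8.1
"""  # constructed sample, not from the page: quoted multi-line description, empty Verified cell, two date styles
```

Feed the result to json.dumps to obtain a document in the JSON shape shown above; a row that violates a rule raises ValueError naming the column instead of being imported silently.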

This parser also supports a files attribute whose entries carry file contents as Base64 strings. These files are attached to the respective findings.

Example:

{
    "name": "My wonderful report",
    "findings": [
        {
            "title": "Vuln with image",
            "description": "Some very long description",
            "severity": "Medium",
            "files": [
                {
                    "title": "Screenshot from 2017-04-10 16-54-19.png",
                    "data": "iVBORw0KGgoAAAANSUhEUgAABWgAAAK0CAIAAAARSkPJAAAAA3N<...>TkSuQmCC"
                }
            ]
        }
    ]
}

This parser also supports the attributes name and type, which can be used to define the Test Type. Based on this type, you can define custom HASHCODE_FIELDS or DEDUPLICATION_ALGORITHM entries in the settings.

Example:

{
    "name": "My wonderful report",
    "type": "My custom Test type",
    "findings": [
    ]
}

Sample Scan Data

Sample Generic Findings Import scans can be found here.

Default Deduplication Hashcode Fields

By default, DefectDojo identifies duplicate Findings using these hashcode fields:

  • title
  • cwe
  • line
  • file_path
  • description