Parsers
All commands assume that you’re located at the root of the django-DefectDojo cloned repo.
Pre-requisites
- You have forked https://github.com/DefectDojo/django-DefectDojo and cloned locally.
- Checkout
dev
and make sure you’re up to date with the latest changes. - It’s advised that you create a dedicated branch for your development, such as
git checkout -b parser-name
.
It is easiest to use the docker compose deployment as it has hot-reload capbility for uWSGI. Set up your environment to use the dev environment:
$ docker/setEnv.sh dev
Please have a look at DOCKER.md for more details.
Docker images
You will want to build your docker images locally, and eventually pass in your local user’s uid
to be able to write to the image (handy for database migration files). Assuming your user’s uid
is 1000
, then:
$ docker compose build --build-arg uid=1000
Which files do you need to modify?
File | Purpose |
---|---|
dojo/tools/<parser_dir>/__init__.py | Empty file for class initialization |
dojo/tools/<parser_dir>/parser.py | The meat. This is where you write your actual parser. The class name must be the Python module name without underscores plus Parser . Example: When the name of the Python module is dependency_check , the class name shall be DependencyCheckParser |
unittests/scans/<parser_dir>/{many_vulns,no_vuln,one_vuln}.json | Sample files containing meaningful data for unit tests. The minimal set. |
unittests/tools/test_<parser_name>_parser.py | Unit tests of the parser. |
dojo/settings/settings.dist.py | If you want to use a modern hashcode based deduplication algorithm |
doc/content/en/integrations/parsers/<file/api>/<parser_file>.md | Documentation, what kind of file format is required and how it should be obtained |
Factory contract
Parsers are loaded dynamicaly with a factory pattern. To have your parser loaded and works correctly, you need to implement the contract.
- your parser MUST be in a sub-module of module
dojo.tools
- ex:
dojo.tools.my_tool.parser
module
- ex:
- your parser MUST be a class in this sub-module.
- ex:
dojo.tools.my_tool.parser.MyToolParser
- ex:
- The name of this class MUST be the Python module name without underscores and with
Parser
suffix.- ex:
dojo.tools.my_tool.parser.MyToolParser
- ex:
- This class MUST have an empty constructor or no constructor
- This class MUST implement 3 methods:
def get_scan_types(self)
This function return a list of all the scan_type supported by your parser. This identifiers are used internally. Your parser can support more than one scan_type. For example some parsers use different identifier to modify the behavior of the parser (aggregate, filter, etc…)def get_label_for_scan_types(self, scan_type):
This function return a string used to provide some text in the UI (short label)def get_description_for_scan_types(self, scan_type):
This function return a string used to provide some text in the UI (long description)def get_findings(self, file, test)
This function return a list of findings
- If your parser have more than 1 scan_type (for detailled mode) you MUST implement
def set_mode(self, mode)
method
Example:
API Parsers
DefectDojo has a limited number of API parsers. While we won’t remove these connectors, adding API connectors has been problematic and thus we cannot accept new API parsers / connectors from the community at this time for supportability reasonsing. To maintain a high quality API connector, it is necessary to have a license to the tool. To get that license requires partnership with the author or vendor. We’re close to announcing a new program to help address this and bring API connectors to DefectDojo.
Template Generator
Use the template parser to quickly generate the files required. To get started you will need to install cookiecutter.
$ pip install cookiecutter
Then generate your scanner parser from the root of django-DefectDojo:
$ cookiecutter https://github.com/DefectDojo/cookiecutter-scanner-parser
Read more on the template configuration variables.
Things to pay attention to
Here is a list of considerations that will make the parser robust for both common cases and edge cases.
Do not parse URLs by hand
We use 2 modules to handle endpoints:
hyperlink
dojo.models
with a specific class to handle processing around URLs to create endpointsEndpoint
.
All the existing parser use the same code to parse URL and create endpoints.
Using Endpoint.from_uri()
is the best way to create endpoints.
If you really need to parse an URL, use hyperlink
module.
Good example:
Very bad example:
Use the right libraries to parse information
Various file formats are handled through libraries. In order to keep DefectDojo slim and also don’t extend the attack surface, keep the number of libraries used minimal and take other parsers as an example.
defusedXML in favour of lxml
As xml is by default an unsecure format, the information parsed from various xml output has to be parsed in a secure way. Within an evaluation, we determined that defusedXML is the library which we will use in the future to parse xml files in parsers as this library is rated more secure. Thus, we will only accept PRs with the defusedxml library.
Not all attributes are mandatory
Parsers may have many fields, out of which many of them may be optional.
It better to not set attribute if you don’t have data instead of filling with values like NA
, No data
etc…
Check class dojo.models.Finding
Data could be missing in the source report
Always make sure you include checks to avoid potential KeyError
errors (e.g. field does not exist), for those fields you are not absolutely certain will always be in file that will get uploaded. These translate to 500 error, and do not look good.
Good example:
Do not parse CVSS by hand (vector, score or severity)
Data can have CVSS
vectors or scores. Don’t write your own CVSS score algorithm.
For parser, we rely on module cvss
.
It’s easy to use and will make the parser aligned with the rest of the code.
Example of use:
Good example:
Bad example (DIY):
Deduplication algorithm
By default a new parser uses the ’legacy’ deduplication algorithm documented at https://documentation.defectdojo.com/usage/features/#deduplication-algorithms
Please use a pre-defined deduplication algorithm where applicable.
Unit tests
Each parser must have unit tests, at least to test for 0 vuln, 1 vuln and many vulns. You can take a look at how other parsers have them for starters. The more quality tests, the better.
It’s important to add checks on attributes of findings. For ex:
Use with to open example files
In order to make certain that file handles are closed properly, please use the with pattern to open files. Instead of:
use:
This ensures the file is closed at the end of the with statement, even if an exception occurs somewhere in the block.
Test database
To test your unit tests locally, you first need to grant some rights. Get your MySQL root password from the docker compose logs, login as root and issue the following commands:
MYSQL> grant all privileges on test_defectdojo.* to defectdojo@'%';
MYSQL> flush privileges;
Run your tests
This local command will launch the unit test for your new parser
$ docker compose exec uwsgi bash -c 'python manage.py test unittests.tools.<your_unittest_py_file>.<main_class_name> -v2'
or like this:
$ ./dc-unittest.sh --test-case unittests.tools.<your_unittest_py_file>.<main_class_name>
Example for the blackduck hub parser:
$ docker compose exec uwsgi bash -c 'python manage.py test unittests.tools.test_blackduck_csv_parser.TestBlackduckHubParser -v2'
or like this:
$ ./dc-unittest.sh --test-case unittests.tools.test_blackduck_csv_parser.TestBlackduckHubParser
If you want to run all unit tests, simply run $ docker-compose exec uwsgi bash -c 'python manage.py test unittests -v2'
Endpoint validation
Some types of parsers create a list of endpoints that are vulnerable (they are stored in finding.unsaved_endpoints
). DefectDojo requires storing endpoints in a specific format (which follow RFCs). Endpoints that do not follow this format can be stored but they will be marked as broken (red flag 🚩in UI). To be sure your parse store endpoints in the correct format run the .clean()
function for all endpoints in unit tests
Tests API Parsers
Not only parser but also importer should be tested.
patch
method from unittest.mock
is usualy usefull for simulating API responses.
It is highly recommeded to use it.
Other files that could be involved
Change to the model
In the event where you’d have to change the model, e.g. to increase a database column size to accomodate a longer string of data to be saved
Change what you need in
dojo/models.py
Create a new migration file in dojo/db_migrations by running and including as part of your PR
$ docker compose exec uwsgi bash -c 'python manage.py makemigrations -v2'
Accept a different type of file to upload
If you want to be able to accept a new type of file for your parser, take a look at dojo/forms.py
around line 436 (at the time of this writing) or locate the 2 places (for import and re-import) where you find the string attrs={"accept":
.
Formats currently accepted: .xml, .csv, .nessus, .json, .html, .js, .zip.
A need for more than just the parser.py
Of course, nothing prevents you from having more files than the parser.py
file. It’s python :-)
Pull request examples
If you want to take a look at previous parsers that are now part of DefectDojo, take a look at https://github.com/DefectDojo/django-DefectDojo/pulls?q=is%3Apr+sort%3Aupdated-desc+label%3A%22Import+Scans%22+is%3Aclosed
Update the import page documentation
Please add a new .md file in [docs/content/en/integrations/parsers
] with the details of your new parser. Include the following content headings:
- Acceptable File Type(s) - please include how to generate this type of file from the related tool, as some tools have multiple methods or require specific commands.
- An example unit test block, if applicable.
- A link to the relevant unit tests folder so that users can quickly navigate there from Documentation.
- A link to the scanner itself - (e.g. GitHub or vendor link)
Here is an example of a completed Parser documentation page: https://defectdojo.github.io/django-DefectDojo/integrations/parsers/file/awssecurityhub/