API Upload Example

aaronweaver · aaronweaver · commit 7e08907642fb · 2016-12-01T16:05:32.000-05:00
diff --git a/defectdojo_api/defectdojo.py b/defectdojo_api/defectdojo.py
@@ -9,7 +9,7 @@
 class DefectDojoAPI(object):
     """An API wrapper for DefectDojo."""
 
-    def __init__(self, host, api_key, user, api_version='v1', verify_ssl=True, timeout=30, proxies=None, user_agent=None, cert=None, debug=False):
+    def __init__(self, host, api_key, user, api_version='v1', verify_ssl=True, timeout=60, proxies=None, user_agent=None, cert=None, debug=False):
         """Initialize a DefectDojo API instance.
 
         :param host: The URL for the DefectDojo server. (e.g., http://localhost:8000/DefectDojo/)
@@ -111,7 +111,7 @@ def get_user(self, user_id):
         return self._request('GET', 'users/' + str(user_id) + '/')
 
     ###### Engagements API #######
-    def list_engagements(self, product_in=None,limit=20):
+    def list_engagements(self, status=None, product_in=None,limit=20):
         """Retrieves all the engagements.
 
         :param product_in: List of product ids (1,2).
@@ -126,6 +126,9 @@ def list_engagements(self, product_in=None,limit=20):
         if product_in:
             params['product__in'] = product_in
 
+        if status:
+            params['status'] = status
+
         return self._request('GET', 'engagements/', params)
 
     def get_engagement(self, engagement_id):
@@ -401,7 +404,7 @@ def set_test(self, test_id, engagement_id=None, test_type=None, environment=None
     ###### Findings API #######
     def list_findings(self, active=None, duplicate=None, mitigated=None, severity=None, verified=None, severity_lt=None,
         severity_gt=None, severity_contains=None, title_contains=None, url_contains=None, date_lt=None,
-        date_gt=None, date=None, product_id_in=None, engagement_id_in=None, test_in=None, limit=20):
+        date_gt=None, date=None, product_id_in=None, engagement_id_in=None, test_id_in=None, limit=20):
 
         """Returns filtered list of findings.
 
@@ -474,8 +477,8 @@ def list_findings(self, active=None, duplicate=None, mitigated=None, severity=No
         if product_id_in:
             params['product__id__in'] = product_id_in
 
-        if test_in:
-            params['test__in'] = test_in
+        if test_id_in:
+            params['test__id__in'] = test_id_in
 
         return self._request('GET', 'findings/', params)
 
@@ -598,7 +601,7 @@ def set_finding(self, finding_id, product_id, engagement_id, test_id, title=None
 
     ##### Upload API #####
 
-    def upload_scan(self, engagement_id, scan_type, file_path, active, scan_date, tags):
+    def upload_scan(self, engagement_id, scan_type, file, active, scan_date, tags=None):
         """Uploads and processes a scan file.
 
         :param application_id: Application identifier.
@@ -607,8 +610,8 @@ def upload_scan(self, engagement_id, scan_type, file_path, active, scan_date, ta
         """
 
         data = {
-            'file': open(file_path, 'rb'),
-            'eid': ('', str(engagement_id)),
+            'file': open(file, 'rb'),
+            'engagement': ('', self.get_engagement_uri(engagement_id)),
             'scan_type': ('', scan_type),
             'active': ('', active),
             'scan_date': ('', scan_date),
diff --git a/examples/dojo_ci_cd.py b/examples/dojo_ci_cd.py
@@ -0,0 +1,143 @@
+"""
+Example written by Aaron Weaver <aaron.weaver@owasp.org>
+as part of the OWASP DefectDojo and OWASP AppSec Pipeline Security projects
+
+Description: CI/CD example for DefectDojo
+"""
+from defectdojo_api import defectdojo
+from datetime import datetime, timedelta
+import os
+import argparse
+
+# Setup DefectDojo connection information
+host = 'http://localhost:8000'
+api_key = os.environ['DOJO_API_KEY']
+user = 'admin'
+
+#Optionally, specify a proxy
+proxies = {
+  'http': 'http://localhost:8080',
+  'https': 'http://localhost:8080',
+}
+"""
+proxies=proxies
+"""
+
+def sum_severity(findings):
+    severity = [0,0,0,0,0]
+    for finding in findings.data["objects"]:
+        if finding["severity"] == "Critical":
+            severity[4] = severity[4] + 1
+        if finding["severity"] == "High":
+            severity[3] = severity[3] + 1
+        if finding["severity"] == "Medium":
+            severity[2] = severity[2] + 1
+        if finding["severity"] == "Info":
+            severity[1] = severity[1] + 1
+
+    return severity
+
+def print_findings(findings):
+    print "Critical: " + str(findings[4])
+    print "High: " + str(findings[3])
+    print "Medium: " + str(findings[2])
+    print "Low: " + str(findings[1])
+    print "Info: " + str(findings[0])
+
+def create_findings(product_id, user_id, file, scanner, engagement_id=None, max_critical=0, max_high=0, max_medium=0):
+    # Instantiate the DefectDojo api wrapper
+    dd = defectdojo.DefectDojoAPI(host, api_key, user, proxies=proxies, timeout=90, debug=False)
+
+    # Workflow as follows:
+    # 1. Scan tool is run against build
+    # 2. Reports is saved from scan tool
+    # 3. Call this script to load scan data, specifying scanner type
+    # 4. Script returns along with a pass or fail results: Example: 2 new critical vulns, 1 low out of 10 vulnerabilities
+
+    #Specify the product id
+    product_id = product_id
+    engagement_id = None
+    user_id = 1
+
+    # Check for a CI/CD engagement_id
+    engagements = dd.list_engagements(product_in=product_id, status="In Progress")
+    if engagements.success:
+        for engagement in engagements.data["objects"]:
+            if "Recurring CI/CD Integration" == engagement['name']:
+                engagement_id = engagement['id']
+
+    # Engagement doesn't exist, create it
+    if engagement_id == None:
+        start_date = datetime.now()
+        end_date = start_date+timedelta(days=180)
+
+        engagement_id = dd.create_engagement("Recurring CI/CD Integration", product_id, user_id,
+        "In Progress", start_date.strftime("%Y-%m-%d"), end_date.strftime("%Y-%m-%d"))
+
+    # Upload the scanner export
+    dir_path = os.path.dirname(os.path.realpath(__file__))
+
+    print "Uploading scanner data."
+    date = datetime.now()
+    upload_scan = dd.upload_scan(engagement_id, scanner, dir_path + file, "true", date.strftime("%Y/%m/%d"), "API")
+
+    if upload_scan.success:
+        test_id = upload_scan.id()
+    else:
+        print upload_scan.message
+
+    findings = dd.list_findings(engagement_id_in=engagement_id, duplicate="false", active="true", verified="true")
+    print"=============================================="
+    print "Total Number of Vulnerabilities: " + str(findings.data["meta"]["total_count"])
+    print"=============================================="
+    print_findings(sum_severity(findings))
+    print
+    findings = dd.list_findings(test_id_in=test_id, duplicate="true")
+    print"=============================================="
+    print "Total Number of Duplicate Findings: " + str(findings.data["meta"]["total_count"])
+    print"=============================================="
+    print_findings(sum_severity(findings))
+    print
+    findings = dd.list_findings(test_id_in=test_id, duplicate="false")
+    print"=============================================="
+    print "Total Number of New Findings: " + str(findings.data["meta"]["total_count"])
+    print"=============================================="
+    sum_new_findings = sum_severity(findings)
+    print_findings(sum_new_findings)
+    print
+    print"=============================================="
+
+    if sum_new_findings[4] > max_critical:
+        print "Build Failed: Max Critical"
+    elif sum_new_findings[3] > max_high:
+        print "Build Failed: Max High"
+    elif sum_new_findings[2] > max_medium:
+        print "Build Failed: Max Medium"
+    else:
+        print "Build Passed!"
+    print"=============================================="
+
+class Main:
+    if __name__ == "__main__":
+        parser = argparse.ArgumentParser(description='CI/CD integration for DefectDojo')
+        parser.add_argument('--user', help="Dojo Product ID", required=True)
+        parser.add_argument('--product', help="Dojo Product ID", required=True)
+        parser.add_argument('--file', help="Scanner file", required=True)
+        parser.add_argument('--scanner', help="Type of scanner", required=True)
+        parser.add_argument('--engagement', help="Engagement ID (optional)", required=False)
+        parser.add_argument('--critical', default=0, help="Maximum new critical vulns to pass the build.", required=False)
+        parser.add_argument('--high', default=0, help="Maximum new high vulns to pass the build.", required=False)
+        parser.add_argument('--medium', default=0, help="Maximum new medium vulns to pass the build.", required=False)
+
+        #Parse out arguments
+        args = vars(parser.parse_args())
+        user_id = args["user"]
+        product_id = args["product"]
+        file = args["file"]
+        scanner = args["scanner"]
+        engagement_id = args["engagement"]
+        max_critical = args["critical"]
+        max_high = args["high"]
+        max_medium = args["medium"]
+
+        create_findings(product_id, user_id, file, scanner, engagement_id, max_critical, max_high, max_medium)
diff --git a/examples/dojo_populate.py b/examples/dojo_populate.py
@@ -1,12 +1,15 @@
+"""
+Example written by Aaron Weaver <aaron.weaver@owasp.org>
+as part of the OWASP DefectDojo and OWASP AppSec Pipeline Security projects
+
+Description: Imports test data into DefectDojo and creates products,
+engagements and tests along with findings.
+"""
 from defectdojo_api import defectdojo
 from random import randint
 import os
 from datetime import datetime, timedelta
 
-"""
-Imports test data into Defect DefectDojo
-"""
-
 # Setup DefectDojo connection information
 host = 'http://localhost:8000'
 api_key = os.environ['DOJO_API_KEY']
@@ -66,8 +69,9 @@ def create_load_data(product_name, product_desc, file=None, file_test_type=None)
         if file is not None:
             print "Loading scanner results from scanner export"
             dir_path = os.path.dirname(os.path.realpath(__file__))
-            upload_scan = dd.upload_scan(engagement_id, "Burp Scan", dir_path + file,
-            "true", "01/11/2016", "API")
+            date = datetime.now()
+            upload_scan = dd.upload_scan(engagement_id, file_test_type, dir_path + file,
+            "true", date.strftime("%Y/%m/%d"), "API")
 
         i = 0
         while i < 6:
@@ -89,7 +93,7 @@ def create_load_data(product_name, product_desc, file=None, file_test_type=None)
         print product.message
 
 ##### Create Products, Engagements and Tests ########
-create_load_data("BodgeIt", "Product description.", "../tests/scans/Bodgeit-burp.xml", "Burp Scan")
+create_load_data("BodgeIt", "Product description.", "/tests/scans/Bodgeit-burp.xml", "Burp Scan")
 create_load_data("A CRM App", "Product description.")
 create_load_data("An Engineering Application", "Product description.")
 create_load_data("A Marketing Site", "Product description.")
diff --git a/examples/dojo_product.py b/examples/dojo_product.py
@@ -1,3 +1,9 @@
+"""
+Example written by Aaron Weaver <aaron.weaver@owasp.org>
+as part of the OWASP DefectDojo and OWASP AppSec Pipeline Security projects
+
+Description: Creates a product in DefectDojo and returns information about the newly created product
+"""
 from defectdojo_api import defectdojo
 
 import os
diff --git a/tests/defectdojo_api_unit_test.py b/tests/defectdojo_api_unit_test.py
