Commit 34891f81 authored by Boris Barnier's avatar Boris Barnier Committed by Cédric OLIVIER

fix: Add TestSSL Scan

needs TestSSL template version >=3.1.2
parent f28ec678
+23 −21
@@ -64,7 +64,7 @@ It is bound to the `.post` stage, and uses the following variables:
Depending on the security tools you launch, and their configuration, you may have to redefine some of the following variables in your `gitlab-ci.yml`:

| Name                                     | description                                                                                                                            | default value                             |
| ------------------------------ | ---------------------------------------- | ----------------------------------------- |
|------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------| ----------------------------------------- |
| `DEFECTDOJO_BANDIT_REPORTS`              | path to Bandit JSON reports                                                                                                            | `**/bandit*.json reports/py-bandit.bandit.json`                        |
| `DEFECTDOJO_DC_GRADLE_REPORTS`           | path to Dependency Check XML reports (Gradle template)                                                                                 | `**/dependency-check*.xml` |
| `DEFECTDOJO_DC_REPORTS`                  | path to Dependency Check XML reports (Maven template)                                                                                  | `**/dependency-check*.xml`        |
@@ -73,6 +73,7 @@ Depending on the security tools you launch, and their configuration, you may hav
| `DEFECTDOJO_MOBSF_REPORTS`               | path to MobSF JSON reports                                                                                                             | `**/mobsf*.json`                        |
| `DEFECTDOJO_NODEJSSCAN_REPORTS`          | path to NodeJSScan SARIF reports                                                                                                       | `**/nodejsscan-report-sarif.json`                        |
| `DEFECTDOJO_NPMAUDIT_REPORTS`            | path to NPM Audit JSON reports                                                                                                         | `**/npm-audit*.json`                        |
| `DEFECTDOJO_TESTSSL_REPORTS`             | path to TestSSL CSV reports                                                                                                            | `reports/testssl.native.csv`                        |
| `DEFECTDOJO_TRIVY_REPORTS`               | path to Trivy JSON reports                                                                                                             | `trivy/*.json **/trivy-*.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json`             |
| `DEFECTDOJO_SONARQUBE_APPLICATION`       | your application name in Sonar                                                                                                         | ex: project-name                         |
| `DEFECTDOJO_SONARQUBE_PROJECT_KEY`       | your project key in Sonar (be careful, the project key might be distinct from project-dir-project-name, sometimes Sonar adds a suffix) | ex: project-dir-project-name or        project-dir-project-name__AXjLJ76cpGZrj3BUYg10                 |
@@ -107,6 +108,7 @@ For now, the current template allows to import reports from the following tools:
- NodeJSScan
- NPM Audit
- SonarQube 
- TestSSL
- Trivy

## SonarQube specific case
+6 −0
@@ -84,6 +84,12 @@
      "default": "**/npm-audit*.json",
      "advanced": true
    },
    {
      "name": "DEFECTDOJO_TESTSSL_REPORTS",
      "description": "Path to TestSSL reports",
      "default": "reports/testssl.native.csv",
      "advanced": true
    },
    {
      "name": "DEFECTDOJO_TRIVY_REPORTS",
      "description": "Path to Trivy reports",
+23 −0
@@ -20,6 +20,7 @@ variables:
  DEFECTDOJO_TRIVY_REPORTS: "trivy/*.json trivy-*.json reports/docker-trivy-*.native.json reports/py-trivy.trivy.json"
  DEFECTDOJO_HADOLINT_REPORTS: "hadolint-json-*.json reports/docker-hadolint-*.native.json"
  DEFECTDOJO_MOBSF_REPORTS: "mobsf*.json"
  DEFECTDOJO_TESTSSL_REPORTS: "reports/testssl.native.csv"
  DEFECTDOJO_SONARQUBE_SINCELEAKPERIOD: "false"
  DEFECTDOJO_SONARQUBE_NOSECURITYHOTSPOT: "true"
  DEFECTDOJO_SONARQUBE_ALLBUGS: "false"
@@ -247,6 +248,18 @@ variables:
      fi
    done

    # TestSSL
    # template: testssl
    testssl_nb_reports=0
    for file in ${DEFECTDOJO_TESTSSL_REPORTS}
    do
      if [[ $(expr "$file" : '.*\*.*') == 0 ]] && [[ -f "$file" ]]; then
        log_info "testssl report found: $file"
        testssl_nb_reports=$((testssl_nb_reports + 1))
        nb_reports=$((nb_reports + 1))
      fi
    done

    # NodeJSScan
    # template: node
    nodejsscan_nb_reports=0
@@ -368,6 +381,16 @@ variables:
          fi
        done
      fi
      if [ "$testssl_nb_reports" -gt 0 ]; then
        testssl_tpl_version=$(get_tpl_version_in_use "to-be-continuous/testssl")
        log_info "TestSSL template version: $testssl_tpl_version"
        for file in ${DEFECTDOJO_TESTSSL_REPORTS}
        do
          if [[ $(expr "$file" : '.*\*.*') == 0 ]] && [[ -f "$file" ]]; then
            import_scan "$file" "Testssl Scan" "$engagement_id" "to-be-continuous/testssl ${testssl_tpl_version}"
          fi
        done
      fi
      if [ "$nodejsscan_nb_reports" -gt 0 ]; then
        node_tpl_version=$(get_tpl_version_in_use "to-be-continuous/node")
        log_info "Node template version: $node_tpl_version"
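Review bot: The "needs TestSSL template version >=3.1.2" requirement from the commit message is not recorded anywhere in the new code: the `if [ "$testssl_nb_reports" -gt 0 ]` branch only logs `testssl_tpl_version` and forwards it to `import_scan`, so a pipeline running an older testssl template gets no hint why its reports are missing or rejected. I would add a comment above the version lookup, e.g. `# requires to-be-continuous/testssl >= 3.1.2 (presumably the first version emitting reports/testssl.native.csv — confirm)`, and the same comment on the detection loop in the earlier `# TestSSL` hunk. If `get_tpl_version_in_use` returns a comparable version string, logging a warning when it is below 3.1.2 would be the stronger fix, but its contract is not visible in this hunk. A short `# unquoted on purpose: space-separated glob list` next to `for file in ${DEFECTDOJO_TESTSSL_REPORTS}` would also stop the next reader from "fixing" the quoting, since the `expr "$file" : '.*\*.*'` check relies on the unmatched-glob case. The enclosing script block starts before this hunk.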