Hello, I'm just wanting to verify, and perhaps further understand why, defectdojo will only import "host-based" reports from qualys VMDR (not WAP) and not "scan-based" reports. Scan-based reports seem to be what is wanted for application/container specific scans. Host-based will include everything on the host, such as versions of mongoDB installed, kernels...etc. It will also grab all the scans that the host has performed... which is great if you want to cover an entire host or even groups of hosts, but doesn't seem to fit with what I'm trying to achieve. Host-based have a different XML structure than scan-based, and looking at the two, it is evident that only host-based is accounted for in the source code. Am I using qualys incorrectly, should it all be host-based scans? Or is this simply functionality that hasn't been built yet? Thanks
Good question. There's a couple of things to point out: Being an open source project, we rely pretty heavily on the community to contribute example scanner files to write parsers (or new versions of an existing one) - especially for commercial software. When generating a sample file also comes with a licensing cost, there's an extra burden to make support happen. One way to greatly increase the chance that a parser is included in DefectDojo is to add one to the sample scan files via a PR. We use those files to write new parsers and test the functionality of existing parsers. If you are worried about 'interesting' or internal data being in a submitted scan, you can either anonymize them or scan something like OWASP Juice Shop that is open source and known to be vulnerable. About Qualys in particular: it has been a more challenging vendor because they offer reporting at various places within their UI and, over the 9+ years that DefectDojo has been around, they have had multiple format changes that break existing parsers. This isn't to knock Qualys - vendors are free to make whatever changes are needed - but others like BurpSuite and Zap haven't changed their output format in quite some time. Nessus has made one output format change since I first used their software in ~2005. Finally, if you do submit a PR for the sample files repo, you get major bonus points if you also describe how you generated that output. A good example of that is the submission for fortify. HTH
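The reply above suggests anonymizing a scanner report before contributing it as a sample file. The following is an added example (not DefectDojo's code and not the Qualys parser) of one way to do that: walk every text node and attribute of an XML report and replace internal IPs and hostnames with consistent placeholders from the documentation ranges (192.0.2.0/24 and example.com), so that the relationships between hosts in the report survive while the real identifiers do not. The XML below is constructed for illustration and its element names are not the Qualys host-based or scan-based schema; the internal domain suffix passed to the function is an assumption for the sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample report. The element names are made up for illustration
# and are NOT the Qualys VMDR host-based or scan-based report schema.
SAMPLE_REPORT = """<REPORT>
  <HOST>
    <IP>10.20.30.40</IP>
    <DNS>db01.corp.example.internal</DNS>
    <VULN qid="12345">
      <TITLE>Outdated database version</TITLE>
      <RESULT>Detected on db01.corp.example.internal (10.20.30.40), see also 10.20.30.41</RESULT>
    </VULN>
  </HOST>
  <HOST>
    <IP>10.20.30.41</IP>
    <DNS>app01.corp.example.internal</DNS>
  </HOST>
</REPORT>
"""

# Dotted-quad IPv4 literals anywhere in free text.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def make_hostname_re(internal_domains):
    """Match any FQDN that ends in one of the caller's internal domain suffixes."""
    alts = "|".join(re.escape(d) for d in internal_domains)
    return re.compile(r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\.(?:%s)\b" % alts, re.I)


def anonymize_report(xml_text, internal_domains):
    """Return (anonymized_xml, ip_map, host_map).

    Each distinct real IP is mapped to the next address in 192.0.2.0/24 and each
    distinct internal hostname to hostN.example.com, so a host that appears in
    several places keeps the same placeholder everywhere in the report.
    """
    ip_map, host_map = {}, {}
    host_re = make_hostname_re(internal_domains)

    def sub_ip(match):
        # setdefault keeps the first placeholder assigned to a given real IP.
        return ip_map.setdefault(match.group(0), "192.0.2.%d" % (len(ip_map) + 1))

    def sub_host(match):
        key = match.group(0).lower()
        return host_map.setdefault(key, "host%d.example.com" % (len(host_map) + 1))

    def scrub(value):
        if not value:
            return value
        # Hostnames first so that their placeholders are never re-scanned as IPs.
        value = host_re.sub(sub_host, value)
        return IPV4_RE.sub(sub_ip, value)

    root = ET.fromstring(xml_text)
    for element in root.iter():
        element.text = scrub(element.text)
        element.tail = scrub(element.tail)
        for name in list(element.attrib):
            element.attrib[name] = scrub(element.attrib[name])
    return ET.tostring(root, encoding="unicode"), ip_map, host_map


if __name__ == "__main__":
    cleaned, ips, hosts = anonymize_report(SAMPLE_REPORT, ("corp.example.internal",))
    print(cleaned)
    print("IP mapping:", ips)
    print("host mapping:", hosts)
```

Keep the two mapping dictionaries out of the PR; they are the only link back to the real environment. The regexes deliberately scan free-text fields such as the RESULT element, because scanner evidence strings routinely repeat the host identifiers that the structured fields carry.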