如何將 minIO（例如 Nmap、Nikto、Sslyze、Zap）的掃描輸出上傳到 OWASP DefectDojo

Question

我在將 minIO securecodebox 輸出結果上傳到 OWASP DefectDojo 時遇到問題。

錯誤截圖https://drive.google.com/file/d/1PqVOazjr7r_1oMPf6SQsh8_iPFgnqkjC/view?usp=sharing

我嘗試按照這些步驟操作 https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/KUBE.NETES.md然后https://docs.securecodebox.io/docs/hooks/defectdojo/

這是掃描儀的鏈接https://github.com/secureCodeBox/secureCodeBox/tree/main/scanners

錯誤：

2022-03-07 07:23:54 信息 DefectDojoPersistenceProvider:35 - 下載掃描結果提供程序 2022-03-07 07:23:56 信息 DefectDojoPersistenceProvider:39 - 將結果上傳到 DefectDojo，地址： http://defectdojo.default.minikube .local:8080/ tDojo at: http://defectdojo.default.minikube.local:8080/線程“main”中的異常 org.springframework.web.client.ResourceAccessException：GET 請求“http:/ /defectdojo.default.minikube.locarror 對“http://defectdojo.default.minikube.local:8080/api/v2/users/”的 GET 請求：defectdojo.default.minikube.local；嵌套異常是 java.net。 UnknownHostException: defectdojo.default.minikube.local 在 org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:785) 在 org.springframework.web.client.RestTemplate.execute(RestTemplate.88213284867988:785) .java:151) 在 org.springframework.web.client.RestTemplate.e xchange(RestTemplate.java:621) ch(GenericDefectDojoService.java:167) at io.securecodebox.persistence.defectdojo.service.GenericDefectDojoService.intechUnique(GenericDefectDojoService.java:187)rnalSearch(GenericDefectDojoService.java:151) ionedEngagementsStrategy.java:82 ) at io.securecodebox.persistence.defectdojo.service.GenericDefectDojoService.search(GenericDefectDojoService.java:167) at io.securecodebox.persistence.defectdojo.service.GenericDefectDojoService.searchUnique(GenericDefectDojoService.java:187) at io.securecodebox.persistence. strategies.VersionedEngagementsStrategy.run(VersionedEngagementsStrategy.java:82) at io.securecodebox.persistence.DefectDojoPersistenceProvider.main(DefectDojoPersistenceProvider.java:42) Caused by: java.net.UnknownHostException: defectdojo.default.minikube.local at java.base/ java.net.AbstractPlain SocketImpl.connect(AbstractPlainSocketImpl.java:229) at java.base/java.net.Socket.connect(Socket.java:609) at java.base/java.net.Socket.connect(Socket.java:558) at java .base/sun.net.NetworkClient.doConnect(NetworkClient.java:182) 在 java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:474) 在 88924.net/sun/8888 .http.HttpClient.openServer(HttpClient.java:569) at java.base/sun.net.www.http.HttpClient.(HttpClient.java:242) at java.base/sun.net.www.http.HttpClient. New(HttpClient.java:341) at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:362) at java.base/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient( HttpURLConnection.java:1253) 在 java.base/sun.net.www.protocol.http.HttpURLConnection .plainConnect0(HttpURLConnection.java:1187) at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1081) at java.base/sun.net.www.protocol.http.HttpURLConnection .connect(HttpURLConnection.java:1015) at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:76) at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) at org. springframework.http.client.AbstractClientHttpRequest.execute（AbstractClientHttpRequest.java:66）在org.springframework.web.client.RestTemplate.doExecute（RestTemplate.java8:66）...88:77

感謝您的回復！

Answer 1

有一個專用的 DefectDojo Hook 可以為您完成。 您只需要安裝在具有一些基本配置的集群上。

安裝 DefectDojo persistenceProvider 掛鈎會將 ReadAndWrite 掛鈎添加到您的命名空間。

kubectl create secret generic defectdojo-credentials --from-literal="username=admin" --from-literal="apikey=08b7..."

helm 升級 --install dd secureCodeBox/persistence-defectdojo
--set="defectdojo.url=https://defectdojo-django.default.svc"

該掛鈎會自動將掃描結果導入到 DefectDojo 中。 如果參與不存在，掛鈎將創建參與（CI/CD 參與）和它所需的所有對象（產品和產品類型）。 然后，該掛鈎將從 DefectDojo 中提取導入的信息，並使用它們替換 secureCodeBox 中的發現。

更多https://docs.securecodebox.io/docs/hooks/defectdojo