DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
It is easy to install and start using:
$ git clone https://github.com/DefectDojo/django-DefectDojo
$ cd django-DefectDojo
$ ./setup.bash
$ ./run_dojo.bash
Detailed documentation is available on Read the Docs.
One of the most powerful features is the complete Swagger-documented API. In previous releases the API was built with Tastypie and was available in each DefectDojo installation at /api/v1/doc/
The current API (v2) is built with Django REST framework and documented with Swagger, available in each DefectDojo installation at /api/v2/doc/
Using the API token issued to each DefectDojo user, the whole vulnerability management tool can be driven from scripts. The following examples can be used as a starting point for your own integration: they show how to list all the products in an installation and how to upload reports from any of the scanners integrated in DefectDojo.
Examples
The following function sends the request as an HTTP GET or an HTTP POST, depending on the operation to be executed:
import json
import logging

import requests


def fetch_data(DefectDojoURL, headersapi, dataApi, upload, verify=True):
    # Uploads are multipart (files=), other POSTs send form fields (data=), anything else is a GET.
    # TLS verification stays on; pass the path of a CA bundle in 'verify' for a self-signed installation.
    if upload:
        r = requests.post(DefectDojoURL, headers=headersapi, files=dataApi, verify=verify)
    elif dataApi:
        r = requests.post(DefectDojoURL, headers=headersapi, data=dataApi, verify=verify)
    else:
        r = requests.get(DefectDojoURL, headers=headersapi, verify=verify)
    if r.status_code not in (200, 201):
        logging.error('Error in operation: HTTP %d %s', r.status_code, r.text[:200])
        return False
    results = json.loads(r.text)
    if results:
        # List endpoints are paginated: only the first page's 'results' is returned here.
        # Detail and create responses are plain objects and are returned as they are.
        try:
            return results['results']
        except KeyError:
            return results
    logging.error('Error in operation: empty response')
    return None
The next function is an example that retrieves all the products in our DefectDojo:
from tabulate import tabulate
from termcolor import colored


def GetProducts(DefectDojoURL, apiKey):
    url = DefectDojoURL + "/api/v2/products/"
    dataApi = None
    # apiKey is the full header value expected by the v2 API, i.e. 'Token <key>'
    headers = {'Authorization': apiKey}
    data = []
    n = 0
    jsondata = fetch_data(url, headers, dataApi, False)
    if jsondata:
        for results in jsondata:
            n += 1
            # the product id is the last path segment of its resource URL
            product_url = results['url'].split("/")
            id_product = product_url[len(product_url) - 2]
            data.append([n, id_product, results['name'], results['url'], results['findings_count'], results['prod_type'], results['description'], results['platform'], results['lifecycle'], results['origin']])
        print(colored(tabulate(data, tablefmt="fancy_grid", headers=["#", "ID Product", "Name", "URL", "Findings", "Product Type", "Description", "Platform", "Lifecycle", "Origin"]), 'green'))
The next function is an example that uploads scan reports from the tools integrated in DefectDojo:
def UploadScan(DefectDojoURL, apiKey, engagementID, PathFile, scan_type, scan_date):
    url = DefectDojoURL + "/api/v2/import-scan/"
    headers = {'Authorization': apiKey}
    data = []
    n = 0
    engagement_id = '/api/v2/engagements/' + engagementID + '/'
    active = 'true'
    tags = 'test'
    build = 'test'
    minimum_severity = 'Info'
    lead = 'http://X.X.X.X:8888/api/v2/users/1/?id=1'  # URL of the lead user in your own installation
    # multipart fields use the (filename, value) tuple form; '' means the field carries no file name
    with open(PathFile, 'rb') as report:
        dataV2 = {
            'engagement': ('', engagement_id),
            'verified': ('', active),
            'lead': ('', lead),
            'tags': ('', tags),
            'scan_date': ('', scan_date),
            'scan_type': ('', scan_type),
            'minimum_severity': ('', minimum_severity),
            'file': report,
            'active': ('', active)
        }
        jsondata = fetch_data(url, headers, dataV2, True)
    if jsondata:
        n += 1
        data.append([n, jsondata['active'], jsondata['engagement'], jsondata['lead'], jsondata['minimum_severity'], jsondata['scan_date'], jsondata['scan_type'], jsondata['verified']])
        print(colored(tabulate(data, tablefmt="fancy_grid", headers=["#", "Active", "Engagement", "Lead", "Minimum severity", "Scan Date", "Scan Type", "Verified"]), 'green'))
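Going one step beyond the functions above, here is an added example (my own code, not from the original post or from the DefectDojo project) of a small v2 client that does what a production integration needs: it sends the token in the "Token <key>" form the v2 API expects, keeps TLS verification on, follows the next link of paginated list responses instead of returning only the first page, and sends import-scan as multipart with the file in files= and the fields in data=. The hostname, token, product names and the CSV report are constructed; FakeSession stands in for requests.Session so the script runs offline, and the client assumes the import-scan endpoint takes the engagement as a numeric id, which is the form current releases use.

```python
import json
import os
import tempfile
from typing import Any, Dict, Iterator, List, Optional


class DojoClient:
    """Small DefectDojo v2 client: token header, TLS verification on, pagination followed."""

    def __init__(self, base_url: str, api_key: str, session=None, verify=True, timeout: float = 30):
        if session is None:
            import requests  # only needed against a real installation; FakeSession needs no network
            session = requests.Session()
        self.base_url = base_url.rstrip("/")
        self.session = session
        # DRF token authentication: the header value is "Token <key>", not the bare key.
        self.session.headers["Authorization"] = "Token " + api_key
        self.verify = verify      # True, or the path of a CA bundle for a self-signed install
        self.timeout = timeout

    @staticmethod
    def _check(r) -> Dict[str, Any]:
        # Surface the status code and the start of the body instead of silently returning False.
        if r.status_code not in (200, 201):
            raise RuntimeError("%s -> HTTP %d: %s" % (r.url, r.status_code, r.text[:200]))
        return r.json()

    def iter_results(self, path: str) -> Iterator[Dict[str, Any]]:
        """Yield every item of a list endpoint by following the 'next' link until it is null."""
        url: Optional[str] = self.base_url + path
        while url:
            page = self._check(self.session.get(url, verify=self.verify, timeout=self.timeout))
            for item in page.get("results", []):
                yield item
            url = page.get("next")  # 'next' already carries limit/offset; None on the last page

    def list_products(self) -> List[Dict[str, Any]]:
        return list(self.iter_results("/api/v2/products/"))

    def import_scan(self, engagement: int, path: str, scan_type: str, scan_date: str,
                    minimum_severity: str = "Info", active: bool = True,
                    verified: bool = False) -> Dict[str, Any]:
        """POST a report as multipart/form-data: form fields in data=, the file in files=."""
        fields = {"engagement": engagement, "scan_type": scan_type, "scan_date": scan_date,
                  "minimum_severity": minimum_severity,
                  "active": "true" if active else "false",
                  "verified": "true" if verified else "false"}
        with open(path, "rb") as report:
            r = self.session.post(self.base_url + "/api/v2/import-scan/", data=fields,
                                  files={"file": (os.path.basename(path), report)},
                                  verify=self.verify, timeout=self.timeout)
        return self._check(r)


class _FakeResponse:
    def __init__(self, url, status_code, body):
        self.url, self.status_code, self._body = url, status_code, body
        self.text = json.dumps(body)

    def json(self):
        return self._body


class FakeSession:
    """Constructed stand-in for requests.Session: serves a two-page product listing
    (constructed data) and echoes import-scan fields back, rejecting a wrong token."""
    BASE = "https://dojo.example.test"
    PAGES = {
        BASE + "/api/v2/products/": {
            "count": 3, "next": BASE + "/api/v2/products/?limit=2&offset=2",
            "results": [{"id": 1, "name": "Web App"}, {"id": 2, "name": "Mobile App"}]},
        BASE + "/api/v2/products/?limit=2&offset=2": {
            "count": 3, "next": None, "results": [{"id": 3, "name": "API Gateway"}]},
    }

    def __init__(self):
        self.headers = {}

    def get(self, url, **kwargs):
        body = self.PAGES.get(url)
        return _FakeResponse(url, 200 if body else 404, body or {"detail": "Not found."})

    def post(self, url, data=None, files=None, **kwargs):
        if self.headers.get("Authorization") != "Token secret":
            return _FakeResponse(url, 401, {"detail": "Invalid token."})
        return _FakeResponse(url, 201, dict(data, id=42, file_name=files["file"][0]))


def demo(api_key: str = "secret"):
    """List all products across pages, then import a constructed one-finding CSV report."""
    client = DojoClient(FakeSession.BASE, api_key, session=FakeSession())
    products = client.list_products()
    with tempfile.NamedTemporaryFile("w", suffix=".csv", delete=False) as tmp:
        tmp.write("Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified\n")
        tmp.write("2024-01-15,Constructed finding,79,https://app.example.test/,Medium,XSS,Encode output,,,TRUE,FALSE\n")
    try:
        imported = client.import_scan(7, tmp.name, "Generic Findings Import", "2024-01-15")
    finally:
        os.remove(tmp.name)
    return products, imported


if __name__ == "__main__":
    prods, imp = demo()
    print([p["name"] for p in prods], imp["id"])
```

Against a real installation, construct the client without the session argument (DojoClient("https://dojo.example.org", api_key)) and the same list_products and import_scan calls go over a requests.Session with certificate verification; a wrong or expired token then surfaces as a RuntimeError carrying the 401 body instead of a silent False.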