├── .github └── workflows │ ├── release-update-version-numbers.yml │ └── sphinx-validate.yml ├── .gitignore ├── .travis.yml ├── doc └── img │ ├── 10Security-logo.png │ ├── Twitter_Logo.png │ ├── WHP.png │ ├── XING_logo.png │ ├── admin.png │ ├── cash_reward.png │ ├── cloudbees-logo.png │ ├── dojo_tshirt_back.png │ ├── dojo_tshirt_front.png │ ├── gc_logo_2018.png │ ├── getting_started_1.png │ ├── getting_started_10.png │ ├── getting_started_11.png │ ├── getting_started_12.png │ ├── getting_started_13.png │ ├── getting_started_14.png │ ├── getting_started_15.png │ ├── getting_started_16.png │ ├── getting_started_17.png │ ├── getting_started_18.png │ ├── getting_started_19.png │ ├── getting_started_2.png │ ├── getting_started_20.png │ ├── getting_started_21.png │ ├── getting_started_22.png │ ├── getting_started_3.png │ ├── getting_started_4.png │ ├── getting_started_5.png │ ├── getting_started_6.png │ ├── getting_started_7.png │ ├── getting_started_8.png │ ├── getting_started_9.png │ ├── isaac.png │ ├── owner.png │ ├── screenshot1.png │ ├── sda-se-logo.png │ ├── signal-iduna.png │ ├── slack_rgb.png │ ├── swag_reward.png │ ├── timo-pagel-logo.png │ └── wso2-logo-for-screen.png ├── docs ├── .DS_Store ├── Makefile ├── README.md ├── _static │ ├── DD-Hierarchy.png │ ├── admin-creds.png │ ├── api_1.png │ ├── api_2.png │ ├── api_3.png │ ├── api_v2_1.png │ ├── api_v2_2.png │ ├── api_v2_3.png │ ├── bug-2x.png │ ├── burp_plugin_usage.gif │ ├── dashboard.png │ ├── deduplication.png │ ├── end_1.png │ ├── end_2.png │ ├── end_3.png │ ├── eng_1.png │ ├── eng_2.png │ ├── engagement_risk_acceptance.png │ ├── find_1.png │ ├── find_2.png │ ├── find_3.png │ ├── find_4.png │ ├── find_5.png │ ├── find_6.png │ ├── finding_accepted.png │ ├── getting_started_1.png │ ├── getting_started_10.png │ ├── getting_started_11.png │ ├── getting_started_12.png │ ├── getting_started_13.png │ ├── getting_started_14.png │ ├── getting_started_15.png │ ├── getting_started_16.png │ ├── getting_started_17.png │ 
├── getting_started_18.png │ ├── getting_started_19.png │ ├── getting_started_2.png │ ├── getting_started_20.png │ ├── getting_started_21.png │ ├── getting_started_22.png │ ├── getting_started_3.png │ ├── getting_started_4.png │ ├── getting_started_5.png │ ├── getting_started_6.png │ ├── getting_started_7.png │ ├── getting_started_8.png │ ├── getting_started_9.png │ ├── google_1.png │ ├── google_2.png │ ├── google_3.png │ ├── google_4.png │ ├── google_5.png │ ├── google_sheets_sync_1.png │ ├── google_sheets_sync_2.png │ ├── google_sheets_sync_3.png │ ├── google_sheets_sync_4.png │ ├── graph-2x.png │ ├── imp_1.png │ ├── imp_2.png │ ├── key-2x.png │ ├── met_1.png │ ├── met_2.png │ ├── met_3.png │ ├── met_4.png │ ├── met_5.png │ ├── notifications_1.png │ ├── okta_1.png │ ├── okta_2.png │ ├── okta_3.png │ ├── okta_4.png │ ├── okta_5.png │ ├── okta_6.png │ ├── okta_7.png │ ├── owasp_asvs.png │ ├── owasp_asvs_level.png │ ├── owasp_asvs_menu.png │ ├── owasp_asvs_score.png │ ├── prod-owner-creds.png │ ├── product_1.png │ ├── product_2.png │ ├── product_3.png │ ├── report_1.png │ ├── report_2.png │ ├── risk_exception.png │ ├── scan_1.png │ ├── scan_2.png │ ├── scan_3.png │ ├── select_engagement.png │ ├── similar_finding_1.png │ ├── similar_finding_2.png │ ├── sla_global_settings.png │ ├── sla_notification_product_checkboxes.png │ ├── slack_scopes.png │ └── slack_tokens.png ├── about.rst ├── api-docs.rst ├── api-v2-docs.rst ├── burp-plugin.rst ├── conf.py ├── features.rst ├── getting-started.rst ├── how-to-write-a-parser.rst ├── index.rst ├── integrations.rst ├── models.rst ├── requirements.txt ├── running-in-production.rst ├── settings-docs.rst ├── social-authentication.rst ├── start-using.rst ├── upgrading.rst └── workflows.rst └── sample_deployments └── nginx ├── env └── bin │ ├── celery-startup │ └── dojo-startup ├── nginx.conf └── superverisord.conf /.github/workflows/release-update-version-numbers.yml: 
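--------------------------------------------------------------------------------
name: "Release: 1. Update version numbers"

env:
  GIT_USERNAME: "DefectDojo release bot"
  GIT_EMAIL: "dojo-release-bot@users.noreply.github.com"

on:
  workflow_dispatch:
    inputs:
      release_number:
        description: "Release version (x.y.z format)"
        required: true

# The job only needs to commit and push to this repository, so the GITHUB_TOKEN
# is scoped to that instead of inheriting the default permission set.
permissions:
  contents: write

jobs:
  update_version_numbers:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout master
        # NOTE(review): actions referenced by a mutable tag (v2, v4.7.2, master)
        # can change underneath this workflow; pinning to a full commit SHA makes
        # the executed code reproducible.
        uses: actions/checkout@v2
        with:
          ref: master
      - name: Configure git
        run: |
          git config --global user.name "${{ env.GIT_USERNAME }}"
          git config --global user.email "${{ env.GIT_EMAIL }}"
      - name: Validate release number
        # The dispatch input is free text. Expanding ${{ github.event.inputs.* }}
        # directly inside a `run:` script hands that text to the shell unquoted, so
        # it is passed through an environment variable instead and checked against
        # the documented x.y.z format before it is spliced into the sed expressions
        # below (a stray `/` or regex metacharacter would otherwise corrupt them).
        env:
          RELEASE_NUMBER: ${{ github.event.inputs.release_number }}
        run: |
          if ! [[ "$RELEASE_NUMBER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "release_number must be in x.y.z format, got: '$RELEASE_NUMBER'" >&2
            exit 1
          fi
      - name: Update version numbers in key files
        env:
          RELEASE_NUMBER: ${{ github.event.inputs.release_number }}
        run: |
          sed -ri "s/release = '.*'/release = '${RELEASE_NUMBER}'/" docs/conf.py
          sed -ri "s/version = '.*'/version = '${RELEASE_NUMBER}'/" docs/conf.py
          # `version` is the short x.y form: strip the trailing .z component again.
          sed -ri "s/version = '(.*)(\.[0-9]*)'/version = '\1'/" docs/conf.py
      - name: Check numbers
        run: |
          grep "version = " docs/conf.py
          grep "release = " docs/conf.py
      - name: Push version changes
        uses: stefanzweifel/git-auto-commit-action@v4.7.2
        with:
          commit_user_name: "${{ env.GIT_USERNAME }}"
          commit_user_email: "${{ env.GIT_EMAIL }}"
          commit_author: "${{ env.GIT_USERNAME }} <${{ env.GIT_EMAIL }}>"
          commit_message: "Update versions in application files"
          # NOTE(review): NEW_BRANCH is not defined in this workflow's `env`, so this
          # expands to an empty string; confirm which branch the commit is meant to
          # land on and set it explicitly.
          branch: ${{ env.NEW_BRANCH }}
      - name: Push master
        # NOTE(review): `from_branch` is not a declared input of this workflow, so the
        # expression is always empty and this step always runs; either declare the
        # input or drop the condition.
        if: "!startsWith('${{ github.event.inputs.from_branch }}', 'release/')"
        run: git push origin master
--------------------------------------------------------------------------------
/.github/workflows/sphinx-validate.yml:
--------------------------------------------------------------------------------
name: "Pull Request Docs Check"
on:
  pull_request_target:
  push:
    branches:
      - master

# `pull_request_target` runs with the base repository's GITHUB_TOKEN and secrets,
# while the sphinx build below executes docs/conf.py taken from the PR's merge ref.
# Keep the token read-only so that build cannot write to the repository; if nothing
# here actually needs base-repo privileges, the plain `pull_request` event is the
# safer trigger.
permissions:
  contents: read

jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        if: github.event_name == 'pull_request' || github.event_name == 'pull_request_target'
        uses: actions/checkout@v2
        # by default the pull_request_target event checks out the base branch, i.e. dev
        # so we need to explicitly checkout the head of the PR
        # we use fetch-depth 0 to make sure the full history is checked out and we can compare against
        # the base commit (branch) of the PR
        # more info https://github.community/t/github-actions-are-severely-limited-on-prs/18179/16
        # we checkout merge_commit here as this contains all new code from dev also. we don't need to compare against base_commit
        with:
          fetch-depth: 0
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
          # The docs build never pushes, so there is no reason to leave the token
          # in .git/config for the remaining steps.
          persist-credentials: false
          # repository: ${{github.event.pull_request.head.repo.full_name}}

      - name: Checkout
        # for non PR runs we just checkout the default, which is a sha on a branch probably
        if: github.event_name != 'pull_request' && github.event_name != 'pull_request_target'
        uses: actions/checkout@v2
        with:
          persist-credentials: false

      # NOTE(review): `@master` is a moving target for a third-party action; pin to
      # a release tag or, better, a full commit SHA.
      - uses: ammaraskar/sphinx-action@master
        with:
          docs-folder: "docs/"
          build-command: "sphinx-build -nWT -b dummy . _build/html"
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Sphinx documentation
docs/_build/

# Junk files
# NOTE(review): docs/.DS_Store is still tracked in this repository despite this
# rule (ignore patterns do not affect files already committed); it should be
# removed from the index.
.DS_Store
*~
.vscode/
venv
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
dist: xenial
language: python
python:
  - "3.7"

sudo: false
cache: pip

install:
  - pip install sphinx~=3.2.1
  - pip install sphinx-rtd-theme~=0.5.0

script: cd docs && sphinx-build -nWT -b dummy . _build/html

--------------------------------------------------------------------------------
/doc/img/10Security-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/10Security-logo.png
--------------------------------------------------------------------------------
/doc/img/Twitter_Logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/Twitter_Logo.png
--------------------------------------------------------------------------------
/doc/img/WHP.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/WHP.png
--------------------------------------------------------------------------------
/doc/img/XING_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/XING_logo.png
--------------------------------------------------------------------------------
/doc/img/admin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/admin.png
--------------------------------------------------------------------------------
/doc/img/cash_reward.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/cash_reward.png
--------------------------------------------------------------------------------
/doc/img/cloudbees-logo.png: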
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/cloudbees-logo.png -------------------------------------------------------------------------------- /doc/img/dojo_tshirt_back.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/dojo_tshirt_back.png -------------------------------------------------------------------------------- /doc/img/dojo_tshirt_front.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/dojo_tshirt_front.png -------------------------------------------------------------------------------- /doc/img/gc_logo_2018.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/gc_logo_2018.png -------------------------------------------------------------------------------- /doc/img/getting_started_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_1.png -------------------------------------------------------------------------------- /doc/img/getting_started_10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_10.png -------------------------------------------------------------------------------- /doc/img/getting_started_11.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_11.png -------------------------------------------------------------------------------- /doc/img/getting_started_12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_12.png -------------------------------------------------------------------------------- /doc/img/getting_started_13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_13.png -------------------------------------------------------------------------------- /doc/img/getting_started_14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_14.png -------------------------------------------------------------------------------- /doc/img/getting_started_15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_15.png -------------------------------------------------------------------------------- /doc/img/getting_started_16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_16.png -------------------------------------------------------------------------------- /doc/img/getting_started_17.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_17.png -------------------------------------------------------------------------------- /doc/img/getting_started_18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_18.png -------------------------------------------------------------------------------- /doc/img/getting_started_19.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_19.png -------------------------------------------------------------------------------- /doc/img/getting_started_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_2.png -------------------------------------------------------------------------------- /doc/img/getting_started_20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_20.png -------------------------------------------------------------------------------- /doc/img/getting_started_21.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_21.png -------------------------------------------------------------------------------- /doc/img/getting_started_22.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_22.png -------------------------------------------------------------------------------- /doc/img/getting_started_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_3.png -------------------------------------------------------------------------------- /doc/img/getting_started_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_4.png -------------------------------------------------------------------------------- /doc/img/getting_started_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_5.png -------------------------------------------------------------------------------- /doc/img/getting_started_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_6.png -------------------------------------------------------------------------------- /doc/img/getting_started_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_7.png -------------------------------------------------------------------------------- /doc/img/getting_started_8.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_8.png -------------------------------------------------------------------------------- /doc/img/getting_started_9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/getting_started_9.png -------------------------------------------------------------------------------- /doc/img/isaac.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/isaac.png -------------------------------------------------------------------------------- /doc/img/owner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/owner.png -------------------------------------------------------------------------------- /doc/img/screenshot1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/screenshot1.png -------------------------------------------------------------------------------- /doc/img/sda-se-logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/sda-se-logo.png -------------------------------------------------------------------------------- /doc/img/signal-iduna.png: -------------------------------------------------------------------------------- 
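https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/signal-iduna.png
--------------------------------------------------------------------------------
/doc/img/slack_rgb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/slack_rgb.png
--------------------------------------------------------------------------------
/doc/img/swag_reward.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/swag_reward.png
--------------------------------------------------------------------------------
/doc/img/timo-pagel-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/timo-pagel-logo.png
--------------------------------------------------------------------------------
/doc/img/wso2-logo-for-screen.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/doc/img/wso2-logo-for-screen.png
--------------------------------------------------------------------------------
/docs/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/.DS_Store
--------------------------------------------------------------------------------
/docs/Makefile:
--------------------------------------------------------------------------------
# Makefile for Sphinx documentation
#

# You can set these variables from the command line.
SPHINXOPTS    =
SPHINXBUILD   = sphinx-build
PAPER         =
BUILDDIR      = _build

# User-friendly check for sphinx-build
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
endif

# Internal variables.
PAPEROPT_a4     = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .

# Every target below is a command, not a file; listing all of them here keeps a
# stray file named e.g. "xml" or "info" from silently short-circuiting the recipe.
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp applehelp devhelp epub latex latexpdf latexpdfja text man texinfo info gettext changes linkcheck doctest coverage xml pseudoxml validate

help:
	@echo "Please use \`make <target>' where <target> is one of"
	@echo "  html       to make standalone HTML files"
	@echo "  dirhtml    to make HTML files named index.html in directories"
	@echo "  singlehtml to make a single large HTML file"
	@echo "  pickle     to make pickle files"
	@echo "  json       to make JSON files"
	@echo "  htmlhelp   to make HTML files and a HTML help project"
	@echo "  qthelp     to make HTML files and a qthelp project"
	@echo "  applehelp  to make an Apple Help Book"
	@echo "  devhelp    to make HTML files and a Devhelp project"
	@echo "  epub       to make an epub"
	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
	@echo "  latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
	@echo "  text       to make text files"
	@echo "  man        to make manual pages"
	@echo "  texinfo    to make Texinfo files"
	@echo "  info       to make Texinfo files and run them through makeinfo"
	@echo "  gettext    to make PO message catalogs"
	@echo "  changes    to make an overview of all changed/added/deprecated items"
	@echo "  xml        to make Docutils-native XML files"
	@echo "  pseudoxml  to make pseudoxml-XML files for display purposes"
	@echo "  linkcheck  to check all external links for integrity"
	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
	@echo "  coverage   to run coverage check of the documentation (if enabled)"
	@echo "  validate   to validate no warnings or missing references are present"

clean:
	rm -rf $(BUILDDIR)/*

html:
	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."

dirhtml:
	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."

singlehtml:
	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
	@echo
	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."

pickle:
	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
	@echo
	@echo "Build finished; now you can process the pickle files."

json:
	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
	@echo
	@echo "Build finished; now you can process the JSON files."

htmlhelp:
	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
	@echo
	@echo "Build finished; now you can run HTML Help Workshop with the" \
	      ".hhp project file in $(BUILDDIR)/htmlhelp."

qthelp:
	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
	@echo
	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/DefectDojo.qhcp"
	@echo "To view the help file:"
	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/DefectDojo.qhc"

applehelp:
	$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
	@echo
	@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
	@echo "N.B. You won't be able to view it unless you put it in" \
	      "~/Library/Documentation/Help or install it in your application" \
	      "bundle."

devhelp:
	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
	@echo
	@echo "Build finished."
	@echo "To view the help file:"
	@echo "# mkdir -p $$HOME/.local/share/devhelp/DefectDojo"
	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/DefectDojo"
	@echo "# devhelp"

epub:
	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
	@echo
	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."

latex:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo
	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
	@echo "Run \`make' in that directory to run these through (pdf)latex" \
	      "(use \`make latexpdf' here to do that automatically)."

latexpdf:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo "Running LaTeX files through pdflatex..."
	$(MAKE) -C $(BUILDDIR)/latex all-pdf
	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."

latexpdfja:
	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
	@echo "Running LaTeX files through platex and dvipdfmx..."
	$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."

text:
	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
	@echo
	@echo "Build finished. The text files are in $(BUILDDIR)/text."

man:
	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
	@echo
	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."

texinfo:
	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
	@echo
	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
	@echo "Run \`make' in that directory to run these through makeinfo" \
	      "(use \`make info' here to do that automatically)."

info:
	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
	@echo "Running Texinfo files through makeinfo..."
	# Use $(MAKE) (as latexpdf does) so the sub-make inherits flags and jobserver.
	$(MAKE) -C $(BUILDDIR)/texinfo info
	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."

gettext:
	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
	@echo
	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."

changes:
	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
	@echo
	@echo "The overview file is in $(BUILDDIR)/changes."

linkcheck:
	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
	@echo
	@echo "Link check complete; look for any errors in the above output " \
	      "or in $(BUILDDIR)/linkcheck/output.txt."

doctest:
	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
	@echo "Testing of doctests in the sources finished, look at the " \
	      "results in $(BUILDDIR)/doctest/output.txt."

coverage:
	$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
	@echo "Testing of coverage in the sources finished, look at the " \
	      "results in $(BUILDDIR)/coverage/python.txt."

xml:
	$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
	@echo
	@echo "Build finished. The XML files are in $(BUILDDIR)/xml."

pseudoxml:
	$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
	@echo
	@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."

# Same strict flags CI uses (-n nitpicky, -W warnings are errors, -T tracebacks),
# so a local "make validate" fails on exactly what the workflow would fail on.
validate:
	$(SPHINXBUILD) -b dummy -nWT $(ALLSPHINXOPTS) $(BUILDDIR)
	@echo
	@echo "Validation finished."

--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
:warning: **Docs are now integrated in the main repository**: [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/docs)

# DefectDojo
![](https://avatars0.githubusercontent.com/u/35606478?s=200&v=4)


This folder is solely used to generate our readthedocs page and is not intended to be human-readable.

For a detailed project description and further information, please have a look at our readable documentation [here](https://defectdojo.readthedocs.io/en/latest/)


--------------------------------------------------------------------------------
/docs/_static/DD-Hierarchy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/DD-Hierarchy.png
--------------------------------------------------------------------------------
/docs/_static/admin-creds.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/admin-creds.png
--------------------------------------------------------------------------------
/docs/_static/api_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/api_1.png
--------------------------------------------------------------------------------
/docs/_static/api_2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/api_2.png
--------------------------------------------------------------------------------
/docs/_static/api_3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/api_3.png
--------------------------------------------------------------------------------
/docs/_static/api_v2_1.png:
--------------------------------------------------------------------------------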
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/api_v2_1.png -------------------------------------------------------------------------------- /docs/_static/api_v2_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/api_v2_2.png -------------------------------------------------------------------------------- /docs/_static/api_v2_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/api_v2_3.png -------------------------------------------------------------------------------- /docs/_static/bug-2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/bug-2x.png -------------------------------------------------------------------------------- /docs/_static/burp_plugin_usage.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/burp_plugin_usage.gif -------------------------------------------------------------------------------- /docs/_static/dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/dashboard.png -------------------------------------------------------------------------------- /docs/_static/deduplication.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/deduplication.png -------------------------------------------------------------------------------- /docs/_static/end_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/end_1.png -------------------------------------------------------------------------------- /docs/_static/end_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/end_2.png -------------------------------------------------------------------------------- /docs/_static/end_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/end_3.png -------------------------------------------------------------------------------- /docs/_static/eng_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/eng_1.png -------------------------------------------------------------------------------- /docs/_static/eng_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/eng_2.png -------------------------------------------------------------------------------- /docs/_static/engagement_risk_acceptance.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/engagement_risk_acceptance.png -------------------------------------------------------------------------------- /docs/_static/find_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/find_1.png -------------------------------------------------------------------------------- /docs/_static/find_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/find_2.png -------------------------------------------------------------------------------- /docs/_static/find_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/find_3.png -------------------------------------------------------------------------------- /docs/_static/find_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/find_4.png -------------------------------------------------------------------------------- /docs/_static/find_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/find_5.png -------------------------------------------------------------------------------- /docs/_static/find_6.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/find_6.png -------------------------------------------------------------------------------- /docs/_static/finding_accepted.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/finding_accepted.png -------------------------------------------------------------------------------- /docs/_static/getting_started_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_1.png -------------------------------------------------------------------------------- /docs/_static/getting_started_10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_10.png -------------------------------------------------------------------------------- /docs/_static/getting_started_11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_11.png -------------------------------------------------------------------------------- /docs/_static/getting_started_12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_12.png -------------------------------------------------------------------------------- /docs/_static/getting_started_13.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_13.png -------------------------------------------------------------------------------- /docs/_static/getting_started_14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_14.png -------------------------------------------------------------------------------- /docs/_static/getting_started_15.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_15.png -------------------------------------------------------------------------------- /docs/_static/getting_started_16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_16.png -------------------------------------------------------------------------------- /docs/_static/getting_started_17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_17.png -------------------------------------------------------------------------------- /docs/_static/getting_started_18.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_18.png -------------------------------------------------------------------------------- /docs/_static/getting_started_19.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_19.png -------------------------------------------------------------------------------- /docs/_static/getting_started_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_2.png -------------------------------------------------------------------------------- /docs/_static/getting_started_20.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_20.png -------------------------------------------------------------------------------- /docs/_static/getting_started_21.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_21.png -------------------------------------------------------------------------------- /docs/_static/getting_started_22.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_22.png -------------------------------------------------------------------------------- /docs/_static/getting_started_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_3.png -------------------------------------------------------------------------------- 
/docs/_static/getting_started_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_4.png -------------------------------------------------------------------------------- /docs/_static/getting_started_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_5.png -------------------------------------------------------------------------------- /docs/_static/getting_started_6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_6.png -------------------------------------------------------------------------------- /docs/_static/getting_started_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_7.png -------------------------------------------------------------------------------- /docs/_static/getting_started_8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_8.png -------------------------------------------------------------------------------- /docs/_static/getting_started_9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/getting_started_9.png 
-------------------------------------------------------------------------------- /docs/_static/google_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_1.png -------------------------------------------------------------------------------- /docs/_static/google_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_2.png -------------------------------------------------------------------------------- /docs/_static/google_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_3.png -------------------------------------------------------------------------------- /docs/_static/google_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_4.png -------------------------------------------------------------------------------- /docs/_static/google_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_5.png -------------------------------------------------------------------------------- /docs/_static/google_sheets_sync_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_sheets_sync_1.png 
-------------------------------------------------------------------------------- /docs/_static/google_sheets_sync_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_sheets_sync_2.png -------------------------------------------------------------------------------- /docs/_static/google_sheets_sync_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_sheets_sync_3.png -------------------------------------------------------------------------------- /docs/_static/google_sheets_sync_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/google_sheets_sync_4.png -------------------------------------------------------------------------------- /docs/_static/graph-2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/graph-2x.png -------------------------------------------------------------------------------- /docs/_static/imp_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/imp_1.png -------------------------------------------------------------------------------- /docs/_static/imp_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/imp_2.png 
-------------------------------------------------------------------------------- /docs/_static/key-2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/key-2x.png -------------------------------------------------------------------------------- /docs/_static/met_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/met_1.png -------------------------------------------------------------------------------- /docs/_static/met_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/met_2.png -------------------------------------------------------------------------------- /docs/_static/met_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/met_3.png -------------------------------------------------------------------------------- /docs/_static/met_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/met_4.png -------------------------------------------------------------------------------- /docs/_static/met_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/met_5.png -------------------------------------------------------------------------------- /docs/_static/notifications_1.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/notifications_1.png -------------------------------------------------------------------------------- /docs/_static/okta_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/okta_1.png -------------------------------------------------------------------------------- /docs/_static/okta_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/okta_2.png -------------------------------------------------------------------------------- /docs/_static/okta_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/okta_3.png -------------------------------------------------------------------------------- /docs/_static/okta_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/okta_4.png -------------------------------------------------------------------------------- /docs/_static/okta_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/okta_5.png -------------------------------------------------------------------------------- /docs/_static/okta_6.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/okta_6.png -------------------------------------------------------------------------------- /docs/_static/okta_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/okta_7.png -------------------------------------------------------------------------------- /docs/_static/owasp_asvs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/owasp_asvs.png -------------------------------------------------------------------------------- /docs/_static/owasp_asvs_level.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/owasp_asvs_level.png -------------------------------------------------------------------------------- /docs/_static/owasp_asvs_menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/owasp_asvs_menu.png -------------------------------------------------------------------------------- /docs/_static/owasp_asvs_score.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/owasp_asvs_score.png -------------------------------------------------------------------------------- /docs/_static/prod-owner-creds.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/prod-owner-creds.png -------------------------------------------------------------------------------- /docs/_static/product_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/product_1.png -------------------------------------------------------------------------------- /docs/_static/product_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/product_2.png -------------------------------------------------------------------------------- /docs/_static/product_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/product_3.png -------------------------------------------------------------------------------- /docs/_static/report_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/report_1.png -------------------------------------------------------------------------------- /docs/_static/report_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/report_2.png -------------------------------------------------------------------------------- /docs/_static/risk_exception.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/risk_exception.png -------------------------------------------------------------------------------- /docs/_static/scan_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/scan_1.png -------------------------------------------------------------------------------- /docs/_static/scan_2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/scan_2.png -------------------------------------------------------------------------------- /docs/_static/scan_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/scan_3.png -------------------------------------------------------------------------------- /docs/_static/select_engagement.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/select_engagement.png -------------------------------------------------------------------------------- /docs/_static/similar_finding_1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/similar_finding_1.png -------------------------------------------------------------------------------- /docs/_static/similar_finding_2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/similar_finding_2.png -------------------------------------------------------------------------------- /docs/_static/sla_global_settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/sla_global_settings.png -------------------------------------------------------------------------------- /docs/_static/sla_notification_product_checkboxes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/sla_notification_product_checkboxes.png -------------------------------------------------------------------------------- /docs/_static/slack_scopes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/slack_scopes.png -------------------------------------------------------------------------------- /docs/_static/slack_tokens.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/DefectDojo/Documentation/c29b67e94998de995ddbc4abacfb8e2f548c54e3/docs/_static/slack_tokens.png -------------------------------------------------------------------------------- /docs/about.rst: -------------------------------------------------------------------------------- 1 | About DefectDojo 2 | ================ 3 | 4 | DefectDojo Basics 5 | ~~~~~~~~~~~~~~~~~ 6 | 7 | Terms 8 | ***** 9 | There are several terms that will be helpful to understand as you work with DefectDojo 10 | 11 | Products 12 | ******** 13 | This is the name of any project, program, team, or company that you are currently 
testing. 14 | 15 | *Examples* 16 | * Wordpress 17 | * Internal wiki 18 | * Slack 19 | 20 | Product types 21 | ************* 22 | These can be business unit divisions, different offices or locations, or any other logical way of distinguishing "types" of products. 23 | 24 | *Examples* 25 | * Internal / 3rd party 26 | * Main company / Acquisition 27 | * San Francisco / New York offices 28 | 29 | Engagements 30 | *********** 31 | Engagements are moments in time when testing is taking place. They are associated with a name for easy reference, a time line, a lead (the user account of the main person conducting the testing), a test strategy, and a status. 32 | 33 | *Examples* 34 | * Beta 35 | * Quarterly PCI Scan 36 | * Release Version X 37 | 38 | Test Types 39 | ********** 40 | These can be any sort of distinguishing characteristic about the type of testing that was done during an Engagement. 41 | 42 | *Examples* 43 | * Functional 44 | * Security 45 | * Nessus Scan 46 | * API test 47 | 48 | Environments 49 | ************ 50 | These describe the environment that was tested during a particular Engagement. 51 | 52 | *Examples* 53 | * Production 54 | * Staging 55 | * Stable 56 | -------------------------------------------------------------------------------- /docs/api-docs.rst: -------------------------------------------------------------------------------- 1 | DefectDojo API Documentation 2 | ============================ 3 | 4 | .. warning:: 5 | API v1 is deprecated and will be no longer maintained after 12-31-2020. 6 | API v1 will be removed on 06-30-2021. 7 | Please move to API v2 and raise issues for any unsupported operations. 8 | 9 | 10 | DefectDojo's API is created using `Tastypie`_. The documentation of each endpoint is available within each DefectDojo 11 | installation at `/api/v1/doc/` and can be accessed by choosing the API Docs link on the user drop down menu in the 12 | header. 13 | 14 | .. 
image:: _static/api_1.png 15 | 16 | The documentation is generated using `Tastypie Swagger`_, and is interactive. 17 | 18 | To interact with the documentation, a valid Authorization header value is needed. Visit the `/api/key/` view to generate 19 | your API Key and copy the header value provided. 20 | 21 | .. image:: _static/api_3.png 22 | 23 | Return to the `/api/v1/doc/` view to paste your key in the form field and click `Explore`. Your authorization header 24 | value will be captured and used for all requests. 25 | 26 | Each section allows you to make calls to the API and view the Request URL, Response Body, Response Code and Response 27 | Headers. 28 | 29 | .. image:: _static/api_2.png 30 | 31 | Currently the following endpoints are available: 32 | 33 | * Engagements 34 | * Findings 35 | * Products 36 | * Scan Settings 37 | * Scans 38 | * Tests 39 | * Users 40 | 41 | .. _Tastypie: https://django-tastypie.readthedocs.org 42 | .. _Tastypie Swagger: http://django-tastypie-swagger.readthedocs.org/ 43 | 44 | Authentication 45 | -------------- 46 | 47 | The API uses header authentication with API key. The format of the header should be: :: 48 | 49 | Authorization: ApiKey : 50 | 51 | For example: :: 52 | 53 | Authorization: ApiKey jay7958:c8572a5adf107a693aa6c72584da31f4d1f1dcff 54 | 55 | 56 | Sample Code 57 | ----------- 58 | 59 | Here are some simple python examples and their results produced against the `/users` endpoint: :: 60 | 61 | import requests 62 | 63 | url = 'http://127.0.0.1:8000/api/v1/users' 64 | headers = {'content-type': 'application/json', 65 | 'Authorization': 'ApiKey jay7958:c8572a5adf107a693aa6c72584da31f4d1f1dcff'} 66 | r = requests.get(url, headers=headers, verify=True) # set verify to False if ssl cert is self-signed 67 | 68 | for key, value in r.__dict__.iteritems(): 69 | print key 70 | print value 71 | print '------------------' 72 | 73 | This code will display the list of all the users defined in DefectDojo. 
74 | The json object result of the above code is: :: 75 | 76 | { 77 | "meta": { 78 | "limit": 20, 79 | "next": null, 80 | "offset": 0, 81 | "previous": null, 82 | "total_count": 3 83 | }, 84 | "objects": [ 85 | { 86 | "first_name": "Greg", 87 | "id": 22, 88 | "last_login": "2018-10-28T08:05:51.925743", 89 | "last_name": "", 90 | "resource_uri": "/api/v1/users/22/", 91 | "username": "greg.dev" 92 | }, 93 | 94 | { 95 | "first_name": "Andy", 96 | "id": 29, 97 | "last_login": "2019-05-28T08:05:51.925743", 98 | "last_name": "", 99 | "resource_uri": "/api/v1/users/29/", 100 | "username": "andy586432" 101 | }, 102 | 103 | { 104 | "first_name": "Dev", 105 | "id": 31, 106 | "last_login": "2018-10-13T11:44:32.533035", 107 | "last_name": "", 108 | "resource_uri": "/api/v1/users/31/", 109 | "username": "dev.paz" 110 | } 111 | ] 112 | } 113 | 114 | 115 | Here is another example against the `/users` endpoint,we apply the condition(username__contains=jay) which will filter and display the list of the users 116 | whose username includes `jay`: :: 117 | 118 | import requests 119 | 120 | url = 'http://127.0.0.1:8000/api/v1/users/?username__contains=jay' 121 | headers = {'content-type': 'application/json', 122 | 'Authorization': 'ApiKey jay7958:c8572a5adf107a693aa6c72584da31f4d1f1dcff'} 123 | r = requests.get(url, headers=headers, verify=True) # set verify to False if ssl cert is self-signed 124 | 125 | for key, value in r.__dict__.iteritems(): 126 | print key 127 | print value 128 | print '------------------' 129 | 130 | The json object result of the above code is: :: 131 | 132 | { 133 | "meta": { 134 | "limit": 20, 135 | "next": null, 136 | "offset": 0, 137 | "previous": null, 138 | "total_count": 2 139 | }, 140 | "objects": [ 141 | { 142 | "first_name": "Jay", 143 | "id": 22, 144 | "last_login": "2019-04-22T08:05:51.925743", 145 | "last_name": "Paz", 146 | "resource_uri": "/api/v1/users/22/", 147 | "username": "jay7958" 148 | }, 149 | { 150 | "first_name": "", 151 | "id": 31, 152 
| "last_login": "2019-04-04T11:44:32.533035", 153 | "last_name": "", 154 | "resource_uri": "/api/v1/users/31/", 155 | "username": "jay.paz" 156 | } 157 | ] 158 | } 159 | 160 | Here is a simple python POST example for creating a new product_type: :: 161 | 162 | import requests 163 | 164 | url = 'http://127.0.0.1:8000/api/v1/product_types/' 165 | data = { 166 | 'name':'Spartans Dev Team', 167 | "critical_product": "true", 168 | "key_product": "true" 169 | } 170 | headers = {'content-type': 'application/json', 171 | 'Authorization': 'ApiKey jay7958:c8572a5adf107a693aa6c72584da31f4d1f1dcff'} 172 | r = requests.get(url, json = data, headers=headers, verify=True) # set verify to False if ssl cert is self-signed 173 | 174 | print("The response status code :%s"%r.status_code) 175 | print("The response text is :%s"%r.text) 176 | 177 | See `Tastypie's documentation on interacting with an API`_ for additional examples and tips. 178 | 179 | .. _Tastypie's documentation on interacting with an API: https://django-tastypie.readthedocs.org/en/latest/interacting.html 180 | 181 | 182 | See `defectdojo_api project`_, a Python API wrapper for DefectDojo (a utility to call the API using python) 183 | 184 | .. _defectdojo_api project: https://github.com/DefectDojo/defectdojo_api 185 | 186 | 187 | Manually calling the API 188 | ------------------------ 189 | 190 | Tools like Postman can be used for testing the API. 191 | 192 | Example for importing a scan result: 193 | 194 | * Verb: POST 195 | * URI: http://localhost:8080/api/v1/importscan/ 196 | * Headers tab: add the authentication header 197 | * Key: Authorization 198 | * Value: ApiKey jay7958:c8572a5adf107a693aa6c72584da31f4d1f1dcff 199 | * Body tab 200 | * select "form-data", click "bulk edit". 
Example for a ZAP scan: 201 | 202 | :: 203 | 204 | verified:true 205 | active:true 206 | lead:/api/v1/users/1/ 207 | tags:test 208 | scan_date:2019-04-30 209 | scan_type:ZAP Scan 210 | minimum_severity:Info 211 | engagement:/api/v1/engagements/1/ 212 | 213 | * Body tab 214 | * Click "Key-value" edit 215 | * Add a "file" parameter of type "file". This will trigger multi-part form data for sending the file content 216 | * Browse for the file to upload 217 | * Click send 218 | -------------------------------------------------------------------------------- /docs/api-v2-docs.rst: -------------------------------------------------------------------------------- 1 | DefectDojo API v2 Documentation 2 | =============================== 3 | 4 | DefectDojo's API is created using `Django Rest Framework`_. The documentation of each endpoint is available within each DefectDojo 5 | installation at `/api/v2/doc/` and can be accessed by choosing the API v2 Docs link on the user drop down menu in the 6 | header. 7 | 8 | .. image:: _static/api_v2_1.png 9 | 10 | The documentation is generated using `Django Rest Framework Swagger`_, and is interactive. 11 | 12 | To interact with the documentation, a valid Authorization header value is needed. Visit the `/api/v2/key/` view to generate 13 | your API Key (Token) and copy the header value provided. 14 | 15 | .. image:: _static/api_v2_2.png 16 | 17 | Return to the `/api/v2/doc/` view and click `Authorize` to open the Authorization form. Paste your key in the form field provided and click the `Authorize` button. Your authorization header value will be captured and used for all requests. 18 | 19 | Each section allows you to make calls to the API and view the Request URL, Response Body, Response Code and Response 20 | Headers. 21 | 22 | .. 
image:: _static/api_v2_3.png 23 | 24 | Currently the following endpoints are available: 25 | 26 | * Engagements 27 | * Findings 28 | * Products 29 | * Scan Settings 30 | * Scans 31 | * Tests 32 | * Users 33 | 34 | .. _Django Rest Framework: http://www.django-rest-framework.org/ 35 | .. _Django Rest Framework Swagger: https://marcgibbons.com/django-rest-swagger/ 36 | 37 | Authentication 38 | -------------- 39 | 40 | The API uses header authentication with an API key. The format of the header should be: :: 41 | 42 | Authorization: Token <api_key> 43 | 44 | For example: :: 45 | 46 | Authorization: Token c8572a5adf107a693aa6c72584da31f4d1f1dcff 47 | 48 | 49 | Sample Code 50 | ----------- 51 | 52 | Here are some simple python examples and their results produced against the `/users` endpoint. Keep ``verify=True`` outside local testing: ``verify=False`` disables certificate validation, so the token in the header could be sent to a host impersonating your DefectDojo server. For a self-signed certificate, pass the path of its CA bundle as ``verify`` instead: :: 53 | 54 | import requests 55 | 56 | url = 'http://127.0.0.1:8000/api/v2/users' 57 | headers = {'content-type': 'application/json', 58 | 'Authorization': 'Token c8572a5adf107a693aa6c72584da31f4d1f1dcff'} 59 | r = requests.get(url, headers=headers, verify=True) # set verify to False if ssl cert is self-signed 60 | 61 | for key, value in r.__dict__.iteritems(): 62 | print key 63 | print value 64 | print '------------------' 65 | 66 | This code will return the list of all the users defined in DefectDojo. 
67 | The json object result looks like : :: 68 | 69 | [ 70 | { 71 | "first_name": "Tyagi", 72 | "id": 22, 73 | "last_login": "2019-06-18T08:05:51.925743", 74 | "last_name": "Paz", 75 | "resource_uri": "/api/v1/users/22/", 76 | "username": "dev7958" 77 | }, 78 | { 79 | "first_name": "saurabh", 80 | "id": 31, 81 | "last_login": "2019-06-06T11:44:32.533035", 82 | "last_name": "", 83 | "resource_uri": "/api/v1/users/31/", 84 | "username": "saurabh.paz" 85 | } 86 | ] 87 | 88 | 89 | Here is another example against the `/users` endpoint, this time we will filter the results to include only the users 90 | whose user name includes `jay`: :: 91 | 92 | import requests 93 | 94 | url = 'http://127.0.0.1:8000/api/v2/users/?username__contains=jay' 95 | headers = {'content-type': 'application/json', 96 | 'Authorization': 'Token c8572a5adf107a693aa6c72584da31f4d1f1dcff'} 97 | r = requests.get(url, headers=headers, verify=True) # set verify to False if ssl cert is self-signed 98 | 99 | for key, value in r.__dict__.iteritems(): 100 | print key 101 | print value 102 | print '------------------' 103 | 104 | The json object result is: :: 105 | 106 | [ 107 | { 108 | "first_name": "Jay", 109 | "id": 22, 110 | "last_login": "2015-10-28T08:05:51.925743", 111 | "last_name": "Paz", 112 | "resource_uri": "/api/v1/users/22/", 113 | "username": "jay7958" 114 | }, 115 | { 116 | "first_name": "", 117 | "id": 31, 118 | "last_login": "2015-10-13T11:44:32.533035", 119 | "last_name": "", 120 | "resource_uri": "/api/v1/users/31/", 121 | "username": "jay.paz" 122 | } 123 | ] 124 | 125 | See `Django Rest Framework's documentation on interacting with an API`_ for additional examples and tips. 126 | 127 | .. _Django Rest Framework's documentation on interacting with an API: http://www.django-rest-framework.org/topics/api-clients/ 128 | 129 | Manually calling the API 130 | ------------------------ 131 | 132 | Tools like Postman can be used for testing the API. 
133 | 134 | Example for importing a scan result: 135 | 136 | * Verb: POST 137 | * URI: http://localhost:8080/api/v2/import-scan/ 138 | * Headers tab: add the authentication header 139 | * Key: Authorization 140 | * Value: Token c8572a5adf107a693aa6c72584da31f4d1f1dcff 141 | * Body tab 142 | * select "form-data", click "bulk edit". Example for a ZAP scan: 143 | 144 | :: 145 | 146 | engagement:3 147 | verified:true 148 | active:true 149 | lead:1 150 | tags:test 151 | scan_date:2019-04-30 152 | scan_type:ZAP Scan 153 | minimum_severity:Info 154 | skip_duplicates:true 155 | close_old_findings:false 156 | 157 | * Body tab 158 | * Click "Key-value" edit 159 | * Add a "file" parameter of type "file". This will trigger multi-part form data for sending the file content 160 | * Browse for the file to upload 161 | * Click send 162 | -------------------------------------------------------------------------------- /docs/burp-plugin.rst: -------------------------------------------------------------------------------- 1 | Defect Dojo Burp-Plugin 2 | ========================== 3 | 4 | This is Burp Plugin to export findings directly to Defect Dojo . 5 | 6 | Installation 7 | ************ 8 | 9 | In order for the plugin to work , you will need to have Jython set up in Burp Suite Pro . 10 | To use this plugin before it appears in the BApp Store you will need to do the following : 11 | 12 | 1. Go to `Extender` and select the `Extensions` tab 13 | 2. Click on `Add` , select `Extension Type:` to be `Python` and select the `DefectDojoPlugin.py` 14 | 15 | Usage 16 | ***** 17 | .. image:: /_static/burp_plugin_usage.gif 18 | -------------------------------------------------------------------------------- /docs/conf.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # 3 | # DefectDojo documentation build configuration file, created by 4 | # sphinx-quickstart on Sat Oct 31 19:07:36 2015. 
5 | # 6 | # This file is execfile()d with the current directory set to its 7 | # containing dir. 8 | # 9 | # Note that not all possible configuration values are present in this 10 | # autogenerated file. 11 | # 12 | # All configuration values have a default; values that are commented out 13 | # serve to show the default. 14 | 15 | import sys 16 | import os 17 | import shlex 18 | 19 | # If extensions (or modules to document with autodoc) are in another directory, 20 | # add these directories to sys.path here. If the directory is relative to the 21 | # documentation root, use os.path.abspath to make it absolute, like shown here. 22 | #sys.path.insert(0, os.path.abspath('.')) 23 | 24 | # -- General configuration ------------------------------------------------ 25 | 26 | # If your documentation needs a minimal Sphinx version, state it here. 27 | #needs_sphinx = '1.0' 28 | 29 | # Add any Sphinx extension module names here, as strings. They can be 30 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom 31 | # ones. 32 | extensions = [ 33 | 'sphinx.ext.viewcode', 34 | ] 35 | 36 | # Add any paths that contain templates here, relative to this directory. 37 | templates_path = ['_templates'] 38 | 39 | # The suffix(es) of source filenames. 40 | # You can specify multiple suffix as a list of string: 41 | # source_suffix = ['.rst', '.md'] 42 | source_suffix = '.rst' 43 | 44 | # The encoding of source files. 45 | #source_encoding = 'utf-8-sig' 46 | 47 | # The master toctree document. 48 | master_doc = 'index' 49 | 50 | # General information about the project. 
51 | project = u'DefectDojo' 52 | copyright = u'2015-2018, Greg Anderson, Charles Neill (@ccneill), Jay Paz (@jjpaz), Aaron Weaver (@weavera)' 53 | author = u', Aaron Weaver (@weeavera), Greg Anderson, Charles Neill (@ccneill), Jay Paz (@jjpaz)' 54 | 55 | # The version info for the project you're documenting, acts as replacement for 56 | # |version| and |release|, also used in various other places throughout the 57 | # built documents. 58 | # 59 | # The short X.Y version. 60 | version = '1.14' 61 | # The full version, including alpha/beta/rc tags. 62 | release = '1.14.0' 63 | 64 | # The language for content autogenerated by Sphinx. Refer to documentation 65 | # for a list of supported languages. 66 | # 67 | # This is also used if you do content translation via gettext catalogs. 68 | # Usually you set "language" from the command line for these cases. 69 | language = None 70 | 71 | # There are two options for replacing |today|: either, you set today to some 72 | # non-false value, then it is used: 73 | #today = '' 74 | # Else, today_fmt is used as the format for a strftime call. 75 | #today_fmt = '%B %d, %Y' 76 | 77 | # List of patterns, relative to source directory, that match files and 78 | # directories to ignore when looking for source files. 79 | exclude_patterns = ['_build'] 80 | 81 | # The reST default role (used for this markup: `text`) to use for all 82 | # documents. 83 | #default_role = None 84 | 85 | # If true, '()' will be appended to :func: etc. cross-reference text. 86 | #add_function_parentheses = True 87 | 88 | # If true, the current module name will be prepended to all description 89 | # unit titles (such as .. function::). 90 | #add_module_names = True 91 | 92 | # If true, sectionauthor and moduleauthor directives will be shown in the 93 | # output. They are ignored by default. 94 | #show_authors = False 95 | 96 | # The name of the Pygments (syntax highlighting) style to use. 
97 | pygments_style = 'sphinx' 98 | 99 | # A list of ignored prefixes for module index sorting. 100 | #modindex_common_prefix = [] 101 | 102 | # If true, keep warnings as "system message" paragraphs in the built documents. 103 | #keep_warnings = False 104 | 105 | # If true, `todo` and `todoList` produce output, else they produce nothing. 106 | todo_include_todos = False 107 | 108 | 109 | # -- Options for HTML output ---------------------------------------------- 110 | 111 | # The theme to use for HTML and HTML Help pages. See the documentation for 112 | # a list of builtin themes. 113 | 114 | import sphinx_rtd_theme 115 | 116 | html_theme = "sphinx_rtd_theme" 117 | 118 | html_theme_path = [sphinx_rtd_theme.get_html_theme_path()] 119 | 120 | # Theme options are theme-specific and customize the look and feel of a theme 121 | # further. For a list of options available for each theme, see the 122 | # documentation. 123 | #html_theme_options = {} 124 | 125 | # Add any paths that contain custom themes here, relative to this directory. 126 | #html_theme_path = [] 127 | 128 | # The name for this set of Sphinx documents. If None, it defaults to 129 | # " v documentation". 130 | #html_title = None 131 | 132 | # A shorter title for the navigation bar. Default is the same as html_title. 133 | #html_short_title = None 134 | 135 | # The name of an image file (relative to this directory) to place at the top 136 | # of the sidebar. 137 | #html_logo = None 138 | 139 | # The name of an image file (within the static path) to use as favicon of the 140 | # docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 141 | # pixels large. 142 | #html_favicon = None 143 | 144 | # Add any paths that contain custom static files (such as style sheets) here, 145 | # relative to this directory. They are copied after the builtin static files, 146 | # so a file named "default.css" will overwrite the builtin "default.css". 
147 | html_static_path = ['_static'] 148 | 149 | # Add any extra paths that contain custom files (such as robots.txt or 150 | # .htaccess) here, relative to this directory. These files are copied 151 | # directly to the root of the documentation. 152 | #html_extra_path = [] 153 | 154 | # If not '', a 'Last updated on:' timestamp is inserted at every page bottom, 155 | # using the given strftime format. 156 | #html_last_updated_fmt = '%b %d, %Y' 157 | 158 | # If true, SmartyPants will be used to convert quotes and dashes to 159 | # typographically correct entities. 160 | #html_use_smartypants = True 161 | 162 | # Custom sidebar templates, maps document names to template names. 163 | #html_sidebars = {} 164 | 165 | # Additional templates that should be rendered to pages, maps page names to 166 | # template names. 167 | #html_additional_pages = {} 168 | 169 | # If false, no module index is generated. 170 | #html_domain_indices = True 171 | 172 | # If false, no index is generated. 173 | #html_use_index = True 174 | 175 | # If true, the index is split into individual pages for each letter. 176 | #html_split_index = False 177 | 178 | # If true, links to the reST sources are added to the pages. 179 | #html_show_sourcelink = True 180 | 181 | # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. 182 | #html_show_sphinx = True 183 | 184 | # If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. 185 | #html_show_copyright = True 186 | 187 | # If true, an OpenSearch description file will be output, and all pages will 188 | # contain a tag referring to it. The value of this option must be the 189 | # base URL from which the finished HTML is served. 190 | #html_use_opensearch = '' 191 | 192 | # This is the file name suffix for HTML files (e.g. ".xhtml"). 193 | #html_file_suffix = None 194 | 195 | # Language to be used for generating the HTML full-text search index. 
196 | # Sphinx supports the following languages: 197 | # 'da', 'de', 'en', 'es', 'fi', 'fr', 'hu', 'it', 'ja' 198 | # 'nl', 'no', 'pt', 'ro', 'ru', 'sv', 'tr' 199 | #html_search_language = 'en' 200 | 201 | # A dictionary with options for the search language support, empty by default. 202 | # Now only 'ja' uses this config value 203 | #html_search_options = {'type': 'default'} 204 | 205 | # The name of a javascript file (relative to the configuration directory) that 206 | # implements a search results scorer. If empty, the default will be used. 207 | #html_search_scorer = 'scorer.js' 208 | 209 | # Output file base name for HTML help builder. 210 | htmlhelp_basename = 'DefectDojodoc' 211 | 212 | # -- Options for LaTeX output --------------------------------------------- 213 | 214 | latex_elements = { 215 | # The paper size ('letterpaper' or 'a4paper'). 216 | #'papersize': 'letterpaper', 217 | 218 | # The font size ('10pt', '11pt' or '12pt'). 219 | #'pointsize': '10pt', 220 | 221 | # Additional stuff for the LaTeX preamble. 222 | #'preamble': '', 223 | 224 | # Latex figure (float) alignment 225 | #'figure_align': 'htbp', 226 | } 227 | 228 | # Grouping the document tree into LaTeX files. List of tuples 229 | # (source start file, target name, title, 230 | # author, documentclass [howto, manual, or own class]). 231 | latex_documents = [ 232 | (master_doc, 'DefectDojo.tex', u'DefectDojo Documentation', 233 | u'Greg Anderson (@\\_GRRegg), Charles Neill (@ccneill), Jay Paz (@jjpaz)', 'manual'), 234 | ] 235 | 236 | # The name of an image file (relative to this directory) to place at the top of 237 | # the title page. 238 | #latex_logo = None 239 | 240 | # For "manual" documents, if this is true, then toplevel headings are parts, 241 | # not chapters. 242 | #latex_use_parts = False 243 | 244 | # If true, show page references after internal links. 245 | #latex_show_pagerefs = False 246 | 247 | # If true, show URL addresses after external links. 
248 | #latex_show_urls = False 249 | 250 | # Documents to append as an appendix to all manuals. 251 | #latex_appendices = [] 252 | 253 | # If false, no module index is generated. 254 | #latex_domain_indices = True 255 | 256 | 257 | # -- Options for manual page output --------------------------------------- 258 | 259 | # One entry per manual page. List of tuples 260 | # (source start file, name, description, authors, manual section). 261 | man_pages = [ 262 | (master_doc, 'defectdojo', u'DefectDojo Documentation', 263 | [author], 1) 264 | ] 265 | 266 | # If true, show URL addresses after external links. 267 | #man_show_urls = False 268 | 269 | 270 | # -- Options for Texinfo output ------------------------------------------- 271 | 272 | # Grouping the document tree into Texinfo files. List of tuples 273 | # (source start file, target name, title, author, 274 | # dir menu entry, description, category) 275 | texinfo_documents = [ 276 | (master_doc, 'DefectDojo', u'DefectDojo Documentation', 277 | author, 'DefectDojo', 'DefectDojo is an open-source application vulnerability correlation and security orchestration tool.', 278 | 'Miscellaneous'), 279 | ] 280 | 281 | # Documents to append as an appendix to all manuals. 282 | #texinfo_appendices = [] 283 | 284 | # If false, no module index is generated. 285 | #texinfo_domain_indices = True 286 | 287 | # How to display URL addresses: 'footnote', 'no', or 'inline'. 288 | #texinfo_show_urls = 'footnote' 289 | 290 | # If true, do not generate a @detailmenu in the "Top" node's menu. 291 | #texinfo_no_detailmenu = False 292 | -------------------------------------------------------------------------------- /docs/features.rst: -------------------------------------------------------------------------------- 1 | DefectDojo Features 2 | =================== 3 | 4 | Below are the main sections within DefectDojo. Each is designed to allow for ease of use and simple organization of 5 | Products and their Tests. 
The :doc:`models` page will help you understand the terminology we use below, so we recommend 6 | taking a look at that first. 7 | 8 | Products 9 | -------- 10 | 11 | The following attributes describe a Product: 12 | 13 | Name 14 | A short name for the product, used for easy identification. This field can hold up to 300 characters. 15 | 16 | Description 17 | Used to fully describe the product. This field can hold up to 2000 characters. 18 | 19 | Product Manager 20 | Provides the ability to store who manages the product lifecycle. Useful for contacting team members. This field 21 | can hold up to 200 characters. 22 | 23 | Technical Contact 24 | Provides the ability to store who should be contacted in case of technical questions and/or difficulties. 25 | This field can hold up to 200 characters. 26 | 27 | Manager 28 | Provides the ability to store who manages the technical resources for the product. This field can hold up to 200 29 | characters. 30 | 31 | Date Created 32 | Stores when the Product was first added to DefectDojo. 33 | 34 | Date Updated 35 | Stores when the Product was updated. 36 | 37 | Business Criticality 38 | Criticality of the product. 39 | 40 | Platform 41 | Type of product: web, API, mobile etc. 42 | 43 | Lifecycle 44 | Stage of product development 45 | 46 | Product Type 47 | Used to group products together. 48 | 49 | Authorized Users 50 | List of users who are allowed to view and interact with the product. 51 | 52 | Products are listed on the ``/product`` page and can be filtered by their attributes as well as sorted by their name and 53 | product type. 54 | 55 | .. image:: _static/product_3.png 56 | :alt: Product Listing Page 57 | 58 | Visual representation of a product: 59 | 60 | .. image:: _static/product_1.png 61 | :alt: View Product Page 62 | 63 | Product with metrics: 64 | 65 | .. 
image:: _static/product_2.png 66 | :alt: View Product Page With Metrics Displayed 67 | 68 | Engagements 69 | ----------- 70 | 71 | The following attributes describe an Engagement: 72 | 73 | Name 74 | Helps distinguish one Engagement from another on the same product. This field can hold up to 300 characters. 75 | 76 | Target Start Date 77 | The projected start date for this engagement. 78 | 79 | Target End Date 80 | The projected end date for this engagement. 81 | 82 | Lead 83 | The DefectDojo user who is considered the lead for this group of tests. 84 | 85 | Product 86 | The Product being tested as part of this group of tests. 87 | 88 | Active 89 | Denotes if the Engagement is currently active or not. 90 | 91 | Test Strategy 92 | The URL of the testing strategy defined for this Engagement. 93 | 94 | Threat Model 95 | The document generated by a threat modeling session discussing the risks associated with this product at this moment in time. 96 | 97 | Hash Code 98 | A hash over a configurable set of fields that is used for findings deduplication. 99 | 100 | Payload 101 | Payload used to attack the service / application and trigger the bug / problem. 102 | 103 | Status 104 | Describes the current state of the Engagement. Values include In Progress, On Hold and Completed. 105 | 106 | Engagements are listed in the ``/engagement`` page and can be filtered by their attributes as well as sorted by the 107 | product or product type. 108 | 109 | .. image:: _static/eng_2.png 110 | :alt: Engagement Listing Page 111 | 112 | Visual representation of an engagement: 113 | 114 | .. image:: _static/eng_1.png 115 | :alt: View Engagement Page 116 | 117 | Endpoints 118 | --------- 119 | 120 | .. |FQDN| replace:: Fully Qualified Domain Name 121 | 122 | Endpoints represent testable systems defined by IP address or |FQDN|. 123 | 124 | The following attributes describe an Endpoint: 125 | 126 | Protocol 127 | The communication protocol such as 'http', 'https', 'ftp', etc. 
128 | 129 | Host 130 | The host name or IP address, you can also include the port number. For example '127.0.0.1', '127.0.0.1:8080', 131 | 'localhost', 'yourdomain.com'. 132 | 133 | Path 134 | The location of the resource, it should start with a '/'. For example "/endpoint/420/edit" 135 | 136 | Query 137 | The query string, the question mark should be omitted. "For example 'group=4&team=8' 138 | 139 | Fragment 140 | The fragment identifier which follows the hash mark. The hash mark should be omitted. For example 'section-13', 141 | 'paragraph-2'. 142 | 143 | Product 144 | The Product that this endpoint should be associated with. 145 | 146 | Endpoints are listed in the ``/endpoints`` page and can be filtered by their attributes as well as sorted by the 147 | product or host. 148 | 149 | .. image:: _static/end_1.png 150 | :alt: Endpoint Listing Page 151 | 152 | Visual representation of an endpoint: 153 | 154 | .. image:: _static/end_2.png 155 | :alt: View Endpoint Page 156 | 157 | Visual representation of an endpoint with metrics displayed: 158 | 159 | .. image:: _static/end_3.png 160 | :alt: View Endpoint Page with metrics 161 | 162 | 163 | Findings 164 | -------- 165 | 166 | Findings represent a flaw within the product being tested. The following attributes help define a Finding: 167 | 168 | Title 169 | A short description of the flaw (Up to 511 characters). 170 | 171 | Description 172 | Longer more descriptive information about the flaw. 173 | 174 | Date 175 | The date the flaw was discovered. 176 | 177 | CVE 178 | The Common Vulnerabilities and Exposures (CVE) associated with this flaw. 179 | 180 | CVSSV3 181 | Common Vulnerability Scoring System version 3 (CVSSv3) score associated with this flaw. 182 | 183 | CWE 184 | The CWE number associated with this flaw. 185 | 186 | URL 187 | External reference that provides more information about this flaw. 
188 | 189 | Severity 190 | The severity level of this flaw (Critical, High, Medium, Low, Informational) 191 | 192 | Numerical Severity 193 | The numerical representation of the severity (S0, S1, S2, S3, S4) 194 | 195 | Mitigation 196 | Text describing how to best fix the flaw. 197 | 198 | Impact 199 | Text describing the impact this flaw has on systems, products, enterprise, etc. 200 | 201 | Steps to Reproduce 202 | Text describing the steps that must be followed in order to reproduce the flaw / bug. 203 | 204 | Severity Justification 205 | Text describing why a certain severity was associated with this flaw. 206 | 207 | Endpoints 208 | The hosts within the product that are susceptible to this flaw. 209 | 210 | Endpoint Status 211 | The status of the endpoint associated with this flaw (Vulnerable, Mitigated, ...). 212 | 213 | References 214 | The external documentation available for this flaw. 215 | 216 | Thread ID 217 | Thread ID 218 | 219 | Hash Code 220 | A hash over a configurable set of fields that is used for findings deduplication. 221 | 222 | Test 223 | The test that is associated with this flaw. 224 | 225 | Is Template 226 | Denotes if this finding is a template and can be reused. 227 | 228 | Active 229 | Denotes if this flaw is active or not. 230 | 231 | Verified 232 | Denotes if this flaw has been manually verified by the tester. 233 | 234 | False Positive 235 | Denotes if this flaw has been deemed a false positive by the tester. 236 | 237 | Duplicate 238 | Denotes if this flaw is a duplicate of other flaws reported. 239 | 240 | Duplicate Finding 241 | Link to the original finding if this finding is a duplicate. 242 | 243 | Out Of Scope 244 | Denotes if this flaw falls outside the scope of the test and/or engagement. 245 | 246 | Under Review 247 | Denotes if this flaw is currently being reviewed. 248 | 249 | Mitigated 250 | Denotes if this flaw has been fixed, by storing the date it was fixed. 
251 | 252 | Is Mitigated 253 | Denotes if this flaw has been fixed. 254 | 255 | Mitigated By 256 | Documents who has deemed this flaw as fixed. 257 | 258 | Reporter 259 | Documents who reported the flaw. 260 | 261 | Reviewers 262 | Document who reviewed the flaw. 263 | 264 | Last Reviewed 265 | Provides the date the flaw was last "touched" by a tester. 266 | 267 | Last Reviewed By 268 | Provides the person who last reviewed the flaw. 269 | 270 | Component Name 271 | Name of the affected component (library name, part of a system, ...). 272 | 273 | Component Version 274 | Version of the affected component. 275 | 276 | Found By 277 | The name of the scanner that identified the flaw. 278 | 279 | SonarQube Issue 280 | The SonarQube issue associated with this finding. 281 | 282 | Unique ID from tool 283 | Vulnerability technical id from the source tool. Allows to track unique vulnerabilities. 284 | 285 | Defect Review Requested By 286 | Document who requested a defect review for this flaw. 287 | 288 | Under Defect Review 289 | Denotes if this finding is under defect review. 290 | 291 | Review Requested By 292 | Document who requested a review for this finding. 293 | 294 | Static Finding 295 | Flaw has been detected from a Static Application Security Testing tool (SAST). 296 | 297 | Dynamic Finding 298 | Flaw has been detected from a Dynamic Application Security Testing tool (DAST). 299 | 300 | Jira Creation 301 | The date a Jira issue was created from this finding. 302 | 303 | Jira Change 304 | The date the linked Jira issue was last modified. 305 | 306 | SLA Days Remaining 307 | The number of day remaining to stay within the SLA. 308 | 309 | Finding Meta 310 | Custom metadata (K/V) that can be set on top of findings. 311 | 312 | Tags 313 | Add custom tags on top of findings (helpful for searching). 314 | 315 | Created 316 | The date the finding was created inside DefectDojo. 317 | 318 | Param 319 | Parameter used to trigger the issue (DAST). 
320 | 321 | Payload 322 | Payload used to attack the service / application and trigger the bug / problem. 323 | 324 | Age 325 | The number of days since the finding was created. 326 | 327 | Scanner confidence 328 | Confidence level of vulnerability which is supplied by the scanner. 329 | 330 | Number of Occurrences 331 | Number of occurrences in the source tool when several vulnerabilities were found and aggregated by the scanner. 332 | 333 | Source File 334 | Name of the source code file in which the flaw is located. 335 | 336 | Source File Path 337 | Filepath of the source code file in which the flaw is located. 338 | 339 | Notes 340 | Stores information pertinent to the flaw or the mitigation. 341 | Initially there isn't a way to categorize notes added for Findings. Admin can introduce a new attribute to notes as 'note-type' which can categorize notes. 342 | To enable note-types go to System Settings, select Note Types and add new note-types to Dojo. 343 | 344 | Note-type 345 | A note-type has 4 attributes. 346 | 347 | - Name 348 | - Description 349 | - is_active - This has to be true to assign the note-type to a note. 350 | - is_single - If true, only one note of that note-type can exist for a Finding. 351 | - is_mandatory - If true, a Finding has to have at least one note from the note-type in order to close it. 352 | 353 | If note-types are enabled, User has to first select the note-type from the "Note Type" drop down and then add the contents of the note. 354 | 355 | Images 356 | Image(s) / Screenshot(s) related to the flaw. 357 | 358 | SAST specific 359 | ............. 360 | 361 | For SAST, when source (start of the attack vector) and sink (end of the attack vector) information are available. 362 | 363 | Line 364 | Source line number of the attack vector. 365 | 366 | Line Number 367 | Deprecated will be removed, use line. 368 | 369 | File Path 370 | Identified file(s) containing the flaw. 
371 | 372 | SAST Source Object 373 | Source object (variable, function...) of the attack vector. 374 | 375 | SAST Sink Object 376 | Sink object (variable, function...) of the attack vector. 377 | 378 | SAST Source line 379 | Source line number of the attack vector. 380 | 381 | SAST Source File Path 382 | Source file path of the attack vector. 383 | 384 | 385 | .. _finding_pics: 386 | 387 | Images 388 | ...... 389 | 390 | Images 391 | Finding images can now be uploaded to help with documentation and proof of vulnerability. 392 | 393 | If you are upgrading from an older version of DefectDojo, you will have to complete the following and make sure 394 | `MEDIA_ROOT` and `MEDIA_URL` are properly configured: 395 | 396 | Add imagekit to INSTALLED_APPS:: 397 | 398 | INSTALLED_APPS = ( 399 | 'django.contrib.auth', 400 | 'django.contrib.contenttypes', 401 | 'django.contrib.sessions', 402 | 'django.contrib.sites', 403 | 'django.contrib.messages', 404 | 'django.contrib.staticfiles', 405 | 'polymorphic', # provides admin templates 406 | 'overextends', 407 | 'django.contrib.admin', 408 | 'django.contrib.humanize', 409 | 'gunicorn', 410 | 'tastypie', 411 | 'djangobower', 412 | 'auditlog', 413 | 'dojo', 414 | 'tastypie_swagger', 415 | 'watson', 416 | 'tagging', 417 | 'custom_field', 418 | 'imagekit', 419 | ) 420 | 421 | Add `r'^media/'` to `LOGIN_EXEMPT_URLS`:: 422 | 423 | LOGIN_EXEMPT_URLS = ( 424 | r'^static/', 425 | r'^api/v1/', 426 | r'^ajax/v1/', 427 | r'^reports/cover$', 428 | r'^finding/image/(?P[^/]+)$' 429 | ) 430 | Note that every URL pattern listed in `LOGIN_EXEMPT_URLS` is served without requiring a login, so uploaded finding images (which may be proof-of-vulnerability screenshots) under `media/` become reachable without authentication; keep this in mind when deciding what to upload. 431 | 432 | Then run the following commands (make sure your virtual environment is activated):: 433 | 434 | pip install django-imagekit 435 | pip install pillow --upgrade 436 | ./manage.py makemigrations dojo 437 | ./manage.py makemigrations 438 | ./manage.py migrate 439 | 440 | New installations will already have finding images configured. 
441 | 442 | Findings are listed on the ``/finding/open``, ``/finding/closed``, ``/finding/accepted`` and ``/finding/all`` pages. They can be filtered by their attributes as well as sorted by their Name, Date, Reviewed Date, Severity and Product. 443 | 444 | .. image:: _static/find_1.png 445 | :alt: Finding Listing Page 446 | 447 | | 448 | 449 | .. image:: _static/find_2.png 450 | :alt: Finding Listing Page 451 | 452 | | 453 | 454 | .. image:: _static/find_3.png 455 | :alt: Finding Listing Page 456 | 457 | | 458 | 459 | Visual representation of a Finding: 460 | 461 | .. image:: _static/find_4.png 462 | :alt: Finding View 463 | 464 | .. image:: _static/find_5.png 465 | :alt: Finding View 466 | 467 | .. image:: _static/find_6.png 468 | :alt: Finding View 469 | 470 | Deduplication / Similar findings 471 | ................................ 472 | 473 | Automatically Flag Duplicate Findings 474 | 'De-duplication' is a feature that when enabled will compare findings to automatically identify duplicates. 475 | To enable de-duplication go to System Settings and check Deduplicate findings. 476 | Dojo deduplicates findings by comparing endpoints, CWE fields, and titles. If two findings share a URL 477 | and have the same CWE or title, Dojo marks the less recent finding as a duplicate. When deduplication is enabled, a 478 | list of deduplicated findings is added to the engagement view. 479 | The following image illustrates the option deduplication on engagement and deduplication on product level: 480 | 481 | .. image:: _static/deduplication.png 482 | :alt: Deduplication on product and engagement level 483 | 484 | Similar Findings Visualization: 485 | 486 | .. image:: _static/similar_finding_1.png 487 | :alt: Similar findings list 488 | 489 | .. 
image:: _static/similar_finding_2.png 490 | :alt: Similar findings list with a duplicate 491 | 492 | Similar Findings 493 | While viewing a finding, similar findings within the same product are 494 | listed along with buttons to mark one finding a duplicate of the other. 495 | Clicking the "Use as original" button on a similar finding will mark that 496 | finding as the original while marking the viewed finding as a duplicate. 497 | Clicking the "Mark as duplicate" button on a similar finding will mark that 498 | finding as a duplicate of the viewed finding. If a similar finding is 499 | already marked as a duplicate, then a "Reset duplicate status" button is 500 | shown instead which will remove the duplicate status on that finding along 501 | with marking it active again. 502 | 503 | Metrics 504 | ------- 505 | 506 | DefectDojo provides a number of metrics visualization in order to help with reporting, awareness and to be able to 507 | quickly communicate a products/product type's security stance. 508 | 509 | The following metric views are provided: 510 | 511 | Product Type Metrics 512 | This view provides graphs displaying Open Bug Count by Month, Accepted Bug Count by Month, Open Bug Count by Week, 513 | Accepted Bug Count by Week as well as tabular data on Top 10 Products by bug severity, Detail Breakdown of all 514 | reported findings, Opened Findings, Accepted Findings, Closed Findings, Trending Open Bug Count, Trending Accepted 515 | Bug Count, and Age of Issues. 516 | 517 | .. image:: _static/met_1.png 518 | :alt: Product Type Metrics 519 | 520 | Product Type Counts 521 | This view provides tabular data of Total Current Security Bug Count, Total Security Bugs Opened In Period, Total 522 | Security Bugs Closed In Period, Trending Total Bug Count By Month, Top 10 By Bug Severity, and Open Findings. This 523 | view works great for communication with stakeholders as it is a snapshot in time of the product. 524 | 525 | .. 
image:: _static/met_2.png 526 | :alt: Product Type Counts 527 | 528 | Simple Metrics 529 | Provides tabular data for all Product Types. The data displayed in this view is the total number of S0, S1, S2, S3, 530 | S4, Opened This Month, and Closed This Month. 531 | 532 | .. image:: _static/met_3.png 533 | :alt: Simple Metrics 534 | 535 | Engineer Metrics 536 | Provides graphs displaying information about a tester's activity. 537 | 538 | .. image:: _static/met_4.png 539 | :alt: Simple Metrics 540 | 541 | Metrics Dashboard 542 | Provides a full screen, auto scroll view with many metrics in graph format. This view is great for large displays 543 | or "Dashboards." 544 | 545 | .. image:: _static/met_5.png 546 | :alt: Metrics Dashboard 547 | 548 | Users 549 | ----- 550 | 551 | DefectDojo users inherit from `django.contrib.auth.models.User`_. 552 | 553 | .. _django.contrib.auth.models.User: https://docs.djangoproject.com/en/1.8/topics/auth/default/#user-objects 554 | 555 | A username, first name, last name, and email address can be associated with each. Additionally the following 556 | describe the type of use they are: 557 | 558 | Active 559 | Designates whether this user should be treated as active. Unselect this instead of deleting accounts. 560 | 561 | Staff status 562 | Designates whether the user can log into this site. 563 | 564 | Superuser status 565 | Designates that this user has all permissions without explicitly assigning them. 566 | 567 | Calendar 568 | -------- 569 | 570 | The calendar view provides a look at all the engagements occurring during the month displayed. Each entry is a direct 571 | link to the Engagement view page. 572 | 573 | 574 | Port Scans 575 | ---------- 576 | 577 | DefectDojo has the ability to run a port scan using nmap. Scan can be configured for TCP or UDP ports as well as for 578 | a Weekly, Monthly or Quarterly frequency. 579 | 580 | .. 
image:: _static/scan_1.png 581 | :alt: Port Scan Form 582 | 583 | In order for the scans to kick off, `dojo.management.commands.run_scan.py` must run. It is easy to set up a cron 584 | job in order to kick these off at the appropriate frequency. Below is an example cron entry: :: 585 | 586 | 0 0 * * 0 /root/.virtualenvs/dojo/bin/python /root/defect-dojo/manage.py run_scan Weekly 587 | 0 0 1 * * /root/.virtualenvs/dojo/bin/python /root/defect-dojo/manage.py run_scan Monthly 588 | 0 0 1 3,6,9,12 * /root/.virtualenvs/dojo/bin/python /root/defect-dojo/manage.py run_scan Quarterly 589 | 590 | .. image:: _static/scan_2.png 591 | :alt: Port Scan Form 592 | 593 | The scan process will email the configured recipients with the results. 594 | 595 | These scans can also be kicked off on demand by selecting the Launch Scan Now option in the view scan screen. 596 | 597 | .. image:: _static/scan_3.png 598 | :alt: Port Scan Form 599 | 600 | Notifications 601 | ------------- 602 | 603 | .. image:: _static/notifications_1.png 604 | :alt: Notification settings 605 | 606 | DefectDojo can inform you of different events in a variety of ways. You can be notified about things like 607 | an upcoming engagement, when someone mentions you in a comment, a scheduled report has finished generating, and more. 608 | 609 | The following notification methods currently exist: 610 | - Email 611 | - Slack 612 | - Microsoft Teams 613 | - Alerts within DefectDojo 614 | 615 | You can set these notifications on a global scope (if you have administrator rights) or on a personal scope. For instance, 616 | an administrator might want notifications of all upcoming engagements sent to a certain Slack channel, whereas an individual user 617 | wants email notifications to be sent to the user's specified email address when a report has finished generating. 618 | 619 | In order to identify and notify you about things like upcoming engagements, DefectDojo runs scheduled tasks for this 620 | purpose. 
These tasks are scheduled and run using Celery beat, so Celery beat needs to be running for those notifications to work. Instructions 621 | on how to run Celery beat are available in the `Reports`_ section. 622 | 623 | Benchmarks 624 | ---------- 625 | 626 | .. image:: _static/owasp_asvs.png 627 | :alt: OWASP ASVS Benchmarks 628 | 629 | DefectDojo utilizes the OWASP ASVS Benchmarks to benchmark a product to ensure the product meets your application technical security controls. Benchmarks can be defined per the organization's policy for secure development, and multiple benchmarks can be applied to a product. 630 | 631 | Benchmarks are available from the Product view. To view the configured benchmarks, open the drop down menu on the right hand side. You will find the selection near the bottom of the menu, entitled 'OWASP ASVS v.3.1'. 632 | 633 | .. image:: _static/owasp_asvs_menu.png 634 | :alt: OWASP ASVS Benchmarks Menu 635 | 636 | In the Benchmarks view for each product, the default level is ASVS Level 1. On the top right hand side the drop down can be changed to the desired ASVS level (Level 1, Level 2 or Level 3). The publish checkbox will display the ASVS score on the product page, and in the future this will be applied to reporting. 637 | 638 | .. image:: _static/owasp_asvs_score.png 639 | :alt: OWASP ASVS Score 640 | 641 | On the left hand side the ASVS score is displayed along with the desired score, the % of benchmarks passed to achieve the score and the total enabled benchmarks for that ASVS level. 642 | 643 | Additional benchmarks can be added/updated in the Django admin site. In a future release this will be brought out to the UI. 644 | 645 | Reports 646 | ------- 647 | 648 | .. image:: _static/report_1.png 649 | :alt: Report Listing 650 | 651 | DefectDojo's reports can be generated in AsciiDoc and PDF. AsciiDoc is recommended for reports with a large number of 652 | findings. 
653 | 654 | The PDF report is generated using `wkhtmltopdf`_ via `Celery`_, and sane defaults are included in the `settings.py` file. 655 | This allows report generation to be asynchronous and improves the user experience. 656 | 657 | If you are updating from an older version of DefectDojo, you will need to install `wkhtmltopdf` on your own. Please 658 | follow the directions for your specific OS in the `wkhtmltopdf documentation`_. 659 | 660 | Some operating systems are capable of installing `wkhtmltopdf` from their package managers: 661 | 662 | .. Note:: 663 | To get report email notifications, make sure you have a working email configuration in the system settings, 664 | and enable notifications for generated reports in the notification settings. 665 | 666 | Mac: :: 667 | 668 | brew install Caskroom/cask/wkhtmltopdf 669 | 670 | Debian/Ubuntu: :: 671 | 672 | sudo apt-get install wkhtmltopdf 673 | 674 | Fedora/Centos: :: 675 | 676 | sudo yum install wkhtmltopdf 677 | 678 | .. Warning:: 679 | The version in the Debian/Ubuntu repos has reduced functionality (because it is compiled without the wkhtmltopdf QT 680 | patches) and lacks features such as outlines, headers, footers, TOC etc. To use these options you should install a static binary 681 | from the `wkhtmltopdf`_ site. 682 | 683 | Additionally, DefectDojo takes advantage of `python-PDFKit`_ to interact with the `wkhtmltopdf` command line interface. 684 | It is easily installed by running: :: 685 | 686 | pip install pdfkit 687 | 688 | It will also be necessary to add the path of `wkhtmltopdf` to your `settings.py` file. By default the following entry 689 | ships with DefectDojo: :: 690 | 691 | WKHTMLTOPDF_PATH = '/usr/local/bin/wkhtmltopdf' 692 | 693 | However, you may have to update that entry to suit your installation. 694 | 695 | Celery is included with DefectDojo and needs to be kicked off in order for reports to generate/work. 
696 | In development you can run the celery process like: :: 697 | 698 | celery -A dojo worker -l info --concurrency 3 699 | 700 | In production it is recommended that the celery process be daemonized. Supervisor is also included with 701 | DefectDojo and can be set up by following the `Celery documentation`_. A sample `celeryd.conf` `can be found at`_. 702 | 703 | .. _can be found at: https://github.com/celery/celery/blob/3.1/extra/supervisord/celeryd.conf 704 | 705 | Celery beat should also be running; this enables DefectDojo to perform periodic checks of things like upcoming and stale engagements, 706 | as well as allowing celery to clean up after itself and keep your task database from 707 | getting too large. In development you can run the process like: :: 708 | 709 | celery beat -A dojo -l info 710 | 711 | In production it is recommended that the celery beat process also be daemonized. A sample `celerybeatd.conf` 712 | `can be found here`_. 713 | 714 | .. _can be found here: https://github.com/celery/celery/blob/3.1/extra/supervisord/celerybeat.conf 715 | 716 | If you are upgrading from an older version of DefectDojo, you will have to install Celery on your own. To do this you 717 | can run: :: 718 | 719 | pip install celery 720 | 721 | If you are using virtual environments, make sure your environment is activated. You can also follow the `installation 722 | instructions`_ from the Celery documentation. 723 | 724 | .. _wkhtmltopdf: http://wkhtmltopdf.org/ 725 | .. _wkhtmltopdf documentation: https://github.com/pdfkit/pdfkit/wiki/Installing-WKHTMLTOPDF 726 | .. _python-PDFKit: https://github.com/JazzCore/python-pdfkit 727 | .. _Celery: http://docs.celeryproject.org/en/latest/index.html 728 | .. _Celery documentation: http://docs.celeryproject.org/en/latest/tutorials/daemonizing.html 729 | .. 
_installation instructions: http://docs.celeryproject.org/en/latest/getting-started/introduction.html#installation 730 | 731 | Reports can be generated for: 732 | 733 | 1. Groups of Products 734 | 2. Individual Products 735 | 3. Endpoints 736 | 4. Product Types 737 | 5. Custom Reports 738 | 739 | .. image:: _static/report_2.png 740 | :alt: Report Generation 741 | 742 | Filtering is available on all Report Generation views to aid in focusing the report for the appropriate need. 743 | 744 | Custom reports allow you to select specific components to be added to the report. These include: 745 | 746 | 1. Cover Page 747 | 2. Table of Contents 748 | 3. WYSIWYG Content 749 | 4. Findings List 750 | 5. Endpoint List 751 | 6. Page Breaks 752 | 753 | The custom report workflow takes advantage of the same asynchronous process described above. 754 | 755 | Slack integration 756 | ----------------- 757 | 758 | Scopes 759 | ...... 760 | 761 | The following scopes have to be granted. 762 | 763 | .. image:: _static/slack_scopes.png 764 | :alt: Slack OAuth scopes 765 | 766 | Token 767 | ..... 768 | 769 | The bot token has to be chosen and put in your System Settings 770 | 771 | .. image:: _static/slack_tokens.png 772 | :alt: Slack token 773 | 774 | JIRA Integration 775 | ---------------- 776 | 777 | DefectDojo's JIRA integration is bidirectional. You may push findings to JIRA and share comments. If an issue is closed in JIRA it will automatically be closed in Dojo. 778 | 779 | **NOTE:** These steps will configure the necessary webhook in JIRA and add JIRA integration into DefectDojo. This isn't sufficient by itself, you will need to configure products and findings to push to JIRA. 
On a product's settings page you will need to define a: 780 | - Project Key (and this project must exist in JIRA) 781 | - JIRA Configuration (select the JIRA configuration that you create in the steps below) 782 | - Component (can be left blank) 783 | 784 | Then elect (via tickbox) whether you want to 'Push all issues', 'Enable engagement epic mapping' and/or 'Push notes'. Then click on 'Submit'. 785 | 786 | Enabling the Webhook 787 | .................... 788 | 789 | 1. Visit https://<**YOUR JIRA URL**>/plugins/servlet/webhooks 790 | 2. Click 'Create a Webhook' 791 | 3. For the field labeled 'URL' enter: https://<**YOUR DOJO DOMAIN**>/webhook/ 792 | 4. Under 'Comments' enable 'Created'. Under Issue enable 'Updated'. 793 | 794 | Configurations in Dojo 795 | ...................... 796 | 797 | 1. Navigate to the System Settings from the menu on the left side or by directly visiting /system_settings. 798 | 2. Enable 'Enable JIRA integration' and click submit. 799 | 800 | Adding JIRA to Dojo 801 | ................... 802 | 803 | 1. Click 'JIRA' from the left hand menu. 804 | 2. Select 'Add Configuration' from the drop-down. 805 | 3. If you use Jira Cloud, you will need to generate an `API token for Jira `_ to use as the password 806 | 4. To obtain the 'open status key' and 'closed status key' visit https://<**YOUR JIRA URL**>/rest/api/latest/issue/<**ANY VALID ISSUE KEY**>/transitions?expand=transitions.fields 807 | 5. The 'id' for 'Todo' should be filled in as the 'open status key' 808 | 6. The 'id' for 'Done' should be filled in as the 'closed status key' 809 | 810 | To obtain 'epic name id': 811 | If you have admin access to JIRA: 812 | 813 | 1. visit: https://<**YOUR JIRA URL**>/secure/admin/ViewCustomFields.jspa 814 | 2. Click on the cog next to 'Epic Name' and select view. 815 | 3. The numeric value for 'epic name id' will be displayed in the URL 816 | 4. **Note**: dojojira uses the same celery functionality as reports. 
Make sure the celery runner is set up correctly as described: http://defectdojo.readthedocs.io/en/latest/features.html#reports 817 | 818 | Or 819 | 820 | 1. Log in to JIRA 821 | 2. Visit https://yourjiraurl/rest/api/2/field and use control+F or grep to search for 'Epic Name'; it should look something like this: 822 | 823 | {"id":"customfield_122","key":"customfield_122","name":"Epic Name","custom":true,"orderable":true,"navigable":true,"searchable":true,"clauseNames":["cf[122]","Epic Name"],"schema":{"type":"string","custom":"com.pyxis.greenhopper.jira:gh-epic-label","customId":122}}, 824 | 825 | **In the above example 122 is the number needed** 826 | 827 | Engagement Epic Mapping 828 | ....................... 829 | 830 | When creating an Engagement, tick 'Enable engagement epic mapping' if desired. This can also be done after engagement creation on the edit engagement page. 831 | This will create an 'Epic' type issue within Jira. All findings in the engagement pushed to Jira will have a link to this Epic issue. 832 | If Epic Mapping was enabled after associated findings have already been pushed to Jira, simply pushing them again will link the Jira issue to the Epic issue. 833 | 834 | Pushing findings 835 | ................ 836 | 837 | Findings can be pushed to Jira in a number of ways: 838 | 839 | 1. When importing scanner reports, select 'Push to JIRA' to push every single finding in the report to Jira 840 | 2. When creating a new finding, select 'Push to JIRA' and submit. This will create the finding in DefectDojo and Jira simultaneously 841 | 3. If a finding already exists, visit the edit finding page and find the 'Push to JIRA' tick box at the bottom 842 | 4. When viewing a list of findings, select the relevant tick boxes to the left of the findings, and click the 'Bulk Edit' button at the top. 
find 'Push to JIRA' at the bottom of the menu 843 | 844 | **Known Issues** 845 | 846 | DefectDojo will try to keep the status in sync with the status in JIRA using the various status IDs configured for each JIRA instance. This will only work if your workflow in JIRA allows arbitrary transitions between the statuses JIRA issues can be in. 847 | The Risk Acceptance feature in DefectDojo will (for that reason) not (yet) try to sync statuses. A comment will be pushed to JIRA if a finding is risk accepted or unaccepted. Contributions are welcome to enhance the integration. 848 | 849 | **Troubleshooting JIRA integration** 850 | 851 | JIRA actions are typically performed in the celery background process. Errors are logged as alerts/notifications to be seen on the top right of the DefectDojo UI and in stdout of the celery workers. 852 | 853 | Issue Consolidation 854 | ------------------- 855 | 856 | DefectDojo allows users to automatically consolidate issues from multiple scanners to remove duplicates. 857 | 858 | To enable this feature, hover over the configuration tab on the left menu and click on system settings. In system settings, click 'Deduplicate findings'. Click 'Submit' at the bottom of the page. 859 | 860 | 861 | When deduplication is enabled, Dojo will compare CWE, title, and endpoint details for all findings in a given product. 862 | If an issue is added with either the CWE or title being the same while the endpoint is also the same, Dojo marks the old issue as a duplicate. 863 | 864 | False Positive Removal 865 | ---------------------- 866 | 867 | DefectDojo allows users to tune out false positives by enabling False Positive History. This will track what engineers have labeled as false positive for a specific product and for a specific scanner. While enabled, when a tool reports the same issue that has been flagged as a false positive previously, it will automatically mark the finding as a false positive, helping to tune overly verbose security tools. 
868 | 869 | Deduplication 870 | ------------- 871 | 872 | Deduplication is a process that allows DefectDojo to find out that a finding has already been imported. 873 | 874 | Upon saving a finding, DefectDojo will look at the other findings in the product or the engagement (depending on the configuration) to find duplicates. 875 | 876 | When a duplicate is found: 877 | 878 | * The newly imported finding takes status: inactive, duplicate 879 | * An "Original" link is displayed after the finding status, leading to the original finding 880 | 881 | There are two ways to use the deduplication: 882 | 883 | * Deduplicate vulnerabilities in the same build/release. The vulnerabilities may be found by the same scanner (same scanner deduplication) or by different scanners (cross-scanner deduplication). 884 | * This helps analysis and assessment of the technical debt, especially if using many different scanners; although detecting duplicates across scanners is not trivial, as it requires a certain standardization. 885 | * Track unique vulnerabilities across builds/releases so that DefectDojo knows, when it finds a vulnerability, whether it has seen it before. 886 | * This allows you to keep information attached to a given finding in a single place: all further duplicate findings will point to the original one. 887 | 888 | Deduplication Configuration 889 | ........................... 890 | 891 | Global configuration 892 | '''''''''''''''''''' 893 | 894 | The deduplication can be activated in "System Settings" by ticking "Deduplicate findings". 895 | 896 | An option to delete duplicates can be found in the same menu, and the maximum number of duplicates to keep for the same finding can be configured. 897 | 898 | Engagement configuration 899 | '''''''''''''''''''''''' 900 | 901 | When creating an engagement, or later by editing the engagement, the "Deduplication within engagement only" checkbox can be ticked. 
902 | 903 | * If activated: Findings are only deduplicated within the same engagement. Findings present in different engagements cannot be duplicates 904 | 905 | * Else: Findings are deduplicated across the whole product 906 | 907 | Note that deduplication can never occur across different products. 908 | 909 | Deduplication algorithms 910 | ........................ 911 | 912 | The behavior of the deduplication can be configured for each parser in settings.dist.py (or settings.py after install) by configuring the `DEDUPLICATION_ALGORITHM_PER_PARSER` variable. 913 | 914 | 915 | The available algorithms are: 916 | 917 | * `DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL` 918 | * the deduplication occurs based on finding.unique_id_from_tool which is a unique technical id existing in the source tool. Few scanners populate this field currently. If you want to use this algorithm, you may need to update the scanner code beforehand 919 | * The tools that populate the unique_id_from_tool field are: 920 | * `Checkmarx Scan detailed` 921 | * `SonarQube Scan detailed` 922 | * Advantages: 923 | * If your source tool has a reliable means of tracking a unique vulnerability across scans, this configuration will allow defectDojo to use this ability 924 | * Drawbacks: 925 | * Using this algorithm will not allow cross-scanner deduplication as other tools will have a different technical id. 926 | * When the tool evolves, it may change the way the unique id is generated. In that case you won't be able to recognise that findings found in previous scans are actually the same as the new findings. 927 | * `DEDUPE_ALGO_HASH_CODE` 928 | * the deduplication occurs based on finding.hash_code. 
The hash_code itself is configurable for each scanner in the parameter `HASHCODE_FIELDS_PER_SCANNER` 929 | * `DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE` 930 | * a finding is a duplicate of another if they have the same unique_id_from_tool OR the same hash_code 931 | * Allows using both 932 | * a technical deduplication (based on unique_id_from_tool) for a reliable same-parser deduplication 933 | * and a functional one (based on hash_code configured on CWE+severity+file_path for example) for cross-parser deduplication 934 | * `DEDUPE_ALGO_LEGACY` 935 | * This is the algorithm that was in place before the configuration per parser was made possible, and also the default one for backward compatibility reasons. 936 | * The legacy algorithm basically deduplicates based on: 937 | * For static scanner: ['title', 'cwe', 'line', 'file_path', 'description'] 938 | * For dynamic scanner: ['title', 'cwe', 'line', 'file_path', 'description', 'endpoints'] 939 | * Note that there are some subtleties that may give unexpected results. Switch `dojo.specific-loggers.deduplication` to debug in settings.py to get more info in case of trouble. 940 | 941 | 942 | Hash_code computation configuration 943 | ................................... 944 | 945 | The hash_code computation can be configured for each parser using the parameter `HASHCODE_FIELDS_PER_SCANNER` in settings.dist.py. 946 | 947 | The parameter `HASHCODE_ALLOWED_FIELDS` lists the fields from the finding table that were tested and are known to be working when used as a hash_code. Don't hesitate to enrich this list when required (the code is generic and allows adding new fields by configuration only). 948 | 949 | Note that `endpoints` isn't a field from the finding table but rather a meta value that will trigger a computation based on all the endpoints. 
950 | 951 | When populating `HASHCODE_FIELDS_PER_SCANNER`, please respect the order of declaration of the fields: use the same order as in `HASHCODE_ALLOWED_FIELDS`. That will allow cross-scanner deduplication to function, because the hash_code is computed as a SHA-256 hash of the concatenated values of the configured fields. 952 | 953 | Tips: 954 | 955 | * It's advised to use fields that are standardized for a reliable deduplication, especially if aiming at cross-scanner deduplication. For example `title` and `description` tend to change when the tools evolve and don't allow cross-scanner deduplication 956 | * Good candidates are 957 | * cwe or cve 958 | * Adding the severity will make sure the deduplication won't be too aggressive (there are several families of XSS and sql injection for example, with various severities but the same cwe). 959 | * Adding the file_path or endpoints is advised too. 960 | * The parameter `HASHCODE_ALLOWS_NULL_CWE` will allow switching to the legacy algorithm when a null cwe is found for a given finding: this is to avoid getting many duplicates when the tool fails to give a cwe while we are expecting it. 961 | 962 | 963 | Debugging deduplication 964 | ....................... 965 | 966 | There is a specific logger that can be activated in order to have details about the deduplication process: switch `dojo.specific-loggers.deduplication` to debug in settings.py. 967 | 968 | Deduplication - APIv2 parameters 969 | ................................ 
970 | 971 | * `skip_duplicates` : if true, duplicates are not inserted at all 972 | * `close_old_findings` : if true, findings that are not duplicates and that were in the previous scan of the same type (example ZAP) for the same product (or engagement in case of "Deduplication on engagement") and that are not present in the new scan are closed (Inactive, Verified, Mitigated) 973 | 974 | 975 | Google Sheets Sync 976 | ------------------ 977 | 978 | With the Google Sheets sync feature, DefectDojo allows users to export all the finding details of each test into a separate Google Spreadsheet. Users can review and edit finding details via Google Spreadsheets. Also, they can add new notes to findings and edit existing notes using the Google Spreadsheet. After reviewing and updating the finding details in the Google Spreadsheet, the user can import (sync) all the changes done via the Google Spreadsheet into the DefectDojo database. 979 | 980 | Configuration 981 | ............. 982 | 983 | Creating a project and a Service Account 984 | 1. Go to the `Service Accounts page `_. 985 | 2. Create a new project for DefectDojo and select it. 986 | 3. Click **+CREATE SERVICE ACCOUNT**, enter a name and description for the service account. You can use the default service account ID, or choose a different, unique one. When done click Create. 987 | 4. The **Service account permissions (optional)** section that follows is not required. Click **Continue**. 988 | 5. On the **Grant users access to this service account** screen, scroll down to the **Create key** section. Click **+Create key**. 989 | 6. In the side panel that appears, select the format for your key as **JSON**. 990 | 7. Click **Create**. Your new public/private key pair is generated and downloaded to your machine. This file contains the service account's private key, so store it securely. 991 | 992 | Enabling the required APIs 993 | 1. Go to the `Google API Console `_. 994 | 2. From the projects list, select the project created for DefectDojo. 995 | 3. 
If the APIs & services page isn't already open, open the console left side menu and select **APIs & services**, and then select **Library**. 996 | 4. **Google Sheets API** and **Google Drive API** should be enabled. Click the API you want to enable. If you need help finding the API, use the search field. 997 | 5. Click **ENABLE**. 998 | 999 | Configurations in DefectDojo 1000 | 1. Click 'Configuration' from the left hand menu. 1001 | 2. Click 'Google Sheets Sync'. 1002 | 3. Fill the form. 1003 | 1004 | .. image:: _static/google_sheets_sync_1.png 1005 | :alt: Google Sheets Sync Configuration Page 1006 | 1007 | a. Upload the downloaded json file into the **Upload Credentials file** field. 1008 | b. Drive Folder Id 1009 | 1010 | a. Create a folder inside the Google drive of the same gmail account used to create the service account. 1011 | b. Get the **client_email** from the downloaded json file and share the created drive folder with client_email giving **edit access**. 1012 | c. Extract the folder id from the URL and insert it as the **Drive Folder Id**. 1013 | 1014 | .. image:: _static/google_sheets_sync_2.png 1015 | :alt: Extracting Drive Folder ID 1016 | 1017 | c. Tick the **Enable Service** check box. (**Optional** as this has no impact on the configuration, but you must set it to true inorder to use the feature. Service can be enabled or disabled at any point after the configuration using this check box) 1018 | d. For each field in the finding table there are two related entries in the form. 1019 | 1020 | a. In the drop down, select Hide if the column needs to be hidden in the Google Sheet, else select any other option based on the length of the entry that goes under the column. 1021 | b. If the column needs to be protected in the Google Sheet, tick the check box. Otherwise leave it unchecked. 1022 | 4. Click 'Submit'. 
1023 | 1024 | An admin has the privilege to revoke the access given to DefectDojo to Google Sheets and Google Drive data by simply clicking the **Revoke Access** button. 1025 | 1026 | Using Google Sheets Sync Feature 1027 | ................................ 1028 | 1029 | Before a user can export a test to a Google Spreadsheet, an admin must configure Google Sheets Sync and **Enable** the sync feature. Depending on whether a Google Spreadsheet exists for the test or not, the user interface displayed will be different. 1030 | 1031 | If a Google Spreadsheet does not exist for the Test: 1032 | 1033 | .. image:: _static/google_sheets_sync_3.png 1034 | :alt: Create Google Sheet Button 1035 | 1036 | If a Google Spreadsheet is already created for the Test: 1037 | 1038 | .. image:: _static/google_sheets_sync_4.png 1039 | :alt: Sync Google Sheet Button 1040 | 1041 | After creating a Google Spreadsheet, users can review and edit Finding details using the Google Sheet. If any change is done in the Google Sheet, users can click the **Sync Google Sheet** button to get those changes into DefectDojo. 1042 | 1043 | Service Level Agreement (SLA) 1044 | ----------------------------- 1045 | 1046 | DefectDojo allows you to maintain your security SLA and automatically remind teams whenever an SLA is about to be breached, or is breached. 1047 | 1048 | Simply indicate in the ``System Settings``, for each severity, how many days teams have to remediate a finding. 1049 | 1050 | .. image:: _static/sla_global_settings.png 1051 | :alt: SLA configuration screen 1052 | 1053 | SLA notification configuration 1054 | .............................. 1055 | 1056 | There are 5 variables in the settings.py file that you can configure to act on the global behavior. 1057 | By default, any findings across the instance that are in ``Active, Verified`` state will be considered for notifications. 1058 | 1059 | .. 
code-block:: bash 1060 | 1061 | SLA_NOTIFY_ACTIVE = False 1062 | SLA_NOTIFY_ACTIVE_VERIFIED_ONLY = True 1063 | SLA_NOTIFY_WITH_JIRA_ONLY = False 1064 | SLA_NOTIFY_PRE_BREACH = 3 1065 | SLA_NOTIFY_POST_BREACH = 7 1066 | 1067 | Setting both ``SLA_NOTIFY_ACTIVE`` and ``SLA_NOTIFY_ACTIVE_VERIFIED_ONLY`` to ``False`` will effectively disable SLA notifications. 1068 | 1069 | You can choose to only consider findings that have a JIRA issue linked to them. If so, please set ``SLA_NOTIFY_WITH_JIRA_ONLY`` to ``True``. 1070 | 1071 | The ``SLA_NOTIFY_PRE_BREACH`` is expressed in days. Whenever a finding's "SLA countdown" (time to remediate) drops to this number, a notification is sent every day, as scheduled by the crontab in ``settings.py``, until the day it breaches. 1072 | 1073 | The ``SLA_NOTIFY_POST_BREACH`` lets you define in days how long you want to be kept notified about findings that have breached the SLA. Past that number, notifications will cease. 1074 | 1075 | .. warning:: 1076 | Be mindful of performance if you choose to have SLA notifications on non-verified findings, especially if you import a lot of findings through CI in 'active' state. 1077 | 1078 | What notification channels for SLA notifications? 1079 | ................................................. 1080 | 1081 | The same as usual. You will notice that an extra `SLA breach` option is now present on the ``Notification`` page and also in the ``Product`` view. 1082 | 1083 | .. image:: _static/sla_notification_product_checkboxes.png 1084 | :alt: SLA notification checkbox 1085 | 1086 | SLA notification with JIRA 1087 | .......................... 1088 | 1089 | You can choose to also send SLA notifications as JIRA comments, if your product is configured with JIRA. You can enable it at the JIRA configuration level or at the Product level. 1090 | 1091 | The Product level JIRA notification configuration takes precedence over the global JIRA notification configuration. 
1092 | 1093 | When is the SLA notification job run? 1094 | ..................................... 1095 | 1096 | The default setup will trigger the SLA notification code at 7:30am on a daily basis, as defined in the ``settings.py`` file. You can of course modify this schedule to your context. 1097 | 1098 | .. code-block:: python 1099 | 1100 | 'compute-sla-age-and-notify': { 1101 | 'task': 'dojo.tasks.async_sla_compute_and_notify', 1102 | 'schedule': crontab(hour=7, minute=30), 1103 | } 1104 | 1105 | .. note:: The celery containers are the ones concerned with this configuration. If you suspect things are not working as expected, make sure they have the latest version of your settings.py file. 1106 | 1107 | You can of course change this default by modifying that stanza. 1108 | 1109 | Launching from the CLI 1110 | ...................... 1111 | 1112 | You can also invoke the SLA notification function from the CLI. For example, if run from docker-compose: 1113 | 1114 | .. code-block:: bash 1115 | 1116 | $ docker-compose exec uwsgi /bin/bash -c 'python manage.py sla_notifications' 1117 | -------------------------------------------------------------------------------- /docs/getting-started.rst: -------------------------------------------------------------------------------- 1 | Getting Started 2 | =============== 3 | 4 | Docker Compose Install (recommended) 5 | ************************************ 6 | * Go to https://github.com/DefectDojo/django-DefectDojo 7 | * Select the appropriate branch you're working on 8 | * Instructions are in the `DOCKER.md <https://github.com/DefectDojo/django-DefectDojo/blob/master/DOCKER.md>`_ file at the root of the repository. 9 | 10 | Kubernetes 11 | ********** 12 | * Go to https://github.com/DefectDojo/django-DefectDojo 13 | * Select the appropriate branch you're working on 14 | * Instructions are in the `KUBERNETES.md <https://github.com/DefectDojo/django-DefectDojo/blob/master/KUBERNETES.md>`_ file at the root of the repository. 
15 | 16 | Setup.bash Install (no longer maintained) 17 | ***************************************** 18 | .. warning:: 19 | This installation method is EOL and will be removed on 2020-12-31 20 | 21 | * Go to https://github.com/DefectDojo/django-DefectDojo 22 | * Select the appropriate branch you're working on 23 | * Under "Installation Options" click "Setup.bash" 24 | * Follow the instructions 25 | 26 | Customizing settings 27 | ******************** 28 | See :doc:`Settings <settings-docs>` 29 | -------------------------------------------------------------------------------- /docs/how-to-write-a-parser.rst: -------------------------------------------------------------------------------- 1 | How to write a DefectDojo parser 2 | ================================ 3 | 4 | Please read https://github.com/DefectDojo/django-DefectDojo/tree/dev/doc/guide_to_parser_writing.md 5 | -------------------------------------------------------------------------------- /docs/index.rst: -------------------------------------------------------------------------------- 1 | DefectDojo's Documentation 2 | ========================== 3 | 4 | .. warning:: 5 | This documentation is EOL. The latest documentation is now located at https://defectdojo.github.io/django-DefectDojo/ 6 | 7 | .. image:: /_static/dashboard.png 8 | 9 | **About DefectDojo** 10 | 11 | *What is DefectDojo?* 12 | 13 | .. image:: /_static/bug-2x.png 14 | 15 | `DefectDojo` is a security tool that automates application security vulnerability management. `DefectDojo` streamlines the application security testing process by offering features such as importing third party security findings, merging and de-duping, integration with Jira, templating, report generation and security metrics. 16 | 17 | *What does DefectDojo do?* 18 | 19 | .. image:: /_static/graph-2x.png 20 | 21 | While traceability and metrics are the ultimate end goal, DefectDojo is a bug tracker at its core. 
Taking advantage of DefectDojo's Product:Engagement model, enables traceability among multiple projects and test cycles, and allows for fine-grained reporting. 22 | 23 | *How does DefectDojo work?* 24 | 25 | .. image:: /_static/key-2x.png 26 | 27 | DefectDojo is based on a model that allows the ultimate flexibility in your test tracking needs. 28 | 29 | * Working in DefectDojo starts with a ``Product Type``. 30 | * Each Product Type can have one or more ``Products``. 31 | * Each Product can have one or more ``Engagements``. 32 | * Each Engagement can have one or more ``Tests``. 33 | * Each Test can have one or more ``Findings``. 34 | 35 | .. image:: /_static/DD-Hierarchy.png 36 | 37 | The code is open source, and `available on github`_ and a running example is available on `the demo server`_ using the credentials ``admin / defectdojo@demo#appsec``. Note: The demo server is refreshed regularly and provisioned some sample data. 38 | 39 | .. _available on github: https://github.com/DefectDojo/django-DefectDojo 40 | .. _the demo server: https://demo.defectdojo.org 41 | 42 | 43 | 44 | Our documentation is organized in the following sections: 45 | 46 | * :ref:`user-docs` 47 | * :ref:`feature-docs` 48 | * :ref:`api-docs` 49 | * :ref:`plugin-docs` 50 | * :ref:`dev-docs` 51 | 52 | .. _user-docs: 53 | 54 | User Documentation 55 | ------------------ 56 | .. toctree:: 57 | :maxdepth: 2 58 | 59 | about 60 | getting-started 61 | integrations 62 | models 63 | start-using 64 | workflows 65 | upgrading 66 | running-in-production 67 | 68 | .. _feature-docs: 69 | 70 | Feature Documentation 71 | --------------------- 72 | 73 | .. toctree:: 74 | :maxdepth: 2 75 | :glob: 76 | 77 | features 78 | social-authentication 79 | 80 | .. _api-docs: 81 | 82 | API and settings Documentation 83 | ------------------------------ 84 | 85 | .. toctree:: 86 | :maxdepth: 2 87 | :glob: 88 | 89 | api-docs 90 | api-v2-docs 91 | settings-docs 92 | 93 | .. 
_plugin-docs: 94 | 95 | Plugins 96 | ------- 97 | 98 | .. toctree:: 99 | :maxdepth: 2 100 | :glob: 101 | 102 | burp-plugin 103 | 104 | .. _dev-docs: 105 | 106 | Dev Documentation 107 | ----------------- 108 | 109 | .. toctree:: 110 | :maxdepth: 2 111 | :glob: 112 | 113 | how-to-write-a-parser 114 | -------------------------------------------------------------------------------- /docs/integrations.rst: -------------------------------------------------------------------------------- 1 | Integrations 2 | ============ 3 | 4 | DefectDojo has the ability to import reports from other security tools. 5 | 6 | Acunetix Scanner 7 | ---------------- 8 | XML format. 9 | 10 | Anchore-Engine 11 | -------------- 12 | JSON vulnerability report generated by anchore-cli tool, using a command like ``anchore-cli --json image vuln all`` 13 | 14 | Aqua 15 | ---- 16 | JSON report format. 17 | 18 | Arachni Scanner 19 | --------------- 20 | Arachni JSON report format. 21 | 22 | AppSpider (Rapid7) 23 | ------------------ 24 | Use the VulnerabilitiesSummary.xml file found in the zipped report download. 25 | 26 | AWS Security Hub 27 | ---------------- 28 | The JSON output from AWS Security Hub exported with the [`aws securityhub get-findings`](https://docs.aws.amazon.com/cli/latest/reference/securityhub/get-findings.html) command. 29 | 30 | AWS Scout2 Scanner 31 | ------------------- 32 | JS file in scout2-report/inc-awsconfig/aws_config.js. 33 | 34 | AWS Prowler Scanner 35 | ------------------- 36 | Prowler file can be imported as a CSV file (-M csv). 37 | 38 | Bandit 39 | ------ 40 | JSON report format 41 | 42 | Blackduck Hub 43 | ------------- 44 | 2 options: 45 | * Import the zip file as can be created by Blackduck export. The zip file must contain the security.csv and files.csv in order to produce findings that bear file locations information. 46 | * Import a single security.csv file. Findings will not have any file location information. 
47 | 48 | Brakeman Scan 49 | ------------- 50 | Import Brakeman Scanner findings in JSON format. 51 | 52 | Bugcrowd 53 | ------------- 54 | Import Bugcrowd results in CSV format. 55 | 56 | Bundler-Audit 57 | ------------- 58 | Import the text output generated with bundle-audit check 59 | 60 | Burp XML 61 | -------- 62 | When the Burp report is generated, **the recommended option is Base64 encoding both the request and response fields** - e.g. check the box that says "Base64-encode requests and responses". These fields will be processed and made available in the 'Finding View' page. 63 | 64 | Burp Enterprise Scan 65 | -------------------- 66 | Import HTML reports from Burp Enterprise Edition 67 | 68 | CCVS Report 69 | ----------- 70 | Import JSON reports from [CCVS API](https://github.com/William-Hill-Online/CCVS-API) 71 | 72 | Checkov Report 73 | -------------- 74 | Import JSON reports of Infrastructure as Code vulnerabilities. 75 | 76 | Clair Scan 77 | ---------- 78 | Import JSON reports of Docker image vulnerabilities. 79 | 80 | Clair Klar Scan 81 | --------------- 82 | Import JSON reports of Docker image vulnerabilities from clair klar client. 83 | 84 | Cobalt.io Scan 85 | -------------- 86 | CSV Report 87 | 88 | Crashtest Security 89 | ------------------ 90 | Import JSON Report 91 | Import XML Report in JUnit Format 92 | 93 | Contrast Scanner 94 | ---------------- 95 | CSV Report 96 | 97 | Checkmarx 98 | --------- 99 | Detailed XML Report 100 | 101 | Choctaw Hog parser 102 | ------------------ 103 | From: https://github.com/newrelic/rusty-hog 104 | Import the JSON output. 105 | 106 | DawnScanner 107 | ----------- 108 | Import report in JSON generated with -j option 109 | 110 | Dependency Check 111 | ---------------- 112 | OWASP Dependency Check output can be imported in Xml format. 113 | 114 | Dependency Track 115 | ---------------- 116 | The Finding Packaging Format (FPF) from OWASP Dependency Track can be imported in JSON format. 
117 | 118 | See here for more info on this JSON format: https://docs.dependencytrack.org/integrations/file-formats/ 119 | 120 | DrHeader 121 | -------- 122 | Import of JSON report from https://github.com/Santandersecurityresearch/DrHeader 123 | 124 | ESLint 125 | ------ 126 | ESLint Json report format (-f json) 127 | 128 | Fortify 129 | -------- 130 | Import Findings from XML file format. 131 | 132 | Generic Findings Import 133 | ----------------------- 134 | Import Generic findings in CSV format. 135 | 136 | Hadolint 137 | -------- 138 | Hadolint Dockerfile scan in json format. 139 | 140 | Harbor Vulnerability 141 | -------------------- 142 | Import findings from Harbor registry container scan: https://github.com/goharbor/harbor 143 | 144 | JFrogXRay 145 | ---------- 146 | Import the JSON format for the "Security Export" file. 147 | 148 | Gosec Scanner 149 | ------------- 150 | Import Gosec Scanner findings in JSON format. 151 | 152 | Gitleaks 153 | -------- 154 | Import Gitleaks findings in JSON format. 155 | 156 | GitLab SAST Report 157 | ------------------ 158 | Import SAST Report vulnerabilities in JSON format: https://docs.gitlab.com/ee/user/application_security/sast/#reports-json-format 159 | 160 | GitLab Dependency Scanning Report 161 | --------------------------------- 162 | Import Dependency Scanning Report vulnerabilities in JSON format: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#reports-json-format 163 | 164 | Github Vulnerability 165 | -------------------- 166 | Import findings from Github vulnerability scan: https://help.github.com/en/github/managing-security-vulnerabilities 167 | 168 | Github v4 graphql query to fetch data:: 169 | 170 | query getVulnerabilitiesByOwner($owner: String!) { 171 | search(query: $owner, type: REPOSITORY, first: 100) { 172 | nodes { 173 | ... on Repository { 174 | name
175 | vulnerabilityAlerts(last: 100) { 176 | nodes { 177 | id
178 | securityVulnerability { 179 | severity
180 | package { 181 | name 182 | } 183 | advisory { 184 | description
185 | summary
186 | identifiers { 187 | type
188 | value 189 | } 190 | references { 191 | url 192 | } 193 | } 194 | } 195 | } 196 | } 197 | } 198 | } 199 | } 200 | } 201 | 202 | 203 | HuskyCI Report 204 | -------------- 205 | Import JSON reports from [HuskyCI](https://github.com/globocom/huskyCI) 206 | 207 | IBM AppScan DAST 208 | ---------------- 209 | XML file from IBM App Scanner. 210 | 211 | Immuniweb Scan 212 | -------------- 213 | XML Scan Result File from Immuniweb Scan. 214 | 215 | Kiuwan Scanner 216 | -------------- 217 | Import Kiuwan Scan in CSV format. Export as CSV Results on Kiuwan. 218 | 219 | kube-bench Scanner 220 | ------------------ 221 | Import JSON reports of Kubernetes CIS benchmark scans. 222 | 223 | Microfocus Webinspect Scanner 224 | ----------------------------- 225 | Import XML report 226 | 227 | MobSF Scanner 228 | ------------- 229 | Export a JSON file using the API, api/v1/report_json. 230 | 231 | Mozilla Observatory Scanner 232 | --------------------------- 233 | Import JSON report. 234 | 235 | Nessus (Tenable) 236 | ---------------- 237 | Reports can be imported in the CSV, and .nessus (XML) report formats. 238 | 239 | Netsparker 240 | ---------- 241 | Vulnerabilities List - JSON report 242 | 243 | Nexpose XML 2.0 (Rapid7) 244 | ------------------------ 245 | Use the full XML export template from Nexpose. 246 | 247 | Nikto 248 | ----- 249 | XML output 250 | 251 | Nmap 252 | ---- 253 | XML output (use -oX) 254 | 255 | Node JS Scan 256 | ------------ 257 | Node JS Scan output file can be imported in JSON format. 258 | 259 | Node Security Platform 260 | ---------------------- 261 | Node Security Platform (NSP) output file can be imported in JSON format. 262 | 263 | NPM Audit 264 | --------- 265 | Node Package Manager (NPM) Audit plugin output file can be imported in JSON format. Only imports the 'advisories' subtree. 266 | 267 | Openscap Vulnerability Scan 268 | --------------------------- 269 | Import Openscap Vulnerability Scan in XML formats. 
270 | 271 | OpenVAS CSV 272 | ----------- 273 | Import OpenVAS Scan in CSV format. Export as CSV Results on OpenVAS. 274 | 275 | OssIndex Devaudit 276 | ----------------- 277 | Import JSON formatted output from `OSSIndex Devaudit <https://github.com/sonatype-nexus-community/DevAudit>`_. 278 | 279 | Oss Review Toolkit 280 | ------------------ 281 | Import ORT Evaluated model reporter in JSON Format. `Example <https://github.com/DefectDojo/sample-scan-files/blob/master/ort/evaluated-model-reporter-output.json>`_ 282 | 283 | PHP Security Audit v2 284 | --------------------- 285 | Import PHP Security Audit v2 Scan in JSON format. 286 | 287 | PHP Symfony Security Checker 288 | ---------------------------- 289 | Import results from the PHP Symfony Security Checker. 290 | 291 | Probely 292 | ------- 293 | Synchronize Probely Plus findings with DefectDojo. 294 | 295 | To set up this integration, set the DefectDojo URL and API key on the Integrations page on Probely. Then, select which Product, Engagement, and, optionally, the Test you want to synchronize to. The API key needs to belong to a staff user. 296 | 297 | Works with DefectDojo 1.5.x and 1.6.x. Probely also supports non-public DefectDojo instances. 298 | 299 | For detailed instructions on how to configure Probely and DefectDojo, see https://help.probely.com/en/articles/3811515-how-to-integrate-probely-with-defectdojo 300 | 301 | Qualys Scan 302 | ----------- 303 | Qualys output files can be imported in API XML format. 304 | Qualys output files can be imported in WebGUI XML format. 305 | 306 | Qualys Webapp Scan 307 | ------------------ 308 | Qualys WebScan output files can be imported in XML format. 309 | 310 | Retire.js 311 | --------- 312 | Retire.js JavaScript scan (--js) output file can be imported in JSON format. 313 | 314 | Risk Recon API Importer 315 | ----------------------- 316 | 317 | Import findings from Risk Recon via the API. Configure your own JSON report as follows (note that this file carries your Risk Recon API key, so handle it as a secret): 318 | 319 | .. 
code-block:: JSON 320 | 321 | { 322 | "url_endpoint": "https://api.riskrecon.com/v1", 323 | "api_key": "you-api-key", 324 | "companies": [ 325 | { 326 | "name": "Company 1", 327 | "filters": { 328 | "domain_name": [], 329 | "ip_address": ["127.0.0.1"], 330 | "host_name": ["localhost"], 331 | "asset_value": [], 332 | "severity": ["critical", "high"], 333 | "priority": [], 334 | "hosting_provider": [], 335 | "country_name": [] 336 | } 337 | }, 338 | { 339 | "name": "Company 2", 340 | "filters": { 341 | "ip_address": ["0.0.0.0"] 342 | } 343 | } 344 | 345 | ], 346 | "filters": { 347 | "domain_name": [], 348 | "ip_address": [], 349 | "host_name": [], 350 | "asset_value": [], 351 | "severity": ["critical"], 352 | "priority": [], 353 | "hosting_provider": [], 354 | "country_name": [] 355 | } 356 | } 357 | 358 | 359 | * More than one company finding list can be queried, each with its own set of filters. Company 1 shows all available filters, while Company 2 shows that empty filters need not be present. 360 | * To query all companies in your Risk Recon instance, simply remove the "companies" field entirely. 361 | * If the "companies" field is not present, and filtering is still requested, the "filters" field can be used to filter all findings across all companies. It carries the same behavior as the company filters. The "filters" field is disregarded in the presence of the "companies" field. 362 | * Removing both fields will allow retrieval of all findings in the Risk Recon instance. 363 | 364 | Safety Scan 365 | ----------- 366 | Safety scan (--json) output file can be imported in JSON format. 367 | 368 | SARIF 369 | ----------- 370 | OASIS Static Analysis Results Interchange Format (SARIF). 371 | SARIF is supported by many tools. 372 | More details about the format here: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif 373 | 374 | ScoutSuite 375 | ----------- 376 | Multi-Cloud security auditing tool. It uses APIs exposed by cloud providers. 
377 | Scan results are located at `scan-reports/scoutsuite-results/scoutsuite_*.json` files. 378 | Multiple scans will create multiple files if they are running against different Cloud projects. 379 | See https://github.com/nccgroup/ScoutSuite 380 | 381 | SKF Scan 382 | -------- 383 | Output of SKF Sprint summary export. 384 | 385 | Snyk 386 | ---- 387 | Snyk output file (snyk test --json > snyk.json) can be imported in JSON format. 388 | 389 | SonarQube Scan (Aggregates findings per cwe, title, description, file_path.) 390 | ---------------------------------------------------------------------------- 391 | SonarQube output file can be imported in HTML format. 392 | 393 | To generate the report, see https://github.com/soprasteria/sonar-report 394 | 395 | Version: >= 1.1.0 396 | 397 | SonarQube Scan Detailed (Import all findings from SonarQube html report.) 398 | ------------------------------------------------------------------------- 399 | SonarQube output file can be imported in HTML format. 400 | 401 | To generate the report, see https://github.com/soprasteria/sonar-report 402 | 403 | Version: >= 1.1.0 404 | 405 | SonarQube API Import 406 | -------------------- 407 | SonarQube API will be accessed to gather the report. No report file required. 408 | 409 | Follow the steps below to set up API Import: 410 | 411 | 1. Configure the SonarQube authentication details by navigating to Configuration->Tool Configuration. Note the URL should be in the form of http://<sonarqube-host>/api. Set the tool type to SonarQube. 412 | 2. In the Product settings fill in the SonarQube Project Key (the key name can be found by navigating to a specific project and taking the value from the URL http://<sonarqube-host>/dashboard?id=<project-key>). 413 | 3. Once all of the above settings are made, the API Import should be able to auto-import all vulnerability information from the SonarQube instance. 414 | 415 | SpotBugs 416 | -------- 417 | XML report of textui cli. 418 | 419 | Sonatype 420 | -------- 421 | JSON output. 
422 | 423 | SSL Labs 424 | -------- 425 | JSON Output of ssllabs-scan cli. 426 | 427 | Sslscan 428 | ------- 429 | Import XML output of sslscan report. 430 | 431 | Sslyze Scan 432 | ----------- 433 | XML report of SSLyze version 2 scan 434 | 435 | SSLyze 3 Scan (JSON) 436 | -------------------- 437 | JSON report of SSLyze version 3 scan 438 | 439 | Testssl Scan 440 | ---------------- 441 | Import CSV output of testssl scan report. 442 | 443 | Trivy 444 | ----- 445 | JSON report of `trivy scanner `_. 446 | 447 | Trufflehog 448 | ---------- 449 | JSON Output of Trufflehog. 450 | 451 | Trustwave 452 | --------- 453 | CSV output of Trustwave vulnerability scan. 454 | 455 | Twistlock 456 | --------- 457 | JSON output of the ``twistcli`` tool. Example: 458 | 459 | .. code-block:: bash 460 | 461 | ./twistcli images scan --address https:// --user --details --output-file= 462 | 463 | The CSV output from the UI is now also accepted. 464 | 465 | Visual Code Grepper (VCG) 466 | ------------------------- 467 | VCG output can be imported in CSV or Xml formats. 468 | 469 | Veracode 470 | -------- 471 | Detailed XML Report 472 | 473 | Wapiti Scan 474 | ----------- 475 | Import XML report. 476 | 477 | Whitesource Scan 478 | ---------------- 479 | Import JSON report 480 | 481 | Wpscan Scanner 482 | -------------- 483 | Import JSON report. 484 | 485 | Xanitizer 486 | --------- 487 | Import XML findings list report, preferably with parameter 'generateDetailsInFindingsListReport=true'. 488 | 489 | Zed Attack Proxy 490 | ---------------- 491 | ZAP XML report format. 492 | 493 | 494 | The importers analyze each report and create new Findings for each item reported. DefectDojo collapses duplicate 495 | Findings by capturing the individual hosts vulnerable. 496 | 497 | .. image:: /_static/imp_1.png 498 | :alt: Import Form 499 | 500 | Additionally, DefectDojo allows for re-imports of previously uploaded reports. 
DefectDojo will attempt to capture the deltas between the original and new import and automatically add or mitigate findings as appropriate. 501 | 502 | .. image:: /_static/imp_2.png 503 | :alt: Re-Import Form 504 | 505 | Bulk import of findings can be done using a CSV file with the following column headers: 506 | 507 | Date: :: 508 | Date of the finding in mm/dd/yyyy format. 509 | 510 | Title: :: 511 | Title of the finding 512 | 513 | CweId: :: 514 | Cwe identifier, must be an integer value. 515 | 516 | Url: :: 517 | Url associated with the finding. 518 | 519 | Severity: :: 520 | Severity of the finding. Must be one of Info, Low, Medium, High, or Critical. 521 | 522 | Description: :: 523 | Description of the finding. Can be multiple lines if enclosed in double quotes. 524 | 525 | Mitigation: :: 526 | Possible Mitigations for the finding. Can be multiple lines if enclosed in double quotes. 527 | 528 | Impact: :: 529 | Detailed impact of the finding. Can be multiple lines if enclosed in double quotes. 530 | 531 | References: :: 532 | References associated with the finding. Can be multiple lines if enclosed in double quotes. 533 | 534 | Active: :: 535 | Indicator if the finding is active. Must be empty, True or False 536 | 537 | Verified: :: 538 | Indicator if the finding has been verified. Must be empty, True, or False 539 | 540 | FalsePositive: :: 541 | Indicator if the finding is a false positive. Must be True, or False. 542 | 543 | Duplicate: :: 544 | Indicator if the finding is a duplicate. Must be True, or False. 545 | -------------------------------------------------------------------------------- /docs/models.rst: -------------------------------------------------------------------------------- 1 | Models 2 | ====== 3 | 4 | DefectDojo attempts to simplify how users interact with the system by minimizing the number of objects it defines. 5 | The definition for each as well as sample usages is below. 
6 | 7 | Product Types 8 | ------------- 9 | 10 | Product types represent the top-level model; these can be business unit divisions, different offices or locations, 11 | development teams, or any other logical way of distinguishing "types" of products. 12 | 13 | * *Examples:* 14 | * IAM Team 15 | * Internal / 3rd Party 16 | * Main company / Acquisition 17 | * San Francisco / New York offices 18 | 19 | Products 20 | -------- 21 | 22 | This is the name of any project, program, or product that you are currently testing. 23 | 24 | * *Examples:* 25 | * Wordpress 26 | * Internal wiki 27 | * Slack 28 | 29 | 30 | 31 | Environments 32 | ------------ 33 | 34 | These describe the environment that was tested in a particular Test. 35 | 36 | * *Examples* 37 | * Production 38 | * Staging 39 | * Stable 40 | * Development 41 | 42 | Engagements 43 | ----------- 44 | 45 | Engagements are moments in time when testing is taking place. They are associated with a name for easy reference, a 46 | time line, a lead (the user account of the main person conducting the testing), a test strategy, and a status. Engagements come in 47 | two types: Interactive and CI/CD. An interactive engagement is typically an engagement conducted by an engineer, where findings 48 | are usually uploaded by the engineer. A CI/CD engagement, as its name suggests, is for automated integration with a CI/CD pipeline. 49 | 50 | * *Examples* 51 | * Beta 52 | * Quarterly PCI Scan 53 | * Release Version X 54 | 55 | Test Types 56 | ---------- 57 | 58 | These can be any sort of distinguishing characteristic about the type of testing that was done in an Engagement. 59 | 60 | * *Examples* 61 | * Functional 62 | * Security 63 | * Nessus Scan 64 | * API test 65 | * Static Analysis 66 | 67 | Test 68 | ---- 69 | 70 | Tests are a grouping of activities conducted by engineers to attempt to discover flaws in a product. Tests represent 71 | an instance of a Test Type - a moment in time when the product is being analyzed. 
Tests are bundled within engagements, 72 | have a start and end date and are defined by a test type. 73 | 74 | * *Examples* 75 | * Burp Scan from Oct. 29, 2015 to Oct. 29, 2015 76 | * Nessus Scan from Oct. 31, 2015 to Oct. 31, 2015 77 | * API Test from Oct. 15, 2015 to Oct. 20, 2015 78 | 79 | Finding 80 | ------- 81 | 82 | A finding represents a flaw discovered while testing. It can be categorized with severities of Critical, High, 83 | Medium, Low, and Informational (Info). 84 | 85 | * *Examples* 86 | * OpenSSL 'ChangeCipherSpec' MiTM Potential Vulnerability 87 | * Web Application Potentially Vulnerable to Clickjacking 88 | * Web Browser XSS Protection Not Enabled 89 | -------------------------------------------------------------------------------- /docs/requirements.txt: -------------------------------------------------------------------------------- 1 | sphinx_rtd_theme 2 | -------------------------------------------------------------------------------- /docs/running-in-production.rst: -------------------------------------------------------------------------------- 1 | Running in Production 2 | ===================== 3 | 4 | Improving your docker-compose performance 5 | ----------------------------------------- 6 | 7 | Database 8 | ^^^^^^^^ 9 | Run your database elsewhere. Tweak your docker-compose configuration to that effect. If you don't, you cannot pretend to be running in production. 10 | 11 | Instance size 12 | ^^^^^^^^^^^^^ 13 | 14 | .. note:: 15 | Please read the paragraphs below about key processes tweaks. 16 | 17 | Having taken the database to run elsewhere, the minimum recommendation is: 18 | 19 | * 2 vCPUs 20 | * 8 GB of RAM 21 | * 2 GB of disk space (remember, your database is not here -- so basically, what you have for your O/S should do). You could allocate a different disk than your OS's for potential performance improvements. 
22 | 23 | Key processes 24 | ^^^^^^^^^^^^^ 25 | Per https://github.com/DefectDojo/django-DefectDojo/pull/2813, it is now easy to somewhat improve the uWSGI and celery worker performance. 26 | 27 | uWSGI 28 | """"" 29 | By default (except in ``ptvsd`` mode for debug purposes), uWSGI will handle 4 concurrent connections. 30 | 31 | Based on your resource settings, you can tweak: 32 | 33 | * ``DD_UWSGI_NUM_OF_PROCESSES`` for the number of spawned processes. (default 2) 34 | * ``DD_UWSGI_NUM_OF_THREADS`` for the number of threads in these processes. (default 2) 35 | 36 | For example, you may have 4 processes with 6 threads each, yielding 24 concurrent connections. 37 | 38 | Celery worker 39 | """"""""""""" 40 | By default, a single mono-process celery worker is spawned. This is fine until you start having many findings, and when async operations like deduplication start to kick in. Eventually, it will starve your resources and crawl to a halt, while operations continue to queue up. 41 | 42 | The following variables will help a lot, while keeping a single celery worker container. 43 | 44 | * ``DD_CELERY_WORKER_POOL_TYPE`` will let you switch to ``prefork``. (default ``solo``) 45 | 46 | Once you have enabled ``prefork``, the following variables are used. The defaults work fairly well; see the Dockerfile.django for in-file references. 47 | 48 | * ``DD_CELERY_WORKER_AUTOSCALE_MIN`` defaults to 2. 49 | * ``DD_CELERY_WORKER_AUTOSCALE_MAX`` defaults to 8. 50 | * ``DD_CELERY_WORKER_CONCURRENCY`` defaults to 8. 51 | * ``DD_CELERY_WORKER_PREFETCH_MULTIPLIER`` defaults to 128. 52 | 53 | You can execute the following command to see the configuration in effect: 54 | 55 | ``docker-compose exec celerybeat bash -c "celery -A dojo inspect stats"`` 56 | 57 | Production with setup.bash 58 | -------------------------- 59 | 60 | .. 
warning:: 61 | From this point down, this page is slated to get a revamp 62 | 63 | This guide will walk you through how to setup DefectDojo for running in production using Ubuntu 16.04, nginx, and uwsgi. 64 | 65 | **Install, Setup, and Activate Virtualenv** 66 | 67 | Assumes you are running as root or using sudo for the commands below. The ``git clone`` checks out the default branch; for a production deployment check out a tagged release instead, so you know exactly which version you are running and upgrading from. 68 | 69 | .. code-block:: console 70 | 71 | pip install virtualenv 72 | 73 | cd /opt 74 | 75 | virtualenv dojo 76 | 77 | cd /opt/dojo 78 | 79 | git clone https://github.com/DefectDojo/django-DefectDojo.git 80 | 81 | useradd -m dojo 82 | 83 | chown -R dojo /opt/dojo 84 | 85 | source ./bin/activate 86 | 87 | **Install Dojo** 88 | 89 | .. warning:: 90 | The setup.bash installation method will be EOL on 2020-12-31 91 | 92 | .. code-block:: console 93 | 94 | cd django-DefectDojo/setup 95 | 96 | ./setup.bash 97 | 98 | **Install Uwsgi** 99 | 100 | .. code-block:: console 101 | 102 | pip install uwsgi 103 | 104 | **Install WKHTML** 105 | 106 | from inside the django-DefectDojo/ directory execute: 107 | 108 | .. code-block:: console 109 | 110 | ./reports.sh 111 | 112 | **Disable Debugging** 113 | 114 | Using the text-editor of your choice, change ``DEBUG`` in django-DefectDojo/dojo/settings/settings.py to: 115 | 116 | .. code-block:: console 117 | 118 | `DEBUG = False` 119 | Leaving ``DEBUG`` enabled in production exposes stack traces, settings and local variables to anyone who can trigger an error page. While editing the settings, also make sure ``SECRET_KEY`` (``DD_SECRET_KEY``) is a long random value generated for this instance and that it is kept out of version control. 120 | **Configure external database** 121 | 122 | If you host your DefectDojo into AWS and you decide to use their managed database service (AWS RDS), you will have to do the following configuration updates: 123 | 124 | 1) Download the AWS RDS root CA certificate (``rds-ca-2019-root.pem``, available from the AWS RDS documentation) to encrypt traffic between DefectDojo and the database and to let the client verify that it is talking to your RDS instance 125 | 2) Update your Dockerfile to add the SSL certificate to the container 126 | 127 | .. code-block:: console 128 | :caption: Dockerfile.django 129 | 130 | COPY rds-ca-2019-root.pem /etc/ssl/certs/rds-ca-2019-root.pem 131 | 132 | 3) Update Django settings to use an encrypted connection to the database (changes highlighted below). Check your database driver's documentation to confirm that providing ``ca`` makes it verify the server certificate, and not merely encrypt the connection 133 | 134 | ..
code-block:: python 135 | :caption: dojo/settings/settings.dist.py 136 | :emphasize-lines: 4-6 137 | 138 | DATABASES = { 139 | 'default': env.db('DD_DATABASE_URL') 140 | } 141 | DATABASES['default']['OPTIONS'] = { 142 | 'ssl': {'ca': '/etc/ssl/certs/rds-ca-2019-root.pem'} 143 | } 144 | else: 145 | DATABASES = { 146 | 'default': { 147 | 148 | 4) Update the environment variables for the database connection: *DD_DATABASE_URL* or *DD_DATABASE_HOST*, *DD_DATABASE_PORT*, *DD_DATABASE_NAME*, *DD_DATABASE_USER* and *DD_DATABASE_PASSWORD*. Prefer passing the password through the environment (or a secrets manager) over writing it into settings.py. 149 | 150 | Note: This configuration can be adapted to other cloud providers. 151 | 152 | **Start Celery and Beats** 153 | 154 | From inside the django-DefectDojo/ directory execute: 155 | 156 | .. code-block:: console 157 | 158 | celery -A dojo worker -l info --concurrency 3 159 | 160 | celery beat -A dojo -l info 161 | 162 | It is recommended that you daemonize both these processes with the sample configurations found `here`_ and `here.`_ 163 | 164 | .. _here: https://github.com/celery/celery/blob/3.1/extra/supervisord/celeryd.conf 165 | .. _here.: https://github.com/celery/celery/blob/3.1/extra/supervisord/celerybeat.conf 166 | 167 | However, for a quick setup you can use the following to run both in the background 168 | 169 | .. code-block:: console 170 | 171 | celery -A dojo worker -l info --concurrency 3 & 172 | 173 | celery beat -A dojo -l info & 174 | 175 | **Start Uwsgi** 176 | 177 | From inside the django-DefectDojo/ directory execute the following. Bind the uWSGI socket to the loopback address: the nginx configuration below proxies to ``127.0.0.1:8001``, and a bare ``--socket :8001`` would listen on all interfaces and expose the unauthenticated uWSGI socket to the network: 178 | 179 | .. code-block:: console 180 | 181 | uwsgi --socket 127.0.0.1:8001 --wsgi-file wsgi.py --workers 7 182 | 183 | It is recommended that you use a systemd unit (see below) to launch uwsgi on reboot. However, if you’re in a hurry you can use the following to run it in the background: 184 | 185 | ..
code-block:: console 186 | 187 | uwsgi --socket 127.0.0.1:8001 --wsgi-file wsgi.py --workers 7 & 188 | 189 | **Making Defect Dojo start on boot** 190 | 191 | Below we configure service files for systemd. The commands follow, the config files are below the Nginx in the next section. 192 | 193 | .. code-block:: shell-session 194 | 195 | $ cd /etc/systemd/system/ 196 | $ sudo vi dojo.service 197 | [contents below] 198 | 199 | $ sudo systemctl enable dojo 200 | $ sudo systemctl start dojo 201 | $ sudo systemctl status dojo 202 | [ensure it launched OK] 203 | 204 | $ sudo vi celery-worker.service 205 | [contents below] 206 | 207 | $ sudo systemctl enable celery-worker 208 | $ sudo systemctl start celery-worker 209 | $ sudo systemctl status celery-worker 210 | [ensure it launched OK] 211 | 212 | $ sudo vi celery-beat.service 213 | [contents below] 214 | 215 | $ sudo systemctl enable celery-beat 216 | $ sudo systemctl start celery-beat 217 | $ sudo systemctl status celery-beat 218 | [ensure it launched OK] 219 | 220 | 221 | *NGINX Configuration* 222 | 223 | Everyone feels a little differently about nginx settings, so here are the bare bones to add to your nginx configuration to proxy uwsgi. Make sure to modify the filesystem paths if needed, fill in the ``server_name`` and certificate placeholders, and configure TLS protocols and ciphers according to current guidance -- the snippet deliberately leaves those out: 224 | 225 | ..
code-block:: nginx 226 | 227 | upstream django { 228 | server 127.0.0.1:8001; 229 | } 230 | 231 | server { 232 | listen 80; 233 | return 301 https://$host$request_uri; 234 | } 235 | 236 | server { 237 | listen 443 ssl; 238 | server_name YOUR_DOJO_HOSTNAME; 239 | 240 | client_max_body_size 500m; # To accommodate large scan files 241 | 242 | ssl_certificate PATH_TO_CERTIFICATE_CHAIN; 243 | ssl_certificate_key PATH_TO_PRIVATE_KEY; 244 | 245 | # "ssl on;" is deprecated in nginx; the ssl parameter on the listen directive above replaces it 246 | 247 | # ciphers, options, logging, etc 248 | 249 | location /static/ { 250 | alias /django-DefectDojo/static/; 251 | } 252 | 253 | location /media/ { 254 | alias /django-DefectDojo/media/; 255 | } 256 | 257 | location / { 258 | uwsgi_pass django; 259 | include /django-DefectDojo/wsgi_params; 260 | } 261 | } 262 | 263 | *Systemd Configuration Files* 264 | The units below run as the unprivileged ``dojo`` user via ``User=`` instead of starting as root and switching with ``su``, so the services never hold root privileges; the uWSGI socket is bound to the loopback address to match the nginx upstream above. 265 | dojo.service 266 | 267 | .. code-block:: ini 268 | 269 | [Unit] 270 | Description=uWSGI instance to serve DefectDojo 271 | Requires=nginx.service mysql.service 272 | Before=nginx.service 273 | After=mysql.service 274 | 275 | [Service] 276 | User=dojo 277 | Group=dojo 278 | WorkingDirectory=/opt/dojo/django-DefectDojo 279 | ExecStart=/bin/bash -c 'source /opt/dojo/bin/activate && uwsgi --socket 127.0.0.1:8001 --wsgi-file wsgi.py --workers 7' 280 | Restart=always 281 | RestartSec=3 282 | #StandardOutput=syslog 283 | #StandardError=syslog 284 | SyslogIdentifier=dojo 285 | 286 | [Install] 287 | WantedBy=multi-user.target 288 | 289 | celery-worker.service 290 | 291 | .. code-block:: ini 292 | 293 | [Unit] 294 | Description=celery workers for DefectDojo 295 | Requires=dojo.service 296 | After=dojo.service 297 | 298 | [Service] 299 | User=dojo 300 | Group=dojo 301 | WorkingDirectory=/opt/dojo/django-DefectDojo 302 | ExecStart=/bin/bash -c 'source /opt/dojo/bin/activate && celery -A dojo worker -l info --concurrency 3' 303 | Restart=always 304 | RestartSec=3 305 | #StandardOutput=syslog 306 | #StandardError=syslog 307 | SyslogIdentifier=celeryworker 308 | 309 | [Install] 310 | WantedBy=multi-user.target 311 | 312 | celery-beat.service 313 | 314 | ..
code-block:: ini 309 | 310 | [Unit] 311 | Description=celery beat for DefectDojo 312 | Requires=dojo.service 313 | After=dojo.service 314 | 315 | [Service] 316 | ExecStart=/bin/bash -c 'su - dojo -c "cd /opt/dojo/django-DefectDojo && source ../bin/activate && celery beat -A dojo -l info"' 317 | Restart=always 318 | RestartSec=3 319 | #StandardOutput=syslog 320 | #StandardError=syslog 321 | SyslogIdentifier=celerybeat 322 | 323 | [Install] 324 | WantedBy=multi-user.target 325 | 326 | 327 | *That's it!* 328 | 329 | *Monitoring* 330 | 331 | To expose Django statistics for Prometheus, using the text-editor of your choice, change ``DJANGO_METRICS_ENABLED`` to True in django-DefectDojo/dojo/settings/settings.py to: 332 | 333 | .. code-block:: console 334 | 335 | `DJANGO_METRICS_ENABLED = True` 336 | 337 | Or export ``DD_DJANGO_METRICS_ENABLED`` with the same value. 338 | 339 | Prometheus endpoint than is available under the path: ``http://dd_server/django_metrics/metrics`` 340 | -------------------------------------------------------------------------------- /docs/settings-docs.rst: -------------------------------------------------------------------------------- 1 | DefectDojo settings.py variables 2 | ================================ 3 | 4 | For more info on custom settings and use of custom settings during development, please see: [settings.py documentation](https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/settings/settings.py) and [extra settings](https://github.com/DefectDojo/django-DefectDojo/blob/master/docker/extra_settings/README.md) 5 | 6 | .. note:: 7 | To complete 8 | 9 | * ``DD_AUTHORIZED_USERS_ALLOW_CHANGE``: Grants ``Active`` users (e.g regular users) the ability to perform changes for the ``Products`` they are authorized. 10 | * ``DD_AUTHORIZED_USERS_ALLOW_DELETE``: Grants ``Active`` users (e.g regular users) delete powers for the ``Products`` they are authorized. 
11 | * ``DD_SITE_URL``: 12 | * ``DD_DEBUG``: Django ``DEBUG``. Must be ``False`` in production: debug mode exposes stack traces, settings and local variables to anyone who triggers an error page. 13 | * ``DD_DJANGO_METRICS_ENABLED``: Exposes the Prometheus metrics endpoint (see "Running in Production"); restrict access to it at the proxy. 14 | * ``DD_LOGIN_REDIRECT_URL``: 15 | * ``DD_DJANGO_ADMIN_ENABLED``: Enables the Django admin site; leave it disabled in production unless you need it. 16 | * ``DD_SESSION_COOKIE_HTTPONLY``: Keep ``True`` so scripts in the browser cannot read the session cookie. 17 | * ``DD_CSRF_COOKIE_HTTPONLY``: 18 | * ``DD_SECURE_SSL_REDIRECT``: 19 | * ``DD_SECURE_HSTS_INCLUDE_SUBDOMAINS``: 20 | * ``DD_SECURE_HSTS_SECONDS``: Django ``SECURE_HSTS_SECONDS``; only set once every host (and, with the subdomains option, every subdomain) is reachable over HTTPS, since browsers cache the policy. 21 | * ``DD_SESSION_COOKIE_SECURE``: Set to ``True`` when DefectDojo is served over HTTPS so the session cookie is never sent in clear text. 22 | * ``DD_CSRF_COOKIE_SECURE``: Set to ``True`` when DefectDojo is served over HTTPS. 23 | * ``DD_SECURE_BROWSER_XSS_FILTER``: 24 | * ``DD_SECURE_CONTENT_TYPE_NOSNIFF``: 25 | * ``DD_TIME_ZONE``: 26 | * ``DD_LANG``: 27 | * ``DD_WKHTMLTOPDF``: 28 | * ``DD_TEAM_NAME``: 29 | * ``DD_ADMINS``: 30 | * ``DD_PORT_SCAN_CONTACT_EMAIL``: 31 | * ``DD_PORT_SCAN_RESULT_EMAIL_FROM``: 32 | * ``DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST``: 33 | * ``DD_PORT_SCAN_SOURCE_IP``: 34 | * ``DD_WHITENOISE``: 35 | * ``DD_TRACK_MIGRATIONS``: 36 | * ``DD_SECURE_PROXY_SSL_HEADER``: Django ``SECURE_PROXY_SSL_HEADER``. Only enable it when DefectDojo sits behind a reverse proxy you control that always sets (overwrites) the header; otherwise a client can spoof the header and make Django believe a plain-HTTP request is secure. 37 | * ``DD_TEST_RUNNER``: 38 | * ``DD_URL_PREFIX``: 39 | * ``DD_ROOT``: 40 | * ``DD_LANGUAGE_CODE``: 41 | * ``DD_SITE_ID``: 42 | * ``DD_USE_I18N``: 43 | * ``DD_USE_L10N``: 44 | * ``DD_USE_TZ``: 45 | * ``DD_MEDIA_URL``: 46 | * ``DD_MEDIA_ROOT``: 47 | * ``DD_STATIC_URL``: 48 | * ``DD_STATIC_ROOT``: 49 | * ``DD_CELERY_BROKER_URL``: 50 | * ``DD_CELERY_BROKER_SCHEME``: 51 | * ``DD_CELERY_BROKER_USER``: 52 | * ``DD_CELERY_BROKER_PASSWORD``: 53 | * ``DD_CELERY_BROKER_HOST``: 54 | * ``DD_CELERY_BROKER_PORT``: 55 | * ``DD_CELERY_BROKER_PATH``: 56 | * ``DD_CELERY_TASK_IGNORE_RESULT``: 57 | * ``DD_CELERY_RESULT_BACKEND``: 58 | * ``DD_CELERY_RESULT_EXPIRES``: 59 | * ``DD_CELERY_BEAT_SCHEDULE_FILENAME``: 60 | * ``DD_CELERY_TASK_SERIALIZER``: 61 | * ``DD_FORCE_LOWERCASE_TAGS``: 62 | * ``DD_FOOTER_VERSION``: Optionally pass a custom version string displayed in the footer of all pages (base.html template). 
Defaults to the version configured in ``django-DefectDojo/setup.py`` 63 | * ``DD_MAX_TAG_LENGTH``: 64 | * ``DD_DATABASE_ENGINE``: 65 | * ``DD_DATABASE_HOST``: 66 | * ``DD_DATABASE_NAME``: 67 | * ``DD_TEST_DATABASE_NAME``: 68 | * ``DD_DATABASE_PASSWORD``: Supply through the environment or a secrets manager, never committed to a settings file. 69 | * ``DD_DATABASE_PORT``: 70 | * ``DD_DATABASE_USER``: 71 | * ``DD_SECRET_KEY``: Django ``SECRET_KEY``. Must be a long random value unique to this instance and kept secret; all ``*_PASSWORD`` and ``*_SECRET`` values below should likewise come from the environment or a secrets manager rather than a committed settings file. Changing it invalidates existing sessions. 72 | * ``DD_CREDENTIAL_AES_256_KEY``: Key used to encrypt credentials stored by DefectDojo. Treat it like ``DD_SECRET_KEY`` and back it up separately -- encrypted credentials cannot be recovered if the key is lost. 73 | * ``DD_DATA_UPLOAD_MAX_MEMORY_SIZE``: 74 | * ``DD_SOCIAL_AUTH_TRAILING_SLASH``: 75 | * ``DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED``: 76 | * ``DD_SOCIAL_AUTH_AUTH0_KEY``: 77 | * ``DD_SOCIAL_AUTH_AUTH0_SECRET``: 78 | * ``DD_SOCIAL_AUTH_AUTH0_DOMAIN``: 79 | * ``DD_SOCIAL_AUTH_AUTH0_SCOPE``: 80 | * ``DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED``: 81 | * ``DD_SOCIAL_AUTH_GOOGLE_OAUTH2_KEY``: 82 | * ``DD_SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET``: 83 | * ``DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS``: 84 | * ``DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS``: 85 | * ``DD_SOCIAL_AUTH_OKTA_OAUTH2_ENABLED``: 86 | * ``DD_SOCIAL_AUTH_OKTA_OAUTH2_KEY``: 87 | * ``DD_SOCIAL_AUTH_OKTA_OAUTH2_SECRET``: 88 | * ``DD_SOCIAL_AUTH_OKTA_OAUTH2_API_URL``: 89 | * ``DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_ENABLED``: 90 | * ``DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY``: 91 | * ``DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET``: 92 | * ``DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID``: 93 | * ``DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_RESOURCE``: 94 | * ``DD_SOCIAL_AUTH_GITLAB_OAUTH2_ENABLED``: 95 | * ``DD_SOCIAL_AUTH_GITLAB_KEY``: 96 | * ``DD_SOCIAL_AUTH_GITLAB_SECRET``: 97 | * ``DD_SOCIAL_AUTH_GITLAB_API_URL``: 98 | * ``DD_SOCIAL_AUTH_GITLAB_SCOPE``: 99 | * ``DD_SAML2_ENABLED``: 100 | * ``DD_SAML2_METADATA_AUTO_CONF_URL``: URL of the IdP metadata; use an ``https://`` URL so the metadata (and the IdP signing certificate it contains) cannot be tampered with in transit. 101 | * ``DD_SAML2_METADATA_LOCAL_FILE_PATH``: 102 | * ``DD_SAML2_ASSERTION_URL``: 103 | * ``DD_SAML2_ENTITY_ID``: 104 | * ``DD_SAML2_DEFAULT_NEXT_URL``: 105 | * ``DD_SAML2_NEW_USER_PROFILE``: 106 | * ``DD_SAML2_ATTRIBUTES_MAP``: 107 | * ``DD_DISABLE_FINDING_MERGE``: 108 | * ``DD_AUTHORIZED_USERS_ALLOW_CHANGE``: 109 | 
* ``DD_AUTHORIZED_USERS_ALLOW_DELETE``: 110 | * ``DD_AUTHORIZED_USERS_ALLOW_STAFF``: 111 | * ``DD_SLA_NOTIFY_ACTIVE``: Consider "Active" findings for SLA notifications. 112 | * ``DD_SLA_NOTIFY_ACTIVE_VERIFIED_ONLY``: Consider "Active" and "Verified" findings only for SLA notifications. 113 | * ``DD_SLA_NOTIFY_WITH_JIRA_ONLY``: Considers findings that have a JIRA issue linked. 114 | * ``DD_SLA_NOTIFY_PRE_BREACH``: Number of days to notify before breaching the SLA. 115 | * ``DD_SLA_NOTIFY_POST_BREACH``: Number of days to keep notifying after the SLA has been breached. 116 | * ``DD_EMAIL_URL, default``: 117 | -------------------------------------------------------------------------------- /docs/social-authentication.rst: -------------------------------------------------------------------------------- 1 | Setting up Social Authentication via OAuth2 Providers 2 | ===================================================== 3 | 4 | 5 | Auth0 OAuth2 Configuration 6 | -------------------------- 7 | 8 | In the same way as with other Identity Providers, it's now possible to leverage Auth0 to authenticate users on DefectDojo. 9 | 10 | 1. Inside your Auth0 dashboard create a new application (Applications / Create Application / Single Page Web Application). 11 | 12 | 2. On the new application set the following fields: 13 | 14 | * Name: "Defectdojo" 15 | * Allowed Callback URLs: "https://the_hostname_you_have_dojo_deployed:your_server_port/complete/auth0/" 16 | 17 | 3. Copy the following info from the application: 18 | 19 | * Domain 20 | * Client ID 21 | * Client Secret 22 | 23 | 4. Now, edit the dojo/settings.py file and edit/replace the following information. The client secret is a credential: prefer supplying it (and the other values) through the corresponding ``DD_`` environment variables rather than committing it into a settings file: 24 | 25 | * DD_SOCIAL_AUTH_AUTH0_OAUTH2_ENABLED=True 26 | * DD_SOCIAL_AUTH_AUTH0_KEY=(str, '**YOUR_CLIENT_ID_FROM_STEP_ABOVE**'), 27 | * DD_SOCIAL_AUTH_AUTH0_SECRET=(str, '**YOUR_CLIENT_SECRET_FROM_STEP_ABOVE**'), 28 | * DD_SOCIAL_AUTH_AUTH0_DOMAIN=(str, '**YOUR_AUTH0_DOMAIN_FROM_STEP_ABOVE**'), 29 | 30 | 5. 
Restart DefectDojo, and you should now see a **Login with Auth0** button on the login page. 31 | 32 | 33 | Google 34 | ------ 35 | 36 | New to DefectDojo, a Google account can now be used for Authentication, Authorization, and a DefectDojo user. Upon login with a Google account, a new user will be created if one does not already exist. The criteria for determining whether a user exists is based on the user's username. In the event a new user is created, the username is that of the Google address without the domain. Once created, the user creation process will not happen again as the user is recalled by its username, and logged in. Because the domain part is dropped, two Google accounts that share a local part (for example ``alice@example.com`` and ``alice@example.org``) would map to the same DefectDojo user; if you whitelist more than one domain, make sure this cannot be used to take over another user's account, or whitelist a single domain or explicit e-mail addresses instead. In order to make the magic happen, a Google authentication server needs to be created. Closely follow the steps below to guarantee success. 37 | 38 | 1. Navigate to the following address and either create a new account, or login with an existing one: `Google Developers Console`_ 39 | 2. Once logged in, find the key shaped button labeled **Credentials** on the left side of the screen. Click **Create Credentials**, and choose **OAuth Client ID**: 40 | 41 | .. image:: /_static/google_1.png 42 | 43 | 3. Select **Web Applications**, and provide a descriptive name for the client. 44 | 45 | .. image:: /_static/google_2.png 46 | 47 | 4. Add the pictured URLs in the **Authorized Redirect URLs** section. This part is very important. If there are any mistakes here, the authentication client will not authorize the request, and deny access. Register only the exact ``https://`` callback URL of your deployment; a loosely defined redirect URL lets an attacker receive authorization codes meant for DefectDojo. 48 | 5. Once all URLs are added, finish by clicking **Create** 49 | 50 | Now with the authentication client created, the **Client ID** and **Client Secret Key** need to be copied over to settings.py in the project. Click the newly created client and copy the values: 51 | 52 | .. image:: /_static/google_3.png 53 | 54 | In the **Environment** section at the top of settings.py, enter the values as shown below: 55 | 56 | ..
image:: /_static/google_4.png 57 | 58 | In the **Authentication** section of settings.py, set **DD_SOCIAL_AUTH_GOOGLE_OAUTH2_ENABLED** (shown as **DD_GOOGLE_OAUTH_ENABLED** in the screenshot) to **True** to redirect away from this README and actually authorize. 59 | 60 | .. image:: /_static/google_5.png 61 | 62 | To authorize users you will need to set one of the following; without a restriction, any Google account that completes the login is a candidate for user creation: 63 | 64 | * DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_DOMAINS = ['example.com', 'example.org'] 65 | 66 | or 67 | 68 | * DD_SOCIAL_AUTH_GOOGLE_OAUTH2_WHITELISTED_EMAILS = ['email@example.com'] 69 | 70 | .. _Google Developers Console: https://console.developers.google.com 71 | 72 | 73 | OKTA 74 | ---- 75 | 76 | In a similar fashion to that of Google, using OKTA as an OAuth2 provider carries the same attributes and a similar procedure. Follow along below. 77 | 78 | 1. Navigate to the following address and either create a new account, or login with an existing one: `OKTA Account Creation`_ 79 | 2. Once logged in, enter the **Applications** and click **Add Application**: 80 | 81 | .. image:: /_static/okta_1.png 82 | 83 | 3. Select **Web Applications**. 84 | 85 | .. image:: /_static/okta_2.png 86 | 87 | 4. Add the pictured URLs in the **Login Redirect URLs** section. This part is very important. If there are any mistakes here, the authentication client will not authorize the request, and deny access. Check the **Implicit** box as well (the implicit grant is discouraged by current OAuth 2.0 guidance; the authorization code flow used here should work with only **Authorization Code** enabled, so only enable **Implicit** if login fails without it). 88 | 89 | .. image:: /_static/okta_3.png 90 | 91 | 5. Once all URLs are added, finish by clicking **Done**. 92 | 6. Return to the **Dashboard** to find the **Org-URL**. Note this value as it will be important in the settings file. 93 | 94 | .. image:: /_static/okta_4.png 95 | 96 | Now, with the authentication client created, the **Client ID** and **Client Secret** Key need to be copied over to settings.py in the project. Click the newly created client and copy the values: 97 | 98 | .. image:: /_static/okta_5.png 99 | 100 | In the **Environment** section at the top of settings.py, enter the values as shown below: 101 | 102 | ..
image:: /_static/okta_6.png 103 | 104 | In the **Authentication** section of settings.py, set **DD_SOCIAL_AUTH_OKTA_OAUTH2_ENABLED** (shown as **DD_OKTA_OAUTH_ENABLED** in the screenshot) to **True** to redirect away from this README and actually authorize. 105 | 106 | .. image:: /_static/okta_7.png 107 | 108 | .. _OKTA Account Creation: https://www.okta.com/developer/signup/ 109 | 110 | 111 | If during the login process you get the following error: *The 'redirect_uri' parameter must be an absolute URI that is whitelisted in the client app settings.* and the `redirect_uri` HTTP GET parameter starts with `http://` instead of `https://`, you need to add **SOCIAL_AUTH_REDIRECT_IS_HTTPS = True** in the **Authentication** section of settings.py. This typically happens when DefectDojo runs behind a TLS-terminating proxy and only sees plain HTTP; fix the setting rather than registering an ``http://`` redirect URI at the provider. 112 | 113 | 114 | 115 | Azure Active Directory Tenant Configuration 116 | ------------------------------------------- 117 | You can now use your corporate Azure Active Directory to authenticate users to Defect Dojo. 118 | Users will be using your corporate Azure AD account (A.K.A. Office 365 identity) to authenticate via OAuth, and all the conditional access rules and benefits from Azure Active Directory will also apply to the Defect Dojo Authentication. 119 | Once the user signs in, it will try to match the UPN of the user to an existing e-mail from a user in Defect Dojo, and if no match is found, a new user will be created in Defect Dojo, associated with the unique id/value of the user provided by your Azure AD tenant. Then, you can assign roles to this user, such as 'staff' or 'superuser'. Because matching is done on the e-mail address, make sure e-mail addresses of existing DefectDojo users are ones the tenant actually owns, so that a tenant account cannot be matched to an unrelated local account. 120 | 121 | 1. Navigate to the following address and follow instructions to create a new app registration 122 | 123 | * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app 124 | 125 | 2. Once you register an app, take note of the following information: 126 | 127 | * **Application (client) ID** 128 | * **Directory (tenant) ID** 129 | * Under Certificates & Secrets, create a new **Client Secret** 130 | 131 | 3. 
Under Authentication > Redirect URIs, add a *WEB* type of uri where the redirect points to 132 | 133 | * http://localhost:8080/complete/azuread-tenant-oauth2/ (local testing only; do not leave this registered on a production app registration) 134 | * **OR** 135 | * https://the_hostname_you_have_dojo_deployed:your_server_port/complete/azuread-tenant-oauth2/ 136 | 137 | 4. Now, edit the dojo/settings.py file and edit/replace the following information (the client secret should preferably be supplied through the corresponding ``DD_`` environment variable rather than committed into the file): 138 | 139 | * DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_KEY=(str, '**YOUR_APPLICATION_ID_FROM_STEP_ABOVE**'), 140 | * DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_SECRET=(str, '**YOUR_CLIENT_SECRET_FROM_STEP_ABOVE**'), 141 | * DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_TENANT_ID=(str, '**YOUR_DIRECTORY_ID_FROM_STEP_ABOVE**'), 142 | * DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_ENABLED = **True** 143 | 144 | 5. Restart your Dojo, and you should now see a **Login with Azure AD** button on the login page which should *magically* work 145 | 146 | 147 | Gitlab OAuth2 Configuration 148 | --------------------------- 149 | In a similar fashion to that of Google and OKTA, using Gitlab as an OAuth2 provider carries the same attributes and a similar procedure. Follow along below. 150 | 151 | 1. Navigate to your Gitlab settings page and go to the Applications section 152 | 153 | * https://gitlab.com/profile/applications 154 | * **OR** 155 | * https://the_hostname_you_have_gitlab_deployed:your_gitlab_port/profile/applications 156 | 157 | 2. Choose a name for your application 158 | 159 | 3. For the Redirect URI, enter the DefectDojo URL with the following format 160 | 161 | * https://the_hostname_you_have_dojo_deployed:your_server_port/complete/gitlab/ 162 | 163 | 4. 
Now, edit the dojo/settings.py file and edit/replace the following information: 164 | 165 | * DD_SOCIAL_AUTH_GITLAB_KEY=(str, '**YOUR_APPLICATION_ID_FROM_STEP_ABOVE**'), 166 | * DD_SOCIAL_AUTH_GITLAB_SECRET=(str, '**YOUR_SECRET_FROM_STEP_ABOVE**'), 167 | * DD_SOCIAL_AUTH_GITLAB_API_URL=(str, '**https://gitlab.com**'), 168 | * DD_SOCIAL_AUTH_GITLAB_OAUTH2_ENABLED = **True** 169 | 170 | Additionally, if you want to import your Gitlab projects as DefectDojo products, add the following line, still in dojo/settings.py: 171 | 172 | * DD_SOCIAL_AUTH_GITLAB_PROJECT_AUTO_IMPORT = **True** 173 | 174 | 5. Restart DefectDojo, and you should now see a **Login with Gitlab** button on the login page. 175 | 176 | 177 | SAML 2.0 178 | -------- 179 | Alongside the OAuth2 providers above, DefectDojo can also act as a SAML 2.0 service provider for single sign-on. 180 | For definitions of terms used and more information, see the plugin `plugin homepage`_ 181 | 182 | .. _plugin homepage: https://github.com/fangli/django-saml2-auth 183 | 184 | 1. Navigate to your SAML IdP and find your metadata 185 | 186 | 2. Edit the dojo/settings.py file: 187 | 188 | * DD_SAML2_ENABLED=(bool, **True**), 189 | * If the metadata can be accessed from a URL, use DD_SAML2_METADATA_AUTO_CONF_URL. Use an ``https://`` URL: the metadata contains the IdP signing certificate that assertions are verified against, so it must not be fetchable or modifiable by an attacker in transit. 190 | * DD_SAML2_METADATA_AUTO_CONF_URL=(str, 'https://your_IdP.com/metadata.xml'), 191 | * Otherwise, download a copy of the metadata into an xml file (obtained from the IdP over a trusted channel), and list the path in DD_SAML2_METADATA_LOCAL_FILE_PATH 192 | * DD_SAML2_METADATA_LOCAL_FILE_PATH=(str, '/path/to/your/metadata.xml'), 193 | * Fill in DD_SAML2_ASSERTION_URL and DD_SAML2_ENTITY_ID to match the specs of your IdP. 194 | * Configure the remaining optional fields to your desire. 195 | 196 | 3. In the "Authentication" section of the settings.py, do the following 197 | 198 | * Find the "SAML_2_AUTH" dictionary 199 | * Comment out the metadata collection method that was not used. 
200 | * For example, if METADATA_AUTO_CONF_URL was used, comment the METADATA_LOCAL_FILE_PATH line. 201 | 202 | 4. Restart DefectDojo, and you should now see a **Login with SAML** button on the login page. 203 | 204 | NOTE: If the IdP uses a certificate issued by a private or self-signed CA, the CA certificate must be made known to the HTTP client by setting the ``REQUESTS_CA_BUNDLE`` environment variable to the path of the CA's public certificate. Do this rather than disabling certificate verification. 205 | 206 | User Permissions 207 | ---------------- 208 | 209 | When a new user is created via the social-auth, the default permissions are only active. This means that the newly created user does not have access to add, edit, nor delete anything within DefectDojo. To circumvent that, a custom pipeline was added (dojo/pipline.py/modify_permissions) to elevate new users to staff. This can be disabled by setting 'is_staff' equal to False. Similarly, for an admin account, simply add the following to the modify_permissions pipeline: 210 | is_superuser = True 211 | Be aware of what this means in production: with the default pipeline, every account that your identity provider lets through (for example every account in a whitelisted Google domain) becomes a DefectDojo staff user on first login. Review whether that is intended before enabling a provider, and never set ``is_superuser`` for all new users. 212 | Exception for Gitlab OAuth2: with DD_SOCIAL_AUTH_GITLAB_PROJECT_AUTO_IMPORT set to True in dojo/settings.py, when a new user is created via the Gitlab social-auth they have one permission: add_engagement. It allows them to create further engagements on their products via API v1. 213 | 214 | Other Providers 215 | --------------- 216 | 217 | In an effort to accommodate as much generality as possible, it was decided to implement OAuth2 with the `social-auth`_ ecosystem as it has a library of compatible providers with documentation of implementation. Conveniently, each provider has an identical procedure of managing the authenticated responses and authorizing access within a given application. The only difficulty is creating a new authentication client with a given OAuth2 provider. 218 | 219 | ..
_social-auth: https://github.com/python-social-auth/social-core/tree/master/social_core/backends 220 | -------------------------------------------------------------------------------- /docs/start-using.rst: -------------------------------------------------------------------------------- 1 | Usage Examples 2 | ============== 3 | 4 | DefectDojo is designed to make tracking testing engagements simple and intuitive. The :doc:`models` page will help you 5 | understand the terminology we use below, so we recommend taking a look at that first. 6 | 7 | .. _create-new-product-type: 8 | 9 | Create a new Product Type 10 | ------------------------- 11 | 12 | The first step to using DefectDojo is to create a Product Type. Some examples might be "Mobile Apps" or 13 | "New York Office." The idea is to make it easy to divide your Products into logical categories, based on your 14 | organizational structure, or just to divide internal and external applications. 15 | 16 | .. image:: /_static/getting_started_1.png 17 | 18 | Select "View Product Types" from the "Products" dropdown in the main menu. 19 | 20 | .. image:: /_static/getting_started_2.png 21 | 22 | Click the "New Product Type" button at the top. 23 | 24 | .. image:: /_static/getting_started_3.png 25 | 26 | Enter a name for your new Product Type. 27 | 28 | .. _Create a new Test Type: 29 | 30 | Create a new Test Type 31 | ---------------------- 32 | 33 | Test Types will help you differentiate the scope of your work. For instance, 34 | you might have a Performance Test Type, or a specific type of security testing 35 | that you regularly perform. 36 | 37 | .. image:: /_static/getting_started_4.png 38 | 39 | Select "Test Types" from the "Engagements" dropdown in the main menu. 40 | 41 | .. image:: /_static/getting_started_5.png 42 | 43 | Click the "New Test Type" button at the top. 44 | 45 | .. image:: /_static/getting_started_6.png 46 | 47 | Enter a name for your new Test Type. 48 | 49 | .. 
_Create a new Development Environment: 50 | 51 | Create a new Development Environment 52 | ------------------------------------ 53 | 54 | Development Environments are for tracking distinct deployments of a particular 55 | Product. You might have one called "Local" if you deploy the Product on your 56 | own computer for testing, or "Staging" or "Production" for official deployments. 57 | 58 | .. image:: /_static/getting_started_7.png 59 | 60 | Select "Development Environments" from the "Engagements" dropdown in the main menu. 61 | 62 | .. image:: /_static/getting_started_8.png 63 | 64 | Click the "New Development Environment" button at the top. 65 | 66 | .. image:: /_static/getting_started_9.png 67 | 68 | Enter a name for your new Development Environment. 69 | 70 | .. _Create a new Engagement: 71 | 72 | Create a new Engagement 73 | ----------------------- 74 | 75 | Engagements are useful for tracking the time spent testing a Product. 76 | They are associated with a Product, a Testing Lead, and are comprised of one or 77 | more Tests that may have Findings associated with them. Engagements also show 78 | up on your calendar. 79 | 80 | .. image:: /_static/getting_started_10.png 81 | 82 | Select "Engagements" from the "Engagements" dropdown in the main menu. 83 | 84 | .. image:: /_static/getting_started_11.png 85 | 86 | Click the "New Engagement" button on the right. 87 | 88 | .. image:: /_static/getting_started_12.png 89 | 90 | Enter the details of your Engagement. 91 | 92 | The `Deduplication Level` specifies whether to perform deduplication only for tests in the engagement, or across all tests in the product whose engagements are also set to `Deduplication Level` product. Enabled deduplication is mandatory. 93 | 94 | .. _Adding Tests to an Engagement: 95 | 96 | Adding Tests to an Engagement 97 | ----------------------------- 98 | 99 | From the Engagement creation page, you can add a new Test to the Engagement. 
100 | You can also add a Test to the Engagement later from that Engagement's main 101 | page. Tests are associated with a particular Test Type, a time, and an 102 | Environment. 103 | 104 | .. image:: /_static/getting_started_13.png 105 | 106 | Enter the details of your Test. 107 | 108 | .. _Adding Findings to a Test: 109 | 110 | Adding Findings to a Test 111 | ------------------------- 112 | 113 | Findings are the defects or interesting things that you want to keep track of 114 | when testing a Product during a Test/Engagement. Here, you can lay out the 115 | details of what went wrong, where you found it, what the impact is, and your 116 | proposed steps for mitigation. You can also reference `CWEs`_, or add links to your own references. 117 | 118 | .. _CWEs: http://cwe.mitre.org/ 119 | 120 | Templating findings allows you to create a version of a finding that you can 121 | then re-use over and over again, on any Engagement. 122 | 123 | .. image:: /_static/getting_started_14.png 124 | 125 | Enter the details of your Finding, or click the "Add Finding from Template" 126 | button to use a templated Finding. 127 | 128 | .. image:: /_static/getting_started_15.png 129 | 130 | From the "Add Finding Template" popup, you can select finding templates from 131 | the list, or use the search bar. Templates can be used across all Engagements. 132 | 133 | .. image:: /_static/getting_started_16.png 134 | 135 | Define what kind of Finding this is. Is it a false positive? A duplicate? If 136 | you want to save this finding as a template, check the "Is template" box. 137 | 138 | .. _Accepting a Finding Risk: 139 | 140 | Accepting a Finding Risk 141 | ------------------------ 142 | 143 | Findings cannot always be remediated or addressed for various reasons. A finding status can change to accepted 144 | by doing the following. Findings are accepted in the engagement view. To locate the engagement from the finding 145 | click the link to engagement as shown below. 146 | 147 | .. 
image:: /_static/select_engagement.png 148 | :width: 400 149 | :alt: Select an engagement 150 | 151 | Then, in the engagement view click the plus icon in the 'Risk Acceptance' box and fill in the details to 152 | support the risk acceptance. 153 | 154 | .. image:: /_static/risk_exception.png 155 | :width: 400 156 | :alt: Creating a risk acceptance 157 | 158 | The engagement view is now updated with the risk. 159 | 160 | .. image:: /_static/engagement_risk_acceptance.png 161 | :width: 400 162 | :alt: Risk Acceptance engagement view 163 | 164 | The finding status changes to 'Accepted' with a link to the risk acceptance. 165 | 166 | .. image:: /_static/finding_accepted.png 167 | :width: 400 168 | :alt: Risk acceptance on finding 169 | 170 | .. _Viewing an Engagement: 171 | 172 | Viewing an Engagement 173 | --------------------- 174 | 175 | Most of the work of an Engagement can be done from that Engagement's main page. 176 | You can view the Test Strategy or Threat Model, modify the Engagement dates, 177 | view Tests and Findings, add Risk Acceptance, complete the security Check List, 178 | or close the Engagement. 179 | 180 | .. image:: /_static/getting_started_17.png 181 | 182 | This page lets you do most of the common tasks that are associated with an 183 | Engagement. 184 | 185 | .. _Tracking your Engagements in the calendar: 186 | 187 | Tracking your Engagements in the calendar 188 | ----------------------------------------- 189 | 190 | The calendar can help you keep track of what Engagements your team is currently 191 | working on, or determine the time line for past Engagements. 192 | 193 | .. image:: /_static/getting_started_18.png 194 | 195 | Select "Calendar" in the main menu. 196 | 197 | .. image:: /_static/getting_started_19.png 198 | 199 | Here you can view the current engagements for the month, or go back in time. 200 | 201 | .. 
_Tracking metrics for your Products: 202 | 203 | Tracking metrics for your Products 204 | ---------------------------------- 205 | 206 | Tracking metrics for your Products can help you identify Products that may 207 | need additional help, or highlight a particularly effective member of your 208 | team. 209 | 210 | You can also see the Dashboard view, a page that scrolls automatically, showing 211 | off the results of your testing. This can be useful if you want to display your 212 | team's work in public without showing specific details. 213 | 214 | .. image:: /_static/getting_started_20.png 215 | 216 | Select "All" or a Product Type from the "Metrics" drop-down in the main menu. 217 | 218 | .. image:: /_static/getting_started_21.png 219 | 220 | Here you can see graphs of various metrics, with the ability to filter your 221 | results by time, Product Type, and severity. 222 | 223 | .. image:: /_static/getting_started_22.png 224 | 225 | At the bottom of the Metrics page, you can see granular data about your work, 226 | such as a breakdown of the most severe bugs by Product, lists of open, accepted, 227 | and closed Findings, and trends for each week, as well as the age of all current 228 | open Findings. 229 | -------------------------------------------------------------------------------- /docs/upgrading.rst: -------------------------------------------------------------------------------- 1 | Upgrading 2 | ========= 3 | Docker-compose 4 | -------------- 5 | When you deploy a vanilla docker-compose, it will create a persistent volume for your MySQL database. As long as your volume is there, you should not lose any data. 6 | 7 | Using docker images provided in DockerHub 8 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 9 | 10 | .. note:: 11 | If you're using ``latest``, then you need to pre pull the ``latest`` from DockerHub to update. 12 | 13 | The generic upgrade method for docker-compose follows these steps: 14 | 15 | * Pull the latest version 16 | 17 | .. 
code-block:: bash 18 | 19 | docker pull defectdojo/defectdojo-django:latest 20 | docker pull defectdojo/defectdojo-nginx:latest 21 | 22 | * If you would like to use something older (so not the latest version), specify the version (tag) you want to upgrade to: 23 | 24 | .. code-block:: bash 25 | 26 | docker pull defectdojo/defectdojo-django:1.10.2 27 | docker pull defectdojo/defectdojo-nginx:1.10.2 28 | 29 | * Go to the directory where your docker-compose.yml file lives 30 | * Stop DefectDojo: ``docker-compose stop`` 31 | * Re-start DefectDojo, allowing for container recreation: ``docker-compose up -d`` 32 | * Run the database migrations to bring your database schema up to speed with the latest code 33 | * If you have the initializer disabled (or if you want to be on the safe side), run the migration command: ``docker-compose exec uwsgi /bin/bash -c 'python manage.py migrate'`` 34 | 35 | Building your local images 36 | ^^^^^^^^^^^^^^^^^^^^^^^^^^ 37 | 38 | If you build your images locally and do not use the ones from DockerHub, the instructions are much the same, except that you'd build your images first. (Of course, if you're doing this, then you know you have to update the source code first) 39 | 40 | Replace the first step above with this one: 41 | - ``docker-compose build`` 42 | 43 | 44 | Setup.bash 45 | ---------- 46 | .. warning:: 47 | This installation method is EOL and will be removed on 2020-12-31 48 | 49 | The easiest way to upgrade to a new version of DefectDojo is to pull from Github. 
Assuming the source code lives in a 50 | directory named `defect-dojo` you can complete the following steps to upgrade to the latest DefectDojo release:: 51 | 52 | cd defect-dojo 53 | git checkout master 54 | git pull 55 | pip freeze > pip_frozen.txt 56 | pip install -r pip_frozen.txt --upgrade 57 | ./manage.py makemigrations dojo 58 | ./manage.py makemigrations 59 | ./manage.py migrate 60 | 61 | Because yarn assets change from time to time, it is always a good idea to re-install them and collect the static 62 | resources. :: 63 | 64 | cd defect-dojo 65 | cd components 66 | yarn 67 | cd .. 68 | 69 | At this point yarn may ask you to select from different versions of packages, choose the latest on each. 70 | 71 | Next you can run: :: 72 | 73 | ./manage.py collectstatic --noinput 74 | 75 | If you are in your production system, you will need to restart gunicorn and celery to make sure the latest code is 76 | being used by both. 77 | 78 | FAQ 79 | --- 80 | 81 | **Celery Error:** 82 | 83 | If you have an issue starting Django with the error: TypeError: config_from_object() got an unexpected keyword argument 'namespace' 84 | 85 | Upgrade Celery to the latest version: 86 | 87 | ``pip install --upgrade celery`` 88 | 89 | Upgrading to DefectDojo Version 1.13.x 90 | -------------------------------------- 91 | - See release notes: https://github.com/DefectDojo/django-DefectDojo/releases/tag/1.13.0 92 | - Hashcode settings affecting deduplication have changed, to update existing findings run: 93 | 94 | `./manage.py dedupe` 95 | 96 | If you're using docker: 97 | 98 | `docker-compose exec uwsgi ./manage.py dedupe` 99 | 100 | This can take a while depending on your instance size. It is possible that new duplicates are detected among existing findings, so make a backup before running! 
101 | 102 | 103 | Upgrading to DefectDojo Version 1.12.x 104 | -------------------------------------- 105 | - See release notes: https://github.com/DefectDojo/django-DefectDojo/releases/tag/1.12.0 106 | - 1.12.1 is a security release https://github.com/DefectDojo/django-DefectDojo/releases/tag/1.12.1 107 | 108 | Upgrading to DefectDojo Version 1.11.x 109 | -------------------------------------- 110 | - See release notes: https://github.com/DefectDojo/django-DefectDojo/releases/tag/1.11.0 111 | - 1.11.1 is a security release https://github.com/DefectDojo/django-DefectDojo/releases/tag/1.11.1 112 | 113 | Upgrading to DefectDojo Version 1.10.x 114 | -------------------------------------- 115 | **1.10.4 is a security release** 116 | 117 | - See the security advisory: https://github.com/DefectDojo/django-DefectDojo/security/advisories/GHSA-96vq-gqr9-vf2c 118 | - See release notes: https://github.com/DefectDojo/django-DefectDojo/releases/tag/1.10.4 119 | - Version 1.10.4 replaces 1.10.3 as the latter contained an incomplete fix 120 | 121 | **What's New:** 122 | 123 | - See release notes: https://github.com/DefectDojo/django-DefectDojo/releases 124 | - Defect Dojo now provides a `settings.py` file out-of-the-box. Custom settings need to go into `local_settings.py`. See https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/settings/settings.py and https://github.com/DefectDojo/django-DefectDojo/blob/master/docker/extra_settings/README.md 125 | - A quickfix is to rename your own / customized `settings.py` or `settings.dist.py` to `local_settings.py`. Details of that PR: https://github.com/DefectDojo/django-DefectDojo/pull/3136 126 | - Major JIRA integration refactoring, for which you should at least use 1.10.1 and not 1.10.0 for many bug fixes. 127 | 128 | **Breaking changes** 129 | 130 | Kubernetes/Helm users: we have moved away from the "stable" repository to "bitnami" in this release. 
The bitnami postgresql chart required us to add a new key to the postgresql secret, which will give you the error ``postgresql-postgres-password is missing`` if you have ``createPostgresqlSecret: false``. In 1.10.1, a fix was also included to allow your existing ``postgresqlPassword`` to be reused properly. 131 | 132 | Included in 1.10.1 were a couple of fixes related to a rabbitMQ upgrade. The path to access ``password``, ``erlangCookie`` and ``existingPasswordSecret`` changed from ``rabbitmq`` to ``auth``. Furthermore, as rabbitMQ is deployed as a StatefulSet, an in-place upgrade is not possible and an error will likely be thrown such as ``Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden``. After ensuring your rabbitMQ celery queue is empty, you will then want to delete your rabbitMQ StatefulSet and PVC to allow them to get re-created, or fully delete and recreate defectdojo. 133 | 134 | 135 | Upgrading to DefectDojo Version 1.9.3 136 | ------------------------------------- 137 | **This is a security release** 138 | 139 | - See the `security advisory `_ 140 | - See `release notes `_ 141 | 142 | **What's New:** 143 | 144 | - See release notes: https://github.com/DefectDojo/django-DefectDojo/releases 145 | 146 | **NOTE:** 147 | 148 | When upgrading from before 1.9.2, a corrective script may need to be run 149 | 150 | `./manage.py create_endpoint_status` 151 | 152 | If you're using docker: 153 | 154 | `docker-compose exec uwsgi ./manage.py create_endpoint_status` 155 | 156 | This can take a while depending on your hardware and the number of findings in your instance. 157 | 158 | - Search index tweaking requires an index rebuild after upgrade: 159 | 160 | This requires a (one-time) rebuild of the Django-Watson search index. 
Execute the django command from the defect dojo installation directory: 161 | 162 | `./manage.py buildwatson` 163 | 164 | If you're using docker: 165 | 166 | `docker-compose exec uwsgi ./manage.py buildwatson` 167 | 168 | This can take a while depending on your hardware and the number of findings in your instance. 169 | 170 | 171 | Upgrading to DefectDojo Version 1.8.0 172 | ------------------------------------- 173 | **What's New:** 174 | 175 | - See release notes: https://github.com/DefectDojo/django-DefectDojo/releases 176 | - Improved search, which requires an index rebuild (https://github.com/DefectDojo/django-DefectDojo/pull/2861) 177 | 178 | This requires a (one-time) rebuild of the Django-Watson search index. Execute the django command from the defect dojo installation directory: 179 | 180 | `./manage.py buildwatson` 181 | 182 | If you're using docker: 183 | 184 | `docker-compose exec uwsgi ./manage.py buildwatson` 185 | 186 | This can take a while depending on your hardware and the number of findings in your instance. 187 | 188 | - **NOTE:** 189 | 190 | As a result of a breaking bug revolving around Endpoint_status objects, a corrective script will need to be run after 191 | every dynamic scan imported through either API version. 192 | 193 | The script can be found `here`_ 194 | 195 | 196 | 197 | .. _here: https://github.com/DefectDojo/django-DefectDojo/blob/dev/dojo/management/commands/create_endpoint_status.py 198 | 199 | `./manage.py create_endpoint_status` 200 | 201 | If you're using docker: 202 | 203 | `docker-compose exec uwsgi ./manage.py create_endpoint_status` 204 | 205 | This can take a while depending on your hardware and the number of findings in your instance. 
206 | 207 | Upgrading to DefectDojo Version 1.7.0 208 | ------------------------------------- 209 | 210 | **What's New:** 211 | 212 | - Updated search, you can now search for CVE-XXXX-YYYY 213 | - Updated search index, fields added to index: 'id', 'title', 'cve', 'url', 'severity', 'description', 'mitigation', 'impact', 'steps_to_reproduce', 'severity_justification', 'references', 'sourcefilepath', 'sourcefile', 'hash_code', 'file_path', 'component_name', 'component_version', 'unique_id_from_tool' 214 | 215 | This requires a (one-time) rebuild of the Django-Watson search index. Execute the django command from the defect dojo installation directory: 216 | 217 | `./manage.py buildwatson dojo.Finding` 218 | 219 | If you're using docker: 220 | 221 | `docker-compose exec uwsgi ./manage.py buildwatson dojo.Finding` 222 | 223 | Upgrading to DefectDojo Version 1.5.0 224 | ------------------------------------- 225 | 226 | **What's New:** 227 | 228 | - Updated UI with a new DefectDojo logo, default colors and CSS. 229 | - Updated Product views with tabs for Product Overview, Metrics, Engagements, Endpoints, Benchmarks (ASVS), and Settings to make it easier to navigate and manage your products. 230 | - New Product Information fields: Regulations, Criticality, Platform, Lifecycle, Origin, User Records, Revenue, External Audience, Internet Accessible 231 | - Languages pie chart on product overview, only supported through the API and Django admin, integrates with cloc analyzer 232 | - New Engagement type of CI/CD to support continual testing 233 | - Engagement shortcuts and ability to import findings and auto-create an engagement 234 | - Engagement labels for overdue, no tests and findings 235 | - New Contextual menus throughout DefectDojo and shortcuts to new findings and critical findings 236 | - Ability to merge a finding into a parent finding and either inactivate or delete the merged findings. 
237 | - Report improvements and styling adjustment with the default option of HTML reports 238 | - SLA for remediation of severities based on finding criticality, for example critical findings remediated within 7 days. Configurable in System Settings. 239 | - Engagement Auto-Close Days in System Settings. Automatically close an engagement if open past the end date. 240 | - Ability to apply remediation advice based on CWE. For example XSS can be configured as a template so that it's consistent across all findings. Enabled in system settings. 241 | - Finding confidence field supported from scanners. First implementation in the Burp importer. 242 | - Goast importer for static analysis of Golang products 243 | - Celery status check on System Settings 244 | - Beta rules framework release for modifying findings on the fly 245 | - DefectDojo 2.0 API with Swagger support 246 | - Created and Modified fields on all major tables 247 | - Various bug fixes reported on Github 248 | 249 | **Upgrading to 1.5.0 requirements:** 250 | 251 | 1. Back up your database first, ideally take the backup from production and test the upgrade on a staging server. 252 | 253 | 2. Edit the settings.py file which can be found in ``django-DefectDojo/dojo/settings/settings.py``. 
Copy in the rest framework configuration after the CSRF_COOKIE_SECURE = True:: 254 | 255 | REST_FRAMEWORK = { 256 | 'DEFAULT_AUTHENTICATION_CLASSES': ( 257 | 'rest_framework.authentication.TokenAuthentication', 258 | 'rest_framework.authentication.BasicAuthentication', 259 | ), 260 | 'DEFAULT_PERMISSION_CLASSES': ( 261 | 'rest_framework.permissions.DjangoModelPermissions', 262 | ), 263 | 'DEFAULT_RENDERER_CLASSES': ( 264 | 'rest_framework.renderers.JSONRenderer', 265 | ), 266 | 'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination', 267 | 'PAGE_SIZE': 25 268 | } 269 | 270 | Navigate to: LOGIN_EXEMPT_URLS and add the following after r'^%sfinding/image/(?P[^/]+)$' % URL_PREFIX:: 271 | 272 | r'^%sfinding/image/(?P[^/]+)$' % URL_PREFIX, 273 | r'^%sapi/v2/' % URL_PREFIX, 274 | 275 | Navigate to: INSTALLED_APPS and add the following after: 'multiselectfield',:: 276 | 277 | 'multiselectfield', 278 | 'rest_framework', 279 | 'rest_framework.authtoken', 280 | 'rest_framework_swagger', 281 | 'dbbackup', 282 | 283 | Navigate to: CELERY_TASK_IGNORE_RESULT = True and add the following after CELERY_TASK_IGNORE_RESULT line:: 284 | 285 | CELERY_RESULT_BACKEND = 'db+sqlite:///dojo.celeryresults.sqlite' 286 | 287 | Save your modified settings file. For reference, the modified file should look like the new 1.5.0 `settings <https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/settings/settings.dist.py>`_ file, minus the environmental configuration. Alternatively, that file can be used as-is and the environmental configuration from your environment copied into it. 288 | 289 | 3. Activate your virtual environment and then upgrade the requirements: 290 | 291 | ``pip install -r requirements.txt --upgrade`` 292 | 293 | 4. Upgrade the database:: 294 | 295 | ./manage.py makemigrations 296 | ./manage.py migrate 297 | 298 | 5. Collect the static files (Javascript, Images, CSS):: 299 | 300 | ./manage.py collectstatic --noinput 301 | 302 | 6. 
Complete 303 | 304 | Upgrading to DefectDojo Version 1.3.1 305 | ------------------------------------- 306 | 307 | **What's New:** 308 | 309 | - New importers for Contrast, Nikto and TruffleHog (finding secrets in git repos). 310 | - Improved merging of findings for dynamic and static importers 311 | - Markdown support for findings 312 | - HTML report improvements including support of Markdown. 313 | - System settings Celery status page to assist in debugging if Celery is functional. 314 | 315 | **Upgrading to 1.3.1 requires:** 316 | 317 | 1. pip install markdown 318 | pip install pandas 319 | 320 | 2. ./manage.py makemigrations 321 | ./manage.py migrate 322 | 323 | 3. ./manage.py collectstatic --noinput 324 | 325 | 4. Complete 326 | 327 | Upgrading to DefectDojo Version 1.2.9 328 | ------------------------------------- 329 | 330 | **What's New:** 331 | New feature: Benchmarks (OWASP ASVS) 332 | 333 | **Upgrading to 1.2.9 requires:** 334 | 335 | 1. ./manage.py makemigrations 336 | ./manage.py migrate 337 | ./manage.py loaddata dojo/fixtures/benchmark_type.json 338 | ./manage.py loaddata dojo/fixtures/benchmark_category.json 339 | ./manage.py loaddata dojo/fixtures/benchmark_requirement.json 340 | 341 | 2. ./manage.py collectstatic --noinput 342 | 343 | 3. Complete 344 | 345 | Upgrading to DefectDojo Version 1.2.8 346 | ------------------------------------- 347 | 348 | New feature: Product Grading (Overall Product Health) 349 | Upgrading to 1.2.8 requires: 350 | 351 | 1. ./manage.py makemigrations 352 | ./manage.py migrate 353 | ./manage.py system_settings 354 | 355 | 2. ./manage.py collectstatic --noinput 356 | 357 | 3. pip install asteval 358 | 359 | 4. pip install --upgrade celery 360 | 361 | 5. Complete 362 | 363 | Upgrading to DefectDojo Version 1.2.4 364 | ------------------------------------- 365 | 366 | Upgrading to 1.2.4 requires: 367 | 368 | 1. 
./manage.py makemigrations 369 | ./manage.py migrate 370 | ./manage.py loaddata dojo/fixtures/objects_review.json 371 | 372 | Upgrading to DefectDojo Version 1.2.3 373 | ------------------------------------- 374 | 375 | Upgrading to 1.2.3 requires: 376 | 377 | 1. ./manage.py makemigrations 378 | ./manage.py migrate 379 | ./manage.py loaddata dojo/fixtures/language_type.json 380 | 381 | 2. Currently languages and technologies can be updated via the API or in the admin section of Django. 382 | 383 | July 6th 2017 - New location for system settings 384 | ------------------------------------------------ 385 | 386 | Pull request #313 moves a number of system settings previously located in the application's settings.py 387 | to a model that can be used and changed within the web application under "Configuration -> System Settings". 388 | 389 | If you're using a custom ``URL_PREFIX`` you will need to set this in the model after upgrading by 390 | editing ``dojo/fixtures/system_settings.json`` and setting your URL prefix in the ``url_prefix`` value there. 391 | Then issue the command ``./manage.py loaddata system_settings.json`` to load your settings into the database. 392 | 393 | If you're not using a custom ``URL_PREFIX``, after upgrading simply go to the System Settings page and review 394 | which values you want to set for each setting, as they're not automatically migrated from settings.py. 395 | 396 | If you like you can then remove the following settings from settings.py to avoid confusion: 397 | 398 | * ``ENABLE_DEDUPLICATION`` 399 | * ``ENABLE_JIRA`` 400 | * ``S_FINDING_SEVERITY_NAMING`` 401 | * ``URL_PREFIX`` 402 | * ``TIME_ZONE`` 403 | * ``TEAM_NAME`` 404 | 405 | Upgrading to DefectDojo Version 1.2.2 406 | ------------------------------------- 407 | 408 | Upgrading to 1.2.2 requires: 409 | 410 | 1. Copying settings.py to the settings/ folder. 411 | 412 | 2. 
If you have supervisor scripts change DJANGO_SETTINGS_MODULE=dojo.settings.settings 413 | 414 | Upgrading to Django 1.1.5 415 | ------------------------- 416 | If you are upgrading an existing version of DefectDojo, you will need to run the following commands manually: 417 | 418 | #. First install Yarn. 419 | Follow the instructions based on your OS: https://yarnpkg.com/lang/en/docs/install/ 420 | 421 | #. The following must be removed/commented out from ``settings.py``: :: 422 | 423 | 'djangobower.finders.BowerFinder', 424 | 425 | From the line that contains: 426 | # where should bower install components 427 | ... 428 | 429 | To the end of the bower declarations 430 | 'justgage' 431 | ) 432 | 433 | #. The following needs to be updated in ``settings.py``: :: 434 | 435 | STATICFILES_DIRS = ( 436 | # Put strings here, like "/home/html/static" or "C:/www/django/static". 437 | # Always use forward slashes, even on Windows. 438 | # Don't forget to use absolute paths, not relative paths. 439 | os.path.dirname(DOJO_ROOT) + "/components/yarn_components", 440 | ) 441 | 442 | Upgrading to Django 1.11 443 | ------------------------ 444 | 445 | Pull request #300 makes DefectDojo Django 1.11 ready. A fresh install of DefectDojo can be done with the setup.bash script included - no special steps are required. 
446 | 447 | If you are upgrading an existing installation of DefectDojo, you will need to run the following commands manually: :: 448 | 449 | pip install django-tastypie --upgrade 450 | pip install django-tastypie-swagger --upgrade 451 | pip install django-filter --upgrade 452 | pip install django-watson --upgrade 453 | pip install django-polymorphic --upgrade 454 | pip install django --upgrade 455 | pip install pillow --upgrade 456 | ./manage.py makemigrations 457 | ./manage.py migrate 458 | 459 | The following must be removed/commented out from settings.py: :: 460 | 461 | TEMPLATE_DIRS 462 | TEMPLATE_DEBUG 463 | TEMPLATE_LOADERS 464 | TEMPLATE_CONTEXT_PROCESSORS 465 | 466 | The following needs to be added to settings.py: :: 467 | 468 | TEMPLATES = [ 469 | { 470 | 'BACKEND': 'django.template.backends.django.DjangoTemplates', 471 | 'APP_DIRS': True, 472 | 'OPTIONS': { 473 | 'context_processors': [ 474 | 'django.template.context_processors.debug', 475 | 'django.template.context_processors.request', 476 | 'django.contrib.auth.context_processors.auth', 477 | 'django.contrib.messages.context_processors.messages', 478 | ], 479 | }, 480 | }, 481 | ] 482 | 483 | Once all these steps are completed your installation of DefectDojo will be running under Django 1.11 484 | -------------------------------------------------------------------------------- /docs/workflows.rst: -------------------------------------------------------------------------------- 1 | Workflows 2 | ========= 3 | 4 | Example 1 - Bill the security engineer 5 | -------------------------------------- 6 | 7 | Bill wants a place to keep track of what he's worked on, so that he can show 8 | his boss exactly what issues he reports, and statistics about how long it 9 | takes to close them. 10 | 11 | When he is asked to audit an application, Bill registers a new Product in 12 | DefectDojo, and creates a new Engagement. 
Here he sets some basic information, 13 | like how long he expects the Engagement will take, who will be leading the 14 | testing (himself), what Product he will be working on, and what tests he 15 | will be doing. 16 | 17 | Next, he can add a Test to the Engagement, or upload a Nessus scan and start 18 | picking out the real vulnerabilities from the false positives (Nessus scan 19 | Findings are imported as inactive by default). 20 | 21 | Within the Test section, Bill can add Findings for any issues that he has 22 | uncovered during his audit. He can assign a severity to the Findings, describe 23 | replication steps, mitigation strategies, and impact on the system. This will 24 | come in handy when he wants to generate a report to send to the development 25 | team responsible for this Product, or his manager. 26 | 27 | Once Bill has completed his Engagement, he can close the Engagement on the 28 | main Engagement page. He can then view the results of his Tests, and generate 29 | a report to send to the development team. 30 | 31 | If Bill hears back from the development team that they won't be able to fix 32 | the issue for a while, he can make a note of this on the Engagement page. 33 | Bill will also receive Alerts for any bugs that persist longer than they are 34 | supposed to based on their severity. 35 | 36 | Example 2 - John the QE manager 37 | ------------------------------- 38 | 39 | John wants to keep tabs on what his team members are up to, and find issues 40 | that are taking a long time to get fixed. He creates his own DefectDojo account 41 | with superuser privileges so that he can view other team members' metrics. 42 | 43 | To get a better idea of what his team members are currently working on, he 44 | can start by checking the Calendar. This will show him any active Engagements 45 | that his team is involved in, based on the dates assigned to those Engagements. 
46 | 47 | He can view metrics for a Product Type, such as "Third Party Apps" to track his 48 | team's activity and follow up with Product teams who have long-lived bugs. He 49 | can also look at all the Findings for which there is a Risk Acceptance 50 | associated, and ensure that the proper documentation or timeline has been 51 | provided for the Findings in question. 52 | 53 | If he wants to check on a particular team member's progress, he can look at the 54 | Engineer Metrics dashboard under "Additional Metrics" for that user. 55 | -------------------------------------------------------------------------------- /sample_deployments/nginx/env/bin/celery-startup: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NAME="celery-defect-dojo" # Name of the app 4 | DJANGODIR=/install_path/django-DefectDojo/ # Django project dir 5 | USER=defectdojo # run as this user 6 | GROUP=defectdojo # the group to run as 7 | NUM_WORKERS=3 # how many workers 8 | # usually # of CPU + 1 9 | DJANGO_SETTINGS_MODULE=dojo.settings # which settings file 10 | 11 | DJANGO_WSGI_MODULE=dojo.wsgi # WSGI module name 12 | GUNICORN_LOG_LEVEL=debug # Set log level 13 | # possible values: debug, info, warning, error, critical 14 | 15 | echo "Starting $NAME as `whoami`" 16 | 17 | # Activate the virtual environment 18 | cd $DJANGODIR 19 | source /install_path/django-DefectDojo/venv/bin/activate 20 | export DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE 21 | export PYTHONPATH=$DJANGODIR:$PYTHONPATH 22 | 23 | # Start your Django Unicorn 24 | exec celery -A dojo worker -l info --concurrency 3 25 | -------------------------------------------------------------------------------- /sample_deployments/nginx/env/bin/dojo-startup: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NAME="defect-dojo" # Name of the app 4 | DJANGODIR=/install_path/django-DefectDojo/ # Django project dir 5 | USER=defectdojo # 
 run as this user 6 | GROUP=defectdojo # the group to run as 7 | NUM_WORKERS=3 # how many workers 8 | # usually # of CPU + 1 9 | DJANGO_SETTINGS_MODULE=dojo.settings # which settings file 10 | 11 | DJANGO_WSGI_MODULE=dojo.wsgi # WSGI module name 12 | GUNICORN_LOG_LEVEL=debug # Set log level 13 | # possible values: debug, info, warning, error, critical 14 | 15 | echo "Starting $NAME as `whoami`" 16 | 17 | # Activate the virtual environment 18 | cd $DJANGODIR 19 | source /install_path/django-DefectDojo/venv/bin/activate 20 | export DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE 21 | export PYTHONPATH=$DJANGODIR:$PYTHONPATH 22 | 23 | echo $PYTHONPATH 24 | # Create the run directory if it doesn't exist 25 | #RUNDIR=$(dirname $SOCKFILE) 26 | #test -d $RUNDIR || mkdir -p $RUNDIR 27 | 28 | # Start gunicorn. Every option line of the exec below must end in a backslash and no comment line may sit inside the continuation; as written the command ends after "--timeout 300", so --workers, --user/--group, --bind and the log options are never passed to gunicorn. 29 | exec gunicorn ${DJANGO_WSGI_MODULE}:application \ 30 | --name $NAME \ 31 | --timeout 300 32 | --workers $NUM_WORKERS \ 33 | --user=$USER --group=$GROUP \ 34 | # --bind=unix:$SOCKFILE \ 35 | --bind 127.0.0.1:8001 36 | --log-level=$GUNICORN_LOG_LEVEL \ 37 | --log-file=- 38 | -------------------------------------------------------------------------------- /sample_deployments/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | 4 | # Increase max upload 5 | client_max_body_size 500M; 6 | 7 | # Redirect http to https 8 | return 301 https://$host$request_uri; 9 | } 10 | 11 | server { 12 | 13 | listen 443; 14 | server_name defectdojo 15 | 16 | # Increase max upload 17 | client_max_body_size 500M; 18 | 19 | ssl_certificate /etc/nginx/ssl/nginx.crt; 20 | ssl_certificate_key /etc/nginx/ssl/nginx.key; 21 | 22 | ssl on; 23 | ssl_session_cache builtin:1000 shared:SSL:10m; 24 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 25 | ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; 26 | ssl_prefer_server_ciphers on; 27 | 28 | access_log /var/log/nginx/defectdojo.access.log; 29 | 30 | 
error_page 404 /404.html; 31 | error_page 500 502 503 504 /50x.html; 32 | location = /50x.html { 33 | root /usr/share/nginx/html; 34 | } 35 | 36 | # static files for DefectDojo 37 | location /static/ { 38 | alias /var/www/django-DefectDojo/static/; 39 | } 40 | 41 | location /media/ { 42 | alias /var/www/django-DefectDojo/media/; 43 | } 44 | 45 | location / { 46 | # Increase max upload 47 | client_max_body_size 500M; 48 | 49 | # an HTTP header important enough to have its own Wikipedia entry: 50 | # http://en.wikipedia.org/wiki/X-Forwarded-For 51 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 52 | 53 | # enable this if and only if you use HTTPS, this helps to 54 | # set the proper protocol for doing redirects: 55 | proxy_set_header X-Forwarded-Proto $scheme; 56 | 57 | # pass the Host: header from the client right along so redirects 58 | # can be set properly within the Django application 59 | proxy_set_header Host $host; 60 | 61 | # we don't want nginx trying to do something clever with 62 | # redirects, we set the Host: header above already. 63 | proxy_redirect off; 64 | 65 | # Fix the "It appears that your reverse proxy set up is broken" error. The proxied address below must match the address gunicorn binds in env/bin/dojo-startup (which uses 127.0.0.1:8001). 
66 | proxy_pass http://127.0.0.1:8000; 67 | proxy_read_timeout 90; 68 | 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /sample_deployments/nginx/superverisord.conf: -------------------------------------------------------------------------------- 1 | ;DefectDojo 2 | [program:defectdojo] 3 | command = /install_path/django-DefectDojo/env/bin/dojo-startup ; Command to start app 4 | user = defectdojo ; User to run as 5 | stdout_logfile = /install_path/django-DefectDojo/env/logs/dojo-supervisor.log ; Where to write log messages 6 | redirect_stderr = true ; Save stderr in the same log 7 | environment=LANG=en_US.UTF-8,LC_ALL=en_US.UTF-8 ; Set UTF-8 as default encoding 8 | 9 | ;CeleryDefectDojo 10 | [program:celerydefectdojo] 11 | command = /install_path/django-DefectDojo/env/bin/celery-startup ; Command to start app 12 | user = defectdojo ; User to run as 13 | stdout_logfile = /install_path/django-DefectDojo/env/logs/celerydojo-supervisor.log ; Where to write log messages 14 | redirect_stderr = true ; Save stderr in the same log 15 | environment=LANG=en_US.UTF-8,LC_ALL=en_US.UTF-8 ; Set UTF-8 as default encoding 16 | --------------------------------------------------------------------------------