Best way to import findings from periodic scan reports #5021
-
Hi, I would like to ask what would be the best way to import findings into DefectDojo in this situation: Based on my understanding of DefectDojo, writing a custom parser in this case may not be ideal because the import function only works for one product at a time. We don't want to manually import the findings for each product because the number of products could be several hundred. Also, it seems that the import function can't handle the case where a vulnerability should be closed because it is no longer shown in the report. Writing a script that calls DefectDojo's API to import the findings is of course an option. However, it is quite slow when the number of vulnerabilities is large. What would be your suggestion in this case?
Replies: 2 comments 1 reply
-
First, it's not one but many questions :D
I don't think implementing a new specific parser dedicated to your report format is a good thing. We prefer to stick to the raw format of the security tools.
You're right. DefectDojo splits the management of findings by product. Maybe you can consider one special product in DefectDojo as a "group" and import these findings into this "group" product.
That's wrong; DefectDojo handles this use case well. It is able to detect that a vulnerability is fixed and close it automatically after an upload.
Many users do that.
-
Thanks for the answer! Does the "Re-Upload" feature that you mentioned use the "reimport-scan" API?
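As an added example (not code from this thread or from the DefectDojo project), the script below drives the `/api/v2/reimport-scan/` endpoint once per product with a handful of parallel workers, which is the scripted equivalent of the re-upload flow discussed above for several hundred products. It assumes a DefectDojo 2.x API v2 where `reimport-scan` accepts `product_name`/`engagement_name`/`test_title` with `auto_create_context`, and where `close_old_findings=true` mitigates findings that are absent from the newly uploaded report; the field names, the `Token` auth header and the `test` id in the response should be checked against your own instance's `/api/v2/oa3/swagger-ui/`. The sample reports, product names and the `DD_URL`/`DD_TOKEN` environment variables are constructed for the example.

```python
"""
Bulk reimport of one raw scanner report per product into DefectDojo (API v2).

Added example, not code from this discussion or from the DefectDojo project.
Assumed: DefectDojo 2.x, POST /api/v2/reimport-scan/, "Authorization: Token <key>",
multipart form fields as in reimport_fields(). Verify against your instance's
/api/v2/oa3/swagger-ui/ before relying on the field names.
"""
import json
import os
import uuid
from concurrent.futures import ThreadPoolExecutor
from urllib.request import Request, urlopen

# Constructed sample input: one raw Trivy JSON document per product (empty
# results). A real run reads the scanner's own output files instead, so that
# DefectDojo's existing Trivy parser can be used rather than a custom aggregate.
SAMPLE_REPORTS = {
    "billing-api": b'{"SchemaVersion": 2, "Results": []}',
    "web-frontend": b'{"SchemaVersion": 2, "Results": []}',
}


def reimport_fields(product, scan_type="Trivy Scan", engagement="Periodic scan"):
    """Form fields for one reimport (names assumed from DefectDojo 2.x API v2).
    product_name/engagement_name/test_title select the test to update,
    auto_create_context creates product/engagement/test on the first run, and
    close_old_findings mitigates findings that no longer appear in the report."""
    return {
        "scan_type": scan_type,
        "product_name": product,
        "engagement_name": engagement,
        "test_title": f"{scan_type} ({product})",
        "auto_create_context": "true",
        "close_old_findings": "true",
        "active": "true",
        "verified": "false",
        "minimum_severity": "Low",
    }


def encode_multipart(fields, filename, content, boundary=None):
    """Encode text fields plus one file part as multipart/form-data (stdlib only).
    Returns (body_bytes, content_type_header_value)."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: application/octet-stream\r\n\r\n".encode() + content + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def http_post(url, body, headers):
    """Default transport: real HTTP POST returning the decoded JSON response."""
    req = Request(url, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=300) as resp:
        return json.loads(resp.read())


def reimport_one(base_url, token, product, report, post=http_post):
    """Reimport a single product's report. `post` is injectable so the flow can
    be exercised without a server."""
    body, ctype = encode_multipart(reimport_fields(product), f"{product}.json", report)
    headers = {"Authorization": f"Token {token}", "Content-Type": ctype}
    return post(f"{base_url.rstrip('/')}/api/v2/reimport-scan/", body, headers)


def reimport_all(base_url, token, reports, post=http_post, workers=4):
    """Reimport every product's report with a few parallel workers, so hundreds
    of products do not serialise behind one slow upload. Returns a mapping of
    product name to the test id DefectDojo reports (assumed "test" key)."""
    def job(item):
        product, report = item
        return product, reimport_one(base_url, token, product, report, post)["test"]

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(job, reports.items()))


if __name__ == "__main__":
    # Constructed usage: DD_URL=https://defectdojo.example DD_TOKEN=... python reimport.py
    if "DD_URL" in os.environ and "DD_TOKEN" in os.environ:
        print(reimport_all(os.environ["DD_URL"], os.environ["DD_TOKEN"], SAMPLE_REPORTS))
    else:
        print("set DD_URL and DD_TOKEN to run against a DefectDojo instance")
```

Keeping one DefectDojo test per product and scan type (the `test_title` above) is what lets each reimport compare the new report against the previous one for that product; uploading everything into a single "group" product, as the first reply suggests, works the same way as long as the test title stays unique per source. The parallelism only helps with the per-request overhead across many products; the time DefectDojo spends deduplicating a large report is server-side and is not changed by this script.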
Most users use DefectDojo like this: automated scans that produce reports, but most of them use raw data (output from the tools directly) instead of an aggregate. I honestly think it's better this way.