Information:
The DefectDojo master branch has API issues, so we will be using only the dev branch.
If you want to know how to change the port or the password, scroll to the relevant sections.
Pull the DefectDojo source code from the git repo:
Initialise a local folder as a git repo:
git init
Add the remote:
git remote add origin https://github.com/DefectDojo/django-DefectDojo.git
Pull the latest:
git pull
Checkout dev:
git checkout dev
Run the commands below to build and run the DefectDojo Docker containers:
Note: make sure you have updated the packages using the "sudo yum update" command.
sudo docker-compose build
cp dojo/settings/settings.dist.py dojo/settings/settings.py
sudo docker/setEnv.sh dev
sudo docker-compose up
What if you get the error below:
Failed to fetch http://deb.debian.org/debian/dists/buster/InRelease Temporary failure resolving 'deb.debian.org'

This is most likely an issue with the Docker DNS service; restart your system or the Docker service and it will be resolved.
To restart the service use the command: service docker restart
To check whether DNS is the problem:
We will run a simple Docker container called busybox and run nslookup inside it:
sudo docker run busybox nslookup google.com
If the message below is displayed, we can confirm that the issue is with DNS:

Now run the command below:
sudo docker run --network=host busybox nslookup google.com
This command runs the container with the same network settings as the host, bypassing the Docker DNS service.

So we can conclude that fixing DNS will fix the issue.
Read more at: Medium
Open the application:
Building the Docker image takes time. Once it is done, navigate to http://localhost:8080
If you want to change the port:
Stop the containers and edit the docker-compose.yml file.
Update the highlighted port field with the port you want to assign to DefectDojo.

Once done, start the DefectDojo application using 'sudo docker-compose up'.
To change the DefectDojo password:
Find the container ID:
Run the command below and grab the ID of django-defectdojo_uwsgi_1:
sudo docker ps

Interact with the container to change the password:
Run the command below. Here '1a9357169415' is the container ID we got from the previous step.
sudo docker exec -it 1a9357169415 /bin/bash
Now we are in the container terminal. Change the password using manage.py.
To change the password run the command below:
python manage.py changepassword admin
Automatically uploading results to DefectDojo:
Create the following in DefectDojo:
- New Product Type
- New Product
- New Engagement
- New Test Type (choose from the available list: ZAP Scan, Burp Scan, etc.)
- New Test (test results)
Install the DefectDojo Python API:
Install the DefectDojo API source code:
Download the DefectDojo Python API source code from: https://github.com/DefectDojo/defectdojo_api/releases
Extract the download and navigate to the extracted folder.
Run the command below to install the package:
sudo python setup.py develop
Run the script below:
Update the api key with your DefectDojo API key.
Change the value "ZAP Scan" according to the scan type you want to upload. Leave it empty and send the request to get the list of all supported scan types.
#!/usr/bin/python
# import the package
from defectdojo_api import defectdojo
import os

# set up DefectDojo connection information
host = 'http://localhost:8000'
api_key = '1ef85cxxxx7840a767470b8cc107d6f77acb8c4d4'  # replace with your own API key
user = 'admin'

# instantiate the DefectDojo API wrapper
dd = defectdojo.DefectDojoAPI(host, api_key, user, debug=True)

# upload the file: engagement id, scan type, report path, active flag, scan date
print(dd.upload_scan(1, "ZAP Scan", "/home/praveen/Downloads/a.xml", "True", "2019-08-08"))
To uninstall the package:
If you want to uninstall the package, use the command below.
sudo python setup.py develop --uninstall
Python code to integrate with Jenkins:
I am using the code below to get the environment variables I created in Jenkins.
#!/usr/bin/python
# import the package
from defectdojo_api import defectdojo
import os

# set up DefectDojo connection information (defaults; overridden by the
# Jenkins environment variables read below)
host = 'http://localhost:8000'
api_key = '64397d0fcac84f6c791013ba17ad0f3d1bebe18f'
user = 'admin'

# read the values injected by the Jenkins job
time = os.getenv('BUILD_TIMESTAMP')
user = os.getenv('DEFECTDOJO_USER')
host = os.getenv('DEFECTDOJO_HOST')
api_key = os.getenv('DEFECTDOJO_API')
engagement_id = os.getenv('DEFECTDOJO_ENGAGEMENT')

# instantiate the DefectDojo API wrapper
dd = defectdojo.DefectDojoAPI(host, api_key, user, debug=True)

# BUILD_TIMESTAMP is "YYYY-MM-DD HH:MM:SS"; keep only the date part
time = time.split(" ", 1)

# upload the findings
print(dd.upload_scan(engagement_id, "ZAP Scan", "../Selelnium+Zap/SeleniumTutorial/target/testoutfinal.xml", "True", time[0]))

'''
Other examples:
print(dd.upload_scan(1, "Snyk Scan", "snyk.json", "True", time[0]))
'''
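As an added example (not the page's script and not DefectDojo project code), here is a small wrapper that does what the Jenkins snippet above and the earlier upload script do, but takes every setting from the environment, fails before contacting the server when a variable is missing or the engagement id is not numeric, never keeps a hardcoded API key in the script, and accepts the date forms BUILD_TIMESTAMP may take instead of relying on a single split(" "). The RecordingClient stand-in, the function names and the sample environment are my assumptions; the real client is defectdojo.DefectDojoAPI with upload_scan(engagement_id, scan_type, file, active, scan_date) in the positional order the page uses.

```python
# Added example; not from the page or the DefectDojo project.
import os
import re
from datetime import datetime

# Environment variable names used by the Jenkins job on this page.
REQUIRED_VARS = ("DEFECTDOJO_HOST", "DEFECTDOJO_USER", "DEFECTDOJO_API",
                 "DEFECTDOJO_ENGAGEMENT", "BUILD_TIMESTAMP")


def missing_settings(env):
    """Return the names of required variables that are absent or blank in env."""
    return [k for k in REQUIRED_VARS if not env.get(k, "").strip()]


def read_settings(env=None):
    """Collect settings from env (default os.environ), failing fast on a bad job
    configuration so no request is sent with an empty key or engagement id."""
    env = os.environ if env is None else env
    missing = missing_settings(env)
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    cfg = {k: env[k].strip() for k in REQUIRED_VARS}
    if not cfg["DEFECTDOJO_ENGAGEMENT"].isdigit():
        raise RuntimeError("DEFECTDOJO_ENGAGEMENT must be a numeric engagement id")
    return cfg


def scan_date(build_timestamp):
    """Reduce a Jenkins BUILD_TIMESTAMP to the YYYY-MM-DD string upload_scan takes.

    Accepts '2019-08-08 14:05:10' (the only form the page's split(" ", 1)[0]
    handles), a bare '2019-08-08', and ISO '2019-08-08T14:05:10Z'. Raises
    ValueError for anything else, including impossible dates such as 2019-13-40.
    """
    match = re.match(r"(\d{4}-\d{2}-\d{2})(?:[ T]|$)", build_timestamp.strip())
    if not match:
        raise ValueError("unrecognised BUILD_TIMESTAMP: %r" % build_timestamp)
    date = match.group(1)
    datetime.strptime(date, "%Y-%m-%d")  # rejects month 13, day 40, ...
    return date


class RecordingClient(object):
    """Constructed stand-in for defectdojo.DefectDojoAPI so the example runs
    offline: it records the upload_scan call instead of making an HTTP request."""

    def __init__(self, host, api_key, user):
        self.host, self.api_key, self.user = host, api_key, user
        self.calls = []

    def upload_scan(self, engagement_id, scan_type, file, active, scan_date):
        self.calls.append((engagement_id, scan_type, file, active, scan_date))
        return {"engagement_id": engagement_id, "scan_type": scan_type,
                "file": file, "scan_date": scan_date}


def upload_report(report_path, scan_type="ZAP Scan", env=None,
                  client_factory=RecordingClient, check_file=True):
    """Upload one scan report using settings read from the environment.

    client_factory(host, api_key, user) must return an object whose
    upload_scan(engagement_id, scan_type, file, active, scan_date) follows the
    positional order the page uses; pass
    lambda h, k, u: defectdojo.DefectDojoAPI(h, k, u) to talk to a real server.
    Returns whatever the client's upload_scan returns.
    """
    cfg = read_settings(env)
    if check_file and not os.path.isfile(report_path):
        raise IOError("report not found: %s" % report_path)
    date = scan_date(cfg["BUILD_TIMESTAMP"])
    client = client_factory(cfg["DEFECTDOJO_HOST"], cfg["DEFECTDOJO_API"],
                            cfg["DEFECTDOJO_USER"])
    # Log the target and date, but never the API key.
    print("uploading %s as %r to %s, engagement %s, scan date %s"
          % (report_path, scan_type, cfg["DEFECTDOJO_HOST"],
             cfg["DEFECTDOJO_ENGAGEMENT"], date))
    return client.upload_scan(int(cfg["DEFECTDOJO_ENGAGEMENT"]), scan_type,
                              report_path, "True", date)


if __name__ == "__main__":
    # Constructed sample environment standing in for the Jenkins-injected one.
    sample_env = {
        "DEFECTDOJO_HOST": "http://localhost:8000",
        "DEFECTDOJO_USER": "admin",
        "DEFECTDOJO_API": "example-api-key-placeholder",
        "DEFECTDOJO_ENGAGEMENT": "1",
        "BUILD_TIMESTAMP": "2019-08-08 14:05:10",
    }
    print(upload_report("a.xml", env=sample_env, check_file=False))
```

In a Jenkins job you would call upload_report with the real report path and client_factory=lambda h, k, u: defectdojo.DefectDojoAPI(h, k, u), with DEFECTDOJO_API supplied from a Jenkins credential rather than a value committed to the repository; the script then refuses to run at all when any of the five variables is unset, which is easier to spot in the console log than a 401 or a 404 from the API.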