Feature/lab12

.github/pull_request_template.md

@@ -0,0 +1,12 @@
+## Goal
+
+## Changes
+
+## Testing
+
+## Artifacts & Screenshots
+
+## Checklist
+- [ ] clear title
+- [ ] docs updated if needed
+- [ ] no secrets/large temp files

labs/lab10/imports/import-grype-vuln-results.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":11,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":12,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":12},"low":{"active":3,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":3},"medium":{"active":32,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":32},"high":{"active":64,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":64},"critical":{"active":11,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":11},"total":{"active":122,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":122}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Anchore Grype","close_old_findings":false,"close_old_findings_product_scope":false,"test":11}

labs/lab10/imports/import-juice-shop-trivy-detailed.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":9,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":18,"verified":18,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":18},"medium":{"active":36,"verified":34,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":36},"high":{"active":83,"verified":81,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":83},"critical":{"active":10,"verified":10,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":10},"total":{"active":147,"verified":143,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":147}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Trivy Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":9}

labs/lab10/imports/import-nuclei-results.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":10,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"medium":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"high":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Nuclei Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":10}

labs/lab10/imports/import-semgrep-results.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":8,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"medium":{"active":18,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":18},"high":{"active":7,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":7},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":25,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":25}}},"pro":["Did you know, Pro has an automated no-code connector for Semgrep JSON Report? Try today for free or email us at hello@defectdojo.com"],"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Semgrep JSON Report","close_old_findings":false,"close_old_findings_product_scope":false,"test":8}

labs/lab10/imports/run-imports.ps1

@@ -0,0 +1,126 @@
+$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+$ProjectRoot = if ($ScriptDir -match "labs\\lab10\\imports") { Split-Path -Parent (Split-Path -Parent (Split-Path -Parent $ScriptDir)) } else { Get-Location }
+
+function Resolve-ProjectPath {
+    param($RelativePath)
+    $Full = Join-Path $ProjectRoot $RelativePath
+    if (Test-Path $Full) { return $Full }
+    return $null
+}
+
+$DD_API = if ($env:DD_API) { $env:DD_API } else { "http://localhost:8080/api/v2" }
+$DD_TOKEN = if ($env:DD_TOKEN) { $env:DD_TOKEN } else { "268519587e3e68b8447c691da729289cbbd6995a" }
+
+if (-not $DD_TOKEN) {
+    Write-Error "DD_TOKEN environment variable is required."
+    exit 1
+}
+
+$DD_PRODUCT_TYPE = if ($env:DD_PRODUCT_TYPE) { $env:DD_PRODUCT_TYPE } else { "Engineering" }
+$DD_PRODUCT = if ($env:DD_PRODUCT) { $env:DD_PRODUCT } else { "Juice Shop" }
+$DD_ENGAGEMENT = if ($env:DD_ENGAGEMENT) { $env:DD_ENGAGEMENT } else { "Labs Security Testing" }
+
+Write-Host "Using context:"
+Write-Host "  ProjectRoot=$ProjectRoot"
+Write-Host "  DD_API=$DD_API"
+Write-Host "  DD_PRODUCT_TYPE=$DD_PRODUCT_TYPE"
+Write-Host "  DD_PRODUCT=$DD_PRODUCT"
+Write-Host "  DD_ENGAGEMENT=$DD_ENGAGEMENT"
+
+$Headers = @{
+    "Authorization" = "Token $DD_TOKEN"
+}
+
+Write-Host "Discovering importer names from /test_types/ ..."
+try {
+    $response = Invoke-RestMethod -Uri "$DD_API/test_types/?limit=2000" -Headers $Headers -Method Get
+    $types = $response.results.name
+} catch {
+    Write-Warning "Failed to fetch test types from API. Using defaults."
+    $types = @()
+}
+
+function Get-ScanType {
+    param($Pattern, $Fallback)
+    $match = $types | Where-Object { $_ -match $Pattern } | Select-Object -First 1
+    if ($match) { return $match }
+    return $Fallback
+}
+
+$SCAN_ZAP = Get-ScanType "^ZAP Scan" "ZAP Scan"
+$SCAN_SEMGREP = Get-ScanType "^Semgrep JSON Report" "Semgrep JSON Report"
+$SCAN_TRIVY = Get-ScanType "^Trivy Scan" "Trivy Scan"
+$SCAN_NUCLEI = Get-ScanType "^Nuclei Scan" "Nuclei Scan"
+$SCAN_GRYPE = Get-ScanType "^Anchore Grype|^Grype" "Anchore Grype"
+
+Write-Host "Importer names:"
+Write-Host "  ZAP      = $SCAN_ZAP"
+Write-Host "  Semgrep  = $SCAN_SEMGREP"
+Write-Host "  Trivy    = $SCAN_TRIVY"
+Write-Host "  Nuclei   = $SCAN_NUCLEI"
+Write-Host "  Grype    = $SCAN_GRYPE"
+
+function Import-ScanFile {
+    param($ScanType, $FilePath)
+
+    if (-not $FilePath) { return }
+    if (-not (Test-Path $FilePath)) {
+        Write-Host "SKIP: $ScanType file not found: $FilePath" -ForegroundColor Yellow
+        return
+    }
+
+    Write-Host "Importing $ScanType from $FilePath" -ForegroundColor Cyan
+
+    $outBase = [System.IO.Path]::GetFileNameWithoutExtension($FilePath)
+    $outPath = Join-Path (Join-Path $ProjectRoot "labs\lab10\imports") "import-$($outBase -replace '[^A-Za-z0-9_.-]', '_').json"
+
+    $UploadFile = $FilePath
+    if ($ScanType -match "Nuclei") {
+        $content = Get-Content $FilePath -Raw
+        if ($content -match '}\s*{') {
+            Write-Host "  Detected JSON-L format for Nuclei, converting to array..." -ForegroundColor Gray
+            $jsonArray = "[" + ($content -replace '}\s*{', '},{') + "]"
+            $UploadFile = Join-Path $env:TEMP "nuclei-fixed.json"
+            $jsonArray | Out-File -FilePath $UploadFile -Encoding utf8
+        }
+    }
+
+    curl.exe -sS -X POST "$DD_API/import-scan/" `
+        -H "Authorization: Token $DD_TOKEN" `
+        -F "scan_type=$ScanType" `
+        -F "file=@$UploadFile" `
+        -F "product_type_name=$DD_PRODUCT_TYPE" `
+        -F "product_name=$DD_PRODUCT" `
+        -F "engagement_name=$DD_ENGAGEMENT" `
+        -F "auto_create_context=true" `
+        -F "minimum_severity=Info" `
+        -F "close_old_findings=false" `
+        -F "push_to_jira=false" `
+        -o "$outPath"
+
+    if (Test-Path $outPath) {
+        $res = Get-Content $outPath | ConvertFrom-Json
+        if ($res.engagement -or $res.engagement_id -or $res.test -or $res.test_id) {
+            Write-Host "SUCCESS: Imported into engagement $($res.engagement_id)" -ForegroundColor Green
+        } else {
+            Write-Host "WARNING: Import returned unexpected response. Check $outPath" -ForegroundColor Yellow
+            if ($res.message) { Write-Host "  Message: $($res.message)" -ForegroundColor Red }
+        }
+    } else {
+        Write-Error "FAILED to import $ScanType : No response saved."
+    }
+}
+
+$Reports = @(
+    @{ Type = $SCAN_ZAP; Path = Resolve-ProjectPath "labs/lab5/zap/zap-report-noauth.json" },
+    @{ Type = $SCAN_SEMGREP; Path = Resolve-ProjectPath "labs/lab5/semgrep/semgrep-results.json" },
+    @{ Type = $SCAN_TRIVY; Path = Resolve-ProjectPath "labs/lab4/trivy/juice-shop-trivy-detailed.json" },
+    @{ Type = $SCAN_NUCLEI; Path = Resolve-ProjectPath "labs/lab5/nuclei/nuclei-results.json" },
+    @{ Type = $SCAN_GRYPE; Path = Resolve-ProjectPath "labs/lab4/syft/grype-vuln-results.json" }
+)
+
+foreach ($report in $Reports) {
+    Import-ScanFile -ScanType $report.Type -FilePath $report.Path
+}
+
+Write-Host "Done. Import process completed."

labs/lab10/imports/scan_types_utf8.txt

@@ -0,0 +1,232 @@
+API Test
+Static Check
+Pen Test
+Web Application Test
+Security Research
+Threat Modeling
+Manual Code Review
+Prowler
+Anchore Grype
+Anchore Grype detailed
+HCLAppScan XML
+SpotBugs Scan
+NeuVector (compliance)
+NPM Audit Scan
+Threagile risks report
+OssIndex Devaudit SCA Scan Importer
+Clair Scan
+Checkov Scan
+GitLab API Fuzzing Report Scan
+Bundler-Audit Scan
+Openscap Vulnerability Scan
+PHP Symfony Security Check
+Burp Suite DAST Scan
+Burp Enterprise Scan
+OSV Scan
+Rubocop Scan
+Blackduck Hub Scan
+Sslscan
+WFuzz JSON report
+Terrascan Scan
+SSLyze Scan (JSON)
+Sslyze Scan
+AWS Security Hub Scan
+Popeye Scan
+Solar Appscreener Scan
+pip-audit Scan
+PMD Scan
+GitLab SAST Report
+Blackduck Binary Analysis
+Acunetix Scan
+Wiz Scan
+IriusRisk Threats Scan
+SARIF
+ORT evaluated model Importer
+Qualys Hacker Guardian Scan
+Crunch42 Scan
+AnchoreCTL Vuln Report
+OpenVAS Parser
+OpenVAS Parser v2
+Azure Security Center Recommendations Scan
+Horusec Scan
+Kubeaudit Scan
+Humble Json Importer
+Contrast Scan
+GitLab Secret Detection Report
+Mozilla Observatory Scan
+StackHawk HawkScan
+Tenable Scan
+Semgrep Pro JSON Report
+Yarn Audit Scan
+Codechecker Report native
+Hydra Scan
+Node Security Platform Scan
+Veracode Scan
+Immuniweb Scan
+Cycognito Scan
+ESLint Scan
+Cloudflare Insights
+HackerOne Cases
+Bugcrowd API Import
+Burp REST API
+BlackDuck API
+Github Secrets Detection Report Scan
+Brakeman Scan
+GitLab DAST Report
+Retire.js Scan
+BugCrowd Scan
+Checkmarx One Scan
+Twistlock Image Scan
+Snyk Issue API Scan
+Ggshield Scan
+AWS Security Finding Format (ASFF) Scan
+GitLab Container Scan
+PWN SAST
+Trivy Scan
+Checkmarx CxFlow SAST
+AWS Inspector2 Scan
+CredScan Scan
+Legitify Scan
+Aqua Scan
+Crashtest Security JSON File
+Crashtest Security XML File
+OpenReports
+Kiuwan Scan
+SSL Labs Scan
+PingCastle
+AppSpider Scan
+Talisman Scan
+Burp GraphQL API
+Anchore Engine Scan
+Kiuwan SCA Scan
+Checkmarx OSA
+Burp Dastardly Scan
+DrHeader JSON Importer
+Cobalt.io Scan
+HCL AppScan on Cloud SAST XML
+Edgescan Scan
+ThreatComposer Scan
+Whispers Scan
+SSH Audit Importer
+Orca Security Alerts
+TFSec Scan
+Sysdig Vulnerability Report
+MobSF Scorecard Scan
+Trustwave Fusion API Scan
+Invicti Scan
+Xeol Parser
+ReversingLabs Spectra Assure
+IBM AppScan DAST
+Chef Inspect Log
+Wpscan
+Rusty Hog Scan
+Choctaw Hog Scan
+Duroc Hog Scan
+Gottingen Hog Scan
+Essex Hog Scan
+SKF Scan
+Wizcli IaC Scan
+Generic Findings Import
+Deepfence Threatmapper Report
+Nuclei Scan
+Vulners
+PHP Security Audit v2
+GitLab Dependency Scanning Report
+Cyberwatch scan (Galeax)
+AppCheck Web Application Scanner
+Gitleaks Scan
+Qualys Scan
+Bearer CLI
+Xanitizer Scan
+Arachni Scan
+Qualys Webapp Scan
+NPM Audit v7+ Scan
+Dependency Track Finding Packaging Format (FPF) Export
+Mend Scan
+Dockle Scan
+Google Cloud Artifact Vulnerability Scan
+Nancy Scan
+HuskyCI Report
+KICS Scan
+AWS Prowler Scan
+Cobalt.io API Import
+DSOP Scan
+Gosec Scanner
+Wizcli Dir Scan
+Govulncheck Scanner
+Wizcli Img Scan
+CycloneDX Scan
+MobSF Scan
+Mobsfscan Scan
+Detect-secrets Scan
+JFrog Xray Unified Scan
+Harbor Vulnerability Scan
+docker-bench-security Scan
+Progpilot Scan
+Testssl Scan
+IntSights Report
+MSDefender Parser
+Veracode SourceClear Scan
+VCG Scan
+PTART Report
+Fortify Scan
+Prowler Scan
+Wapiti Scan
+Nexpose Scan
+Snyk Scan
+Nmap Scan
+KubeHunter Scan
+AWS Prowler V3
+Checkmarx Scan
+Checkmarx Scan detailed
+Trustwave Scan (CSV)
+Bandit Scan
+Red Hat Satellite
+Risk Recon API Importer
+Netsparker Scan
+Mayhem SARIF Report
+ZAP Scan
+Sysdig CLI Report
+Dependency Check Scan
+Burp Scan
+SonarQube API Import
+NeuVector (REST)
+Outpost24 Scan
+Microfocus Webinspect Scan
+Nosey Parker Scan
+Trufflehog Scan
+kube-bench Scan
+Trufflehog3 Scan
+DawnScanner Scan
+Github SAST Scan
+Snyk Code Scan
+Kubescape JSON Importer
+Blackduck Component Risk
+Qualys Infrastructure Scan (WebGUI XML)
+Coverity API
+Meterian Scan
+AnchoreCTL Policies Report
+Coverity Scan JSON Report
+Rapplex Scan
+JFrog Xray Scan
+JFrog Xray On Demand Binary Scan
+Anchore Enterprise Policy Check
+Github Vulnerability Scan
+SonarQube Scan
+SonarQube Scan detailed
+Semgrep JSON Report
+WhiteHat Sentinel
+AuditJS Scan
+Sonatype Application Scan
+Hadolint Dockerfile check
+Scantist Scan
+Zora Parser
+Scout Suite Scan
+Nikto Scan
+JFrog Xray API Summary Artifact Scan
+Cloudsploit Scan
+CargoAudit Scan
+Trivy Operator Scan
+KrakenD Audit Scan
+Wazuh
+n0s1 Scanner