
Add new parser - Rapplex #10202

Open · wants to merge 9 commits into base: dev

Conversation

AlperenY-cs

[image: Rapplex_identity-09]

Rapplex - Web Application Security Scanner

For more information, Rapplex

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs unittests parser labels May 14, 2024

dryrunsecurity bot commented May 14, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings:
  Configured Codepaths Analyzer: 0 findings
  AppSec Analyzer: 0 findings
  Sensitive Files Analyzer: 0 findings
  Authn/Authz Analyzer: 0 findings
  Secrets Analyzer: 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

This GitHub Pull Request includes several changes related to the integration of the Rapplex web application security scanner into the DefectDojo application. The changes cover the following areas:

  1. Documentation: A new markdown file rapplex.md has been added to the documentation, providing information on how to import JSON reports from the Rapplex scanner.
  2. Configuration: The settings.dist.py file has been updated to include configuration settings for the Rapplex parser, such as the fields to be used for deduplicating findings and the deduplication algorithm.
  3. Parser Implementation: A new parser class RapplexParser has been added to handle the processing of Rapplex scan reports and the extraction of security findings.
  4. Unit Tests: A set of unit tests has been added to verify the functionality of the RapplexParser class, ensuring that it can correctly handle various scenarios, including reports with no findings, one finding, and multiple findings.
  5. Test Data: Sample Rapplex scan reports have been added to the unittests/scans/rapplex directory, covering different types of vulnerabilities (SQL Injection, XSS, Information Disclosure, etc.) and severity levels.

From an application security perspective, these changes appear to be well-designed and implemented. The addition of the Rapplex integration, the comprehensive test coverage, and the inclusion of sample scan reports demonstrate a commitment to improving the security capabilities of the DefectDojo application.

Files Changed:

  1. docs/content/en/integrations/parsers/file/rapplex.md: This new file provides documentation on how to import Rapplex scan data into the DefectDojo application.
  2. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash of the .settings.dist.py file has been updated, indicating that the configuration file has been modified.
  3. dojo/settings/settings.dist.py: The default settings for the DefectDojo application have been updated to include configuration for the Rapplex parser, such as the fields to be used for deduplicating findings and the deduplication algorithm.
  4. dojo/tools/rapplex/parser.py: This new file contains the implementation of the RapplexParser class, which is responsible for parsing and processing Rapplex scan reports.
  5. unittests/scans/rapplex/rapplex_one_vul.json: This file contains a sample Rapplex scan report with a single SQL Injection vulnerability.
  6. unittests/tools/test_rapplex_parser.py: This file contains unit tests for the RapplexParser class, ensuring that it can correctly handle various scenarios and extract the expected security findings.
  7. unittests/scans/rapplex/rapplex_many_vul.json: This file contains a sample Rapplex scan report with multiple vulnerabilities, including SQL Injection, XSS, Information Disclosure, and Missing X-Frame-Options Header.
  8. unittests/scans/rapplex/rapplex_zero_vul.json: This file contains a sample Rapplex scan report with no identified vulnerabilities.

Overall, the changes in this Pull Request appear to be well-designed and implemented, with a focus on improving the security capabilities of the DefectDojo application through the integration of the Rapplex web application security scanner.

Powered by DryRun Security
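The bot summary above describes the four parts of a DefectDojo scanner integration (docs, dedup settings, a parser class, and zero/one/many unit tests) without showing what the parser does. The following stand-alone module, written for this page as an added illustration and not taken from the PR or from DefectDojo, mirrors that shape: a `RapplexParser` class with the method names used by the DefectDojo file-parser convention (assumed here, not confirmed by the page), a minimal `Finding` stand-in, severity normalisation, and a hash over a configured subset of fields that plays the role of the per-scanner dedup fields the settings change refers to. The JSON keys (`Issues`, `Title`, `Severity`, `Url`, `Cwe`, `Description`) are constructed for the example; the real Rapplex report layout is not shown on this page, and in DefectDojo itself the importer, not the parser, computes the dedup hash.

```python
import hashlib
import io
import json
from dataclasses import dataclass, field
from typing import List, Optional, TextIO

# Constructed sample reports. The "Issues"/"Title"/"Severity"/"Url"/"Cwe" keys are
# ASSUMED for illustration; the real Rapplex JSON layout is not shown on the PR page.
SAMPLE_ZERO = json.dumps({"Issues": []})
SAMPLE_ONE = json.dumps({"Issues": [
    {"Title": "SQL Injection", "Severity": "Critical",
     "Url": "https://app.example/login?id=1", "Cwe": 89,
     "Description": "Parameter 'id' reaches a SQL query without sanitisation."},
]})
SAMPLE_MANY = json.dumps({"Issues": [
    {"Title": "SQL Injection", "Severity": "Critical",
     "Url": "https://app.example/login?id=1", "Cwe": 89,
     "Description": "Parameter 'id' reaches a SQL query without sanitisation."},
    {"Title": "Reflected XSS", "Severity": "High",
     "Url": "https://app.example/search?q=x", "Cwe": 79},
    {"Title": "Missing X-Frame-Options Header", "Severity": "LOW",
     "Url": "https://app.example/", "Cwe": 1021},
    # Same issue reported twice (e.g. reached via two crawl paths): must collapse to one.
    {"Title": "SQL Injection", "Severity": "Critical",
     "Url": "https://app.example/login?id=1", "Cwe": 89},
]})

# Normalise scanner severities to the five levels DefectDojo uses; anything unknown is Info.
SEVERITY_MAP = {"critical": "Critical", "high": "High", "medium": "Medium",
                "low": "Low", "info": "Info", "information": "Info"}

# Fields that make up the dedup hash: the role the per-scanner hashcode-fields
# setting in settings.dist.py plays for a parser (assumed configuration, not the PR's).
HASHCODE_FIELDS = ("title", "severity", "url")


@dataclass
class Finding:
    """Minimal stand-in for the DefectDojo Finding model (not the real model)."""
    title: str
    severity: str
    description: str
    url: str
    cwe: Optional[int]
    hash_code: str = field(init=False)

    def __post_init__(self) -> None:
        # Hash only the configured fields, so a re-scan that rewords the description
        # still maps onto the same finding instead of creating a duplicate.
        material = "|".join(str(getattr(self, name)) for name in HASHCODE_FIELDS)
        self.hash_code = hashlib.sha256(material.encode("utf-8")).hexdigest()


class RapplexParser:
    """Shaped like a DefectDojo file parser (method names assumed from that convention)."""

    def get_scan_types(self) -> List[str]:
        return ["Rapplex Scan"]

    def get_label_for_scan_types(self, scan_type: str) -> str:
        return "Rapplex Scan"

    def get_description_for_scan_types(self, scan_type: str) -> str:
        return "Import a Rapplex JSON report."

    def get_findings(self, file: TextIO, test=None) -> List[Finding]:
        data = json.load(file)
        issues = data.get("Issues", [])
        if not isinstance(issues, list):
            raise ValueError("Rapplex report: 'Issues' must be a list")
        findings: List[Finding] = []
        seen = set()
        for issue in issues:
            if not isinstance(issue, dict):
                continue  # skip a malformed entry rather than aborting the whole import
            severity = SEVERITY_MAP.get(str(issue.get("Severity", "")).lower(), "Info")
            cwe = issue.get("Cwe")
            finding = Finding(
                title=str(issue.get("Title", "Untitled Rapplex finding")),
                severity=severity,
                description=str(issue.get("Description", "")),
                url=str(issue.get("Url", "")),
                cwe=int(cwe) if isinstance(cwe, int) else None,
            )
            if finding.hash_code in seen:
                continue  # duplicate within the same report
            seen.add(finding.hash_code)
            findings.append(finding)
        return findings


def parse_report(text: str) -> List[Finding]:
    """Convenience wrapper: parse an in-memory JSON report string."""
    return RapplexParser().get_findings(io.StringIO(text))


if __name__ == "__main__":
    for name, sample in (("zero", SAMPLE_ZERO), ("one", SAMPLE_ONE), ("many", SAMPLE_MANY)):
        found = parse_report(sample)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.title} at {f.url} cwe={f.cwe} hash={f.hash_code[:12]}")
```

The three samples correspond to the zero/one/many cases the PR's unit tests are said to cover; the fourth entry in `SAMPLE_MANY` shows why the hash is computed over a fixed field subset rather than the whole record, and the `isinstance` checks are the kind of input validation a parser that ingests untrusted scanner output should have.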

@mtesauro
Contributor

@AlperenY-cs I just kicked off the tests - they'll need to be green before we'll merge this PR - the Ruff linter has issues you can address now or when the rest of the tests have run.

@AlperenY-cs
Author

@AlperenY-cs I just kicked off the tests - they'll need to be green before we'll merge this PR - the Ruff linter has issues you can address now or when the rest of the tests have run.

Thanks. I solved the ruff linter's problems. #fyi

@mtesauro (Contributor) left a comment

Approved

Review threads (outdated, resolved):
  dojo/tools/rapplex/parser.py (5 threads)
  dojo/settings/settings.dist.py (1 thread)
@AlperenY-cs AlperenY-cs requested a review from Maffooch May 22, 2024 11:26
Review thread (outdated, resolved): dojo/tools/rapplex/parser.py
@AlperenY-cs AlperenY-cs requested a review from albay May 22, 2024 11:51
@albay left a comment

Thanks for the code changes.

@mtesauro
Contributor

@albay Closing and re-opening as the tests seem stuck for some reason

@mtesauro mtesauro closed this May 23, 2024
@mtesauro mtesauro reopened this May 23, 2024
@Maffooch
Contributor

Maffooch commented Jun 5, 2024

@AlperenY-cs one last thing that is needed is to update the settings hash, and then I think this one will be good to go!

Details for doing so are here: https://github.com/DefectDojo/django-DefectDojo/blob/67a75710d6991a3ee3d4ed8dca7d0ef5c9cef46a/dojo/settings/settings.dist.py#L1C1-L11C106

Contributor

github-actions bot commented Jun 6, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Labels
conflicts-detected docs parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR unittests

5 participants