✨ implement progpilot SAST parser #10044

[manuel-sommer]

see issue #10044

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
AppSec Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖.
Note that this summary is auto-generated and not meant to be a definitive list of security issues
but rather a helpful summary from a security perspective.

Summary:

This pull request includes changes related to the integration of the Progpilot Static Application Security Testing (SAST) tool into the DefectDojo application. The changes involve adding documentation for the Progpilot parser, making a minor change to the __init__.py file, and modifying several test files to handle the parsing of Progpilot security scan results.

From an application security perspective, the key points to highlight are:

1. Progpilot Integration: The addition of the Progpilot parser allows DefectDojo to import and process the output of the Progpilot SAST tool. This integration is a positive step towards improving the application's security testing capabilities.

2. Vulnerability Identification: The test files contain sample Progpilot scan results that identify potential security vulnerabilities, such as SQL injection and cross-site scripting (XSS) issues. These findings should be reviewed and addressed to improve the overall security of the application.

3. Parsing Robustness: The unit tests for the ProgpilotParser class demonstrate the ability to handle various input formats, ensuring the parser can reliably process the output of the Progpilot tool. This is an important aspect of maintaining the security testing infrastructure.

4. Dependency on External Tools: While the integration with Progpilot is a valuable addition, it's crucial to ensure that the Progpilot tool itself is maintained and secure, as any vulnerabilities in the tool could potentially impact the security of the DefectDojo application.

Files Changed:

• docs/content/en/integrations/parsers/file/progpilot.md: This file adds documentation for the new Progpilot parser, providing information about the parser's functionality and the sample scan data.
• dojo/tools/progpilot/__init__.py: The changes in this file simply add an __author__ attribute, which is a common practice to indicate the author of a Python module.
• unittests/scans/progpilot/progpilot.json: This file contains sample Progpilot scan results that identify a SQL injection vulnerability and a security misconfiguration issue in the Order.php file.
• dojo/tools/progpilot/parser.py: The changes in this file are related to the implementation of the ProgpilotParser class, which is responsible for parsing the Progpilot security scan results and generating Finding objects.
• unittests/scans/progpilot/progpilot[2-4].json: These files contain additional sample Progpilot scan results, including findings related to SQL injection and cross-site scripting (XSS) vulnerabilities.
• unittests/tools/test_progpilot_parser.py: This file includes unit tests for the ProgpilotParser class, ensuring the parser can correctly handle various input formats and extract the relevant security findings.

Powered by DryRun Security

[mtesauro]

Approved

[cneill]

Just a small typo, otherwise looks good

[manuel-sommer]

Done @cneill. You can merge.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.