
Add support for Invicti parser through Netsparker #10894

Merged: 4 commits, Sep 16, 2024

Conversation

Maffooch
Contributor

Netsparker has now become Invicti, so we should support Invicti by extending the Netsparker parser. If there are modifications to the Invicti format going forward, it will be much easier to make a change to an existing parser.

[sc-2526]

github-actions bot added labels: settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), docs, unittests, parser (Sep 10, 2024)

dryrunsecurity bot commented Sep 10, 2024

DryRun Security Summary

The pull request focuses on improving the integration and documentation of the Invicti security scanner within the DefectDojo application, including adding documentation, updating the configuration file, implementing an InvictiParser class, adding unit tests, and incorporating sample Invicti security scan reports.


Summary:

The code changes in this pull request are primarily focused on improving the integration and documentation of the Invicti security scanner within the DefectDojo application. The changes include:

  1. Adding documentation for the Invicti integration, including sample scan data and information about the Netsparker to Invicti rebrand.
  2. Updating the configuration file to add support for the Invicti security scanner, including mapping SAML2 attributes and specifying the deduplication algorithm.
  3. Implementing an InvictiParser class that extends the existing NetsparkerParser to handle the parsing and processing of Invicti security scan reports.
  4. Adding unit tests to verify the functionality of the InvictiParser class, including handling edge cases and validating the parsed findings.
  5. Incorporating sample Invicti security scan reports, including examples with and without findings, to support the unit tests.

From an application security perspective, these changes are positive and do not introduce any obvious security vulnerabilities. The documentation updates, configuration changes, and parser implementation are all focused on improving the integration and handling of security scan data, which is an important aspect of a vulnerability management system like DefectDojo.

Files Changed:

  • docs/content/en/integrations/parsers/file/invicti.md: This new file provides documentation for the Invicti security scanner integration, including a link to sample scan data.
  • docs/content/en/integrations/parsers/file/netsparker.md: This file was updated to include a note about the Netsparker to Invicti rebrand and a link to the Invicti blog post.
  • dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash of the dojo/settings/.settings.dist.py configuration file was updated, likely due to changes in the configuration file.
  • dojo/tools/invicti/parser.py: This new file implements the InvictiParser class, which extends the NetsparkerParser to handle Invicti security scan reports.
  • unittests/scans/invicti/invicti_one_finding.json: This file contains a sample Invicti security scan report with a single finding.
  • dojo/settings/settings.dist.py: This file was updated to add the Invicti Scan integration, including mapping SAML2 attributes and specifying the deduplication algorithm.
  • unittests/scans/invicti/invicti_zero_finding.json: This file contains a sample Invicti security scan report with no findings.
  • unittests/tools/test_invicti_parser.py: This new file contains a test suite for the InvictiParser class, verifying its functionality in handling various Invicti scan report scenarios.
  • unittests/scans/invicti/issue_9816.json and unittests/scans/invicti/issue_10311.json: These files contain sample Invicti security scan reports with specific issues, likely used for testing the InvictiParser class.

Overall, these changes appear to be a positive contribution to the DefectDojo project, as they improve the integration and handling of Invicti security scan data, which is an important aspect of a comprehensive vulnerability management solution.

Code Analysis

We ran 9 analyzers against 12 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

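The pattern the PR describes, a brand-specific parser that subclasses the existing Netsparker parser so that all format handling stays in one place, shown as an added example that is not the DefectDojo project's own code. The JSON layout (a top-level "Vulnerabilities" list with "Name", "Severity", "Url", "Description" and a "Classification"/"Cwe" entry), the `Finding` type and the sample reports are assumptions constructed for this illustration, including the zero-findings case the PR's test data covers.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample reports in the assumed Netsparker/Invicti-style layout;
# not real scanner exports.
SAMPLE_REPORT = json.dumps({
    "Generated": "10/09/2024 12:00 PM",
    "Target": {"Url": "https://app.example.test/"},
    "Vulnerabilities": [
        {"Name": "Cross-site Scripting", "Severity": "High",
         "Url": "https://app.example.test/search?q=x",
         "Description": "Reflected input in response body.",
         "Classification": {"Cwe": "79"}},
        {"Name": "Missing X-Frame-Options Header", "Severity": "Low",
         "Url": "https://app.example.test/",
         "Description": "Clickjacking protection header absent.",
         "Classification": {"Cwe": "1021"}},
    ],
})
EMPTY_REPORT = json.dumps({"Target": {"Url": "https://app.example.test/"},
                           "Vulnerabilities": []})

@dataclass(frozen=True)
class Finding:          # hypothetical stand-in for the app's finding model
    title: str
    severity: str
    url: str
    cwe: Optional[int]
    description: str

class NetsparkerParser:
    """Base parser: every piece of format knowledge lives here."""
    SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}

    def get_scan_types(self):
        return ["Netsparker Scan"]

    def get_findings(self, raw: str) -> list:
        data = json.loads(raw)
        findings = []
        # A missing or empty "Vulnerabilities" key simply yields no findings.
        for item in data.get("Vulnerabilities", []):
            severity = item.get("Severity", "Info")
            if severity not in self.SEVERITIES:
                severity = "Info"          # unknown labels are downgraded, not dropped
            cwe = str(item.get("Classification", {}).get("Cwe", ""))
            findings.append(Finding(
                title=item["Name"], severity=severity, url=item.get("Url", ""),
                cwe=int(cwe) if cwe.isdigit() else None,
                description=item.get("Description", "")))
        return findings

class InvictiParser(NetsparkerParser):
    """Same format, new brand: only the scan-type label changes."""
    def get_scan_types(self):
        return ["Invicti Scan"]
```

Because `InvictiParser` overrides nothing but the label, a future change to the report format is fixed once in `NetsparkerParser.get_findings` and both scan types pick it up.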

Contributor

@mtesauro mtesauro left a comment


Approved

Contributor

@cneill cneill left a comment


Minor docs typo, otherwise this looks good

Review comment on docs/content/en/integrations/parsers/file/netsparker.md (outdated, resolved)
Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
@mtesauro mtesauro merged commit 5d2e728 into DefectDojo:bugfix Sep 16, 2024
73 checks passed