🎉 Improvements for wazuh importer #9248

Merged
merged 16 commits into from
Feb 6, 2024
2 changes: 1 addition & 1 deletion docs/content/en/integrations/parsers/file/wazuh.md
@@ -2,4 +2,4 @@
title: "Wazuh Scanner"
toc_hide: true
---
Import JSON report.
Import findings from Wazuh. The export from wazuh should be done via the script [available here](https://github.com/quirinziessler/wazuh-findings-exporter). The script fetches the findings by Wazuh client groups and saves them as json, ready for upload. Have in mind to adjust the max file size via "DD_SCAN_FILE_MAX_SIZE" if the file is larger than the default value of 100MB.
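Review bot: the new paragraph should also tell users what the importer silently drops. The parser docstring in this PR says entries with condition "Package unfixed" are skipped, and the parser code additionally skips severity "Untriaged"; without that sentence here, users will wonder why their upload has fewer findings than the exported JSON. The docstring's "one engagement per group" guidance belongs on this page too, since the exporter is organised by Wazuh group. Minor: "wazuh" should be capitalised as "Wazuh" to match the rest of the sentence.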
2 changes: 1 addition & 1 deletion dojo/settings/settings.dist.py
@@ -1,4 +1,4 @@
# Django settings for DefectDojo
import os
from datetime import timedelta
from celery.schedules import crontab
@@ -1255,7 +1255,6 @@
'NeuVector (compliance)': ['title', 'vuln_id_from_tool', 'description'],
'Wpscan': ['title', 'description', 'severity'],
'Popeye Scan': ['title', 'description'],
'Wazuh Scan': ['title'],
'Nuclei Scan': ['title', 'cwe', 'severity'],
'KubeHunter Scan': ['title', 'description'],
'kube-bench Scan': ['title', 'vuln_id_from_tool', 'description'],
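Review bot: dropping `'Wazuh Scan': ['title']` from the hash-code field list is consistent with moving this scanner to unique-id deduplication, but it changes behaviour for findings already in the database: those were deduplicated on a hash of `title` alone and carry no `unique_id_from_tool`, so the first import with the new parser will not match them and will create duplicates once. That is probably acceptable, but it should be called out in the PR description or release notes so operators are not surprised.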
@@ -1469,6 +1468,7 @@
'Threagile risks report': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
'Humble Json Importer': DEDUPE_ALGO_HASH_CODE,
'MSDefender API': DEDUPE_ALGO_HASH_CODE,
'Wazuh Scan': DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL,
}

# Override the hardcoded settings here via the env var
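Review bot: the key added here is `'Wazuh Scan'`, while `get_scan_types` in `dojo/tools/wazuh/parser.py` returns `"Wazuh"`. DefectDojo looks these per-scanner settings up by the scan type name the parser reports, so please confirm the two strings agree; if they do not, the entry is never consulted and the import falls back to the default deduplication algorithm, which silently defeats the point of setting `unique_id_from_tool` in the parser.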
130 changes: 66 additions & 64 deletions dojo/tools/wazuh/parser.py
@@ -1,90 +1,92 @@
import hashlib
import json
from dojo.models import Finding
from dojo.models import Finding, Endpoint


class WazuhParser(object):
"""
Use Wazuh Vulnerability API to retrieve the findings
IMPORTANT: Please use the script available here https://github.com/quirinziessler/wazuh-findings-exporter to generate
the report for DefectDojo. This script fetches the findings from wazuh based on a single Wazuh group.

In DD please configure one engagement per group and upload the report.

The vulnerabilities with condition "Package unfixed" are skipped because there is no fix out yet.
https://github.com/wazuh/wazuh/issues/14560
"""

def get_scan_types(self):
return ["Wazuh"]

def get_label_for_scan_types(self, scan_type):
return "Wazuh"

def get_description_for_scan_types(self, scan_type):
return "Wazuh"

def get_findings(self, filename, test):
data = json.load(filename)
def get_findings(self, file, test):
data = json.load(file)

if not data:
return []

# Detect duplications
dupes = dict()

try:
vulnerability = data[next(iter(data.keys()))]["affected_items"]
except (KeyError, StopIteration):
return list()
# Loop through each element in the list
for entry in data:
vulnerabilities = entry.get("data", {}).get("affected_items", [])
for item in vulnerabilities:
if (
item["condition"] != "Package unfixed"
and item["severity"] != "Untriaged"
):
id = item.get("cve")
package_name = item.get("name")
package_version = item.get("version")
description = item.get("condition")
severity = item.get("severity").capitalize()
agent_ip = item.get("agent_ip")
links = item.get("external_references")
cvssv3_score = item.get("cvss3_score")
publish_date = item.get("published")
agent_name = item.get("agent_name")

if vulnerability is None:
return list()
if links:
references = "\n".join(links)
else:
references = None

for item in vulnerability:
if (
item["condition"] != "Package unfixed"
and item["severity"] != "Untriaged"
):
id = item.get("cve")
package_name = item.get("name")
package_version = item.get("version")
description = item.get("condition")
if item.get("severity") == "Untriaged":
severity = "Info"
else:
severity = item.get("severity")
if item.get("status") == "VALID":
active = True
else:
active = False
links = item.get("external_references")
title = (
item.get("title") + " (version: " + package_version + ")"
)
severity = item.get("severity", "info").capitalize()
if links:
references = ""
for link in links:
references += f"{link}\n"
else:
references = None

if id and id.startswith("CVE"):
vulnerability_id = id
else:
vulnerability_id = None
title = (
item.get("title") + " (version: " + package_version + ")"
)
dupe_key = title + id + agent_name + package_name + package_version
dupe_key = hashlib.sha256(dupe_key.encode('utf-8')).hexdigest()

dupe_key = title
if dupe_key in dupes:
find = dupes[dupe_key]
else:
dupes[dupe_key] = True

if dupe_key in dupes:
find = dupes[dupe_key]
else:
dupes[dupe_key] = True
find = Finding(
title=title,
test=test,
description=description,
severity=severity,
mitigation="mitigation",
references=references,
static_finding=True,
component_name=package_name,
component_version=package_version,
cvssv3_score = cvssv3_score,
publish_date = publish_date,
unique_id_from_tool = dupe_key,
)
# in some cases the agent_ip is not the perfect way on how to identify a host. Thus prefer the agent_name, if existant.
if agent_ip and agent_name:
find.unsaved_endpoints = [Endpoint(host=agent_name)]
elif agent_ip:
find.unsaved_endpoints = [Endpoint(host=agent_ip)]
elif agent_name:
find.unsaved_endpoints = [Endpoint(host=agent_name)]
dupes[dupe_key] = find

find = Finding(
title=title,
test=test,
description=description,
severity=severity,
active=active,
mitigation="mitigation",
references=references,
static_finding=True,
component_name=package_name,
component_version=package_version,
)
if vulnerability_id:
find.unsaved_vulnerability_ids = [vulnerability_id]
dupes[dupe_key] = find
return list(dupes.values())
return list(dupes.values())
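Review bot: `dupe_key = title + id + agent_name + package_name + package_version` raises `TypeError` as soon as any component is `None`; `id` comes from `item.get("cve")` and the removed code explicitly handled a missing or non-CVE value, and `agent_name`, `name` and `version` are all plain `.get()` calls too. Build the key from `(id or "")`, `(agent_name or "")` and so on, and apply the same guard to `item.get("title") + " (version: " + package_version + ")"`. Renaming `id` to `cve` would also stop shadowing the builtin. Two things from the removed block did not survive the rewrite: the `active` flag derived from `item.get("status") == "VALID"` is gone, so every imported finding is now active regardless of Wazuh status, and `find.unsaved_vulnerability_ids = [vulnerability_id]` is gone, so the CVE is no longer attached to the finding as a vulnerability id and only lives inside the SHA-256 of the dedupe key; both should be restored. `severity = item.get("severity").capitalize()` raises `AttributeError` when the field is absent; if the later `item.get("severity", "info").capitalize()` assignment is the one meant to stay, delete the first. Finally, the flake8 notices are valid: spaces around `=` in the `cvssv3_score`, `publish_date` and `unique_id_from_tool` keyword arguments (E251), trailing whitespace on the docstring line ending in "to generate", and a missing newline at end of file.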