GSoC'19 Final Report | OWASP Foundation

by Saurabh Kumar under Development


---- GSoC'19 Final Report | OWASP Foundation (Project: DefectDojo) ----

Greetings, fellow defenders of the digital realm! I, Saurabh Kumar, am here to present the thrilling tale of my adventures during the Google Summer of Code 2019, in collaboration with the esteemed OWASP Foundation and their magnificent project, DefectDojo. Prepare yourself for a journey through vulnerability management and application security automation!

DefectDojo, a powerful security tool, serves as a guardian of applications by automating the management of security vulnerabilities. With its arsenal of features, such as importing findings from third-party security scanners, merging and deduplication, Jira integration, templating, report generation, and security metrics, DefectDojo streamlines the application security testing process like a true champion.

Let’s dive into the exciting chapters of my GSoC’19 project and witness the remarkable achievements:

Organization: OWASP Foundation
Category: DefectDojo
Mentor: The wise and knowledgeable Aaron Weaver

Now, let’s explore the feats I accomplished during this exhilarating journey:

Implemented Scan Parsers:

Each importer below came with a scan parser and unit tests, and each was merged into the project's codebase:

  • Kiuwan Scan Importer - [Pull Request #1118]
  • Openscap Scan Importer - [Pull Request #1193]
  • Wapiti Scan Importer - [Pull Request #1206]
  • Cobalt.io Scan Importer - [Pull Request #1215]
  • Mozilla Observatory Scan Importer - [Pull Request #1226]
  • Whitesource Importer - [Pull Request #1243]
  • Microfocus Webinspect Importer - [Pull Request #1268]
  • Wpscan Importer - [Pull Request #1345]
  • Sslscan Importer - [Pull Request #1351]
  • Sslyze Scan Importer - [Pull Request #1376]
  • Testssl Scan Importer - [Pull Request #1397]

Fixed Issues:

Throughout my journey, I encountered obstacles that I overcame with skill and dedication. Here are the issues I resolved with unwavering determination:

  • Kiuwan CWE issue fixed - [Pull Request #1175] - Merged.
  • Repo field issue resolved - [Pull Request #1177] - Merged.
  • Added CVE option in findings - [Pull Request #1106] - Merged.
  • Product grading issue fixed - [Pull Request #1082] - Merged.
  • Static and dynamic finding type issue resolved - [Pull Request #1050] - Merged.
  • markdown_render function fixed - [Pull Request #1049] - Merged.
  • Fixed #1257 and a Unicode error in the Contrast importer - [Pull Request #1260] - Merged.
  • SSLLabs scanner issue fixed when no cipher suites are provided - [Pull Request #1367] - Merged.
  • Status column now displays the "under review" option correctly - [Pull Request #1373] - Merged.
  • Veracode static and dynamic issue fixed - [Pull Request #1377] - Merged.
  • Included tags in reports - [Pull Request #1400] - Merged.
  • User edit form fixed to allow removing products - [Pull Request #1420] - Merged.
  • Added current commit hash in footer - [Pull Request #1440] - Merged.
  • Fixed Dependency parser - [Pull Request #1455] - Merged.
  • Fixed Clair Klar importer - [Pull Request #1459] - Merged.
  • Immuniweb ValueError issue resolved - [Pull Request #1477] - Merged.
  • Added CVE to Crashtest and dawnscanner findings - [Pull Request #1480] - Merged.
  • Fixed git commit not showing in release mode - [Pull Request #1483] - Merged.
  • Fixed menu overlapping - [Pull Request #1493] - Merged.

Implemented Unittests:

To ensure the strength and reliability of the project, I undertook the monumental task of implementing unittests for various components:

  • Product Type unit tests - [Pull Request #1153] - Merged.
  • Engagement unit tests - [Pull Request #1170] - Merged.
  • Environment unit tests - [Pull Request #1181] - Merged.

Remaining Tasks:

As with any heroic endeavor, some tasks still await completion. Here are the remaining items on my quest’s to-do list:

  • Add a new image, or select from existing images, inside the finding editor - [Issue #1354]
  • Fix permission handling of users - still to be done.

And thus, my GSoC’19 adventure with DefectDojo comes to a close, but the legacy of security automation and vulnerability management lives on. I am immensely grateful for the opportunity to contribute to such a remarkable project and to collaborate with the brilliant minds of OWASP Foundation.

May the code be secure, the vulnerabilities be few, and the defenders of applications stand tall in the face of cyber threats. Farewell, until we meet again on the next digital battlefield!

Yours in the pursuit of secure applications, Saurabh Kumar (saurabh.dakshana17@gmail.com)

Google Summer of code 2019, OWASP, DefectDojo, Opensource, python, Django