✨ implement krakend audit parser (#10924)

* ✨ implement krakend audit parser

* advance unittests

Author: manuel-sommer

docs/content/en/integrations/parsers/file/krakend_audit.md

@@ -0,0 +1,11 @@
+---
+title: "KrakenD Audit Scan"
+toc_hide: true
+---
+Import KrakenD Audit Scan results in JSON format. You can use the following command to audit the KrakenD configuration which then can be uploaded to DefectDojo: 
+```
+krakend audit -c krakend.json -f "{{ marshal . }}" >> recommendations.json
+```
+
+### Sample Scan Data
+Sample KrakenD Audit scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/krakend_audit).

dojo/settings/.settings.dist.py.sha256sum

@@ -1 +1 @@
-702d74c8bc703d11c03cf5b3f7c4319ad0cdeaef68db6426d1112c59e59365a6
+b330f7dbd92c2df5a2a0632befc9775bef4a1c62b90375aa511957ebcd0ea82a

dojo/settings/settings.dist.py

@@ -1280,6 +1280,7 @@ def saml2_attrib_map_format(dict):
     "Legitify Scan": ["title", "endpoints", "severity"],
     "ThreatComposer Scan": ["title", "description"],
     "Invicti Scan": ["title", "description", "severity"],
+    "KrakenD Audit Scan": ["description", "mitigation", "severity"],
 }
 
 # Override the hardcoded settings here via the env var
@@ -1505,6 +1506,7 @@ def saml2_attrib_map_format(dict):
     "Legitify Scan": DEDUPE_ALGO_HASH_CODE,
     "ThreatComposer Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE,
     "Invicti Scan": DEDUPE_ALGO_HASH_CODE,
+    "KrakenD Audit Scan": DEDUPE_ALGO_HASH_CODE,
 }
 
 # Override the hardcoded settings here via the env var

dojo/tools/krakend_audit/__init__.py

@@ -0,0 +1 @@
+__author__ = "manuel-sommer"

dojo/tools/krakend_audit/parser.py

@@ -0,0 +1,34 @@
+import json
+
+from dojo.models import Finding
+
+
+class KrakenDAuditParser:
+    def get_scan_types(self):
+        return ["KrakenD Audit Scan"]
+
+    def get_label_for_scan_types(self, scan_type):
+        return scan_type  # no custom label for now
+
+    def get_description_for_scan_types(self, scan_type):
+        return "Import JSON reports of KrakenD Audit Scans."
+
+    def get_findings(self, file, test):
+        data = json.load(file)
+        findings = []
+        for recommendation in data.get("recommendations", []):
+            rule = recommendation.get("rule", None)
+            severity = recommendation.get("severity")
+            message = recommendation.get("message", None)
+            if rule is not None:
+                finding = Finding(
+                    title="KrakenD" + "_" + rule,
+                    test=test,
+                    description="**Rule:** " + rule,
+                    severity=severity.lower().capitalize(),
+                    mitigation=message,
+                    static_finding=True,
+                    dynamic_finding=False,
+                )
+                findings.append(finding)
+        return findings

unittests/scans/krakend_audit/many_findings.json

@@ -0,0 +1,30 @@
+{
+    "recommendations": [
+      {
+        "rule": "2.1.2",
+        "severity": "HIGH",
+        "message": "Enable TLS or use a terminator in front of KrakenD."
+      },
+      {
+        "rule": "2.1.7",
+        "severity": "HIGH",
+        "message": "Enable HTTP security header checks (security/http)."
+      },
+      {
+        "rule": "2.2.1",
+        "severity": "MEDIUM",
+        "message": "Hide the version banner in runtime."
+      },
+      {
+        "rule": "3.1.1",
+        "severity": "LOW",
+        "message": "Enable a bot detector."
+      },
+      {
+        "rule": "4.2.1",
+        "severity": "MEDIUM",
+        "message": "Implement a telemetry system for tracing for monitoring and troubleshooting."
+      }
+    ],
+    "stats": {}
+  }

unittests/scans/krakend_audit/no_findings.json

@@ -0,0 +1,4 @@
+{
+    "recommendations": [],
+    "stats": {}
+  }

unittests/tools/test_krakend_audit_parser.py

@@ -0,0 +1,22 @@
+from dojo.models import Test
+from dojo.tools.krakend_audit.parser import KrakenDAuditParser
+from unittests.dojo_test_case import DojoTestCase
+
+
+class TestKrakenDAuditParser(DojoTestCase):
+
+    def test_parse_no_findings(self):
+        with open("unittests/scans/krakend_audit/no_findings.json", encoding="utf-8") as testfile:
+            parser = KrakenDAuditParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(0, len(findings))
+
+    def test_parse_many_findings(self):
+        with open("unittests/scans/krakend_audit/many_findings.json", encoding="utf-8") as testfile:
+            parser = KrakenDAuditParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(5, len(findings))
+            with self.subTest(i=0):
+                finding = findings[0]
+                self.assertEqual("High", finding.severity)
+                self.assertEqual("Enable TLS or use a terminator in front of KrakenD.", finding.mitigation)