
Commit c5143eb

committed
docs: add IriusRisk parser documentation
Authored by T. Walker - DefectDojo
1 parent f275535 commit c5143eb

1 file changed

Lines changed: 136 additions & 0 deletions

@@ -0,0 +1,136 @@
1+
---
2+
title: "IriusRisk Threats Scan"
3+
toc_hide: true
4+
---
5+
6+
The [IriusRisk](https://www.iriusrisk.com/) parser for DefectDojo supports imports from CSV format. This document details the parsing of IriusRisk threat model CSV exports into DefectDojo field mappings, unmapped fields, and location of each field's parsing code for easier troubleshooting and analysis.
7+
8+
## Supported File Types
9+
10+
The IriusRisk parser accepts CSV file format. To generate this file from IriusRisk:
11+
12+
1. Log into your IriusRisk console
13+
2. Navigate to the project containing your threat model
14+
3. Export the threats as CSV
15+
4. Save the file with a `.csv` extension
16+
5. Upload to DefectDojo using the "IriusRisk Threats Scan" scan type
17+
18+
## Default Deduplication Hashcode Fields
19+
20+
By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/):
21+
22+
- title
23+
- cwe
24+
- line
25+
- file_path
26+
- description
27+
28+
The parser also populates `unique_id_from_tool` with a SHA-256 hash of the Component, Threat, and Risk Response fields, providing an additional layer of deduplication across reimports.
29+
30+
### Sample Scan Data
31+
32+
Sample IriusRisk scans can be found in the [sample scan data folder](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/iriusrisk).
33+
34+
## Link To Tool
35+
36+
- [IriusRisk](https://www.iriusrisk.com/)
37+
- [IriusRisk Documentation](https://support.iriusrisk.com/)
38+
39+
## CSV Format (Threat Model Export)
40+
41+
### Total Fields in CSV
42+
43+
- Total data fields: 12
44+
- Total data fields parsed: 12
45+
- Total data fields NOT parsed: 0
46+
47+
### CSV Format Field Mapping Details
48+
49+
<details>
50+
<summary>Click to expand Field Mapping Table</summary>
51+
52+
| Source Field | DefectDojo Field | Parser Line # | Notes |
53+
| ------------------------ | -------------------- | ------------- | --------------------------------------------------------------------- |
54+
| Threat | title | 47 | Truncated to 150 characters with "..." suffix if longer |
55+
| Current Risk | severity | 49 | Mapped from IriusRisk risk levels to DefectDojo severity levels |
56+
| Component | component_name | 79 | The affected asset or component from the threat model |
57+
| Threat | description | 53 | Full threat text included as first line of structured description |
58+
| Component | description | 54 | Included in structured description block |
59+
| Use case | description | 55 | Threat category included in structured description |
60+
| Source | description | 56 | Origin of the threat included in structured description |
61+
| Inherent Risk | description | 57 | Pre-control risk level included in structured description |
62+
| Current Risk | description | 58 | Current risk level included in structured description |
63+
| Projected Risk | description | 59 | Post-mitigation risk level included in structured description |
64+
| Countermeasure progress | description | 60 | Percentage complete included in structured description |
65+
| Weakness tests | description | 61 | Test status included in structured description |
66+
| Countermeasure tests | description | 62 | Test status included in structured description |
67+
| Owner | description | 64-65 | Conditionally appended to description only when present |
68+
| Risk Response | mitigation | 78 | Mitigation status percentages from IriusRisk |
69+
| Component + Threat + Risk Response | unique_id_from_tool | 69-71 | SHA-256 hash used for deduplication across reimports |
70+
71+
</details>
72+
73+
### Additional Finding Field Settings (CSV Format)
74+
75+
<details>
76+
<summary>Click to expand Additional Settings Table</summary>
77+
78+
| Finding Field | Default Value | Parser Line # | Notes |
79+
| ---------------- | -------------------------------- | ------------- | ----------------------------------------------------------- |
80+
| static_finding | True | 81 | Threat model data is static analysis |
81+
| dynamic_finding | False | 82 | Not from live scanning |
82+
| active | True (False when "Very low") | 80 | Set to False when Current Risk is "Very low" (fully mitigated) |
83+
| unique_id_from_tool | SHA-256 hash | 83 | Hash of Component, Threat, and Risk Response |
84+
85+
</details>
86+
87+
## Special Processing Notes
88+
89+
### Status Conversion
90+
91+
IriusRisk uses a four-level risk scale that is mapped to DefectDojo severity levels (lines 7-12):
92+
93+
- `High` → High
94+
- `Medium` → Medium
95+
- `Low` → Low
96+
- `Very low` → Info
97+
98+
Any unrecognized risk value defaults to Info (line 49). The mapping uses the "Current Risk" column, which reflects the risk level accounting for existing controls and represents the most accurate current exposure.
99+
100+
### Title Format
101+
102+
Finding titles are derived from the "Threat" column (line 47). Threat descriptions longer than 150 characters are truncated to 147 characters with a "..." suffix appended. Shorter threat texts are used as-is without modification.
103+
104+
### Description Construction
105+
106+
The parser constructs a structured markdown description containing all 12 CSV fields (lines 52-66):
107+
108+
1. Full threat text (untruncated, regardless of title truncation)
109+
2. Component name
110+
3. Use case (threat category, e.g., "Elevation of Privilege", "Networking")
111+
4. Source (e.g., "Created by Rules Engine")
112+
5. Inherent Risk (pre-control risk level)
113+
6. Current Risk (risk with existing controls)
114+
7. Projected Risk (risk after planned mitigations)
115+
8. Countermeasure Progress (percentage complete)
116+
9. Weakness Tests (test status)
117+
10. Countermeasure Tests (test status)
118+
11. Owner (conditionally included only when the field contains a value)
119+
120+
Each field is formatted as a bold markdown label followed by the value, with fields separated by newlines.
121+
122+
### Mitigation Construction
123+
124+
The mitigation field is populated directly from the "Risk Response" column (line 78), which contains the IriusRisk mitigation status in the format: "Planned mitigation: X%. Mitigated: Y%. Unmitigated: Z%." This preserves the original IriusRisk mitigation tracking percentages.
125+
126+
### Active/Inactive Logic
127+
128+
Findings are set to active by default (line 80). When the "Current Risk" value is "Very low", the finding is set to inactive, as this indicates the threat has been fully mitigated through implemented countermeasures.
129+
130+
### Deduplication
131+
132+
The parser generates a `unique_id_from_tool` by computing a SHA-256 hash of the Component, Threat, and Risk Response fields concatenated with pipe delimiters (lines 69-71). This ensures that each distinct combination of component, threat, and mitigation state produces a unique identifier. On reimport, findings with matching unique IDs are recognized as the same finding rather than being duplicated.
133+
134+
### Duplicate Rows in Source Data
135+
136+
IriusRisk CSV exports can contain multiple rows with the same Component and Threat but different Risk Response values. These represent distinct countermeasure paths for the same threat. Each row is imported as a separate finding, distinguished by its unique ID which incorporates the Risk Response field.
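Review bot: The two tables disagree on where `unique_id_from_tool` is computed: the Field Mapping table and the Deduplication section say parser lines 69-71, while the Additional Settings table says line 83; pick one so the "Parser Line #" column can actually be used for troubleshooting. The Description Construction section says the description contains "all 12 CSV fields" but then lists 11, and the Field Mapping table shows Risk Response going to `mitigation` rather than `description`, so "11 of the 12 CSV fields" would be accurate. Also, since the hash covers Risk Response, whose value is a set of percentages ("Planned mitigation: X%. Mitigated: Y%. Unmitigated: Z%."), any change in countermeasure progress changes the unique ID, so a reimport after progress has been updated will be treated as a new finding rather than a continuation of the existing one; the Deduplication section should state this explicitly, because readers will otherwise expect the ID to stay stable across reimports for the same Component and Threat.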
