Skip to content

feat(lab10): defectdojo governance report + capstone walkthrough#1443

Open
Muratich wants to merge 4 commits into
inno-devops-labs:mainfrom
Muratich:feature/lab10
Open

feat(lab10): defectdojo governance report + capstone walkthrough#1443
Muratich wants to merge 4 commits into
inno-devops-labs:mainfrom
Muratich:feature/lab10

Conversation

@Muratich

@Muratich Muratich commented Jul 9, 2026

Copy link
Copy Markdown

Goal: Lab 10 capstone: DefectDojo governance report for OWASP Juice Shop (401 imported findings, SLA, metrics, risk acceptance) plus a 5-minute interview walkthrough script.


Changes

Added / updated:

  • submissions/lab10.md β€” Task 1 (DefectDojo setup, 9 imports, dedup) and Task 2 (governance report: severity, tools, MTTR/SLA, risk-accepted CVE-2026-42766)
  • submissions/lab10-walkthrough.md β€” Bonus: timed 5-minute DevSecOps program walkthrough with Q&A (Log4Shell, IAST tradeoff)
  • labs/lab4/grype-from-sbom.json, labs/lab4/trivy.json β€” scan artifacts used for DefectDojo import
  • labs/lab4/grype-from-sbom.txt, labs/lab4/trivy.txt β€” human-readable scan output

Other changes (local, not yet committed):

  • labs/lab10/imports/run-imports.sh β€” DD_ENGAGEMENT_ID, deduplication_on_engagement=true, product type fix
  • labs/lab10/imports/lab10-clean-import.ps1 β€” one-shot clean import helper (PowerShell)
  • labs/lab10/imports/env.sample β€” updated comments
  • labs/lab5/scripts/zap-auth.yaml β€” ZAP XML report for DefectDojo import

Testing

Commands run:

# DefectDojo (release mode)
cd labs/lab10/work/dd
docker compose up -d

# API token + clean import into engagement 4
$env:DD_URL = "http://localhost:8080"
$env:DD_TOKEN = "<api-token>"
$env:DD_PRODUCT_TYPE = "Research and Development"
$env:DD_ENGAGEMENT_ID = "4"
& "C:\Program Files\Git\bin\bash.exe" -lc "labs/lab10/imports/run-imports.sh"

# Verify counts (use test__engagement, not engagement=)
(Invoke-RestMethod -Uri "$env:DD_URL/api/v2/findings/?test__engagement=4&active=true&limit=1" `
  -Headers @{ Authorization = "Token $env:DD_TOKEN" }).count

Observed output:

  • DefectDojo v3.1.0 at http://localhost:8080
  • Product: OWASP Juice Shop (id 1), Engagement: Final Submission Run (id 4)
  • 9 imports, 401 total findings (trivy-k8s = 0 after dedup)
  • SLA profile DevSecOps (id 3) on Product 1
  • Severity (active): 17 Critical / 165 High / 176 Medium / 29 Low / 13 Info (400 active after 1 risk-accepted)
  • Risk Accepted in UI: CVE-2026-42766, expiry 2027-01-04, status Inactive, Verified, Risk Accepted
  • Walkthrough timed at ~4:34

Artifacts & Screenshots

  • submissions/lab10.md
  • submissions/lab10-walkthrough.md
  • Screenshots / links:
    • DefectDojo: Product OWASP Juice Shop + engagement Final Submission Run
    • Findings list (401 total / 400 active)
    • Risk Accepted finding CVE-2026-42766 (Inactive, Verified, Risk Accepted)
    • SLA Configuration: DevSecOps on Product
    • Import statistics (labs/lab10/imports/import-*.json)

Checklist

  • Title is clear (feat(lab10): defectdojo governance report + capstone walkthrough)
  • No secrets or large temp files are committed (API token not in repo; labs/lab10/work/ and import-* responses gitignored)
  • Submission file at submissions/lab10.md exists
  • Bonus walkthrough at submissions/lab10-walkthrough.md exists
  • Task 1 β€” DefectDojo setup + imports + dedup proof
  • Task 2 β€” Governance report with MTTD/MTTR/SLA/backlog
  • Bonus β€” 5-minute walkthrough script with timed practice

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant