
(Optional) Parsing CSV exports


Last updated 11 months ago

DefectDojo allows you to sort, filter and further export vulnerabilities in different formats. The reports contain complete information about each vulnerability, which may look overwhelming. In certain cases, such as dependency checks, only a few field values are sufficient to present or address the vulnerabilities.

A dependency check is an important step of each static analysis cycle and usually brings extensive output, containing the publicly known vulnerabilities of the external libraries or modules invoked by the code.

We will use this as an example of a bulk findings export from DefectDojo, followed by parsing and saving in an addressable form.

First click on the Trivy scan results, which were used to analyze the vulnerabilities of this project's dependencies:

Here we have 96 revealed vulnerabilities; let's export them in CSV format:

We now have the findings.csv file containing all details for the 96 dependency vulnerabilities.

This is nice, but not well readable, so we will extract only the few fields usually sufficient to hand these issues to the developers. The following Python script does this (it depends on the xlsxwriter package; the column positions are those of a Trivy dependency scan export):

import os
import glob
import csv
from xlsxwriter.workbook import Workbook

# Column positions (0-based) in the DefectDojo findings CSV of a Trivy dependency scan:
# 57 = Severity, 85 = CVE, 1 = Component, 2 = Component Version,
# 35 = Fixed in, 10 = Details, 45 = References. Other scan types use different positions.
COLUMNS = [57, 85, 1, 2, 35, 10, 45]

def select(risk, data, selected):
    """Append the rows with the given severity to 'selected', skipping duplicates."""
    for row in data:
        if row[57] == risk:
            # Keep only the description part of the Details cell and drop the NEWLINE markers
            parts = row[10].split("NEWLINE  NEWLINE ")
            row[10] = (parts[1] if len(parts) > 1 else parts[0]).replace(" NEWLINE", "")
            # Keep only the first link of the References cell
            row[45] = row[45].split(" NEWLINE ")[0]

            new_line = [row[i] for i in COLUMNS]
            if new_line not in selected:
                selected.append(new_line)

for csvfile in glob.glob(os.path.join('.', '*.csv')):
    selected = []
    workbook = Workbook(csvfile[:-4] + '.xlsx')
    worksheet = workbook.add_worksheet()

    with open(csvfile, encoding='utf8') as csv_file:
        csv_reader = csv.reader(csv_file, delimiter=',')
        data = list(csv_reader)

        # Highest severity first; Low and Info findings are left out
        for risk in ["Critical", "High", "Medium"]:
            select(risk, data, selected)

        # Number the rows, then prepend the header line
        for row_id, row in enumerate(selected, start=1):
            row.insert(0, row_id)

        selected.insert(0, ["ID", "Severity", "CVE", "Component", "Component Version", "Fixed in", "Details", "References"])

        for r, row in enumerate(selected):
            for c, col in enumerate(row):
                worksheet.write(r, c, col)
    workbook.close()

Save this script in the same folder as findings.csv and execute it:

python trivy-dep-parse-csv.py

Check the results:

Now we have an XLSX which contains the data one can directly send to the product developers or embed in the report:

The same approach can be taken with other reports, but beware: every scan type produces a different set of information, so the CSV contents and field positions will vary.
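Because the field positions differ between scan types, a parser that looks columns up by header name instead of by index is easier to reuse across reports. The following script is an added example and not part of the ScanSuite documentation or code; it applies the same selection, clean-up and de-duplication as the script above but reads the CSV with csv.DictReader, fails early when an expected column is absent, and keeps the XLSX output optional. The header names in WANTED and the sample CSV (including its CVE-XXXX-nnnn placeholders) are constructed for the example; compare them against the first line of your own findings.csv.

```python
import csv
import io

# Severity levels kept in the output, highest first (same three as the page's script)
SEVERITY_ORDER = ["Critical", "High", "Medium"]

# Output columns, looked up by header name rather than position.
# Assumed header names: verify them against the first line of your findings.csv.
WANTED = ["Severity", "CVE", "Component", "Component Version", "Fixed in", "Details", "References"]

# Constructed sample export with a different column order than the page's indices,
# a duplicated finding and a Low finding that must be dropped. CVE ids are placeholders.
SAMPLE_CSV = """Component,Component Version,Severity,Fixed in,Details,References,CVE
openssl,1.1.1,Critical,1.1.1a,Title NEWLINE  NEWLINE Buffer overflow NEWLINE,https://example.invalid/c,CVE-XXXX-0002
libxml2,2.9.10,High,2.9.11,Title NEWLINE  NEWLINE Use-after-free in xmlParse NEWLINE,https://example.invalid/a NEWLINE https://example.invalid/b,CVE-XXXX-0001
libxml2,2.9.10,High,2.9.11,Title NEWLINE  NEWLINE Use-after-free in xmlParse NEWLINE,https://example.invalid/a NEWLINE https://example.invalid/b,CVE-XXXX-0001
curl,7.60,Low,7.61,Title NEWLINE  NEWLINE Minor issue,https://example.invalid/d,CVE-XXXX-0003
"""


def clean_details(text):
    """Keep the description part of a Details cell and drop the exported NEWLINE markers."""
    parts = text.split("NEWLINE  NEWLINE ")
    body = parts[1] if len(parts) > 1 else parts[0]
    return body.replace(" NEWLINE", "").strip()


def first_reference(text):
    """Keep only the first link of a References cell."""
    return text.split(" NEWLINE ")[0].strip()


def parse_findings(csv_text, wanted=WANTED):
    """Return numbered, de-duplicated rows [ID, *wanted] for Critical/High/Medium findings.

    Raises ValueError when the CSV header lacks one of the wanted columns, so a
    report from a different scan type is rejected instead of silently mis-parsed.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [name for name in wanted if name not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV is missing expected columns: {missing}")
    rows = list(reader)

    selected = []
    for severity in SEVERITY_ORDER:          # output grouped by severity, highest first
        for row in rows:
            if row["Severity"] != severity:
                continue
            cleaned = dict(row)
            cleaned["Details"] = clean_details(row["Details"])
            cleaned["References"] = first_reference(row["References"])
            line = [cleaned[name] for name in wanted]
            if line not in selected:         # drop exact duplicates
                selected.append(line)
    return [[i + 1] + line for i, line in enumerate(selected)]


def write_xlsx(rows, path, wanted=WANTED):
    """Write the header and rows to an XLSX file; needs the xlsxwriter package."""
    from xlsxwriter.workbook import Workbook
    workbook = Workbook(path)
    worksheet = workbook.add_worksheet()
    for r, row in enumerate([["ID"] + wanted] + rows):
        for c, value in enumerate(row):
            worksheet.write(r, c, value)
    workbook.close()


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; replace SAMPLE_CSV with the contents
    # of findings.csv and call write_xlsx(result, "findings.xlsx") for a real export.
    for line in parse_findings(SAMPLE_CSV):
        print(line)
```

On the sample above the function returns two rows: the Critical openssl finding first, then the libxml2 finding once, with the duplicate and the Low finding removed. Reordering the columns in the CSV changes nothing, while a missing header such as "Fixed in" raises a ValueError that names the gap.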