DefectDojo Cookbook: Automate Your First Security Report

DefectDojo is a powerful tool for security automation. This post describes the first quick win of adopting DefectDojo: receiving a summary of your security posture automatically, on a schedule.

Preface

The main purpose of DefectDojo for me is a single point of analysis for the whole company, or for a part of its infrastructure. While deploying DefectDojo (as with any other solution or process) I want to start receiving information quickly, because I need to evaluate the process: its pros and cons, the false-positive rate, and so on.

So the first thing I automate is delivery of reports through a messaging service. For me the most convenient and least time-consuming option is Telegram.

The simplest way here is:

  • get screenshot of DefectDojo Metrics dashboard;
  • send it to the security team chat.

Creating Screenshot of DefectDojo Metrics Dashboard from Bash

Install required software

Install Node.js and npm:

$ curl -sL https://deb.nodesource.com/setup_10.x | sudo bash -
$ sudo apt-get update
$ sudo apt-get install -y nodejs

Two notes on this. First, setup_10.x installs Node.js 10, which is end-of-life; pick the setup script for the current LTS release instead, and rather than piping a remote script straight into sudo bash, download it, read it, and then run it. Second, the NodeSource nodejs package already bundles npm, so a separate "sudo apt-get install npm" is unnecessary and can pull in Ubuntu's own, conflicting nodejs packages.

Install capture-website-cli:

$ sudo npm install -g capture-website-cli --unsafe-perm=true

Note that --unsafe-perm=true makes npm run the package's install scripts (here: Puppeteer downloading its own Chromium) as root instead of dropping privileges. If you would rather not do that, install as an unprivileged user with a user-level npm prefix and run the cron job as that user.

Try to get screenshot of any site:

$ capture-website https://google.com/ --output=test.png

You may see errors about Chromium failing to start, or about missing shared libraries, if you run this on a server OS such as Ubuntu Server: capture-website-cli bundles Chromium through Puppeteer, but not the system libraries Chromium needs. The solution is to install them:

$ sudo apt-get install gconf-service \
libasound2 libatk1.0-0 libc6 libcairo2 \
libcups2 libdbus-1-3 libexpat1 libfontconfig1 \
libgcc1 libgconf-2-4 libgdk-pixbuf2.0-0 \
libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 \
libpangocairo-1.0-0 libstdc++6 libx11-6 \
libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 \
libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 \
libxrender1 libxss1 libxtst6 ca-certificates \
fonts-liberation libappindicator1 libnss3 \
lsb-release xdg-utils wget

If apt reports that some of these packages (the gconf or appindicator ones, for example) are not available on your release, drop them from the list; Chromium does not need all of them on newer systems. Then repeat the screenshot command:

$ capture-website https://google.com/ --output=test.png

Check the output file test.png and make sure you have the actual test screenshot of the target site.

Create DefectDojo User for Automation

Create the user from your DefectDojo interface.

Fill in the required fields for the new user. Do not grant any additional rights (not staff, not superuser): it only needs to view the metrics dashboard.

Save the new user by clicking the “Add User” button. Then click the “Admin Interface” link and set a password for the new user.

So now we have a low-privilege user whose only purpose is to view the metrics dashboard. Two caveats before going further. Its session cookie is about to be copied into a script, so treat that cookie as a credential: restrict file permissions and never commit it anywhere. And a Django session has a finite lifetime, so the cookie will eventually stop working and the job will need a fresh one. Let’s go further!

Get the Screenshot

Log in as the new user (called ScreenshotReporter here), press F12, open the browser's cookie view and find the cookie named “sessionid”. Copy its value to the clipboard and use it in this command. If DefectDojo is served over plain HTTP, as in this example, the cookie crosses the network in clear text on every run; put DefectDojo behind TLS before relying on this.

$ capture-website \
	"http://YOUR_DDJ_IP_HERE:8080/metrics?view=dashboard" \
	--cookie="sessionid=YOUR_SESSION_COOKIE" \
	--remove-elements="#base-content > div.row.metric-data > div:nth-child(1)" \
	--remove-elements="#base-content > div.row.metric-data > div:nth-child(2)" \
	--remove-elements="#base-content > div.row.metric-data > div:nth-child(3)" \
	--remove-elements="#base-content > div.row.metric-data > div:nth-child(4)" \
	--height=1000 \
	--type=jpeg \
	--quality=1 \
	--output=ddj.jpeg

Check the file ddj.jpeg. You should see the metrics dashboard with the top row of metric boxes removed (if you have imported any reports, of course).

This is a good starting point. Let’s automate the delivery process!

Sending DefectDojo Dashboard to Telegram Bot

First of all, create your own bot with Telegram's @BotFather and note the API token it gives you. Telegram's bot manual covers this.

Then we need the ID of the security team chat. Add the bot to the chat, send a message there that mentions the bot, then open https://api.telegram.org/bot<TOKEN>/getUpdates in a browser and read the chat.id field from the result (group chat IDs are negative numbers).

Create the script:

#!/bin/bash
set -euo pipefail

# The session cookie and bot token below are bearer credentials: keep this
# file readable only by the cron user (chmod 600) and out of any repository.

# Temp file with an unpredictable name instead of a fixed /tmp/ddj.jpeg that
# any local user could pre-create or symlink; removed on every exit path.
FILETOSEND="$(mktemp --suffix=.jpeg)"
trap 'rm -f "$FILETOSEND"' EXIT

# Get screenshot (quality is a 0..1 value, 1 being the best)
/usr/bin/capture-website \
        "http://YOUR_DDJ_IP_HERE:8080/metrics?view=dashboard" \
        --cookie="sessionid=SCREENSHOTREPORTER_COOKIE_HERE" \
        --remove-elements="#base-content > div.row.metric-data > div:nth-child(1)" \
        --remove-elements="#base-content > div.row.metric-data > div:nth-child(2)" \
        --remove-elements="#base-content > div.row.metric-data > div:nth-child(3)" \
        --remove-elements="#base-content > div.row.metric-data > div:nth-child(4)" \
        --height=1000 \
        --type=jpeg \
        --quality=1 \
        --output="$FILETOSEND"

# Set values for the bot
TGTOKEN="YOUR_BOT_TOKEN_HERE"
TGCHATID="YOUR_CHAT_ID_HERE"

# Send the picture to the TG chat. --fail turns an HTTP error from the API
# (wrong token, wrong chat ID) into a non-zero exit so cron reports it.
/usr/bin/curl -sS --fail -m 20 \
        -F "chat_id=${TGCHATID}" \
        -F "photo=@${FILETOSEND}" \
        "https://api.telegram.org/bot${TGTOKEN}/sendPhoto" >/dev/null

Run the script by hand first, then add it to crontab. I chose to receive the notification once per day, after all my daily scans have finished.

IMPORTANT: use the crontab of the same user you configured capture-website for; cron runs the job with that user's environment, and the Chromium download belongs to that installation.
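One thing the script above does not handle is the session cookie going stale: when the Django session expires, DefectDojo redirects the request to its login page, and the cron job happily mails a screenshot of a login form, or nothing at all. The following pre-flight check, added here as an example and not part of the original post or of DefectDojo itself, asks DefectDojo for the dashboard with the cookie and only lets the screenshot run when the answer is 200; otherwise it posts a plain-text alert to the same chat. The URL, cookie, token and chat ID placeholders are the same assumed values as in the post's script, and the DDJ_PREFLIGHT variable and the crontab schedule in the comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# daily DefectDojo report. Run it from the crontab entry just before the
# screenshot script, e.g. (assumed schedule):
#   0 19 * * * DDJ_PREFLIGHT=1 /usr/local/bin/ddj-preflight.sh && /usr/local/bin/ddj-report.sh
set -eu

# Assumed values, matching the placeholders in the post's script. Override
# them from the environment (or a chmod 600 env file) instead of editing here.
DDJ_URL="${DDJ_URL:-http://YOUR_DDJ_IP_HERE:8080}"
DDJ_SESSION="${DDJ_SESSION:-SCREENSHOTREPORTER_COOKIE_HERE}"
TGTOKEN="${TGTOKEN:-YOUR_BOT_TOKEN_HERE}"
TGCHATID="${TGCHATID:-YOUR_CHAT_ID_HERE}"

# Print the HTTP status DefectDojo returns for the dashboard when presented
# with the given session cookie. Redirects are deliberately not followed:
# a live session answers 200; an expired or unknown cookie is treated as an
# anonymous visitor by Django and answered with a redirect to the login page.
# On a connection failure curl still prints 000, which is handled below.
dashboard_status() {
    curl -s -o /dev/null -w '%{http_code}' -m 20 \
        -b "sessionid=$1" "${DDJ_URL}/metrics?view=dashboard" || true
}

# Exit 0 when the cookie is usable, 1 for anything other than 200
# (redirect to login, 403, 5xx, or 000 for "could not connect").
session_is_valid() {
    case "$(dashboard_status "$1")" in
        200) return 0 ;;
        *)   return 1 ;;
    esac
}

# Plain-text alert via sendMessage (the report itself goes via sendPhoto),
# so a dead cookie is noticed the same day in the same chat.
send_alert() {
    curl -sS --fail -m 20 \
        -F "chat_id=${TGCHATID}" \
        -F "text=$1" \
        "https://api.telegram.org/bot${TGTOKEN}/sendMessage" >/dev/null
}

# Returns 0 when the screenshot script may run, 1 after alerting.
main() {
    if session_is_valid "$DDJ_SESSION"; then
        echo "DefectDojo session OK, proceeding with the screenshot"
        return 0
    fi
    send_alert "DefectDojo daily report skipped: the ScreenshotReporter session cookie is no longer accepted. Log in again and update the cron job."
    return 1
}

# Guarded so the functions can be sourced without making network calls;
# the crontab line sets DDJ_PREFLIGHT=1 to actually run the check.
if [ "${DDJ_PREFLIGHT:-}" = "1" ]; then
    main
fi
```

The check is deliberately strict: any status other than 200, including a connection failure, blocks the screenshot, because a picture of an error page or a login form in the team chat is worse than a short text saying the job needs attention. The alert message goes through the same bot and chat as the report, so no extra credentials are involved.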

Enjoy!
