
DefectDojo Scanner
Introduction
The Xanitizer integration for the open source vulnerability management tool DefectDojo is part of DefectDojo itself and is available via GitHub. The integration does not run a security analysis by itself; it only collects the results of such an analysis. It parses an XML findings list report created by Xanitizer and imports the detected security findings into DefectDojo.
Compatibility
DefectDojo works with XML findings list reports from Xanitizer ≥ 3.1.
Download and Installation
Details on download and installation can be found at GitHub and in the external DefectDojo Documentation.
Integrating Xanitizer Results into DefectDojo
- Adapt the build system so that Xanitizer is run on the projects to be analyzed in headless mode and creates findings list reports as XML output files. DefectDojo does not execute Xanitizer; it only reads the results of previous Xanitizer runs. If you want more information for a finding in DefectDojo, such as an excerpt of the affected source code lines, generate the XML findings list report with the parameter generateDetailsInFindingsListReport=true.
- Details on how to import the Xanitizer results from the XML findings list reports into DefectDojo can be found in the external DefectDojo Documentation.
You can import the Xanitizer findings manually in the following way:
- Click on the menu entry "Findings" > "Import Scan Result" to open the manual import page.
- Select "Xanitizer Scan" as scan type.
- Press the "Browse" button to select the Xanitizer XML findings list report file.
- Press "Import" to import the security vulnerabilities detected by Xanitizer.
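In a build pipeline the manual import above is usually replaced by a call to DefectDojo's REST API, so that every headless Xanitizer run feeds its XML findings list report into an engagement automatically. The following script is an added example for that step; it is not code from the Xanitizer or DefectDojo projects. It assumes DefectDojo's API v2 endpoint POST /api/v2/import-scan/ (multipart form, API key sent as "Authorization: Token <key>"), the scan type string "Xanitizer Scan" shown on the manual import page, and that the report's root element is named XanitizerFindingsList, which is what the DefectDojo Xanitizer parser is assumed to check; verify that name against dojo/tools/xanitizer/parser.py in the DefectDojo repository. The sample report at the bottom is constructed and its child elements are placeholders, not Xanitizer's schema. The Xanitizer invocation itself is not shown; the script starts from the XML file it produced.

```python
"""Preflight and upload of a Xanitizer XML findings list report to DefectDojo.

Added example, not part of Xanitizer or DefectDojo. Assumptions:
- POST /api/v2/import-scan/ accepts a multipart form with a "file" part,
  authenticated with the header "Authorization: Token <api key>";
- the scan type string is "Xanitizer Scan";
- the report's root element is XanitizerFindingsList (check the DefectDojo parser).
"""
import json
import os
import urllib.request
import uuid
import xml.etree.ElementTree as ET

SCAN_TYPE = "Xanitizer Scan"
EXPECTED_ROOT = "XanitizerFindingsList"   # assumption, see module docstring


def preflight_report(xml_bytes: bytes, expected_root: str = EXPECTED_ROOT) -> int:
    """Reject a report before it is uploaded: it must be well-formed XML with the
    expected root element. Returns the number of direct children of the root,
    which is taken (assumption) to be the number of reported findings."""
    root = ET.fromstring(xml_bytes)   # raises ET.ParseError on malformed input
    if root.tag != expected_root:
        raise ValueError(f"unexpected root element {root.tag!r}, expected {expected_root!r}")
    return len(list(root))


def build_import_fields(engagement_id: int, minimum_severity: str = "Info",
                        close_old_findings: bool = True) -> dict:
    """Form fields for /api/v2/import-scan/. All values are strings because they
    travel as multipart form fields. close_old_findings makes DefectDojo mark
    findings that are absent from this newer report as mitigated."""
    return {
        "scan_type": SCAN_TYPE,
        "engagement": str(engagement_id),
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",
        "close_old_findings": "true" if close_old_findings else "false",
    }


def encode_multipart(fields: dict, filename: str, file_bytes: bytes) -> tuple:
    """Build a multipart/form-data body with the standard library only.
    Returns (Content-Type header value, body bytes)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(
        (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
         f'Content-Type: application/xml\r\n\r\n').encode() + file_bytes + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def import_scan(base_url: str, api_key: str, engagement_id: int, report_path: str) -> tuple:
    """Preflight and upload one report. This performs a network call; point it
    only at a DefectDojo instance you operate."""
    with open(report_path, "rb") as fh:
        data = fh.read()
    count = preflight_report(data)
    content_type, body = encode_multipart(
        build_import_fields(engagement_id), os.path.basename(report_path), data)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v2/import-scan/", data=body, method="POST",
        headers={"Authorization": f"Token {api_key}", "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=60) as resp:
        result = json.load(resp)
    return count, result


# Constructed sample report: only the root element name follows the assumption
# above; the <finding/> children are placeholders, not Xanitizer's real schema.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<XanitizerFindingsList xanitizerVersion="3.1">
  <finding/>
  <finding/>
</XanitizerFindingsList>"""

if __name__ == "__main__":
    import sys
    # usage: python import_xanitizer.py https://dojo.example.org <api key> <engagement id> report.xml
    n, res = import_scan(sys.argv[1], sys.argv[2], int(sys.argv[3]), sys.argv[4])
    print(f"uploaded report with {n} findings, DefectDojo returned: {res}")
```

The preflight stops a truncated or non-Xanitizer file from being uploaded, which otherwise only surfaces as a parser error inside DefectDojo. The engagement referenced by the id must already exist; for repeated uploads into the same test, DefectDojo also offers a reimport-scan endpoint, but the plain import with close_old_findings set is enough to keep the finding list in step with the latest Xanitizer run.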
Examples
A demo instance of DefectDojo is available via the DefectDojo testing environment. Please use the following default credentials:
- Product Manager
- username: product_manager
- password: defectdojo@demo#appsec
- Admin
- username: admin
- password: defectdojo@demo#appsec