

DefectDojo Scanner

Introduction

The Xanitizer integration into the open source vulnerability management tool DefectDojo is part of DefectDojo itself, which is available via GitHub. The integration does not run a security analysis by itself; it only collects the results of such an analysis: it parses an XML findings list report created by Xanitizer and imports the detected security findings into DefectDojo.

Compatibility

DefectDojo works with XML findings list reports from Xanitizer ≥ 3.1.

Download and Installation

Details on download and installation can be found at GitHub and in the external DefectDojo Documentation.

Integrating Xanitizer Results into DefectDojo

  1. Adapt the build system so that Xanitizer runs in headless mode on the projects to be analyzed and writes its findings list reports as XML output files. DefectDojo does not execute Xanitizer; it only reads the results of previous Xanitizer runs. If you want more information for a finding in DefectDojo, such as an excerpt of the affected source code lines, generate the XML findings list report with the parameter generateDetailsInFindingsListReport=true.
  2. Details on how to import the Xanitizer results from the XML findings list reports into DefectDojo can be found in the external DefectDojo documentation.
    You can import the Xanitizer findings manually in the following way:

    1. Click on the menu entry “Findings” > “Import Scan Result” to open the manual import page.
    2. Select “Xanitizer Scan” as scan type.
    3. Press the “Browse” button to select the Xanitizer XML findings list report file.
    4. Press “Import” to import the security vulnerabilities detected by Xanitizer.
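As an added example (not code from Xanitizer or DefectDojo), the following script automates the import step through DefectDojo's REST API v2 instead of the manual import page, so a build job can upload the report as soon as the headless Xanitizer run has written it. The endpoint path, the Token authorization header and the form field names are assumed from DefectDojo's API v2; base URL, API key and engagement id are placeholders you supply, and SAMPLE_REPORT is a constructed stub used only to exercise the helpers offline.

```python
"""Upload a Xanitizer XML findings list report to DefectDojo via POST /api/v2/import-scan/.
Standard library only, so it runs wherever the build runs."""
import os
import xml.etree.ElementTree as ET
from urllib import request

# Constructed stand-in for a real report; only used to exercise the helpers offline.
SAMPLE_REPORT = b'<?xml version="1.0"?><XanitizerFindingsList/>'
SCAN_TYPE = "Xanitizer Scan"  # scan type name as shown on the DefectDojo import page


def check_report(data: bytes) -> str:
    """Fail fast on a truncated or non-XML file instead of letting the server reject it."""
    return ET.fromstring(data).tag


def build_import_form(engagement_id: int, minimum_severity: str = "Low") -> dict:
    """Form fields for import-scan (names assumed from DefectDojo API v2)."""
    return {
        "scan_type": SCAN_TYPE,
        "engagement": str(engagement_id),  # engagement the findings are attached to
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",  # leave triage to a human inside DefectDojo
    }


def encode_multipart(fields: dict, filename: str, data: bytes, boundary: str) -> bytes:
    """Hand-rolled multipart/form-data body: text fields first, then the report as 'file'."""
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    parts += [f"--{boundary}",
              f'Content-Disposition: form-data; name="file"; filename="{filename}"',
              "Content-Type: application/xml", ""]
    body = "\r\n".join(parts).encode() + b"\r\n" + data
    return body + f"\r\n--{boundary}--\r\n".encode()


def import_report(base_url: str, api_key: str, report_path: str, engagement_id: int) -> int:
    """Upload one report; returns the HTTP status. Performs network I/O."""
    with open(report_path, "rb") as fh:
        data = fh.read()
    check_report(data)
    boundary = "xanitizer-import-" + os.urandom(8).hex()
    body = encode_multipart(build_import_form(engagement_id), os.path.basename(report_path), data, boundary)
    req = request.Request(f"{base_url.rstrip('/')}/api/v2/import-scan/", data=body, method="POST",
                          headers={"Authorization": f"Token {api_key}",
                                   "Content-Type": f"multipart/form-data; boundary={boundary}"})
    with request.urlopen(req) as resp:
        return resp.status
```

Call `import_report("https://defectdojo.example", "<api-key>", "findings.xml", 42)` from the build step that follows the Xanitizer run; the API key belongs to a DefectDojo user with import rights on that engagement.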

Examples

A demo instance of DefectDojo is available via the DefectDojo testing environment. Please use the following default credentials:

  • Product Manager
    • username: product_manager
    • password: defectdojo@demo#appsec
  • Admin
    • username: admin
    • password: defectdojo@demo#appsec