
DefectDojo integration

Spectra Assure integrates with DefectDojo to augment existing vulnerability triage processes. The integration is most useful to software producers who already use DefectDojo to track and prioritize vulnerabilities for remediation.

DefectDojo is a free and open source ASPM (Application Security Posture Management) tool and a flagship OWASP project since 2015. It aggregates results from many different software scanning tools and manual penetration testing findings to contextualize them and assist in remediation efforts.

In this guide, you will learn how to use the Spectra Assure integration in DefectDojo to import vulnerability information from rl-json reports. You can use any Spectra Assure product to create the reports.

DefectDojo experience required

If you're not an experienced user, we recommend you learn at least the basics of DefectDojo before proceeding with this guide.

Throughout this guide, we'll refer to the official DefectDojo documentation for additional context and details.

Prerequisites

  1. An active instance of DefectDojo version 2.48.0 or later. The Spectra Assure integration is available in free (self-hosted) and paid (cloud-hosted) versions of DefectDojo.

  2. An active, valid license for a Spectra Assure product. You can use the Spectra Assure CLI, the Spectra Assure Portal, or both to produce the rl-json reports required for this integration. Note that the Portal can export the report only through the Portal API, not from the Portal UI.

1. Create the rl-json report

The integration parses vulnerability information from the Spectra Assure rl-json report and adapts it for display and further management in DefectDojo.

To successfully use the integration, you need to create the rl-json report for a software package. You can create the report with any Spectra Assure product.

  1. Scan the software package with the rl-secure scan command.

  2. Use the rl-secure report command to create the rl-json report.

Example: rl-secure report rl-json pkg:rl/my-project/my-package@1.0.1

2. Import the report into DefectDojo

After creating the Spectra Assure rl-json report, you can import it into DefectDojo.

Specifically, the report needs to be imported into DefectDojo Findings in the following way:

  1. In DefectDojo, access the Product part of the interface. In this context, the product refers to the software you analyzed with Spectra Assure and for which you want to manage vulnerabilities.
  2. On the Product page, select Findings > Import scan results.
  3. In the dialog that opens, select ReversingLabs Spectra Assure as the Scan Type.
  4. Under Scan File, select the Choose button and use the file picker dialog to find the rl-json report you previously created.
  5. After selecting the correct report file, submit your changes in the dialog.

When the rl-json report is processed by DefectDojo, vulnerability data from the report will be loaded under a new Engagement for the selected Product. You can then continue using DefectDojo to prioritize the discovered vulnerabilities.
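The same import can be scripted against DefectDojo's REST API (POST /api/v2/import-scan/) instead of clicking through the dialog, which is how a CI pipeline would attach each new rl-json report to a Product. The script below is an added example, not ReversingLabs' or DefectDojo's own code; it assumes DEFECTDOJO_URL and DEFECTDOJO_TOKEN are exported by the caller, and the product and engagement names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not ReversingLabs' or DefectDojo's own code. It performs
# step 2 of the guide through DefectDojo's REST API (POST /api/v2/import-scan/)
# instead of the "Import scan results" dialog, so imports can run from CI.
# Assumes DEFECTDOJO_URL and DEFECTDOJO_TOKEN are exported by the caller;
# product and engagement names are placeholders.
set -euo pipefail

# One form field per line, mirroring the dialog choices: the scan type is the
# parser name shown in the dialog; auto_create_context lets DefectDojo create
# the engagement (and product) if missing; active/verified are set up front
# because findings must carry both flags before they can be pushed to Jira
# (see "Next steps").
import_fields() {
  local product="$1" engagement="$2"
  printf '%s\n' \
    'scan_type=ReversingLabs Spectra Assure' \
    "product_name=$product" \
    "engagement_name=$engagement" \
    'auto_create_context=true' \
    'active=true' \
    'verified=true'
}

# Uploads one rl-json report and prints DefectDojo's JSON response.
# Add -F 'product_type_name=...' if the product does not exist yet.
import_report() {
  local report="$1" product="$2" engagement="$3" field
  local -a form=()
  [ -r "$report" ] || { echo "report not readable: $report" >&2; return 1; }
  while IFS= read -r field; do form+=(-F "$field"); done \
    < <(import_fields "$product" "$engagement")
  curl -sSf -X POST "${DEFECTDOJO_URL%/}/api/v2/import-scan/" \
    -H "Authorization: Token $DEFECTDOJO_TOKEN" \
    -F "file=@$report" "${form[@]}"
}

# Usage: ./import-rl-json.sh <report.rl.json> <product> <engagement>
if [ "$#" -eq 3 ]; then
  import_report "$@"
fi
```

Re-running the script with the same engagement name creates a new test under that engagement each time; use DefectDojo's reimport endpoint instead if you want findings updated in place.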

Next steps

If your DefectDojo instance has the Jira integration configured, you can use it to send CVE findings from Spectra Assure to Jira and automatically open work items for vulnerabilities in your Jira projects.

Note that Findings must be set to active and verified in DefectDojo so that they can be sent to Jira.