
Need support for Noseyparker latest version in DefectDojo #11535

Closed
Himan10 opened this issue Jan 10, 2025 · 8 comments

Comments

@Himan10

Himan10 commented Jan 10, 2025

Hey Team,

We have been using DefectDojo in our organisation for quite a while, and we recently changed the tools we use for secret scanning in GitHub/GitLab repositories: previously we were using gitleaks to collect the secrets, and we replaced it with Noseyparker. However, with the versions of DefectDojo we are using, i.e. v2.42.0 and below, we are not able to upload the secret scanning report obtained from the latest Noseyparker version, i.e. 0.21.0 and above. We are receiving an error that says

An exception error occurred during the report import: ['Invalid Nosey Parker data, make sure to use Nosey Parker v0.16.0']

We have a requirement in our organisation to use the latest versions of both Noseyparker and DefectDojo, but due to this issue we can't meet our organisation's compliance requirements.

I've also compared the finding stats of both versions of Noseyparker, i.e. 0.16 vs. 0.21. I ran both versions on the same repository, and here is the generated finding summary.

Running the scan using noseyparker v16 (screenshot taken 2025-01-10 at 11:36 AM; image not reproduced here)

Running the scan using noseyparker v21 (screenshot taken 2025-01-10 at 12:05 PM; image not reproduced here)

As shown in the above two images, both versions have a different set of findings, and the latest version often groups a specific category of findings. Also, as mentioned in the documentation of the latest Noseyparker version, there have been some changes in the JSON output report, i.e.:

The JSON output format from report has changed slightly (https://github.com/praetorian-inc/noseyparker/pull/236).

Now, the JSON representation of provenance entries from extensible enumerators (i.e., scan --enumerator=FILE, introduced in v0.20.0) includes an additional "payload" field around the actual provenance content. For example, an extended provenance entry that previously would look like this:

{"kind": "extended", "filename": "input.txt"}
is now represented like this:

{"kind": "extended", "payload": {"filename": "input.txt"}}

along with some changes in the representation of the report in human format and the datastore schema.

Could you please look into this issue and let us know if there will be support for the latest Noseyparker versions in upcoming DefectDojo versions, or if there's a way we could do this on our own, for example by writing a parser or changing the format of the latest Noseyparker report?
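As an added example (not code from DefectDojo or Nosey Parker), one way an importer could accept both the pre- and post-#236 shapes of an extended provenance entry is to normalise every entry to the newer wrapped form before reading its fields, rather than rejecting the whole report on a version check. Only the `kind`, `payload` and `filename` fields come from the changelog quoted above; the surrounding report shape (a JSON array of findings, each with a `matches` list, each match carrying a `provenance` list) and the decision to rewrite only `"extended"` entries are assumptions made so the example runs stand-alone.

```python
"""Normalise Nosey Parker 'extended' provenance entries across the format change.

Added example, not DefectDojo or Nosey Parker code. Assumed (not from the page):
the report is a JSON array of findings, each finding has a "matches" list, and
each match has a "provenance" list. Taken from the quoted changelog: extended
entries used to carry their fields beside "kind" and now wrap them in "payload".
"""
import json
from typing import Any


def normalize_provenance(entry: dict[str, Any]) -> dict[str, Any]:
    """Return an extended entry in the newer shape {"kind": ..., "payload": {...}}.

    Entries that already have a "payload" object, and entries of any other kind,
    are returned unchanged, so the function is safe to apply to a whole report.
    """
    if entry.get("kind") != "extended":
        return entry
    if isinstance(entry.get("payload"), dict):
        return entry  # already the v0.21-style representation
    # Legacy representation: every non-"kind" field is provenance content.
    payload = {k: v for k, v in entry.items() if k != "kind"}
    return {"kind": "extended", "payload": payload}


def normalize_report(report_json: str) -> list[dict[str, Any]]:
    """Parse a report and rewrite all provenance entries to the newer shape."""
    findings = json.loads(report_json)
    if not isinstance(findings, list):
        raise ValueError("Invalid Nosey Parker data: expected a JSON array of findings")
    for finding in findings:
        for match in finding.get("matches", []):
            match["provenance"] = [normalize_provenance(p) for p in match.get("provenance", [])]
    return findings


def extended_filenames(findings: list[dict[str, Any]]) -> list[str]:
    """Collect the filename of every extended provenance entry in a normalised report."""
    names = []
    for finding in findings:
        for match in finding.get("matches", []):
            for prov in match.get("provenance", []):
                if prov.get("kind") == "extended":
                    names.append(prov["payload"]["filename"])
    return names


# Constructed sample: one finding in the legacy shape, one in the newer shape.
# Field names other than kind/payload/filename are assumptions for this example.
SAMPLE_REPORT = json.dumps([
    {"rule_name": "example-rule-a", "matches": [
        {"provenance": [{"kind": "extended", "filename": "input.txt"}]}]},
    {"rule_name": "example-rule-b", "matches": [
        {"provenance": [{"kind": "extended", "payload": {"filename": "input.txt"}}]}]},
])

if __name__ == "__main__":
    normalised = normalize_report(SAMPLE_REPORT)
    print(extended_filenames(normalised))
```

Normalising to the newer shape, instead of the older one, means the importer only has to understand one representation once the older version falls out of use.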

@manuel-sommer
Contributor

Hi @Himan10 ,

I will submit a PR to support the latest version of Noseyparker.

@Himan10
Author

Himan10 commented Jan 10, 2025

Hey @manuel-sommer, thanks for the update. I'll keep this issue open till then; whenever you're done with the support changes, please @ me here.

@Himan10
Author

Himan10 commented Jan 14, 2025

@manuel-sommer hey buddy, any update on this issue? We can also raise a PR for this in case you're not available.

@manuel-sommer
Contributor

I am working on it @Himan10. Should be done this week.

@Himan10
Author

Himan10 commented Jan 14, 2025

Hey @manuel-sommer, I just wanted to confirm: if you're caught up with other tasks then I'll pick this one, but anyway, let me know.

thanks

@manuel-sommer
Contributor

Could you take a look at the PR @Himan10?

@Himan10
Author

Himan10 commented Jan 14, 2025

Thanks for the PR, will take a look @manuel-sommer and let you know soon.

@manuel-sommer
Contributor

Can we close this @mtesauro?


3 participants