Our website uses cookies to enhance your browsing experience.
Accept
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at


If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

  • Promotion
  • Updates
  • Spam

Webinar: C++ semantics - 06.11

>
>
DefectDojo and PVS-Studio: tracking err…

DefectDojo and PVS-Studio: tracking errors and vulnerabilities

Aug 15 2023

How to simplify the process of bug fixing and prevent vulnerable code from being released? Use quality control tools. We will use PVS-Studio to search for errors and vulnerabilities, and DefectDojo will help us handling a report. In this article, we are going to discuss how to use these tools together.

1062_Integrating_PVS-Studio_with_DefectDojo/image1.png

PVS‑Studio is a static code analyzer that finds errors and potential vulnerabilities in projects written in C, C++, C#, and Java. 

DefectDojo is a DevSecOps system for tracking errors and vulnerabilities. It provides features for handling reports, including the ability to memorize false positives and delete duplicate warnings. DefectDojo can integrate with JIRA, saves metrics, and builds graphs of their changes.

With the new PVS-Studio report format for DefectDojo, you can take full advantage of the platform's features when handling analysis results and managing the error fixing process.

Installing PVS-Studio and DefectDojo

Installing the PVS-Studio analyzer

You can get the PVS-Studio installer and a trial key here. The installation process for different environments is described in the documentation:

Deploying DefectDojo

You can install DefectDojo in several ways: for example, use a Docker image, obtain it as a SaaS, or deploy it locally. Visit this page if you want to learn more about installation methods.

Let's see how to install DefectDojo using docker-compose.yml.

To do this, we need at least Docker 19.03.0 and Docker Compose 1.28.0.

First, we are going to clone the DefectDojo GitHub repository.

git clone https://github.com/DefectDojo/django-DefectDojo.git

After that, go to the django-DefectDojo directory and run the Docker image build. To run docker-compose, add the '‑‑profile' and '‑‑env-file' parameters.

  • ‑‑profile determines which database (MySQL or PostgreSQL) and message broker (RabbitMQ or Redis) DefectDojo will use.
  • ‑‑env-file is a path to the file containing the environment parameters for the selected database and broker.

In this case, I use a combination of PostgreSQL and RabbitMQ. The docker-compose run command looks like this:

docker-compose --profile postgres-rabbitmq ^
  --env-file .\docker\enviroment\postgres-rabbitmq.env up

Once the containers are started, you can access DefectDojo from an administrator account. To get the administrator password, use one of the following commands:

docker-compose logs initializer | grep "Admin password:"

or

docker-compose logs initializer | find "Admin password:"

By default, DefectDojo is deployed on port 8080. You can change it in the docker-compose.yml file.

Configuring DefectDojo to work with the PVS-Studio report

In order for the PVS-Studio report to operate properly in DefectDojo, we need to edit the 'local_settings.py' file. In our case, this file should be located in the /docker/extra_settings/ directory. In 'local_settings.py', add the following line:

HASHCODE_FIELDS_PER_SCANNER=
{"PVS-Studio Scan (Generic Findings Import)":["unique_id_from_tool"]}.

Enabling this setting helps DefectDojo to understand which field in the report to use for identifying duplicate messages.

You also need to enable 'False positive history' in the DefectDojo settings. It ensures that information about false positives is retained between reports.

Now that DefectDojo is deployed, it needs to be configured to work with projects and reports. We are using the COVID-19 CovidSim Model, an open-source project written in C++, to test if everything works properly.

First, create a Product in DefectDojo: 'Products'->'Add Product'.

1062_Integrating_PVS-Studio_with_DefectDojo/image2.png

Then, fill out the project information. For the test, I filled in only the mandatory fields and transferred the project description from its GitHub repository.

Now add a new engagement to the created Product. It's the main entity into which the analyzer report will be loaded. We are going to work with it.

There are two kinds of engagements in DefectDojo: Interactive and CI/CD. You can also transfer information from the CI/CD system, such as the build number, to the second one. This choice doesn't affect the report handling.

1062_Integrating_PVS-Studio_with_DefectDojo/image3.png

It's worth mentioning that there are several options for handling the analysis results. One of them is creating a new engagement for each new report. In this case, make sure that the 'Deduplication within this engagement only' setting is disabled. If you leave it enabled, the information about warnings that have already been marked will disappear when a new report is uploaded.

1062_Integrating_PVS-Studio_with_DefectDojo/image4.png

In this example, I am uploading all reports to one engagement. DefectDojo is a flexible tool, it allows you to customize the workflow to your needs.

Automating the process of uploading analysis results to DefectDojo

To automate the process of checking and uploading a report to DefectDojo, I created a small Jenkins task. Let's take a closer look.

The first step is to deploy the covid-sim project and a Python helper script to Jenkins. To do this, let's add the following steps to the pipeline:

stage('Checkout'){
  steps{
    dir('defectdojo'){
      checkout([  
        $class: 'GitSCM', 
        branches: [[name: 'main']], 
        userRemoteConfigs: 
   [[url: 'https://github.com/viva64/DefectDojo-QualityGate.git']]
      ])
    }
    dir('covid-sim'){
      checkout([  
        $class: 'GitSCM', 
        branches: [[name: 'master']], 
        userRemoteConfigs: [[url: 'https://github.com/mrc-ide/covid-sim.git']]
      ])
    }
  }
}

The next step is to run the project check. Let's add the following step to the script:

stage('Analyze'){
  steps{
    dir('covid-sim'){
      bat"""
        PVS-Studio_Cmd.exe -t covid-sim.sln 
        IF %ERRORLEVEL% == 256 SET /A \"ERRORLEVEL=0\"
        EXIT /B %ERRORLEVEL%
      """
    }
  }
}

Note. The analysis may run differently depending on the operating system and the programming language of the project being analyzed. You can consult the PVS‑Studio documentation to find the guidelines on how to run the analysis specifically for your case.

The exit code 256 of the PVS-Studio_Cmd.exe utility indicates that potential errors have been detected in the project. This step will create the 'covid-sim.plog' report in the project directory.

After the report is received, we need to convert it to a special format. Let's add a conversion step to our pipeline:

stage('Convert'){
  steps{
    dir('covid-sim'){
      bat """
        PlogConverter.exe -t DefectDojo -a GA:1,2,3 covid-sim.plog
      """
    }
  }
}

The command uses the following parameters:

  • -t — formats to which the report will be converted.
  • -a — a warning filter. In our case, only the warnings from the general diagnostic group will remain.

The DefectDojo format is available in PlogConverter that comes with PVS-Studio 7.26. You can learn more about the conversion utility in the documentation.

This step will create the 'covid-sim.plog.defectdojo.json' report. That's what we need to upload to DefectDojo. To make it possible, let's add the following step to the pipeline:

stage('Upload report'){
  steps{
    dir('covid-sim'){
      bat"""
        curl -X POST ^
        -H Authorization:"Token 44ac826dc4f3b6add1161dab11b49402618efaba" ^
        -F scan_type="Generic Findings Import" ^
        -F file=@covid-sim.plog.defectdojo.json ^
        -F engagement=6 ^
        -H Content-Type:multipart/form-data ^
        -H accept:application/json ^
        http://localhost:8080/api/v2/import-scan/
      """
    }
  }
}

Specify the path to the report in the 'file' parameter. In the 'engagement' parameter, specify the number of the engagement to which the report will be loaded.

The token for this command can be obtained from the API v2 Key page.

1062_Integrating_PVS-Studio_with_DefectDojo/image5.png

1062_Integrating_PVS-Studio_with_DefectDojo/image6.png

Handling the PVS-Studio report in DefectDojo

Upon completion of the previous step, the report should appear in the specified engagement.

1062_Integrating_PVS-Studio_with_DefectDojo/image7.png

The last uploaded report is the first in the list (if there are no other types of reports in the engagement). Click the report to open a page with a list of analyzer warnings.

1062_Integrating_PVS-Studio_with_DefectDojo/image8.png

DefectDojo supports filtering and sorting warnings by various parameters including certainty levels, the CWE number, status, etc.

Click the 'Name' field to open a warning description.

1062_Integrating_PVS-Studio_with_DefectDojo/image9.png

There you can find a detailed description of the error and its location.

All messages will have the 'Inactive' status once the report is uploaded. When you start working with a warning, change its status to 'Active'. You will then be able to find this message in the 'Findings' tab.

1062_Integrating_PVS-Studio_with_DefectDojo/image10.png

After checking the warning, mark it as either 'Verified' and 'Mitigated' if you fixed the error, or 'False Positive' if the warning was false.

1062_Integrating_PVS-Studio_with_DefectDojo/image11.png

Let's label several warnings as false. The check statistics will be displayed on the engagement description page.

1062_Integrating_PVS-Studio_with_DefectDojo/image12.png

Quality Gate in DefectDojo

DefectDojo is a flexible tool that can be customized to fit your needs. This allows it to be integrated into custom processes. DefectDojo has an API that you can use to automate and customize your work. Let's look at how to implement a mechanism like Quality Gate using an API.

Quality Gate indicates whether the project's code complies with the threshold values of metrics. Code quality and code security are inseparable. Quality Gate prevents code that fails to comply with standards from being implemented.

I wrote a small Python script to implement Quality Gate. You can find and download it here. The script retrieves the latest uploaded report from the provided engagement, determines the number of warnings by certainty levels, and compares it with the reference value.

Let's add a new step to the Jenkins pipeline to automate the Quality Gate check.

stage('Quality Gate'){
  steps{
    dir('defectdojo'){
      sleep(time:10,unit:"SECONDS")
      bat """
        python ./qualitygate.py --engagement 1 ^
                         --critical 0 --high 10 ^
                         --medium 50 --low 250
      """
    }
  }
}

As we can see from the example above, the pipeline step will fail if the report contains at least one Critical warning or more than 10 High, 50 Medium, 250 Low warnings.

The delay before executing the script is necessary because we uploaded the report, and the DefectDojo server needs time to process it.

Set the DD_HOST and DD_API_TOKEN environment variables so that the script can work. To do this, add an environment block to the pipeline.

environment {
  DD_HOST = 'http://localhost:8080/'
  DD_API_TOKEN='44ac826dc4f3b6add1161dab11b49402618efaba'
}

Conclusion

As we have seen, setting up the PVS-Studio report in DefectDojo is quite simple. This allows us to easily handle the warnings issued by the analyzer and manage their fixing.

If you have read this article and now want to use these tools together, you can download the analyzer and find out more about DefectDojo.

Popular related articles


Comments (0)

Next comments next comments
close comment form