django-DefectDojo: Unable to import from Github vulnerability scan

Bug description: When I try to import a GitHub vulnerability scan using the template given at [https://defectdojo.github.io/django-DefectDojo/integrations/import/#github-vulnerability], I receive the error: An exception error occurred during the report import: Expecting value: line 1 column 1 (char 0).

I did some digging on the internet and found that on some Ubuntu systems python2.7 can't identify json even if it's a built-in function. Hence, I used the shebang #!/usr/local/bin python3 to prioritise python3, but I am still getting the error.

Steps to reproduce the behaviour:

  1. Go to ‘Products’
  2. Click on ‘Product name’
  3. Click on ‘Findings’ dropdown
  4. Click on ‘Import Scan Results’
  5. Select scan type as ‘Github Vulnerability Scan’
  6. Choose a report file to import

Expected behaviour: Issues should populate in Findings, because when I run the same Python script locally in a terminal it gives me the expected results.

Deployment method (select with an X)

  • Docker
  • Kubernetes
  • GoDojo
  • setup.bash / legacy-setup.bash

Environment information

  • Operating System: [e.g. Ubuntu 18.04.1]
  • DefectDojo Commit Message: [[2021-07-09 16:41:23 -0500] 24477ef3: Add release cadence to README (#4796) [ (HEAD -> master, origin/master, origin/HEAD)]

Sample scan files (optional)

#!/usr/bin/python3

import json
import requests

query = """
query getVulnerabilitiesByRepoAndOwner($name: String!, $owner: String!) {
  repository(name: $name, owner: $owner) {
    vulnerabilityAlerts(first: 100) {
      nodes {
        id
        createdAt
        securityVulnerability {
          severity
          package {
            name
            ecosystem
          }
          advisory {
            description
            summary
            identifiers {
              type
              value
            }
            references {
              url
            }
            cvss {
              vectorString
            }
          }
        }
        vulnerableManifestPath
      }
    }
  }
}
"""

token = '...' # generated from GitHub settings
header = {"Authorization": "Bearer " + token}


request = requests.post(url='https://api.github.com/graphql',
                        json={
                          "operationName": "getVulnerabilitiesByRepoAndOwner",
                          'query': query,
                          'variables': {
                            'name': '...',
                            'owner': '...'
                          }
                        },
                        headers=header)

result = request.json()
print(json.dumps(result, indent=2))


About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 16 (9 by maintainers)

Most upvoted comments

This is exactly what I did. When you are on version 2.1.0 it should work for you as well. Please make sure you are really using the same file that you uploaded here.

This report works fine with my 2.1.0 version: [screenshot]

Hi @vyastj, what you provided under Sample scan files is not the result of a scan but an example of a shell script to retrieve results from GitHub. Please attach an actual example of a vulnerability scan of GitLab, which must be a JSON file.
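As an added example (my own code, not DefectDojo's parser and not the reporter's script), the check below reads a candidate report shaped like the output of the GraphQL script above, using constructed sample data, and shows why uploading the script itself instead of its JSON output yields exactly the "Expecting value: line 1 column 1 (char 0)" message from the report. The response shape (data.repository.vulnerabilityAlerts.nodes) is taken from the query on the page; how DefectDojo maps those fields to findings is not reproduced here.

```python
import json

# Constructed sample (not real scan data): the shape the GraphQL script above prints.
SAMPLE_REPORT = json.dumps({"data": {"repository": {"vulnerabilityAlerts": {"nodes": [
    {"id": "alert-1", "createdAt": "2021-07-01T00:00:00Z",
     "securityVulnerability": {"severity": "HIGH",
         "package": {"name": "lodash", "ecosystem": "NPM"},
         "advisory": {"summary": "Prototype pollution", "description": "constructed",
             "identifiers": [{"type": "GHSA", "value": "GHSA-placeholder"}],
             "references": [{"url": "https://example.invalid/advisory"}],
             "cvss": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}},
     "vulnerableManifestPath": "package-lock.json"},
    {"id": "alert-2", "createdAt": "2021-07-02T00:00:00Z",
     "securityVulnerability": {"severity": "MODERATE",
         "package": {"name": "requests", "ecosystem": "PIP"},
         "advisory": {"summary": "constructed", "description": "constructed",
             "identifiers": [], "references": [], "cvss": {"vectorString": ""}}},
     "vulnerableManifestPath": "requirements.txt"},
]}}}})

# What the reporter attached by mistake: the collector script itself, not its output.
SAMPLE_SCRIPT = "#!/usr/bin/python3\n\nimport json\nimport requests\n"


def check_github_report(text):
    """Return (ok, message, nodes) for a candidate report. Non-JSON input fails the way
    the issue describes: json.loads raises 'Expecting value: line 1 column 1 (char 0)'."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        hint = ("looks like the collector script, not its JSON output"
                if text.lstrip().startswith("#!") else "not valid JSON")
        return False, f"{hint}: {exc}", []
    if isinstance(doc, dict) and doc.get("errors"):  # GraphQL-level errors, e.g. bad token
        msgs = "; ".join(e.get("message", "?") for e in doc["errors"])
        return False, "GraphQL errors: " + msgs, []
    try:
        nodes = doc["data"]["repository"]["vulnerabilityAlerts"]["nodes"]
    except (KeyError, TypeError):
        return False, "missing data.repository.vulnerabilityAlerts.nodes", []
    return True, f"{len(nodes)} alert(s) found", nodes


def severity_counts(nodes):
    """Count alerts per GitHub severity so the upload can be sanity-checked."""
    counts = {}
    for node in nodes:
        sev = node["securityVulnerability"]["severity"]
        counts[sev] = counts.get(sev, 0) + 1
    return counts
```

Running check_github_report over the file before uploading it separates "wrong file attached" from a genuine parser problem, which is the distinction the maintainers asked for in this thread.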