DefectDojo has the ability to import reports from other security tools.
Arachni JSON report format.
Use the VulnerabilitiesSummary.xml file found in the zipped report download.
JSON report format
When the Burp report is generated, the recommended option is Base64 encoding both the request and response fields. These fields will be processed and made available in the ‘Finding View’ page.
‘Vulnerabilities’ section of the JSON report format.
Detailed XML Report
OWASP Dependency Check output can be imported in Xml format.
Generic Findings Import¶
Import Generic findings in CSV format.
Reports can be imported in the CSV, and .nessus (XML) report formats.
Nexpose XML 2.0 (Rapid7)¶
Use the full XML export template from Nexpose.
XML output (use -oX)
Node Security Platform¶
Node Security Platform (NSP) output file can be imported in JSON format.
Node Package Manager (NPM) Audit plugin output file can be imported in JSON format. Only imports the ‘advisories’ subtree.
Import OpenVAS Scan in CSV format. Export as CSV Results on OpenVAS.
Qualys output files can be imported in XML format. Qualys WebScan - Qualys WebScan output files can be imported in XML format.
Output of SKF Sprint summary export.
Snyk output file (snyk test –json > snyk.json) can be imported in JSON format.
JSON Output of ssllabs-scan cli.
JSON Output of Trufflehog.
Visual Code Grepper (VCG)¶
VCG output can be imported in CSV or Xml formats.
Detailed XML Report
Zed Attack Proxy¶
ZAP XML report format.
The importers analyze each report and create new Findings for each item reported. DefectDojo collapses duplicate Findings by capturing the individual hosts vulnerable.
Additionally, DefectDojo allows for re-imports of previously uploaded reports. DefectDojo will attempt to capture the deltas between the original and new import and automatically add or mitigate findings as appropriate.
Bulk import of findings can be done using a CSV file with the following column headers:
- Date: ::
- Date of the finding in mm/dd/yyyy format.
- Title: ::
- Title of the finding
- CweId: ::
- Cwe identifier, must be an integer value.
- Url: ::
- Url associated with the finding.
- Severity: ::
- Severity of the finding. Must be one of Info, Low, Medium, High, or Critical.
- Description: ::
- Description of the finding. Can be multiple lines if enclosed in double quotes.
- Mitigation: ::
- Possible Mitigations for the finding. Can be multiple lines if enclosed in double quotes.
- Impact: ::
- Detailed impact of the finding. Can be multiple lines if enclosed in double quotes.
- References: ::
- References associated with the finding. Can be multiple lines if enclosed in double quotes.
- Active: ::
- Indicator if the finding is active. Must be empty, True or False
- Verified: ::
- Indicator if the finding has been verified. Must be empty, True, or False
- FalsePositive: ::
- Indicator if the finding is a false positive. Must be empty, True, or False
- Duplicate: ::
- Indicator if the finding is a duplicate. Must be empty, True, or False