
Appendix 16. Security defect templates

Up-to-date templates for all security defect types can be found in the GitHub repository with defect templates.

Basic template examples for the different security defect types

Basic examples of ready-made templates for all types are given below.

SAST

<#macro tableRowIfParamIsNotEmptyString name param>
    <#if param!="">
        <tr>
            <th>${name}</th>
            <td>${param}</td>
        </tr>
    </#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
    <#if param??>
        <tr>
            <th>${name}</th>
            <td>${param}</td>
        </tr>
    </#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
    <#if param1?? && param2!="">
        <tr>
            <th>${name}</th>
            <td>#${param1}: ${param2}</td>
        </tr>
    </#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
    <#list firstIssue.lastScan.scanTarget as target>
        <@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
        <@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
        <@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
        <@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
        <@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
        <@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
        <@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
    </#list>
    <@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
    <@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>

<h3>Issues brief info:</h3>
<#if issues?size gt 1>
    <table>
        <tr>
            <th>ID</th>
            <th>File</th>
            <th>Severity</th>
            <th>Tool</th>
            <th>Category</th>
        </tr>

        <#list issues?sort_by("severity") as issue>
            <tr>
                <td><a href="${issue.link}">${issue.id}</a></td>
                <td>${issue.path[0].fileName}:${issue.path[0].line}</td>
                <td>${issue.severity}</td>
                <td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
                <td>${issue.category}</td>
            </tr>
        </#list>
    </table>
</#if>
<#if issues?size == 1>
    <#list issues as issue>
        <p>ID: <a href="${issue.link}">${issue.id}</a></p>
        <p>File: ${issue.path[0].fileName}:${issue.path[0].line}</p>
        <p>Severity: ${issue.severity}</p>
        <p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
        <p>Category: ${issue.category}</p>
    </#list>
</#if>

<h3>Issues detailed info:</h3>
<table>
    <tr>
        <th>ID</th>
        <th>Description</th>
    </tr>
    <#list issues?sort_by("severity") as issue>
        <tr>
            <td><a href="${issue.link}">${issue.id}</a></td>
            <td><p>Path</p><br>
                <#list issue.path as item>
                    ${item.fileName}:${item.line}<br><code>${item.sourceCode?html}</code><#sep><br></#sep>
                </#list>
                <br>
                <p>Description</p><br>
                ${issue.description}
            </td>
        </tr>
    </#list>
</table>

SCA Security

<#macro tableRowIfParamIsNotEmptyString name param>
    <#if param!="">
        <tr>
            <th>${name}</th>
            <td>${param}</td>
        </tr>
    </#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
    <#if param??>
        <tr>
            <th>${name}</th>
            <td>${param}</td>
        </tr>
    </#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
    <#if param1?? && param2!="">
        <tr>
            <th>${name}</th>
            <td>#${param1}: ${param2}</td>
        </tr>
    </#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
    <#list firstIssue.lastScan.scanTarget as target>
        <@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
        <@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
        <@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
        <@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
        <@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
        <@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
        <@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
    </#list>
    <@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
    <@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>

<h3>Issues brief info:</h3>
<#if issues?size gt 1>
    <table>
        <tr>
            <th>ID</th>
            <th>Component</th>
            <th>Severity</th>
            <th>Tool</th>
            <th>Vulnerability</th>
            <#if issues[0].foundBy=="trivy">
                <th>Fix Version</th>
            </#if>
        </tr>

        <#list issues?sort_by("severity") as issue>
            <tr>
                <td><a href="${issue.link}">${issue.id}</a></td>
                <td>${issue.title}</td>
                <td>${issue.severity}</td>
                <td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
                <td><a href="${issue.cve.link}">${issue.cve.id}</a></td>
                <#if issue.foundBy=="trivy">
                    <td>${issue.fixVersion}</td>
                </#if>
            </tr>
        </#list>
    </table>
</#if>
<#if issues?size == 1>
    <#list issues?sort_by("severity") as issue>
        <p>ID: <a href="${issue.link}">${issue.id}</a></p>
        <p>Component: ${issue.title}</p>
        <p>Severity: ${issue.severity}</p>
        <p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
        <p>Vulnerability: <a href="${issue.cve.link}">${issue.cve.id}</a></p>
        <#if issue.foundBy=="trivy"><p>Fix version: ${issue.fixVersion}</p></#if>
    </#list>
</#if>

<h3>Issues detailed info:</h3>
<table>
    <tr>
        <th>ID</th>
        <th>Description</th>
    </tr>
    <#list issues?sort_by("severity") as issue>
        <tr>
            <td><a href="${issue.link}">${issue.id}</a></td>
            <td>${issue.description}</td>
        </tr>
    </#list>
</table>

SCA Compliance

<#macro tableRowIfParamIsNotEmptyString name param>
    <#if param!="">
        <tr>
            <th>${name}</th>
            <td>${param}</td>
        </tr>
    </#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
    <#if param??>
        <tr>
            <th>${name}</th>
            <td>${param}</td>
        </tr>
    </#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
    <#if param1?? && param2!="">
        <tr>
            <th>${name}</th>
            <td>#${param1}: ${param2}</td>
        </tr>
    </#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
    <#list firstIssue.lastScan.scanTarget as target>
        <@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
        <@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
        <@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
        <@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
        <@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
        <@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
        <@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
    </#list>
    <@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
    <@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>

<h3>Issues brief info:</h3>
<#if issues?size gt 1>
    <table>
        <tr>
            <th>ID</th>
            <th>Component</th>
            <th>Severity</th>
            <th>Tool</th>
            <th>Category</th>
            <th>Threat group</th>
        </tr>

        <#list issues?sort_by("severity") as issue>
            <tr>
                <td><a href="${issue.link}">${issue.id}</a></td>
                <td>${issue.title}</td>
                <td>${issue.severity}</td>
                <td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
                <td>${issue.category}</td>
                <td>${issue.threatGroup}</td>
            </tr>
        </#list>
    </table>
</#if>
<#if issues?size == 1>
    <#list issues as issue>
        <p>ID: <a href="${issue.link}">${issue.id}</a></p>
        <p>Component: ${issue.title}</p>
        <p>Severity: ${issue.severity}</p>
        <p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
        <p>Category: ${issue.category}</p>
        <p>Threat group: ${issue.threatGroup}</p>
    </#list>
</#if>

<h3>Issues detailed info:</h3>
<table>
    <tr>
        <th>ID</th>
        <th>Description</th>
    </tr>
    <#list issues?sort_by("severity") as issue>
        <tr>
            <td><a href="${issue.link}">${issue.id}</a></td>
            <td>${issue.description}</td>
        </tr>
    </#list>
</table>

DAST

<#macro tableRowIfParamIsNotEmptyString name param>
    <#if param!="">
        <tr>
            <th>${name}</th>
            <td>${param}</td>
        </tr>
    </#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
    <#if param??>
        <tr>
            <th>${name}</th>
            <td>${param}</td>
        </tr>
    </#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
    <#if param1?? && param2!="">
        <tr>
            <th>${name}</th>
            <td>#${param1}: ${param2}</td>
        </tr>
    </#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
    <#list firstIssue.lastScan.scanTarget as target>
        <@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
        <@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
        <@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
        <@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
        <@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
        <@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
        <@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
    </#list>
    <@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
    <@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>

<h3>Issues brief info:</h3>
<#if issues?size gt 1>
    <table>
        <tr>
            <th>ID</th>
            <th>Location</th>
            <th>Severity</th>
            <th>Tool</th>
        </tr>

        <#list issues?sort_by("severity") as issue>
            <tr>
                <td><a href="${issue.link}">${issue.id}</a></td>
                <td>${issue.title}</td>
                <td>${issue.severity}</td>
                <td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
            </tr>
        </#list>
    </table>
</#if>
<#if issues?size == 1>
    <#list issues as issue>
        <p>ID: <a href="${issue.link}">${issue.id}</a></p>
        <p>Location: ${issue.title}</p>
        <p>Severity: ${issue.severity}</p>
        <p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
    </#list>
</#if>

<h3>Issues detailed info:</h3>
<table>
    <tr>
        <th>ID</th>
        <th>Description</th>
    </tr>
    <#list issues?sort_by("severity") as issue>
        <tr>
            <td><a href="${issue.link}">${issue.id}</a></td>
            <td>${issue.description}</td>
        </tr>
    </#list>
</table>

Summary

<#assign issue=issues?sort_by("severity")[0]>
${issue.severity?capitalize} ${issue.type} issues in ${issue.scanObject.name}
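To see what the `issues` model behind these templates has to look like when it is actually rendered, here is an added Java example (not code from this page or from AppSec.Hub) that runs the Summary template above, followed by a small brief table, through the FreeMarker library on a constructed issue list. The field names follow the parameter table in the next section; the issue values, the hub URL, the scan object and the class name are made up for the example. Unlike the page's own templates, which apply `?html` only to `sourceCode`, the brief table here escapes every tool-supplied field with `?html`, so markup characters in a component name render as text.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class RenderDefectTemplate {

    // The page's Summary template, followed by a brief table that escapes
    // every interpolated field with ?html (escaping added in this example).
    static final String TEMPLATE =
        "<#assign issue=issues?sort_by(\"severity\")[0]>\n"
      + "${issue.severity?capitalize} ${issue.type} issues in ${issue.scanObject.name}\n"
      + "<table>\n"
      + "<#list issues?sort_by(\"severity\") as issue>\n"
      + "<tr><td><a href=\"${issue.link?html}\">${issue.id?html}</a></td>"
      + "<td>${issue.title?html}</td><td>${issue.severity?html}</td>"
      + "<td>${issue.foundBy?html}</td></tr>\n"
      + "</#list>\n"
      + "</table>\n";

    // Constructed issue record using the parameter names from the table on this page.
    // The scan object, link and values are invented for the example.
    static Map<String, Object> issue(String id, String severity, String title, String foundBy) {
        Map<String, Object> scanObject = new HashMap<>();
        scanObject.put("id", 42);
        scanObject.put("name", "payments-service");
        Map<String, Object> m = new HashMap<>();
        m.put("id", id);
        m.put("severity", severity);
        m.put("type", "SCA Security");
        m.put("title", title);
        m.put("foundBy", foundBy);
        m.put("link", "https://hub.example/#/appprofile/1/issues/sca/" + id); // placeholder hub URL
        m.put("scanObject", scanObject);
        return m;
    }

    // Renders TEMPLATE against a model that exposes the list as "issues",
    // the same root variable the page's templates use.
    static String render(List<Map<String, Object>> issues) throws IOException, TemplateException {
        // The version constant must not exceed the FreeMarker version on the classpath.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setDefaultEncoding("UTF-8");
        Template t = new Template("summary", new StringReader(TEMPLATE), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("issues", issues);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        List<Map<String, Object>> issues = new ArrayList<>();
        issues.add(issue("1001", "medium", "lodash:4.17.15", "trivy"));
        // A component name containing markup characters, to show the effect of ?html.
        issues.add(issue("1002", "high", "libxml2 (<2.9.10 & !fixed)", "trivy"));
        System.out.println(render(issues));
    }
}
```

Two things the output makes visible. First, `sort_by("severity")` orders the values exactly as the model supplies them: with the lowercase strings used here the order is alphabetical, so "high" sorts before "medium" and the summary line reads "High SCA Security issues in payments-service"; whether that coincidence holds for every severity name depends on the values the platform passes in. Second, the page's macros test strings with `param!=""` and dates with `param??`, so a model that leaves a string field absent rather than empty would stop FreeMarker with a missing-variable error at the comparison; the example therefore supplies every string field, and the platform's note below that unsupported parameters render as empty strings is consistent with that contract.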

Template parameters

Note

If a template uses parameters that do not correspond to the selected defect type, empty strings are shown in their place in the defect description.

For security issues (issues)

| Parameter | Additional fields | Types (SAST / SCA Sec. / SCA Com. / DAST) | Usage example |
|---|---|---|---|
| Security issue type (type) | | SAST / SCA Sec. / SCA Com. / DAST | ${issues.type} |
| Security issue description (description) | | all | ${issues.description} |
| Path (path) | fileName, line, sourceCode | SAST | ${issues.path.fileName}, ${issues.path.line}, ${issues.path.sourceCode} |
| Comments (comments) | author, text | all | ${issues.comments.author}, ${issues.comments.text} |
| Recommendations (recommendation) | | all | ${issues.recommendation} |
| Security issue identifier (id) | | all | ${issues.id} |
| Severity (severity) | | all | ${issues.severity} |
| Name of the detecting tool (foundBy) | | all | ${issues.foundBy} |
| Link to the vulnerability in the tool (externalLink) | | all | ${issues.externalLink} |
| Vulnerability category (category) | | all | ${issues.category} |
| CWE (cwes) | id, link | + + + | ${issues.cwes.id}, ${issues.cwes.link} |
| Source code language (language) | | + | ${issues.language} |
| Related scanned object (scanObject) | id, name | all | ${issues.scanObject.id}, ${issues.scanObject.name} |
| Scan object (lastScan) | date, initiator, environment, scanTarget.branch, scanTarget.commit, scanTarget.version, scanTarget.build, scanTarget.url | all | ${issues.lastScan.date}, ${issues.lastScan.initiator}, ${issues.lastScan.environment}, ${issues.lastScan.scanTarget.branch}, ${issues.lastScan.scanTarget.commit}, ${issues.lastScan.scanTarget.version}, ${issues.lastScan.scanTarget.build}, ${issues.lastScan.scanTarget.url}, ${issues.scanObject.name} |
| Release object related to the issue (releaseObject) | id, name | all | ${issues.releaseObject.id}, ${issues.releaseObject.name} |
| AVC information (avc) | status, accuracy | + | ${issues.avc.status}, ${issues.avc.accuracy} |
| Issue creation date (created) | | all | ${issues.created} |
| Vulnerability update date (updated) | | all | ${issues.updated} |
| Link to the issue in the AppSec.Hub UI (<hub-url>/#/appprofile/{appId}/issues/{issueType}/{issueId}) (link) | | all | ${issues.link} |
| Issue title (title) | | SAST: file name; SCA Sec.: component name; SCA Com.: component name; DAST: URL | ${issues.title} |
| Package names (packages) | | + | ${issues.packages} |
| CVE object (cve) | id, link | SCA Sec. | ${issues.cve.id}, ${issues.cve.link} |
| CVSS (cvss) | score | + | ${issues.cvss.score} |

For applications (application)

| Parameter | Usage example |
|---|---|
| Application name (name) | ${application.name} |
| Application identifier (id) | ${application.id} |
| Link to the application in AppSec.Hub (link) | ${application.link} |