Appendix 16. Security defect templates
Up-to-date templates for all security defect types can be found in the GitHub repository with defect templates.
Basic examples of templates for the different security defect types
Basic examples of ready-made templates of all types are given below.
SAST
<#-- Row helpers: emit a table row only when the value is set; a field that does not belong to the issue type arrives as an empty string -->
<#macro tableRowIfParamIsNotEmptyString name param>
<#if param!="">
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#-- Date/time values are checked for presence with ?? rather than against an empty string -->
<#macro tableRowIfParamIsNotEmptyDateTime name param>
<#if param??>
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#-- Renders "#<id>: <name>" for objects that carry an identifier and a name (scan object, release object) -->
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
<#if param1?? && param2!="">
<tr>
<th>${name}</th>
<td>#${param1}: ${param2}</td>
</tr>
</#if>
</#macro>
<h3>Scan target info:</h3>
<#-- Take the issue with the most recent scan; its lastScan describes the scan this notification is about -->
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
<#list firstIssue.lastScan.scanTarget as target>
<@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
<@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
<@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
<@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
<@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
<@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
<@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
</#list>
<@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
<@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>
<h3>Issues brief info:</h3>
<#if issues?size gt 1>
<table>
<tr>
<th>ID</th>
<th>File</th>
<th>Severity</th>
<th>Tool</th>
<th>Category</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.path[0].fileName}:${issue.path[0].line}</td>
<td>${issue.severity}</td>
<td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
<td>${issue.category}</td>
</tr>
</#list>
</table>
</#if>
<#if issues?size == 1>
<#list issues as issue>
<p>ID: <a href="${issue.link}">${issue.id}</a></p>
<p>File: ${issue.path[0].fileName}:${issue.path[0].line}</p>
<p>Severity: ${issue.severity}</p>
<p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
<p>Category: ${issue.category}</p>
</#list>
</#if>
<h3>Issues detailed info:</h3>
<table>
<tr>
<th>ID</th>
<th>Description</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td><p>Path</p><br>
<#list issue.path as item>
${item.fileName}:${item.line}<br><code>${item.sourceCode?html}</code><#sep><br></#sep>
</#list>
<br>
<p>Description</p><br>
${issue.description}
</td>
</tr>
</#list>
</table>
SCA Security
<#macro tableRowIfParamIsNotEmptyString name param>
<#if param!="">
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
<#if param??>
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
<#if param1?? && param2!="">
<tr>
<th>${name}</th>
<td>#${param1}: ${param2}</td>
</tr>
</#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
<#list firstIssue.lastScan.scanTarget as target>
<@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
<@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
<@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
<@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
<@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
<@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
<@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
</#list>
<@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
<@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>
<h3>Issues brief info:</h3>
<#if issues?size gt 1>
<table>
<tr>
<th>ID</th>
<th>Component</th>
<th>Severity</th>
<th>Tool</th>
<th>Vulnerability</th>
<#if issues[0].foundBy=="trivy">
<th>Fix Version</th>
</#if>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.title}</td>
<td>${issue.severity}</td>
<td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
<td><a href="${issue.cve.link}">${issue.cve.id}</a></td>
<#if issue.foundBy=="trivy">
<td>${issue.fixVersion}</td>
</#if>
</tr>
</#list>
</table>
</#if>
<#if issues?size == 1>
<#list issues?sort_by("severity") as issue>
<p>ID: <a href="${issue.link}">${issue.id}</a></p>
<p>Component: ${issue.title}</p>
<p>Severity: ${issue.severity}</p>
<p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
<p>Vulnerability: <a href="${issue.cve.link}">${issue.cve.id}</a></p>
<#if issue.foundBy=="trivy"><p>Fix version: ${issue.fixVersion}</p></#if>
</#list>
</#if>
<h3>Issues detailed info:</h3>
<table>
<tr>
<th>ID</th>
<th>Description</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.description}</td>
</tr>
</#list>
</table>
SCA Compliance
<#macro tableRowIfParamIsNotEmptyString name param>
<#if param!="">
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
<#if param??>
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
<#if param1?? && param2!="">
<tr>
<th>${name}</th>
<td>#${param1}: ${param2}</td>
</tr>
</#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
<#list firstIssue.lastScan.scanTarget as target>
<@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
<@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
<@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
<@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
<@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
<@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
<@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
</#list>
<@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
<@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>
<h3>Issues brief info:</h3>
<#if issues?size gt 1>
<table>
<tr>
<th>ID</th>
<th>Component</th>
<th>Severity</th>
<th>Tool</th>
<th>Category</th>
<th>Threat group</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.title}</td>
<td>${issue.severity}</td>
<td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
<td>${issue.category}</td>
<td>${issue.threatGroup}</td>
</tr>
</#list>
</table>
</#if>
<#if issues?size == 1>
<#list issues as issue>
<p>ID: <a href="${issue.link}">${issue.id}</a></p>
<p>Component: ${issue.title}</p>
<p>Severity: ${issue.severity}</p>
<p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
<p>Category: ${issue.category}</p>
<p>Threat group: ${issue.threatGroup}</p>
</#list>
</#if>
<h3>Issues detailed info:</h3>
<table>
<tr>
<th>ID</th>
<th>Description</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.description}</td>
</tr>
</#list>
</table>
DAST
<#macro tableRowIfParamIsNotEmptyString name param>
<#if param!="">
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
<#if param??>
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
<#if param1?? && param2!="">
<tr>
<th>${name}</th>
<td>#${param1}: ${param2}</td>
</tr>
</#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
<#list firstIssue.lastScan.scanTarget as target>
<@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
<@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
<@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
<@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
<@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
<@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
<@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
</#list>
<@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
<@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>
<h3>Issues brief info:</h3>
<#if issues?size gt 1>
<table>
<tr>
<th>ID</th>
<th>Location</th>
<th>Severity</th>
<th>Tool</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.title}</td>
<td>${issue.severity}</td>
<td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
</tr>
</#list>
</table>
</#if>
<#if issues?size == 1>
<#list issues as issue>
<p>ID: <a href="${issue.link}">${issue.id}</a></p>
<p>Location: ${issue.title}</p>
<p>Severity: ${issue.severity}</p>
<p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
</#list>
</#if>
<h3>Issues detailed info:</h3>
<table>
<tr>
<th>ID</th>
<th>Description</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.description}</td>
</tr>
</#list>
</table>
Summary
Template parameters
Note
If a parameter that does not belong to the selected defect type is used, an empty string is rendered in the defect description. The usage examples below give the parameter path; in the templates above the same values are read per element inside <#list issues as issue> (for example ${issue.id} or ${issue.path[0].fileName}).
For security issues (issues)
Parameter | Sub-fields | SAST | SCA Sec. | SCA Com. | DAST | Usage example
---|---|---|---|---|---|---
Issue type (type) | — | SAST | SCA Sec. | SCA Com. | DAST | ${issues.type}
Issue description (description) | — | + | + | + | + | ${issues.description}
Path (path) | fileName, line, sourceCode | + | — | — | — | ${issues.path.fileName} ${issues.path.line} ${issues.path.sourceCode}
Comments (comments) | author, text | + | + | + | + | ${issues.comments.author} ${issues.comments.text}
Recommendation (recommendation) | — | + | + | + | + | ${issues.recommendation}
Issue identifier (id) | — | + | + | + | + | ${issues.id}
Severity (severity) | — | + | + | + | + | ${issues.severity}
Name of the tool that found the issue (foundBy) | — | + | + | + | + | ${issues.foundBy}
Link to the vulnerability in the tool (externalLink) | — | + | + | + | + | ${issues.externalLink}
Vulnerability category (category) | — | + | + | + | + | ${issues.category}
CWE (cwes) | id, link | + | + | — | + | ${issues.cwes.id} ${issues.cwes.link}
Source code language (language) | — | + | — | — | — | ${issues.language}
Related scan object (scanObject) | id, name | + | + | + | + | ${issues.scanObject.id} ${issues.scanObject.name}
Last scan (lastScan) | date, initiator, environment, scanTarget.branch, scanTarget.commit, scanTarget.version, scanTarget.build, scanTarget.url | + | + | + | + | ${issues.lastScan.date} ${issues.lastScan.initiator} ${issues.lastScan.environment} ${issues.lastScan.scanTarget.branch} ${issues.lastScan.scanTarget.commit} ${issues.lastScan.scanTarget.version} ${issues.lastScan.scanTarget.build} ${issues.lastScan.scanTarget.url}
Release object related to the issue (releaseObject) | id, name | + | + | + | + | ${issues.releaseObject.id} ${issues.releaseObject.name}
AVC information (avc) | status, accuracy | + | — | — | — | ${issues.avc.status} ${issues.avc.accuracy}
Issue creation date (created) | — | + | + | + | + | ${issues.created}
Issue update date (updated) | — | + | + | + | + | ${issues.updated}
Link to the issue in the AppSec.Hub UI (<hub-url>/#/appprofile/{appId}/issues/{issueType}/{issueId}) (link) | — | + | + | + | + | ${issues.link}
Issue title (title) | — | file name | component name | component name | URL | ${issues.title}
Package names (packages) | — | — | + | — | — | ${issues.packages}
CVE object (cve) | id, link | — | + | — | — | ${issues.cve.id} ${issues.cve.link}
CVSS (cvss) | score | — | + | — | — | ${issues.cvss.score}
For applications (application)
Parameter | Usage example
---|---
Application name (name) | ${application.name}
Application identifier (id) | ${application.id}
Link to the application in AppSec.Hub (link) | ${application.link}
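A way to check a template before uploading it, as an added example that is not AppSec.Hub's own code: the Java program below renders a small template with the FreeMarker library against a constructed model of two issues and one application. The model shape (an `issues` sequence and an `application` hash with the field names from the tables above, absent fields represented as empty strings as the note above describes), the hub URLs and the sample issue values are assumptions made for the example. It makes two points the templates above show only in passing: fields that exist for one issue type only (`path`, `cve`) are guarded with `?has_content` and `?is_hash` instead of being read unconditionally, and every value that originates from the scanned artifact (file names, source lines, the URL that DAST puts in `title`) is passed through `?html`, as the SAST template already does for `sourceCode`. A file name or URL chosen by whoever can commit to the scanned repository would otherwise land in the defect description as live markup.

```java
// Added example (not AppSec.Hub code): render a defect template offline with
// FreeMarker against a constructed model, so the template can be checked
// before it is uploaded. Model shape, URLs and sample values are assumptions.
import freemarker.cache.StringTemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class TemplateCheck {

    // Template under test: same row-helper style as the page's templates, but
    // values taken from the scanned artifact go through ?html, and fields that
    // only some issue types have are guarded before they are dereferenced.
    static final String TEMPLATE = """
        <#macro rowIfNotEmpty name param>
        <#if param?has_content><tr><th>${name}</th><td>${param?html}</td></tr></#if>
        </#macro>
        <h3>${application.name?html} (#${application.id?c})</h3>
        <table>
        <#list issues?sort_by("severity") as issue>
        <tr><td><a href="${issue.link}">${issue.id}</a></td><td>${issue.type}</td><td>${issue.severity}</td></tr>
        <@rowIfNotEmpty name="Title" param=issue.title/>
        <#if issue.path?has_content>
        <#list issue.path as item>
        <tr><th>Path</th><td>${item.fileName?html}:${item.line?c}<br><code>${item.sourceCode?html}</code></td></tr>
        </#list>
        </#if>
        <#if (issue.cve!"")?is_hash && issue.cve.id?has_content>
        <tr><th>CVE</th><td><a href="${issue.cve.link}">${issue.cve.id?html}</a></td></tr>
        </#if>
        </#list>
        </table>
        """;

    // Renders TEMPLATE against the given data model and returns the HTML.
    public static String render(Map<String, Object> model) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("defect.ftl", TEMPLATE);
        cfg.setTemplateLoader(loader);
        cfg.setDefaultEncoding("UTF-8");
        Template t = cfg.getTemplate("defect.ftl");
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // Constructed sample model: one SAST issue whose file name carries markup
    // (as it could if an attacker can name files in the scanned repository)
    // and one SCA issue that has a CVE but no path. Absent fields are "".
    static Map<String, Object> sampleModel() {
        Map<String, Object> sast = new LinkedHashMap<>();
        sast.put("id", "101"); sast.put("type", "SAST"); sast.put("severity", "High");
        sast.put("link", "https://hub.example/#/appprofile/1/issues/sast/101");
        sast.put("title", "<img src=x onerror=alert(1)>.java");
        sast.put("path", List.of(Map.of("fileName", "<img src=x onerror=alert(1)>.java",
                                        "line", 42,
                                        "sourceCode", "exec(\"<\" + cmd)")));
        sast.put("cve", "");            // not a SCA issue: empty string, per the note above

        Map<String, Object> sca = new LinkedHashMap<>();
        sca.put("id", "202"); sca.put("type", "SCA Sec."); sca.put("severity", "Critical");
        sca.put("link", "https://hub.example/#/appprofile/1/issues/sca/202");
        sca.put("title", "log4j-core 2.14.1");
        sca.put("path", "");            // not a SAST issue: no path
        sca.put("cve", Map.of("id", "CVE-2021-44228",
                              "link", "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"));

        Map<String, Object> model = new LinkedHashMap<>();
        model.put("application", Map.of("id", 1, "name", "demo-app"));
        model.put("issues", List.of(sast, sca));
        return model;
    }

    public static void main(String[] args) throws Exception {
        String html = render(sampleModel());
        System.out.println(html);
        // The constructed <img ...> file name must not reach the output unescaped.
        if (html.contains("<img src=x")) {
            throw new IllegalStateException("scanner-supplied value rendered as markup");
        }
    }
}
```

Run it with the freemarker jar on the classpath; the final check fails the run if the constructed `<img …>` file name reaches the output as markup. `description` is rendered unescaped in the templates above; keep that only for fields the hub itself supplies as HTML, and route everything that comes from the scanned code, dependency list or target URL through `?html`.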