Appendix 16. Security defect templates
Up-to-date templates for all security defect types can be found in the defect template GitHub repository.
Basic examples of templates for the various security defect types
Basic examples of ready-made templates of all types are given below.
SAST
<#macro tableRowIfParamIsNotEmptyString name param>
<#if param!="">
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
<#if param??>
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
<#if param1?? && param2!="">
<tr>
<th>${name}</th>
<td>#${param1}: ${param2}</td>
</tr>
</#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
<#list firstIssue.lastScan.scanTarget as target>
<@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
<@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
<@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
<@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
<@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
<@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
<@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
</#list>
<@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
<@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>
<h3>Issues brief info:</h3>
<#if issues?size gt 1>
<table>
<tr>
<th>ID</th>
<th>File</th>
<th>Severity</th>
<th>Tool</th>
<th>Category</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.path[0].fileName}:${issue.path[0].line}</td>
<td>${issue.severity}</td>
<td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
<td>${issue.category}</td>
</tr>
</#list>
</table>
</#if>
<#if issues?size == 1>
<#list issues as issue>
<p>ID: <a href="${issue.link}">${issue.id}</a></p>
<p>File: ${issue.path[0].fileName}:${issue.path[0].line}</p>
<p>Severity: ${issue.severity}</p>
<p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
<p>Category: ${issue.category}</p>
</#list>
</#if>
<h3>Issues detailed info:</h3>
<table>
<tr>
<th>ID</th>
<th>Description</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td><p>Path</p><br>
<#list issue.path as item>
${item.fileName}:${item.line}<br><code>${item.sourceCode?html}</code><#sep><br></#sep>
</#list>
<br>
<p>Description</p><br>
${issue.description}
</td>
</tr>
</#list>
</table>
SCA Security
<#macro tableRowIfParamIsNotEmptyString name param>
<#if param!="">
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
<#if param??>
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
<#if param1?? && param2!="">
<tr>
<th>${name}</th>
<td>#${param1}: ${param2}</td>
</tr>
</#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
<#list firstIssue.lastScan.scanTarget as target>
<@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
<@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
<@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
<@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
<@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
<@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
<@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
</#list>
<@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
<@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>
<h3>Issues brief info:</h3>
<#if issues?size gt 1>
<table>
<tr>
<th>ID</th>
<th>Component</th>
<th>Severity</th>
<th>Tool</th>
<th>Vulnerability</th>
<#if issues[0].foundBy=="trivy">
<th>Fix Version</th>
</#if>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.title}</td>
<td>${issue.severity}</td>
<td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
<td><a href="${issue.cve.link}">${issue.cve.id}</a></td>
<#if issue.foundBy=="trivy">
<td>${issue.fixVersion}</td>
</#if>
</tr>
</#list>
</table>
</#if>
<#if issues?size == 1>
<#list issues?sort_by("severity") as issue>
<p>ID: <a href="${issue.link}">${issue.id}</a></p>
<p>Component: ${issue.title}</p>
<p>Severity: ${issue.severity}</p>
<p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
<p>Vulnerability: <a href="${issue.cve.link}">${issue.cve.id}</a></p>
<#if issue.foundBy=="trivy"><p>Fix version: ${issue.fixVersion}</p></#if>
</#list>
</#if>
<h3>Issues detailed info:</h3>
<table>
<tr>
<th>ID</th>
<th>Description</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.description}</td>
</tr>
</#list>
</table>
SCA Compliance
<#macro tableRowIfParamIsNotEmptyString name param>
<#if param!="">
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
<#if param??>
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
<#if param1?? && param2!="">
<tr>
<th>${name}</th>
<td>#${param1}: ${param2}</td>
</tr>
</#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
<#list firstIssue.lastScan.scanTarget as target>
<@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
<@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
<@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
<@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
<@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
<@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
<@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
</#list>
<@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
<@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>
<h3>Issues brief info:</h3>
<#if issues?size gt 1>
<table>
<tr>
<th>ID</th>
<th>Component</th>
<th>Severity</th>
<th>Tool</th>
<th>Category</th>
<th>Threat group</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.title}</td>
<td>${issue.severity}</td>
<td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
<td>${issue.category}</td>
<td>${issue.threatGroup}</td>
</tr>
</#list>
</table>
</#if>
<#if issues?size == 1>
<#list issues as issue>
<p>ID: <a href="${issue.link}">${issue.id}</a></p>
<p>Component: ${issue.title}</p>
<p>Severity: ${issue.severity}</p>
<p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
<p>Category: ${issue.category}</p>
<p>Threat group: ${issue.threatGroup}</p>
</#list>
</#if>
<h3>Issues detailed info:</h3>
<table>
<tr>
<th>ID</th>
<th>Description</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.description}</td>
</tr>
</#list>
</table>
DAST
<#macro tableRowIfParamIsNotEmptyString name param>
<#if param!="">
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyDateTime name param>
<#if param??>
<tr>
<th>${name}</th>
<td>${param}</td>
</tr>
</#if>
</#macro>
<#macro tableRowIfParamIsNotEmptyIdName name param1 param2>
<#if param1?? && param2!="">
<tr>
<th>${name}</th>
<td>#${param1}: ${param2}</td>
</tr>
</#if>
</#macro>
<h3>Scan target info:</h3>
<#assign firstIssue=issues?sort_by(['lastScan','date'])?reverse[0]>
<table>
<#list firstIssue.lastScan.scanTarget as target>
<@tableRowIfParamIsNotEmptyDateTime name="Scan date" param=firstIssue.lastScan.date?datetime/>
<@tableRowIfParamIsNotEmptyIdName name="Scan target" param1=firstIssue.scanObject.id param2=firstIssue.scanObject.name />
<@tableRowIfParamIsNotEmptyString name="Branch" param=target.branch/>
<@tableRowIfParamIsNotEmptyString name="Commit" param=target.commit/>
<@tableRowIfParamIsNotEmptyString name="Version" param=target.version/>
<@tableRowIfParamIsNotEmptyString name="Build" param=target.build/>
<@tableRowIfParamIsNotEmptyString name="Target URL" param=target.url/>
</#list>
<@tableRowIfParamIsNotEmptyString name="Initiator" param=firstIssue.lastScan.initiator/>
<@tableRowIfParamIsNotEmptyString name="Environment" param=firstIssue.lastScan.environment/>
</table>
<h3>Issues brief info:</h3>
<#if issues?size gt 1>
<table>
<tr>
<th>ID</th>
<th>Location</th>
<th>Severity</th>
<th>Tool</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.title}</td>
<td>${issue.severity}</td>
<td><a href="${issue.externalLink}">${issue.foundBy}</a></td>
</tr>
</#list>
</table>
</#if>
<#if issues?size == 1>
<#list issues as issue>
<p>ID: <a href="${issue.link}">${issue.id}</a></p>
<p>Location: ${issue.title}</p>
<p>Severity: ${issue.severity}</p>
<p>Tool: <a href="${issue.externalLink}">${issue.foundBy}</a></p>
</#list>
</#if>
<h3>Issues detailed info:</h3>
<table>
<tr>
<th>ID</th>
<th>Description</th>
</tr>
<#list issues?sort_by("severity") as issue>
<tr>
<td><a href="${issue.link}">${issue.id}</a></td>
<td>${issue.description}</td>
</tr>
</#list>
</table>
Summary
Template parameters
Note
If a template uses parameters that do not correspond to the selected defect type, those fields are rendered as empty strings in the defect description.
For security issues (issues)
| Parameter | Additional fields | SAST | SCA Sec. | SCA Com. | DAST | Usage example |
|---|---|---|---|---|---|---|
| Security issue type (type) | — | SAST | SCA Sec. | SCA Com. | DAST | ${issues.type} |
| Security issue description (description) | — | + | + | + | + | ${issues.description} |
| Path (path) | fileName<br>line<br>sourceCode | + | — | — | — | ${issues.path.fileName}<br>${issues.path.line}<br>${issues.path.sourceCode} |
| Comments (comments) | author<br>text | + | + | + | + | ${issues.comments.author}<br>${issues.comments.text} |
| Recommendation (recommendation) | — | + | + | + | + | ${issues.recommendation} |
| Security issue identifier (id) | — | + | + | + | + | ${issues.id} |
| Severity (severity) | — | + | + | + | + | ${issues.severity} |
| Name of the detecting tool (foundBy) | — | + | + | + | + | ${issues.foundBy} |
| Link to the vulnerability in the tool (externalLink) | — | + | + | + | + | ${issues.externalLink} |
| Vulnerability category (category) | — | + | + | + | + | ${issues.category} |
| CWE (cwes) | id<br>link | + | + | — | + | ${issues.cwes.id}<br>${issues.cwes.link} |
| Source code language (language) | — | + | — | — | — | ${issues.language} |
| Related scanned object (scanObject) | id<br>name | + | + | + | + | ${issues.scanObject.id}<br>${issues.scanObject.name} |
| Scan (lastScan) | date<br>initiator<br>environment<br>scanTarget.branch<br>scanTarget.commit<br>scanTarget.version<br>scanTarget.build<br>scanTarget.url | + | + | + | + | ${issues.lastScan.date}<br>${issues.lastScan.initiator}<br>${issues.lastScan.environment}<br>${issues.lastScan.scanTarget.branch}<br>${issues.lastScan.scanTarget.commit}<br>${issues.lastScan.scanTarget.version}<br>${issues.lastScan.scanTarget.build}<br>${issues.lastScan.scanTarget.url} |
| Release object related to the issue (releaseObject) | id<br>name | + | + | + | + | ${issues.releaseObject.id}<br>${issues.releaseObject.name} |
| AVC information (avc) | status<br>accuracy | + | — | — | — | ${issues.avc.status}<br>${issues.avc.accuracy} |
| Issue creation date (created) | — | + | + | + | + | ${issues.created} |
| Vulnerability update date (updated) | — | + | + | + | + | ${issues.updated} |
| Link to the issue in the AppSec.Hub UI (<hub-url>/#/appprofile/{appId}/issues/{issueType}/{issueId}) (link) | — | + | + | + | + | ${issues.link} |
| Issue title (title) | — | file name | component name | component name | URL | ${issues.title} |
| Package names (packages) | — | — | + | — | — | ${issues.packages} |
| CVE object (cve) | id<br>link | — | + | — | — | ${issues.cve.id}<br>${issues.cve.link} |
| CVSS (cvss) | score | — | + | — | — | ${issues.cvss.score} |
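The note above says that a template referencing a field the selected defect type does not populate silently renders an empty string. The following added checker (not part of AppSec.Hub or the template repository) transcribes the availability matrix from the table and flags issue fields a template references that are either absent from the table or empty for the chosen type; the sample template fragment is constructed for the demonstration.

```python
import re

# Defect types as named in the parameter table of this appendix.
SAST, SCA_SEC, SCA_COM, DAST = "SAST", "SCA Sec.", "SCA Com.", "DAST"
ALL_TYPES = frozenset({SAST, SCA_SEC, SCA_COM, DAST})

# Availability matrix transcribed from the "issues" parameter table:
# top-level issue field -> defect types for which the field is populated.
ISSUE_FIELDS = {
    "type": ALL_TYPES, "description": ALL_TYPES, "comments": ALL_TYPES,
    "recommendation": ALL_TYPES, "id": ALL_TYPES, "severity": ALL_TYPES,
    "foundBy": ALL_TYPES, "externalLink": ALL_TYPES, "category": ALL_TYPES,
    "scanObject": ALL_TYPES, "lastScan": ALL_TYPES, "releaseObject": ALL_TYPES,
    "created": ALL_TYPES, "updated": ALL_TYPES, "link": ALL_TYPES, "title": ALL_TYPES,
    "path": frozenset({SAST}), "language": frozenset({SAST}), "avc": frozenset({SAST}),
    "cwes": frozenset({SAST, SCA_SEC, DAST}),
    "packages": frozenset({SCA_SEC}), "cve": frozenset({SCA_SEC}), "cvss": frozenset({SCA_SEC}),
}

# Matches "issue.x", "issues.x" or "firstIssue.x" (the loop and assign names
# used in the templates above) and captures the top-level field x.
REF_RE = re.compile(r"\b(?:issues?|firstIssue)\.([A-Za-z_]+)")


def check_template(template: str, defect_type: str) -> list[tuple[str, str]]:
    """Return (field, problem) pairs for issue fields the template references
    that are absent from the parameter table or empty for defect_type."""
    if defect_type not in ALL_TYPES:
        raise ValueError(f"unknown defect type: {defect_type}")
    problems = []
    for field in sorted(set(REF_RE.findall(template))):
        allowed = ISSUE_FIELDS.get(field)
        if allowed is None:
            problems.append((field, "not listed in the parameter table"))
        elif defect_type not in allowed:
            problems.append((field, f"renders as an empty string for {defect_type}"))
    return problems


# Constructed fragment that mixes SAST-only and SCA-only fields, as a DAST
# template would if it were copied from the wrong example.
SAMPLE = """<#list issues?sort_by("severity") as issue>
<td>${issue.path[0].fileName}:${issue.path[0].line}</td>
<td><a href="${issue.cve.link}">${issue.cve.id}</a></td>
<td>${issue.fixVersion}</td><td>${issue.severity}</td>
</#list>"""

if __name__ == "__main__":
    for field, problem in check_template(SAMPLE, DAST):
        print(f"{field}: {problem}")
```

Run it over a template before uploading it for a given defect type; any reported field will show up as a blank cell or paragraph in the generated defect.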
For applications (application)
| Parameter | Usage example |
|---|---|
| Application name (name) | ${application.name} |
| Application identifier (id) | ${application.id} |
| Link to the application in AppSec.Hub (link) | ${application.link} |