Feature/lab12

.github/pull_request_template.md

@@ -0,0 +1,26 @@
+# Pull Request
+
+## Goal
+<!-- Describe the purpose of this PR in 1-2 sentences -->
+
+
+## Changes
+<!-- List the main changes made in this PR -->
+- 
+- 
+- 
+
+## Testing
+<!-- Describe how you verified these changes work correctly -->
+
+
+## Artifacts & Screenshots
+<!-- Include any relevant screenshots, logs, or other evidence -->
+
+
+---
+
+## Checklist
+- [ ] Clear, descriptive PR title
+- [ ] Documentation updated if needed
+- [ ] No secrets or large temporary files committed

labs/lab10/imports/import-grype-vuln-results.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":4,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":12,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":12},"low":{"active":3,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":3},"medium":{"active":32,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":32},"high":{"active":62,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":62},"critical":{"active":11,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":11},"total":{"active":120,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":120}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Anchore Grype","close_old_findings":false,"close_old_findings_product_scope":false,"test":4}

labs/lab10/imports/import-semgrep-results.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":2,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"medium":{"active":18,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":18},"high":{"active":7,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":7},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":25,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":25}}},"pro":["Did you know, Pro has an automated no-code connector for Semgrep JSON Report? Try today for free or email us at hello@defectdojo.com"],"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Semgrep JSON Report","close_old_findings":false,"close_old_findings_product_scope":false,"test":2}

labs/lab10/imports/import-trivy-vuln-detailed.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":3,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":18,"verified":18,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":18},"medium":{"active":36,"verified":34,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":36},"high":{"active":83,"verified":81,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":83},"critical":{"active":10,"verified":10,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":10},"total":{"active":147,"verified":143,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":147}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Trivy Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":3}

labs/lab10/imports/import-zap-report-noauth.json

@@ -0,0 +1 @@
+{"message":"['Internal error: Wrong file format, please use xml.']","pro":["Pro comes with support. Try today for free or email us at hello@defectdojo.com"]}

labs/lab10/imports/run-imports.sh

@@ -96,9 +96,10 @@ import_scan() {
     echo "SKIP: $scan_type file not found: $file"
     return 0
   fi
-  local base out
+  local base stem out
   base="$(basename "$file")"
-  out="$out_dir/import-${base//[^A-Za-z0-9_.-]/_}.json"
+  stem="${base%.*}"
+  out="$out_dir/import-${stem//[^A-Za-z0-9_.-]/_}.json"
   echo "Importing $scan_type from $file"
   curl -sS -X POST "$DD_API/import-scan/" \
     -H "Authorization: Token $DD_TOKEN" \

labs/lab10/report/dojo-report.html

@@ -0,0 +1,73 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <title>Lab 10 — Vulnerability program snapshot (Juice Shop)</title>
+  <style>
+    body { font-family: system-ui, sans-serif; max-width: 900px; margin: 2rem auto; line-height: 1.5; color: #222; }
+    h1 { font-size: 1.5rem; }
+    h2 { font-size: 1.15rem; margin-top: 1.75rem; }
+    table { border-collapse: collapse; width: 100%; margin: 1rem 0; }
+    th, td { border: 1px solid #ccc; padding: 0.4rem 0.6rem; text-align: left; }
+    th { background: #f4f4f4; }
+    .note { background: #fff8e6; border: 1px solid #e6c200; padding: 0.75rem 1rem; border-radius: 4px; }
+    footer { margin-top: 2rem; font-size: 0.85rem; color: #555; }
+  </style>
+</head>
+<body>
+  <h1>Vulnerability management snapshot — Juice Shop (labs)</h1>
+  <p><strong>Audience:</strong> engineering leads &amp; security stakeholders<br />
+     <strong>Source:</strong> OWASP DefectDojo (local Docker Compose), API v2 export on <strong>2026-04-09</strong><br />
+     <strong>Engagement:</strong> Labs Security Testing &nbsp;|&nbsp; <strong>Product:</strong> Juice Shop</p>
+
+  <div class="note">
+    <strong>Note on DAST coverage:</strong> The bundled ZAP output in this repo is <code>zap-report-noauth.json</code>.
+    The DefectDojo importer <strong>ZAP Scan</strong> rejected it (expects XML). DAST findings are therefore <strong>not</strong> included in the counts below.
+    Re-import after exporting a ZAP XML report, or add a JSON-capable pipeline (e.g. custom parser / alternate tool output).
+  </div>
+
+  <h2>Executive summary</h2>
+  <ul>
+    <li><strong>292</strong> active findings aggregated from Semgrep, Trivy, and Grype imports.</li>
+    <li>Severity is dominated by <strong>High</strong> (152) and <strong>Medium</strong> (86); <strong>Critical</strong> count is 21 — prioritize validation and patch paths for these first.</li>
+    <li><strong>143 / 292</strong> findings are already marked <em>verified</em>; the remainder still need analyst validation (false-positive review, severity tuning, ownership).</li>
+    <li><strong>21</strong> items show SLA horizon ≤ 14 days (expiration <strong>2026-04-16</strong> in API data); none are past due in this snapshot.</li>
+    <li>Recurring themes in CWE mapping include <strong>CWE-1333</strong>, <strong>CWE-22</strong>, <strong>CWE-79</strong>, and dependency-related issues — align remediation with dependency upgrades and secure coding standards.</li>
+  </ul>
+
+  <h2>Severity distribution</h2>
+  <table>
+    <thead><tr><th>Severity</th><th>Count</th></tr></thead>
+    <tbody>
+      <tr><td>Critical</td><td>21</td></tr>
+      <tr><td>High</td><td>152</td></tr>
+      <tr><td>Medium</td><td>86</td></tr>
+      <tr><td>Low</td><td>21</td></tr>
+      <tr><td>Info</td><td>12</td></tr>
+    </tbody>
+  </table>
+
+  <h2>Findings by scanner</h2>
+  <table>
+    <thead><tr><th>Scanner</th><th>Findings</th></tr></thead>
+    <tbody>
+      <tr><td>Semgrep JSON Report</td><td>25</td></tr>
+      <tr><td>Trivy Scan</td><td>147</td></tr>
+      <tr><td>Anchore Grype</td><td>120</td></tr>
+      <tr><td>ZAP Scan</td><td>0 (import blocked — wrong format)</td></tr>
+    </tbody>
+  </table>
+
+  <h2>Recommended next steps</h2>
+  <ol>
+    <li>Fix ZAP import path (XML export or alternate DAST importer) and re-run import for full stack visibility.</li>
+    <li>Drive down <strong>Critical</strong> and <strong>High</strong> through patching (Trivy/Grype) and targeted code fixes (Semgrep).</li>
+    <li>Complete verification on the 149 unverified items; mark false positives with rationale in Dojo.</li>
+    <li>Track the 21 near-term SLA items to closure before <strong>2026-04-16</strong>.</li>
+  </ol>
+
+  <footer>
+    Generated for coursework (Lab 10). Raw machine-readable export: <code>labs/lab10/report/findings.csv</code>.
+  </footer>
+</body>
+</html>