Feature/lab12

labs/lab10/imports/import-grype-vuln-results.json.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":5,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":12,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":12},"low":{"active":3,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":3},"medium":{"active":32,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":32},"high":{"active":64,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":64},"critical":{"active":11,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":11},"total":{"active":122,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":122}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Anchore Grype","close_old_findings":false,"close_old_findings_product_scope":false,"test":5}

labs/lab10/imports/import-nuclei-results.json.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":4,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":3,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":3},"low":{"active":1,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":1},"medium":{"active":3,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":3},"high":{"active":1,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":1},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":8,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":8}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Nuclei Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":4}

labs/lab10/imports/import-semgrep-results.json.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":2,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"medium":{"active":5,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":5},"high":{"active":3,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":3},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":8,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":8}}},"pro":["Did you know, Pro has an automated no-code connector for Semgrep JSON Report? Try today for free or email us at hello@defectdojo.com"],"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Semgrep JSON Report","close_old_findings":false,"close_old_findings_product_scope":false,"test":2}

labs/lab10/imports/import-trivy-vuln-detailed.json.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":3,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"low":{"active":18,"verified":18,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":18},"medium":{"active":36,"verified":34,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":36},"high":{"active":83,"verified":81,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":83},"critical":{"active":10,"verified":10,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":10},"total":{"active":147,"verified":143,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":147}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"Trivy Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":3}

labs/lab10/imports/import-zap-report-noauth.json.json

@@ -0,0 +1 @@
+{"message":"['Internal error: Wrong file format, please use xml.']","pro":["Pro comes with support. Try today for free or email us at hello@defectdojo.com"]}

labs/lab10/imports/import-zap-report-noauth.xml.json

@@ -0,0 +1 @@
+{"minimum_severity":"Info","active":false,"verified":false,"endpoint_to_add":null,"product_type_name":"Engineering","product_name":"Juice Shop","engagement_name":"Labs Security Testing","auto_create_context":true,"deduplication_on_engagement":false,"lead":null,"push_to_jira":false,"api_scan_configuration":null,"create_finding_groups_for_all_findings":true,"test_id":6,"engagement_id":1,"product_id":1,"product_type_id":2,"statistics":{"after":{"info":{"active":2,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":2},"low":{"active":4,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":4},"medium":{"active":1,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":1},"high":{"active":2,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":2},"critical":{"active":0,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":0},"total":{"active":9,"verified":0,"duplicate":0,"false_p":0,"out_of_scope":0,"is_mitigated":0,"risk_accepted":0,"total":9}}},"apply_tags_to_findings":false,"apply_tags_to_endpoints":false,"scan_type":"ZAP Scan","close_old_findings":false,"close_old_findings_product_scope":false,"test":6}

labs/lab10/imports/run-imports.sh

@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# Batch import helper for Lab 10
-# - Auto-detects scan_type names from your Dojo instance
+# Batch import helper for Lab 10 (macOS-compatible)
+# - Uses hardcoded scan_type names (known-good defaults for DefectDojo)
 # - Imports whichever files exist among ZAP, Semgrep, Trivy, Nuclei (and optional Grype)
 #
 # Usage:
@@ -14,19 +14,17 @@ set -euo pipefail
 #   export DD_ENGAGEMENT="${DD_ENGAGEMENT:-Labs Security Testing}"
 #   bash labs/lab10/imports/run-imports.sh
 
-here_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+here_dir="$(cd "$(dirname "$0")" && pwd)"
 out_dir="$here_dir"
 
-require_env() {
-  local name="$1"
-  if [[ -z "${!name:-}" ]]; then
-    echo "ERROR: env var $name is required" >&2
-    exit 1
-  fi
-}
-
-require_env DD_API
-require_env DD_TOKEN
+if [ -z "${DD_API:-}" ]; then
+  echo "ERROR: env var DD_API is required" >&2
+  exit 1
+fi
+if [ -z "${DD_TOKEN:-}" ]; then
+  echo "ERROR: env var DD_TOKEN is required" >&2
+  exit 1
+fi
 
 DD_PRODUCT_TYPE="${DD_PRODUCT_TYPE:-Engineering}"
 DD_PRODUCT="${DD_PRODUCT:-Juice Shop}"
@@ -38,48 +36,11 @@ echo "  DD_PRODUCT_TYPE=$DD_PRODUCT_TYPE"
 echo "  DD_PRODUCT=$DD_PRODUCT"
 echo "  DD_ENGAGEMENT=$DD_ENGAGEMENT"
 
-have_jq=true
-command -v jq >/dev/null 2>&1 || have_jq=false
-if ! $have_jq; then
-  echo "WARN: jq not found; falling back to defaults for scan_type names." >&2
-fi
-
-# Discover scan type names from your instance if jq is available
-SCAN_ZAP="${SCAN_ZAP:-}"
-SCAN_SEMGREP="${SCAN_SEMGREP:-}"
-SCAN_TRIVY="${SCAN_TRIVY:-}"
-SCAN_NUCLEI="${SCAN_NUCLEI:-}"
-
-if $have_jq; then
-  echo "Discovering importer names from /test_types/ ..."
-  mapfile -t types < <(curl -sS -H "Authorization: Token $DD_TOKEN" "$DD_API/test_types/?limit=2000" | jq -r '.results[].name')
-  choose_type() {
-    local pat="$1"
-    local fallback="$2"
-    local val=""
-    for t in "${types[@]}"; do
-      if [[ "$t" =~ $pat ]]; then val="$t"; break; fi
-    done
-    if [[ -z "$val" ]]; then val="$fallback"; fi
-    echo "$val"
-  }
-  SCAN_ZAP="${SCAN_ZAP:-$(choose_type '^ZAP' 'ZAP Scan')}"
-  SCAN_SEMGREP="${SCAN_SEMGREP:-$(choose_type '^Semgrep' 'Semgrep JSON Report')}"
-  SCAN_TRIVY="${SCAN_TRIVY:-$(choose_type '^Trivy' 'Trivy Scan')}"
-  SCAN_NUCLEI="${SCAN_NUCLEI:-$(choose_type '^Nuclei' 'Nuclei Scan')}"
-  # Grype importer (commonly named "Anchore Grype")
-  if [[ -z "${SCAN_GRYPE:-}" ]]; then
-    SCAN_GRYPE=$(printf '%s\n' "${types[@]}" | grep -i '^Anchore Grype' | head -n1)
-    if [[ -z "$SCAN_GRYPE" ]]; then
-      SCAN_GRYPE=$(printf '%s\n' "${types[@]}" | grep -i 'Grype' | head -n1)
-    fi
-  fi
-else
-  SCAN_ZAP="${SCAN_ZAP:-ZAP Scan}"
-  SCAN_SEMGREP="${SCAN_SEMGREP:-Semgrep JSON Report}"
-  SCAN_TRIVY="${SCAN_TRIVY:-Trivy Scan}"
-  SCAN_NUCLEI="${SCAN_NUCLEI:-Nuclei Scan}"
-fi
+# Use known scan_type names for DefectDojo
+SCAN_ZAP="${SCAN_ZAP:-ZAP Scan}"
+SCAN_SEMGREP="${SCAN_SEMGREP:-Semgrep JSON Report}"
+SCAN_TRIVY="${SCAN_TRIVY:-Trivy Scan}"
+SCAN_NUCLEI="${SCAN_NUCLEI:-Nuclei Scan}"
 SCAN_GRYPE="${SCAN_GRYPE:-Anchore Grype}"
 
 echo "Importer names:"
@@ -92,13 +53,13 @@ echo "  Grype    = $SCAN_GRYPE"
 import_scan() {
   local scan_type="$1"; shift
   local file="$1"; shift
-  if [[ ! -f "$file" ]]; then
+  if [ ! -f "$file" ]; then
     echo "SKIP: $scan_type file not found: $file"
     return 0
   fi
   local base out
   base="$(basename "$file")"
-  out="$out_dir/import-${base//[^A-Za-z0-9_.-]/_}.json"
+  out="$out_dir/import-$(echo "$base" | sed 's/[^A-Za-z0-9_.-]/_/g').json"
   echo "Importing $scan_type from $file"
   curl -sS -X POST "$DD_API/import-scan/" \
     -H "Authorization: Token $DD_TOKEN" \
@@ -112,6 +73,7 @@ import_scan() {
     -F "close_old_findings=false" \
     -F "push_to_jira=false" \
     | tee "$out"
+  echo ""
 }
 
 # Candidate paths per tool

labs/lab10/report/dojo-report.html

@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<html><head><meta charset="utf-8"><title>DefectDojo Executive Report</title>
+<style>
+body { font-family: Arial, sans-serif; margin: 40px; color: #333; }
+h1 { color: #1a237e; border-bottom: 3px solid #1a237e; padding-bottom: 10px; }
+h2 { color: #283593; margin-top: 30px; }
+table { border-collapse: collapse; margin: 15px 0; width: 100%; }
+th, td { border: 1px solid #ddd; padding: 8px 12px; text-align: left; }
+th { background: #e8eaf6; font-weight: bold; }
+.sev { padding: 3px 10px; border-radius: 4px; color: white; font-weight: bold; }
+.box { background: #f5f5f5; padding: 20px; border-radius: 8px; margin: 15px 0; }
+.stat { display: inline-block; margin: 10px 20px; text-align: center; }
+.stat .num { font-size: 2em; font-weight: bold; }
+.stat .lbl { font-size: 0.9em; color: #666; }
+footer { margin-top: 40px; padding-top: 20px; border-top: 1px solid #ddd; color: #999; }
+</style></head><body>
+<h1>DefectDojo Executive Security Report</h1>
+<p><strong>Product:</strong> Juice Shop | <strong>Engagement:</strong> Labs Security Testing | <strong>Date:</strong> April 13, 2026</p>
+<h2>Executive Summary</h2>
+<div class="box">
+<p>This report consolidates vulnerability findings from <strong>5 security scanning tools</strong> (ZAP, Semgrep, Trivy, Nuclei, Grype) imported into OWASP DefectDojo for the Juice Shop application.</p>
+<div>
+<div class="stat"><div class="num" style="color:#d32f2f">21</div><div class="lbl">Critical</div></div>
+<div class="stat"><div class="num" style="color:#f57c00">153</div><div class="lbl">High</div></div>
+<div class="stat"><div class="num" style="color:#fbc02d">77</div><div class="lbl">Medium</div></div>
+<div class="stat"><div class="num" style="color:#388e3c">26</div><div class="lbl">Low</div></div>
+<div class="stat"><div class="num" style="color:#1976d2">17</div><div class="lbl">Info</div></div>
+</div>
+<p><strong>Total active findings: 294</strong> | All Open (none closed/mitigated yet).</p>
+</div>
+<h2>Findings by Severity</h2>
+<table><tr><th>Severity</th><th>Count</th><th>Percentage</th></tr>
+<tr><td><span class="sev" style="background:#d32f2f">Critical</span></td><td>21</td><td>7.1%</td></tr>
+<tr><td><span class="sev" style="background:#f57c00">High</span></td><td>153</td><td>52.0%</td></tr>
+<tr><td><span class="sev" style="background:#fbc02d">Medium</span></td><td>77</td><td>26.2%</td></tr>
+<tr><td><span class="sev" style="background:#388e3c">Low</span></td><td>26</td><td>8.8%</td></tr>
+<tr><td><span class="sev" style="background:#1976d2">Info</span></td><td>17</td><td>5.8%</td></tr>
+<tr style="font-weight:bold"><td>Total</td><td>294</td><td>100%</td></tr></table>
+<h2>Findings by Tool</h2>
+<table><tr><th>Tool</th><th>Findings</th><th>Share</th></tr>
+<tr><td>ZAP</td><td>9</td><td>3.1%</td></tr>
+<tr><td>Semgrep</td><td>8</td><td>2.7%</td></tr>
+<tr><td>Trivy</td><td>147</td><td>50.0%</td></tr>
+<tr><td>Nuclei</td><td>8</td><td>2.7%</td></tr>
+<tr><td>Grype</td><td>122</td><td>41.5%</td></tr>
+</table>
+<h2>Top CWE Categories</h2>
+<table><tr><th>CWE ID</th><th>Count</th></tr>
+<tr><td>CWE-1333: ReDoS</td><td>29</td></tr>
+<tr><td>CWE-407: Algorithmic Complexity</td><td>13</td></tr>
+<tr><td>CWE-22: Path Traversal</td><td>12</td></tr>
+<tr><td>CWE-79: XSS</td><td>6</td></tr>
+<tr><td>CWE-674: Uncontrolled Recursion</td><td>6</td></tr>
+<tr><td>CWE-1321: Prototype Pollution</td><td>6</td></tr>
+<tr><td>CWE-20: Improper Input Validation</td><td>6</td></tr>
+<tr><td>CWE-400: Uncontrolled Resource Consumption</td><td>5</td></tr>
+<tr><td>CWE-94: Code Injection</td><td>4</td></tr>
+<tr><td>CWE-200: Information Exposure</td><td>4</td></tr>
+</table>
+<h2>SLA and Risk Outlook</h2>
+<div class="box"><ul>
+<li><strong>Critical findings (21):</strong> Require immediate attention within 7 days per standard SLA.</li>
+<li><strong>High findings (153):</strong> Should be triaged and remediated within 30 days.</li>
+<li><strong>No findings are currently closed or mitigated</strong> - initial import baseline.</li>
+<li><strong>Next review date:</strong> April 27, 2026 (14 days from capture).</li>
+</ul></div>
+<h2>Recommendations</h2><ol>
+<li><strong>Patch dependencies:</strong> Update vulnerable npm and OS packages (Trivy/Grype).</li>
+<li><strong>Fix injection flaws:</strong> Address SQL injection and XSS (ZAP/Semgrep).</li>
+<li><strong>Harden security headers:</strong> Implement CSP, HSTS, X-Frame-Options.</li>
+<li><strong>Remove hardcoded secrets:</strong> Rotate and externalize JWT secrets.</li>
+<li><strong>Establish deduplication:</strong> Review Trivy/Grype overlaps to reduce noise.</li>
+</ol>
+<footer><p>Generated from OWASP DefectDojo | Product: Juice Shop | Report date: April 13, 2026</p></footer>
+</body></html>