DefectDojo Report

DefectDojo Report is a tool made to export the security debt of an application from DefectDojo with support for additional features:

• Calculation of the resultant criticity from the impact (severity), the ease of exploitation (set using a tag) and a mapping matrix
• Support for additional information provided using tags:
  • Audit origin
  • Vulnerability fix under the service provider responsibility
• Generation of customizable reports in HTML, CSV and JSON formats
• Aggregation of the debt associated to multiple products

Usage

Install Node.js >= 18 and NPM, then run the following commands:

npm i -g defectdojo-report
defectdojo-report [options]

Run defectdojo-report --help to show the help message.

Options are documented here: src/cli.js.

A proxy can be configured using the conventional http_proxy, https_proxy and no_proxy environment variables.

Example

The following command allows to export the security debt associated to the product product-name and the engagement engagement-name to 2 files (./secdebt.csv and ./secdebt.html) including only active and not out of scope vulnerabilities:

defectdojo-report                                          \
  --url "https://defectdojo.acme.corp:8080"                \
  --token "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"       \
  --product "product-name" --engagement "engagement-name"  \
  --status "active,!out_of_scope"                          \
  --output "./secdebt"     --format "csv,html"             \
  --config "./config.json"

The config.json file (optional) allows to customize the tool configuration, e.g. :

{
  "title": "Custom HTML report title",
  "criticities": ["unknown", "low", "moderate", "high", "critical"]
}

License

DefectDojo Report is licensed under the GNU General Public License.