Skip to content

Commit ff2a37b

Browse files
skywalke34Maffooch
skywalke34
and
Maffooch
authored
Update Wiz parser documentation - Standard & SCA imports (#12259)
* Update Wiz Parser Documentation - Standard & SCA Update to Wiz Parser including detailed mapping between standard .csv format and SCA .csv format. * Update wiz.md Additional details of how to export Scanner & SCA findings. * Add `### Sample Scan Data` for tests + auto format --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
1 parent fcfb39c commit ff2a37b

File tree

1 file changed

+176
-3
lines changed
  • docs/content/en/connecting_your_tools/parsers/file

1 file changed

+176
-3
lines changed

docs/content/en/connecting_your_tools/parsers/file/wiz.md

Lines changed: 176 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,181 @@
11
---
2-
title: "Wiz Scanner"
2+
title: "Wiz Scanner Parser"
33
toc_hide: true
4+
weight: 1
45
---
5-
This parser imports scan results from [wiz](https://www.wiz.io/). You have to use Report Type *Standard* when you export the results. The file format will be .csv which is parsable within DefectDojo.
6+
7+
# Wiz Scanner Parser Documentation
8+
9+
## Overview
10+
11+
The [Wiz](https://www.wiz.io/) parser for DefectDojo supports imports from both Wiz Scanner Standard and SCA (Software Composition Analysis) .csv output from Wiz.io. This document details the parsing of both formats into DefectDojo field mappings, unmapped fields, and location of each field's parsing code for easier troubleshooting and analysis.
12+
13+
## Supported File Types
14+
15+
The Wiz parser accepts CSV file format. There are two primary formats supported:
16+
17+
1. **Standard Format** - Issues exports with "Title" field (processed by WizParserByTitle class)
18+
2. **SCA Format** - Vulnerability exports with "Name" and "DetailedName" fields (processed by WizParserByDetailedName class)
19+
20+
To generate these files, export the findings from the Wiz platform by:
21+
22+
- Standard Format: Select "Export to CSV" option from the Issues view in the Wiz.io platform
23+
- SCA Format: Select "Export to CSV" option from the Vulnerability view in the Wiz.io platform
24+
25+
## Standard Format CSV (WizParserByTitle)
26+
27+
### Total Fields in Standard Format CSV
28+
29+
- Total data fields: 32
30+
- Total data fields parsed: 32
31+
- Total data fields NOT parsed: 0
32+
33+
### Standard Format Field Mapping Details
34+
35+
| CSV Field # | CSV Field | Finding Field | Parser Line # | Notes |
36+
| ----------- | -------------------------- | ------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------- |
37+
| 1 | Created At | date | 68 | Parsed using the parse_wiz_datetime function to convert to datetime object |
38+
| 2 | Title | title | 67 | Direct mapping to Finding title |
39+
| 3 | Severity | severity | 69 | Converted to lowercase then capitalized to match DefectDojo's severity format |
40+
| 4 | Status | active, is_mitigated, mitigated | 65 | Converted through WizcliParsers.convert_status function to determine active status and mitigation status |
41+
| 5 | Description | description (partial) | 79-81 | Added to description with "Description:" prefix |
42+
| 6 | Resource Type | description (partial) | 79-81 | Added to description with "Resource Type:" prefix |
43+
| 7 | Resource external ID | description (partial) | 79-81 | Added to description with "Resource external ID:" prefix |
44+
| 8 | Subscription ID | description (partial) | 79-81 | Added to description with "Subscription ID:" prefix |
45+
| 9 | Project IDs | description (partial) | 79-81 | Added to description with "Project IDs:" prefix |
46+
| 10 | Project Names | description (partial) | 79-81 | Added to description with "Project Names:" prefix |
47+
| 11 | Resolved Time | mitigated | 71-74 | Used to set mitigated timestamp if finding is marked as mitigated |
48+
| 12 | Resolution | mitigation (partial) | 62-63 | Added to mitigation text with "Resolution:" prefix |
49+
| 13 | Control ID | description (partial) | 79-81 | Added to description with "Control ID:" prefix |
50+
| 14 | Resource Name | description (partial) | 79-81 | Added to description with "Resource Name:" prefix |
51+
| 15 | Resource Region | description (partial) | 79-81 | Added to description with "Resource Region:" prefix |
52+
| 16 | Resource Status | description (partial) | 79-81 | Added to description with "Resource Status:" prefix |
53+
| 17 | Resource Platform | description (partial) | 79-81 | Added to description with "Resource Platform:" prefix |
54+
| 18 | Resource OS | description (partial) | 79-81 | Added to description with "Resource OS:" prefix |
55+
| 19 | Resource original JSON | description (partial) | 79-81 | Added to description with "Resource original JSON:" prefix |
56+
| 20 | Issue ID | unique_id_from_tool | 85 | Used as unique identifier for the finding |
57+
| 21 | Resource vertex ID | description (partial) | 79-81 | Added to description with "Resource vertex ID:" prefix |
58+
| 22 | Ticket URLs | description (partial) | 79-81 | Added to description with "Ticket URLs:" prefix |
59+
| 23 | Note | description (partial) | 79-81 | Added to description with "Note:" prefix |
60+
| 24 | Due At | description (partial) | 79-81 | Added to description with "Due At:" prefix |
61+
| 25 | Remediation Recommendation | mitigation | 61 | Direct mapping to mitigation field |
62+
| 26 | Subscription Name | description (partial) | 79-81 | Added to description with "Subscription Name:" prefix |
63+
| 27 | Wiz URL | description (partial) | 79-81 | Added to description with "Wiz URL:" prefix |
64+
| 28 | Cloud Provider URL | description (partial) | 79-81 | Added to description with "Cloud Provider URL:" prefix |
65+
| 29 | Resource Tags | description (partial) | 79-81 | Added to description with "Resource Tags:" prefix |
66+
| 30 | Kubernetes Cluster | description (partial) | 79-81 | Added to description with "Kubernetes Cluster:" prefix |
67+
| 31 | Kubernetes Namespace | description (partial) | 79-81 | Added to description with "Kubernetes Namespace:" prefix |
68+
| 32 | Container Service | description (partial) | 79-81 | Added to description with "Container Service:" prefix |
69+
70+
### Additional Finding Field Settings (Standard Format)
71+
72+
| Finding Field | Default Value | Parser Line # | Notes |
73+
| --------------- | ------------- | ------------- | ----------------------------- |
74+
| static_finding | False | 84 | Set to False for all findings |
75+
| dynamic_finding | True | 84 | Set to True for all findings |
76+
77+
## SCA Format (WizParserByDetailedName)
78+
79+
### Total Fields in SCA CSV
80+
81+
- Total data fields: 41
82+
- Total data fields parsed: 36
83+
- Total data fields NOT parsed: 5
84+
85+
### SCA Format Field Mapping Details
86+
87+
| CSV Field # | CSV Field | Finding Field | Parser Line # | Notes |
88+
| ----------- | ------------------------------------------- | ------------------------------ | ------------- | ---------------------------------------------------------------------------------- |
89+
| 1 | ID | unique_id_from_tool | 182 | Used as unique identifier for the finding |
90+
| 2 | WizURL | description | 150-154 | Added to description with "Wiz URL" prefix |
91+
| 3 | Name | title, vulnerability_ids | 169, 182-184 | Used in title format as vulnerability ID and added to vulnerability_ids list |
92+
| 4 | CVSSSeverity | Not parsed | - | Not used in mapping |
93+
| 5 | HasExploit | description | 150-154 | Added to description with "Has Exploit" prefix |
94+
| 6 | HasCisaKevExploit | description | 150-154 | Added to description with "Has Cisa Kev Exploit" prefix |
95+
| 7 | FindingStatus | active, is_mitigated | 180 | Mapped through convert_status function to determine active state |
96+
| 8 | VendorSeverity | severity | 181 | Mapped through \_validate_severities to convert to DefectDojo severity format |
97+
| 9 | FirstDetected | date | 185 | Parsed into date object using date_parser |
98+
| 10 | LastDetected | Not parsed | - | Not used in mapping |
99+
| 11 | ResolvedAt | Not parsed | - | Not used in mapping |
100+
| 12 | ResolutionReason | Not parsed | - | Not used in mapping |
101+
| 13 | Remediation | mitigation | 155-159 | Added to mitigation with "Remediation" prefix |
102+
| 14 | LocationPath | description, mitigation | 150-159 | Added to both description and mitigation with "Location Path" prefix |
103+
| 15 | DetailedName | title, component_name | 169, 183 | Used in title format and mapped to component_name |
104+
| 16 | Version | description, component_version | 150-154, 184 | Added to description with "Version" prefix and mapped to component_version |
105+
| 17 | FixedVersion | mitigation | 155-159 | Added to mitigation with "Fixed Version" prefix |
106+
| 18 | DetectionMethod | description | 150-154 | Added to description with "Detection Method" prefix |
107+
| 19 | Link | description | 150-154 | Added to description with "Link" prefix |
108+
| 20 | Projects | description | 150-154 | Added to description with "Projects" prefix |
109+
| 21 | AssetID | description | 150-154 | Added to description with "Asset ID" prefix |
110+
| 22 | AssetName | description | 150-154 | Added to description with "Asset Name" prefix |
111+
| 23 | AssetRegion | description | 150-154 | Added to description with "Asset Region" prefix |
112+
| 24 | ProviderUniqueId | description | 150-154 | Added to description with "Provider Unique Id" prefix |
113+
| 25 | CloudProviderURL | description | 150-154 | Added to description with "Cloud Provider URL" prefix |
114+
| 26 | CloudPlatform | description | 150-154 | Added to description with "Cloud Platform" prefix |
115+
| 27 | Status | Not parsed | - | Not directly used (FindingStatus is used instead) |
116+
| 28 | SubscriptionExternalId | description | 150-154 | Added to description with "Subscription External Id" prefix |
117+
| 29 | SubscriptionId | description | 150-154 | Added to description with "Subscription Id" prefix |
118+
| 30 | SubscriptionName | description | 150-154 | Added to description with "Subscription Name" prefix |
119+
| 31 | Tags | unsaved_tags | 186 | Parsed into tags list using \_parse_tags function |
120+
| 32 | ExecutionControllers | description | 150-154 | Added to description with "Execution Controllers" prefix |
121+
| 33 | ExecutionControllersSubscriptionExternalIds | description | 150-154 | Added to description with "Execution Controllers Subscription External Ids" prefix |
122+
| 34 | ExecutionControllersSubscriptionNames | description | 150-154 | Added to description with "Execution Controllers Subscription Names" prefix |
123+
| 35 | CriticalRelatedIssuesCount | Not parsed | - | Not used in mapping |
124+
| 36 | HighRelatedIssuesCount | Not parsed | - | Not used in mapping |
125+
| 37 | MediumRelatedIssuesCount | Not parsed | - | Not used in mapping |
126+
| 38 | LowRelatedIssuesCount | Not parsed | - | Not used in mapping |
127+
| 39 | InfoRelatedIssuesCount | Not parsed | - | Not used in mapping |
128+
| 40 | OperatingSystem | description | 150-154 | Added to description with "Operating System" prefix |
129+
| 41 | IpAddresses | description | 150-154 | Added to description with "Ip Addresses" prefix |
130+
131+
### Additional Finding Field Settings (SCA Format)
132+
133+
| Finding Field | Default Value | Parser Line # | Notes |
134+
| -------------- | ------------- | ------------- | ----------------------------------- |
135+
| static_finding | True | 182 | Set to True for SCA format findings |
136+
| Severity | "Info" | 210 | Default if not a valid severity |
137+
138+
## Special Processing Notes
139+
140+
### Date Processing
141+
142+
- Parser uses function `parse_wiz_datetime()` (lines 207-246) to handle different date formats from Wiz
143+
- Handles both ISO8601 and custom Wiz timestamp formats
144+
145+
### Status Conversion
146+
147+
- Both parser formats use `WizcliParsers.convert_status()` function to determine finding status (active, mitigated, etc.)
148+
- Standard format - if a finding is mitigated, the Resolved Time is used as the mitigated timestamp
149+
150+
### Description Construction
151+
152+
- Most CSV fields maintain field name as a prefix when added to the Finding description
153+
- Description generated by iterating through predefined list of fields and adding data if present
154+
155+
### Title Format
156+
157+
- Standard format: Used directly from the "Title" field
158+
- SCA format: Combines package name (DetailedName) and vulnerability ID (Name) in format "{package_name}: {vulnerability_id}"
159+
160+
### Mitigation Construction
161+
162+
- Standard format: Primary source is "Remediation Recommendation" field with optional "Resolution" field
163+
- SCA format: Combines "Remediation", "LocationPath", and "FixedVersion" fields
164+
165+
### Deduplication
166+
167+
- Both formats use the respective ID field as the unique_id_from_tool for deduplication
168+
169+
### Tags Handling (SCA Format)
170+
171+
- "Tags" field is parsed from a JSON string format into a list of tag strings in format "key: value" (lines 186, 193-201)
6172

7173
### Sample Scan Data
8-
Sample Wiz Scanner scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/wiz).
174+
175+
Sample Wiz Scanner scans can be found in the [sample scan data folder](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/wiz).
176+
177+
## Link To Tool
178+
179+
- [Wiz.io](https://www.wiz.io/)
180+
- [Wiz Documentation](https://docs.wiz.io/)
181+

0 commit comments

Comments
 (0)