While it is ideal and most efficient to orchestrate all of your security scanning via the ZeroNorth platform, you may have a situation where scan results are provided to you by another team. The ZeroNorth platform provides a way to easily upload such results so that the results are shown along with the results from your ZeroNorth-orchestrated scans.
The process for manually uploading a scan results file is as follows:
- You have the output file from a scan tool. Such a file is usually JSON or XML. CSV and PDF files are not accepted.
- The output file must be from a scan tool that ZeroNorth has an integration with. For a list of these scan tools, see znADM > Scenarios in the ZeroNorth UI.
- You add an appropriate Target.
- You add a Receiver Policy. A receiver policy is like any ZeroNorth policy, but can be constructed using Scenarios and Targets that are basically empty shells.
- Use the Receiver Policy to upload your scan output file to your ZeroNorth account.
The above steps are explained in more detail below.
Add an Appropriate Target
Create a Target to represent the system that the scan file targeted. You will want to create a Target of the correct Integration Type. For example:
- SAST/SCA scanning tools - the Target should be of “Artifact” type.
- Container scanning tools - the Target should be of “Docker” type.
- DAST scanning tools - the Target should be of “Custom” type.
Add a Receiver Policy
(See the article Creating a ZeroNorth™ Scan for basic information about adding ZeroNorth Policies).
A Receiver Policy is identical to any other Scan Policy, except that it has the Initiate Scan From attribute set to “Manual Issue Upload”. This attribute can be set either at the Integration level or at the Policy level. Additionally, Targets can be based on Integrations that are empty shells (e.g. a Docker Integration does not need to authenticate to Docker Hub, so you can provide dummy values for the credentials fields), and the same applies to Scenarios.
- Go to znOPS > Policies.
- Click +Add Policy.
- Provide the necessary information as usual, including the appropriate Target you created (see above).
- Set Initiate Scan From to “Manual Issue Upload”.
- Select the Scenario that matches the scan tool for the file you want to upload. If you are using a Scenario that requires credentials, you may leave them empty or provide dummy values.
- If using a Scenario that offers a choice between “Orchestrated Scan” and “Data Load”, select “Orchestrated Scan”.
- Click Save.
The Receiver Policy is now ready and is indicated as follows:
Upload the Scan Output File
To upload your scan output file using the Receiver Policy:
- Go to znOPS > Policies.
- Locate your Receiver Policy.
- Click the icon at the far right of the Policy, and then select Upload File.
- In the modal pop-up window, click Choose File.
- Select the file from your local computer.
- Click Run.
The upload takes seconds to minutes depending on the size of the file and your network speed. After the upload completes, ZeroNorth performs post-processing, which may take a few seconds.
Results can be viewed in the same way results of any ZeroNorth-orchestrated scan are viewed.
File Formats by Scanner
The following list outlines the file formats ZeroNorth can accept for manual uploads:
- Burp - XML
- Checkmarx - XML
- Fortify - XML (see below for details about the FPR file)
- Nessus - XML (see below for details about the .nessus file format)
- Qualys - XML (ASSET_DATA_REPORT, WAS_WEBAPP_REPORT)
- Reapsaw - JSON
- ScoutSuite - the main scoutsuite_results_aws-*.js file or the .zip bundle
- SonarQube - JSON (both Issues and Measures)
- Twistlock - JSON
- OWASP Zap - JSON
Special Cases for Some Files
Some scanner output files require some preprocessing or special handling:
- .nessus - Nessus or Tenable output files in .nessus format are actually XML files. To upload these via the UI, add the “.xml” suffix to the file name prior to manual upload via the UI. If you are using ZeroNorth’s upload_issues.bash script (download link below), there is no need to add the “.xml” extension to the file name.
- .fpr - Fortify FPR files are actually zip archives that contain multiple files. Only the audit.fvdl file from that archive is needed for the upload. Use your favorite zip archive utility to extract that file prior to upload via UI. Alternatively, if you are using ZeroNorth’s zn_upload_issues.bash or zn_upload_issues.ps1 scripts (download links below), they will handle .fpr files automatically.
- ScoutSuite - ZeroNorth supports uploading ScoutSuite scan results for AWS scans. You can upload either the entire ZIP archive of the scan result (ZeroNorth will find the scan file inside it), or just the
Uploading a Scan Output File in Batch
To facilitate automation of uploads in batch mode, use the attached BASH or PowerShell script(s). The bash scripts run natively on Linux, Unix, or macOS and require jq, cURL, and sed to be installed. In a Windows environment, install Cygwin, making sure to include jq, cURL, and sed during the install, or use the PowerShell version, which requires PowerShell version 5 or later.
For most scanner outputs, use upload_issues.bash. For SonarQube output, use upload_issues_sonar-w-metric.bash.