DefectDojo Report is a tool that exports the security debt of an application from DefectDojo, with support for additional features:

- Calculation of the resultant criticity from the impact (severity), the ease of exploitation (set using a tag) and a mapping matrix
- Support for additional information provided using tags:
  - Audit origin
  - Vulnerability fix under the service provider's responsibility
- Generation of customizable reports in HTML, CSV and JSON formats
- Aggregation of the debt associated with multiple products
Install Node.js >= 20 and NPM, then run the following commands:

```shell
npm i -g defectdojo-report
defectdojo-report [options]
```

Run `defectdojo-report --help` to show the help message. Options are documented in `src/cli.js`.
A proxy can be configured using the conventional `http_proxy`, `https_proxy` and `no_proxy` environment variables.
The following command exports the security debt associated with the product `product-name` and the engagement `engagement-name` to 2 files (`./secdebt.csv` and `./secdebt.html`), including only active and not out-of-scope vulnerabilities:

```shell
defectdojo-report \
  --url "https://defectdojo.acme.corp:8080" \
  --token "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  --product "product-name" --engagement "engagement-name" \
  --status "active,!out_of_scope" \
  --output "./secdebt" --format "csv,html" \
  --config "./config.json"
```
The optional `config.json` file can be used to customize the tool configuration, e.g.:

```json
{
  "title": "Custom HTML report title",
  "criticities": ["unknown", "low", "moderate", "high", "critical"]
}
```
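As an added illustration of the criticity calculation, the `--status` filter and the multi-product aggregation described above (example code written for this page, not the project's own), the snippet below rates constructed findings and sums the resulting debt. The mapping matrix, the `ease:<level>` tag format and the sample findings are assumptions; only the criticity names come from the `config.json` example.

```javascript
// Added example, not part of defectdojo-report: rates findings, filters them by a
// status expression and aggregates the debt of several products.
const CRITICITIES = ["unknown", "low", "moderate", "high", "critical"]; // as in config.json
// Assumed mapping matrix (not the project's): MATRIX[severity][ease] -> criticity.
const MATRIX = {
  Low:      { hard: "low",      medium: "low",      easy: "moderate" },
  Medium:   { hard: "low",      medium: "moderate", easy: "high" },
  High:     { hard: "moderate", medium: "high",     easy: "critical" },
  Critical: { hard: "high",     medium: "critical", easy: "critical" },
};

// Ease of exploitation is read from an assumed "ease:<hard|medium|easy>" tag.
function easeOf(finding) {
  const tag = (finding.tags || []).find((t) => t.startsWith("ease:"));
  return tag ? tag.slice("ease:".length) : null;
}

// Resultant criticity; anything the matrix does not cover falls back to "unknown".
function criticityOf(finding) {
  const row = MATRIX[finding.severity];
  const ease = easeOf(finding);
  const level = row && ease ? row[ease] : undefined;
  return CRITICITIES.includes(level) ? level : "unknown";
}

// Parses a status expression such as "active,!out_of_scope": each item names a
// boolean field of the finding, and a leading "!" requires it to be false.
function statusFilter(expr) {
  const rules = expr.split(",").map((s) => s.trim()).filter(Boolean)
    .map((s) => ({ field: s.replace(/^!/, ""), want: !s.startsWith("!") }));
  return (f) => rules.every((r) => Boolean(f[r.field]) === r.want);
}

// Aggregates the debt of several products into one count per criticity.
function aggregateDebt(products, expr) {
  const keep = statusFilter(expr);
  const totals = Object.fromEntries(CRITICITIES.map((c) => [c, 0]));
  for (const p of products) for (const f of p.findings) if (keep(f)) totals[criticityOf(f)] += 1;
  return totals;
}

// Constructed sample findings, shaped loosely like DefectDojo API output.
const SAMPLE_PRODUCTS = [
  { name: "product-name", findings: [
    { title: "SQL injection", severity: "High", active: true, out_of_scope: false, tags: ["ease:easy"] },
    { title: "Weak TLS config", severity: "Medium", active: true, out_of_scope: false, tags: ["ease:hard"] },
    { title: "Outdated lib", severity: "Low", active: true, out_of_scope: true, tags: ["ease:easy"] } ] },
  { name: "other-product", findings: [
    { title: "Reflected XSS", severity: "Medium", active: true, out_of_scope: false, tags: [] },
    { title: "Fixed finding", severity: "Critical", active: false, out_of_scope: false, tags: ["ease:easy"] } ] },
];
console.log(aggregateDebt(SAMPLE_PRODUCTS, "active,!out_of_scope"));
```

Findings without an ease tag land in "unknown" rather than being dropped, so a report keeps them visible for triage.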
DefectDojo Report is licensed under the GNU General Public License.