
Upload Failure of Scan Results to DefectDojo #21

Open
90n20 opened this issue Nov 11, 2024 · 1 comment
Labels
security Issues or pull requests that are security-relevant

Comments

@90n20
Contributor

90n20 commented Nov 11, 2024

The security-infra-scan-pipeline jobs defined in:

  • nuclei.yaml
  • owasp-zap.yaml
  • greenbone.yaml

are not successfully uploading scan results to DefectDojo. The upload tasks are skipped with the output:

skipping: Conditional result was False

Expected Behavior

Scan results from Nuclei, OWASP ZAP, and Greenbone should be uploaded to DefectDojo after each job execution.

Actual Behavior

The upload tasks are being skipped, potentially due to conditional checks or missing variable definitions.

Analysis and Troubleshooting Steps

  • Conditional Checks: The upload tasks have when conditions checking for engagement and pipeline_conf variables. These may not be resolving correctly, causing the tasks to skip.
  • Authorization: The Authorization header for DefectDojo API access may not be set correctly if dojo_api_key or dojo_auth is missing from pipeline_conf.
  • Debugging Steps:
    • Verified if pipeline_conf and engagement variables are defined within the job.
    • Added debug statements to print zj_item['content'] before the upload task to confirm it contains valid data.
    • Verified access to secrets and specific DefectDojo configuration (URL, API key) for periodic and non-test jobs => those were updated with the new SCS DefectDojo instance in Configuration and secrets update #10
@90n20
Contributor Author

90n20 commented Nov 11, 2024

We are testing this behaviour in a local Zuul environment in order to analyze the following:

  • Ensure engagement and pipeline_conf variables are correctly defined and accessible within each job that uploads to DefectDojo.
  • Include debug statements in the upload tasks to confirm pipeline_conf and engagement values, as well as Base64-decoded content in zj_item['content'].
  • Confirm that all periodic jobs (scs-baseline-security-scan, scs-full-security-scan, scs-greenbone-security-scan) have access to the SECRET_SECURITY_INFRA_SCAN_PIPELINE secret and associated DefectDojo credentials.
  • Verify that dojo_api_key or dojo_auth exists in pipeline_conf to ensure proper authorization headers.
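
The checks listed in the two posts above can be run ahead of the upload task as a single preflight. The script below is an added example and is not code from the security-infra-scan-pipeline repository or the SCS project; it assumes that `pipeline_conf` is a plain mapping holding `dojo_url` (assumed key name), `dojo_api_key` and/or `dojo_auth`, that `engagement` is a non-empty string, and that `zj_item['content']` is a Base64 string as the comment says. The `Token <key>` scheme is the header format DefectDojo's REST API accepts; the sample inputs are constructed.

```python
import base64
import binascii

# Constructed sample of a pipeline_conf as the issue describes it (key names are assumptions).
GOOD_CONF = {
    "dojo_url": "https://defectdojo.example.invalid",  # placeholder, not the SCS instance
    "dojo_api_key": "REDACTED-EXAMPLE-KEY",
}

# Constructed zj_item: Base64 of the JSON text {"a":1}
SAMPLE_ITEM = {"content": "eyJhIjoxfQ=="}


def upload_conditions(pipeline_conf, engagement):
    """Return the reasons the DefectDojo upload task would be skipped.

    An empty list means the (assumed) `when: engagement is defined and pipeline_conf ...`
    condition would evaluate True, so the task would run instead of printing
    'skipping: Conditional result was False'.
    """
    reasons = []
    if not engagement:
        reasons.append("engagement is undefined or empty")
    if not pipeline_conf:
        reasons.append("pipeline_conf is undefined or empty")
        return reasons  # nothing further can be checked without the mapping
    if not pipeline_conf.get("dojo_url"):
        reasons.append("pipeline_conf.dojo_url is missing")
    if not (pipeline_conf.get("dojo_api_key") or pipeline_conf.get("dojo_auth")):
        reasons.append("neither dojo_api_key nor dojo_auth is set in pipeline_conf")
    return reasons


def authorization_header(pipeline_conf):
    """Build the Authorization header value.

    A complete dojo_auth string takes precedence; otherwise the API key is wrapped
    in the 'Token <key>' scheme DefectDojo expects. None means the header cannot be built.
    """
    auth = pipeline_conf.get("dojo_auth")
    if auth:
        return auth
    key = pipeline_conf.get("dojo_api_key")
    if key:
        return f"Token {key}"
    return None


def decode_scan_content(zj_item):
    """Base64-decode zj_item['content'] and confirm it carries a non-empty payload.

    Returns (True, payload_bytes) on success or (False, reason) on failure, so the
    caller can surface the reason in a debug task instead of silently skipping.
    """
    raw = zj_item.get("content")
    if not raw:
        return False, "zj_item['content'] is missing or empty"
    try:
        payload = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"content is not valid Base64: {exc}"
    if not payload.strip():
        return False, "decoded content is empty"
    return True, payload


def preflight(pipeline_conf, engagement, zj_item):
    """Combine all checks into one report the upload task could print before running."""
    report = {"skip_reasons": upload_conditions(pipeline_conf or {}, engagement)}
    report["authorization"] = authorization_header(pipeline_conf or {})
    ok, detail = decode_scan_content(zj_item)
    report["content_ok"] = ok
    report["content_detail"] = detail if not ok else f"{len(detail)} bytes decoded"
    return report


if __name__ == "__main__":
    # Healthy configuration: no skip reasons, header present, content decodes.
    print(preflight(GOOD_CONF, "scs-weekly-scan", SAMPLE_ITEM))
    # Missing secret: the same reason the issue suspects for the skipped tasks.
    print(preflight({"dojo_url": GOOD_CONF["dojo_url"]}, "scs-weekly-scan", SAMPLE_ITEM))
    # Undefined engagement variable.
    print(preflight(GOOD_CONF, "", {"content": "not base64!!"}))
```

Running the script prints one report per scenario; in a Zuul/Ansible job the same three functions map onto a `debug` task placed directly before the upload task, which is exactly where the "Conditional result was False" output currently gives no detail.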

@90n20 90n20 added the security Issues or pull requests that are security-relevant label Nov 11, 2024
@90n20 90n20 moved this from Backlog to Doing in Sovereign Cloud Stack Nov 11, 2024