importer: trivy_operator: add an endpoint describing the affected art…

…ifact Trivy operator may provide information which artifact is affected by the reported finding. However, this information was lost. This change introduces artifact details as and additional Endpoint which is affected by a finding. Artifact name put as 'host' and path to the artifact saved as 'path'.
netceteragroup · Aug 23, 2024 · aed1160 · aed1160
1 parent 9aa29d8
commit aed1160
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 11 deletions.
diff --git a/dojo/tools/trivy_operator/checks_handler.py b/dojo/tools/trivy_operator/checks_handler.py
@@ -17,7 +17,7 @@
 
 
 class TrivyChecksHandler:
-    def handle_checks(self, endpoint, service, checks, test):
+    def handle_checks(self, endpoints, service, checks, test):
         findings = []
         for check in checks:
             check_title = check.get("title")
@@ -62,6 +62,6 @@ def handle_checks(self, endpoint, service, checks, test):
             )
             if check_id:
                 finding.unsaved_vulnerability_ids = [check_id]
-            finding.unsaved_endpoints.append(endpoint)
+            finding.unsaved_endpoints += endpoints
             findings.append(finding)
         return findings
diff --git a/dojo/tools/trivy_operator/parser.py b/dojo/tools/trivy_operator/parser.py
@@ -61,22 +61,39 @@ def handle_resource(self, data, test):
             resource_name = labels.get("trivy-operator.resource.name", "")
             container_name = labels.get("trivy-operator.container.name", "")
 
-            endpoint = Endpoint(
+            endpoints = []
+            endpoints.append(Endpoint(
                 host=resource_namespace,
                 path=f"{resource_kind}/{resource_name}/{container_name}"
-            )
+            ))
+
+            if report.get("registry"):
+                if report.get("artifact"):
+                    registry = report.get("registry").get("server", "unknown_registry")
+                    artifact = report.get("artifact")
+                    repository = artifact.get("repository", "unknown_repo")
+                    tag = artifact.get("tag", "unknown_tag")
+                    # having full path to an image (forward slashes) and a tag
+                    # after colon as 'host' property of Endpoint makes an
+                    # endpoint broken, although, this is a desired value. Thus,
+                    # we abuse 'path' field for that.
+                    artifact_name = repository.split("/")[-1]
+                    endpoints.append(Endpoint(
+                        host=f"{artifact_name}",
+                        path=f"{registry}/{repository}:{tag}"
+                    ))
 
             service = ""
 
             vulnerabilities = report.get("vulnerabilities", None)
             if vulnerabilities is not None:
-                findings += TrivyVulnerabilityHandler().handle_vulns(endpoint, service, vulnerabilities, test)
+                findings += TrivyVulnerabilityHandler().handle_vulns(endpoints, service, vulnerabilities, test)
             checks = report.get("checks", None)
             if checks is not None:
-                findings += TrivyChecksHandler().handle_checks(endpoint, service, checks, test)
+                findings += TrivyChecksHandler().handle_checks(endpoints, service, checks, test)
             secrets = report.get("secrets", None)
             if secrets is not None:
-                findings += TrivySecretsHandler().handle_secrets(endpoint, service, secrets, test)
+                findings += TrivySecretsHandler().handle_secrets(endpoints, service, secrets, test)
         elif benchmarkreport is not None:
             findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test)
         return findings
diff --git a/dojo/tools/trivy_operator/secrets_handler.py b/dojo/tools/trivy_operator/secrets_handler.py
@@ -15,7 +15,7 @@
 
 
 class TrivySecretsHandler:
-    def handle_secrets(self, endpoint, service, secrets, test):
+    def handle_secrets(self, endpoints, service, secrets, test):
         findings = []
         for secret in secrets:
             secret_title = secret.get("title")
@@ -45,6 +45,6 @@ def handle_secrets(self, endpoint, service, secrets, test):
             )
             if secret_rule_id:
                 finding.unsaved_vulnerability_ids = [secret_rule_id]
-            finding.unsaved_endpoints.append(endpoint)
+            finding.unsaved_endpoints += endpoints
             findings.append(finding)
         return findings
diff --git a/dojo/tools/trivy_operator/vulnerability_handler.py b/dojo/tools/trivy_operator/vulnerability_handler.py
@@ -17,7 +17,7 @@
 
 
 class TrivyVulnerabilityHandler:
-    def handle_vulns(self, endpoint, service, vulnerabilities, test):
+    def handle_vulns(self, endpoints, service, vulnerabilities, test):
         findings = []
         for vulnerability in vulnerabilities:
             vuln_id = vulnerability.get("vulnerabilityID", "0")
@@ -87,6 +87,6 @@ def handle_vulns(self, endpoint, service, vulnerabilities, test):
             )
             if vuln_id:
                 finding.unsaved_vulnerability_ids = [vuln_id]
-            finding.unsaved_endpoints.append(endpoint)
+            finding.unsaved_endpoints += endpoints
             findings.append(finding)
         return findings