t

netceteragroup · Jul 31, 2024 · dfc261b · dfc261b
1 parent 7e207d1
commit dfc261b
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 12 deletions.
diff --git a/dojo/tools/trivy_operator/checks_handler.py b/dojo/tools/trivy_operator/checks_handler.py
@@ -1,5 +1,13 @@
 from dojo.models import Finding
 
+CHECK_DESCRIPTION_TEMPLATE = """{description}
+
+**Category**: {category}
+**Scope**: {scope}
+**Details**:
+{details}
+"""
+
 TRIVY_SEVERITIES = {
     "CRITICAL": "Critical",
     "HIGH": "High",
@@ -10,7 +18,7 @@
 
 
 class TrivyChecksHandler:
-    def handle_checks(self, service, checks, test):
+    def handle_checks(self, endpoint, service, checks, test):
         findings = []
         for check in checks:
             check_title = check.get("title")
@@ -22,19 +30,39 @@ def handle_checks(self, service, checks, test):
                     "https://avd.aquasec.com/misconfig/kubernetes/"
                     + check_id.lower()
                 )
-            check_description = check.get("description", "")
             title = f"{check_id} - {check_title}"
+            mitigation = check.get("remediation")
+
+            details = ""
+            for message in check.get("messages"):
+                details += f"{message}\n"
+
+            scope = ""
+            if check.get("scope"):
+                scope_type = check.get("scope").get("type")
+                scope_value = check.get("scope").get("value")
+                scope=f"{scope_type} {scope_value}"
+
+            description = CHECK_DESCRIPTION_TEMPLATE.format(
+                category=check.get("category"),
+                description=check.get("description"),
+                details=details,
+                scope=scope
+            )
+
             finding = Finding(
                 test=test,
                 title=title,
                 severity=check_severity,
                 references=check_references,
-                description=check_description,
+                description=description,
                 static_finding=True,
                 dynamic_finding=False,
                 service=service,
+                mitigation=mitigation,
             )
             if check_id:
                 finding.unsaved_vulnerability_ids = [check_id]
+            finding.unsaved_endpoints.append(endpoint)
             findings.append(finding)
         return findings
diff --git a/dojo/tools/trivy_operator/parser.py b/dojo/tools/trivy_operator/parser.py
@@ -9,6 +9,8 @@
 from dojo.tools.trivy_operator.secrets_handler import TrivySecretsHandler
 from dojo.tools.trivy_operator.vulnerability_handler import TrivyVulnerabilityHandler
 
+from dojo.models import Endpoint
+
 
 class TrivyOperatorParser:
     def get_scan_types(self):
@@ -58,18 +60,23 @@ def handle_resource(self, data, test):
             resource_kind = labels.get("trivy-operator.resource.kind", "")
             resource_name = labels.get("trivy-operator.resource.name", "")
             container_name = labels.get("trivy-operator.container.name", "")
-            service = f"{resource_namespace}/{resource_kind}/{resource_name}"
-            if container_name != "":
-                service = f"{service}/{container_name}"
+
+            endpoint = Endpoint(
+                host=resource_namespace,
+                path=f"{resource_kind}/{resource_name}/{container_name}"
+            )
+
+            service = ""
+
             vulnerabilities = report.get("vulnerabilities", None)
             if vulnerabilities is not None:
-                findings += TrivyVulnerabilityHandler().handle_vulns(service, vulnerabilities, test)
+                findings += TrivyVulnerabilityHandler().handle_vulns(endpoint, service, vulnerabilities, test)
             checks = report.get("checks", None)
             if checks is not None:
-                findings += TrivyChecksHandler().handle_checks(service, checks, test)
+                findings += TrivyChecksHandler().handle_checks(endpoint, service, checks, test)
             secrets = report.get("secrets", None)
             if secrets is not None:
-                findings += TrivySecretsHandler().handle_secrets(service, secrets, test)
+                findings += TrivySecretsHandler().handle_secrets(endpoint, service, secrets, test)
         elif benchmarkreport is not None:
             findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test)
         return findings
diff --git a/dojo/tools/trivy_operator/secrets_handler.py b/dojo/tools/trivy_operator/secrets_handler.py
@@ -15,7 +15,7 @@
 
 
 class TrivySecretsHandler:
-    def handle_secrets(self, service, secrets, test):
+    def handle_secrets(self, endpoint, service, secrets, test):
         findings = []
         for secret in secrets:
             secret_title = secret.get("title")
@@ -45,5 +45,6 @@ def handle_secrets(self, service, secrets, test):
             )
             if secret_rule_id:
                 finding.unsaved_vulnerability_ids = [secret_rule_id]
+            finding.unsaved_endpoints.append(endpoint)
             findings.append(finding)
         return findings
diff --git a/dojo/tools/trivy_operator/vulnerability_handler.py b/dojo/tools/trivy_operator/vulnerability_handler.py
@@ -1,7 +1,9 @@
 from dojo.models import Finding
 
 DESCRIPTION_TEMPLATE = """{title}
+{description}
 **Fixed version:** {fixed_version}
+CVE published on: {published_date}
 """
 
 TRIVY_SEVERITIES = {
@@ -14,7 +16,7 @@
 
 
 class TrivyVulnerabilityHandler:
-    def handle_vulns(self, service, vulnerabilities, test):
+    def handle_vulns(self, endpoint, service, vulnerabilities, test):
         findings = []
         for vulnerability in vulnerabilities:
             vuln_id = vulnerability.get("vulnerabilityID", "0")
@@ -55,7 +57,10 @@ def handle_vulns(self, service, vulnerabilities, test):
                 file_path = None
 
             description = DESCRIPTION_TEMPLATE.format(
-                title=vulnerability.get("title"), fixed_version=mitigation
+                title=vulnerability.get("title"),
+                fixed_version=mitigation,
+                published_date=vulnerability.get("publishedDate"),
+                description=vulnerability.get("description")
             )
 
             title = f"{vuln_id} {package_name} {package_version}"
@@ -77,5 +82,6 @@ def handle_vulns(self, service, vulnerabilities, test):
             )
             if vuln_id:
                 finding.unsaved_vulnerability_ids = [vuln_id]
+            finding.unsaved_endpoints.append(endpoint)
             findings.append(finding)
         return findings