From dfc261bc330e4ab53f9fa05b69d1fc9b5a5d8339 Mon Sep 17 00:00:00 2001 From: Pavel Nakonechnyi Date: Wed, 31 Jul 2024 15:25:21 +0200 Subject: [PATCH] t --- dojo/tools/trivy_operator/checks_handler.py | 34 +++++++++++++++++-- dojo/tools/trivy_operator/parser.py | 19 +++++++---- dojo/tools/trivy_operator/secrets_handler.py | 3 +- .../trivy_operator/vulnerability_handler.py | 10 ++++-- 4 files changed, 54 insertions(+), 12 deletions(-) diff --git a/dojo/tools/trivy_operator/checks_handler.py b/dojo/tools/trivy_operator/checks_handler.py index e6a1ccd8bb..6364d7b60f 100644 --- a/dojo/tools/trivy_operator/checks_handler.py +++ b/dojo/tools/trivy_operator/checks_handler.py @@ -1,5 +1,13 @@ from dojo.models import Finding +CHECK_DESCRIPTION_TEMPLATE = """{description} + +**Category**: {category} +**Scope**: {scope} +**Details**: +{details} +""" + TRIVY_SEVERITIES = { "CRITICAL": "Critical", "HIGH": "High", @@ -10,7 +18,7 @@ class TrivyChecksHandler: - def handle_checks(self, service, checks, test): + def handle_checks(self, endpoint, service, checks, test): findings = [] for check in checks: check_title = check.get("title") 
@@ -22,19 +30,39 @@ def handle_checks(self, service, checks, test): "https://avd.aquasec.com/misconfig/kubernetes/" + check_id.lower() ) - check_description = check.get("description", "") title = f"{check_id} - {check_title}" + mitigation = check.get("remediation") + + details = "" + for message in check.get("messages"): + details += f"{message}\n" + + scope = "" + if check.get("scope"): + scope_type = check.get("scope").get("type") + scope_value = check.get("scope").get("value") + scope=f"{scope_type} {scope_value}" + + description = CHECK_DESCRIPTION_TEMPLATE.format( + category=check.get("category"), + description=check.get("description"), + details=details, + scope=scope + ) + finding = Finding( test=test, title=title, severity=check_severity, references=check_references, - description=check_description, + description=description, static_finding=True, dynamic_finding=False, service=service, + mitigation=mitigation, ) if check_id: finding.unsaved_vulnerability_ids = [check_id] + finding.unsaved_endpoints.append(endpoint) findings.append(finding) return findings diff --git a/dojo/tools/trivy_operator/parser.py b/dojo/tools/trivy_operator/parser.py index 96f6142ce0..487fa46173 100644 --- a/dojo/tools/trivy_operator/parser.py +++ b/dojo/tools/trivy_operator/parser.py @@ -9,6 +9,8 @@ from dojo.tools.trivy_operator.secrets_handler import TrivySecretsHandler from dojo.tools.trivy_operator.vulnerability_handler import TrivyVulnerabilityHandler +from dojo.models import Endpoint + class TrivyOperatorParser: def get_scan_types(self): 
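Review bot: `for message in check.get("messages"):` raises TypeError and aborts the whole import when a check carries no `messages` key, because `.get()` returns None; that field looks optional in the operator's check records, so this should tolerate its absence (confirm against the report schema). Use `for message in check.get("messages") or []:` or build the block directly with `details = "".join(f"{m}\n" for m in check.get("messages") or [])`. Likewise `description=check.get("description")` drops the `""` default the removed line had, so a missing description now renders the literal string `None` in the finding; restore `check.get("description", "")` and give `category` the same treatment. Minor style: `scope=f"{scope_type} {scope_value}"` needs spaces around `=`, and `check.get("scope")` is looked up three times where one local would do. handle_checks starts before this hunk.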
@@ -58,18 +60,23 @@ def handle_resource(self, data, test): resource_kind = labels.get("trivy-operator.resource.kind", "") resource_name = labels.get("trivy-operator.resource.name", "") container_name = labels.get("trivy-operator.container.name", "") - service = f"{resource_namespace}/{resource_kind}/{resource_name}" - if container_name != "": - service = f"{service}/{container_name}" + + endpoint = Endpoint( + host=resource_namespace, + path=f"{resource_kind}/{resource_name}/{container_name}" + ) + + service = "" + vulnerabilities = report.get("vulnerabilities", None) if vulnerabilities is not None: - findings += TrivyVulnerabilityHandler().handle_vulns(service, vulnerabilities, test) + findings += TrivyVulnerabilityHandler().handle_vulns(endpoint, service, vulnerabilities, test) checks = report.get("checks", None) if checks is not None: - findings += TrivyChecksHandler().handle_checks(service, checks, test) + findings += TrivyChecksHandler().handle_checks(endpoint, service, checks, test) secrets = report.get("secrets", None) if secrets is not None: - findings += TrivySecretsHandler().handle_secrets(service, secrets, test) + findings += TrivySecretsHandler().handle_secrets(endpoint, service, secrets, test) elif benchmarkreport is not None: findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test) return findings diff --git a/dojo/tools/trivy_operator/secrets_handler.py b/dojo/tools/trivy_operator/secrets_handler.py index c5e767a1bc..068f90d0f8 100644 --- a/dojo/tools/trivy_operator/secrets_handler.py +++ b/dojo/tools/trivy_operator/secrets_handler.py @@ -15,7 +15,7 @@ class TrivySecretsHandler: - def handle_secrets(self, service, secrets, test): + def handle_secrets(self, endpoint, service, secrets, test): findings = [] for secret in secrets: secret_title = secret.get("title") 
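Review bot: The endpoint `path` uses a fixed `{kind}/{name}/{container}` template, so any resource without a container label gets a trailing slash (`Deployment/web/`), unlike the removed code which appended the container segment only when non-empty; build it from the non-empty parts instead: `path="/".join(p for p in (resource_kind, resource_name, container_name) if p),`. `host=resource_namespace` is presumably empty for cluster-scoped resources (the namespace label default earlier in handle_resource is not visible here but the sibling labels default to `""`), so confirm that `Endpoint` accepts an empty host or skip creating the endpoint in that case rather than attaching an invalid one to every finding. `service = ""` also blanks the service field for all three handlers; if deduplication or reimport matching for this scan type takes `service` into account, findings previously imported with the `namespace/kind/name` value will stop matching — confirm, and either keep the old value or remove the now-dead parameter. handle_resource starts before this hunk.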
@@ -45,5 +45,6 @@ def handle_secrets(self, service, secrets, test): ) if secret_rule_id: finding.unsaved_vulnerability_ids = [secret_rule_id] + finding.unsaved_endpoints.append(endpoint) findings.append(finding) return findings diff --git a/dojo/tools/trivy_operator/vulnerability_handler.py b/dojo/tools/trivy_operator/vulnerability_handler.py index bdd282648e..8927173a1d 100644 --- a/dojo/tools/trivy_operator/vulnerability_handler.py +++ b/dojo/tools/trivy_operator/vulnerability_handler.py @@ -1,7 +1,9 @@ from dojo.models import Finding DESCRIPTION_TEMPLATE = """{title} +{description} **Fixed version:** {fixed_version} +CVE published on: {published_date} """ TRIVY_SEVERITIES = { @@ -14,7 +16,7 @@ class TrivyVulnerabilityHandler: - def handle_vulns(self, service, vulnerabilities, test): + def handle_vulns(self, endpoint, service, vulnerabilities, test): findings = [] for vulnerability in vulnerabilities: vuln_id = vulnerability.get("vulnerabilityID", "0") @@ -55,7 +57,10 @@ def handle_vulns(self, service, vulnerabilities, test): file_path = None description = DESCRIPTION_TEMPLATE.format( - title=vulnerability.get("title"), fixed_version=mitigation + title=vulnerability.get("title"), + fixed_version=mitigation, + published_date=vulnerability.get("publishedDate"), + description=vulnerability.get("description") ) title = f"{vuln_id} {package_name} {package_version}" @@ -77,5 +82,6 @@ def handle_vulns(self, service, vulnerabilities, test): ) if vuln_id: finding.unsaved_vulnerability_ids = [vuln_id] + finding.unsaved_endpoints.append(endpoint) findings.append(finding) return findings
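Review bot: The new `CVE published on: {published_date}` line in DESCRIPTION_TEMPLATE is plain text beside the bold `**Fixed version:**` label, and the ID placed in the title comes from `vulnerabilityID`, which is not necessarily a CVE (Trivy also reports advisory IDs such as GHSA — confirm), so the label can be misleading. Use `**Published:** {published_date}` to keep the markdown consistent and the wording independent of the identifier scheme.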
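Review bot: `description=vulnerability.get("description")` and `published_date=vulnerability.get("publishedDate")` have no defaults, so a vulnerability missing either key renders the literal `None` into the finding description; pass `vulnerability.get("description", "")` and `vulnerability.get("publishedDate", "unknown")` (or similar) instead. Style: the last keyword argument of the `format(...)` call lacks the trailing comma used by the other multi-line calls in this patch. handle_vulns starts before this hunk.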