🎉 fix TrivyOperator new report structure (#11156)

* 🎉 fix TrivyOperator new report structure

* added additional info to description

dojo/tools/trivy_operator/checks_handler.py

@@ -10,8 +10,15 @@
 
 
 class TrivyChecksHandler:
-    def handle_checks(self, service, checks, test):
+    def handle_checks(self, labels, checks, test):
         findings = []
+        resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+        resource_kind = labels.get("trivy-operator.resource.kind", "")
+        resource_name = labels.get("trivy-operator.resource.name", "")
+        container_name = labels.get("trivy-operator.container.name", "")
+        service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+        if container_name != "":
+            service = f"{service}/{container_name}"
         for check in checks:
             check_title = check.get("title")
             check_severity = TRIVY_SEVERITIES[check.get("severity")]
@@ -23,6 +30,10 @@ def handle_checks(self, service, checks, test):
                     + check_id.lower()
                 )
             check_description = check.get("description", "")
+            check_description += "\n**container.name:** " + container_name
+            check_description += "\n**resource.kind:** " + resource_kind
+            check_description += "\n**resource.name:** " + resource_name
+            check_description += "\n**resource.namespace:** " + resource_namespace
             title = f"{check_id} - {check_title}"
             finding = Finding(
                 test=test,
@@ -33,6 +44,7 @@ def handle_checks(self, service, checks, test):
                 static_finding=True,
                 dynamic_finding=False,
                 service=service,
+                tags=[resource_namespace],
             )
             if check_id:
                 finding.unsaved_vulnerability_ids = [check_id]

dojo/tools/trivy_operator/parser.py

@@ -25,7 +25,15 @@ def get_findings(self, scan_file, test):
             data = json.loads(str(scan_data, "utf-8"))
         except Exception:
             data = json.loads(scan_data)
+        findings = []
+        if type(data) is list:
+            for listitems in data:
+                findings += self.output_findings(listitems, test)
+        else:
+            findings += self.output_findings(data, test)
+        return findings
 
+    def output_findings(self, data, test):
         if data is None:
             return []
         metadata = data.get("metadata", None)
@@ -40,24 +48,15 @@ def get_findings(self, scan_file, test):
             benchmarkreport = benchmark.get("detailReport", None)
         findings = []
         if report is not None:
-            resource_namespace = labels.get(
-                "trivy-operator.resource.namespace", "",
-            )
-            resource_kind = labels.get("trivy-operator.resource.kind", "")
-            resource_name = labels.get("trivy-operator.resource.name", "")
-            container_name = labels.get("trivy-operator.container.name", "")
-            service = f"{resource_namespace}/{resource_kind}/{resource_name}"
-            if container_name != "":
-                service = f"{service}/{container_name}"
             vulnerabilities = report.get("vulnerabilities", None)
             if vulnerabilities is not None:
-                findings += TrivyVulnerabilityHandler().handle_vulns(service, vulnerabilities, test)
+                findings += TrivyVulnerabilityHandler().handle_vulns(labels, vulnerabilities, test)
             checks = report.get("checks", None)
             if checks is not None:
-                findings += TrivyChecksHandler().handle_checks(service, checks, test)
+                findings += TrivyChecksHandler().handle_checks(labels, checks, test)
             secrets = report.get("secrets", None)
             if secrets is not None:
-                findings += TrivySecretsHandler().handle_secrets(service, secrets, test)
+                findings += TrivySecretsHandler().handle_secrets(labels, secrets, test)
         elif benchmarkreport is not None:
             findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test)
         return findings

dojo/tools/trivy_operator/secrets_handler.py

@@ -15,8 +15,15 @@
 
 
 class TrivySecretsHandler:
-    def handle_secrets(self, service, secrets, test):
+    def handle_secrets(self, labels, secrets, test):
         findings = []
+        resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+        resource_kind = labels.get("trivy-operator.resource.kind", "")
+        resource_name = labels.get("trivy-operator.resource.name", "")
+        container_name = labels.get("trivy-operator.container.name", "")
+        service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+        if container_name != "":
+            service = f"{service}/{container_name}"
         for secret in secrets:
             secret_title = secret.get("title")
             secret_category = secret.get("category")
@@ -31,7 +38,10 @@ def handle_secrets(self, service, secrets, test):
                 category=secret_category,
                 match=secret_match,
             )
-
+            secret_description += "\n**container.name:** " + container_name
+            secret_description += "\n**resource.kind:** " + resource_kind
+            secret_description += "\n**resource.name:** " + resource_name
+            secret_description += "\n**resource.namespace:** " + resource_namespace
             finding = Finding(
                 test=test,
                 title=title,
@@ -42,6 +52,7 @@ def handle_secrets(self, service, secrets, test):
                 static_finding=True,
                 dynamic_finding=False,
                 service=service,
+                tags=[resource_namespace],
             )
             if secret_rule_id:
                 finding.unsaved_vulnerability_ids = [secret_rule_id]

dojo/tools/trivy_operator/vulnerability_handler.py

@@ -14,8 +14,15 @@
 
 
 class TrivyVulnerabilityHandler:
-    def handle_vulns(self, service, vulnerabilities, test):
+    def handle_vulns(self, labels, vulnerabilities, test):
         findings = []
+        resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+        resource_kind = labels.get("trivy-operator.resource.kind", "")
+        resource_name = labels.get("trivy-operator.resource.name", "")
+        container_name = labels.get("trivy-operator.container.name", "")
+        service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+        if container_name != "":
+            service = f"{service}/{container_name}"
         for vulnerability in vulnerabilities:
             vuln_id = vulnerability.get("vulnerabilityID", "0")
             severity = TRIVY_SEVERITIES[vulnerability.get("severity")]
@@ -24,8 +31,7 @@ def handle_vulns(self, service, vulnerabilities, test):
             package_name = vulnerability.get("resource")
             package_version = vulnerability.get("installedVersion")
             cvssv3_score = vulnerability.get("score")
-
-            finding_tags = []
+            finding_tags = [resource_namespace]
             target_target = None
             target_class = None
             package_path = None
@@ -57,7 +63,10 @@ def handle_vulns(self, service, vulnerabilities, test):
             description = DESCRIPTION_TEMPLATE.format(
                 title=vulnerability.get("title"), fixed_version=mitigation,
             )
-
+            description += "\n**container.name:** " + container_name
+            description += "\n**resource.kind:** " + resource_kind
+            description += "\n**resource.name:** " + resource_name
+            description += "\n**resource.namespace:** " + resource_namespace
             title = f"{vuln_id} {package_name} {package_version}"
             finding = Finding(
                 test=test,