added additional info to description
manuel-sommer committed Oct 29, 2024
1 parent fd0bcc5 commit 8f9910b
Showing 5 changed files with 43 additions and 20 deletions.
14 changes: 13 additions & 1 deletion dojo/tools/trivy_operator/checks_handler.py
Expand Up @@ -10,8 +10,15 @@


class TrivyChecksHandler:
def handle_checks(self, service, checks, test):
def handle_checks(self, labels, checks, test):
findings = []
resource_namespace = labels.get("trivy-operator.resource.namespace", "")
resource_kind = labels.get("trivy-operator.resource.kind", "")
resource_name = labels.get("trivy-operator.resource.name", "")
container_name = labels.get("trivy-operator.container.name", "")
service = f"{resource_namespace}/{resource_kind}/{resource_name}"
if container_name != "":
service = f"{service}/{container_name}"
for check in checks:
check_title = check.get("title")
check_severity = TRIVY_SEVERITIES[check.get("severity")]
Expand All @@ -23,6 +30,10 @@ def handle_checks(self, service, checks, test):
+ check_id.lower()
)
check_description = check.get("description", "")
check_description += "\n**container.name:** " + container_name
check_description += "\n**resource.kind:** " + resource_kind
check_description += "\n**resource.name:** " + resource_name
check_description += "\n**resource.namespace:** " + resource_namespace
title = f"{check_id} - {check_title}"
finding = Finding(
test=test,
Expand All @@ -33,6 +44,7 @@ def handle_checks(self, service, checks, test):
static_finding=True,
dynamic_finding=False,
service=service,
tags=[resource_namespace],
)
if check_id:
finding.unsaved_vulnerability_ids = [check_id]
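Review bot: `tags=[resource_namespace]` at the Finding() call creates an empty-string tag whenever the report's labels lack `trivy-operator.resource.namespace`, because the `labels.get(...)` defaults above fall back to `""`; `tags=[resource_namespace] if resource_namespace else []` keeps the tag list clean, and the same applies to `finding_tags = [resource_namespace]` in vulnerability_handler.py and `tags=[resource_namespace]` in secrets_handler.py. The four `check_description +=` lines likewise emit a `**container.name:** ` row with no value when that label is missing, so appending only the non-empty fields would keep the description tidy in all three handlers. The seven-line service construction from `labels` is now copy-pasted from parser.py into checks_handler.py, secrets_handler.py and vulnerability_handler.py; a single helper returning the service string and the four label values would keep them from drifting apart. handle_checks continues past the hunk.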
15 changes: 3 additions & 12 deletions dojo/tools/trivy_operator/parser.py
Expand Up @@ -48,24 +48,15 @@ def output_findings(self, data, test):
benchmarkreport = benchmark.get("detailReport", None)
findings = []
if report is not None:
resource_namespace = labels.get(
"trivy-operator.resource.namespace", "",
)
resource_kind = labels.get("trivy-operator.resource.kind", "")
resource_name = labels.get("trivy-operator.resource.name", "")
container_name = labels.get("trivy-operator.container.name", "")
service = f"{resource_namespace}/{resource_kind}/{resource_name}"
if container_name != "":
service = f"{service}/{container_name}"
vulnerabilities = report.get("vulnerabilities", None)
if vulnerabilities is not None:
findings += TrivyVulnerabilityHandler().handle_vulns(service, vulnerabilities, test)
findings += TrivyVulnerabilityHandler().handle_vulns(labels, vulnerabilities, test)
checks = report.get("checks", None)
if checks is not None:
findings += TrivyChecksHandler().handle_checks(service, checks, test)
findings += TrivyChecksHandler().handle_checks(labels, checks, test)
secrets = report.get("secrets", None)
if secrets is not None:
findings += TrivySecretsHandler().handle_secrets(service, secrets, test)
findings += TrivySecretsHandler().handle_secrets(labels, secrets, test)
elif benchmarkreport is not None:
findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test)
return findings
15 changes: 13 additions & 2 deletions dojo/tools/trivy_operator/secrets_handler.py
Expand Up @@ -15,8 +15,15 @@


class TrivySecretsHandler:
def handle_secrets(self, service, secrets, test):
def handle_secrets(self, labels, secrets, test):
findings = []
resource_namespace = labels.get("trivy-operator.resource.namespace", "")
resource_kind = labels.get("trivy-operator.resource.kind", "")
resource_name = labels.get("trivy-operator.resource.name", "")
container_name = labels.get("trivy-operator.container.name", "")
service = f"{resource_namespace}/{resource_kind}/{resource_name}"
if container_name != "":
service = f"{service}/{container_name}"
for secret in secrets:
secret_title = secret.get("title")
secret_category = secret.get("category")
Expand All @@ -31,7 +38,10 @@ def handle_secrets(self, service, secrets, test):
category=secret_category,
match=secret_match,
)

secret_description += "\n**container.name:** " + container_name
secret_description += "\n**resource.kind:** " + resource_kind
secret_description += "\n**resource.name:** " + resource_name
secret_description += "\n**resource.namespace:** " + resource_namespace
finding = Finding(
test=test,
title=title,
Expand All @@ -42,6 +52,7 @@ def handle_secrets(self, service, secrets, test):
static_finding=True,
dynamic_finding=False,
service=service,
tags=[resource_namespace],
)
if secret_rule_id:
finding.unsaved_vulnerability_ids = [secret_rule_id]
17 changes: 13 additions & 4 deletions dojo/tools/trivy_operator/vulnerability_handler.py
Expand Up @@ -14,8 +14,15 @@


class TrivyVulnerabilityHandler:
def handle_vulns(self, service, vulnerabilities, test):
def handle_vulns(self, labels, vulnerabilities, test):
findings = []
resource_namespace = labels.get("trivy-operator.resource.namespace", "")
resource_kind = labels.get("trivy-operator.resource.kind", "")
resource_name = labels.get("trivy-operator.resource.name", "")
container_name = labels.get("trivy-operator.container.name", "")
service = f"{resource_namespace}/{resource_kind}/{resource_name}"
if container_name != "":
service = f"{service}/{container_name}"
for vulnerability in vulnerabilities:
vuln_id = vulnerability.get("vulnerabilityID", "0")
severity = TRIVY_SEVERITIES[vulnerability.get("severity")]
Expand All @@ -24,8 +31,7 @@ def handle_vulns(self, service, vulnerabilities, test):
package_name = vulnerability.get("resource")
package_version = vulnerability.get("installedVersion")
cvssv3_score = vulnerability.get("score")

finding_tags = []
finding_tags = [resource_namespace]
target_target = None
target_class = None
package_path = None
Expand Down Expand Up @@ -57,7 +63,10 @@ def handle_vulns(self, service, vulnerabilities, test):
description = DESCRIPTION_TEMPLATE.format(
title=vulnerability.get("title"), fixed_version=mitigation,
)

description += "\n**container.name:** " + container_name
description += "\n**resource.kind:** " + resource_kind
description += "\n**resource.name:** " + resource_name
description += "\n**resource.namespace:** " + resource_namespace
title = f"{vuln_id} {package_name} {package_version}"
finding = Finding(
test=test,
2 changes: 1 addition & 1 deletion unittests/tools/test_trivy_operator_parser.py
Expand Up @@ -135,7 +135,7 @@ def test_vulnerabilityreport_extended(self):
self.assertEqual("3.6.13-2ubuntu1.10", finding.mitigation)
self.assertEqual(5.9, finding.cvssv3_score)
self.assertEqual("ubuntu:20.04 (ubuntu 20.04)", finding.file_path)
self.assertEqual("os-pkgs, ubuntu", str(finding.tags))
self.assertEqual("lbc, os-pkgs, ubuntu", str(finding.tags))

def test_cis_benchmark(self):
with open(sample_path("cis_benchmark.json"), encoding="utf-8") as test_file:
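Review bot: The updated assertion `self.assertEqual("lbc, os-pkgs, ubuntu", str(finding.tags))` only covers a report whose labels carry a namespace; a fixture without `trivy-operator.resource.namespace` would pin what the handlers do with their `""` default, which presumably becomes an empty-string tag today. The diffstat shows this one-line test change as the only test update, so the new `tags=[resource_namespace]` in the checks and secrets handlers has no assertion in this commit. test_vulnerabilityreport_extended starts outside the hunk.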
