From 8f9910bc837908ec16605be63077a8df40fb779f Mon Sep 17 00:00:00 2001
From: Manuel Sommer
Date: Tue, 29 Oct 2024 20:53:44 +0100
Subject: [PATCH] added additional info to description
---
dojo/tools/trivy_operator/checks_handler.py | 14 +++++++++++++-
dojo/tools/trivy_operator/parser.py | 15 +++------------
dojo/tools/trivy_operator/secrets_handler.py | 15 +++++++++++++--
.../trivy_operator/vulnerability_handler.py | 17 +++++++++++++----
unittests/tools/test_trivy_operator_parser.py | 2 +-
5 files changed, 43 insertions(+), 20 deletions(-)
diff --git a/dojo/tools/trivy_operator/checks_handler.py b/dojo/tools/trivy_operator/checks_handler.py
index e6a1ccd8bb6..c42eef0fa8a 100644
--- a/dojo/tools/trivy_operator/checks_handler.py
+++ b/dojo/tools/trivy_operator/checks_handler.py
@@ -10,8 +10,15 @@ class TrivyChecksHandler:
- def handle_checks(self, service, checks, test):
+ def handle_checks(self, labels, checks, test):
findings = []
+ resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+ resource_kind = labels.get("trivy-operator.resource.kind", "")
+ resource_name = labels.get("trivy-operator.resource.name", "")
+ container_name = labels.get("trivy-operator.container.name", "")
+ service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+ if container_name != "":
+ service = f"{service}/{container_name}"
for check in checks:
check_title = check.get("title")
check_severity = TRIVY_SEVERITIES[check.get("severity")]
@@ -23,6 +30,10 @@ def handle_checks(self, service, checks, test): + check_id.lower()
)
check_description = check.get("description", "")
+ check_description += "\n**container.name:** " + container_name
+ check_description += "\n**resource.kind:** " + resource_kind
+ check_description += "\n**resource.name:** " + resource_name
+ check_description += "\n**resource.namespace:** " + resource_namespace
title = f"{check_id} - {check_title}"
finding = Finding(
test=test,
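Review bot: The seven added lines that derive `service` from `labels` (from `resource_namespace = labels.get(...)` through `service = f"{service}/{container_name}"`) are repeated byte-for-byte in secrets_handler.py and vulnerability_handler.py in this same commit, and the four label keys are now part of `handle_checks`'s contract without any docstring saying so — a mapping missing them silently yields a `service` of `//` and blank context values rather than an error. A single helper that the three handlers import (a small module alongside them, since parser.py imports the handlers and cannot be imported back) keeps the key names and the path format in one place and gives them one docstring; each handler then reduces to one call and reads the namespace for its tag and description from the returned mapping. handle_checks continues past the end of this hunk.
```python
def resource_context(labels):
    """Return (service, context) derived from a report's trivy-operator.* labels.

    service is "<namespace>/<kind>/<name>" plus "/<container>" when the
    container label is present; context maps "namespace", "kind", "name" and
    "container" to the label values ("" when a label is absent).
    """
    context = {
        "namespace": labels.get("trivy-operator.resource.namespace", ""),
        "kind": labels.get("trivy-operator.resource.kind", ""),
        "name": labels.get("trivy-operator.resource.name", ""),
        "container": labels.get("trivy-operator.container.name", ""),
    }
    service = f"{context['namespace']}/{context['kind']}/{context['name']}"
    if context["container"] != "":
        service = f"{service}/{context['container']}"
    return service, context


    def handle_checks(self, labels, checks, test):
        findings = []
        service, ctx = resource_context(labels)
        # … unchanged: per-check loop, using ctx["namespace"] etc. where the
        #   commit uses resource_namespace / resource_kind / resource_name / container_name …
```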
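Review bot: The four `check_description +=` lines run unconditionally, so a check on a resource with no container — `container_name` defaults to `""`, the exact case the first hunk of this file guards with `if container_name != ""` when it builds `service` — ends up with a bare `**container.name:** ` line with nothing after it in the description. Apply the same guard here, `if container_name: check_description += "\n**container.name:** " + container_name`, so the description and the service path agree on when a container is reported. Separately, `check.get("description", "")` only defaults when the key is absent; a report carrying `"description": null` would now raise `TypeError` on the first `+=` where the old code passed the value straight into `Finding`, so `check.get("description") or ""` is the safer read. handle_checks starts and ends outside this hunk.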
@@ -33,6 +44,7 @@ def handle_checks(self, service, checks, test):
static_finding=True,
dynamic_finding=False,
service=service,
+ tags=[resource_namespace],
)
if check_id:
finding.unsaved_vulnerability_ids = [check_id]
diff --git a/dojo/tools/trivy_operator/parser.py b/dojo/tools/trivy_operator/parser.py
index 7c1b1b8dfcb..8be42e8e31e 100644
--- a/dojo/tools/trivy_operator/parser.py
+++ b/dojo/tools/trivy_operator/parser.py
@@ -48,24 +48,15 @@ def output_findings(self, data, test):
benchmarkreport = benchmark.get("detailReport", None)
findings = []
if report is not None:
- resource_namespace = labels.get(
- "trivy-operator.resource.namespace", "",
- )
- resource_kind = labels.get("trivy-operator.resource.kind", "")
- resource_name = labels.get("trivy-operator.resource.name", "")
- container_name = labels.get("trivy-operator.container.name", "")
- service = f"{resource_namespace}/{resource_kind}/{resource_name}"
- if container_name != "":
- service = f"{service}/{container_name}"
vulnerabilities = report.get("vulnerabilities", None)
if vulnerabilities is not None:
- findings += TrivyVulnerabilityHandler().handle_vulns(service, vulnerabilities, test)
+ findings += TrivyVulnerabilityHandler().handle_vulns(labels, vulnerabilities, test)
checks = report.get("checks", None)
if checks is not None:
- findings += TrivyChecksHandler().handle_checks(service, checks, test)
+ findings += TrivyChecksHandler().handle_checks(labels, checks, test)
secrets = report.get("secrets", None)
if secrets is not None:
- findings += TrivySecretsHandler().handle_secrets(service, secrets, test)
+ findings += TrivySecretsHandler().handle_secrets(labels, secrets, test)
elif benchmarkreport is not None:
findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test)
return findings
diff --git a/dojo/tools/trivy_operator/secrets_handler.py b/dojo/tools/trivy_operator/secrets_handler.py
index c5e767a1bc5..a00c894a034 100644
--- a/dojo/tools/trivy_operator/secrets_handler.py
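Review bot: `tags=[resource_namespace]` is set unconditionally, so when the namespace label is absent or empty (`resource_namespace` defaults to `""` in the first hunk of this file; cluster-scoped resources are the likely case — confirm against a sample report) the finding is handed an empty-string tag, and whether the tag field drops it or stores a blank tag depends on the tag backend rather than on this code. Guard it at the source: `tags=[resource_namespace] if resource_namespace else [],`. The same unconditional tag is added in secrets_handler.py and as the initial `finding_tags` in vulnerability_handler.py in this commit. handle_checks starts outside this hunk.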
+++ b/dojo/tools/trivy_operator/secrets_handler.py
@@ -15,8 +15,15 @@ class TrivySecretsHandler:
- def handle_secrets(self, service, secrets, test):
+ def handle_secrets(self, labels, secrets, test):
findings = []
+ resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+ resource_kind = labels.get("trivy-operator.resource.kind", "")
+ resource_name = labels.get("trivy-operator.resource.name", "")
+ container_name = labels.get("trivy-operator.container.name", "")
+ service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+ if container_name != "":
+ service = f"{service}/{container_name}"
for secret in secrets:
secret_title = secret.get("title")
secret_category = secret.get("category")
@@ -31,7 +38,10 @@ def handle_secrets(self, service, secrets, test):
category=secret_category,
match=secret_match,
)
-
+ secret_description += "\n**container.name:** " + container_name
+ secret_description += "\n**resource.kind:** " + resource_kind
+ secret_description += "\n**resource.name:** " + resource_name
+ secret_description += "\n**resource.namespace:** " + resource_namespace
finding = Finding(
test=test,
title=title,
@@ -42,6 +52,7 @@ def handle_secrets(self, service, secrets, test):
static_finding=True,
dynamic_finding=False,
service=service,
+ tags=[resource_namespace],
)
if secret_rule_id:
finding.unsaved_vulnerability_ids = [secret_rule_id]
diff --git a/dojo/tools/trivy_operator/vulnerability_handler.py b/dojo/tools/trivy_operator/vulnerability_handler.py
index 13be3e55a41..a5a26e1288a 100644
--- a/dojo/tools/trivy_operator/vulnerability_handler.py
+++ b/dojo/tools/trivy_operator/vulnerability_handler.py
@@ -14,8 +14,15 @@ class TrivyVulnerabilityHandler:
- def handle_vulns(self, service, vulnerabilities, test):
+ def handle_vulns(self, labels, vulnerabilities, test):
findings = []
+ resource_namespace = labels.get("trivy-operator.resource.namespace", "")
+ resource_kind = labels.get("trivy-operator.resource.kind", "")
+ resource_name = labels.get("trivy-operator.resource.name", "")
+ container_name = labels.get("trivy-operator.container.name", "")
+ service = f"{resource_namespace}/{resource_kind}/{resource_name}"
+ if container_name != "":
+ service = f"{service}/{container_name}"
for vulnerability in vulnerabilities:
vuln_id = vulnerability.get("vulnerabilityID", "0")
severity = TRIVY_SEVERITIES[vulnerability.get("severity")]
@@ -24,8 +31,7 @@ def handle_vulns(self, service, vulnerabilities, test):
package_name = vulnerability.get("resource")
package_version = vulnerability.get("installedVersion")
cvssv3_score = vulnerability.get("score")
-
- finding_tags = []
+ finding_tags = [resource_namespace]
target_target = None
target_class = None
package_path = None
@@ -57,7 +63,10 @@ def handle_vulns(self, service, vulnerabilities, test):
description = DESCRIPTION_TEMPLATE.format(
title=vulnerability.get("title"), fixed_version=mitigation,
)
-
+ description += "\n**container.name:** " + container_name
+ description += "\n**resource.kind:** " + resource_kind
+ description += "\n**resource.name:** " + resource_name
+ description += "\n**resource.namespace:** " + resource_namespace
title = f"{vuln_id} {package_name} {package_version}"
finding = Finding(
test=test,
diff --git a/unittests/tools/test_trivy_operator_parser.py b/unittests/tools/test_trivy_operator_parser.py
index 3ba32fd899e..5e4a71558da 100644
--- a/unittests/tools/test_trivy_operator_parser.py
+++ b/unittests/tools/test_trivy_operator_parser.py
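Review bot: The four `description +=` lines bolt the resource context onto the string right after `DESCRIPTION_TEMPLATE.format(...)` has produced it, so the layout of the vulnerability description now lives in two places. Since the template is already the single definition of that text, add `**container.name:** {container_name}`, `**resource.kind:** {resource_kind}`, `**resource.name:** {resource_name}` and `**resource.namespace:** {resource_namespace}` placeholders to `DESCRIPTION_TEMPLATE` (defined above this hunk, presumably near the top of the file) and supply them in the existing call: `title=vulnerability.get("title"), fixed_version=mitigation, container_name=container_name, resource_kind=resource_kind, resource_name=resource_name, resource_namespace=resource_namespace,`. That replaces the four concatenations with one changed line here, and the same shape applies to the secrets handler's `.format(...)` call in this commit. handle_vulns starts and ends outside this hunk.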
@@ -135,7 +135,7 @@ def test_vulnerabilityreport_extended(self):
self.assertEqual("3.6.13-2ubuntu1.10", finding.mitigation)
self.assertEqual(5.9, finding.cvssv3_score)
self.assertEqual("ubuntu:20.04 (ubuntu 20.04)", finding.file_path)
- self.assertEqual("os-pkgs, ubuntu", str(finding.tags))
+ self.assertEqual("lbc, os-pkgs, ubuntu", str(finding.tags))
def test_cis_benchmark(self):
with open(sample_path("cis_benchmark.json"), encoding="utf-8") as test_file:
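Review bot: The only assertion updated for this commit is the tag string, so the new description lines (`**resource.namespace:** …` and the three others) and the per-handler `service` path are not covered by any visible test, and a regression in either would pass this suite unchanged. Add, next to the tag assertion, `self.assertIn("**resource.namespace:** lbc", finding.description)` (assuming `lbc` is the namespace label in the sample, as the expected tag suggests — confirm), and a case whose labels lack `trivy-operator.container.name` to pin both the container-less `service` path and what the tags field does with an empty namespace. test_vulnerabilityreport_extended starts above this hunk.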