diff --git a/docs/content/en/integrations/parsers/file/gcloud_artifact_scan.md b/docs/content/en/integrations/parsers/file/gcloud_artifact_scan.md new file mode 100644 index 00000000000..cb752af29c5 --- /dev/null +++ b/docs/content/en/integrations/parsers/file/gcloud_artifact_scan.md @@ -0,0 +1,12 @@ +--- +title: "Google Cloud Artifact Vulnerability Scan" +toc_hide: true +--- +Google Cloud has a Artifact Registry that you can enable security scans https://cloud.google.com/artifact-registry/docs/analysis +Once a scan is completed, results can be pulled via API/gcloud https://cloud.google.com/artifact-analysis/docs/metadata-storage and exported to JSON + +### File Types +DefectDojo parser accepts Google Cloud Artifact Vulnerability Scan data as a .json file. + +### Sample Scan Data +Sample reports can be found at https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/gcloud_artifact_scan \ No newline at end of file diff --git a/dojo/tools/gcloud_artifact_scan/__init__.py b/dojo/tools/gcloud_artifact_scan/__init__.py new file mode 100644 index 00000000000..99e8e118c6a --- /dev/null +++ b/dojo/tools/gcloud_artifact_scan/__init__.py @@ -0,0 +1 @@ +__author__ = "manuel_sommer" diff --git a/dojo/tools/gcloud_artifact_scan/parser.py b/dojo/tools/gcloud_artifact_scan/parser.py new file mode 100644 index 00000000000..9785d12d678 --- /dev/null +++ b/dojo/tools/gcloud_artifact_scan/parser.py @@ -0,0 +1,55 @@ +import json +from dojo.models import Finding + + +class GCloudArtifactScanParser(object): + def get_scan_types(self): + return ["Google Cloud Artifact Vulnerability Scan"] + + def get_label_for_scan_types(self, scan_type): + return scan_type # no custom label for now + + def get_description_for_scan_types(self, scan_type): + return "Import Google Cloud Artifact Vulnerability scans in JSON format." + + def parse_json(self, json_output): + try: + data = json_output.read() + try: + tree = json.loads(str(data, "utf-8")) + except Exception: + tree = json.loads(data) + except Exception: + raise ValueError("Invalid format") + return tree + + def get_findings(self, json_output, test): + findings = [] + if json_output is None: + return findings + tree = self.parse_json(json_output) + if tree: + for severity in tree["package_vulnerability_summary"]["vulnerabilities"]: + for vuln in tree["package_vulnerability_summary"]["vulnerabilities"][severity]: + description = "name: " + str(vuln["name"]) + "\n\n" + description += "resourceUri: " + str(vuln["resourceUri"]) + "\n" + description += "fixAvailable: " + str(vuln["vulnerability"]["fixAvailable"]) + "\n" + description += "packageIssue: " + str(vuln["vulnerability"]["packageIssue"]) + "\n" + description += "CVE: " + str(vuln["vulnerability"]["shortDescription"]) + "\n" + reference = "" + for ref in vuln["vulnerability"]["relatedUrls"]: + reference += ref["url"] + "\n" + finding = Finding( + title=vuln["noteName"], + test=test, + description=description, + severity=severity.lower().capitalize(), + references=reference, + component_name="affectedCPEUri: " + vuln["vulnerability"]["packageIssue"][0]["affectedCpeUri"] + " affectedPackage: " + vuln["vulnerability"]["packageIssue"][0]["affectedPackage"], + component_version=vuln["vulnerability"]["packageIssue"][0]["affectedVersion"]["fullName"], + static_finding=True, + dynamic_finding=False, + cvssv3_score=vuln["vulnerability"]["cvssScore"] + ) + findings.append(finding) + return findings diff --git a/unittests/scans/gcloud_artifact_scan/many_vulns.json b/unittests/scans/gcloud_artifact_scan/many_vulns.json new file mode 100644 index 00000000000..2ab43ad9617 --- /dev/null +++ b/unittests/scans/gcloud_artifact_scan/many_vulns.json @@ -0,0 +1,514 @@ +{ + "discovery_summary": { + "discovery": [ + { + "createTime": "2023-08-23T16:57:29.302830Z", + "discovery": { + "analysisCompleted": { + "analysisType": [ + "OS", + "GO", + "MAVEN", + "PYPI", + "NPM" + ] + }, + "analysisStatus": "FINISHED_SUCCESS", + "continuousAnalysis": "ACTIVE", + "lastScanTime": "2023-08-23T16:57:34.358092699Z" + }, + "kind": "DISCOVERY", + "name": "projects/test/occurrences/1ae41139-7c9c-4c43-817e-9186d7583563", + "noteName": "projects/goog-analysis/notes/PACKAGE_VULNERABILITY", + "resourceUri": "https://northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "updateTime": "2023-08-23T16:57:34.487918Z" + } + ] + }, + "image_summary": { + "digest": "sha256:d2eecb48a0d1c6be1ec96d2d0a52c3b95936c4cdde2208299c04d6106b769658", + "fully_qualified_digest": "northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "registry": "northamerica-northeast1-docker.pkg.dev", + "repository": "testing", + "slsa_build_level": "unknown" + }, + "package_vulnerability_summary": { + "vulnerabilities": { + "CRITICAL": [ + { + "createTime": "2023-08-23T16:57:34.258042Z", + "kind": "VULNERABILITY", + "name": "projects/test/occurrences/17762f5b-88a9-4e15-b92d-ce5b4de56519", + "noteName": "projects/goog-vulnz/notes/CVE-2023-29405", + "resourceUri": "https://northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "updateTime": "2023-08-23T16:57:34.258042Z", + "vulnerability": { + "cvssScore": 9.8, + "cvssVersion": "CVSS_VERSION_3", + "cvssv3": { + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "attackVector": "ATTACK_VECTOR_NETWORK", + "availabilityImpact": "IMPACT_HIGH", + "baseScore": 9.8, + "confidentialityImpact": "IMPACT_HIGH", + "exploitabilityScore": 3.9, + "impactScore": 5.9, + "integrityImpact": "IMPACT_HIGH", + "privilegesRequired": "PRIVILEGES_REQUIRED_NONE", + "scope": "SCOPE_UNCHANGED", + "userInteraction": "USER_INTERACTION_NONE" + }, + "effectiveSeverity": "CRITICAL", + "fixAvailable": true, + "longDescription": "NIST vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "packageIssue": [ + { + "affectedCpeUri": "cpe:/o:debian:debian_linux:12", + "affectedPackage": "go", + "affectedVersion": { + "fullName": "1.17.6", + "kind": "NORMAL", + "name": "1.17.6" + }, + "effectiveSeverity": "CRITICAL", + "fileLocation": [ + { + "filePath": "/tmp/pdscan" + } + ], + "fixAvailable": true, + "fixedCpeUri": "cpe:/o:debian:debian_linux:12", + "fixedPackage": "go", + "fixedVersion": { + "fullName": "1.19.10", + "kind": "NORMAL", + "name": "1.19.10" + }, + "packageType": "GO_STDLIB" + } + ], + "relatedUrls": [ + { + "label": "More Info", + "url": "https://security-tracker.debian.org/tracker/CVE-2023-29405" + }, + { + "label": "More Info", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29405" + } + ], + "severity": "CRITICAL", + "shortDescription": "CVE-2023-29405" + } + }, + { + "createTime": "2023-08-23T16:57:34.195901Z", + "kind": "VULNERABILITY", + "name": "projects/test/occurrences/9375502a-c7a7-4605-88f7-caf1ca8137ae", + "noteName": "projects/goog-vulnz/notes/CVE-2023-29402", + "resourceUri": "https://northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "updateTime": "2023-08-23T16:57:34.195901Z", + "vulnerability": { + "cvssScore": 9.8, + "cvssVersion": "CVSS_VERSION_3", + "cvssv3": { + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "attackVector": "ATTACK_VECTOR_NETWORK", + "availabilityImpact": "IMPACT_HIGH", + "baseScore": 9.8, + "confidentialityImpact": "IMPACT_HIGH", + "exploitabilityScore": 3.9, + "impactScore": 5.9, + "integrityImpact": "IMPACT_HIGH", + "privilegesRequired": "PRIVILEGES_REQUIRED_NONE", + "scope": "SCOPE_UNCHANGED", + "userInteraction": "USER_INTERACTION_NONE" + }, + "effectiveSeverity": "CRITICAL", + "fixAvailable": true, + "longDescription": "NIST vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "packageIssue": [ + { + "affectedCpeUri": "cpe:/o:debian:debian_linux:12", + "affectedPackage": "go", + "affectedVersion": { + "fullName": "1.17.6", + "kind": "NORMAL", + "name": "1.17.6" + }, + "effectiveSeverity": "CRITICAL", + "fileLocation": [ + { + "filePath": "/tmp/pdscan" + } + ], + "fixAvailable": true, + "fixedCpeUri": "cpe:/o:debian:debian_linux:12", + "fixedPackage": "go", + "fixedVersion": { + "fullName": "1.19.10", + "kind": "NORMAL", + "name": "1.19.10" + }, + "packageType": "GO_STDLIB" + } + ], + "relatedUrls": [ + { + "label": "More Info", + "url": "https://security-tracker.debian.org/tracker/CVE-2023-29402" + }, + { + "label": "More Info", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29402" + } + ], + "severity": "CRITICAL", + "shortDescription": "CVE-2023-29402" + } + }, + { + "createTime": "2023-08-23T16:57:34.291202Z", + "kind": "VULNERABILITY", + "name": "projects/test/occurrences/94d3ba5b-8ea5-4df9-9e4b-6719f3549046", + "noteName": "projects/goog-vulnz/notes/CVE-2023-29404", + "resourceUri": "https://northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "updateTime": "2023-08-23T16:57:34.291202Z", + "vulnerability": { + "cvssScore": 9.8, + "cvssVersion": "CVSS_VERSION_3", + "cvssv3": { + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "attackVector": "ATTACK_VECTOR_NETWORK", + "availabilityImpact": "IMPACT_HIGH", + "baseScore": 9.8, + "confidentialityImpact": "IMPACT_HIGH", + "exploitabilityScore": 3.9, + "impactScore": 5.9, + "integrityImpact": "IMPACT_HIGH", + "privilegesRequired": "PRIVILEGES_REQUIRED_NONE", + "scope": "SCOPE_UNCHANGED", + "userInteraction": "USER_INTERACTION_NONE" + }, + "effectiveSeverity": "CRITICAL", + "fixAvailable": true, + "longDescription": "NIST vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "packageIssue": [ + { + "affectedCpeUri": "cpe:/o:debian:debian_linux:12", + "affectedPackage": "go", + "affectedVersion": { + "fullName": "1.17.6", + "kind": "NORMAL", + "name": "1.17.6" + }, + "effectiveSeverity": "CRITICAL", + "fileLocation": [ + { + "filePath": "/tmp/pdscan" + } + ], + "fixAvailable": true, + "fixedCpeUri": "cpe:/o:debian:debian_linux:12", + "fixedPackage": "go", + "fixedVersion": { + "fullName": "1.19.10", + "kind": "NORMAL", + "name": "1.19.10" + }, + "packageType": "GO_STDLIB" + } + ], + "relatedUrls": [ + { + "label": "More Info", + "url": "https://security-tracker.debian.org/tracker/CVE-2023-29404" + }, + { + "label": "More Info", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29404" + } + ], + "severity": "CRITICAL", + "shortDescription": "CVE-2023-29404" + } + }, + { + "createTime": "2023-08-23T16:57:34.110140Z", + "kind": "VULNERABILITY", + "name": "projects/test/occurrences/9534a1c6-84cf-4141-b5d2-3b80fb6935cb", + "noteName": "projects/goog-vulnz/notes/CVE-2023-24540", + "resourceUri": "https://northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "updateTime": "2023-08-23T16:57:34.110140Z", + "vulnerability": { + "cvssScore": 9.8, + "cvssVersion": "CVSS_VERSION_3", + "cvssv3": { + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "attackVector": "ATTACK_VECTOR_NETWORK", + "availabilityImpact": "IMPACT_HIGH", + "baseScore": 9.8, + "confidentialityImpact": "IMPACT_HIGH", + "exploitabilityScore": 3.9, + "impactScore": 5.9, + "integrityImpact": "IMPACT_HIGH", + "privilegesRequired": "PRIVILEGES_REQUIRED_NONE", + "scope": "SCOPE_UNCHANGED", + "userInteraction": "USER_INTERACTION_NONE" + }, + "effectiveSeverity": "CRITICAL", + "fixAvailable": true, + "longDescription": "NIST vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "packageIssue": [ + { + "affectedCpeUri": "cpe:/o:debian:debian_linux:12", + "affectedPackage": "go", + "affectedVersion": { + "fullName": "1.17.6", + "kind": "NORMAL", + "name": "1.17.6" + }, + "effectiveSeverity": "CRITICAL", + "fileLocation": [ + { + "filePath": "/tmp/pdscan" + } + ], + "fixAvailable": true, + "fixedCpeUri": "cpe:/o:debian:debian_linux:12", + "fixedPackage": "go", + "fixedVersion": { + "fullName": "1.19.9", + "kind": "NORMAL", + "name": "1.19.9" + }, + "packageType": "GO_STDLIB" + } + ], + "relatedUrls": [ + { + "label": "More Info", + "url": "https://security-tracker.debian.org/tracker/CVE-2023-24540" + }, + { + "label": "More Info", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24540" + } + ], + "severity": "CRITICAL", + "shortDescription": "CVE-2023-24540" + } + }, + { + "createTime": "2023-08-23T16:57:34.290433Z", + "kind": "VULNERABILITY", + "name": "projects/test/occurrences/99c6aa0f-018a-4cc9-bb93-1d90b0dbc97e", + "noteName": "projects/goog-vulnz/notes/CVE-2023-24538", + "resourceUri": "https://northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "updateTime": "2023-08-23T16:57:34.290433Z", + "vulnerability": { + "cvssScore": 9.8, + "cvssVersion": "CVSS_VERSION_3", + "cvssv3": { + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "attackVector": "ATTACK_VECTOR_NETWORK", + "availabilityImpact": "IMPACT_HIGH", + "baseScore": 9.8, + "confidentialityImpact": "IMPACT_HIGH", + "exploitabilityScore": 3.9, + "impactScore": 5.9, + "integrityImpact": "IMPACT_HIGH", + "privilegesRequired": "PRIVILEGES_REQUIRED_NONE", + "scope": "SCOPE_UNCHANGED", + "userInteraction": "USER_INTERACTION_NONE" + }, + "effectiveSeverity": "CRITICAL", + "fixAvailable": true, + "longDescription": "NIST vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "packageIssue": [ + { + "affectedCpeUri": "cpe:/o:debian:debian_linux:12", + "affectedPackage": "go", + "affectedVersion": { + "fullName": "1.17.6", + "kind": "NORMAL", + "name": "1.17.6" + }, + "effectiveSeverity": "CRITICAL", + "fileLocation": [ + { + "filePath": "/tmp/pdscan" + } + ], + "fixAvailable": true, + "fixedCpeUri": "cpe:/o:debian:debian_linux:12", + "fixedPackage": "go", + "fixedVersion": { + "fullName": "1.19.8", + "kind": "NORMAL", + "name": "1.19.8" + }, + "packageType": "GO_STDLIB" + } + ], + "relatedUrls": [ + { + "label": "More Info", + "url": "https://security-tracker.debian.org/tracker/CVE-2023-24538" + }, + { + "label": "More Info", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24538" + } + ], + "severity": "CRITICAL", + "shortDescription": "CVE-2023-24538" + } + }, + { + "createTime": "2023-08-23T16:57:33.746649Z", + "kind": "VULNERABILITY", + "name": "projects/test/occurrences/b0e9e452-35cd-4c14-b929-3b5e6b270903", + "noteName": "projects/goog-vulnz/notes/CVE-2022-23806", + "resourceUri": "https://northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "updateTime": "2023-08-23T16:57:33.746649Z", + "vulnerability": { + "cvssScore": 9.1, + "cvssV2": { + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "attackVector": "ATTACK_VECTOR_NETWORK", + "authentication": "AUTHENTICATION_NONE", + "availabilityImpact": "IMPACT_PARTIAL", + "baseScore": 6.4, + "confidentialityImpact": "IMPACT_NONE", + "integrityImpact": "IMPACT_PARTIAL" + }, + "cvssVersion": "CVSS_VERSION_3", + "cvssv3": { + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "attackVector": "ATTACK_VECTOR_NETWORK", + "availabilityImpact": "IMPACT_HIGH", + "baseScore": 9.1, + "confidentialityImpact": "IMPACT_NONE", + "exploitabilityScore": 3.9, + "impactScore": 5.2, + "integrityImpact": "IMPACT_HIGH", + "privilegesRequired": "PRIVILEGES_REQUIRED_NONE", + "scope": "SCOPE_UNCHANGED", + "userInteraction": "USER_INTERACTION_NONE" + }, + "effectiveSeverity": "CRITICAL", + "fixAvailable": true, + "longDescription": "NIST vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", + "packageIssue": [ + { + "affectedCpeUri": "cpe:/o:debian:debian_linux:12", + "affectedPackage": "go", + "affectedVersion": { + "fullName": "1.17.6", + "kind": "NORMAL", + "name": "1.17.6" + }, + "effectiveSeverity": "CRITICAL", + "fileLocation": [ + { + "filePath": "/tmp/pdscan" + } + ], + "fixAvailable": true, + "fixedCpeUri": "cpe:/o:debian:debian_linux:12", + "fixedPackage": "go", + "fixedVersion": { + "fullName": "1.17.7", + "kind": "NORMAL", + "name": "1.17.7" + }, + "packageType": "GO_STDLIB" + } + ], + "relatedUrls": [ + { + "label": "More Info", + "url": "https://security-tracker.debian.org/tracker/CVE-2022-23806" + }, + { + "label": "More Info", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23806" + } + ], + "severity": "CRITICAL", + "shortDescription": "CVE-2022-23806" + } + } + ], + "HIGH": [ + { + "createTime": "2023-08-23T16:57:34.166285Z", + "kind": "VULNERABILITY", + "name": "projects/test/occurrences/0339e7f1-7a8a-4a89-b121-65040b8d3c84", + "noteName": "projects/goog-vulnz/notes/CVE-2022-41715", + "resourceUri": "https://northamerica-northeast1-docker.pkg.dev/testing/test-docker/test-image@sha256:deadbeef0000000000000000000000000000000000", + "updateTime": "2023-08-23T16:57:34.166285Z", + "vulnerability": { + "cvssScore": 7.5, + "cvssVersion": "CVSS_VERSION_3", + "cvssv3": { + "attackComplexity": "ATTACK_COMPLEXITY_LOW", + "attackVector": "ATTACK_VECTOR_NETWORK", + "availabilityImpact": "IMPACT_HIGH", + "baseScore": 7.5, + "confidentialityImpact": "IMPACT_NONE", + "exploitabilityScore": 3.9, + "impactScore": 3.6, + "integrityImpact": "IMPACT_NONE", + "privilegesRequired": "PRIVILEGES_REQUIRED_NONE", + "scope": "SCOPE_UNCHANGED", + "userInteraction": "USER_INTERACTION_NONE" + }, + "effectiveSeverity": "HIGH", + "fixAvailable": true, + "longDescription": "NIST vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "packageIssue": [ + { + "affectedCpeUri": "cpe:/o:debian:debian_linux:12", + "affectedPackage": "go", + "affectedVersion": { + "fullName": "1.17.6", + "kind": "NORMAL", + "name": "1.17.6" + }, + "effectiveSeverity": "HIGH", + "fileLocation": [ + { + "filePath": "/tmp/pdscan" + } + ], + "fixAvailable": true, + "fixedCpeUri": "cpe:/o:debian:debian_linux:12", + "fixedPackage": "go", + "fixedVersion": { + "fullName": "1.18.7", + "kind": "NORMAL", + "name": "1.18.7" + }, + "packageType": "GO_STDLIB" + } + ], + "relatedUrls": [ + { + "label": "More Info", + "url": "https://security-tracker.debian.org/tracker/CVE-2022-41715" + }, + { + "label": "More Info", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41715" + } + ], + "severity": "HIGH", + "shortDescription": "CVE-2022-41715" + } + } + ] + } + } +} \ No newline at end of file diff --git a/unittests/tools/test_gcloud_artifact_scan_parser.py b/unittests/tools/test_gcloud_artifact_scan_parser.py new file mode 100644 index 00000000000..fc829bf70c4 --- /dev/null +++ b/unittests/tools/test_gcloud_artifact_scan_parser.py @@ -0,0 +1,20 @@ +from ..dojo_test_case import DojoTestCase, get_unit_tests_path +from dojo.tools.gcloud_artifact_scan.parser import GCloudArtifactScanParser +from dojo.models import Test + + +class TestGCloudArtifactScanParser(DojoTestCase): + def test_parse_file_with_multiple_vuln_has_multiple_findings(self): + with open(f"{get_unit_tests_path()}/scans/gcloud_artifact_scan/many_vulns.json") as testfile: + parser = GCloudArtifactScanParser() + findings = parser.get_findings(testfile, Test()) + self.assertTrue(7, len(findings)) + finding = findings[0] + self.assertEqual("projects/goog-vulnz/notes/CVE-2023-29405", finding.title) + self.assertEqual("Critical", finding.severity) + finding = findings[1] + self.assertEqual("projects/goog-vulnz/notes/CVE-2023-29402", finding.title) + self.assertEqual("Critical", finding.severity) + finding = findings[2] + self.assertEqual("projects/goog-vulnz/notes/CVE-2023-29404", finding.title) + self.assertEqual("Critical", finding.severity)