
🐛 fix trivy operator deduplication setting #10389

Merged
merged 2 commits into from
Jun 17, 2024

Conversation

manuel-sommer
Contributor

Provide the mitigation information as soon as it becomes available. Then, the finding can be fixed.

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Jun 12, 2024

dryrunsecurity bot commented Jun 12, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are related to the Trivy Operator Scan and Trivy Scan parsers in the DefectDojo application. The key changes are the addition of the 'description' field to the list of fields that are parsed and stored in the DefectDojo database for both the 'Trivy Operator Scan' and 'Trivy Scan' parsers.

From an application security perspective, these changes are positive as they ensure that the 'description' field from the Trivy Operator Scan and Trivy Scan results is captured and available in the DefectDojo application. The 'description' field often contains valuable information about the vulnerability, which can help security teams better understand and prioritize the findings. Additionally, the consistent inclusion of the 'description' field across different scan types can improve the overall quality and usefulness of the data stored in the DefectDojo application, which is important for effective vulnerability management.

The other change in the pull request is an update to the SHA-256 hash file for the settings.dist.py configuration file. This change is not immediately concerning, but it's important to ensure that the new hash value is correct and that the configuration file itself does not contain any sensitive information that could introduce security vulnerabilities.

Files Changed:

  1. dojo/settings/settings.dist.py: The changes in this file are related to the Trivy Operator Scan and Trivy Scan parsers in the DefectDojo application. The 'description' field has been added to the list of fields that are parsed and stored in the DefectDojo database for both the 'Trivy Operator Scan' and 'Trivy Scan' parsers.

  2. dojo/settings/.settings.dist.py.sha256sum: This file contains the SHA-256 hash value for the settings.dist.py configuration file. The previous hash value has been updated to a new value, which should be verified to ensure that the configuration file has not been tampered with or modified in an unexpected way.

Powered by DryRun Security

@Maffooch
Contributor

@manuel-sommer I am curious about this one. Do you have an example for why the mitigation needs to be added to deduplication settings? This also makes me wonder if maybe there is some info in the mitigation that would be better served in the description or something.

@manuel-sommer
Contributor Author

Hi @Maffooch. So the point is that we either need the description or the mitigation field to be used in the deduplication. The reason is the following scenario.

  1. A CVE gets detected by Trivy Operator. But a fix does not yet exist. Thus, a developer does not have the information to fix the vulnerability:
    [screenshot]
  2. A fix is now present which is recognized by the trivy operator. Then, this information should be parsed by DefectDojo and become available through deduplication as there is no mechanism right now to update an existing finding:
    [screenshot]

@Maffooch
Contributor

Ahh, I see. This does make more sense now. I think the description would be more appropriate than the mitigation.
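The scenario discussed above, as an added example that is not part of the PR or of DefectDojo's own code: a simplified model of hash-code deduplication shows why a second report of the same CVE, now carrying fix information in its description, is silently collapsed into the first finding unless 'description' is part of the hashed fields. The base field list, the concatenate-then-SHA-256 scheme, the library name and the CVE id are assumptions or placeholders, not DefectDojo's actual defaults.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical, simplified stand-in for the HASHCODE_FIELDS_PER_SCANNER entry in
# settings.dist.py. The PR only states that 'description' was added; the base
# fields listed here are an assumption, not DefectDojo's actual defaults.
HASHCODE_FIELDS_BEFORE = ["title", "severity", "vulnerability_ids"]
HASHCODE_FIELDS_AFTER = HASHCODE_FIELDS_BEFORE + ["description"]


@dataclass
class Finding:
    title: str
    severity: str
    vulnerability_ids: str
    description: str


def hash_code(finding: Finding, fields: list[str]) -> str:
    """Simplified model of DefectDojo's per-finding hash code: concatenate the
    configured fields in order and SHA-256 the result (assumed, not verbatim)."""
    material = "".join(str(getattr(finding, name)) for name in fields)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def is_duplicate(existing: Finding, incoming: Finding, fields: list[str]) -> bool:
    """Hash-code deduplication: identical hash codes collapse into one finding."""
    return hash_code(existing, fields) == hash_code(incoming, fields)


# Constructed sample data: the same Trivy Operator CVE reported twice, first
# without a fix and later once a fixed version exists. The CVE id is a placeholder.
FIRST_REPORT = Finding("CVE-0000-0000 in libexample", "High", "CVE-0000-0000",
                       "No fix available")
LATER_REPORT = Finding("CVE-0000-0000 in libexample", "High", "CVE-0000-0000",
                       "Fixed version: libexample 1.2.3")


def later_report_is_deduplicated(fields: list[str]) -> bool:
    """True when the later report would be marked a duplicate of the first one,
    so its updated fix information would never reach the developer."""
    return is_duplicate(FIRST_REPORT, LATER_REPORT, fields)


if __name__ == "__main__":
    print("before:", later_report_is_deduplicated(HASHCODE_FIELDS_BEFORE))  # True
    print("after: ", later_report_is_deduplicated(HASHCODE_FIELDS_AFTER))   # False
```

The same reasoning applies to 'mitigation' as the thread first proposed; any hashed field that changes when a fix appears breaks the match and surfaces the new finding.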

@manuel-sommer
Contributor Author

Done @Maffooch. Could we merge this fast please? It would be awesome if we could get it into the next release.

Contributor

@mtesauro mtesauro left a comment

Approved

@mtesauro mtesauro merged commit 358e7f8 into DefectDojo:bugfix Jun 17, 2024
125 checks passed
mtesauro added a commit that referenced this pull request Jun 17, 2024
@manuel-sommer manuel-sommer deleted the fix_trivyoperatordedupe branch June 17, 2024 15:17