Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🎉 Make Trivy Operator K8s vulnids consistent #11188

Merged
merged 23 commits into from
Nov 12, 2024

Conversation

manuel-sommer
Copy link
Contributor

@manuel-sommer manuel-sommer commented Nov 4, 2024

This PR fixes:

  • trivy operator vulnids are malformed (e.g. KCV0092 --> AVD-KCV-0092)
  • trivy operator vulnids can be resolved
  • trivy operator secrets ruleIDs are not resolvable (are not listed in the aquasec vulnerability database), but were listed as a vulnid

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR ui parser labels Nov 4, 2024
Copy link

dryrunsecurity bot commented Nov 4, 2024

DryRun Security Summary

The pull request includes a range of improvements and updates to the security-related functionality of the DefectDojo application, focusing on enhancing vulnerability ID handling, Trivy vulnerability scanner parsing and reporting, and updating security-related settings and configurations.

Expand for full summary

Summary:

The code changes in this pull request cover a range of improvements and updates to the security-related functionality of the DefectDojo application. The changes focus on enhancing the handling and standardization of vulnerability IDs, improving the parsing and reporting of security findings from the Trivy vulnerability scanner, and updating security-related settings and configurations.

Key highlights of the changes include:

  1. Vulnerability ID Standardization: The changes introduce a UniformTrivyVulnID class to standardize the formatting of vulnerability IDs, ensuring consistency across the application and improving vulnerability tracking, reporting, and integration with external tools.

  2. Trivy Operator Enhancements: The changes update the handling of secrets, compliance, and vulnerability findings from the Trivy Operator, providing more detailed information in the security findings and improving the overall security posture of the application.

  3. Security Settings and Configuration: The changes to the settings.dist.py file update various security-related settings, such as security headers, authentication methods, API tokens, logging, and file upload restrictions, further strengthening the application's security posture.

  4. Unit Test Updates: The changes to the unit tests for the TrivyOperatorParser ensure that the parser is correctly handling the various types of reports from the Trivy Operator, maintaining the quality and reliability of the security scanning capabilities.

Overall, the code changes in this pull request appear to be focused on improving the security and security-related functionality of the DefectDojo application, which is a positive step from an application security perspective.

Files Changed:

  1. dojo/templatetags/display_tags.py: The changes to the vulnerability_url function improve the handling of different vulnerability ID formats, ensuring that the URLs are properly constructed for a wider range of vulnerability IDs.

  2. dojo/tools/trivy_operator/checks_handler.py: The changes standardize the formatting of vulnerability IDs in the Finding objects, enhancing the consistency and reliability of the vulnerability data.

  3. dojo/settings/.settings.dist.py.sha256sum: The changes to the SHA-256 hash value in this file should be reviewed to understand the impact on the application's configuration and integrity verification processes.

  4. dojo/tools/trivy_operator/secrets_handler.py: The changes improve the information provided in the security findings for detected secrets, including the specific rule ID that triggered the finding.

  5. dojo/tools/trivy_operator/compliance_handler.py: The changes standardize the vulnerability IDs in the compliance findings, improving the overall consistency and reliability of the vulnerability data.

  6. dojo/settings/settings.dist.py: The changes to this file update various security-related settings and configurations, enhancing the application's security posture.

  7. dojo/tools/trivy_operator/uniform_vulnid.py: This new file introduces the UniformTrivyVulnID class, which is responsible for standardizing the vulnerability IDs used throughout the application.

  8. dojo/tools/trivy_operator/vulnerability_handler.py: The changes in this file leverage the UniformTrivyVulnID class to ensure that vulnerability IDs are consistently formatted.

  9. unittests/tools/test_trivy_operator_parser.py: The changes to the unit tests ensure that the TrivyOperatorParser is correctly handling the expected vulnerability ID formats.

Code Analysis

We ran 9 analyzers against 9 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 2 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

Copy link
Contributor

github-actions bot commented Nov 4, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

1 similar comment
Copy link
Contributor

github-actions bot commented Nov 4, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

github-actions bot commented Nov 4, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

github-actions bot commented Nov 4, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

github-actions bot commented Nov 4, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@manuel-sommer manuel-sommer changed the title 🎉 Uniform Trivy Operator K8s vulnids 🎉 Make Trivy Operator K8s vulnids consistent Nov 4, 2024
@manuel-sommer manuel-sommer marked this pull request as draft November 4, 2024 21:30
@manuel-sommer manuel-sommer marked this pull request as ready for review November 4, 2024 21:47
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

dojo/tools/trivy_operator/uniform_vulnid.py Outdated Show resolved Hide resolved
dojo/tools/trivy_operator/compliance_handler.py Outdated Show resolved Hide resolved
dojo/tools/trivy_operator/checks_handler.py Outdated Show resolved Hide resolved
dojo/tools/trivy_operator/vulnerability_handler.py Outdated Show resolved Hide resolved
@manuel-sommer manuel-sommer requested a review from cneill November 9, 2024 00:57
@manuel-sommer
Copy link
Contributor Author

@cneill , could we merge this in the upcomming release on Monday?

@manuel-sommer
Copy link
Contributor Author

Friendly reminder @cneill

@manuel-sommer
Copy link
Contributor Author

@Maffooch, could we introduce this PR to the upcomming release today?

@Maffooch
Copy link
Contributor

Will need sign off from @cneill first, but the release will actually go out tomorrow, as today is a US holiday

Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mtesauro mtesauro merged commit 3f48a94 into DefectDojo:bugfix Nov 12, 2024
72 of 73 checks passed
@manuel-sommer manuel-sommer deleted the uniform_triyoperator_ids branch November 12, 2024 20:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR ui unittests
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants