
🎉 All Trivy Operator findings in one json #11252

Merged: 4 commits from trivy_structureupdate into DefectDojo:bugfix, Nov 15, 2024

Conversation

manuel-sommer (Contributor)

No description provided.


dryrunsecurity bot commented Nov 13, 2024

DryRun Security Summary

The pull request improves the test coverage and flexibility of the TrivyOperatorParser class, which parses the output of the Trivy Operator security scanning tool, without introducing any security vulnerabilities, and enhances the reliability and robustness of the parser.


Summary:

The changes in this pull request focus on improving the test coverage and flexibility of the TrivyOperatorParser class, which is responsible for parsing the output of the Trivy Operator security scanning tool. The changes do not introduce any security vulnerabilities, but instead aim to enhance the reliability and robustness of the parser.

The key changes include:

  1. Adding a new test case to verify the parser's ability to handle a JSON file containing all types of Trivy Operator reports (configuration audit, vulnerability, and exposed secret).
  2. Enhancing the get_findings() method of the TrivyOperatorParser class to better handle different data structures returned by the Trivy Operator scan report.

These changes are positive from an application security perspective, as they help ensure that the parser can correctly process and extract the relevant security findings from the Trivy Operator scan reports, regardless of the format.

Files Changed:

  1. unittests/tools/test_trivy_operator_parser.py: This file has been updated to include a new test case, test_findings_all_reports_in_dict, which verifies the behavior of the TrivyOperatorParser class when parsing a JSON file containing all types of Trivy Operator reports.

  2. dojo/tools/trivy_operator/parser.py: The changes in this file focus on improving the get_findings() method of the TrivyOperatorParser class. The method now checks if the data object is a dictionary and if it contains specific keys related to different Trivy Operator report types. This helps the parser handle various data structures returned by the Trivy Operator scan report.

  3. unittests/scans/trivy_operator/all_reports_in_dict.json: This file appears to be a sample Trivy Operator scan report that contains configuration audit, exposed secret, and vulnerability findings. The report highlights several security issues, such as a lack of read-only root file system, exposed AWS credentials, and multiple third-party library vulnerabilities. These issues should be addressed by the application owner to improve the overall security posture.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

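The layout check described in item 2 above (a dict holding several report kinds, versus a single report object or a list of them), shown as an added illustration that is not DefectDojo's parser. The report kind names and the `.report.<section>` layout are assumptions modelled on the Trivy Operator CRDs, and the sample document is constructed.

```python
import json
# Report kinds handled, mapped to the list inside ".report" that holds the
# findings and the field naming each finding. Assumed layout, modelled on
# the Trivy Operator CRDs; this is not DefectDojo's own parser.
REPORT_KINDS = {
    "VulnerabilityReport": ("vulnerabilities", "vulnerabilityID"),
    "ConfigAuditReport": ("checks", "checkID"),
    "ExposedSecretReport": ("secrets", "ruleID"),
}

def iter_reports(data):
    """Yield (kind, report) for every report, whatever the top-level layout."""
    if isinstance(data, list):                    # plain list of reports
        for item in data:
            yield from iter_reports(item)
    elif isinstance(data, dict):
        if isinstance(data.get("items"), list):   # kubectl-style List object
            yield from iter_reports(data["items"])
        elif data.get("kind") in REPORT_KINDS:    # a single report object
            yield data["kind"], data
        else:                                     # dict keyed by report kind
            for kind in REPORT_KINDS:
                if kind in data:
                    yield from iter_reports(data[kind])

def get_findings(raw_json):
    """Normalise every report in the document into flat finding dicts."""
    findings = []
    for kind, report in iter_reports(json.loads(raw_json)):
        section, id_field = REPORT_KINDS[kind]
        for entry in report.get("report", {}).get(section, []):
            if kind == "ConfigAuditReport" and entry.get("success", False):
                continue                          # passed checks are not findings
            findings.append({"kind": kind, "id": entry.get(id_field),
                             "severity": str(entry.get("severity", "UNKNOWN")).upper(),
                             "title": entry.get("title", "")})
    return findings

# Constructed sample: one dict holding all three report kinds at once,
# with placeholder check and CVE identifiers (not real ones).
SAMPLE = json.dumps({
    "ConfigAuditReport": [{"kind": "ConfigAuditReport", "report": {"checks": [
        {"checkID": "KSV-EXAMPLE-1", "severity": "LOW", "success": False,
         "title": "Root file system is not read-only"},
        {"checkID": "KSV-EXAMPLE-2", "severity": "MEDIUM", "success": True,
         "title": "Passed check, must be skipped"}]}}],
    "ExposedSecretReport": [{"kind": "ExposedSecretReport", "report": {"secrets": [
        {"ruleID": "aws-access-key-id", "severity": "CRITICAL", "title": "AWS key"}]}}],
    "VulnerabilityReport": {"kind": "VulnerabilityReport", "report": {"vulnerabilities": [
        {"vulnerabilityID": "CVE-EXAMPLE-0001", "severity": "high", "title": "lib bug"}]}},
})
```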

@Maffooch Maffooch self-requested a review November 13, 2024 19:32
@mtesauro mtesauro (Contributor) left a comment


Approved

@mtesauro mtesauro merged commit 2becdb9 into DefectDojo:bugfix Nov 15, 2024
73 checks passed
@manuel-sommer manuel-sommer deleted the trivy_structureupdate branch November 15, 2024 20:29
5 participants