From aed116018166f1470b11147f00bfae8467de542e Mon Sep 17 00:00:00 2001
From: Pavel Nakonechnyi
Date: Fri, 2 Aug 2024 13:54:37 +0200
Subject: [PATCH] importer: trivy_operator: add an endpoint describing the affected artifact

Trivy operator may provide information which artifact is affected by the reported finding. However, this information was lost. This change introduces artifact details as and additional Endpoint which is affected by a finding. Artifact name put as 'host' and path to the artifact saved as 'path'.

---
 dojo/tools/trivy_operator/checks_handler.py | 4 +--
 dojo/tools/trivy_operator/parser.py | 27 +++++++++++++++----
 dojo/tools/trivy_operator/secrets_handler.py | 4 +--
 .../trivy_operator/vulnerability_handler.py | 4 +--
 4 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/dojo/tools/trivy_operator/checks_handler.py b/dojo/tools/trivy_operator/checks_handler.py
index 879213345cd..9c7c7ecc164 100644
--- a/dojo/tools/trivy_operator/checks_handler.py
+++ b/dojo/tools/trivy_operator/checks_handler.py
@@ -17,7 +17,7 @@ class TrivyChecksHandler:
-    def handle_checks(self, endpoint, service, checks, test):
+    def handle_checks(self, endpoints, service, checks, test):
         findings = []
         for check in checks:
             check_title = check.get("title")
@@ -62,6 +62,6 @@ def handle_checks(self, endpoint, service, checks, test):
             )
             if check_id:
                 finding.unsaved_vulnerability_ids = [check_id]
-            finding.unsaved_endpoints.append(endpoint)
+            finding.unsaved_endpoints += endpoints
             findings.append(finding)
         return findings
diff --git a/dojo/tools/trivy_operator/parser.py b/dojo/tools/trivy_operator/parser.py
index 2d5cc2c2e8b..2fc765b1922 100644
--- a/dojo/tools/trivy_operator/parser.py
+++ b/dojo/tools/trivy_operator/parser.py
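Review bot: `handle_checks` now takes a list and splices it into every finding with `finding.unsaved_endpoints += endpoints`, but nothing documents that contract, and `+=` reads like arithmetic where the intent is an in-place extend; I would write it as `finding.unsaved_endpoints.extend(endpoints)` and add the docstring `"""Return one Finding per entry in *checks*, each tagged with every Endpoint in *endpoints*."""` under the new signature. Note that all findings built in the loop hold references to the same Endpoint objects from the caller's list (the old `.append(endpoint)` shared a single instance the same way), which is fine only as long as nothing downstream mutates an Endpoint per finding; worth a one-line comment on the `+=` line. The same two points apply to the `handle_secrets` and `handle_vulns` hunks in secrets_handler.py and vulnerability_handler.py. The body of `handle_checks` runs between and beyond these two hunks.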
@@ -61,22 +61,39 @@ def handle_resource(self, data, test):
             resource_name = labels.get("trivy-operator.resource.name", "")
             container_name = labels.get("trivy-operator.container.name", "")
-            endpoint = Endpoint(
+            endpoints = []
+            endpoints.append(Endpoint(
                 host=resource_namespace,
                 path=f"{resource_kind}/{resource_name}/{container_name}"
-            )
+            ))
+
+            if report.get("registry"):
+                if report.get("artifact"):
+                    registry = report.get("registry").get("server", "unknown_registry")
+                    artifact = report.get("artifact")
+                    repository = artifact.get("repository", "unknown_repo")
+                    tag = artifact.get("tag", "unknown_tag")
+                    # having full path to an image (forward slashes) and a tag
+                    # after colon as 'host' property of Endpoint makes an
+                    # endpoint broken, although, this is a desired value. Thus,
+                    # we abuse 'path' field for that.
+                    artifact_name = repository.split("/")[-1]
+                    endpoints.append(Endpoint(
+                        host=f"{artifact_name}",
+                        path=f"{registry}/{repository}:{tag}"
+                    ))
             service = ""
             vulnerabilities = report.get("vulnerabilities", None)
             if vulnerabilities is not None:
-                findings += TrivyVulnerabilityHandler().handle_vulns(endpoint, service, vulnerabilities, test)
+                findings += TrivyVulnerabilityHandler().handle_vulns(endpoints, service, vulnerabilities, test)
             checks = report.get("checks", None)
             if checks is not None:
-                findings += TrivyChecksHandler().handle_checks(endpoint, service, checks, test)
+                findings += TrivyChecksHandler().handle_checks(endpoints, service, checks, test)
             secrets = report.get("secrets", None)
             if secrets is not None:
-                findings += TrivySecretsHandler().handle_secrets(endpoint, service, secrets, test)
+                findings += TrivySecretsHandler().handle_secrets(endpoints, service, secrets, test)
         elif benchmarkreport is not None:
             findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test)
         return findings
diff --git a/dojo/tools/trivy_operator/secrets_handler.py b/dojo/tools/trivy_operator/secrets_handler.py
index 068f90d0f8e..4a5ae2345b7 100644
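Review bot: `artifact_name = repository.split("/")[-1]` yields an empty string whenever the report's `repository` is empty or ends with a slash, and the new code then builds an `Endpoint` with `host=""`, so the artifact endpoint should only be appended when `artifact_name` is non-empty. The surrounding branch also calls `report.get("registry")` twice, nests two `if`s that could be one, and wraps a plain string in `host=f"{artifact_name}"`; binding `registry` and `artifact` once and guarding on both keeps the same behaviour with less noise. The field-level comment explaining why the image reference lives in `path` is worth keeping as is. `handle_resource` begins before this hunk.
```python
            # … unchanged: namespace/resource Endpoint appended to endpoints …
            registry = report.get("registry")
            artifact = report.get("artifact")
            if registry and artifact:
                server = registry.get("server", "unknown_registry")
                repository = artifact.get("repository", "unknown_repo")
                tag = artifact.get("tag", "unknown_tag")
                # … unchanged: comment on why the image reference goes into 'path' …
                artifact_name = repository.split("/")[-1]
                # an empty host would produce an unusable Endpoint; skip it instead
                if artifact_name:
                    endpoints.append(Endpoint(
                        host=artifact_name,
                        path=f"{server}/{repository}:{tag}",
                    ))
            # … unchanged: service and handler dispatch …
```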
--- a/dojo/tools/trivy_operator/secrets_handler.py
+++ b/dojo/tools/trivy_operator/secrets_handler.py
@@ -15,7 +15,7 @@ class TrivySecretsHandler:
-    def handle_secrets(self, endpoint, service, secrets, test):
+    def handle_secrets(self, endpoints, service, secrets, test):
         findings = []
         for secret in secrets:
             secret_title = secret.get("title")
@@ -45,6 +45,6 @@ def handle_secrets(self, endpoint, service, secrets, test):
             )
             if secret_rule_id:
                 finding.unsaved_vulnerability_ids = [secret_rule_id]
-            finding.unsaved_endpoints.append(endpoint)
+            finding.unsaved_endpoints += endpoints
             findings.append(finding)
         return findings
diff --git a/dojo/tools/trivy_operator/vulnerability_handler.py b/dojo/tools/trivy_operator/vulnerability_handler.py
index 21d038f1fd5..9994d48007e 100644
--- a/dojo/tools/trivy_operator/vulnerability_handler.py
+++ b/dojo/tools/trivy_operator/vulnerability_handler.py
@@ -17,7 +17,7 @@ class TrivyVulnerabilityHandler:
-    def handle_vulns(self, endpoint, service, vulnerabilities, test):
+    def handle_vulns(self, endpoints, service, vulnerabilities, test):
         findings = []
         for vulnerability in vulnerabilities:
             vuln_id = vulnerability.get("vulnerabilityID", "0")
@@ -87,6 +87,6 @@ def handle_vulns(self, endpoint, service, vulnerabilities, test):
             )
             if vuln_id:
                 finding.unsaved_vulnerability_ids = [vuln_id]
-            finding.unsaved_endpoints.append(endpoint)
+            finding.unsaved_endpoints += endpoints
             findings.append(finding)
         return findings