tools: trivy_operator: fix Trivy operator findings description and me…
…tadata after questionable upstream changes
pna-nca committed Nov 26, 2024
1 parent 78c317c commit 95023c1
Showing 4 changed files with 9 additions and 70 deletions.
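--- a/dojo/tools/trivy_operator/checks_handler.py
+++ b/dojo/tools/trivy_operator/checks_handler.py
@@ -18,15 +18,8 @@
 
 
 class TrivyChecksHandler:
-def handle_checks(self, labels, endpoint, service, checks, test):
+def handle_checks(self, labels, endpoints, service, checks, test):
 findings = []
-resource_namespace = labels.get("trivy-operator.resource.namespace", "")
-resource_kind = labels.get("trivy-operator.resource.kind", "")
-resource_name = labels.get("trivy-operator.resource.name", "")
-container_name = labels.get("trivy-operator.container.name", "")
-service = f"{resource_namespace}/{resource_kind}/{resource_name}"
-if container_name != "":
-service = f"{service}/{container_name}"
 for check in checks:
 check_title = check.get("title")
 check_severity = TRIVY_SEVERITIES[check.get("severity")]
@@ -68,8 +61,6 @@ def handle_checks(self, labels, endpoint, service, checks, test):
 service=service,
 mitigation=mitigation,
 )
-if resource_namespace != "":
-finding.tags = resource_namespace
 if check_id:
 finding.unsaved_vulnerability_ids = [UniformTrivyVulnID().return_uniformed_vulnid(check_id)]
 finding.unsaved_endpoints += endpoints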
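Review bot: `labels` stays in the signature of `handle_checks` on the new side of the first hunk, but with the four `labels.get(...)` lookups removed no use of it remains in the visible lines; if the stretch between the two hunks does not read it either, drop it (the call site is updated in parser.py in this same commit) or add a short comment saying why it is kept, since a parameter that is accepted and ignored invites callers to assume it affects the output. The same applies to `handle_secrets` in secrets_handler.py and `handle_vulns` in vulnerability_handler.py, which lose the same lookups here. The contract also changed without a docstring: `service` and `endpoints` are now supplied by the caller rather than derived from the resource labels, and the namespace is no longer written to `finding.tags`; I would add below the `def` a docstring such as `"""Build one Finding per entry of `checks`; `service` and `endpoints` are supplied by the caller and attached to each Finding as-is."""`. The body of `handle_checks` continues between and after the hunks shown.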
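--- a/dojo/tools/trivy_operator/parser.py
+++ b/dojo/tools/trivy_operator/parser.py
@@ -53,6 +53,7 @@ def output_findings(self, data, test):
 return findings
 
 def handle_resource(self, data, test):
+findings = []
 metadata = data.get("metadata", None)
 if metadata is None:
 return []
@@ -96,13 +97,13 @@ def handle_resource(self, data, test):
 
 vulnerabilities = report.get("vulnerabilities", None)
 if vulnerabilities is not None:
-findings += TrivyVulnerabilityHandler().handle_vulns(labels, endpoint, service, vulnerabilities, test)
+findings += TrivyVulnerabilityHandler().handle_vulns(labels, endpoints, service, vulnerabilities, test)
 checks = report.get("checks", None)
 if checks is not None:
-findings += TrivyChecksHandler().handle_checks(labels, endpoint, service, checks, test)
+findings += TrivyChecksHandler().handle_checks(labels, endpoints, service, checks, test)
 secrets = report.get("secrets", None)
 if secrets is not None:
-findings += TrivySecretsHandler().handle_secrets(labels, endpoint, service, secrets, test)
+findings += TrivySecretsHandler().handle_secrets(labels, endpoints, service, secrets, test)
 status = data.get("status", None)
 if status is not None:
 benchmarkreport = status.get("detailReport", None)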
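Review bot: `handle_resource` now initialises `findings` on its first line, yet the guard two lines below still returns a fresh literal, so the empty result has two spellings; `return findings` there keeps one path. The `endpoints` and `service` values handed to the three handlers in the second hunk are assigned outside the visible lines, so I cannot confirm from here that both are bound on every path that reaches those calls — worth a glance, since the old call sites used the singular name and the handlers' bodies already referenced `endpoints`. A docstring would also help, roughly: it takes one Trivy Operator report object as `data`, returns an empty list when `metadata` is absent, and appends whatever the vulnerability, checks and secrets handlers produce for the report's `vulnerabilities`, `checks` and `secrets` lists. The function continues outside the hunks shown.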
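--- a/dojo/tools/trivy_operator/secrets_handler.py
+++ b/dojo/tools/trivy_operator/secrets_handler.py
@@ -11,19 +11,13 @@
 SECRET_DESCRIPTION_TEMPLATE = """{title}
 **Category:** {category}
 **Match:** {match}
+**ruleID:** {ruleID}
 """
 
 
 class TrivySecretsHandler:
-def handle_secrets(self, labels, endpoint, service, secrets, test):
+def handle_secrets(self, labels, endpoints, service, secrets, test):
 findings = []
-resource_namespace = labels.get("trivy-operator.resource.namespace", "")
-resource_kind = labels.get("trivy-operator.resource.kind", "")
-resource_name = labels.get("trivy-operator.resource.name", "")
-container_name = labels.get("trivy-operator.container.name", "")
-service = f"{resource_namespace}/{resource_kind}/{resource_name}"
-if container_name != "":
-service = f"{service}/{container_name}"
 for secret in secrets:
 secret_title = secret.get("title")
 secret_category = secret.get("category")
@@ -37,12 +31,8 @@ def handle_secrets(self, labels, endpoint, service, secrets, test):
 title=secret_title,
 category=secret_category,
 match=secret_match,
+ruleID=secret_rule_id,
 )
-secret_description += "\n**container.name:** " + container_name
-secret_description += "\n**resource.kind:** " + resource_kind
-secret_description += "\n**resource.name:** " + resource_name
-secret_description += "\n**resource.namespace:** " + resource_namespace
-secret_description += "\n**ruleID:** " + secret_rule_id
 finding = Finding(
 test=test,
 title=title,
@@ -54,8 +44,6 @@ def handle_secrets(self, labels, endpoint, service, secrets, test):
 dynamic_finding=False,
 service=service,
 )
-if resource_namespace != "":
-finding.tags = resource_namespace
 if secret_rule_id:
 finding.unsaved_vulnerability_ids = [secret_rule_id]
 finding.unsaved_endpoints += endpoints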
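Review bot: `ruleID=secret_rule_id` in the template call of the second hunk will render the literal text `None` into the description whenever the rule id is absent, while the `if secret_rule_id:` guard in the third hunk treats that same case as "no id"; `ruleID=secret_rule_id or ""` keeps the two consistent (where `secret_rule_id` is assigned lies outside the hunk, so whether it can be None is inferred from the guard). The same `.format` call also writes `match`, presumably the matched text reported by the scanner, verbatim into a finding description that is then persisted; a one-line comment above the template call stating the assumption would help the next reader, e.g. `# match is stored as received; it is expected to arrive already masked by the scanner`. `handle_secrets` continues between the hunks shown.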
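--- a/dojo/tools/trivy_operator/vulnerability_handler.py
+++ b/dojo/tools/trivy_operator/vulnerability_handler.py
@@ -18,15 +18,8 @@
 
 
 class TrivyVulnerabilityHandler:
-def handle_vulns(self, labels, endpoint, service, vulnerabilities, test):
+def handle_vulns(self, labels, endpoints, service, vulnerabilities, test):
 findings = []
-resource_namespace = labels.get("trivy-operator.resource.namespace", "")
-resource_kind = labels.get("trivy-operator.resource.kind", "")
-resource_name = labels.get("trivy-operator.resource.name", "")
-container_name = labels.get("trivy-operator.container.name", "")
-service = f"{resource_namespace}/{resource_kind}/{resource_name}"
-if container_name != "":
-service = f"{service}/{container_name}"
 for vulnerability in vulnerabilities:
 vuln_id = vulnerability.get("vulnerabilityID", "0")
 severity = TRIVY_SEVERITIES[vulnerability.get("severity")]
@@ -35,34 +28,6 @@ def handle_vulns(self, labels, endpoint, service, vulnerabilities, test):
 package_name = vulnerability.get("resource")
 package_version = vulnerability.get("installedVersion")
 cvssv3_score = vulnerability.get("score")
-finding_tags = [resource_namespace]
-target_target = None
-target_class = None
-package_path = None
-
-if vulnerability.get("packageType"):
-package_type = vulnerability.get("packageType")
-finding_tags.append(package_type)
-
-if vulnerability.get("class"):
-target_class = vulnerability.get("class")
-finding_tags.append(target_class)
-
-if vulnerability.get("packagePath"):
-package_path = vulnerability.get("packagePath")
-
-if vulnerability.get("target"):
-target_target = vulnerability.get("target")
-
-if target_class == "os-pkgs" or target_class == "lang-pkgs":
-if package_path:
-file_path = package_path
-elif target_target:
-file_path = target_target
-else:
-file_path = None
-else:
-file_path = None
 
 vuln_description = "no details"
 if len(vulnerability.get("description", "")) > 0:
@@ -74,10 +39,6 @@ def handle_vulns(self, labels, endpoint, service, vulnerabilities, test):
 published_date=vulnerability.get("publishedDate"),
 description=vuln_description,
 )
-description += "\n**container.name:** " + container_name
-description += "\n**resource.kind:** " + resource_kind
-description += "\n**resource.name:** " + resource_name
-description += "\n**resource.namespace:** " + resource_namespace
 title = f"{vuln_id} {package_name} {package_version}"
 finding = Finding(
 test=test,
@@ -92,8 +53,6 @@ def handle_vulns(self, labels, endpoint, service, vulnerabilities, test):
 static_finding=True,
 dynamic_finding=False,
 service=service,
-file_path=file_path,
-tags=[tag for tag in finding_tags if tag != ""],
 )
 if vuln_id:
 finding.unsaved_vulnerability_ids = [UniformTrivyVulnID().return_uniformed_vulnid(vuln_id)]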
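Review bot: `handle_vulns` has no docstring and its contract changes across all four hunks — `service` and `endpoints` now come from the caller, and the `Finding(...)` call no longer receives `file_path` or `tags`, so nothing visible here records the package path, target or package class any more; I would add one below the `def` describing that it builds one Finding per entry of `vulnerabilities`, titled `f"{vuln_id} {package_name} {package_version}"`, and that an unrecognised severity raises `KeyError` from the `TRIVY_SEVERITIES` lookup on the context line, so one malformed entry aborts the whole report. Because the dropped `file_path` and `tags` are intentional here rather than an oversight, a one-line comment at the `Finding(...)` call, `# file_path and tags are intentionally not set; the description template carries the package details`, would stop the next reader from re-adding them. `handle_vulns` continues between and after the hunks shown.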
