
importer: trivy_operator: add an endpoint describing the affected art…
…ifact

Trivy operator may provide information about which artifact is affected by the
reported finding. However, this information was lost. This change
introduces the artifact details as an additional Endpoint that is affected
by a finding. The artifact name is put in 'host' and the path to the artifact
is saved in 'path'.
pna-nca committed Aug 2, 2024
1 parent 5c7874e commit 9629346
Showing 4 changed files with 28 additions and 11 deletions.
4 changes: 2 additions & 2 deletions dojo/tools/trivy_operator/checks_handler.py
Expand Up @@ -17,7 +17,7 @@


class TrivyChecksHandler:
def handle_checks(self, endpoint, service, checks, test):
def handle_checks(self, endpoints, service, checks, test):
findings = []
for check in checks:
check_title = check.get("title")
Expand Down Expand Up @@ -62,6 +62,6 @@ def handle_checks(self, endpoint, service, checks, test):
)
if check_id:
finding.unsaved_vulnerability_ids = [check_id]
finding.unsaved_endpoints.append(endpoint)
finding.unsaved_endpoints += endpoints
findings.append(finding)
return findings
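Review bot: `finding.unsaved_endpoints += endpoints` relies on list `__iadd__` mutating the finding's own list in place, which is only equivalent to the removed `.append(endpoint)` as long as every Finding starts with its own list (the earlier `.append` already assumed this) and every caller now passes an iterable; all three call sites visible in parser.py do, but any external caller still passing a single Endpoint would get a TypeError. `finding.unsaved_endpoints.extend(endpoints)` states the intent directly and mirrors the previous `.append` style. The same change appears in secrets_handler.py (`handle_secrets`) and vulnerability_handler.py (`handle_vulns`) and the same remark applies there. The body of `handle_checks` between the signature and this tail lies outside the hunk.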
27 changes: 22 additions & 5 deletions dojo/tools/trivy_operator/parser.py
Expand Up @@ -61,22 +61,39 @@ def handle_resource(self, data, test):
resource_name = labels.get("trivy-operator.resource.name", "")
container_name = labels.get("trivy-operator.container.name", "")

endpoint = Endpoint(
endpoints = []
endpoints.append(Endpoint(
host=resource_namespace,
path=f"{resource_kind}/{resource_name}/{container_name}"
)
))

if report.get("registry"):
if report.get("artifact"):
registry = report.get("registry").get("server", "unknown_registry")
artifact = report.get("artifact")
repository = artifact.get("repository", "unknown_repo")
tag = artifact.get("tag", "unknown_tag")
# having full path to an image (forward slashes) and a tag
# after colon as 'host' property of Endpoint makes an
# endpoint broken, although, this is a desired value. Thus,
# we abuse 'path' field for that.
artifact_name = repository.split("/")[-1]
endpoints.append(Endpoint(
host=f"{artifact_name}",
path=f"{registry}/{repository}:{tag}"
))

service = ""

vulnerabilities = report.get("vulnerabilities", None)
if vulnerabilities is not None:
findings += TrivyVulnerabilityHandler().handle_vulns(endpoint, service, vulnerabilities, test)
findings += TrivyVulnerabilityHandler().handle_vulns(endpoints, service, vulnerabilities, test)
checks = report.get("checks", None)
if checks is not None:
findings += TrivyChecksHandler().handle_checks(endpoint, service, checks, test)
findings += TrivyChecksHandler().handle_checks(endpoints, service, checks, test)
secrets = report.get("secrets", None)
if secrets is not None:
findings += TrivySecretsHandler().handle_secrets(endpoint, service, secrets, test)
findings += TrivySecretsHandler().handle_secrets(endpoints, service, secrets, test)
elif benchmarkreport is not None:
findings += TrivyComplianceHandler().handle_compliance(benchmarkreport, test)
return findings
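Review bot: `report.get("registry").get("server", "unknown_registry")` on the line after the new `if report.get("artifact"):` guard raises AttributeError for a report that carries an `artifact` block but no `registry` key, because the guard no longer checks for `registry` as the removed condition did. A null-safe lookup keeps the intended fallback: `registry = (report.get("registry") or {}).get("server", "unknown_registry")`. Minor: `host=f"{artifact_name}"` is a no-op f-string and can be `host=artifact_name`. If the operator can report an artifact without a `tag` (a digest-only reference, for instance), the path silently becomes `.../repo:unknown_tag`; that is worth a line in the comment above explaining the fallback. `handle_resource` begins before this hunk.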
4 changes: 2 additions & 2 deletions dojo/tools/trivy_operator/secrets_handler.py
Expand Up @@ -15,7 +15,7 @@


class TrivySecretsHandler:
def handle_secrets(self, endpoint, service, secrets, test):
def handle_secrets(self, endpoints, service, secrets, test):
findings = []
for secret in secrets:
secret_title = secret.get("title")
Expand Down Expand Up @@ -45,6 +45,6 @@ def handle_secrets(self, endpoint, service, secrets, test):
)
if secret_rule_id:
finding.unsaved_vulnerability_ids = [secret_rule_id]
finding.unsaved_endpoints.append(endpoint)
finding.unsaved_endpoints += endpoints
findings.append(finding)
return findings
4 changes: 2 additions & 2 deletions dojo/tools/trivy_operator/vulnerability_handler.py
Expand Up @@ -17,7 +17,7 @@


class TrivyVulnerabilityHandler:
def handle_vulns(self, endpoint, service, vulnerabilities, test):
def handle_vulns(self, endpoints, service, vulnerabilities, test):
findings = []
for vulnerability in vulnerabilities:
vuln_id = vulnerability.get("vulnerabilityID", "0")
Expand Down Expand Up @@ -87,6 +87,6 @@ def handle_vulns(self, endpoint, service, vulnerabilities, test):
)
if vuln_id:
finding.unsaved_vulnerability_ids = [vuln_id]
finding.unsaved_endpoints.append(endpoint)
finding.unsaved_endpoints += endpoints
findings.append(finding)
return findings
