
Comments (8)

Weltraumschaf commented on July 4, 2024

Hi @nixboot,

thanks for submitting this issue. We'll investigate this.

from securecodebox.

nixboot commented on July 4, 2024

Hi @J12934

Yes, I believe it can handle trivy k8s output - at least in the test I've done :)

Manually uploading the results of

trivy k8s -n security-insights  deploy/name-of-my-deployment --scanners vuln --format json > out.json

DefectDojo can parse the findings from both containers in the deployment and reports on some Python package in one of the containers 👍


nixboot commented on July 4, 2024

@Weltraumschaf Thanks for the update. I have an update as well, albeit a bit late.

I took the hints @J12934 mentioned, and tried changing the mappings in ScanNameMapping in https://github.com/secureCodeBox/secureCodeBox/blob/main/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/util/ScanNameMapping.java#L17. I've added the following

  TRIVY_IMAGE("trivy-image", ScanType.TRIVY_SCAN),
  TRIVY_K8S("trivy-k8s", ScanType.TRIVY_SCAN),
  TRIVY_FILESYSTEM("trivy-filesystem", ScanType.TRIVY_SCAN),
  TRIVY_REPO("trivy-repo", ScanType.TRIVY_SCAN),

And that works 🚀 ... At least on the SecureCodeBox side.

Unfortunately, the Trivy scans I have produced using the SCB ScanType trivy-k8s do not fill in the ClusterName in the output. It is just empty:

{
  "ClusterName": "",
  "Resources": [
    {
      "Namespace": "test-namespace",
      "Kind": "Deployment",
      "Name": "my-deployment-name",
...

This has the unfortunate effect on the Trivy parser in DefectDojo that it reports "Schema of Trivy json report is not supported".

The parser has a check on ClusterName, but interprets an empty string the same as the ClusterName key not being there at all (see the if-case in the parser here https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/trivy/parser.py#L94).

If I, behind the back of DefectDojo, modify the parser and replace

elif cluster_name:

with

elif cluster_name is not None:

the scanning result is successfully uploaded.

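A minimal illustration of the truthiness problem described in the comment above (added example, not DefectDojo's or secureCodeBox's own code): a simplified schema detector run over two constructed Trivy reports, once with the `elif cluster_name:` style check and once with the `is not None` variant. The `detect_schema`/`classify` functions and the "image"/"k8s" labels are assumptions; the preceding branch that recognises image-scan output is also assumed, since the thread only quotes the ClusterName branch.

```python
import json

# Constructed sample reports (not real scanner output).
# Image scan: top-level "Results", no "ClusterName" key at all.
IMAGE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [{"Target": "example/app:1.0 (alpine 3.18)", "Vulnerabilities": []}],
})

# k8s scan run without a cluster name: "ClusterName" is present but empty,
# which is the shape the thread reports for SCB's trivy-k8s output.
K8S_REPORT = json.dumps({
    "ClusterName": "",
    "Resources": [{"Namespace": "test-namespace", "Kind": "Deployment",
                   "Name": "my-deployment-name", "Results": []}],
})

UNSUPPORTED = "Schema of Trivy json report is not supported"


def detect_schema(report_text: str, strict_none: bool) -> str:
    """Classify a Trivy JSON report as 'image' or 'k8s' (assumed labels).

    strict_none=False mimics the truthiness check quoted in the thread
    (`elif cluster_name:`); strict_none=True mimics the proposed change
    (`elif cluster_name is not None:`).
    """
    data = json.loads(report_text)
    cluster_name = data.get("ClusterName")
    # Assumed first branch: plain image/filesystem output has top-level
    # "Results" and no ClusterName key whatsoever.
    if "Results" in data and cluster_name is None:
        return "image"
    # The branch under discussion: an empty string is falsy, so the
    # truthiness check cannot tell "" apart from a missing key.
    is_k8s = (cluster_name is not None) if strict_none else bool(cluster_name)
    if is_k8s and "Resources" in data:
        return "k8s"
    raise ValueError(UNSUPPORTED)


def classify(report_text: str, strict_none: bool) -> str:
    """Like detect_schema, but returns the error text instead of raising."""
    try:
        return detect_schema(report_text, strict_none)
    except ValueError as exc:
        return str(exc)
```

With the truthiness check the k8s report is rejected with the exact message the comment quotes, while the `is not None` check accepts it without changing how the image report is classified.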

nixboot commented on July 4, 2024

If we can find the cause of the issue, we would be willing to contribute a fix for it.


J12934 commented on July 4, 2024

Hi @nixboot

I'm relatively sure that this is caused by a missing entry in the mapping between SCB ScanType and DefectDojo tool names, which is found here: https://github.com/secureCodeBox/secureCodeBox/blob/main/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/util/ScanNameMapping.java#L17

It still only has the single "trivy" scantype in it, which has been split into the trivy-image, trivy-filesystem and so on scantypes. Basically any of the names which can be found in this file: https://github.com/secureCodeBox/secureCodeBox/blob/main/scanners/trivy/templates/trivy-scan-type.yaml#L8

Do you know if DefectDojo can properly handle the trivy k8s output? The format is quite a bit different from the normal trivy output if I remember correctly; we might want to still do our generic mapping if DefectDojo doesn't properly support it natively.


J12934 commented on July 4, 2024

@nixboot ok, that's really good, especially as our generic mapping for the trivy-k8s scan apparently is broken right now :D
Changing it to use the DefectDojo mapping should then also resolve #2324


nixboot commented on July 4, 2024

Oh. Yikes 😅 Is this something you have time to look into soon, or should we dust off our Java skills?


Weltraumschaf commented on July 4, 2024

@nixboot We're working on it. The fix itself is very simple. We're discussing at the moment what a good URL would be for this scanner.

