Comments (8)
Hi @nixboot,
thanks for submitting this issue. We'll investigate this.
from securecodebox.
Hi @J12934
Yes, I believe it can handle trivy k8s output - at least in the test I've done :)
Manually uploading the results of
```
trivy k8s -n security-insights deploy/name-of-my-deployment --scanners vuln --format json > out.json
```
DefectDojo can parse the findings from both containers in the deployment and reports on some Python package in one of the containers 👍
@Weltraumschaf Thanks for the update. I have an update as well - albeit it being a bit late.
I took the hints @J12934 mentioned, and tried changing the mappings in ScanNameMapping in https://github.com/secureCodeBox/secureCodeBox/blob/main/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/util/ScanNameMapping.java#L17. I've added the following
```java
TRIVY_IMAGE("trivy-image", ScanType.TRIVY_SCAN),
TRIVY_K8S("trivy-k8s", ScanType.TRIVY_SCAN),
TRIVY_FILESYSTEM("trivy-filesystem", ScanType.TRIVY_SCAN),
TRIVY_REPO("trivy-repo", ScanType.TRIVY_SCAN),
```
And that works 🚀 ... At least on the SecureCodeBox side.
Unfortunately, the Trivy scans I have produced using the SCB ScanType trivy-k8s do not fill in the ClusterName in the output. It is just empty:
```json
{
  "ClusterName": "",
  "Resources": [
    {
      "Namespace": "test-namespace",
      "Kind": "Deployment",
      "Name": "my-deployment-name",
      ...
```
This has the unfortunate effect on the Trivy parser in DefectDojo that it reports "Schema of Trivy json report is not supported".
The parser has a check on ClusterName, but interprets an empty string the same as the object value ClusterName not being there at all (see the if-case in the parser here https://github.com/DefectDojo/django-DefectDojo/blob/master/dojo/tools/trivy/parser.py#L94).
If I, behind the back of DefectDojo, modify the parser and replace
```python
elif cluster_name:
```
with
```python
elif cluster_name is not None:
```
the scanning result is successfully uploaded.
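To make the empty-ClusterName edge case from the previous comment reproducible, here is an added, self-contained example (not DefectDojo's or secureCodeBox's own code): a simplified stand-in for the schema dispatch the DefectDojo Trivy parser performs, run over two constructed reports - a trivy k8s report with `"ClusterName": ""` and a plain trivy image report with no ClusterName key. The function names `detect_schema`, `parser_accepts` and `collect_k8s_targets`, and the sample JSON, are assumptions made for the illustration; only the truthy vs. `is not None` distinction is taken from the comment.

```python
import json

# Constructed sample: the shape of a `trivy k8s --format json` report as produced
# by a secureCodeBox trivy-k8s scan, i.e. with an empty ClusterName. Only the
# fields relevant to schema detection and target extraction are included.
K8S_REPORT_EMPTY_CLUSTER = json.loads("""
{
  "ClusterName": "",
  "Resources": [
    {
      "Namespace": "test-namespace",
      "Kind": "Deployment",
      "Name": "my-deployment-name",
      "Results": [
        {"Target": "example/app:1.0 (alpine 3.18)", "Class": "os-pkgs",
         "Type": "alpine", "Vulnerabilities": []}
      ]
    }
  ]
}
""")

# Constructed sample: a plain `trivy image --format json` report. It has a
# top-level Results list and no ClusterName key at all.
IMAGE_REPORT = json.loads("""
{
  "SchemaVersion": 2,
  "ArtifactName": "example/app:1.0",
  "Results": [
    {"Target": "example/app:1.0 (alpine 3.18)", "Class": "os-pkgs",
     "Type": "alpine", "Vulnerabilities": []}
  ]
}
""")


class UnsupportedTrivySchema(ValueError):
    """Raised when neither report layout is recognised."""


def detect_schema(report, presence_check):
    """Classify a Trivy JSON report as "image" or "k8s".

    Hypothetical, simplified dispatch modelled on the check discussed above.
    With presence_check=False the k8s branch uses the truthy test
    (`elif cluster_name:`), so an empty string falls through to the error.
    With presence_check=True it uses `elif cluster_name is not None:`.
    """
    cluster_name = report.get("ClusterName")  # None if absent, "" if empty
    if report.get("Results") is not None and cluster_name is None:
        return "image"
    k8s_branch = cluster_name is not None if presence_check else bool(cluster_name)
    if k8s_branch:
        return "k8s"
    raise UnsupportedTrivySchema("Schema of Trivy json report is not supported")


def parser_accepts(report, presence_check):
    """True if detect_schema classifies the report instead of rejecting it."""
    try:
        detect_schema(report, presence_check)
        return True
    except UnsupportedTrivySchema:
        return False


def collect_k8s_targets(report):
    """Flatten a trivy-k8s report into (namespace, kind, name, target) tuples,
    the per-container scan targets a downstream tool would attach findings to."""
    targets = []
    for resource in report.get("Resources", []):
        for result in resource.get("Results", []):
            targets.append((resource.get("Namespace"), resource.get("Kind"),
                            resource.get("Name"), result.get("Target")))
    return targets


if __name__ == "__main__":
    for label, report in (("image", IMAGE_REPORT), ("k8s", K8S_REPORT_EMPTY_CLUSTER)):
        for presence_check in (False, True):
            print(label, "presence_check=%s" % presence_check,
                  "accepted" if parser_accepts(report, presence_check) else "rejected")
    print(collect_k8s_targets(K8S_REPORT_EMPTY_CLUSTER))
```

Running it shows the image report accepted under both variants, while the k8s report with an empty ClusterName is rejected by the truthy check and accepted by the `is not None` check; the flattened targets list shows what a downstream tool can still attach findings to even when the cluster name is blank.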
If we can find the cause of the issue, we would be willing to contribute a fix for it.
Hi @nixboot
I'm relatively sure that this is caused by a missing mapping in the mapping between SCB ScanType and DefectDojo tool names which is found here: https://github.com/secureCodeBox/secureCodeBox/blob/main/hooks/persistence-defectdojo/hook/src/main/java/io/securecodebox/persistence/util/ScanNameMapping.java#L17
It still only has the single "trivy" scantype in it, which has been split into the trivy-image, trivy-filesystem and so on scantypes. Basically any of the names which can be found in this file: https://github.com/secureCodeBox/secureCodeBox/blob/main/scanners/trivy/templates/trivy-scan-type.yaml#L8
Do you know if DefectDojo can properly handle the trivy k8s output? The format is quite a bit different than the normal trivy output if I remember correctly, we might want to still do our generic mapping if DefectDojo doesn't properly support it natively.
@nixboot ok that's really good, especially as our generic mapping for the trivy-k8s scan apparently is broken right now :D
Changing it to use the DefectDojo mapping should then also resolve #2324
Oh. Yikes 😅 Is this something you have time to look into soon, or should we dust off our Java skills?
@nixboot We're working on it. The fix itself is very simple. We're discussing at the moment what a good URL would be for this scanner.