🎉 Make Trivy Operator K8s vulnids consistent

[manuel-sommer]

This PR fixes:

• trivy operator vulnids are malformed (e.g. KCV0092 --> AVD-KCV-0092)
• trivy operator vulnids can be resolved
• trivy operator secrets ruleIDs are not resolvable (are not listed in the aquasec vulnerability database), but were listed as a vulnid

[dryrunsecurity]

DryRun Security Summary

The pull request includes a range of improvements and updates to the security-related functionality of the DefectDojo application, focusing on enhancing vulnerability ID handling, Trivy vulnerability scanner parsing and reporting, and updating security-related settings and configurations.

Expand for full summary

Summary:

The code changes in this pull request cover a range of improvements and updates to the security-related functionality of the DefectDojo application. The changes focus on enhancing the handling and standardization of vulnerability IDs, improving the parsing and reporting of security findings from the Trivy vulnerability scanner, and updating security-related settings and configurations.

Key highlights of the changes include:

1. Vulnerability ID Standardization: The changes introduce a UniformTrivyVulnID class to standardize the formatting of vulnerability IDs, ensuring consistency across the application and improving vulnerability tracking, reporting, and integration with external tools.

2. Trivy Operator Enhancements: The changes update the handling of secrets, compliance, and vulnerability findings from the Trivy Operator, providing more detailed information in the security findings and improving the overall security posture of the application.

3. Security Settings and Configuration: The changes to the settings.dist.py file update various security-related settings, such as security headers, authentication methods, API tokens, logging, and file upload restrictions, further strengthening the application's security posture.

4. Unit Test Updates: The changes to the unit tests for the TrivyOperatorParser ensure that the parser is correctly handling the various types of reports from the Trivy Operator, maintaining the quality and reliability of the security scanning capabilities.

Overall, the code changes in this pull request appear to be focused on improving the security and security-related functionality of the DefectDojo application, which is a positive step from an application security perspective.

Files Changed:

1. dojo/templatetags/display_tags.py: The changes to the vulnerability_url function improve the handling of different vulnerability ID formats, ensuring that the URLs are properly constructed for a wider range of vulnerability IDs.

2. dojo/tools/trivy_operator/checks_handler.py: The changes standardize the formatting of vulnerability IDs in the Finding objects, enhancing the consistency and reliability of the vulnerability data.

3. dojo/settings/.settings.dist.py.sha256sum: The changes to the SHA-256 hash value in this file should be reviewed to understand the impact on the application's configuration and integrity verification processes.

4. dojo/tools/trivy_operator/secrets_handler.py: The changes improve the information provided in the security findings for detected secrets, including the specific rule ID that triggered the finding.

5. dojo/tools/trivy_operator/compliance_handler.py: The changes standardize the vulnerability IDs in the compliance findings, improving the overall consistency and reliability of the vulnerability data.

6. dojo/settings/settings.dist.py: The changes to this file update various security-related settings and configurations, enhancing the application's security posture.

7. dojo/tools/trivy_operator/uniform_vulnid.py: This new file introduces the UniformTrivyVulnID class, which is responsible for standardizing the vulnerability IDs used throughout the application.

8. dojo/tools/trivy_operator/vulnerability_handler.py: The changes in this file leverage the UniformTrivyVulnID class to ensure that vulnerability IDs are consistently formatted.

9. unittests/tools/test_trivy_operator_parser.py: The changes to the unit tests ensure that the TrivyOperatorParser is correctly handling the expected vulnerability ID formats.

Code Analysis

We ran 9 analyzers against 9 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Configured Codepaths Analyzer	2 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[mtesauro]

Approved

[manuel-sommer]

@cneill , could we merge this in the upcomming release on Monday?

[manuel-sommer]

Friendly reminder @cneill

[manuel-sommer]

@Maffooch, could we introduce this PR to the upcomming release today?

[Maffooch]

Will need sign off from @cneill first, but the release will actually go out tomorrow, as today is a US holiday

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.