Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🔨 rework kubescape parser #11229

Merged
merged 13 commits into from
Nov 16, 2024
Merged

Conversation

manuel-sommer
Copy link
Contributor

Fix multiple Kubescape parser issues:

@manuel-sommer manuel-sommer marked this pull request as draft November 10, 2024 22:24
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR parser labels Nov 10, 2024
Copy link

dryrunsecurity bot commented Nov 10, 2024

DryRun Security Summary

The pull request covers various updates to the DefectDojo application, including improvements to the Kubescape parser, security-related enhancements to the settings configuration, and associated unit test updates, all aimed at enhancing the security and functionality of the application.

Expand for full summary

Summary:

The code changes in this pull request cover various aspects of the DefectDojo application, including updates to the Kubescape parser, the settings configuration, and the associated unit tests. The changes aim to enhance the security and functionality of the application.

The key highlights from the changes are:

  1. Kubescape Parser Improvements: The changes to the Kubescape parser enhance the parsing and reporting of findings, including handling failed rules, providing more detailed information in the finding descriptions, and associating control IDs with the findings. These improvements help security teams better understand and address the identified security issues in their Kubernetes environments.

  2. Settings Configuration Updates: The changes to the settings.dist.py file introduce several security-related enhancements, such as adding new vulnerability URLs, improving the deduplication configuration, customizing the hashcode computation, and restricting file upload types. These changes help strengthen the overall security posture of the DefectDojo application.

  3. Unit Test Updates: The changes to the Kubescape parser unit tests update the expected number of findings in a specific test case. While this change does not directly impact the security of the application, it is important to review the reasoning behind the change and ensure that it does not result in any unintended consequences or missed security vulnerabilities.

Overall, the code changes in this pull request appear to be focused on improving the security, usability, and configurability of the DefectDojo application, which is an important tool for vulnerability management and application security.

Files Changed:

  1. dojo/templatetags/display_tags.py: The change adds a new vulnerability ID prefix "C-" to the list of accepted vulnerability ID prefixes in the vulnerability_url function, which is used to generate links to external vulnerability databases.
  2. dojo/settings/.settings.dist.py.sha256sum: The change updates the SHA-256 checksum of the settings.dist.py configuration file, which is a common practice to ensure the integrity of the configuration file.
  3. dojo/tools/kubescape/parser.py: The changes enhance the Kubescape parser by improving the parsing and reporting of findings, including handling failed rules, providing more detailed information in the finding descriptions, and associating control IDs with the findings.
  4. unittests/tools/test_kubescape_parser.py: The changes update the expected number of findings in a specific test case for the KubescapeParser class.
  5. dojo/settings/settings.dist.py: The changes introduce several security-related enhancements to the settings configuration, such as adding new vulnerability URLs, improving the deduplication configuration, customizing the hashcode computation, and restricting file upload types.

Code Analysis

We ran 9 analyzers against 5 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 2 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

@manuel-sommer manuel-sommer marked this pull request as ready for review November 11, 2024 07:14
@manuel-sommer manuel-sommer marked this pull request as draft November 11, 2024 07:14
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@manuel-sommer manuel-sommer marked this pull request as ready for review November 12, 2024 20:10
@github-actions github-actions bot added the ui label Nov 12, 2024
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

Copy link
Contributor

@cneill cneill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding a link for the C- prefix is fine, but the link should still be included in references.

@@ -1744,6 +1744,7 @@ def saml2_attrib_map_format(dict):
"ELSA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
"ELBA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
"RXSA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RXSA-2024:4928
"C-": "https://hub.armosec.io/docs/", # e.g. https://hub.armosec.io/docs/c-0085
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems somewhat unlikely that a C- prefix will be completely unique to ARMO... We may need to think in the future about how to better categorize different vulnerability IDs. It's getting increasingly convoluted to handle all these different patterns in this way with display tags.

No action needed on this PR, mostly leaving this as a note for myself and to get others' feedback.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, you are right. This C- prefix is used to not mix C with CVE.

dojo/tools/kubescape/parser.py Outdated Show resolved Hide resolved
dojo/tools/kubescape/parser.py Outdated Show resolved Hide resolved
dojo/tools/kubescape/parser.py Outdated Show resolved Hide resolved
manuel-sommer and others added 2 commits November 15, 2024 07:44
Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com>
@manuel-sommer manuel-sommer requested a review from cneill November 15, 2024 06:58
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch Maffooch merged commit 5168154 into DefectDojo:bugfix Nov 16, 2024
72 of 73 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR ui unittests
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants