postee.trivyoperator.slack rego template enhancements

[grglzrv]

Description

I would like to request some enhancements for postee.trivyoperator.slack template.
postee.trivyoperator.slack template gives very simple information, for example:

Could you please add more info?
for example:

• vulnerability metadata name and namespace
• report updateTimestamp
• scanner name and version
• artifact repo/image name
• artifact image tag
• vulnerability id
• vulnerability installedVersion
• vulnerability fixedVersion
• vulnerability title
• vulnerability primaryLink
• vulnerability severity
  if its possible to be in html format as severity type to be in the correct color, for example: CRITICAL - red, etc .

[simar7]

thanks for filing this, happy to review a PR if you'd like to contribute this.

cc @souravsk - this issue might be of interest to you if you're looking to contribute.

As always, let us know if you need any help getting started.

[souravsk]

@simar7 ya happy to help. can you let me know where to start

[grglzrv]

@souravsk under rego-templates dir there is a trivy-operator-slack.rego file, it should be update with the aforementioned requirements. You may also reuse trivy-jira.rego file

[souravsk]

@grglzrv what is the command to get the output that you are showing. I want to check it some explem and see the output.

[souravsk]

hey @grglzrv

[grglzrv]

@souravsk it's a slack notification message

[souravsk]

I want to know from where I can get all this data to display.
Do I just have to add here all the vulnerability id, metadata, namespace, title, etc just like critical, and high
and then use it in the trivy-operator-slack.rego

result = msg {

    msg := sprintf(tpl, [
    input.ArtifactName,
    render_vlnrb("Critical", vln_list("CRITICAL")),
    render_vlnrb("High", vln_list("HIGH")),
    render_vlnrb("Medium", vln_list("MEDIUM")),
    render_vlnrb("Low", vln_list("LOW")),
    render_vlnrb("Negligible", vln_list("NEGLIGIBLE"))
    ])
}

or i have to do something else to get all this data to show the correct information
@grglzrv

[souravsk]

I have written all of this but still, I don't know where should i collect the data for this new tag that you have asked for.

[grglzrv]

Hi @souravsk this changes wont work, you need to install Trivy Operator, which has to be integrated with Postee. Postee will receive Vulnerability reports from the Trivy Operator as json format, so you need to write rego template for that
for exmaple json

{
    "updateTimestamp": "2022-09-28 │T06:21:55Z",
    "scanner": {
        "name": "Trivy",
        "vendor": "Aqua Security",
        "version": "0.31.3"
    },
    "registry": {
        "server": "ghcr.io"
    },
    "artifact": {
        "repository": "fluxcd/image-reflector-controller",
        "tag": "v0.20.1"
    },
    "summary": {
        "criticalCount": 0,
        "highCount": 1,
        "mediumCount": 0,
        "lowCount": 0,
        "unknownCount": 0,
        "noneCount": 0
    },
    "vulnerabilities": [
        {
            "vulnerabilityID": "CVE-2022-27664",
            "resource": "golang.org/x/net",
            "installedVersion": "v0.0.0-20220722155237-a1 58d28d115b",
            "fixedVersion": "0.0.0-20220906165146-f3363e06e74c",
            "severity": "HIGH",
            "title": "title1",
            "primaryLink": "https://avd.aquasec.com/nvd/cve-2022-27664",
            "links": [],
            "score": 7.5,
            "target": ""
        },
        {
            "vulnerabilityID": "CVE-2022-27664",
            "resource": "golang.org/x/net",
            "installedVersion": "v0.0.0-20220722155237-a1 58d28d115b",
            "fixedVersion": "0.0.0-20220906165146-f3363e06e74c",
            "severity": "HIGH",
            "title": "title2",
            "primaryLink": "https://avd.aquasec.com/nvd/cve-2022-27664",
            "links": [],
            "score": 7.5,
            "target": ""
        }
    ]
}

you may use this website https://play.openpolicyagent.org/ in order to test the above json with your code. Bare in mind that vuln reports are maps , so you need you to use bash some loop

[grglzrv]

I just wrote some template only for Vuln reports, you may improve it and add the code from the current template

package postee.trivyoperator.slack


tpl :=`
<p> Severity: %s </p>
<p> vulnerabilityID: %s </p>
<p> primaryLink: %s </p>
`

vulnIDs := vulnIdResult {
    var := [ scan | 
   
            item1:=input.vulnerabilities[i].vulnerabilityID
            scan:=item1
    ] 
	
    vulnIdResult:= concat("n", (var))
}

svrt := svrtResult {
    var := [ scan | 
   
            item1:=input.vulnerabilities[i].severity
            scan:=item1
    ] 
	
    svrtResult:= concat("\n", (var))
}

link := linkResult {
    var := [ scan | 
   
            item1:=input.vulnerabilities[i].primaryLink
            scan:=item1
    ] 
	
    linkResult:= concat("\n", (var))
}

result:= res {
 res:= sprintf(tpl, [
 svrt,
 vulnIDs,
 link
 ])
 }

[souravsk]

okay

[souravsk]

Hey. @grglzrv do I have to make a new rego file so I just use the postee.trivyoperator.slack file

[souravsk]

hey @grglzrv these are the things that you wanted

[grglzrv]

Not exactly cuz you need to separate the both vuln reports 0: and 1: . You need make list for - vuln id, installed versio, fixed versio, severity etc then you need to use some loop function in rego language

[grglzrv]

@simar7 could you please give him some hits here, thanks

[souravsk]

Okya I understand the separation 0 and 1 index but I don't understand where we need the loop function

[grglzrv]

input.vulnerabilities[i].severity - its a current situation

I mean
vulnList: = [ severity, vulnerabilityID, etc.]
some j in vulnList

input.vulnerabilities[i].[j]

Then you need to loop them into the result:= as well

[souravsk]

Sorry for replying this late

vulnList := [VulnerabilityID,installedVersion,fixedVersion, title, primaryLink,severity]

vuln = result{
	some i in vulnList
	result = input.vulnerabilites[i].[j]

}

I tried like this but it is show error in in part of the loop.

[grglzrv]

Yes, i just gave you an example

[souravsk]

yes but it's showing an error in this some i in vulnList line

[simar7]

@souravsk - can you share the link to your rego playground so we can help you better?

[souravsk]

is there any example of this type of rego file I just learn the basics of the rego language for this issue that's why I'm having head time understanding how this works. if this was in another language then I would have done it. so if you have any rego file where function and array are used then I can understand better.

[simar7]

is there any example of this type of rego file I just learn the basics of the rego language for this issue that's why I'm having head time understanding how this works. if this was in another language then I would have done it. so if you have any rego file where function and array are used then I can understand better.

Take a look at some examples in the Postee repo. I recall there are some usages of loops.

[martijnvdp]

copied the existing jira template and made it suitable for the trivy operator report , think it can also be used for slack or at least as example: #595

looping through vulnerabilities:

vln_list(severity) = vlnrb {
	some j
	vlnrb := [r |
		item := input.report.vulnerabilities[j]
		vlnname := item.vulnerabilityID
		title := item.title
		fxvrsn := with_default(item, "fixedVersion", "none")
		resource_name = with_default(item, "packageType", "none")
		resource_path = with_default(item, "resource", "none")
		resource_version = with_default(item, "installedVersion", "none")
		primaryurl = with_default(item, "primaryLink", "none")
		references = with_default(item, "links", "none")

		item.severity == severity # only items with severity matched
	r := [vlnname, title, resource_name, resource_path, resource_version, fxvrsn, primaryurl]
	]
}

https://github.com/aquasecurity/postee/blob/512c72e6e51461185f0989316fdc29fa4914cfa9/rego-templates/trivy-operator-jira.rego

[martijnvdp]

example for slack : #597
copied the existing slack template and changed field names to match the output from the operator
can include more fields but than the message get a bit large