From 823b3f1ba839b506637e5f60806cb1f602d9dd78 Mon Sep 17 00:00:00 2001
From: Sahiba Mittal
Date: Tue, 2 Jul 2024 13:37:22 +0100
Subject: [PATCH 1/3] WIP trivy analyzer integration
Co-authored-by: Marlon Pina Tojal
---
 src/main/java/org/dependencytrack/model/AnalyzerIdentity.java | 1 +
 .../org/dependencytrack/model/ConfigPropertyConstants.java | 4 ++++
 src/main/java/org/dependencytrack/model/Vulnerability.java | 3 ++-
 .../parser/dependencytrack/ModelConverterCdxToVuln.java | 1 +
 src/main/java/org/dependencytrack/util/VulnerabilityUtil.java | 1 +
 .../org/dependencytrack/vulnanalysis/v1/vuln_analysis.proto | 1 +
 6 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/dependencytrack/model/AnalyzerIdentity.java b/src/main/java/org/dependencytrack/model/AnalyzerIdentity.java
index 9ad9a3995..4316812a3 100644
--- a/src/main/java/org/dependencytrack/model/AnalyzerIdentity.java
+++ b/src/main/java/org/dependencytrack/model/AnalyzerIdentity.java
@@ -29,5 +29,6 @@ public enum AnalyzerIdentity {
 NPM_AUDIT_ANALYZER,
 VULNDB_ANALYZER,
 SNYK_ANALYZER,
+ TRIVY_ANALYZER,
 NONE
 }
diff --git a/src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java b/src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java
index 29b9d9864..d749b79ab 100644
--- a/src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java
+++ b/src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java
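Review bot: TRIVY_ANALYZER is inserted before NONE rather than appended at the end, which shifts NONE's ordinal; that is only safe if AnalyzerIdentity is never persisted or compared by ordinal, which cannot be confirmed from this hunk. If any column, cache or serialized form stores the ordinal, existing records holding NONE would be read back as TRIVY_ANALYZER after this change, so please confirm the enum is stored by name (or append the new constant after NONE). The enum's opening lines are outside the hunk.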
@@ -57,6 +57,10 @@ public enum ConfigPropertyConstants {
 SCANNER_SNYK_API_VERSION("scanner", "snyk.api.version", "2022-11-14", PropertyType.STRING, "Snyk API version", ConfigPropertyAccessMode.READ_WRITE),
 SCANNER_SNYK_CVSS_SOURCE("scanner", "snyk.cvss.source", "NVD", PropertyType.STRING, "Type of source to be prioritized for cvss calculation", ConfigPropertyAccessMode.READ_WRITE),
 SCANNER_SNYK_BASE_URL("scanner", "snyk.base.url", "https://api.snyk.io", PropertyType.URL, "Base Url pointing to the hostname and path for Snyk analysis", ConfigPropertyAccessMode.READ_WRITE),
+ SCANNER_TRIVY_ENABLED("scanner", "trivy.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable Trivy Vulnerability Analysis", ConfigPropertyAccessMode.READ_WRITE),
+ SCANNER_TRIVY_API_TOKEN("scanner", "trivy.api.token", null, PropertyType.ENCRYPTEDSTRING, "The API token used for Trivy API authentication", ConfigPropertyAccessMode.READ_WRITE),
+ SCANNER_TRIVY_BASE_URL("scanner", "trivy.base.url", "http://localhost:8081", PropertyType.URL, "Base Url pointing to the hostname and path for Trivy analysis", ConfigPropertyAccessMode.READ_WRITE),
+ SCANNER_TRIVY_IGNORE_UNFIXED("scanner", "trivy.ignore.unfixed", "false", PropertyType.BOOLEAN, "Flag to ignore unfixed vulnerabilities", ConfigPropertyAccessMode.READ_WRITE),
 VULNERABILITY_POLICY_FILE_LAST_MODIFIED_HASH("vulnerability-policy", "vulnerability.policy.file.last.modified.hash", null, PropertyType.STRING, "Hash value or etag of the last fetched bundle if any", ConfigPropertyAccessMode.READ_ONLY),
 VULNERABILITY_SOURCE_NVD_ENABLED("vuln-source", "nvd.enabled", "true", PropertyType.BOOLEAN, "Flag to enable/disable National Vulnerability Database", ConfigPropertyAccessMode.READ_WRITE),
 VULNERABILITY_SOURCE_NVD_FEEDS_URL("vuln-source", "nvd.feeds.url", "https://nvd.nist.gov/feeds", PropertyType.URL, "A base URL pointing to the hostname and path of the NVD feeds", ConfigPropertyAccessMode.READ_WRITE),
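Review bot: The description of SCANNER_TRIVY_BASE_URL does not say that the value stored in SCANNER_TRIVY_API_TOKEN is presumably presented to whatever endpoint this READ_WRITE URL names, so an operator who points it at a remote host over plain http would put the token on the wire in cleartext; suggest `"Base URL pointing to the hostname and path for Trivy analysis; the Trivy API token is sent to this endpoint, so use https for non-local hosts"`, and the same wording applies to the replacement line in the PATCH 3/3 hunk of this file. Whether the analyzer itself enforces a scheme cannot be seen in this series. As a style point, the new Trivy descriptions copy "Base Url" from the Snyk line while the NVD line in the same hunk writes "base URL"; the new lines could settle on "Base URL". The description of SCANNER_TRIVY_IGNORE_UNFIXED could also state what is dropped, e.g. `"Flag to exclude vulnerabilities that have no fixed version from Trivy results"`, since suppressed findings are real exposure an operator should knowingly accept. The enum continues outside the hunk.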
diff --git a/src/main/java/org/dependencytrack/model/Vulnerability.java b/src/main/java/org/dependencytrack/model/Vulnerability.java
index 2c3a8cd84..b9546ecbd 100644
--- a/src/main/java/org/dependencytrack/model/Vulnerability.java
+++ b/src/main/java/org/dependencytrack/model/Vulnerability.java
@@ -126,7 +126,8 @@ public enum Source {
 RETIREJS, // Retire.js
 INTERNAL, // Internally-managed (and manually entered) vulnerability
 OSV, // Google OSV Advisories
- SNYK; // Snyk Purl Vulnerability
+ SNYK, // Snyk Purl Vulnerability
+ TRIVY; // Trivy from Aqua Security
 public static boolean isKnownSource(String source) {
 return Arrays.stream(values()).anyMatch(enumSource -> enumSource.name().equalsIgnoreCase(source));
diff --git a/src/main/java/org/dependencytrack/parser/dependencytrack/ModelConverterCdxToVuln.java b/src/main/java/org/dependencytrack/parser/dependencytrack/ModelConverterCdxToVuln.java
index b18e34cd7..617d34e60 100644
--- a/src/main/java/org/dependencytrack/parser/dependencytrack/ModelConverterCdxToVuln.java
+++ b/src/main/java/org/dependencytrack/parser/dependencytrack/ModelConverterCdxToVuln.java
@@ -274,6 +274,7 @@ public static AnalyzerIdentity convert(final Scanner scanner) {
 case SCANNER_INTERNAL -> AnalyzerIdentity.INTERNAL_ANALYZER;
 case SCANNER_OSSINDEX -> AnalyzerIdentity.OSSINDEX_ANALYZER;
 case SCANNER_SNYK -> AnalyzerIdentity.SNYK_ANALYZER;
+ case SCANNER_TRIVY -> AnalyzerIdentity.TRIVY_ANALYZER;
 default -> AnalyzerIdentity.NONE;
 };
 }
diff --git a/src/main/java/org/dependencytrack/util/VulnerabilityUtil.java b/src/main/java/org/dependencytrack/util/VulnerabilityUtil.java
index 9c8b1b9c8..859f1c4d7 100644
--- a/src/main/java/org/dependencytrack/util/VulnerabilityUtil.java
+++ b/src/main/java/org/dependencytrack/util/VulnerabilityUtil.java
@@ -248,6 +248,7 @@ public static boolean isAuthoritativeSource(final Vulnerability vulnerability,
 case OSSINDEX_ANALYZER -> Vulnerability.Source.OSSINDEX.name().equals(vulnerability.getSource());
 case SNYK_ANALYZER -> Vulnerability.Source.SNYK.name().equals(vulnerability.getSource());
 case VULNDB_ANALYZER -> Vulnerability.Source.VULNDB.name().equals(vulnerability.getSource());
+ case TRIVY_ANALYZER -> Vulnerability.Source.TRIVY.name().equals(vulnerability.getSource());
 default -> false;
 };
 }
diff --git a/src/main/proto/org/dependencytrack/vulnanalysis/v1/vuln_analysis.proto b/src/main/proto/org/dependencytrack/vulnanalysis/v1/vuln_analysis.proto
index 218bbf01c..0c35776b6 100644
--- a/src/main/proto/org/dependencytrack/vulnanalysis/v1/vuln_analysis.proto
+++ b/src/main/proto/org/dependencytrack/vulnanalysis/v1/vuln_analysis.proto
@@ -33,6 +33,7 @@ enum Scanner {
 SCANNER_INTERNAL = 2;
 SCANNER_OSSINDEX = 3;
 SCANNER_SNYK = 4;
+ SCANNER_TRIVY = 5;
 }
 message ScanCommand {
From 3bbf65a65d5b89251d5e214d9ad7f45ae20d88a1 Mon Sep 17 00:00:00 2001
From: Sahiba Mittal
Date: Fri, 5 Jul 2024 10:09:45 +0100
Subject: [PATCH 2/3] Update VulnerabilityScanResultProcessorTest.java
---
 .../kafka/processor/VulnerabilityScanResultProcessorTest.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/test/java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessorTest.java b/src/test/java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessorTest.java
index 3002106f4..c8ac30120 100644
--- a/src/test/java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessorTest.java
+++ b/src/test/java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessorTest.java
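Review bot: The new TRIVY_ANALYZER arm makes Trivy authoritative only for vulnerabilities whose source is literally "TRIVY", so a finding Trivy reports under an upstream identifier is never authoritative here; the test row added in PATCH 2/3 feeds a CVE with source "NVD" through SCANNER_TRIVY and expects false, which matches this arm. That is consistent with how the SNYK_ANALYZER and OSSINDEX_ANALYZER arms above it are written, but since Trivy appears to mostly relay upstream advisories (inferred from that test row, not visible in this series), a short comment would stop a later reader from "fixing" it: `// Trivy relays upstream advisories; it is authoritative only for identifiers it mints itself.` The enclosing isAuthoritativeSource method starts and ends outside the hunk.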
@@ -98,6 +98,7 @@ import static org.dependencytrack.proto.vulnanalysis.v1.Scanner.SCANNER_INTERNAL;
 import static org.dependencytrack.proto.vulnanalysis.v1.Scanner.SCANNER_OSSINDEX;
 import static org.dependencytrack.proto.vulnanalysis.v1.Scanner.SCANNER_SNYK;
+import static org.dependencytrack.proto.vulnanalysis.v1.Scanner.SCANNER_TRIVY;
 import static org.dependencytrack.util.KafkaTestUtil.deserializeKey;
 import static org.dependencytrack.util.KafkaTestUtil.deserializeValue;
@@ -439,6 +440,7 @@ private Object[] canUpdateExistingVulnerabilityTestParams() {
 new Object[]{"SNYK-001", "SNYK", SCANNER_OSSINDEX, null, null, false},
 new Object[]{"sonatype-001", "OSSINDEX", SCANNER_SNYK, null, null, false},
 new Object[]{"SNYK-001", "SNYK", SCANNER_SNYK, null, null, true},
+ new Object[]{"CVE-009", "NVD", SCANNER_TRIVY, ConfigPropertyConstants.VULNERABILITY_SOURCE_NVD_ENABLED, "true", false},
 // Updating of internal vulnerabilities must always be forbidden.
 new Object[]{"INT-001", "INTERNAL", SCANNER_OSSINDEX, null, null, false},
 new Object[]{"INT-001", "INTERNAL", SCANNER_SNYK, null, null, false},
From be61ff48d05f05cd18f149003ad9646638d72e30 Mon Sep 17 00:00:00 2001
From: Sahiba Mittal
Date: Mon, 8 Jul 2024 15:26:08 +0100
Subject: [PATCH 3/3] Update ConfigPropertyConstants.java
---
 .../java/org/dependencytrack/model/ConfigPropertyConstants.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java b/src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java
index d749b79ab..0b8a437ad 100644
--- a/src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java
+++ b/src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java
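Review bot: Only a negative case is added for SCANNER_TRIVY in canUpdateExistingVulnerabilityTestParams: the new row expects a Trivy-reported NVD CVE not to be updatable, but no row exercises the positive path in which the scanner is authoritative for its own source, as the `"SNYK-001", "SNYK", SCANNER_SNYK, null, null, true` row does for Snyk. Suggest adding constructed rows modeled on the Snyk ones, such as `new Object[]{"TRIVY-001", "TRIVY", SCANNER_TRIVY, null, null, true},` and `new Object[]{"TRIVY-001", "TRIVY", SCANNER_SNYK, null, null, false},`, so that the TRIVY_ANALYZER arm added to VulnerabilityUtil.isAuthoritativeSource in PATCH 1/3 is covered in both directions; as far as this series shows, it currently appears to have no positive test. The parameter method starts and ends outside the hunk.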
@@ -59,7 +59,7 @@ public enum ConfigPropertyConstants {
 SCANNER_SNYK_BASE_URL("scanner", "snyk.base.url", "https://api.snyk.io", PropertyType.URL, "Base Url pointing to the hostname and path for Snyk analysis", ConfigPropertyAccessMode.READ_WRITE),
 SCANNER_TRIVY_ENABLED("scanner", "trivy.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable Trivy Vulnerability Analysis", ConfigPropertyAccessMode.READ_WRITE),
 SCANNER_TRIVY_API_TOKEN("scanner", "trivy.api.token", null, PropertyType.ENCRYPTEDSTRING, "The API token used for Trivy API authentication", ConfigPropertyAccessMode.READ_WRITE),
- SCANNER_TRIVY_BASE_URL("scanner", "trivy.base.url", "http://localhost:8081", PropertyType.URL, "Base Url pointing to the hostname and path for Trivy analysis", ConfigPropertyAccessMode.READ_WRITE),
+ SCANNER_TRIVY_BASE_URL("scanner", "trivy.base.url", null, PropertyType.URL, "Base Url pointing to the hostname and path for Trivy analysis", ConfigPropertyAccessMode.READ_WRITE),
 SCANNER_TRIVY_IGNORE_UNFIXED("scanner", "trivy.ignore.unfixed", "false", PropertyType.BOOLEAN, "Flag to ignore unfixed vulnerabilities", ConfigPropertyAccessMode.READ_WRITE),
 VULNERABILITY_POLICY_FILE_LAST_MODIFIED_HASH("vulnerability-policy", "vulnerability.policy.file.last.modified.hash", null, PropertyType.STRING, "Hash value or etag of the last fetched bundle if any", ConfigPropertyAccessMode.READ_ONLY),
 VULNERABILITY_SOURCE_NVD_ENABLED("vuln-source", "nvd.enabled", "true", PropertyType.BOOLEAN, "Flag to enable/disable National Vulnerability Database", ConfigPropertyAccessMode.READ_WRITE),
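Review bot: With the default for trivy.base.url now null, whatever reads SCANNER_TRIVY_BASE_URL (the analyzer is not part of this series) has to treat an absent value as "not configured" and skip the scan with a clear log line rather than build a client from a null URL; because SCANNER_TRIVY_ENABLED defaults to "false" this is only reachable once an operator enables Trivy without setting the URL, which is exactly the misconfiguration that deserves an explicit message instead of a stack trace. Dropping the plain-http localhost default is an improvement, since the encrypted API token would otherwise have been sent to a default endpoint nobody chose; a one-line Javadoc on the constant noting that null means "Trivy analysis is unconfigured" would make the contract visible to readers of this enum. The enum continues outside the hunk.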