Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trivy analyzer integration #768

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Trivy analyzer integration #768

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
823b3f1
WIP trivy analyzer integration
sahibamittal Jul 2, 2024
3bbf65a
Update VulnerabilityScanResultProcessorTest.java
sahibamittal Jul 5, 2024
be61ff4
Update ConfigPropertyConstants.java
sahibamittal Jul 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/main/java/org/dependencytrack/model/AnalyzerIdentity.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,5 +29,6 @@ public enum AnalyzerIdentity {
NPM_AUDIT_ANALYZER,
VULNDB_ANALYZER,
SNYK_ANALYZER,
TRIVY_ANALYZER,
NONE
}
4 changes: 4 additions & 0 deletions src/main/java/org/dependencytrack/model/ConfigPropertyConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,10 @@ public enum ConfigPropertyConstants {
SCANNER_SNYK_API_VERSION("scanner", "snyk.api.version", "2022-11-14", PropertyType.STRING, "Snyk API version", ConfigPropertyAccessMode.READ_WRITE),
SCANNER_SNYK_CVSS_SOURCE("scanner", "snyk.cvss.source", "NVD", PropertyType.STRING, "Type of source to be prioritized for cvss calculation", ConfigPropertyAccessMode.READ_WRITE),
SCANNER_SNYK_BASE_URL("scanner", "snyk.base.url", "https://api.snyk.io", PropertyType.URL, "Base Url pointing to the hostname and path for Snyk analysis", ConfigPropertyAccessMode.READ_WRITE),
SCANNER_TRIVY_ENABLED("scanner", "trivy.enabled", "false", PropertyType.BOOLEAN, "Flag to enable/disable Trivy Vulnerability Analysis", ConfigPropertyAccessMode.READ_WRITE),
SCANNER_TRIVY_API_TOKEN("scanner", "trivy.api.token", null, PropertyType.ENCRYPTEDSTRING, "The API token used for Trivy API authentication", ConfigPropertyAccessMode.READ_WRITE),
SCANNER_TRIVY_BASE_URL("scanner", "trivy.base.url", null, PropertyType.URL, "Base Url pointing to the hostname and path for Trivy analysis", ConfigPropertyAccessMode.READ_WRITE),
SCANNER_TRIVY_IGNORE_UNFIXED("scanner", "trivy.ignore.unfixed", "false", PropertyType.BOOLEAN, "Flag to ignore unfixed vulnerabilities", ConfigPropertyAccessMode.READ_WRITE),
VULNERABILITY_POLICY_FILE_LAST_MODIFIED_HASH("vulnerability-policy", "vulnerability.policy.file.last.modified.hash", null, PropertyType.STRING, "Hash value or etag of the last fetched bundle if any", ConfigPropertyAccessMode.READ_ONLY),
VULNERABILITY_SOURCE_NVD_ENABLED("vuln-source", "nvd.enabled", "true", PropertyType.BOOLEAN, "Flag to enable/disable National Vulnerability Database", ConfigPropertyAccessMode.READ_WRITE),
VULNERABILITY_SOURCE_NVD_FEEDS_URL("vuln-source", "nvd.feeds.url", "https://nvd.nist.gov/feeds", PropertyType.URL, "A base URL pointing to the hostname and path of the NVD feeds", ConfigPropertyAccessMode.READ_WRITE),
Expand Down
3 changes: 2 additions & 1 deletion src/main/java/org/dependencytrack/model/Vulnerability.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,8 @@ public enum Source {
RETIREJS, // Retire.js
INTERNAL, // Internally-managed (and manually entered) vulnerability
OSV, // Google OSV Advisories
SNYK; // Snyk Purl Vulnerability
SNYK, // Snyk Purl Vulnerability
TRIVY; // Trivy from Aqua Security

public static boolean isKnownSource(String source) {
return Arrays.stream(values()).anyMatch(enumSource -> enumSource.name().equalsIgnoreCase(source));
Expand Down
1 change: 1 addition & 0 deletions src/main/java/org/dependencytrack/parser/dependencytrack/ModelConverterCdxToVuln.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -274,6 +274,7 @@ public static AnalyzerIdentity convert(final Scanner scanner) {
case SCANNER_INTERNAL -> AnalyzerIdentity.INTERNAL_ANALYZER;
case SCANNER_OSSINDEX -> AnalyzerIdentity.OSSINDEX_ANALYZER;
case SCANNER_SNYK -> AnalyzerIdentity.SNYK_ANALYZER;
case SCANNER_TRIVY -> AnalyzerIdentity.TRIVY_ANALYZER;
default -> AnalyzerIdentity.NONE;
};
}
Expand Down
1 change: 1 addition & 0 deletions src/main/java/org/dependencytrack/util/VulnerabilityUtil.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -248,6 +248,7 @@ public static boolean isAuthoritativeSource(final Vulnerability vulnerability,
case OSSINDEX_ANALYZER -> Vulnerability.Source.OSSINDEX.name().equals(vulnerability.getSource());
case SNYK_ANALYZER -> Vulnerability.Source.SNYK.name().equals(vulnerability.getSource());
case VULNDB_ANALYZER -> Vulnerability.Source.VULNDB.name().equals(vulnerability.getSource());
case TRIVY_ANALYZER -> Vulnerability.Source.TRIVY.name().equals(vulnerability.getSource());
default -> false;
};
}
Expand Down
1 change: 1 addition & 0 deletions src/main/proto/org/dependencytrack/vulnanalysis/v1/vuln_analysis.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ enum Scanner {
SCANNER_INTERNAL = 2;
SCANNER_OSSINDEX = 3;
SCANNER_SNYK = 4;
SCANNER_TRIVY = 5;
}

message ScanCommand {
Expand Down
2 changes: 2 additions & 0 deletions .../java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,7 @@
import static org.dependencytrack.proto.vulnanalysis.v1.Scanner.SCANNER_INTERNAL;
import static org.dependencytrack.proto.vulnanalysis.v1.Scanner.SCANNER_OSSINDEX;
import static org.dependencytrack.proto.vulnanalysis.v1.Scanner.SCANNER_SNYK;
import static org.dependencytrack.proto.vulnanalysis.v1.Scanner.SCANNER_TRIVY;
import static org.dependencytrack.util.KafkaTestUtil.deserializeKey;
import static org.dependencytrack.util.KafkaTestUtil.deserializeValue;

Expand Down Expand Up @@ -439,6 +440,7 @@ private Object[] canUpdateExistingVulnerabilityTestParams() {
new Object[]{"SNYK-001", "SNYK", SCANNER_OSSINDEX, null, null, false},
new Object[]{"sonatype-001", "OSSINDEX", SCANNER_SNYK, null, null, false},
new Object[]{"SNYK-001", "SNYK", SCANNER_SNYK, null, null, true},
new Object[]{"CVE-009", "NVD", SCANNER_TRIVY, ConfigPropertyConstants.VULNERABILITY_SOURCE_NVD_ENABLED, "true", false},
// Updating of internal vulnerabilities must always be forbidden.
new Object[]{"INT-001", "INTERNAL", SCANNER_OSSINDEX, null, null, false},
new Object[]{"INT-001", "INTERNAL", SCANNER_SNYK, null, null, false},
Expand Down