Creating and auto-closing security tickets based on VulnerabilityReports in Trivy Operator

[exiett]

I am currently facing a challenge regarding the management of security tickets based on VulnerabilityReports generated by the Trivy Operator inside the cluster.

Opening security tickets is not an issue, as the operator has the webhookUrl parameter that sends the issue information in JSON format, making it possible to create a security ticket based on that info. The main problem I am encountering is how to auto-close these issues after the scan runs again and doesn't detect the vulnerability anymore.

My main point of doubt is what exactly happens after the scan doesn't detect the vulnerability in runtime anymore; if the VulnerabilityReport keeps it's uid and updates the vulnerabilities list in the JSON to an empty list or if there is another completely different VulnerabilityReport generated informing that the resource is no longer vulnerable. I was thinking about binding the security ticket to the uid but I've also noticed that each VulnerabilityReports receives two different UIDs:

{
    "apiVersion": "aquasecurity.github.io/v1alpha1",
    "kind": "VulnerabilityReport",
    "metadata": {
        "annotations": {
            "trivy-operator.aquasecurity.github.io/report-ttl": "24h0m0s"
        },
        "creationTimestamp": "2023-06-02T19:41:05Z",
        "generation": 1,
        "labels": {
            "resource-spec-hash": "548ff6cdd7",
            "trivy-operator.container.name": "kube-bench",
            "trivy-operator.resource.kind": "Job",
            "trivy-operator.resource.name": "kube-bench",
            "trivy-operator.resource.namespace": "image-crawler"
        },
        "name": "job-kube-bench-kube-bench",
        "namespace": "image-crawler",
        "ownerReferences": [
            {
                "apiVersion": "batch/v1",
                "blockOwnerDeletion": false,
                "controller": true,
                "kind": "Job",
                "name": "kube-bench",
          >>>>> "uid": "cfb0980d-cd24-474e-88ff-8abd907527a6" <<<<<
            }
        ],
        "resourceVersion": "523318517",
  >>>>> "uid": "de3abd20-86b7-454c-8ea3-b72f5adc2583" <<<<<
    }

Ideally, I would like to find an agnostic solution that does not depend on Postee or Prometheus. However, if there isn't any other way to achieve this, I am open to working with any solution as middleware.

I would greatly appreciate any guidance or examples on how you do this.

Thank you in advance for your help and support.

[exiett]

By the way, there's a similar discussion opened in Aqua's Slack, refer to it here: https://aquasecurity.slack.com/archives/C03L2H45L3H/p1685984298406179

[chen-keinan]

@exiett One way to work it out is to sign (hash) the report data and include it in Vulnerability CRD labels.
in that way you could compare prev. report hash to current report hash and find if the report has been changed.
of course empty report will produce the exact same hash every time, so you will know if the report is empty.

[exiett]

@chen-keinan that's a good suggestion. Going further, I'd like to understand how the VulnerabilityReport CRD behaves after the scan. When it first find a vulnerability in the image, it creates the VulnerabilityReport CRD for that resource. What happens when the next scan doesn't detect those vulnerabilities anymore? Does it deletes the old VulnerabilityReport and creates a new clean report? Does it keeps the uid in the original report and updates the Vulnerabilities in the report?

[chen-keinan]

Since reports has ttl, when exceeded, the report get deleted and a new scan is triggered , and every scan create a new report based on scan result