Add parser for aquasec trivy container vulnability scanner #542

Merged
merged 16 commits into from
Jan 3, 2021
36 changes: 21 additions & 15 deletions src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java
@@ -42,9 +42,14 @@ public Report parse(final ReaderFactory readerFactory) throws ParsingException,
try (Reader reader = readerFactory.create()) {
final JSONArray jsonReport = (JSONArray)new JSONTokener(reader).nextValue();

final JSONArray vulnatbilites = ((JSONObject)jsonReport.get(0)).getJSONArray("Vulnerabilities");
for (Object vulnatbility : vulnatbilites) {
report.add(convertToIssue((JSONObject)vulnatbility));
for (int i = 0; i < jsonReport.length(); i++) {
final JSONObject component = (JSONObject)jsonReport.get(i);
if (!component.isNull("Vulnerabilities")) {
final JSONArray vulnatbilites = component.getJSONArray("Vulnerabilities");
for (Object vulnatbility : vulnatbilites) {
report.add(convertToIssue((JSONObject)vulnatbility));
}
}
}
}
catch (IOException e) {
@@ -54,13 +59,13 @@ public Report parse(final ReaderFactory readerFactory) throws ParsingException,
return report;
}

private Issue convertToIssue(final JSONObject vulneratbility) {
return new IssueBuilder().setFileName(vulneratbility.getString("PkgName"))
.setCategory(vulneratbility.getString("SeveritySource"))
.setSeverity(mapSeverity(vulneratbility.getString("Severity")))
.setType(vulneratbility.getString("VulnerabilityID"))
.setMessage(vulneratbility.optString("Title", "UNKNOWN"))
.setDescription(formatDescription(vulneratbility))
private Issue convertToIssue(final JSONObject vulnerability) {
return new IssueBuilder().setFileName(vulnerability.optString("PkgName", "?"))
.setCategory(vulnerability.optString("SeveritySource", "?"))
.setSeverity(mapSeverity(vulnerability.optString("Severity", "UNKNOWN")))
.setType(vulnerability.optString("VulnerabilityID", "?"))
.setMessage(vulnerability.optString("Title", "UNKNOWN"))
.setDescription(formatDescription(vulnerability))
.build();
}

@@ -80,15 +85,16 @@ else if (TRIVY_VULNERABILITY_LEVEL_TAG_HIGH.equalsIgnoreCase(string) || TRIVY_VU
}
}

private String formatDescription(final JSONObject vulneratbility) {
private String formatDescription(final JSONObject vulnerability) {
return new StringBuilder().append(MessageFormat.format(
"<p><div><b>File</b>: {0}</div><div><b>Installed Version:</b> {1}</div><div><b>Fixed Version:</b> {2}</div><div><b>Severity:</b> {3}</div>",
vulneratbility.getString("PkgName"), vulneratbility.getString("InstalledVersion"),
vulneratbility.getString("FixedVersion"), vulneratbility.getString("Severity")))
vulnerability.optString("PkgName", "?"),
vulnerability.optString("InstalledVersion", "?"),
vulnerability.optString("FixedVersion", "still open"),
vulnerability.optString("Severity", "UNKOWN")))
.append("<p>")
.append(vulneratbility.getString("Description"))
.append(vulnerability.optString("Description", ""))
.append("</p>")
.toString();
}

}
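Review bot: The Severity fallback on the `vulnerability.optString("Severity", "UNKOWN")` line in formatDescription is misspelled and disagrees with the `"UNKNOWN"` default used for the same key in convertToIssue two hunks earlier, so a record without a Severity field renders "UNKOWN" in the description while the issue's severity is mapped from "UNKNOWN"; change it to `vulnerability.optString("Severity", "UNKNOWN")`, or hoist the literal into a shared constant so the two cannot drift again. formatDescription also interpolates PkgName, both version strings and Description straight into HTML markup with no escaping; these values come from the scanner's vulnerability database rather than from this code, so it is worth confirming that whatever renders the description sanitizes it, or escaping the values here. The enclosing class starts before the hunk; formatDescription itself is complete within it.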
31 changes: 31 additions & 0 deletions src/test/java/edu/hm/hafner/analysis/parser/TrivyParserTest.java
@@ -0,0 +1,31 @@
package edu.hm.hafner.analysis.parser;

import edu.hm.hafner.analysis.AbstractParserTest;
import edu.hm.hafner.analysis.IssueParser;
import edu.hm.hafner.analysis.Report;
import edu.hm.hafner.analysis.Severity;
import edu.hm.hafner.analysis.assertions.SoftAssertions;

class TrivyParserTest extends AbstractParserTest {

TrivyParserTest() {
super("trivy_result.json");
}

@Override
protected void assertThatIssuesArePresent(Report report, SoftAssertions softly) {
softly.assertThat(report).hasSize(282);

softly.assertThat(report.get(0))
.hasSeverity(Severity.WARNING_LOW)
.hasType("CVE-2017-6519")
.hasCategory("redhat")
.hasMessage("avahi: Multicast DNS responds to unicast queries outside of local network");
}

@Override
protected IssueParser createParser() {
return new TrivyParser();
}

}
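Review bot: assertThatIssuesArePresent only checks the total of 282 and the fields of `report.get(0)`, so the two fallback paths this PR adds to the parser — a component whose "Vulnerabilities" entry is absent or null, and a vulnerability missing FixedVersion, Title or Severity — are covered only if the fixture happens to contain such records, which cannot be seen from here. Consider asserting on an issue whose description contains the `still open` default and, if the base class permits a second resource, adding a small report with a component that has no "Vulnerabilities" key, so a regression to the earlier getString behaviour fails the test rather than passing silently. The first issue's file name (its PkgName) is also left unasserted. As a point of style, the parameters of `assertThatIssuesArePresent(Report report, SoftAssertions softly)` are not declared `final`, unlike the parser signatures elsewhere in this PR.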
11,715 changes: 11,715 additions & 0 deletions src/test/resources/edu/hm/hafner/analysis/parser/trivy_result.json
