Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add parser for aquasec trivy container vulnability scanner #542

Merged
merged 16 commits into from
Jan 3, 2021
+264 −7
Merged

Add parser for aquasec trivy container vulnability scanner #542

Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
8de5aee
remove duplicated maven items
tofuatjava Dec 11, 2020
fb5e0a9
basic json report parser for aquasec trivy container vulnability scanner
tofuatjava Dec 11, 2020
f834a69
fix build checks for ubuntu by reformat the javadoc
tofuatjava Dec 11, 2020
07e3183
fix some checkstyles
tofuatjava Dec 11, 2020
bd51f4f
fix analysis issues
tofuatjava Jan 1, 2021
d59cb7d
fix typo again
tofuatjava Jan 1, 2021
a4a6b94
test and parse a real life sample of jenkins docker image
tofuatjava Jan 1, 2021
4bd1741
fix PMD issues
tofuatjava Jan 1, 2021
1fb309b
Update src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java
tofuatjava Jan 3, 2021
e0132f0
Update src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java
tofuatjava Jan 3, 2021
04d4ea2
Update src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java
tofuatjava Jan 3, 2021
7bf2616
fix typo again
tofuatjava Jan 3, 2021
3a3f304
improve code base after review
tofuatjava Jan 3, 2021
487857b
replace real world sample to a constructed one to reduce the amount of
tofuatjava Jan 3, 2021
c5b687b
increase version
tofuatjava Jan 3, 2021
afbd64d
Merge branch 'master' into master
tofuatjava Jan 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
test and parse a real life sample of jenkins docker image
@tofuatjava
tofuatjava committed Jan 1, 2021
commit a4a6b94049f7e1006041519258a61f5257831353
36 changes: 21 additions & 15 deletions src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java
View file
Original file line number Diff line number Diff line change
@@ -42,9 +42,14 @@ public Report parse(final ReaderFactory readerFactory) throws ParsingException,
try (Reader reader = readerFactory.create()) {
final JSONArray jsonReport = (JSONArray)new JSONTokener(reader).nextValue();

final JSONArray vulnatbilites = ((JSONObject)jsonReport.get(0)).getJSONArray("Vulnerabilities");
for (Object vulnatbility : vulnatbilites) {
report.add(convertToIssue((JSONObject)vulnatbility));
for (int i = 0; i < jsonReport.length(); i++) {
final JSONObject component = (JSONObject)jsonReport.get(i);
if (!component.isNull("Vulnerabilities")) {
final JSONArray vulnatbilites = component.getJSONArray("Vulnerabilities");
for (Object vulnatbility : vulnatbilites) {
report.add(convertToIssue((JSONObject)vulnatbility));
}
}
}
}
catch (IOException e) {
@@ -54,13 +59,13 @@ public Report parse(final ReaderFactory readerFactory) throws ParsingException,
return report;
}

private Issue convertToIssue(final JSONObject vulneratbility) {
return new IssueBuilder().setFileName(vulneratbility.getString("PkgName"))
.setCategory(vulneratbility.getString("SeveritySource"))
.setSeverity(mapSeverity(vulneratbility.getString("Severity")))
.setType(vulneratbility.getString("VulnerabilityID"))
.setMessage(vulneratbility.optString("Title", "UNKNOWN"))
.setDescription(formatDescription(vulneratbility))
private Issue convertToIssue(final JSONObject vulnerability) {
return new IssueBuilder().setFileName(vulnerability.optString("PkgName", "?"))
.setCategory(vulnerability.optString("SeveritySource", "?"))
.setSeverity(mapSeverity(vulnerability.optString("Severity", "UNKNOWN")))
.setType(vulnerability.optString("VulnerabilityID", "?"))
.setMessage(vulnerability.optString("Title", "UNKNOWN"))
.setDescription(formatDescription(vulnerability))
.build();
}

@@ -80,15 +85,16 @@ else if (TRIVY_VULNERABILITY_LEVEL_TAG_HIGH.equalsIgnoreCase(string) || TRIVY_VU
}
}

private String formatDescription(final JSONObject vulneratbility) {
private String formatDescription(final JSONObject vulnerability) {
return new StringBuilder().append(MessageFormat.format(
"<p><div><b>File</b>: {0}</div><div><b>Installed Version:</b> {1}</div><div><b>Fixed Version:</b> {2}</div><div><b>Severity:</b> {3}</div>",
vulneratbility.getString("PkgName"), vulneratbility.getString("InstalledVersion"),
vulneratbility.getString("FixedVersion"), vulneratbility.getString("Severity")))
vulnerability.optString("PkgName", "?"),
vulnerability.optString("InstalledVersion", "?"),
vulnerability.optString("FixedVersion", "still open"),
vulnerability.optString("Severity", "UNKOWN")))
.append("<p>")
.append(vulneratbility.getString("Description"))
.append(vulnerability.optString("Description", ""))
.append("</p>")
.toString();
}

}
31 changes: 31 additions & 0 deletions src/test/java/edu/hm/hafner/analysis/parser/TrivyParserTest.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
package edu.hm.hafner.analysis.parser;

import edu.hm.hafner.analysis.AbstractParserTest;
import edu.hm.hafner.analysis.IssueParser;
import edu.hm.hafner.analysis.Report;
import edu.hm.hafner.analysis.Severity;
import edu.hm.hafner.analysis.assertions.SoftAssertions;

class TrivyParserTest extends AbstractParserTest {

TrivyParserTest() {
super("trivy_result.json");
}

@Override
protected void assertThatIssuesArePresent(Report report, SoftAssertions softly) {
softly.assertThat(report).hasSize(282);

softly.assertThat(report.get(0))
.hasSeverity(Severity.WARNING_LOW)
.hasType("CVE-2017-6519")
.hasCategory("redhat")
.hasMessage("avahi: Multicast DNS responds to unicast queries outside of local network");
}

@Override
protected IssueParser createParser() {
return new TrivyParser();
}

}
11,715 changes: 11,715 additions & 0 deletions src/test/resources/edu/hm/hafner/analysis/parser/trivy_result.json
View file

Large diffs are not rendered by default.