Allow disabling of SSL certificate verification; Adds Branch-Tag description to engagement test

README.md

@@ -101,11 +101,13 @@ docker run -it -v /path/to/your/.kube/config:/root/.kube/config \
 | `defectDojoEvalProductName`           | `"false"`                  | Specifies whether the product name should be evaluated as a python function.                 |
 | `defectDojoEvalProductTypeName`       | `"false"`                  | Specifies whether the product type name should be evaluated as a python function.            |
 | `defectDojoEvalEnvName`               | `"false"`                  | Specifies whether the enviroment type name should be evaluated as a python function.         |
+| `defectDojoEvalBranchTag`             | `"false"`                  | Specifies whether the Branch/Tag name should be evaluated as a python function.         |
 | `defectDojoEvalTestTitle`             | `"false"`                  | Specifies whether the test title should be evaluated as a python function.                   |
 | `defectDojoMinimumSeverity`           | `Info`                     | The minimum severity level for findings in DefectDojo.                                       |
 | `defectDojoProductName`               | `product`                  | The name of the product in DefectDojo.                                                       |
 | `defectDojoProductTypeName`           | `Research and Development` | The type of the product in DefectDojo.                                                       |
 | `defectDojoEnvName`                   | `Development`              | The type of the env in DefectDojo.                                                           |
+| `defectDojoBranchTag`                 | `branch-tag`               | The name of the Branch/Tag to be specified in DefectDojo.                                                           |
 | `defectDojoPushToJira`                | `"false"`                  | Specifies whether findings should be pushed to Jira in DefectDojo.                           |
 | `defectDojoTestTitle`                 | `Kubernetes`               | The title of the test in DefectDojo.                                                         |
 | `defectDojoVerified`                  | `"false"`                  | Specifies whether findings should be marked as verified in DefectDojo.                       |
@@ -125,6 +127,10 @@ evaluated and used as the engagement name.
 If you set defectDojoEngagementName to `body["report"]["artifact"]["tag"]`,
 then the engagement will get the name of the specified image-tag.
 
+### A note on DefectDojo Credentials
+
+In case your installation of DefectDojo doesn't has a verifiable SSL certificate (e.g. it is only accessible in a very well controlled environment), you are able to disable the verification of the SSL certificate by assigning the verifySSL flag as false on the Helm Chart `values.yaml` configuration.
+
 ## Metrics
 
 The operator provides a Prometheus metrics endpoint, where successful and failed

charts/templates/deployment.yaml

@@ -30,6 +30,12 @@ spec:
               key: url
               name: {{ include "charts.fullname" . }}-defect-dojo-api-credentials
               optional: false
+        - name: DEFECT_DOJO_VERIFY_SSL
+          valueFrom:
+            secretKeyRef:
+              key: verifySSL
+              name: {{ include "charts.fullname" . }}-defect-dojo-api-credentials
+              optional: true
         - name: DEFECT_DOJO_ACTIVE
           value: {{ quote .Values.operator.trivyDojoReportOperator.env.defectDojoActive
             }}
@@ -78,6 +84,12 @@ spec:
         - name: DEFECT_DOJO_EVAL_ENGAGEMENT_NAME
           value: {{ quote .Values.operator.trivyDojoReportOperator.env.defectDojoEvalEngagementName
             }}
+        - name: DEFECT_DOJO_BRANCH_TAG
+          value: {{ quote .Values.operator.trivyDojoReportOperator.env.defectDojoBranchTag
+            }}
+        - name: DEFECT_DOJO_EVAL_BRANCH_TAG
+          value: {{ quote .Values.operator.trivyDojoReportOperator.env.defectDojoEvalBranchTag
+            }}
         - name: DEFECT_DOJO_PRODUCT_NAME
           value: {{ quote .Values.operator.trivyDojoReportOperator.env.defectDojoProductName
             }}

charts/templates/secret.yaml

@@ -9,4 +9,9 @@ stringData:
     | quote }}
   url: {{ required "defectDojoApiCredentials.url is required" .Values.defectDojoApiCredentials.url
     | quote }}
+  verifySSL: {{ if .Values.defectDojoApiCredentials.verifySSL }}
+      {{ .Values.defectDojoApiCredentials.verifySSL | quote }}
+    {{ else }}
+      "true"
+    {{ end }}
 type: Opaque

charts/values.yaml

@@ -1,6 +1,7 @@
 defectDojoApiCredentials:
   apiKey: "YOUR_DEFECTDOJO_API_KEY"
   url: "YOUR_DEFECTDOJO_URL"
+  verifySSL: "true"
 kubernetesClusterDomain: cluster.local
 account:
   serviceAccount:
@@ -36,9 +37,11 @@ operator:
       defectDojoEnvName: Development
       defectDojoEvalEngagementName: "false"
       defectDojoEvalEnvName: "false"
+      defectDojoEvalBranchTag: "false"
       defectDojoEvalProductName: "false"
       defectDojoEvalProductTypeName: "false"
       defectDojoEvalTestTitle: "false"
+      defectDojoBranchTag: "branch-tag"
       defectDojoMinimumSeverity: Info
       defectDojoProductName: product
       defectDojoProductTypeName: Research and Development

deploy/trivy-dojo-report-operator.yaml

@@ -27,6 +27,7 @@ metadata:
 stringData:
   apiKey: "YOUR_DEFECTDOJO_API_KEY"
   url: "YOUR_DEFECTDOJO_URL"
+  verifySSL: "true"
 type: Opaque
 ---
 # Source: trivy-dojo-report-operator/templates/rbac.yaml
@@ -156,6 +157,12 @@ spec:
               key: url
               name: telekom-mms-trivy-dojo-report-operator-defect-dojo-api-credentials
               optional: false
+        - name: DEFECT_DOJO_VERIFY_SSL
+          valueFrom:
+            secretKeyRef:
+              key: verifySSL
+              name: telekom-mms-trivy-dojo-report-operator-defect-dojo-api-credentials
+              optional: true
         - name: DEFECT_DOJO_ACTIVE
           value: "true"
         - name: DEFECT_DOJO_VERIFIED
@@ -194,6 +201,10 @@ spec:
           value: "false"
         - name: DEFECT_DOJO_DO_NOT_REACTIVATE
           value: "true"
+        - name: DEFECT_DOJO_BRANCH_TAG
+          value: "branch-tag"
+        - name: DEFECT_DOJO_EVAL_BRANCH_TAG
+          value: "false"
         - name: REPORTS
           value: "vulnerabilityreports"
         - name: KUBERNETES_CLUSTER_DOMAIN

src/env_vars.py

@@ -13,6 +13,11 @@ def get_required_env_var(name):
         exit(1)
 
 
-def get_env_var_bool(name):
-    """Gets value of environment variable as a boolean. If not 'true', returns False"""
-    return os.getenv(name) == "true"
+def get_env_var_bool(name, default_value:bool=False):
+    """Gets value of environment variable as a boolean. If not 'true', returns False.
+        In case the environment variable does not exist, returns a default value of False or True if specified."""
+
+    if os.getenv(name) is not None:
+        return os.getenv(name) == "true"
+    else:
+        return default_value

src/handlers.py

@@ -119,6 +119,12 @@ def send_to_dojo(body, meta, logger, **_):
             else settings.DEFECT_DOJO_TEST_TITLE
         )
 
+        _DEFECT_DOJO_BRANCH_TAG = (
+            eval(settings.DEFECT_DOJO_BRANCH_TAG)
+            if settings.DEFECT_DOJO_EVAL_BRANCH_TAG
+            else settings.DEFECT_DOJO_BRANCH_TAG
+        )
+
         # define the vulnerabilityreport as a json-file so DD accepts it
         json_string: str = json.dumps(full_object)
         json_file: BytesIO = BytesIO(json_string.encode("utf-8"))
@@ -142,6 +148,7 @@ def send_to_dojo(body, meta, logger, **_):
             "engagement_name": _DEFECT_DOJO_ENGAGEMENT_NAME,
             "product_name": _DEFECT_DOJO_PRODUCT_NAME,
             "product_type_name": _DEFECT_DOJO_PRODUCT_TYPE_NAME,
+            "branch_tag": _DEFECT_DOJO_BRANCH_TAG,
             "environment": _DEFECT_DOJO_ENV_NAME,
             "test_title": _DEFECT_DOJO_TEST_TITLE,
             "do_not_reactivate": settings.DEFECT_DOJO_DO_NOT_REACTIVATE,
@@ -155,7 +162,7 @@ def send_to_dojo(body, meta, logger, **_):
                 headers=headers,
                 data=data,
                 files=report_file,
-                verify=True,
+                verify=settings.DEFECT_DOJO_VERIFY_SSL,
             )
             response.raise_for_status()
         except HTTPError as http_err:

src/settings.py

@@ -17,6 +17,7 @@
 
 DEFECT_DOJO_API_KEY: str = get_required_env_var("DEFECT_DOJO_API_KEY")
 DEFECT_DOJO_URL: str = get_required_env_var("DEFECT_DOJO_URL")
+DEFECT_DOJO_VERIFY_SSL: bool = get_env_var_bool("DEFECT_DOJO_VERIFY_SSL", True)
 
 DEFECT_DOJO_ACTIVE: bool = get_env_var_bool("DEFECT_DOJO_ACTIVE")
 DEFECT_DOJO_VERIFIED: bool = get_env_var_bool("DEFECT_DOJO_VERIFIED")
@@ -57,6 +58,11 @@
     "DEFECT_DOJO_EVAL_ENGAGEMENT_NAME"
 )
 
+DEFECT_DOJO_BRANCH_TAG: str | None = os.getenv("DEFECT_DOJO_BRANCH_TAG")
+DEFECT_DOJO_EVAL_BRANCH_TAG: bool = get_env_var_bool(
+    "DEFECT_DOJO_EVAL_BRANCH_TAG"
+)
+
 DEFECT_DOJO_PRODUCT_NAME: str = os.getenv(
     "DEFECT_DOJO_PRODUCT_NAME", "Research and Development"
 )