2024-08-15 12:50:22 +00:00
|
|
|
import json
|
|
|
|
import argparse
|
2024-08-15 15:46:59 +00:00
|
|
|
import jsonschema
|
2024-08-15 12:50:22 +00:00
|
|
|
|
2024-08-15 15:40:42 +00:00
|
|
|
|
2024-08-15 12:50:22 +00:00
|
|
|
def convert_to_sarif(ecr_response):
|
|
|
|
sarif_report = {
|
|
|
|
"version": "2.1.0",
|
|
|
|
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
|
|
|
|
"runs": [
|
|
|
|
{
|
|
|
|
"tool": {
|
|
|
|
"driver": {
|
|
|
|
"name": "AWS ECR",
|
|
|
|
"informationUri": "https://aws.amazon.com/ecr/",
|
2024-08-15 15:40:42 +00:00
|
|
|
"rules": [],
|
2024-08-15 12:50:22 +00:00
|
|
|
}
|
|
|
|
},
|
2024-08-15 15:40:42 +00:00
|
|
|
"results": [],
|
2024-08-15 12:50:22 +00:00
|
|
|
}
|
2024-08-15 15:40:42 +00:00
|
|
|
],
|
2024-08-15 12:50:22 +00:00
|
|
|
}
|
|
|
|
|
2024-08-15 15:24:51 +00:00
|
|
|
def process_findings(findings, is_enhanced=False):
|
|
|
|
for finding in findings:
|
2024-08-15 15:52:57 +00:00
|
|
|
# make sure severity is an accepted value
|
|
|
|
# aws likes to use things lke "untriaged"
|
|
|
|
severity = finding["severity"]
|
|
|
|
severity_for_level = severity
|
|
|
|
if severity_for_level.lower() not in ["none", "note", "warning", "error"]:
|
|
|
|
severity_for_level = "none"
|
|
|
|
|
2024-08-15 15:24:51 +00:00
|
|
|
if is_enhanced:
|
2024-08-15 15:40:42 +00:00
|
|
|
vulnerability_id = finding["packageVulnerabilityDetails"][
|
|
|
|
"vulnerabilityId"
|
|
|
|
]
|
|
|
|
source_url = finding["packageVulnerabilityDetails"]["sourceUrl"]
|
|
|
|
vulnerable_packages = finding["packageVulnerabilityDetails"][
|
|
|
|
"vulnerablePackages"
|
|
|
|
]
|
|
|
|
cvss = finding["packageVulnerabilityDetails"]["cvss"]
|
|
|
|
base_score = None
|
|
|
|
if len(cvss) > 0:
|
|
|
|
base_score = cvss[0]["baseScore"]
|
2024-08-15 15:52:57 +00:00
|
|
|
|
2024-08-15 15:24:51 +00:00
|
|
|
rule = {
|
2024-08-15 15:40:42 +00:00
|
|
|
"id": vulnerability_id,
|
2024-08-15 15:24:51 +00:00
|
|
|
"name": "OsPackageVulnerability",
|
2024-08-15 15:40:42 +00:00
|
|
|
"shortDescription": {"text": finding["description"]},
|
|
|
|
"fullDescription": {"text": finding["description"]},
|
2024-08-15 15:52:57 +00:00
|
|
|
"defaultConfiguration": {"level": severity_for_level},
|
2024-08-15 15:40:42 +00:00
|
|
|
"helpUri": source_url,
|
2024-08-15 15:24:51 +00:00
|
|
|
"help": {
|
2024-08-15 15:52:57 +00:00
|
|
|
"text": f"Vulnerability {vulnerability_id}\nSeverity: {severity}\nPackage: {vulnerable_packages[0]['name']}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})",
|
|
|
|
"markdown": f"**Vulnerability {vulnerability_id}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{severity}|{vulnerable_packages[0]['name']}||[{vulnerability_id}]({source_url})\n\n{finding['description']}",
|
2024-08-15 12:50:22 +00:00
|
|
|
},
|
2024-08-15 15:24:51 +00:00
|
|
|
"properties": {
|
|
|
|
"precision": "very-high",
|
2024-08-15 15:40:42 +00:00
|
|
|
"security-severity": base_score,
|
2024-08-15 15:24:51 +00:00
|
|
|
"tags": [
|
|
|
|
"vulnerability",
|
|
|
|
"security",
|
2024-08-15 15:52:57 +00:00
|
|
|
severity,
|
2024-08-15 15:40:42 +00:00
|
|
|
],
|
|
|
|
},
|
2024-08-15 15:24:51 +00:00
|
|
|
}
|
|
|
|
result = {
|
2024-08-15 15:40:42 +00:00
|
|
|
"ruleId": vulnerability_id,
|
|
|
|
"ruleIndex": len(
|
|
|
|
sarif_report["runs"][0]["tool"]["driver"]["rules"]
|
|
|
|
),
|
2024-08-15 15:52:57 +00:00
|
|
|
"level": severity.lower(),
|
2024-08-15 12:50:22 +00:00
|
|
|
"message": {
|
2024-08-15 15:52:57 +00:00
|
|
|
"text": f"Package: {vulnerable_packages[0]['name']}\nInstalled Version: {vulnerable_packages[0]['version']}\nVulnerability {vulnerability_id}\nSeverity: {severity}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})"
|
2024-08-15 15:24:51 +00:00
|
|
|
},
|
|
|
|
"locations": [
|
|
|
|
{
|
|
|
|
"physicalLocation": {
|
|
|
|
"artifactLocation": {
|
|
|
|
"uri": ecr_response["repositoryName"],
|
2024-08-15 15:40:42 +00:00
|
|
|
"uriBaseId": "ROOTPATH",
|
2024-08-15 15:24:51 +00:00
|
|
|
},
|
|
|
|
"region": {
|
|
|
|
"startLine": 1,
|
|
|
|
"startColumn": 1,
|
|
|
|
"endLine": 1,
|
2024-08-15 15:40:42 +00:00
|
|
|
"endColumn": 1,
|
|
|
|
},
|
2024-08-15 15:24:51 +00:00
|
|
|
},
|
|
|
|
"message": {
|
2024-08-15 15:40:42 +00:00
|
|
|
"text": f"{ecr_response['repositoryName']}: {vulnerable_packages[0]['name']}@{vulnerable_packages[0]['version']}"
|
|
|
|
},
|
2024-08-15 15:24:51 +00:00
|
|
|
}
|
2024-08-15 15:40:42 +00:00
|
|
|
],
|
2024-08-15 15:24:51 +00:00
|
|
|
}
|
|
|
|
else:
|
|
|
|
rule = {
|
|
|
|
"id": finding["name"],
|
|
|
|
"name": "OsPackageVulnerability",
|
2024-08-15 15:40:42 +00:00
|
|
|
"shortDescription": {"text": finding["description"]},
|
|
|
|
"fullDescription": {"text": finding["description"]},
|
2024-08-15 18:33:18 +00:00
|
|
|
"defaultConfiguration": {"level": severity_for_level},
|
2024-08-15 15:24:51 +00:00
|
|
|
"helpUri": finding["uri"],
|
|
|
|
"help": {
|
2024-08-15 15:52:57 +00:00
|
|
|
"text": f"Vulnerability {finding['name']}\nSeverity: {severity}\nPackage: {finding['attributes'][1]['value']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})",
|
|
|
|
"markdown": f"**Vulnerability {finding['name']}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{severity}|{finding['attributes'][1]['value']}||[{finding['name']}]({finding['uri']})\n\n{finding['description']}",
|
2024-08-15 15:24:51 +00:00
|
|
|
},
|
|
|
|
"properties": {
|
|
|
|
"precision": "very-high",
|
|
|
|
"security-severity": finding["attributes"][3]["value"],
|
2024-08-15 15:52:57 +00:00
|
|
|
"tags": ["vulnerability", "security", severity],
|
2024-08-15 15:40:42 +00:00
|
|
|
},
|
2024-08-15 12:50:22 +00:00
|
|
|
}
|
2024-08-15 15:24:51 +00:00
|
|
|
result = {
|
|
|
|
"ruleId": finding["name"],
|
2024-08-15 15:40:42 +00:00
|
|
|
"ruleIndex": len(
|
|
|
|
sarif_report["runs"][0]["tool"]["driver"]["rules"]
|
|
|
|
),
|
2024-08-15 15:52:57 +00:00
|
|
|
"level": severity.lower(),
|
2024-08-15 15:24:51 +00:00
|
|
|
"message": {
|
2024-08-15 15:52:57 +00:00
|
|
|
"text": f"Package: {finding['attributes'][1]['value']}\nInstalled Version: {finding['attributes'][0]['value']}\nVulnerability {finding['name']}\nSeverity: {severity}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})"
|
2024-08-15 15:24:51 +00:00
|
|
|
},
|
|
|
|
"locations": [
|
|
|
|
{
|
|
|
|
"physicalLocation": {
|
|
|
|
"artifactLocation": {
|
|
|
|
"uri": ecr_response["repositoryName"],
|
2024-08-15 15:40:42 +00:00
|
|
|
"uriBaseId": "ROOTPATH",
|
2024-08-15 15:24:51 +00:00
|
|
|
},
|
|
|
|
"region": {
|
|
|
|
"startLine": 1,
|
|
|
|
"startColumn": 1,
|
|
|
|
"endLine": 1,
|
2024-08-15 15:40:42 +00:00
|
|
|
"endColumn": 1,
|
|
|
|
},
|
2024-08-15 15:24:51 +00:00
|
|
|
},
|
|
|
|
"message": {
|
|
|
|
"text": f"{ecr_response['repositoryName']}: {finding['attributes'][1]['value']}@{finding['attributes'][0]['value']}"
|
2024-08-15 15:40:42 +00:00
|
|
|
},
|
2024-08-15 15:24:51 +00:00
|
|
|
}
|
2024-08-15 15:40:42 +00:00
|
|
|
],
|
2024-08-15 15:24:51 +00:00
|
|
|
}
|
|
|
|
sarif_report["runs"][0]["tool"]["driver"]["rules"].append(rule)
|
|
|
|
sarif_report["runs"][0]["results"].append(result)
|
|
|
|
|
2024-08-15 15:40:42 +00:00
|
|
|
if (
|
|
|
|
"imageScanFindings" in ecr_response
|
|
|
|
and "findings" in ecr_response["imageScanFindings"]
|
|
|
|
):
|
2024-08-15 15:24:51 +00:00
|
|
|
process_findings(ecr_response["imageScanFindings"]["findings"])
|
|
|
|
|
2024-08-15 15:40:42 +00:00
|
|
|
if (
|
|
|
|
"imageScanFindings" in ecr_response
|
|
|
|
and "enhancedFindings" in ecr_response["imageScanFindings"]
|
|
|
|
):
|
|
|
|
process_findings(
|
|
|
|
ecr_response["imageScanFindings"]["enhancedFindings"], is_enhanced=True
|
|
|
|
)
|
2024-08-15 12:50:22 +00:00
|
|
|
|
|
|
|
return sarif_report
|
|
|
|
|
2024-08-15 15:40:42 +00:00
|
|
|
|
2024-08-15 18:47:37 +00:00
|
|
|
# hack. python's validator doesn't like the regex in the sarif schema. use a slightly simpler regex to validate language.
|
|
|
|
def update_schema_patterns(schema):
|
|
|
|
if isinstance(schema, dict):
|
|
|
|
# If the schema is a dictionary, check each key-value pair
|
|
|
|
for key, value in schema.items():
|
|
|
|
if key == "pattern" and value == "^(?i)[a-zA]{2}(-[a-z]{2})?$":
|
|
|
|
# Replace the pattern with the simplified version
|
|
|
|
schema[key] = "^[a-zA-Z]{2}(-[a-zA-Z]{2})?$"
|
|
|
|
else:
|
|
|
|
# Recursively update nested dictionaries or lists
|
|
|
|
update_schema_patterns(value)
|
|
|
|
elif isinstance(schema, list):
|
|
|
|
# If the schema is a list, update each item
|
|
|
|
for item in schema:
|
|
|
|
update_schema_patterns(item)
|
|
|
|
|
2024-08-15 12:50:22 +00:00
|
|
|
def main():
|
2024-08-15 15:46:59 +00:00
|
|
|
def load_sarif_schema(schema_path):
|
|
|
|
with open(schema_path, "r") as f:
|
|
|
|
return json.load(f)
|
|
|
|
|
2024-08-15 15:54:03 +00:00
|
|
|
def validate_sarif(sarif_report, schema):
|
2024-08-15 18:47:37 +00:00
|
|
|
update_schema_patterns(schema)
|
|
|
|
|
2024-08-15 18:33:18 +00:00
|
|
|
try:
|
|
|
|
jsonschema.validate(instance=sarif_report, schema=schema)
|
|
|
|
print("SARIF report is valid.")
|
|
|
|
except jsonschema.ValidationError as e:
|
|
|
|
print(f"SARIF report is invalid: {e.message}")
|
2024-08-15 15:54:03 +00:00
|
|
|
|
2024-08-15 15:40:42 +00:00
|
|
|
parser = argparse.ArgumentParser(
|
|
|
|
description="Convert ECR scan findings to SARIF format."
|
|
|
|
)
|
|
|
|
parser.add_argument(
|
|
|
|
"--input_file",
|
|
|
|
required=True,
|
|
|
|
help="The input JSON file with ECR scan findings.",
|
|
|
|
)
|
2024-08-15 12:50:22 +00:00
|
|
|
parser.add_argument("--output_file", required=True, help="The output SARIF file.")
|
2024-08-15 15:46:59 +00:00
|
|
|
SCHEMA_FILE_PATH = "./wait-for-ecr-scan-and-get-sarif/sarif-schema-2.1.0.json"
|
2024-08-15 12:50:22 +00:00
|
|
|
args = parser.parse_args()
|
|
|
|
|
2024-08-15 15:46:59 +00:00
|
|
|
sarif_schema = load_sarif_schema(SCHEMA_FILE_PATH)
|
|
|
|
|
2024-08-15 12:50:22 +00:00
|
|
|
with open(args.input_file, "r") as f:
|
|
|
|
ecr_response = json.load(f)
|
|
|
|
|
|
|
|
sarif_report = convert_to_sarif(ecr_response)
|
|
|
|
|
|
|
|
with open(args.output_file, "w") as f:
|
|
|
|
json.dump(sarif_report, f, indent=2)
|
|
|
|
|
2024-08-15 18:33:18 +00:00
|
|
|
validate_sarif(sarif_report, sarif_schema)
|
|
|
|
|
2024-08-15 15:40:42 +00:00
|
|
|
|
2024-08-15 12:50:22 +00:00
|
|
|
if __name__ == "__main__":
|
|
|
|
main()
|