sartography
/
github-actions-library
mirror of https://github.com/sartography/github-actions-library.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:sartography/github-actions-library 

# Conflicts:
#	wait-for-ecr-scan-and-get-sarif/aws_scan_findings_to_sarif.py
This commit is contained in:
burnettk 2024-08-15 11:54:58 -04:00
parent 72e5ae694a 10ac219858
commit d3a21d9f33
No known key found for this signature in database
2 changed files with 24 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
wait-for-ecr-scan-and-get-sarif/aws_scan_findings_to_sarif.py
View File

@ -23,6 +23,13 @@ def convert_to_sarif(ecr_response):
def process_findings(findings, is_enhanced=False): def process_findings(findings, is_enhanced=False):
for finding in findings: for finding in findings:
# make sure severity is an accepted value
# aws likes to use things lke "untriaged"
severity = finding["severity"]
severity_for_level = severity
if severity_for_level.lower() not in ["none", "note", "warning", "error"]:
severity_for_level = "none"
if is_enhanced: if is_enhanced:
vulnerability_id = finding["packageVulnerabilityDetails"][ vulnerability_id = finding["packageVulnerabilityDetails"][
"vulnerabilityId" "vulnerabilityId"
@ -35,16 +42,17 @@ def convert_to_sarif(ecr_response):
base_score = None base_score = None
if len(cvss) > 0: if len(cvss) > 0:
base_score = cvss[0]["baseScore"] base_score = cvss[0]["baseScore"]
rule = { rule = {
"id": vulnerability_id, "id": vulnerability_id,
"name": "OsPackageVulnerability", "name": "OsPackageVulnerability",
"shortDescription": {"text": finding["description"]}, "shortDescription": {"text": finding["description"]},
"fullDescription": {"text": finding["description"]}, "fullDescription": {"text": finding["description"]},
"defaultConfiguration": {"level": finding["severity"].lower()}, "defaultConfiguration": {"level": severity_for_level},
"helpUri": source_url, "helpUri": source_url,
"help": { "help": {
"text": f"Vulnerability {vulnerability_id}\nSeverity: {finding['severity']}\nPackage: {vulnerable_packages[0]['name']}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})", "text": f"Vulnerability {vulnerability_id}\nSeverity: {severity}\nPackage: {vulnerable_packages[0]['name']}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})",
"markdown": f"**Vulnerability {vulnerability_id}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{finding['severity']}|{vulnerable_packages[0]['name']}||[{vulnerability_id}]({source_url})\n\n{finding['description']}", "markdown": f"**Vulnerability {vulnerability_id}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{severity}|{vulnerable_packages[0]['name']}||[{vulnerability_id}]({source_url})\n\n{finding['description']}",
}, },
"properties": { "properties": {
"precision": "very-high", "precision": "very-high",
@ -52,7 +60,7 @@ def convert_to_sarif(ecr_response):
"tags": [ "tags": [
"vulnerability", "vulnerability",
"security", "security",
finding["severity"], severity,
], ],
}, },
} }
@ -61,9 +69,9 @@ def convert_to_sarif(ecr_response):
"ruleIndex": len( "ruleIndex": len(
sarif_report["runs"][0]["tool"]["driver"]["rules"] sarif_report["runs"][0]["tool"]["driver"]["rules"]
), ),
"level": finding["severity"].lower(), "level": severity.lower(),
"message": { "message": {
"text": f"Package: {vulnerable_packages[0]['name']}\nInstalled Version: {vulnerable_packages[0]['version']}\nVulnerability {vulnerability_id}\nSeverity: {finding['severity']}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})" "text": f"Package: {vulnerable_packages[0]['name']}\nInstalled Version: {vulnerable_packages[0]['version']}\nVulnerability {vulnerability_id}\nSeverity: {severity}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})"
}, },
"locations": [ "locations": [
{ {
@ -91,16 +99,16 @@ def convert_to_sarif(ecr_response):
"name": "OsPackageVulnerability", "name": "OsPackageVulnerability",
"shortDescription": {"text": finding["description"]}, "shortDescription": {"text": finding["description"]},
"fullDescription": {"text": finding["description"]}, "fullDescription": {"text": finding["description"]},
"defaultConfiguration": {"level": finding["severity"].lower()}, "defaultConfiguration": {"level": severity.lower()},
"helpUri": finding["uri"], "helpUri": finding["uri"],
"help": { "help": {
"text": f"Vulnerability {finding['name']}\nSeverity: {finding['severity']}\nPackage: {finding['attributes'][1]['value']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})", "text": f"Vulnerability {finding['name']}\nSeverity: {severity}\nPackage: {finding['attributes'][1]['value']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})",
"markdown": f"**Vulnerability {finding['name']}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{finding['severity']}|{finding['attributes'][1]['value']}||[{finding['name']}]({finding['uri']})\n\n{finding['description']}", "markdown": f"**Vulnerability {finding['name']}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{severity}|{finding['attributes'][1]['value']}||[{finding['name']}]({finding['uri']})\n\n{finding['description']}",
}, },
"properties": { "properties": {
"precision": "very-high", "precision": "very-high",
"security-severity": finding["attributes"][3]["value"], "security-severity": finding["attributes"][3]["value"],
"tags": ["vulnerability", "security", finding["severity"]], "tags": ["vulnerability", "security", severity],
}, },
} }
result = { result = {
@ -108,9 +116,9 @@ def convert_to_sarif(ecr_response):
"ruleIndex": len( "ruleIndex": len(
sarif_report["runs"][0]["tool"]["driver"]["rules"] sarif_report["runs"][0]["tool"]["driver"]["rules"]
), ),
"level": finding["severity"].lower(), "level": severity.lower(),
"message": { "message": {
"text": f"Package: {finding['attributes'][1]['value']}\nInstalled Version: {finding['attributes'][0]['value']}\nVulnerability {finding['name']}\nSeverity: {finding['severity']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})" "text": f"Package: {finding['attributes'][1]['value']}\nInstalled Version: {finding['attributes'][0]['value']}\nVulnerability {finding['name']}\nSeverity: {severity}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})"
}, },
"locations": [ "locations": [
{ {
@ -153,12 +161,10 @@ def convert_to_sarif(ecr_response):
def main(): def main():
def load_sarif_schema(schema_path): def load_sarif_schema(schema_path):
with open(schema_path, "r") as f: with open(schema_path, "r") as f:
return json.load(f) return json.load(f)
def validate_sarif(sarif_report, schema): def validate_sarif(sarif_report, schema):
try: try:
jsonschema.validate(instance=sarif_report, schema=schema) jsonschema.validate(instance=sarif_report, schema=schema)

8
wait-for-ecr-scan-and-get-sarif/tests/expected_ubuntu_unit_test_output.json
View File

@ -107,7 +107,7 @@
{ {
"ruleId": "CVE-2024-4603", "ruleId": "CVE-2024-4603",
"ruleIndex": 0, "ruleIndex": 0,
"level": "none", "level": "untriaged",
"message": { "message": {
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-4603\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-4603](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4603.html)" "text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-4603\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-4603](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4603.html)"
}, },
@ -134,7 +134,7 @@
{ {
"ruleId": "CVE-2024-5535", "ruleId": "CVE-2024-5535",
"ruleIndex": 1, "ruleIndex": 1,
"level": "none", "level": "untriaged",
"message": { "message": {
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-5535\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-5535](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-5535.html)" "text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-5535\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-5535](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-5535.html)"
}, },
@ -161,7 +161,7 @@
{ {
"ruleId": "CVE-2024-2511", "ruleId": "CVE-2024-2511",
"ruleIndex": 2, "ruleIndex": 2,
"level": "none", "level": "untriaged",
"message": { "message": {
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-2511\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-2511](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-2511.html)" "text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-2511\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-2511](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-2511.html)"
}, },
@ -188,7 +188,7 @@
{ {
"ruleId": "CVE-2024-4741", "ruleId": "CVE-2024-4741",
"ruleIndex": 3, "ruleIndex": 3,
"level": "none", "level": "untriaged",
"message": { "message": {
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-4741\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-4741](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4741.html)" "text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-4741\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-4741](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4741.html)"
}, },