Merge branch 'main' of github.com:sartography/github-actions-library
# Conflicts: # wait-for-ecr-scan-and-get-sarif/aws_scan_findings_to_sarif.py
commit
d3a21d9f33
|
@ -23,6 +23,13 @@ def convert_to_sarif(ecr_response):
|
||||||
|
|
||||||
def process_findings(findings, is_enhanced=False):
|
def process_findings(findings, is_enhanced=False):
|
||||||
for finding in findings:
|
for finding in findings:
|
||||||
|
# make sure severity is an accepted value
|
||||||
|
# aws likes to use things lke "untriaged"
|
||||||
|
severity = finding["severity"]
|
||||||
|
severity_for_level = severity
|
||||||
|
if severity_for_level.lower() not in ["none", "note", "warning", "error"]:
|
||||||
|
severity_for_level = "none"
|
||||||
|
|
||||||
if is_enhanced:
|
if is_enhanced:
|
||||||
vulnerability_id = finding["packageVulnerabilityDetails"][
|
vulnerability_id = finding["packageVulnerabilityDetails"][
|
||||||
"vulnerabilityId"
|
"vulnerabilityId"
|
||||||
|
@ -35,16 +42,17 @@ def convert_to_sarif(ecr_response):
|
||||||
base_score = None
|
base_score = None
|
||||||
if len(cvss) > 0:
|
if len(cvss) > 0:
|
||||||
base_score = cvss[0]["baseScore"]
|
base_score = cvss[0]["baseScore"]
|
||||||
|
|
||||||
rule = {
|
rule = {
|
||||||
"id": vulnerability_id,
|
"id": vulnerability_id,
|
||||||
"name": "OsPackageVulnerability",
|
"name": "OsPackageVulnerability",
|
||||||
"shortDescription": {"text": finding["description"]},
|
"shortDescription": {"text": finding["description"]},
|
||||||
"fullDescription": {"text": finding["description"]},
|
"fullDescription": {"text": finding["description"]},
|
||||||
"defaultConfiguration": {"level": finding["severity"].lower()},
|
"defaultConfiguration": {"level": severity_for_level},
|
||||||
"helpUri": source_url,
|
"helpUri": source_url,
|
||||||
"help": {
|
"help": {
|
||||||
"text": f"Vulnerability {vulnerability_id}\nSeverity: {finding['severity']}\nPackage: {vulnerable_packages[0]['name']}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})",
|
"text": f"Vulnerability {vulnerability_id}\nSeverity: {severity}\nPackage: {vulnerable_packages[0]['name']}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})",
|
||||||
"markdown": f"**Vulnerability {vulnerability_id}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{finding['severity']}|{vulnerable_packages[0]['name']}||[{vulnerability_id}]({source_url})\n\n{finding['description']}",
|
"markdown": f"**Vulnerability {vulnerability_id}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{severity}|{vulnerable_packages[0]['name']}||[{vulnerability_id}]({source_url})\n\n{finding['description']}",
|
||||||
},
|
},
|
||||||
"properties": {
|
"properties": {
|
||||||
"precision": "very-high",
|
"precision": "very-high",
|
||||||
|
@ -52,7 +60,7 @@ def convert_to_sarif(ecr_response):
|
||||||
"tags": [
|
"tags": [
|
||||||
"vulnerability",
|
"vulnerability",
|
||||||
"security",
|
"security",
|
||||||
finding["severity"],
|
severity,
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -61,9 +69,9 @@ def convert_to_sarif(ecr_response):
|
||||||
"ruleIndex": len(
|
"ruleIndex": len(
|
||||||
sarif_report["runs"][0]["tool"]["driver"]["rules"]
|
sarif_report["runs"][0]["tool"]["driver"]["rules"]
|
||||||
),
|
),
|
||||||
"level": finding["severity"].lower(),
|
"level": severity.lower(),
|
||||||
"message": {
|
"message": {
|
||||||
"text": f"Package: {vulnerable_packages[0]['name']}\nInstalled Version: {vulnerable_packages[0]['version']}\nVulnerability {vulnerability_id}\nSeverity: {finding['severity']}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})"
|
"text": f"Package: {vulnerable_packages[0]['name']}\nInstalled Version: {vulnerable_packages[0]['version']}\nVulnerability {vulnerability_id}\nSeverity: {severity}\nFixed Version: \nLink: [{vulnerability_id}]({source_url})"
|
||||||
},
|
},
|
||||||
"locations": [
|
"locations": [
|
||||||
{
|
{
|
||||||
|
@ -91,16 +99,16 @@ def convert_to_sarif(ecr_response):
|
||||||
"name": "OsPackageVulnerability",
|
"name": "OsPackageVulnerability",
|
||||||
"shortDescription": {"text": finding["description"]},
|
"shortDescription": {"text": finding["description"]},
|
||||||
"fullDescription": {"text": finding["description"]},
|
"fullDescription": {"text": finding["description"]},
|
||||||
"defaultConfiguration": {"level": finding["severity"].lower()},
|
"defaultConfiguration": {"level": severity.lower()},
|
||||||
"helpUri": finding["uri"],
|
"helpUri": finding["uri"],
|
||||||
"help": {
|
"help": {
|
||||||
"text": f"Vulnerability {finding['name']}\nSeverity: {finding['severity']}\nPackage: {finding['attributes'][1]['value']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})",
|
"text": f"Vulnerability {finding['name']}\nSeverity: {severity}\nPackage: {finding['attributes'][1]['value']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})",
|
||||||
"markdown": f"**Vulnerability {finding['name']}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{finding['severity']}|{finding['attributes'][1]['value']}||[{finding['name']}]({finding['uri']})\n\n{finding['description']}",
|
"markdown": f"**Vulnerability {finding['name']}**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|{severity}|{finding['attributes'][1]['value']}||[{finding['name']}]({finding['uri']})\n\n{finding['description']}",
|
||||||
},
|
},
|
||||||
"properties": {
|
"properties": {
|
||||||
"precision": "very-high",
|
"precision": "very-high",
|
||||||
"security-severity": finding["attributes"][3]["value"],
|
"security-severity": finding["attributes"][3]["value"],
|
||||||
"tags": ["vulnerability", "security", finding["severity"]],
|
"tags": ["vulnerability", "security", severity],
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
result = {
|
result = {
|
||||||
|
@ -108,9 +116,9 @@ def convert_to_sarif(ecr_response):
|
||||||
"ruleIndex": len(
|
"ruleIndex": len(
|
||||||
sarif_report["runs"][0]["tool"]["driver"]["rules"]
|
sarif_report["runs"][0]["tool"]["driver"]["rules"]
|
||||||
),
|
),
|
||||||
"level": finding["severity"].lower(),
|
"level": severity.lower(),
|
||||||
"message": {
|
"message": {
|
||||||
"text": f"Package: {finding['attributes'][1]['value']}\nInstalled Version: {finding['attributes'][0]['value']}\nVulnerability {finding['name']}\nSeverity: {finding['severity']}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})"
|
"text": f"Package: {finding['attributes'][1]['value']}\nInstalled Version: {finding['attributes'][0]['value']}\nVulnerability {finding['name']}\nSeverity: {severity}\nFixed Version: \nLink: [{finding['name']}]({finding['uri']})"
|
||||||
},
|
},
|
||||||
"locations": [
|
"locations": [
|
||||||
{
|
{
|
||||||
|
@ -153,12 +161,10 @@ def convert_to_sarif(ecr_response):
|
||||||
|
|
||||||
|
|
||||||
def main():
|
def main():
|
||||||
|
|
||||||
def load_sarif_schema(schema_path):
|
def load_sarif_schema(schema_path):
|
||||||
with open(schema_path, "r") as f:
|
with open(schema_path, "r") as f:
|
||||||
return json.load(f)
|
return json.load(f)
|
||||||
|
|
||||||
|
|
||||||
def validate_sarif(sarif_report, schema):
|
def validate_sarif(sarif_report, schema):
|
||||||
try:
|
try:
|
||||||
jsonschema.validate(instance=sarif_report, schema=schema)
|
jsonschema.validate(instance=sarif_report, schema=schema)
|
||||||
|
|
|
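Review bot: The `severity_for_level` normalization added at the top of `process_findings` is only consumed by the enhanced rule's `"defaultConfiguration": {"level": severity_for_level}`; the other three `level` sites in this file — the enhanced result (`"level": severity.lower()` in the `@@ -61,9 +69,9` hunk) and both the rule and the result of the non-enhanced branch (`@@ -91` and `@@ -108` hunks) — still emit the raw severity, so an ECR value such as UNTRIAGED lands in the report as `"untriaged"`, which is outside SARIF's `level` enum (none/note/warning/error), and the fixture changed in this same commit now pins exactly that output. The allow-list itself also only contains SARIF level names, so if ECR reports its usual CRITICAL/HIGH/MEDIUM/LOW/INFORMATIONAL/UNTRIAGED strings (worth confirming against real scan output), none of them match and every rule is downgraded to `none`, which throws away the severity that code-scanning consumers use to prioritise. I would replace the list check with an explicit severity-to-level mapping, use its result at all four `level` keys, and keep `severity` for the human-readable text and tags; the fixture's `"level"` values then need to follow the mapping rather than the raw string. `process_findings` starts in the first hunk and its body continues between and beyond the hunks shown here.
```python
# Assumed ECR severity vocabulary — confirm against real scan output.
SEVERITY_TO_SARIF_LEVEL = {
    "critical": "error",
    "high": "error",
    "medium": "warning",
    "low": "note",
    "informational": "note",
}


def sarif_level_for(severity):
    """Map an ECR severity string onto the SARIF level enum; unknown or untriaged -> 'none'."""
    return SEVERITY_TO_SARIF_LEVEL.get(str(severity).lower(), "none")


def process_findings(findings, is_enhanced=False):
    for finding in findings:
        severity = finding["severity"]
        severity_for_level = sarif_level_for(severity)
        # … unchanged: rule/result construction, using severity_for_level at every "level" key …
```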
@ -107,7 +107,7 @@
|
||||||
{
|
{
|
||||||
"ruleId": "CVE-2024-4603",
|
"ruleId": "CVE-2024-4603",
|
||||||
"ruleIndex": 0,
|
"ruleIndex": 0,
|
||||||
"level": "none",
|
"level": "untriaged",
|
||||||
"message": {
|
"message": {
|
||||||
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-4603\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-4603](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4603.html)"
|
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-4603\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-4603](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4603.html)"
|
||||||
},
|
},
|
||||||
|
@ -134,7 +134,7 @@
|
||||||
{
|
{
|
||||||
"ruleId": "CVE-2024-5535",
|
"ruleId": "CVE-2024-5535",
|
||||||
"ruleIndex": 1,
|
"ruleIndex": 1,
|
||||||
"level": "none",
|
"level": "untriaged",
|
||||||
"message": {
|
"message": {
|
||||||
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-5535\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-5535](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-5535.html)"
|
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-5535\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-5535](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-5535.html)"
|
||||||
},
|
},
|
||||||
|
@ -161,7 +161,7 @@
|
||||||
{
|
{
|
||||||
"ruleId": "CVE-2024-2511",
|
"ruleId": "CVE-2024-2511",
|
||||||
"ruleIndex": 2,
|
"ruleIndex": 2,
|
||||||
"level": "none",
|
"level": "untriaged",
|
||||||
"message": {
|
"message": {
|
||||||
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-2511\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-2511](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-2511.html)"
|
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-2511\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-2511](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-2511.html)"
|
||||||
},
|
},
|
||||||
|
@ -188,7 +188,7 @@
|
||||||
{
|
{
|
||||||
"ruleId": "CVE-2024-4741",
|
"ruleId": "CVE-2024-4741",
|
||||||
"ruleIndex": 3,
|
"ruleIndex": 3,
|
||||||
"level": "none",
|
"level": "untriaged",
|
||||||
"message": {
|
"message": {
|
||||||
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-4741\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-4741](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4741.html)"
|
"text": "Package: libssl3t64\nInstalled Version: 3.0.13\nVulnerability CVE-2024-4741\nSeverity: UNTRIAGED\nFixed Version: \nLink: [CVE-2024-4741](https://people.canonical.com/~ubuntu-security/cve/2024/CVE-2024-4741.html)"
|
||||||
},
|
},
|
||||||
|
|