How to get full list of affected digest for ACR vulnerability via REST API? #64
Comments
zhongyi-zhang
changed the title
|
Hello @zhongyi-zhang , SubAssessments API is yet to support resource filtering. You can use this guide as a reference for Image scan findings extraction using ARG query API. |
|
Hi @wtomw, thanks for the points! Appreciate it! The guide is very helpful. I can get the data what I expect to get. The only problem is that, it can return at most 1000 rows. That's fine. I'd like to remediate the vulnerability one by one until all of them resolved... |
|
Hi @zhongyi-zhang, As for ARG REST API permissions requirements you can read more here, which should be correlated to Azure Security Center permissions requirements where you can read more on in here. |
|
@wtomw thanks for the prompt reply! |
|
@zhongyi-zhang |
|
@wtomw yes, I even tried adding the same option Then I got: No "$skipToken" returned. This is my script: |
|
@wtomw is there any update/ETA for a a reasonable REST API to obtain findings for a given image Id ? I am looking for something that's similar to https://docs.aws.amazon.com/cli/latest/reference/ecr/describe-image-scan-findings.html |
|
@gadinaor, the way to extract specific image findings is using Azure resource graph (ARG) resource query API. You can use this guide as a reference for Image scan findings extraction using ARG query API. Unfortunately, currently there is no support for filtering a specific image using the Sub Assessment REST API. |
|
@wtomw so, I am down this rabbit 🐇 hole ... and the ARG query I have based on the guide you shared doesn't return the package name as a structured field (see info below) - am I missing anything? if not, what's the plan to add this field to the returned object? My query: here's the properties object returned from this query: {
"description": "Debian has released security update for systemd to fix the vulnerabilities.<P>",
"displayName": "Debian Security Update for systemd",
"resourceDetails": {
"source": "Azure",
"id": "/repositories/myrepo/manyvuln/images/sha256:4343f035d365cc3968f4276e712dbb42908de6f5538611668b03b7b69c142593"
},
"additionalData": {
"assessedResourceType": "ContainerRegistryVulnerability",
"vendorReferences": [
{
"title": "CVE-2018-1049",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-1049"
},
{
"title": "CVE-2018-15686",
"link": "https://security-tracker.debian.org/tracker/CVE-2018-15686"
}
],
"publishedTime": "2019-05-06T10:54:00.0000000Z",
"patchable": true,
"type": "Vulnerability",
"cvss": {
"2.0": {
"base": 10
},
"3.0": {
"base": 9.8
}
},
"cve": [
{
"title": "CVE-2018-1049",
"link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1049"
},
{
"title": "CVE-2018-15686",
"link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686"
}
],
"repositoryName": "myrepo/manyvuln",
"registryHost": "myregistry.azurecr.io",
"imageDigest": "sha256:4343f035d365cc3968f4276e712dbb42908de6f5538611668b03b7b69c142593"
},
"status": {
"severity": "High",
"code": "Unhealthy"
},
"timeGenerated": "2020-10-17T07:35:03.4900000Z",
"remediation": "Refer to <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">Debian 9 - CVE-2018-15686</A> and <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-1049\" TARGET=\"_blank\">Debian 9 - CVE-2018-1049</A> to address this issue and obtain further details.\n<P>Patch:<BR>\nFollowing are links for downloading patches to fix the vulnerabilities:\n<P> <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">CVE-2018-15686: Debian</A><P> <A HREF=\"https://security-tracker.debian.org/tracker/https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">CVE-2018-1049: Debian</A>",
"category": "Debian",
"id": "176875",
"impact": "This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability."
} |
|
@gadinaor, what do you mean by package name? which property is missing? |
|
@wtomw in the example above ... the findings are on systemd package - it’s noted in the description field , however there is no field in the properties that this information is available . Normally - the information includes the vulnerable package name and vulnerable package version |
|
@gadinaor, Currently there is no property in the SubAssessment object that reflects the specific package the vulnerability is related to. |
|
Knowing the specific package and version the vulnerability was found for in a container image is a crucial piece of information so that you can address the vulnerability. Are there any plans to add this information to the SubAssessment Object? |
|
@sean-keane25, the package details are available in finding's description. Currently we don't have a dedicated property for package version. |
|
@wtomw - is there an open issue for this ? or shall I create one? |
|
@sean-keane25, are you referring perhaps to specifying the layer of which the finds were found on? if so, this is in our plans, no ETA at the moment. |
|
@gadinaor, you can add dedicated affected package property as a feature request. |
In Portal, I can see the full list of an ACR vulnerability like above.
I tried this API: https://docs.microsoft.com/en-us/rest/api/securitycenter/subassessments/list
For each vulnerability in one repo, it returns only one digest.
It is important to get the full list for our team. Could you guide me how to do this? Thanks a bunch!
The text was updated successfully, but these errors were encountered: