Trivy: Improve package path parsing behavior (#9235)

* 🐛 fix issue #9234 * retrigger failed pipeline with additional unittest
DefectDojo · Dec 29, 2023 · 957a37d · 957a37d
1 parent 775d75c
commit 957a37d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 12 deletions.
diff --git a/dojo/tools/trivy/parser.py b/dojo/tools/trivy/parser.py
@@ -179,7 +179,14 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                             severity = TRIVY_SEVERITIES[vuln["Severity"]]
                     else:
                         severity = TRIVY_SEVERITIES[vuln["Severity"]]
-                    file_path = vuln.get("PkgPath")
+                    if target_class == "os-pkgs" or target_class == "lang-pkgs":
+                        file_path = vuln.get("PkgPath")
+                        if file_path is None:
+                            file_path = target_target
+                    elif target_class == "config":
+                        file_path = target_target
+                    else:
+                        file_path = None
                 except KeyError as exc:
                     logger.warning("skip vulnerability due %r", exc)
                     continue

diff --git a/unittests/tools/test_trivy_parser.py b/unittests/tools/test_trivy_parser.py
@@ -41,9 +41,7 @@ def test_scheme_2_many_vulns(self):
         test_file = open(sample_path("scheme_2_many_vulns.json"))
         parser = TrivyParser()
         findings = parser.get_findings(test_file, Test())
-
         self.assertEqual(len(findings), 5)
-
         finding = findings[0]
         self.assertEqual("Medium", finding.severity)
         self.assertEqual('CVE-2020-15999 freetype 2.9.1-r2', finding.title)
@@ -59,7 +57,6 @@ def test_scheme_2_many_vulns(self):
         self.assertEqual('CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H', finding.cvssv3)
         self.assertTrue(finding.static_finding)
         self.assertFalse(finding.dynamic_finding)
-
         finding = findings[1]
         self.assertEqual("High", finding.severity)
         self.assertEqual('CVE-2020-28196 krb5-libs 1.15.5-r0', finding.title)
@@ -80,9 +77,7 @@ def test_misconfigurations_and_secrets(self):
         test_file = open(sample_path("misconfigurations_and_secrets.json"))
         parser = TrivyParser()
         findings = parser.get_findings(test_file, Test())
-
         self.assertEqual(len(findings), 5)
-
         finding = findings[2]
         self.assertEqual('DS002 - Image user should not be \'root\'', finding.title)
         self.assertEqual('High', finding.severity)
@@ -98,7 +93,6 @@ def test_misconfigurations_and_secrets(self):
 https://docs.docker.com/develop/develop-images/dockerfile_best-practices/'''
         self.assertEqual(references, finding.references)
         self.assertEqual(['config', 'dockerfile'], finding.tags)
-
         finding = findings[3]
         self.assertEqual('Secret detected in Dockerfile - GitHub Personal Access Token', finding.title)
         self.assertEqual('Critical', finding.severity)
@@ -115,9 +109,7 @@ def test_kubernetes(self):
         test_file = open(sample_path("kubernetes.json"))
         parser = TrivyParser()
         findings = parser.get_findings(test_file, Test())
-
         self.assertEqual(len(findings), 20)
-
         finding = findings[0]
         self.assertEqual('CVE-2020-27350 apt 1.8.2.1', finding.title)
         self.assertEqual('Medium', finding.severity)
@@ -136,7 +128,7 @@ def test_kubernetes(self):
         self.assertEqual('apt', finding.component_name)
         self.assertEqual('1.8.2.1', finding.component_version)
         self.assertEqual('default / Deployment / redis-follower', finding.service)
-
+        self.assertEqual(finding.file_path, "gcr.io/google_samples/gb-redis-follower:v2 (debian 10.4)")
         finding = findings[5]
         self.assertEqual('CVE-2020-27350 apt 1.8.2.1', finding.title)
         self.assertEqual('Medium', finding.severity)
@@ -155,7 +147,6 @@ def test_kubernetes(self):
         self.assertEqual('apt', finding.component_name)
         self.assertEqual('1.8.2.1', finding.component_version)
         self.assertEqual('default / Deployment / redis-leader', finding.service)
-
         finding = findings[10]
         self.assertEqual('KSV001 - Process can elevate its own privileges', finding.title)
         self.assertEqual('Medium', finding.severity)
@@ -189,7 +180,6 @@ def test_license_scheme(self):
         test_file = open(sample_path("license_scheme.json"))
         parser = TrivyParser()
         findings = parser.get_findings(test_file, Test())
-
         self.assertEqual(len(findings), 19)
         finding = findings[0]
         self.assertEqual("High", finding.severity)
@@ -209,6 +199,7 @@ def test_issue_9092(self):
         self.assertEqual(len(findings), 1)
         finding = findings[0]
         self.assertEqual("Critical", finding.severity)
+        self.assertEqual(finding.file_path, "requirements.txt")
 
     def test_issue_9170(self):
         test_file = open(sample_path("issue_9170.json"))
@@ -217,3 +208,4 @@ def test_issue_9170(self):
         self.assertEqual(len(findings), 37)
         finding = findings[0]
         self.assertEqual("Low", finding.severity)
+        self.assertEqual("KSV116 - Runs with a root primary or supplementary GID", finding.title)