Add vulnerability class to the report (#565)

This commit adds the vulnarability class (`os-pkgs` or `lang-pkgs`) to the report so that it becomes possible to identify vulnarabilies based on this. Fixes #564
aquasecurity · Oct 19, 2022 · 2a440e3 · 2a440e3
1 parent 434dad9
commit 2a440e3
Show file tree

Hide file tree

Showing 8 changed files with 46 additions and 30 deletions.
diff --git a/deploy/crd/aquasecurity.github.io_vulnerabilityreports.yaml b/deploy/crd/aquasecurity.github.io_vulnerabilityreports.yaml
@@ -176,6 +176,8 @@ spec:
                 items:
                   description: Vulnerability is the spec for a vulnerability record.
                   properties:
+                    class:
+                      type: string
                     cvss:
                       additionalProperties:
                         properties:

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -175,7 +175,7 @@ trivy:
   mode: Standalone
 
   # additionalVulnerabilityReportFields is a comma separated list of additional fields which
-  # can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS and Target
+  # can be added to the VulnerabilityReport. Supported parameters: Description, Links, CVSS, Target and Class
   additionalVulnerabilityReportFields: ""
 
   # httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub.

diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
@@ -1074,6 +1074,8 @@ spec:
                 items:
                   description: Vulnerability is the spec for a vulnerability record.
                   properties:
+                    class:
+                      type: string
                     cvss:
                       additionalProperties:
                         properties:

diff --git a/docs/vulnerability-scanning/trivy.md b/docs/vulnerability-scanning/trivy.md
diff --git a/pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go b/pkg/apis/aquasecurity/v1alpha1/vulnerability_types.go
@@ -88,6 +88,8 @@ type Vulnerability struct {
 	Target string `json:"target"`
 	//+optional
 	CVSS types.VendorCVSS `json:"cvss,omitempty"`
+	//+optional
+	Class string `json:"class"`
 }
 
 //+kubebuilder:object:root=true

diff --git a/pkg/plugins/trivy/model.go b/pkg/plugins/trivy/model.go
@@ -7,6 +7,7 @@ import (
 
 type ScanResult struct {
 	Target          string          `json:"Target"`
+	Class           string          `json:"Class"`
 	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
 	Secrets         []Secret        `json:"Secrets"`
 }
@@ -28,6 +29,7 @@ type Vulnerability struct {
 	References       []string          `json:"References"`
 	CVSS             types.VendorCVSS  `json:"CVSS"`
 	Target           string            `json:"Target"`
+	Class            string            `json:"Class"`
 }
 
 type CVSS struct {

diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
@@ -104,6 +104,7 @@ type AdditionalFields struct {
 	Links       bool
 	CVSS        bool
 	Target      bool
+	Class       bool
 }
 
 // Config defines configuration params for this plugin.
@@ -132,6 +133,9 @@ func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields {
 		if field == "Target" {
 			addFields.Target = true
 		}
+		if field == "Class" {
+			addFields.Class = true
+		}
 	}
 
 	return addFields
@@ -1476,6 +1480,9 @@ func getVulnerabilitiesFromScanResult(report ScanResult, addFields AdditionalFie
 		if addFields.Target {
 			vulnerability.Target = report.Target
 		}
+		if addFields.Class {
+			vulnerability.Class = report.Class
+		}
 
 		vulnerabilities = append(vulnerabilities, vulnerability)
 	}

diff --git a/pkg/webhook/webhookreporter_test.go b/pkg/webhook/webhookreporter_test.go
@@ -23,7 +23,7 @@ func Test_sendReports(t *testing.T) {
 	}{
 		{
 			name: "happy path, vuln report data",
-			want: `{"metadata":{"creationTimestamp":null},"report":{"updateTimestamp":null,"scanner":{"name":"","vendor":"","version":""},"registry":{"server":""},"artifact":{"repository":""},"summary":{"criticalCount":0,"highCount":0,"mediumCount":0,"lowCount":0,"unknownCount":0,"noneCount":0},"vulnerabilities":[{"vulnerabilityID":"CVE-2022-1234","resource":"","installedVersion":"1.2.3","fixedVersion":"3.4.5","severity":"CRITICAL","title":"foo bar very baz","links":null,"target":""}]}}`,
+			want: `{"metadata":{"creationTimestamp":null},"report":{"updateTimestamp":null,"scanner":{"name":"","vendor":"","version":""},"registry":{"server":""},"artifact":{"repository":""},"summary":{"criticalCount":0,"highCount":0,"mediumCount":0,"lowCount":0,"unknownCount":0,"noneCount":0},"vulnerabilities":[{"vulnerabilityID":"CVE-2022-1234","resource":"","installedVersion":"1.2.3","fixedVersion":"3.4.5","severity":"CRITICAL","title":"foo bar very baz","links":null,"target":"","class":"os-pkgs"}]}}`,
 			inputReport: v1alpha1.VulnerabilityReport{
 				Report: v1alpha1.VulnerabilityReportData{
 					Vulnerabilities: []v1alpha1.Vulnerability{
@@ -33,6 +33,7 @@ func Test_sendReports(t *testing.T) {
 							FixedVersion:     "3.4.5",
 							Severity:         "CRITICAL",
 							Title:            "foo bar very baz",
+							Class:            "os-pkgs",
 						},
 					},
 				},