# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|trivy|compliancecow|-|This control assesses container image vulnerabilities using the Trivy CLI by evaluating the overall security posture and compliance of the container images based on vulnerability data retrieved from the CLI output.|

```
RecommendedEvidenceName:
TrivyContainerScannerReport
```

**Reference:**
- https://aquasecurity.github.io/trivy/v0.54/docs/advanced/private-registries/
- https://aquasecurity.github.io/trivy/v0.54/docs/
- https://learn.microsoft.com/en-us/rest/api/containerregistry/registries/get?view=rest-containerregistry-2023-01-01-preview&tabs=HTTP

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

## Step 2a: IncludeCriteria and ExcludeCriteria

1. **Understanding IncludeCriteria and ExcludeCriteria:**
   - `IncludeCriteria` and `ExcludeCriteria` are used to filter projects for analysis.
   - They specify which projects are included in or excluded from the scan.
2. **Default Values Handling:**
   - If the user does not provide any input for `IncludeCriteria` or `ExcludeCriteria`, default values are used.
   - The default values ensure that all relevant projects are included unless explicitly excluded.
3. **Using IncludeCriteria:**
   - Example: `registry/registry1/repo/repo1/tag/latest`, `registry/registry1/repo/repo1/tag/*`, `registry/registry1/repo/*/tag/*`
   - This includes the specified repositories and tags in the scan.
4. **Using ExcludeCriteria:**
   - Example: `registry/registry1/repo/repo1/tag/latest`
   - This excludes the specified repositories and tags from the scan.
5. **Exact Match Requirement:**
   - Criteria matching is case-sensitive and requires an exact match unless wildcards are used.
   - Invalid paths in `ExcludeCriteria` do not affect valid `IncludeCriteria` entries.
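The following is an added example (not part of the original rule or the ComplianceCow code base) showing how the five points above can be applied to a list of image references. It assumes that `*` stands for exactly one path segment, that the "include everything" default is `registry/*/repo/*/tag/*`, and that a malformed criterion is reported and ignored rather than failing the whole filter; the image references are constructed.

```python
import re

# Constructed image references, written in the page's criteria form
# registry/<registry>/repo/<repository>/tag/<tag>. None of these are real images.
IMAGE_REFS = [
    "registry/registry1/repo/repo1/tag/latest",
    "registry/registry1/repo/repo1/tag/v1.2",
    "registry/registry1/repo/repo2/tag/latest",
    "registry/registry2/repo/repo1/tag/latest",
    "registry/Registry1/repo/repo1/tag/latest",  # differs from the first only by case
]

# Assumed defaults: include every registry/repo/tag, exclude nothing.
DEFAULT_INCLUDE = ["registry/*/repo/*/tag/*"]
DEFAULT_EXCLUDE = []

SEGMENT_LABELS = ("registry", "repo", "tag")


def is_valid_criterion(criterion):
    """A criterion must have exactly the six segments registry/x/repo/y/tag/z, none empty."""
    parts = criterion.split("/")
    return len(parts) == 6 and all(parts) and tuple(parts[0::2]) == SEGMENT_LABELS


def criterion_regex(criterion):
    """Compile a criterion to a case-sensitive, full-match regex.
    Assumption: '*' stands for one whole path segment; everything else is literal."""
    pieces = ["[^/]+" if p == "*" else re.escape(p) for p in criterion.split("/")]
    return re.compile("^" + "/".join(pieces) + "$")


def select_images(refs, include=None, exclude=None):
    """Return (selected, ignored_criteria).

    A reference is selected when some valid include criterion matches it and no
    valid exclude criterion does. Malformed criteria are listed in ignored_criteria
    and have no effect on the others, so a bad ExcludeCriteria entry cannot
    silently widen or narrow a valid IncludeCriteria entry.
    """
    include = include or DEFAULT_INCLUDE
    exclude = exclude or DEFAULT_EXCLUDE
    ignored = [c for c in include + exclude if not is_valid_criterion(c)]
    inc = [criterion_regex(c) for c in include if is_valid_criterion(c)]
    exc = [criterion_regex(c) for c in exclude if is_valid_criterion(c)]
    selected = [
        r for r in refs
        if any(p.match(r) for p in inc) and not any(p.match(r) for p in exc)
    ]
    return selected, ignored


if __name__ == "__main__":
    sel, ign = select_images(
        IMAGE_REFS,
        include=["registry/registry1/repo/*/tag/*"],
        exclude=["registry/registry1/repo/repo1/tag/latest", "repo1/latest"],
    )
    print(sel)  # repo1:v1.2 and repo2:latest in registry1; "Registry1" is not matched
    print(ign)  # the malformed exclude entry, reported rather than applied
```

Because matching is anchored (`^...$`) and `*` never crosses a `/`, `registry/registry1/repo/*/tag/*` cannot accidentally match a reference from another registry, and the case-sensitive literal segments keep `Registry1` out of a `registry1` scan, which is the behaviour point 5 describes.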

## Step 2b: API & Flow

- POST https://login.microsoftonline.com/{tenantID}/oauth2/token
  - Generates an access token for authenticating requests to Azure services. It requires client credentials: client ID, client secret, and tenant ID.
- GET https://management.azure.com/subscriptions/{subscriptionID}/providers/Microsoft.ContainerRegistry/registries?api-version=2023-01-01-preview
  - Lists all container registries under the given subscription ID. It requires the access token obtained from Azure Active Directory authentication.
- GET https://{registry_name}.azurecr.io/acr/v1/_catalog
  - Retrieves the catalog of all repositories (images) in a specific Azure container registry. It requires the access token obtained in the previous step.
- GET https://{registry_name}.azurecr.io/acr/v1/{image_name}/_tags
  - Returns the tag details of a specific image in an Azure container registry. It uses the repository name and an access token for authorization.

## Step 2c: Define the Extended Schema

```json
{
  "Target": "python:3.4-alpine (alpine 3.9.2)",
  "Class": "os-pkgs",
  "Type": "alpine",
  "Vulnerabilities": [
    {
      "VulnerabilityID": "CVE-2018-20843",
      "PkgID": "expat@2.2.6-r0",
      "PkgName": "expat",
      "PkgIdentifier": {
        "PURL": "pkg:apk/alpine/expat@2.2.6-r0?arch=x86_64\u0026distro=3.9.2",
        "UID": "e24e675030cb5f4e"
      },
      "InstalledVersion": "2.2.6-r0",
      "FixedVersion": "2.2.7-r0",
      "Status": "fixed",
      "Layer": {
        "Digest": "sha256:aafecf9bbbfd514858f0d93fa0f65c2d59c8a1c46ec4b55963e42619f00a0a61",
        "DiffID": "sha256:fbe16fc07f0d81390525c348fbd720725dcae6498bd5e902ce5d37f2b7eed743"
      },
      "SeveritySource": "nvd",
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-20843",
      "DataSource": {
        "ID": "alpine",
        "Name": "Alpine Secdb",
        "URL": "https://secdb.alpinelinux.org/"
      },
      "Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS",
      "Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
      "Severity": "HIGH",
      "CweIDs": [
        "CWE-611"
      ],
      "VendorSeverity": {
        "alma": 2,
        "amazon": 2,
        "cbl-mariner": 3,
        "nvd": 3,
        "oracle-oval": 2,
        "photon": 3,
        "redhat": 2,
        "ubuntu": 1
      },
      "CVSS": {
        "nvd": {
          "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "V2Score": 7.8,
          "V3Score": 7.5
        },
        "redhat": {
          "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "V3Score": 7.5
        }
      },
      "References": [
        "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html",
        "https://access.redhat.com/security/cve/CVE-2018-20843",
        "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226",
        "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031",
        "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes",
        "https://github.com/libexpat/libexpat/issues/186",
        "https://github.com/libexpat/libexpat/pull/262",
        "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6",
        "https://linux.oracle.com/cve/CVE-2018-20843.html",
        "https://linux.oracle.com/errata/ELSA-2020-4484.html",
        "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html",
        "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/",
        "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/",
        "https://nvd.nist.gov/vuln/detail/CVE-2018-20843",
        "https://seclists.org/bugtraq/2019/Jun/39",
        "https://security.gentoo.org/glsa/201911-08",
        "https://security.netapp.com/advisory/ntap-20190703-0001/",
        "https://support.f5.com/csp/article/K51011533",
        "https://ubuntu.com/security/notices/USN-4040-1",
        "https://ubuntu.com/security/notices/USN-4040-2",
        "https://ubuntu.com/security/notices/USN-4852-1",
        "https://ubuntu.com/security/notices/USN-5455-1",
        "https://usn.ubuntu.com/4040-1/",
        "https://usn.ubuntu.com/4040-2/",
        "https://www.cve.org/CVERecord?id=CVE-2018-20843",
        "https://www.debian.org/security/2019/dsa-4472",
        "https://www.oracle.com/security-alerts/cpuApr2021.html",
        "https://www.oracle.com/security-alerts/cpuapr2020.html",
        "https://www.oracle.com/security-alerts/cpuoct2020.html",
        "https://www.oracle.com/security-alerts/cpuoct2021.html",
        "https://www.tenable.com/security/tns-2021-11"
      ],
      "PublishedDate": "2019-06-24T17:15:09.98Z",
      "LastModifiedDate": "2023-11-07T02:56:21.553Z"
    }
  ]
}
```

# Step 3: Define the Standard Schema

```python
{
    # Meta
    "System": "trivy",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "N/A",
    "ResourceName": "target:project1(image)",
    "ResourceType": "image",
    "ResourceLocation": "N/A",
    "ResourceTags": "N/A",
    "ResourceURL": "N/A",

    # Data
    "IssueName": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS",  # [Vulnerabilities.Title]
    "IssueType": "alpine",  # [Type]
    "PackageName": "expat",  # [Vulnerabilities.PkgName]
    "PackageID": "expat@2.2.6-r0",  # [Vulnerabilities.PkgID]
    "PackageInstalledVersion": "2.2.6-r0",  # [Vulnerabilities.InstalledVersion]
    "PackageFixedVersion": "2.2.7-r0",  # [Vulnerabilities.FixedVersion]
    "CVEID": "CVE-2018-20843",  # [Vulnerabilities.VulnerabilityID]
    "Severity": "HIGH",  # [Vulnerabilities.Severity]
    "EPSSPercentile": 97.8,
    "PlatformStatus": "fixed",  # [Vulnerabilities.Status]

    # Compliance details
    "ValidationStatusCode": "HIGH_SEV_CRT_EPSS",
    "ValidationStatusNotes": "Contains a high-severity issue with a critical EPSS Percentile (>90).",
    "ComplianceStatus": "NON_COMPLIANT",
    "ComplianceStatusReason": "The record is non-compliant due to a high-severity vulnerability with a critical EPSS percentile.",
    "EvaluatedTime": "2023-11-07T02:56:21.553Z",  # [Vulnerabilities.LastModifiedDate]

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceURL|ResourceTags|IssueName|IssueType|PackageName|PackageID|PackageInstalledVersion|PackageFixedVersion|CVEID|Severity|EPSSPercentile|PlatformStatus|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|trivy|compliancecow|N/A|target/project1(image)|image|N/A|N/A|N/A|expat: large number of colons in input makes parser consume high amount of resources, leading to DoS|alpine|expat|expat@2.2.6-r0|2.2.6-r0|2.2.7-r0|CVE-2018-20843|HIGH|13.9|fixed|HIGH_SEV_CRT_EPSS|Contains a high-severity issue with a critical EPSS Percentile (>90).|NON_COMPLIANT|The record is non-compliant due to a high-severity vulnerability with a critical EPSS percentile.|2023-11-07T02:56:21.553Z||||

# Step 4: Describe the Compliance Taxonomy

|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|
| LOW_SEV_LOW_EPSS | Contains a low-severity issue with a low EPSS Percentile (<50).| COMPLIANT| The record is compliant as it has a low-severity vulnerability with a low EPSS percentile. |
| LOW_SEV_MED_EPSS | Contains a low-severity issue with a medium EPSS Percentile (50-70).| COMPLIANT| The record is compliant as it has a low-severity vulnerability with a medium EPSS percentile.|
| LOW_SEV_HIGH_EPSS| Contains a low-severity issue with a high EPSS Percentile (70-90).| NON_COMPLIANT| The record is non-compliant due to a low-severity vulnerability with a high EPSS percentile. |
| LOW_SEV_CRT_EPSS| Contains a low-severity issue with a critical EPSS Percentile (>90).| NON_COMPLIANT| The record is non-compliant due to a low-severity vulnerability with a critical EPSS percentile. |
| LOW_SEV_NO_EPSS| Contains a low-severity issue with no EPSS Percentile.| COMPLIANT| The record is compliant due to a low-severity vulnerability with no EPSS percentile. |
| MED_SEV_LOW_EPSS | Contains a medium-severity issue with a low EPSS Percentile (<50).| COMPLIANT| The record is compliant as it has a medium-severity vulnerability with a low EPSS percentile. |
| MED_SEV_MED_EPSS | Contains a medium-severity issue with a medium EPSS Percentile (50-70). | COMPLIANT| The record is compliant as it has a medium-severity vulnerability with a medium EPSS percentile. |
| MED_SEV_HIGH_EPSS| Contains a medium-severity issue with a high EPSS Percentile (70-90). | NON_COMPLIANT| The record is non-compliant due to a medium-severity vulnerability with a high EPSS percentile. |
| MED_SEV_CRT_EPSS| Contains a medium-severity issue with a critical EPSS Percentile (>90). | NON_COMPLIANT| The record is non-compliant due to a medium-severity vulnerability with a critical EPSS percentile. |
| MED_SEV_NO_EPSS| Contains a medium-severity issue with no EPSS Percentile. | COMPLIANT| The record is compliant due to a medium-severity vulnerability with no EPSS percentile. |
| HIGH_SEV_LOW_EPSS| Contains a high-severity issue with a low EPSS Percentile (<50).| NON_COMPLIANT| The record is non-compliant due to a high-severity vulnerability with a low EPSS percentile. |
| HIGH_SEV_MED_EPSS| Contains a high-severity issue with a medium EPSS Percentile (50-70). | NON_COMPLIANT| The record is non-compliant due to a high-severity vulnerability with a medium EPSS percentile. |
| HIGH_SEV_HIGH_EPSS | Contains a high-severity issue with a high EPSS Percentile (70-90). | NON_COMPLIANT| The record is non-compliant due to a high-severity vulnerability with a high EPSS percentile. |
| HIGH_SEV_CRT_EPSS | Contains a high-severity issue with a critical EPSS Percentile (>90). | NON_COMPLIANT| The record is non-compliant due to a high-severity vulnerability with a critical EPSS percentile. |
| HIGH_SEV_NO_EPSS | Contains a high-severity issue with no EPSS Percentile. | NON_COMPLIANT| The record is non-compliant due to a high-severity vulnerability with no EPSS percentile. |
| CRT_SEV_LOW_EPSS| Contains a critical-severity issue with a low EPSS Percentile (<50).| NON_COMPLIANT| The record is non-compliant due to a critical-severity vulnerability with a low EPSS percentile. |
| CRT_SEV_MED_EPSS| Contains a critical-severity issue with a medium EPSS Percentile (50-70). | NON_COMPLIANT| The record is non-compliant due to a critical-severity vulnerability with a medium EPSS percentile. |
| CRT_SEV_HIGH_EPSS | Contains a critical-severity issue with a high EPSS Percentile (70-90). | NON_COMPLIANT| The record is non-compliant due to a critical-severity vulnerability with a high EPSS percentile. |
| CRT_SEV_CRT_EPSS | Contains a critical-severity issue with a critical EPSS Percentile (>90). | NON_COMPLIANT| The record is non-compliant due to a critical-severity vulnerability with a critical EPSS percentile. |
| CRT_SEV_NO_EPSS | Contains a critical-severity issue with no EPSS Percentile. | NON_COMPLIANT| The record is non-compliant due to a critical-severity vulnerability with no EPSS percentile. |

# Step 5: Calculation for Compliance Percentage and Status

```
# Calculation of Compliance Percentage

TotalCount     = count of records with ComplianceStatus 'COMPLIANT' or 'NON_COMPLIANT'
CompliantCount = count of records with ComplianceStatus 'COMPLIANT'

CompliancePCT = (CompliantCount / TotalCount) * 100

# Compliance Status
COMPLIANT      - 100%
NON_COMPLIANT  - 0% to less than 100%
NOT_DETERMINED - if no records are found
```
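The following is an added example, not the rule's own implementation, that carries Steps 3 to 5 through in code: it maps a Trivy finding (the Step 2c shape) onto the Step 3 standard schema, derives the four compliance fields from the Step 4 taxonomy, and computes the Step 5 percentage and status. The Trivy result is a trimmed copy of the page's sample plus two constructed findings with placeholder IDs; the EPSS percentiles are a constructed lookup on the page's 0-100 scale (Trivy's own output carries no EPSS field, so where the rule obtains them is an assumption); and the band boundaries (50 and 70 start the next band, 90 still counts as high) are an assumption the table leaves open.

```python
# Constructed Trivy result: a trimmed copy of the page's sample "Target" object plus
# two constructed findings (placeholder IDs, not real CVEs) so the percentage is non-trivial.
TRIVY_RESULT = {
    "Target": "python:3.4-alpine (alpine 3.9.2)",
    "Class": "os-pkgs",
    "Type": "alpine",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2018-20843", "PkgID": "expat@2.2.6-r0", "PkgName": "expat",
         "InstalledVersion": "2.2.6-r0", "FixedVersion": "2.2.7-r0", "Status": "fixed",
         "Severity": "HIGH", "LastModifiedDate": "2023-11-07T02:56:21.553Z",
         "Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS"},
        {"VulnerabilityID": "CVE-0000-0001", "PkgID": "libfoo@1.0-r0", "PkgName": "libfoo",
         "InstalledVersion": "1.0-r0", "Status": "affected", "Severity": "LOW",
         "Title": "constructed low-severity finding with no fix available"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgID": "libbar@2.0-r0", "PkgName": "libbar",
         "InstalledVersion": "2.0-r0", "FixedVersion": "2.1-r0", "Status": "fixed",
         "Severity": "MEDIUM", "Title": "constructed medium-severity finding"},
    ],
}

# Constructed EPSS percentile lookup (0-100 scale, as in the page's schema). Trivy's own
# output has no EPSS field, so the source of these values is an assumption. The third
# constructed CVE is deliberately absent to exercise the *_NO_EPSS codes.
EPSS_PERCENTILES = {"CVE-2018-20843": 97.8, "CVE-0000-0001": 12.3}

SEVERITY_PREFIX = {"LOW": "LOW", "MEDIUM": "MED", "HIGH": "HIGH", "CRITICAL": "CRT"}


def epss_band(percentile):
    """Map a percentile to its Step 4 band as (code, wording, range text).
    Boundary assumption: 50 and 70 start the next band, 90 still counts as high."""
    if percentile is None:
        return "NO", "no", ""
    if percentile < 50:
        return "LOW", "a low", " (<50)"
    if percentile < 70:
        return "MED", "a medium", " (50-70)"
    if percentile <= 90:
        return "HIGH", "a high", " (70-90)"
    return "CRT", "a critical", " (>90)"


def classify(severity, percentile):
    """Produce the four Step 4 compliance fields for one finding."""
    sev = severity.upper()
    if sev not in SEVERITY_PREFIX:
        # Trivy can also emit UNKNOWN; the taxonomy has no row for it, so fail loudly
        # instead of silently marking the record compliant.
        raise ValueError(f"severity {severity!r} is not covered by the taxonomy")
    band, wording, rng = epss_band(percentile)
    # From the Step 4 table: LOW/MEDIUM severity is compliant unless EPSS is high or
    # critical; HIGH/CRITICAL severity is non-compliant regardless of EPSS.
    compliant = sev in ("LOW", "MEDIUM") and band in ("LOW", "MED", "NO")
    sev_word = sev.lower()
    return {
        "ValidationStatusCode": f"{SEVERITY_PREFIX[sev]}_SEV_{band}_EPSS",
        "ValidationStatusNotes": f"Contains a {sev_word}-severity issue with {wording} EPSS Percentile{rng}.",
        "ComplianceStatus": "COMPLIANT" if compliant else "NON_COMPLIANT",
        "ComplianceStatusReason": (
            f"The record is {'compliant as it has' if compliant else 'non-compliant due to'} "
            f"a {sev_word}-severity vulnerability with {wording} EPSS percentile."),
    }


def to_standard_record(result, vuln, epss_lookup):
    """Map one Trivy finding (Step 2c shape) onto the Step 3 standard schema."""
    percentile = epss_lookup.get(vuln["VulnerabilityID"])
    record = {
        "System": "trivy", "Source": "compliancecow",
        "ResourceID": "N/A",
        "ResourceName": f"target:{result['Target']}(image)",
        "ResourceType": "image", "ResourceLocation": "N/A",
        "ResourceTags": "N/A", "ResourceURL": "N/A",
        "IssueName": vuln.get("Title", vuln["VulnerabilityID"]),
        "IssueType": result["Type"],
        "PackageName": vuln["PkgName"], "PackageID": vuln["PkgID"],
        "PackageInstalledVersion": vuln["InstalledVersion"],
        "PackageFixedVersion": vuln.get("FixedVersion", "N/A"),  # unfixed findings carry no FixedVersion
        "CVEID": vuln["VulnerabilityID"],
        "Severity": vuln["Severity"],
        "EPSSPercentile": percentile,
        "PlatformStatus": vuln.get("Status", "N/A"),
        "EvaluatedTime": vuln.get("LastModifiedDate", "N/A"),
        "UserAction": "", "ActionStatus": "", "ActionResponseURL": "",
    }
    record.update(classify(vuln["Severity"], percentile))
    return record


def evaluate(result, epss_lookup):
    # Trivy emits "Vulnerabilities": null for a clean target, hence the `or []`.
    return [to_standard_record(result, v, epss_lookup) for v in result.get("Vulnerabilities") or []]


def compliance_summary(records):
    """Step 5: percentage over COMPLIANT/NON_COMPLIANT records, NOT_DETERMINED if none."""
    counted = [r for r in records if r["ComplianceStatus"] in ("COMPLIANT", "NON_COMPLIANT")]
    if not counted:
        return {"CompliancePCT": None, "ComplianceStatus": "NOT_DETERMINED"}
    compliant = sum(r["ComplianceStatus"] == "COMPLIANT" for r in counted)
    pct = compliant / len(counted) * 100
    return {"CompliancePCT": pct, "ComplianceStatus": "COMPLIANT" if pct == 100 else "NON_COMPLIANT"}


if __name__ == "__main__":
    recs = evaluate(TRIVY_RESULT, EPSS_PERCENTILES)
    for r in recs:
        print(r["CVEID"], r["ValidationStatusCode"], r["ComplianceStatus"])
    print(compliance_summary(recs))
```

With the constructed input the expat finding lands on `HIGH_SEV_CRT_EPSS` / `NON_COMPLIANT` (the same verdict as the Step 3 sample), the two constructed findings are compliant, and the summary is two of three records compliant, so the control as a whole is `NON_COMPLIANT`. Keeping the taxonomy in one `classify` function makes the 20-row table a single place to audit, and refusing an unmapped severity rather than defaulting it keeps a scanner change from quietly turning into a compliant result.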

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

N/A

# Step 7: Control Setup Details

| Control Details            |                                   |
|----------------------------|-----------------------------------|
| **RuleName**               |TrivyContainerVulnerabilityScanner |
| **PreRequisiteRuleNames**  |  N/A                              |
| **ExtendedSchemaRuleNames**| N/A                               |
| **ApplicationClassName**   |  azureappconnector                |
| **PostSynthesizerName**    |             N/A                   |