# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|Trivy|compliancecow|-|This report summarizes container vulnerability scans, focusing on EPSS Percentile and severity to support vulnerability management controls.|

```
RecommendedEvidenceName:
ContainerVulnerabilitySummaryReport
```

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)

# Step 2a: Define the Extended Schema

```python
# Output of the TrivyContainerVulnerabilityScanner rule (one record per vulnerability)
{
    # Meta
    "System": "trivy",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "N/A",
    "ResourceName": "target:project1(image)",
    "ResourceType": "image",
    "ResourceLocation": "N/A",
    "ResourceTags": "N/A",
    "ResourceURL": "N/A",

    # Data
    "IssueName": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS",  # [Vulnerabilities.Title]
    "IssueType": "alpine",
    "PackageName": "expat",
    "PackageID": "expat@2.2.6-r0",
    "PackageInstalledVersion": "2.2.6-r0",
    "PackageFixedVersion": "2.2.7-r0",
    "CVEID": "CVE-2018-20843",
    "Severity": "HIGH",
    "EPSSPercentile": 97.8,
    "PlatformStatus": "fixed",

    # Compliance details
    "ValidationStatusCode": "HIGH_SEV_CRT_EPSS",
    "ValidationStatusNotes": "Contains a high-severity issue with a critical EPSS Percentile (>90).",
    "ComplianceStatus": "NON_COMPLIANT",
    "ComplianceStatusReason": "The record is non-compliant due to a high-severity vulnerability with a critical EPSS percentile.",
    "EvaluatedTime": "2023-11-07T02:56:21.553Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3: Define the Standard Schema

```python
# Standard schema: one summary record per scanned resource (image)
{
    # Meta
    "System": "trivy",
    "Source": "compliancecow",

    # Resource info
    "ResourceID": "N/A",
    "ResourceName": "target:project1(image)",
    "ResourceType": "image",
    "ResourceLocation": "N/A",
    "ResourceTags": "N/A",
    "ResourceURL": "N/A",

    # Data
    "CriticalVulnCount": 0,
    "HighVulnCount": 0,
    "MediumVulnCount": 6,
    "LowVulnCount": 5,
    "EPSSPercentileBand_>90": 0,
    "EPSSPercentileBand_70-90": 0,
    "EPSSPercentileBand_50-70": 2,
    "EPSSPercentileBand_<50": 8,

    # Compliance details
    "ValidationStatusCode": "NO_CRT_HIGH_VL_PR_NO_CRT_HIGH_EPSS_PR",
    "ValidationStatusNotes": "No Critical or High severity vulnerabilities and no vulnerabilities with High or Critical EPSS Percentile.",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "No Critical or High severity vulnerabilities with EPSS Percentile in the High(70-90) or Critical(>90) range.",
    "EvaluatedTime": "2024-08-22T09:24:08.183Z",

    # User editable data
    "UserAction": "",

    # Action editable data
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```

# Step 3.a: Sample Data

|System|Source|ResourceID|ResourceName|ResourceType|ResourceLocation|ResourceURL|ResourceTags|Severity|CriticalVulnCount|HighVulnCount|MediumVulnCount|LowVulnCount|EPSSPercentileBand_>90|EPSSPercentileBand_70-90|EPSSPercentileBand_50-70|EPSSPercentileBand_<50|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|EvaluatedTime|UserAction|ActionStatus|ActionResponseURL|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|trivy|compliancecow|N/A|target:project1|image|N/A|N/A|N/A|low|0|0|0|5|0|0|0|4|0_CRT_0_HI_VL_PR_0_CRT_EPSS_0_HI_EPSS_PR|Contains 0 Critical and 0 High severity vulnerabilities, and 0 vulnerabilities with critical(>90) EPSS Percentile and 0 vulnerabilities with High(70-90) EPSS Percentile.|COMPLIANT|No Critical or High severity vulnerabilities with EPSS Percentile in the High(70-90) or Critical(>90) range.|2024-08-22T09:24:08.183Z|||
# Step 4: Describe the Compliance Taxonomy

|ValidationStatusCode|ValidationStatusNotes|ComplianceStatus|ComplianceStatusReason|
|---|---|---|---|
|NO_CRT_HIGH_VL_PR_NO_CRT_HIGH_EPSS_PR | No Critical or High severity vulnerabilities and no vulnerabilities with High or Critical EPSS Percentile. | COMPLIANT | No Critical or High severity vulnerabilities with EPSS Percentile in the High(70-90) or Critical(>90) range. |
| NO_CRT_HIGH_VL_PR_X_CRT_EPSS_X_HIGH_EPSS_PR | No Critical or High severity vulnerabilities, but X vulnerabilities with critical(>90) EPSS Percentile and X vulnerabilities with High(70-90) EPSS Percentile. | NON_COMPLIANT | Critical or High severity code vulnerabilities found with EPSS Percentile in the High(70-90) or Critical(>90) range. |
| X_CRT_X_HIGH_VL_PR_NO_CRT_HGH_EPSS_PR | Contains X Critical and X High severity vulnerabilities, but no vulnerabilities with High or Critical EPSS Percentile. | NON_COMPLIANT | Critical or High severity code vulnerabilities found with EPSS Percentile in the High(70-90) or Critical(>90) range. |
| X_CRT_X_HIGH_VL_PR_X_CRT_EPSS_X_HIGH_EPSS_PR | Contains X Critical and X High severity vulnerabilities, and X vulnerabilities with critical(>90) EPSS Percentile and X vulnerabilities with High(70-90) EPSS Percentile. | NON_COMPLIANT | Critical or High severity code vulnerabilities found with EPSS Percentile in the High(70-90) or Critical(>90) range. |

# Step 5: Calculation for Compliance Percentage and Status

```
# Calculation of Compliance Percentage

TotalCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
CompliantCount = Count of 'COMPLIANT' records

CompliancePCT = (CompliantCount / TotalCount) * 100

# Compliance Status
COMPLIANT - 100%
NON_COMPLIANT - 0% to less than 100%
NOT_DETERMINED - If no records are found.
```
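
The roll-up from the per-vulnerability records (Step 2) to the per-image summary (Step 3), the status code of Step 4 and the percentage of Step 5, as an added worked example that is not ComplianceCow's or Trivy's own code. It assumes the EPSS band edges at 70 and 50 are inclusive (the page only states ">90" and "70-90") and spells the third taxonomy row's `HGH` as `HIGH`; the findings are constructed sample data.

```python
# Added example (not ComplianceCow's or Trivy's code): rolls Step 2 per-vulnerability
# records up into Step 3 summary records, assigns the Step 4 status code and
# computes the Step 5 compliance percentage. Band edges at 70 and 50 are assumed inclusive.
from collections import Counter

# Constructed sample findings (only the fields the roll-up needs).
FINDINGS = [
    {"ResourceName": "target:project1(image)", "Severity": "HIGH", "EPSSPercentile": 97.8},
    {"ResourceName": "target:project1(image)", "Severity": "MEDIUM", "EPSSPercentile": 55.0},
    {"ResourceName": "target:project1(image)", "Severity": "LOW", "EPSSPercentile": 12.3},
    {"ResourceName": "target:project2(image)", "Severity": "MEDIUM", "EPSSPercentile": 61.0},
    {"ResourceName": "target:project2(image)", "Severity": "LOW", "EPSSPercentile": 3.0},
]

def epss_band(p):
    """Map an EPSS percentile onto the four bands of the standard schema."""
    return ">90" if p > 90 else "70-90" if p >= 70 else "50-70" if p >= 50 else "<50"

def summarize(findings):
    """Build one Step 3 summary record per ResourceName."""
    by_resource = {}
    for f in findings:
        by_resource.setdefault(f["ResourceName"], []).append(f)
    records = []
    for name, items in by_resource.items():
        sev = Counter(f["Severity"] for f in items)
        band = Counter(epss_band(f["EPSSPercentile"]) for f in items)
        crt, high, crt_e, high_e = sev["CRITICAL"], sev["HIGH"], band[">90"], band["70-90"]
        # Step 4 taxonomy: the actual counts replace the X placeholders.
        vl = "NO_CRT_HIGH_VL_PR" if crt + high == 0 else f"{crt}_CRT_{high}_HIGH_VL_PR"
        ep = "NO_CRT_HIGH_EPSS_PR" if crt_e + high_e == 0 else f"{crt_e}_CRT_EPSS_{high_e}_HIGH_EPSS_PR"
        compliant = crt + high == 0 and crt_e + high_e == 0
        records.append({
            "ResourceName": name, "CriticalVulnCount": crt, "HighVulnCount": high,
            "MediumVulnCount": sev["MEDIUM"], "LowVulnCount": sev["LOW"],
            "EPSSPercentileBand_>90": crt_e, "EPSSPercentileBand_70-90": high_e,
            "EPSSPercentileBand_50-70": band["50-70"], "EPSSPercentileBand_<50": band["<50"],
            "ValidationStatusCode": f"{vl}_{ep}",
            "ComplianceStatus": "COMPLIANT" if compliant else "NON_COMPLIANT",
        })
    return records

def compliance_pct(records):
    """Step 5: share of COMPLIANT records; NOT_DETERMINED when there are none."""
    total = sum(r["ComplianceStatus"] in ("COMPLIANT", "NON_COMPLIANT") for r in records)
    if total == 0:
        return None, "NOT_DETERMINED"
    pct = 100.0 * sum(r["ComplianceStatus"] == "COMPLIANT" for r in records) / total
    return pct, "COMPLIANT" if pct == 100 else "NON_COMPLIANT"
```

With the sample findings, project1 is NON_COMPLIANT because its single HIGH finding also sits in the >90 EPSS band, project2 is COMPLIANT, and the control therefore reports 50% and NON_COMPLIANT.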

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance
N/A

# Step 7: Control Setup Details

| Control Details            |                                   |
|----------------------------|-----------------------------------|
| **RuleName**               |ContainerVulnerabilitySummaryReport|
| **PreRequisiteRuleNames**  |TrivyContainerVulnerabilityScanner  |
| **ExtendedSchemaRuleNames**| N/A                               |
| **ApplicationClassName**   |  nocredapp                        |
| **PostSynthesizerName**    |             N/A                   |