Azure / Microsoft-Defender-for-Cloud

Welcome to the Microsoft Defender for Cloud community repository
https://azure.microsoft.com/en-us/services/security-center/
MIT License

ImageScanSummaryAssessmentGate.ps1 no longer finds assessments #858

Open killnine opened 7 months ago

killnine commented 7 months ago

**Describe the bug**
The container image scan vulnerability assessment script no longer seems to be working. I don't know if there was a schema change or API change on the Graph, but it never finds results, even if they do actually appear in the Defender for Cloud UI dashboard.

**To Reproduce**
Steps to reproduce the behavior:

  1. Login to Azure CR via `az acr login -n ''`
  2. Navigate to the ps1 script
  3. Execute the ps1 script:
    `.\ImageScanSummaryAssessmentGate.ps1 -registryName "<companyregistry_without_cr.io_suffix>" -repository "<apprepository>" -tag 932`
  4. See error:
    
    Image Digest: sha256:4a3e5843...snip...2063
    Query: securityresources
    | where type == 'microsoft.security/assessments/subassessments'
    | where id matches regex  '(.+?)/providers/Microsoft.ContainerRegistry/registries/(.+)/providers/Microsoft.Security/assessments/dbd0cb49-b563-45e7-9724-889e799fa648/'
    | extend registryResourceId = tostring(split(id, '/providers/Microsoft.Security/assessments/')[0])
    | extend registryResourceName = tostring(split(registryResourceId, '/providers/Microsoft.ContainerRegistry/registries/')[1])
    | extend imageDigest = tostring(properties.additionalData.imageDigest)
    | extend repository = tostring(properties.additionalData.repositoryName)
    | extend patchable = tobool(properties.additionalData.patchable)
    | extend scanFindingSeverity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
    | summarize findingsCountOverAll = count(), scanFindingSeverityCount = countif(patchable or not(tobool(False))) by scanFindingSeverity, scanStatus, registryResourceId, registryResourceName, repository, imageDigest
    | summarize findingsCountOverAll = sum(findingsCountOverAll), severitySummary = make_bag(pack(scanFindingSeverity, scanFindingSeverityCount)) by registryResourceId, registryResourceName, repository, imageDigest, scanStatus
    | summarize findingsCountOverAll = sum(findingsCountOverAll) , scanReport = make_bag_if(pack('scanStatus', scanStatus, 'scanSummary', severitySummary), scanStatus != 'NotApplicable')by registryResourceId, registryResourceName, repository, imageDigest
    | extend IsScanned = iif(findingsCountOverAll > 0, true, false)
    | where imageDigest =~ 'sha256:4a3e5843...snip...2063' and repository =~ '<apprepository>' and registryResourceName =~ '<companyregistry_without_cr.io_suffix>'

No results for image :932 yet ... No results for image :932 yet ... Write-Error: No results were found for digest: sha256:4a3e5843...snip...2063 after 3 retries!

**Expected behavior**
Historically, this script has executed locally just fine for me.

**Additional context**
This script is integrated into my AzDO pipeline and it halts pushes to Development environments if it does not pass. It's pretty slow already, requiring a 5 minute waiting period on the previous step, but now that it's not even finding results, it's even more frustrating.

killnine commented 7 months ago

I did see this in the past when I inadvertently included azurecr.io in my registry name. The script gives a log message saying it scrubs it from the input, but I don't think that's accurate, and only once I set the registry to the name without the suffix did it finally work. It was tricky to find this issue because it was running on a build pipeline with injected environment vars for the registry and repo names. But running locally I was able to troubleshoot.

Now it just stopped working entirely.

killnine commented 6 months ago

@wtomw is this kinda a "YMMV" sorta script or something Microsoft officially supports? Or is there some other tooling that would make it easier to tap into Defender results for new images?

applefacts commented 3 months ago

@killnine I don't think it's supported anymore, but check this: https://learn.microsoft.com/en-us/azure/defender-for-cloud/transition-to-defender-vulnerability-management. The assessment keys are different with Defender now.
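An added example, not the repository's ImageScanSummaryAssessmentGate.ps1 and not posted by anyone in this thread, of how the gate can take the assessment key as a parameter (so the key that the current scanner writes can be substituted), strip the `.azurecr.io` suffix before matching, validate pipeline-supplied values before they are interpolated into KQL, and fail closed when no scan rows have landed. The assessment key default, the severity threshold and the sample rows are constructed placeholders; Search-AzGraph (Az.ResourceGraph module) is the live call the offline sample stands in for.

```powershell
# Added example, not the repository's ImageScanSummaryAssessmentGate.ps1. Live lookup uses Search-AzGraph (Az.ResourceGraph).

function Get-RegistryShortName {
    param([Parameter(Mandatory)][string]$RegistryName)
    # The assessment id carries only the registry resource name, so a login-style name
    # such as "contoso.azurecr.io" must be reduced to "contoso" before it is matched.
    return ($RegistryName -replace '\.azurecr\.io$', '').ToLowerInvariant()
}

function New-ImageAssessmentQuery {
    param(
        [Parameter(Mandatory)][string]$RegistryName,
        [Parameter(Mandatory)][string]$Repository,
        [Parameter(Mandatory)][string]$ImageDigest,
        # Placeholder: the thread's query uses dbd0cb49-b563-45e7-9724-889e799fa648 for the legacy
        # scanner; substitute the key the current Defender scanner writes in your tenant.
        [string]$AssessmentKey = '<ASSESSMENT-KEY-PLACEHOLDER>'
    )
    # Validate inputs before they are interpolated into KQL (pipeline variables are untrusted input).
    if ($ImageDigest -notmatch '^sha256:[0-9a-f]{64}$') { throw "Unexpected digest format: $ImageDigest" }
    if ($Repository -notmatch '^[a-z0-9._/-]+$') { throw "Unexpected repository name: $Repository" }
    $registry = Get-RegistryShortName $RegistryName
    return @"
securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where id matches regex '/registries/(.+)/providers/Microsoft.Security/assessments/$AssessmentKey/'
| extend registryResourceName = tostring(split(tostring(split(id, '/providers/Microsoft.Security/assessments/')[0]), '/providers/Microsoft.ContainerRegistry/registries/')[1])
| extend imageDigest = tostring(properties.additionalData.imageDigest), repository = tostring(properties.additionalData.repositoryName)
| extend severity = tostring(properties.status.severity), scanStatus = tostring(properties.status.code)
| where imageDigest =~ '$ImageDigest' and repository =~ '$Repository' and registryResourceName =~ '$registry'
| summarize findings = count() by severity, scanStatus
"@
}

function Test-ImageScanGate {
    param([object[]]$Rows, [string[]]$BlockingSeverities = @('High', 'Critical'))
    # No row outside NotApplicable means the scan has not landed yet: fail closed, do not pass silently.
    $scanned = @($Rows | Where-Object { $_.scanStatus -ne 'NotApplicable' })
    if ($scanned.Count -eq 0) { return [pscustomobject]@{ Scanned = $false; Pass = $false; Blocking = 0 } }
    $blocking = ($scanned | Where-Object { $BlockingSeverities -contains $_.severity } |
                 Measure-Object -Property findings -Sum).Sum
    return [pscustomobject]@{ Scanned = $true; Pass = (-not $blocking); Blocking = [int]$blocking }
}

# Constructed sample rows standing in for Search-AzGraph output (live: Search-AzGraph -Query $query).
$query = New-ImageAssessmentQuery -RegistryName 'contoso.azurecr.io' -Repository 'app/api' -ImageDigest ('sha256:' + ('a' * 64))
$sample = @([pscustomobject]@{ severity = 'High'; scanStatus = 'Unhealthy'; findings = 2 })
$result = Test-ImageScanGate -Rows $sample
if (-not $result.Scanned) { Write-Error 'No results yet; retry after the scan completes.' } elseif (-not $result.Pass) { Write-Error "$($result.Blocking) blocking findings" }
```

With the constructed sample the gate reports two blocking findings and fails; an empty or all-NotApplicable result set fails as "not scanned" rather than letting the push through.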