Open grglzrv opened 1 year ago
simar7
commented
1 year ago thanks for filing this, happy to review a PR if you'd like to contribute this.
cc @souravsk - this issue might be of interest to you if you're looking to contribute.
As always, let us know if you need any help getting started.
souravsk
commented
1 year ago @simar7 ya happy to help. can you let me know where to start
grglzrv
commented
1 year ago @souravsk under rego-templates dir there is a trivy-operator-slack.rego file, it should be update with the aforementioned requirements. You may also reuse trivy-jira.rego file
souravsk
commented
1 year ago @grglzrv what is the command to get the output that you are showing. I want to check it some explem and see the output.
souravsk
commented
1 year ago hey @grglzrv
grglzrv
commented
1 year ago @souravsk it's a slack notification message
souravsk
commented
1 year ago I want to know from where I can get all this data to display.
Do I just have to add here all the vulnerability id, metadata, namespace, title, etc just like critical, and high
and then use it in the trivy-operator-slack.rego
result = msg {
msg := sprintf(tpl, [
input.ArtifactName,
render_vlnrb("Critical", vln_list("CRITICAL")),
render_vlnrb("High", vln_list("HIGH")),
render_vlnrb("Medium", vln_list("MEDIUM")),
render_vlnrb("Low", vln_list("LOW")),
render_vlnrb("Negligible", vln_list("NEGLIGIBLE"))
])
}or i have to do something else to get all this data to show the correct information @grglzrv
souravsk
commented
1 year ago 
I have written all of this but still, I don't know where should i collect the data for this new tag that you have asked for.
grglzrv
commented
1 year ago Hi @souravsk this changes wont work, you need to install Trivy Operator, which has to be integrated with Postee. Postee will receive Vulnerability reports from the Trivy Operator as json format, so you need to write rego template for that for exmaple json
{
"updateTimestamp": "2022-09-28 │T06:21:55Z",
"scanner": {
"name": "Trivy",
"vendor": "Aqua Security",
"version": "0.31.3"
},
"registry": {
"server": "ghcr.io"
},
"artifact": {
"repository": "fluxcd/image-reflector-controller",
"tag": "v0.20.1"
},
"summary": {
"criticalCount": 0,
"highCount": 1,
"mediumCount": 0,
"lowCount": 0,
"unknownCount": 0,
"noneCount": 0
},
"vulnerabilities": [
{
"vulnerabilityID": "CVE-2022-27664",
"resource": "golang.org/x/net",
"installedVersion": "v0.0.0-20220722155237-a1 58d28d115b",
"fixedVersion": "0.0.0-20220906165146-f3363e06e74c",
"severity": "HIGH",
"title": "title1",
"primaryLink": "https://avd.aquasec.com/nvd/cve-2022-27664",
"links": [],
"score": 7.5,
"target": ""
},
{
"vulnerabilityID": "CVE-2022-27664",
"resource": "golang.org/x/net",
"installedVersion": "v0.0.0-20220722155237-a1 58d28d115b",
"fixedVersion": "0.0.0-20220906165146-f3363e06e74c",
"severity": "HIGH",
"title": "title2",
"primaryLink": "https://avd.aquasec.com/nvd/cve-2022-27664",
"links": [],
"score": 7.5,
"target": ""
}
]
}you may use this website https://play.openpolicyagent.org/ in order to test the above json with your code. Bare in mind that vuln reports are maps , so you need you to use bash some loop
grglzrv
commented
1 year ago I just wrote some template only for Vuln reports, you may improve it and add the code from the current template
package postee.trivyoperator.slack
tpl :=`
<p> Severity: %s </p>
<p> vulnerabilityID: %s </p>
<p> primaryLink: %s </p>
`
vulnIDs := vulnIdResult {
var := [ scan |
item1:=input.vulnerabilities[i].vulnerabilityID
scan:=item1
]
vulnIdResult:= concat("n", (var))
}
svrt := svrtResult {
var := [ scan |
item1:=input.vulnerabilities[i].severity
scan:=item1
]
svrtResult:= concat("\n", (var))
}
link := linkResult {
var := [ scan |
item1:=input.vulnerabilities[i].primaryLink
scan:=item1
]
linkResult:= concat("\n", (var))
}
result:= res {
res:= sprintf(tpl, [
svrt,
vulnIDs,
link
])
}okay
souravsk
commented
1 year ago Hey. @grglzrv do I have to make a new rego file so I just use the postee.trivyoperator.slack file
souravsk
commented
1 year ago 
hey @grglzrv these are the things that you wanted
grglzrv
commented
1 year ago Not exactly cuz you need to separate the both vuln reports 0: and 1: . You need make list for - vuln id, installed versio, fixed versio, severity etc then you need to use some loop function in rego language
grglzrv
commented
1 year ago @simar7 could you please give him some hits here, thanks
souravsk
commented
1 year ago Okya I understand the separation 0 and 1 index but I don't understand where we need the loop function
grglzrv
commented
1 year ago input.vulnerabilities[i].severity - its a current situation
I mean vulnList: = [ severity, vulnerabilityID, etc.] some j in vulnList
input.vulnerabilities[i].[j]
Then you need to loop them into the result:= as well
souravsk
commented
1 year ago Sorry for replying this late
vulnList := [VulnerabilityID,installedVersion,fixedVersion, title, primaryLink,severity]
vuln = result{
some i in vulnList
result = input.vulnerabilites[i].[j]
}I tried like this but it is show error in in part of the loop.
grglzrv
commented
1 year ago Yes, i just gave you an example
souravsk
commented
1 year ago yes but it's showing an error in this some i in vulnList line
simar7
commented
1 year ago @souravsk - can you share the link to your rego playground so we can help you better?
souravsk
commented
1 year ago is there any example of this type of rego file I just learn the basics of the rego language for this issue that's why I'm having head time understanding how this works. if this was in another language then I would have done it. so if you have any rego file where function and array are used then I can understand better.
simar7
commented
1 year ago is there any example of this type of rego file I just learn the basics of the rego language for this issue that's why I'm having head time understanding how this works. if this was in another language then I would have done it. so if you have any rego file where function and array are used then I can understand better.
Take a look at some examples in the Postee repo. I recall there are some usages of loops.
martijnvdp
commented
1 year ago copied the existing jira template and made it suitable for the trivy operator report , think it can also be used for slack or at least as example: https://github.com/aquasecurity/postee/pull/595
looping through vulnerabilities:
vln_list(severity) = vlnrb {
some j
vlnrb := [r |
item := input.report.vulnerabilities[j]
vlnname := item.vulnerabilityID
title := item.title
fxvrsn := with_default(item, "fixedVersion", "none")
resource_name = with_default(item, "packageType", "none")
resource_path = with_default(item, "resource", "none")
resource_version = with_default(item, "installedVersion", "none")
primaryurl = with_default(item, "primaryLink", "none")
references = with_default(item, "links", "none")
item.severity == severity # only items with severity matched
r := [vlnname, title, resource_name, resource_path, resource_version, fxvrsn, primaryurl]
]
}
example for slack : https://github.com/aquasecurity/postee/pull/597
copied the existing slack template and changed field names to match the output from the operator
can include more fields but than the message get a bit large
Description
I would like to request some enhancements for postee.trivyoperator.slack template. postee.trivyoperator.slack template gives very simple information, for example:
Could you please add more info? for example: