telekom-mms / trivy-dojo-report-operator

This Kubernetes operator listens for vulnerability reports generated by the Trivy Operator and forwards them to Defect Dojo for further analysis and tracking.
GNU General Public License v3.0

[Enhancement] Add more kinds of reports and make them configurable #52

Closed. corvusmod closed this 9 months ago

corvusmod commented 10 months ago

Description

Currently, only vulnerability reports can be sent to DefectDojo. This is configured here: https://github.com/telekom-mms/trivy-dojo-report-operator/blob/ec52e330f3d6da1eb7026a48b4ee2625fc01daa7/src/handlers.py#L53C18-L53C61

But other reports can be sent, such as: https://aquasecurity.github.io/trivy-operator/v0.18.3/docs/crds/

It would be great to add these reports to DD and to configure which ones we want to send with a variable/value (in the Helm chart).

Other than that... thanks for this operator, it's working great.


corvusmod commented 10 months ago

[image] This is how a ConfigAuditReport is shown in DD.

corvusmod commented 10 months ago

[image] And an RbacAssessmentReport.

rndmh3ro commented 9 months ago

Awesome idea, @corvusmod, thank you for this. I agree that this would be very nice to have.

Some ideas:

If you or anyone else wants to implement it, that'd be great. I'll probably find some time in the coming weeks.

corvusmod commented 9 months ago

Thanks for reviewing that, @rndmh3ro. I could try implementing it, but we would probably get into something messy, so I prefer to leave it to the professionals. But if you need any help with testing IRL, ping me and I will be more than happy to help you in any way.

You saved me with this tool, so feel free to ask for help.

rndmh3ro commented 9 months ago

I could not help myself and tried to implement it as an early version: https://github.com/telekom-mms/trivy-dojo-report-operator/tree/support_reports

To test it, you need to run the operator from the branch and export the REPORTS variable like this:

export REPORTS=sbomreports,vulnerabilityreports,ConfigAuditReports

Basically a comma-separated list of reports.

Keep in mind that you will receive error messages from the operator (Patching failed with inconsistencies) as long as x-kubernetes-preserve-unknown-fields is not set on the CRDs, but the reports should land in DD nonetheless.
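As an added example (not the operator's own code and not taken from the support_reports branch linked above), here is how the pieces discussed in this thread fit together: parsing the comma-separated REPORTS variable case-insensitively and rejecting unknown kinds, registering one kopf create handler per configured kind, and deriving from that same list the RBAC rule the Helm chart has to grant. The known-kinds tuple, the v1alpha1 API version, the handler name, and the inclusion of the patch verb are assumptions made here, not facts stated in the thread.

```python
import os
from typing import Dict, Iterable, List

TRIVY_GROUP = "aquasecurity.github.io"
# Assumption: the report CRDs are served at this version (the one documented
# for trivy-operator 0.18.x).
TRIVY_VERSION = "v1alpha1"

# Plural CRD names of the namespaced Trivy Operator reports this example
# accepts. Assumption: this is the set the operator is meant to support.
KNOWN_REPORT_PLURALS = (
    "vulnerabilityreports",
    "configauditreports",
    "rbacassessmentreports",
    "infraassessmentreports",
    "exposedsecretreports",
    "sbomreports",
)


class UnknownReportKind(ValueError):
    """Raised for a REPORTS entry that is not a known Trivy report CRD."""


def parse_reports(value: str) -> List[str]:
    """Parse a comma-separated REPORTS value into lower-case CRD plurals.

    Entries are trimmed and matched case-insensitively, so the mixed-case
    value from the thread ('sbomreports,vulnerabilityreports,ConfigAuditReports')
    is accepted as typed; duplicates are dropped and unknown names fail at
    startup instead of being silently ignored at watch time.
    """
    plurals: List[str] = []
    for raw in value.split(","):
        name = raw.strip().lower()
        if not name:  # tolerate trailing commas and blank entries
            continue
        if name not in KNOWN_REPORT_PLURALS:
            raise UnknownReportKind(
                f"unknown Trivy report kind {raw.strip()!r}; "
                f"known kinds: {', '.join(KNOWN_REPORT_PLURALS)}"
            )
        if name not in plurals:
            plurals.append(name)
    return plurals


def reports_from_env(default: str = "vulnerabilityreports") -> List[str]:
    """Read REPORTS from the environment, defaulting to vulnerability reports."""
    return parse_reports(os.environ.get("REPORTS", default))


def rbac_rule(plurals: Iterable[str]) -> Dict[str, List[str]]:
    """Role rule the Helm chart must grant for the configured kinds.

    list/watch are what the chart hunk in this thread grants; 'patch' is added
    here because kopf patches the objects it handles for its own bookkeeping
    (assumption: the operator keeps kopf's default progress storage).
    """
    return {
        "apiGroups": [TRIVY_GROUP],
        "resources": sorted(set(plurals)),
        "verbs": ["list", "watch", "patch"],
    }


def summarize_report(body: dict, **_) -> dict:
    """Handler body: pick out what a DefectDojo import needs from a report.

    Every Trivy report carries its findings under the top-level 'report' key,
    so one handler serves all kinds. kopf passes the object as ``body`` plus
    extra keyword arguments (logger, meta, ...), which are ignored here.
    """
    meta = body["metadata"]
    return {
        "kind": body["kind"],
        "namespace": meta.get("namespace"),
        "name": meta["name"],
        "report": body.get("report", {}),
    }


def register_report_handlers(plurals, on_create, handler=summarize_report):
    """Attach `handler` to every configured kind through `on_create`.

    `on_create(group, version, plural)` must return a decorator, which is
    kopf.on.create's shape; injecting it keeps the wiring testable without
    a cluster or kopf installed.
    """
    registered = {}
    for plural in plurals:
        registered[plural] = on_create(TRIVY_GROUP, TRIVY_VERSION, plural)(handler)
    return registered


try:
    import kopf  # only needed when running under `kopf run`
except ImportError:  # the helpers above stay usable without kopf
    kopf = None

if kopf is not None:
    # Run with: REPORTS=sbomreports,configauditreports kopf run thisfile.py
    register_report_handlers(reports_from_env(), kopf.on.create)
```

Calling rbac_rule(reports_from_env()) at chart-templating time, or at least comparing its resources list against the Role in templates/rbac.yaml, is the cheap check that keeps the RBAC in step with whatever REPORTS accepts; a kind that parses fine but is missing from the Role only shows up later as a watch denied by the API server.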

rndmh3ro commented 9 months ago

https://github.com/aquasecurity/trivy-operator/pull/1839

corvusmod commented 9 months ago

Hi

I see that you created a new version with the needed changes. Thanks. While testing, the changes seem to be working, but there is a problem with permissions in the Helm chart: no access to some resources.

I fixed it with that change:

diff --git a/templates/rbac.yaml b/templates/rbac.yaml
index 1555487..598e7ea 100644
--- a/templates/rbac.yaml
+++ b/templates/rbac.yaml
@@ -18,6 +18,10 @@ rules:
   - aquasecurity.github.io
   resources:
   - vulnerabilityreports
+  - rbacassessmentreports
+  - configauditreports
+  - infraassessmentreports
+  - exposedsecretreports
   verbs:
   - list
   - watch
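Review bot: sbomreports, which the REPORTS example earlier in this thread lists as an accepted value, is not among the resources added to this rule, so an operator configured to watch it would still be denied; add it here (and any other kinds REPORTS accepts, including cluster-scoped variants if the operator can watch them) so the chart's RBAC stays in step with the allowed values. Also, the verbs visible in this hunk are only list and watch, while the "Patching failed with inconsistencies" errors mentioned above imply the operator patches the report objects; confirm that a patch verb is granted elsewhere in the Role or add it to this rule.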
rndmh3ro commented 9 months ago

Great catch, thanks! Do you want to create a PR to fix this?

corvusmod commented 9 months ago

Done

https://github.com/telekom-mms/trivy-dojo-report-operator/pull/55