update

Author: manuel-sommer

dojo/tools/trivy/parser.py

@@ -33,28 +33,34 @@
 **Type:** {type}
 **Fixed version:** {fixed_version}
 
-{description_text}
+{service_text}{description_text}
 """
 
 MISC_DESCRIPTION_TEMPLATE = """**Target:** {target}
 **Type:** {type}
 
-{description}
+{service_text}{description}
 {message}
 """
 
 SECRET_DESCRIPTION_TEMPLATE = """{title}
 **Category:** {category}
-**Match:** {match}
+{service_text}**Match:** {match}
 """  # noqa: S105
 
 LICENSE_DESCRIPTION_TEMPLATE = """{title}
 **Category:** {category}
-**Package:** {package}
+{service_text}**Package:** {package}
 """
 
 
 class TrivyParser:
+    @staticmethod
+    def _service_text(service_name):
+        if service_name:
+            return f"**Service:** {service_name}\n"
+        return ""
+
     def get_scan_types(self):
         return ["Trivy Scan"]
 
@@ -319,6 +325,7 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     title=vuln.get("Title", ""),
                     target=target,
                     type=vul_type,
+                    service_text=self._service_text(service_name),
                     fixed_version=mitigation,
                     description_text=vuln.get("Description", ""),
                 )
@@ -341,7 +348,6 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     static_finding=True,
                     dynamic_finding=False,
                     fix_available=fix_available,
-                    service=service_name,
                     **status_fields,
                 )
                 finding.unsaved_tags = [vul_type, target_class]
@@ -377,6 +383,7 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                 description = MISC_DESCRIPTION_TEMPLATE.format(
                     target=target_target,
                     type=misc_type,
+                    service_text=self._service_text(service_name),
                     description=misc_description,
                     message=misc_message,
                 )
@@ -400,7 +407,6 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     fix_available=True,
                     static_finding=True,
                     dynamic_finding=False,
-                    service=service_name,
                 )
                 if misc_avdid:
                     finding.unsaved_vulnerability_ids = []
@@ -420,6 +426,7 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                 description = SECRET_DESCRIPTION_TEMPLATE.format(
                     title=secret_title,
                     category=secret_category,
+                    service_text=self._service_text(service_name),
                     match=secret_match,
                 )
                 severity = TRIVY_SEVERITIES[secret_severity]
@@ -434,7 +441,6 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     static_finding=True,
                     dynamic_finding=False,
                     fix_available=True,
-                    service=service_name,
                 )
                 finding.unsaved_tags = [target_class]
                 items.append(finding)
@@ -453,6 +459,7 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                 description = LICENSE_DESCRIPTION_TEMPLATE.format(
                     title=license_name,
                     category=license_category,
+                    service_text=self._service_text(service_name),
                     package=license_pkgname,
                 )
                 severity = TRIVY_SEVERITIES[license_severity]
@@ -468,7 +475,6 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     static_finding=True,
                     dynamic_finding=False,
                     fix_available=True,
-                    service=service_name,
                 )
                 finding.unsaved_tags = [target_class]
                 items.append(finding)

unittests/tools/test_trivy_parser.py

@@ -118,6 +118,7 @@ def test_kubernetes(self):
 **Type:** debian
 **Fixed version:** 1.8.2.2
 
+**Service:** default / Deployment / redis-follower
 APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;
 """
             self.assertEqual(description, finding.description)
@@ -127,7 +128,7 @@ def test_kubernetes(self):
             self.assertEqual(["debian", "os-pkgs"], finding.unsaved_tags)
             self.assertEqual("apt", finding.component_name)
             self.assertEqual("1.8.2.1", finding.component_version)
-            self.assertEqual("default / Deployment / redis-follower", finding.service)
+            self.assertIsNone(finding.service)
             self.assertEqual(finding.file_path, "gcr.io/google_samples/gb-redis-follower:v2 (debian 10.4)")
             finding = findings[5]
             self.assertEqual("CVE-2020-27350 apt 1.8.2.1", finding.title)
@@ -137,6 +138,7 @@ def test_kubernetes(self):
 **Type:** debian
 **Fixed version:** 1.8.2.2
 
+**Service:** default / Deployment / redis-leader
 APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;
 """
             self.assertEqual(description, finding.description)
@@ -146,13 +148,14 @@ def test_kubernetes(self):
             self.assertEqual(["debian", "os-pkgs"], finding.unsaved_tags)
             self.assertEqual("apt", finding.component_name)
             self.assertEqual("1.8.2.1", finding.component_version)
-            self.assertEqual("default / Deployment / redis-leader", finding.service)
+            self.assertIsNone(finding.service)
             finding = findings[10]
             self.assertEqual("KSV001 - Process can elevate its own privileges", finding.title)
             self.assertEqual("Medium", finding.severity)
             description = """**Target:** Deployment/redis-follower
 **Type:** Kubernetes Security Check
 
+**Service:** default / Deployment / redis-follower
 A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
 Container 'follower' of Deployment 'redis-follower' should set 'securityContext.allowPrivilegeEscalation' to false
 Number  Content
@@ -174,7 +177,7 @@ def test_kubernetes(self):
             self.assertEqual(["kubernetes", "config"], finding.unsaved_tags)
             self.assertIsNone(finding.component_name)
             self.assertIsNone(finding.component_version)
-            self.assertEqual("default / Deployment / redis-follower", finding.service)
+            self.assertIsNone(finding.service)
 
     def test_license_scheme(self):
         with sample_path("license_scheme.json").open(encoding="utf-8") as test_file: