
Add new "evaluations" format support to Anchorectl parser #12425

Merged
Maffooch merged 5 commits into
DefectDojo:bugfixfrom
cosmel-dojo:sc-11051-fix-anchorectl-parser-support
May 22, 2025

Conversation

@cosmel-dojo (Contributor) commented May 12, 2025

⚠️ Note on feature completeness ⚠️

Description

This PR fixes the AnchoreCTL Policies Report parser to support both legacy and new formats generated by the AnchoreCTL tool. Users reported issues importing newer format policy reports from AnchoreCTL with the -o json flag, as the parser expected a list at the root level, but the new format has an object with an evaluations array.

The changes:

  • Add detection logic to identify the new format (object with 'evaluations' array)
  • Implement transformation logic to convert new format data into a structure compatible with existing parser logic
  • Improve error handling with more descriptive messages
  • Make field extraction more robust with proper fallbacks for both formats

Test results

Extended the test suite by adding 4 new test cases that specifically target the new format:

  • test_new_format_anchore_engine_parser_has_no_finding
  • test_new_format_anchore_engine_parser_has_one_finding_and_it_is_correctly_parsed
  • test_new_format_anchore_engine_parser_has_many_findings
  • test_new_format_anchore_engine_parser_has_one_finding_and_description_has_severity

All tests pass successfully, verifying that both the legacy and new formats are properly supported.

Commands to run tests locally:

# Make sure the testing environment is running
docker compose -f docker-compose.yml -f docker-compose.override.unit_tests.yml up -d

# Run the tests
./run-unittest.sh --test-case unittests.tools.test_anchorectl_policies_parser.TestAnchoreCTLPoliciesParser

Documentation

No documentation update needed as the parser description already mentions both formats are supported.

Checklist

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

… array

This commit updates the AnchoreCTL Policies parser to support both the legacy and new format reports generated by the AnchoreCTL tool.

Changes:
- Added detection for the new format which has an object with evaluations array instead of a root-level list
- Implemented conversion logic to transform the new format into a compatible structure for parsing
- Improved error handling with more descriptive messages
- Made field extraction more robust with proper fallbacks between formats

The parser now successfully processes both:
- Legacy format (list at root level)
- New format from anchorectl policy evaluate -o json (object with evaluations array)
@dryrunsecurity (Bot) commented May 12, 2025
DryRun Security

This pull request reveals multiple security concerns, including potential information disclosure through verbose error handling, unsafe JSON parsing, root user permissions in Docker images, and two significant vulnerabilities (high and medium severity) in a test binary, which collectively suggest the need for improved security practices and vulnerability management.

💭 Unconfirmed Findings (5)

  • Potential Information Disclosure through Verbose Error Handling: Located in dojo/tools/anchorectl_policies/parser.py, this vulnerability involves logging warnings instead of raising exceptions, which could allow partial or incomplete scan results without clear user indication, potentially leading to missed security findings.
  • Unsafe JSON Parsing with Multiple Decoding Attempts: Found in dojo/tools/anchorectl_policies/parser.py, this risk involves multiple JSON decoding attempts that could expose the parser to inconsistent parsing behaviors, potentially causing parsing errors or unexpected results.
  • Root User Effective Permissions: Discovered in multiple test JSON files (unittests/scans/anchorectl_policies/), this vulnerability involves Docker images running with root user privileges, which presents elevated security risks if the container is compromised.
  • High Severity Vulnerability in Non-OS Package: Located in unittests/scans/anchorectl_policies/new_format_many_violations.json, this is a HIGH severity vulnerability (CVE-2022-1234) in /usr/local/bin/testbinary with a 'stop' status, indicating a critical security concern.
  • Medium Severity Vulnerability in Non-OS Package: Found in unittests/scans/anchorectl_policies/new_format_many_violations.json, this is a MEDIUM severity vulnerability (GHSA-1234-abcd-5678) in /usr/local/bin/testbinary with a 'stop' status, representing a significant security risk.

All finding details can be found in the DryRun Security Dashboard.

@Maffooch Maffooch requested a review from dogboat May 12, 2025 18:01
@Maffooch Maffooch added this to the 2.46.3 milestone May 12, 2025
@valentijnscholten (Member):

Hello @cosmel-dojo, welcome to the team. Does this PR fix #12362? I think it does, but the example report in there contains a little bit more data than the samples in this PR.

@cosmel-dojo (Contributor, Author):

Hello @cosmel-dojo, welcome to the team. Does this PR fix #12362? I think it does, but the example report in there contains a little bit more data than the samples in this PR.

I used the sample file the user attached, to apply the solution.

The tests I added are using the new format that the AnchoreCTL uses.

@cosmel-dojo cosmel-dojo changed the title Sc 11051 fix anchorectl parser support Fix anchorectl parser support May 15, 2025

@dogboat (Contributor) left a comment:

Nice! 🙌

@valentijnscholten (Member):

@cosmel-dojo Would it make sense to add one or two lines to ./docs/content/en/connecting_your_tools/parsers/file/anchorectl_policies.md to explain the command needed to generate the report(s)? It might be very straightforward because I don't know anchore. But in general I think it's good to have an example command in the docs.

@github-actions github-actions Bot added the docs label May 16, 2025
@cosmel-dojo (Contributor, Author):

@cosmel-dojo Would it make sense to add one or two lines to ./docs/content/en/connecting_your_tools/parsers/file/anchorectl_policies.md to explain the command needed to generate the report(s)? It might be very straightforward because I don't know anchore. But in general I think it's good to have an example command in the docs.

Hey @valentijnscholten

I updated the Anchorectl Policies.

@valentijnscholten valentijnscholten changed the title Fix anchorectl parser support Add new "evaluations" format support to Anchorectl parser May 17, 2025

@mtesauro (Contributor) left a comment:

Approved

@valentijnscholten valentijnscholten modified the milestones: 2.46.3, 2.47.0 May 19, 2025
@Maffooch Maffooch merged commit 5a57c1f into DefectDojo:bugfix May 22, 2025
78 checks passed
xansec pushed a commit to xansec/django-DefectDojo that referenced this pull request Jun 18, 2025
…#12425)

* Fix AnchoreCTL Policies parser to support new format with evaluations array

This commit updates the AnchoreCTL Policies parser to support both the legacy and new format reports generated by the AnchoreCTL tool.

Changes:
- Added detection for the new format which has an object with evaluations array instead of a root-level list
- Implemented conversion logic to transform the new format into a compatible structure for parsing
- Improved error handling with more descriptive messages
- Made field extraction more robust with proper fallbacks between formats

The parser now successfully processes both:
- Legacy format (list at root level)
- New format from anchorectl policy evaluate -o json (object with evaluations array)

* Added tests for the new format to verify correct parsing

* Fixed linter errors

* Update AnchoreCTL Policies Report documentation for clarity and format support

* Removed unnecessary text from anchorectl_policies