diff --git a/.gitignore b/.gitignore
index 70226312..68457ff3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,6 +28,7 @@ go.work.sum cli-v2 codacy-cli **/.codacy/logs/
+.codacy/
 #Ignore cursor AI rules
diff --git a/tools/trivyConfigCreator.go b/tools/trivyConfigCreator.go
index 36be28ba..275c7dc0 100644
--- a/tools/trivyConfigCreator.go
+++ b/tools/trivyConfigCreator.go
@@ -8,12 +8,13 @@ import (
 // CreateTrivyConfig generates a Trivy configuration based on the tool configuration
 func CreateTrivyConfig(config []domain.PatternConfiguration) string {
+ // Default settings - include all severities and scanners
- includeLow := true
- includeMedium := true
- includeHigh := true
- includeCritical := true
- includeSecret := true
+ includeLow := false
+ includeMedium := false
+ includeHigh := false
+ includeCritical := false
+ includeSecret := false
 // Process patterns from Codacy API
 for _, pattern := range config {
@@ -32,11 +33,18 @@ func CreateTrivyConfig(config []domain.PatternConfiguration) string {
 if pattern.PatternDefinition.Id == "Trivy_vulnerability_medium" {
 includeMedium = patternEnabled
 }
- if pattern.PatternDefinition.Id == "Trivy_vulnerability" {
- // This covers HIGH and CRITICAL
+ if pattern.PatternDefinition.Id == "Trivy_vulnerability_high" {
 includeHigh = patternEnabled
+ }
+ if pattern.PatternDefinition.Id == "Trivy_vulnerability_critical" {
 includeCritical = patternEnabled
 }
+ if pattern.PatternDefinition.Id == "Trivy_vulnerability" {
+ // This covers HIGH and CRITICAL
+ // Now there are other patterns that turn these severities on
+ includeHigh = patternEnabled || includeHigh
+ includeCritical = patternEnabled || includeCritical
+ }
 if pattern.PatternDefinition.Id == "Trivy_secret" {
 includeSecret = patternEnabled
 }
diff --git a/tools/trivyConfigCreator_test.go b/tools/trivyConfigCreator_test.go
index 3c8d78d4..e68e1992 100644
--- a/tools/trivyConfigCreator_test.go
+++ b/tools/trivyConfigCreator_test.go
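Review bot: The comment added at the top of the hunk, `// Default settings - include all severities and scanners`, now contradicts the five initialisations directly beneath it, which this hunk flips from `true` to `false`. With the new defaults a severity or scanner that has no matching pattern in `config` is left off, so the comment should say so: `// Default settings - nothing is enabled until a Codacy pattern turns it on`. The changed fallback is also worth a sentence in the CreateTrivyConfig doc comment, since an empty configuration now yields an empty severity list (as the updated TestCreateTrivyConfigEmptyConfig pins) rather than a full scan. CreateTrivyConfig's body continues beyond the hunk.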
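Review bot: The new `Trivy_vulnerability_high` and `Trivy_vulnerability_critical` branches assign `includeHigh = patternEnabled` / `includeCritical = patternEnabled` unconditionally while the `Trivy_vulnerability` branch below ORs into the same flags, so the outcome depends on the order of entries in `config`: a disabled `_high` pattern listed after an enabled `Trivy_vulnerability` clears a severity the aggregate pattern had just turned on. Since both flags now start at `false`, the specific branches can OR as well — `includeHigh = includeHigh || patternEnabled` and `includeCritical = includeCritical || patternEnabled` — which makes the fold order-independent and matches the idiom already used two lines below. As far as the test hunks show, the new `...EventIfPatternsOverlap` test lists only an enabled `Trivy_vulnerability`, so it would not catch this. The enclosing loop and the assignment of `patternEnabled` lie outside the hunk.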
@@ -16,15 +16,10 @@ func TestCreateTrivyConfigEmptyConfig(t *testing.T) { testTrivyConfig(t, []domain.PatternConfiguration{}, `severity: - - LOW - - MEDIUM - - HIGH - - CRITICAL scan: scanners: - vuln - - secret `) } @@ -53,6 +48,28 @@ func TestCreateTrivyConfigAllEnabled(t *testing.T) { }, }, }, + { + PatternDefinition: domain.PatternDefinition{ + Id: "Trivy_vulnerability_high", + }, + Parameters: []domain.ParameterConfiguration{ + { + Name: "enabled", + Value: "true", + }, + }, + }, + { + PatternDefinition: domain.PatternDefinition{ + Id: "Trivy_vulnerability_critical", + }, + Parameters: []domain.ParameterConfiguration{ + { + Name: "enabled", + Value: "true", + }, + }, + }, { PatternDefinition: domain.PatternDefinition{ Id: "Trivy_vulnerability", @@ -94,12 +111,56 @@ func TestCreateTrivyConfigNoLow(t *testing.T) { []domain.PatternConfiguration{ { PatternDefinition: domain.PatternDefinition{ - Id: "Trivy_vulnerability_minor", + Id: "Trivy_vulnerability_medium", + }, + Parameters: []domain.ParameterConfiguration{ + { + Name: "enabled", + Value: "true", + }, + }, + }, + { + PatternDefinition: domain.PatternDefinition{ + Id: "Trivy_vulnerability_high", + }, + Parameters: []domain.ParameterConfiguration{ + { + Name: "enabled", + Value: "true", + }, + }, + }, + { + PatternDefinition: domain.PatternDefinition{ + Id: "Trivy_vulnerability_critical", + }, + Parameters: []domain.ParameterConfiguration{ + { + Name: "enabled", + Value: "true", + }, + }, + }, + { + PatternDefinition: domain.PatternDefinition{ + Id: "Trivy_vulnerability", + }, + Parameters: []domain.ParameterConfiguration{ + { + Name: "enabled", + Value: "true", + }, + }, + }, + { + PatternDefinition: domain.PatternDefinition{ + Id: "Trivy_secret", }, Parameters: []domain.ParameterConfiguration{ { Name: "enabled", - Value: "false", + Value: "true", }, }, }, 
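Review bot: The expected output in TestCreateTrivyConfigEmptyConfig now pins an item-less `severity:` key alongside a `vuln` scanner, i.e. a vulnerability scan with a null severity filter. Whether Trivy reads a null `severity` as "nothing" or falls back to its own default set is not made explicit by the generator or the test; if it is the latter, an empty Codacy configuration would scan for more than the user selected, which appears to be the opposite of what the new defaults intend. Worth settling the intended semantics and either dropping `vuln` from `scanners` when no severity is enabled, or adding a comment above the expected string such as `// a null severity list is intentional: Trivy is expected to report nothing` once that has been confirmed. The same shape appears in the new TestCreateTrivyConfigNoVulnerabilitiesWithSecret further down; the test's signature is in the hunk header and testTrivyConfig itself is outside the diff.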
@@ -116,31 +177,34 @@ scan: `) } -func TestCreateTrivyConfigOnlyHigh(t *testing.T) { +func TestCreateTrivyConfigOnlyHighAndCritical(t *testing.T) { testTrivyConfig(t, []domain.PatternConfiguration{ { PatternDefinition: domain.PatternDefinition{ - Id: "Trivy_vulnerability_minor", - }, - Parameters: []domain.ParameterConfiguration{ - { - Name: "enabled", - Value: "false", - }, - }, - }, - { - PatternDefinition: domain.PatternDefinition{ - Id: "Trivy_vulnerability_medium", + Id: "Trivy_vulnerability", }, Parameters: []domain.ParameterConfiguration{ { Name: "enabled", - Value: "false", + Value: "true", }, }, }, + }, + `severity: + - HIGH + - CRITICAL + +scan: + scanners: + - vuln +`) +} + +func TestCreateTrivyConfigNoVulnerabilitiesWithSecret(t *testing.T) { + testTrivyConfig(t, + []domain.PatternConfiguration{ { PatternDefinition: domain.PatternDefinition{ Id: "Trivy_secret", @@ -148,22 +212,21 @@ func TestCreateTrivyConfigOnlyHigh(t *testing.T) { Parameters: []domain.ParameterConfiguration{ { Name: "enabled", - Value: "false", + Value: "true", }, }, }, }, `severity: - - HIGH - - CRITICAL scan: scanners: - vuln + - secret `) } -func TestCreateTrivyConfigNoVulnerabilities(t *testing.T) { +func TestCreateTrivyConfigOnlyLowWithSecrets(t *testing.T) { testTrivyConfig(t, []domain.PatternConfiguration{ { 
@@ -173,48 +236,62 @@ func TestCreateTrivyConfigNoVulnerabilities(t *testing.T) { Parameters: []domain.ParameterConfiguration{ { Name: "enabled", - Value: "false", + Value: "true", }, }, }, { PatternDefinition: domain.PatternDefinition{ - Id: "Trivy_vulnerability_medium", + Id: "Trivy_secret", }, Parameters: []domain.ParameterConfiguration{ { Name: "enabled", - Value: "false", + Value: "enabled", }, }, }, + }, + `severity: + - LOW + +scan: + scanners: + - vuln + - secret +`) +} + +func TestCreateTrivyConfigOnlyHigh(t *testing.T) { + testTrivyConfig(t, + []domain.PatternConfiguration{ { PatternDefinition: domain.PatternDefinition{ - Id: "Trivy_vulnerability", + Id: "Trivy_vulnerability_high", }, Parameters: []domain.ParameterConfiguration{ { Name: "enabled", - Value: "false", + Value: "true", }, }, }, }, `severity: + - HIGH scan: scanners: - vuln - - secret `) } -func TestCreateTrivyConfigOnlySecretsLow(t *testing.T) { +func TestCreateTrivyConfigOnlyCriticalWithSecrets(t *testing.T) { testTrivyConfig(t, []domain.PatternConfiguration{ { PatternDefinition: domain.PatternDefinition{ - Id: "Trivy_vulnerability_minor", + Id: "Trivy_vulnerability_critical", }, Parameters: []domain.ParameterConfiguration{ { @@ -225,15 +302,29 @@ func TestCreateTrivyConfigOnlySecretsLow(t *testing.T) { }, { PatternDefinition: domain.PatternDefinition{ - Id: "Trivy_vulnerability_medium", + Id: "Trivy_secret", }, Parameters: []domain.ParameterConfiguration{ { Name: "enabled", - Value: "false", + Value: "true", }, }, }, + }, + `severity: + - CRITICAL + +scan: + scanners: + - vuln + - secret +`) +} + +func TestCreateTrivyConfigOnlyHighAndCriticalEventIfPatternsOverlap(t *testing.T) { + testTrivyConfig(t, + []domain.PatternConfiguration{ { PatternDefinition: domain.PatternDefinition{ Id: "Trivy_vulnerability", 
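Review bot: In TestCreateTrivyConfigOnlyLowWithSecrets the `Trivy_secret` pattern is given `Value: "enabled"` where every other entry in this diff uses `"true"`, yet the expected YAML still lists the `secret` scanner. Either this is a typo for `"true"`, or the enabled-flag parsing in CreateTrivyConfig (not in this diff) treats any value other than `"false"` as enabled, in which case a malformed value silently switches a scanner on and that leniency deserves a test that names it rather than one that relies on it by accident. Suggest `Value: "true",` here and, if the lenient parsing is intended, a separate test along the lines of TestCreateTrivyConfigNonBooleanEnabledValue. The function's closing lines are outside the hunk.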
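Review bot: The new test name `TestCreateTrivyConfigOnlyHighAndCriticalEventIfPatternsOverlap` near the end of the hunk reads as a typo for `EvenIf`; suggest `func TestCreateTrivyConfigOnlyHighAndCriticalEvenIfPatternsOverlap(t *testing.T) {`. Its body continues into the next hunk, and the part that is visible lists only `Trivy_vulnerability`, so the name promises an overlap — an explicit `_high` or `_critical` entry alongside the aggregate pattern — that the inputs do not appear to exercise. Adding a `Trivy_vulnerability_high` entry with `Value: "false"` after the aggregate one would make the test cover the case it is named for.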
@@ -241,17 +332,17 @@ func TestCreateTrivyConfigOnlySecretsLow(t *testing.T) { Parameters: []domain.ParameterConfiguration{ { Name: "enabled", - Value: "false", + Value: "true", }, }, }, }, `severity: - - LOW + - HIGH + - CRITICAL scan: scanners: - vuln - - secret `) }