Support Trivy JSON files as source for the security warnings metric. Closes #6927.
fniessink committed Sep 15, 2023
1 parent 2cb043b commit f4dced8
Showing 8 changed files with 211 additions and 63 deletions.
123 changes: 62 additions & 61 deletions components/shared_code/src/shared_data_model/metrics.py
@@ -327,6 +327,50 @@
sources=["manual_number", "performancetest_runner"],
tags=[Tag.PERFORMANCE],
),
"security_warnings": Metric(
name="Security warnings",
description="The number of security warnings about the software.",
rationale="Monitor security warnings about the software, its source code, dependencies, or "
"infrastructure so vulnerabilities can be fixed before they end up in production.",
unit=Unit.SECURITY_WARNINGS,
near_target="5",
sources=[
"anchore",
"anchore_jenkins_plugin",
"bandit",
"cargo_audit",
"cxsast",
"generic_json",
"harbor",
"manual_number",
"openvas",
"owasp_dependency_check",
"owasp_zap",
"pyupio_safety",
"sarif_json",
"snyk",
"sonarqube",
"trivy_json",
],
tags=[Tag.SECURITY],
),
"sentiment": Metric(
name="Sentiment",
description="How are the team members feeling?",
rationale="Satisfaction is how fulfilled developers feel with their work, team, tools, or culture; "
"well-being is how healthy and happy they are, and how their work impacts it. Measuring satisfaction "
"and well-being can be beneficial for understanding productivity and perhaps even for predicting it. "
"For example, productivity and satisfaction are correlated, and it is possible that satisfaction could "
"serve as a leading indicator for productivity; a decline in satisfaction and engagement could signal "
"upcoming burnout and reduced productivity.",
rationale_urls=["https://queue.acm.org/detail.cfm?id=3454124"],
unit=Unit.NONE,
addition=Addition.MIN,
direction=Direction.MORE_IS_BETTER,
target="10",
near_target="8",
sources=["manual_number"],
),
"slow_transactions": Metric(
name="Slow transactions",
description="The number of transactions slower than their target response time.",
@@ -337,6 +381,24 @@
sources=["gatling", "manual_number", "jmeter_csv", "jmeter_json", "performancetest_runner"],
tags=[Tag.PERFORMANCE],
),
"software_version": Metric(
name="Software version",
description="The version number of the software as analyzed by the source.",
rationale="Monitor that the version of the software is at least a specific version or get notified when "
"the software version becomes higher than a specific version.",
explanation=VERSION_NUMBER_EXPLANATION,
explanation_urls=VERSION_NUMBER_EXPLANATION_URLS,
scales=["version_number"],
addition=Addition.MIN,
direction=Direction.MORE_IS_BETTER,
target="1.0",
near_target="0.9",
sources=[
"performancetest_runner",
"sonarqube",
],
tags=[Tag.CI],
),
"source_up_to_dateness": Metric(
name="Source up-to-dateness",
description="The number of days since the source was last updated.",
@@ -378,24 +440,6 @@
],
tags=[Tag.CI],
),
"software_version": Metric(
name="Software version",
description="The version number of the software as analyzed by the source.",
rationale="Monitor that the version of the software is at least a specific version or get notified when "
"the software version becomes higher than a specific version.",
explanation=VERSION_NUMBER_EXPLANATION,
explanation_urls=VERSION_NUMBER_EXPLANATION_URLS,
scales=["version_number"],
addition=Addition.MIN,
direction=Direction.MORE_IS_BETTER,
target="1.0",
near_target="0.9",
sources=[
"performancetest_runner",
"sonarqube",
],
tags=[Tag.CI],
),
"source_version": Metric(
name="Source version",
description="The version number of the source.",
@@ -438,49 +482,6 @@
],
tags=[Tag.CI],
),
"security_warnings": Metric(
name="Security warnings",
description="The number of security warnings about the software.",
rationale="Monitor security warnings about the software, its source code, dependencies, or "
"infrastructure so vulnerabilities can be fixed before they end up in production.",
unit=Unit.SECURITY_WARNINGS,
near_target="5",
sources=[
"anchore",
"anchore_jenkins_plugin",
"bandit",
"cargo_audit",
"cxsast",
"generic_json",
"harbor",
"manual_number",
"openvas",
"owasp_dependency_check",
"owasp_zap",
"pyupio_safety",
"sarif_json",
"snyk",
"sonarqube",
],
tags=[Tag.SECURITY],
),
"sentiment": Metric(
name="Sentiment",
description="How are the team members feeling?",
rationale="Satisfaction is how fulfilled developers feel with their work, team, tools, or culture; "
"well-being is how healthy and happy they are, and how their work impacts it. Measuring satisfaction "
"and well-being can be beneficial for understanding productivity and perhaps even for predicting it. "
"For example, productivity and satisfaction are correlated, and it is possible that satisfaction could "
"serve as a leading indicator for productivity; a decline in satisfaction and engagement could signal "
"upcoming burnout and reduced productivity.",
rationale_urls=["https://queue.acm.org/detail.cfm?id=3454124"],
unit=Unit.NONE,
addition=Addition.MIN,
direction=Direction.MORE_IS_BETTER,
target="10",
near_target="8",
sources=["manual_number"],
),
"suppressed_violations": Metric(
name="Suppressed violations",
description="The number of violations suppressed in the source.",
@@ -36,6 +36,7 @@
from .sonarqube import SONARQUBE
from .testng import TESTNG
from .trello import TRELLO
from .trivy import TRIVY_JSON

SOURCES = {
"anchore": ANCHORE,
@@ -81,5 +82,6 @@
"snyk": SNYK,
"sonarqube": SONARQUBE,
"testng": TESTNG,
"trivy_json": TRIVY_JSON,
"trello": TRELLO,
}
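Review bot: The new `"trivy_json": TRIVY_JSON,` entry is inserted before `"trello": TRELLO,`, which breaks the alphabetical order the rest of the SOURCES mapping follows (`"snyk"`, `"sonarqube"`, `"testng"`, `"trello"`) and that the import block in the first hunk does keep (`from .trivy import TRIVY_JSON` correctly comes after `from .trello import TRELLO`). Swap the two lines so the mapping ends with `"trello": TRELLO,` followed by `"trivy_json": TRIVY_JSON,`. Nothing else in this section needs to change.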
@@ -183,6 +183,7 @@
"Jira",
"JMeter CSV",
"JMeter JSON",
"JSON file with security warnings",
"JUnit XML report",
"Manual number",
"NCover",
@@ -199,10 +200,10 @@
"Robot Framework Jenkins plugin",
"SARIF",
"Snyk",
"JSON file with security warnings",
"SonarQube",
"TestNG",
"Trello",
"Trivy JSON",
],
api_values={
"Anchore": "anchore",
@@ -249,6 +250,7 @@
"SonarQube": "sonarqube",
"TestNG": "testng",
"Trello": "trello",
"Trivy JSON": "trivy_json",
},
metrics=["metrics"],
),
@@ -1,4 +1,4 @@
"""SARIF JSON for security warnings source."""
"""SARIF JSON source."""

from pydantic import HttpUrl

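--- a/components/shared_code/src/shared_data_model/sources/trivy.py
+++ b/components/shared_code/src/shared_data_model/sources/trivy.py
@@ -0,0 +1,38 @@
+"""Trivy JSON source."""
+
+from pydantic import HttpUrl
+
+from shared_data_model.meta.entity import Color, Entity, EntityAttribute
+from shared_data_model.meta.source import Source
+from shared_data_model.parameters import Severities, access_parameters
+
+TRIVY_JSON = Source(
+name="Trivy JSON",
+description="A Trivy vulnerability report in JSON format.",
+url=HttpUrl("https://aquasecurity.github.io/trivy/v0.45/docs/configuration/reporting/#json"),
+parameters={
+"levels": Severities(
+name="Levels",
+placeholder="all levels",
+help="If provided, only count security warnings with the selected levels.",
+values=["unknown", "low", "medium", "high", "critical"],
+metrics=["security_warnings"],
+),
+**access_parameters(["security_warnings"], source_type="Trivy vulnerability report", source_type_format="JSON"),
+},
+entities={
+"security_warnings": Entity(
+name="security warning",
+attributes=[
+EntityAttribute(name="Vulnerability ID"),
+EntityAttribute(name="Title"),
+EntityAttribute(
+name="Level", color={"critical": Color.NEGATIVE, "high": Color.WARNING, "unknown": Color.ACTIVE}
+),
+EntityAttribute(name="Package name"),
+EntityAttribute(name="Installed version"),
+EntityAttribute(name="Fixed version"),
+],
+),
+},
+)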
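Review bot: The security warning entity declares no attribute for the scan target, although every vulnerability in the accompanying fixture `components/testdata/reports/trivy/trivy.json` is nested under a `Target` (for example `node-app/package-lock.json` and `trivy-ci-test (alpine 3.7.1)`), so the same CVE in the same package reported for two targets would render as indistinguishable rows and, if the collector derives entity keys from these attributes, might even collapse into one. Consider adding `EntityAttribute(name="Target"),` to the attribute list and, if the collector passes it through, a `Description` attribute so a reader can act on the warning without opening the raw report. The `url` pins the Trivy documentation at `v0.45`; a version-specific link tends to go stale as Trivy releases, so a non-versioned link is preferable if the docs site publishes one.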
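--- a/components/testdata/reports/trivy/trivy.json
+++ b/components/testdata/reports/trivy/trivy.json
@@ -0,0 +1,101 @@
+[
+{
+"Target": "php-app/composer.lock",
+"Vulnerabilities": null
+},
+{
+"Target": "node-app/package-lock.json",
+"Vulnerabilities": [
+{
+"VulnerabilityID": "CVE-2018-16487",
+"PkgName": "lodash",
+"InstalledVersion": "4.17.4",
+"FixedVersion": "\u003e=4.17.11",
+"Title": "lodash: Prototype pollution in utilities function",
+"Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
+"Severity": "HIGH",
+"References": [
+"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487"
+]
+}
+]
+},
+{
+"Target": "trivy-ci-test (alpine 3.7.1)",
+"Vulnerabilities": [
+{
+"VulnerabilityID": "CVE-2018-16840",
+"PkgName": "curl",
+"InstalledVersion": "7.61.0-r0",
+"FixedVersion": "7.61.1-r1",
+"Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
+"Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
+"Severity": "HIGH",
+"References": [
+"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840"
+]
+},
+{
+"VulnerabilityID": "CVE-2019-3822",
+"PkgName": "curl",
+"InstalledVersion": "7.61.0-r0",
+"FixedVersion": "7.61.1-r2",
+"Title": "curl: NTLMv2 type-3 header stack buffer overflow",
+"Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
+"Severity": "HIGH",
+"References": [
+"https://curl.haxx.se/docs/CVE-2019-3822.html",
+"https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
+]
+},
+{
+"VulnerabilityID": "CVE-2018-16839",
+"PkgName": "curl",
+"InstalledVersion": "7.61.0-r0",
+"FixedVersion": "7.61.1-r1",
+"Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
+"Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
+"Severity": "HIGH",
+"References": [
+"https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5"
+]
+},
+{
+"VulnerabilityID": "CVE-2018-19486",
+"PkgName": "git",
+"InstalledVersion": "2.15.2-r0",
+"FixedVersion": "2.15.3-r0",
+"Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
+"Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
+"Severity": "HIGH",
+"References": [
+"https://usn.ubuntu.com/3829-1/"
+]
+},
+{
+"VulnerabilityID": "CVE-2018-17456",
+"PkgName": "git",
+"InstalledVersion": "2.15.2-r0",
+"FixedVersion": "2.15.3-r0",
+"Title": "git: arbitrary code execution via .gitmodules",
+"Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
+"Severity": "HIGH",
+"References": [
+"http://www.securitytracker.com/id/1041811"
+]
+}
+]
+},
+{
+"Target": "python-app/Pipfile.lock",
+"Vulnerabilities": null
+},
+{
+"Target": "ruby-app/Gemfile.lock",
+"Vulnerabilities": null
+},
+{
+"Target": "rust-app/Cargo.lock",
+"Vulnerabilities": null
+}
+]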
4 changes: 4 additions & 0 deletions docs/src/changelog.md
@@ -14,6 +14,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)

- The "Reset all settings" button did not reset filtered tags. Fixes [#6947](https://github.com/ICTU/quality-time/issues/6947).

### Added

- Support Trivy JSON files as source for the security warnings metric. Closes [#6927](https://github.com/ICTU/quality-time/issues/6927).

## v5.1.0 - 2023-09-05

### Deployment notes
