postee
postee copied to clipboard
aquasecurity
postee.trivyoperator.slack rego template enhancements
Description
I would like to request some enhancements for postee.trivyoperator.slack template.
postee.trivyoperator.slack template gives very simple information, for example:
Could you please add more info? for example:
- vulnerability metadata name and namespace
- report updateTimestamp
- scanner name and version
- artifact repo/image name
- artifact image tag
- vulnerability id
- vulnerability installedVersion
- vulnerability fixedVersion
- vulnerability title
- vulnerability primaryLink
- vulnerability severity if its possible to be in html format as severity type to be in the correct color, for example: CRITICAL - red, etc .
thanks for filing this, happy to review a PR if you'd like to contribute this.
cc @souravsk - this issue might be of interest to you if you're looking to contribute.
As always, let us know if you need any help getting started.
@souravsk under rego-templates dir there is a trivy-operator-slack.rego file, it should be update with the aforementioned requirements. You may also reuse trivy-jira.rego file
@grglzrv what is the command to get the output that you are showing. I want to check it some explem and see the output.
I want to know from where I can get all this data to display.
Do I just have to add here all the vulnerability id, metadata, namespace, title, etc just like critical, and high
and then use it in the trivy-operator-slack.rego
result = msg {
msg := sprintf(tpl, [
input.ArtifactName,
render_vlnrb("Critical", vln_list("CRITICAL")),
render_vlnrb("High", vln_list("HIGH")),
render_vlnrb("Medium", vln_list("MEDIUM")),
render_vlnrb("Low", vln_list("LOW")),
render_vlnrb("Negligible", vln_list("NEGLIGIBLE"))
])
}
or i have to do something else to get all this data to show the correct information @grglzrv
I have written all of this but still, I don't know where should i collect the data for this new tag that you have asked for.
Hi @souravsk this changes wont work, you need to install Trivy Operator, which has to be integrated with Postee. Postee will receive Vulnerability reports from the Trivy Operator as json format, so you need to write rego template for that for exmaple json
{
"updateTimestamp": "2022-09-28 │T06:21:55Z",
"scanner": {
"name": "Trivy",
"vendor": "Aqua Security",
"version": "0.31.3"
},
"registry": {
"server": "ghcr.io"
},
"artifact": {
"repository": "fluxcd/image-reflector-controller",
"tag": "v0.20.1"
},
"summary": {
"criticalCount": 0,
"highCount": 1,
"mediumCount": 0,
"lowCount": 0,
"unknownCount": 0,
"noneCount": 0
},
"vulnerabilities": [
{
"vulnerabilityID": "CVE-2022-27664",
"resource": "golang.org/x/net",
"installedVersion": "v0.0.0-20220722155237-a1 58d28d115b",
"fixedVersion": "0.0.0-20220906165146-f3363e06e74c",
"severity": "HIGH",
"title": "title1",
"primaryLink": "https://avd.aquasec.com/nvd/cve-2022-27664",
"links": [],
"score": 7.5,
"target": ""
},
{
"vulnerabilityID": "CVE-2022-27664",
"resource": "golang.org/x/net",
"installedVersion": "v0.0.0-20220722155237-a1 58d28d115b",
"fixedVersion": "0.0.0-20220906165146-f3363e06e74c",
"severity": "HIGH",
"title": "title2",
"primaryLink": "https://avd.aquasec.com/nvd/cve-2022-27664",
"links": [],
"score": 7.5,
"target": ""
}
]
}
you may use this website https://play.openpolicyagent.org/ in order to test the above json with your code. Bare in mind that vuln reports are maps , so you need you to use bash some loop
I just wrote some template only for Vuln reports, you may improve it and add the code from the current template
package postee.trivyoperator.slack
tpl :=`
<p> Severity: %s </p>
<p> vulnerabilityID: %s </p>
<p> primaryLink: %s </p>
`
vulnIDs := vulnIdResult {
var := [ scan |
item1:=input.vulnerabilities[i].vulnerabilityID
scan:=item1
]
vulnIdResult:= concat("n", (var))
}
svrt := svrtResult {
var := [ scan |
item1:=input.vulnerabilities[i].severity
scan:=item1
]
svrtResult:= concat("\n", (var))
}
link := linkResult {
var := [ scan |
item1:=input.vulnerabilities[i].primaryLink
scan:=item1
]
linkResult:= concat("\n", (var))
}
result:= res {
res:= sprintf(tpl, [
svrt,
vulnIDs,
link
])
}
Hey. @grglzrv do I have to make a new rego file so I just use the postee.trivyoperator.slack file
hey @grglzrv these are the things that you wanted
Not exactly cuz you need to separate the both vuln reports 0: and 1: . You need make list for - vuln id, installed versio, fixed versio, severity etc then you need to use some loop function in rego language
Okya I understand the separation 0 and 1 index but I don't understand where we need the loop function
input.vulnerabilities[i].severity - its a current situation
I mean vulnList: = [ severity, vulnerabilityID, etc.] some j in vulnList
input.vulnerabilities[i].[j]
Then you need to loop them into the result:= as well
Sorry for replying this late
vulnList := [VulnerabilityID,installedVersion,fixedVersion, title, primaryLink,severity]
vuln = result{
some i in vulnList
result = input.vulnerabilites[i].[j]
}
I tried like this but it is show error in in part of the loop.
@souravsk - can you share the link to your rego playground so we can help you better?
is there any example of this type of rego file I just learn the basics of the rego language for this issue that's why I'm having head time understanding how this works. if this was in another language then I would have done it. so if you have any rego file where function and array are used then I can understand better.
is there any example of this type of rego file I just learn the basics of the rego language for this issue that's why I'm having head time understanding how this works. if this was in another language then I would have done it. so if you have any rego file where function and array are used then I can understand better.
Take a look at some examples in the Postee repo. I recall there are some usages of loops.