

AnchoreCTL Policies: Additional checks for severity in description (#…
…11269)

* change severity and active

* Include UNKNOWN option

* status, not gate

* And add unittest

* newline
hblankenship authored Nov 22, 2024
1 parent 1111ff6 commit 7dfc46c
Showing 3 changed files with 57 additions and 5 deletions.
29 changes: 24 additions & 5 deletions dojo/tools/anchorectl_policies/parser.py
Expand Up @@ -40,7 +40,7 @@ def get_findings(self, filename, test):
image_name = result["tag"]
trigger_id = result["triggerId"]
repo, tag = image_name.split(":", 2)
severity = map_gate_action_to_severity(status)
severity, active = get_severity(status, description)
vulnerability_id = extract_vulnerability_id(trigger_id)
title = (
policy_id
Expand All @@ -54,6 +54,7 @@ def get_findings(self, filename, test):
test=test,
description=description,
severity=severity,
active=active,
references=f"Policy ID: {policy_id}\nTrigger ID: {trigger_id}",
file_path=search_filepath(description),
component_name=repo,
Expand All @@ -77,14 +78,32 @@ def get_findings(self, filename, test):
return items


def map_gate_action_to_severity(gate):
def map_gate_action_to_severity(status):
gate_action_to_severity = {
"stop": "Critical",
"warn": "Medium",
}
if gate in gate_action_to_severity:
return gate_action_to_severity[gate]
return "Low"
if status in gate_action_to_severity:
return gate_action_to_severity[status], True

return "Low", True


def get_severity(status, description):
parsed_severity = description.split()[0]
valid_severities = ["LOW", "INFO", "UNKNOWN", "CRITICAL", "MEDIUM"]
if parsed_severity in valid_severities:
severity = "Info"
if parsed_severity == "UNKNOWN":
severity = "Info"
elif status != "go":
severity = parsed_severity.lower().capitalize()

active = False if status == "go" else True

return severity, active

return map_gate_action_to_severity(status)


def policy_name(policies, policy_id):
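Review bot: `parsed_severity = description.split()[0]` in get_severity raises IndexError on an empty or whitespace-only description, and description comes straight from the scan file the parser is fed, so one malformed entry aborts the whole import; guard it with `tokens = description.split()` and `parsed_severity = tokens[0] if tokens else ""` so such a finding falls through to the status-based mapping instead. The valid_severities list also omits "HIGH", so a description beginning with HIGH is silently rated from the gate status (Medium for warn) rather than kept as High — if that is not intended, add it to the list. `active = False if status == "go" else True` reads more directly as `active = status != "go"`. Since map_gate_action_to_severity now returns a (severity, active) tuple rather than a string, a one-line docstring stating that return shape would help callers that still read the name literally.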
@@ -0,0 +1,23 @@
[
{
"detail": [
{
"description": "CRITICAL User root found as effective user, which is not on the allowed list",
"gate": "dockerfile",
"imageId": "d26f0119b9634091a541b081dd8bdca435ab52e114e4b4328575c0bc2c69768b",
"policyId": "RootUser",
"status": "warn",
"tag": "test/testimage:testtag",
"triggerId": "b2605c2ddbdb02b8e2365c9248dada5a",
"triggerName": "effective_user"
}
],
"digest": "sha256:8htz0bf942cfcd6hg8cf6435afd318b65d23e4c1a80044304c6e3ed20",
"finalAction": "stop",
"finalActionReason": "policy_evaluation",
"lastEvaluation": "2022-09-20T08:25:52Z",
"policyId": "9e104ade-7b57-4cdc-93fb-4949bf3b36b6",
"status": "fail",
"tag": "test/testimage:testtag"
}
]
10 changes: 10 additions & 0 deletions unittests/tools/test_anchorectl_policies_parser.py
Expand Up @@ -25,3 +25,13 @@ def test_anchore_engine_parser_has_many_findings(self):
parser = AnchoreCTLPoliciesParser()
findings = parser.get_findings(testfile, Test())
self.assertEqual(3, len(findings))

def test_anchore_engine_parser_has_one_finding_and_description_has_severity(self):
with open("unittests/scans/anchorectl_policies/one_violation_description_severity.json", encoding="utf-8") as testfile:
parser = AnchoreCTLPoliciesParser()
findings = parser.get_findings(testfile, Test())
self.assertEqual(1, len(findings))
singleFinding = findings[0]
self.assertEqual(singleFinding.severity, "Critical")
self.assertEqual(singleFinding.title, "RootUser - gate|dockerfile - trigger|b2605c2ddbdb02b8e2365c9248dada5a")
self.assertEqual(singleFinding.description, "CRITICAL User root found as effective user, which is not on the allowed list")
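Review bot: The new test pins severity, title and description but not `active`, which is the other value this commit starts deriving from the gate status; with status "warn" in the fixture, add `self.assertTrue(singleFinding.active)` so a regression in get_severity's active handling is caught. A second fixture whose status is "go" would cover the branch that sets active to False and severity to "Info", which no test in this diff exercises as far as the visible hunks show.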
