
[Question] What parameters do you run this operator? #85

Closed
iamhalje opened this issue Nov 22, 2024 · 8 comments
Labels
question Further information is requested

Comments

@iamhalje commented Nov 22, 2024

Question

If a single instance of the operator is running, it is assumed that we will send the required data from the entire cluster to DefectDojo. Once a vulnerability is resolved, we will not delete the product and replace it with a new data scope. Instead, we need to change the default parameters to:

defectDojoCloseOldFindings: true
defectDojoDoNotReactivate: false (?)

[screenshot]

However, in my case, all vulnerabilities are being closed, not just those specific to the service. This is how it looks. Maybe I’m doing something wrong, but I can’t pinpoint it. Could you please advise which parameters you use and in what scenarios for this operator?

I would also like to separately ask for help from @manuel-sommer. I often see your changes related to Trivy in DefectDojo. Perhaps you’ve encountered this issue before?

iamhalje added the label "question" (Further information is requested) on Nov 22, 2024

@manuel-sommer (Contributor)

Hi @iamhalje, at the moment I am in a test phase and noticed multiple ways to improve the Trivy operator parser yet. I personally would try out defectDojoDoNotReactivate: true to always go forward. This could also improve the performance. But I can't recommend parameters here yet.

@iamhalje (Author)

The main issue is that vulnerabilities that haven't been reported for a long time should be closed, but with the defectDojoCloseOldFindings parameter, all vulnerabilities are being closed, as shown in the screenshot, despite it stating "only the findings for this service will be closed."

I would also like to understand how to conveniently use it in this case. As far as I understand, this situation occurs because of re-importing, not because a new engagement is created for each request.

@iamhalje (Author)

And yes, I can retrieve all vulnerabilities with the default parameters, but to review which ones are currently active, I need to delete the product so it gets recreated and populated again. This is the situation I'm facing. I would like the flag for closing vulnerabilities to work as described.

Therefore, I think I might be doing something wrong on my side. If everything is working correctly for you and this issue doesn’t occur, please let me know.

@iamhalje commented Nov 23, 2024

[screenshot]

cert-manager/ReplicaSet/cert-manager-webhook-7d977f6f7

Only one appeared in these tests, but it's clear that all were eventually marked as mitigated, and after 1,646 re-imports, there were 0 vulnerabilities overall.

[screenshot]

That is, each new test closes all the others, even though each test has the service field specified. However, it seems that DefectDojo doesn't take this field into account.

[screenshot]
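To make the behaviour in dispute concrete, here is an added illustration (not code from DefectDojo or the operator) that models the two possible scopes of "close old findings" on a re-import: scoped to the service the new scan belongs to, which is what the documentation text quoted above promises, versus the whole product, which is what the screenshots show. The finding records, keys and the second service name are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Minimal stand-in for a DefectDojo finding (constructed, not the real model)."""
    key: str       # identity used for matching on re-import, e.g. "VULN-1|libssl"
    service: str   # workload the report came from (the operator fills the service field)
    active: bool = True


def close_old_findings(existing, report_keys, service, product_scope=False):
    """Return the keys of active findings a re-import would close.

    existing      : findings already stored for the product
    report_keys   : keys present in the freshly imported scan
    service       : service the new scan belongs to
    product_scope : False -> only findings of `service` are candidates (service scope,
                    the documented intent); True -> every finding in the product is a
                    candidate (the behaviour observed in the issue, where each new test
                    closes the findings of all other workloads)
    """
    to_close = []
    for f in existing:
        if not f.active:
            continue                       # already mitigated, nothing to do
        if not product_scope and f.service != service:
            continue                       # other workloads are out of scope
        if f.key not in report_keys:
            to_close.append(f.key)         # no longer reported -> close it
    return sorted(to_close)


# Constructed sample data: two workloads reporting into one product.
SVC_CM = "cert-manager/ReplicaSet/cert-manager-webhook-7d977f6f7"   # from the issue
SVC_KP = "kube-system/DaemonSet/kube-proxy"                         # constructed
EXISTING = [
    Finding("VULN-1|libssl", SVC_CM),
    Finding("VULN-2|glibc", SVC_CM),
    Finding("VULN-3|busybox", SVC_KP),
]


def demo():
    """Re-import a cert-manager scan that now only reports VULN-1."""
    report = {"VULN-1|libssl"}
    return (close_old_findings(EXISTING, report, SVC_CM, product_scope=False),
            close_old_findings(EXISTING, report, SVC_CM, product_scope=True))
```

With service scope only VULN-2 is closed; with product scope the kube-proxy finding is closed as well, even though that workload was never part of the scan.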

@manuel-sommer (Contributor)

> The main issue is that vulnerabilities that haven't been reported for a long time should be closed, but with the defectDojoCloseOldFindings parameter, all vulnerabilities are being closed, as shown in the screenshot, despite it stating "only the findings for this service will be closed."
>
> I would also like to understand how to conveniently use it in this case. As far as I understand, this situation occurs because of re-importing, not because a new engagement is created for each request.

From my point of view this is rather a DefectDojo bug than a Trivy-dojo-report-operator bug. I guess you should ask in the DefectDojo slack channel for help as from my understanding you are doing / understanding something wrong:
https://support.defectdojo.com/en/articles/9424972-avoiding-duplicates-reimport-recurring-tests#h_15091c1779

I am unsubscribing here.

@rndmh3ro (Collaborator)

Yes, I don't think we can do anything here on the operator side as we're basically just using the API as-is. The same would happen if you would feed the data directly into Dojo.

@iamhalje (Author)

Understood, thanks. I was just thinking that maybe you use it the same way and don't have this problem.

@iamhalje (Author)

Here will be a continuation:

DefectDojo/django-DefectDojo#11320
