
🔨 rework kubescape parser #11229

Merged
merged 13 commits into from
Nov 16, 2024

Conversation

manuel-sommer
Contributor

Fix multiple Kubescape parser issues:

@manuel-sommer manuel-sommer marked this pull request as draft November 10, 2024 22:24
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR parser labels Nov 10, 2024

dryrunsecurity bot commented Nov 10, 2024

DryRun Security Summary

The pull request covers various updates to the DefectDojo application, including improvements to the Kubescape parser, security-related enhancements to the settings configuration, and associated unit test updates, all aimed at enhancing the security and functionality of the application.


Summary:

The code changes in this pull request cover various aspects of the DefectDojo application, including updates to the Kubescape parser, the settings configuration, and the associated unit tests. The changes aim to enhance the security and functionality of the application.

The key highlights from the changes are:

  1. Kubescape Parser Improvements: The changes to the Kubescape parser enhance the parsing and reporting of findings, including handling failed rules, providing more detailed information in the finding descriptions, and associating control IDs with the findings. These improvements help security teams better understand and address the identified security issues in their Kubernetes environments.

  2. Settings Configuration Updates: The changes to the settings.dist.py file introduce several security-related enhancements, such as adding new vulnerability URLs, improving the deduplication configuration, customizing the hashcode computation, and restricting file upload types. These changes help strengthen the overall security posture of the DefectDojo application.

  3. Unit Test Updates: The changes to the Kubescape parser unit tests update the expected number of findings in a specific test case. While this change does not directly impact the security of the application, it is important to review the reasoning behind the change and ensure that it does not result in any unintended consequences or missed security vulnerabilities.

Overall, the code changes in this pull request appear to be focused on improving the security, usability, and configurability of the DefectDojo application, which is an important tool for vulnerability management and application security.

Files Changed:

  1. dojo/templatetags/display_tags.py: The change adds a new vulnerability ID prefix "C-" to the list of accepted vulnerability ID prefixes in the vulnerability_url function, which is used to generate links to external vulnerability databases.
  2. dojo/settings/.settings.dist.py.sha256sum: The change updates the SHA-256 checksum of the settings.dist.py configuration file, which is a common practice to ensure the integrity of the configuration file.
  3. dojo/tools/kubescape/parser.py: The changes enhance the Kubescape parser by improving the parsing and reporting of findings, including handling failed rules, providing more detailed information in the finding descriptions, and associating control IDs with the findings.
  4. unittests/tools/test_kubescape_parser.py: The changes update the expected number of findings in a specific test case for the KubescapeParser class.
  5. dojo/settings/settings.dist.py: The changes introduce several security-related enhancements to the settings configuration, such as adding new vulnerability URLs, improving the deduplication configuration, customizing the hashcode computation, and restricting file upload types.

Code Analysis

We ran 9 analyzers against 5 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Configured Codepaths Analyzer, 2 findings.

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

@manuel-sommer manuel-sommer marked this pull request as ready for review November 11, 2024 07:14
@manuel-sommer manuel-sommer marked this pull request as draft November 11, 2024 07:14
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@manuel-sommer manuel-sommer marked this pull request as ready for review November 12, 2024 20:10
@github-actions github-actions bot added the ui label Nov 12, 2024
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

@mtesauro mtesauro left a comment


Approved

Contributor

@cneill cneill left a comment


Adding a link for the C- prefix is fine, but the link should still be included in references.

@@ -1744,6 +1744,7 @@ def saml2_attrib_map_format(dict):
"ELSA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELSA-2024-12714.html
"ELBA": "https://linux.oracle.com/errata/&&.html", # e.g. https://linux.oracle.com/errata/ELBA-2024-7457.html
"RXSA": "https://errata.rockylinux.org/", # e.g. https://errata.rockylinux.org/RXSA-2024:4928
"C-": "https://hub.armosec.io/docs/", # e.g. https://hub.armosec.io/docs/c-0085
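Review bot: the new "C-" entry carries no "&&" placeholder, so, like the RXSA line above it, the ID is appended verbatim to "https://hub.armosec.io/docs/", yet the inline example shows a lowercase slug (c-0085); confirm that vulnerability_url lowercases the ID for this prefix or that the hub also resolves "C-0085", otherwise the generated link may not resolve. "C-" is also the shortest prefix in this table, so the comment should state that it is reserved for Kubescape/ARMO control IDs, to avoid mis-linking any other importer that later emits IDs beginning with "C-".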
Contributor


It seems somewhat unlikely that a C- prefix will be completely unique to ARMO... We may need to think in the future about how to better categorize different vulnerability IDs. It's getting increasingly convoluted to handle all these different patterns in this way with display tags.

No action needed on this PR, mostly leaving this as a note for myself and to get others' feedback.

Contributor Author


Yeah, you are right. This C- prefix is used to not mix C with CVE.
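The prefix lookup the reviewers are discussing, as an added example that is not DefectDojo's own vulnerability_url implementation: a constructed prefix table in the style of the settings hunk (the "&&" substitution convention is inferred from the ELSA/ELBA entries; entries without "&&" get the ID appended, as the RXSA and C- examples suggest). It matches the longest prefix first so a short prefix such as "C-" cannot shadow a longer one, validates the scanner-supplied ID before it is placed in a link, lowercases the ARMO slug as the hunk's example URL does, and appends the link to a finding's references text as cneill asked. The function names, the lowercase rule and the NVD entry are assumptions.

```python
import re

# Constructed table in the style of the settings hunk (assumption, not the
# project's actual configuration).  "&&" marks where the full ID is
# substituted; entries without "&&" get the ID appended.
VULNERABILITY_URLS = {
    "CVE": "https://nvd.nist.gov/vuln/detail/",
    "ELSA": "https://linux.oracle.com/errata/&&.html",
    "RXSA": "https://errata.rockylinux.org/",
    "C-": "https://hub.armosec.io/docs/",
}

# Scanner output ends up inside an href, so only accept a conservative
# character set before building a link from it.
_SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9:._-]*")


def vulnerability_url(vuln_id, table=VULNERABILITY_URLS):
    """Return the external link for vuln_id, or None if it is malformed or
    no configured prefix matches."""
    vuln_id = vuln_id.strip()
    if not _SAFE_ID.fullmatch(vuln_id):
        return None
    # Longest prefix first: "C-" must never win over a longer prefix that
    # also happens to start with "C-".
    for prefix in sorted(table, key=len, reverse=True):
        if vuln_id.upper().startswith(prefix.upper()):
            base = table[prefix]
            if "&&" in base:
                return base.replace("&&", vuln_id)
            # Assumption: ARMO hub slugs are lowercase, as in the hunk's
            # example https://hub.armosec.io/docs/c-0085.
            if prefix == "C-":
                return base + vuln_id.lower()
            return base + vuln_id
    return None


def build_references(control_id, existing=""):
    """Append the control's link to a finding's references text so the link
    survives even where the display tag does not render it."""
    url = vulnerability_url(control_id)
    if url is None:
        return existing
    line = f"{control_id}: {url}"
    return line if not existing else existing.rstrip("\n") + "\n" + line


if __name__ == "__main__":
    for vid in ("C-0085", "ELSA-2024-12714", "RXSA-2024:4928", "GHSA-unknown"):
        print(vid, "->", vulnerability_url(vid))
    print(build_references("C-0085", "see runbook\n"))
```

Because the ID is validated rather than URL-encoded, anything outside the expected character set (for example markup injected into a scanner report) yields no link at all instead of a partially escaped one.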

@manuel-sommer manuel-sommer requested a review from cneill November 15, 2024 06:58
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch Maffooch merged commit 5168154 into DefectDojo:bugfix Nov 16, 2024
72 of 73 checks passed
Labels
parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR ui unittests
5 participants