
AnchoreCTL Policies: Additional checks for severity in description #11269

Merged
merged 5 commits into from
Nov 22, 2024

Conversation

hblankenship (Collaborator)

@hblankenship hblankenship commented Nov 15, 2024

[sc-1018]

Modified the way severity is used in the anchorectl_policies parser. Now, if the description contains the severity as the first word, it will use that. Otherwise, it drops back to using the status to determine severity.

Finally, in the case of the 'go' status, severity is set to Low by default.


dryrunsecurity bot commented Nov 15, 2024

DryRun Security Summary

The pull request focuses on improving the accuracy and reliability of the severity and active status determination for security findings identified by the Anchore Container Toolkit (AnchoreCTL) policies parser, including updating the get_findings function, modifying the map_gate_action_to_severity function, adding a new get_severity function, and adding a new test case to verify the parser's ability to handle a JSON file with a single finding where the severity level is included in the description.


Summary:

The changes in this pull request focus on improving the accuracy and reliability of the severity and active status determination for security findings identified by the Anchore Container Toolkit (AnchoreCTL) policies parser. The key changes include:

  1. Updating the get_findings function to use a new get_severity function to determine the severity and active status of the findings.
  2. Modifying the map_gate_action_to_severity function to return a tuple of severity and active status, instead of just the severity.
  3. Adding a new get_severity function to handle more complex severity determination logic, including parsing the severity from the description text and determining the active status based on the status value.
  4. Adding a new test case to verify the parser's ability to handle a JSON file with a single finding where the severity level is included in the description.

From an application security perspective, these changes are aimed at enhancing the security analysis capabilities of the application security engineering tool, which is a positive development. The improvements to the severity and active status determination will help security teams prioritize and address the most critical vulnerabilities.

Files Changed:

  1. dojo/tools/anchorectl_policies/parser.py: The changes in this file are focused on improving the accuracy and reliability of the severity and active status determination for the identified findings.
  2. unittests/tools/test_anchorectl_policies_parser.py: The changes in this file add a new test case to verify the parser's ability to handle a JSON file with a single finding where the severity level is included in the description.
  3. unittests/scans/anchorectl_policies/one_violation_description_severity.json: This file has been added to the repository, and it contains a JSON object representing a policy violation detected during a scan of a Docker image. The details of the violation, such as the effective user, gate, image ID, policy ID, and status, are provided in the JSON object.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
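The severity rule described in the PR description above and in the DryRun summary (severity taken from the first word of the description when it is a recognised level, otherwise derived from the gate status, with a 'go' status defaulting to Low) written out as an added Python example. This is not DefectDojo's `dojo/tools/anchorectl_policies/parser.py` code; the fallback mapping for the 'stop' and 'warn' statuses, the rule that a 'go' finding is inactive, the JSON field names and the sample scan data are all assumptions made for the example.

```python
"""Added example: severity and active-state resolution for AnchoreCTL policy
findings, following the behaviour described in the PR. Not DefectDojo's code."""
import json

# Severity labels the example recognises at the start of a description.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")

# Assumed fallback from gate status to severity. The PR only states that a
# 'go' status defaults to Low; the 'stop' and 'warn' values are assumptions.
STATUS_TO_SEVERITY = {"stop": "High", "warn": "Medium", "go": "Low"}


def get_severity(description: str, status: str) -> tuple[str, bool]:
    """Return (severity, active) for one finding.

    The first word of the description wins when it is a known severity
    (case-insensitive, trailing punctuation such as ':' ignored). Otherwise
    the gate status decides; unknown statuses fall back to Low.
    """
    words = description.strip().split(maxsplit=1)
    first = words[0].strip(":.,").capitalize() if words else ""
    if first in SEVERITIES:
        severity = first
    else:
        severity = STATUS_TO_SEVERITY.get(status.lower(), "Low")
    # Assumption: a 'go' gate result means the policy passed, so the finding
    # is recorded as inactive; any other status leaves it active.
    active = status.lower() != "go"
    return severity, active


def get_findings(raw_json: str) -> list[dict]:
    """Parse an AnchoreCTL policy evaluation (assumed field names) into
    findings carrying the resolved severity and active flag."""
    findings = []
    for violation in json.loads(raw_json):
        description = violation.get("description", "")
        status = violation.get("status", "")
        severity, active = get_severity(description, status)
        findings.append({
            "title": f"{violation.get('gate', 'unknown')}: {description[:60]}",
            "severity": severity,
            "active": active,
            "image_id": violation.get("image_id"),
            "policy_id": violation.get("policy_id"),
        })
    return findings


# Constructed sample scan output; image and policy ids are placeholders.
SAMPLE_SCAN = json.dumps([
    {"gate": "vulnerabilities", "status": "warn",
     "image_id": "sha256:EXAMPLE", "policy_id": "policy-EXAMPLE",
     "description": "HIGH: vulnerability found in package libexample (constructed)"},
    {"gate": "dockerfile", "status": "warn",
     "image_id": "sha256:EXAMPLE", "policy_id": "policy-EXAMPLE",
     "description": "Dockerfile directive 'HEALTHCHECK' not found (constructed)"},
    {"gate": "licenses", "status": "go",
     "image_id": "sha256:EXAMPLE", "policy_id": "policy-EXAMPLE",
     "description": "No violating licenses found (constructed)"},
])

if __name__ == "__main__":
    for finding in get_findings(SAMPLE_SCAN):
        print(finding["severity"], finding["active"], finding["title"])
```

The first sample finding shows the description override (status 'warn' would give Medium, but the leading "HIGH:" makes it High); the second shows the status fallback; the third shows the 'go' default to Low with the finding marked inactive.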

@Maffooch Maffooch changed the title Hb update severity anchore ctl AnchoreCTL Policies: Additional checks for severity in description Nov 15, 2024

@mtesauro mtesauro (Contributor) left a comment

Approved

@Maffooch Maffooch merged commit 7dfc46c into bugfix Nov 22, 2024
75 checks passed
@Maffooch Maffooch deleted the hb-update-severity-anchore-ctl branch November 22, 2024 05:25
5 participants