diff --git a/README.md b/README.md
index 64213161..dd1150ec 100644
--- a/README.md
+++ b/README.md
@@ -190,12 +190,12 @@ input: |
Details
-Key | Description | Possible Values | Example
---- | --- | --- | ---
-*aggregate-message-number*|Number of messages to aggregate into one message.| any integer value | 10
-*aggregate-message-timeout*|number of seconds, minutes, hours to aggregate|Maximum is 24 hours Xs or Xm or Xh | 1h
-*unique-message-props*|Optional. Comma separated list of properties which uniquely identifies an event message. If message with same property values is received more than once, consequitive messages will be ignored. | Array of properties that their value uniquely identifies a message | To avoid duplicate scanning messages you can use the following properties: ```unique-message-props: ["digest","image","registry", "vulnerability_summary.high", "vulnerability_summary.medium", "vulnerability_summary.low"]```
-*unique-message-timeout*|Optional. Used along with *unique-message-props*, has no effect if unique props are not specified. Number of seconds/minutes/hours/days before expiring of a message. Expired messages are removed from db. If option is empty message is never deleted | 1d
+Key | Description | Possible Values | Example
+--- |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| --- | ---
+*aggregate-message-number*| Number of messages to aggregate into one message. | any integer value | 10
+*aggregate-message-timeout*| number of seconds, minutes, hours to aggregate |Maximum is 24 hours Xs or Xm or Xh | 1h
+*unique-message-props*| Optional. Comma separated list of properties which uniquely identifies an event message. If message with same property values is received more than once, consecutive messages will be ignored. | Array of properties that their value uniquely identifies a message | To avoid duplicate scanning messages you can use the following properties: ```unique-message-props: ["digest","image","registry", "vulnerability_summary.high", "vulnerability_summary.medium", "vulnerability_summary.low"]```
+*unique-message-timeout*| Optional. Used along with *unique-message-props*, has no effect if unique props are not specified. Number of seconds/minutes/hours/days before expiring of a message. Expired messages are removed from db. If option is empty message is never deleted | 1d
### Templates
diff --git a/msgservice/testdata/all-in-one-image.json b/msgservice/testdata/all-in-one-image.json
index 3df3f1c7..206b7d37 100644
--- a/msgservice/testdata/all-in-one-image.json
+++ b/msgservice/testdata/all-in-one-image.json
@@ -599,7 +599,7 @@
},
{
"name": "CVE-2019-1551",
- "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+ "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to reuse the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"nvd_score": 5,
"nvd_score_version": "CVSS v2",
"nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -644,7 +644,7 @@
},
{
"name": "CVE-2020-1968",
- "description": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
+ "description": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation reuses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
"nvd_score": 4.3,
"nvd_score_version": "CVSS v2",
"nvd_vectors": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -792,7 +792,7 @@
},
{
"name": "CVE-2019-1551",
- "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+ "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to reuse the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
"nvd_score": 5,
"nvd_score_version": "CVSS v2",
"nvd_vectors": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -837,7 +837,7 @@
},
{
"name": "CVE-2020-1968",
- "description": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
+ "description": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation reuses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
"nvd_score": 4.3,
"nvd_score_version": "CVSS v2",
"nvd_vectors": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
diff --git a/rego-templates/vuls-html.rego b/rego-templates/vuls-html.rego
index ebd341aa..3def45d8 100644
--- a/rego-templates/vuls-html.rego
+++ b/rego-templates/vuls-html.rego
@@ -7,7 +7,7 @@ import data.postee.with_default
################################################ Templates ################################################
#main template to render message
tpl:=`
-Image name: %s
+%s name: %s
Registry: %s
%s
%s
@@ -164,17 +164,24 @@ vln_list(severity) = vlnrb {
postee := with_default(input, "postee", {})
aqua_server := with_default(postee, "AquaServer", "")
-title = sprintf("%s vulnerability scan report", [input.image])
+report_type := "Function" if{
+ input.entity_type == 1
+} else = "VM" if{
+ input.entity_type == 2
+} else = "Image"
+
+title = sprintf(`Aqua security | %s | %s | Scan report`, [report_type, input.image])
aggregation_pkg := "postee.vuls.html.aggregation"
result = msg {
msg := sprintf(tpl, [
+ report_type,
input.image,
input.registry,
by_flag(
- "Image is non-compliant",
- "Image is compliant",
+ sprintf("%s is non-compliant", [report_type]),
+ sprintf("%s is compliant", [report_type]),
with_default(input.image_assurance_results, "disallowed", false)
),
by_flag(
diff --git a/rego-templates/vuls-jira.rego b/rego-templates/vuls-jira.rego
index d139405a..a92851e7 100644
--- a/rego-templates/vuls-jira.rego
+++ b/rego-templates/vuls-jira.rego
@@ -5,11 +5,16 @@ import data.postee.with_default
import data.postee.flat_array #converts [[{...},{...}], [{...},{...}]] to [{...},{...},{...},{...}]
import data.postee.array_concat
-title = sprintf("%s vulnerability scan report", [input.image])
+report_type := "Function" if{
+ input.entity_type == 1
+} else = "VM" if{
+ input.entity_type == 2
+} else = "Image"
+title = sprintf(`Aqua security | %s | %s | Scan report`, [report_type, input.image])
tpl:=`
-*Image name:* %s
+*%s name:* %s
*Registry:* %s
%s
%s
@@ -42,11 +47,12 @@ assurance_controls(inp) = l {
result = msg {
msg := sprintf(tpl, [
+ report_type,
input.image,
input.registry,
by_flag(
- "Image is _*non-compliant*_",
- "Image is _*compliant*_",
+ sprintf("%s is _*non-compliant*_", [report_type]),
+ sprintf("%s is _*compliant*_", [report_type]),
with_default(input.image_assurance_results, "disallowed", false)
),
by_flag(
diff --git a/rego-templates/vuls-servicenow.rego b/rego-templates/vuls-servicenow.rego
index c005d5b2..d8a54a69 100644
--- a/rego-templates/vuls-servicenow.rego
+++ b/rego-templates/vuls-servicenow.rego
@@ -194,11 +194,11 @@ postee := with_default(input, "postee", {})
aqua_server := with_default(postee, "AquaServer", "")
server_url := trim_suffix(aqua_server, "images/")
-report_type := "function" if{
+report_type := "Function" if{
input.entity_type == 1
-} else = "vm" if{
+} else = "VM" if{
input.entity_type == 2
-} else = "image"
+} else = "Image"
title = sprintf(`Aqua security | %s | %s | Scan report`, [report_type, input.image])
@@ -207,15 +207,15 @@ title = sprintf(`Aqua security | %s | %s | Scan report`, [report_type, input.ima
## vm: /#/infrastructure//node
## image: /#/image//
href := sprintf("%s%s/%s/%s", [server_url, "functions", urlquery.encode(input.registry), urlquery.encode(input.image)]) if{
- report_type == "function"
+ report_type == "Function"
} else = sprintf("%s%s/%s/%s", [server_url, "infrastructure", urlquery.encode(input.image), "node"]){
- report_type == "vm"
+ report_type == "VM"
} else = sprintf("%s%s/%s/%s", [server_url, "image", urlquery.encode(input.registry), urlquery.encode(input.image)])
text := sprintf("%s%s/%s/%s", [server_url, "functions", input.registry, input.image]) if{
- report_type == "function"
+ report_type == "Function"
} else = sprintf("%s%s/%s/%s", [server_url, "infrastructure", input.image, "node"]) {
- report_type == "vm"
+ report_type == "VM"
} else = sprintf("%s%s/%s/%s", [server_url, report_type, input.registry, input.image])
url := by_flag("", href, server_url == "")
@@ -269,9 +269,9 @@ result = msg {
result_date = input.scan_started.seconds
result_category = "Serverless functions Scanning" if {
- report_type == "function"
+ report_type == "Function"
}else = "Security - VM Scan results" if {
- report_type == "vm"
+ report_type == "VM"
}else = "Security Image Scan results"
result_subcategory = "Security incident"
diff --git a/rego-templates/vuls-slack.rego b/rego-templates/vuls-slack.rego
index 15d841a7..ec5b1b7c 100644
--- a/rego-templates/vuls-slack.rego
+++ b/rego-templates/vuls-slack.rego
@@ -117,7 +117,13 @@ got_vulns(vulnsAll) = [] { #do not render section if provided collection is empt
}
###########################################################################################################
-title = sprintf("%s vulnerability scan report", [input.image]) # title is string
+report_type := "Function" if{
+ input.entity_type == 1
+} else = "VM" if{
+ input.entity_type == 2
+} else = "Image"
+
+title = sprintf(`Aqua security | %s | %s | Scan report`, [report_type, input.image])
aggregation_pkg := "postee.vuls.slack.aggregation"
@@ -142,11 +148,11 @@ result = res {
])
- headers1 := [{"type":"section","text":{"type":"mrkdwn","text":sprintf("Image name: %s", [input.image])}},
+ headers1 := [{"type":"section","text":{"type":"mrkdwn","text":sprintf("%s name: %s", [report_type ,input.image])}},
{"type":"section","text":{"type":"mrkdwn","text":sprintf("Registry: %s", [input.registry])}},
{"type":"section","text":{"type":"mrkdwn","text": by_flag(
- "Image is non-compliant",
- "Image is compliant",
+ sprintf("%s is non-compliant", [report_type]),
+ sprintf("%s is compliant", [report_type]),
with_default(input.image_assurance_results, "disallowed", false)
)}},
{"type":"section","text":{"type":"mrkdwn","text": by_flag(