devsecops-engine-tools 1.11.2__tar.gz → 1.16.0__tar.gz

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: devsecops-engine-tools
-Version: 1.11.2
+Version: 1.16.0
 Summary: Tool for DevSecOps strategy
 Home-page: https://github.com/bancolombia/devsecops-engine-tools
 Author: Bancolombia DevSecOps Team
@@ -67,7 +67,7 @@ pip3 install devsecops-engine-tools
 ### Scan running - flags (CLI)
 
 ```bash
-devsecops-engine-tools --platform_devops ["local","azure","github"] --remote_config_repo ["remote_config_repo"] --tool ["engine_iac", "engine_dast", "engine_secret", "engine_dependencies", "engine_container", "engine_risk", "engine_code"] --folder_path ["Folder path scan engine_iac, engine_code and engine_dependencies"] --platform ["k8s","cloudformation","docker", "openapi"] --use_secrets_manager ["false", "true"] --use_vulnerability_management ["false", "true"] --send_metrics ["false", "true"] --token_cmdb ["token_cmdb"] --token_vulnerability_management ["token_vulnerability_management"] --token_engine_container ["token_engine_container"] --token_engine_dependencies ["token_engine_dependencies"] --token_external_checks ["token_external_checks"] --xray_mode ["scan", "audit"] --image_to_scan ["image_to_scan"]
+devsecops-engine-tools --platform_devops ["local","azure","github"] --remote_config_repo ["remote_config_repo"] --tool ["engine_iac", "engine_dast", "engine_secret", "engine_dependencies", "engine_container", "engine_risk", "engine_code"] --folder_path ["Folder path scan engine_iac, engine_code and engine_dependencies"] --platform ["k8s","cloudformation","docker", "openapi", "terraform"] --use_secrets_manager ["false", "true"] --use_vulnerability_management ["false", "true"] --send_metrics ["false", "true"] --token_cmdb ["token_cmdb"] --token_vulnerability_management ["token_vulnerability_management"] --token_engine_container ["token_engine_container"] --token_engine_dependencies ["token_engine_dependencies"] --token_external_checks ["token_external_checks"] --xray_mode ["scan", "audit"] --image_to_scan ["image_to_scan"]
 ```
 
 ### Structure Remote Config

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/applications/runner_engine_core.py

@@ -97,7 +97,7 @@ def get_inputs_from_cli(args):
     parser.add_argument(
         "-p",
         "--platform",
-        type=parse_choices({"all", "docker", "k8s", "cloudformation", "openapi"}),
+        type=parse_choices({"all", "docker", "k8s", "cloudformation", "openapi", "terraform"}),
         required=False,
         default="all",
         help="Platform to scan, only apply engine_iac tool",
@@ -144,7 +144,7 @@ def get_inputs_from_cli(args):
     parser.add_argument(
         "--token_external_checks",
         required=False,
-        help="Token for downloading external checks from engine_iac if is necessary. Ej: github:token, ssh:privatekey:pass",
+        help="Token for downloading external checks from engine_iac or engine_secret if is necessary. Ej: github:token, ssh:privatekey:pass",
     )
     parser.add_argument(
         "--xray_mode",

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/domain/model/exclusions.py

@@ -5,10 +5,10 @@ from dataclasses import dataclass
 class Exclusions:
     def __init__(self, **kwargs):
         self.id = kwargs.get("id", "")
-        self.where = kwargs.get("where", "")
+        self.where = kwargs.get("where", "all")
         self.cve_id = kwargs.get("cve_id", "")
         self.create_date = kwargs.get("create_date", "")
         self.expired_date = kwargs.get("expired_date", "")
         self.severity = kwargs.get("severity", "")
         self.hu = kwargs.get("hu", "")
-        self.reason = kwargs.get("reason", "Risk acceptance")
+        self.reason = kwargs.get("reason", "Risk Accepted")

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/domain/model/gateway/vulnerability_management_gateway.py

@@ -1,7 +1,7 @@
 from abc import ABCMeta, abstractmethod
 
 from devsecops_engine_tools.engine_core.src.domain.model.vulnerability_management import VulnerabilityManagement
-
+from devsecops_engine_tools.engine_core.src.domain.model.gateway.devops_platform_gateway import DevopsPlatformGateway
 
 class VulnerabilityManagementGateway(metaclass=ABCMeta):
     @abstractmethod
@@ -10,6 +10,10 @@ class VulnerabilityManagementGateway(metaclass=ABCMeta):
     ):
         "send_vulnerability_management"
 
+    @abstractmethod
+    def get_product_type_service(self, service, dict_args, secret_tool, config_tool):
+        "get_product_type_service"
+
     @abstractmethod
     def get_findings_excepted(
         self, service, dict_args, secret_tool, config_tool

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/domain/model/report.py

@@ -31,4 +31,6 @@ class Report:
         self.component_name = kwargs.get("component_name", "")
         self.component_version = kwargs.get("component_version", "")
         self.file_path = kwargs.get("file_path", "")
-        self.endpoints = kwargs.get("endpoints", "")
+        self.endpoints = kwargs.get("endpoints", "")
+        self.unique_id_from_tool = kwargs.get("unique_id_from_tool", "")
+        self.out_of_scope = kwargs.get("out_of_scope", "")

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/domain/model/threshold.py

@@ -4,13 +4,10 @@ from devsecops_engine_tools.engine_core.src.domain.model.level_vulnerability imp
 from devsecops_engine_tools.engine_core.src.domain.model.level_compliance import (
     LevelCompliance,
 )
-from devsecops_engine_tools.engine_core.src.domain.model.custom_level_vulnerability import (
-    CustomLevelVulnerability,
-)
 
 class Threshold:
     def __init__(self, data):
         self.vulnerability = LevelVulnerability(data.get("VULNERABILITY"))
         self.compliance = LevelCompliance(data.get("COMPLIANCE"))
         self.cve = data.get("CVE",[])
-        self.custom_vulnerability = CustomLevelVulnerability(data.get("CUSTOM_VULNERABILITY")) if data.get("CUSTOM_VULNERABILITY") else None
+        self.quality_vulnerability_management = data.get("QUALITY_VULNERABILITY_MANAGEMENT") if data.get("QUALITY_VULNERABILITY_MANAGEMENT") else None

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/domain/usecases/break_build.py

@@ -67,9 +67,6 @@ class BreakBuild:
             "compliances": {},
         }
 
-        if threshold.custom_vulnerability and bool(re.match(threshold.custom_vulnerability.pattern_apps, input_core.scope_pipeline, re.IGNORECASE)):
-            threshold.vulnerability = threshold.custom_vulnerability.vulnerability
-
         if len(findings_list) != 0:
             self._apply_policie_exception_new_vulnerability_industry(
                 findings_list, exclusions, args

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/domain/usecases/handle_risk.py

@@ -63,14 +63,23 @@ class HandleRisk:
         ]
         check_words_regex = risk_config["HANDLE_SERVICE_NAME"]["REGEX_CHECK_WORDS"]
         min_word_amount = risk_config["HANDLE_SERVICE_NAME"]["MIN_WORD_AMOUNT"]
+        endings = risk_config["HANDLE_SERVICE_NAME"]["CHECK_ENDING"]
+
         for engagement in engagements:
-            if service.lower() in engagement.name.lower():
+            if service.lower() == engagement.name.lower():
                 filtered_engagements += [engagement.name]
             elif re.search(check_words_regex, engagement.name.lower()) and (
                 sum(1 for word in words if word.lower() in engagement.name.lower())
                 >= min_word_amount
             ):
                 filtered_engagements += [engagement.name]
+            elif endings:
+                if any(
+                    (service.lower() + ending.lower() == engagement.name.lower())
+                    for ending in endings
+                ):
+                    filtered_engagements += [engagement.name]
+
         return filtered_engagements
 
     def _exclude_services(self, dict_args, pipeline_name, service_list):
@@ -82,28 +91,54 @@ class HandleRisk:
             and risk_exclusions[pipeline_name].get("SKIP_SERVICE", 0)
             and risk_exclusions[pipeline_name]["SKIP_SERVICE"].get("services", 0)
         ):
-            services_to_exclude = risk_exclusions[pipeline_name]["SKIP_SERVICE"].get(
-                "services", []
+            services_to_exclude = set(
+                risk_exclusions[pipeline_name]["SKIP_SERVICE"].get("services", [])
             )
-            service_excluded = []
-            for service in service_list:
-                if service in services_to_exclude:
-                    service_list.remove(service)
-                    service_excluded += [service]
+            service_set = set(service_list)
+
+            remaining_services = list(service_set - services_to_exclude)
+            service_excluded = list(service_set & services_to_exclude)
+
             print(f"Services to exclude: {service_excluded}")
             logger.info(f"Services to exclude: {service_excluded}")
+
+            return remaining_services
         return service_list
 
-    def process(self, dict_args: any, remote_config: any):
-        secret_tool = None
-        if dict_args["use_secrets_manager"] == "true":
-            secret_tool = self.secrets_manager_gateway.get_secret(remote_config)
+    def _should_skip_analysis(self, remote_config, pipeline_name, exclusions):
+        ignore_pattern = remote_config["IGNORE_ANALYSIS_PATTERN"]
+        return re.match(ignore_pattern, pipeline_name, re.IGNORECASE) or (
+            pipeline_name in exclusions
+            and exclusions[pipeline_name].get("SKIP_TOOL", 0)
+        )
 
+    def process(self, dict_args: any, remote_config: any):
         risk_config = self.devops_platform_gateway.get_remote_config(
             dict_args["remote_config_repo"], "engine_risk/ConfigTool.json"
         )
-
+        risk_exclusions = self.devops_platform_gateway.get_remote_config(
+            dict_args["remote_config_repo"], "engine_risk/Exclusions.json"
+        )
         pipeline_name = self.devops_platform_gateway.get_variable("pipeline_name")
+
+        input_core = InputCore(
+            [],
+            {},
+            "",
+            "",
+            pipeline_name,
+            self.devops_platform_gateway.get_variable("stage").capitalize(),
+        )
+
+        if self._should_skip_analysis(risk_config, pipeline_name, risk_exclusions):
+            print("Tool skipped by DevSecOps Policy.")
+            logger.info("Tool skipped by DevSecOps Policy.")
+            return [], input_core
+
+        secret_tool = None
+        if dict_args["use_secrets_manager"] == "true":
+            secret_tool = self.secrets_manager_gateway.get_secret(remote_config)
+
         service = pipeline_name
         service_list = []
 
@@ -111,9 +146,7 @@ class HandleRisk:
             service = next(
                 (
                     pipeline_name.replace(ending, "")
-                    for ending in risk_config["HANDLE_SERVICE_NAME"][
-                        "ERASE_SERVICE_ENDING"
-                    ]
+                    for ending in risk_config["HANDLE_SERVICE_NAME"]["CHECK_ENDING"]
                     if pipeline_name.endswith(ending)
                 ),
                 pipeline_name,
@@ -164,15 +197,9 @@ class HandleRisk:
             dict_args,
             findings,
             exclusions,
+            new_service_list,
             self.devops_platform_gateway,
             self.print_table_gateway,
         )
-        input_core = InputCore(
-            [],
-            {},
-            "",
-            "",
-            pipeline_name,
-            self.devops_platform_gateway.get_variable("stage").capitalize(),
-        )
+
         return result, input_core

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/domain/usecases/handle_scan.py

@@ -19,6 +19,10 @@ from devsecops_engine_tools.engine_core.src.domain.model.gateway.devops_platform
 from devsecops_engine_tools.engine_core.src.domain.model.vulnerability_management import (
     VulnerabilityManagement,
 )
+from devsecops_engine_tools.engine_core.src.domain.model.input_core import InputCore
+from devsecops_engine_tools.engine_core.src.domain.model.level_vulnerability import (
+    LevelVulnerability,
+)
 from devsecops_engine_tools.engine_core.src.domain.model.customs_exceptions import (
     ExceptionVulnerabilityManagement,
     ExceptionFindingsExcepted,
@@ -52,6 +56,37 @@ class HandleScan:
         self.secrets_manager_gateway = secrets_manager_gateway
         self.devops_platform_gateway = devops_platform_gateway
 
+    def _define_threshold_quality_vuln(
+        self, input_core: InputCore, dict_args, secret_tool, config_tool
+    ):
+        quality_vulnerability_management = (
+            input_core.threshold_defined.quality_vulnerability_management
+        )
+        if quality_vulnerability_management:
+            product_type = self.vulnerability_management.get_product_type_service(
+                input_core.scope_pipeline, dict_args, secret_tool, config_tool
+            )
+            if product_type:
+                pt_name = product_type.name
+                apply_qualitypt = next(
+                    filter(
+                        lambda qapt: pt_name in qapt,
+                        quality_vulnerability_management["PTS"],
+                    ),
+                    None,
+                )
+                if apply_qualitypt:
+                    pt_info = apply_qualitypt[pt_name]
+                    pt_profile = pt_info["PROFILE"]
+                    pt_apps = pt_info["APPS"]
+
+                    input_core.threshold_defined.vulnerability = (
+                        LevelVulnerability(quality_vulnerability_management[pt_profile])
+                        if pt_apps == "ALL"
+                        or any(map(lambda pd: pd in input_core.scope_pipeline, pt_apps))
+                        else input_core.threshold_defined.vulnerability
+                    )
+
     def _use_vulnerability_management(
         self, config_tool, input_core, dict_args, secret_tool, env
     ):
@@ -72,9 +107,14 @@ class HandleScan:
                     self.devops_platform_gateway.get_variable("build_id"),
                     self.devops_platform_gateway.get_variable("branch_tag"),
                     self.devops_platform_gateway.get_variable("commit_hash"),
-                    env
+                    env,
                 )
             )
+
+            self._define_threshold_quality_vuln(
+                input_core, dict_args, secret_tool, config_tool
+            )
+
         except ExceptionVulnerabilityManagement as ex1:
             logger.error(str(ex1))
         try:
@@ -92,23 +132,33 @@ class HandleScan:
     def process(self, dict_args: any, config_tool: any):
         secret_tool = None
         env = define_env(
-                    self.devops_platform_gateway.get_variable("environment"),
-                    self.devops_platform_gateway.get_variable("branch_name"),
-                )
+            self.devops_platform_gateway.get_variable("environment"),
+            self.devops_platform_gateway.get_variable("branch_name"),
+        )
         if dict_args["use_secrets_manager"] == "true":
             secret_tool = self.secrets_manager_gateway.get_secret(config_tool)
         if "engine_iac" in dict_args["tool"]:
             findings_list, input_core = runner_engine_iac(
-                dict_args, config_tool["ENGINE_IAC"]["TOOL"], secret_tool,self.devops_platform_gateway, env
+                dict_args,
+                config_tool["ENGINE_IAC"]["TOOL"],
+                secret_tool,
+                self.devops_platform_gateway,
+                env,
             )
-            if dict_args["use_vulnerability_management"] == "true" and input_core.path_file_results:
+            if (
+                dict_args["use_vulnerability_management"] == "true"
+                and input_core.path_file_results
+            ):
                 self._use_vulnerability_management(
                     config_tool, input_core, dict_args, secret_tool, env
                 )
             return findings_list, input_core
         elif "engine_container" in dict_args["tool"]:
             findings_list, input_core = runner_engine_container(
-                dict_args, config_tool["ENGINE_CONTAINER"]["TOOL"], secret_tool, self.devops_platform_gateway
+                dict_args,
+                config_tool["ENGINE_CONTAINER"]["TOOL"],
+                secret_tool,
+                self.devops_platform_gateway,
             )
             if (
                 dict_args["use_vulnerability_management"] == "true"
@@ -122,7 +172,9 @@ class HandleScan:
             print(MESSAGE_ENABLED)
         elif "engine_code" in dict_args["tool"]:
             findings_list, input_core = runner_engine_code(
-                dict_args, config_tool["ENGINE_CODE"]["TOOL"], self.devops_platform_gateway
+                dict_args,
+                config_tool["ENGINE_CODE"]["TOOL"],
+                self.devops_platform_gateway,
             )
             if (
                 dict_args["use_vulnerability_management"] == "true"
@@ -136,7 +188,8 @@ class HandleScan:
             findings_list, input_core = runner_secret_scan(
                 dict_args,
                 config_tool["ENGINE_SECRET"]["TOOL"],
-                self.devops_platform_gateway
+                self.devops_platform_gateway,
+                secret_tool
             )
             if (
                 dict_args["use_vulnerability_management"] == "true"
@@ -158,4 +211,4 @@ class HandleScan:
                 self._use_vulnerability_management(
                     config_tool, input_core, dict_args, secret_tool, env
                 )
-            return findings_list, input_core
+            return findings_list, input_core

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/infrastructure/driven_adapters/aws/secrets_manager.py

@@ -36,5 +36,5 @@ class SecretsManager(SecretsManagerGateway):
             secret_dict = json.loads(secret)
             return secret_dict
         except NoCredentialsError as e:
-            logger.error("Error getting secret: {e}")
+            logger.error(f"Error getting secret: {e}")
             return None

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/infrastructure/driven_adapters/defect_dojo/defect_dojo.py

@@ -5,12 +5,16 @@ from devsecops_engine_tools.engine_core.src.domain.model.gateway.vulnerability_m
 from devsecops_engine_tools.engine_core.src.domain.model.vulnerability_management import (
     VulnerabilityManagement,
 )
+from devsecops_engine_tools.engine_core.src.domain.model.gateway.devops_platform_gateway import (
+    DevopsPlatformGateway
+)
 from devsecops_engine_tools.engine_utilities.defect_dojo import (
     DefectDojo,
     ImportScanRequest,
     Connect,
     Finding,
     Engagement,
+    Product,
 )
 from devsecops_engine_tools.engine_core.src.domain.model.exclusions import Exclusions
 from devsecops_engine_tools.engine_core.src.domain.model.report import Report
@@ -19,7 +23,7 @@ from devsecops_engine_tools.engine_core.src.domain.model.customs_exceptions impo
     ExceptionVulnerabilityManagement,
     ExceptionFindingsExcepted,
     ExceptionGettingFindings,
-    ExceptionGettingEngagements
+    ExceptionGettingEngagements,
 )
 from devsecops_engine_tools.engine_core.src.infrastructure.helpers.util import (
     format_date,
@@ -66,7 +70,8 @@ class DefectDojoPlatform(VulnerabilityManagementGateway):
                 "KUBESCAPE": "Kubescape Scanner",
                 "KICS": "KICS Scanner",
                 "BEARER": "Bearer CLI",
-                "DEPENDENCY_CHECK": "Dependency Check Scan"
+                "DEPENDENCY_CHECK": "Dependency Check Scan",
+                "SONARQUBE": "SonarQube API Import"
             }
 
             if any(
@@ -142,6 +147,38 @@ class DefectDojoPlatform(VulnerabilityManagementGateway):
                 )
             )
 
+    def get_product_type_service(self, service, dict_args, secret_tool, config_tool):
+        try:
+            session_manager = self._get_session_manager(
+                dict_args, secret_tool, config_tool
+            )
+
+            dd_max_retries = config_tool["VULNERABILITY_MANAGER"]["DEFECT_DOJO"][
+                "MAX_RETRIES_QUERY"
+            ]
+
+            def request_func():
+                response = Product.get_product(
+                    session=session_manager,
+                    request={
+                        "name": Connect.get_code_app(
+                            service,
+                            config_tool["VULNERABILITY_MANAGER"]["DEFECT_DOJO"][
+                                "REGEX_EXPRESSION_CMDB"
+                            ],
+                        ),
+                        "prefetch": "prod_type",
+                    },
+                )
+                return response.prefetch.prod_type[str(response.results[0].prod_type)] if response.prefetch else None
+
+            return self._retries_requests(request_func, dd_max_retries, retry_delay=5)
+
+        except Exception as ex:
+            raise ExceptionVulnerabilityManagement(
+                "Error getting product type with the following error: {0} ".format(ex)
+            )
+
     def get_findings_excepted(self, service, dict_args, secret_tool, config_tool):
         try:
             session_manager = self._get_session_manager(
@@ -220,7 +257,8 @@ class DefectDojoPlatform(VulnerabilityManagementGateway):
             all_findings_query_params = {
                 "limit": config_tool["VULNERABILITY_MANAGER"]["DEFECT_DOJO"][
                     "LIMITS_QUERY"
-                ]
+                ],
+                "duplicate": "false"
             }
             max_retries = config_tool["VULNERABILITY_MANAGER"]["DEFECT_DOJO"][
                 "MAX_RETRIES_QUERY"
@@ -251,7 +289,9 @@ class DefectDojoPlatform(VulnerabilityManagementGateway):
                 "Error getting all findings with the following error: {0} ".format(ex)
             )
 
-    def get_active_engagements(self, engagement_name, dict_args, secret_tool, config_tool):
+    def get_active_engagements(
+        self, engagement_name, dict_args, secret_tool, config_tool
+    ):
         try:
             request_is = ImportScanRequest(
                 token_defect_dojo=dict_args.get("token_vulnerability_management")
@@ -390,6 +430,8 @@ class DefectDojoPlatform(VulnerabilityManagementGateway):
             risk_accepted=finding.risk_accepted,
             false_p=finding.false_p,
             service=finding.service,
+            unique_id_from_tool=finding.unique_id_from_tool,
+            out_of_scope=finding.out_of_scope
         )
 
     def _format_date_to_dd_format(self, date_string):

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_core/src/infrastructure/driven_adapters/runtime_local/runtime_local.py

@@ -42,7 +42,7 @@ class RuntimeLocal(DevopsPlatformGateway):
         return os.environ.get("DET_SOURCE_CODE_MANAGEMENT_URI")
 
     def get_base_compact_remote_config_url(self, remote_config_repo):
-        return os.environ.get("DET_BASE_COMPACT_REMOTE_CONFIG_URL")
+        return f"{os.environ.get('DET_BASE_COMPACT_REMOTE_CONFIG_URL')}?path=/"
 
     def get_variable(self, variable):
         env_variables = {

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_risk/src/applications/runner_engine_risk.py

@@ -13,7 +13,12 @@ logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
 
 
 def runner_engine_risk(
-    dict_args, findings, vm_exclusions, devops_platform_gateway, print_table_gateway
+    dict_args,
+    findings,
+    vm_exclusions,
+    services,
+    devops_platform_gateway,
+    print_table_gateway,
 ):
     add_epss_gateway = FirstCsv()
 
@@ -23,5 +28,6 @@ def runner_engine_risk(
         print_table_gateway,
         dict_args,
         findings,
+        services,
         vm_exclusions,
     )

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_risk/src/domain/usecases/break_build.py

@@ -118,9 +118,11 @@ class BreakBuild:
 
     def _remediation_rate_control(self, all_report: "list[Report]"):
         remote_config = self.remote_config
-        remediation_rate_value = self._get_percentage(
-            (sum(1 for report in all_report if report.mitigated)) / len(all_report)
-        )
+        mitigated = sum(1 for report in all_report if report.mitigated)
+        total = len(all_report)
+        print(f"Mitigated count: {mitigated}   Total count: {total}")
+        remediation_rate_value = self._get_percentage(mitigated / total)
+
         risk_threshold = remote_config["THRESHOLD"]["REMEDIATION_RATE"]
         self.remediation_rate = remediation_rate_value
 
@@ -151,14 +153,6 @@ class BreakBuild:
     def _get_percentage(self, decimal):
         return round(decimal * 100, 3)
 
-    def _get_applied_exclusion(self, report: Report):
-        for exclusion in self.exclusions:
-            if exclusion.id and (report.id == exclusion.id):
-                return exclusion
-            elif exclusion.id and (report.vuln_id_from_tool == exclusion.id):
-                return exclusion
-        return None
-
     def _map_applied_exclusion(self, exclusions: "list[Exclusions]"):
         return [
             {
@@ -173,22 +167,27 @@ class BreakBuild:
         ]
 
     def _apply_exclusions(self, report_list: "list[Report]"):
-        new_report_list = []
+        filtered_reports = []
         applied_exclusions = []
-        exclusions_ids = {exclusion.id for exclusion in self.exclusions if exclusion.id}
 
         for report in report_list:
-            if report.vuln_id_from_tool and (
-                report.vuln_id_from_tool in exclusions_ids
-            ):
-                applied_exclusions.append(self._get_applied_exclusion(report))
-            elif report.id and (report.id in exclusions_ids):
-                applied_exclusions.append(self._get_applied_exclusion(report))
-            else:
+            exclude = False
+            for exclusion in self.exclusions:
+                if (
+                    (
+                        report.vuln_id_from_tool
+                        and report.vuln_id_from_tool == exclusion.id
+                    )
+                    or (report.id and report.id == exclusion.id)
+                ) and ((exclusion.where in report.where) or (exclusion.where == "all")):
+                    exclude = True
+                    applied_exclusions.append(exclusion)
+                    break
+            if not exclude:
                 report.reason = "Remediation Rate"
-                new_report_list.append(report)
+                filtered_reports.append(report)
 
-        return new_report_list, applied_exclusions
+        return filtered_reports, applied_exclusions
 
     def _tag_blacklist_control(self, report_list: "list[Report]"):
         remote_config = self.remote_config
@@ -245,7 +244,10 @@ class BreakBuild:
                 report.risk_score = round(
                     remote_config["WEIGHTS"]["severity"].get(report.severity.lower(), 0)
                     + remote_config["WEIGHTS"]["epss_score"] * report.epss_score
-                    + remote_config["WEIGHTS"]["age"] * report.age
+                    + min(
+                        remote_config["WEIGHTS"]["age"] * report.age,
+                        remote_config["WEIGHTS"]["max_age"],
+                    )
                     + sum(
                         remote_config["WEIGHTS"]["tags"].get(tag, 0)
                         for tag in report.tags

{devsecops_engine_tools-1.11.2 → devsecops_engine_tools-1.16.0}/devsecops_engine_tools/engine_risk/src/domain/usecases/get_exclusions.py

@@ -11,14 +11,14 @@ class GetExclusions:
         findings,
         risk_config,
         risk_exclusions,
-        pipeline_name,
+        services,
     ):
         self.devops_platform_gateway = devops_platform_gateway
         self.dict_args = dict_args
         self.findings = findings
         self.risk_config = risk_config
         self.risk_exclusions = risk_exclusions
-        self.pipeline_name = pipeline_name
+        self.services = services
 
     def process(self):
         core_config = self.devops_platform_gateway.get_remote_config(
@@ -49,7 +49,8 @@ class GetExclusions:
 
     def _get_exclusions(self, config, key):
         exclusions = []
-        for scope in ["All", self.pipeline_name]:
+        scope_list = ["All"] + self.services
+        for scope in scope_list:
             if config.get(scope, None) and config[scope].get(key, None):
                 exclusions.extend(
                     [