devsecops-engine-tools 1.25.0__py3-none-any.whl → 1.25.1__py3-none-any.whl

devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/images_gateway.py

@@ -5,3 +5,7 @@ class ImagesGateway(metaclass=ABCMeta):
     @abstractmethod
     def list_images(self, image_to_scan) -> str:
         "get image to scan"
+
+    @abstractmethod
+    def get_base_image(self, image_to_scan) -> str:
+        "get base image"

devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/tool_gateway.py

@@ -3,5 +3,5 @@ from abc import ABCMeta, abstractmethod
 
 class ToolGateway(metaclass=ABCMeta):
     @abstractmethod
-    def run_tool_container_sca(self, dict_args, secret_tool, token_engine_container, scan_image, release) -> str:
+    def run_tool_container_sca(self, dict_args, secret_tool, token_engine_container, scan_image, release, base_image, exclusions) -> str:
         "run tool container sca"

devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py

@@ -22,6 +22,7 @@ class ContainerScaScan:
         secret_tool,
         token_engine_container,
         image_to_scan,
+        exclusions
     ):
         self.tool_run = tool_run
         self.remote_config = remote_config
@@ -31,6 +32,7 @@ class ContainerScaScan:
         self.secret_tool = secret_tool
         self.token_engine_container = token_engine_container
         self.image_to_scan = image_to_scan
+        self.exclusions = exclusions
 
     def get_image(self, image_to_scan):
         """
@@ -41,6 +43,15 @@ class ContainerScaScan:
         """
         return self.tool_images.list_images(image_to_scan)
 
+    def get_base_image(self, matching_image):
+            """
+            Process the base image.
+
+            Returns:
+                String: base image.
+            """
+            return self.tool_images.get_base_image(matching_image)
+
     def get_images_already_scanned(self):
         """
         Create images scanned file if it does not exist and get the images that have already been scanned.
@@ -66,21 +77,24 @@ class ContainerScaScan:
         Returns:
             string: file scanning results name.
         """
-        matching_image = self.get_image(self.image_to_scan)
+        base_image = None
         image_scanned = None
+        matching_image = self.get_image(self.image_to_scan)
+        if self.remote_config['GET_IMAGE_BASE']:
+            base_image = self.get_base_image(matching_image)
         if matching_image:
             image_name = matching_image.tags[0]
             result_file = image_name.replace("/","_") + "_scan_result.json"
             if image_name in self.get_images_already_scanned():
                 print(f"The image {image_name} has already been scanned previously.")
-                return image_scanned
+                return image_scanned, base_image
             image_scanned = self.tool_run.run_tool_container_sca(
-                self.remote_config, self.secret_tool, self.token_engine_container, image_name, result_file
+                self.remote_config, self.secret_tool, self.token_engine_container, image_name, result_file, base_image, self.exclusions
             )
             self.set_image_scanned(image_name)
         else:
             print(f"'Not image found for {self.image_to_scan}'. Tool skipped.")
-        return image_scanned
+        return image_scanned, base_image
 
     def deseralizator(self, image_scanned):
         """

devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/set_input_core.py

@@ -12,25 +12,37 @@ class SetInputCore:
         self.tool = tool
         self.stage = stage
 
-    def get_exclusions(self, exclusions_data, pipeline_name, tool):
-        list_exclusions = [
-            Exclusions(
-                id=item.get("id", ""),
-                where=item.get("where", ""),
-                cve_id=item.get("cve_id", ""),
-                create_date=item.get("create_date", ""),
-                expired_date=item.get("expired_date", ""),
-                severity=item.get("severity", ""),
-                hu=item.get("hu", ""),
-                reason=item.get("reason", "Risk acceptance"),
-            )
-            for key, value in exclusions_data.items()
-            if key in {"All", pipeline_name} and value.get(tool)
-            for item in value[tool]
-        ]
+    def get_exclusions(self, exclusions_data, pipeline_name, tool, base_image):
+        list_exclusions = []
+        print("The base image used is:", base_image)
+        for key, value in exclusions_data.items():
+            if key not in {"All", pipeline_name} or not value.get(tool):
+                continue
+
+            for item in value[tool]:
+                if key == "All":
+                    source_images = item.get("source_images", [])
+                    if source_images and base_image is None:
+                        continue
+                    if source_images and not any(base_image in source for source in source_images):
+                        continue
+                    
+                list_exclusions.append(
+                    Exclusions(
+                        id=item.get("id", ""),
+                        where=item.get("where", ""),
+                        cve_id=item.get("cve_id", ""),
+                        create_date=item.get("create_date", ""),
+                        expired_date=item.get("expired_date", ""),
+                        severity=item.get("severity", ""),
+                        hu=item.get("hu", ""),
+                        reason=item.get("reason", "Risk acceptance"),
+                    )
+                )
+
         return list_exclusions
 
-    def set_input_core(self, image_scanned):
+    def set_input_core(self, image_scanned,base_image):
         """
         Set the input core.
 
@@ -42,6 +54,7 @@ class SetInputCore:
                 self.exclusions,
                 self.pipeline_name,
                 self.tool,
+                base_image
             ),
             Utils.update_threshold(
                 self,

devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/docker_images.py

@@ -31,3 +31,20 @@ class DockerImages(ImagesGateway):
             logger.error(
                 f"Error listing images, docker must be running and added to PATH: {e}"
             )
+
+    def get_base_image(self, matching_image):
+        try:
+            client = docker.from_env()
+            image_details = client.api.inspect_image(matching_image.id)
+            labels = image_details.get("Config", {}).get("Labels", {})
+            source_image = labels.get("source-image")
+            if source_image:
+                logger.info(f"Base image for '{matching_image}' from source-image label: {source_image}")
+                return source_image
+
+            logger.warning(f"Base image not found for '{matching_image}'.")
+            return None
+
+        except Exception as e:
+            logger.error(f"Error getting base image: {e}")
+            return None

devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_cloud_manager_scan.py

@@ -4,6 +4,7 @@ import os
 import subprocess
 import logging
 import base64
+import json
 from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.gateways.tool_gateway import (
     ToolGateway,
 )
@@ -68,14 +69,36 @@ class PrismaCloudManagerScan(ToolGateway):
                 text=True,
             )
             print(f"The image {image_name} was scanned")
-
             return result_file
 
         except subprocess.CalledProcessError as e:
             logger.error(f"Error during image scan of {image_name}: {e.stderr}")
 
+    def _write_image_base(self, result_file, base_image, exclusions_data):
+        try:
+            with open(result_file, "r") as file:
+                data = json.load(file)
+
+            prisma_exclusions = exclusions_data.get("All", {}).get("PRISMA", [])
+            modified = False
+            for result in data.get("results", []):
+                for vulnerability in result.get("vulnerabilities", []):
+                    for exclusion in prisma_exclusions:
+                        if (
+                            vulnerability.get("id") == exclusion.get("id") and
+                            any(image.startswith(base_image) for image in exclusion.get("source_images", []))
+                        ):
+                            vulnerability["baseImage"] = base_image
+                            modified = True
+
+            if modified:
+                with open(result_file, "w") as file:
+                    json.dump(data, file, indent=4)
+        except subprocess.CalledProcessError as e:
+             logger.error(f"Error during write image base of {base_image}: {e.stderr}")
+            
     def run_tool_container_sca(
-        self, remoteconfig, secret_tool, token_engine_container, image_name, result_file
+        self, remoteconfig, secret_tool, token_engine_container, image_name, result_file, base_image, exclusions
     ):
         prisma_secret_key = secret_tool["token_prisma_cloud"] if secret_tool else token_engine_container
         file_path = os.path.join(
@@ -95,7 +118,9 @@ class PrismaCloudManagerScan(ToolGateway):
             image_name,
             result_file,
             remoteconfig,
-            prisma_secret_key,
+            prisma_secret_key
         )
+        if base_image:
+            self._write_image_base(result_file, base_image, exclusions)
 
         return image_scanned

devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/trivy_manager_scan.py

@@ -7,6 +7,7 @@ import platform
 import requests
 import tarfile
 import zipfile
+import json
 
 from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
 from devsecops_engine_tools.engine_utilities import settings
@@ -52,7 +53,7 @@ class TrivyScan(ToolGateway):
             except Exception as e:
                 logger.error(f"Error installing trivy: {e}")
 
-    def scan_image(self, prefix, image_name, result_file):
+    def scan_image(self, prefix, image_name, result_file, base_image):
         command = [
             prefix,
             "--scanners",
@@ -78,7 +79,7 @@ class TrivyScan(ToolGateway):
         except Exception as e:
             logger.error(f"Error during image scan of {image_name}: {e}")
 
-    def run_tool_container_sca(self, remoteconfig, secret_tool, token_engine_container, image_name, result_file):
+    def run_tool_container_sca(self, remoteconfig, secret_tool, token_engine_container, image_name, result_file ,base_image, exclusions):
         trivy_version = remoteconfig["TRIVY"]["TRIVY_VERSION"]
         os_platform = platform.system()
         arch_platform = platform.architecture()[0]
@@ -101,7 +102,7 @@ class TrivyScan(ToolGateway):
             return None
 
         image_scanned = (
-            self.scan_image(command_prefix, image_name, result_file)
+            self.scan_image(command_prefix, image_name, result_file, base_image)
         )
 
         return image_scanned

devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/entry_points/entry_point_tool.py

@@ -38,6 +38,7 @@ def init_engine_sca_rm(
     stage = tool_remote.get_variable("stage")
     image_to_scan = dict_args["image_to_scan"]
     image_scanned = None
+    base_image = None
     deseralized = []
     input_core = SetInputCore(remote_config, exclusions, pipeline_name, tool, stage)
     if scan_flag and not (skip_flag):
@@ -50,13 +51,14 @@ def init_engine_sca_rm(
             secret_tool,
             dict_args["token_engine_container"],
             image_to_scan,
+            exclusions
         )
-        image_scanned = container_sca_scan.process()
+        image_scanned,base_image = container_sca_scan.process()
         if image_scanned:
             deseralized = container_sca_scan.deseralizator(image_scanned)
     else:
         print("Tool skipped by DevSecOps policy")
         dict_args["send_metrics"] = "false"
-    core_input = input_core.set_input_core(image_scanned)
+    core_input = input_core.set_input_core(image_scanned,base_image)
 
     return deseralized, core_input

devsecops_engine_tools/version.py

@@ -1 +1 @@
-version = '1.25.0'
+version = '1.25.1'

{devsecops_engine_tools-1.25.0.dist-info → devsecops_engine_tools-1.25.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: devsecops-engine-tools
-Version: 1.25.0
+Version: 1.25.1
 Summary: Tool for DevSecOps strategy
 Home-page: https://github.com/bancolombia/devsecops-engine-tools
 Author: Bancolombia DevSecOps Team

{devsecops_engine_tools-1.25.0.dist-info → devsecops_engine_tools-1.25.1.dist-info}/RECORD

@@ -1,5 +1,5 @@
 devsecops_engine_tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/version.py,sha256=H5emCtCaqtHr-9dLv_SG9PwZ_mJKNcZ0wZ2S_f-TQHQ,19
+devsecops_engine_tools/version.py,sha256=qfAYf9RsqCPGpf2oH5qMg1YfoP33JS4SDFWM3eS8bUU,19
 devsecops_engine_tools/engine_core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_core/src/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_core/src/applications/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -169,24 +169,24 @@ devsecops_engine_tools/engine_sca/engine_container/src/domain/__init__.py,sha256
 devsecops_engine_tools/engine_sca/engine_container/src/domain/model/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/deserealizator_gateway.py,sha256=sE7-GnNSNLWbA1H0mvTwXmxcOJXl8uvw-0hxMyX4oMc,290
-devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/images_gateway.py,sha256=4I0x7qT97mT1kuyIYMWHz7KH_XEMwNm9_eB0SUcEKrE,179
-devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/tool_gateway.py,sha256=oMeCeSjAjT-efISOAjAfRv85fRhsX6ZNszrKraHAdTE,254
+devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/images_gateway.py,sha256=cXafS4v7tflUAaqf9t468gL8P6Wa9hY09BTNzKIuAWQ,277
+devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/tool_gateway.py,sha256=hQ_4Qmcx9tebf-2Mvu4EeZHwaobVl-hUuzU7vB0U5lw,278
 devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py,sha256=SXwMqqUSjaJlFUkfnLJp_2o2kJn4zVUXM0oNTP8cJ-k,3250
+devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py,sha256=8h4qV_xbH9InocBhk3oWkLuma-RWhkZDhjt_lrjTd8E,3749
 devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/handle_remote_config_patterns.py,sha256=4wgBTQSDE-C5v01C3Vxzeq0DJKZUSqQ5TVLG7yPZPKs,926
-devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/set_input_core.py,sha256=-X4wIUAMF3ru1HBEfNz9JhrCg6tcgX40FBKdmamDEIU,2020
+devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/set_input_core.py,sha256=n-SjcDl6YPAnUWqkOYXsVr-mTiS4rGxj4sS2YkXo6xw,2632
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/docker_images.py,sha256=DtjjScV0WYDRme2JgCjGf3BB8btqcJObWMu-xvHZgNY,1173
+devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/docker_images.py,sha256=99-KEv62RoHAkY-S2mR7GjuHsMF0ELt_x4mW5ZMKubE,1855
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_cloud_manager_scan.py,sha256=vGQUGbYUzab_TvLHmH8lkb9jf2ZNCY3IiuhhYAz8lN0,3337
+devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_cloud_manager_scan.py,sha256=UA-tU1ppfWpEUh_QZLBX3IJxRQPkC6f91dpeRI31EXg,4597
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_deserialize_output.py,sha256=oK0NKuPODm38qDgQjf6w40lfNG6NFJS43p5k44wDoMA,2562
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/trivy_deserialize_output.py,sha256=LGqnO10Zt-0-TxUW6F1S46jVktlIwxWSYATKSVblCWI,2535
-devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/trivy_manager_scan.py,sha256=LWiCQsL7BukEJPCoPkC_zYDfYQMLo2LNYwMbIIXBGfs,3722
+devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/trivy_manager_scan.py,sha256=RG8H9pYcqo554VQGXWZUYsLPQkanERscs3MVQOQ_vc8,3782
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/entry_points/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/entry_points/entry_point_tool.py,sha256=HSDhub6kPcbSfAo5uJOxY8Pc4kyZ8VszJmwH-p8vkx4,2437
+devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/entry_points/entry_point_tool.py,sha256=OSXZs45XmuhGMOMJUa0AZKmsLi2jqPP93GI1FaJP5Ug,2506
 devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sca/engine_dependencies/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sca/engine_dependencies/src/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -308,8 +308,8 @@ devsecops_engine_tools/engine_utilities/utils/name_conversion.py,sha256=ADJrRGax
 devsecops_engine_tools/engine_utilities/utils/printers.py,sha256=amYAr9YQfYgR6jK9a2l26z3oovFPQ3FAKmhq6BKhEBA,623
 devsecops_engine_tools/engine_utilities/utils/session_manager.py,sha256=yNtlT-8Legz1sHbGPH8LNYjL-LgDUE0zXG2rYjiab7U,290
 devsecops_engine_tools/engine_utilities/utils/utils.py,sha256=yvCbPKAWa7wxk5S-s_Xkvx9VtnIpv9eWUMG8wtlmrhs,5870
-devsecops_engine_tools-1.25.0.dist-info/METADATA,sha256=oJKPtxsdfGzrdqYgZg1sokubbszwx1AceewY7AJkqWg,11010
-devsecops_engine_tools-1.25.0.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
-devsecops_engine_tools-1.25.0.dist-info/entry_points.txt,sha256=MHCTFFs9bdNKo6YcWCcBW2_8X6yTisgLOlmVx-V8Rxc,276
-devsecops_engine_tools-1.25.0.dist-info/top_level.txt,sha256=ge6y0X_xBAU1aG3EMWFtl9djbVyg5BxuSp2r2Lg6EQU,23
-devsecops_engine_tools-1.25.0.dist-info/RECORD,,
+devsecops_engine_tools-1.25.1.dist-info/METADATA,sha256=DniDER-9_UQl3ajfi-gEheUEb7Ec-aDbHrSW_WyVcWU,11010
+devsecops_engine_tools-1.25.1.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
+devsecops_engine_tools-1.25.1.dist-info/entry_points.txt,sha256=MHCTFFs9bdNKo6YcWCcBW2_8X6yTisgLOlmVx-V8Rxc,276
+devsecops_engine_tools-1.25.1.dist-info/top_level.txt,sha256=ge6y0X_xBAU1aG3EMWFtl9djbVyg5BxuSp2r2Lg6EQU,23
+devsecops_engine_tools-1.25.1.dist-info/RECORD,,