PyPI - devsecops-engine-tools - Versions diffs - 1.56.5__py3-none-any.whl → 1.58.0__py3-none-any.whl - Mend

devsecops-engine-tools 1.56.5py3-none-any.whl → 1.58.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of devsecops-engine-tools might be problematic. Click here for more details.

Files changed (11) hide show

devsecops_engine_tools/engine_core/src/applications/runner_engine_core.py CHANGED Viewed

@@ -123,6 +123,13 @@ def get_inputs_from_cli(args):
         required=False,
         help="Folder Path to scan, only apply engine_iac, engine_code, engine_secret and engine_dependencies tools",
     )
+    parser.add_argument(
+        "-tr",
+        "--terraform_repo_root",
+        type=str,
+        required=False,
+        help="Folder Path containing the terraform code used to generate a given plan file, only apply engine_iac with checkov",
+    )
     parser.add_argument(
         "-p",
         "--platform",
@@ -223,6 +230,7 @@ def get_inputs_from_cli(args):
         "tool": args.tool,
         "module": args.module,
         "folder_path": args.folder_path,
+        "terraform_repo_root": args.terraform_repo_root,
         "platform": args.platform,
         "use_secrets_manager": args.use_secrets_manager,
         "use_vulnerability_management": args.use_vulnerability_management,

devsecops_engine_tools/engine_risk/src/domain/usecases/break_build.py CHANGED Viewed

@@ -15,6 +15,8 @@ from collections import Counter
 import copy
 import sympy as sp
 import math
+from datetime import datetime, timedelta
+import holidays
 class BreakBuild:
@@ -138,7 +140,16 @@ class BreakBuild:
         formula = sp.Eq(
             remediation_rate_name,
             100
-            * (mitigated_name / (all_findings_name - new_findings - white_list_name - transferred_name - base_image_name)),
+            * (
+                mitigated_name
+                / (
+                    all_findings_name
+                    - new_findings
+                    - white_list_name
+                    - transferred_name
+                    - base_image_name
+                )
+            ),
         )
         print("\n")
         sp.pretty_print(formula)
@@ -167,7 +178,13 @@ class BreakBuild:
         print(
             f"Mitigated: {mitigated_count}   AllFindings: {all_findings_count}   BaseImage: {base_image_count}   NewFindings: {self.policy_excluded}   Transferred: {transferred_list_count}   WhiteList: {white_list_count}\n\n"
         )
-        total = all_findings_count - self.policy_excluded - white_list_count - base_image_count - transferred_list_count
+        total = (
+            all_findings_count
+            - self.policy_excluded
+            - white_list_count
+            - base_image_count
+            - transferred_list_count
+        )
         if total == 0:
             print(
@@ -198,7 +215,9 @@ class BreakBuild:
             )
             self.warning_build = True
         else:
-            missing_findings = math.ceil((risk_threshold / 100 * total) - mitigated_count)
+            missing_findings = math.ceil(
+                (risk_threshold / 100 * total) - mitigated_count
+            )
             print(
                 self.devops_platform_gateway.message(
                     "error",
@@ -281,62 +300,85 @@ class BreakBuild:
         remote_config = self.remote_config
         if report_list:
             tag_blacklist = set(remote_config["TAG_BLACKLIST_EXCLUSION_DAYS"].keys())
+            colombian_holidays = holidays.Colombia()
-            filtered_reports_above_threshold = [
-                (report, tag)
-                for report in report_list
-                for tag in report.tags
-                if tag in tag_blacklist
-                and report.age >= remote_config["TAG_BLACKLIST_EXCLUSION_DAYS"][tag]
-            ]
+        def calculate_working_days(start_date, days):
+            current_date = start_date
+            working_days = 0
+            while working_days < days:
+                current_date += timedelta(days=1)
+                if (
+                    current_date.weekday() < 5
+                    and current_date not in colombian_holidays
+                ):
+                    working_days += 1
+            return current_date
-            filtered_reports_below_threshold = [
-                (report, tag)
-                for report in report_list
-                for tag in report.tags
-                if tag in tag_blacklist
-                and report.age < remote_config["TAG_BLACKLIST_EXCLUSION_DAYS"][tag]
-            ]
+        filtered_reports_above_threshold = []
+        filtered_reports_below_threshold = []
-            for report, tag in filtered_reports_above_threshold:
-                report.reason = "Blacklisted"
-                print(
-                    self.devops_platform_gateway.message(
-                        "error",
-                        f"Report {report.vm_id} with tag '{tag}' is blacklisted and age {report.age} is above threshold {remote_config['TAG_BLACKLIST_EXCLUSION_DAYS'][tag]}",
-                    )
+        for report in report_list:
+            for tag in report.tags:
+                if tag in tag_blacklist:
+                    exclusion_value = remote_config["TAG_BLACKLIST_EXCLUSION_DAYS"][tag]
+                    if isinstance(exclusion_value, str) and "WD" in exclusion_value:
+                        working_days_threshold = int(exclusion_value.replace("WD", ""))
+                        report_created_date = datetime.strptime(
+                            report.created.split("T")[0], "%Y-%m-%d"
+                        )
+                        threshold_date = calculate_working_days(
+                            report_created_date, working_days_threshold
+                        )
+                        if datetime.now() >= threshold_date:
+                            filtered_reports_above_threshold.append((report, tag))
+                        else:
+                            filtered_reports_below_threshold.append((report, tag))
+                    else:
+                        numeric_threshold = int(exclusion_value)
+                        if report.age >= numeric_threshold:
+                            filtered_reports_above_threshold.append((report, tag))
+                        else:
+                            filtered_reports_below_threshold.append((report, tag))
+        for report, tag in filtered_reports_above_threshold:
+            report.reason = "Blacklisted"
+            print(
+                self.devops_platform_gateway.message(
+                    "error",
+                    f"Report {report.vm_id} with tag '{tag}' is blacklisted and age {report.age} is above threshold {remote_config['TAG_BLACKLIST_EXCLUSION_DAYS'][tag]}",
                 )
+            )
-            for report, tag in filtered_reports_below_threshold:
-                print(
-                    self.devops_platform_gateway.message(
-                        "warning",
-                        f"Report {report.vm_id} with tag '{tag}' is blacklisted but age {report.age} is below threshold {remote_config['TAG_BLACKLIST_EXCLUSION_DAYS'][tag]}",
-                    )
+        for report, tag in filtered_reports_below_threshold:
+            print(
+                self.devops_platform_gateway.message(
+                    "warning",
+                    f"Report {report.vm_id} with tag '{tag}' is blacklisted but age {report.age} is below threshold {remote_config['TAG_BLACKLIST_EXCLUSION_DAYS'][tag]}",
                 )
-                self.policy_excluded += 1
+            )
+            self.policy_excluded += 1
-            if filtered_reports_above_threshold:
-                self.break_build = True
-                self.blacklisted += len(filtered_reports_above_threshold)
-                self.report_breaker.extend(
-                    copy.deepcopy(
-                        [report for report, _ in filtered_reports_above_threshold]
-                    )
+        if filtered_reports_above_threshold:
+            self.break_build = True
+            self.blacklisted += len(filtered_reports_above_threshold)
+            self.report_breaker.extend(
+                copy.deepcopy(
+                    [report for report, _ in filtered_reports_above_threshold]
                 )
+            )
-            for report in report_list:
-                if "On Blacklist" in report.risk_status:
-                    self.break_build = True
-                    report.reason = "Blacklisted"
-                    self.blacklisted += 1
-                    self.report_breaker.append(copy.deepcopy(report))
-                    print(
-                        self.devops_platform_gateway.message(
-                            "error",
-                            f"Report {report.vm_id} is blacklisted.",
-                        )
+        for report in report_list:
+            if "On Blacklist" in report.risk_status:
+                self.break_build = True
+                report.reason = "Blacklisted"
+                self.blacklisted += 1
+                self.report_breaker.append(copy.deepcopy(report))
+                print(
+                    self.devops_platform_gateway.message(
+                        "error",
+                        f"Report {report.vm_id} is blacklisted.",
                     )
+                )
     def _risk_score_control(self, report_list: "list[Report]"):
         remote_config = self.remote_config

devsecops_engine_tools/engine_sast/engine_iac/src/domain/usecases/iac_scan.py CHANGED Viewed

@@ -48,6 +48,7 @@ class IacScan:
                 secret_tool=secret_tool,
                 secret_external_checks=dict_args["token_external_checks"],
                 work_folder=self.devops_platform_gateway.get_variable("temp_directory"),
+                dict_args=dict_args
             )
         else:
             print("Tool skipped by DevSecOps policy")

devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_config.py CHANGED Viewed

@@ -22,7 +22,8 @@ class CheckovConfigEnum(Enum):
     DOCKERFILEPATH = "dockerfile-path"
     EXTERNAL_CHECKS_GIT = "external-checks-git"
     SKIP_DOWNLOAD = "skip-download"
+    REPO_ROOT_FOR_PLAN_ENRICHMENT = "repo-root-for-plan-enrichment"
+    DEEP_ANALYSIS = "deep-analysis"
 class CheckovConfig:
     dict_confg_file = {}
@@ -45,6 +46,8 @@ class CheckovConfig:
         external_checks_git=None,
         skip_checks=None,
         skip_download=True,
+        repo_root_for_plan_enrichment=None,
+        deep_analysis=None
     ):
         self.path_config_file = path_config_file
         self.config_file_name = config_file_name
@@ -62,6 +65,8 @@ class CheckovConfig:
         self.skip_checks = skip_checks
         self.skip_download = skip_download
         self.env = env
+        self.repo_root_for_plan_enrichment = repo_root_for_plan_enrichment
+        self.deep_analysis = deep_analysis
     def create_config_dict(self):
         if self.framework is not None:
@@ -111,6 +116,20 @@ class CheckovConfig:
             raise ValueError(
                 MESSAGE_VALUE + CheckovConfigEnum.DIRECTORIES.value + MESSAGE_NIL
             )
+        if self.repo_root_for_plan_enrichment is not None:
+            self.dict_confg_file[
+                CheckovConfigEnum.REPO_ROOT_FOR_PLAN_ENRICHMENT.value
+            ] = self.repo_root_for_plan_enrichment
+        else:
+            self.dict_confg_file.pop(CheckovConfigEnum.REPO_ROOT_FOR_PLAN_ENRICHMENT.value, None)
+        if self.deep_analysis is not None:
+            self.dict_confg_file[
+                CheckovConfigEnum.DEEP_ANALYSIS.value
+            ] = self.deep_analysis
+        else:
+            self.dict_confg_file.pop(CheckovConfigEnum.DEEP_ANALYSIS.value, None)
         if self.evaluate_variables is not None:
             self.dict_confg_file[

devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_tool.py CHANGED Viewed

@@ -148,7 +148,8 @@ class CheckovTool(ToolGateway):
         agent_env,
         environment,
         platform_to_scan,
-        command_prefix
+        command_prefix,
+        dict_args
     ):
         output_queue = queue.Queue()
         # Crea una lista para almacenar los hilos
@@ -160,8 +161,10 @@ class CheckovTool(ToolGateway):
                     elem.upper() in rule for elem in platform_to_scan
                 ):
                     framework = [self.framework_mapping[rule]]
+                    repo_root = None
                     if "terraform" in platform_to_scan or ("all" in platform_to_scan and self.framework_mapping[rule] == "terraform"):
                         framework.append("terraform_plan")
+                        repo_root = dict_args.get("terraform_repo_root", None)
                     checkov_config = CheckovConfig(
                         path_config_file="",
@@ -192,6 +195,12 @@ class CheckovTool(ToolGateway):
                             and rule in self.framework_external_checks
                             else []
                         ),
+                        repo_root_for_plan_enrichment=repo_root,
+                        deep_analysis=(
+                            True
+                            if repo_root
+                            else None
+                        )
                     )
                     checkov_config.create_config_dict()
@@ -240,7 +249,7 @@ class CheckovTool(ToolGateway):
         if command_prefix is not None:
             result_scans, rules_run = self.scan_folders(
-                folders_to_scan, config_tool, agent_env, environment, platform_to_scan, command_prefix
+                folders_to_scan, config_tool, agent_env, environment, platform_to_scan, command_prefix, kwargs.get("dict_args")
             )
             checkov_deserealizator = CheckovDeserealizator()

devsecops_engine_tools/version.py CHANGED Viewed

	@@ -1 +1 @@
1	- version = '1.56.5'
1	+ version = '1.58.0'

{devsecops_engine_tools-1.56.5.dist-info → devsecops_engine_tools-1.58.0.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: devsecops-engine-tools
-Version: 1.56.5
+Version: 1.58.0
 Summary: Tool for DevSecOps strategy
 Home-page: https://github.com/bancolombia/devsecops-engine-tools
 Author: Bancolombia DevSecOps Team
@@ -32,6 +32,7 @@ Requires-Dist: ruamel.yaml==0.18.6
 Requires-Dist: Authlib==1.3.2
 Requires-Dist: PyJWT==2.9.0
 Requires-Dist: sympy==1.13.3
+Requires-Dist: holidays==0.58
 # DevSecOps Engine Tools

{devsecops_engine_tools-1.56.5.dist-info → devsecops_engine_tools-1.58.0.dist-info}/RECORD RENAMED Viewed

@@ -1,9 +1,9 @@
 devsecops_engine_tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/version.py,sha256=aqyKZWt4-g6j8-a4jw8MAG7YF-Cm3ClF0toAQNwApmY,19
+devsecops_engine_tools/version.py,sha256=az0Lu4HqJfr2fFy_Az3mdBs66w7djPHVRbb1T0hjDmQ,19
 devsecops_engine_tools/engine_core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_core/src/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_core/src/applications/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/engine_core/src/applications/runner_engine_core.py,sha256=7KqgqvdENk5e0uFkMbRWx5fSmQK0MAnX2NOlj9R57eI,9429
+devsecops_engine_tools/engine_core/src/applications/runner_engine_core.py,sha256=oGzG_YAnGw1YNOFG_llMMeYzQRXrjmHiBVoPvsjgHeU,9736
 devsecops_engine_tools/engine_core/src/deployment/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_core/src/deployment/infrastructure/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_core/src/domain/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -101,7 +101,7 @@ devsecops_engine_tools/engine_risk/src/domain/model/gateways/__init__.py,sha256=
 devsecops_engine_tools/engine_risk/src/domain/model/gateways/add_epss_gateway.py,sha256=cTm4QSxiaUt7ETCdXWZxKEus8pmEDA3e9k5b39SLDDE,178
 devsecops_engine_tools/engine_risk/src/domain/usecases/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_risk/src/domain/usecases/add_data.py,sha256=4wqDj-q7hJfJscvrbMDcy7tONqxdxl-CSl_TWTRUGKA,402
-devsecops_engine_tools/engine_risk/src/domain/usecases/break_build.py,sha256=KjEdbna0eMaIFcAQa36X3p_UFhexk3d4wnBOTK5ZrIU,15552
+devsecops_engine_tools/engine_risk/src/domain/usecases/break_build.py,sha256=nCUvHa4azCfQSdVzoJcyWOn3vzdSlgibzBS2J3Qqfsc,17011
 devsecops_engine_tools/engine_risk/src/domain/usecases/check_threshold.py,sha256=VYdmcbAuNNvdHCegRfvza7YJ8FHbFNyDosrKJrMW93I,765
 devsecops_engine_tools/engine_risk/src/domain/usecases/get_exclusions.py,sha256=1UNNq_Yhg3R78jLRSKcMNQYe8T8gl1C31C0ttBF0OAk,3992
 devsecops_engine_tools/engine_risk/src/domain/usecases/handle_filters.py,sha256=R53fnuIQYfr7YbpMz1BGPJ1d5z9jY_Hnm7EmPt99wlE,3608
@@ -146,13 +146,13 @@ devsecops_engine_tools/engine_sast/engine_iac/src/domain/model/config_tool.py,sh
 devsecops_engine_tools/engine_sast/engine_iac/src/domain/model/gateways/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sast/engine_iac/src/domain/model/gateways/tool_gateway.py,sha256=ClElxyHbwfDCW0fgcehaNfQLq00zozhO71EnyCjzt-U,182
 devsecops_engine_tools/engine_sast/engine_iac/src/domain/usecases/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/engine_sast/engine_iac/src/domain/usecases/iac_scan.py,sha256=k8w4lLiWKrjNuAP2A_EadjAcpjWLkbj1YtIPHOVGoyw,6208
+devsecops_engine_tools/engine_sast/engine_iac/src/domain/usecases/iac_scan.py,sha256=NbA3urTxxXVWiPmzWcV2mQctIng3RZSmXLOuiCnQbX0,6244
 devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_config.py,sha256=qbE6wUO5_WFXF_QolL0JYelaRGEOUakPEZR_6HAKzzI,4355
+devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_config.py,sha256=TctUDUvNsErWQ7B41eYCJ0REzGTSyMXJl19mFu33Lv4,5245
 devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_deserealizator.py,sha256=l_opY909gh1m3k2ud2xDrCVnDTBe3ApYT75juBf_uMk,1836
-devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_tool.py,sha256=dI71x8QfhVOmq6FmzHsiHoUFWCwHjr4W4BgikyLiMjA,12645
+devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_tool.py,sha256=Nzc3uZPitLT7mKiyM4KxtwmFLVZQIgQ1TaNtejc_4Zs,13048
 devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kics/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kics/kics_deserealizator.py,sha256=tZq3jutZL2M9XIxm5K_xd3mWwTCMVmHQPFNvrslCqCM,2092
 devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kics/kics_tool.py,sha256=pVNZclcBKA6Ebm9kUfBWlHFI37ROT58CdqcczeM1UGs,6656
@@ -349,8 +349,8 @@ devsecops_engine_tools/engine_utilities/utils/name_conversion.py,sha256=ADJrRGax
 devsecops_engine_tools/engine_utilities/utils/printers.py,sha256=amYAr9YQfYgR6jK9a2l26z3oovFPQ3FAKmhq6BKhEBA,623
 devsecops_engine_tools/engine_utilities/utils/session_manager.py,sha256=Z0fdhB3r-dxU0nGSD9zW_B4r2Qol1rUnUCkhFR0U-HQ,487
 devsecops_engine_tools/engine_utilities/utils/utils.py,sha256=HCjS900TBoNcHrC4LaiP-Kf9frVdtagF130qOUgnO2M,6757
-devsecops_engine_tools-1.56.5.dist-info/METADATA,sha256=6tSXijWLZwEOWzgLxKsAGfQ2PMaz_z5M4d1M7CB4ZzU,11779
-devsecops_engine_tools-1.56.5.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
-devsecops_engine_tools-1.56.5.dist-info/entry_points.txt,sha256=MHCTFFs9bdNKo6YcWCcBW2_8X6yTisgLOlmVx-V8Rxc,276
-devsecops_engine_tools-1.56.5.dist-info/top_level.txt,sha256=ge6y0X_xBAU1aG3EMWFtl9djbVyg5BxuSp2r2Lg6EQU,23
-devsecops_engine_tools-1.56.5.dist-info/RECORD,,
+devsecops_engine_tools-1.58.0.dist-info/METADATA,sha256=OIufybH_vyGaVr0a4k3V7fhev7UYUgEBQ8dQdZtLepM,11809
+devsecops_engine_tools-1.58.0.dist-info/WHEEL,sha256=R0nc6qTxuoLk7ShA2_Y-UWkN8ZdfDBG2B6Eqpz2WXbs,91
+devsecops_engine_tools-1.58.0.dist-info/entry_points.txt,sha256=MHCTFFs9bdNKo6YcWCcBW2_8X6yTisgLOlmVx-V8Rxc,276
+devsecops_engine_tools-1.58.0.dist-info/top_level.txt,sha256=ge6y0X_xBAU1aG3EMWFtl9djbVyg5BxuSp2r2Lg6EQU,23
+devsecops_engine_tools-1.58.0.dist-info/RECORD,,

{devsecops_engine_tools-1.56.5.dist-info → devsecops_engine_tools-1.58.0.dist-info}/WHEEL RENAMED Viewed

File without changes

{devsecops_engine_tools-1.56.5.dist-info → devsecops_engine_tools-1.58.0.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{devsecops_engine_tools-1.56.5.dist-info → devsecops_engine_tools-1.58.0.dist-info}/top_level.txt RENAMED Viewed

File without changes

devsecops-engine-tools 1.56.5__py3-none-any.whl → 1.58.0__py3-none-any.whl

Potentially problematic release.

devsecops-engine-tools 1.56.5py3-none-any.whl → 1.58.0py3-none-any.whl