devsecops-engine-tools 1.59.0__py3-none-any.whl → 1.60.1__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- devsecops_engine_tools/engine_core/src/applications/runner_engine_core.py +15 -0
- devsecops_engine_tools/engine_core/src/domain/usecases/handle_risk.py +6 -3
- devsecops_engine_tools/engine_core/src/domain/usecases/handle_scan.py +8 -0
- devsecops_engine_tools/engine_core/src/infrastructure/entry_points/entry_point_core.py +4 -1
- devsecops_engine_tools/engine_dast/src/applications/runner_dast_scan.py +2 -2
- devsecops_engine_tools/engine_dast/src/domain/usecases/dast_scan.py +4 -2
- devsecops_engine_tools/engine_dast/src/infrastructure/entry_points/entry_point_dast.py +2 -1
- devsecops_engine_tools/engine_risk/src/applications/runner_engine_risk.py +2 -0
- devsecops_engine_tools/engine_risk/src/domain/usecases/get_exclusions.py +4 -2
- devsecops_engine_tools/engine_risk/src/infrastructure/entry_points/entry_point_risk.py +4 -2
- devsecops_engine_tools/engine_sast/engine_code/src/applications/runner_engine_code.py +2 -1
- devsecops_engine_tools/engine_sast/engine_code/src/domain/usecases/code_scan.py +4 -2
- devsecops_engine_tools/engine_sast/engine_code/src/infrastructure/entry_points/entry_point_tool.py +2 -2
- devsecops_engine_tools/engine_sast/engine_iac/src/applications/runner_iac_scan.py +2 -1
- devsecops_engine_tools/engine_sast/engine_iac/src/domain/model/context_iac.py +2 -1
- devsecops_engine_tools/engine_sast/engine_iac/src/domain/model/gateways/tool_gateway.py +4 -5
- devsecops_engine_tools/engine_sast/engine_iac/src/domain/usecases/iac_scan.py +18 -15
- devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_deserealizator.py +11 -8
- devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_tool.py +230 -206
- devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kics/kics_tool.py +123 -85
- devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kubescape/kubescape_tool.py +80 -65
- devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/entry_points/entry_point_tool.py +2 -2
- devsecops_engine_tools/engine_sast/engine_secret/src/applications/runner_secret_scan.py +2 -1
- devsecops_engine_tools/engine_sast/engine_secret/src/domain/usecases/secret_scan.py +3 -1
- devsecops_engine_tools/engine_sast/engine_secret/src/domain/usecases/set_input_core.py +3 -1
- devsecops_engine_tools/engine_sast/engine_secret/src/infrastructure/entry_points/entry_point_tool.py +4 -4
- devsecops_engine_tools/engine_sca/engine_container/src/applications/runner_container_scan.py +2 -1
- devsecops_engine_tools/engine_sca/engine_container/src/domain/model/context_container.py +2 -1
- devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/deserealizator_gateway.py +7 -2
- devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py +53 -52
- devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_deserialize_output.py +3 -3
- devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/trivy_deserialize_output.py +50 -31
- devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/entry_points/entry_point_tool.py +12 -7
- devsecops_engine_tools/engine_sca/engine_dependencies/src/applications/runner_dependencies_scan.py +2 -1
- devsecops_engine_tools/engine_sca/engine_dependencies/src/infrastructure/entry_points/entry_point_tool.py +3 -2
- devsecops_engine_tools/version.py +1 -1
- {devsecops_engine_tools-1.59.0.dist-info → devsecops_engine_tools-1.60.1.dist-info}/METADATA +7 -7
- {devsecops_engine_tools-1.59.0.dist-info → devsecops_engine_tools-1.60.1.dist-info}/RECORD +41 -41
- {devsecops_engine_tools-1.59.0.dist-info → devsecops_engine_tools-1.60.1.dist-info}/WHEEL +0 -0
- {devsecops_engine_tools-1.59.0.dist-info → devsecops_engine_tools-1.60.1.dist-info}/entry_points.txt +0 -0
- {devsecops_engine_tools-1.59.0.dist-info → devsecops_engine_tools-1.60.1.dist-info}/top_level.txt +0 -0
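--- a/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kics/kics_tool.py
+++ b/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kics/kics_tool.py
@@ -7,7 +7,7 @@ from devsecops_engine_tools.engine_sast.engine_iac.src.domain.model.gateways.too
     ToolGateway,
 )
 from devsecops_engine_tools.engine_sast.engine_iac.src.infrastructure.driven_adapters.kics.kics_deserealizator import (
-    KicsDeserealizator
+    KicsDeserealizator,
 )
 from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
 from devsecops_engine_tools.engine_utilities import settings
@@ -35,10 +35,90 @@ class KicsTool(ToolGateway):
         "googledeploymentmanager": "GoogleDeploymentManager",
         "knative": "Knative",
         "pulumi": "Pulumi",
-        "serverlessfw": "ServerlessFW"
+        "serverlessfw": "ServerlessFW",
     }
 
-    def
+    def run_tool(
+        self, config_tool, folders_to_scan, work_folder, platform_to_scan, **kwargs
+    ):
+        kics_version = config_tool[self.TOOL_KICS]["CLI_VERSION"]
+        path_kics = config_tool[self.TOOL_KICS]["PATH_KICS"]
+        download_kics_assets = config_tool[self.TOOL_KICS]["DOWNLOAD_KICS_ASSETS"]
+
+        os_platform = platform.system()
+        path_kics = (
+            path_kics.replace("/", "\\") if os_platform == "Windows" else path_kics
+        )
+        work_folder = (
+            work_folder.replace("/", "\\") if os_platform == "Windows" else work_folder
+        )
+
+        command_prefix = (
+            f"{work_folder}\\{path_kics}.exe"
+            if os_platform == "Windows"
+            else f"{work_folder}/{path_kics}"
+        )
+
+        if not self._validate_kics(command_prefix):
+            logger.info("KICS binary not found or invalid, downloading assets...")
+
+        if download_kics_assets:
+            self._get_assets(kics_version, work_folder)
+
+        queries = self._get_queries(config_tool, platform_to_scan)
+        self._execute_kics(
+            folders_to_scan,
+            command_prefix,
+            platform_to_scan,
+            work_folder,
+            os_platform,
+            queries,
+        )
+        data = self._load_results(work_folder, queries)
+
+        if data:
+            kics_deserealizator = KicsDeserealizator()
+            total_vulnerabilities = kics_deserealizator.calculate_total_vulnerabilities(
+                data
+            )
+            path_file = os.path.join(work_folder, "results.json")
+
+            if total_vulnerabilities == 0:
+                return [], path_file
+
+            filtered_results = kics_deserealizator.get_findings(data)
+            finding_list = kics_deserealizator.get_list_finding(filtered_results)
+
+            return finding_list, path_file
+        return [], None
+
+    def get_iac_context_from_results(self, path_file_results):
+        # TODO: Implement this method
+        pass
+
+    def _validate_kics(self, command_prefix):
+        try:
+            result = subprocess.run(
+                [command_prefix, "version"], capture_output=True, text=True
+            )
+            if result.returncode == 0:
+                return True
+            else:
+                logger.error(f"KICS binary not valid: {result.stderr}")
+                return False
+        except Exception as e:
+            logger.error(f"Error validating KICS binary: {e}")
+
+    def _get_assets(self, kics_version, work_folder):
+        name_zip = "assets_compressed.zip"
+        assets_url = f"https://github.com/Checkmarx/kics/releases/download/v{kics_version}/extracted-info.zip"
+        self._download(name_zip, assets_url)
+
+        directory_assets = f"{work_folder}/kics-devsecops"
+        utils = Utils()
+        utils.unzip_file(name_zip, directory_assets)
+
+    def _download(self, file, url):
         try:
             response = requests.get(url)
             with open(file, "wb") as f:
@@ -46,14 +126,39 @@ class KicsTool(ToolGateway):
         except Exception as ex:
             logger.error(f"An error ocurred downloading {file} {ex}")
 
-    def
-
-
+    def _get_queries(self, config_tool, platform_to_scan):
+        try:
+            queries = []
+            for platform in platform_to_scan:
+                platform = platform.strip().upper()
+                if f"RULES_{platform}" not in config_tool[self.TOOL_KICS]["RULES"]:
+                    logger.error(f"Platform {platform} not found in RULES")
+                queries = [
+                    {key: value["checkID"]}
+                    for key, value in config_tool[self.TOOL_KICS]["RULES"][
+                        f"RULES_{platform}"
+                    ].items()
+                ]
+            return queries
+        except Exception as e:
+            logger.error(f"Error writing queries file: {e}")
+
+    def _execute_kics(
+        self,
+        folders_to_scan,
+        prefix,
+        platform_to_scan,
+        work_folder,
+        os_platform,
+        queries,
+    ):
+        folders = ",".join(folders_to_scan)
+        queries = ",".join([list(query.values())[0] for query in queries])
         mapped_platforms = [
             self.scan_type_platform_mapping.get(platform.lower(), platform)
             for platform in platform_to_scan
         ]
-        platforms =
+        platforms = ",".join(mapped_platforms)
 
         command = [
             prefix,
@@ -65,19 +170,22 @@ class KicsTool(ToolGateway):
             "--include-queries",
             queries,
             "-q",
-
-
+            (
+                f"{work_folder}\\kics-devsecops\\assets\\queries"
+                if os_platform == "Windows"
+                else f"{work_folder}/kics-devsecops/assets/queries"
+            ),
             "--report-formats",
             "json",
             "-o",
-            work_folder
+            work_folder,
         ]
         try:
             subprocess.run(command, capture_output=True)
         except subprocess.CalledProcessError as e:
             logger.error(f"Error during KICS execution: {e}")
 
-    def
+    def _load_results(self, work_folder, queries):
         try:
             results_path = os.path.join(work_folder, "results.json")
             with open(results_path, "r") as f:
@@ -87,7 +195,10 @@ class KicsTool(ToolGateway):
                 query_ids = {list(query.values())[0] for query in queries}
                 if finding.get("query_id") in query_ids:
                     finding["custom_vuln_id"] = next(
-                        key
+                        key
+                        for query in queries
+                        for key, value in query.items()
+                        if value == finding.get("query_id")
                     )
 
             with open(results_path, "w") as f:
@@ -97,76 +208,3 @@ class KicsTool(ToolGateway):
         except Exception as ex:
             logger.error(f"An error occurred loading or modifying KICS results {ex}")
             return None
-
-    def get_assets(self, kics_version, work_folder):
-        name_zip = "assets_compressed.zip"
-        assets_url = f"https://github.com/Checkmarx/kics/releases/download/v{kics_version}/extracted-info.zip"
-        self.download(name_zip, assets_url)
-
-        directory_assets = f"{work_folder}/kics-devsecops"
-        utils = Utils()
-        utils.unzip_file(name_zip, directory_assets)
-
-    def validate_kics(self, command_prefix):
-        try:
-            result = subprocess.run([command_prefix, "version"], capture_output=True, text=True)
-            if result.returncode == 0:
-                return True
-            else:
-                logger.error(f"KICS binary not valid: {result.stderr}")
-                return False
-        except Exception as e:
-            logger.error(f"Error validating KICS binary: {e}")
-
-    def get_queries(self, config_tool, platform_to_scan):
-        try:
-            queries = []
-            for platform in platform_to_scan:
-                platform = platform.strip().upper()
-                if f"RULES_{platform}" not in config_tool[self.TOOL_KICS]["RULES"]:
-                    logger.error(f"Platform {platform} not found in RULES")
-                queries = [{key: value["checkID"]} for key, value in config_tool[self.TOOL_KICS]["RULES"][f"RULES_{platform}"].items()]
-            return queries
-        except Exception as e:
-            logger.error(f"Error writing queries file: {e}")
-
-    def run_tool(
-        self, config_tool, folders_to_scan, work_folder, platform_to_scan, **kwargs
-    ):
-        kics_version = config_tool[self.TOOL_KICS]["CLI_VERSION"]
-        path_kics = config_tool[self.TOOL_KICS]["PATH_KICS"]
-        download_kics_assets = config_tool[self.TOOL_KICS]["DOWNLOAD_KICS_ASSETS"]
-
-        os_platform = platform.system()
-        path_kics = path_kics.replace("/", "\\") if os_platform == "Windows" else path_kics
-        work_folder = work_folder.replace("/", "\\") if os_platform == "Windows" else work_folder
-
-        command_prefix = f"{work_folder}\\{path_kics}.exe" if os_platform == "Windows" else f"{work_folder}/{path_kics}"
-
-        if not self.validate_kics(command_prefix):
-            logger.info("KICS binary not found or invalid, downloading assets...")
-
-        if download_kics_assets:
-            self.get_assets(kics_version, work_folder)
-
-        queries = self.get_queries(config_tool, platform_to_scan)
-        self.execute_kics(folders_to_scan, command_prefix, platform_to_scan, work_folder, os_platform, queries)
-        data = self.load_results(work_folder, queries)
-
-        if data:
-            kics_deserealizator = KicsDeserealizator()
-            total_vulnerabilities = kics_deserealizator.calculate_total_vulnerabilities(data)
-            path_file = os.path.join(work_folder, "results.json")
-
-            if total_vulnerabilities == 0:
-                return [], path_file
-
-            filtered_results = kics_deserealizator.get_findings(data)
-            finding_list = kics_deserealizator.get_list_finding(filtered_results)
-
-            return finding_list, path_file
-        return [], None
-
-    def get_iac_context_from_results(self, path_file_results):
-        #TODO: Implement this method
-        pass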
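--- a/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kubescape/kubescape_tool.py
+++ b/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/kubescape/kubescape_tool.py
@@ -18,15 +18,61 @@ logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
 
 class KubescapeTool(ToolGateway):
 
-    def
-
-
-
-
-
-
+    def run_tool(self, config_tool, folders_to_scan, platform_to_scan, **kwargs):
+
+        if folders_to_scan and "k8s" in platform_to_scan:
+
+            kubescape_version = config_tool["KUBESCAPE"]["VERSION"]
+            os_platform = platform.system()
+            base_url = f"https://github.com/kubescape/kubescape/releases/download/v{kubescape_version}/"
+            command_prefix = self._select_operative_system(os_platform, base_url)
+            self._execute_kubescape(folders_to_scan, command_prefix)
+
+            json_name = "results_kubescape.json"
+            data = self._load_json(json_name)
+
+            if not data:
+                return [], None
+            else:
+                kubescape_deserealizator = KubescapeDeserealizator()
+                result_extracted_data = (
+                    kubescape_deserealizator.extract_failed_controls(data)
+                )
+                finding_list = kubescape_deserealizator.get_list_finding(
+                    result_extracted_data
+                )
+                path_results = os.path.abspath(json_name)
+                return finding_list, path_results
+        else:
+            return [], None
+
+    def get_iac_context_from_results(self, path_file_results):
+        # TODO: Implement this method
+        pass
 
-    def
+    def _select_operative_system(self, os_platform, base_url):
+        if os_platform == "Linux":
+            distro_name = distro.name()
+            if distro_name == "Ubuntu":
+                file = "kubescape-ubuntu-latest"
+                self._install_tool(file, base_url + file)
+                return f"./{file}"
+            else:
+                logger.warning(f"{distro_name} is not supported.")
+                return None
+        elif os_platform == "Windows":
+            file = "kubescape-windows-latest.exe"
+            self._install_tool_windows(file, base_url + file)
+            return f"./{file}"
+        elif os_platform == "Darwin":
+            file = "kubescape-macos-latest"
+            self._install_tool(file, base_url + file)
+            return f"./{file}"
+        else:
+            logger.warning(f"{os_platform} is not supported.")
+            return [], None
+
+    def _install_tool(self, file, url):
         installed = subprocess.run(
             ["which", f"./{file}"],
             stdout=subprocess.PIPE,
@@ -34,13 +80,13 @@ class KubescapeTool(ToolGateway):
         )
         if installed.returncode == 1:
             try:
-                self.
+                self._download_tool(file, url)
                 subprocess.run(["chmod", "+x", f"./{file}"])
 
             except Exception as e:
                 logger.error(f"Error installing Kubescape: {e}")
 
-    def
+    def _install_tool_windows(self, file, url):
         try:
             subprocess.run(
                 [f"./{file}", "version"],
@@ -49,20 +95,39 @@ class KubescapeTool(ToolGateway):
             )
         except:
             try:
-                self.
+                self._download_tool(file, url)
 
             except Exception as e:
                 logger.error(f"Error installing Kubescape: {e}")
 
-    def
-
-
+    def _download_tool(self, file, url):
+        try:
+            response = requests.get(url, allow_redirects=True)
+            with open(file, "wb") as binary_file:
+                binary_file.write(response.content)
+        except Exception as e:
+            logger.error(f"Error downloading Kubescape: {e}")
+
+    def _execute_kubescape(self, folders_to_scan, prefix):
+        command = (
+            [prefix, "scan"]
+            + folders_to_scan
+            + [
+                "--format",
+                "json",
+                "--format-version",
+                "v2",
+                "--output",
+                "results_kubescape.json",
+                "-v",
+            ]
+        )
         try:
             subprocess.run(command, capture_output=True)
         except subprocess.CalledProcessError as e:
             logger.error(f"Error during Kubescape execution: {e}")
 
-    def
+    def _load_json(self, json_name):
         try:
             with open(json_name) as file:
                 return json.load(file)
@@ -71,53 +136,3 @@ class KubescapeTool(ToolGateway):
         except json.JSONDecodeError:
             logger.error("The JSON result is empty.")
             return None
-
-    def select_operative_system(self, os_platform, base_url):
-        if os_platform == "Linux":
-            distro_name = distro.name()
-            if distro_name == "Ubuntu":
-                file = "kubescape-ubuntu-latest"
-                self.install_tool(file, base_url + file)
-                return f"./{file}"
-            else:
-                logger.warning(f"{distro_name} is not supported.")
-                return None
-        elif os_platform == "Windows":
-            file = "kubescape-windows-latest.exe"
-            self.install_tool_windows(file, base_url + file)
-            return f"./{file}"
-        elif os_platform == "Darwin":
-            file = "kubescape-macos-latest"
-            self.install_tool(file, base_url + file)
-            return f"./{file}"
-        else:
-            logger.warning(f"{os_platform} is not supported.")
-            return [], None
-
-    def run_tool(self, config_tool, folders_to_scan, platform_to_scan, **kwargs):
-
-        if folders_to_scan and "k8s" in platform_to_scan:
-
-            kubescape_version = config_tool["KUBESCAPE"]["VERSION"]
-            os_platform = platform.system()
-            base_url = f"https://github.com/kubescape/kubescape/releases/download/v{kubescape_version}/"
-            command_prefix = self.select_operative_system(os_platform, base_url)
-            self.execute_kubescape(folders_to_scan, command_prefix)
-
-            json_name = "results_kubescape.json"
-            data = self.load_json(json_name)
-
-            if not data:
-                return [], None
-            else:
-                kubescape_deserealizator = KubescapeDeserealizator()
-                result_extracted_data = kubescape_deserealizator.extract_failed_controls(data)
-                finding_list = kubescape_deserealizator.get_list_finding(result_extracted_data)
-                path_results = os.path.abspath(json_name)
-                return finding_list, path_results
-        else:
-            return [], None
-
-    def get_iac_context_from_results(self, path_file_results):
-        #TODO: Implement this method
-        pass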
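--- a/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/entry_points/entry_point_tool.py
+++ b/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/entry_points/entry_point_tool.py
@@ -2,5 +2,5 @@ from devsecops_engine_tools.engine_sast.engine_iac.src.domain.usecases.iac_scan
     IacScan,
 )
 
-def init_engine_sast_rm(devops_platform_gateway, tool_gateway, dict_args, secret_tool, tool, env):
-    return IacScan(tool_gateway, devops_platform_gateway).process(dict_args, secret_tool, tool, env)
+def init_engine_sast_rm(devops_platform_gateway, remote_config_source_gateway, tool_gateway, dict_args, secret_tool, tool, env):
+    return IacScan(tool_gateway, devops_platform_gateway, remote_config_source_gateway).process(dict_args, secret_tool, tool, env)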
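Review bot: `init_engine_sast_rm` inserts `remote_config_source_gateway` positionally between `devops_platform_gateway` and `tool_gateway`, so a caller not yet updated that still passes six positionals gets its `tool_gateway` silently shifted into the new slot instead of a clear error; the same mid-signature insertion appears in `engine_secret_scan` (engine_secret entry_point_tool.py) and `runner_secret_scan`. Passing the gateways by keyword at every call site, as the `runner_secret_scan` hunk already does, makes the argument order irrelevant and turns a mismatch into a TypeError at the boundary. A one-line docstring naming what `remote_config_source_gateway` supplies would also help, since it is typed the same as `devops_platform_gateway` elsewhere in this diff and the distinction is otherwise invisible here.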
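--- a/devsecops_engine_tools/engine_sast/engine_secret/src/applications/runner_secret_scan.py
+++ b/devsecops_engine_tools/engine_sast/engine_secret/src/applications/runner_secret_scan.py
@@ -17,7 +17,7 @@ from devsecops_engine_tools.engine_utilities.git_cli.infrastructure.git_run impo
     GitRun
 )
 
-def runner_secret_scan(dict_args, tool, devops_platform_gateway, secret_tool):
+def runner_secret_scan(dict_args, tool, devops_platform_gateway, remote_config_source_gateway, secret_tool):
     try:
         tool_deserealizator = None
         tool_gateway = None
@@ -31,6 +31,7 @@ def runner_secret_scan(dict_args, tool, devops_platform_gateway, secret_tool):
 
         return engine_secret_scan(
             devops_platform_gateway = devops_platform_gateway,
+            remote_config_source_gateway=remote_config_source_gateway,
             tool_gateway = tool_gateway,
             dict_args = dict_args,
             tool=tool,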
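Review bot: The added keyword argument `remote_config_source_gateway=remote_config_source_gateway` follows PEP 8 (no spaces around `=`) while the neighbouring `devops_platform_gateway = devops_platform_gateway` and `tool_gateway = tool_gateway` do not, so the call now mixes both spellings; normalising the surrounding lines in the same hunk keeps the call site consistent. The enclosing `try:` of `runner_secret_scan` continues past the end of the hunk.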
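--- a/devsecops_engine_tools/engine_sast/engine_secret/src/domain/usecases/secret_scan.py
+++ b/devsecops_engine_tools/engine_sast/engine_secret/src/domain/usecases/secret_scan.py
@@ -18,11 +18,13 @@ class SecretScan:
         self,
         tool_gateway: ToolGateway,
         devops_platform_gateway: DevopsPlatformGateway,
+        remote_config_source_gateway: DevopsPlatformGateway,
         tool_deserialize: DeseralizatorGateway,
         git_gateway: GitGateway
     ):
         self.tool_gateway = tool_gateway
         self.devops_platform_gateway = devops_platform_gateway
+        self.remote_config_source_gateway = remote_config_source_gateway
         self.tool_deserialize = tool_deserialize
         self.git_gateway = git_gateway
 
@@ -69,7 +71,7 @@ class SecretScan:
 
     def complete_config_tool(self, dict_args, tool):
         tool = str(tool).lower()
-        init_config_tool = self.
+        init_config_tool = self.remote_config_source_gateway.get_remote_config(
             dict_args["remote_config_repo"], "engine_sast/engine_secret/ConfigTool.json", dict_args["remote_config_branch"]
         )
         init_config_tool['SCOPE_PIPELINE'] = self.devops_platform_gateway.get_variable("pipeline_name")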
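--- a/devsecops_engine_tools/engine_sast/engine_secret/src/domain/usecases/set_input_core.py
+++ b/devsecops_engine_tools/engine_sast/engine_secret/src/domain/usecases/set_input_core.py
@@ -10,11 +10,13 @@ class SetInputCore:
     def __init__(
         self,
         tool_remote: DevopsPlatformGateway,
+        remote_config_source_gateway: DevopsPlatformGateway,
         dict_args,
         tool,
         config_tool,
     ):
         self.tool_remote = tool_remote
+        self.remote_config_source_gateway = remote_config_source_gateway
         self.dict_args = dict_args
         self.tool = tool
         self.config_tool = config_tool
@@ -26,7 +28,7 @@ class SetInputCore:
         Returns:
             dict: Remote configuration.
         """
-        return self.
+        return self.remote_config_source_gateway.get_remote_config(
             self.dict_args["remote_config_repo"], file_path, self.dict_args["remote_config_branch"]
         )
 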
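--- a/devsecops_engine_tools/engine_sast/engine_secret/src/infrastructure/entry_points/entry_point_tool.py
+++ b/devsecops_engine_tools/engine_sast/engine_secret/src/infrastructure/entry_points/entry_point_tool.py
@@ -4,13 +4,13 @@ from devsecops_engine_tools.engine_sast.engine_secret.src.domain.usecases.set_in
     SetInputCore,
 )
 
-def engine_secret_scan(devops_platform_gateway, tool_gateway, dict_args, tool, tool_deserealizator, git_gateway, secret_tool):
-    exclusions =
+def engine_secret_scan(devops_platform_gateway, remote_config_source_gateway, tool_gateway, dict_args, tool, tool_deserealizator, git_gateway, secret_tool):
+    exclusions = remote_config_source_gateway.get_remote_config(
         dict_args["remote_config_repo"], "engine_sast/engine_secret/Exclusions.json", dict_args["remote_config_branch"]
     )
-    secret_scan = SecretScan(tool_gateway, devops_platform_gateway, tool_deserealizator, git_gateway)
+    secret_scan = SecretScan(tool_gateway, devops_platform_gateway, remote_config_source_gateway, tool_deserealizator, git_gateway)
     config_tool, skip_tool_isp = secret_scan.complete_config_tool(dict_args, tool)
     skip_tool = secret_scan.skip_from_exclusion(exclusions, skip_tool_isp)
     finding_list, file_path_findings = secret_scan.process(skip_tool, config_tool, secret_tool, dict_args, tool)
-    input_core = SetInputCore(devops_platform_gateway, dict_args, tool, config_tool)
+    input_core = SetInputCore(devops_platform_gateway, remote_config_source_gateway, dict_args, tool, config_tool)
     return finding_list, input_core.set_input_core(file_path_findings)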
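--- a/devsecops_engine_tools/engine_sca/engine_container/src/applications/runner_container_scan.py
+++ b/devsecops_engine_tools/engine_sca/engine_container/src/applications/runner_container_scan.py
@@ -18,7 +18,7 @@ from devsecops_engine_tools.engine_sca.engine_container.src.infrastructure.drive
 )
 
 
-def runner_engine_container(dict_args, tool, secret_tool, tool_remote):
+def runner_engine_container(dict_args, tool, secret_tool, tool_remote, remote_config_source_gateway):
     try:
         if tool.lower() == "trivy":
             tool_run = TrivyScan()
@@ -30,6 +30,7 @@ def runner_engine_container(dict_args, tool, secret_tool, tool_remote):
         return init_engine_sca_rm(
             tool_run,
             tool_remote,
+            remote_config_source_gateway,
             tool_images,
             tool_deseralizator,
             dict_args,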
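--- a/devsecops_engine_tools/engine_sca/engine_container/src/domain/model/context_container.py
+++ b/devsecops_engine_tools/engine_sca/engine_container/src/domain/model/context_container.py
@@ -1,6 +1,7 @@
 from dataclasses import dataclass
 from typing import List, Optional
 
+
 @dataclass
 class ContextContainer:
     cve_id: str
@@ -20,4 +21,4 @@ class ContextContainer:
     published_date: Optional[str]
     last_modified_date: Optional[str]
     references: Optional[List[str]]
-    source_tool: str
+    source_tool: str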
@@ -1,6 +1,8 @@
|
|
|
1
1
|
from abc import ABCMeta, abstractmethod
|
|
2
2
|
from devsecops_engine_tools.engine_core.src.domain.model.finding import Finding
|
|
3
|
-
from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.context_container import
|
|
3
|
+
from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.context_container import (
|
|
4
|
+
ContextContainer,
|
|
5
|
+
)
|
|
4
6
|
|
|
5
7
|
|
|
6
8
|
class DeseralizatorGateway(metaclass=ABCMeta):
|
|
@@ -8,5 +10,8 @@ class DeseralizatorGateway(metaclass=ABCMeta):
|
|
|
8
10
|
def get_list_findings(self, results_scan_list: list) -> "list[Finding]":
|
|
9
11
|
"Deseralizator"
|
|
10
12
|
|
|
11
|
-
|
|
13
|
+
@abstractmethod
|
|
14
|
+
def get_container_context_from_results(
|
|
15
|
+
self, results_scan_list: list
|
|
16
|
+
) -> "list[ContextContainer]":
|
|
12
17
|
"Deseralizator"
|