devsecops-engine-tools 1.7.16__tar.gz → 1.7.18__tar.gz

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: devsecops-engine-tools
-Version: 1.7.16
+Version: 1.7.18
 Summary: Tool for DevSecOps strategy
 Home-page: https://github.com/bancolombia/devsecops-engine-tools
 Author: Bancolombia DevSecOps Team

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/devsecops_engine_tools/engine_core/src/applications/runner_engine_core.py

@@ -28,6 +28,20 @@ from devsecops_engine_tools.version import version
 
 logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
 
+def parse_separated_list(value, choices):
+    values = value.split(',')
+    # Validar cada elemento de la lista
+    for val in values:
+        if val not in choices:
+            raise argparse.ArgumentTypeError(f"Invalid value: {val}. Valid values are: {', '.join(choices)}")
+    
+    return values
+
+def parse_choices(choices):
+    def parse_with_choices(value):
+        return parse_separated_list(value, choices)
+    return parse_with_choices
+
 def get_inputs_from_cli(args):
     parser = argparse.ArgumentParser()
     parser.add_argument("-v", "--version", action='version', version='{version}'.format(version=version))
@@ -49,7 +63,7 @@ def get_inputs_from_cli(args):
     )
     parser.add_argument("-fp", "--folder_path", type=str, required=False, help="Folder Path to scan, only apply engine_iac tool")
     parser.add_argument("-p",
-        "--platform", choices=["eks", "openshift"], type=str, required=False, help="Platform to execute,  only apply engine_iac tool"
+        "--platform", type=parse_choices({"all", "docker", "k8s", "cloudformation"}), required=False, default="all" ,help="Platform to scan, only apply engine_iac tool"
     )
     parser.add_argument(
         "--use_secrets_manager",

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/devsecops_engine_tools/engine_core/src/infrastructure/driven_adapters/defect_dojo/defect_dojo.py

@@ -54,6 +54,7 @@ class DefectDojoPlatform(VulnerabilityManagementGateway):
                 "PRISMA": "Twistlock Image Scan",
                 "XRAY": "JFrog Xray On Demand Binary Scan",
                 "TRUFFLEHOG": "Trufflehog Scan",
+                "TRIVY": "Trivy Scan",
             }
 
             if any(

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/devsecops_engine_tools/engine_sast/engine_iac/src/domain/model/config_tool.py

@@ -6,7 +6,6 @@ class ConfigTool:
         self.version = json_data[tool]["VERSION"]
         self.search_pattern = json_data["SEARCH_PATTERN"]
         self.ignore_search_pattern = json_data["IGNORE_SEARCH_PATTERN"]
-        self.exclusions_path = json_data["EXCLUSIONS_PATH"]
         self.use_external_checks_git = json_data[tool]["USE_EXTERNAL_CHECKS_GIT"]
         self.external_checks_git = json_data[tool]["EXTERNAL_CHECKS_GIT"]
         self.repository_ssh_host = json_data[tool]["EXTERNAL_GIT_SSH_HOST"]

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/devsecops_engine_tools/engine_sast/engine_iac/src/domain/model/gateways/tool_gateway.py

@@ -2,5 +2,5 @@ from abc import ABCMeta, abstractmethod
 
 class ToolGateway(metaclass=ABCMeta):
     @abstractmethod
-    def run_tool(self, config_tool, folders_to_scan, environment, container_platform, secret_tool):
+    def run_tool(self, config_tool, folders_to_scan, environment, platform_to_scan, secret_tool):
         "run_tool"

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/driven_adapters/checkov/checkov_tool.py

@@ -38,6 +38,7 @@ class CheckovTool(ToolGateway):
     CHECKOV_CONFIG_FILE = "checkov_config.yaml"
     TOOL = "CHECKOV"
     framework_mapping = {"RULES_DOCKER": "dockerfile", "RULES_K8S": "kubernetes", "RULES_CLOUDFORMATION": "cloudformation"}
+    framework_external_checks = ["RULES_K8S", "RULES_CLOUDFORMATION","RULES_DOCKER"]
 
 
     def create_config_file(self, checkov_config: CheckovConfig):
@@ -113,58 +114,50 @@ class CheckovTool(ToolGateway):
         output = self.execute(checkov_config)
         result.append(json.loads(output))
         queue.put(result)
-    
-    def if_platform(self,value,container_platform):
-        if value.get("platform_not_apply"):
-            if value.get("platform_not_apply") != container_platform:
-                return True
-            else:
-                return False
-        else:
-            return True
         
     def scan_folders(
-        self, folders_to_scan, config_tool: ConfigTool, agent_env, environment, container_platform
+        self, folders_to_scan, config_tool: ConfigTool, agent_env, environment, platform_to_scan
     ):
         output_queue = queue.Queue()
         # Crea una lista para almacenar los hilos
         threads = []  
         for folder in folders_to_scan:
             for rule in config_tool.rules_data_type:
-                checkov_config = CheckovConfig(
-                    path_config_file="",
-                    config_file_name=rule,
-                    framework=self.framework_mapping[rule],
-                    checks=[
-                        key
-                        for key, value in config_tool.rules_data_type[rule].items()
-                        if value["environment"].get(environment) and self.if_platform(value,container_platform)
-                    ],
-                    soft_fail=False,
-                    directories=folder,
-                    external_checks_git=[
-                        f"{config_tool.external_checks_git}/{self.framework_mapping[rule]}"
-                    ]
-                    if config_tool.use_external_checks_git == "True"
-                    and agent_env is not None
-                    and rule in ["RULES_K8S", "RULES_CLOUDFORMATION","RULES_DOCKER"]
-                    else [],
-                    env=agent_env,
-                    external_checks_dir=f"/tmp/rules/{self.framework_mapping[rule]}"
-                    if config_tool.use_external_checks_dir == "True"
-                    and rule in ["RULES_K8S", "RULES_CLOUDFORMATION","RULES_DOCKER"]
-                    else [],
-                )
-
-                checkov_config.create_config_dict()
-                self.create_config_file(checkov_config)
-                config_tool.rules_all.update(config_tool.rules_data_type[rule])
-                t = threading.Thread(
-                    target=self.async_scan,
-                    args=(output_queue, checkov_config),
-                )
-                t.start()
-                threads.append(t)
+                if "all" in platform_to_scan or any(elem.upper() in rule for elem in platform_to_scan):
+                    checkov_config = CheckovConfig(
+                        path_config_file="",
+                        config_file_name=rule,
+                        framework=self.framework_mapping[rule],
+                        checks=[
+                            key
+                            for key, value in config_tool.rules_data_type[rule].items()
+                            if value["environment"].get(environment)
+                        ],
+                        soft_fail=False,
+                        directories=folder,
+                        external_checks_git=[
+                            f"{config_tool.external_checks_git}/{self.framework_mapping[rule]}"
+                        ]
+                        if config_tool.use_external_checks_git == "True"
+                        and agent_env is not None
+                        and rule in self.framework_external_checks
+                        else [],
+                        env=agent_env,
+                        external_checks_dir=f"/tmp/rules/{self.framework_mapping[rule]}"
+                        if config_tool.use_external_checks_dir == "True"
+                        and rule in self.framework_external_checks
+                        else [],
+                    )
+
+                    checkov_config.create_config_dict()
+                    self.create_config_file(checkov_config)
+                    config_tool.rules_all.update(config_tool.rules_data_type[rule])
+                    t = threading.Thread(
+                        target=self.async_scan,
+                        args=(output_queue, checkov_config),
+                    )
+                    t.start()
+                    threads.append(t)
         # Espera a que todos los hilos terminen
         for t in threads:
             t.join()
@@ -176,12 +169,12 @@ class CheckovTool(ToolGateway):
         return result_scans
 
     def run_tool(
-        self, config_tool: ConfigTool, folders_to_scan, environment, container_platform, secret_tool
+        self, config_tool: ConfigTool, folders_to_scan, environment, platform_to_scan, secret_tool
     ):
         agent_env = self.configurate_external_checks(config_tool, secret_tool)
 
         result_scans = self.scan_folders(
-            folders_to_scan, config_tool, agent_env, environment, container_platform
+            folders_to_scan, config_tool, agent_env, environment, platform_to_scan
         )
 
         checkov_deserealizator = CheckovDeserealizator()

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/devsecops_engine_tools/engine_sast/engine_iac/src/infrastructure/helpers/file_generator_tool.py

@@ -35,27 +35,27 @@ def generate_file_from_tool(tool, result_list, rules_doc):
                         "checkov_version", None
                     )
 
-            file_name = "results.json"
-            results_data = {
-                "check_type": "Dockerfile, Kubernetes and CloudFormation",
-                "results": {
-                    "failed_checks": all_failed_checks,
-                },
-                "summary": {
-                    "passed": summary_passed,
-                    "failed": summary_failed,
-                    "skipped": summary_skipped,
-                    "parsing_errors": summary_parsing_errors,
-                    "resource_count": summary_resource_count,
-                    "checkov_version": checkov_version,
-                },
-            }
+                file_name = "results.json"
+                results_data = {
+                    "check_type": "Dockerfile, Kubernetes and CloudFormation",
+                    "results": {
+                        "failed_checks": all_failed_checks,
+                    },
+                    "summary": {
+                        "passed": summary_passed,
+                        "failed": summary_failed,
+                        "skipped": summary_skipped,
+                        "parsing_errors": summary_parsing_errors,
+                        "resource_count": summary_resource_count,
+                        "checkov_version": checkov_version,
+                    },
+                }
 
-            with open(file_name, "w") as json_file:
-                json.dump(results_data, json_file, indent=4)
+                with open(file_name, "w") as json_file:
+                    json.dump(results_data, json_file, indent=4)
 
-            absolute_path = os.path.abspath(file_name)
-            return absolute_path
+                absolute_path = os.path.abspath(file_name)
+                return absolute_path
         except Exception as ex:
             logger.error(f"Error during handling checkov json integrator {ex}")
 

devsecops_engine_tools-1.7.18/devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py

@@ -0,0 +1,90 @@
+from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.gateways.tool_gateway import (
+    ToolGateway,
+)
+from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.gateways.images_gateway import (
+    ImagesGateway,
+)
+from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.gateways.deserealizator_gateway import (
+    DeseralizatorGateway,
+)
+
+import os
+
+
+class ContainerScaScan:
+    def __init__(
+        self,
+        tool_run: ToolGateway,
+        remote_config,
+        tool_images: ImagesGateway,
+        tool_deseralizator: DeseralizatorGateway,
+        build_id,
+        token,
+    ):
+        self.tool_run = tool_run
+        self.remote_config = remote_config
+        self.tool_images = tool_images
+        self.tool_deseralizator = tool_deseralizator
+        self.build_id = build_id
+        self.token = token
+
+    def get_latest_image(self):
+        """
+        Process the list of images.
+
+        Returns:
+            list: List of processed images.
+        """
+        return self.tool_images.list_images()
+
+    def get_images_already_scanned(self):
+        """
+        Create images scanned file if it does not exist and get the images that have already been scanned.
+        """
+        scanned_images_file = os.path.join(os.getcwd(), "scanned_images.txt")
+        if not os.path.exists(scanned_images_file):
+            open(scanned_images_file, "w").close()
+        with open(scanned_images_file, "r") as file:
+            images_scanned = file.read().splitlines()
+        return images_scanned
+
+    def set_image_scanned(self, result_file):
+        """
+        Write in scanned_images.txt the result file
+        """
+        with open("scanned_images.txt", "a") as file:
+            file.write(result_file + "\n")
+
+    def process(self):
+        """
+        Process SCA scanning.
+
+        Returns:
+            string: file scanning results name.
+        """
+        latest_image = self.get_latest_image()
+        image_name = latest_image.tags[0]
+        image_scanned = None
+        if str(self.build_id) in image_name:
+            result_file = image_name + "_scan_result.json"
+            if result_file in self.get_images_already_scanned():
+                print(f"The image {image_name} has already been scanned previously.")
+                return image_scanned
+            image_scanned = self.tool_run.run_tool_container_sca(
+                self.remote_config, self.token, image_name, result_file
+            )
+            self.set_image_scanned(result_file)
+        else:
+            print(
+                f"'{image_name}' name does not contain build number '{self.build_id}'. Tool skipped."
+            )
+        return image_scanned
+
+    def deseralizator(self, image_scanned):
+        """
+        Process the results deserializer.
+
+        Returns:
+            list: Deserialized list of findings.
+        """
+        return self.tool_deseralizator.get_list_findings(image_scanned)

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/set_input_core.py

@@ -31,7 +31,7 @@ class SetInputCore:
         ]
         return list_exclusions
 
-    def set_input_core(self, images_scanned):
+    def set_input_core(self, image_scanned):
         """
         Set the input core.
 
@@ -45,7 +45,7 @@ class SetInputCore:
                 self.tool,
             ),
             Threshold(self.remote_config["THRESHOLD"]),
-            images_scanned[-1] if images_scanned else None,
+            image_scanned,
             self.remote_config["MESSAGE_INFO_ENGINE_CONTAINER"],
             self.pipeline_name,
             self.stage.capitalize(),

{devsecops_engine_tools-1.7.16 → devsecops_engine_tools-1.7.18}/devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/docker_images.py

@@ -4,6 +4,11 @@ from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.gateway
 )
 import docker
 
+from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
+from devsecops_engine_tools.engine_utilities import settings
+
+logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
+
 
 class DockerImages(ImagesGateway):
     def list_images(self):
@@ -18,5 +23,7 @@ class DockerImages(ImagesGateway):
             print("Tag last image:", latest_image.tags)
             print("Created date last image:", latest_image.attrs["Created"])
             return latest_image
-        except subprocess.CalledProcessError as e:
-            raise ValueError(f"Error listing images:{e.stderr}")
+        except Exception as e:
+            logger.error(
+                f"Error listing images, docker must be running and added to PATH: {e}"
+            )

devsecops_engine_tools-1.7.18/devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_cloud_manager_scan.py

@@ -0,0 +1,100 @@
+import stat
+import requests
+import os
+import subprocess
+import logging
+import base64
+from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.gateways.tool_gateway import (
+    ToolGateway,
+)
+from devsecops_engine_tools.engine_utilities.utils.logger_info import MyLogger
+from devsecops_engine_tools.engine_utilities import settings
+
+logger = MyLogger.__call__(**settings.SETTING_LOGGER).get_logger()
+
+
+class PrismaCloudManagerScan(ToolGateway):
+    def download_twistcli(
+        self,
+        file_path,
+        prisma_access_key,
+        prisma_secret_key,
+        prisma_console_url,
+        prisma_api_version,
+    ):
+        url = f"{prisma_console_url}/api/{prisma_api_version}/util/twistcli"
+        credentials = base64.b64encode(
+            f"{prisma_access_key}:{prisma_secret_key}".encode()
+        ).decode()
+        headers = {"Authorization": f"Basic {credentials}"}
+        try:
+            response = requests.get(url, headers=headers)
+            response.raise_for_status()
+
+            with open(file_path, "wb") as file:
+                file.write(response.content)
+
+            os.chmod(file_path, stat.S_IRWXU)
+            logging.info(f"twistcli downloaded and saved to: {file_path}")
+            return 0
+
+        except Exception as e:
+            raise ValueError(f"Error downloading twistcli: {e}")
+
+    def scan_image(
+        self, file_path, image_name, result_file, remoteconfig, prisma_secret_key
+    ):
+        command = (
+            file_path,
+            "images",
+            "scan",
+            "--address",
+            remoteconfig["PRISMA_CLOUD"]["PRISMA_CONSOLE_URL"],
+            "--user",
+            remoteconfig["PRISMA_CLOUD"]["PRISMA_ACCESS_KEY"],
+            "--password",
+            prisma_secret_key,
+            "--output-file",
+            result_file,
+            "--details",
+            image_name,
+        )
+        try:
+            subprocess.run(
+                command,
+                check=True,
+                stdout=subprocess.PIPE,
+                stderr=subprocess.PIPE,
+                text=True,
+            )
+            print(f"The image {image_name} was scanned")
+
+            return result_file
+
+        except subprocess.CalledProcessError as e:
+            logger.error(f"Error during image scan of {image_name}: {e.stderr}")
+
+    def run_tool_container_sca(
+        self, remoteconfig, prisma_secret_key, image_name, result_file
+    ):
+        file_path = os.path.join(
+            os.getcwd(), remoteconfig["PRISMA_CLOUD"]["TWISTCLI_PATH"]
+        )
+
+        if not os.path.exists(file_path):
+            self.download_twistcli(
+                file_path,
+                remoteconfig["PRISMA_CLOUD"]["PRISMA_ACCESS_KEY"],
+                prisma_secret_key,
+                remoteconfig["PRISMA_CLOUD"]["PRISMA_CONSOLE_URL"],
+                remoteconfig["PRISMA_CLOUD"]["PRISMA_API_VERSION"],
+            )
+        image_scanned = self.scan_image(
+            file_path,
+            image_name,
+            result_file,
+            remoteconfig,
+            prisma_secret_key,
+        )
+
+        return image_scanned

devsecops_engine_tools-1.7.18/devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_deserialize_output.py

@@ -0,0 +1,64 @@
+from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.gateways.deserealizator_gateway import (
+    DeseralizatorGateway,
+)
+from devsecops_engine_tools.engine_core.src.domain.model.finding import (
+    Finding,
+    Category,
+)
+from datetime import datetime
+from dataclasses import dataclass
+import json
+
+
+@dataclass
+class PrismaDeserealizator(DeseralizatorGateway):
+    def get_list_findings(self, image_scanned) -> "list[Finding]":
+        list_open_vulnerabilities = []
+        SEVERITY_MAP = {
+            "unimportant": "low",
+            "unassigned": "low",
+            "negligible": "low",
+            "not yet assigned": "low",
+            "low": "low",
+            "medium": "medium",
+            "moderate": "medium",
+            "high": "high",
+            "important": "high",
+            "critical": "critical",
+        }
+        with open(image_scanned, "rb") as file:
+            image_object = file.read()
+
+            json_data = json.loads(image_object)
+            vulnerabilities_data = (
+                json_data["results"][0]["vulnerabilities"]
+                if "vulnerabilities" in json_data["results"][0]
+                else []
+            )
+
+            # Create a list of findings instances from the JSON data
+            vulnerabilities = [
+                Finding(
+                    id=vul.get("id", ""),
+                    cvss=float(vul.get("cvss", 0.0)),
+                    where=vul.get("packageName", "")
+                    + ":"
+                    + vul.get("packageVersion", ""),
+                    description=vul.get("description", "")[:150],
+                    severity=SEVERITY_MAP.get(vul.get("severity", ""), ""),
+                    identification_date=datetime.strptime(
+                        vul.get("discoveredDate", ""), "%Y-%m-%dT%H:%M:%S%z"
+                    ),
+                    published_date_cve=vul.get("publishedDate", "").replace("Z", "+00:00"),
+                    module="engine_container",
+                    category=Category.VULNERABILITY,
+                    requirements=vul.get("status", ""),
+                    tool="PrismaCloud",
+                )
+                for vul in vulnerabilities_data
+            ]
+
+            # Add the Vulnerability instances to the list
+            list_open_vulnerabilities.extend(vulnerabilities)
+
+        return list_open_vulnerabilities

devsecops_engine_tools-1.7.18/devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/trivy_deserialize_output.py

@@ -0,0 +1,63 @@
+from devsecops_engine_tools.engine_sca.engine_container.src.domain.model.gateways.deserealizator_gateway import (
+    DeseralizatorGateway,
+)
+from devsecops_engine_tools.engine_core.src.domain.model.finding import (
+    Finding,
+    Category,
+)
+from dataclasses import dataclass
+import json
+from datetime import datetime, timezone
+
+
+@dataclass
+class TrivyDeserializator(DeseralizatorGateway):
+    def check_date_format(self, vul):
+        try:
+            published_date_cve=datetime.strptime(
+                vul.get("PublishedDate"),
+                "%Y-%m-%dT%H:%M:%S.%fZ"
+            ).replace(tzinfo=timezone.utc).isoformat()
+        except:
+            published_date_cve=datetime.strptime(
+                vul.get("PublishedDate"),
+                "%Y-%m-%dT%H:%M:%SZ"
+            ).replace(tzinfo=timezone.utc).isoformat()
+        return published_date_cve
+
+    def get_list_findings(self, image_scanned) -> "list[Finding]":
+        list_open_vulnerabilities = []
+        with open(image_scanned, "rb") as file:
+            image_object = file.read()
+            json_data = json.loads(image_object)
+            vulnerabilities_data = json_data["Results"][0].get("Vulnerabilities", [])
+            vulnerabilities = [
+                Finding(
+                    id=vul.get("VulnerabilityID", ""),
+                    cvss=str(next(
+                        (
+                            v["V3Score"]
+                            for v in vul["CVSS"].values()
+                            if "V3Score" in v
+                        ),
+                        None,
+                    )),
+                    where=vul.get("PkgName", "")
+                    + " "
+                    + vul.get("InstalledVersion", ""),
+                    description=vul.get("Description", "").replace("\n", "")[:150],
+                    severity=vul.get("Severity", "").lower(),
+                    identification_date=datetime.now().strftime(
+                        "%Y-%m-%dT%H:%M:%S%z"
+                    ),
+                    published_date_cve=self.check_date_format(vul),
+                    module="engine_container",
+                    category=Category.VULNERABILITY,
+                    requirements=vul.get("FixedVersion") or vul.get("Status", ""),
+                    tool="Trivy",
+                )
+                for vul in vulnerabilities_data
+                if vul.get("CVSS") and vul.get("PublishedDate")
+            ]
+            list_open_vulnerabilities.extend(vulnerabilities)
+        return list_open_vulnerabilities