devsecops-engine-tools 1.83.0__py3-none-any.whl → 1.84.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of devsecops-engine-tools might be problematic. Click here for more details.
- devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/images_gateway.py +2 -2
- devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py +9 -4
- devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/set_input_core.py +6 -4
- devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/docker_images.py +36 -19
- devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_cloud_manager_scan.py +9 -4
- devsecops_engine_tools/version.py +1 -1
- {devsecops_engine_tools-1.83.0.dist-info → devsecops_engine_tools-1.84.0.dist-info}/METADATA +1 -1
- {devsecops_engine_tools-1.83.0.dist-info → devsecops_engine_tools-1.84.0.dist-info}/RECORD +11 -11
- {devsecops_engine_tools-1.83.0.dist-info → devsecops_engine_tools-1.84.0.dist-info}/WHEEL +0 -0
- {devsecops_engine_tools-1.83.0.dist-info → devsecops_engine_tools-1.84.0.dist-info}/entry_points.txt +0 -0
- {devsecops_engine_tools-1.83.0.dist-info → devsecops_engine_tools-1.84.0.dist-info}/top_level.txt +0 -0
devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/images_gateway.py
CHANGED
|
@@ -7,11 +7,11 @@ class ImagesGateway(metaclass=ABCMeta):
|
|
|
7
7
|
"get image to scan"
|
|
8
8
|
|
|
9
9
|
@abstractmethod
|
|
10
|
-
def get_base_image(self, image_to_scan) -> str:
|
|
10
|
+
def get_base_image(self, image_to_scan, base_image_labels: list, label_keys: dict = None) -> str:
|
|
11
11
|
"get base image"
|
|
12
12
|
|
|
13
13
|
@abstractmethod
|
|
14
|
-
def validate_base_image_date(self, image_to_scan, referenced_date) -> str:
|
|
14
|
+
def validate_base_image_date(self, image_to_scan, referenced_date, base_image_labels: list, label_keys: dict = None) -> str:
|
|
15
15
|
"validate base image date"
|
|
16
16
|
|
|
17
17
|
@abstractmethod
|
devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py
CHANGED
|
@@ -48,7 +48,7 @@ class ContainerScaScan:
|
|
|
48
48
|
base_image = None
|
|
49
49
|
image_scanned = None
|
|
50
50
|
matching_image = self._get_image(self.image_to_scan)
|
|
51
|
-
if self.remote_config["GET_IMAGE_BASE"]:
|
|
51
|
+
if self.remote_config["GET_IMAGE_BASE"]["ENABLED"]:
|
|
52
52
|
base_image = self._get_base_image(matching_image)
|
|
53
53
|
if self.remote_config["VALIDATE_BASE_IMAGE_DATE"][
|
|
54
54
|
"ENABLED"
|
|
@@ -123,7 +123,7 @@ class ContainerScaScan:
|
|
|
123
123
|
Returns:
|
|
124
124
|
String: base image.
|
|
125
125
|
"""
|
|
126
|
-
return self.tool_images.get_base_image(matching_image)
|
|
126
|
+
return self.tool_images.get_base_image(matching_image, self.remote_config["GET_IMAGE_BASE"]["BASE_IMAGE_LABELS"]), self.remote_config["GET_IMAGE_BASE"].get("LABEL_KEYS", None)
|
|
127
127
|
|
|
128
128
|
def _validate_base_image_date(self, matching_image, referenced_date):
|
|
129
129
|
"""
|
|
@@ -133,7 +133,10 @@ class ContainerScaScan:
|
|
|
133
133
|
string: base image date.
|
|
134
134
|
"""
|
|
135
135
|
return self.tool_images.validate_base_image_date(
|
|
136
|
-
matching_image,
|
|
136
|
+
matching_image,
|
|
137
|
+
referenced_date,
|
|
138
|
+
self.remote_config["GET_IMAGE_BASE"]["BASE_IMAGE_LABELS"],
|
|
139
|
+
self.remote_config["GET_IMAGE_BASE"].get("LABEL_KEYS")
|
|
137
140
|
)
|
|
138
141
|
|
|
139
142
|
def _validate_black_list_base_image(self, base_image, black_list):
|
|
@@ -143,7 +146,9 @@ class ContainerScaScan:
|
|
|
143
146
|
Returns:
|
|
144
147
|
string: blacklist.
|
|
145
148
|
"""
|
|
146
|
-
|
|
149
|
+
if not base_image or not base_image[0]:
|
|
150
|
+
return True
|
|
151
|
+
return self.tool_images.validate_black_list_base_image(base_image[0][0], black_list)
|
|
147
152
|
|
|
148
153
|
def _get_images_already_scanned(self):
|
|
149
154
|
"""
|
|
@@ -14,17 +14,19 @@ class SetInputCore:
|
|
|
14
14
|
|
|
15
15
|
def get_exclusions(self, exclusions_data, pipeline_name, tool, base_image):
|
|
16
16
|
list_exclusions = []
|
|
17
|
-
|
|
17
|
+
base_image_list = base_image[0][0] if base_image else None
|
|
18
|
+
print("The base image used is:", base_image_list)
|
|
18
19
|
for key, value in exclusions_data.items():
|
|
19
20
|
if key not in {"All", pipeline_name} or not value.get(tool):
|
|
20
21
|
continue
|
|
21
22
|
|
|
22
23
|
for item in value[tool]:
|
|
23
24
|
if key == "All":
|
|
24
|
-
|
|
25
|
-
|
|
25
|
+
key_image_exception = self.remote_config.get("GET_IMAGE_BASE", {}).get("LABEL_KEYS", {}).get("key_image_exception", None)
|
|
26
|
+
source_images = item.get(key_image_exception, [])
|
|
27
|
+
if source_images and not base_image_list:
|
|
26
28
|
continue
|
|
27
|
-
if source_images and not any(
|
|
29
|
+
if source_images and not any(img in source for img in base_image_list for source in source_images):
|
|
28
30
|
continue
|
|
29
31
|
|
|
30
32
|
list_exclusions.append(
|
|
@@ -33,19 +33,19 @@ class DockerImages(ImagesGateway):
|
|
|
33
33
|
f"Error listing images, docker must be running and added to PATH: {e}"
|
|
34
34
|
)
|
|
35
35
|
|
|
36
|
-
def get_base_image(self, matching_image):
|
|
36
|
+
def get_base_image(self, matching_image, base_image_labels: list, label_keys: dict = None):
|
|
37
37
|
try:
|
|
38
38
|
image_details = self.get_image_details(matching_image.id)
|
|
39
39
|
if not image_details:
|
|
40
40
|
return None
|
|
41
41
|
|
|
42
42
|
labels = image_details.get("Config", {}).get("Labels", {})
|
|
43
|
-
return self.extract_base_image_from_labels(labels, matching_image)
|
|
43
|
+
return self.extract_base_image_from_labels(labels, base_image_labels, matching_image, label_keys)
|
|
44
44
|
except Exception as e:
|
|
45
45
|
logger.warning(f"Error obtaining base image: {e}")
|
|
46
|
-
return None
|
|
46
|
+
return None, False
|
|
47
47
|
|
|
48
|
-
def validate_base_image_date(self, matching_image, referenced_date):
|
|
48
|
+
def validate_base_image_date(self, matching_image, referenced_date, base_image_labels: list, label_keys: dict = None):
|
|
49
49
|
if matching_image is None or matching_image.id is None:
|
|
50
50
|
logger.error("Error: matching_image ID is None")
|
|
51
51
|
return False
|
|
@@ -54,13 +54,17 @@ class DockerImages(ImagesGateway):
|
|
|
54
54
|
return False
|
|
55
55
|
|
|
56
56
|
labels = image_details.get("Config", {}).get("Labels", {})
|
|
57
|
-
|
|
57
|
+
|
|
58
|
+
baseline_date = None
|
|
59
|
+
if label_keys and "baseline_date" in label_keys:
|
|
60
|
+
baseline_date_key = label_keys["baseline_date"]
|
|
61
|
+
baseline_date = labels.get(baseline_date_key)
|
|
58
62
|
date_image = None
|
|
59
63
|
if baseline_date:
|
|
60
64
|
date_image = self.parse_date(baseline_date)
|
|
61
65
|
else:
|
|
62
|
-
base_image = self.extract_base_image_from_labels(labels)
|
|
63
|
-
if not base_image
|
|
66
|
+
base_image, is_uso_especifico = self.extract_base_image_from_labels(labels, base_image_labels, None, label_keys)
|
|
67
|
+
if not is_uso_especifico and base_image:
|
|
64
68
|
date_image = self.extract_date_from_image(base_image[0])
|
|
65
69
|
|
|
66
70
|
return self.validate_date(date_image, referenced_date)
|
|
@@ -73,13 +77,20 @@ class DockerImages(ImagesGateway):
|
|
|
73
77
|
logger.error(f"Error obtaining image details for '{image_id}': {e}")
|
|
74
78
|
return None
|
|
75
79
|
|
|
76
|
-
def extract_base_image_from_labels(self, labels, matching_image=None):
|
|
80
|
+
def extract_base_image_from_labels(self, labels, base_image_labels: list, matching_image=None, label_keys: dict = None):
|
|
77
81
|
try:
|
|
78
82
|
if labels:
|
|
79
|
-
source_image =
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
+
source_image = []
|
|
84
|
+
for label in base_image_labels:
|
|
85
|
+
value = labels.get(label)
|
|
86
|
+
if value:
|
|
87
|
+
source_image.append(value)
|
|
88
|
+
|
|
89
|
+
# Only check for specific_use if it's configured in remote config
|
|
90
|
+
is_uso_especifico = False
|
|
91
|
+
if label_keys and "specific_use" in label_keys:
|
|
92
|
+
specific_use_value = label_keys["specific_use"]
|
|
93
|
+
is_uso_especifico = labels.get("repository") == specific_use_value
|
|
83
94
|
if source_image and matching_image:
|
|
84
95
|
logger.info(f"Base image for '{matching_image}' found: {source_image}")
|
|
85
96
|
elif matching_image:
|
|
@@ -126,12 +137,18 @@ class DockerImages(ImagesGateway):
|
|
|
126
137
|
return True
|
|
127
138
|
|
|
128
139
|
def validate_black_list_base_image(self, base_image, black_list):
|
|
129
|
-
if not isinstance(base_image,
|
|
130
|
-
logger.error("Invalid input types: expected a
|
|
140
|
+
if not isinstance(base_image, list) or not isinstance(black_list, list):
|
|
141
|
+
logger.error("Invalid input types: expected a list of images and a list of strings.")
|
|
131
142
|
return False
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
f"
|
|
136
|
-
|
|
143
|
+
|
|
144
|
+
for image in base_image:
|
|
145
|
+
if not isinstance(image, str):
|
|
146
|
+
logger.warning(f"Skipping non-string image: {image}")
|
|
147
|
+
continue
|
|
148
|
+
|
|
149
|
+
for black in black_list:
|
|
150
|
+
if black in image:
|
|
151
|
+
raise ValueError(
|
|
152
|
+
f"Compliance issue: the image: {image} is blacklisted for {black}"
|
|
153
|
+
)
|
|
137
154
|
return True
|
|
@@ -97,21 +97,26 @@ class PrismaCloudManagerScan(ToolGateway):
|
|
|
97
97
|
except subprocess.CalledProcessError as e:
|
|
98
98
|
logger.error(f"Error during image scan of {image_name}: {e.stderr}")
|
|
99
99
|
|
|
100
|
-
def _write_image_base(self, result_file, base_image, exclusions_data):
|
|
100
|
+
def _write_image_base(self, result_file, base_image, exclusions_data, remoteconfig):
|
|
101
101
|
try:
|
|
102
102
|
with open(result_file, "r") as file:
|
|
103
103
|
data = json.load(file)
|
|
104
104
|
|
|
105
105
|
prisma_exclusions = exclusions_data.get("All", {}).get("PRISMA", [])
|
|
106
106
|
modified = False
|
|
107
|
+
base_image_list = base_image[0][0] if base_image and base_image[0][0] else []
|
|
108
|
+
|
|
109
|
+
|
|
110
|
+
key_image_exception = remoteconfig.get("GET_IMAGE_BASE", {}).get("LABEL_KEYS", {}).get("key_image_exception", None)
|
|
111
|
+
|
|
107
112
|
for result in data.get("results", []):
|
|
108
113
|
for vulnerability in result.get("vulnerabilities", []):
|
|
109
114
|
for exclusion in prisma_exclusions:
|
|
110
115
|
if (
|
|
111
116
|
vulnerability.get("id") == exclusion.get("id") and
|
|
112
|
-
any(
|
|
117
|
+
any(b_image.startswith(ex_image) for b_image in base_image_list for ex_image in exclusion.get(key_image_exception, []))
|
|
113
118
|
):
|
|
114
|
-
vulnerability["baseImage"] =
|
|
119
|
+
vulnerability["baseImage"] = str(base_image_list) if base_image_list else ""
|
|
115
120
|
modified = True
|
|
116
121
|
|
|
117
122
|
if modified:
|
|
@@ -191,7 +196,7 @@ class PrismaCloudManagerScan(ToolGateway):
|
|
|
191
196
|
prisma_key
|
|
192
197
|
)
|
|
193
198
|
if base_image:
|
|
194
|
-
self._write_image_base(result_file, base_image, exclusions)
|
|
199
|
+
self._write_image_base(result_file, base_image, exclusions, remoteconfig)
|
|
195
200
|
if generate_sbom:
|
|
196
201
|
sbom_components = self._generate_sbom(
|
|
197
202
|
image_scanned,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
version = '1.
|
|
1
|
+
version = '1.84.0'
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
devsecops_engine_tools/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
2
|
-
devsecops_engine_tools/version.py,sha256=
|
|
2
|
+
devsecops_engine_tools/version.py,sha256=UgVl9rc_61RJvwB6OW8L1fuUdfvuBRvHRwXq0rDsGrM,19
|
|
3
3
|
devsecops_engine_tools/engine_core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
4
4
|
devsecops_engine_tools/engine_core/src/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
5
5
|
devsecops_engine_tools/engine_core/src/applications/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
@@ -200,18 +200,18 @@ devsecops_engine_tools/engine_sca/engine_container/src/domain/model/__init__.py,
|
|
|
200
200
|
devsecops_engine_tools/engine_sca/engine_container/src/domain/model/context_container.py,sha256=_BSNeHSWJHS-G1pdkOvrO2fA2UTUlI8N3KYEUI3Uh-c,602
|
|
201
201
|
devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
202
202
|
devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/deserealizator_gateway.py,sha256=AVPZvwwhV-Vns7cM58vHzd4_no2xSdzHUKiI6-2lpNM,576
|
|
203
|
-
devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/images_gateway.py,sha256
|
|
203
|
+
devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/images_gateway.py,sha256=-bsTPQW6m6aVJ1NsWC0gQnmhsYMhsNL7HpC0ONvjJjU,648
|
|
204
204
|
devsecops_engine_tools/engine_sca/engine_container/src/domain/model/gateways/tool_gateway.py,sha256=2fT2DFb4IPqQczCrAI0qEuWQUb3XsqFhI5M0OzNYalo,286
|
|
205
205
|
devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
206
|
-
devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py,sha256=
|
|
206
|
+
devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/container_sca_scan.py,sha256=apfZ7wibpSsfGg0DbZ5kPXTOyNZmJfHOsOrFlBtg848,6146
|
|
207
207
|
devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/handle_remote_config_patterns.py,sha256=4wgBTQSDE-C5v01C3Vxzeq0DJKZUSqQ5TVLG7yPZPKs,926
|
|
208
|
-
devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/set_input_core.py,sha256=
|
|
208
|
+
devsecops_engine_tools/engine_sca/engine_container/src/domain/usecases/set_input_core.py,sha256=A5PpY0li7Pil2vPMpOHi0kkliqCxGbpQyBcB9VKyx5c,2904
|
|
209
209
|
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
210
210
|
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
211
211
|
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
212
|
-
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/docker_images.py,sha256=
|
|
212
|
+
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/docker/docker_images.py,sha256=VvkRP1knlRGUa6PE2zKTeByQuJVW27PF2FJ0zRy2TDA,6371
|
|
213
213
|
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
214
|
-
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_cloud_manager_scan.py,sha256=
|
|
214
|
+
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_cloud_manager_scan.py,sha256=Qg_EdwkoElv9u58boP9Sva5VZCB7W4WhaWcziMND3VY,7650
|
|
215
215
|
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/prisma_cloud/prisma_deserialize_output.py,sha256=Eb7eRLyKQizPvaeX9uH8E1wxIKXCaAyNKUpmldw_iL8,2680
|
|
216
216
|
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
|
|
217
217
|
devsecops_engine_tools/engine_sca/engine_container/src/infrastructure/driven_adapters/trivy_tool/trivy_deserialize_output.py,sha256=f74mfDkzA7MD7QsaG-LDbcc2fX9nMvHHp-AkrcBg-h0,5294
|
|
@@ -350,8 +350,8 @@ devsecops_engine_tools/engine_utilities/utils/name_conversion.py,sha256=ADJrRGax
|
|
|
350
350
|
devsecops_engine_tools/engine_utilities/utils/printers.py,sha256=amYAr9YQfYgR6jK9a2l26z3oovFPQ3FAKmhq6BKhEBA,623
|
|
351
351
|
devsecops_engine_tools/engine_utilities/utils/session_manager.py,sha256=Z0fdhB3r-dxU0nGSD9zW_B4r2Qol1rUnUCkhFR0U-HQ,487
|
|
352
352
|
devsecops_engine_tools/engine_utilities/utils/utils.py,sha256=HCjS900TBoNcHrC4LaiP-Kf9frVdtagF130qOUgnO2M,6757
|
|
353
|
-
devsecops_engine_tools-1.
|
|
354
|
-
devsecops_engine_tools-1.
|
|
355
|
-
devsecops_engine_tools-1.
|
|
356
|
-
devsecops_engine_tools-1.
|
|
357
|
-
devsecops_engine_tools-1.
|
|
353
|
+
devsecops_engine_tools-1.84.0.dist-info/METADATA,sha256=MpjnGU8N4xbZRKHymPHIiCTzFhZRdqISn49XipIrrF0,12093
|
|
354
|
+
devsecops_engine_tools-1.84.0.dist-info/WHEEL,sha256=iAkIy5fosb7FzIOwONchHf19Qu7_1wCWyFNR5gu9nU0,91
|
|
355
|
+
devsecops_engine_tools-1.84.0.dist-info/entry_points.txt,sha256=MHCTFFs9bdNKo6YcWCcBW2_8X6yTisgLOlmVx-V8Rxc,276
|
|
356
|
+
devsecops_engine_tools-1.84.0.dist-info/top_level.txt,sha256=ge6y0X_xBAU1aG3EMWFtl9djbVyg5BxuSp2r2Lg6EQU,23
|
|
357
|
+
devsecops_engine_tools-1.84.0.dist-info/RECORD,,
|
|
File without changes
|
{devsecops_engine_tools-1.83.0.dist-info → devsecops_engine_tools-1.84.0.dist-info}/entry_points.txt
RENAMED
|
File without changes
|
{devsecops_engine_tools-1.83.0.dist-info → devsecops_engine_tools-1.84.0.dist-info}/top_level.txt
RENAMED
|
File without changes
|