🐞 Bug report
Describe the bug
When SecureCodeBox uploads a Trivy scan to Defect Dojo, it is uploaded as the type Generic Findings Import and not Trivy Scan.
This seems to have the effect that most metadata about the finding is not set,
e.g. CWE, Vulnerability ID (CVE), Location etc.
In some cases (I have seen it once) the severity is even reported wrongly (as High instead of Critical). See the screenshot below.
This is an issue with both trivy-image and trivy-k8s, and probably with the other Trivy scan types as well.
Steps To Reproduce
- Install the operator, the Trivy scanner and the persistence-defectdojo hook in the versions mentioned below.
- Start a scan by applying the following Scan resource:
  ```yaml
  apiVersion: "execution.securecodebox.io/v1"
  kind: Scan
  metadata:
    name: "juice-shop"
  spec:
    scanType: "trivy-image"
    parameters:
      - bkimminich/juice-shop:v10.2.0
  ```
- Open a finding in Defect Dojo.
- See that the CWE is not set, no tags are set, the location is not set etc.
- (See the attached screenshot for a comparison between a manually uploaded Trivy scan and the SCB uploaded Trivy scan.)
Expected behavior
The scan is uploaded with the type Trivy Scan, and the finding metadata is populated as if I had uploaded the scan manually.
System (please complete the following information):
- operator: 4.4.1
- persistence-defectdojo: 1.12.0
- Trivy: 0.49.1
- DefectDojo: 2.31.5
- Kubernetes: 1.28.3
For the Operator, Trivy and persistence-defectdojo I am using the Helm chart version 4.4.1 with default values.
Screenshots
The screenshot compares a SCB uploaded Trivy finding with a manually uploaded Trivy finding.
It is the same finding, in the same deployment, scanned using the same version of Trivy.

Additional context
I tried to upload the Trivy scan that was saved in MinIO with import type Trivy scan. This worked as expected: metadata fields are populated and the severity is correctly set.
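To make the comparison above reproducible without screenshots, here is an added example (not part of this issue or of SecureCodeBox) that pulls the fields the report says are lost on a Generic Findings Import (CVE id, CWE, severity, location) straight out of a Trivy JSON report. The sample report, its vulnerability ids and the Trivy-to-DefectDojo severity mapping are constructed assumptions for this example.

```python
"""Extract per-finding metadata (CVE, CWE, severity, location) from a Trivy
JSON report so it can be checked against what DefectDojo shows after import.
SAMPLE_REPORT is constructed for this example; it is not real scan output."""
import json

# Trivy severity labels -> DefectDojo severity labels (assumed mapping)
SEVERITY_MAP = {"CRITICAL": "Critical", "HIGH": "High", "MEDIUM": "Medium",
                "LOW": "Low", "UNKNOWN": "Info"}

SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "bkimminich/juice-shop:v10.2.0",
    "Results": [{
        "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001",  # placeholder id
             "PkgName": "example-pkg", "InstalledVersion": "1.0.0",
             "FixedVersion": "1.0.1", "Severity": "CRITICAL",
             "CweIDs": ["CWE-79"], "Title": "constructed finding"},
            {"VulnerabilityID": "CVE-0000-0002",  # placeholder id, no CWE, no fix
             "PkgName": "other-pkg", "InstalledVersion": "2.3.4",
             "Severity": "UNKNOWN", "Title": "constructed finding 2"},
        ],
    }],
})


def extract_findings(report_json):
    """Return one dict per vulnerability with the metadata fields the bug
    report says are missing after a Generic Findings Import."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "")
        for vuln in result.get("Vulnerabilities") or []:
            cwes = vuln.get("CweIDs") or []
            findings.append({
                "vulnerability_id": vuln.get("VulnerabilityID", ""),
                # DefectDojo stores one numeric CWE per finding; keep the first
                "cwe": int(cwes[0].split("-")[1]) if cwes else None,
                "severity": SEVERITY_MAP.get(vuln.get("Severity", "UNKNOWN").upper(), "Info"),
                "location": f"{target}: {vuln.get('PkgName', '')} {vuln.get('InstalledVersion', '')}",
                "fixed_version": vuln.get("FixedVersion", ""),
            })
    return findings


def missing_metadata(findings):
    """Map vulnerability id -> fields that are empty in Trivy's own output, so an
    importer bug can be told apart from data Trivy never had."""
    return {f["vulnerability_id"]: [k for k in ("cwe", "location", "fixed_version") if not f[k]]
            for f in findings}
```

A finding that has a CWE and location here but shows none in DefectDojo after the hook's upload points at the import type, not at Trivy.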