custom ca, 13

.gitignore

@@ -3,4 +3,5 @@ defs/
 */.venv/
 __pycache__/
 .*.swp
+tmp/
 

.gitlab-ci.yml

@@ -0,0 +1,130 @@
+stages:
+  - generate-api-clients
+  - dockerize
+
+variables:
+  REGISTRY: devnexus.krohne.com:18079/repository/docker-krohne
+  IMAGE_NAME: $REGISTRY/$CI_PROJECT_NAME
+  DTRACK_API_URL: https://dtrack-api-rd.krohne.com
+  DEFECTDOJO_API_URL: https://defectdojo-rd.krohne.com
+  KROHNE_CA_URL: https://devwiki.krohnegroup.com/lib/exe/fetch.php?media=krohne-ca.crt
+  KROHNE_CA_CHECKSUM: a921e440a742f1e67c7714306e2c0d76
+
+.generate-api:
+  stage: generate-api-clients
+  image: openapitools/openapi-generator-cli:v7.12.0
+  tags:
+    - linux
+    - docker
+    - bash
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "main"'
+    - if: '$CI_COMMIT_TAG'
+  before_script:
+    - curl --insecure $KROHNE_CA_URL -o krohne-ca.crt
+    - echo "$KROHNE_CA_CHECKSUM  krohne-ca.crt" | md5sum -c 
+    - mv krohne-ca.crt /usr/local/share/ca-certificates
+    - update-ca-certificates
+
+
+generate-dtrack-api:
+  extends: .generate-api
+  artifacts:
+    paths:
+      - dtrack-api-client.tgz
+    expire_in: 1 week
+  script:
+    - curl ${DTRACK_API_URL}/api/openapi.json > dependencytrack-openapi.json
+    - |
+      docker-entrypoint.sh \
+      author template \
+        -g python \
+        -o dependencytrack-openapi-custom-template 
+    - sed -i 's/import re/import regex as re/' dependencytrack-openapi-custom-template/model_anyof.mustache 
+    - sed -i 's/import re/import regex as re/' dependencytrack-openapi-custom-template/model_generic.mustache 
+    - |
+      docker-entrypoint.sh \
+      generate \
+        -i dependencytrack-openapi.json \
+        -g python \
+        -o dependencytrack-client \
+        --package-name dependencytrack_api \
+        -t dependencytrack-openapi-custom-template
+    - tar -czvf dtrack-api-client.tgz dependencytrack-client
+
+
+generate-defectdojo-api:
+  extends: .generate-api
+  artifacts:
+    paths:
+      - defectdojo-api-client.tgz
+    expire_in: 1 week
+  script:
+    - curl ${DEFECTDOJO_API_URL}/api/v2/oa3/schema/?format=json > defectdojo-openapi.json
+    - |
+      docker-entrypoint.sh \
+      generate \
+        -i defectdojo-openapi.json \
+        -g python \
+        -o defectdojo-client \
+        --package-name defectdojo_api 
+    - tar -czvf defectdojo-api-client.tgz defectdojo-client
+
+dockerize:
+  stage: dockerize
+  image: devnexus.krohne.com:18079/repository/docker-krohne/krohnedockerbash:0.5
+  tags:
+    - linux
+    - docker
+    - bash
+  rules:
+    - if: '$CI_COMMIT_TAG'
+  script:
+    - tar -xzf defectdojo-api-client.tgz
+    - tar -xzf dtrack-api-client.tgz
+    - docker build --build-arg ADDITIONAL_CA_URL="$KROHNE_CA_URL"
+                   --build-arg ADDITIONAL_CA_CHECKSUM=$KROHNE_CA_CHECKSUM
+                   --tag $IMAGE_NAME:latest 
+                   --tag $IMAGE_NAME:$CI_COMMIT_SHA
+                   --tag $IMAGE_NAME:$CI_COMMIT_TAG
+                   .
+    - docker login -u $NEXUS_USER -p $NEXUS_PASSWORD $REGISTRY
+    - docker push $IMAGE_NAME:latest
+    - docker push $IMAGE_NAME:$CI_COMMIT_SHA
+    - docker push $IMAGE_NAME:$CI_COMMIT_TAG
+
+
+
+#
+#  build:
+#    image: plugins/kaniko
+#    settings:
+#      repo: ${FORGE_NAME}/${CI_REPO}
+#      registry:
+#        from_secret: container_registry
+#      tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG}
+#      username:
+#        from_secret: container_registry_username
+#      password:
+#        from_secret: container_registry_password
+#      dockerfile: Dockerfile
+#    when:
+#      - event: [ push, tag ]
+#
+#  build-for-quay:
+#    image: plugins/kaniko
+#    settings:
+#      repo: quay.io/wollud1969/${CI_REPO_NAME}
+#      registry: quay.io
+#      tags: 
+#        - latest
+#        - ${CI_COMMIT_TAG}
+#      username:
+#        from_secret: quay_username
+#      password:
+#        from_secret: quay_password
+#      dockerfile: Dockerfile
+#    when:
+#      - event: [tag]
+#
+

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12.10-alpine3.21
+FROM python:3.12.10-alpine3.22
 
 ENV DTRACK_API_URL=""
 ENV DTRACK_TOKEN=""
@@ -6,12 +6,26 @@ ENV DEFECTDOJO_URL=""
 ENV DEFECTDOJO_TOKEN=""
 
 ARG APP_DIR=/opt/app
+ARG ADDITIONAL_CA_URL="x"
+ARG ADDITIONAL_CA_CHECKSUM="y"
 
 RUN \
+  set -e &&\
   apk add --no-cache syft &&\
   adduser -s /bin/sh -D user &&\
   mkdir -p $APP_DIR &&\
-  chown user:user $APP_DIR
+  chown user:user $APP_DIR &&\
+  echo $ADDITIONAL_CA_URL &&\
+  echo $ADDITIONAL_CA_CHECKSUM &&\
+  if [ "$ADDITIONAL_CA_URL" != "x" ]; then \
+    cd /usr/share/ca-certificates; \
+    wget --no-check-certificate -O custom-ca.crt $ADDITIONAL_CA_URL; \
+    echo "a$ADDITIONAL_CA_CHECKSUM  custom-ca.crt" | md5sum -c; \
+    /usr/sbin/update-ca-certificates; \
+    echo "custom ca added"; \
+  else \
+    echo "no additional ca"; \
+  fi 
 
 USER user
 WORKDIR $APP_DIR

src/ENV.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMIapWTXVBqXIb+0sAdAaPkf/oMhzDAm6T4mEFScMs5BJa444hJEkLgYSAS
+upN+QQSY5/x0OdoghQmaUXmRcu17kaFyzFsS+EaHymru4mpmOpwS/+YerHrhpfNF
+j3YfhW/sM6v2wYJAq+8utkPhATC36LxwgTZRbGBFGgFCG7fUHlldPO1DeVJvoQNe
+idpfg5irM+x78XC7tDJOdYYrvDcz0EELBuwB7V78ZHUfjLcvKek1exhLOq8+V60A
+nZhsoaELIEfCQx52ayF1TbvNdqOTCXpWHfgE9A9aw2eqRbMn9P+HOdeRz1t0+1s=
+=rEHE
+-----END PGP MESSAGE-----

src/sbom-dt-dd.py

@@ -44,6 +44,7 @@ def generateSBOM(target='.', name='dummyName', version='0.0.0'):
         logger.error(f"SBOM scanner failed: {e.stderr}")
         raise MyLocalException(e)
 
+# ---- main starts here with preparation of config -----------------------------------------------------------------------
 
 try:
     DTRACK_API_URL = os.environ["DTRACK_API_URL"]
@@ -70,37 +71,58 @@ parser.add_argument('--type', '-t',
                     required=True)
 parser.add_argument('--classifier', '-c',
                     help='Project Classifier from DependencyTrack',
-                    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
+                    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 
+                             'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
                     required=True)
+parser.add_argument('--uploadsbom', '-U',
+                    help='Upload a already existing SBOM instead of generating it. Give the SBOM file at -F instead of a target',
+                    required=False,
+                    action='store_true',
+                    default=False)
+parser.add_argument('--sbomfile', '-F',
+                    help='Filename of existing SBOM file to upload, use together with -U, do not use together with -T',
+                    required=False)
 parser.add_argument('--target', '-T',
                     help='Target to scan, either path name for sources or docker image tag',
-                    required=True)
+                    required=False)
 args = parser.parse_args()
 projectName = args.name
 projectVersion = args.version
 projectDescription = args.description
 productType = args.type
 projectClassifier = args.classifier
-target = args.target
+
+uploadSbomFlag = args.uploadsbom
+if uploadSbomFlag:
+    sbomFileName = args.sbomfile
+else:
+    target = args.target
 
 
-logger.info(f"Generating SBOM for {target}")
+# ---- main starts here --------------------------------------------------------------------------------------------------
-sbom = generateSBOM(target, projectName, projectVersion)
+
-logger.info("Done.")
+if uploadSbomFlag:
+    # ------- read uploaded SBOM -------------
+    logger.info(f"Reading SBOM from file {sbomFileName}")
+    with open(sbomFileName, 'r') as sbomFile:
+        sbom = sbomFile.read()
+    logger.info("Done.")
+else:
+    # ------- generate SBOM ------------
+    logger.info(f"Generating SBOM for {target}")
+    sbomJson = generateSBOM(target, projectName, projectVersion)
+    sbom = json.dumps(sbomJson)
+    logger.info("Done.")
 
 
+
+# ------- create product and engagement in DefectDojo -------
 defectdojo_configuration = defectdojo_api.Configuration(
     host = DEFECTDOJO_URL
 )
 defectdojo_configuration.api_key['tokenAuth'] = DEFECTDOJO_TOKEN
 defectdojo_configuration.api_key_prefix['tokenAuth'] = 'Token'
 
-dependencytrack_configuration = dependencytrack_api.Configuration(
-    host = f"{DTRACK_API_URL}/api"
-)
-dependencytrack_configuration.debug = False
-dependencytrack_configuration.api_key['ApiKeyAuth'] = DTRACK_TOKEN
-
 with defectdojo_api.ApiClient(defectdojo_configuration) as defectdojo_api_client:
     print("Create product in DefectDojo")
     productName = f"{projectName}:{projectVersion}"
@@ -134,6 +156,14 @@ with defectdojo_api.ApiClient(defectdojo_configuration) as defectdojo_api_client
     engagement_id = engagement_response.id
     print(f"{engagement_id=}")
 
+
+# ------- create project in DependencyTrack, connect project to engagement in DefectDojo, upload SBOM --------
+dependencytrack_configuration = dependencytrack_api.Configuration(
+    host = f"{DTRACK_API_URL}/api"
+)
+dependencytrack_configuration.debug = False
+dependencytrack_configuration.api_key['ApiKeyAuth'] = DTRACK_TOKEN
+
 with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencytrack_api_client:
     project_response = \
         executeApiCall(
@@ -149,9 +179,12 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
     print(f"{project_uuid=}")
 
     properties = [
-        { 'group_name': "integrations", 'property_name': "defectdojo.engagementId", 'property_value': str(engagement_id), 'property_type': "STRING" },
+        { 'group_name': "integrations", 'property_name': "defectdojo.engagementId", 
-        { 'group_name': "integrations", 'property_name': "defectdojo.doNotReactivate", 'property_value': "true", 'property_type': "BOOLEAN" },
+          'property_value': str(engagement_id), 'property_type': "STRING" },
-        { 'group_name': "integrations", 'property_name': "defectdojo.reimport", 'property_value': "true", 'property_type': "BOOLEAN" }
+        { 'group_name': "integrations", 'property_name': "defectdojo.doNotReactivate", 
+          'property_value': "true", 'property_type': "BOOLEAN" },
+        { 'group_name': "integrations", 'property_name': "defectdojo.reimport", 
+          'property_value': "true", 'property_type': "BOOLEAN" }
     ]
     for property in properties:
         executeApiCall(
@@ -170,6 +203,6 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
             dependencytrack_api.BomApi.upload_bom,
             None,
             None,
-            [ None, False, projectName, projectVersion, None, None, None, None, True, json.dumps(sbom) ]
+            [ None, False, projectName, projectVersion, None, None, None, None, True, sbom ]
         )
 

todo.md

@@ -1,11 +1,13 @@
 - 2025-04-04
   - Dirk K.
-    - DefectDojo - Jira Integration
+    - [ ] DefectDojo - Jira Integration
-    - Monitor SLA expiry on DefectDojo
+    - [ ] Monitor SLA expiry on DefectDojo
-    - Workflow for review of assessments in DefectDojo
+    - [ ] Workflow for review of assessments in DefectDojo
-    - Trivy-Deployment in cluster shall be integrated with DefectDojo
+    - [x] Trivy-Deployment in cluster shall be integrated with DefectDojo
+      - [Import Trivy Operator reports into DefectDojo](https://medium.com/@alexander.murylev/implementing-centralized-security-scanning-across-multiple-kubernetes-clusters-with-trivy-and-989f3d5b0f4a)
+      - [Trivy Dojo Report Operator by Telekom](https://github.com/telekom-mms/trivy-dojo-report-operator)
   - Thomas O.
-    - DefectDojo and/or DependencyTrack shall notify via mail in case of new vulnerabilities
+    - [ ] DefectDojo and/or DependencyTrack shall notify via mail in case of new vulnerabilities
-    - add switch to glue logic to disable integrated SBOM generator and read externally
+    - [x] add switch to glue logic to disable integrated SBOM generator and read externally
       generated SBOM from file
 

trivy-operator-integration.md

@@ -0,0 +1,79 @@
+# Integration of the Trivy Operator in Kubernetes with DefectDojo
+
+## Installation of the Trivy Operator
+
+*namespace*
+```
+security
+```
+
+*install.sh* 
+```
+#!/bin/bash
+
+NAMESPACE=$(cat namespace)
+VERSION=0.28.1
+
+
+helm repo add aqua https://aquasecurity.github.io/helm-charts/
+helm repo update
+helm upgrade --install trivy-operator aqua/trivy-operator \
+  -f values.yml \
+  --namespace $NAMESPACE \
+  --version $VERSION
+```
+
+*values.yml*
+```
+trivy:
+  timeout: "10m0s"
+operator:
+  scanJobTimeout: 10m
+targetNamespaces: "homea"
+```
+
+If `targetNamespaces` is skipped, all namespaces will be scanned. If only a limited set of namespaces shall be scanned, put those namespace comma-separated into this option.
+
+
+## Installation of the Trivy Dojo Report Operator
+
+*namespace*
+```
+security
+```
+
+*install.sh*
+```
+#!/bin/bash
+
+NAMESPACE=$(cat namespace)
+VERSION=0.8.8
+
+helm repo add trivy-dojo-report-operator https://telekom-mms.github.io/trivy-dojo-report-operator/
+helm repo update
+helm install chart-name trivy-dojo-report-operator/trivy-dojo-report-operator \
+  -f values.yml \
+  --namespace $NAMESPACE \
+  --version $VERSION
+```
+
+*values.yml*
+```
+defectDojoApiCredentials:
+  apiKey: "geheim"
+  url: "https://defectdojo.hottis.de"
+operator:
+  trivyDojoReportOperator:
+    env:
+      defectDojoEvalEngagementName: "true"
+      defectDojoEngagementName: "body['report']['artifact']['tag']"
+      defectDojoEvalProductName: "true"
+      defectDojoProductName: "meta['namespace']+':'+meta['name']"
+```
+
+Make sure to set the correct apiKey. And make sure not to store it in a repo. A secure approach will be provided.
+
+Details on this operator can be found [here](https://medium.com/@alexander.murylev/implementing-centralized-security-scanning-across-multiple-kubernetes-clusters-with-trivy-and-989f3d5b0f4a) and [here](https://github.com/telekom-mms/trivy-dojo-report-operator).
+
+
+