new upstream image

.gitignore

@@ -3,4 +3,5 @@ defs/
 */.venv/
 __pycache__/
 .*.swp
+tmp/
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12.10-alpine3.21
+FROM python:3.12.10-alpine3.22
 
 ENV DTRACK_API_URL=""
 ENV DTRACK_TOKEN=""

src/ENV.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMIapWTXVBqXIb+0sAdAaPkf/oMhzDAm6T4mEFScMs5BJa444hJEkLgYSAS
+upN+QQSY5/x0OdoghQmaUXmRcu17kaFyzFsS+EaHymru4mpmOpwS/+YerHrhpfNF
+j3YfhW/sM6v2wYJAq+8utkPhATC36LxwgTZRbGBFGgFCG7fUHlldPO1DeVJvoQNe
+idpfg5irM+x78XC7tDJOdYYrvDcz0EELBuwB7V78ZHUfjLcvKek1exhLOq8+V60A
+nZhsoaELIEfCQx52ayF1TbvNdqOTCXpWHfgE9A9aw2eqRbMn9P+HOdeRz1t0+1s=
+=rEHE
+-----END PGP MESSAGE-----

src/sbom-dt-dd.py

@@ -44,6 +44,7 @@ def generateSBOM(target='.', name='dummyName', version='0.0.0'):
         logger.error(f"SBOM scanner failed: {e.stderr}")
         raise MyLocalException(e)
 
+# ---- main starts here with preparation of config -----------------------------------------------------------------------
 
 try:
     DTRACK_API_URL = os.environ["DTRACK_API_URL"]
@@ -70,37 +71,58 @@ parser.add_argument('--type', '-t',
                     required=True)
 parser.add_argument('--classifier', '-c',
                     help='Project Classifier from DependencyTrack',
-                    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
+                    choices=['APPLICATION', 'FRAMEWORK', 'LIBRARY', 'CONTAINER', 'OPERATING_SYSTEM', 'DEVICE', 
+                             'FIRMWARE', 'FILE', 'PLATFORM', 'DEVICE_DRIVER', 'MACHINE_LEARNING_MODEL', 'DATA'],
                     required=True)
+parser.add_argument('--uploadsbom', '-U',
+                    help='Upload a already existing SBOM instead of generating it. Give the SBOM file at -F instead of a target',
+                    required=False,
+                    action='store_true',
+                    default=False)
+parser.add_argument('--sbomfile', '-F',
+                    help='Filename of existing SBOM file to upload, use together with -U, do not use together with -T',
+                    required=False)
 parser.add_argument('--target', '-T',
                     help='Target to scan, either path name for sources or docker image tag',
-                    required=True)
+                    required=False)
 args = parser.parse_args()
 projectName = args.name
 projectVersion = args.version
 projectDescription = args.description
 productType = args.type
 projectClassifier = args.classifier
+
+uploadSbomFlag = args.uploadsbom
+if uploadSbomFlag:
+    sbomFileName = args.sbomfile
+else:
     target = args.target
 
 
+# ---- main starts here --------------------------------------------------------------------------------------------------
+
+if uploadSbomFlag:
+    # ------- read uploaded SBOM -------------
+    logger.info(f"Reading SBOM from file {sbomFileName}")
+    with open(sbomFileName, 'r') as sbomFile:
+        sbom = sbomFile.read()
+    logger.info("Done.")
+else:
+    # ------- generate SBOM ------------
     logger.info(f"Generating SBOM for {target}")
-sbom = generateSBOM(target, projectName, projectVersion)
+    sbomJson = generateSBOM(target, projectName, projectVersion)
+    sbom = json.dumps(sbomJson)
     logger.info("Done.")
 
 
+
+# ------- create product and engagement in DefectDojo -------
 defectdojo_configuration = defectdojo_api.Configuration(
     host = DEFECTDOJO_URL
 )
 defectdojo_configuration.api_key['tokenAuth'] = DEFECTDOJO_TOKEN
 defectdojo_configuration.api_key_prefix['tokenAuth'] = 'Token'
 
-dependencytrack_configuration = dependencytrack_api.Configuration(
-    host = f"{DTRACK_API_URL}/api"
-)
-dependencytrack_configuration.debug = False
-dependencytrack_configuration.api_key['ApiKeyAuth'] = DTRACK_TOKEN
-
 with defectdojo_api.ApiClient(defectdojo_configuration) as defectdojo_api_client:
     print("Create product in DefectDojo")
     productName = f"{projectName}:{projectVersion}"
@@ -134,6 +156,14 @@ with defectdojo_api.ApiClient(defectdojo_configuration) as defectdojo_api_client
     engagement_id = engagement_response.id
     print(f"{engagement_id=}")
 
+
+# ------- create project in DependencyTrack, connect project to engagement in DefectDojo, upload SBOM --------
+dependencytrack_configuration = dependencytrack_api.Configuration(
+    host = f"{DTRACK_API_URL}/api"
+)
+dependencytrack_configuration.debug = False
+dependencytrack_configuration.api_key['ApiKeyAuth'] = DTRACK_TOKEN
+
 with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencytrack_api_client:
     project_response = \
         executeApiCall(
@@ -149,9 +179,12 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
     print(f"{project_uuid=}")
 
     properties = [
-        { 'group_name': "integrations", 'property_name': "defectdojo.engagementId", 'property_value': str(engagement_id), 'property_type': "STRING" },
+        { 'group_name': "integrations", 'property_name': "defectdojo.engagementId", 
-        { 'group_name': "integrations", 'property_name': "defectdojo.doNotReactivate", 'property_value': "true", 'property_type': "BOOLEAN" },
+          'property_value': str(engagement_id), 'property_type': "STRING" },
-        { 'group_name': "integrations", 'property_name': "defectdojo.reimport", 'property_value': "true", 'property_type': "BOOLEAN" }
+        { 'group_name': "integrations", 'property_name': "defectdojo.doNotReactivate", 
+          'property_value': "true", 'property_type': "BOOLEAN" },
+        { 'group_name': "integrations", 'property_name': "defectdojo.reimport", 
+          'property_value': "true", 'property_type': "BOOLEAN" }
     ]
     for property in properties:
         executeApiCall(
@@ -170,6 +203,6 @@ with dependencytrack_api.ApiClient(dependencytrack_configuration) as dependencyt
             dependencytrack_api.BomApi.upload_bom,
             None,
             None,
-            [ None, False, projectName, projectVersion, None, None, None, None, True, json.dumps(sbom) ]
+            [ None, False, projectName, projectVersion, None, None, None, None, True, sbom ]
         )
 

todo.md

@@ -1,11 +1,13 @@
 - 2025-04-04
   - Dirk K.
-    - DefectDojo - Jira Integration
+    - [ ] DefectDojo - Jira Integration
-    - Monitor SLA expiry on DefectDojo
+    - [ ] Monitor SLA expiry on DefectDojo
-    - Workflow for review of assessments in DefectDojo
+    - [ ] Workflow for review of assessments in DefectDojo
-    - Trivy-Deployment in cluster shall be integrated with DefectDojo
+    - [x] Trivy-Deployment in cluster shall be integrated with DefectDojo
+      - [Import Trivy Operator reports into DefectDojo](https://medium.com/@alexander.murylev/implementing-centralized-security-scanning-across-multiple-kubernetes-clusters-with-trivy-and-989f3d5b0f4a)
+      - [Trivy Dojo Report Operator by Telekom](https://github.com/telekom-mms/trivy-dojo-report-operator)
   - Thomas O.
-    - DefectDojo and/or DependencyTrack shall notify via mail in case of new vulnerabilities
+    - [ ] DefectDojo and/or DependencyTrack shall notify via mail in case of new vulnerabilities
-    - add switch to glue logic to disable integrated SBOM generator and read externally
+    - [x] add switch to glue logic to disable integrated SBOM generator and read externally
       generated SBOM from file
 

trivy-operator-integration.md

@@ -0,0 +1,79 @@
+# Integration of the Trivy Operator in Kubernetes with DefectDojo
+
+## Installation of the Trivy Operator
+
+*namespace*
+```
+security
+```
+
+*install.sh* 
+```
+#!/bin/bash
+
+NAMESPACE=$(cat namespace)
+VERSION=0.28.1
+
+
+helm repo add aqua https://aquasecurity.github.io/helm-charts/
+helm repo update
+helm upgrade --install trivy-operator aqua/trivy-operator \
+  -f values.yml \
+  --namespace $NAMESPACE \
+  --version $VERSION
+```
+
+*values.yml*
+```
+trivy:
+  timeout: "10m0s"
+operator:
+  scanJobTimeout: 10m
+targetNamespaces: "homea"
+```
+
+If `targetNamespaces` is skipped, all namespaces will be scanned. If only a limited set of namespaces shall be scanned, put those namespace comma-separated into this option.
+
+
+## Installation of the Trivy Dojo Report Operator
+
+*namespace*
+```
+security
+```
+
+*install.sh*
+```
+#!/bin/bash
+
+NAMESPACE=$(cat namespace)
+VERSION=0.8.8
+
+helm repo add trivy-dojo-report-operator https://telekom-mms.github.io/trivy-dojo-report-operator/
+helm repo update
+helm install chart-name trivy-dojo-report-operator/trivy-dojo-report-operator \
+  -f values.yml \
+  --namespace $NAMESPACE \
+  --version $VERSION
+```
+
+*values.yml*
+```
+defectDojoApiCredentials:
+  apiKey: "geheim"
+  url: "https://defectdojo.hottis.de"
+operator:
+  trivyDojoReportOperator:
+    env:
+      defectDojoEvalEngagementName: "true"
+      defectDojoEngagementName: "body['report']['artifact']['tag']"
+      defectDojoEvalProductName: "true"
+      defectDojoProductName: "meta['namespace']+':'+meta['name']"
+```
+
+Make sure to set the correct apiKey. And make sure not to store it in a repo. A secure approach will be provided.
+
+Details on this operator can be found [here](https://medium.com/@alexander.murylev/implementing-centralized-security-scanning-across-multiple-kubernetes-clusters-with-trivy-and-989f3d5b0f4a) and [here](https://github.com/telekom-mms/trivy-dojo-report-operator).
+
+
+