From 78cfa85f49a2d12465a4b0142002eb53ae4e895b Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Wed, 21 Jan 2026 13:57:26 +0100 Subject: [PATCH 1/2] :tada: add Trivy misconfiguration fields #14136 --- dojo/tools/trivy/parser.py | 49 +++++------ unittests/scans/trivy/issue_14136.json | 108 +++++++++++++++++++++++++ unittests/tools/test_trivy_parser.py | 10 ++- 3 files changed, 142 insertions(+), 25 deletions(-) create mode 100644 unittests/scans/trivy/issue_14136.json diff --git a/dojo/tools/trivy/parser.py b/dojo/tools/trivy/parser.py index 6308070d71a..573758ab5ee 100644 --- a/dojo/tools/trivy/parser.py +++ b/dojo/tools/trivy/parser.py @@ -335,52 +335,53 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""): misconfigurations = target_data.get("Misconfigurations", []) for misconfiguration in misconfigurations: + misc_id = misconfiguration.get("ID", None) + misc_avdid = misconfiguration.get("AVDID", misc_id) + misc_title = misconfiguration.get("Title", "Unknown Misconfiguration") misc_type = misconfiguration.get("Type") - misc_id = misconfiguration.get("ID") - misc_title = misconfiguration.get("Title") - misc_description = misconfiguration.get("Description") - misc_message = misconfiguration.get("Message") + misc_description = misconfiguration.get("Description", "") + misc_message = misconfiguration.get("Message", "") misc_resolution = misconfiguration.get("Resolution") - misc_severity = misconfiguration.get("Severity") + misc_severity = misconfiguration.get("Severity", "Low") misc_primary_url = misconfiguration.get("PrimaryURL") misc_references = misconfiguration.get("References", []) - misc_causemetadata = misconfiguration.get("CauseMetadata", {}) - misc_cause_code = misc_causemetadata.get("Code", {}) - misc_cause_lines = misc_cause_code.get("Lines", []) - string_lines_table = self.get_lines_as_string_table(misc_cause_lines) + causemeta = misconfiguration.get("CauseMetadata", {}) + cause_code = causemeta.get("Code", {}) + cause_lines = cause_code.get("Lines", []) + string_lines_table = self.get_lines_as_string_table(cause_lines) if string_lines_table: - misc_message += ("\n" + string_lines_table) - - title = f"{misc_id} - {misc_title}" + misc_message += "\n" + string_lines_table description = MISC_DESCRIPTION_TEMPLATE.format( target=target_target, type=misc_type, description=misc_description, message=misc_message, ) - severity = TRIVY_SEVERITIES[misc_severity] - references = None + refs = [] if misc_primary_url: - references = f"{misc_primary_url}\n" - if misc_primary_url in misc_references: - misc_references.remove(misc_primary_url) - if references: - references += "\n".join(misc_references) - else: - references = "\n".join(misc_references) - + refs.append(misc_primary_url) + refs.extend(r for r in misc_references if r != misc_primary_url) + references = "\n".join(refs) if refs else None + severity = TRIVY_SEVERITIES.get(misc_severity, "Info") + file_path = target_target finding = Finding( test=test, - title=title, + title=f"{misc_id} - {misc_title}", severity=severity, - references=references, description=description, mitigation=misc_resolution, + references=references, + url=misc_primary_url, + file_path=file_path, + impact=misc_description, fix_available=True, static_finding=True, dynamic_finding=False, service=service_name, ) + if misc_avdid: + finding.unsaved_vulnerability_ids = [] + finding.unsaved_vulnerability_ids.append(misc_avdid) finding.unsaved_tags = [target_type, target_class] items.append(finding) diff --git a/unittests/scans/trivy/issue_14136.json b/unittests/scans/trivy/issue_14136.json new file mode 100644 index 00000000000..464f6f8bd8e --- /dev/null +++ b/unittests/scans/trivy/issue_14136.json @@ -0,0 +1,108 @@ +{ + "SchemaVersion": 2, + "ReportID": "019bdfd9-f774-7da7-917a-6b15e3b0b2a0", + "CreatedAt": "2026-01-21T10:19:22.484900675+01:00", + "ArtifactName": "tofu/clusters/sandbox", + "ArtifactType": "filesystem", + "Results": [ + { + "Target": "../../aws-credentials/main.tf", + "Class": "config", + "Type": "terraform", + "MisconfSummary": { + "Successes": 0, + "Failures": 1 + }, + "Misconfigurations": [ + { + "Type": "Terraform Security Check", + "ID": "AVD-AWS-0143", + "AVDID": "AVD-AWS-0143", + "Title": "IAM policies should not be granted directly to users.", + "Description": "CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.\n", + "Message": "One or more policies are attached directly to a user", + "Namespace": "builtin.aws.iam.aws0143", + "Query": "data.builtin.aws.iam.aws0143.deny", + "Resolution": "Grant policies at the group level instead.", + "Severity": "LOW", + "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0143", + "References": [ + "https://console.aws.amazon.com/iam/", + "https://avd.aquasec.com/misconfig/avd-aws-0143" + ], + "Status": "FAIL", + "CauseMetadata": { + "Resource": "module.aws_credentials", + "Provider": "AWS", + "Service": "iam", + "StartLine": 20, + "EndLine": 24, + "Code": { + "Lines": [ + { + "Number": 20, + "Content": "resource \"aws_iam_user\" \"this\" {", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[38;5;33mresource\u001b[0m \u001b[38;5;37m\"aws_iam_user\"\u001b[0m \u001b[38;5;37m\"this\"\u001b[0m {", + "FirstCause": true, + "LastCause": false + }, + { + "Number": 21, + "Content": " for_each = var.users", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;245mfor_each\u001b[0m = \u001b[38;5;33mvar\u001b[0m.users", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 22, + "Content": "", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "FirstCause": false, + "LastCause": false + }, + { + "Number": 23, + "Content": " name = \"cluster-${var.cluster_name}-${each.key}\"", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": " \u001b[38;5;245mname\u001b[0m = \u001b[38;5;37m\"cluster-\u001b[0m\u001b[38;5;37m${\u001b[0m\u001b[38;5;33mvar\u001b[0m.cluster_name\u001b[38;5;37m}\u001b[0m\u001b[38;5;37m-\u001b[0m\u001b[38;5;37m${\u001b[0m\u001b[38;5;33meach\u001b[0m.key\u001b[38;5;37m}\u001b[0m\u001b[38;5;37m\"", + "FirstCause": false, + "LastCause": false + }, + { + "Number": 24, + "Content": "}", + "IsCause": true, + "Annotation": "", + "Truncated": false, + "Highlighted": "\u001b[0m}", + "FirstCause": false, + "LastCause": true + } + ] + }, + "Occurrences": [ + { + "Resource": "module.aws_credentials", + "Filename": "main.tf", + "Location": { + "StartLine": 183, + "EndLine": 248 + } + } + ] + } + } + ] + } + ] +} diff --git a/unittests/tools/test_trivy_parser.py b/unittests/tools/test_trivy_parser.py index c5333c2bd16..5711620a49e 100644 --- a/unittests/tools/test_trivy_parser.py +++ b/unittests/tools/test_trivy_parser.py @@ -170,7 +170,7 @@ def test_kubernetes(self): re_finding_description = re.sub(r"\s+", " ", finding.description) self.assertEqual(re_description.strip(), re_finding_description.strip()) self.assertEqual("Set 'set containers[].securityContext.allowPrivilegeEscalation' to 'false'.", finding.mitigation) - self.assertIsNone(finding.unsaved_vulnerability_ids) + self.assertEqual(finding.unsaved_vulnerability_ids, ["KSV001"]) self.assertEqual(["kubernetes", "config"], finding.unsaved_tags) self.assertIsNone(finding.component_name) self.assertIsNone(finding.component_version) @@ -337,3 +337,11 @@ def test_severity_prio(self): self.assertEqual("Critical", finding.severity) self.assertEqual("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", finding.cvssv3) self.assertEqual(7.5, finding.cvssv3_score) + + def test_misconfig_fields(self): + # this tests issue #14136. The unittest file is just a copy of cvss_severity_source.json with edited severities + with sample_path("issue_14136.json").open(encoding="utf-8") as test_file: + parser = TrivyParser() + findings = parser.get_findings(test_file, Test()) + self.assertEqual(len(findings), 1) + self.assertEqual("Low", findings[0].severity) From b65b41c3e8391b359747102b5a27d138c14663a9 Mon Sep 17 00:00:00 2001 From: Manuel Sommer Date: Thu, 22 Jan 2026 12:52:41 +0100 Subject: [PATCH 2/2] update --- docs/content/en/open_source/upgrading/2.54.3.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 docs/content/en/open_source/upgrading/2.54.3.md diff --git a/docs/content/en/open_source/upgrading/2.54.3.md b/docs/content/en/open_source/upgrading/2.54.3.md new file mode 100644 index 00000000000..515192579a4 --- /dev/null +++ b/docs/content/en/open_source/upgrading/2.54.3.md @@ -0,0 +1,9 @@ +--- +title: 'Upgrading to DefectDojo Version 2.54.3' +toc_hide: true +weight: -20250602 +description: Trivy parser deduplication +--- + +## Trivy parser deduplication +Deduplication of Trivy misconfiguration findings is improved for newly imported findings, but existing findings may no longer match because they don’t contain the new vulnerability_id or file_path fields. \ No newline at end of file