From a9f98b7dce77e7177d17acffc91f1d149d56e983 Mon Sep 17 00:00:00 2001 From: Daniel Ciuraru Date: Tue, 6 Aug 2024 11:47:42 +0300 Subject: [PATCH] chore(saas-24128): update SSCS templates --- rego-templates/iac-html.rego | 31 +-------------- rego-templates/iac-jira.rego | 36 +----------------- rego-templates/iac-servicenow.rego | 34 ++--------------- rego-templates/iac-slack.rego | 61 +----------------------------- 4 files changed, 8 insertions(+), 154 deletions(-) diff --git a/rego-templates/iac-html.rego b/rego-templates/iac-html.rego index a3d864cc..3a4afe74 100644 --- a/rego-templates/iac-html.rego +++ b/rego-templates/iac-html.rego @@ -11,6 +11,7 @@ import data.postee.number_of_vulns tpl:=`

Triggered by: %s

Repository Name: %s

+

URL: %s

Vulnerability summary:

@@ -19,8 +20,6 @@ tpl:=` %s

Pipeline Misconfiguration summary:

%s - -%s

Response policy name: %s

Response policy application scopes: %s

` @@ -45,9 +44,6 @@ row_tpl:=` colored_text_tpl:="%s" -vln_list_table_tpl := `

List of Critical/High CVEs:

-%s` - ############################################## Html rendering ############################################# render_table_headers(headers) = row { count(headers) > 0 @@ -101,30 +97,7 @@ severities_stats(vuln_type) = stats{ ] } -vlnrb_headers := ["ID", "Severity", "New Finding"] - -vln_list = vlnrb { - some i - vlnrb := [r | - result := input.results[i] - is_critical_or_high_vuln(result.severity) # add only critical and high vulns - avd_id := result.avd_id - startswith(avd_id , "CVE") # add only `CVE-xxx` vulns - severity := severity_as_string(result.severity) - is_new := is_new_vuln(with_default(result, "is_new", false)) - - r := [avd_id, severity, is_new] - ] -} - -render_vuln_list_table = s { - count(vln_list) > 0 - s := sprintf(vln_list_table_tpl, [render_table(vlnrb_headers, vln_list, "33%")]) -} -render_vuln_list_table = "" { - count(vln_list) == 0 -} ############################################## result values ############################################# title = sprintf("%s repository scan report", [input.repository_name]) @@ -133,10 +106,10 @@ result = msg { msg := sprintf(tpl, [ triggered_by_as_string(with_default(input, "triggered_by", "")), input.repository_name, + input.url, input.url, render_table([], severities_stats("vulnerability"), "50%"), render_table([], severities_stats("misconfiguration"), "50%"), render_table([], severities_stats("pipeline_misconfiguration"), "50%"), - render_vuln_list_table, with_default(input, "response_policy_name", "none"), with_default(input, "application_scope", "none") ]) diff --git a/rego-templates/iac-jira.rego b/rego-templates/iac-jira.rego index 956dc844..46199694 100644 --- a/rego-templates/iac-jira.rego +++ b/rego-templates/iac-jira.rego @@ -12,9 +12,7 @@ import future.keywords.if tpl:=` *Triggered by:* %s *Repository name:* %s - -%v - +*URL:* %s %v %v 
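Review bot: `+ input.url,` is a bare reference: if the event carries no `url` field the whole `result` rule is undefined and no message is rendered at all, whereas the iac-slack.rego hunk guards the same field with `with_default(input, "url", "")`; the new `input.url` arguments in the iac-jira.rego and iac-servicenow.rego result hunks have the same issue. Passing `with_default(input, "url", "")` for both url arguments here (the pre-existing one included) keeps the four templates consistent. The value is also interpolated into an HTML template by sprintf with no escaping, so a URL containing `<`, `"` or `&` reaches the rendered page as raw markup; a scheme check such as `startswith(input.url, "https://")` or escaping via `strings.replace_n({"&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;"}, input.url)` before the sprintf would bound that (the same applies to iac-servicenow.rego). The `result` rule's closing brace lies outside the hunk.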
@@ -34,37 +32,7 @@ severities_stats_table(vuln_type) = sprintf("\n*%s summary:*\n||*Severity* number_of_vulns(lower(replace(vuln_type, " ", "_")), 1), number_of_vulns(lower(replace(vuln_type, " ", "_")), 0)]) -vln_list = vlnrb { - some i - vlnrb := [r | - result := input.results[i] - is_critical_or_high_vuln(result.severity) # add only critical and high vulns - avd_id := result.avd_id - startswith(avd_id , "CVE") # add only `CVE-xxx` vulns - severity := severity_as_string(result.severity) - is_new := is_new_vuln(with_default(result, "is_new", false)) - - r := sprintf("|%s|%s|%s|\n",[avd_id, severity, is_new]) - ] -} - -concat_list(prefix,list) = output{ - out := array.concat(prefix, list) - x := concat("", out) - output := x -} -vln_list_table = table { - list := vln_list - count(list) > 0 - prefix := ["\n*List of Critical/High CVEs:*\n||*ID* ||*Severity* ||*New Finding* ||\n"] - table := concat_list(prefix,list) -} - -vln_list_table = "" { # no vulnerabilities of this severity - list := vln_list - count(list) == 0 -} ####################################### results ####################################### title = sprintf("%s repository scan report", [input.repository_name]) @@ -72,10 +40,10 @@ result = msg { msg := sprintf(tpl, [ triggered_by_as_string(with_default(input, "triggered_by", "")), input.repository_name, + input.url, severities_stats_table("Vulnerability"), severities_stats_table("Misconfiguration"), severities_stats_table("Pipeline Misconfiguration"), - vln_list_table, with_default(input, "response_policy_name", "none"), with_default(input, "application_scope", "none") ]) diff --git a/rego-templates/iac-servicenow.rego b/rego-templates/iac-servicenow.rego index 2ed25168..cc71c660 100644 --- a/rego-templates/iac-servicenow.rego +++ b/rego-templates/iac-servicenow.rego @@ -15,6 +15,7 @@ import future.keywords.if html_tpl:=`

Triggered by: %s

Repository Name: %s

+

URL: %s

Vulnerability summary:

@@ -23,8 +24,6 @@ html_tpl:=` %s

Pipeline Misconfiguration summary:

%s - -%s

Response policy name: %s

Response policy application scopes: %s

` @@ -52,9 +51,6 @@ row_tpl:=` colored_text_tpl:="%s" -vln_list_table_tpl := `

List of Critical/High CVEs:

-%s` - ############################################## Html rendering ############################################# render_table_headers(headers) = row { count(headers) > 0 @@ -108,30 +104,6 @@ severities_stats(vuln_type) = stats{ ] } -vlnrb_headers := ["ID", "Severity", "New Finding"] - -vln_list = vlnrb { - some i - vlnrb := [r | - result := input.results[i] - is_critical_or_high_vuln(result.severity) # add only critical and high vulns - avd_id := result.avd_id - startswith(avd_id , "CVE") # add only `CVE-xxx` vulns - severity := severity_as_string(result.severity) - is_new := is_new_vuln(with_default(result, "is_new", false)) - - r := [avd_id, severity, is_new] - ] -} - -render_vuln_list_table = s { - count(vln_list) > 0 - s := sprintf(vln_list_table_tpl, [render_table(vlnrb_headers, vln_list, "33%")]) -} - -render_vuln_list_table = "" { - count(vln_list) == 0 -} ############################################## result values ############################################# title = sprintf(`Aqua security | Repository | %s | Scan report`, [input.repository_name]) @@ -157,10 +129,10 @@ result = msg { msg := sprintf(html_tpl, [ triggered_by_as_string(with_default(input, "triggered_by", "")), input.repository_name, + input.url, input.url, render_table([], severities_stats("vulnerability"), "50%"), render_table([], severities_stats("misconfiguration"), "50%"), - render_table([], severities_stats("pipeline_misconfiguration"), "50%"), - render_vuln_list_table, + render_table([], severities_stats("pipeline_misconfiguration"), "50%"),, with_default(input, "response_policy_name", "none"), with_default(input, "application_scope", "none") ]) diff --git a/rego-templates/iac-slack.rego b/rego-templates/iac-slack.rego index d4478bd5..2465f47e 100644 --- a/rego-templates/iac-slack.rego +++ b/rego-templates/iac-slack.rego 
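Review bot: `render_table([], severities_stats("pipeline_misconfiguration"), "50%"),,` carries a duplicated comma, which is a parse error in Rego; the whole iac-servicenow.rego policy then fails to load, so no ServiceNow notification is rendered until it is fixed. The line was replaced only to drop `render_vuln_list_table`, so it should read `render_table([], severities_stats("pipeline_misconfiguration"), "50%"),` exactly as the removed line did, and the change could have been a pure deletion. The `result` rule's closing brace is outside the hunk.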
@@ -21,65 +21,6 @@ severity_stats(vuln_type) := flat_array([gr | ] ]) -# render_sections split collection of cells provided to chunks of 5 rows each and wraps every chunk with section element -render_sections(rows, caption) = a { - count(rows) > 2 # only if some vulnerabilities are found - s1 := [{ - "type": "section", - "text": { - "type": "mrkdwn", - "text": caption - } - }] - b:=[ s | - # code below converts 2 dimension array like [[row1, row2, ... row5], ....] - group_size := 10 #it's 5 but every row is represented by 2 items - num_chunks := ceil(count(rows) / group_size) - 1 - indices := { b | b := numbers.range(0, num_chunks)[_] * group_size } - fields := [array.slice(rows, i, i + group_size) | i := indices[_]][_] - - # builds markdown section based on slice - - s := [ - { - "type": "section", - "fields": fields - } - ] - ] - a := array.concat(s1, flat_array(b)) -} -render_sections(rows, caption) = [] { #do not render section if provided collection is empty - count(rows) < 3 -} - -vln_list = l { - vlnrb := [r | - result := input.results[i] - is_critical_or_high_vuln(result.severity) # add only critical and high vulns - avd_id := result.avd_id - startswith(avd_id , "CVE") # add only `CVE-xxx` vulns - severity := severity_as_string(result.severity) - is_new := is_new_vuln(with_default(result, "is_new", false)) - - r := [ - {"type": "mrkdwn", "text": avd_id}, - {"type": "mrkdwn", "text": sprintf("%s/%s", [severity, is_new])}, - ] - ] - - caption := "*List of Critical/High CVEs:*" - - headers := [ - {"type": "mrkdwn", "text": "*ID*"}, - {"type": "mrkdwn", "text": "*Severity / New Finding*"} - ] - rows := array.concat(headers, flat_array(vlnrb)) - - # split rows and wrap slices with markdown section - l := render_sections(rows, caption) -} - ####################################### results ####################################### title = sprintf("%s repository scan report", [input.repository_name]) # title is string 
@@ -87,6 +28,7 @@ title = sprintf("%s repository scan report", [input.repository_name]) # title is result = res { header1 := [{"type":"section","text":{"type":"mrkdwn","text":sprintf("Triggered by: %s", [triggered_by_as_string(with_default(input, "triggered_by", "")),])}}, {"type":"section","text":{"type":"mrkdwn","text":sprintf("Repository name: %s", [input.repository_name])}}, + {"type":"section","text":{"type":"mrkdwn","text":sprintf("*URL:* %s", [with_default(input, "url", "")])}} {"type": "section","text": {"type": "mrkdwn","text": "*Vulnerabilities summary:*"}}, {"type": "section","fields": severity_stats("vulnerability")}, {"type": "section","text": {"type": "mrkdwn","text": "*Misconfiguration summary:*"}}, @@ -102,7 +44,6 @@ result = res { res := flat_array([ header1, - vln_list, header2 ]) }
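Review bot: The added `header1` element ending in `[with_default(input, "url", "")])}}` has no trailing comma before the following `{"type": "section", ...}` element, which is a parse error that stops the iac-slack.rego policy from loading. It should end `[with_default(input, "url", "")])}},` like the two elements above it. As a point of style, the label `*URL:*` is bold while the neighbouring `Triggered by:` and `Repository name:` labels are not; `URL: %s` would match them. The `result` rule continues past this hunk.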