This repository has been archived by the owner on Nov 10, 2019. It is now read-only.

Treshold checks don't seem to work correctly #72

Open
jmarek-sky opened this issue Oct 3, 2019 · 0 comments

Comments

@jmarek-sky

Hi,
I tried to use this plugin but found that the threshold checks (both vulnerabilities and compliance) don't seem to work. I.e. I've set

TL_COMPLIANCE_THRESHOLD=critical
TL_VULNERABILITY_THRESHOLD=critical

scanned an image which doesn't have any critical issues (confirmed that in the Twistlock Console) but still got a failed result from this plugin.

After further investigating it, I think that the logic of checking the thresholds in the entrypoint.sh is not correct. It is based on the risk scores:

COMPLIANCE_RISK_SCORE=$(cat TL_report_$REPORT_NAME.json | jq ".[0].info.complianceRiskScore")
VULNERABILITY_RISK_SCORE=$(cat TL_report_$REPORT_NAME.json | jq ".[0].info.vulnerabilityRiskScore")

which are then compared to some arbitrary threshold values, e.g.:

case $TL_VULNERABILITY_THRESHOLD in
     low)
          TL_VULNERABILITY_THRESHOLD=1
          ;;
     medium)
          TL_VULNERABILITY_THRESHOLD=10
          ;;
     high)
          TL_VULNERABILITY_THRESHOLD=100
          ;;
     critical)
          TL_VULNERABILITY_THRESHOLD=1000
          ;;
     *)
          echo TL_VULNERABILITY_THRESHOLD must be low|medium|high|critical
          ;;
esac

if [ $VULNERABILITY_RISK_SCORE -ge $TL_VULNERABILITY_THRESHOLD ]; then
  err "VULNERABILITY_THRESHOLD ($TL_VULNERABILITY_THRESHOLD) EXEECED => $CVE_VULNERABILITIES_CNT issue(s) found. VULNERABILITY_RISK_SCORE = $VULNERABILITY_RISK_SCORE (lower is better)"
else
  msg "CVEVULNERABILITY CHECK => PASSED"
fi

I had an image whose risk score was way more than 1000, but it didn't have any critical vulnerabilities, so I'm not sure where these hardcoded values came from, but they don't seem to be correct.

I think that a better way of doing this would be to base that logic on the complianceDistribution and vulnerabilityDistribution fields from the Twistlock report, as they provide exact counts of findings for each severity level. Extract from an example report:

"complianceDistribution": {
    "critical": 0,
    "high": 1,
    "medium": 0,
    "low": 0,
    "total": 1
},
"vulnerabilityDistribution": {
    "critical": 0,
    "high": 0,
    "medium": 2,
    "low": 2,
    "total": 4
}
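The distribution-based check proposed in this issue, written out as an added example (in Python rather than the plugin's shell, and not code from the plugin itself). It assumes the report layout the issue quotes (`[0].info.complianceDistribution` / `[0].info.vulnerabilityDistribution`) and treats a threshold as "fail if any finding is at or above that severity"; the sample report below is constructed from the numbers in the issue.

```python
import json

# Severity names the plugin accepts, ordered from least to most severe.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed sample report shaped like the twistcli output quoted in the issue
# ([0].info.<field>). The risk scores are made-up large values to show they are
# irrelevant to this check; the distribution counts are the ones from the issue.
SAMPLE_REPORT = json.dumps([{
    "info": {
        "complianceRiskScore": 1234,
        "vulnerabilityRiskScore": 5678,
        "complianceDistribution": {"critical": 0, "high": 1, "medium": 0, "low": 0, "total": 1},
        "vulnerabilityDistribution": {"critical": 0, "high": 0, "medium": 2, "low": 2, "total": 4},
    }
}])


def count_at_or_above(distribution, threshold):
    """Sum the findings whose severity is >= threshold ('high' counts high + critical)."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError("threshold must be one of " + "|".join(SEVERITY_ORDER))
    start = SEVERITY_ORDER.index(threshold)
    return sum(int(distribution.get(sev, 0)) for sev in SEVERITY_ORDER[start:])


def check_report(report_json, compliance_threshold, vulnerability_threshold):
    """Return {check name: (passed, offending count)} using the distribution fields only."""
    info = json.loads(report_json)[0]["info"]
    checks = (
        ("compliance", "complianceDistribution", compliance_threshold),
        ("vulnerability", "vulnerabilityDistribution", vulnerability_threshold),
    )
    results = {}
    for name, field, threshold in checks:
        offending = count_at_or_above(info.get(field, {}), threshold)
        results[name] = (offending == 0, offending)
    return results


if __name__ == "__main__":
    # With both thresholds at "critical" the sample report passes; at "high"
    # the single high compliance finding fails the compliance check.
    for threshold in ("critical", "high"):
        for name, (ok, n) in check_report(SAMPLE_REPORT, threshold, threshold).items():
            status = "PASSED" if ok else f"FAILED ({n} finding(s) at or above {threshold})"
            print(f"{name} threshold={threshold}: {status}")
```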