trivy: map status field

docs/content/en/connecting_your_tools/parsers/file/trivy.md

@@ -4,5 +4,22 @@ toc_hide: true
 ---
 JSON report of [trivy scanner](https://github.com/aquasecurity/trivy).
 
+The [status](https://trivy.dev/latest/docs/configuration/filtering/) field in Trivy is mapped to the Defect Dojo status flags in the following way:
+
+| Trivy Status         | Active | Verified | Mitigated | Remarks                                                                                                         |
+|----------------------|--------|----------|-----------|-----------------------------------------------------------------------------------------------------------------|
+| unknown              | True   | False    | False     | use default value for active which is usually True                                                              |
+| not_affected         | False  | True     | True      | false positive is the most appropriate status for not affected as out of scope might be interpreted as something else |
+| affected             | True   | True     | False     | standard case                                                                                                   |
+| fixed                | True   | True     | False     | fixed in this context means that there is a fix available by patching/updating/upgrading the package but it's still active and verified |
+| under_investigation  | True   | False    | False     | no status flag in Defect Dojo to capture this, but verified is False                                            |
+| will_not_fix         | True   | True     | False     | no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor; we can't set active to False as the user needs to risk accept this finding |
+| fix_deferred         | True   | True     | False     | no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor; we can't set active to False as the user needs to (temporarily) risk accept this finding |
+| end_of_life          | True   | True     | False     | no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor; we can't set active to False as the user needs to (temporarily) risk accept
+
+The status field contains the status as assigned by the OS/Package vendor such as Red Hat, Debian, etc.
+It is recommended to assess the appropriate action in your Product's context.
+If you want to exclude certain status from being imported into Defect Dojo, please [filter them in the export from Trivy](https://trivy.dev/latest/docs/configuration/filtering/)
+
 ### Sample Scan Data
-Sample Trivy scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/trivy).
+Sample Trivy scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/trivy)

dojo/tools/trivy/parser.py

@@ -66,6 +66,85 @@ def convert_cvss_score(self, raw_value):
             return "High"
         return "Critical"
 
+    def convert_trivy_status(self, trivy_status: str) -> dict:
+        """
+        Determine status fields based on Trivy status
+
+        From: https://trivy.dev/v0.54/docs/configuration/filtering/
+
+        Trivy has a Status field based on VEX vulnerability statuses. Please not these are statuses based on the vulnerability advisories by OS vendors such as Debian, RHEL, etc.
+
+        - `unknown`
+        - `not_affected`: this package is not affected by this vulnerability on this platform
+        - `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
+        - `fixed`: this vulnerability is fixed on this platform
+        - `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
+        - `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
+        - `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
+        - `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed
+
+
+        Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
+        These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.
+
+        Some statuses are supported in limited distributions.
+
+        |     OS     | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
+        |:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
+        |   Debian   |   ✓   |    ✓     |                     |              |      ✓       |      ✓      |
+        |    RHEL    |   ✓   |    ✓     |          ✓          |      ✓       |      ✓       |      ✓      |
+        | Other OSes |   ✓   |    ✓     |                     |              |              |             |
+        """
+        status_mapping = {
+            "unknown": {
+                # use default value for active which is usually True
+                "verified": False,
+            },
+            "not_affected": {
+                # false positive is the most appropriate status for not affected as out of scope might be interpreted as something else
+                "active": False,
+                "verified": True,
+                "is_mitigated": True,
+            },
+            "affected": {
+                # standard case
+                "active": True,
+                "verified": True,
+            },
+            "fixed": {
+                # fixed in this context means that there is a fix available by patching/updating/upgrading the package
+                # but it's still active and verified
+                "active": True,
+                "verified": True,
+            },
+            "under_investigation": {
+                # no status flag in Defect Dojo to capture this, but verified is False
+                "active": True,
+                "verified": False,
+            },
+            "will_not_fix": {
+                # no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor
+                # we can't set active to False as the user needs to risk accept this finding
+                "active": True,
+                "verified": True,
+            },
+            "fix_deferred": {
+                # no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor
+                # we can't set active to False as the user needs to (temporarily) risk accept this finding
+                "active": True,
+                "verified": True,
+            },
+            "end_of_life": {
+                # no different from affected as Defect Dojo doesn't have a flag to capture will_not_fix by OS/Package Vendor
+                # we can't set active to False as the user needs to (temporarily) risk accept this finding
+                "active": True,
+                "verified": True,
+            },
+        }
+
+        # default is to fallback to default Defect Dojo behaviour which takes scan parameters into account
+        return status_mapping.get(trivy_status, {})
+
     def get_findings(self, scan_file, test):
         scan_data = scan_file.read()
 
@@ -194,6 +273,8 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                 package_version = vuln.get("InstalledVersion", "")
                 references = "\n".join(vuln.get("References", []))
                 mitigation = vuln.get("FixedVersion", "")
+                impact = vuln.get("Status", "")
+                status_fields = self.convert_trivy_status(vuln.get("Status", ""))
                 cwe = int(vuln["CweIDs"][0].split("-")[1]) if len(vuln.get("CweIDs", [])) > 0 else 0
                 vul_type = target_data.get("Type", "")
                 title = f"{vuln_id} {package_name} {package_version}"
@@ -212,6 +293,7 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     file_path=file_path,
                     references=references,
                     description=description,
+                    impact=impact,
                     mitigation=mitigation,
                     component_name=package_name,
                     component_version=package_version,
@@ -220,6 +302,7 @@ def get_result_items(self, test, results, service_name=None, artifact_name=""):
                     dynamic_finding=False,
                     tags=[vul_type, target_class],
                     service=service_name,
+                    **status_fields,
                 )
 
                 if vuln_id: