
Comments (19)

wtomw avatar wtomw commented on July 21, 2024

Hello @zhongyi-zhang ,

SubAssessments API is yet to support resource filtering.
For a specific repository or image scan findings, I would recommend using Azure resource graph (ARG) resource query API.

You can use this guide as a reference for Image scan findings extraction using ARG query API.

from microsoft-defender-for-cloud.

zhongyi-zhang avatar zhongyi-zhang commented on July 21, 2024

Hi @wtomw, thanks for the pointers! Appreciate it! The guide is very helpful. I can get the data I expect to get. The only problem is that it can return at most 1000 rows. That's fine. I'd like to remediate the vulnerabilities one by one until all of them are resolved...
One more question: what's the least permission to assign to a service principal so that it can call the ARG REST API? Hope it doesn't require a permission as large as subscription contributor...


wtomw avatar wtomw commented on July 21, 2024

Hi @zhongyi-zhang,
The ARG REST API supports paging, so you can use that to extract all the records.

As for the ARG REST API permission requirements, you can read more here, which should be correlated to the Azure Security Center permission requirements, which you can read more on here.


zhongyi-zhang avatar zhongyi-zhang commented on July 21, 2024

@wtomw thanks for the prompt reply!
Yeah, I found the $skipToken for paging in the doc. But somehow the response to my request doesn't return $skipToken, and returns "resultTruncated": "true". The result is indeed not complete, since the response shows "totalRecords": 8585, "count": 1000. Is there any required parameter to enable paging?


wtomw avatar wtomw commented on July 21, 2024

@zhongyi-zhang
ARG REST API query paging can be found in the query request options here.


zhongyi-zhang avatar zhongyi-zhang commented on July 21, 2024

@wtomw yes, I even tried adding the same options:

"options": {
      "$top": 3,
      "$skip": 0
}

Then I got:

{
"totalRecords": 8585,
"count": 3,
"data": "<a-lot-of-rows>",
"facets": [],
"resultTruncated": "true"
}

No "$skipToken" returned.

This is my script:

DATA='{
  "subscriptions": [ <mySub> ],
  "query":"<myQuery>",
  "options": {
    "$top": 3,
    "$skip": 0
  }
}'
curl \
  -H "Content-Type:application/json" \
  -H "Authorization: Bearer ${accessToken}" \
  -d "${DATA}" \
  "https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2019-04-01"


YuriDio avatar YuriDio commented on July 21, 2024

Looks like @wtomw addressed the question from the ASC perspective; now it is more an ARG question, and @wtomw provided the ARG documentation link.


gadinaor avatar gadinaor commented on July 21, 2024

@wtomw is there any update/ETA for a reasonable REST API to obtain findings for a given image ID?

I am looking for something that's similar to https://docs.aws.amazon.com/cli/latest/reference/ecr/describe-image-scan-findings.html


wtomw avatar wtomw commented on July 21, 2024

@gadinaor, the way to extract findings for a specific image is to use the Azure Resource Graph (ARG) resource query API.

You can use this guide as a reference for Image scan findings extraction using ARG query API.

Unfortunately, currently there is no support for filtering a specific image using the Sub Assessment REST API.


gadinaor avatar gadinaor commented on July 21, 2024

@wtomw so, I am down this rabbit 🐇 hole ... and the ARG query I have, based on the guide you shared, doesn't return the package name as a structured field (see info below). Am I missing anything? If not, what's the plan to add this field to the returned object?

My query:

securityresources
| where type == "microsoft.security/assessments"
//| where properties.displayName contains "Vulnerabilities in Azure Container Registry images should be remediated"
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
    securityresources
     | where type == "microsoft.security/assessments/subassessments"
     | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
 ) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| where properties.additionalData.imageDigest == "sha256:4343f035d365cc3968f4276e712dbb42908de6f5538611668b03b7b69c142593"
| extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData,
         repositoryName = properties.additionalData.repositoryName,
         imageDigest = properties.additionalData.imageDigest

Here's the properties object returned from this query:

{
    "description": "Debian has released security update for systemd to fix the vulnerabilities.<P>",
    "displayName": "Debian Security Update for systemd",
    "resourceDetails": {
        "source": "Azure",
        "id": "/repositories/myrepo/manyvuln/images/sha256:4343f035d365cc3968f4276e712dbb42908de6f5538611668b03b7b69c142593"
    },
    "additionalData": {
        "assessedResourceType": "ContainerRegistryVulnerability",
        "vendorReferences": [
            {
                "title": "CVE-2018-1049",
                "link": "https://security-tracker.debian.org/tracker/CVE-2018-1049"
            },
            {
                "title": "CVE-2018-15686",
                "link": "https://security-tracker.debian.org/tracker/CVE-2018-15686"
            }
        ],
        "publishedTime": "2019-05-06T10:54:00.0000000Z",
        "patchable": true,
        "type": "Vulnerability",
        "cvss": {
            "2.0": {
                "base": 10
            },
            "3.0": {
                "base": 9.8
            }
        },
        "cve": [
            {
                "title": "CVE-2018-1049",
                "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1049"
            },
            {
                "title": "CVE-2018-15686",
                "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686"
            }
        ],
        "repositoryName": "myrepo/manyvuln",
        "registryHost": "myregistry.azurecr.io",
        "imageDigest": "sha256:4343f035d365cc3968f4276e712dbb42908de6f5538611668b03b7b69c142593"
    },
    "status": {
        "severity": "High",
        "code": "Unhealthy"
    },
    "timeGenerated": "2020-10-17T07:35:03.4900000Z",
    "remediation": "Refer to <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">Debian 9 - CVE-2018-15686</A> and <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-1049\" TARGET=\"_blank\">Debian 9 - CVE-2018-1049</A> to address this issue and obtain further details.\n<P>Patch:<BR>\nFollowing are links for downloading patches to fix the vulnerabilities:\n<P> <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">CVE-2018-15686: Debian</A><P> <A HREF=\"https://security-tracker.debian.org/tracker/https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">CVE-2018-1049: Debian</A>",
    "category": "Debian",
    "id": "176875",
    "impact": "This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability."
}

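Putting the paging options discussed above together with the subassessment shape returned by the posted query, as an added Python example that is not from this thread or the Defender for Cloud project: it follows `$skipToken` when a response carries one, falls back to advancing `$skip` by the returned `count` when `resultTruncated` is set without a token, and flattens each row to the fields a triage list needs. `fake_post` and `SAMPLE_PAGES` are constructed stand-ins for the curl call; the token handling and the offset fallback are assumptions about the API, not something the thread confirms.

```python
"""Page through an Azure Resource Graph (ARG) query and flatten subassessment rows."""

# Constructed pages in the response shape shown in the thread (totalRecords/count/
# data/resultTruncated); page 1 carries a $skipToken, page 2 does not.
SAMPLE_PAGES = {
    None: {"totalRecords": 3, "count": 2, "$skipToken": "tok-1", "resultTruncated": "true",
           "data": [
               {"name": "k1", "properties": {"displayName": "Debian Security Update for systemd",
                "status": {"severity": "High", "code": "Unhealthy"},
                "additionalData": {"cve": [{"title": "CVE-2018-1049"}, {"title": "CVE-2018-15686"}],
                                   "cvss": {"3.0": {"base": 9.8}}, "patchable": True,
                                   "registryHost": "myregistry.azurecr.io",
                                   "repositoryName": "myrepo/manyvuln", "imageDigest": "sha256:4343f0"}}},
               {"name": "k2", "properties": {"displayName": "Example finding 2",
                "status": {"severity": "Medium"},
                "additionalData": {"cve": [{"title": "CVE-2020-0001"}], "cvss": {}, "patchable": False}}}]},
    "tok-1": {"totalRecords": 3, "count": 1, "resultTruncated": "false",
              "data": [{"name": "k3", "properties": {"displayName": "Example finding 3",
                        "status": {"severity": "Low"}, "additionalData": {"cve": []}}}]},
}

def fake_post(body):
    """Stand-in for the curl POST in the thread: serves the page for the request's $skipToken."""
    return SAMPLE_PAGES[body["options"].get("$skipToken")]

def fetch_all_rows(post, body, page_size=1000):
    """Collect every row: follow $skipToken when returned, else advance $skip by count.
    Stops when the response is not truncated, totalRecords is reached, or no progress is made."""
    rows, options = [], {**body.get("options", {}), "$top": page_size}
    while True:
        page = post({**body, "options": options})
        rows.extend(page.get("data", []))
        total = page.get("totalRecords", len(rows))
        if page.get("$skipToken"):                       # continuation token (assumed opaque)
            options["$skipToken"] = page["$skipToken"]
        elif str(page.get("resultTruncated")).lower() == "true" and len(rows) < total:
            options["$skip"] = options.get("$skip", 0) + page.get("count", 0)  # offset fallback
        else:
            return rows
        if not page.get("count"):
            return rows                                  # empty page: avoid looping forever

def flatten_finding(row):
    """Pull the fields a triage sheet needs out of one subassessment row."""
    p, ad = row["properties"], row["properties"].get("additionalData", {})
    return {"key": row["name"], "title": p.get("displayName"),
            "severity": p.get("status", {}).get("severity"),
            "cves": [c["title"] for c in ad.get("cve", [])],
            "cvss3": ad.get("cvss", {}).get("3.0", {}).get("base"),
            "patchable": ad.get("patchable"),
            "image": "{}/{}@{}".format(ad.get("registryHost"), ad.get("repositoryName"), ad.get("imageDigest"))}

def triage(post, body):
    return [flatten_finding(r) for r in fetch_all_rows(post, body)]
```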

wtomw avatar wtomw commented on July 21, 2024

@gadinaor, what do you mean by package name? Which property is missing?


gadinaor avatar gadinaor commented on July 21, 2024

@wtomw in the example above ... the findings are on the systemd package. It's noted in the description field; however, there is no field in the properties where this information is available. Normally, the information includes the vulnerable package name and vulnerable package version.


wtomw avatar wtomw commented on July 21, 2024

@gadinaor, currently there is no property in the SubAssessment object that reflects the specific package the vulnerability is related to.


sean-keane25 avatar sean-keane25 commented on July 21, 2024

Knowing the specific package and version the vulnerability was found for in a container image is a crucial piece of information so that you can address the vulnerability. Are there any plans to add this information to the SubAssessment Object?


wtomw avatar wtomw commented on July 21, 2024

@sean-keane25, the package details are available in the finding's description. Currently we don't have a dedicated property for package version.


gadinaor avatar gadinaor commented on July 21, 2024

@wtomw - is there an open issue for this? Or shall I create one?


sean-keane25 avatar sean-keane25 commented on July 21, 2024

@wtomw I do not see the package details in the findings description. Even in the example @gadinaor posted above I do not see this information. Perhaps I am missing something?


wtomw avatar wtomw commented on July 21, 2024

@sean-keane25, are you referring perhaps to specifying the layer on which the findings were found? If so, this is in our plans, no ETA at the moment.


wtomw avatar wtomw commented on July 21, 2024

@gadinaor, you can add a dedicated affected-package property as a feature request.

