Closed
Labels: bug
Description
🐞 Bug report
Describe the bug
We scan a Kubernetes cluster using the trivy k8s command with the flag --scanners=misconfig,rbac, and the hook secureCodeBox/persistence-defectdojo fails with the following error:
```
Exception in thread "main" io.securecodebox.persistence.defectdojo.exception.PersistenceException: Failed to attach findings to engagement.
    at io.securecodebox.persistence.defectdojo.service.DefaultImportScanService.createFindings(DefaultImportScanService.java:124)
    at io.securecodebox.persistence.defectdojo.service.DefaultImportScanService.reimportScan(DefaultImportScanService.java:75)
    at io.securecodebox.persistence.strategies.VersionedEngagementsStrategy.run(VersionedEngagementsStrategy.java:105)
    at io.securecodebox.persistence.DefectDojoPersistenceProvider.main(DefectDojoPersistenceProvider.java:43)
```
Steps To Reproduce
Run trivy scan with the following yaml:
```yaml
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "trivy-k8s"
spec:
  scanType: "trivy-k8s"
  parameters:
    - "--scanners"
    - "misconfig,rbac"
    - "cluster"
```
Check if the hook persistence-defectdojo succeeds.
Expected behavior
The hook should succeed.
System (please complete the following information):
- operator-4.3.0
- trivy-4.3.0
- persistence-defectdojo-4.3.0
Google Kubernetes Engine
```
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.4", GitCommit:"872a965c6c6526caa949f0c6ac028ef7aff3fb78", GitTreeState:"clean", BuildDate:"2022-11-09T13:28:30Z", GoVersion:"go1.19.3", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.10-gke.1101000", GitCommit:"375ed214cfa092ed25d2472c1709db5d7dcda078", GitTreeState:"clean", BuildDate:"2023-11-06T09:23:17Z", GoVersion:"go1.20.10 X:boringcrypto", Compiler:"gc", Platform:"linux/amd64"}
```
Screenshots / Logs
Additional context
Status: Done