add aqua vulnerabilities format (#12000)

* add aqua scan format report for api v2

* fix ruff

* Update aqua.md

---------

Co-authored-by: kzzz1 <karine.desrochers.4@gmail.com>

Author: kzzz1

docs/content/en/connecting_your_tools/parsers/file/aqua.md

@@ -2,7 +2,37 @@
 title: "Aqua"
 toc_hide: true
 ---
-JSON report format.
+
+### File Types
+DefectDojo parser accepts JSON report format.
+
+See Aqua documention: https://docs.aquasec.com
+
+### CI/CD Scans
+Aqua scanning can be integrated with several types of third-party CI/CD systems. 
+
+If there is no plugin available for a particular development tool, Aqua can be integrated with the CI/CD pipeline using Scanner CLI.
+
+CI/CD scans produces JSON scan reports that are supported by the parser. With this kind of report, the parser is able to retrieve vulnerabilities as well as sensitive datas.
+
+### REST API
+
+You can also retrieve the JSON directly from Aqua if you use one of the following endpoint:
+
+-	`/api/v1/scanner/registry/<registryName>/image/<imageName>/scan_result`
+
+-	`/api/v2/risks/vulnerabilities`
+
+Example
+```
+curl -X GET <aquaseceurl>/api/v1/scanner/registry/<registryName>/image/<imageName>/scan_result > report.json
+```
+
+```
+curl -X GET <aquaseceurl>/api/v2/risks/vulnerabilities?show_negligible=true&image_name_exact_match=true&registry_name=<registryName>&image_name=<imageName> > report.json
+```
+
+Those JSON files will only list vulnerabilities. Thus, DefectDojo parser will not retrieve findings such as sensitive datas.
 
 ### Sample Scan Data
-Sample Aqua scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/aqua).
+Sample Aqua scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/aqua).

dojo/tools/aqua/parser.py

@@ -107,13 +107,16 @@ def get_findings(self, json_output, test):
 
     def get_items(self, tree, test):
         self.items = {}
-        if isinstance(tree, list):  # Aqua Scan Report coming from Azure Devops jobs.
+        if isinstance(tree, list):  # Aqua Scan Report coming from Azure Devops jobs (Windows based image)
             vulnerabilitytree = tree[0]["results"]["resources"] if tree else []
             self.vulnerability_tree(vulnerabilitytree, test)
-        elif "resources" in tree:  # Aqua Scan Report not from Azure Devops jobs.
+        elif "resources" in tree:   # CICD Scan Report
             vulnerabilitytree = tree["resources"]
             self.vulnerability_tree(vulnerabilitytree, test)
-        elif "cves" in tree:       # Aqua Scan Report not from Azure Devops jobs.
+        elif "result" in tree:     # Aqua Scan Report from apiv2
+            resulttree = tree["result"]
+            self.result_tree(resulttree, test)
+        elif "cves" in tree:       # Aqua Scan Report from apiv1
             for cve in tree["cves"]:
                 unique_key = cve.get("file") + cve.get("name")
                 self.items[unique_key] = get_item_v2(cve, test)
@@ -137,6 +140,13 @@ def vulnerability_tree(self, vulnerabilitytree, test):
                 unique_key = resource.get("cpe") + resource.get("path", "None") + str(sensitive_item)
                 self.items[unique_key] = item
 
+    def result_tree(self, resulttree, test):
+        for vuln in resulttree:
+            resource = vuln.get("resource")
+            item = get_item(resource, vuln, test)
+            unique_key = resource.get("cpe") + vuln.get("name", "None") + resource.get("path", "None")
+            self.items[unique_key] = item
+
 
 def get_item(resource, vuln, test):
     resource_name = resource.get("name", resource.get("path"))