Merge pull request #51 from devtron-labs/release-candidate-v0.17.0

Release candidate v0.17.0

Author: vikramdevtron

internal/step-lib/util/common-util/util.go

@@ -69,6 +69,12 @@ func ReadFile(fileName string) ([]byte, error) {
 func ParseJsonTemplate(inputTemplate string, data []byte) (string, error) {
 	tmpl := template.Must(template.New("").Funcs(template.FuncMap{
 		"add": func(a, b int) int { return a + b },
+		"len": func(sliceIf interface{}) int {
+			if slice, ok := sliceIf.([]any); ok {
+				return len(slice)
+			}
+			return 0
+		},
 	}).Parse(inputTemplate))
 	jsonMap := map[string]interface{}{}
 	err := json.Unmarshal(data, &jsonMap)

pkg/security/ImageScanService.go

@@ -274,6 +274,7 @@ func (impl *ImageScanServiceImpl) RegisterScanExecutionHistoryAndState(scanEvent
 		impl.Logger.Errorw("Failed to save executionHistory", "err", err, "model", executionHistoryModel)
 		return nil, executionHistoryDirPath, err
 	}
+
 	// creating folder for storing all details if not exist
 	isExist, err := helper.DoesFileExist(bean.ScanOutputDirectory)
 	if err != nil {
@@ -509,9 +510,9 @@ func (impl *ImageScanServiceImpl) ConvertEndStepOutputAndSaveVulnerabilities(ste
 	for _, vul := range uniqueVulnerabilityMap {
 		if val, ok := allSavedCvesMap[vul.Name]; ok {
 			// updating cve here if vulnerability has a new severity
-			vulnerabilitySeverity := bean.SeverityStringToEnum(bean.ConvertToLowerCase(vul.Severity))
-			if vulnerabilitySeverity != val.Severity {
-				val.UpdateNewSeverityInCveStore(vulnerabilitySeverity, userId)
+			vulnerabilityStandardSeverity := bean.StandardSeverityStringToEnum(bean.ConvertToLowerCase(vul.Severity))
+			if vulnerabilityStandardSeverity != val.GetSeverity() {
+				val.UpdateNewSeverityInCveStore(vul.Severity, userId)
 				cvesToUpdate = append(cvesToUpdate, val)
 			}
 		} else {
@@ -522,7 +523,7 @@ func (impl *ImageScanServiceImpl) ConvertEndStepOutputAndSaveVulnerabilities(ste
 
 	imageScanExecutionResults := make([]*repository.ImageScanExecutionResult, 0, len(vulnerabilities))
 	for _, vul := range vulnerabilities {
-		imageScanExecutionResult := createImageScanExecutionResultObject(executionHistoryId, vul.Name, vul.Package, vul.PackageVersion, vul.FixedInVersion, tool.Id)
+		imageScanExecutionResult := createImageScanExecutionResultObject(executionHistoryId, vul.Name, vul.Package, vul.PackageVersion, vul.FixedInVersion, vul.Class, vul.Type, vul.TargetName, tool.Id)
 		imageScanExecutionResults = append(imageScanExecutionResults, imageScanExecutionResult)
 	}
 	tx, err := impl.CveStoreRepository.GetConnection().Begin()
@@ -562,7 +563,7 @@ func (impl *ImageScanServiceImpl) ConvertEndStepOutputAndSaveVulnerabilities(ste
 }
 
 func isV1Template(resultDescriptorTemplate string) bool {
-	var mappings []bean.Mapping
+	var mappings []map[string]interface{}
 	err := json.Unmarshal([]byte(resultDescriptorTemplate), &mappings)
 	return err != nil && isValidGoTemplate(resultDescriptorTemplate) //checking error too because our new result descriptor template can pass go templating too as it contains a simple json
 }
@@ -593,33 +594,46 @@ func (impl *ImageScanServiceImpl) getImageScanOutputObjectsV1(stepOutput []byte,
 
 func (impl *ImageScanServiceImpl) getImageScanOutputObjectsV2(stepOutput []byte, resultDescriptorTemplate string) ([]*bean.ImageScanOutputObject, error) {
 	var vulnerabilities []*bean.ImageScanOutputObject
-	var mappings []bean.Mapping
+	var mappings []map[string]interface{}
 	err := json.Unmarshal([]byte(resultDescriptorTemplate), &mappings)
 	if err != nil {
 		impl.Logger.Errorw("error in un-marshaling result descriptor template", "err", err, "resultDescriptorTemplate", resultDescriptorTemplate)
 		return nil, err
 	}
-	var processArray func(mapping bean.Mapping, value gjson.Result)
-	processArray = func(mapping bean.Mapping, value gjson.Result) {
+	var processArray func(mapping map[string]interface{}, value gjson.Result)
+	processArray = func(mapping map[string]interface{}, value gjson.Result) {
+		vulnerabilitiesPath := mapping[bean.MappingKeyPathToVulnerabilitiesArray].(string)
+		vulnerabilityDataKeyPathsMap := mapping[bean.MappingKeyPathToVulnerabilityDataKeys].(map[string]interface{})
+		resultDataKeyPathsMap := mapping[bean.MappingKeyPathToResultDataKeys].(map[string]interface{})
+
 		value.ForEach(func(_, nestedValue gjson.Result) bool {
-			if nestedValue.IsArray() {
-				// if the nested value is an array, recursively process it
-				processArray(mapping, nestedValue)
-			} else {
-				vulnerability := &bean.ImageScanOutputObject{
-					Name:           nestedValue.Get(mapping[bean.MappingKeyName]).String(),
-					Package:        nestedValue.Get(mapping[bean.MappingKeyPackage]).String(),
-					PackageVersion: nestedValue.Get(mapping[bean.MappingKeyPackageVersion]).String(),
-					FixedInVersion: nestedValue.Get(mapping[bean.MappingKeyFixedInVersion]).String(),
-					Severity:       nestedValue.Get(mapping[bean.MappingKeySeverity]).String(),
+			targetName, class, resType := "", "", ""
+			if nestedValue.IsObject() {
+				targetName, class, resType = nestedValue.Get(resultDataKeyPathsMap[bean.MappingTarget].(string)).String(), nestedValue.Get(resultDataKeyPathsMap[bean.MappingClass].(string)).String(), nestedValue.Get(resultDataKeyPathsMap[bean.MappingType].(string)).String()
+
+				if nestedValue.Get(vulnerabilitiesPath).IsArray() {
+					nestedValue.Get(vulnerabilitiesPath).ForEach(func(_, vul gjson.Result) bool {
+						vulnerability := &bean.ImageScanOutputObject{
+							Name:           vul.Get(vulnerabilityDataKeyPathsMap[bean.MappingKeyName].(string)).String(),
+							Package:        vul.Get(vulnerabilityDataKeyPathsMap[bean.MappingKeyPackage].(string)).String(),
+							PackageVersion: vul.Get(vulnerabilityDataKeyPathsMap[bean.MappingKeyPackageVersion].(string)).String(),
+							FixedInVersion: vul.Get(vulnerabilityDataKeyPathsMap[bean.MappingKeyFixedInVersion].(string)).String(),
+							Severity:       vul.Get(vulnerabilityDataKeyPathsMap[bean.MappingKeySeverity].(string)).String(),
+							TargetName:     targetName,
+							Class:          class,
+							Type:           resType,
+						}
+						vulnerabilities = append(vulnerabilities, vulnerability)
+						return true
+					})
 				}
-				vulnerabilities = append(vulnerabilities, vulnerability)
 			}
 			return true
 		})
 	}
+
 	for _, mapping := range mappings {
-		result := gjson.Get(string(stepOutput), mapping[bean.MappingKeyPathToVulnerabilitiesArray])
+		result := gjson.Get(string(stepOutput), mapping[bean.MappingKeyPathToResultsArray].(string))
 		if !result.Exists() {
 			continue
 		}
@@ -734,13 +748,13 @@ func (impl *ImageScanServiceImpl) CreateScanExecutionRegistryForClairV4(vs []*cl
 			cvesToBeSaved = append(cvesToBeSaved, cveStore)
 		} else {
 			// updating cve here if vulnerability has a new severity
-			vulnerabilitySeverity := bean.SeverityStringToEnum(bean.ConvertToLowerCase(item.Severity))
-			if vulnerabilitySeverity != cveStore.Severity {
-				cveStore.UpdateNewSeverityInCveStore(vulnerabilitySeverity, userId)
+			vulnerabilityStandardSeverity := bean.StandardSeverityStringToEnum(bean.ConvertToLowerCase(item.Severity))
+			if vulnerabilityStandardSeverity != cveStore.GetSeverity() {
+				cveStore.UpdateNewSeverityInCveStore(item.Severity, userId)
 				cvesToUpdate = append(cvesToUpdate, cveStore)
 			}
 		}
-		imageScanExecutionResult := createImageScanExecutionResultObject(executionHistory.Id, item.Name, item.Package.Name, item.Package.Version, item.FixedInVersion, toolId)
+		imageScanExecutionResult := createImageScanExecutionResultObject(executionHistory.Id, item.Name, item.Package.Name, item.Package.Version, item.FixedInVersion, "", "", "", toolId)
 		imageScanExecutionResultsToBeSaved = append(imageScanExecutionResultsToBeSaved, imageScanExecutionResult)
 	}
 	tx, err := impl.CveStoreRepository.GetConnection().Begin()
@@ -797,13 +811,13 @@ func (impl *ImageScanServiceImpl) CreateScanExecutionRegistryForClairV2(vs []*cl
 			cvesToBeSaved = append(cvesToBeSaved, cveStore)
 		} else {
 			// updating cve here if vulnerability has a new severity
-			vulnerabilitySeverity := bean.SeverityStringToEnum(bean.ConvertToLowerCase(item.Severity))
-			if vulnerabilitySeverity != cveStore.Severity {
-				cveStore.UpdateNewSeverityInCveStore(vulnerabilitySeverity, userId)
+			vulnerabilityStandardSeverity := bean.StandardSeverityStringToEnum(bean.ConvertToLowerCase(item.Severity))
+			if vulnerabilityStandardSeverity != cveStore.GetSeverity() {
+				cveStore.UpdateNewSeverityInCveStore(item.Severity, userId)
 				cvesToUpdate = append(cvesToUpdate, cveStore)
 			}
 		}
-		imageScanExecutionResult := createImageScanExecutionResultObject(executionHistory.Id, item.Name, item.FeatureName, item.FeatureVersion, item.FixedBy, toolId)
+		imageScanExecutionResult := createImageScanExecutionResultObject(executionHistory.Id, item.Name, item.FeatureName, item.FeatureVersion, item.FixedBy, "", "", "", toolId)
 		imageScanExecutionResultsToBeSaved = append(imageScanExecutionResultsToBeSaved, imageScanExecutionResult)
 	}
 	tx, err := impl.CveStoreRepository.GetConnection().Begin()

pkg/security/helper.go

@@ -13,18 +13,21 @@ func createCveStoreObject(name, version, fixedInVersion, severity string, userId
 	}
 	lowerCaseSeverity := bean.ConvertToLowerCase(severity)
 	cveStore.Severity = bean.SeverityStringToEnum(lowerCaseSeverity)
-	cveStore.StandardSeverity = bean.StandardSeverityStringToEnum(lowerCaseSeverity)
+	cveStore.SetStandardSeverity(bean.StandardSeverityStringToEnum(lowerCaseSeverity))
 	cveStore.CreateAuditLog(userId)
 	return cveStore
 }
 
-func createImageScanExecutionResultObject(executionHistoryId int, vulName, packageName, version, fixedInVersion string, toolId int) *repository.ImageScanExecutionResult {
+func createImageScanExecutionResultObject(executionHistoryId int, vulName, packageName, version, fixedInVersion, className, typeName, targetName string, toolId int) *repository.ImageScanExecutionResult {
 	return &repository.ImageScanExecutionResult{
 		ImageScanExecutionHistoryId: executionHistoryId,
 		CveStoreName:                vulName,
 		Package:                     packageName,
 		ScanToolId:                  toolId,
 		Version:                     version,
 		FixedVersion:                fixedInVersion,
+		Target:                      targetName,
+		Type:                        typeName,
+		Class:                       className,
 	}
 }

pkg/security/imageScanService_test.go

@@ -0,0 +1,65 @@
+package security
+
+import (
+	"fmt"
+	"github.com/devtron-labs/image-scanner/pkg/logger"
+	"github.com/tidwall/gjson"
+	"os"
+	"testing"
+)
+
+const jsonKeys = "[    \n      { \n        \"pathToResultArray\": \"Results\",\n        \"pathToVulnerabilitiesArray\": \"Vulnerabilities\",\n        \"vulnerabilityData\":{\n       \t\t\"name\": \"VulnerabilityID\",\n        \t\"package\": \"PkgName\", \n        \t\"packageVersion\": \"InstalledVersion\",\n        \t\"fixedInVersion\": \"FixedVersion\",\n        \t\"severity\": \"Severity\"\n        },\n        \"resultData\":{\n  \t\t\t\"target\":\"Target\",\n        \t\"class\":\"Class\",\n        \t\"type\":\"Type\"   \n       }\n      }\n]"
+
+func TestScan(t *testing.T) {
+	bytes, err := os.ReadFile("testTrivyScanResultV2.json")
+	if err != nil {
+		t.Fail()
+	}
+
+	logger, _ := logger.InitLogger()
+	impl := ImageScanServiceImpl{Logger: logger}
+	out, err := impl.getImageScanOutputObjectsV2(bytes, jsonKeys)
+	fmt.Println(out, err)
+	if err != nil || len(out) == 0 {
+		t.Fail()
+	}
+
+	cnt, err := countVuln(bytes)
+	if err != nil {
+		t.Fail()
+	}
+
+	if cnt != len(out) {
+		t.Fail()
+	}
+}
+
+func countVuln(jsonStr []byte) (int, error) {
+	result := gjson.Get(string(jsonStr), "Results")
+	if !result.Exists() {
+		return 0, nil
+	}
+
+	targetCountMap := make(map[string]int)
+
+	result.ForEach(func(_, nestedValue gjson.Result) bool {
+		if nestedValue.IsObject() {
+			count := 0
+			targetName := nestedValue.Get("Target").String()
+			if nestedValue.Get("Vulnerabilities").IsArray() {
+				nestedValue.Get("Vulnerabilities").ForEach(func(_, vul gjson.Result) bool {
+					count++
+					return true
+				})
+			}
+			targetCountMap[targetName] += count
+		}
+		return true
+	})
+
+	count := 0
+	for _, cnt := range targetCountMap {
+		count += cnt
+	}
+	return count, nil
+}

pkg/sql/bean/bean.go

@@ -50,6 +50,9 @@ const (
 )
 
 type ImageScanOutputObject struct {
+	TargetName     string `json:"targetName"`
+	Class          string `json:"class"`
+	Type           string `json:"type"`
 	Name           string `json:"name"`
 	Package        string `json:"package"`
 	PackageVersion string `json:"packageVersion"`
@@ -61,12 +64,18 @@ type ImageScanOutputObject struct {
 type Mapping map[string]string
 
 const (
-	MappingKeyPathToVulnerabilitiesArray = "pathToVulnerabilitiesArray"
-	MappingKeyName                       = "name"
-	MappingKeyPackage                    = "package"
-	MappingKeyPackageVersion             = "packageVersion"
-	MappingKeyFixedInVersion             = "fixedInVersion"
-	MappingKeySeverity                   = "severity"
+	MappingKeyPathToResultDataKeys        = "resultData"
+	MappingKeyPathToVulnerabilityDataKeys = "vulnerabilityData"
+	MappingKeyPathToResultsArray          = "pathToResultArray"
+	MappingKeyPathToVulnerabilitiesArray  = "pathToVulnerabilitiesArray"
+	MappingKeyName                        = "name"
+	MappingKeyPackage                     = "package"
+	MappingKeyPackageVersion              = "packageVersion"
+	MappingKeyFixedInVersion              = "fixedInVersion"
+	MappingKeySeverity                    = "severity"
+	MappingTarget                         = "target"
+	MappingType                           = "type"
+	MappingClass                          = "class"
 )
 
 type Severity int
@@ -78,6 +87,7 @@ const (
 	LOW      string = "low"
 	MEDIUM   string = "medium"
 	MODERATE string = "moderate"
+	UNKNOWN  string = "unknown"
 )
 
 const (
@@ -86,10 +96,11 @@ const (
 	Critical
 	High
 	Safe
+	Unknown
 )
 
 func (sev Severity) String() string {
-	return [...]string{"low", "medium", "critical", "high", "safe"}[sev]
+	return [...]string{LOW, MEDIUM, CRITICAL, HIGH, SAFE, UNKNOWN}[sev]
 }
 func ConvertToLowerCase(input string) string {
 	return strings.ToLower(input)
@@ -98,24 +109,29 @@ func ConvertToLowerCase(input string) string {
 func SeverityStringToEnum(severity string) Severity {
 	if severity == LOW || severity == SAFE {
 		return Low
-	} else if severity == MEDIUM {
+	} else if severity == MEDIUM || severity == MODERATE {
 		return Medium
 	} else if severity == HIGH || severity == CRITICAL {
 		return Critical
+	} else if severity == UNKNOWN {
+		return Unknown
 	}
 	return Low
 }
+
 func StandardSeverityStringToEnum(severity string) Severity {
 	if severity == LOW {
 		return Low
-	} else if severity == MEDIUM {
+	} else if severity == MEDIUM || severity == MODERATE {
 		return Medium
 	} else if severity == HIGH {
 		return High
 	} else if severity == CRITICAL {
 		return Critical
 	} else if severity == SAFE {
 		return Safe
+	} else if severity == UNKNOWN {
+		return Unknown
 	}
 	return Low
 }

pkg/sql/repository/CveStoreRepository.go

@@ -24,30 +24,55 @@ import (
 )
 
 type CveStore struct {
-	tableName        struct{}      `sql:"cve_store" pg:",discard_unknown_columns"`
-	Name             string        `sql:"name,pk"`
-	Severity         bean.Severity `sql:"severity,notnull"`
-	Package          string        `sql:"package,notnull"` // deprecated, storing package data in image_scan_execution_result table
-	Version          string        `sql:"version,notnull"`
-	FixedVersion     string        `sql:"fixed_version,notnull"`
-	StandardSeverity bean.Severity `sql:"standard_severity,notnull"`
+	tableName struct{} `sql:"cve_store" pg:",discard_unknown_columns"`
+	Name      string   `sql:"name,pk"`
+
+	// Deprecated: Severity, use StandardSeverity for all read purposes
+	Severity bean.Severity `sql:"severity,notnull"`
+	// Deprecated: Package
+	Package string `sql:"package,notnull"` // deprecated, storing package data in image_scan_execution_result table
+	// Deprecated: Version
+	Version string `sql:"version,notnull"`
+	// Deprecated: FixedVersion
+	FixedVersion string `sql:"fixed_version,notnull"`
+
+	// StandardSeverity is the actual severity. use GetSeverity method to get severity of the vulnerability
+	// earlier severity is maintained in Severity column by merging HIGH and CRITICAL severities.
+	// later we introduced new column StandardSeverity to store raw severity, but didn't migrate the existing Severity data to StandardSeverity.
+	// currently, we deprecated Severity.
+	StandardSeverity *bean.Severity `sql:"standard_severity"`
 	AuditLog
 }
 
+// GetSeverity returns the actual severity of the vulnerability.
+func (cve *CveStore) GetSeverity() bean.Severity {
+	if cve.StandardSeverity == nil {
+		// we need this as there was a time when StandardSeverity didn't exist.
+		// and migration of Severity data to StandardSeverity is not done.
+		return cve.Severity
+	}
+	return *cve.StandardSeverity
+}
+
 func (cve *CveStore) CreateAuditLog(userId int32) {
 	cve.CreatedBy = userId
 	cve.CreatedOn = time.Now()
 	cve.UpdatedBy = userId
 	cve.UpdatedOn = time.Now()
 }
 
-func (cve *CveStore) UpdateNewSeverityInCveStore(severity bean.Severity, userId int32) {
-	cve.Severity = severity
-	cve.StandardSeverity = severity
+func (cve *CveStore) UpdateNewSeverityInCveStore(severity string, userId int32) {
+	lowerCaseSeverity := bean.ConvertToLowerCase(severity)
+	cve.Severity = bean.SeverityStringToEnum(lowerCaseSeverity)
+	cve.SetStandardSeverity(bean.StandardSeverityStringToEnum(lowerCaseSeverity))
 	cve.UpdatedOn = time.Now()
 	cve.UpdatedBy = userId
 }
 
+func (cve *CveStore) SetStandardSeverity(severity bean.Severity) {
+	cve.StandardSeverity = &severity
+}
+
 type CveStoreRepository interface {
 	GetConnection() (dbConnection *pg.DB)
 	Save(model *CveStore) error