Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/improving false positive #66

Merged
merged 6 commits into from
Oct 16, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
SQL "github.com/ZupIT/horusec/development-kit/pkg/databases/relational"
"github.com/ZupIT/horusec/development-kit/pkg/entities/api/dto"
"github.com/ZupIT/horusec/development-kit/pkg/entities/horusec"
horusecEnums "github.com/ZupIT/horusec/development-kit/pkg/enums/horusec"
"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
"github.com/ZupIT/horusec/development-kit/pkg/utils/pagination"
"github.com/google/uuid"
Expand All @@ -26,7 +27,7 @@ import (

type IRepository interface {
ListVulnManagementData(repositoryID uuid.UUID, page, size int, vulnSeverity severity.Severity,
vulnHash string) (vulnManagement dto.VulnManagement, err error)
vulnType horusecEnums.VulnerabilityType, vulnHash string) (vulnManagement dto.VulnManagement, err error)
UpdateVulnType(vulnerabilityID uuid.UUID,
updateTypeData *dto.UpdateVulnType) (*horusec.Vulnerability, error)
GetVulnByID(vulnerabilityID uuid.UUID) (*horusec.Vulnerability, error)
Expand All @@ -44,43 +45,55 @@ func NewManagementRepository(databaseRead SQL.InterfaceRead, databaseWrite SQL.I
}
}

func (r *Repository) ListVulnManagementData(repositoryID uuid.UUID, page, size int,
vulnSeverity severity.Severity, vulnHash string) (vulnManagement dto.VulnManagement, err error) {
query := r.databaseRead.GetConnection().
Select("DISTINCT ON (vulnerabilities.vulnerability_id) vulnerabilities.vulnerability_id," +
" vulnerabilities.type, vulnerabilities.vuln_hash, vulnerabilities.line, vulnerabilities.column," +
" vulnerabilities.confidence, vulnerabilities.file, vulnerabilities.code, vulnerabilities.details," +
" vulnerabilities.security_tool, vulnerabilities.language, vulnerabilities.severity").
Table("analysis").
Joins("JOIN analysis_vulnerabilities ON analysis.analysis_id = analysis_vulnerabilities.analysis_id").
Joins("JOIN vulnerabilities ON vulnerabilities.vulnerability_id = analysis_vulnerabilities.vulnerability_id").
Limit(size).
Offset(pagination.GetSkip(int64(page), int64(size)))

vulnManagement.TotalItems = r.getTotalVulnManagementData(repositoryID, vulnSeverity, vulnHash)
return vulnManagement, r.setWhereFilter(query, repositoryID, vulnSeverity, vulnHash).Find(&vulnManagement.Data).Error
func (r *Repository) ListVulnManagementData(repositoryID uuid.UUID, page, size int, vulnSeverity severity.Severity,
vulnType horusecEnums.VulnerabilityType, vulnHash string) (vulnManagement dto.VulnManagement, err error) {
query := r.databaseRead.GetConnection().Raw("SELECT * FROM ? AS tmpTable"+
" ORDER BY CASE tmpTable.severity"+
" WHEN 'HIGH' THEN 1 WHEN 'MEDIUM' THEN 2 WHEN 'LOW' THEN 3 WHEN 'AUDIT' THEN 4"+
" WHEN 'INFO' THEN 5 END, tmpTable.type DESC LIMIT ? OFFSET ?",
r.listVulnManagementDataSubQuery(repositoryID, vulnSeverity, vulnType, vulnHash),
size, pagination.GetSkip(int64(page), int64(size)))

vulnManagement.TotalItems = r.getTotalVulnManagementData(repositoryID, vulnSeverity, vulnType, vulnHash)
return vulnManagement, query.Find(&vulnManagement.Data).Error
}

func (r *Repository) getTotalVulnManagementData(repositoryID uuid.UUID,
vulnSeverity severity.Severity, vulnHash string) (count int) {
vulnSeverity severity.Severity, vulnType horusecEnums.VulnerabilityType, vulnHash string) (count int) {
query := r.databaseRead.
GetConnection().
Select("COUNT( DISTINCT ( vulnerabilities.vulnerability_id ) )").
Table("analysis").
Joins("JOIN analysis_vulnerabilities ON analysis.analysis_id = analysis_vulnerabilities.analysis_id").
Joins("JOIN vulnerabilities ON vulnerabilities.vulnerability_id = analysis_vulnerabilities.vulnerability_id")

_ = r.setWhereFilter(query, repositoryID, vulnSeverity, vulnHash).Count(&count)
_ = r.setWhereFilter(query, repositoryID, vulnSeverity, vulnType, vulnHash).Count(&count)
return count
}

func (r *Repository) setWhereFilter(query *gorm.DB, repositoryID uuid.UUID,
vulnSeverity severity.Severity, vulnHash string) *gorm.DB {
// nolint
func (r *Repository) setWhereFilter(query *gorm.DB, repositoryID uuid.UUID, vulnSeverity severity.Severity,
vulnType horusecEnums.VulnerabilityType, vulnHash string) *gorm.DB {
if vulnHash != "" && vulnSeverity != "" && vulnType != "" {
return query.Where("repository_id = ? AND vulnerabilities.severity = ? AND vulnerabilities.type = ?"+
" AND vulnerabilities.vuln_hash ~ ?", repositoryID, vulnSeverity, vulnType, vulnHash)
}

if vulnHash != "" && vulnSeverity != "" {
return query.Where("repository_id = ? AND vulnerabilities.severity = ? AND vulnerabilities.vuln_hash ~ ?",
repositoryID, vulnSeverity, vulnHash)
}

if vulnHash != "" && vulnType != "" {
return query.Where("repository_id = ? AND vulnerabilities.type = ? AND vulnerabilities.vuln_hash ~ ?",
repositoryID, vulnType, vulnHash)
}

if vulnSeverity != "" && vulnType != "" {
return query.Where("repository_id = ? AND vulnerabilities.type = ? AND vulnerabilities.severity = ?",
repositoryID, vulnType, vulnSeverity)
}

if vulnHash != "" {
return query.Where("repository_id = ? AND vulnerabilities.vuln_hash ~ ?", repositoryID, vulnHash)
}
Expand All @@ -89,6 +102,10 @@ func (r *Repository) setWhereFilter(query *gorm.DB, repositoryID uuid.UUID,
return query.Where("repository_id = ? AND vulnerabilities.severity = ?", repositoryID, vulnSeverity)
}

if vulnType != "" {
return query.Where("repository_id = ? AND vulnerabilities.type = ?", repositoryID, vulnType)
}

return query.Where("repository_id = ?", repositoryID)
}

Expand All @@ -112,3 +129,17 @@ func (r *Repository) GetVulnByID(vulnerabilityID uuid.UUID) (*horusec.Vulnerabil

return vulnerability, response.GetError()
}

func (r *Repository) listVulnManagementDataSubQuery(repositoryID uuid.UUID,
vulnSeverity severity.Severity, vulnType horusecEnums.VulnerabilityType, vulnHash string) *gorm.SqlExpr {
query := r.databaseRead.GetConnection().
Select("DISTINCT ON (vulnerabilities.vulnerability_id) vulnerabilities.vulnerability_id," +
" vulnerabilities.type, vulnerabilities.vuln_hash, vulnerabilities.line, vulnerabilities.column," +
" vulnerabilities.confidence, vulnerabilities.file, vulnerabilities.code, vulnerabilities.details," +
" vulnerabilities.security_tool, vulnerabilities.language, vulnerabilities.severity").
Table("analysis").
Joins("JOIN analysis_vulnerabilities ON analysis.analysis_id = analysis_vulnerabilities.analysis_id").
Joins("JOIN vulnerabilities ON vulnerabilities.vulnerability_id = analysis_vulnerabilities.vulnerability_id")

return r.setWhereFilter(query, repositoryID, vulnSeverity, vulnType, vulnHash).SubQuery()
}
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package vulnerability
import (
"github.com/ZupIT/horusec/development-kit/pkg/entities/api/dto"
"github.com/ZupIT/horusec/development-kit/pkg/entities/horusec"
horusecEnums "github.com/ZupIT/horusec/development-kit/pkg/enums/horusec"
"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
mockUtils "github.com/ZupIT/horusec/development-kit/pkg/utils/mock"
"github.com/google/uuid"
Expand All @@ -28,7 +29,7 @@ type Mock struct {
}

func (m *Mock) ListVulnManagementData(repositoryID uuid.UUID, page, size int, vulnSeverity severity.Severity,
vulnHash string) (vulnManagement dto.VulnManagement, err error) {
vulnType horusecEnums.VulnerabilityType, vulnHash string) (vulnManagement dto.VulnManagement, err error) {
args := m.MethodCalled("ListVulnManagementData")
return args.Get(0).(dto.VulnManagement), mockUtils.ReturnNilOrError(args, 1)
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,8 @@ func TestGetAllVulnManagementData(t *testing.T) {
t.Run("should return error sqlite do not supports distinct on", func(t *testing.T) {
repo := NewManagementRepository(databaseRead, databaseWrite)

result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1, "", "")
result, err := repo.ListVulnManagementData(repository.RepositoryID,
1, 1, "", "", "")

assert.Error(t, err)
assert.Len(t, result.Data, 0)
Expand All @@ -142,7 +143,8 @@ func TestGetAllVulnManagementData(t *testing.T) {
t.Run("should return error sqlite do not supports distinct on", func(t *testing.T) {
repo := NewManagementRepository(databaseRead, databaseWrite)

result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1, "test", "")
result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1,
"test", "", "")

assert.Error(t, err)
assert.Len(t, result.Data, 0)
Expand All @@ -151,7 +153,8 @@ func TestGetAllVulnManagementData(t *testing.T) {
t.Run("should success get vulnerability data with no errors", func(t *testing.T) {
repo := NewManagementRepository(databaseRead, databaseWrite)

result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1, "", "test")
result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1,
"", "", "test")

assert.Error(t, err)
assert.Len(t, result.Data, 0)
Expand All @@ -160,7 +163,48 @@ func TestGetAllVulnManagementData(t *testing.T) {
t.Run("should success get vulnerability data with no errors", func(t *testing.T) {
repo := NewManagementRepository(databaseRead, databaseWrite)

result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1, "test", "test")
result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1,
"test", "", "test")

assert.Error(t, err)
assert.Len(t, result.Data, 0)
})

t.Run("should success get vulnerability data with no errors", func(t *testing.T) {
repo := NewManagementRepository(databaseRead, databaseWrite)

result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1,
"test", "test", "test")

assert.Error(t, err)
assert.Len(t, result.Data, 0)
})

t.Run("should success get vulnerability data with no errors", func(t *testing.T) {
repo := NewManagementRepository(databaseRead, databaseWrite)

result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1,
"", "test", "test")

assert.Error(t, err)
assert.Len(t, result.Data, 0)
})

t.Run("should success get vulnerability data with no errors", func(t *testing.T) {
repo := NewManagementRepository(databaseRead, databaseWrite)

result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1,
"test", "test", "")

assert.Error(t, err)
assert.Len(t, result.Data, 0)
})

t.Run("should success get vulnerability data with no errors", func(t *testing.T) {
repo := NewManagementRepository(databaseRead, databaseWrite)

result, err := repo.ListVulnManagementData(repository.RepositoryID, 1, 1,
"", "test", "")

assert.Error(t, err)
assert.Len(t, result.Data, 0)
Expand Down
6 changes: 6 additions & 0 deletions horusec-api/docs/docs.go
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,12 @@ var doc = `{
"description": "vulnType query string",
"name": "vulnType",
"in": "query"
},
{
"type": "string",
"description": "vulnSeverity query string",
"name": "vulnSeverity",
"in": "query"
}
],
"responses": {
Expand Down
6 changes: 6 additions & 0 deletions horusec-api/docs/swagger.json
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,12 @@
"description": "vulnType query string",
"name": "vulnType",
"in": "query"
},
{
"type": "string",
"description": "vulnSeverity query string",
"name": "vulnSeverity",
"in": "query"
}
],
"responses": {
Expand Down
4 changes: 4 additions & 0 deletions horusec-api/docs/swagger.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -264,6 +264,10 @@ paths:
in: query
name: vulnType
type: string
- description: vulnSeverity query string
in: query
name: vulnSeverity
type: string
produces:
- application/json
responses:
Expand Down
9 changes: 5 additions & 4 deletions horusec-api/internal/controllers/management/management.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,13 +19,14 @@ import (
"github.com/ZupIT/horusec/development-kit/pkg/databases/relational/repository/vulnerability"
"github.com/ZupIT/horusec/development-kit/pkg/entities/api/dto"
"github.com/ZupIT/horusec/development-kit/pkg/entities/horusec"
horusecEnums "github.com/ZupIT/horusec/development-kit/pkg/enums/horusec"
"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
"github.com/google/uuid"
)

type IController interface {
ListVulnManagementData(repositoryID uuid.UUID, page, size int, vulnSeverity severity.Severity,
vulnHash string) (vulnManagement dto.VulnManagement, err error)
vulnType horusecEnums.VulnerabilityType, vulnHash string) (vulnManagement dto.VulnManagement, err error)
UpdateVulnType(vulnerabilityID uuid.UUID, vulnType *dto.UpdateVulnType) (*horusec.Vulnerability, error)
}

Expand All @@ -40,9 +41,9 @@ func NewManagementController(postgresRead relational.InterfaceRead,
}
}

func (c *Controller) ListVulnManagementData(repositoryID uuid.UUID, page, size int,
vulnSeverity severity.Severity, vulnHash string) (vulnManagement dto.VulnManagement, err error) {
return c.managementRepository.ListVulnManagementData(repositoryID, page, size, vulnSeverity, vulnHash)
func (c *Controller) ListVulnManagementData(repositoryID uuid.UUID, page, size int, vulnSeverity severity.Severity,
vulnType horusecEnums.VulnerabilityType, vulnHash string) (vulnManagement dto.VulnManagement, err error) {
return c.managementRepository.ListVulnManagementData(repositoryID, page, size, vulnSeverity, vulnType, vulnHash)
}

func (c *Controller) UpdateVulnType(vulnerabilityID uuid.UUID,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package management
import (
"github.com/ZupIT/horusec/development-kit/pkg/entities/api/dto"
"github.com/ZupIT/horusec/development-kit/pkg/entities/horusec"
horusecEnums "github.com/ZupIT/horusec/development-kit/pkg/enums/horusec"
"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
mockUtils "github.com/ZupIT/horusec/development-kit/pkg/utils/mock"
"github.com/google/uuid"
Expand All @@ -28,7 +29,7 @@ type Mock struct {
}

func (m *Mock) ListVulnManagementData(repositoryID uuid.UUID, page, size int, vulnSeverity severity.Severity,
vulnHash string) (vulnManagement dto.VulnManagement, err error) {
vulnType horusecEnums.VulnerabilityType, vulnHash string) (vulnManagement dto.VulnManagement, err error) {
args := m.MethodCalled("ListVulnManagementData")
return args.Get(0).(dto.VulnManagement), mockUtils.ReturnNilOrError(args, 1)
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,8 @@ func TestListVulnManagementData(t *testing.T) {

controller := Controller{managementRepository: repositoryMock}

result, err := controller.ListVulnManagementData(uuid.New(), 1, 10, "", "")
result, err := controller.ListVulnManagementData(uuid.New(), 1, 10,
"", "", "")
assert.NoError(t, err)
assert.Equal(t, 1, result.TotalItems)
assert.Len(t, result.Data, 1)
Expand Down
8 changes: 7 additions & 1 deletion horusec-api/internal/handlers/management/management.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"github.com/ZupIT/horusec/development-kit/pkg/databases/relational"
_ "github.com/ZupIT/horusec/development-kit/pkg/entities/api/dto" // [swagger-import]
"github.com/ZupIT/horusec/development-kit/pkg/enums/errors"
horusecEnums "github.com/ZupIT/horusec/development-kit/pkg/enums/horusec"
"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
managementUseCases "github.com/ZupIT/horusec/development-kit/pkg/usecases/management"
httpUtil "github.com/ZupIT/horusec/development-kit/pkg/utils/http"
Expand Down Expand Up @@ -55,6 +56,7 @@ func (h *Handler) Options(w netHTTP.ResponseWriter, _ *netHTTP.Request) {
// @Param size query string false "size query string"
// @Param vulnHash query string false "vulnHash query string"
// @Param vulnType query string false "vulnType query string"
// @Param vulnSeverity query string false "vulnSeverity query string"
// @Success 200 {object} http.Response{content=string} "OK"
// @Failure 400 {object} http.Response{content=string} "BAD REQUEST"
// @Failure 500 {object} http.Response{content=string} "INTERNAL SERVER ERROR"
Expand All @@ -68,7 +70,7 @@ func (h *Handler) Get(w netHTTP.ResponseWriter, r *netHTTP.Request) {

page, size := h.getPageSize(r)
result, err := h.managementController.ListVulnManagementData(repositoryID, page, size,
h.getVulnSeverity(r), h.getVulnHash(r))
h.getVulnSeverity(r), h.getVulnType(r), h.getVulnHash(r))
if err != nil {
httpUtil.StatusInternalServerError(w, err)
return
Expand All @@ -87,6 +89,10 @@ func (h *Handler) getVulnSeverity(r *netHTTP.Request) severity.Severity {
return severity.Severity(r.URL.Query().Get("vulnSeverity"))
}

func (h *Handler) getVulnType(r *netHTTP.Request) horusecEnums.VulnerabilityType {
return horusecEnums.VulnerabilityType(r.URL.Query().Get("vulnType"))
}

func (h *Handler) getVulnHash(r *netHTTP.Request) string {
return r.URL.Query().Get("vulnHash")
}
Expand Down