Add security hub summary API

include with_dangerous_artifact, with_dangerous_cve option Signed-off-by: stonezdj <daojunz@vmware.com>
goharbor · Jul 8, 2023 · f5d11ca · f5d11ca
1 parent d84b1d0
commit f5d11ca
Show file tree

Hide file tree

Showing 14 changed files with 1,046 additions and 1 deletion.
diff --git a/api/v2.0/swagger.yaml b/api/v2.0/swagger.yaml
@@ -6052,7 +6052,40 @@ paths:
           $ref: '#/responses/404'
         '500':
           $ref: '#/responses/500'
-
+  /security/summary:
+    get:
+      summary: Get vulnerability system summary
+      description: Retrieve the vulnerability summary of the system
+      tags:
+        - securityhub
+      operationId: getSecuritySummary
+      parameters:
+        - $ref: '#/parameters/requestId'
+        - name: with_dangerous_cve
+          in: query
+          description: Specify whether the dangerous CVE is include in the security summary
+          type: boolean
+          required: false
+          default: false
+        - name: with_dangerous_artifact
+          in: query
+          description: Specify whether the dangerous artifacts is include in the security summary
+          type: boolean
+          required: false
+          default: false                  
+      responses:
+        '200':
+          description: Success
+          schema:
+            $ref: '#/definitions/SecuritySummary'
+        '401':
+          $ref: '#/responses/401'
+        '403':
+          $ref: '#/responses/403'
+        '404':
+          $ref: '#/responses/404'
+        '500':
+          $ref: '#/responses/500'
 parameters:
   query:
     name: q
@@ -9600,3 +9633,116 @@ definitions:
         type: boolean
         description: if the scheduler is paused
         x-omitempty: false
+  SecuritySummary:
+    type: object
+    description: the security summary
+    properties:
+      critical_cnt:
+        type: integer
+        format: int64
+        x-omitempty: false
+        description: the count of critical vulnerabilities
+      high_cnt:
+        type: integer
+        format: int64
+        description: the count of high vulnerabilities
+      medium_cnt:
+        type: integer
+        format: int64
+        x-omitempty: false
+        description: the count of medium vulnerabilities
+      low_cnt:
+        type: integer
+        format: int64
+        x-omitempty: false
+        description: the count of low vulnerabilities
+      none_cnt:
+        type: integer
+        format: int64
+        description: the count of none vulnerabilities
+      unknown_cnt:
+        type: integer
+        format: int64
+        description: the count of unknown vulnerabilities
+      total_vuls:
+        type: integer
+        format: int64
+        x-omitempty: false
+        description: the count of total vulnerabilities
+      scanned_cnt:
+        type: integer
+        format: int64
+        x-omitempty: false
+        description: the count of scanned artifacts
+      total_artifact:
+        type: integer
+        format: int64
+        x-omitempty: false
+        description: the total count of artifacts
+      fixable_cnt:
+        type: integer
+        format: int64
+        x-omitempty: false
+        description: the count of fixable vulnerabilities
+      dangerous_cves:
+        type: array
+        x-omitempty: true
+        description: the list of dangerous CVEs
+        items:
+          $ref: '#/definitions/DangerousCVE'
+      dangerous_artifacts:
+        type: array
+        x-omitempty: true
+        description: the list of dangerous artifacts
+        items:
+          $ref: '#/definitions/DangerousArtifact'
+  DangerousCVE:
+    type: object
+    description: the dangerous CVE information
+    properties:
+      cve_id: 
+        type: string
+        description: the cve id
+      severity:
+        type: string
+        description: the severity of the CVE        
+      cvss_score_v3:
+        type: number
+        format: float64
+        description: the cvss score v3
+      desc:
+        type: string
+        description: the description of the CVE
+      package:
+        type: string
+        description: the package of the CVE      
+      version:
+        type: string
+        description: the version of the package
+  DangerousArtifact:
+    type: object
+    description: the dangerous artifact information
+    properties:
+      project_id: 
+        type: integer
+        format: int64
+        description: the project id of the artifact
+      repository_name:
+        type: string
+        description: the repository name of the artifact
+      digest: 
+        type: string
+        description: the digest of the artifact
+      critical_cnt:
+        type: integer
+        x-omitempty: false
+        description: the count of critical vulnerabilities
+      high_cnt:
+        type: integer
+        format: int64
+        x-omitempty: false
+        description: the count of high vulnerabilities
+      medium_cnt:
+        type: integer
+        x-omitempty: false
+        description: the count of medium vulnerabilities
diff --git a/src/controller/securityhub/controller.go b/src/controller/securityhub/controller.go
@@ -0,0 +1,105 @@
+// Copyright Project Harbor Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package securityhub
+
+import (
+	"context"
+
+	"github.com/goharbor/harbor/src/lib/q"
+	"github.com/goharbor/harbor/src/pkg/artifact"
+	"github.com/goharbor/harbor/src/pkg/scan/scanner"
+	"github.com/goharbor/harbor/src/pkg/securityhub"
+	secHubModel "github.com/goharbor/harbor/src/pkg/securityhub/model"
+)
+
+// Ctl is the global controller for security hub
+var Ctl = NewController()
+
+// Controller controller of security hub
+type Controller interface {
+	// SecuritySummary returns the security summary of the specified project.
+	SecuritySummary(ctx context.Context, projectID int64, withCVE bool, withArtifact bool) (*secHubModel.Summary, error)
+}
+
+type controller struct {
+	artifactMgr artifact.Manager
+	scannerMgr  scanner.Manager
+	secHubMgr   securityhub.Manager
+}
+
+// NewController ...
+func NewController() Controller {
+	return &controller{
+		artifactMgr: artifact.NewManager(),
+		scannerMgr:  scanner.New(),
+		secHubMgr:   securityhub.Mgr,
+	}
+}
+
+func (c *controller) SecuritySummary(ctx context.Context, projectID int64, withCVE bool, withArtifact bool) (*secHubModel.Summary, error) {
+	scannerUUID, err := c.defaultScannerUUID(ctx)
+	if err != nil {
+		return nil, err
+	}
+	sum, err := c.secHubMgr.Summary(ctx, scannerUUID, projectID, nil)
+	if err != nil {
+		return nil, err
+	}
+	sum.TotalArtifactCnt, err = c.totalArtifactCount(ctx, projectID)
+	if err != nil {
+		return nil, err
+	}
+	sum.ScannedCnt, err = c.secHubMgr.ScannedArtifactsCount(ctx, scannerUUID, projectID, nil)
+	if err != nil {
+		return nil, err
+	}
+	if withCVE {
+		sum.DangerousCVEs, err = c.secHubMgr.DangerousCVEs(ctx, scannerUUID, projectID, nil)
+		if err != nil {
+			return nil, err
+		}
+	}
+	if withArtifact {
+		sum.DangerousArtifacts, err = c.secHubMgr.DangerousArtifacts(ctx, scannerUUID, projectID, nil)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return sum, nil
+}
+
+func (c *controller) scannedArtifactCount(ctx context.Context, projectID int64) (int64, error) {
+	scannerUUID, err := c.defaultScannerUUID(ctx)
+	if err != nil {
+		return 0, err
+	}
+	return c.secHubMgr.ScannedArtifactsCount(ctx, scannerUUID, projectID, nil)
+}
+
+func (c *controller) totalArtifactCount(ctx context.Context, projectID int64) (int64, error) {
+	if projectID == 0 {
+		return c.artifactMgr.Count(ctx, nil)
+	}
+	return c.artifactMgr.Count(ctx, q.New(q.KeyWords{"project_id": projectID}))
+}
+
+// defaultScannerUUID returns the default scanner uuid.
+func (c *controller) defaultScannerUUID(ctx context.Context) (string, error) {
+	reg, err := c.scannerMgr.GetDefault(ctx)
+	if err != nil {
+		return "", err
+	}
+	return reg.UUID, nil
+}