Skip to content

Commit

Permalink
Fix Vuln extraction (#317)
Browse files Browse the repository at this point in the history
* parses cvss bundle properly
* handles reports that can't be tied to services cleanly
  • Loading branch information
michaeljguarino authored Dec 13, 2024
1 parent a28ae92 commit f00c0e6
Show file tree
Hide file tree
Showing 4 changed files with 43 additions and 12 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/lint-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ jobs:
- name: Set up python
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.13

- name: Setup Chart Linting
id: lint
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ require (
github.com/open-policy-agent/gatekeeper/v3 v3.17.1
github.com/orcaman/concurrent-map/v2 v2.0.1
github.com/pkg/errors v0.9.1
github.com/pluralsh/console/go/client v1.22.6
github.com/pluralsh/console/go/client v1.25.1
github.com/pluralsh/controller-reconcile-helper v0.1.0
github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34
github.com/pluralsh/polly v0.1.10
Expand Down
4 changes: 4 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -1188,6 +1188,10 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pluralsh/console/go/client v1.22.6 h1:ECH+bJyhfywPd8lLUJWlruBjfuKp5WGQioCXT4RD0Fk=
github.com/pluralsh/console/go/client v1.22.6/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k=
github.com/pluralsh/console/go/client v1.25.0 h1:Q4Q1gmO9b7vlyUuU+TkLOCImfJeNyyUCVdi/Z5hfj7M=
github.com/pluralsh/console/go/client v1.25.0/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k=
github.com/pluralsh/console/go/client v1.25.1 h1:XaCf0CH3TyPVM+Mf6xFKqz2Ysf+qs+qxL5GSTjZ7UkI=
github.com/pluralsh/console/go/client v1.25.1/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k=
github.com/pluralsh/controller-reconcile-helper v0.1.0 h1:BV3dYZFH5rn8ZvZjtpkACSv/GmLEtRftNQj/Y4ddHEo=
github.com/pluralsh/controller-reconcile-helper v0.1.0/go.mod h1:RxAbvSB4/jkvx616krCdNQXPbpGJXW3J1L3rASxeFOA=
github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34 h1:ab2PN+6if/Aq3/sJM0AVdy1SYuMAnq4g20VaKhTm/Bw=
Expand Down
47 changes: 37 additions & 10 deletions internal/controller/vulnerabilityreports_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"strings"
"time"

"github.com/aquasecurity/trivy-db/pkg/types"
trivy "github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1"
cmap "github.com/orcaman/concurrent-map/v2"
console "github.com/pluralsh/console/go/client"
Expand Down Expand Up @@ -45,23 +46,23 @@ func (r *VulnerabilityReportReconciler) Reconcile(ctx context.Context, req ctrl.
return ctrl.Result{}, nil
}

var serviceId *string
if len(vulnerabilityReport.OwnerReferences) > 0 {
k8sObj, err := r.getObjectFromOwnerReference(ctx, vulnerabilityReport.OwnerReferences[0], vulnerabilityReport.Namespace)
if err != nil {
return ctrl.Result{}, err
}
serviceID, ok := k8sObj.GetAnnotations()[inventory.OwningInventoryKey]
if !ok {
return ctrl.Result{}, nil
svcId, ok := k8sObj.GetAnnotations()[inventory.OwningInventoryKey]
if ok {
serviceId = lo.ToPtr(svcId)
}

r.reports.Set(req.NamespacedName.String(), createAttribute(vulnerabilityReport, serviceID))

}
r.reports.Set(req.NamespacedName.String(), createVulnAttributes(vulnerabilityReport, serviceId))
return ctrl.Result{}, nil
}

func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID string) console.VulnerabilityReportAttributes {
func createVulnAttributes(vulnerabilityReport *trivy.VulnerabilityReport, serviceID *string) console.VulnerabilityReportAttributes {
var namespaces []*console.NamespaceVulnAttributes
var vulnerabilityAttributes []*console.VulnerabilityAttributes
os := &console.VulnOsAttributes{
Expand Down Expand Up @@ -91,11 +92,13 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s
format = "%s/%s@%s"
}
artifactURL := fmt.Sprintf(format, vulnerabilityReport.Report.Registry.Server, vulnerabilityReport.Report.Artifact.Repository, tag)
services := []*console.ServiceVulnAttributes{
{
ServiceID: serviceID,
},
services := []*console.ServiceVulnAttributes{}
if serviceID != nil {
services = append(services, &console.ServiceVulnAttributes{
ServiceID: *serviceID,
})
}

if vulnerabilityReport.Namespace != "" {
namespaces = []*console.NamespaceVulnAttributes{
{
Expand All @@ -113,6 +116,7 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s
Score: v.Score,
Title: lo.ToPtr(v.Title),
Description: lo.ToPtr(v.Description),
Cvss: parseCvss(v.CVSS),
CvssSource: lo.ToPtr(v.CVSSSource),
PrimaryLink: lo.ToPtr(v.PrimaryLink),
Links: algorithms.Map(v.Links, func(s string) *string { return &s }),
Expand Down Expand Up @@ -141,6 +145,29 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s
}
}

func parseCvss(cvss types.VendorCVSS) *console.CvssBundleAttributes {
result := &console.CvssBundleAttributes{}
if cvss == nil {
return result
}

if nvidia, ok := cvss["nvidia"]; ok {
result.Nvidia = &console.CvssAttributes{
V3Vector: lo.ToPtr(nvidia.V3Vector),
V3Score: lo.ToPtr(nvidia.V3Score),
}
}

if redhat, ok := cvss["redhat"]; ok {
result.Redhat = &console.CvssAttributes{
V3Vector: lo.ToPtr(redhat.V3Vector),
V3Score: lo.ToPtr(redhat.V3Score),
}
}

return result
}

func (r *VulnerabilityReportReconciler) getObjectFromOwnerReference(ctx context.Context, ref v1.OwnerReference, namespace string) (*unstructured.Unstructured, error) {
gv, err := apiVersionToGroupVersion(ref.APIVersion)
if err != nil {
Expand Down

0 comments on commit f00c0e6

Please sign in to comment.