Skip to content

Commit

Permalink
enricher: add RHCC enricher
Browse files Browse the repository at this point in the history
This change introduces an enricher who's purpose is to scope down the
vulnerability report for layers that have RHCC packages. This approach
helps to keep the index report unchanged and therefore state is less
of an issue, it also builds on existing machinary.

Signed-off-by: crozzy <joseph.crosland@gmail.com>
  • Loading branch information
crozzy committed Sep 8, 2023
1 parent dd6c601 commit da2ddd0
Show file tree
Hide file tree
Showing 2 changed files with 291 additions and 0 deletions.
64 changes: 64 additions & 0 deletions enricher/rhcc/rhcc.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
package rhcc

import (
"context"
"encoding/json"

"github.com/quay/claircore"
"github.com/quay/claircore/libvuln/driver"
)

type Enricher struct{}

var (
_ driver.Enricher = (*Enricher)(nil)
)

func (e *Enricher) Name() string { return "rhcc" }

func (e *Enricher) Enrich(ctx context.Context, g driver.EnrichmentGetter, r *claircore.VulnerabilityReport) (string, []json.RawMessage, error) {
rhLayers := []claircore.Digest{}
// TODO: Should we look at repos here? Nicer to find but harder to use.
for id, p := range r.Packages {
if p.RepositoryHint == "rhcc" {
// Grab the layers where rhcc packages exist.
for _, e := range r.Environments[id] {
rhLayers = append(rhLayers, e.IntroducedIn)
}
}
}
problematicPkgIDs := make(map[string]struct{})
// Check which packages come from those layers.
for pkgID, es := range r.Environments {
for _, e := range es {
for _, rhl := range rhLayers {
if e.IntroducedIn.String() == rhl.String() {
problematicPkgIDs[pkgID] = struct{}{}
}
}
}
}

problematicVulnIDs := make(map[string]string)
// Check if the packages have any vulnerabilities
for pkgID, pkgV := range r.PackageVulnerabilities {
if _, ok := problematicPkgIDs[pkgID]; ok {
for _, vID := range pkgV {
problematicVulnIDs[vID] = pkgID
}
}
}

// Scope down the vulnerabilities
finalVulnerabilities := make(map[string]*claircore.Vulnerability)
finalPackageVulnerabilities := make(map[string][]string)
for vID, vuln := range r.Vulnerabilities {
if pkgID, ok := problematicVulnIDs[vID]; !ok || r.Packages[pkgID].RepositoryHint == "rhcc" {
finalVulnerabilities[vID] = vuln
finalPackageVulnerabilities[pkgID] = append(finalPackageVulnerabilities[pkgID], vID)
}
}
r.Vulnerabilities = finalVulnerabilities
r.PackageVulnerabilities = finalPackageVulnerabilities
return "", nil, nil
}
227 changes: 227 additions & 0 deletions enricher/rhcc/rhcc_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,227 @@
package rhcc

import (
"context"
"crypto/sha256"
"io"
"testing"

"github.com/quay/zlog"

"github.com/quay/claircore"
"github.com/quay/claircore/libvuln/driver"
)

func Digest(name string) claircore.Digest {
h := sha256.New()
io.WriteString(h, name)
d, err := claircore.NewDigest("sha256", h.Sum(nil))
if err != nil {
panic(err)
}
return d
}

func TestEnrich(t *testing.T) {
t.Parallel()
ctx := zlog.Test(context.Background(), t)
firstLayerHash := Digest("first layer")
secondLayerHash := Digest("second layer")
//thirdLayerHash := Digest("third layer")
tests := []struct {
name string
vr *claircore.VulnerabilityReport
layers []*claircore.Layer
lenVulns, lenPkgVulns int
}{
{
name: "vuln in package in different layer from rhcc package",
vr: &claircore.VulnerabilityReport{
Packages: map[string]*claircore.Package{
"1": {
Name: "some-rh-package-slash-image",
RepositoryHint: "rhcc",
Version: "v1.0.0",
},
"2": {
Name: "grafana",
Version: "v4.7.0",
},
},
Environments: map[string][]*claircore.Environment{
"1": {{IntroducedIn: firstLayerHash}},
"2": {{IntroducedIn: secondLayerHash}},
},
Vulnerabilities: map[string]*claircore.Vulnerability{
"4": {
Name: "something bad with grafana",
FixedInVersion: "v100.0.0",
},
},
PackageVulnerabilities: map[string][]string{
"2": {"4"},
},
},
layers: []*claircore.Layer{
{Hash: firstLayerHash},
{Hash: secondLayerHash},
},
lenVulns: 1,
lenPkgVulns: 1,
},
{
name: "vuln in package in same layer as rhcc package",
vr: &claircore.VulnerabilityReport{
Packages: map[string]*claircore.Package{
"1": {
Name: "some-rh-package-slash-image",
RepositoryHint: "rhcc",
Version: "v1.0.0",
},
"2": {
Name: "grafana",
Version: "v4.7.0",
},
},
Environments: map[string][]*claircore.Environment{
"1": {{IntroducedIn: firstLayerHash}},
"2": {{IntroducedIn: firstLayerHash}},
},
Vulnerabilities: map[string]*claircore.Vulnerability{
"4": {
Name: "something bad with grafana",
FixedInVersion: "v100.0.0",
},
},
PackageVulnerabilities: map[string][]string{
"2": {"4"},
},
},
layers: []*claircore.Layer{
{Hash: firstLayerHash},
{Hash: secondLayerHash},
},
lenVulns: 0,
lenPkgVulns: 0,
},
{
name: "vuln in package in same layer as rhcc package and rhcc vuln in same layer",
vr: &claircore.VulnerabilityReport{
Packages: map[string]*claircore.Package{
"1": {
Name: "some-rh-package-slash-image",
RepositoryHint: "rhcc",
Version: "v1.0.0",
},
"2": {
Name: "grafana",
Version: "v4.7.0",
},
},
Environments: map[string][]*claircore.Environment{
"1": {{IntroducedIn: firstLayerHash}},
"2": {{IntroducedIn: firstLayerHash}},
},
Vulnerabilities: map[string]*claircore.Vulnerability{
"4": {
Name: "something bad with grafana",
FixedInVersion: "v100.0.0",
},
"5": {
Name: "something bad ubi",
FixedInVersion: "v100.0.0",
},
},
PackageVulnerabilities: map[string][]string{
"2": {"4"},
"1": {"5"},
},
},
layers: []*claircore.Layer{
{Hash: firstLayerHash},
{Hash: secondLayerHash},
},
lenVulns: 1,
lenPkgVulns: 1,
},
{
name: "multiple rhcc packages in different layers",
vr: &claircore.VulnerabilityReport{
Packages: map[string]*claircore.Package{
"1": {
Name: "some-rh-package-slash-image",
RepositoryHint: "rhcc",
Version: "v1.0.0",
},
"2": {
Name: "some-other-rh-package-slash-image",
RepositoryHint: "rhcc",
Version: "v1.0.0",
},
"3": {
Name: "grafana",
Version: "v4.7.0",
},
},
Environments: map[string][]*claircore.Environment{
"1": {{IntroducedIn: firstLayerHash}},
"2": {{IntroducedIn: firstLayerHash}},
"3": {{IntroducedIn: firstLayerHash}},
},
Vulnerabilities: map[string]*claircore.Vulnerability{
"4": {
Name: "something bad with grafana",
FixedInVersion: "v100.0.0",
},
"5": {
Name: "something bad ubi",
FixedInVersion: "v100.0.0",
},
"6": {
Name: "something bad s2i",
FixedInVersion: "v100.0.0",
},
},
PackageVulnerabilities: map[string][]string{
"3": {"4"},
"1": {"5"},
"2": {"6"},
},
},
layers: []*claircore.Layer{
{Hash: firstLayerHash},
{Hash: secondLayerHash},
},
lenVulns: 2,
lenPkgVulns: 2,
},
}

e := &Enricher{}
nog := &noopGetter{}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
_, _, err := e.Enrich(ctx, nog, tc.vr)
if err != nil {
t.Fatal(err)
}
if len(tc.vr.Vulnerabilities) != tc.lenVulns {
t.Fatalf("wrong number of vulns: expected: %d got: %d", tc.lenVulns, len(tc.vr.Vulnerabilities))
}
lenPkgVulns := 0
for _, vulns := range tc.vr.PackageVulnerabilities {
lenPkgVulns = lenPkgVulns + len(vulns)
}
if lenPkgVulns != tc.lenPkgVulns {
t.Fatalf("wrong number of vulns: expected: %d got: %d", tc.lenPkgVulns, lenPkgVulns)
}
})

}
}

type noopGetter struct{}

func (f *noopGetter) GetEnrichment(ctx context.Context, tags []string) ([]driver.EnrichmentRecord, error) {
return nil, nil
}

0 comments on commit da2ddd0

Please sign in to comment.