Fix Vuln extraction

* parses cvss bundle properly * handles reports that can't be tied to services cleanly
pluralsh · Dec 13, 2024 · 6773e56 · 6773e56
1 parent a28ae92
commit 6773e56
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 11 deletions.
diff --git a/go.mod b/go.mod
@@ -29,7 +29,7 @@ require (
 	github.com/open-policy-agent/gatekeeper/v3 v3.17.1
 	github.com/orcaman/concurrent-map/v2 v2.0.1
 	github.com/pkg/errors v0.9.1
-	github.com/pluralsh/console/go/client v1.22.6
+	github.com/pluralsh/console/go/client v1.25.1
 	github.com/pluralsh/controller-reconcile-helper v0.1.0
 	github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34
 	github.com/pluralsh/polly v0.1.10

diff --git a/go.sum b/go.sum
@@ -1188,6 +1188,10 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pluralsh/console/go/client v1.22.6 h1:ECH+bJyhfywPd8lLUJWlruBjfuKp5WGQioCXT4RD0Fk=
 github.com/pluralsh/console/go/client v1.22.6/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k=
+github.com/pluralsh/console/go/client v1.25.0 h1:Q4Q1gmO9b7vlyUuU+TkLOCImfJeNyyUCVdi/Z5hfj7M=
+github.com/pluralsh/console/go/client v1.25.0/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k=
+github.com/pluralsh/console/go/client v1.25.1 h1:XaCf0CH3TyPVM+Mf6xFKqz2Ysf+qs+qxL5GSTjZ7UkI=
+github.com/pluralsh/console/go/client v1.25.1/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k=
 github.com/pluralsh/controller-reconcile-helper v0.1.0 h1:BV3dYZFH5rn8ZvZjtpkACSv/GmLEtRftNQj/Y4ddHEo=
 github.com/pluralsh/controller-reconcile-helper v0.1.0/go.mod h1:RxAbvSB4/jkvx616krCdNQXPbpGJXW3J1L3rASxeFOA=
 github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34 h1:ab2PN+6if/Aq3/sJM0AVdy1SYuMAnq4g20VaKhTm/Bw=

diff --git a/internal/controller/vulnerabilityreports_controller.go b/internal/controller/vulnerabilityreports_controller.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/aquasecurity/trivy-db/pkg/types"
 	trivy "github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1"
 	cmap "github.com/orcaman/concurrent-map/v2"
 	console "github.com/pluralsh/console/go/client"
@@ -45,23 +46,23 @@ func (r *VulnerabilityReportReconciler) Reconcile(ctx context.Context, req ctrl.
 		return ctrl.Result{}, nil
 	}
 
+	var serviceId *string
 	if len(vulnerabilityReport.OwnerReferences) > 0 {
 		k8sObj, err := r.getObjectFromOwnerReference(ctx, vulnerabilityReport.OwnerReferences[0], vulnerabilityReport.Namespace)
 		if err != nil {
 			return ctrl.Result{}, err
 		}
-		serviceID, ok := k8sObj.GetAnnotations()[inventory.OwningInventoryKey]
-		if !ok {
-			return ctrl.Result{}, nil
+		svcId, ok := k8sObj.GetAnnotations()[inventory.OwningInventoryKey]
+		if ok {
+			serviceId = lo.ToPtr(svcId)
 		}
 
-		r.reports.Set(req.NamespacedName.String(), createAttribute(vulnerabilityReport, serviceID))
-
 	}
+	r.reports.Set(req.NamespacedName.String(), createVulnAttributes(vulnerabilityReport, serviceId))
 	return ctrl.Result{}, nil
 }
 
-func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID string) console.VulnerabilityReportAttributes {
+func createVulnAttributes(vulnerabilityReport *trivy.VulnerabilityReport, serviceID *string) console.VulnerabilityReportAttributes {
 	var namespaces []*console.NamespaceVulnAttributes
 	var vulnerabilityAttributes []*console.VulnerabilityAttributes
 	os := &console.VulnOsAttributes{
@@ -91,11 +92,13 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s
 		format = "%s/%s@%s"
 	}
 	artifactURL := fmt.Sprintf(format, vulnerabilityReport.Report.Registry.Server, vulnerabilityReport.Report.Artifact.Repository, tag)
-	services := []*console.ServiceVulnAttributes{
-		{
-			ServiceID: serviceID,
-		},
+	services := []*console.ServiceVulnAttributes{}
+	if serviceID != nil {
+		services = append(services, &console.ServiceVulnAttributes{
+			ServiceID: *serviceID,
+		})
 	}
+
 	if vulnerabilityReport.Namespace != "" {
 		namespaces = []*console.NamespaceVulnAttributes{
 			{
@@ -113,6 +116,7 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s
 			Score:            v.Score,
 			Title:            lo.ToPtr(v.Title),
 			Description:      lo.ToPtr(v.Description),
+			Cvss:             parseCvss(v.CVSS),
 			CvssSource:       lo.ToPtr(v.CVSSSource),
 			PrimaryLink:      lo.ToPtr(v.PrimaryLink),
 			Links:            algorithms.Map(v.Links, func(s string) *string { return &s }),
@@ -141,6 +145,29 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s
 	}
 }
 
+func parseCvss(cvss types.VendorCVSS) *console.CvssBundleAttributes {
+	result := &console.CvssBundleAttributes{}
+	if cvss == nil {
+		return result
+	}
+
+	if nvidia, ok := cvss["nvidia"]; ok {
+		result.Nvidia = &console.CvssAttributes{
+			V3Vector: lo.ToPtr(nvidia.V3Vector),
+			V3Score:  lo.ToPtr(nvidia.V3Score),
+		}
+	}
+
+	if redhat, ok := cvss["redhat"]; ok {
+		result.Redhat = &console.CvssAttributes{
+			V3Vector: lo.ToPtr(redhat.V3Vector),
+			V3Score:  lo.ToPtr(redhat.V3Score),
+		}
+	}
+
+	return result
+}
+
 func (r *VulnerabilityReportReconciler) getObjectFromOwnerReference(ctx context.Context, ref v1.OwnerReference, namespace string) (*unstructured.Unstructured, error) {
 	gv, err := apiVersionToGroupVersion(ref.APIVersion)
 	if err != nil {