From f00c0e6a249a4ff8b346618c3bf435b765a61bd1 Mon Sep 17 00:00:00 2001 From: michaeljguarino Date: Fri, 13 Dec 2024 12:55:17 -0500 Subject: [PATCH] Fix Vuln extraction (#317) * parses cvss bundle properly * handles reports that can't be tied to services cleanly --- .github/workflows/lint-and-test.yml | 2 +- go.mod | 2 +- go.sum | 4 ++ .../vulnerabilityreports_controller.go | 47 +++++++++++++++---- 4 files changed, 43 insertions(+), 12 deletions(-) diff --git a/.github/workflows/lint-and-test.yml b/.github/workflows/lint-and-test.yml index 985de2cf..431d037b 100644 --- a/.github/workflows/lint-and-test.yml +++ b/.github/workflows/lint-and-test.yml @@ -17,7 +17,7 @@ jobs: - name: Set up python uses: actions/setup-python@v4 with: - python-version: 3.7 + python-version: 3.13 - name: Setup Chart Linting id: lint diff --git a/go.mod b/go.mod index 71c412cc..d33a5b84 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/open-policy-agent/gatekeeper/v3 v3.17.1 github.com/orcaman/concurrent-map/v2 v2.0.1 github.com/pkg/errors v0.9.1 - github.com/pluralsh/console/go/client v1.22.6 + github.com/pluralsh/console/go/client v1.25.1 github.com/pluralsh/controller-reconcile-helper v0.1.0 github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34 github.com/pluralsh/polly v0.1.10 diff --git a/go.sum b/go.sum index f66d59d7..9c9ceaf8 100644 --- a/go.sum +++ b/go.sum @@ -1188,6 +1188,10 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pluralsh/console/go/client v1.22.6 h1:ECH+bJyhfywPd8lLUJWlruBjfuKp5WGQioCXT4RD0Fk= github.com/pluralsh/console/go/client v1.22.6/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k= +github.com/pluralsh/console/go/client v1.25.0 h1:Q4Q1gmO9b7vlyUuU+TkLOCImfJeNyyUCVdi/Z5hfj7M= +github.com/pluralsh/console/go/client v1.25.0/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k= +github.com/pluralsh/console/go/client v1.25.1 h1:XaCf0CH3TyPVM+Mf6xFKqz2Ysf+qs+qxL5GSTjZ7UkI= +github.com/pluralsh/console/go/client v1.25.1/go.mod h1:lpoWASYsM9keNePS3dpFiEisUHEfObIVlSL3tzpKn8k= github.com/pluralsh/controller-reconcile-helper v0.1.0 h1:BV3dYZFH5rn8ZvZjtpkACSv/GmLEtRftNQj/Y4ddHEo= github.com/pluralsh/controller-reconcile-helper v0.1.0/go.mod h1:RxAbvSB4/jkvx616krCdNQXPbpGJXW3J1L3rASxeFOA= github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34 h1:ab2PN+6if/Aq3/sJM0AVdy1SYuMAnq4g20VaKhTm/Bw= diff --git a/internal/controller/vulnerabilityreports_controller.go b/internal/controller/vulnerabilityreports_controller.go index e2b28427..982a0d53 100644 --- a/internal/controller/vulnerabilityreports_controller.go +++ b/internal/controller/vulnerabilityreports_controller.go @@ -6,6 +6,7 @@ import ( "strings" "time" + "github.com/aquasecurity/trivy-db/pkg/types" trivy "github.com/aquasecurity/trivy-operator/pkg/apis/aquasecurity/v1alpha1" cmap "github.com/orcaman/concurrent-map/v2" console "github.com/pluralsh/console/go/client" @@ -45,23 +46,23 @@ func (r *VulnerabilityReportReconciler) Reconcile(ctx context.Context, req ctrl. return ctrl.Result{}, nil } + var serviceId *string if len(vulnerabilityReport.OwnerReferences) > 0 { k8sObj, err := r.getObjectFromOwnerReference(ctx, vulnerabilityReport.OwnerReferences[0], vulnerabilityReport.Namespace) if err != nil { return ctrl.Result{}, err } - serviceID, ok := k8sObj.GetAnnotations()[inventory.OwningInventoryKey] - if !ok { - return ctrl.Result{}, nil + svcId, ok := k8sObj.GetAnnotations()[inventory.OwningInventoryKey] + if ok { + serviceId = lo.ToPtr(svcId) } - r.reports.Set(req.NamespacedName.String(), createAttribute(vulnerabilityReport, serviceID)) - } + r.reports.Set(req.NamespacedName.String(), createVulnAttributes(vulnerabilityReport, serviceId)) return ctrl.Result{}, nil } -func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID string) console.VulnerabilityReportAttributes { +func createVulnAttributes(vulnerabilityReport *trivy.VulnerabilityReport, serviceID *string) console.VulnerabilityReportAttributes { var namespaces []*console.NamespaceVulnAttributes var vulnerabilityAttributes []*console.VulnerabilityAttributes os := &console.VulnOsAttributes{ @@ -91,11 +92,13 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s format = "%s/%s@%s" } artifactURL := fmt.Sprintf(format, vulnerabilityReport.Report.Registry.Server, vulnerabilityReport.Report.Artifact.Repository, tag) - services := []*console.ServiceVulnAttributes{ - { - ServiceID: serviceID, - }, + services := []*console.ServiceVulnAttributes{} + if serviceID != nil { + services = append(services, &console.ServiceVulnAttributes{ + ServiceID: *serviceID, + }) } + if vulnerabilityReport.Namespace != "" { namespaces = []*console.NamespaceVulnAttributes{ { @@ -113,6 +116,7 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s Score: v.Score, Title: lo.ToPtr(v.Title), Description: lo.ToPtr(v.Description), + Cvss: parseCvss(v.CVSS), CvssSource: lo.ToPtr(v.CVSSSource), PrimaryLink: lo.ToPtr(v.PrimaryLink), Links: algorithms.Map(v.Links, func(s string) *string { return &s }), @@ -141,6 +145,29 @@ func createAttribute(vulnerabilityReport *trivy.VulnerabilityReport, serviceID s } } +func parseCvss(cvss types.VendorCVSS) *console.CvssBundleAttributes { + result := &console.CvssBundleAttributes{} + if cvss == nil { + return result + } + + if nvidia, ok := cvss["nvidia"]; ok { + result.Nvidia = &console.CvssAttributes{ + V3Vector: lo.ToPtr(nvidia.V3Vector), + V3Score: lo.ToPtr(nvidia.V3Score), + } + } + + if redhat, ok := cvss["redhat"]; ok { + result.Redhat = &console.CvssAttributes{ + V3Vector: lo.ToPtr(redhat.V3Vector), + V3Score: lo.ToPtr(redhat.V3Score), + } + } + + return result +} + func (r *VulnerabilityReportReconciler) getObjectFromOwnerReference(ctx context.Context, ref v1.OwnerReference, namespace string) (*unstructured.Unstructured, error) { gv, err := apiVersionToGroupVersion(ref.APIVersion) if err != nil {