Modified to check the expiration time of the allowlist when determining the vulnerability of an artifact (#18106)

Signed-off-by: hyeyoung-lee <hyeyoung.lee@nhn.com>
2023-03-08 12:25:40 +09:00 · 2023-03-08 12:25:40 +09:00 · 2c287cf27a
parent 1238384428
commit 2c287cf27a
6 changed files with 15 additions and 12 deletions
--- a/src/controller/p2p/preheat/enforcer.go
+++ b/src/controller/p2p/preheat/enforcer.go
@ -483,7 +483,7 @@ func (de *defaultEnforcer) startTask(ctx context.Context, executionID int64, can

 // getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
 func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *proModels.Project, art *artifact.Artifact) (uint, error) {
-	vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet())
+	vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet(), p.CVEAllowlist.IsExpired())
 	if err != nil {
 		if errors.IsNotFoundErr(err) {
 			// no vulnerability report
--- a/src/controller/p2p/preheat/enforcer_test.go
+++ b/src/controller/p2p/preheat/enforcer_test.go
@ -111,6 +111,7 @@ func (suite *EnforcerTestSuite) SetupSuite() {
 		context.TODO(),
 		mock.AnythingOfType("*artifact.Artifact"),
 		mock.AnythingOfType("models.CVESet"),
+		mock.AnythingOfType("bool"),
 	).Return(&scan.Vulnerable{Severity: &low, ScanStatus: "Success"}, nil)

 	fakeProCtl := &project.Controller{}
--- a/src/controller/scan/base_controller.go
+++ b/src/controller/scan/base_controller.go
@ -755,7 +755,7 @@ func (bc *basicController) DeleteReports(ctx context.Context, digests ...string)
 	return nil
 }

-func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error) {
+func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error) {
 	if artifact == nil {
 		return nil, errors.New("no way to get vulnerable for nil artifact")
 	}
@ -816,7 +816,7 @@ func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artif
 		var severity vuln.Severity

 		for _, v := range vuls {
-			if allowlist.Contains(v.ID) {
+			if !allowlistIsExpired && allowlist.Contains(v.ID) {
 				// Append the by passed CVEs specified in the allowlist
 				vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)

--- a/src/controller/scan/controller.go
+++ b/src/controller/scan/controller.go
@ -120,9 +120,11 @@ type Controller interface {
 	//   Arguments:
 	//     ctx context.Context : the context for this method
 	//     artifact *artifact.Artifact : artifact to be scanned
+	//     allowlist map[string]struct{} : the set of CVE id of the items in the allowlist
+	//     allowlistIsExpired bool : whether the allowlist is expired
 	//
 	//   Returns
 	//      *Vulnerable : the vulnerable
 	//     error        : non nil error if any errors occurred
-	GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error)
+	GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error)
 }
--- a/src/server/middleware/vulnerable/vulnerable.go
+++ b/src/server/middleware/vulnerable/vulnerable.go
@ -94,7 +94,7 @@ func Middleware() func(http.Handler) http.Handler {

 		projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())

-		vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist)
+		vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist, proj.CVEAllowlist.IsExpired())
 		if err != nil {
 			if errors.IsNotFoundErr(err) {
 				// No report yet?
--- a/src/testing/controller/scan/controller.go
+++ b/src/testing/controller/scan/controller.go
@ -111,13 +111,13 @@ func (_m *Controller) GetSummary(ctx context.Context, _a1 *artifact.Artifact, mi
 	return r0, r1
 }

-// GetVulnerable provides a mock function with given fields: ctx, _a1, allowlist
-func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact, allowlist models.CVESet) (*scan.Vulnerable, error) {
-	ret := _m.Called(ctx, _a1, allowlist)
+// GetVulnerable provides a mock function with given fields: ctx, _a1, allowlist, allowlistIsExpired
+func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact, allowlist models.CVESet, allowlistIsExpired bool) (*scan.Vulnerable, error) {
+	ret := _m.Called(ctx, _a1, allowlist, allowlistIsExpired)

 	var r0 *scan.Vulnerable
-	if rf, ok := ret.Get(0).(func(context.Context, *artifact.Artifact, models.CVESet) *scan.Vulnerable); ok {
-		r0 = rf(ctx, _a1, allowlist)
+	if rf, ok := ret.Get(0).(func(context.Context, *artifact.Artifact, models.CVESet, bool) *scan.Vulnerable); ok {
+		r0 = rf(ctx, _a1, allowlist, allowlistIsExpired)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*scan.Vulnerable)
@ -125,8 +125,8 @@ func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact,
 	}

 	var r1 error
-	if rf, ok := ret.Get(1).(func(context.Context, *artifact.Artifact, models.CVESet) error); ok {
-		r1 = rf(ctx, _a1, allowlist)
+	if rf, ok := ret.Get(1).(func(context.Context, *artifact.Artifact, models.CVESet, bool) error); ok {
+		r1 = rf(ctx, _a1, allowlist, allowlistIsExpired)
 	} else {
 		r1 = ret.Error(1)
 	}