Modified to check the expiration time of the allowlist when determining the vulnerability of an artifact (#18106)
Signed-off-by: hyeyoung-lee <hyeyoung.lee@nhn.com>
This commit is contained in:
parent
1238384428
commit
2c287cf27a
@ -483,7 +483,7 @@ func (de *defaultEnforcer) startTask(ctx context.Context, executionID int64, can
|
|||||||
|
|
||||||
// getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
|
// getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
|
||||||
func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *proModels.Project, art *artifact.Artifact) (uint, error) {
|
func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *proModels.Project, art *artifact.Artifact) (uint, error) {
|
||||||
vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet())
|
vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet(), p.CVEAllowlist.IsExpired())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if errors.IsNotFoundErr(err) {
|
if errors.IsNotFoundErr(err) {
|
||||||
// no vulnerability report
|
// no vulnerability report
|
||||||
|
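Review bot: The new argument `p.CVEAllowlist.IsExpired()` evaluates the expiry of the project's own allowlist object, and it is not visible in this hunk whether `p.CVEAllowlist` already holds the system-level allowlist when the project is configured to reuse it; if the project controller substitutes the system list elsewhere, the expiry being checked may belong to a different list than the one whose `CVESet()` is passed on the same line. Worth confirming against the project loader, and once confirmed recording it as `// CVESet() and IsExpired() are read from the same (effective) allowlist` above the call. The body of getVulnerabilitySev continues past the end of this hunk.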
@ -111,6 +111,7 @@ func (suite *EnforcerTestSuite) SetupSuite() {
|
|||||||
context.TODO(),
|
context.TODO(),
|
||||||
mock.AnythingOfType("*artifact.Artifact"),
|
mock.AnythingOfType("*artifact.Artifact"),
|
||||||
mock.AnythingOfType("models.CVESet"),
|
mock.AnythingOfType("models.CVESet"),
|
||||||
|
mock.AnythingOfType("bool"),
|
||||||
).Return(&scan.Vulnerable{Severity: &low, ScanStatus: "Success"}, nil)
|
).Return(&scan.Vulnerable{Severity: &low, ScanStatus: "Success"}, nil)
|
||||||
|
|
||||||
fakeProCtl := &project.Controller{}
|
fakeProCtl := &project.Controller{}
|
||||||
|
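Review bot: The updated expectation matches `mock.AnythingOfType("bool")`, so the suite still passes no matter which value the enforcer passes for the expiry flag, and the behaviour the commit introduces has no coverage in this file. A second expectation that sets an expired allowlist on the fake project and requires the flag to be `true`, e.g. `mock.MatchedBy(func(expired bool) bool { return expired })`, would pin the new path. The `On(...)` expectation these argument matchers belong to starts before the hunk, so the method name being stubbed is inferred, not visible.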
@ -755,7 +755,7 @@ func (bc *basicController) DeleteReports(ctx context.Context, digests ...string)
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error) {
|
func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error) {
|
||||||
if artifact == nil {
|
if artifact == nil {
|
||||||
return nil, errors.New("no way to get vulnerable for nil artifact")
|
return nil, errors.New("no way to get vulnerable for nil artifact")
|
||||||
}
|
}
|
||||||
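Review bot: The new `allowlistIsExpired bool` parameter is fail-open by construction: its zero value `false` re-enables every bypass in the allowlist, so any future caller that forgets to compute it silently restores the behaviour this commit fixes. That risk is worth stating on the method, which currently carries no doc comment of its own; I would add `// GetVulnerable … allowlistIsExpired must be true once the allowlist's expiry has passed; an expired allowlist bypasses no CVE.` directly above the signature. GetVulnerable's body runs well past this hunk.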
@ -816,7 +816,7 @@ func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artif
|
|||||||
var severity vuln.Severity
|
var severity vuln.Severity
|
||||||
|
|
||||||
for _, v := range vuls {
|
for _, v := range vuls {
|
||||||
if allowlist.Contains(v.ID) {
|
if !allowlistIsExpired && allowlist.Contains(v.ID) {
|
||||||
// Append the by passed CVEs specified in the allowlist
|
// Append the by passed CVEs specified in the allowlist
|
||||||
vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)
|
vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)
|
||||||
|
|
||||||
|
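Review bot: The new condition `!allowlistIsExpired && allowlist.Contains(v.ID)` is correct in the safe direction (an expired list bypasses nothing and every finding counts toward severity), but that intent is only recoverable from the parameter name. A one-line comment above it, `// an expired allowlist grants no bypass, so every CVE counts toward severity`, would make the fail-closed choice explicit for the next reader. The flag is constant for the whole call, so the `for` loop re-tests it per finding; harmless, but the rest of the loop body is outside this hunk so I cannot see whether a pre-loop hoist fits.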
@ -120,9 +120,11 @@ type Controller interface {
|
|||||||
// Arguments:
|
// Arguments:
|
||||||
// ctx context.Context : the context for this method
|
// ctx context.Context : the context for this method
|
||||||
// artifact *artifact.Artifact : artifact to be scanned
|
// artifact *artifact.Artifact : artifact to be scanned
|
||||||
|
// allowlist map[string]struct{} : the set of CVE id of the items in the allowlist
|
||||||
|
// allowlistIsExpired bool : whether the allowlist is expired
|
||||||
//
|
//
|
||||||
// Returns
|
// Returns
|
||||||
// *Vulnerable : the vulnerable
|
// *Vulnerable : the vulnerable
|
||||||
// error : non nil error if any errors occurred
|
// error : non nil error if any errors occurred
|
||||||
GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error)
|
GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error)
|
||||||
}
|
}
|
||||||
|
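Review bot: The added documentation line describes `allowlist` as `map[string]struct{}` while the signature two lines below declares it as `allowlist.CVESet`, and the `allowlistIsExpired` line does not say what the flag changes. I would write `// allowlist allowlist.CVESet : the set of CVE IDs in the allowlist` and `// allowlistIsExpired bool : true when the allowlist has expired; an expired allowlist bypasses no CVE`, so the contract callers must honour is on the interface rather than only in the implementation.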
@ -94,7 +94,7 @@ func Middleware() func(http.Handler) http.Handler {
|
|||||||
|
|
||||||
projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())
|
projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())
|
||||||
|
|
||||||
vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist)
|
vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist, proj.CVEAllowlist.IsExpired())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if errors.IsNotFoundErr(err) {
|
if errors.IsNotFoundErr(err) {
|
||||||
// No report yet?
|
// No report yet?
|
||||||
|
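Review bot: The `allowlist` value passed on the new line is computed above the hunk, while the expiry is taken from `proj.CVEAllowlist` on the same line, so the two inputs are derived separately and can diverge if `allowlist` was built from another object (for example a system allowlist merged in earlier). If they are meant to be the same list, reading both from one variable, e.g. `al := proj.CVEAllowlist` and then `scanController.GetVulnerable(ctx, art, al.CVESet(), al.IsExpired())`, removes the ambiguity. The middleware body both starts and ends outside this hunk, so where `allowlist` comes from is not visible here.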
@ -111,13 +111,13 @@ func (_m *Controller) GetSummary(ctx context.Context, _a1 *artifact.Artifact, mi
|
|||||||
return r0, r1
|
return r0, r1
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetVulnerable provides a mock function with given fields: ctx, _a1, allowlist
|
// GetVulnerable provides a mock function with given fields: ctx, _a1, allowlist, allowlistIsExpired
|
||||||
func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact, allowlist models.CVESet) (*scan.Vulnerable, error) {
|
func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact, allowlist models.CVESet, allowlistIsExpired bool) (*scan.Vulnerable, error) {
|
||||||
ret := _m.Called(ctx, _a1, allowlist)
|
ret := _m.Called(ctx, _a1, allowlist, allowlistIsExpired)
|
||||||
|
|
||||||
var r0 *scan.Vulnerable
|
var r0 *scan.Vulnerable
|
||||||
if rf, ok := ret.Get(0).(func(context.Context, *artifact.Artifact, models.CVESet) *scan.Vulnerable); ok {
|
if rf, ok := ret.Get(0).(func(context.Context, *artifact.Artifact, models.CVESet, bool) *scan.Vulnerable); ok {
|
||||||
r0 = rf(ctx, _a1, allowlist)
|
r0 = rf(ctx, _a1, allowlist, allowlistIsExpired)
|
||||||
} else {
|
} else {
|
||||||
if ret.Get(0) != nil {
|
if ret.Get(0) != nil {
|
||||||
r0 = ret.Get(0).(*scan.Vulnerable)
|
r0 = ret.Get(0).(*scan.Vulnerable)
|
||||||
@ -125,8 +125,8 @@ func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact,
|
|||||||
}
|
}
|
||||||
|
|
||||||
var r1 error
|
var r1 error
|
||||||
if rf, ok := ret.Get(1).(func(context.Context, *artifact.Artifact, models.CVESet) error); ok {
|
if rf, ok := ret.Get(1).(func(context.Context, *artifact.Artifact, models.CVESet, bool) error); ok {
|
||||||
r1 = rf(ctx, _a1, allowlist)
|
r1 = rf(ctx, _a1, allowlist, allowlistIsExpired)
|
||||||
} else {
|
} else {
|
||||||
r1 = ret.Error(1)
|
r1 = ret.Error(1)
|
||||||
}
|
}
|
||||||
|