Modified to check the expiration time of the allowlist when determining the vulnerability of an artifact (#18106)

Signed-off-by: hyeyoung-lee <hyeyoung.lee@nhn.com>
This commit is contained in:
hyeyoung-leee 2023-03-08 12:25:40 +09:00 committed by GitHub
parent 1238384428
commit 2c287cf27a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 15 additions and 12 deletions


@ -483,7 +483,7 @@ func (de *defaultEnforcer) startTask(ctx context.Context, executionID int64, can
// getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *proModels.Project, art *artifact.Artifact) (uint, error) {
vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet())
vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet(), p.CVEAllowlist.IsExpired())
if err != nil {
if errors.IsNotFoundErr(err) {
// no vulnerability report


@ -111,6 +111,7 @@ func (suite *EnforcerTestSuite) SetupSuite() {
context.TODO(),
mock.AnythingOfType("*artifact.Artifact"),
mock.AnythingOfType("models.CVESet"),
mock.AnythingOfType("bool"),
).Return(&scan.Vulnerable{Severity: &low, ScanStatus: "Success"}, nil)
fakeProCtl := &project.Controller{}
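Review bot: The new `mock.AnythingOfType("bool")` matcher accepts either value for the expiry flag, so this suite still never exercises the expired-allowlist path the commit introduces; the enforcer test passes identically whether the flag is true or false. A dedicated case in the scan controller tests that calls GetVulnerable with `allowlistIsExpired` true and asserts that `vulnerable.CVEBypassed` is empty and the severity reflects the listed CVE would pin the new behavior. SetupSuite starts before and continues after this hunk.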


@ -755,7 +755,7 @@ func (bc *basicController) DeleteReports(ctx context.Context, digests ...string)
return nil
}
func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error) {
func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error) {
if artifact == nil {
return nil, errors.New("no way to get vulnerable for nil artifact")
}
@ -816,7 +816,7 @@ func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artif
var severity vuln.Severity
for _, v := range vuls {
if allowlist.Contains(v.ID) {
if !allowlistIsExpired && allowlist.Contains(v.ID) {
// Append the by passed CVEs specified in the allowlist
vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)
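Review bot: The `allowlistIsExpired` flag added to GetVulnerable duplicates state that every caller must derive from the same allowlist object it took the CVE set from, so a caller that pairs the set from one allowlist with the expiry of another, or simply passes false, keeps bypassing CVEs with no error; in the second hunk the flag is also re-tested on every loop iteration although it is loop-invariant. A more robust shape is to decide once before the loop, e.g. `if allowlistIsExpired { allowlist = nil }` (safe if CVESet is the map type the interface comment describes, since reading a nil map is fine) or to take the allowlist model itself so the expiry decision lives in one place. Either way the function's doc comment should state that an expired allowlist bypasses nothing. Both hunks sit inside GetVulnerable, whose body continues outside them.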


@ -120,9 +120,11 @@ type Controller interface {
// Arguments:
// ctx context.Context : the context for this method
// artifact *artifact.Artifact : artifact to be scanned
// allowlist map[string]struct{} : the set of CVE id of the items in the allowlist
// allowlistIsExpired bool : whether the allowlist is expired
//
// Returns
// *Vulnerable : the vulnerable
// error : non nil error if any errors occurred
GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error)
GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error)
}
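Review bot: The new doc line for `allowlistIsExpired` only restates the parameter name; callers need the effect, which is the contract the new argument introduces: `// allowlistIsExpired bool : whether the allowlist is expired; when true the allowlist is ignored and no CVE is bypassed`. The line above it still documents `allowlist` as `map[string]struct{}` while the signature uses `allowlist.CVESet`, which is worth aligning while this comment is being touched.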


@ -94,7 +94,7 @@ func Middleware() func(http.Handler) http.Handler {
projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())
vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist)
vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist, proj.CVEAllowlist.IsExpired())
if err != nil {
if errors.IsNotFoundErr(err) {
// No report yet?
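Review bot: The expiry flag on the new GetVulnerable call is read from `proj.CVEAllowlist`, while the `allowlist` set passed next to it is computed above the hunk; if that set can be taken from a different source than `proj.CVEAllowlist` (for example a system-wide allowlist the project is configured to reuse), the expiry of the wrong allowlist is checked and an expired shared allowlist would keep bypassing CVEs. If so, derive both values from the one allowlist that was selected, e.g. keep it in a local and pass `selected.CVESet(), selected.IsExpired()`. The enclosing handler closure starts and ends outside the hunk.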


@ -111,13 +111,13 @@ func (_m *Controller) GetSummary(ctx context.Context, _a1 *artifact.Artifact, mi
return r0, r1
}
// GetVulnerable provides a mock function with given fields: ctx, _a1, allowlist
func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact, allowlist models.CVESet) (*scan.Vulnerable, error) {
ret := _m.Called(ctx, _a1, allowlist)
// GetVulnerable provides a mock function with given fields: ctx, _a1, allowlist, allowlistIsExpired
func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact, allowlist models.CVESet, allowlistIsExpired bool) (*scan.Vulnerable, error) {
ret := _m.Called(ctx, _a1, allowlist, allowlistIsExpired)
var r0 *scan.Vulnerable
if rf, ok := ret.Get(0).(func(context.Context, *artifact.Artifact, models.CVESet) *scan.Vulnerable); ok {
r0 = rf(ctx, _a1, allowlist)
if rf, ok := ret.Get(0).(func(context.Context, *artifact.Artifact, models.CVESet, bool) *scan.Vulnerable); ok {
r0 = rf(ctx, _a1, allowlist, allowlistIsExpired)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).(*scan.Vulnerable)
@ -125,8 +125,8 @@ func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact,
}
var r1 error
if rf, ok := ret.Get(1).(func(context.Context, *artifact.Artifact, models.CVESet) error); ok {
r1 = rf(ctx, _a1, allowlist)
if rf, ok := ret.Get(1).(func(context.Context, *artifact.Artifact, models.CVESet, bool) error); ok {
r1 = rf(ctx, _a1, allowlist, allowlistIsExpired)
} else {
r1 = ret.Error(1)
}