(cherry-pick) Refine total artifact and scanned artifact (#19229)

Refine total artifact and scanned artifact Artifact include all accessory, child artifact fixes #19215 Signed-off-by: stonezdj <daojunz@vmware.com>
2023-08-22 16:03:47 +08:00 · 2023-08-22 16:03:47 +08:00 · 63668282db
parent 90e526e2b9
commit 63668282db
2 changed files with 9 additions and 30 deletions
--- a/src/pkg/securityhub/dao/security.go
+++ b/src/pkg/securityhub/dao/security.go
@ -48,38 +48,16 @@ where a.digest = s.digest
 order by s.critical_cnt desc, s.high_cnt desc, s.medium_cnt desc, s.low_cnt desc
 limit 5`

-	// sql to query the total artifact count,
-	// 1. exclude the artifact accessory,
-	// 2. exclude child artifact without tag
-	// 3. include top level artifact in image index
-	// The totalArtifactCountSQL and scannedArtifactCountSQL should use the same criteria to filter the artifact
-	totalArtifactCountSQL = `SELECT COUNT(1)
-FROM artifact a
-WHERE NOT EXISTS (select 1 from artifact_accessory acc WHERE acc.artifact_id = a.id)
-  AND (EXISTS (SELECT 1 FROM tag WHERE tag.artifact_id = a.id)
-    OR NOT EXISTS (SELECT 1 FROM artifact_reference ref WHERE ref.child_id = a.id))`
+	// sql to query the total artifact count, include all artifacts in the artifact table
+	totalArtifactCountSQL = `SELECT COUNT(1) FROM artifact`

-	// sql to query the scanned artifact count,
-	// exclude the artifact accessory, and child artifact in image index (without tag),
-	// include the image index artifact which at least one child artifact is scanned
+	// sql to query the scanned artifact count, include all artifacts in the artifact table
 	scannedArtifactCountSQL = `SELECT COUNT(1)
 FROM artifact a
 WHERE EXISTS (SELECT 1
              FROM scan_report s
              WHERE a.digest = s.digest
-                AND s.registration_uuid = ?)
-    -- exclude artifact accessory
-    AND NOT EXISTS (SELECT 1 FROM artifact_accessory acc WHERE acc.artifact_id = a.id)
-    -- not a child without tag
-    AND NOT EXISTS (SELECT 1 FROM artifact_reference WHERE child_id = a.id AND NOT EXISTS (SELECT 1 FROM tag WHERE artifact_id = a.id))
-    -- include image index which is scanned
-    OR EXISTS (SELECT 1
-              FROM scan_report s,
-                   artifact_reference ref
-              WHERE s.digest = ref.child_digest
-                AND ref.parent_id = a.id AND s.registration_uuid = ?  AND NOT EXISTS (SELECT 1
-                                                                                      FROM scan_report s
-                                                                                      WHERE s.digest = a.digest and s.registration_uuid = ?))`
+                AND s.registration_uuid = ?)`

 	// sql to query the dangerous CVEs
 	// sort the CVEs by CVSS score and severity level, make sure it is referred by a report
@ -268,7 +246,7 @@ func (d *dao) ScannedArtifactsCount(ctx context.Context, scannerUUID string, pro
 	if err != nil {
 		return cnt, err
 	}
-	err = o.Raw(scannedArtifactCountSQL, scannerUUID, scannerUUID, scannerUUID).QueryRow(&cnt)
+	err = o.Raw(scannedArtifactCountSQL, scannerUUID).QueryRow(&cnt)
 	return cnt, err
 }
 func (d *dao) DangerousCVEs(ctx context.Context, scannerUUID string, projectID int64, query *q.Query) ([]*scan.VulnerabilityRecord, error) {
--- a/src/pkg/securityhub/dao/security_test.go
+++ b/src/pkg/securityhub/dao/security_test.go
@ -79,9 +79,9 @@ func (suite *SecurityDaoTestSuite) TearDownTest() {
 	testDao.ExecuteBatchSQL([]string{
 		`delete from scan_report where uuid = 'uuid'`,
 		`delete from tag where id = 1001`,
-		`delete from artifact where digest = 'digest1001'`,
 		`delete from artifact_accessory where id = 1001`,
 		`delete from artifact_reference where id = 1001`,
+		`delete from artifact where digest = 'digest1001'`,
 		`delete from scanner_registration where uuid='ruuid'`,
 		`delete from scanner_registration where uuid='uuid2'`,
 		`delete from vulnerability_record where cve_id='2023-4567-12345'`,
@ -149,7 +149,7 @@ func Test_checkQFilter(t *testing.T) {
 	}
 }

-func (suite *SecurityDaoTestSuite) TestExacthMatchFilter() {
+func (suite *SecurityDaoTestSuite) TestExactMatchFilter() {
 	type args struct {
 		ctx   context.Context
 		key   string
@ -199,7 +199,8 @@ func (suite *SecurityDaoTestSuite) TestRangeFilter() {
 func (suite *SecurityDaoTestSuite) TestCountArtifact() {
 	count, err := suite.dao.TotalArtifactsCount(suite.Context(), 0)
 	suite.NoError(err)
-	suite.Equal(int64(1), count)
+	// includes artifact_accessory(1), child artifact of image index(1), image index(1)
+	suite.Equal(int64(3), count)
 }
 func (suite *SecurityDaoTestSuite) TestCountVul() {
 	count, err := suite.dao.CountVulnerabilities(suite.Context(), "ruuid", 0, true, nil)