Merge pull request #9686 from heww/fix-project-severity-mapping

fix(policy-checker): add func to transform project severity to vuln.Severity
2024-06-26 23:05:04 +02:00 · 2019-11-01 11:12:13 +08:00 · 2019-11-01 11:12:13 +08:00 · a928928a43
commit a928928a43
parent a21349fc66 ae8931e816
4 changed files with 29 additions and 11 deletions
--- a/src/common/models/pro_meta.go
+++ b/src/common/models/pro_meta.go
@ -26,7 +26,7 @@ const (
 	ProMetaSeverity             = "severity"
 	ProMetaAutoScan             = "auto_scan"
 	ProMetaReuseSysCVEWhitelist = "reuse_sys_cve_whitelist"
-	SeverityNone                = "negligible"
+	SeverityNegligible          = "negligible"
 	SeverityLow                 = "low"
 	SeverityMedium              = "medium"
 	SeverityHigh                = "high"
--- a/src/core/api/metadata.go
+++ b/src/core/api/metadata.go
@ -231,7 +231,7 @@ func validateProjectMetadata(metas map[string]string) (map[string]string, error)
 	value, exist := metas[models.ProMetaSeverity]
 	if exist {
 		switch strings.ToLower(value) {
-		case models.SeverityHigh, models.SeverityMedium, models.SeverityLow, models.SeverityNone:
+		case models.SeverityHigh, models.SeverityMedium, models.SeverityLow, models.SeverityNegligible:
 			metas[models.ProMetaSeverity] = strings.ToLower(value)
 		default:
 			return nil, fmt.Errorf("invalid severity %s", value)
--- a/src/core/middlewares/util/util.go
+++ b/src/core/middlewares/util/util.go
@ -366,27 +366,28 @@ func (pc PmsPolicyChecker) VulnerablePolicy(name string) (bool, vuln.Severity, m
 		log.Errorf("Unexpected error when getting the project, error: %v", err)
 		return true, vuln.Unknown, wl
 	}
+
 	mgr := whitelist.NewDefaultManager()
 	if project.ReuseSysCVEWhitelist() {
 		w, err := mgr.GetSys()
 		if err != nil {
 			log.Error(errors.Wrap(err, "policy checker: vulnerable policy"))
-			return project.VulPrevented(), vuln.Severity(project.Severity()), wl
-		}
-		wl = *w
+		} else {
+			wl = *w

-		// Use the real project ID
-		wl.ProjectID = project.ProjectID
+			// Use the real project ID
+			wl.ProjectID = project.ProjectID
+		}
 	} else {
 		w, err := mgr.Get(project.ProjectID)
 		if err != nil {
 			log.Error(errors.Wrap(err, "policy checker: vulnerable policy"))
-			return project.VulPrevented(), vuln.Severity(project.Severity()), wl
+		} else {
+			wl = *w
 		}
-		wl = *w
 	}
-	return project.VulPrevented(), vuln.Severity(project.Severity()), wl

+	return project.VulPrevented(), getProjectVulnSeverity(project), wl
 }

 // NewPMSPolicyChecker returns an instance of an pmsPolicyChecker
@ -561,3 +562,20 @@ func ParseManifestInfoFromPath(req *http.Request) (*ManifestInfo, error) {

 	return info, nil
 }
+
+func getProjectVulnSeverity(project *models.Project) vuln.Severity {
+	mp := map[string]vuln.Severity{
+		models.SeverityNegligible: vuln.Negligible,
+		models.SeverityLow:        vuln.Low,
+		models.SeverityMedium:     vuln.Medium,
+		models.SeverityHigh:       vuln.High,
+		models.SeverityCritical:   vuln.Critical,
+	}
+
+	severity, ok := mp[project.Severity()]
+	if !ok {
+		return vuln.Unknown
+	}
+
+	return severity
+}
--- a/src/core/middlewares/util/util_test.go
+++ b/src/core/middlewares/util/util_test.go
@ -171,7 +171,7 @@ func TestPMSPolicyChecker(t *testing.T) {
 		Metadata: map[string]string{
 			models.ProMetaEnableContentTrust:   "true",
 			models.ProMetaPreventVul:           "true",
-			models.ProMetaSeverity:             "Low",
+			models.ProMetaSeverity:             "low", // validateProjectMetadata function make the severity to lowercase
 			models.ProMetaReuseSysCVEWhitelist: "false",
 		},
 	})