Merge pull request #9686 from heww/fix-project-severity-mapping
fix(policy-checker): add func to transform project severity to vuln.Severity
commit
a928928a43
@ -26,7 +26,7 @@ const (
|
|||||||
ProMetaSeverity = "severity"
|
ProMetaSeverity = "severity"
|
||||||
ProMetaAutoScan = "auto_scan"
|
ProMetaAutoScan = "auto_scan"
|
||||||
ProMetaReuseSysCVEWhitelist = "reuse_sys_cve_whitelist"
|
ProMetaReuseSysCVEWhitelist = "reuse_sys_cve_whitelist"
|
||||||
SeverityNone = "negligible"
|
SeverityNegligible = "negligible"
|
||||||
SeverityLow = "low"
|
SeverityLow = "low"
|
||||||
SeverityMedium = "medium"
|
SeverityMedium = "medium"
|
||||||
SeverityHigh = "high"
|
SeverityHigh = "high"
|
||||||
|
@ -231,7 +231,7 @@ func validateProjectMetadata(metas map[string]string) (map[string]string, error)
|
|||||||
value, exist := metas[models.ProMetaSeverity]
|
value, exist := metas[models.ProMetaSeverity]
|
||||||
if exist {
|
if exist {
|
||||||
switch strings.ToLower(value) {
|
switch strings.ToLower(value) {
|
||||||
case models.SeverityHigh, models.SeverityMedium, models.SeverityLow, models.SeverityNone:
|
case models.SeverityHigh, models.SeverityMedium, models.SeverityLow, models.SeverityNegligible:
|
||||||
metas[models.ProMetaSeverity] = strings.ToLower(value)
|
metas[models.ProMetaSeverity] = strings.ToLower(value)
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("invalid severity %s", value)
|
return nil, fmt.Errorf("invalid severity %s", value)
|
||||||
|
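Review bot: The accepted set in the `case` line in the middle of the hunk now lists negligible, low, medium and high but omits `models.SeverityCritical`, which the new getProjectVulnSeverity helper in this same commit maps to vuln.Critical; a project whose severity metadata is "critical" is rejected here with `invalid severity`, so that map entry is unreachable through validated metadata. If that omission is deliberate (for example the threshold UI does not offer critical), a one-line comment on the case saying so would stop the next reader from "fixing" it; otherwise append `models.SeverityCritical` to the case list. validateProjectMetadata's signature and the rest of its body lie outside the hunk.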
@ -366,27 +366,28 @@ func (pc PmsPolicyChecker) VulnerablePolicy(name string) (bool, vuln.Severity, m
|
|||||||
log.Errorf("Unexpected error when getting the project, error: %v", err)
|
log.Errorf("Unexpected error when getting the project, error: %v", err)
|
||||||
return true, vuln.Unknown, wl
|
return true, vuln.Unknown, wl
|
||||||
}
|
}
|
||||||
|
|
||||||
mgr := whitelist.NewDefaultManager()
|
mgr := whitelist.NewDefaultManager()
|
||||||
if project.ReuseSysCVEWhitelist() {
|
if project.ReuseSysCVEWhitelist() {
|
||||||
w, err := mgr.GetSys()
|
w, err := mgr.GetSys()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(errors.Wrap(err, "policy checker: vulnerable policy"))
|
log.Error(errors.Wrap(err, "policy checker: vulnerable policy"))
|
||||||
return project.VulPrevented(), vuln.Severity(project.Severity()), wl
|
} else {
|
||||||
}
|
wl = *w
|
||||||
wl = *w
|
|
||||||
|
|
||||||
// Use the real project ID
|
// Use the real project ID
|
||||||
wl.ProjectID = project.ProjectID
|
wl.ProjectID = project.ProjectID
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
w, err := mgr.Get(project.ProjectID)
|
w, err := mgr.Get(project.ProjectID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Error(errors.Wrap(err, "policy checker: vulnerable policy"))
|
log.Error(errors.Wrap(err, "policy checker: vulnerable policy"))
|
||||||
return project.VulPrevented(), vuln.Severity(project.Severity()), wl
|
} else {
|
||||||
|
wl = *w
|
||||||
}
|
}
|
||||||
wl = *w
|
|
||||||
}
|
}
|
||||||
return project.VulPrevented(), vuln.Severity(project.Severity()), wl
|
|
||||||
|
|
||||||
|
return project.VulPrevented(), getProjectVulnSeverity(project), wl
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewPMSPolicyChecker returns an instance of an pmsPolicyChecker
|
// NewPMSPolicyChecker returns an instance of an pmsPolicyChecker
|
||||||
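Review bot: The restructured error branches in both arms of `if project.ReuseSysCVEWhitelist()` now only log and fall through to the single final return, so a failed whitelist lookup yields the zero-value `wl` — no CVE is exempted while the project's prevention setting still applies. That is fail-closed and appears intended, but nothing in the code says so; add above the final return `// Fail closed: if the whitelist lookup above failed, wl is empty and no CVE is exempted for this check.` The two log.Error calls also emit the identical message `policy checker: vulnerable policy`, so the log cannot distinguish a system-whitelist failure from a project-whitelist failure; consider suffixing them with `: system whitelist` and `: project whitelist`. VulnerablePolicy starts before the hunk.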
@ -561,3 +562,20 @@ func ParseManifestInfoFromPath(req *http.Request) (*ManifestInfo, error) {
|
|||||||
|
|
||||||
return info, nil
|
return info, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getProjectVulnSeverity(project *models.Project) vuln.Severity {
|
||||||
|
mp := map[string]vuln.Severity{
|
||||||
|
models.SeverityNegligible: vuln.Negligible,
|
||||||
|
models.SeverityLow: vuln.Low,
|
||||||
|
models.SeverityMedium: vuln.Medium,
|
||||||
|
models.SeverityHigh: vuln.High,
|
||||||
|
models.SeverityCritical: vuln.Critical,
|
||||||
|
}
|
||||||
|
|
||||||
|
severity, ok := mp[project.Severity()]
|
||||||
|
if !ok {
|
||||||
|
return vuln.Unknown
|
||||||
|
}
|
||||||
|
|
||||||
|
return severity
|
||||||
|
}
|
||||||
|
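Review bot: The lookup `severity, ok := mp[project.Severity()]` is case-sensitive and silently yields vuln.Unknown for anything else, so it relies entirely on validateProjectMetadata having lowercased the value before it was stored; the test change in the last hunk (`"Low"` → `"low"`) shows exactly that dependency. Normalizing in the helper, `severity, ok := mp[strings.ToLower(project.Severity())]`, makes it robust to metadata written before the normalization existed or through another path (strings is already imported if this is the same file as validateProjectMetadata above). How vuln.Unknown is then ranked by the policy comparison is not visible here; if Unknown sorts below every threshold, a malformed stored value would quietly relax the check, so the `!ok` branch is worth an explicit log line naming the project and the unexpected value. The helper also has no doc comment; suggest `// getProjectVulnSeverity maps the project's severity metadata (models.Severity*) to a vuln.Severity, returning vuln.Unknown for unrecognised values.`, and the map literal could live in a package-level var rather than being rebuilt on every call.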
@ -171,7 +171,7 @@ func TestPMSPolicyChecker(t *testing.T) {
|
|||||||
Metadata: map[string]string{
|
Metadata: map[string]string{
|
||||||
models.ProMetaEnableContentTrust: "true",
|
models.ProMetaEnableContentTrust: "true",
|
||||||
models.ProMetaPreventVul: "true",
|
models.ProMetaPreventVul: "true",
|
||||||
models.ProMetaSeverity: "Low",
|
models.ProMetaSeverity: "low", // validateProjectMetadata function make the severity to lowercase
|
||||||
models.ProMetaReuseSysCVEWhitelist: "false",
|
models.ProMetaReuseSysCVEWhitelist: "false",
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
|