diff --git a/src/common/models/cve_allowlist.go b/src/common/models/cve_allowlist.go
index 9b1883324..928e69ade 100644
--- a/src/common/models/cve_allowlist.go
+++ b/src/common/models/cve_allowlist.go
@@ -14,7 +14,9 @@
 
 package models
 
-import "time"
+import (
+ "time"
+)
 
 // CVEAllowlist defines the data model for a CVE allowlist
 type CVEAllowlist struct {
@@ -38,8 +40,8 @@ func (c *CVEAllowlist) TableName() string {
 }
 
 // CVESet returns the set of CVE id of the items in the allowlist to help filter the vulnerability list
-func (c *CVEAllowlist) CVESet() map[string]struct{} {
- r := map[string]struct{}{}
+func (c *CVEAllowlist) CVESet() CVESet {
+ r := CVESet{}
 for _, it := range c.Items {
 r[it.CVEID] = struct{}{}
 }
@@ -53,3 +55,13 @@ func (c *CVEAllowlist) IsExpired() bool {
 }
 return time.Now().Unix() >= *c.ExpiresAt
 }
+
+// CVESet defines the CVE allowlist with a hash set way for easy query.
+type CVESet map[string]struct{}
+
+// Contains checks whether the specified CVE is in the set or not.
+func (cs CVESet) Contains(cve string) bool {
+ _, ok := cs[cve]
+
+ return ok
+}
diff --git a/src/common/models/cve_allowlist_test.go b/src/common/models/cve_allowlist_test.go
index 9d5c87b71..7d06c1884 100644
--- a/src/common/models/cve_allowlist_test.go
+++ b/src/common/models/cve_allowlist_test.go
@@ -15,10 +15,10 @@
 package models
 
 import (
- "github.com/stretchr/testify/assert"
- "reflect"
 "testing"
 "time"
+
+ "github.com/stretchr/testify/assert"
 )
 
 func TestCVEAllowlist_All(t *testing.T) {
@@ -26,7 +26,7 @@ func TestCVEAllowlist_All(t *testing.T) {
 now := time.Now().Unix()
 cases := []struct {
 input CVEAllowlist
- cveset map[string]struct{}
+ cveset CVESet
 expired bool
 }{
 {
@@ -35,7 +35,7 @@ func TestCVEAllowlist_All(t *testing.T) {
 ProjectID: 0,
 Items: []CVEAllowlistItem{},
 },
- cveset: map[string]struct{}{},
+ cveset: CVESet{},
 expired: false,
 },
 {
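Review bot: The rewritten `CVESet()` builds its result from `c.Items` alone and never looks at `ExpiresAt`, so an expired allowlist still yields its full set of IDs, and both call sites this commit touches (the preheat enforcer and the vulnerable middleware) hand that set straight to `report.WithCVEAllowlist` with no visible `IsExpired()` check. The doc comment should make the contract explicit: `// CVESet returns the CVE IDs of the allowlist items as a set. It does not honour ExpiresAt; callers enforcing policy must check IsExpired() themselves.` While here, `r := make(CVESet, len(c.Items))` pre-sizes the map, and note that the method and the new type now share the name `CVESet` inside one package, which is legal but easy to misread when `CVESet{}` and `c.CVESet()` sit a few lines apart.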
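Review bot: The newly exported `CVESet.Contains` gets no test in this commit; `cve_allowlist_test.go` only compares the map returned by `CVESet()`, so two lines such as `assert.True(t, CVESet{"CVE-1999-0067": {}}.Contains("CVE-1999-0067"))` and `assert.False(t, CVESet(nil).Contains("CVE-1999-0067"))` would cover the lookup, including the nil-set case that Go's map read semantics make safe. The lookup is an exact, case-sensitive string match with no normalisation of the ID, which is fine only if IDs are validated when they are written into the allowlist — that path is not visible here, so it is worth confirming rather than assuming. The moved doc comments read awkwardly; `// CVESet holds the allowlist's CVE IDs as a set for membership tests.` and `// Contains reports whether cve is in the set; a nil set contains nothing.` say the same more directly, and the blank line between `_, ok := cs[cve]` and `return ok` can go.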
@@ -45,7 +45,7 @@ func TestCVEAllowlist_All(t *testing.T) {
 Items: []CVEAllowlistItem{},
 ExpiresAt: &now,
 },
- cveset: map[string]struct{}{},
+ cveset: CVESet{},
 expired: true,
 },
 {
@@ -58,7 +58,7 @@ func TestCVEAllowlist_All(t *testing.T) {
 },
 ExpiresAt: &future,
 },
- cveset: map[string]struct{}{
+ cveset: CVESet{
 "CVE-1999-0067": {},
 "CVE-2016-7654321": {},
 },
@@ -67,6 +67,6 @@ func TestCVEAllowlist_All(t *testing.T) {
 }
 for _, c := range cases {
 assert.Equal(t, c.expired, c.input.IsExpired())
- assert.True(t, reflect.DeepEqual(c.cveset, c.input.CVESet()))
+ assert.Equal(t, c.cveset, c.input.CVESet())
 }
 }
diff --git a/src/controller/p2p/preheat/enforcer.go b/src/controller/p2p/preheat/enforcer.go
index c9fd55dd3..4e75b178d 100644
--- a/src/controller/p2p/preheat/enforcer.go
+++ b/src/controller/p2p/preheat/enforcer.go
@@ -476,7 +476,7 @@ func (de *defaultEnforcer) startTask(ctx context.Context, executionID int64, can
 
 // getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
 func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *models.Project, art *artifact.Artifact) (uint, error) {
- al := report.CVESet(p.CVEAllowlist.CVESet())
+ al := p.CVEAllowlist.CVESet()
 r, err := de.scanCtl.GetSummary(ctx, art, []string{v1.MimeTypeNativeReport}, report.WithCVEAllowlist(&al))
 if err != nil {
 if errors.IsNotFoundErr(err) {
diff --git a/src/pkg/scan/report/summary.go b/src/pkg/scan/report/summary.go
index 9f54d3f39..373c3791b 100644
--- a/src/pkg/scan/report/summary.go
+++ b/src/pkg/scan/report/summary.go
@@ -17,6 +17,7 @@ package report
 import (
 "reflect"
 
+ "github.com/goharbor/harbor/src/common/models"
 "github.com/goharbor/harbor/src/jobservice/job"
 "github.com/goharbor/harbor/src/lib/errors"
 "github.com/goharbor/harbor/src/pkg/scan/dao/scan"
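Review bot: The new `al := p.CVEAllowlist.CVESet()` in `getVulnerabilitySev` is computed in exactly the same way in the vulnerable middleware changed by this commit, and neither site consults `p.CVEAllowlist.IsExpired()` (defined in `cve_allowlist.go`) before passing the set to `report.WithCVEAllowlist`; unless the project loader already blanks expired items — not visible from this hunk — an allowlist whose `ExpiresAt` has passed keeps excluding its CVEs from the summary the enforcer reads. Rather than adding the check at both call sites, one helper on the model, e.g. `func (c *CVEAllowlist) EffectiveCVESet() CVESet { if c.IsExpired() { return CVESet{} }; return c.CVESet() }`, keeps the policy in one place and guarantees the enforcer and the middleware agree. `getVulnerabilitySev` continues past the end of the hunk.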
@@ -24,29 +25,19 @@ import (
 "github.com/goharbor/harbor/src/pkg/scan/vuln"
 )
 
-// CVESet defines the CVE allowlist with a hash set way for easy query.
-type CVESet map[string]struct{}
-
-// Contains checks whether the specified CVE is in the set or not.
-func (cs CVESet) Contains(cve string) bool {
- _, ok := cs[cve]
-
- return ok
-}
-
 // Options provides options for getting the report w/ summary.
 type Options struct {
 // If it is set, the returned report will contains artifact digest for the vulnerabilities
 ArtifactDigest string
 // If it is set, the returned summary will not count the CVEs in the list in.
- CVEAllowlist CVESet
+ CVEAllowlist models.CVESet
 }
 
 // Option for getting the report w/ summary with func template way.
 type Option func(options *Options)
 
 // WithCVEAllowlist is an option of setting CVE allowlist.
-func WithCVEAllowlist(set *CVESet) Option {
+func WithCVEAllowlist(set *models.CVESet) Option {
 return func(options *Options) {
 options.CVEAllowlist = *set
 }
diff --git a/src/pkg/scan/report/summary_test.go b/src/pkg/scan/report/summary_test.go
index dd40525a6..0f8489f4f 100644
--- a/src/pkg/scan/report/summary_test.go
+++ b/src/pkg/scan/report/summary_test.go
@@ -19,6 +19,7 @@ import (
 "testing"
 "time"
 
+ "github.com/goharbor/harbor/src/common/models"
 "github.com/goharbor/harbor/src/pkg/scan/dao/scan"
 v1 "github.com/goharbor/harbor/src/pkg/scan/rest/v1"
 "github.com/goharbor/harbor/src/pkg/scan/vuln"
@@ -108,7 +109,7 @@ func (suite *SummaryTestSuite) TestSummaryGenerateSummaryNoOptions() {
 
 // TestSummaryGenerateSummaryWithOptions ...
 func (suite *SummaryTestSuite) TestSummaryGenerateSummaryWithOptions() {
- cveSet := make(CVESet)
+ cveSet := make(models.CVESet)
 cveSet["2019-0980-0909"] = struct{}{}
 
 summaries, err := GenerateSummary(suite.r, WithCVEAllowlist(&cveSet))
diff --git a/src/server/middleware/vulnerable/vulnerable.go b/src/server/middleware/vulnerable/vulnerable.go
index d0f1278bd..c616d2e8f 100644
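Review bot: `WithCVEAllowlist(set *models.CVESet)` still takes a pointer to a map, and the unchanged body dereferences it with `options.CVEAllowlist = *set`, so a nil `set` panics when the option is applied rather than at the call site; a Go map is already a reference type, so the pointer buys nothing. Since the signature is being edited anyway, `func WithCVEAllowlist(set models.CVESet) Option` with `options.CVEAllowlist = set` removes the panic and lets the two call sites in this commit drop their `&al` / `&allowlist`. If the pointer form must stay for compatibility, a guard `if set != nil { options.CVEAllowlist = *set }` is the minimal fix.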
--- a/src/server/middleware/vulnerable/vulnerable.go
+++ b/src/server/middleware/vulnerable/vulnerable.go
@@ -91,7 +91,7 @@ func Middleware() func(http.Handler) http.Handler {
 return nil
 }
 
- allowlist := report.CVESet(proj.CVEAllowlist.CVESet())
+ allowlist := proj.CVEAllowlist.CVESet()
 summaries, err := scanController.GetSummary(ctx, art, []string{v1.MimeTypeNativeReport}, report.WithCVEAllowlist(&allowlist))
 if err != nil {
 logger.Errorf("get vulnerability summary of the artifact %s@%s failed, error: %v", art.RepositoryName, art.Digest, err)
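Review bot: `allowlist := proj.CVEAllowlist.CVESet()` feeds the vulnerability summary this middleware evaluates, yet nothing in the hunk consults `proj.CVEAllowlist.IsExpired()`; if the project loader does not already clear expired items (not visible here), an allowlist whose `ExpiresAt` has passed keeps suppressing its CVEs and the middleware keeps admitting artifacts the expiry was meant to stop. Failing closed is the safer default at an enforcement point: `if proj.CVEAllowlist.IsExpired() { allowlist = nil }` immediately after the assignment, which is safe because a nil map reads as empty for both `len` and `Contains`. The enclosing closure in `Middleware()` starts and ends outside the hunk.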