[core][fix] Security sync by always marking the resource vulnerable (#…
aquamatthias authored Jul 22, 2024
1 parent 4f0f973 commit 7348608
Showing 1 changed file with 12 additions and 12 deletions.
24 changes: 12 additions & 12 deletions fixcore/fixcore/db/graphdb.py
Expand Up @@ -568,7 +568,7 @@ def read_checks(issues: List[Json]) -> Dict[str, SecurityIssue]:

def update_security_section(
existing_issues: List[Json], actual_issues: List[SecurityIssue]
) -> Tuple[List[Json], HistoryChange, ReportSeverity, bool, Json]:
) -> Tuple[List[Json], ReportSeverity, bool, Json]:
existing = read_checks(existing_issues)
updated: Dict[str, SecurityIssue] = {} # check id -> issue
diff_compliant: List[Json] = []
Expand Down Expand Up @@ -597,21 +597,22 @@ def update_security_section(
# the node severity is the highest severity of all issues
previous = max((a.severity for a in existing.values()), default=ReportSeverity.info)
severity = max((a.severity for a in updated.values()), default=ReportSeverity.info)
# the node is still vulnerable: the change marks either improvement or worsening
change = (
HistoryChange.node_compliant
# better #1: severity is lower, #2: severity is the same, but less issues
if (severity < previous or (severity == previous and len(existing) > len(updated)))
else HistoryChange.node_vulnerable
)
# the node is still vulnerable: the progress marks either improvement (+1), no change (0), or worsening (-1)
if severity < previous or (severity == previous and len(existing) > len(updated)):
progress = 1
elif severity == previous and len(existing) == len(updated):
progress = 0
else:
progress = -1
diff: Json = {
HistoryChange.node_compliant.value: diff_compliant,
HistoryChange.node_vulnerable.value: diff_vulnerable,
"progress": progress,
}
if existing:
diff["previous"] = previous.value
changed = bool(diff_compliant or diff_vulnerable)
return [a.to_json() for a in updated.values()], change, severity, changed, diff
return [a.to_json() for a in updated.values()], severity, changed, diff

async def update_chunk(chunk: Dict[NodeId, List[SecurityIssue]]) -> None:
nonlocal nodes_vulnerable_new, nodes_vulnerable_updated
Expand All @@ -623,7 +624,7 @@ async def update_chunk(chunk: Dict[NodeId, List[SecurityIssue]]) -> None:
node_id = NodeId(node.pop("_key", ""))
node["id"] = node_id # store the id in the id column (not _key)
existing: List[Json] = value_in_path_get(node, NodePath.security_issues, [])
updated, change, severity, changed, diff = update_security_section(existing, chunk.get(node_id, []))
updated, severity, changed, diff = update_security_section(existing, chunk.get(node_id, []))
security_section = dict(
issues=updated,
opened_at=value_in_path_get(node, NodePath.security_opened_at, now),
Expand All @@ -634,17 +635,16 @@ async def update_chunk(chunk: Dict[NodeId, List[SecurityIssue]]) -> None:
)
node["security"] = security_section
node["changed_at"] = now
node["change"] = "node_vulnerable"
if not existing: # no issues before, but now
nodes_vulnerable_new += 1
security_section["opened_at"] = now
security_section["reopen_counter"] = security_section["reopen_counter"] + 1 # type: ignore
node["change"] = "node_vulnerable"
node["diff"] = diff
nodes_to_insert.append(dict(action="node_vulnerable", node_id=node_id, data=node))
elif changed:
nodes_vulnerable_updated += 1
nodes_to_insert.append(dict(action="node_vulnerable", node_id=node_id, data=node))
node["change"] = change.value
node["diff"] = diff
else: # no change
nodes_to_insert.append(dict(action="mark", node_id=node_id, run_id=report_run_id))
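Review bot: In the second hunk, `progress = 0` is commented as "no change (0)", but its condition `severity == previous and len(existing) == len(updated)` also holds when the node's issues were swapped for different checks of the same count and the same top severity; in that case `changed` (computed from diff_compliant/diff_vulnerable a few lines below) is True, and the history entry written on the `elif changed:` branch of the last hunk records a progress of 0 for a real change. Either tighten the comment so 0 is not read as `changed == False`, e.g. `# 0: same top severity and same issue count; the set of issues may still differ (see `changed`)`, or decide explicitly what such a swap should report. A smaller point in the last hunk: `node["change"] = "node_vulnerable"` is now assigned before the branch, so it is also set on the `else:  # no change` path that only emits a `mark` action; from the visible lines that looks harmless because the node data is not written there, but it is inferred rather than certain. update_security_section begins in the first hunk, and update_chunk begins in the context at the end of the second hunk and is cut across the third and fourth.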
