
add fields totalPackages and totalUniquePackages in v1alpha2 Vuln…
…erabilityReport
matheusfm committed May 20, 2024
1 parent f6e4977 commit edec9c7
Showing 7 changed files with 334 additions and 3 deletions.
2 changes: 2 additions & 0 deletions api/zora/v1alpha2/vulnerabilityreport_conversion_test.go
Expand Up @@ -76,6 +76,8 @@ func TestVulnerabilityReportConversion(t *testing.T) {
ObjectMeta: meta,
Spec: VulnerabilityReportSpec{
VulnerabilityReportCommon: newVulnerabilityReportCommon(v1alpha1.VulnerabilitySummary{Total: 1, High: 1}),
TotalPackages: 2,
TotalUniquePackages: 2,
Vulnerabilities: []Vulnerability{{
VulnerabilityCommon: vulnCommon,
Packages: []v1alpha1.Package{
19 changes: 18 additions & 1 deletion api/zora/v1alpha2/vulnerabilityreport_types.go
Expand Up @@ -22,10 +22,21 @@ import (
// VulnerabilityReportSpec defines the desired state of VulnerabilityReport
type VulnerabilityReportSpec struct {
v1alpha1.VulnerabilityReportCommon `json:",inline"`
Vulnerabilities []Vulnerability `json:"vulnerabilities"`

// TotalPackages represents the total number of affected packages in this image.
// A package affected by two vulnerabilities is counted twice.
TotalPackages int `json:"totalPackages"`

// TotalUniquePackages represents the total number of unique affected packages in this image.
// A package affected by multiple vulnerabilities is counted only once.
TotalUniquePackages int `json:"totalUniquePackages"`

Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

func (in *VulnerabilityReportSpec) Summarize() {
total := 0
unique := make(map[string]bool)
s := &v1alpha1.VulnerabilitySummary{}
for _, v := range in.Vulnerabilities {
s.Total++
Expand All @@ -41,8 +52,14 @@ func (in *VulnerabilityReportSpec) Summarize() {
default:
s.Unknown++
}
for _, p := range v.Packages {
total++
unique[p.String()] = true
}
}
in.Summary = *s
in.TotalPackages = total
in.TotalUniquePackages = len(unique)
}

type Vulnerability struct {
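Review bot: In the second hunk, Summarize dedups packages with `unique[p.String()] = true`, but what `Package.String()` actually includes is not visible in this diff; if it omits the version or package type, two distinct packages sharing a name (the same library present at two versions in an image, or an OS package and a language package with the same name) collapse into one and TotalUniquePackages silently undercounts. I'd either key on an explicit tuple of the fields that define identity or add a fixture in parse_test.go with two same-named packages at different versions to pin the intended semantics. Minor: `unique` is only used as a set, so `make(map[string]struct{})` with `unique[p.String()] = struct{}{}` says that more directly. Summarize also has no doc comment and is now the only place the two totals are set; I'd add `// Summarize recomputes Summary, TotalPackages and TotalUniquePackages from Vulnerabilities; call it again after Vulnerabilities is modified.`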
12 changes: 12 additions & 0 deletions charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml
Expand Up @@ -371,8 +371,18 @@ spec:
items:
type: string
type: array
totalPackages:
description: |-
TotalPackages represents the total number of affected packages in this image.
A package affected by two vulnerabilities is counted twice.
type: integer
totalResources:
type: integer
totalUniquePackages:
description: |-
TotalUniquePackages represents the total number of unique affected packages in this image.
A package affected by multiple vulnerabilities is counted only once.
type: integer
vulnerabilities:
items:
properties:
Expand Down Expand Up @@ -425,7 +435,9 @@ spec:
- image
- resources
- summary
- totalPackages
- totalResources
- totalUniquePackages
- vulnerabilities
type: object
status:
12 changes: 12 additions & 0 deletions config/crd/bases/zora.undistro.io_vulnerabilityreports.yaml
Expand Up @@ -357,8 +357,18 @@ spec:
items:
type: string
type: array
totalPackages:
description: |-
TotalPackages represents the total number of affected packages in this image.
A package affected by two vulnerabilities is counted twice.
type: integer
totalResources:
type: integer
totalUniquePackages:
description: |-
TotalUniquePackages represents the total number of unique affected packages in this image.
A package affected by multiple vulnerabilities is counted only once.
type: integer
vulnerabilities:
items:
properties:
Expand Down Expand Up @@ -411,7 +421,9 @@ spec:
- image
- resources
- summary
- totalPackages
- totalResources
- totalUniquePackages
- vulnerabilities
type: object
status:
33 changes: 32 additions & 1 deletion pkg/worker/report/trivy/parse_test.go
Expand Up @@ -54,6 +54,8 @@ func TestParse(t *testing.T) {
Resources: map[string][]string{"Pod": {"kube-system/kube-apiserver-kind-control-plane"}},
Summary: v1alpha1.VulnerabilitySummary{Total: 1, High: 1},
},
TotalPackages: 1,
TotalUniquePackages: 1,
Vulnerabilities: []v1alpha2.Vulnerability{
{
Packages: []v1alpha1.Package{{
Expand Down Expand Up @@ -86,8 +88,10 @@ func TestParse(t *testing.T) {
Distro: &v1alpha1.Distro{Name: "alpine", Version: "3.16.3"},
TotalResources: 2,
Resources: map[string][]string{"Deployment": {"apps/app1", "apps/app2"}},
Summary: v1alpha1.VulnerabilitySummary{Total: 2, Critical: 1, High: 1},
Summary: v1alpha1.VulnerabilitySummary{Total: 3, Critical: 1, High: 2},
},
TotalPackages: 4,
TotalUniquePackages: 3,
Vulnerabilities: []v1alpha2.Vulnerability{
{
Packages: []v1alpha1.Package{
Expand Down Expand Up @@ -136,6 +140,27 @@ func TestParse(t *testing.T) {
LastModifiedDate: newTime("2023-08-12T06:16:00Z"),
},
},
{
Packages: []v1alpha1.Package{
{
Package: "libssl1.1",
Version: "1.1.1s-r0",
FixVersion: "1.1.1t-r0",
Status: "fixed",
Type: "alpine",
},
},
VulnerabilityCommon: v1alpha1.VulnerabilityCommon{
ID: "CVE-2023-0286",
Severity: "HIGH",
Title: "openssl: X.400 address type confusion in X.509 GeneralName",
Description: "There is a type confusion vulnerability relating to X.400 address processing\ninside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but\nthe public structure definition for GENERAL_NAME incorrectly specified the type\nof the x400Address field as ASN1_TYPE. This field is subsequently interpreted by\nthe OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an\nASN1_STRING.\n\nWhen CRL checking is enabled (i.e. the application sets the\nX509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass\narbitrary pointers to a memcmp call, enabling them to read memory contents or\nenact a denial of service. In most cases, the attack requires the attacker to\nprovide both the certificate chain and CRL, neither of which need to have a\nvalid signature. If the attacker only controls one of these inputs, the other\ninput must already contain an X.400 address as a CRL distribution point, which\nis uncommon. As such, this vulnerability is most likely to only affect\napplications which have implemented their own functionality for retrieving CRLs\nover a network.\n\n",
URL: "https://avd.aquasec.com/nvd/cve-2023-0286",
Score: "7.4",
PublishedDate: newTime("2023-02-08T20:15:24.267Z"),
LastModifiedDate: newTime("2024-02-04T09:15:09.113Z"),
},
},
},
},
{
Expand All @@ -150,6 +175,8 @@ func TestParse(t *testing.T) {
Resources: map[string][]string{"Deployment": {"apps/app1"}},
Summary: v1alpha1.VulnerabilitySummary{Total: 3, High: 1, Medium: 1, Unknown: 1},
},
TotalPackages: 3,
TotalUniquePackages: 3,
Vulnerabilities: []v1alpha2.Vulnerability{
{
Packages: []v1alpha1.Package{{
Expand Down Expand Up @@ -222,6 +249,8 @@ func TestParse(t *testing.T) {
Resources: map[string][]string{"Deployment": {"apps/app2"}},
Summary: v1alpha1.VulnerabilitySummary{Total: 2, High: 1, Low: 1},
},
TotalPackages: 2,
TotalUniquePackages: 2,
Vulnerabilities: []v1alpha2.Vulnerability{
{
Packages: []v1alpha1.Package{{
Expand Down Expand Up @@ -275,6 +304,8 @@ func TestParse(t *testing.T) {
Resources: map[string][]string{"Deployment": {"default/nginx"}},
Summary: v1alpha1.VulnerabilitySummary{Total: 1, Medium: 1},
},
TotalPackages: 1,
TotalUniquePackages: 1,
Vulnerabilities: []v1alpha2.Vulnerability{
{
Packages: []v1alpha1.Package{{
