fix: update CVE's severity and store multiple same CVE's in multiple packages (#5168)

prakash100198 · web-flow · commit 4e39be642e0f · 2024-06-03T19:34:52.000+05:30
* introducing new col in image scan result table and deprecating in cve-store table and handling backward compatibility

* fix

* migration number changed
diff --git a/internal/sql/repository/security/CveStoreRepository.go b/internal/sql/repository/security/CveStoreRepository.go
@@ -30,7 +30,7 @@ type CveStore struct {
 	tableName    struct{} `sql:"cve_store" pg:",discard_unknown_columns"`
 	Name         string   `sql:"name,pk"`
 	Severity     Severity `sql:"severity,notnull"`
-	Package      string   `sql:"package,notnull"`
+	Package      string   `sql:"package,notnull"` // deprecated
 	Version      string   `sql:"version,notnull"`
 	FixedVersion string   `sql:"fixed_version,notnull"`
 	sql.AuditLog
diff --git a/internal/sql/repository/security/ImageScanResultRepository.go b/internal/sql/repository/security/ImageScanResultRepository.go
@@ -27,6 +27,7 @@ type ImageScanExecutionResult struct {
 	CveStoreName                string   `sql:"cve_store_name,notnull"`
 	ImageScanExecutionHistoryId int      `sql:"image_scan_execution_history_id"`
 	ScanToolId                  int      `sql:"scan_tool_id"`
+	Package                     string   `sql:"package"`
 	CveStore                    CveStore
 	ImageScanExecutionHistory   ImageScanExecutionHistory
 }
diff --git a/pkg/security/ImageScanService.go b/pkg/security/ImageScanService.go
@@ -372,6 +372,10 @@ func (impl ImageScanServiceImpl) FetchExecutionDetailResult(request *ImageScanRe
 				Severity: item.CveStore.Severity.String(),
 				//Permission: "BLOCK", TODO
 			}
+			if len(item.Package) > 0 {
+				// data already migrated hence get package from image_scan_execution_result
+				vulnerability.Package = item.Package
+			}
 			if item.CveStore.Severity == security.Critical {
 				highCount = highCount + 1
 			} else if item.CveStore.Severity == security.Medium {
diff --git a/pkg/security/policyService.go b/pkg/security/policyService.go
@@ -242,8 +242,10 @@ func (impl *PolicyServiceImpl) VerifyImage(verifyImageRequest *VerifyImageReques
 			impl.logger.Errorw("error in fetching vulnerability ", "err", err)
 			return nil, err
 		}
+		cveNameToScanResultPackageNameMapping := make(map[string]string)
 		var cveStores []*security.CveStore
 		for _, scanResult := range scanResults {
+			cveNameToScanResultPackageNameMapping[scanResult.CveStoreName] = scanResult.Package
 			cveStores = append(cveStores, &scanResult.CveStore)
 			if _, ok := scanResultsIdMap[scanResult.ImageScanExecutionHistoryId]; !ok {
 				scanResultsIdMap[scanResult.ImageScanExecutionHistoryId] = scanResult.ImageScanExecutionHistoryId
@@ -259,6 +261,13 @@ func (impl *PolicyServiceImpl) VerifyImage(verifyImageRequest *VerifyImageReques
 				Version:      cve.Version,
 				FixedVersion: cve.FixedVersion,
 			}
+			if packageName, ok := cveNameToScanResultPackageNameMapping[cve.Name]; ok {
+				if len(packageName) > 0 {
+					// fetch package name from image_scan_execution_result table
+					vr.Package = packageName
+				}
+
+			}
 			imageBlockedCves[image] = append(imageBlockedCves[image], vr)
 		}
 	}
diff --git a/scripts/sql/251_alter_image_scan_result_repository.down.sql b/scripts/sql/251_alter_image_scan_result_repository.down.sql
@@ -0,0 +1 @@
+ALTER TABLE "image_scan_execution_result" DROP COLUMN "package";
diff --git a/scripts/sql/251_alter_image_scan_result_repository.up.sql b/scripts/sql/251_alter_image_scan_result_repository.up.sql
@@ -0,0 +1 @@
+ALTER TABLE "image_scan_execution_result" ADD COLUMN "package" text;

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ type ImageScanExecutionResult struct {`
`27`	`27`	CveStoreName string `sql:"cve_store_name,notnull"`
`28`	`28`	ImageScanExecutionHistoryId int `sql:"image_scan_execution_history_id"`
`29`	`29`	ScanToolId int `sql:"scan_tool_id"`
	`30`	+ Package string `sql:"package"`
`30`	`31`	`CveStore CveStore`
`31`	`32`	`ImageScanExecutionHistory ImageScanExecutionHistory`
`32`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -242,8 +242,10 @@ func (impl PolicyServiceImpl) VerifyImage(verifyImageRequest VerifyImageReques`
`242`	`242`	`impl.logger.Errorw("error in fetching vulnerability ", "err", err)`
`243`	`243`	`return nil, err`
`244`	`244`	`}`
	`245`	`+ cveNameToScanResultPackageNameMapping := make(map[string]string)`
`245`	`246`	`var cveStores []*security.CveStore`
`246`	`247`	`for _, scanResult := range scanResults {`
	`248`	`+ cveNameToScanResultPackageNameMapping[scanResult.CveStoreName] = scanResult.Package`
`247`	`249`	`cveStores = append(cveStores, &scanResult.CveStore)`
`248`	`250`	`if _, ok := scanResultsIdMap[scanResult.ImageScanExecutionHistoryId]; !ok {`
`249`	`251`	`scanResultsIdMap[scanResult.ImageScanExecutionHistoryId] = scanResult.ImageScanExecutionHistoryId`
`@@ -259,6 +261,13 @@ func (impl PolicyServiceImpl) VerifyImage(verifyImageRequest VerifyImageReques`
`259`	`261`	`Version: cve.Version,`
`260`	`262`	`FixedVersion: cve.FixedVersion,`
`261`	`263`	`}`
	`264`	`+ if packageName, ok := cveNameToScanResultPackageNameMapping[cve.Name]; ok {`
	`265`	`+ if len(packageName) > 0 {`
	`266`	`+ // fetch package name from image_scan_execution_result table`
	`267`	`+ vr.Package = packageName`
	`268`	`+ }`
	`269`	`+`
	`270`	`+ }`
`262`	`271`	`imageBlockedCves[image] = append(imageBlockedCves[image], vr)`
`263`	`272`	`}`
`264`	`273`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TABLE "image_scan_execution_result" DROP COLUMN "package";`