enricher: add RHCC enricher

This change introduces an enricher who's purpose is to scope down the vulnerability report for layers that have RHCC packages. This approach helps to keep the index report unchanged and therefore state is less of an issue, it also builds on existing machinary. Signed-off-by: crozzy <[email protected]>
quay · Sep 14, 2023 · 5aca24a · 5aca24a
1 parent 840e1f6
commit 5aca24a
Show file tree

Hide file tree

Showing 2 changed files with 284 additions and 0 deletions.
diff --git a/enricher/rhcc/rhcc.go b/enricher/rhcc/rhcc.go
@@ -0,0 +1,52 @@
+package rhcc
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/libvuln/driver"
+)
+
+type Enricher struct{}
+
+var (
+	_ driver.Enricher = (*Enricher)(nil)
+)
+
+const (
+	// Type is the type of data returned from the Enricher's Enrich method.
+	Type = `message/vnd.clair.map.vulnerability; enricher=clair.rhcc schema=??`
+)
+
+func (e *Enricher) Name() string { return "rhcc" }
+
+func (e *Enricher) Enrich(ctx context.Context, g driver.EnrichmentGetter, r *claircore.VulnerabilityReport) (string, []json.RawMessage, error) {
+	rhLayers := []claircore.Digest{}
+	// TODO: Should we look at repos here? Nicer to find but harder to use.
+	for id, p := range r.Packages {
+		if p.RepositoryHint == "rhcc" {
+			// Grab the layers where rhcc packages exist.
+			for _, e := range r.Environments[id] {
+				rhLayers = append(rhLayers, e.IntroducedIn)
+			}
+		}
+	}
+	problematicPkgs := make(map[string]claircore.Digest)
+	// Check which packages come from those layers.
+	for pkgID, es := range r.Environments {
+		for _, e := range es {
+			for _, rhl := range rhLayers {
+				if e.IntroducedIn.String() == rhl.String() && r.Packages[pkgID].RepositoryHint != "rhcc" {
+					problematicPkgs[pkgID] = e.IntroducedIn
+				}
+			}
+		}
+	}
+
+	b, err := json.Marshal(problematicPkgs)
+	if err != nil {
+		return Type, nil, err
+	}
+	return Type, []json.RawMessage{b}, nil
+}
diff --git a/enricher/rhcc/rhcc_test.go b/enricher/rhcc/rhcc_test.go
@@ -0,0 +1,232 @@
+package rhcc
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/json"
+	"io"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/quay/zlog"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/libvuln/driver"
+)
+
+func Digest(name string) claircore.Digest {
+	h := sha256.New()
+	io.WriteString(h, name)
+	d, err := claircore.NewDigest("sha256", h.Sum(nil))
+	if err != nil {
+		panic(err)
+	}
+	return d
+}
+
+func TestEnrich(t *testing.T) {
+	t.Parallel()
+	ctx := zlog.Test(context.Background(), t)
+	firstLayerHash := Digest("first layer")
+	secondLayerHash := Digest("second layer")
+	//thirdLayerHash := Digest("third layer")
+	tests := []struct {
+		name   string
+		vr     *claircore.VulnerabilityReport
+		layers []*claircore.Layer
+		want   map[string]string
+	}{
+		{
+			name: "vuln in package in different layer from rhcc package",
+			vr: &claircore.VulnerabilityReport{
+				Packages: map[string]*claircore.Package{
+					"1": {
+						Name:           "some-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+					},
+					"2": {
+						Name:    "grafana",
+						Version: "v4.7.0",
+					},
+				},
+				Environments: map[string][]*claircore.Environment{
+					"1": {{IntroducedIn: firstLayerHash}},
+					"2": {{IntroducedIn: secondLayerHash}},
+				},
+				Vulnerabilities: map[string]*claircore.Vulnerability{
+					"4": {
+						Name:           "something bad with grafana",
+						FixedInVersion: "v100.0.0",
+					},
+				},
+				PackageVulnerabilities: map[string][]string{
+					"2": {"4"},
+				},
+			},
+			layers: []*claircore.Layer{
+				{Hash: firstLayerHash},
+				{Hash: secondLayerHash},
+			},
+			want: map[string]string{},
+		},
+		{
+			name: "vuln in package in same layer as rhcc package",
+			vr: &claircore.VulnerabilityReport{
+				Packages: map[string]*claircore.Package{
+					"1": {
+						Name:           "some-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+					},
+					"2": {
+						Name:    "grafana",
+						Version: "v4.7.0",
+					},
+				},
+				Environments: map[string][]*claircore.Environment{
+					"1": {{IntroducedIn: firstLayerHash}},
+					"2": {{IntroducedIn: firstLayerHash}},
+				},
+				Vulnerabilities: map[string]*claircore.Vulnerability{
+					"4": {
+						Name:           "something bad with grafana",
+						FixedInVersion: "v100.0.0",
+					},
+				},
+				PackageVulnerabilities: map[string][]string{
+					"2": {"4"},
+				},
+			},
+			layers: []*claircore.Layer{
+				{Hash: firstLayerHash},
+				{Hash: secondLayerHash},
+			},
+			want: map[string]string{"2": "sha256:362c24d1f11739a9b01cfd8867469534044b7cc36ce0f56d80b023a228a1d056"},
+		},
+		{
+			name: "vuln in package in same layer as rhcc package and rhcc vuln in same layer",
+			vr: &claircore.VulnerabilityReport{
+				Packages: map[string]*claircore.Package{
+					"1": {
+						Name:           "some-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+					},
+					"2": {
+						Name:    "grafana",
+						Version: "v4.7.0",
+					},
+				},
+				Environments: map[string][]*claircore.Environment{
+					"1": {{IntroducedIn: firstLayerHash}},
+					"2": {{IntroducedIn: firstLayerHash}},
+				},
+				Vulnerabilities: map[string]*claircore.Vulnerability{
+					"4": {
+						Name:           "something bad with grafana",
+						FixedInVersion: "v100.0.0",
+					},
+					"5": {
+						Name:           "something bad ubi",
+						FixedInVersion: "v100.0.0",
+					},
+				},
+				PackageVulnerabilities: map[string][]string{
+					"2": {"4"},
+					"1": {"5"},
+				},
+			},
+			layers: []*claircore.Layer{
+				{Hash: firstLayerHash},
+				{Hash: secondLayerHash},
+			},
+			want: map[string]string{"2": "sha256:362c24d1f11739a9b01cfd8867469534044b7cc36ce0f56d80b023a228a1d056"},
+		},
+		{
+			name: "multiple rhcc packages in different layers",
+			vr: &claircore.VulnerabilityReport{
+				Packages: map[string]*claircore.Package{
+					"1": {
+						Name:           "some-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+					},
+					"2": {
+						Name:           "some-other-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+					},
+					"3": {
+						Name:    "grafana",
+						Version: "v4.7.0",
+					},
+				},
+				Environments: map[string][]*claircore.Environment{
+					"1": {{IntroducedIn: firstLayerHash}},
+					"2": {{IntroducedIn: firstLayerHash}},
+					"3": {{IntroducedIn: firstLayerHash}},
+				},
+				Vulnerabilities: map[string]*claircore.Vulnerability{
+					"4": {
+						Name:           "something bad with grafana",
+						FixedInVersion: "v100.0.0",
+					},
+					"5": {
+						Name:           "something bad ubi",
+						FixedInVersion: "v100.0.0",
+					},
+					"6": {
+						Name:           "something bad s2i",
+						FixedInVersion: "v100.0.0",
+					},
+				},
+				PackageVulnerabilities: map[string][]string{
+					"3": {"4"},
+					"1": {"5"},
+					"2": {"6"},
+				},
+			},
+			layers: []*claircore.Layer{
+				{Hash: firstLayerHash},
+				{Hash: secondLayerHash},
+			},
+			want: map[string]string{"3": "sha256:362c24d1f11739a9b01cfd8867469534044b7cc36ce0f56d80b023a228a1d056"},
+		},
+	}
+
+	e := &Enricher{}
+	nog := &noopGetter{}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			tp, data, err := e.Enrich(ctx, nog, tc.vr)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if tp != "message/vnd.clair.map.vulnerability; enricher=clair.rhcc schema=??" {
+				t.Fatal("wrong type")
+			}
+			got := make(map[string]string)
+			if err := json.Unmarshal(data[0], &got); err != nil {
+				t.Error(err)
+			}
+			if !cmp.Equal(got, tc.want) {
+				t.Error(cmp.Diff(got, tc.want))
+			}
+		})
+
+	}
+}
+
+func TestName(t *testing.T) {
+	e := &Enricher{}
+	if e.Name() != "rhcc" {
+		t.Fatal("name should be rhcc")
+	}
+}
+
+type noopGetter struct{}
+
+func (f *noopGetter) GetEnrichment(ctx context.Context, tags []string) ([]driver.EnrichmentRecord, error) {
+	return nil, nil
+}