fix(scanner): enrich vulnerability data instead of using first vulner…

…ability (#1971) * fix: enrich vulnerability instead of using first * refactor: code review
openclarity · Aug 2, 2024 · 85e936d · 85e936d
1 parent 940d351
commit 85e936d
Show file tree

Hide file tree

Showing 18 changed files with 198 additions and 1,009 deletions.
diff --git a/cli/go.mod b/cli/go.mod
@@ -413,8 +413,6 @@ require (
 	github.com/xlab/treeprint v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	github.com/yudai/gojsondiff v1.0.0 // indirect
-	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	github.com/zclconf/go-cty v1.14.4 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 	go.etcd.io/bbolt v1.3.10 // indirect

diff --git a/cli/go.sum b/cli/go.sum
@@ -1559,12 +1559,6 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
 github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
-github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA=
-github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg=
-github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 h1:BHyfKlQyqbsFN5p3IfnEUduWvb9is428/nNb5L3U01M=
-github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
-github.com/yudai/pp v2.0.1+incompatible h1:Q4//iY4pNF6yPLZIigmvcl7k/bPgrcTPIFIcmawg5bI=
-github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

diff --git a/cli/presenter/apimodel.go b/cli/presenter/apimodel.go
@@ -60,28 +60,26 @@ func ConvertSBOMResultToPackages(result *sbom.Result) []apitypes.Package {
 func ConvertVulnResultToVulnerabilities(result *vulnerabilities.Result) []apitypes.Vulnerability {
 	vuls := []apitypes.Vulnerability{}
 
-	if result == nil || result.MergedVulnerabilitiesByKey == nil {
+	if result == nil || result.VulnerabilitiesByKey == nil {
 		return vuls
 	}
 
-	for _, vulCandidates := range result.MergedVulnerabilitiesByKey {
-		if len(vulCandidates) < 1 {
+	for _, vulCandidate := range result.VulnerabilitiesByKey {
+		if vulCandidate.ID == "" {
 			continue
 		}
 
-		vulCandidate := vulCandidates[0]
-
 		vul := apitypes.Vulnerability{
-			Cvss:              ConvertVulnCvssToAPIModel(vulCandidate.Vulnerability.CVSS),
-			Description:       to.Ptr(vulCandidate.Vulnerability.Description),
-			Distro:            ConvertVulnDistroToAPIModel(vulCandidate.Vulnerability.Distro),
-			Fix:               ConvertVulnFixToAPIModel(vulCandidate.Vulnerability.Fix),
-			LayerId:           to.Ptr(vulCandidate.Vulnerability.LayerID),
-			Links:             to.Ptr(vulCandidate.Vulnerability.Links),
-			Package:           ConvertVulnPackageToAPIModel(vulCandidate.Vulnerability.Package),
-			Path:              to.Ptr(vulCandidate.Vulnerability.Path),
-			Severity:          ConvertVulnSeverityToAPIModel(vulCandidate.Vulnerability.Severity),
-			VulnerabilityName: to.Ptr(vulCandidate.Vulnerability.ID),
+			Cvss:              ConvertVulnCvssToAPIModel(vulCandidate.CVSS),
+			Description:       to.Ptr(vulCandidate.Description),
+			Distro:            ConvertVulnDistroToAPIModel(vulCandidate.Distro),
+			Fix:               ConvertVulnFixToAPIModel(vulCandidate.Fix),
+			LayerId:           to.Ptr(vulCandidate.LayerID),
+			Links:             to.Ptr(vulCandidate.Links),
+			Package:           ConvertVulnPackageToAPIModel(vulCandidate.Package),
+			Path:              to.Ptr(vulCandidate.Path),
+			Severity:          ConvertVulnSeverityToAPIModel(vulCandidate.Severity),
+			VulnerabilityName: to.Ptr(vulCandidate.ID),
 		}
 		vuls = append(vuls, vul)
 	}

diff --git a/cli/presenter/apimodel_test.go b/cli/presenter/apimodel_test.go
@@ -161,108 +161,98 @@ func Test_ConvertVulnResultToVulnerabilities(t *testing.T) {
 			name: "Vuls",
 			args: args{
 				result: &vulnerabilities.Result{
-					MergedVulnerabilitiesByKey: map[vulnerabilities.VulnerabilityKey][]vulnerabilities.MergedVulnerability{
+					VulnerabilitiesByKey: map[vulnerabilities.VulnerabilityKey]vulnerabilities.Vulnerability{
 						"vulkey1": {
-							{
-								ID: "id1",
-								Vulnerability: vulnerabilities.Vulnerability{
-									ID:          "CVE-test-test-foo",
-									Description: "testbleed",
-									Links:       []string{"link1", "link2"},
-									Distro: vulnerabilities.Distro{
-										Name:    "distro1",
-										Version: "distrov1",
-										IDLike:  []string{"IDLike1", "IDLike2"},
-									},
-									CVSS: []vulnerabilities.CVSS{
-										{
-											Version: "v1",
-											Vector:  "vector1",
-											Metrics: vulnerabilities.CvssMetrics{
-												BaseScore:           1,
-												ExploitabilityScore: nil,
-												ImpactScore:         nil,
-											},
-										},
-										{
-											Version: "v2",
-											Vector:  "vector2",
-											Metrics: vulnerabilities.CvssMetrics{
-												BaseScore:           2,
-												ExploitabilityScore: to.Ptr(2.1),
-												ImpactScore:         to.Ptr(2.2),
-											},
-										},
-									},
-									Fix: vulnerabilities.Fix{
-										Versions: []string{"fv1", "fv2"},
-										State:    "fixed",
+							ID:          "CVE-test-test-foo",
+							Description: "testbleed",
+							Links:       []string{"link1", "link2"},
+							Distro: vulnerabilities.Distro{
+								Name:    "distro1",
+								Version: "distrov1",
+								IDLike:  []string{"IDLike1", "IDLike2"},
+							},
+							CVSS: []vulnerabilities.CVSS{
+								{
+									Version: "v1",
+									Vector:  "vector1",
+									Metrics: vulnerabilities.CvssMetrics{
+										BaseScore:           1,
+										ExploitabilityScore: nil,
+										ImpactScore:         nil,
 									},
-									Severity: string(apitypes.CRITICAL),
-									Package: vulnerabilities.Package{
-										Name:     "package1",
-										Version:  "pv1",
-										Type:     "pt1",
-										Language: "pl1",
-										Licenses: []string{"plic1", "plic2"},
-										CPEs:     []string{"cpe1", "cpe2"},
-										PURL:     "purl1",
+								},
+								{
+									Version: "v2",
+									Vector:  "vector2",
+									Metrics: vulnerabilities.CvssMetrics{
+										BaseScore:           2,
+										ExploitabilityScore: to.Ptr(2.1),
+										ImpactScore:         to.Ptr(2.2),
 									},
-									LayerID: "lid1",
-									Path:    "path1",
 								},
 							},
+							Fix: vulnerabilities.Fix{
+								Versions: []string{"fv1", "fv2"},
+								State:    "fixed",
+							},
+							Severity: string(apitypes.CRITICAL),
+							Package: vulnerabilities.Package{
+								Name:     "package1",
+								Version:  "pv1",
+								Type:     "pt1",
+								Language: "pl1",
+								Licenses: []string{"plic1", "plic2"},
+								CPEs:     []string{"cpe1", "cpe2"},
+								PURL:     "purl1",
+							},
+							LayerID: "lid1",
+							Path:    "path1",
 						},
 						"vulkey2": {
-							{
-								ID: "id2",
-								Vulnerability: vulnerabilities.Vulnerability{
-									ID:          "CVE-test-test-bar",
-									Description: "solartest",
-									Links:       []string{"link3", "link4"},
-									Distro: vulnerabilities.Distro{
-										Name:    "distro2",
-										Version: "distrov2",
-										IDLike:  []string{"IDLike3", "IDLike4"},
-									},
-									CVSS: []vulnerabilities.CVSS{
-										{
-											Version: "v3",
-											Vector:  "vector3",
-											Metrics: vulnerabilities.CvssMetrics{
-												BaseScore:           3,
-												ExploitabilityScore: nil,
-												ImpactScore:         nil,
-											},
-										},
-										{
-											Version: "v4",
-											Vector:  "vector4",
-											Metrics: vulnerabilities.CvssMetrics{
-												BaseScore:           4,
-												ExploitabilityScore: to.Ptr(4.1),
-												ImpactScore:         to.Ptr(4.2),
-											},
-										},
-									},
-									Fix: vulnerabilities.Fix{
-										Versions: []string{"fv3", "fv4"},
-										State:    "not-fixed",
+							ID:          "CVE-test-test-bar",
+							Description: "solartest",
+							Links:       []string{"link3", "link4"},
+							Distro: vulnerabilities.Distro{
+								Name:    "distro2",
+								Version: "distrov2",
+								IDLike:  []string{"IDLike3", "IDLike4"},
+							},
+							CVSS: []vulnerabilities.CVSS{
+								{
+									Version: "v3",
+									Vector:  "vector3",
+									Metrics: vulnerabilities.CvssMetrics{
+										BaseScore:           3,
+										ExploitabilityScore: nil,
+										ImpactScore:         nil,
 									},
-									Severity: string(apitypes.HIGH),
-									Package: vulnerabilities.Package{
-										Name:     "package2",
-										Version:  "pv2",
-										Type:     "pt2",
-										Language: "pl2",
-										Licenses: []string{"plic3", "plic4"},
-										CPEs:     []string{"cpe3", "cpe4"},
-										PURL:     "purl2",
+								},
+								{
+									Version: "v4",
+									Vector:  "vector4",
+									Metrics: vulnerabilities.CvssMetrics{
+										BaseScore:           4,
+										ExploitabilityScore: to.Ptr(4.1),
+										ImpactScore:         to.Ptr(4.2),
 									},
-									LayerID: "lid2",
-									Path:    "path2",
 								},
 							},
+							Fix: vulnerabilities.Fix{
+								Versions: []string{"fv3", "fv4"},
+								State:    "not-fixed",
+							},
+							Severity: string(apitypes.HIGH),
+							Package: vulnerabilities.Package{
+								Name:     "package2",
+								Version:  "pv2",
+								Type:     "pt2",
+								Language: "pl2",
+								Licenses: []string{"plic3", "plic4"},
+								CPEs:     []string{"cpe3", "cpe4"},
+								PURL:     "purl2",
+							},
+							LayerID: "lid2",
+							Path:    "path2",
 						},
 						"vulkey3": {},
 					},

diff --git a/core/to/to.go b/core/to/to.go
@@ -78,3 +78,31 @@ func Values[K comparable, V any](m map[K]V) []V {
 
 	return s
 }
+
+// UniqueSlice returns a slice without duplicate elements.
+func UniqueSlice[T comparable](items []T) []T {
+	var filtered []T
+	unique := make(map[T]bool, len(items))
+	for _, item := range items {
+		if !unique[item] {
+			filtered = append(filtered, item)
+			unique[item] = true
+		}
+	}
+	return filtered
+}
+
+// UniqueSliceByKey returns a slice without duplicate elements using a custom get key function.
+func UniqueSliceByKey[T any](items []T, getKey func(T) string) []T {
+	var filtered []T
+
+	unique := make(map[string]bool, len(items))
+	for _, item := range items {
+		if key := getKey(item); key != "" && !unique[key] {
+			filtered = append(filtered, item)
+			unique[key] = true
+		}
+	}
+
+	return filtered
+}
diff --git a/e2e/go.mod b/e2e/go.mod
@@ -462,8 +462,6 @@ require (
 	github.com/xlab/treeprint v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	github.com/yudai/gojsondiff v1.0.0 // indirect
-	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	github.com/zclconf/go-cty v1.14.4 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 	go.etcd.io/bbolt v1.3.10 // indirect

diff --git a/e2e/go.sum b/e2e/go.sum
@@ -1705,12 +1705,6 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
 github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
-github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA=
-github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg=
-github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 h1:BHyfKlQyqbsFN5p3IfnEUduWvb9is428/nNb5L3U01M=
-github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
-github.com/yudai/pp v2.0.1+incompatible h1:Q4//iY4pNF6yPLZIigmvcl7k/bPgrcTPIFIcmawg5bI=
-github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

diff --git a/orchestrator/go.mod b/orchestrator/go.mod
@@ -428,8 +428,6 @@ require (
 	github.com/xlab/treeprint v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	github.com/yudai/gojsondiff v1.0.0 // indirect
-	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	github.com/zclconf/go-cty v1.14.4 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 	go.etcd.io/bbolt v1.3.10 // indirect

diff --git a/orchestrator/go.sum b/orchestrator/go.sum
@@ -1629,12 +1629,6 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
 github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
-github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA=
-github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg=
-github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 h1:BHyfKlQyqbsFN5p3IfnEUduWvb9is428/nNb5L3U01M=
-github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
-github.com/yudai/pp v2.0.1+incompatible h1:Q4//iY4pNF6yPLZIigmvcl7k/bPgrcTPIFIcmawg5bI=
-github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

diff --git a/provider/go.mod b/provider/go.mod
@@ -430,8 +430,6 @@ require (
 	github.com/xlab/treeprint v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	github.com/yudai/gojsondiff v1.0.0 // indirect
-	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
 	github.com/zclconf/go-cty v1.14.4 // indirect
 	github.com/zclconf/go-cty-yaml v1.0.3 // indirect
 	go.etcd.io/bbolt v1.3.10 // indirect

diff --git a/provider/go.sum b/provider/go.sum
@@ -1580,12 +1580,6 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
 github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
-github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA=
-github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg=
-github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 h1:BHyfKlQyqbsFN5p3IfnEUduWvb9is428/nNb5L3U01M=
-github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM=
-github.com/yudai/pp v2.0.1+incompatible h1:Q4//iY4pNF6yPLZIigmvcl7k/bPgrcTPIFIcmawg5bI=
-github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

diff --git a/scanner/families/exploits/family.go b/scanner/families/exploits/family.go
@@ -81,17 +81,14 @@ func (e Exploits) Run(ctx context.Context, res *families.Results) (*types.Result
 }
 
 // create a comma separated representation of cveIDs array, as an input for the exploits scanners.
-func getCVEIDsFromVulnerabilitiesResults(vulnerabilities *vulnerabilitytypes.Result) string {
-	if vulnerabilities == nil {
+func getCVEIDsFromVulnerabilitiesResults(result *vulnerabilitytypes.Result) string {
+	if result == nil {
 		return ""
 	}
 
 	cvesMap := make(map[string]bool)
-
-	for _, mergedVulnerabilities := range vulnerabilities.MergedVulnerabilitiesByKey {
-		for _, vulnerability := range mergedVulnerabilities {
-			cvesMap[vulnerability.Vulnerability.ID] = true
-		}
+	for _, vulnerability := range result.VulnerabilitiesByKey {
+		cvesMap[vulnerability.ID] = true
 	}
 
 	cves := strings.Join(to.Keys(cvesMap), ",")