def test_namespaces_no_vulns(distro_tuple, initialized_feed_metadata,
initialized_mappings):
i = DistroNamespace(name=distro_tuple[0],
version=distro_tuple[1],
like_distro=distro_tuple[2])
logger.info("Like names for {} = {}".format(i.namespace_name,
i.like_namespace_names))
logger.info("Mapping names for {} = {}".format(i.namespace_name,
i.mapped_names()))
assert (have_vulnerabilities_for(i) is
False), "Did not expect vulns for namespace {}".format(
i.namespace_name)
def test_namespace_has_vulns(distro_tuple, initialized_mappings,
initialized_feed_metadata):
"""
Test the mix of mappings with namespace support to ensure distro+version maps functioning as expected
"""
i = DistroNamespace(name=distro_tuple[0],
version=distro_tuple[1],
like_distro=distro_tuple[2])
logger.info("Like names for {} = {}".format(i.namespace_name,
i.like_namespace_names))
logger.info("Mapping names for {} = {}".format(i.namespace_name,
i.mapped_names()))
assert (have_vulnerabilities_for(i) is
True), "Expected vulns for namespace {}".format(i.namespace_name)
def evaluate(self, image_obj, context):
if not have_vulnerabilities_for(DistroNamespace.for_obj(image_obj)):
self._fire(
msg=
"Feed data unavailable, cannot perform CVE scan for distro: " +
str(image_obj.distro_namespace))
def evaluate(self, image_obj, context):
if not have_vulnerabilities_for(DistroNamespace.for_obj(image_obj)):
self._fire(
msg=
"Distro-specific feed data not found for distro namespace: %s. Cannot perform CVE scan OS/distro packages"
% image_obj.distro_namespace)
def get_image_vulnerabilities(
self,
image: Image,
db_session,
vendor_only: bool = True,
force_refresh: bool = False,
cache: bool = True,
):
# select the nvd class once and be done
_nvd_cls, _cpe_cls = select_nvd_classes(db_session)
# initialize the scanner
scanner = self.__scanner__()
user_id = image.user_id
image_id = image.id
results = []
if force_refresh:
log.info("Forcing refresh of vulnerabilities for {}/{}".format(
user_id, image_id))
try:
scanner.flush_and_recompute_vulnerabilities(
image, db_session=db_session)
db_session.commit()
except Exception as e:
log.exception(
"Error refreshing cve matches for image {}/{}".format(
user_id, image_id))
db_session.rollback()
return make_response_error(
"Error refreshing vulnerability listing for image.",
in_httpcode=500,
)
db_session = get_session()
db_session.refresh(image)
with timer("Image vulnerability primary lookup", log_level="debug"):
vulns = scanner.get_vulnerabilities(image)
# Has vulnerabilities?
warns = []
if not vulns:
vulns = []
ns = DistroNamespace.for_obj(image)
if not have_vulnerabilities_for(ns):
warns = [
"No vulnerability data available for image distro: {}".
format(ns.namespace_name)
]
rows = []
with timer("Image vulnerability nvd metadata merge",
log_level="debug"):
vulns = merge_nvd_metadata_image_packages(db_session, vulns,
_nvd_cls, _cpe_cls)
with timer("Image vulnerability output formatting", log_level="debug"):
for vuln, nvd_records in vulns:
fixed_artifact = vuln.fixed_artifact()
# Skip the vulnerability if the vendor_only flag is set to True and the issue won't be addressed by the vendor
if vendor_only and vuln.fix_has_no_advisory(
fixed_in=fixed_artifact):
continue
nvd_scores = [
self._make_cvss_score(score) for nvd_record in nvd_records
for score in nvd_record.get_cvss_scores_nvd()
]
results.append(
VulnerabilityMatch(
vulnerability=VulnerabilityModel(
vulnerability_id=vuln.vulnerability_id,
description="NA",
severity=vuln.vulnerability.severity,
link=vuln.vulnerability.link,
feed="vulnerabilities",
feed_group=vuln.vulnerability.namespace_name,
cvss_scores_nvd=nvd_scores,
cvss_scores_vendor=[],
created_at=vuln.vulnerability.created_at,
last_modified=vuln.vulnerability.updated_at,
),
artifact=Artifact(
name=vuln.pkg_name,
version=vuln.package.fullversion,
pkg_type=vuln.pkg_type,
pkg_path=vuln.pkg_path,
cpe="None",
cpe23="None",
),
fixes=[
FixedArtifact(
version=str(
vuln.fixed_in(fixed_in=fixed_artifact)),
wont_fix=vuln.fix_has_no_advisory(
fixed_in=fixed_artifact),
observed_at=fixed_artifact.fix_observed_at
if fixed_artifact else None,
)
],
match=Match(detected_at=vuln.created_at),
))
# TODO move dedup here so api doesn't have to
# cpe_vuln_listing = []
try:
with timer("Image vulnerabilities cpe matches", log_level="debug"):
all_cpe_matches = scanner.get_cpe_vulnerabilities(
image, _nvd_cls, _cpe_cls)
if not all_cpe_matches:
all_cpe_matches = []
api_endpoint = self._get_api_endpoint()
for image_cpe, vulnerability_cpe in all_cpe_matches:
link = vulnerability_cpe.parent.link
if not link:
link = "{}/query/vulnerabilities?id={}".format(
api_endpoint, vulnerability_cpe.vulnerability_id)
nvd_scores = [
self._make_cvss_score(score) for score in
vulnerability_cpe.parent.get_cvss_scores_nvd()
]
vendor_scores = [
self._make_cvss_score(score) for score in
vulnerability_cpe.parent.get_cvss_scores_vendor()
]
results.append(
VulnerabilityMatch(
vulnerability=VulnerabilityModel(
vulnerability_id=vulnerability_cpe.parent.
normalized_id,
description="NA",
severity=vulnerability_cpe.parent.severity,
link=link,
feed=vulnerability_cpe.feed_name,
feed_group=vulnerability_cpe.namespace_name,
cvss_scores_nvd=nvd_scores,
cvss_scores_vendor=vendor_scores,
created_at=vulnerability_cpe.parent.created_at,
last_modified=vulnerability_cpe.parent.
updated_at,
),
artifact=Artifact(
name=image_cpe.name,
version=image_cpe.version,
pkg_type=image_cpe.pkg_type,
pkg_path=image_cpe.pkg_path,
cpe=image_cpe.get_cpestring(),
cpe23=image_cpe.get_cpe23string(),
),
fixes=[
FixedArtifact(
version=item,
wont_fix=False,
observed_at=vulnerability_cpe.created_at,
) for item in vulnerability_cpe.get_fixed_in()
],
# using vulnerability created_at to indicate the match timestamp for now
match=Match(
detected_at=vulnerability_cpe.created_at),
))
except Exception as err:
log.exception("could not fetch CPE matches")
import uuid
return ImageVulnerabilitiesReport(
account_id=image.user_id,
image_id=image_id,
results=results,
metadata=VulnerabilitiesReportMetadata(
generated_at=datetime.datetime.utcnow(),
uuid=str(uuid.uuid4()),
generated_by=self._get_provider_metadata(),
),
problems=[],
)