Skip to content
This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

Add optional policy parameter for vulnerabilities older than N days #156

Merged
merged 3 commits into from
Apr 10, 2019
Merged

Add optional policy parameter for vulnerabilities older than N days #156

merged 3 commits into from
Apr 10, 2019

Conversation

emaildanwilson
Copy link
Contributor

fixes #149
cc @nurmi

Let me know how this looks, and what other changes would need to be made for it to be included. How are tests handled for policy filters like this? Does the cli need to be updated to include the creation date in vulnerability output?

optional filter for vulnerability date created
a9536a9 
Signed-off-by: i845783 <dan.wilson01@sap.com>
@zhill
Copy link
Member

zhill commented Mar 12, 2019

Thanks @emaildanwilson ! We'll take a look at comment here!

@emaildanwilson
Copy link
Contributor Author

Any chance someone could take a look this week?

@nurmi
Copy link
Member

nurmi commented Mar 25, 2019

hello!

We’re finishing up some feature work, and you’ll see some flurry of work in the next couple of weeks as we gear up for the next oss engine release - your pr is on the list for adressing for that next release - stay tuned and appreciate your patience!

@zhill zhill self-assigned this Mar 28, 2019
@zhill
Copy link
Member

zhill commented Mar 28, 2019

I think the primary question is the semantics you're trying to achieve. The created_at timestamp on vulnerability records in anchore is when the db entry was created, not when the vulnerability was created in in the upstream source. So, for example, none of the created_at timestamps will be older than the anchore deployment date itself. Is that what you're expecting?

@emaildanwilson
Copy link
Contributor Author

Yes, given that some of the sources do not contain a discovery date it seems like it's the best we can do right now. Aside from the caveat of the installation being brand new or the local scan database getting deleted/recreated, the created_at date should match the discovery date within the polling period. Using the created_at date for feeds where the discovery date is not available might create even more confusion. I'm open to ideas if there are ways we could make this better.

@zhill
Copy link
Member

zhill commented Apr 1, 2019

Ack, just wanted to make sure the semantics were understood and acceptable. I tend to agree that there isn't a cleaner way to do it in this case given the diversity of input data.

zhill
zhill reviewed Apr 2, 2019
View reviewed changes
Copy link
Member

@zhill zhill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One little naming change for broader policy naming consistency, but otherwise looks good.

anchore_engine/services/policy_engine/engine/policy/gates/vulnerabilities.py Outdated Show resolved Hide resolved
Change parameter name to match feed sematics
9665cb7 
Signed-off-by: i845783 <dan.wilson01@sap.com>
change parameter name to max_days_since_creation
c717cb1 
Signed-off-by: i845783 <dan.wilson01@sap.com>
@zhill zhill merged commit 66059e1 into anchore:master Apr 10, 2019
@zhill
Copy link
Member

zhill commented Apr 10, 2019

Thanks! Much appreciated, this is a super-useful feature.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@zhill zhill zhill left review comments

Assignees

@zhill zhill

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Feature: Add optional policy parameter for vulnerabilities older than N days
3 participants
@emaildanwilson @zhill @nurmi