secscan: add support for new enrichment type (PROJQUAY-5981)

This change adds the ability for Quay to reason with the rhcc-enrichment that Clair will return in the vulnerability reports. This information is meant to allow users or applications to determine which packages come from rhcc layers. Signed-off-by: crozzy <joseph.crosland@gmail.com>
crozzy · Sep 14, 2023 · e0a6a52 · e0a6a52
1 parent d453882
commit e0a6a52
Show file tree

Hide file tree

Showing 4 changed files with 3,588 additions and 12 deletions.
diff --git a/data/secscan_model/secscan_v4_model.py b/data/secscan_model/secscan_v4_model.py
@@ -562,6 +562,19 @@ def features_for(report):
     Transforms a Clair v4 `VulnerabilityReport` dict into the standard shape of a
     Quay Security scanner response.
     """
+    cvss_enrichment_key = "message/vnd.clair.map.vulnerability; enricher=clair.cvss schema=https://csrc.nist.gov/schema/nvd/feed/1.1/cvss-v3.x.json"
+    rhcc_enrichment_key = "message/vnd.clair.map.vulnerability; enricher=clair.rhcc schema=??"
+
+    cvss_enrichments = (
+        {
+            key: sorted(val, key=lambda x: x["baseScore"], reverse=True)[0]
+            for key, val in list(report["enrichments"][cvss_enrichment_key])[0].items()
+        }
+        if report.get("enrichments", {}).get(cvss_enrichment_key, {})
+        else {}
+    )
+
+    rhcc_enrichments = report.get("enrichments", {}).get(rhcc_enrichment_key, {})
 
     features = []
     dedupe_vulns = {}
@@ -582,15 +595,6 @@ def features_for(report):
                 pkg_vulns.append(report["vulnerabilities"][vuln_id])
             dedupe_vulns[vuln_key] = True
 
-        enrichments = (
-            {
-                key: sorted(val, key=lambda x: x["baseScore"], reverse=True)[0]
-                for key, val in list(report["enrichments"].values())[0][0].items()
-            }
-            if report.get("enrichments", {})
-            else {}
-        )
-
         features.append(
             Feature(
                 pkg["name"],
@@ -600,7 +604,7 @@ def features_for(report):
                 pkg["version"],
                 [
                     Vulnerability(
-                        fetch_vuln_severity(vuln, enrichments),
+                        fetch_vuln_severity(vuln, cvss_enrichments),
                         vuln["updater"],
                         vuln["links"],
                         maybe_urlencoded(
@@ -616,13 +620,17 @@ def features_for(report):
                             vuln.get("distribution", {}).get("version"),
                             NVD(
                                 CVSSv3(
-                                    enrichments.get(vuln["id"], {}).get("vectorString", ""),
-                                    enrichments.get(vuln["id"], {}).get("baseScore", ""),
+                                    cvss_enrichments.get(vuln["id"], {}).get("vectorString", ""),
+                                    cvss_enrichments.get(vuln["id"], {}).get("baseScore", ""),
                                 )
                             ),
                         ),
                     )
+                    # At the moment the second clause is just True but could be replaced with
+                    # a config variable. We can also mark the vulns that come from rhcc layers
+                    # for the UI to key off of.
                     for vuln in pkg_vulns
+                    if (not rhcc_enrichments.get(pkg_id, False) and True)
                 ],
             )
         )