fix: block trigger for vulnerable image (#3888)

devtron-labs · Sep 14, 2023 · cdb33ed · cdb33ed
1 parent cd1be97
commit cdb33ed
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/pkg/pipeline/WorkflowDagExecutor.go b/pkg/pipeline/WorkflowDagExecutor.go
@@ -534,6 +534,26 @@ func (impl *WorkflowDagExecutorImpl) TriggerPreStage(ctx context.Context, cdWf *
 		return err
 	}
 
+	//checking vulnerability for the selected image
+	isVulnerable, err := impl.GetArtifactVulnerabilityStatus(artifact, pipeline, ctx)
+	if err != nil {
+		return err
+	}
+	if isVulnerable {
+		// if image vulnerable, update timeline status and return
+		runner.Status = pipelineConfig.WorkflowFailed
+		runner.Message = "Found vulnerability on image"
+		runner.FinishedOn = time.Now()
+		runner.UpdatedOn = time.Now()
+		runner.UpdatedBy = triggeredBy
+		err = impl.cdWorkflowRepository.UpdateWorkFlowRunner(runner)
+		if err != nil {
+			impl.logger.Errorw("error in updating wfr status due to vulnerable image", "err", err)
+			return err
+		}
+		return fmt.Errorf("found vulnerability for image digest %s", artifact.ImageDigest)
+	}
+
 	_, span = otel.Tracer("orchestrator").Start(ctx, "buildWFRequest")
 	cdStageWorkflowRequest, err := impl.buildWFRequest(runner, cdWf, pipeline, triggeredBy)
 	span.End()
@@ -619,6 +639,34 @@ func (impl *WorkflowDagExecutorImpl) TriggerPostStage(cdWf *pipelineConfig.CdWor
 	if err != nil {
 		return err
 	}
+
+	if cdWf.CiArtifact == nil || cdWf.CiArtifact.Id == 0 {
+		cdWf.CiArtifact, err = impl.ciArtifactRepository.Get(cdWf.CiArtifactId)
+		if err != nil {
+			impl.logger.Errorw("error fetching artifact data", "err", err)
+			return err
+		}
+	}
+	//checking vulnerability for the selected image
+	isVulnerable, err := impl.GetArtifactVulnerabilityStatus(cdWf.CiArtifact, pipeline, context.Background())
+	if err != nil {
+		return err
+	}
+	if isVulnerable {
+		// if image vulnerable, update timeline status and return
+		runner.Status = pipelineConfig.WorkflowFailed
+		runner.Message = "Found vulnerability on image"
+		runner.FinishedOn = time.Now()
+		runner.UpdatedOn = time.Now()
+		runner.UpdatedBy = triggeredBy
+		err = impl.cdWorkflowRepository.UpdateWorkFlowRunner(runner)
+		if err != nil {
+			impl.logger.Errorw("error in updating wfr status due to vulnerable image", "err", err)
+			return err
+		}
+		return fmt.Errorf("found vulnerability for image digest %s", cdWf.CiArtifact.ImageDigest)
+	}
+
 	cdStageWorkflowRequest, err := impl.buildWFRequest(runner, cdWf, pipeline, triggeredBy)
 	if err != nil {
 		impl.logger.Errorw("error in building wfRequest", "err", err, "runner", runner, "cdWf", cdWf, "pipeline", pipeline)
@@ -1705,6 +1753,16 @@ func (impl *WorkflowDagExecutorImpl) ManualCdTrigger(overrideRequest *bean.Value
 		}
 		if isVulnerable == true {
 			// if image vulnerable, update timeline status and return
+			runner.Status = pipelineConfig.WorkflowFailed
+			runner.Message = "Found vulnerability on image"
+			runner.FinishedOn = time.Now()
+			runner.UpdatedOn = time.Now()
+			runner.UpdatedBy = overrideRequest.UserId
+			err = impl.cdWorkflowRepository.UpdateWorkFlowRunner(runner)
+			if err != nil {
+				impl.logger.Errorw("error in updating wfr status due to vulnerable image", "err", err)
+				return 0, err
+			}
 			runner.CdWorkflow = &pipelineConfig.CdWorkflow{
 				Pipeline: cdPipeline,
 			}
@@ -1789,6 +1847,10 @@ func (impl *WorkflowDagExecutorImpl) ManualCdTrigger(overrideRequest *bean.Value
 		_, span = otel.Tracer("orchestrator").Start(ctx, "TriggerPostStage")
 		err = impl.TriggerPostStage(cdWf, cdPipeline, overrideRequest.UserId)
 		span.End()
+		if err != nil {
+			impl.logger.Errorw("err", "err", err)
+			return 0, err
+		}
 	}
 	return releaseId, err
 }