filter exceptions with "ExpiredOnFix" for Vulnerabilities with a fix

Signed-off-by: Avraham Shalev <8184528+avrahams@users.noreply.github.com>
kubescape · May 30, 2023 · 0545618 · 0545618
1 parent ec47ee8
commit 0545618
Show file tree

Hide file tree

Showing 5 changed files with 64 additions and 4 deletions.
diff --git a/adapters/v1/armo_utils.go b/adapters/v1/armo_utils.go
@@ -257,12 +257,15 @@ func summarize(report v1.ScanResultReport, vulnerabilities []containerscan.Commo
 	return &summary, vulnerabilities
 }
 
-func getCVEExceptionMatchCVENameFromList(srcCVEList []armotypes.VulnerabilityExceptionPolicy, CVEName string) []armotypes.VulnerabilityExceptionPolicy {
+func getCVEExceptionMatchCVENameFromList(srcCVEList []armotypes.VulnerabilityExceptionPolicy, CVEName string, filterFixed bool) []armotypes.VulnerabilityExceptionPolicy {
 	var l []armotypes.VulnerabilityExceptionPolicy
 
 	for i := range srcCVEList {
 		for j := range srcCVEList[i].VulnerabilityPolicies {
 			if srcCVEList[i].VulnerabilityPolicies[j].Name == CVEName {
+				if filterFixed && srcCVEList[i].ExpiredOnFix != nil && *srcCVEList[i].ExpiredOnFix {
+					continue
+				}
 				l = append(l, srcCVEList[i])
 			}
 		}

diff --git a/adapters/v1/armo_utils_test.go b/adapters/v1/armo_utils_test.go
@@ -19,6 +19,7 @@ func TestGetCVEExceptionMatchCVENameFromList(t *testing.T) {
 		srcCVEList []armotypes.VulnerabilityExceptionPolicy
 		CVEName    string
 		expected   []armotypes.VulnerabilityExceptionPolicy
+		isFixed    bool
 	}{
 		{
 			name:       "empty source list",
@@ -78,6 +79,7 @@ func TestGetCVEExceptionMatchCVENameFromList(t *testing.T) {
 				},
 			},
 			CVEName: "CVE-2021-1234",
+			isFixed: true,
 			expected: []armotypes.VulnerabilityExceptionPolicy{
 				{
 					VulnerabilityPolicies: []armotypes.VulnerabilityPolicy{
@@ -98,11 +100,64 @@ func TestGetCVEExceptionMatchCVENameFromList(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:    "multiple matches in source list filtered by with expiration on fix",
+			isFixed: true,
+			srcCVEList: []armotypes.VulnerabilityExceptionPolicy{
+				{
+					VulnerabilityPolicies: []armotypes.VulnerabilityPolicy{
+						{Name: "CVE-2021-1234"},
+					},
+					ExpiredOnFix: pointer.BoolPtr(true),
+				},
+				{
+					VulnerabilityPolicies: []armotypes.VulnerabilityPolicy{
+						{Name: "CVE-2021-5678"},
+						{Name: "CVE-2021-1234"},
+					},
+				},
+				{
+					VulnerabilityPolicies: []armotypes.VulnerabilityPolicy{
+						{Name: "CVE-2021-1234"},
+						{Name: "CVE-2021-9012"},
+					},
+					ExpiredOnFix: pointer.BoolPtr(true),
+				},
+			},
+			CVEName: "CVE-2021-1234",
+			expected: []armotypes.VulnerabilityExceptionPolicy{
+				{
+					VulnerabilityPolicies: []armotypes.VulnerabilityPolicy{
+						{Name: "CVE-2021-5678"},
+						{Name: "CVE-2021-1234"},
+					},
+				},
+			},
+		},
+		{
+			name:    "one match in source list, filter fix with no expire on fix",
+			isFixed: true,
+			srcCVEList: []armotypes.VulnerabilityExceptionPolicy{
+				{
+					VulnerabilityPolicies: []armotypes.VulnerabilityPolicy{
+						{Name: "CVE-2021-1234"},
+					},
+				},
+			},
+			CVEName: "CVE-2021-1234",
+			expected: []armotypes.VulnerabilityExceptionPolicy{
+				{
+					VulnerabilityPolicies: []armotypes.VulnerabilityPolicy{
+						{Name: "CVE-2021-1234"},
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			actual := getCVEExceptionMatchCVENameFromList(tc.srcCVEList, tc.CVEName)
+			actual := getCVEExceptionMatchCVENameFromList(tc.srcCVEList, tc.CVEName, tc.isFixed)
 			assert.Equal(t, actual, tc.expected)
 		})
 	}

diff --git a/adapters/v1/domain_to_armo.go b/adapters/v1/domain_to_armo.go
@@ -89,7 +89,7 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 							Version: version,
 						},
 					},
-					ExceptionApplied: getCVEExceptionMatchCVENameFromList(vulnerabilityExceptionPolicyList, match.Vulnerability.ID),
+					ExceptionApplied: getCVEExceptionMatchCVENameFromList(vulnerabilityExceptionPolicyList, match.Vulnerability.ID, isFixed == 1),
 					IsRelevant:       nil, // TODO add relevancy here?
 				},
 			}

diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/anchore/stereoscope v0.0.0-20230323161519-d7551b7f46f5
 	github.com/anchore/syft v0.76.0
 	github.com/aquilax/truncate v1.0.0
-	github.com/armosec/armoapi-go v0.0.176
+	github.com/armosec/armoapi-go v0.0.189
 	github.com/armosec/cluster-container-scanner-api v0.0.54
 	github.com/armosec/logger-go v0.0.14
 	github.com/armosec/utils-go v0.0.16

diff --git a/go.sum b/go.sum
@@ -260,6 +260,8 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armosec/armoapi-go v0.0.176 h1:C0TWqU1BrKpfJGKT9rhqGVzUZBUxLOvcSOFOoWEkFAA=
 github.com/armosec/armoapi-go v0.0.176/go.mod h1:cC43pDRr6tLMIVQGdgH1G/UxBiV5QI2QttxE9pkbqmo=
+github.com/armosec/armoapi-go v0.0.189 h1:x9937uaCzbJKUTgsIDufFi6Txt7TRyUGQ5XL0MwoJ2U=
+github.com/armosec/armoapi-go v0.0.189/go.mod h1:ANarxE0icSvdufFB1x3JAax7XKrWIKe8b/SvLnuDtGw=
 github.com/armosec/cluster-container-scanner-api v0.0.54 h1:m9R7+bQrGf7vkKKiFDxGU3/+kzn37uecZPjdNwAhqf8=
 github.com/armosec/cluster-container-scanner-api v0.0.54/go.mod h1:HP1ZdO9/R8x8IMiTwO3dwI+MNH1oBTrIwtqdE40lfuI=
 github.com/armosec/logger-go v0.0.14 h1:5YpXMlYt/7zIAcmJP4q1BmWNH/7bpkSndfZTyysrtUE=