Merge pull request #91 from kubescape/dup

do not send duplicated vulns
kubescape · Mar 31, 2023 · 35e8846 · 35e8846
2 parents d4545d1 + ef01f24
commit 35e8846
Show file tree

Hide file tree

Showing 3 changed files with 408 additions and 37 deletions.
diff --git a/adapters/v1/armo.go b/adapters/v1/armo.go
@@ -180,7 +180,6 @@ func (a *ArmoAdapter) SubmitCVE(ctx context.Context, cve domain.CVEManifest, cve
 		Designators:     *armotypes.AttributesDesignatorsFromWLID(workload.Wlid),
 		Summary:         nil,
 		ContainerScanID: scanID,
-		Vulnerabilities: vulnerabilities,
 		Timestamp:       timestamp,
 	}
 

diff --git a/adapters/v1/armo_test.go b/adapters/v1/armo_test.go
@@ -8,17 +8,17 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"sync"
 	"testing"
 	"time"
 
-	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/armosec/armoapi-go/armotypes"
+	v1 "github.com/armosec/cluster-container-scanner-api/containerscan/v1"
 	"github.com/armosec/utils-go/httputils"
 	"github.com/armosec/utils-k8s-go/armometadata"
 	"github.com/go-test/deep"
 	"github.com/google/uuid"
 	"github.com/kubescape/kubevuln/core/domain"
-	"github.com/kubescape/kubevuln/internal/tools"
 )
 
 func TestArmoAdapter_GetCVEExceptions(t *testing.T) {
@@ -82,57 +82,79 @@ func TestArmoAdapter_GetCVEExceptions(t *testing.T) {
 	}
 }
 
+func fileToCVEManifest(path string) domain.CVEManifest {
+	var cve domain.CVEManifest
+	b, err := os.ReadFile(path)
+	if err != nil {
+		panic(err)
+	}
+	err = json.Unmarshal(b, &cve)
+	if err != nil {
+		panic(err)
+	}
+	return cve
+}
+
 func TestArmoAdapter_SubmitCVE(t *testing.T) {
-	type fields struct {
-		clusterConfig        armometadata.ClusterConfig
-		getCVEExceptionsFunc func(string, string, *armotypes.PortalDesignator) ([]armotypes.VulnerabilityExceptionPolicy, error)
-		httpPostFunc         func(httpClient httputils.IHttpClient, fullURL string, headers map[string]string, body []byte) (*http.Response, error)
+	getCVEExceptionsFunc := func(s string, s2 string, designator *armotypes.PortalDesignator) ([]armotypes.VulnerabilityExceptionPolicy, error) {
+		return []armotypes.VulnerabilityExceptionPolicy{}, nil
 	}
 	tests := []struct {
 		name    string
-		fields  fields
+		cve     domain.CVEManifest
+		cvep    domain.CVEManifest
 		wantErr bool
 	}{
 		{
-			name: "submit cve",
-			fields: fields{
-				getCVEExceptionsFunc: func(s string, s2 string, designator *armotypes.PortalDesignator) ([]armotypes.VulnerabilityExceptionPolicy, error) {
-					return []armotypes.VulnerabilityExceptionPolicy{}, nil
-				},
-				httpPostFunc: func(httpClient httputils.IHttpClient, fullURL string, headers map[string]string, body []byte) (*http.Response, error) {
-					return &http.Response{
-						StatusCode: 200,
-						Body:       io.NopCloser(bytes.NewBuffer([]byte{})),
-					}, nil
-				},
-			},
+			name: "submit small cve",
+			cve:  fileToCVEManifest("testdata/nginx-cve-small.json"),
+			cvep: domain.CVEManifest{},
+		},
+		{
+			name: "submit big cve",
+			cve:  fileToCVEManifest("testdata/nginx-cve.json"),
+			cvep: domain.CVEManifest{},
+		},
+		{
+			name: "submit big cve with relevancy",
+			cve:  fileToCVEManifest("testdata/nginx-cve.json"),
+			cvep: fileToCVEManifest("testdata/nginx-filtered-cve.json"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			mu := &sync.Mutex{}
+			seenCVE := map[string]struct{}{}
+			httpPostFunc := func(httpClient httputils.IHttpClient, fullURL string, headers map[string]string, body []byte) (*http.Response, error) {
+				var report v1.ScanResultReport
+				err := json.Unmarshal(body, &report)
+				if err != nil {
+					t.Errorf("failed to unmarshal report: %v", err)
+				}
+				mu.Lock()
+				for _, v := range report.Vulnerabilities {
+					id := v.Name + "+" + v.RelatedPackageName
+					if _, ok := seenCVE[id]; ok {
+						t.Errorf("duplicate cve %s", id)
+					}
+					seenCVE[id] = struct{}{}
+				}
+				mu.Unlock()
+				return &http.Response{
+					StatusCode: 200,
+					Body:       io.NopCloser(bytes.NewBuffer([]byte{})),
+				}, nil
+			}
 			a := &ArmoAdapter{
-				clusterConfig:        tt.fields.clusterConfig,
-				getCVEExceptionsFunc: tt.fields.getCVEExceptionsFunc,
-				httpPostFunc:         tt.fields.httpPostFunc,
+				clusterConfig:        armometadata.ClusterConfig{},
+				getCVEExceptionsFunc: getCVEExceptionsFunc,
+				httpPostFunc:         httpPostFunc,
 			}
 			ctx := context.TODO()
 			ctx = context.WithValue(ctx, domain.TimestampKey{}, time.Now().Unix())
 			ctx = context.WithValue(ctx, domain.ScanIDKey{}, uuid.New().String())
 			ctx = context.WithValue(ctx, domain.WorkloadKey{}, domain.ScanCommand{})
-			b, err := os.ReadFile("testdata/alpine-cve.json")
-			tools.EnsureSetup(t, err == nil)
-			var grypeCVE models.Document
-			err = json.Unmarshal(b, &grypeCVE)
-			tools.EnsureSetup(t, err == nil)
-			domainCVE, err := grypeToDomain(grypeCVE)
-			tools.EnsureSetup(t, err == nil)
-			cve := domain.CVEManifest{
-				Content: domainCVE,
-			}
-			cvep := domain.CVEManifest{
-				Content: domainCVE,
-			}
-			if err := a.SubmitCVE(ctx, cve, cvep); (err != nil) != tt.wantErr {
+			if err := a.SubmitCVE(ctx, tt.cve, tt.cvep); (err != nil) != tt.wantErr {
 				t.Errorf("SubmitCVE() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})