Merge pull request #113 from kubescape/backoff

do not pull image for 10m after error 421
kubescape · May 28, 2023 · ec47ee8 · ec47ee8
2 parents f9c77d5 + 62c0c5e
commit ec47ee8
Show file tree

Hide file tree

Showing 16 changed files with 206 additions and 118 deletions.
diff --git a/adapters/mocksbom.go b/adapters/mocksbom.go
@@ -2,9 +2,11 @@ package adapters
 
 import (
 	"context"
-	"errors"
+	"fmt"
+	"net/http"
 	"time"
 
+	"github.com/google/go-containerregistry/pkg/v1/remote/transport"
 	"github.com/kubescape/go-logger"
 	"github.com/kubescape/k8s-interface/instanceidhandler/v1"
 	"github.com/kubescape/kubevuln/core/domain"
@@ -15,26 +17,35 @@ import (
 
 // MockSBOMAdapter implements a mocked SBOMCreator to be used for tests
 type MockSBOMAdapter struct {
-	error   bool
-	timeout bool
+	error           bool
+	timeout         bool
+	toomanyrequests bool
 }
 
 var _ ports.SBOMCreator = (*MockSBOMAdapter)(nil)
 
 // NewMockSBOMAdapter initializes the MockSBOMAdapter struct
-func NewMockSBOMAdapter(error, timeout bool) *MockSBOMAdapter {
+func NewMockSBOMAdapter(error, timeout, toomanyrequests bool) *MockSBOMAdapter {
 	logger.L().Info("NewMockSBOMAdapter")
 	return &MockSBOMAdapter{
-		error:   error,
-		timeout: timeout,
+		error:           error,
+		timeout:         timeout,
+		toomanyrequests: toomanyrequests,
 	}
 }
 
 // CreateSBOM returns a dummy SBOM for the given imageID
 func (m MockSBOMAdapter) CreateSBOM(ctx context.Context, imageID string, _ domain.RegistryOptions) (domain.SBOM, error) {
 	logger.L().Info("CreateSBOM")
 	if m.error {
-		return domain.SBOM{}, errors.New("mock error")
+		return domain.SBOM{}, domain.ErrMockError
+	}
+	if m.toomanyrequests {
+		return domain.SBOM{}, fmt.Errorf("failed to get image descriptor from registry: %w",
+			&transport.Error{
+				StatusCode: http.StatusTooManyRequests,
+			},
+		)
 	}
 	sbom := domain.SBOM{
 		ID:                 imageID,

diff --git a/adapters/mocksbom_test.go b/adapters/mocksbom_test.go
@@ -10,24 +10,24 @@ import (
 )
 
 func TestMockSBOMAdapter_CreateSBOM(t *testing.T) {
-	m := NewMockSBOMAdapter(false, false)
+	m := NewMockSBOMAdapter(false, false, false)
 	sbom, _ := m.CreateSBOM(context.TODO(), "image", domain.RegistryOptions{})
 	assert.NotNil(t, sbom.Content)
 }
 
 func TestMockSBOMAdapter_CreateSBOM_Error(t *testing.T) {
-	m := NewMockSBOMAdapter(true, false)
+	m := NewMockSBOMAdapter(true, false, false)
 	_, err := m.CreateSBOM(context.TODO(), "image", domain.RegistryOptions{})
 	assert.Error(t, err)
 }
 
 func TestMockSBOMAdapter_CreateSBOM_Timeout(t *testing.T) {
-	m := NewMockSBOMAdapter(false, true)
+	m := NewMockSBOMAdapter(false, true, false)
 	sbom, _ := m.CreateSBOM(context.TODO(), "image", domain.RegistryOptions{})
 	assert.Equal(t, sbom.Status, instanceidhandler.Incomplete)
 }
 
 func TestMockSBOMAdapter_Version(t *testing.T) {
-	m := NewMockSBOMAdapter(false, false)
+	m := NewMockSBOMAdapter(false, false, false)
 	assert.Equal(t, m.Version(), "Mock SBOM 1.0")
 }
diff --git a/adapters/v1/armo.go b/adapters/v1/armo.go
@@ -2,7 +2,6 @@ package v1
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -71,7 +70,7 @@ func (a *ArmoAdapter) GetCVEExceptions(ctx context.Context) (domain.CVEException
 	// retrieve workload from context
 	workload, ok := ctx.Value(domain.WorkloadKey{}).(domain.ScanCommand)
 	if !ok {
-		return nil, errors.New("no workload found in context")
+		return nil, domain.ErrMissingWorkload
 	}
 
 	designator := armotypes.PortalDesignator{
@@ -100,7 +99,7 @@ func (a *ArmoAdapter) SendStatus(ctx context.Context, step int) error {
 	// retrieve workload from context
 	workload, ok := ctx.Value(domain.WorkloadKey{}).(domain.ScanCommand)
 	if !ok {
-		return errors.New("no workload found in context")
+		return domain.ErrMissingWorkload
 	}
 
 	lastAction := workload.LastAction + 1
@@ -133,17 +132,17 @@ func (a *ArmoAdapter) SubmitCVE(ctx context.Context, cve domain.CVEManifest, cve
 	// retrieve timestamp from context
 	timestamp, ok := ctx.Value(domain.TimestampKey{}).(int64)
 	if !ok {
-		return errors.New("no timestamp found in context")
+		return domain.ErrMissingTimestamp
 	}
 	// retrieve scanID from context
 	scanID, ok := ctx.Value(domain.ScanIDKey{}).(string)
 	if !ok {
-		return errors.New("no scanID found in context")
+		return domain.ErrMissingScanID
 	}
 	// retrieve workload from context
 	workload, ok := ctx.Value(domain.WorkloadKey{}).(domain.ScanCommand)
 	if !ok {
-		return errors.New("no workload found in context")
+		return domain.ErrMissingWorkload
 	}
 
 	// get exceptions

diff --git a/adapters/v1/armo_test.go b/adapters/v1/armo_test.go
@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
-	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"os"
@@ -45,7 +45,7 @@ func TestArmoAdapter_GetCVEExceptions(t *testing.T) {
 			workload: true,
 			fields: fields{
 				getCVEExceptionsFunc: func(s string, s2 string, designator *armotypes.PortalDesignator) ([]armotypes.VulnerabilityExceptionPolicy, error) {
-					return nil, errors.New("error")
+					return nil, fmt.Errorf("error")
 				},
 			},
 			wantErr: true,

diff --git a/adapters/v1/domain_to_armo.go b/adapters/v1/domain_to_armo.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
-	"errors"
 
 	"github.com/anchore/syft/syft/source"
 	"github.com/armosec/armoapi-go/armotypes"
@@ -20,17 +19,17 @@ func domainToArmo(ctx context.Context, grypeDocument v1beta1.GrypeDocument, vuln
 	// retrieve timestamp from context
 	timestamp, ok := ctx.Value(domain.TimestampKey{}).(int64)
 	if !ok {
-		return vulnerabilityResults, errors.New("no timestamp found in context")
+		return vulnerabilityResults, domain.ErrMissingTimestamp
 	}
 	// retrieve scanID from context
 	scanID, ok := ctx.Value(domain.ScanIDKey{}).(string)
 	if !ok {
-		return vulnerabilityResults, errors.New("no scanID found in context")
+		return vulnerabilityResults, domain.ErrMissingScanID
 	}
 	// retrieve workload from context
 	workload, ok := ctx.Value(domain.WorkloadKey{}).(domain.ScanCommand)
 	if !ok {
-		return vulnerabilityResults, errors.New("no workload found in context")
+		return vulnerabilityResults, domain.ErrMissingWorkload
 	}
 
 	if grypeDocument.Source != nil {

diff --git a/adapters/v1/grype.go b/adapters/v1/grype.go
@@ -2,7 +2,6 @@ package v1
 
 import (
 	"context"
-	"errors"
 	"path"
 	"sync"
 	"time"
@@ -111,7 +110,7 @@ func (g *GrypeAdapter) ScanSBOM(ctx context.Context, sbom domain.SBOM) (domain.C
 	defer g.mu.RUnlock()
 
 	if g.dbStatus == nil {
-		return domain.CVEManifest{}, errors.New("grype DB is not initialized, run readiness probe first")
+		return domain.CVEManifest{}, domain.ErrInitVulnDB
 	}
 
 	logger.L().Debug("decoding SBOM", helpers.String("imageID", sbom.ID))

diff --git a/cmd/http/main_test.go b/cmd/http/main_test.go
@@ -85,7 +85,7 @@ func TestScan(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			repository := repositories.NewFakeAPIServerStorage("kubescape")
-			sbomAdapter := adapters.NewMockSBOMAdapter(false, false)
+			sbomAdapter := adapters.NewMockSBOMAdapter(false, false, false)
 			cveAdapter := adapters.NewMockCVEAdapter()
 			platform := adapters.NewMockPlatform()
 			service := services.NewScanService(sbomAdapter, repository, cveAdapter, repository, platform, test.storage)

diff --git a/core/domain/scan.go b/core/domain/scan.go
@@ -1,15 +1,29 @@
 package domain
 
 import (
+	"errors"
+
 	"github.com/armosec/armoapi-go/armotypes"
 	"github.com/docker/docker/api/types"
 )
 
 const (
-	AttributeUseHTTP = armotypes.AttributeUseHTTP
+	AttributeUseHTTP       = armotypes.AttributeUseHTTP
 	AttributeSkipTLSVerify = armotypes.AttributeSkipTLSVerify
 )
 
+var (
+	ErrExpectedError    = errors.New("expected error")
+	ErrInitVulnDB       = errors.New("vulnerability DB is not initialized, run readiness probe")
+	ErrIncompleteSBOM   = errors.New("incomplete SBOM, skipping CVE scan")
+	ErrMissingImageID   = errors.New("missing imageID")
+	ErrMissingScanID    = errors.New("missing scanID")
+	ErrMissingTimestamp = errors.New("missing timestamp")
+	ErrMissingWorkload  = errors.New("missing workload")
+	ErrMockError        = errors.New("mock error")
+	ErrTooManyRequests  = errors.New("too many requests")
+)
+
 type ScanIDKey struct{}
 type TimestampKey struct{}
 type WorkloadKey struct{}

diff --git a/core/services/mockscan.go b/core/services/mockscan.go
@@ -2,7 +2,6 @@ package services
 
 import (
 	"context"
-	"errors"
 
 	"github.com/kubescape/kubevuln/core/domain"
 	"github.com/kubescape/kubevuln/core/ports"
@@ -22,7 +21,7 @@ func (m MockScanService) GenerateSBOM(context.Context) error {
 	if m.happy {
 		return nil
 	}
-	return errors.New("mock error")
+	return domain.ErrMockError
 }
 
 func (m MockScanService) Ready(context.Context) bool {
@@ -33,33 +32,33 @@ func (m MockScanService) ScanCVE(context.Context) error {
 	if m.happy {
 		return nil
 	}
-	return errors.New("mock error")
+	return domain.ErrMockError
 }
 
 func (m MockScanService) ScanRegistry(context.Context) error {
 	if m.happy {
 		return nil
 	}
-	return errors.New("mock error")
+	return domain.ErrMockError
 }
 
 func (m MockScanService) ValidateGenerateSBOM(ctx context.Context, _ domain.ScanCommand) (context.Context, error) {
 	if m.happy {
 		return ctx, nil
 	}
-	return ctx, errors.New("mock error")
+	return ctx, domain.ErrMockError
 }
 
 func (m MockScanService) ValidateScanCVE(ctx context.Context, _ domain.ScanCommand) (context.Context, error) {
 	if m.happy {
 		return ctx, nil
 	}
-	return ctx, errors.New("mock error")
+	return ctx, domain.ErrMockError
 }
 
 func (m MockScanService) ValidateScanRegistry(ctx context.Context, _ domain.ScanCommand) (context.Context, error) {
 	if m.happy {
 		return ctx, nil
 	}
-	return ctx, errors.New("mock error")
+	return ctx, domain.ErrMockError
 }