Allow feature specific whitelists

klar.go

@@ -17,14 +17,16 @@ import (
 
 //Used to represent the structure of the whitelist YAML file
 type vulnerabilitiesWhitelistYAML struct {
-	General []string
-	Images  map[string][]string
+	General  []string
+	Images   map[string][]string
+	Features map[string][]string
 }
 
 //Map structure used for ease of searching for whitelisted vulnerabilites
 type vulnerabilitiesWhitelist struct {
-	General map[string]bool            //key: CVE and value: true
-	Images  map[string]map[string]bool //key: image name and value: [key: CVE and value: true]
+	General  map[string]bool            //key: CVE and value: true
+	Images   map[string]map[string]bool //key: image name and value: [key: CVE and value: true]
+	Features map[string]map[string]bool //key: feature name and value: [key: CVE and value: true]
 }
 
 const (
@@ -200,6 +202,7 @@ func parseWhitelistFile(whitelistFile string) (*vulnerabilitiesWhitelist, error)
 	//Initialize the whitelist maps
 	whitelist.General = make(map[string]bool)
 	whitelist.Images = make(map[string]map[string]bool)
+	whitelist.Features = make(map[string]map[string]bool)
 
 	//Populate the maps
 	for _, cve := range whitelistYAML.General {
@@ -213,5 +216,12 @@ func parseWhitelistFile(whitelistFile string) (*vulnerabilitiesWhitelist, error)
 		}
 	}
 
+	for feature, cveList := range whitelistYAML.Features {
+		whitelist.Features[feature] = make(map[string]bool)
+		for _, cve := range cveList {
+			whitelist.Images[feature][cve] = true
+		}
+	}
+
 	return &whitelist, nil
 }

main.go

@@ -133,16 +133,25 @@ func vulnsBy(sev string, store map[string][]*clair.Vulnerability) []*clair.Vulne
 func filterWhitelist(whitelist *vulnerabilitiesWhitelist, vs []*clair.Vulnerability, imageName string) []*clair.Vulnerability {
 	generalWhitelist := whitelist.General
 	imageWhitelist := whitelist.Images
+	featureWhitelist := whitelist.Features
 
 	filteredVs := make([]*clair.Vulnerability, 0, len(vs))
 
 	for _, v := range vs {
-		if _, exists := generalWhitelist[v.Name]; !exists {
-			if _, exists := imageWhitelist[imageName][v.Name]; !exists {
-				//vulnerability is not in the image whitelist, so add it to the list to return
-				filteredVs = append(filteredVs, v)
-			}
+		if _, exists := generalWhitelist[v.Name]; exists {
+			//vulnerability is whitelisted generally
+			continue
+		}
+		if _, exists := imageWhitelist[imageName][v.Name]; exists {
+			//vulnerability is whitelisted for this imageName
+			continue
+		}
+		if _, exists := featureWhitelist[v.FeatureName][v.Name]; exists {
+			//vulnerability is whitelisted for this feature name
+			continue
 		}
+		//vulnerability has not been whitelisted, so add it to the list to return
+		filteredVs = append(filteredVs, v)
 	}
 
 	return filteredVs

whitelist-example.yaml

@@ -9,3 +9,6 @@ images:
   fluent/fluent-bit:
     - CVE-2017-14062
     - CVE-2018-6485
+features:
+  "db5.3":
+    - CVE-2019-8457