api: Specify what packages cause the layer to have vulnerabilities.

api/logic/layers.go

@@ -182,7 +182,7 @@ func GETLayersVulnerabilities(w http.ResponseWriter, r *http.Request, p httprout
 	}
 
 	// Find vulnerabilities.
-	vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription})
+	vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage})
 	if err != nil {
 		jsonhttp.RenderError(w, 0, err)
 		return
@@ -211,7 +211,7 @@ func GETLayersVulnerabilitiesDiff(w http.ResponseWriter, r *http.Request, p http
 	}
 
 	// Selected fields for vulnerabilities.
-	selectedFields := []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription}
+	selectedFields := []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage}
 
 	// Find vulnerabilities for installed packages.
 	addedVulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(layer.InstalledPackagesNodes, minimumPriority, selectedFields)
@@ -287,7 +287,7 @@ func POSTBatchLayersVulnerabilities(w http.ResponseWriter, r *http.Request, p ht
 		}
 
 		// Find vulnerabilities.
-		vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription})
+		vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage})
 		if err != nil {
 			jsonhttp.RenderError(w, 0, err)
 			return

database/vulnerability.go

@@ -30,6 +30,8 @@ const (
 	FieldVulnerabilityPriority    = "priority"
 	FieldVulnerabilityDescription = "description"
 	FieldVulnerabilityFixedIn     = "fixedIn"
+	// FieldVulnerabilityCausedByPackage only makes sense with FindAllVulnerabilitiesByFixedIn.
+	FieldVulnerabilityCausedByPackage = "causedByPackage"
 )
 
 var FieldVulnerabilityAll = []string{FieldVulnerabilityID, FieldVulnerabilityLink, FieldVulnerabilityPriority, FieldVulnerabilityDescription, FieldVulnerabilityFixedIn}
@@ -42,6 +44,8 @@ type Vulnerability struct {
 	Priority     types.Priority
 	Description  string   `json:",omitempty"`
 	FixedInNodes []string `json:"-"`
+
+	CausedByPackage string `json:",omitempty"`
 }
 
 // GetNode returns an unique identifier for the graph node
@@ -340,14 +344,22 @@ func FindAllVulnerabilitiesByFixedIn(nodes []string, selectedFields []string) ([
 		log.Warning("Could not FindAllVulnerabilitiesByFixedIn with an empty nodes array.")
 		return []*Vulnerability{}, nil
 	}
-	return toVulnerabilities(cayley.StartPath(store, nodes...).In(FieldVulnerabilityFixedIn), selectedFields)
+
+	// Construct path, potentially saving FieldVulnerabilityCausedByPackage
+	path := cayley.StartPath(store, nodes...)
+	if utils.Contains(FieldVulnerabilityCausedByPackage, selectedFields) {
+		path = path.Save(FieldPackageName, FieldVulnerabilityCausedByPackage)
+	}
+	path = path.In(FieldVulnerabilityFixedIn)
+
+	return toVulnerabilities(path, selectedFields)
 }
 
 // toVulnerabilities converts a path leading to one or multiple vulnerabilities to Vulnerability structs, selecting the specified fields
 func toVulnerabilities(path *path.Path, selectedFields []string) ([]*Vulnerability, error) {
 	var vulnerabilities []*Vulnerability
 
-	saveFields(path, selectedFields, []string{FieldVulnerabilityFixedIn})
+	saveFields(path, selectedFields, []string{FieldVulnerabilityFixedIn, FieldVulnerabilityCausedByPackage})
 	it, _ := path.BuildIterator().Optimize()
 	defer it.Close()
 	for cayley.RawNext(it) {
@@ -372,6 +384,8 @@ func toVulnerabilities(path *path.Path, selectedFields []string) ([]*Vulnerabili
 					log.Errorf("could not get fixedIn on vulnerability %s: %s.", vulnerability.Node, err.Error())
 					return []*Vulnerability{}, err
 				}
+			case FieldVulnerabilityCausedByPackage:
+				vulnerability.CausedByPackage = store.NameOf(tags[FieldVulnerabilityCausedByPackage])
 			default:
 				panic("unknown selectedField")
 			}

docs/API.md

@@ -326,7 +326,8 @@ HTTP/1.1 200 OK
             "ID": "CVE-2014-2583",
             "Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
             "Priority": "Low",
-            "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
+            "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
+            "CausedByPackage": "pam"
         },
         [...]
 }
@@ -368,7 +369,8 @@ HTTP/1.1 200 OK
             "ID": "CVE-2014-2583",
             "Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
             "Priority": "Low",
-            "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
+            "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
+            "CausedByPackage": "pam"
         },
         [...]
     ],
@@ -424,7 +426,8 @@ HTTP/1.1 200 OK
                 "ID": "CVE-2014-2583",
                 "Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
                 "Priority": "Low",
-                "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
+                "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
+                "CausedByPackage": "pam"
             },
             [...]
 					]