Kubevuln support for VEX document creation (#179)

* Implementing VEX creation and update logic Signed-off-by: Ben <ben@armosec.io> * Connecting VEX creation to "Scanning for CVEs flow" Signed-off-by: Ben <ben@armosec.io> * Integration with Grype working Signed-off-by: Ben <ben@armosec.io> * Made the VEX generation an optional feature Signed-off-by: Ben <ben@armosec.io> * Removing hardcoded index Signed-off-by: Ben <ben@armosec.io> --------- Signed-off-by: Ben <ben@armosec.io>
kubescape · Oct 24, 2023 · ac94951 · ac94951
1 parent d6c1ee2
commit ac94951
Show file tree

Hide file tree

Showing 15 changed files with 36,546 additions and 15 deletions.
diff --git a/cmd/http/main.go b/cmd/http/main.go
@@ -75,7 +75,7 @@ func main() {
 		logger.L().Info("loaded backend services", helpers.String("ApiServerUrl", backendServices.GetApiServerUrl()), helpers.String("ReportReceiverHttpUrl", backendServices.GetReportReceiverHttpUrl()))
 		platform = v1.NewBackendAdapter(credentials.Account, backendServices.GetApiServerUrl(), backendServices.GetReportReceiverHttpUrl(), credentials.AccessKey)
 	}
-	service := services.NewScanService(sbomAdapter, storage, cveAdapter, storage, platform, c.Storage)
+	service := services.NewScanService(sbomAdapter, storage, cveAdapter, storage, platform, c.Storage, c.VexGeneration)
 	controller := controllers.NewHTTPController(service, c.ScanConcurrency)
 
 	gin.SetMode(gin.ReleaseMode)

diff --git a/cmd/http/main_test.go b/cmd/http/main_test.go
@@ -88,7 +88,7 @@ func TestScan(t *testing.T) {
 			sbomAdapter := adapters.NewMockSBOMAdapter(false, false, false)
 			cveAdapter := adapters.NewMockCVEAdapter()
 			platform := adapters.NewMockPlatform()
-			service := services.NewScanService(sbomAdapter, repository, cveAdapter, repository, platform, test.storage)
+			service := services.NewScanService(sbomAdapter, repository, cveAdapter, repository, platform, test.storage, false)
 			controller := controllers.NewHTTPController(service, 2)
 
 			router := gin.Default()

diff --git a/config/config.go b/config/config.go
@@ -19,6 +19,7 @@ type Config struct {
 	ScanConcurrency int           `mapstructure:"scanConcurrency"`
 	ScanTimeout     time.Duration `mapstructure:"scanTimeout"`
 	Storage         bool          `mapstructure:"storage"`
+	VexGeneration   bool          `mapstructure:"vexGeneration"`
 }
 
 // LoadConfig reads configuration from file or environment variables.
@@ -31,6 +32,7 @@ func LoadConfig(path string) (Config, error) {
 	viper.SetDefault("maxImageSize", 512*1024*1024)
 	viper.SetDefault("scanConcurrency", 1)
 	viper.SetDefault("scanTimeout", 5*time.Minute)
+	viper.SetDefault("vexGeneration", false)
 
 	viper.AutomaticEnv()
 

diff --git a/core/ports/repositories.go b/core/ports/repositories.go
@@ -11,6 +11,7 @@ type CVERepository interface {
 	GetCVE(ctx context.Context, name, SBOMCreatorVersion, CVEScannerVersion, CVEDBVersion string) (domain.CVEManifest, error)
 	StoreCVE(ctx context.Context, cve domain.CVEManifest, withRelevancy bool) error
 	StoreCVESummary(ctx context.Context, cve domain.CVEManifest, cvep domain.CVEManifest, withRelevancy bool) error
+	StoreVEX(ctx context.Context, cve domain.CVEManifest, cvep domain.CVEManifest, withRelevancy bool) error
 }
 
 // SBOMRepository is the port implemented by adapters to be used in ScanService to store SBOMs

diff --git a/core/services/scan.go b/core/services/scan.go
@@ -37,20 +37,22 @@ type ScanService struct {
 	cveRepository   ports.CVERepository
 	platform        ports.Platform
 	storage         bool
+	vexGeneration   bool
 	tooManyRequests *cache.Cache
 }
 
 var _ ports.ScanService = (*ScanService)(nil)
 
 // NewScanService initializes the ScanService with all injected dependencies
-func NewScanService(sbomCreator ports.SBOMCreator, sbomRepository ports.SBOMRepository, cveScanner ports.CVEScanner, cveRepository ports.CVERepository, platform ports.Platform, storage bool) *ScanService {
+func NewScanService(sbomCreator ports.SBOMCreator, sbomRepository ports.SBOMRepository, cveScanner ports.CVEScanner, cveRepository ports.CVERepository, platform ports.Platform, storage bool, vexGeneration bool) *ScanService {
 	return &ScanService{
 		sbomCreator:     sbomCreator,
 		sbomRepository:  sbomRepository,
 		cveScanner:      cveScanner,
 		cveRepository:   cveRepository,
 		platform:        platform,
 		storage:         storage,
+		vexGeneration:   vexGeneration,
 		tooManyRequests: cache.New(cleaningInterval),
 	}
 }
@@ -234,6 +236,13 @@ func (s *ScanService) ScanCVE(ctx context.Context) error {
 				logger.L().Ctx(ctx).Warning("error storing CVE summary", helpers.Error(err),
 					helpers.String("imageSlug", workload.ImageSlug))
 			}
+			if s.vexGeneration {
+				err = s.cveRepository.StoreVEX(ctx, cve, cvep, true)
+				if err != nil {
+					logger.L().Ctx(ctx).Warning("error storing VEX", helpers.Error(err),
+						helpers.String("imageSlug", workload.ImageSlug))
+				}
+			}
 		}
 	}
 

diff --git a/core/services/scan_test.go b/core/services/scan_test.go
@@ -88,7 +88,8 @@ func TestScanService_GenerateSBOM(t *testing.T) {
 				adapters.NewMockCVEAdapter(),
 				storage,
 				adapters.NewMockPlatform(),
-				tt.storage)
+				tt.storage,
+				false)
 			ctx := context.TODO()
 
 			workload := domain.ScanCommand{
@@ -240,7 +241,8 @@ func TestScanService_ScanCVE(t *testing.T) {
 				cveAdapter,
 				storageCVE,
 				adapters.NewMockPlatform(),
-				tt.storage)
+				tt.storage,
+				false)
 			ctx := context.TODO()
 			s.Ready(ctx)
 
@@ -310,7 +312,7 @@ func TestScanService_NginxTest(t *testing.T) {
 	storageSBOM := repositories.NewMemoryStorage(false, false)
 	storageCVE := repositories.NewMemoryStorage(false, false)
 	platform := adapters.NewMockPlatform()
-	s := NewScanService(sbomAdapter, storageSBOM, cveAdapter, storageCVE, platform, true)
+	s := NewScanService(sbomAdapter, storageSBOM, cveAdapter, storageCVE, platform, true, false)
 	s.Ready(ctx)
 	workload := domain.ScanCommand{
 		ContainerName: "nginx",
@@ -369,7 +371,7 @@ func TestScanService_ValidateGenerateSBOM(t *testing.T) {
 				adapters.NewMockCVEAdapter(),
 				repositories.NewMemoryStorage(false, false),
 				adapters.NewMockPlatform(),
-				false)
+				false, false)
 			_, err := s.ValidateGenerateSBOM(context.TODO(), tt.workload)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ValidateGenerateSBOM() error = %v, wantErr %v", err, tt.wantErr)
@@ -414,7 +416,7 @@ func TestScanService_ValidateScanCVE(t *testing.T) {
 				adapters.NewMockCVEAdapter(),
 				repositories.NewMemoryStorage(false, false),
 				adapters.NewMockPlatform(),
-				false)
+				false, false)
 			_, err := s.ValidateScanCVE(context.TODO(), tt.workload)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ValidateScanCVE() error = %v, wantErr %v", err, tt.wantErr)
@@ -471,7 +473,7 @@ func TestScanService_ScanRegistry(t *testing.T) {
 				adapters.NewMockCVEAdapter(),
 				storage,
 				adapters.NewMockPlatform(),
-				false)
+				false, false)
 			ctx := context.TODO()
 			workload := domain.ScanCommand{
 				ImageSlug: "imageSlug",
@@ -532,7 +534,7 @@ func TestScanService_ValidateScanRegistry(t *testing.T) {
 				adapters.NewMockCVEAdapter(),
 				repositories.NewMemoryStorage(false, false),
 				adapters.NewMockPlatform(),
-				false)
+				false, false)
 			_, err := s.ValidateScanRegistry(context.TODO(), tt.workload)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ValidateScanRegistry() error = %v, wantErr %v", err, tt.wantErr)

diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 	github.com/armosec/utils-go v0.0.40
 	github.com/armosec/utils-k8s-go v0.0.18
 	github.com/distribution/distribution v2.8.2+incompatible
+	github.com/distribution/reference v0.5.0
 	github.com/docker/docker v24.0.5+incompatible
 	github.com/eapache/go-resiliency v1.3.0
 	github.com/gammazero/workerpool v1.1.3
@@ -25,6 +26,8 @@ require (
 	github.com/kubescape/go-logger v0.0.21
 	github.com/kubescape/k8s-interface v0.0.135-0.20230730135750-e6e709507847
 	github.com/kubescape/storage v0.0.18
+	github.com/openvex/go-vex v0.2.5
+	github.com/package-url/packageurl-go v0.1.1
 	github.com/spdx/tools-golang v0.5.0-rc1
 	github.com/spf13/viper v1.16.0
 	github.com/stretchr/testify v1.8.4
@@ -134,7 +137,7 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/licensecheck v0.3.1 // indirect
 	github.com/google/s2a-go v0.1.4 // indirect
@@ -293,3 +296,5 @@ require (
 )
 
 replace gorm.io/gorm => gorm.io/gorm v1.23.10
+
+replace github.com/kubescape/storage => github.com/kubescape/storage v0.0.0-20231016192125-da13f3622eee
diff --git a/go.sum b/go.sum
@@ -401,6 +401,8 @@ github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+
 github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/distribution/distribution v2.8.2+incompatible h1:k9+4DKdOG+quPFZXT/mUsiQrGu9vYCp+dXpuPkuqhk8=
 github.com/distribution/distribution v2.8.2+incompatible/go.mod h1:EgLm2NgWtdKgzF9NpMzUKgzmR7AMmb0VQi2B+ZzDRjc=
+github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
+github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/docker/cli v23.0.1+incompatible h1:LRyWITpGzl2C9e9uGxzisptnxAn1zfZKXy13Ul2Q5oM=
 github.com/docker/cli v23.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
@@ -579,8 +581,9 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.14.0 h1:z58vMqHxuwvAsVwvKEkmVBz2TlgBgH5k6koEXBtlYkw=
 github.com/google/go-containerregistry v0.14.0/go.mod h1:aiJ2fp/SXvkWgmYHioXnbMdlgB8eXiiYOY55gfN91Wk=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
@@ -771,8 +774,8 @@ github.com/kubescape/opa-utils v0.0.268 h1:mIsAbpIW0aIk8xr0ECuf8q9gUntGQqJQIJACt
 github.com/kubescape/opa-utils v0.0.268/go.mod h1:95JkuIOfClgLc+DyGb2mDvefRW0STkZe4L2z6AaZJlQ=
 github.com/kubescape/rbac-utils v0.0.20 h1:1MMxsCsCZ3ntDi8f9ZYYcY+K7bv50bDW5ZvnGnhMhJw=
 github.com/kubescape/rbac-utils v0.0.20/go.mod h1:t57AhSrjuNGQ+mpZWQM/hBzrCOeKBDHegFoVo4tbikQ=
-github.com/kubescape/storage v0.0.18 h1:18UIBc0zdKl8geIluPbSKmQgkR7uAhPTEA/+4Uhs6zM=
-github.com/kubescape/storage v0.0.18/go.mod h1:rP6g1ukp4zlytnBcZw+fJHu0j6woOiQ/KfTZfrdM8kw=
+github.com/kubescape/storage v0.0.0-20231016192125-da13f3622eee h1:tSb9H3ij0bHVRXG/BFI5fzMFgpE815nXyOqG3+dBpko=
+github.com/kubescape/storage v0.0.0-20231016192125-da13f3622eee/go.mod h1:rZlTs86bJXW8WQV3PcC9GRc1qUr7Ny3LEkTo3lQARBc=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
@@ -868,7 +871,11 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0-rc4 h1:oOxKUJWnFC4YGHCCMNql1x4YaDfYBTS5Y4x/Cgeo1E0=
 github.com/opencontainers/image-spec v1.1.0-rc4/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
+github.com/openvex/go-vex v0.2.5 h1:41utdp2rHgAGCsG+UbjmfMG5CWQxs15nGqir1eRgSrQ=
+github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88IO/0Wo=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
+github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
+github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=