diff --git a/api/v1/README.md b/api/v1/README.md index d2609469..8a167690 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -189,8 +189,8 @@ Server: clair { "Namespaces": [ - { "Name": "debian:8" }, - { "Name": "debian:9" } + { "Name": "debian", "Version": "8" }, + { "Name": "debian", "Version": "9" } ] } ``` @@ -227,14 +227,14 @@ Server: clair "Vulnerabilities": [ { "Name": "CVE-1999-1332", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Description": "gzexe in the gzip package on Red Hat Linux 5.0 and earlier allows local users to overwrite files of other users via a symlink attack on a temporary file.", "Link": "https://security-tracker.debian.org/tracker/CVE-1999-1332", "Severity": "Low" }, { "Name": "CVE-1999-1572", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Description": "cpio on FreeBSD 2.1.0, Debian GNU/Linux 3.0, and possibly other operating systems, uses a 0 umask when creating files using the -O (archive) or -F options, which creates the files with mode 0666 and allows local users to read or overwrite those files.", "Link": "https://security-tracker.debian.org/tracker/CVE-1999-1572", "Severity": "Low", @@ -266,7 +266,7 @@ POST http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities HTTP/1.1 { "Vulnerability": { "Name": "CVE-2014-9471", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", "Severity": "Low", @@ -281,7 +281,7 @@ POST http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities HTTP/1.1 "FixedIn": [ { "Name": "coreutils", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Version": "8.23-1" } ] @@ -299,7 +299,7 @@ Server: clair { "Vulnerability": { "Name": "CVE-2014-9471", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", "Severity": "Low", @@ -314,7 +314,7 @@ Server: clair "FixedIn": [ { "Name": "coreutils", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Version": "8.23-1" } ] @@ -350,7 +350,7 @@ Server: clair { "Vulnerability": { "Name": "CVE-2014-9471", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", "Severity": "Low", @@ -365,7 +365,7 @@ Server: clair "FixedIn": [ { "Name": "coreutils", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Version": "8.23-1" } ] @@ -390,7 +390,7 @@ PUT http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities/CVE-2014-9471 { "Vulnerability": { "Name": "CVE-2014-9471", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", "Severity": "Low", @@ -415,7 +415,7 @@ Server: clair { "Vulnerability": { "Name": "CVE-2014-9471", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471", "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.", "Severity": "Low", @@ -477,7 +477,7 @@ Server: clair "Features": [ { "Name": "coreutils", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Version": "8.23-1" } ] @@ -498,7 +498,7 @@ PUT http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities/CVE-2014-9471 { "Feature": { "Name": "coreutils", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Version": "4.24-9" } } @@ -513,7 +513,7 @@ Server: clair { "Feature": { "Name": "coreutils", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Version": "4.24-9" } } @@ -578,13 +578,13 @@ Server: clair "New": { "Vulnerability": { "Name": "CVE-TEST", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Description": "New CVE", "Severity": "Low", "FixedIn": [ { "Name": "grep", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Version": "2.25" } ] @@ -597,7 +597,7 @@ Server: clair "Old": { "Vulnerability": { "Name": "CVE-TEST", - "NamespaceName": "debian:8", + "Namespace": {"Name": "debian", "Version": "8"}, "Description": "New CVE", "Severity": "Low", "FixedIn": [] diff --git a/api/v1/models.go b/api/v1/models.go index c6933e3e..8ad35e44 100644 --- a/api/v1/models.go +++ b/api/v1/models.go @@ -34,13 +34,13 @@ type Error struct { } type Layer struct { - Name string `json:"Name,omitempty"` - NamespaceNames []string `json:"NamespaceNames,omitempty"` - Path string `json:"Path,omitempty"` - ParentName string `json:"ParentName,omitempty"` - Format string `json:"Format,omitempty"` - IndexedByVersion int `json:"IndexedByVersion,omitempty"` - Features []Feature `json:"Features,omitempty"` + Name string `json:"Name,omitempty"` + Namespaces []Namespace `json:"NamespaceName,omitempty"` + Path string `json:"Path,omitempty"` + ParentName string `json:"ParentName,omitempty"` + Format string `json:"Format,omitempty"` + IndexedByVersion int `json:"IndexedByVersion,omitempty"` + Features []Feature `json:"Features,omitempty"` } func LayerFromDatabaseModel(dbLayer database.Layer, withFeatures, withVulnerabilities bool) Layer { @@ -54,26 +54,26 @@ func LayerFromDatabaseModel(dbLayer database.Layer, withFeatures, withVulnerabil } for _, namespace := range dbLayer.Namespaces { - layer.NamespaceNames = append(layer.NamespaceNames, namespace.Name) + layer.Namespaces = append(layer.Namespaces, Namespace{Name: namespace.Name, Version: namespace.Version.String()}) } if withFeatures || withVulnerabilities && dbLayer.Features != nil { for _, dbFeatureVersion := range dbLayer.Features { feature := Feature{ - Name: dbFeatureVersion.Feature.Name, - NamespaceName: dbFeatureVersion.Feature.Namespace.Name, - Version: dbFeatureVersion.Version.String(), - AddedBy: dbFeatureVersion.AddedBy.Name, + Name: dbFeatureVersion.Feature.Name, + Namespace: Namespace{Name: dbFeatureVersion.Feature.Namespace.Name, Version: dbFeatureVersion.Feature.Namespace.Version.String()}, + Version: dbFeatureVersion.Version.String(), + AddedBy: dbFeatureVersion.AddedBy.Name, } for _, dbVuln := range dbFeatureVersion.AffectedBy { vuln := Vulnerability{ - Name: dbVuln.Name, - NamespaceName: dbVuln.Namespace.Name, - Description: dbVuln.Description, - Link: dbVuln.Link, - Severity: string(dbVuln.Severity), - Metadata: dbVuln.Metadata, + Name: dbVuln.Name, + Namespace: Namespace{Name: dbVuln.Namespace.Name, Version: dbVuln.Namespace.Version.String()}, + Description: dbVuln.Description, + Link: dbVuln.Link, + Severity: string(dbVuln.Severity), + Metadata: dbVuln.Metadata, } if dbVuln.FixedBy != types.MaxVersion { @@ -89,18 +89,19 @@ func LayerFromDatabaseModel(dbLayer database.Layer, withFeatures, withVulnerabil } type Namespace struct { - Name string `json:"Name,omitempty"` + Name string `json:"Name,omitempty"` + Version string `json:"Version, omitempty"` } type Vulnerability struct { - Name string `json:"Name,omitempty"` - NamespaceName string `json:"NamespaceName,omitempty"` - Description string `json:"Description,omitempty"` - Link string `json:"Link,omitempty"` - Severity string `json:"Severity,omitempty"` - Metadata map[string]interface{} `json:"Metadata,omitempty"` - FixedBy string `json:"FixedBy,omitempty"` - FixedIn []Feature `json:"FixedIn,omitempty"` + Name string `json:"Name,omitempty"` + Namespace Namespace `json:"Namespace,omitempty"` + Description string `json:"Description,omitempty"` + Link string `json:"Link,omitempty"` + Severity string `json:"Severity,omitempty"` + Metadata map[string]interface{} `json:"Metadata,omitempty"` + FixedBy string `json:"FixedBy,omitempty"` + FixedIn []Feature `json:"FixedIn,omitempty"` } func (v Vulnerability) DatabaseModel() (database.Vulnerability, error) { @@ -121,7 +122,7 @@ func (v Vulnerability) DatabaseModel() (database.Vulnerability, error) { return database.Vulnerability{ Name: v.Name, - Namespace: database.Namespace{Name: v.NamespaceName}, + Namespace: database.Namespace{Name: v.Namespace.Name, Version: types.NewVersionUnsafe(v.Namespace.Version)}, Description: v.Description, Link: v.Link, Severity: severity, @@ -132,12 +133,12 @@ func (v Vulnerability) DatabaseModel() (database.Vulnerability, error) { func VulnerabilityFromDatabaseModel(dbVuln database.Vulnerability, withFixedIn bool) Vulnerability { vuln := Vulnerability{ - Name: dbVuln.Name, - NamespaceName: dbVuln.Namespace.Name, - Description: dbVuln.Description, - Link: dbVuln.Link, - Severity: string(dbVuln.Severity), - Metadata: dbVuln.Metadata, + Name: dbVuln.Name, + Namespace: Namespace{Name: dbVuln.Namespace.Name, Version: dbVuln.Namespace.Version.String()}, + Description: dbVuln.Description, + Link: dbVuln.Link, + Severity: string(dbVuln.Severity), + Metadata: dbVuln.Metadata, } if withFixedIn { @@ -151,7 +152,7 @@ func VulnerabilityFromDatabaseModel(dbVuln database.Vulnerability, withFixedIn b type Feature struct { Name string `json:"Name,omitempty"` - NamespaceName string `json:"NamespaceName,omitempty"` + Namespace Namespace `json:"Namespace,omitempty"` Version string `json:"Version,omitempty"` Vulnerabilities []Vulnerability `json:"Vulnerabilities,omitempty"` AddedBy string `json:"AddedBy,omitempty"` @@ -164,10 +165,10 @@ func FeatureFromDatabaseModel(dbFeatureVersion database.FeatureVersion) Feature } return Feature{ - Name: dbFeatureVersion.Feature.Name, - NamespaceName: dbFeatureVersion.Feature.Namespace.Name, - Version: versionStr, - AddedBy: dbFeatureVersion.AddedBy.Name, + Name: dbFeatureVersion.Feature.Name, + Namespace: Namespace{Name: dbFeatureVersion.Feature.Namespace.Name, Version: dbFeatureVersion.Feature.Namespace.Version.String()}, + Version: versionStr, + AddedBy: dbFeatureVersion.AddedBy.Name, } } @@ -186,7 +187,7 @@ func (f Feature) DatabaseModel() (database.FeatureVersion, error) { return database.FeatureVersion{ Feature: database.Feature{ Name: f.Name, - Namespace: database.Namespace{Name: f.NamespaceName}, + Namespace: database.Namespace{Name: f.Namespace.Name, Version: types.NewVersionUnsafe(f.Namespace.Version)}, }, Version: version, }, nil diff --git a/api/v1/routes.go b/api/v1/routes.go index 408bd8c5..d280f740 100644 --- a/api/v1/routes.go +++ b/api/v1/routes.go @@ -29,6 +29,7 @@ import ( "github.com/coreos/clair/database" "github.com/coreos/clair/utils" cerrors "github.com/coreos/clair/utils/errors" + "github.com/coreos/clair/utils/types" "github.com/coreos/clair/worker" ) @@ -178,7 +179,7 @@ func getNamespaces(w http.ResponseWriter, r *http.Request, p httprouter.Params, } var namespaces []Namespace for _, dbNamespace := range dbNamespaces { - namespaces = append(namespaces, Namespace{Name: dbNamespace.Name}) + namespaces = append(namespaces, Namespace{Name: dbNamespace.Name, Version: dbNamespace.Version.String()}) } writeResponse(w, r, http.StatusOK, NamespaceEnvelope{Namespaces: &namespaces}) @@ -212,8 +213,8 @@ func getVulnerabilities(w http.ResponseWriter, r *http.Request, p httprouter.Par } } - namespace := p.ByName("namespaceName") - if namespace == "" { + namespace := getNamespace(p.ByName("namespaceName"), p.ByName("namespaceVersion")) + if namespace.IsEmpty() { writeResponse(w, r, http.StatusBadRequest, VulnerabilityEnvelope{Error: &Error{"namespace should not be empty"}}) return getNotificationRoute, http.StatusBadRequest } @@ -285,7 +286,7 @@ func postVulnerability(w http.ResponseWriter, r *http.Request, p httprouter.Para func getVulnerability(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *context.RouteContext) (string, int) { _, withFixedIn := r.URL.Query()["fixedIn"] - dbVuln, err := ctx.Store.FindVulnerability(p.ByName("namespaceName"), p.ByName("vulnerabilityName")) + dbVuln, err := ctx.Store.FindVulnerability(getNamespace(p.ByName("namespaceName"), p.ByName("namespaceVersion")), p.ByName("vulnerabilityName")) if err == cerrors.ErrNotFound { writeResponse(w, r, http.StatusNotFound, VulnerabilityEnvelope{Error: &Error{err.Error()}}) return getVulnerabilityRoute, http.StatusNotFound @@ -324,7 +325,7 @@ func putVulnerability(w http.ResponseWriter, r *http.Request, p httprouter.Param return putVulnerabilityRoute, http.StatusBadRequest } - vuln.Namespace.Name = p.ByName("namespaceName") + vuln.Namespace = getNamespace(p.ByName("namespaceName"), p.ByName("namespaceVersion")) vuln.Name = p.ByName("vulnerabilityName") err = ctx.Store.InsertVulnerabilities([]database.Vulnerability{vuln}, true) @@ -344,7 +345,7 @@ func putVulnerability(w http.ResponseWriter, r *http.Request, p httprouter.Param } func deleteVulnerability(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *context.RouteContext) (string, int) { - err := ctx.Store.DeleteVulnerability(p.ByName("namespaceName"), p.ByName("vulnerabilityName")) + err := ctx.Store.DeleteVulnerability(getNamespace(p.ByName("namespaceName"), p.ByName("namespaceVersion")), p.ByName("vulnerabilityName")) if err == cerrors.ErrNotFound { writeResponse(w, r, http.StatusNotFound, VulnerabilityEnvelope{Error: &Error{err.Error()}}) return deleteVulnerabilityRoute, http.StatusNotFound @@ -358,7 +359,7 @@ func deleteVulnerability(w http.ResponseWriter, r *http.Request, p httprouter.Pa } func getFixes(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *context.RouteContext) (string, int) { - dbVuln, err := ctx.Store.FindVulnerability(p.ByName("namespaceName"), p.ByName("vulnerabilityName")) + dbVuln, err := ctx.Store.FindVulnerability(getNamespace(p.ByName("namespaceName"), p.ByName("namespaceVersion")), p.ByName("vulnerabilityName")) if err == cerrors.ErrNotFound { writeResponse(w, r, http.StatusNotFound, FeatureEnvelope{Error: &Error{err.Error()}}) return getFixesRoute, http.StatusNotFound @@ -396,7 +397,7 @@ func putFix(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *co return putFixRoute, http.StatusBadRequest } - err = ctx.Store.InsertVulnerabilityFixes(p.ByName("vulnerabilityNamespace"), p.ByName("vulnerabilityName"), []database.FeatureVersion{dbFix}) + err = ctx.Store.InsertVulnerabilityFixes(getNamespace(p.ByName("vulnerabilityNamespaceName"), p.ByName("vulnerabilityNamespaceVersion")), p.ByName("vulnerabilityName"), []database.FeatureVersion{dbFix}) if err != nil { switch err.(type) { case *cerrors.ErrBadRequest: @@ -417,7 +418,7 @@ func putFix(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *co } func deleteFix(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx *context.RouteContext) (string, int) { - err := ctx.Store.DeleteVulnerabilityFix(p.ByName("vulnerabilityNamespace"), p.ByName("vulnerabilityName"), p.ByName("fixName")) + err := ctx.Store.DeleteVulnerabilityFix(getNamespace(p.ByName("vulnerabilityNamespaceName"), p.ByName("vulnerabilityNamespaceVersion")), p.ByName("vulnerabilityName"), p.ByName("fixName")) if err == cerrors.ErrNotFound { writeResponse(w, r, http.StatusNotFound, FeatureEnvelope{Error: &Error{err.Error()}}) return deleteFixRoute, http.StatusNotFound @@ -496,3 +497,7 @@ func getMetrics(w http.ResponseWriter, r *http.Request, p httprouter.Params, ctx prometheus.Handler().ServeHTTP(w, r) return getMetricsRoute, 0 } + +func getNamespace(name, version string) database.Namespace { + return database.Namespace{Name: name, Version: types.NewVersionUnsafe(version)} +}