From 9db0e634011d6e805d3a542ab03cf2956b7d9734 Mon Sep 17 00:00:00 2001
From: Quentin Machu
Date: Tue, 1 Dec 2015 16:57:16 -0500
Subject: [PATCH] api: Specify what packages cause the layer to have vulnerabilities.
---
 api/logic/layers.go | 6 +++---
 database/vulnerability.go | 18 ++++++++++++++++--
 docs/API.md | 9 ++++++---
 3 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/api/logic/layers.go b/api/logic/layers.go
index 64d53977..35ca24e2 100644
--- a/api/logic/layers.go
+++ b/api/logic/layers.go
@@ -182,7 +182,7 @@ func GETLayersVulnerabilities(w http.ResponseWriter, r *http.Request, p httprout
 }
 // Find vulnerabilities.
- vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription})
+ vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage})
 if err != nil {
 jsonhttp.RenderError(w, 0, err)
 return
@@ -211,7 +211,7 @@ func GETLayersVulnerabilitiesDiff(w http.ResponseWriter, r *http.Request, p http
 }
 // Selected fields for vulnerabilities.
- selectedFields := []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription}
+ selectedFields := []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage}
 // Find vulnerabilities for installed packages.
 addedVulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(layer.InstalledPackagesNodes, minimumPriority, selectedFields)
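Review bot: The selected-field slice literal for layer vulnerability responses is now written out in full in three handlers — this hunk in GETLayersVulnerabilities, the -211 hunk in GETLayersVulnerabilitiesDiff, and the -287 hunk in POSTBatchLayersVulnerabilities — and the commit had to touch all three to add a single field. A package-level `var layerVulnerabilityFields = []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage}` referenced from each handler would keep the three API responses from drifting apart the next time a field is added. The enclosing handlers begin and end outside these hunks, so there may be further call sites not visible here.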
@@ -287,7 +287,7 @@ func POSTBatchLayersVulnerabilities(w http.ResponseWriter, r *http.Request, p ht
 }
 // Find vulnerabilities.
- vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription})
+ vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage})
 if err != nil {
 jsonhttp.RenderError(w, 0, err)
 return
diff --git a/database/vulnerability.go b/database/vulnerability.go
index c8f7ae55..1ccd7f48 100644
--- a/database/vulnerability.go
+++ b/database/vulnerability.go
@@ -30,6 +30,8 @@ const (
 FieldVulnerabilityPriority = "priority"
 FieldVulnerabilityDescription = "description"
 FieldVulnerabilityFixedIn = "fixedIn"
+ // FieldVulnerabilityCausedByPackage only makes sense with FindAllVulnerabilitiesByFixedIn.
+ FieldVulnerabilityCausedByPackage = "causedByPackage"
 )
 var FieldVulnerabilityAll = []string{FieldVulnerabilityID, FieldVulnerabilityLink, FieldVulnerabilityPriority, FieldVulnerabilityDescription, FieldVulnerabilityFixedIn}
@@ -42,6 +44,8 @@ type Vulnerability struct {
 Priority types.Priority
 Description string `json:",omitempty"`
 FixedInNodes []string `json:"-"`
+
+ CausedByPackage string `json:",omitempty"`
 }
 // GetNode returns an unique identifier for the graph node
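Review bot: The new `CausedByPackage` field in the -42 hunk carries no doc comment, and the only hint about when it is populated sits on the constant in the -30 hunk, so a reader of the struct cannot tell that it stays empty unless FieldVulnerabilityCausedByPackage is selected. Suggest `// CausedByPackage is the name of the queried package whose fixedIn edge led to this vulnerability; it is only set by FindAllVulnerabilitiesByFixedIn when FieldVulnerabilityCausedByPackage is selected, and is not part of FieldVulnerabilityAll.` on the field. The constant's own comment could say the same thing more concretely, since "only makes sense with" does not tell the reader what happens when it is selected elsewhere.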
@@ -340,14 +344,22 @@ func FindAllVulnerabilitiesByFixedIn(nodes []string, selectedFields []string) ([
 log.Warning("Could not FindAllVulnerabilitiesByFixedIn with an empty nodes array.")
 return []*Vulnerability{}, nil
 }
- return toVulnerabilities(cayley.StartPath(store, nodes...).In(FieldVulnerabilityFixedIn), selectedFields)
+
+ // Construct path, potentially saving FieldVulnerabilityCausedByPackage
+ path := cayley.StartPath(store, nodes...)
+ if utils.Contains(FieldVulnerabilityCausedByPackage, selectedFields) {
+ path = path.Save(FieldPackageName, FieldVulnerabilityCausedByPackage)
+ }
+ path = path.In(FieldVulnerabilityFixedIn)
+
+ return toVulnerabilities(path, selectedFields)
 }
 // toVulnerabilities converts a path leading to one or multiple vulnerabilities to Vulnerability structs, selecting the specified fields
 func toVulnerabilities(path *path.Path, selectedFields []string) ([]*Vulnerability, error) {
 var vulnerabilities []*Vulnerability
- saveFields(path, selectedFields, []string{FieldVulnerabilityFixedIn})
+ saveFields(path, selectedFields, []string{FieldVulnerabilityFixedIn, FieldVulnerabilityCausedByPackage})
 it, _ := path.BuildIterator().Optimize()
 defer it.Close()
 for cayley.RawNext(it) {
@@ -372,6 +384,8 @@ func toVulnerabilities(path *path.Path, selectedFields []string) ([]*Vulnerabili
 log.Errorf("could not get fixedIn on vulnerability %s: %s.", vulnerability.Node, err.Error())
 return []*Vulnerability{}, err
 }
+ case FieldVulnerabilityCausedByPackage:
+ vulnerability.CausedByPackage = store.NameOf(tags[FieldVulnerabilityCausedByPackage])
 default:
 panic("unknown selectedField")
 }
diff --git a/docs/API.md b/docs/API.md
index d955c842..09b7ef7a 100644
--- a/docs/API.md
+++ b/docs/API.md
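Review bot: In the -372 hunk, `store.NameOf(tags[FieldVulnerabilityCausedByPackage])` runs whenever the field is selected, but the tag is only attached to the path by FindAllVulnerabilitiesByFixedIn in the -340 hunk; any other caller of toVulnerabilities that selects the field gets a zero Value from the map and whatever store.NameOf does with it, which this page does not show. A presence check keeps that case well-defined: `if v, ok := tags[FieldVulnerabilityCausedByPackage]; ok { vulnerability.CausedByPackage = store.NameOf(v) }`. Separately, because Save is applied to the package nodes before `.In(FieldVulnerabilityFixedIn)`, a vulnerability whose fixedIn edges reach several of the queried nodes presumably produces one row per package; whether the loop merges those into one Vulnerability or returns duplicate IDs with different CausedByPackage values is outside the hunk and worth confirming, since API consumers would see the duplicates. toVulnerabilities begins inside the first hunk but its loop body and end lie outside both hunks.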
@@ -326,7 +326,8 @@ HTTP/1.1 200 OK
 "ID": "CVE-2014-2583",
 "Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
 "Priority": "Low",
- "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
+ "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
+ "CausedByPackage": "pam"
 },
 [...]
 }
@@ -368,7 +369,8 @@ HTTP/1.1 200 OK
 "ID": "CVE-2014-2583",
 "Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
 "Priority": "Low",
- "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
+ "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
+ "CausedByPackage": "pam"
 },
 [...]
 ],
@@ -424,7 +426,8 @@ HTTP/1.1 200 OK
 "ID": "CVE-2014-2583",
 "Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
 "Priority": "Low",
- "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
+ "Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
+ "CausedByPackage": "pam"
 },
 [...]
 ]