|
|
|
@ -35,36 +35,67 @@ func (pgSQL *pgSQL) FindVulnerability(namespaceName, name string) (database.Vuln
|
|
|
|
|
func findVulnerability(queryer Queryer, namespaceName, name string, forUpdate bool) (database.Vulnerability, error) {
|
|
|
|
|
defer observeQueryTime("findVulnerability", "all", time.Now())
|
|
|
|
|
|
|
|
|
|
vulnerability := database.Vulnerability{
|
|
|
|
|
Name: name,
|
|
|
|
|
Namespace: database.Namespace{
|
|
|
|
|
Name: namespaceName,
|
|
|
|
|
},
|
|
|
|
|
queryName := "f_vulnerability"
|
|
|
|
|
query := getQuery("f_vulnerability_base") + getQuery("f_vulnerability_+by_name_namespace")
|
|
|
|
|
if forUpdate {
|
|
|
|
|
queryName = queryName + "+for_update"
|
|
|
|
|
query = query + getQuery("f_vulnerability_for_update")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Find Vulnerability.
|
|
|
|
|
return scanVulnerability(queryer, queryName, queryer.QueryRow(query, namespaceName, name))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pgSQL *pgSQL) findVulnerabilityByIDWithDeleted(id int) (database.Vulnerability, error) {
|
|
|
|
|
defer observeQueryTime("findVulnerabilityByIDWithDeleted", "all", time.Now())
|
|
|
|
|
|
|
|
|
|
queryName := "f_vulnerability"
|
|
|
|
|
if forUpdate {
|
|
|
|
|
queryName = "f_vulnerability_for_update"
|
|
|
|
|
query := getQuery("f_vulnerability_base") + getQuery("f_vulnerability_+by_id")
|
|
|
|
|
|
|
|
|
|
return scanVulnerability(pgSQL, queryName, pgSQL.QueryRow(query, id))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func scanVulnerability(queryer Queryer, queryName string, vulnerabilityRow *sql.Row) (database.Vulnerability, error) {
|
|
|
|
|
var vulnerability database.Vulnerability
|
|
|
|
|
|
|
|
|
|
err := vulnerabilityRow.Scan(
|
|
|
|
|
&vulnerability.ID,
|
|
|
|
|
&vulnerability.Name,
|
|
|
|
|
&vulnerability.Namespace.ID,
|
|
|
|
|
&vulnerability.Namespace.Name,
|
|
|
|
|
&vulnerability.Description,
|
|
|
|
|
&vulnerability.Link,
|
|
|
|
|
&vulnerability.Severity,
|
|
|
|
|
&vulnerability.Metadata,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return vulnerability, handleError(queryName+".Scan()", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rows, err := queryer.Query(getQuery(queryName), namespaceName, name)
|
|
|
|
|
if vulnerability.ID == 0 {
|
|
|
|
|
return vulnerability, cerrors.ErrNotFound
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Query the FixedIn FeatureVersion now.
|
|
|
|
|
rows, err := queryer.Query(getQuery("f_vulnerability_fixedin"), vulnerability.ID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return vulnerability, handleError(queryName, err)
|
|
|
|
|
return vulnerability, handleError("f_vulnerability_fixedin.Scan()", err)
|
|
|
|
|
}
|
|
|
|
|
defer rows.Close()
|
|
|
|
|
|
|
|
|
|
// Iterate to scan the Vulnerability and its FixedIn FeatureVersions.
|
|
|
|
|
for rows.Next() {
|
|
|
|
|
var featureVersionID zero.Int
|
|
|
|
|
var featureVersionVersion zero.String
|
|
|
|
|
var featureVersionFeatureName zero.String
|
|
|
|
|
|
|
|
|
|
err := rows.Scan(&vulnerability.ID, &vulnerability.Namespace.ID, &vulnerability.Description,
|
|
|
|
|
&vulnerability.Link, &vulnerability.Severity, &vulnerability.Metadata,
|
|
|
|
|
&featureVersionVersion, &featureVersionID, &featureVersionFeatureName)
|
|
|
|
|
err := rows.Scan(
|
|
|
|
|
&featureVersionVersion,
|
|
|
|
|
&featureVersionID,
|
|
|
|
|
&featureVersionFeatureName,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return vulnerability, handleError(queryName+".Scan()", err)
|
|
|
|
|
return vulnerability, handleError("f_vulnerability_fixedin.Scan()", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !featureVersionID.IsZero() {
|
|
|
|
@ -82,11 +113,9 @@ func findVulnerability(queryer Queryer, namespaceName, name string, forUpdate bo
|
|
|
|
|
vulnerability.FixedIn = append(vulnerability.FixedIn, featureVersion)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if err = rows.Err(); err != nil {
|
|
|
|
|
return vulnerability, handleError("s_featureversions_vulnerabilities.Rows()", err)
|
|
|
|
|
}
|
|
|
|
|
if vulnerability.ID == 0 {
|
|
|
|
|
return vulnerability, cerrors.ErrNotFound
|
|
|
|
|
|
|
|
|
|
if err := rows.Err(); err != nil {
|
|
|
|
|
return vulnerability, handleError("f_vulnerability_fixedin.Rows()", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return vulnerability, nil
|
|
|
|
@ -96,7 +125,7 @@ func findVulnerability(queryer Queryer, namespaceName, name string, forUpdate bo
|
|
|
|
|
// By setting the fixed version to minVersion, we can say that the vuln does'nt affect anymore.
|
|
|
|
|
func (pgSQL *pgSQL) InsertVulnerabilities(vulnerabilities []database.Vulnerability) error {
|
|
|
|
|
for _, vulnerability := range vulnerabilities {
|
|
|
|
|
err := pgSQL.insertVulnerability(vulnerability)
|
|
|
|
|
err := pgSQL.insertVulnerability(vulnerability, false)
|
|
|
|
|
if err != nil {
|
|
|
|
|
fmt.Printf("%#v\n", vulnerability)
|
|
|
|
|
return err
|
|
|
|
@ -105,22 +134,27 @@ func (pgSQL *pgSQL) InsertVulnerabilities(vulnerabilities []database.Vulnerabili
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pgSQL *pgSQL) insertVulnerability(vulnerability database.Vulnerability) error {
|
|
|
|
|
func (pgSQL *pgSQL) insertVulnerability(vulnerability database.Vulnerability, onlyFixedIn bool) error {
|
|
|
|
|
tf := time.Now()
|
|
|
|
|
|
|
|
|
|
// Verify parameters
|
|
|
|
|
if vulnerability.Name == "" || len(vulnerability.FixedIn) == 0 ||
|
|
|
|
|
vulnerability.Namespace.Name == "" || !vulnerability.Severity.IsValid() {
|
|
|
|
|
log.Warning("could not insert an invalid vulnerability")
|
|
|
|
|
return cerrors.NewBadRequestError("could not insert an invalid vulnerability")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, fixedInFeatureVersion := range vulnerability.FixedIn {
|
|
|
|
|
if fixedInFeatureVersion.Feature.Namespace.Name == "" {
|
|
|
|
|
fixedInFeatureVersion.Feature.Namespace.Name = vulnerability.Namespace.Name
|
|
|
|
|
} else if fixedInFeatureVersion.Feature.Namespace.Name != vulnerability.Namespace.Name {
|
|
|
|
|
msg := "could not insert an invalid vulnerability: FixedIn FeatureVersion must be in the " +
|
|
|
|
|
"same namespace as the Vulnerability"
|
|
|
|
|
if vulnerability.Name == "" || vulnerability.Namespace.Name == "" {
|
|
|
|
|
return cerrors.NewBadRequestError("insertVulnerability needs at least the Name and the Namespace")
|
|
|
|
|
}
|
|
|
|
|
if !onlyFixedIn && !vulnerability.Severity.IsValid() {
|
|
|
|
|
msg := fmt.Sprintf("could not insert a vulnerability that has an invalid Severity: %s", vulnerability.Severity)
|
|
|
|
|
log.Warning(msg)
|
|
|
|
|
return cerrors.NewBadRequestError(msg)
|
|
|
|
|
}
|
|
|
|
|
for i := 0; i < len(vulnerability.FixedIn); i++ {
|
|
|
|
|
fifv := &vulnerability.FixedIn[i]
|
|
|
|
|
|
|
|
|
|
if fifv.Feature.Namespace.Name == "" {
|
|
|
|
|
// As there is no Namespace on that FixedIn FeatureVersion, set it to the Vulnerability's
|
|
|
|
|
// Namespace.
|
|
|
|
|
fifv.Feature.Namespace.Name = vulnerability.Namespace.Name
|
|
|
|
|
} else if fifv.Feature.Namespace.Name != vulnerability.Namespace.Name {
|
|
|
|
|
msg := "could not insert an invalid vulnerability that contains FixedIn FeatureVersion that are not in the same namespace as the Vulnerability"
|
|
|
|
|
log.Warning(msg)
|
|
|
|
|
return cerrors.NewBadRequestError(msg)
|
|
|
|
|
}
|
|
|
|
@ -129,12 +163,6 @@ func (pgSQL *pgSQL) insertVulnerability(vulnerability database.Vulnerability) er
|
|
|
|
|
// We do `defer observeQueryTime` here because we don't want to observe invalid vulnerabilities.
|
|
|
|
|
defer observeQueryTime("insertVulnerability", "all", tf)
|
|
|
|
|
|
|
|
|
|
// Find or insert Vulnerability's Namespace.
|
|
|
|
|
namespaceID, err := pgSQL.insertNamespace(vulnerability.Namespace)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Begin transaction.
|
|
|
|
|
tx, err := pgSQL.Begin()
|
|
|
|
|
if err != nil {
|
|
|
|
@ -142,71 +170,84 @@ func (pgSQL *pgSQL) insertVulnerability(vulnerability database.Vulnerability) er
|
|
|
|
|
return handleError("insertVulnerability.Begin()", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Find vulnerability and its Vulnerability_FixedIn_Features.
|
|
|
|
|
existingVulnerability, err := findVulnerability(tx, vulnerability.Namespace.Name,
|
|
|
|
|
vulnerability.Name, true)
|
|
|
|
|
// Find existing vulnerability and its Vulnerability_FixedIn_Features (for update).
|
|
|
|
|
existingVulnerability, err := findVulnerability(tx, vulnerability.Namespace.Name, vulnerability.Name, true)
|
|
|
|
|
if err != nil && err != cerrors.ErrNotFound {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Insert or update vulnerability.
|
|
|
|
|
if existingVulnerability.ID == 0 {
|
|
|
|
|
// The vulnerability is a new one, insert it.
|
|
|
|
|
err = tx.QueryRow(getQuery("i_vulnerability"), namespaceID, vulnerability.Name,
|
|
|
|
|
vulnerability.Description, vulnerability.Link, &vulnerability.Severity,
|
|
|
|
|
&vulnerability.Metadata).Scan(&vulnerability.ID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return handleError("i_vulnerability", err)
|
|
|
|
|
if onlyFixedIn {
|
|
|
|
|
// Because this call tries to update FixedIn FeatureVersion, import all other data from the
|
|
|
|
|
// existing one.
|
|
|
|
|
if existingVulnerability.ID == 0 {
|
|
|
|
|
return cerrors.ErrNotFound
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
// The vulnerability exists, update it.
|
|
|
|
|
if vulnerability.Description != existingVulnerability.Description ||
|
|
|
|
|
|
|
|
|
|
fixedIn := vulnerability.FixedIn
|
|
|
|
|
vulnerability = existingVulnerability
|
|
|
|
|
vulnerability.FixedIn = fixedIn
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if existingVulnerability.ID != 0 {
|
|
|
|
|
updateMetadata := vulnerability.Description != existingVulnerability.Description ||
|
|
|
|
|
vulnerability.Link != existingVulnerability.Link ||
|
|
|
|
|
vulnerability.Severity != existingVulnerability.Severity ||
|
|
|
|
|
!reflect.DeepEqual(castMetadata(vulnerability.Metadata), existingVulnerability.Metadata) {
|
|
|
|
|
_, err = tx.Exec(getQuery("u_vulnerability"), existingVulnerability.ID,
|
|
|
|
|
vulnerability.Description, vulnerability.Link, &vulnerability.Severity,
|
|
|
|
|
&vulnerability.Metadata)
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return handleError("u_vulnerability", err)
|
|
|
|
|
}
|
|
|
|
|
!reflect.DeepEqual(castMetadata(vulnerability.Metadata), existingVulnerability.Metadata)
|
|
|
|
|
|
|
|
|
|
// Construct the entire list of FixedIn FeatureVersion, by using the
|
|
|
|
|
// the FixedIn list of the old vulnerability.
|
|
|
|
|
//
|
|
|
|
|
// TODO(Quentin-M): We could use !updateFixedIn to just copy FixedIn/Affects rows from the
|
|
|
|
|
// existing vulnerability in order to make metadata updates much faster.
|
|
|
|
|
fixedIn, updateFixedIn := applyFixedInDiff(existingVulnerability.FixedIn, vulnerability.FixedIn)
|
|
|
|
|
vulnerability.FixedIn = fixedIn
|
|
|
|
|
|
|
|
|
|
if !updateMetadata && !updateFixedIn {
|
|
|
|
|
tx.Commit()
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
vulnerability.ID = existingVulnerability.ID
|
|
|
|
|
// Mark the old vulnerability as non latest.
|
|
|
|
|
_, err = tx.Exec(getQuery("r_vulnerability"), vulnerability.Namespace.Name, vulnerability.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return handleError("r_vulnerability", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the new/updated/removed FeatureVersions and the resulting full list.
|
|
|
|
|
var newFIFV, updatedFIFV, removedFIFV []database.FeatureVersion
|
|
|
|
|
if existingVulnerability.ID == 0 {
|
|
|
|
|
// The vulnerability is a new new, the new FeatureVersions are the entire list of FixedIn.
|
|
|
|
|
newFIFV = vulnerability.FixedIn
|
|
|
|
|
} else {
|
|
|
|
|
// The vulnerability exists, compute the lists using diffFixedIn.
|
|
|
|
|
// We overwrite vulnerability.FixedIn with the entire list of FixedIn FeatureVersions, we'll
|
|
|
|
|
// then use the vulnerability in the notification, with that list instead of a potential diff.
|
|
|
|
|
newFIFV, updatedFIFV, removedFIFV, vulnerability.FixedIn =
|
|
|
|
|
diffFixedIn(existingVulnerability.FixedIn, vulnerability.FixedIn)
|
|
|
|
|
// Find or insert Vulnerability's Namespace.
|
|
|
|
|
namespaceID, err := pgSQL.insertNamespace(vulnerability.Namespace)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update Vulnerability_FixedIn_Feature and Vulnerability_Affects_FeatureVersion now.
|
|
|
|
|
if err = pgSQL.updateVulnerabilityFeatureVersions(tx, vulnerability.ID, newFIFV, updatedFIFV,
|
|
|
|
|
removedFIFV); err != nil {
|
|
|
|
|
// Insert vulnerability.
|
|
|
|
|
err = tx.QueryRow(
|
|
|
|
|
getQuery("i_vulnerability"),
|
|
|
|
|
namespaceID,
|
|
|
|
|
vulnerability.Name,
|
|
|
|
|
vulnerability.Description,
|
|
|
|
|
vulnerability.Link,
|
|
|
|
|
&vulnerability.Severity,
|
|
|
|
|
&vulnerability.Metadata,
|
|
|
|
|
).Scan(&vulnerability.ID)
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return err
|
|
|
|
|
return handleError("i_vulnerability", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create notification.
|
|
|
|
|
notification := database.VulnerabilityNotification{
|
|
|
|
|
NewVulnerability: vulnerability,
|
|
|
|
|
}
|
|
|
|
|
if existingVulnerability.ID != 0 {
|
|
|
|
|
notification.OldVulnerability = &existingVulnerability
|
|
|
|
|
// Update Vulnerability_FixedIn_Feature and Vulnerability_Affects_FeatureVersion now.
|
|
|
|
|
err = pgSQL.insertVulnerabilityFixedInFeatureVersions(tx, vulnerability.ID, vulnerability.FixedIn)
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := pgSQL.insertNotification(tx, notification); err != nil {
|
|
|
|
|
// Create a notification.
|
|
|
|
|
err = createNotification(tx, existingVulnerability.ID, vulnerability.ID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -231,55 +272,48 @@ func castMetadata(m database.MetadataMap) database.MetadataMap {
|
|
|
|
|
return c
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func diffFixedIn(existingFIFVList, newFIFVList []database.FeatureVersion) (newFIFV, updatedFIFV, removedFIFV, allFIFV []database.FeatureVersion) {
|
|
|
|
|
// Build FeatureVersion.Feature.Namespace.Name:FeatureVersion.Feature.Name (NaN) structures.
|
|
|
|
|
allFIFVMap, _ := createFeatureVersionNameMap(existingFIFVList)
|
|
|
|
|
vulnerabilityFixedInNameMap, vulnerabilityFixedInNameSlice := createFeatureVersionNameMap(newFIFVList)
|
|
|
|
|
existingFixedInMapNameMap, existingFixedInNameSlice := createFeatureVersionNameMap(existingFIFVList)
|
|
|
|
|
// applyFixedInDiff applies a FeatureVersion diff on a FeatureVersion list and returns the result.
|
|
|
|
|
func applyFixedInDiff(currentList, diff []database.FeatureVersion) ([]database.FeatureVersion, bool) {
|
|
|
|
|
currentMap, currentNames := createFeatureVersionNameMap(currentList)
|
|
|
|
|
diffMap, diffNames := createFeatureVersionNameMap(diff)
|
|
|
|
|
|
|
|
|
|
// Calculate the new FixedIn FeatureVersion NaN and updated ones.
|
|
|
|
|
newFixedInName := utils.CompareStringLists(vulnerabilityFixedInNameSlice,
|
|
|
|
|
existingFixedInNameSlice)
|
|
|
|
|
updatedFixedInName := utils.CompareStringListsInBoth(vulnerabilityFixedInNameSlice,
|
|
|
|
|
existingFixedInNameSlice)
|
|
|
|
|
addedNames := utils.CompareStringLists(diffNames, currentNames)
|
|
|
|
|
inBothNames := utils.CompareStringListsInBoth(diffNames, currentNames)
|
|
|
|
|
|
|
|
|
|
for _, nan := range newFixedInName {
|
|
|
|
|
fv := vulnerabilityFixedInNameMap[nan]
|
|
|
|
|
if fv.Version == types.MinVersion {
|
|
|
|
|
// We don't want to mark a Feature as fixed in MinVersion. MinVersion only makes sense when a
|
|
|
|
|
// Feature is already marked as fixed in some version, in which case we would be in the
|
|
|
|
|
// "updatedFixedInFeatureVersions" loop and removes the fixed in mark.
|
|
|
|
|
different := false
|
|
|
|
|
|
|
|
|
|
for _, name := range addedNames {
|
|
|
|
|
if diffMap[name].Version == types.MinVersion {
|
|
|
|
|
// MinVersion only makes sense when a Feature is already fixed in some version,
|
|
|
|
|
// in which case we would be in the "inBothNames".
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newFIFV = append(newFIFV, fv)
|
|
|
|
|
allFIFVMap[fv.Feature.Namespace.Name+":"+fv.Feature.Name] = fv
|
|
|
|
|
currentMap[name] = diffMap[name]
|
|
|
|
|
different = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, nan := range updatedFixedInName {
|
|
|
|
|
fv := existingFixedInMapNameMap[nan]
|
|
|
|
|
fv.Version = vulnerabilityFixedInNameMap[nan].Version
|
|
|
|
|
for _, name := range inBothNames {
|
|
|
|
|
fv := diffMap[name]
|
|
|
|
|
|
|
|
|
|
if existingFixedInMapNameMap[nan].Version == fv.Version {
|
|
|
|
|
// Versions are actually the same!
|
|
|
|
|
// Even though they appear in both lists, it's not an update.
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if fv.Version != types.MinVersion {
|
|
|
|
|
updatedFIFV = append(updatedFIFV, fv)
|
|
|
|
|
allFIFVMap[fv.Feature.Namespace.Name+":"+fv.Feature.Name] = fv
|
|
|
|
|
} else {
|
|
|
|
|
removedFIFV = append(removedFIFV, fv)
|
|
|
|
|
delete(allFIFVMap, fv.Feature.Namespace.Name+":"+fv.Feature.Name)
|
|
|
|
|
if fv.Version == types.MinVersion {
|
|
|
|
|
// MinVersion means that the Feature doesn't affect the Vulnerability anymore.
|
|
|
|
|
delete(currentMap, name)
|
|
|
|
|
different = true
|
|
|
|
|
} else if fv.Version != currentMap[name].Version {
|
|
|
|
|
// The version got updated.
|
|
|
|
|
currentMap[name] = diffMap[name]
|
|
|
|
|
different = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, fv := range allFIFVMap {
|
|
|
|
|
allFIFV = append(allFIFV, fv)
|
|
|
|
|
// Convert currentMap to a slice and return it.
|
|
|
|
|
var newList []database.FeatureVersion
|
|
|
|
|
for _, fv := range currentMap {
|
|
|
|
|
newList = append(newList, fv)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
|
return newList, different
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createFeatureVersionNameMap(features []database.FeatureVersion) (map[string]database.FeatureVersion, []string) {
|
|
|
|
@ -295,123 +329,19 @@ func createFeatureVersionNameMap(features []database.FeatureVersion) (map[string
|
|
|
|
|
return m, s
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pgSQL *pgSQL) InsertVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName string, fixes []database.FeatureVersion) error {
|
|
|
|
|
// Verify parameters
|
|
|
|
|
for _, fifv := range fixes {
|
|
|
|
|
if fifv.Feature.Namespace.Name == "" {
|
|
|
|
|
fifv.Feature.Namespace.Name = vulnerabilityNamespace
|
|
|
|
|
} else if fifv.Feature.Namespace.Name != vulnerabilityNamespace {
|
|
|
|
|
msg := "could not add/update a FixedIn FeatureVersion: FixedIn FeatureVersion must be in the " +
|
|
|
|
|
"same namespace as the Vulnerability"
|
|
|
|
|
log.Warning(msg)
|
|
|
|
|
return cerrors.NewBadRequestError(msg)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
f := func(vulnerability database.Vulnerability) (newFIFV, updatedFIFV, removedFIFV, allFIFV []database.FeatureVersion, err error) {
|
|
|
|
|
newFIFV, updatedFIFV, _, allFIFV = diffFixedIn(vulnerability.FixedIn, fixes)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pgSQL.doVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName, f)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pgSQL *pgSQL) DeleteVulnerabilityFix(vulnerabilityNamespace, vulnerabilityName, featureName string) error {
|
|
|
|
|
f := func(vulnerability database.Vulnerability) (newFIFV, updatedFIFV, removedFIFV, allFIFV []database.FeatureVersion, err error) {
|
|
|
|
|
// Search the specified featureName.
|
|
|
|
|
for i, vulnerabilityFV := range vulnerability.FixedIn {
|
|
|
|
|
if vulnerabilityFV.Feature.Name == featureName {
|
|
|
|
|
removedFIFV = append(removedFIFV, vulnerabilityFV)
|
|
|
|
|
allFIFV = append(vulnerability.FixedIn[:i], vulnerability.FixedIn[i+1:]...)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = cerrors.ErrNotFound
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pgSQL.doVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName, f)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// doVulnerabilityFixes is used by InsertVulnerabilityFixes and DeleteVulnerabilityFix. It
|
|
|
|
|
// adds/updates/removes FeatureVersions on the specified vulnerability using
|
|
|
|
|
// updateVulnerabilityFeatureVersions and creates a database.VulnerabilityNotification.
|
|
|
|
|
func (pgSQL *pgSQL) doVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName string, f func(vulnerability database.Vulnerability) (newFIFV, updatedFIFV, removedFIFV, allFIFV []database.FeatureVersion, err error)) error {
|
|
|
|
|
// Begin transaction.
|
|
|
|
|
tx, err := pgSQL.Begin()
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return handleError("doVulnerabilityFixes.Begin()", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Select for update the vulnerability in order to prevent everyone else from executing updates
|
|
|
|
|
// on the vulnerability (and consequently on Vulnerability_FixedIn_Feature for that particular
|
|
|
|
|
// vulnerability)
|
|
|
|
|
vulnerability, err := findVulnerability(tx, vulnerabilityNamespace, vulnerabilityName, true)
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the new/updated/removed FeatureVersions and the resulting full list, using the given fct.
|
|
|
|
|
newFIFV, updatedFIFV, removedFIFV, allFIFV, err := f(vulnerability)
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if len(newFIFV) == 0 && len(updatedFIFV) == 0 && len(removedFIFV) == 0 {
|
|
|
|
|
// Nothing to do.
|
|
|
|
|
tx.Commit()
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Update Vulnerability_FixedIn_Feature and Vulnerability_Affects_FeatureVersion now.
|
|
|
|
|
err = pgSQL.updateVulnerabilityFeatureVersions(tx, vulnerability.ID, newFIFV, updatedFIFV,
|
|
|
|
|
removedFIFV)
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Create notification.
|
|
|
|
|
newVulnerability := vulnerability
|
|
|
|
|
newVulnerability.FixedIn = allFIFV
|
|
|
|
|
|
|
|
|
|
notification := database.VulnerabilityNotification{
|
|
|
|
|
NewVulnerability: newVulnerability,
|
|
|
|
|
OldVulnerability: &vulnerability,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := pgSQL.insertNotification(tx, notification); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Commit transaction.
|
|
|
|
|
err = tx.Commit()
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return handleError("insertVulnerability.Commit()", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pgSQL *pgSQL) updateVulnerabilityFeatureVersions(tx *sql.Tx, vulnerabilityID int, newFIFV, updatedFIFV, removedFIFV []database.FeatureVersion) error {
|
|
|
|
|
defer observeQueryTime("updateVulnerabilityFeatureVersions", "all", time.Now())
|
|
|
|
|
// insertVulnerabilityFixedInFeatureVersions populates Vulnerability_FixedIn_Feature for the given
|
|
|
|
|
// vulnerability with the specified database.FeatureVersion list and uses
|
|
|
|
|
// linkVulnerabilityToFeatureVersions to propagate the changes on Vulnerability_FixedIn_Feature to
|
|
|
|
|
// Vulnerability_Affects_FeatureVersion.
|
|
|
|
|
func (pgSQL *pgSQL) insertVulnerabilityFixedInFeatureVersions(tx *sql.Tx, vulnerabilityID int, fixedIn []database.FeatureVersion) error {
|
|
|
|
|
defer observeQueryTime("insertVulnerabilityFixedInFeatureVersions", "all", time.Now())
|
|
|
|
|
|
|
|
|
|
// Insert or find the Features.
|
|
|
|
|
// TODO(Quentin-M): Batch me.
|
|
|
|
|
var err error
|
|
|
|
|
var features []*database.Feature
|
|
|
|
|
for _, fv := range newFIFV {
|
|
|
|
|
features = append(features, &fv.Feature)
|
|
|
|
|
}
|
|
|
|
|
for _, fv := range updatedFIFV {
|
|
|
|
|
features = append(features, &fv.Feature)
|
|
|
|
|
}
|
|
|
|
|
for _, fv := range removedFIFV {
|
|
|
|
|
features = append(features, &fv.Feature)
|
|
|
|
|
for i := 0; i < len(fixedIn); i++ {
|
|
|
|
|
features = append(features, &fixedIn[i].Feature)
|
|
|
|
|
}
|
|
|
|
|
for _, feature := range features {
|
|
|
|
|
if feature.ID == 0 {
|
|
|
|
@ -434,56 +364,27 @@ func (pgSQL *pgSQL) updateVulnerabilityFeatureVersions(tx *sql.Tx, vulnerability
|
|
|
|
|
return handleError("insertVulnerability.l_vulnerability_affects_featureversion", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var fixedInID int
|
|
|
|
|
for _, fv := range fixedIn {
|
|
|
|
|
var fixedInID int
|
|
|
|
|
|
|
|
|
|
for _, fv := range newFIFV {
|
|
|
|
|
// Insert Vulnerability_FixedIn_Feature.
|
|
|
|
|
err = tx.QueryRow(getQuery("i_vulnerability_fixedin_feature"), vulnerabilityID, fv.Feature.ID,
|
|
|
|
|
&fv.Version).Scan(&fixedInID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return handleError("i_vulnerability_fixedin_feature", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Insert Vulnerability_Affects_FeatureVersion.
|
|
|
|
|
err = linkVulnerabilityToFeatureVersions(tx, fixedInID, vulnerabilityID, fv.Feature.ID,
|
|
|
|
|
fv.Version)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
err = tx.QueryRow(
|
|
|
|
|
getQuery("i_vulnerability_fixedin_feature"),
|
|
|
|
|
vulnerabilityID, fv.Feature.ID,
|
|
|
|
|
&fv.Version,
|
|
|
|
|
).Scan(&fixedInID)
|
|
|
|
|
|
|
|
|
|
for _, fv := range updatedFIFV {
|
|
|
|
|
// Update Vulnerability_FixedIn_Feature.
|
|
|
|
|
err = tx.QueryRow(getQuery("u_vulnerability_fixedin_feature"), vulnerabilityID,
|
|
|
|
|
fv.Feature.ID, &fv.Version).Scan(&fixedInID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return handleError("u_vulnerability_fixedin_feature", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Drop all old Vulnerability_Affects_FeatureVersion.
|
|
|
|
|
_, err = tx.Exec(getQuery("r_vulnerability_affects_featureversion"), fixedInID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return handleError("r_vulnerability_affects_featureversion", err)
|
|
|
|
|
return handleError("i_vulnerability_fixedin_feature", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Insert Vulnerability_Affects_FeatureVersion.
|
|
|
|
|
err = linkVulnerabilityToFeatureVersions(tx, fixedInID, vulnerabilityID, fv.Feature.ID,
|
|
|
|
|
fv.Version)
|
|
|
|
|
err = linkVulnerabilityToFeatureVersions(tx, fixedInID, vulnerabilityID, fv.Feature.ID, fv.Version)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, fv := range removedFIFV {
|
|
|
|
|
// Drop it from Vulnerability_FixedIn_Feature and let it cascade to
|
|
|
|
|
// Vulnerability_Affects_FeatureVersion.
|
|
|
|
|
err = tx.QueryRow(getQuery("r_vulnerability_fixedin_feature"), vulnerabilityID,
|
|
|
|
|
fv.Feature.ID).Scan(&fixedInID)
|
|
|
|
|
if err != nil && err != sql.ErrNoRows {
|
|
|
|
|
return handleError("r_vulnerability_fixedin_feature", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -529,21 +430,72 @@ func linkVulnerabilityToFeatureVersions(tx *sql.Tx, fixedInID, vulnerabilityID,
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pgSQL *pgSQL) InsertVulnerabilityFixes(vulnerabilityNamespace, vulnerabilityName string, fixes []database.FeatureVersion) error {
|
|
|
|
|
defer observeQueryTime("InsertVulnerabilityFixes", "all", time.Now())
|
|
|
|
|
|
|
|
|
|
v := database.Vulnerability{
|
|
|
|
|
Name: vulnerabilityName,
|
|
|
|
|
Namespace: database.Namespace{
|
|
|
|
|
Name: vulnerabilityNamespace,
|
|
|
|
|
},
|
|
|
|
|
FixedIn: fixes,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pgSQL.insertVulnerability(v, true)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pgSQL *pgSQL) DeleteVulnerabilityFix(vulnerabilityNamespace, vulnerabilityName, featureName string) error {
|
|
|
|
|
defer observeQueryTime("DeleteVulnerabilityFix", "all", time.Now())
|
|
|
|
|
|
|
|
|
|
v := database.Vulnerability{
|
|
|
|
|
Name: vulnerabilityName,
|
|
|
|
|
Namespace: database.Namespace{
|
|
|
|
|
Name: vulnerabilityNamespace,
|
|
|
|
|
},
|
|
|
|
|
FixedIn: []database.FeatureVersion{
|
|
|
|
|
database.FeatureVersion{
|
|
|
|
|
Feature: database.Feature{
|
|
|
|
|
Name: featureName,
|
|
|
|
|
Namespace: database.Namespace{
|
|
|
|
|
Name: vulnerabilityNamespace,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
Version: types.MinVersion,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pgSQL.insertVulnerability(v, true)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pgSQL *pgSQL) DeleteVulnerability(namespaceName, name string) error {
|
|
|
|
|
defer observeQueryTime("DeleteVulnerability", "all", time.Now())
|
|
|
|
|
|
|
|
|
|
result, err := pgSQL.Exec(getQuery("r_vulnerability"), namespaceName, name)
|
|
|
|
|
// Begin transaction.
|
|
|
|
|
tx, err := pgSQL.Begin()
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return handleError("DeleteVulnerability.Begin()", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var vulnerabilityID int
|
|
|
|
|
err = tx.QueryRow(getQuery("r_vulnerability"), namespaceName, name).Scan(&vulnerabilityID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return handleError("r_vulnerability", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
affected, err := result.RowsAffected()
|
|
|
|
|
// Create a notification.
|
|
|
|
|
err = createNotification(tx, vulnerabilityID, 0)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return handleError("r_vulnerability.RowsAffected()", err)
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if affected <= 0 {
|
|
|
|
|
return cerrors.ErrNotFound
|
|
|
|
|
// Commit transaction.
|
|
|
|
|
err = tx.Commit()
|
|
|
|
|
if err != nil {
|
|
|
|
|
tx.Rollback()
|
|
|
|
|
return handleError("DeleteVulnerability.Commit()", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|