api: Specify what packages cause the layer to have vulnerabilities.

pull/38/head
Quentin Machu 9 years ago
parent 867279a5c9
commit 9db0e63401

@ -182,7 +182,7 @@ func GETLayersVulnerabilities(w http.ResponseWriter, r *http.Request, p httprout
}
// Find vulnerabilities.
vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription})
vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage})
if err != nil {
jsonhttp.RenderError(w, 0, err)
return
@ -211,7 +211,7 @@ func GETLayersVulnerabilitiesDiff(w http.ResponseWriter, r *http.Request, p http
}
// Selected fields for vulnerabilities.
selectedFields := []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription}
selectedFields := []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage}
// Find vulnerabilities for installed packages.
addedVulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(layer.InstalledPackagesNodes, minimumPriority, selectedFields)
@ -287,7 +287,7 @@ func POSTBatchLayersVulnerabilities(w http.ResponseWriter, r *http.Request, p ht
}
// Find vulnerabilities.
vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription})
vulnerabilities, err := getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage})
if err != nil {
jsonhttp.RenderError(w, 0, err)
return
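Review bot: The same five-field selection list is now spelled out verbatim in three handlers (GETLayersVulnerabilities, GETLayersVulnerabilitiesDiff and POSTBatchLayersVulnerabilities), so the next field added or dropped has to be kept in sync by hand across all three endpoints, and a miss would make the layer responses silently disagree. Hoisting it into one package-level variable keeps them guaranteed identical: `var layerVulnerabilityFields = []string{database.FieldVulnerabilityID, database.FieldVulnerabilityLink, database.FieldVulnerabilityPriority, database.FieldVulnerabilityDescription, database.FieldVulnerabilityCausedByPackage}` and then `getVulnerabilitiesFromLayerPackagesNodes(packagesNodes, minimumPriority, layerVulnerabilityFields)` at each call site. Since the new constant's own comment says it only makes sense with FindAllVulnerabilitiesByFixedIn, a one-line comment on that variable such as `// layerVulnerabilityFields lists the fields the layer endpoints return; CausedByPackage needs the fixedIn-based lookup, so this is deliberately not FieldVulnerabilityAll.` would record why the endpoints do not simply use FieldVulnerabilityAll. All three handlers start and end outside their hunks.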

@ -30,6 +30,8 @@ const (
FieldVulnerabilityPriority = "priority"
FieldVulnerabilityDescription = "description"
FieldVulnerabilityFixedIn = "fixedIn"
// FieldVulnerabilityCausedByPackage only makes sense with FindAllVulnerabilitiesByFixedIn.
FieldVulnerabilityCausedByPackage = "causedByPackage"
)
var FieldVulnerabilityAll = []string{FieldVulnerabilityID, FieldVulnerabilityLink, FieldVulnerabilityPriority, FieldVulnerabilityDescription, FieldVulnerabilityFixedIn}
@ -42,6 +44,8 @@ type Vulnerability struct {
Priority types.Priority
Description string `json:",omitempty"`
FixedInNodes []string `json:"-"`
CausedByPackage string `json:",omitempty"`
}
// GetNode returns an unique identifier for the graph node
@ -340,14 +344,22 @@ func FindAllVulnerabilitiesByFixedIn(nodes []string, selectedFields []string) ([
log.Warning("Could not FindAllVulnerabilitiesByFixedIn with an empty nodes array.")
return []*Vulnerability{}, nil
}
return toVulnerabilities(cayley.StartPath(store, nodes...).In(FieldVulnerabilityFixedIn), selectedFields)
// Construct path, potentially saving FieldVulnerabilityCausedByPackage
path := cayley.StartPath(store, nodes...)
if utils.Contains(FieldVulnerabilityCausedByPackage, selectedFields) {
path = path.Save(FieldPackageName, FieldVulnerabilityCausedByPackage)
}
path = path.In(FieldVulnerabilityFixedIn)
return toVulnerabilities(path, selectedFields)
}
// toVulnerabilities converts a path leading to one or multiple vulnerabilities to Vulnerability structs, selecting the specified fields
func toVulnerabilities(path *path.Path, selectedFields []string) ([]*Vulnerability, error) {
var vulnerabilities []*Vulnerability
saveFields(path, selectedFields, []string{FieldVulnerabilityFixedIn})
saveFields(path, selectedFields, []string{FieldVulnerabilityFixedIn, FieldVulnerabilityCausedByPackage})
it, _ := path.BuildIterator().Optimize()
defer it.Close()
for cayley.RawNext(it) {
@ -372,6 +384,8 @@ func toVulnerabilities(path *path.Path, selectedFields []string) ([]*Vulnerabili
log.Errorf("could not get fixedIn on vulnerability %s: %s.", vulnerability.Node, err.Error())
return []*Vulnerability{}, err
}
case FieldVulnerabilityCausedByPackage:
vulnerability.CausedByPackage = store.NameOf(tags[FieldVulnerabilityCausedByPackage])
default:
panic("unknown selectedField")
}
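Review bot: The new `case FieldVulnerabilityCausedByPackage:` branch at the bottom of the switch in toVulnerabilities indexes `tags` unconditionally, but the tag is only populated when the path was built by FindAllVulnerabilitiesByFixedIn with that field selected, as the comment on the new constant states; any other path handed to toVulnerabilities with the field listed would presumably read a zero-value graph.Value and pass it to store.NameOf. Guard the lookup so the precondition is enforced rather than assumed, for example `if v, ok := tags[FieldVulnerabilityCausedByPackage]; ok { vulnerability.CausedByPackage = store.NameOf(v) }`, or return an error the way the fixedIn branch just above does. Separately, because the Save in the earlier hunk runs before `.In(FieldVulnerabilityFixedIn)`, a vulnerability reachable from two of the input package nodes is likely yielded once per package with different CausedByPackage values (or, if the loop deduplicates by node, with only the first package recorded); the API examples document a single string, so it is worth confirming which behaviour applies and stating it in the API docs, since the Diff endpoint compares these results. The body of toVulnerabilities starts and ends outside the hunk.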

@ -326,7 +326,8 @@ HTTP/1.1 200 OK
"ID": "CVE-2014-2583",
"Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
"Priority": "Low",
"Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
"Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
"CausedByPackage": "pam"
},
[...]
}
@ -368,7 +369,8 @@ HTTP/1.1 200 OK
"ID": "CVE-2014-2583",
"Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
"Priority": "Low",
"Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
"Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
"CausedByPackage": "pam"
},
[...]
],
@ -424,7 +426,8 @@ HTTP/1.1 200 OK
"ID": "CVE-2014-2583",
"Link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2583",
"Priority": "Low",
"Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function."
"Description": "Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function.",
"CausedByPackage": "pam"
},
[...]
]
