feat: allow filtering of CertifyVuln query results based on whether t…
…hey have vulnerabilities (guacsec#1073)

Signed-off-by: Dejan Bosanac <dbosanac@redhat.com>
dejanb committed Jul 19, 2023
1 parent 08bfd91 commit d438521
Showing 5 changed files with 50 additions and 37 deletions.
2 changes: 1 addition & 1 deletion pkg/assembler/backends/helper/validation.go
Expand Up @@ -57,7 +57,7 @@ func ValidateVulnerabilityQueryFilter(vulnerability *model.VulnerabilitySpec, no
if vulnerability.Cve != nil {
vulnDefined = vulnDefined + 1
}
if noVulnAllowed && vulnerability.NoVuln != nil && *vulnerability.NoVuln {
if noVulnAllowed && vulnerability.NoVuln != nil {
if vulnDefined != 0 {
return gqlerror.Errorf("Since NoVuln is set, no other vulnerability type is allowed")
}
55 changes: 34 additions & 21 deletions pkg/assembler/backends/inmem/certifyVuln.go
Expand Up @@ -17,6 +17,7 @@ package inmem

import (
"context"
"reflect"
"strconv"
"time"

Expand Down Expand Up @@ -299,7 +300,6 @@ func (c *demoClient) CertifyVuln(ctx context.Context, filter *model.CertifyVulnS
}
if !foundOne && filter != nil && filter.Vulnerability != nil &&
filter.Vulnerability.NoVuln != nil && *filter.Vulnerability.NoVuln {

search = append(search, c.noKnownVulnNode.certifyVulnLinks...)
foundOne = true
}
Expand Down Expand Up @@ -358,7 +358,7 @@ func (c *demoClient) addCVIfMatch(out []*model.CertifyVuln,
if err != nil {
return nil, err
}
if foundCertifyVuln == nil {
if foundCertifyVuln == nil || reflect.ValueOf(foundCertifyVuln.Vulnerability).IsNil() {
return out, nil
}
return append(out, foundCertifyVuln), nil
Expand All @@ -383,7 +383,7 @@ func (c *demoClient) buildCertifyVulnerability(link *vulnerabilityLink, filter *
}
}

if filter != nil && filter.Vulnerability != nil {
if filter != nil && filter.Vulnerability != nil && filter.Vulnerability.NoVuln == nil {
if filter.Vulnerability.Osv != nil && link.osvID != 0 {
osv, err = c.buildOsvResponse(link.osvID, filter.Vulnerability.Osv)
if err != nil {
Expand All @@ -409,28 +409,32 @@ func (c *demoClient) buildCertifyVulnerability(link *vulnerabilityLink, filter *
}
}
} else {
if link.osvID != 0 {
osv, err = c.buildOsvResponse(link.osvID, nil)
if err != nil {
return nil, err
if checkNoVulnFilter(filter, false) {
if link.osvID != 0 {
osv, err = c.buildOsvResponse(link.osvID, nil)
if err != nil {
return nil, err
}
}
}
if link.cveID != 0 {
cve, err = c.buildCveResponse(link.cveID, nil)
if err != nil {
return nil, err
if link.cveID != 0 {
cve, err = c.buildCveResponse(link.cveID, nil)
if err != nil {
return nil, err
}
}
}
if link.ghsaID != 0 {
ghsa, err = c.buildGhsaResponse(link.ghsaID, nil)
if err != nil {
return nil, err
if link.ghsaID != 0 {
ghsa, err = c.buildGhsaResponse(link.ghsaID, nil)
if err != nil {
return nil, err
}
}
}
if link.noKnownVulnID != 0 {
noVuln, err = c.buildNoVulnResponse()
if err != nil {
return nil, err
if checkNoVulnFilter(filter, true) {
if link.noKnownVulnID != 0 {
noVuln, err = c.buildNoVulnResponse()
if err != nil {
return nil, err
}
}
}
}
Expand Down Expand Up @@ -488,3 +492,12 @@ func (c *demoClient) buildCertifyVulnerability(link *vulnerabilityLink, filter *
}
return &certifyVuln, nil
}

// Checks if the given filter satisfies the condition for NoVuln in the CertifyVulnSpec.
// It returns true if any of the following conditions are met:
// 1. The filter is nil.
// 2. The filter.Vulnerability is nil.
// 3. The value of filter.Vulnerability.NoVuln matches the expected value.
func checkNoVulnFilter(filter *model.CertifyVulnSpec, expected bool) bool {
return filter == nil || filter.Vulnerability == nil || *filter.Vulnerability.NoVuln == expected
}
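Review bot: checkNoVulnFilter, added at the bottom of the file, dereferences `*filter.Vulnerability.NoVuln` after checking only filter and filter.Vulnerability for nil, so a CertifyVulnSpec with Vulnerability set but NoVuln unset panics with a nil-pointer dereference inside the query path. The two call sites in buildCertifyVulnerability sit in the else branch of the `filter.Vulnerability.NoVuln == nil` test, so today the deref is guarded one level up, but the helper's doc comment promises nothing about that and any future caller would turn a client-supplied filter into a crash. Make the helper total: `return filter == nil || filter.Vulnerability == nil || filter.Vulnerability.NoVuln == nil || *filter.Vulnerability.NoVuln == expected` and state in the comment that an unset NoVuln imposes no constraint. Separately, in addCVIfMatch the new `reflect.ValueOf(foundCertifyVuln.Vulnerability).IsNil()` panics if Vulnerability is an unassigned (untyped nil) interface, because the zero reflect.Value has Kind Invalid; if that case can occur, check `foundCertifyVuln.Vulnerability == nil` first, or have buildCertifyVulnerability return nil when no vulnerability was built so the reflect check is not needed at all.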
10 changes: 5 additions & 5 deletions pkg/assembler/graphql/generated/root_.generated.go


10 changes: 5 additions & 5 deletions pkg/assembler/graphql/model/nodes.go


10 changes: 5 additions & 5 deletions pkg/assembler/graphql/schema/certifyVuln.graphql
Expand Up @@ -34,11 +34,11 @@ union Vulnerability = OSV | CVE | GHSA | NoVuln
VulnerabilitySpec allows using Vulnerability union as input type to be used in
read queries.
Either noVuln must be set to true or exactly one of osv, cve or ghsa
must be set to non-nil. Setting noVuln to true means retrieving nodes where
there is no vulnerability attached (thus, the special NoVuln node). Setting one
of the other fields means retrieving certifications for the corresponding
vulnerability types.
Either noVuln must be set or exactly one of osv, cve or ghsa
must be set to non-nil. Setting noVuln to true means retrieving only nodes where
there is no vulnerability attached. Setting it to false means retrieving only nodes
with identified vulnerabilities. Setting one of the other fields means retrieving
certifications for the corresponding vulnerability types.
"""
input VulnerabilitySpec {
osv: OSVSpec
