-
Notifications
You must be signed in to change notification settings - Fork 174
Expand file tree
/
Copy pathconvert.go
More file actions
200 lines (179 loc) · 6.61 KB
/
convert.go
File metadata and controls
200 lines (179 loc) · 6.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
package clair
import (
"encoding/json"
"github.com/stackrox/rox/generated/storage"
"github.com/stackrox/rox/pkg/cvss/cvssv2"
"github.com/stackrox/rox/pkg/cvss/cvssv3"
"github.com/stackrox/rox/pkg/logging"
"github.com/stackrox/rox/pkg/protoconv"
"github.com/stackrox/rox/pkg/scans"
clairV1 "github.com/stackrox/scanner/api/v1"
clairConvert "github.com/stackrox/scanner/api/v1/convert"
clientMetadata "github.com/stackrox/scanner/pkg/clairify/client/metadata"
"github.com/stackrox/scanner/pkg/component"
)
var (
log = logging.LoggerForModule()
// VersionFormatsToSource maps common package formats to their respective source types.
VersionFormatsToSource = map[string]storage.SourceType{
component.GemSourceType.String(): storage.SourceType_RUBY,
component.JavaSourceType.String(): storage.SourceType_JAVA,
component.NPMSourceType.String(): storage.SourceType_NODEJS,
component.PythonSourceType.String(): storage.SourceType_PYTHON,
component.DotNetCoreRuntimeSourceType.String(): storage.SourceType_DOTNETCORERUNTIME,
}
)
type metadata struct {
PublishedOn string `json:"PublishedDateTime"`
LastModified string `json:"LastModifiedDateTime"`
CvssV2 *cvss `json:"CVSSv2"`
CvssV3 *cvss `json:"CVSSv3"`
}
type cvss struct {
Score float32
Vectors string
ExploitabilityScore float32
ImpactScore float32
}
// SeverityToStorageSeverity converts the given string representation of a severity into a storage.VulnerabilitySeverity.
func SeverityToStorageSeverity(severity string) storage.VulnerabilitySeverity {
switch severity {
case string(clairConvert.UnknownSeverity):
return storage.VulnerabilitySeverity_UNKNOWN_VULNERABILITY_SEVERITY
case string(clairConvert.LowSeverity):
return storage.VulnerabilitySeverity_LOW_VULNERABILITY_SEVERITY
case string(clairConvert.ModerateSeverity):
return storage.VulnerabilitySeverity_MODERATE_VULNERABILITY_SEVERITY
case string(clairConvert.ImportantSeverity):
return storage.VulnerabilitySeverity_IMPORTANT_VULNERABILITY_SEVERITY
case string(clairConvert.CriticalSeverity):
return storage.VulnerabilitySeverity_CRITICAL_VULNERABILITY_SEVERITY
}
return storage.VulnerabilitySeverity_UNKNOWN_VULNERABILITY_SEVERITY
}
// ConvertVulnerability converts a clair vulnerability to a proto vulnerability
func ConvertVulnerability(v clairV1.Vulnerability) *storage.EmbeddedVulnerability {
var vulnMetadataMap interface{}
var link string
if metadata, ok := v.Metadata[clientMetadata.NVD]; ok {
vulnMetadataMap = metadata
link = scans.GetVulnLink(v.Name)
} else if metadata, ok := v.Metadata[clientMetadata.RedHat]; ok {
vulnMetadataMap = metadata
link = scans.GetRedHatVulnLink(v.Name)
} else {
return nil
}
if v.Link == "" {
v.Link = link
}
vul := &storage.EmbeddedVulnerability{
Cve: v.Name,
Summary: v.Description,
Link: v.Link,
SetFixedBy: &storage.EmbeddedVulnerability_FixedBy{
FixedBy: v.FixedBy,
},
VulnerabilityType: storage.EmbeddedVulnerability_IMAGE_VULNERABILITY,
Severity: SeverityToStorageSeverity(v.Severity),
}
d, err := json.Marshal(vulnMetadataMap)
if err != nil {
return vul
}
var m metadata
if err := json.Unmarshal(d, &m); err != nil {
return vul
}
vul.PublishedOn = protoconv.ConvertTimeString(m.PublishedOn)
vul.LastModified = protoconv.ConvertTimeString(m.LastModified)
if m.CvssV2 != nil && m.CvssV2.Vectors != "" {
if cvssV2, err := cvssv2.ParseCVSSV2(m.CvssV2.Vectors); err == nil {
cvssV2.ExploitabilityScore = m.CvssV2.ExploitabilityScore
cvssV2.ImpactScore = m.CvssV2.ImpactScore
cvssV2.Score = m.CvssV2.Score
vul.CvssV2 = cvssV2
// This sets the top level score for use in policies. It will be overwritten if v3 exists
vul.Cvss = m.CvssV2.Score
vul.ScoreVersion = storage.EmbeddedVulnerability_V2
vul.GetCvssV2().Severity = cvssv2.Severity(vul.GetCvss())
} else {
log.Error(err)
}
}
if m.CvssV3 != nil && m.CvssV3.Vectors != "" {
if cvssV3, err := cvssv3.ParseCVSSV3(m.CvssV3.Vectors); err == nil {
cvssV3.ExploitabilityScore = m.CvssV3.ExploitabilityScore
cvssV3.ImpactScore = m.CvssV3.ImpactScore
cvssV3.Score = m.CvssV3.Score
vul.CvssV3 = cvssV3
vul.Cvss = m.CvssV3.Score
vul.ScoreVersion = storage.EmbeddedVulnerability_V3
vul.GetCvssV3().Severity = cvssv3.Severity(vul.GetCvss())
} else {
log.Error(err)
}
}
return vul
}
func convertFeature(feature clairV1.Feature, os string) *storage.EmbeddedImageScanComponent {
component := &storage.EmbeddedImageScanComponent{
Name: feature.Name,
Version: feature.Version,
Location: feature.Location,
FixedBy: feature.FixedBy,
}
if source, ok := VersionFormatsToSource[feature.VersionFormat]; ok {
component.Source = source
}
component.Vulns = make([]*storage.EmbeddedVulnerability, 0, len(feature.Vulnerabilities))
for _, v := range feature.Vulnerabilities {
if convertedVuln := ConvertVulnerability(v); convertedVuln != nil {
component.Vulns = append(component.Vulns, convertedVuln)
}
}
return component
}
// BuildSHAToIndexMap takes image metadata and maps each layer's SHA to its index.
func BuildSHAToIndexMap(metadata *storage.ImageMetadata) map[string]int32 {
layerSHAToIndex := make(map[string]int32)
if metadata.GetV2() != nil {
var layerIdx int
for i, l := range metadata.GetV1().GetLayers() {
if !l.GetEmpty() {
if layerIdx >= len(metadata.GetLayerShas()) {
log.Error("More layers than expected when correlating V2 instructions to V1 layers")
break
}
sha := metadata.GetLayerShas()[layerIdx]
layerSHAToIndex[sha] = int32(i)
layerIdx++
}
}
} else {
// If it's V1 then we should have a 1:1 mapping of layer SHAs to the layerOrdering slice
for i := range metadata.GetV1().GetLayers() {
if i >= len(metadata.GetLayerShas()) {
log.Error("More layers than expected when correlating V1 instructions to V1 layers")
break
}
layerSHAToIndex[metadata.GetLayerShas()[i]] = int32(i)
}
}
return layerSHAToIndex
}
// ConvertFeatures converts clair features to proto components
func ConvertFeatures(image *storage.Image, features []clairV1.Feature, os string) (components []*storage.EmbeddedImageScanComponent) {
layerSHAToIndex := BuildSHAToIndexMap(image.GetMetadata())
components = make([]*storage.EmbeddedImageScanComponent, 0, len(features))
for _, feature := range features {
convertedComponent := convertFeature(feature, os)
if val, ok := layerSHAToIndex[feature.AddedBy]; ok {
convertedComponent.HasLayerIndex = &storage.EmbeddedImageScanComponent_LayerIndex{
LayerIndex: val,
}
}
components = append(components, convertedComponent)
}
return
}