feat: add metric-target

Signed-off-by: Christian Kotzbauer <[email protected]>
ckotzbauer · Feb 17, 2022 · 2a17878 · 2a17878
1 parent 757704b
commit 2a17878
Show file tree

Hide file tree

Showing 9 changed files with 276 additions and 9 deletions.
diff --git a/go.mod b/go.mod
@@ -4,6 +4,7 @@ go 1.17
 
 require (
 	github.com/anchore/syft v0.38.0
+	github.com/prometheus/client_golang v1.12.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/viper v1.10.1
@@ -24,9 +25,11 @@ require (
 	github.com/anchore/stereoscope v0.0.0-20220214165125-25ebd49a842b // indirect
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/aws/aws-sdk-go v1.42.52 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 	github.com/bmatcuk/doublestar/v2 v2.0.4 // indirect
 	github.com/bmatcuk/doublestar/v4 v4.0.2 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/containerd/containerd v1.5.9 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
 	github.com/docker/cli v20.10.12+incompatible // indirect
@@ -66,6 +69,7 @@ require (
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f // indirect
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d // indirect
 	github.com/mattn/go-runewidth v0.0.7 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mholt/archiver/v3 v3.5.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
@@ -76,6 +80,9 @@ require (
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/pierrec/lz4/v4 v4.1.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/scylladb/go-set v1.0.2 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/spdx/tools-golang v0.2.0 // indirect

diff --git a/go.sum b/go.sum
diff --git a/internal/vuln/daemon/daemon.go b/internal/vuln/daemon/daemon.go
@@ -117,15 +117,19 @@ func initTargets(targetKeys []string) []target.Target {
 
 	for _, ta := range targetKeys {
 		var err error
+		var t target.Target
 
 		if ta == "json" {
-			t := target.NewJsonTarget()
-			err = t.ValidateConfig()
-			targets = append(targets, t)
+			t = target.NewJsonTarget()
+		} else if ta == "metrics" {
+			t = target.NewMetricTarget()
 		} else {
 			logrus.Fatalf("Unknown target %s", ta)
 		}
 
+		err = t.ValidateConfig()
+		targets = append(targets, t)
+
 		if err != nil {
 			logrus.WithError(err).Fatal("Config-Validation failed!")
 		}

diff --git a/internal/vuln/grype/grype.go b/internal/vuln/grype/grype.go
@@ -59,7 +59,7 @@ func (s *Grype) ScanSbom(sbom source.Sbom) ([]Vulnerability, error) {
 	}
 
 	allMatches := grype.FindVulnerabilitiesForPackage(s.provider, context.Distro, packages...)
-	vulns := buildVulnerabilities(allMatches, s.metadataProvider)
+	vulns := buildVulnerabilities(allMatches, s.metadataProvider, sbom.ImageID)
 	return filterVulnerabilities(vulns), nil
 }
 
@@ -76,7 +76,7 @@ func validateDBLoad(loadErr error, status *db.Status) error {
 	return nil
 }
 
-func buildVulnerabilities(matches match.Matches, metadataProvider vulnerability.MetadataProvider) []Vulnerability {
+func buildVulnerabilities(matches match.Matches, metadataProvider vulnerability.MetadataProvider, imageID string) []Vulnerability {
 	vulnerabilities := make([]Vulnerability, 0)
 
 	for m := range matches.Enumerate() {
@@ -99,6 +99,7 @@ func buildVulnerabilities(matches match.Matches, metadataProvider vulnerability.
 			FixedIn:   fixedIn,
 			FixState:  string(m.Vulnerability.Fix.State),
 			URLs:      metadata.URLs,
+			ImageID:   imageID,
 		})
 	}
 

diff --git a/internal/vuln/grype/types.go b/internal/vuln/grype/types.go
@@ -9,4 +9,5 @@ type Vulnerability struct {
 	FixedIn   []string
 	FixState  string
 	URLs      []string
+	ImageID   string
 }
diff --git a/internal/vuln/source/git_source.go b/internal/vuln/source/git_source.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/ckotzbauer/vulnerability-operator/internal/vuln"
 	"github.com/ckotzbauer/vulnerability-operator/internal/vuln/source/git"
@@ -100,11 +101,20 @@ func (g *GitSource) filterSboms(ignoreDirs, sbomFileNames []string) filepath.Wal
 					continue
 				}
 
-				sbom := Sbom{Sbom: string(content), FileName: p}
+				imageID := g.extractImageIDFromFile(p)
+				sbom := Sbom{Sbom: string(content), ImageID: imageID}
 				g.sboms = append(g.sboms, sbom)
 			}
 		}
 
 		return nil
 	}
 }
+
+func (g *GitSource) extractImageIDFromFile(f string) string {
+	cleaned, _ := filepath.Rel(g.workingTree, f)
+	cleaned, _ = filepath.Rel(g.workPath, cleaned)
+	cleaned = strings.Replace(cleaned, "/sha256_", "@sha256:", 1)
+	cleaned = filepath.Dir(cleaned)
+	return cleaned
+}
diff --git a/internal/vuln/source/source.go b/internal/vuln/source/source.go
@@ -1,8 +1,8 @@
 package source
 
 type Sbom struct {
-	Sbom     string
-	FileName string
+	Sbom    string
+	ImageID string
 }
 
 type Source interface {

diff --git a/internal/vuln/target/metric_target.go b/internal/vuln/target/metric_target.go
@@ -0,0 +1,43 @@
+package target
+
+import (
+	"github.com/ckotzbauer/vulnerability-operator/internal/vuln/grype"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
+)
+
+var (
+	vulnMetric = promauto.NewGaugeVec(prometheus.GaugeOpts{
+		Name: "vuln_operator_cves",
+		Help: "Number of CVE occurrences.",
+	}, []string{"cve", "severity", "package", "version", "type", "fix_state", "image_id"})
+)
+
+type MetricTarget struct {
+}
+
+func NewMetricTarget() *MetricTarget {
+	return &MetricTarget{}
+}
+
+func (t *MetricTarget) Initialize() {
+	vulnMetric.Reset()
+}
+
+func (t *MetricTarget) ValidateConfig() error {
+	return nil
+}
+
+func (t *MetricTarget) ProcessVulns(vulns []grype.Vulnerability) error {
+	for _, v := range vulns {
+		if v.FixState != "wont-fix" {
+			vulnMetric.WithLabelValues(v.ID, v.Severity, v.Package, v.Installed, v.Type, v.FixState, v.ImageID).Add(1)
+		}
+	}
+
+	return nil
+}
+
+func (t *MetricTarget) Finalize() error {
+	return nil
+}
diff --git a/main.go b/main.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"runtime"
 
+	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -39,6 +40,7 @@ var (
 			logrus.Info("Webserver is running at port 8080")
 			http.HandleFunc("/health", health)
 			http.Handle("/report/", http.StripPrefix("/report", fs))
+			http.Handle("/metrics", promhttp.Handler())
 			logrus.WithError(http.ListenAndServe(":8080", nil)).Fatal("Starting webserver failed!")
 		},
 	}
@@ -50,7 +52,7 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&verbosity, vuln.ConfigKeyVerbosity, "v", logrus.InfoLevel.String(), "Log-level (debug, info, warn, error, fatal, panic)")
 	rootCmd.PersistentFlags().StringVarP(&daemonCron, vuln.ConfigKeyCron, "c", "@hourly", "Backround-Service interval (CRON)")
 	rootCmd.PersistentFlags().StringSlice(vuln.ConfigKeySources, []string{"git"}, "Sources for created SBOMs (git).")
-	rootCmd.PersistentFlags().StringSlice(vuln.ConfigKeyTargets, []string{"git"}, "Targets for created SBOMs (git).")
+	rootCmd.PersistentFlags().StringSlice(vuln.ConfigKeyTargets, []string{"git"}, "Targets for created SBOMs (json, metrics).")
 	rootCmd.PersistentFlags().Bool(vuln.ConfigKeyOnlyFixed, false, "Only display CVEs where a fix is available.")
 	rootCmd.PersistentFlags().String(vuln.ConfigKeyMinSeverity, "medium", "Only display CVEs with a severity greater or equal ().")
 	rootCmd.PersistentFlags().String(vuln.ConfigKeyGitWorkingTree, "/work", "Directory to place the git-repo.")