fix: improve vuln report verifier report messages #1238

Merged
56 changes: 29 additions & 27 deletions plugins/verifier/vulnerabilityreport/vulnerability_report.go
Expand Up @@ -97,7 +97,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: error extracting create timestamp annotation:[%v]", err.Error()),
Message: fmt.Sprintf("Validation failed: error extracting create timestamp annotation:[%v]", err.Error()),
}, nil
}

Expand All @@ -109,7 +109,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: error validating maximum age:[%v]", err.Error()),
Message: fmt.Sprintf("Validation failed: error validating maximum age:[%v]", err.Error()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -120,7 +120,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: report is older than maximum age:[%s]", input.MaximumAge),
Message: fmt.Sprintf("Validation failed: report is older than maximum age:[%s]", input.MaximumAge),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -136,7 +136,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("error fetching reference manifest for subject: %s reference descriptor: %v: [%v]", subjectReference, referenceDescriptor.Descriptor, err.Error()),
Message: fmt.Sprintf("Validation failed: error fetching reference manifest for subject: %s reference descriptor: %v: [%v]", subjectReference, referenceDescriptor.Descriptor, err.Error()),

Check warning on line 139 in plugins/verifier/vulnerabilityreport/vulnerability_report.go


Codecov / codecov/patch

plugins/verifier/vulnerabilityreport/vulnerability_report.go#L139

Added line #L139 was not covered by tests
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -148,7 +148,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: no layers found in manifest for referrer %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()),
Message: fmt.Sprintf("Validation failed: no layers found in manifest for referrer %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -162,7 +162,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("error fetching blob for subject:[%s] digest:[%s]: [%v]", subjectReference, blobDesc.Digest, err.Error()),
Message: fmt.Sprintf("Validation failed: error fetching blob for subject:[%s] digest:[%s]: [%v]", subjectReference, blobDesc.Digest, err.Error()),

Check warning on line 165 in plugins/verifier/vulnerabilityreport/vulnerability_report.go


Codecov / codecov/patch

plugins/verifier/vulnerabilityreport/vulnerability_report.go#L165

Added line #L165 was not covered by tests
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -175,7 +175,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation skipped",
Message: "Validation skipped. passthrough enabled",
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
"passthrough": true,
Expand All @@ -190,7 +190,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: schema validation failed for digest:[%s],artifact type:[%s],parse errors:[%v]", blobDesc.Digest, referenceDescriptor.ArtifactType, err.Error()),
Message: fmt.Sprintf("Validation failed: schema validation failed for digest:[%s],artifact type:[%s],parse errors:[%v]", blobDesc.Digest, referenceDescriptor.ArtifactType, err.Error()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -205,7 +205,7 @@
Name: input.Name,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation succeeded",
Message: "Validation succeeded",

Check warning on line 208 in plugins/verifier/vulnerabilityreport/vulnerability_report.go


Codecov / codecov/patch

plugins/verifier/vulnerabilityreport/vulnerability_report.go#L208

Added line #L208 was not covered by tests
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand Down Expand Up @@ -238,7 +238,7 @@
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: error parsing sarif report:[%v]", err.Error()),
Message: fmt.Sprintf("Validation failed: error parsing sarif report:[%v]", err.Error()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -250,7 +250,7 @@
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: "vulnerability report validation failed: no runs found in sarif report",
Message: "Validation failed: no runs found in sarif report",
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand Down Expand Up @@ -280,7 +280,7 @@
Name: verifierName,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation succeeded",
Message: "Validation succeeded",
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
"scanner": scannerName,
Expand All @@ -305,7 +305,7 @@
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: rule id not found for result:[%v]", result),
Message: fmt.Sprintf("Validation failed: rule id not found for result:[%v]", result),
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand All @@ -332,18 +332,19 @@
IsSuccess: false,
Extensions: map[string]interface{}{
"scanner": scannerName,
"denylistCVEs": denylistViolations,
"denylistCVEs": denylistCVEs,
"cveViolations": denylistViolations,
CreatedAnnotation: createdTime,
},
Message: "vulnerability report validation failed",
Message: "Validation failed: found denied CVEs. See extensions field for details.",
}, nil
}

return &verifier.VerifierResult{
Name: verifierName,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation succeeded",
Message: "Validation succeeded",
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand All @@ -354,7 +355,7 @@
// verifyDisallowedSeverities verifies that the report does not contain any disallowed severity levels
func verifyDisallowedSeverities(verifierName string, verifierType string, scannerName string, sarifReport *sarif.Report, disallowedSeverities []string, createdTime time.Time) (*verifier.VerifierResult, error) {
ruleMap := make(map[string]*sarif.ReportingDescriptor)
violatingRules := make([]sarif.ReportingDescriptor, 0)
violatingRules := make(map[string]string)
// create a map of rule id to rule for easy lookup
for _, rule := range sarifReport.Runs[0].Tool.Driver.Rules {
ruleMap[rule.ID] = rule
Expand All @@ -366,7 +367,7 @@
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: rule id not found for result:[%v]", result),
Message: fmt.Sprintf("Validation failed: rule id not found for result:[%v]", result),
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand All @@ -379,7 +380,7 @@
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: rule not found for result:[%v]", result),
Message: fmt.Sprintf("Validation failed: rule not found for result:[%v]", result),
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand All @@ -392,17 +393,17 @@
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: error extracting severity:[%v]", err.Error()),
Message: fmt.Sprintf("Validation failed: error extracting severity:[%v]", err.Error()),
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
},
}, nil
}
// check if the severity is disallowed and add it to the list of violating rules
// check if the severity is disallowed and add it to the map of violating CVE IDs
for _, disallowed := range disallowedSeverities {
if strings.EqualFold(severity, disallowed) {
violatingRules = append(violatingRules, *rule)
violatingRules[rule.ID] = severity
}
}
}
Expand All @@ -413,18 +414,19 @@
Type: verifierType,
IsSuccess: false,
Extensions: map[string]interface{}{
"scanner": scannerName,
"severityViolations": violatingRules,
CreatedAnnotation: createdTime,
"scanner": scannerName,
"disallowedSeverities": disallowedSeverities,
"severityViolations": violatingRules,
CreatedAnnotation: createdTime,
},
Message: "vulnerability report validation failed",
Message: "Validation failed: found disallowed severities. See extensions field for details.",
}, nil
}
return &verifier.VerifierResult{
Name: verifierName,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation succeeded",
Message: "Validation succeeded",
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
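Review bot: The passthrough message on the new side, `Message: "Validation skipped. passthrough enabled"`, breaks the `<outcome>: <reason>` form every other rewritten message in this file now follows, so anything that matches on the prefix sees a second shape; `Message: "Validation skipped: passthrough enabled",` keeps it uniform. In verifyDisallowedSeverities the `severityViolations` extension changes from a slice of `sarif.ReportingDescriptor` to a `map[string]string` keyed by rule ID, which also collapses repeated rule IDs into one entry with the last severity seen; if a policy or downstream consumer reads that extension, the shape change deserves a line in the PR description and a test that asserts the new value. The Codecov annotations show the rewritten lines 139, 165 and 208 are not exercised, and since this change is entirely message text, a table test pinning the new `Message` strings for the failure and success paths would cover them. The functions enclosing the earlier hunks begin above the visible lines.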