fix: Prevent grouped vulnerability entries by including target and package path #2140

Merged
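--- a/pkg/metrics/collector.go
+++ b/pkg/metrics/collector.go
@@ -3,6 +3,7 @@ package metrics
 import (
 "context"
 "strconv"
+"strings"
 
 "github.com/aquasecurity/trivy-operator/pkg/kube"
 "github.com/aquasecurity/trivy-operator/pkg/trivyoperator"
@@ -543,6 +544,36 @@ func getDynamicConfigLabels(config trivyoperator.ConfigData) []string {
 return labels
 }
 
+// constructVulnKey constructs a unique key for a vulnerability based on its ID, target, and package path.
+// The key is used to ensure that each vulnerability is uniquely identified even if it appears in multiple
+// binaries or paths.
+//
+// Parameters:
+// - vulnID: The unique identifier for the vulnerability (e.g., CVE ID).
+// - target: The target location of the vulnerability (e.g., binary file path).
+// - pkgPath: The package path of the vulnerability (e.g., library or module path).
+//
+// Returns:
+// - A string representing the unique key for the vulnerability.
+//
+// The key is constructed by concatenating the non-empty components (vulnID, target, pkgPath) with a "|" separator.
+// This approach ensures that even if target and pkgPath have identical names or are empty, the key remains unique and valid.
+//
+// Example usage:
+// key := constructVulnKey("CVE-2024-1234", "usr/local/bin", "package/path")
+// This will return: "CVE-2024-1234-P:usr/local/bin-T:package/path"
+func constructVulnKey(vulnID, target, pkgPath string) string {
+var parts []string
+parts = append(parts, vulnID)
+if target != "" {
+parts = append(parts, "T:"+target)
+}
+if pkgPath != "" {
+parts = append(parts, "P:"+pkgPath)
+}
+return strings.Join(parts, "-")
+}
+
 func (c *ResourcesMetricsCollector) SetupWithManager(mgr ctrl.Manager) error {
 return mgr.Add(c)
 }
@@ -641,10 +672,11 @@ func (c ResourcesMetricsCollector) collectVulnerabilityIdReports(ctx context.Con
 }
 var vulnList = make(map[string]bool)
 for _, vuln := range r.Report.Vulnerabilities {
-if vulnList[vuln.VulnerabilityID] {
+vulnKey := constructVulnKey(vuln.VulnerabilityID, vuln.Target, vuln.PkgPath)
+if vulnList[vulnKey] {
 continue
 }
-vulnList[vuln.VulnerabilityID] = true
+vulnList[vulnKey] = true
 vulnLabelValues[9] = vuln.InstalledVersion
 vulnLabelValues[10] = vuln.FixedVersion
 vulnLabelValues[11] = vuln.PublishedDate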
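Review bot: The doc comment on constructVulnKey in the second hunk contradicts the code it documents: it says the components are joined with a "|" separator while `strings.Join(parts, "-")` uses "-", and the example output swaps the prefixes, since the function emits the target first as `T:` and the package path second as `P:`. I would change the two lines to `// The key is constructed by joining the non-empty components (vulnID, "T:"+target, "P:"+pkgPath) with a "-" separator.` and `// This will return: "CVE-2024-1234-T:usr/local/bin-P:package/path"`. Separately, because "-" can itself appear in a target or package path, two distinct (target, pkgPath) pairs for the same vulnID can map to the same key, and the `vulnList[vulnKey]` check in the last hunk would then silently drop one of them; worth a one-line comment noting that the dedup key is best-effort, or a separator that cannot occur in a path. collectVulnerabilityIdReports begins and ends outside the hunk.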
Expand Down