From 5a449da9d0462bc8f4d90a2c5c9fa1e53dba059e Mon Sep 17 00:00:00 2001
From: gnmahanth
Date: Thu, 19 Jan 2023 12:21:46 +0000
Subject: [PATCH] fix image vulnerability scan

---
 Makefile | 6 +-
 deepfence_agent/plugins/package-scanner | 2 +-
 .../apache/scope/probe/host/generate_sbom.go | 16 +++---
 deepfence_server/handler/scan_reports.go | 55 ++++++++++++++++++-
 4 files changed, 67 insertions(+), 12 deletions(-)

diff --git a/Makefile b/Makefile
index 0fad77e98f..aff54c8990 100644
--- a/Makefile
+++ b/Makefile
@@ -30,9 +30,9 @@ console_plugins: secretscanner malwarescanner packagescanner
 
 .PHONY: bootstrap-agent-plugins
 bootstrap-agent-plugins:
- cd $(DEEPFENCE_AGENT_DIR)/plugins && bash bootstrap.sh && cd -
- cd $(SECRET_SCANNER_DIR) && bash bootstrap.sh && cd -
- cd $(MALWARE_SCANNER_DIR) && bash bootstrap.sh && cd -
+ (cd $(DEEPFENCE_AGENT_DIR)/plugins && bash bootstrap.sh)
+ (cd $(SECRET_SCANNER_DIR) && bash bootstrap.sh)
+ (cd $(MALWARE_SCANNER_DIR) && bash bootstrap.sh)
 
 .PHONY: agent
 agent:
diff --git a/deepfence_agent/plugins/package-scanner b/deepfence_agent/plugins/package-scanner
index 383a6b2c3f..10148b0005 160000
--- a/deepfence_agent/plugins/package-scanner
+++ b/deepfence_agent/plugins/package-scanner
@@ -1 +1 @@
-Subproject commit 383a6b2c3ffbf9ee51513fb35608ded84a385d9a
+Subproject commit 10148b0005d881fec76e3c2d60c26f8e2e1d16d1
diff --git a/deepfence_agent/tools/apache/scope/probe/host/generate_sbom.go b/deepfence_agent/tools/apache/scope/probe/host/generate_sbom.go
index 3dad672efc..1e60345735 100644
--- a/deepfence_agent/tools/apache/scope/probe/host/generate_sbom.go
+++ b/deepfence_agent/tools/apache/scope/probe/host/generate_sbom.go
@@ -55,10 +55,10 @@ func GenerateSbomForVulnerabilityScan(nodeType, imageName, imageId, scanId, cont
 if nodeType == "host" {
 source = scanPath
 } else if nodeType == "container_image" {
- if imageId != "" {
- source = imageId
- } else {
+ if imageName != "" {
 source = imageName
+ } else {
+ source = imageId
 }
 } else if nodeType == "container" {
 if containerId != "" {
@@ -107,13 +107,15 @@ func StartVulnerabilityScan(req ctl.StartVulnerabilityScanRequest) error {
 node_id = node_id_Arg
 }
 
+ if image_name_Arg, ok := req.BinArgs["image_name"]; ok {
+ imageName = image_name_Arg
+ }
+
 switch node_type {
 case "container":
 containerId = node_id
- containerName = node_id
 case "image":
 imageId = node_id
- imageName = node_id
 node_type = "container_image"
 }
 
@@ -121,8 +123,8 @@ func StartVulnerabilityScan(req ctl.StartVulnerabilityScanRequest) error {
 kubernetesClusterName = kubernetesClusterNameArg
 }
 if (node_type == "container" && containerId == "") ||
- (node_type == "container_image" && imageId == "") {
- return errors.New("image_id/container_id is required for container/image vulnerability scan")
+ (node_type == "container_image" && (imageId == "" || imageName == "")) {
+ return errors.New("image_id/image_name/container_id is required for container/image vulnerability scan")
 }
 if scanTypeArg, ok := req.BinArgs["scan_type"]; ok {
 scanType = scanTypeArg
diff --git a/deepfence_server/handler/scan_reports.go b/deepfence_server/handler/scan_reports.go
index 25de874155..e2d83e8418 100644
--- a/deepfence_server/handler/scan_reports.go
+++ b/deepfence_server/handler/scan_reports.go
@@ -1,6 +1,7 @@
 package handler
 
 import (
+ "context"
 "encoding/json"
 "fmt"
 "io"
@@ -21,6 +22,7 @@ import (
 httpext "github.com/go-playground/pkg/v5/net/http"
 "github.com/gorilla/schema"
 "github.com/minio/minio-go/v7"
+ "github.com/neo4j/neo4j-go-driver/v4/neo4j"
 "github.com/twmb/franz-go/pkg/kgo"
 )
 
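Review bot: The new `source = imageId` fallback in this hunk is unreachable through StartVulnerabilityScan, because the guard in the `@@ -121,8 +123,8 @@` hunk now rejects a container_image request whenever imageId or imageName is empty, so the `imageName != ""` branch is always the one taken. If the agent is still meant to scan when only image_id is supplied (which is what the fallback suggests), the guard should require at least one identifier rather than both: `(node_type == "container_image" && imageId == "" && imageName == "")`. If both are mandatory, the fallback should go instead; either way the two hunks should agree on the contract. GenerateSbomForVulnerabilityScan starts before this hunk and continues after it, so other callers that might exercise the fallback are not visible here.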
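Review bot: `containerName = node_id` is dropped in this hunk without a replacement, so unless containerName is assigned elsewhere in StartVulnerabilityScan (the body continues outside the hunk) it is now always empty where it used to carry the node id; if that is intended, a comment at the removal site such as `// node_id is the container id, not its name; containerName stays empty` would save the next reader the same question. The `image_name` value is copied from BinArgs verbatim and, via the `@@ -55,10 +55,10 @@` hunk, becomes the scan `source`; the only check it gets is the non-empty test in the `@@ -121,8 +123,8 @@` hunk, so a malformed `name:tag` (for example an empty tag leaving a trailing colon) would only surface as a later SBOM failure rather than a clear validation error here.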
@@ -28,6 +30,44 @@ func scanId(req model.ScanTriggerReq) string {
 return fmt.Sprintf("%s-%d", req.NodeId, time.Now().Unix())
 }
 
+func GetImageFromId(ctx context.Context, node_id string) (string, string, error) {
+ var name string
+ var tag string
+
+ driver, err := directory.Neo4jClient(ctx)
+ if err != nil {
+ return name, tag, err
+ }
+
+ session := driver.NewSession(neo4j.SessionConfig{AccessMode: neo4j.AccessModeRead})
+ if err != nil {
+ return name, tag, err
+ }
+ defer session.Close()
+
+ tx, err := session.BeginTransaction()
+ if err != nil {
+ return name, tag, err
+ }
+ defer tx.Close()
+
+ query := "MATCH (n:ContainerImage{node_id:$node_id}) return n.docker_image_name,n.docker_image_tag"
+ res, err := tx.Run(query, map[string]interface{}{"node_id": node_id})
+ if err != nil {
+ return name, tag, err
+ }
+
+ rec, err := res.Single()
+ if err != nil {
+ return name, tag, err
+ }
+
+ name = rec.Values[0].(string)
+ tag = rec.Values[1].(string)
+
+ return name, tag, nil
+ }
+
 func (h *Handler) StartVulnerabilityScanHandler(w http.ResponseWriter, r *http.Request) {
 req, err := extractScanTrigger(w, r)
 if err != nil {
@@ -42,9 +82,22 @@ func (h *Handler) StartVulnerabilityScanHandler(w http.ResponseWriter, r *http.R
 "node_id": req.NodeId,
 }
 
+ nodeTypeInternal := ctl.StringToResourceType(req.NodeType)
+
+ if nodeTypeInternal == ctl.Image {
+ name, tag, err := GetImageFromId(r.Context(), req.NodeId)
+ if err != nil {
+ log.Error().Msg(err.Error())
+ httpext.JSON(w, http.StatusInternalServerError, model.Response{Success: false})
+ return
+ }
+ binArgs["image_name"] = name + ":" + tag
+ log.Info().Msgf("node_id=%s image_name=%s", req.NodeId, binArgs["image_name"])
+ }
+
 internal_req := ctl.StartSecretScanRequest{
 NodeId: req.NodeId,
- NodeType: ctl.StringToResourceType(req.NodeType),
+ NodeType: nodeTypeInternal,
 BinArgs: binArgs,
 }
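Review bot: `rec.Values[0].(string)` and `rec.Values[1].(string)` in GetImageFromId are single-value type assertions, so a ContainerImage node whose docker_image_name or docker_image_tag property is null (a nil value in the record) panics inside the HTTP handler instead of returning an error; use the two-value form and report the missing property. The `if err != nil` after `driver.NewSession(...)` re-tests the error already checked after `Neo4jClient` (`NewSession` returns no error), so it is dead code and should be removed. Passing `node_id` as the `$node_id` query parameter rather than formatting it into the Cypher string is the right pattern and worth keeping as the query evolves. As an exported function it also needs a doc comment, e.g. `// GetImageFromId returns the docker_image_name and docker_image_tag of the ContainerImage node identified by node_id.`
```go
	// … unchanged: Neo4jClient, NewSession (without the dead err check), BeginTransaction, tx.Run;
	// the var name / var tag declarations at the top are no longer needed …
	rec, err := res.Single()
	if err != nil {
		return "", "", err
	}
	// A null or absent property arrives as a nil value; a bare
	// type assertion would panic inside the request handler.
	name, ok := rec.Values[0].(string)
	if !ok {
		return "", "", fmt.Errorf("container image %q: docker_image_name is not a string", node_id)
	}
	tag, ok := rec.Values[1].(string)
	if !ok {
		return "", "", fmt.Errorf("container image %q: docker_image_tag is not a string", node_id)
	}
	return name, tag, nil
```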