chore: add totalResources, summary, type and score in Vulnerability t…

…ypes

api/zora/v1alpha1/vulnerabilityreport_types.go

@@ -26,8 +26,11 @@ type VulnerabilityReportSpec struct {
 	Tag        string `json:"tag,omitempty"`
 	Digest     string `json:"digest,omitempty"`
 
+	TotalResources  int                 `json:"totalResources"`
 	Resources       map[string][]string `json:"resources"`
 	Vulnerabilities []Vulnerability     `json:"vulnerabilities"`
+
+	Summary VulnerabilitySummary `json:"summary"`
 }
 
 type Vulnerability struct {
@@ -39,6 +42,18 @@ type Vulnerability struct {
 	FixVersion  string `json:"fixVersion,omitempty"`
 	URL         string `json:"url,omitempty"`
 	Status      string `json:"status,omitempty"`
+	Type        string `json:"type,omitempty"`
+	Score       string `json:"score,omitempty"`
+}
+
+type VulnerabilitySummary struct {
+	Total int `json:"total"`
+
+	Critical int `json:"critical"`
+	High     int `json:"high"`
+	Medium   int `json:"medium"`
+	Low      int `json:"low"`
+	Unknown  int `json:"unknown"`
 }
 
 // VulnerabilityReportStatus defines the observed state of VulnerabilityReport

charts/zora/crds/zora.undistro.io_vulnerabilityreports.yaml

@@ -64,8 +64,32 @@ spec:
                     type: string
                   type: array
                 type: object
+              summary:
+                properties:
+                  critical:
+                    type: integer
+                  high:
+                    type: integer
+                  low:
+                    type: integer
+                  medium:
+                    type: integer
+                  total:
+                    type: integer
+                  unknown:
+                    type: integer
+                required:
+                - critical
+                - high
+                - low
+                - medium
+                - total
+                - unknown
+                type: object
               tag:
                 type: string
+              totalResources:
+                type: integer
               vulnerabilities:
                 items:
                   properties:
@@ -77,10 +101,14 @@ spec:
                       type: string
                     package:
                       type: string
+                    score:
+                      type: string
                     severity:
                       type: string
                     status:
                       type: string
+                    type:
+                      type: string
                     url:
                       type: string
                     version:
@@ -97,6 +125,8 @@ spec:
             - cluster
             - image
             - resources
+            - summary
+            - totalResources
             - vulnerabilities
             type: object
           status:

config/crd/bases/zora.undistro.io_vulnerabilityreports.yaml

@@ -50,8 +50,32 @@ spec:
                     type: string
                   type: array
                 type: object
+              summary:
+                properties:
+                  critical:
+                    type: integer
+                  high:
+                    type: integer
+                  low:
+                    type: integer
+                  medium:
+                    type: integer
+                  total:
+                    type: integer
+                  unknown:
+                    type: integer
+                required:
+                - critical
+                - high
+                - low
+                - medium
+                - total
+                - unknown
+                type: object
               tag:
                 type: string
+              totalResources:
+                type: integer
               vulnerabilities:
                 items:
                   properties:
@@ -63,10 +87,14 @@ spec:
                       type: string
                     package:
                       type: string
+                    score:
+                      type: string
                     severity:
                       type: string
                     status:
                       type: string
+                    type:
+                      type: string
                     url:
                       type: string
                     version:
@@ -83,6 +111,8 @@ spec:
             - cluster
             - image
             - resources
+            - summary
+            - totalResources
             - vulnerabilities
             type: object
           status:

pkg/worker/report/trivy/parse.go

@@ -60,7 +60,8 @@ func Parse(ctx context.Context, results io.Reader) ([]v1alpha1.VulnerabilityRepo
 			if _, ok := vulnsByImage[img]; !ok {
 				vulnsByImage[img] = &v1alpha1.VulnerabilityReportSpec{Image: img}
 			}
-			addResource(vulnsByImage[img], f.Kind, f.Namespace, f.Name)
+			spec := vulnsByImage[img]
+			addResource(spec, f.Kind, f.Namespace, f.Name)
 
 			k := fmt.Sprintf("%s;%s", img, result.Class)
 			if _, ok := parsed[k]; ok {
@@ -69,18 +70,19 @@ func Parse(ctx context.Context, results io.Reader) ([]v1alpha1.VulnerabilityRepo
 			parsed[k] = true
 
 			for _, vuln := range result.Vulnerabilities {
-				vulnsByImage[img].Vulnerabilities = append(vulnsByImage[img].Vulnerabilities, newVulnerability(vuln))
+				spec.Vulnerabilities = append(spec.Vulnerabilities, newVulnerability(vuln, result.Type))
 			}
 		}
 	}
 	specs := make([]v1alpha1.VulnerabilityReportSpec, 0, len(vulnsByImage))
 	for _, spec := range vulnsByImage {
+		summarize(spec)
 		specs = append(specs, *spec)
 	}
 	return specs, nil
 }
 
-func newVulnerability(vuln trivytypes.DetectedVulnerability) v1alpha1.Vulnerability {
+func newVulnerability(vuln trivytypes.DetectedVulnerability, resultType string) v1alpha1.Vulnerability {
 	return v1alpha1.Vulnerability{
 		ID:          vuln.VulnerabilityID,
 		Severity:    vuln.Severity,
@@ -90,9 +92,28 @@ func newVulnerability(vuln trivytypes.DetectedVulnerability) v1alpha1.Vulnerabil
 		FixVersion:  vuln.FixedVersion,
 		URL:         vuln.PrimaryURL,
 		Status:      vuln.Status.String(),
+		Score:       getScore(vuln),
+		Type:        resultType,
 	}
 }
 
+func getScore(vuln trivytypes.DetectedVulnerability) string {
+	var vendor *float64
+	for id, cvss := range vuln.CVSS {
+		if cvss.V3Score == 0.0 {
+			continue
+		}
+		if string(id) == "nvd" {
+			return fmt.Sprintf("%v", cvss.V3Score)
+		}
+		vendor = &cvss.V3Score
+	}
+	if vendor == nil {
+		return ""
+	}
+	return fmt.Sprintf("%v", *vendor)
+}
+
 func getImage(finding trivyreport.Resource) string {
 	for _, r := range finding.Results {
 		if r.Class == "os-pkgs" {
@@ -102,20 +123,41 @@ func getImage(finding trivyreport.Resource) string {
 	return ""
 }
 
-func addResource(in *v1alpha1.VulnerabilityReportSpec, kind, namespace, name string) {
-	if in.Resources == nil {
-		in.Resources = map[string][]string{}
+func addResource(spec *v1alpha1.VulnerabilityReportSpec, kind, namespace, name string) {
+	if spec.Resources == nil {
+		spec.Resources = map[string][]string{}
 	}
 	id := name
 	if namespace != "" {
 		id = fmt.Sprintf("%s/%s", namespace, name)
 	}
-	if res, ok := in.Resources[kind]; ok {
+	if res, ok := spec.Resources[kind]; ok {
 		for _, re := range res {
 			if re == id {
 				return
 			}
 		}
 	}
-	in.Resources[kind] = append(in.Resources[kind], id)
+	spec.Resources[kind] = append(spec.Resources[kind], id)
+	spec.TotalResources++
+}
+
+func summarize(spec *v1alpha1.VulnerabilityReportSpec) {
+	s := &v1alpha1.VulnerabilitySummary{}
+	for _, v := range spec.Vulnerabilities {
+		s.Total++
+		switch v.Severity {
+		case "CRITICAL":
+			s.Critical++
+		case "HIGH":
+			s.High++
+		case "MEDIUM":
+			s.Medium++
+		case "LOW":
+			s.Low++
+		default:
+			s.Unknown++
+		}
+	}
+	spec.Summary = *s
 }