feat(cli): include status in vuln ctr scan assesment output (#853)

* feat(cli): include status in vuln ctr scan assesment output * fix(cli): fix regex for vulnerability exceptions create * test: updated vulnerability tests * test: disable TestEventCommandListSeverityWithJsonFlag * test: renable events test Signed-off-by: Darren Murray <[email protected]>
lacework · Jul 11, 2022 · 5ff586c · 5ff586c
1 parent 2794070
commit 5ff586c
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 7 deletions.
diff --git a/api/vulnerabilities_container.go b/api/vulnerabilities_container.go
@@ -316,6 +316,7 @@ type ContainerVulnerability struct {
 	Link        string                 `json:"link"`
 	FixVersion  string                 `json:"fix_version"`
 	Metadata    map[string]interface{} `json:"metadata"`
+	Status      string                 `json:"status"`
 }
 
 // traverseMetadata will try to extract an interface from the nested tree of key

diff --git a/cli/cmd/vuln_container.go b/cli/cmd/vuln_container.go
@@ -626,7 +626,7 @@ func buildVulnerabilityDetailsReportTable(details vulnerabilityDetailsReport) st
 			report.WriteString(
 				renderCustomTable(
 					[]string{"CVE ID", "Severity", "Package", "Current Version",
-						"Fix Version", "Introduced in Layer"},
+						"Fix Version", "Introduced in Layer", "Status"},
 					vulnImageTable,
 					tableFunc(func(t *tablewriter.Table) {
 						t.SetBorder(false)
@@ -696,6 +696,7 @@ type vulnTable struct {
 	CreatedBy      string
 	CVSSv2Score    float64
 	CVSSv3Score    float64
+	Status         string
 }
 
 type filteredImageTable struct {
@@ -818,6 +819,7 @@ func filterVulContainerImageLayers(image *api.VulnContainerImage) filteredImageT
 					CreatedBy:      createdBy,
 					CVSSv2Score:    vul.CVSSv2Score(),
 					CVSSv3Score:    vul.CVSSv3Score(),
+					Status:         vul.Status,
 				})
 
 				filteredPkg.Vulnerabilities = append(filteredPkg.Vulnerabilities, vul)
@@ -870,6 +872,7 @@ func vulContainerImageLayersToTable(imageTable filteredImageTable) [][]string {
 			vuln.CurrentVersion,
 			vuln.FixVersion,
 			vuln.CreatedBy,
+			vuln.Status,
 		})
 	}
 

diff --git a/cli/cmd/vulnerability_exceptions_test.go b/cli/cmd/vulnerability_exceptions_test.go
@@ -18,6 +18,7 @@
 package cmd
 
 import (
+	"regexp"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -30,6 +31,51 @@ func TestBuildVulnerabilityException(t *testing.T) {
 	assert.Equal(t, vulnExceptionPropertiesTable, vulnPropertiesOutput)
 }
 
+func TestCVEValidate(t *testing.T) {
+	cveRegEx, _ := regexp.Compile(CveRegex)
+	alasRegEx, _ := regexp.Compile(AlasRegex)
+
+	cveTableTest := []struct {
+		Name     string
+		Input    string
+		Regex    *regexp.Regexp
+		Expected bool
+	}{{
+		Name:     "CVE Valid",
+		Input:    "CVE-2022-28948",
+		Regex:    cveRegEx,
+		Expected: true,
+	}, {
+		Name:     "CVE Invalid",
+		Input:    "CV-202-28948",
+		Regex:    cveRegEx,
+		Expected: false,
+	}, {
+		Name:     "ALAS Valid",
+		Input:    "ALAS-2022-1788",
+		Regex:    alasRegEx,
+		Expected: true,
+	}, {
+		Name:     "ALAS Valid",
+		Input:    "ALAS2-2022-1802",
+		Regex:    alasRegEx,
+		Expected: true,
+	},
+		{
+			Name:     "ALAS Invalid",
+			Input:    "ALA-2022-1788",
+			Regex:    alasRegEx,
+			Expected: false,
+		},
+	}
+	for _, test := range cveTableTest {
+		t.Run(test.Name, func(t *testing.T) {
+			result := test.Regex.MatchString(test.Input)
+			assert.Equal(t, result, test.Expected)
+		})
+	}
+}
+
 var (
 	mockVulnException = api.VulnerabilityException{
 		Enabled:         1,

diff --git a/cli/cmd/vulnerability_test.go b/cli/cmd/vulnerability_test.go
@@ -174,7 +174,8 @@ func TestBuildVulnContainerAssessmentReportsWithVulnerabilitiesPackagesViewWithF
                   }
                 },
                 "name": "CVE-2021-36159",
-                "severity": "critical"
+                "severity": "critical",
+                "status": "Vulnerable"
               }
             ]
           }
@@ -226,6 +227,7 @@ func mockVulnerabilityAssessment() *api.VulnContainerAssessment {
                 "description": "",
                 "fix_version": "2.10.6-r0",
                 "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30139",
+                "status": "Vulnerable",
                 "metadata": {
                   "NVD": {
                     "CVSSv2": {
@@ -248,6 +250,7 @@ func mockVulnerabilityAssessment() *api.VulnContainerAssessment {
                 "description": "",
                 "fix_version": "2.10.7-r0",
                 "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36159",
+                "status": "Vulnerable",
                 "metadata": {
                   "NVD": {
                     "CVSSv2": {
@@ -277,6 +280,7 @@ func mockVulnerabilityAssessment() *api.VulnContainerAssessment {
                 "description": "",
                 "fix_version": "1.1.24-r10",
                 "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928",
+                "status": "Vulnerable",
                 "metadata": {
                   "NVD": {
                     "CVSSv2": {

diff --git a/cli/cmd/vulnerabilty_exceptions.go b/cli/cmd/vulnerabilty_exceptions.go
@@ -32,6 +32,9 @@ import (
 	"github.com/spf13/cobra"
 )
 
+const CveRegex = `(?i)CVE-\d{4}-\d{4,7}`
+const AlasRegex = `(?i)ALAS(2?)-\d{4}-\d{3,7}`
+
 var (
 	// vulnerability-exceptions command is used to manage lacework vulnerability exceptions
 	vulnerabilityExceptionCommand = &cobra.Command{
@@ -343,17 +346,18 @@ func transformVulnerabilityExceptionPackages(packages string) []api.Vulnerabilit
 
 func validateCveFormat() survey.Validator {
 	return func(val interface{}) error {
-		cveRegEx, _ := regexp.Compile(`(?i)CVE-\d{4}-\d{4,7}`)
+		cveRegEx, _ := regexp.Compile(CveRegex)
+		alasRegEx, _ := regexp.Compile(AlasRegex)
 		if list, ok := val.([]core.OptionAnswer); ok {
 			for _, i := range list {
-				if !cveRegEx.MatchString(i.Value) {
-					return fmt.Errorf("CVE format is invalid. Please format corretly eg: CVE-2014-0001")
+				if !cveRegEx.MatchString(i.Value) && !alasRegEx.MatchString(i.Value) {
+					return fmt.Errorf("CVE format is invalid. Please format corretly eg: CVE-2014-0001, ALAS2-2022-1788")
 				}
 			}
 		} else {
 			value := val.(string)
-			if !cveRegEx.MatchString(value) {
-				return fmt.Errorf("CVE format is invalid. Please format corretly eg: CVE-2014-0001")
+			if !cveRegEx.MatchString(value) && !alasRegEx.MatchString(value) {
+				return fmt.Errorf("CVE format is invalid. Please format corretly eg: CVE-2014-0001,  ALAS2-2022-1788")
 			}
 		}
 		return nil