issue #3733 change code to allow all images if DOCKER_SECURITY_TOOL_O…

…S is empty (as in was previously)
epam · Oct 4, 2024 · 6f53c41 · 6f53c41
1 parent bb04f99
commit 6f53c41
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 19 deletions.
diff --git a/api/src/main/java/com/epam/pipeline/manager/pipeline/ToolManager.java b/api/src/main/java/com/epam/pipeline/manager/pipeline/ToolManager.java
@@ -828,8 +828,7 @@ public boolean isToolOSVersionAllowed(final ToolOSVersion toolOSVersion) {
         final String allowedOSes = preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_OS);
         final String allowedWithWarningOSes = preferenceManager.getPreference(
                 SystemPreferences.DOCKER_SECURITY_TOOL_OS_WITH_WARNING);
-        if ((StringUtils.isEmpty(allowedOSes) && StringUtils.isEmpty(allowedWithWarningOSes))
-                || toolOSVersion == null) {
+        if (StringUtils.isEmpty(allowedOSes) || toolOSVersion == null) {
             return true;
         }
         return toolOSVersion.isMatched(allowedOSes) || toolOSVersion.isMatched(allowedWithWarningOSes);

diff --git a/api/src/test/java/com/epam/pipeline/manager/docker/scan/AggregatingToolScanManagerTest.java b/api/src/test/java/com/epam/pipeline/manager/docker/scan/AggregatingToolScanManagerTest.java
@@ -81,6 +81,7 @@
 
 public class AggregatingToolScanManagerTest {
 
+    private static final int ONE = 1;
     private static final boolean DENY_NOT_SCANNED = true;
     private static final int MAX_CRITICAL_VULNERABILITIES = 2;
     private static final int MAX_HIGH_VULNERABILITIES = 3;
@@ -98,6 +99,8 @@ public class AggregatingToolScanManagerTest {
     private static final Set<String> TEST_LABEL_MARK = Collections.singleton("LABEL-name");
     private static final int ERROR_CODE = 500;
     private static final String CLAIR_DEFAULT_VERSION = "v2";
+    public static final String UBUNTU_OS = "ubuntu";
+    public static final String CENTOS_OS = "centos";
 
     @InjectMocks
     private AggregatingToolScanManager aggregatingToolScanManager = new AggregatingToolScanManager();
@@ -154,7 +157,7 @@ public class AggregatingToolScanManagerTest {
     private ClairScanResult.ClairFeature feature;
     private ToolDependency testDependency;
     private final ToolDependency nvidiaDependency = new ToolDependency(
-            1, "latest", "NvidiaVersion", null, ToolDependency.Ecosystem.NVIDIA, null);
+            ONE, "latest", "NvidiaVersion", null, ToolDependency.Ecosystem.NVIDIA, null);
 
     @Before
     public void setUp() throws Exception {
@@ -223,7 +226,7 @@ public void setUp() throws Exception {
         DockerComponentScanResult dockerComponentScanResult = new DockerComponentScanResult();
         DockerComponentLayerScanResult layerScanResult = new DockerComponentLayerScanResult();
         testDependency = new ToolDependency(
-                1, "latest", "test", "1.0", ToolDependency.Ecosystem.R_PKG, "R Package");
+                ONE, "latest", "test", "1.0", ToolDependency.Ecosystem.R_PKG, "R Package");
         layerScanResult.setDependencies(Arrays.asList(testDependency, nvidiaDependency));
         dockerComponentScanResult.setLayers(Collections.singletonList(layerScanResult));
 
@@ -297,7 +300,7 @@ public void testThatScanToolFilterDependencies() throws ToolScanExternalServiceE
 
         List<ToolDependency> dependencies = result.getDependencies();
         //check that dependencies are filtered and only one pass the filter
-        Assert.assertEquals(1, dependencies.size());
+        Assert.assertEquals(ONE, dependencies.size());
     }
 
     @Test
@@ -327,7 +330,7 @@ public void testScanTool() throws ToolScanExternalServiceException {
         Assert.assertEquals(testDependency.getVersion(), loadedDependency.getVersion());
         Assert.assertEquals(testDependency.getDescription(), loadedDependency.getDescription());
 
-        loadedDependency = dependencies.get(1);
+        loadedDependency = dependencies.get(ONE);
         Assert.assertEquals(nvidiaDependency.getName(), "NvidiaVersion");
         Assert.assertEquals(nvidiaDependency.getEcosystem(), loadedDependency.getEcosystem());
 
@@ -416,14 +419,14 @@ public void testThatScanIsPerformedEvenIfDockerCompFails() throws ToolScanExtern
 
         // Check that even that status is FAILED we still get vulnerabilities from clair
         Assert.assertEquals(ToolScanStatus.FAILED, result.getStatus());
-        Assert.assertEquals(1, result.getVulnerabilities().size());
-        Assert.assertEquals(1, result.getVulnerabilities().stream().map(Vulnerability::getFeature).count());
+        Assert.assertEquals(ONE, result.getVulnerabilities().size());
+        Assert.assertEquals(ONE, result.getVulnerabilities().stream().map(Vulnerability::getFeature).count());
     }
 
     @Test
     public void testDenyOnCritical() {
-        TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES + 1, MAX_HIGH_VULNERABILITIES,
-                1, toolScanResult);
+        TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES + ONE, MAX_HIGH_VULNERABILITIES,
+                ONE, toolScanResult);
         Assert.assertFalse(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
     }
 
@@ -432,7 +435,7 @@ public void testDenyOnNotAllowedOS() {
         when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_OS))
                 .thenReturn("centos:6");
         TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES, MAX_HIGH_VULNERABILITIES,
-                1, toolScanResult, new ToolOSVersion("ubuntu", "14"));
+                ONE, toolScanResult, new ToolOSVersion(UBUNTU_OS, "14"));
         Assert.assertFalse(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
     }
 
@@ -441,32 +444,52 @@ public void testDenyOnNotAllowedOSVersion() {
         when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_OS))
                 .thenReturn("centos:6");
         TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES, MAX_HIGH_VULNERABILITIES,
-                1, toolScanResult, new ToolOSVersion("centos", "7"));
+                ONE, toolScanResult, new ToolOSVersion(CENTOS_OS, "7"));
         Assert.assertFalse(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
     }
 
     @Test
     public void testAllowOnAllowedOSVersion() {
         when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_OS))
-                .thenReturn("centos");
+                .thenReturn(CENTOS_OS);
         TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES, MAX_HIGH_VULNERABILITIES,
-                1, toolScanResult, new ToolOSVersion("centos", "7"));
+                ONE, toolScanResult, new ToolOSVersion(CENTOS_OS, "7"));
         Assert.assertTrue(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
     }
 
     @Test
     public void testAllowOnAllowedOSInToolOsWithWarning() {
+        when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_OS))
+                .thenReturn(CENTOS_OS);
+        when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_OS_WITH_WARNING))
+                .thenReturn("ubuntu:14");
+        TestUtils.generateScanResult(0, 0,
+                ONE, toolScanResult, new ToolOSVersion(UBUNTU_OS, "14"));
+        Assert.assertTrue(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
+    }
+
+    @Test
+    public void testAllowIfAllowedOSsIsEmpty() {
         when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_OS_WITH_WARNING))
                 .thenReturn("ubuntu:14");
         TestUtils.generateScanResult(0, 0,
-                1, toolScanResult, new ToolOSVersion("ubuntu", "14"));
+                ONE, toolScanResult, new ToolOSVersion(UBUNTU_OS, "14"));
+        Assert.assertTrue(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
+    }
+
+    @Test
+    public void testAllowIfAllowedOSsIsEmptyAndAllowedOSesWithWarningDoesntAllow() {
+        when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_OS_WITH_WARNING))
+                .thenReturn(CENTOS_OS);
+        TestUtils.generateScanResult(0, 0,
+                ONE, toolScanResult, new ToolOSVersion(UBUNTU_OS, "14"));
         Assert.assertTrue(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
     }
 
     @Test
     public void testDenyOnHigh() {
-        TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES, MAX_HIGH_VULNERABILITIES + 1,
-                1, toolScanResult);
+        TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES, MAX_HIGH_VULNERABILITIES + ONE,
+                ONE, toolScanResult);
         Assert.assertFalse(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
     }
 
@@ -475,14 +498,14 @@ public void testDenyOnMedium() {
         when(preferenceManager.getPreference(SystemPreferences.DOCKER_SECURITY_TOOL_POLICY_MAX_MEDIUM_VULNERABILITIES))
                 .thenReturn(0);
         TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES, MAX_HIGH_VULNERABILITIES,
-                1, toolScanResult);
+                ONE, toolScanResult);
         Assert.assertFalse(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
     }
 
     @Test
     public void testAllow() {
         TestUtils.generateScanResult(MAX_CRITICAL_VULNERABILITIES, MAX_HIGH_VULNERABILITIES,
-                1, toolScanResult);
+                ONE, toolScanResult);
         Assert.assertTrue(aggregatingToolScanManager.checkTool(testTool, LATEST_VERSION).isAllowed());
     }