diff --git a/src/pkg/securityhub/dao/security.go b/src/pkg/securityhub/dao/security.go index 0c87f417930d..9de412b9aeb6 100644 --- a/src/pkg/securityhub/dao/security.go +++ b/src/pkg/securityhub/dao/security.go @@ -48,16 +48,9 @@ where a.digest = s.digest order by s.critical_cnt desc, s.high_cnt desc, s.medium_cnt desc, s.low_cnt desc limit 5` - // sql to query the total artifact count, - // 1. exclude the artifact accessory, - // 2. exclude child artifact without tag - // 3. include top level artifact in image index + // sql to query the total artifact count, include the artifact accessory, and child artifact in image index // The totalArtifactCountSQL and scannedArtifactCountSQL should use the same criteria to filter the artifact - totalArtifactCountSQL = `SELECT COUNT(1) -FROM artifact a -WHERE NOT EXISTS (select 1 from artifact_accessory acc WHERE acc.artifact_id = a.id) - AND (EXISTS (SELECT 1 FROM tag WHERE tag.artifact_id = a.id) - OR NOT EXISTS (SELECT 1 FROM artifact_reference ref WHERE ref.child_id = a.id))` + totalArtifactCountSQL = `SELECT COUNT(1) FROM artifact` // sql to query the scanned artifact count, // exclude the artifact accessory, and child artifact in image index (without tag), 
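Review bot: The trailing context comment `// exclude the artifact accessory, and child artifact in image index (without tag),` above scannedArtifactCountSQL is left stale by this change, because the rewritten query in the next hunk (`@@ -67,19 +60,7`) drops exactly those exclusions and keeps only the scan_report EXISTS check. The retained line `// The totalArtifactCountSQL and scannedArtifactCountSQL should use the same criteria to filter the artifact` now sits between two comments that describe different criteria, which is how the two queries drifted apart in the first place. I would replace the two-line scanned-count comment with `// sql to query the scanned artifact count: every artifact row (accessories and image-index children included) that has a scan report for the given scanner registration` so both comments state the same rule as the new totalArtifactCountSQL. The declaration block holding these constants opens before this hunk.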
@@ -67,19 +60,7 @@ FROM artifact a WHERE EXISTS (SELECT 1 FROM scan_report s WHERE a.digest = s.digest - AND s.registration_uuid = ?) - -- exclude artifact accessory - AND NOT EXISTS (SELECT 1 FROM artifact_accessory acc WHERE acc.artifact_id = a.id) - -- not a child without tag - AND NOT EXISTS (SELECT 1 FROM artifact_reference WHERE child_id = a.id AND NOT EXISTS (SELECT 1 FROM tag WHERE artifact_id = a.id)) - -- include image index which is scanned - OR EXISTS (SELECT 1 - FROM scan_report s, - artifact_reference ref - WHERE s.digest = ref.child_digest - AND ref.parent_id = a.id AND s.registration_uuid = ? AND NOT EXISTS (SELECT 1 - FROM scan_report s - WHERE s.digest = a.digest and s.registration_uuid = ?))` + AND s.registration_uuid = ?)` // sql to query the dangerous CVEs // sort the CVEs by CVSS score and severity level, make sure it is referred by a report @@ -268,7 +249,7 @@ func (d *dao) ScannedArtifactsCount(ctx context.Context, scannerUUID string, pro if err != nil { return cnt, err } - err = o.Raw(scannedArtifactCountSQL, scannerUUID, scannerUUID, scannerUUID).QueryRow(&cnt) + err = o.Raw(scannedArtifactCountSQL, scannerUUID).QueryRow(&cnt) return cnt, err } func (d *dao) DangerousCVEs(ctx context.Context, scannerUUID string, projectID int64, query *q.Query) ([]*scan.VulnerabilityRecord, error) { diff --git a/src/pkg/securityhub/dao/security_test.go b/src/pkg/securityhub/dao/security_test.go index 328b59520803..f6033b75f2cc 100644 --- a/src/pkg/securityhub/dao/security_test.go +++ b/src/pkg/securityhub/dao/security_test.go 
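Review bot: The new `scannedArtifactCountSQL` counts an artifact as scanned only when a scan_report row carries the artifact's own digest, whereas the removed `OR EXISTS (...)` branch also counted an image index whose children had reports for the same registration_uuid. Since totalArtifactCountSQL now includes every artifact row, including image indexes (the updated test comment in security_test.go lists `image index(1)`), an index without a report row of its own would be counted in the total but not as scanned, and any scanned-versus-total figure derived from these two counts would understate coverage. If the current scan flow always writes a report row for the index itself this is fine, but that assumption is load-bearing and should be recorded on the constant, e.g. `// an image index counts as scanned only via its own scan_report row; child reports are not aggregated here`. The raw-string constant this hunk edits opens before the hunk (`SELECT COUNT(1) FROM artifact a`), and the ScannedArtifactsCount body in the following hunk also starts outside it.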
@@ -79,9 +79,9 @@ func (suite *SecurityDaoTestSuite) TearDownTest() {
 testDao.ExecuteBatchSQL([]string{
 `delete from scan_report where uuid = 'uuid'`,
 `delete from tag where id = 1001`,
- `delete from artifact where digest = 'digest1001'`,
 `delete from artifact_accessory where id = 1001`,
 `delete from artifact_reference where id = 1001`,
+ `delete from artifact where digest = 'digest1001'`,
 `delete from scanner_registration where uuid='ruuid'`,
 `delete from scanner_registration where uuid='uuid2'`,
 `delete from vulnerability_record where cve_id='2023-4567-12345'`,
@@ -149,7 +149,7 @@ func Test_checkQFilter(t *testing.T) {
 }
 }
 
-func (suite *SecurityDaoTestSuite) TestExacthMatchFilter() {
+func (suite *SecurityDaoTestSuite) TestExactMatchFilter() {
 type args struct {
 ctx context.Context
 key string
@@ -199,7 +199,8 @@ func (suite *SecurityDaoTestSuite) TestRangeFilter() {
 func (suite *SecurityDaoTestSuite) TestCountArtifact() {
 count, err := suite.dao.TotalArtifactsCount(suite.Context(), 0)
 suite.NoError(err)
- suite.Equal(int64(1), count)
+ // includes artifact_accessory(1), child artifact of image index(1), image index(1)
+ suite.Equal(int64(3), count)
 }
 func (suite *SecurityDaoTestSuite) TestCountVul() {
 count, err := suite.dao.CountVulnerabilities(suite.Context(), "ruuid", 0, true, nil)
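Review bot: The new assertion `suite.Equal(int64(3), count)` in TestCountArtifact pins the total to the fixture's three rows, but nothing in this diff checks the scanned count against the same fixture, so the source comment's requirement that both count queries use the same criteria is not exercised by the tests. A companion assertion in the scanned-count test, if one exists outside this diff, that the result is never greater than the value returned by TotalArtifactsCount for the same fixture would catch the two queries drifting apart again. The added comment would also read more clearly as `// fixture rows: artifact_accessory (1), child artifact of the image index (1), image index (1)`. TestCountVul continues past the end of the hunk.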