Merge pull request #245 from l3montree-dev/243-add-repo-parts-vulnera…

…bilities-handling started to refactor: rename Asset to AssetNew and update related refe…
l3montree-dev · Feb 17, 2025 · be0269c · be0269c
2 parents a768ffb + d7b20df
commit be0269c
Show file tree

Hide file tree

Showing 47 changed files with 1,887 additions and 1,183 deletions.
diff --git a/cmd/devguard-cli/commands/migrate.go b/cmd/devguard-cli/commands/migrate.go
@@ -0,0 +1,60 @@
+package commands
+
+import (
+	"log/slog"
+
+	"github.com/l3montree-dev/devguard/internal/core"
+	"github.com/l3montree-dev/devguard/internal/database/models"
+	"github.com/l3montree-dev/devguard/internal/database/repositories"
+	"github.com/spf13/cobra"
+)
+
+func NewMigrateCommand() *cobra.Command {
+	migrate := cobra.Command{
+		Use:   "migrate",
+		Short: "Migrate data",
+	}
+
+	migrate.AddCommand(newFlawHashMigration())
+	return &migrate
+}
+
+func newFlawHashMigration() *cobra.Command {
+	flawHashMigration := cobra.Command{
+		Use:   "flaw-hash",
+		Short: "Will recalculate the flaw hashes for all flaws",
+		Args:  cobra.ExactArgs(0),
+		Run: func(cmd *cobra.Command, args []string) {
+			core.LoadConfig() // nolint
+			database, err := core.DatabaseFactory()
+			if err != nil {
+				slog.Error("could not connect to database", "err", err)
+				return
+			}
+
+			flawRepository := repositories.NewFlawRepository(database)
+
+			var flaws []models.Flaw
+			err = flawRepository.GetDB(nil).Model(&models.Flaw{}).Find(&flaws).Error
+
+			if err != nil {
+				slog.Error("could not fetch flaws", "err", err)
+				return
+			}
+
+			for _, flaw := range flaws {
+				oldHash := flaw.ID
+				newHash := flaw.CalculateHash()
+
+				// update the hash in the database
+				err = flawRepository.GetDB(nil).Model(&models.Flaw{}).Where("id = ?", oldHash).UpdateColumn("id", newHash).Error
+				if err != nil {
+					slog.Error("could not update flaw hash", "err", err)
+					return
+				}
+			}
+		},
+	}
+
+	return &flawHashMigration
+}
diff --git a/cmd/devguard-cli/commands/risk.go b/cmd/devguard-cli/commands/risk.go
@@ -38,13 +38,14 @@ func newCalculateCmd() *cobra.Command {
 			flawEventRepository := repositories.NewFlawEventRepository(database)
 			cveRepository := repositories.NewCVERepository(database)
 			assetRepository := repositories.NewAssetRepository(database)
+			assetVersionRepository := repositories.NewAssetVersionRepository(database)
 			flawService := flaw.NewService(flawRepository, flawEventRepository, assetRepository, cveRepository)
 			statisticsRepository := repositories.NewStatisticsRepository(database)
 			componentRepository := repositories.NewComponentRepository(database)
 			projectRepository := repositories.NewProjectRepository(database)
 			projectRiskHistoryRepository := repositories.NewProjectRiskHistoryRepository(database)
 
-			statisticService := statistics.NewService(statisticsRepository, componentRepository, repositories.NewAssetRiskHistoryRepository(database), flawRepository, assetRepository, projectRepository, projectRiskHistoryRepository)
+			statisticService := statistics.NewService(statisticsRepository, componentRepository, repositories.NewAssetRiskHistoryRepository(database), flawRepository, assetVersionRepository, projectRepository, projectRiskHistoryRepository)
 
 			shouldCalculateHistory, err := cmd.Flags().GetBool("history")
 			if err != nil {
@@ -59,16 +60,16 @@ func newCalculateCmd() *cobra.Command {
 
 			if shouldCalculateHistory {
 				slog.Info("recalculating risk history")
-				// fetch all assets
-				assets, err := assetRepository.GetAllAssetsFromDB()
+				// fetch all assetVersions
+				assetVersions, err := assetVersionRepository.GetAllAssetsVersionFromDB(nil)
 				if err != nil {
 					slog.Error("could not fetch assets", "err", err)
 					return
 				}
 
-				for _, asset := range assets {
-					slog.Info("recalculating risk history for asset", "asset", asset.ID)
-					if err := statisticService.UpdateAssetRiskAggregation(asset.ID, asset.CreatedAt, time.Now(), true); err != nil {
+				for _, version := range assetVersions {
+					slog.Info("recalculating risk history for asset", "assetVersionName", version.Name, "assetID", version.AssetID)
+					if err := statisticService.UpdateAssetRiskAggregation(version.Name, version.AssetID, version.CreatedAt, time.Now(), true); err != nil {
 						slog.Error("could not recalculate risk history", "err", err)
 						return
 					}

diff --git a/cmd/devguard-cli/commands/scan.go b/cmd/devguard-cli/commands/scan.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/l3montree-dev/devguard/internal/core"
 	"github.com/l3montree-dev/devguard/internal/core/asset"
+	"github.com/l3montree-dev/devguard/internal/core/assetversion"
 	"github.com/l3montree-dev/devguard/internal/core/flaw"
 	"github.com/l3montree-dev/devguard/internal/core/normalize"
 	"github.com/l3montree-dev/devguard/internal/core/vulndb/scan"
@@ -37,24 +38,22 @@ func newSbomCommand() *cobra.Command {
 				return
 			}
 			assetRepository := repositories.NewAssetRepository(database)
+			assetVersionRepository := repositories.NewAssetVersionRepository(database)
 			flawRepository := repositories.NewFlawRepository(database)
+			flawService := flaw.NewService(flawRepository, repositories.NewFlawEventRepository(database), assetRepository, repositories.NewCVERepository(database))
 			componentRepository := repositories.NewComponentRepository(database)
-			assetService := asset.NewService(assetRepository, componentRepository, flawRepository, flaw.NewService(
-				flawRepository,
-				repositories.NewFlawEventRepository(database),
-				assetRepository,
-				repositories.NewCVERepository(database),
-			))
+			assetService := asset.NewService(assetRepository, flawRepository, flawService)
+			assetVersionService := assetversion.NewService(assetVersionRepository, componentRepository, flawRepository, flawService, assetService)
 
 			sbomScanner := scan.NewSBOMScanner(scan.NewCPEComparer(database), scan.NewPurlComparer(database), repositories.NewCVERepository(database))
 
-			assets, err := assetRepository.GetAllAssetsFromDB()
+			assetVersions, err := assetVersionRepository.GetAllAssetsVersionFromDB(database)
 			if err != nil {
 				slog.Error("could not get assets", "err", err)
 				return
 			}
-			for _, asset := range assets {
-				components, err := componentRepository.LoadAllLatestComponentFromAsset(nil, asset)
+			for _, assetVersion := range assetVersions {
+				components, err := componentRepository.LoadAllLatestComponentFromAssetVersion(nil, assetVersion, "")
 
 				// group the components by scanner
 				scannerComponents := make(map[string][]models.ComponentDependency)
@@ -66,7 +65,6 @@ func newSbomCommand() *cobra.Command {
 				}
 
 				for scanner, scannerComponents := range scannerComponents {
-
 					now := time.Now()
 					// build the sbom of the asset
 
@@ -75,7 +73,7 @@ func newSbomCommand() *cobra.Command {
 						continue
 					}
 
-					sbom := assetService.BuildSBOM(asset, "latest", "", scannerComponents)
+					sbom := assetVersionService.BuildSBOM(assetVersion, "latest", "", scannerComponents)
 
 					normalizedSBOM := normalize.FromCdxBom(sbom, false)
 
@@ -85,8 +83,10 @@ func newSbomCommand() *cobra.Command {
 						continue
 					}
 
-					amountOpened, amountClosed, flaws, err := assetService.HandleScanResult(
-						asset,
+					amountOpened, amountClosed, flaws, err := assetVersionService.HandleScanResult(
+						// TODO: add the correct asset
+						models.Asset{},
+						assetVersion,
 						vulns,
 						scanner,
 						"latest",
@@ -100,7 +100,7 @@ func newSbomCommand() *cobra.Command {
 						continue
 					}
 
-					slog.Info("scan result", "asset", asset.Name, "totalAmount", len(flaws), "amountOpened", amountOpened, "amountClosed", amountClosed, "duration", time.Since(now))
+					slog.Info("scan result", "asset", assetVersion.Name, "totalAmount", len(flaws), "amountOpened", amountOpened, "amountClosed", amountClosed, "duration", time.Since(now))
 
 				}
 			}

diff --git a/cmd/devguard-cli/main.go b/cmd/devguard-cli/main.go
@@ -55,6 +55,7 @@ func init() {
 	rootCmd.AddCommand(commands.NewVulndbCommand())
 	rootCmd.AddCommand(commands.NewRiskCommand())
 	rootCmd.AddCommand(commands.NewScanCommand())
+	rootCmd.AddCommand(commands.NewMigrateCommand())
 }
 
 func main() {

diff --git a/cmd/devguard-scanner/commands/sca.go b/cmd/devguard-scanner/commands/sca.go
@@ -145,6 +145,45 @@ func isValidPath(path string) (bool, error) {
 	return true, nil
 }
 
+func getCurrentBranchName(path string) (string, error) {
+
+	cmd := exec.Command("git", "rev-parse", "--abbrev-ref", "HEAD")
+	var out bytes.Buffer
+	var errOut bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &errOut
+	cmd.Dir = getDirFromPath(path)
+	err := cmd.Run()
+	if err != nil {
+		slog.Error("could not run git rev-parse --abbrev-ref HEAD", "err", err, "path", getDirFromPath(path), "msg", errOut.String())
+		return "", err
+	}
+
+	return strings.TrimSpace(out.String()), nil
+
+}
+
+func getDefaultBranchName(path string) (string, error) {
+	cmd := exec.Command("git", "symbolic-ref", "refs/remotes/origin/HEAD")
+	var out bytes.Buffer
+	var errOut bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &errOut
+	cmd.Dir = getDirFromPath(path)
+	err := cmd.Run()
+	if err != nil {
+		slog.Error("could not determine default branch", "err", err, "path", getDirFromPath(path), "msg", errOut.String())
+		return "", err
+	}
+
+	parts := strings.Split(strings.TrimSpace(out.String()), "/")
+	if len(parts) == 0 {
+		return "", fmt.Errorf("unexpected format for default branch output")
+	}
+
+	return parts[len(parts)-1], nil
+}
+
 func getCurrentVersion(path string) (string, int, error) {
 	// mark the path as safe git directory
 	slog.Debug("marking path as safe", "path", getDirFromPath(path))
@@ -384,6 +423,7 @@ func addScanFlags(cmd *cobra.Command) {
 	cmd.Flags().String("path", ".", "The path to the project to scan. Defaults to the current directory.")
 	cmd.Flags().String("fail-on-risk", "critical", "The risk level to fail the scan on. Can be 'low', 'medium', 'high' or 'critical'. Defaults to 'critical'.")
 	cmd.Flags().String("webUI", "https://main.devguard.org", "The url of the web UI to show the scan results in. Defaults to 'https://app.devguard.dev'.")
+
 }
 
 func getDirFromPath(path string) string {
@@ -434,6 +474,23 @@ func scaCommandFactory(scanner string) func(cmd *cobra.Command, args []string) e
 		}
 
 		slog.Info("starting scan", "version", version, "asset", assetName)
+
+		branch, err := getCurrentBranchName(path)
+		if err != nil {
+			return errors.Wrap(err, "could not get branch name")
+		}
+
+		defaultBranch, err := getDefaultBranchName(path)
+		if err != nil {
+			return errors.Wrap(err, "could not get default branch name")
+		}
+
+		assetVersion := branch
+
+		if commitAfterTag == 0 {
+			assetVersion = version
+		}
+
 		// read the sbom file and post it to the scan endpoint
 		// get the flaws and print them to the console
 		file, err := generateSBOM(path)
@@ -466,6 +523,8 @@ func scaCommandFactory(scanner string) func(cmd *cobra.Command, args []string) e
 		req.Header.Set("X-Risk-Management", strconv.FormatBool(doRiskManagement))
 		req.Header.Set("X-Asset-Name", assetName)
 		req.Header.Set("X-Asset-Version", version)
+		req.Header.Set("X-Asset-Version-New", assetVersion)
+		req.Header.Set("X-Asset-Default-Branch", defaultBranch)
 		req.Header.Set("X-Scanner", "github.com/l3montree-dev/devguard/cmd/devguard-scanner"+"/"+scanner)
 
 		resp, err := http.DefaultClient.Do(req)