fix: improve vuln report verifier report messages (#1238)
akashsinghal authored Jan 5, 2024
1 parent 23b143d commit b2bf323
Showing 2 changed files with 51 additions and 49 deletions.
56 changes: 29 additions & 27 deletions plugins/verifier/vulnerabilityreport/vulnerability_report.go
Expand Up @@ -97,7 +97,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: error extracting create timestamp annotation:[%v]", err.Error()),
Message: fmt.Sprintf("Validation failed: error extracting create timestamp annotation:[%v]", err.Error()),
}, nil
}

Expand All @@ -109,7 +109,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: error validating maximum age:[%v]", err.Error()),
Message: fmt.Sprintf("Validation failed: error validating maximum age:[%v]", err.Error()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -120,7 +120,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: report is older than maximum age:[%s]", input.MaximumAge),
Message: fmt.Sprintf("Validation failed: report is older than maximum age:[%s]", input.MaximumAge),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -136,7 +136,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("error fetching reference manifest for subject: %s reference descriptor: %v: [%v]", subjectReference, referenceDescriptor.Descriptor, err.Error()),
Message: fmt.Sprintf("Validation failed: error fetching reference manifest for subject: %s reference descriptor: %v: [%v]", subjectReference, referenceDescriptor.Descriptor, err.Error()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -148,7 +148,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: no layers found in manifest for referrer %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()),
Message: fmt.Sprintf("Validation failed: no layers found in manifest for referrer %s@%s", subjectReference.Path, referenceDescriptor.Digest.String()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -162,7 +162,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("error fetching blob for subject:[%s] digest:[%s]: [%v]", subjectReference, blobDesc.Digest, err.Error()),
Message: fmt.Sprintf("Validation failed: error fetching blob for subject:[%s] digest:[%s]: [%v]", subjectReference, blobDesc.Digest, err.Error()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -175,7 +175,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation skipped",
Message: "Validation skipped. passthrough enabled",
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
"passthrough": true,
Expand All @@ -190,7 +190,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: schema validation failed for digest:[%s],artifact type:[%s],parse errors:[%v]", blobDesc.Digest, referenceDescriptor.ArtifactType, err.Error()),
Message: fmt.Sprintf("Validation failed: schema validation failed for digest:[%s],artifact type:[%s],parse errors:[%v]", blobDesc.Digest, referenceDescriptor.ArtifactType, err.Error()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -205,7 +205,7 @@ func VerifyReference(args *skel.CmdArgs, subjectReference common.Reference, refe
Name: input.Name,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation succeeded",
Message: "Validation succeeded",
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand Down Expand Up @@ -238,7 +238,7 @@ func processSarifReport(input *PluginConfig, verifierName string, verifierType s
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: error parsing sarif report:[%v]", err.Error()),
Message: fmt.Sprintf("Validation failed: error parsing sarif report:[%v]", err.Error()),
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand All @@ -250,7 +250,7 @@ func processSarifReport(input *PluginConfig, verifierName string, verifierType s
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: "vulnerability report validation failed: no runs found in sarif report",
Message: "Validation failed: no runs found in sarif report",
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
},
Expand Down Expand Up @@ -280,7 +280,7 @@ func processSarifReport(input *PluginConfig, verifierName string, verifierType s
Name: verifierName,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation succeeded",
Message: "Validation succeeded",
Extensions: map[string]interface{}{
CreatedAnnotation: createdTime,
"scanner": scannerName,
Expand All @@ -305,7 +305,7 @@ func verifyDenyListCVEs(verifierName string, verifierType string, scannerName st
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: rule id not found for result:[%v]", result),
Message: fmt.Sprintf("Validation failed: rule id not found for result:[%v]", result),
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand All @@ -332,18 +332,19 @@ func verifyDenyListCVEs(verifierName string, verifierType string, scannerName st
IsSuccess: false,
Extensions: map[string]interface{}{
"scanner": scannerName,
"denylistCVEs": denylistViolations,
"denylistCVEs": denylistCVEs,
"cveViolations": denylistViolations,
CreatedAnnotation: createdTime,
},
Message: "vulnerability report validation failed",
Message: "Validation failed: found denied CVEs. See extensions field for details.",
}, nil
}

return &verifier.VerifierResult{
Name: verifierName,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation succeeded",
Message: "Validation succeeded",
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand All @@ -354,7 +355,7 @@ func verifyDenyListCVEs(verifierName string, verifierType string, scannerName st
// verifyDisallowedSeverities verifies that the report does not contain any disallowed severity levels
func verifyDisallowedSeverities(verifierName string, verifierType string, scannerName string, sarifReport *sarif.Report, disallowedSeverities []string, createdTime time.Time) (*verifier.VerifierResult, error) {
ruleMap := make(map[string]*sarif.ReportingDescriptor)
violatingRules := make([]sarif.ReportingDescriptor, 0)
violatingRules := make(map[string]string)
// create a map of rule id to rule for easy lookup
for _, rule := range sarifReport.Runs[0].Tool.Driver.Rules {
ruleMap[rule.ID] = rule
Expand All @@ -366,7 +367,7 @@ func verifyDisallowedSeverities(verifierName string, verifierType string, scanne
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: rule id not found for result:[%v]", result),
Message: fmt.Sprintf("Validation failed: rule id not found for result:[%v]", result),
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand All @@ -379,7 +380,7 @@ func verifyDisallowedSeverities(verifierName string, verifierType string, scanne
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: rule not found for result:[%v]", result),
Message: fmt.Sprintf("Validation failed: rule not found for result:[%v]", result),
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand All @@ -392,17 +393,17 @@ func verifyDisallowedSeverities(verifierName string, verifierType string, scanne
Name: verifierName,
Type: verifierType,
IsSuccess: false,
Message: fmt.Sprintf("vulnerability report validation failed: error extracting severity:[%v]", err.Error()),
Message: fmt.Sprintf("Validation failed: error extracting severity:[%v]", err.Error()),
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
},
}, nil
}
// check if the severity is disallowed and add it to the list of violating rules
// check if the severity is disallowed and add it to the map of violating CVE IDs
for _, disallowed := range disallowedSeverities {
if strings.EqualFold(severity, disallowed) {
violatingRules = append(violatingRules, *rule)
violatingRules[rule.ID] = severity
}
}
}
Expand All @@ -413,18 +414,19 @@ func verifyDisallowedSeverities(verifierName string, verifierType string, scanne
Type: verifierType,
IsSuccess: false,
Extensions: map[string]interface{}{
"scanner": scannerName,
"severityViolations": violatingRules,
CreatedAnnotation: createdTime,
"scanner": scannerName,
"disallowedSeverities": disallowedSeverities,
"severityViolations": violatingRules,
CreatedAnnotation: createdTime,
},
Message: "vulnerability report validation failed",
Message: "Validation failed: found disallowed severities. See extensions field for details.",
}, nil
}
return &verifier.VerifierResult{
Name: verifierName,
Type: verifierType,
IsSuccess: true,
Message: "vulnerability report validation succeeded",
Message: "Validation succeeded",
Extensions: map[string]interface{}{
"scanner": scannerName,
CreatedAnnotation: createdTime,
Expand Down
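Review bot: The `Extensions` payload changes shape in ways the commit does not call out and that silently break any consumer keyed on the old names: in verifyDenyListCVEs the `"denylistCVEs"` key previously carried the violations and now carries the configured deny list, with the violations moved to the new `"cveViolations"` key, and in verifyDisallowedSeverities `"severityViolations"` changes from a list of rule descriptors to a `map[string]string` of rule ID to severity. If any policy or caller reads `extensions.denylistCVEs` to decide on denial it would now see configuration instead of findings, so either document the key change in the commit description and verifier docs, or keep the old key's meaning and expose the configuration under a distinct name such as `"denylistConfig"` (constructed example). The new map also collapses repeated results for the same rule ID into one entry, which is reasonable for a set of CVE IDs but drops the per-result count; the comment above the loop could say `// map of violating rule ID to severity; repeated results for one rule collapse to a single entry`. Both enclosing functions start and end outside the hunks. Minor: `"Validation skipped. passthrough enabled"` does not follow the `"Validation failed: ..."` form used everywhere else; `Message: "Validation skipped: passthrough enabled",` would be consistent.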