Updated e2e test

api/v1/convert/istio.go

@@ -1,38 +1,44 @@
 package convert
 
 import (
+	"github.com/hashicorp/go-version"
 	log "github.com/sirupsen/logrus"
 	"github.com/stackrox/istio-cves/types"
 	"github.com/stackrox/rox/pkg/stringutils"
 	v1 "github.com/stackrox/scanner/generated/scanner/api/v1"
-	"github.com/stackrox/scanner/pkg/istioUtil"
+	"github.com/stackrox/scanner/pkg/istioutil"
 	pkgtypes "github.com/stackrox/scanner/pkg/types"
 )
 
 // IstioVulnerabilities converts istio cve schema to vulnerability.
-func IstioVulnerabilities(version string, istioVulns []types.Vuln) []*v1.Vulnerability {
+func IstioVulnerabilities(vStr string, istioVulns []types.Vuln) []*v1.Vulnerability {
 	res := make([]*v1.Vulnerability, 0, len(istioVulns))
-	for _, v := range istioVulns {
-		m, err := pkgtypes.ConvertMetadataFromIstio(v)
+	v, err := version.NewVersion(vStr)
+	if err != nil {
+		log.Infof("Failed to get version: %s", vStr)
+		return nil
+	}
+	for _, istioVuln := range istioVulns {
+		m, err := pkgtypes.ConvertMetadataFromIstio(istioVuln)
 		if err != nil {
-			log.Errorf("unable to convert metadata for %s: %v", v.Name, err)
+			log.Errorf("unable to convert metadata for %s: %istioVuln", istioVuln.Name, err)
 			continue
 		}
 		if m.IsNilOrEmpty() {
-			log.Warnf("nil or empty metadata for %s", v.Name)
+			log.Warnf("nil or empty metadata for %s", istioVuln.Name)
 			continue
 		}
 
-		link := stringutils.OrDefault(v.Link, "https://istio.io/latest/news/security/")
-		_, fixedBy, err := istioUtil.IstioIsAffected(version, v)
+		link := stringutils.OrDefault(istioVuln.Link, "https://istio.io/latest/news/security/")
+		_, fixedBy, err := istioutil.IsAffected(v, istioVuln)
 		if err != nil {
-			log.Errorf("unable to get fixedBy for %s: %v", v.Name, err)
+			log.Errorf("unable to get fixedBy for %s: %istioVuln", istioVuln.Name, err)
 			continue
 		}
 
 		res = append(res, &v1.Vulnerability{
-			Name:        v.Name,
-			Description: v.Description,
+			Name:        istioVuln.Name,
+			Description: istioVuln.Description,
 			Link:        link,
 			MetadataV2:  Metadata(m),
 			FixedBy:     fixedBy,

api/v1/orchestratorscan/service.go

@@ -38,6 +38,8 @@ func NewService(db database.Datastore, k8sCache k8scache.Cache, istioCache istio
 }
 
 type serviceImpl struct {
+	v1.UnimplementedOrchestratorScanServiceServer
+
 	version    string
 	db         database.Datastore
 	k8sCache   k8scache.Cache
@@ -110,31 +112,24 @@ func (s *serviceImpl) GetKubeVulnerabilities(_ context.Context, req *v1.GetKubeV
 
 // GetIstioVulnerabilities returns Istio vulnerabilities for requested Kubernetes version.
 func (s *serviceImpl) GetIstioVulnerabilities(_ context.Context, req *v1.GetIstioVulnerabilitiesRequest) (*v1.GetIstioVulnerabilitiesResponse, error) {
-	var err error
 	resp := &v1.GetIstioVulnerabilitiesResponse{
 		ScannerVersion: s.version,
 	}
 
-	getIstioVuln := func(version string) ([]*v1.Vulnerability, error) {
-		if version == "" {
-			return nil, errors.New("Can't get vulnerabilities for empty version.")
-		}
-		version, err := convert.TruncateVersion(version)
-		if err != nil {
-			log.Warnf("Unable to convert Istio version of %s - %v. Skipping...", version, err)
-			return nil, nil
-		}
-
-		vulns := s.istioCache.GetVulnsByVersion(version)
-		converted := convert.IstioVulnerabilities(version, vulns)
-		return filterInvalidVulns(converted), nil
+	if req.GetIstioVersion() == "" {
+		return nil, errors.New("Can't get vulnerabilities for empty version.")
 	}
-
-	resp.Vulnerabilities, err = getIstioVuln(req.GetIstioVersion())
+	version, err := convert.TruncateVersion(req.GetIstioVersion())
 	if err != nil {
-		return nil, status.Error(codes.Internal, err.Error())
+		log.Warnf("Unable to convert Istio version of %s - %v. Skipping...", version, err)
+		return nil, nil
 	}
 
+	vulns := s.istioCache.GetVulnsByVersion(version)
+	converted := convert.IstioVulnerabilities(version, vulns)
+
+	resp.Vulnerabilities = filterInvalidVulns(converted)
+
 	return resp, nil
 }
 

e2etests/orchestrator_scan_test.go

@@ -24,28 +24,52 @@ func TestGRPCGetIstioVulnerabilities(t *testing.T) {
 	conn := connectToScanner(t)
 	client := v1.NewOrchestratorScanServiceClient(conn)
 
-	testCases := []struct {
-		version string
-		fixedBy string
-	}{
+	type istionVulnStruct struct {
+		version  string
+		name     string
+		fixedBy  string
+		severity string
+		score    float32
+	}
+
+	testCases := []istionVulnStruct{
+		{
+			version:  "1.13.6",
+			name:     "ISTIO-SECURITY-2022-006",
+			fixedBy:  "1.13.7",
+			severity: "Moderate",
+			score:    5.9,
+		},
 		{
-			version: "1.13.6",
-			fixedBy: "1.13.7",
+			version:  "1.14.0",
+			name:     "ISTIO-SECURITY-2022-007",
+			fixedBy:  "1.14.5",
+			severity: "Important",
+			score:    7.5,
 		},
 	}
 
+	testSet := make(map[string]istionVulnStruct)
+
 	for _, c := range testCases {
 		t.Run(fmt.Sprintf("case-%s", c.version), func(t *testing.T) {
 			req := &v1.GetIstioVulnerabilitiesRequest{IstioVersion: c.version}
 			resp, err := client.GetIstioVulnerabilities(context.Background(), req)
 			assert.NoError(t, err)
-			testSet := make(map[string]bool)
+
 			for _, vuln := range resp.GetVulnerabilities() {
 				assert.NotNil(t, vuln.GetMetadataV2().GetCvssV3())
+				assert.NotEmpty(t, vuln.Name)
 				assert.NotEmpty(t, vuln.FixedBy)
-				testSet[vuln.FixedBy] = true
+				assert.NotEmpty(t, vuln.Severity)
+				sample := istionVulnStruct{version: c.version, name: vuln.Name, fixedBy: vuln.FixedBy, severity: vuln.Severity, score: vuln.GetMetadataV2().GetCvssV3().Score}
+				testSet[vuln.Name] = sample
 			}
-			assert.True(t, testSet[c.fixedBy])
+
+			assert.NotEmpty(t, testSet[c.name])
+			assert.Equal(t, c.fixedBy, testSet[c.name].fixedBy)
+			assert.Equal(t, c.severity, testSet[c.name].severity)
+			assert.Equal(t, c.score, testSet[c.name].score)
 		})
 	}
 }

istio/cache/db.go

@@ -4,8 +4,10 @@ import (
 	"sync"
 	"time"
 
+	"github.com/hashicorp/go-version"
+	log "github.com/sirupsen/logrus"
 	"github.com/stackrox/istio-cves/types"
-	"github.com/stackrox/scanner/pkg/istioUtil"
+	"github.com/stackrox/scanner/pkg/istioutil"
 	"github.com/stackrox/scanner/pkg/vulndump"
 )
 
@@ -23,15 +25,23 @@ type cacheImpl struct {
 	lastUpdatedTime time.Time
 }
 
-func (c *cacheImpl) GetVulnsByVersion(version string) []types.Vuln {
+func (c *cacheImpl) GetVulnsByVersion(vStr string) []types.Vuln {
 	c.cacheRWLock.RLock()
 	defer c.cacheRWLock.RUnlock()
 
 	var vulns []types.Vuln
+	v, err := version.NewVersion(vStr)
+	if err != nil {
+		log.Infof("Failed to get version: %s", vStr)
+		return nil
+	}
 	for _, vuln := range c.cache {
-		isAffected, _, _ := istioUtil.IstioIsAffected(version, vuln)
+		isAffected, _, error := istioutil.IsAffected(v, vuln)
+		if error != nil {
+			continue
+		}
 		if isAffected {
-			// Only return vulnerabilities relevant to the given version.
+			// Only return vulnerabilities relevant to the given vStr.
 			vulns = append(vulns, vuln)
 		}
 	}

pkg/istioUtil/util.go → pkg/istioutil/util.go

@@ -1,17 +1,12 @@
-package istioUtil
+package istioutil
 
 import (
 	"github.com/hashicorp/go-version"
 	"github.com/stackrox/istio-cves/types"
 )
 
-// IstioIsAffected gets the fixed-by version for vStr in Istion vuln.
-func IstioIsAffected(vStr string, vuln types.Vuln) (bool, string, error) {
-	v, err := version.NewVersion(vStr)
-	if err != nil {
-		return false, "", err
-	}
-
+// IsAffected gets the fixed-by version for vStr in Istion vuln.
+func IsAffected(v *version.Version, vuln types.Vuln) (bool, string, error) {
 	for _, affected := range vuln.Affected {
 		constraint, err := version.NewConstraint(affected.Range)
 		if err != nil {