Add Istio request handler and business logics for fetching Istio CVEs

[daynewlee]

Add functionalities of fetch Istio CVEs, converting Istio CVEs to responses and handling Istio CVE get requests.

[ghost]

Images are ready for the commit at abc1e5c.

To use the images, use the tag 2.26.x-24-gabc1e5cb92.

[daynewlee]

Manual test with http request

curl "https://localhost:8443/v1/orchestrator/istio/vulnerabilities/1.13.6" -k

{"scannerVersion":"2.26.x-15-g341eca297c","vulnerabilities":[{"name":"ISTIO-SECURITY-2022-006","description":"Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing","link":"https://istio.io/latest/news/security/istio-security-2022-006/","metadataV2":{"publishedDateTime":"2022-07-26T00:00Z","lastModifiedDateTime":"","cvssV2":null,"cvssV3":{"vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","score":5.9,"exploitabilityScore":2.2,"impactScore":3.6}},"fixedBy":"1.13.7","severity":"Moderate"}]}

[RTann]

A few changes requested. Also, be sure to rebase to get the new *zip.Reader updates

[RTann]

nit: declare this closer to where it's used

[RTann]

bump ^

[RTann]

Unable to convert Istio version etc

[RTann]

remove newline

[RTann]

This doesn't seem to ever return an error, so no need for that return type

[RTann]

Almost there!

[RTann]

I don't think this needs to be a closure. Why not just run these steps and then eventually set resp.Vulnerabilities = filterInvalidVulns(converted)

[RTann]

I think it may be more worthwhile to give an Istio version and ensure we find specific vulnerabilities. For example, we know Istio verison 1.13.6 is affected by ISTIO-SECURITY-2022-007, which has a specific description and CVSS and is fixed by 1.13.9

[RTann]

nit the directory and package name should be all lowercase: istioutil

[RTann]

can probably just rename to IsAffected since it's clear this is about Istio from the package name

[RTann]

can we pass in a version.Version instead of a string?

[RTann]

can you add a comment why we ignore errors here?

[openshift-ci]

@daynewlee: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-tests	abc1e5c	link	false	/test e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[RTann]

a few minor nits. Going to approve to avoid having to do another review cycle, but please take a look at the suggestions

[RTann]

nit: Istio version

[RTann]

// IsAffected returns whether the given version of Istio is affected by the given vulnerability.
// If it is, then the fixed-by version is returned as well.

[RTann]

missed this before, sorry. Let's call this err instead, as error is the type

[RTann]

Suggested change

	c.cacheRWLock.RLock()
	defer c.cacheRWLock.RUnlock()
	var vulns []types.Vuln
	v, err := version.NewVersion(vStr)
	if err != nil {
	log.Infof("Failed to get version: %s", vStr)
	return nil
	}
	var vulns []types.Vuln
	v, err := version.NewVersion(vStr)
	if err != nil {
	log.Infof("Failed to get version: %s", vStr)
	return nil
	}
	c.cacheRWLock.RLock()
	defer c.cacheRWLock.RUnlock()

[RTann]

This way, we only lock when we have to

[RTann]

Can we leave a comment saying we know this version is affected, which is why we can ignore that return value?

[RTann]

I think you meant %v at the end?