From ecc7a326f1a4038cd852b9e6d620d0187377e5c8 Mon Sep 17 00:00:00 2001 From: Dominik Richter Date: Mon, 16 Oct 2023 23:04:12 -0700 Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=B9=20create=20a=20resilient=20v8=20an?= =?UTF-8?q?d=20v9+=20vuln=20report?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We recently hotfixed an issue that caused the report not to show on v9+, because older v8 code-paths were taken: https://github.com/mondoohq/cnspec/pull/850 When the upstream reporting eventually switches over to use `asset` instead of `platform`, this hotfix will fail. This PR create a more resilient approach to the vulnerability report, supporting both v8 and v9+ Signed-off-by: Dominik Richter
---
 cli/reporter/junit.go | 13 ++----------- cli/reporter/print_compact.go | 12 ++---------- cli/reporter/render_advisory_policy.go | 16 ++++----------- cli/reporter/reporter.go | 27 +++++++++++++++++++++++++- 4 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/cli/reporter/junit.go b/cli/reporter/junit.go
index 0bae02b5..78b255fc 100644
--- a/cli/reporter/junit.go
+++ b/cli/reporter/junit.go
@@ -10,9 +10,7 @@ import (
 
  "github.com/jstemmer/go-junit-report/v2/junit"
  "github.com/mitchellh/mapstructure"
- "github.com/rs/zerolog/log"
  "go.mondoo.com/cnquery/v9/explorer"
- "go.mondoo.com/cnquery/v9/providers"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/inventory"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream/mvd"
  "go.mondoo.com/cnquery/v9/shared"
@@ -164,18 +162,11 @@ func assetMvdTests(r *policy.ReportCollection, assetMrn string, assetObj *invent
  return nil
  }
 
- schema := providers.DefaultRuntime().Schema()
- vulnChecksum, err := defaultChecksum(vulnReport, schema)
- if err != nil {
- log.Debug().Err(err).Msg("could not determine vulnerability report checksum")
- }
-
  rawResults := results.RawResults()
- value, ok := rawResults[vulnChecksum]
- if !ok {
+ value, err := getVulnReport(rawResults)
+ if err != nil {
  return nil
  }
-
  if value == nil || value.Data == nil {
  return nil
  }
diff --git a/cli/reporter/print_compact.go b/cli/reporter/print_compact.go
index 6ab1fe8d..51386eda 100644
--- a/cli/reporter/print_compact.go
+++ b/cli/reporter/print_compact.go
@@ -18,7 +18,6 @@ import (
  "go.mondoo.com/cnquery/v9/cli/components"
  "go.mondoo.com/cnquery/v9/explorer"
  "go.mondoo.com/cnquery/v9/llx"
- "go.mondoo.com/cnquery/v9/providers"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/inventory"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream/mvd"
  "go.mondoo.com/cnquery/v9/utils/stringx"
@@ -586,16 +585,9 @@ func (r *defaultReporter) printCheck(score *policy.Score, query *explorer.Mquery
 func (r *defaultReporter) printVulns(resolved *policy.ResolvedPolicy, report *policy.Report, results map[string]*llx.RawResult) {
  print := r.Printer
 
- schema := providers.DefaultRuntime().Schema()
- vulnChecksum, err := defaultChecksum(vulnReport, schema)
+ value, err := getVulnReport(results)
  if err != nil {
- log.Debug().Err(err).Msg("could not determine vulnerability report checksum")
- r.out.Write([]byte(print.Error("No vulnerabilities for this provider")))
- return
- }
-
- value, ok := results[vulnChecksum]
- if !ok {
+ r.out.Write([]byte(print.Error(err.Error())))
  return
  }
 
diff --git a/cli/reporter/render_advisory_policy.go b/cli/reporter/render_advisory_policy.go
index e5efc272..4cb2a56c 100644
--- a/cli/reporter/render_advisory_policy.go
+++ b/cli/reporter/render_advisory_policy.go
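Review bot: In the printVulns hunk, `value` can now be nil with a nil error past the added check, because getVulnReport's v8 fallback in reporter.go returns `results[vulnChecksum]` without testing presence, whereas the removed `if !ok { … return }` guaranteed a found entry. printVulns continues outside the hunk, so I cannot see whether it nil-checks `value` the way assetMvdTests and renderAdvisoryPolicy do with `if value == nil || value.Data == nil`; if it does not, the first dereference panics for assets whose results hold neither query. Keeping the guard here, `if value == nil || value.Data == nil { r.out.Write([]byte(print.Error("No vulnerabilities for this provider"))); return }`, is the minimal fix, and making getVulnReport return an error on a missing key would cover all three callers at once.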
@@ -36,21 +36,12 @@ func renderAdvisoryPolicy(print *printer.Printer, policyObj *policy.Policy, repo
  // render mini score card
  score := report.Scores[policyObj.Mrn]
 
- schema := providers.DefaultRuntime().Schema()
- vulnChecksum, err := defaultChecksum(vulnReport, schema)
- if err != nil {
- log.Debug().Err(err).Msg("could not determine vulnerability report checksum")
- b.WriteString(print.Error("no vulnerabilities for this provider"))
- return b.String()
- }
-
  results := report.Data
- value, ok := results[vulnChecksum]
- if !ok {
- b.WriteString(print.Error("could not find advisory report" + NewLineCharacter + NewLineCharacter))
+ value, err := getVulnReport(results)
+ if err != nil {
+ b.WriteString(print.Error(err.Error()))
  return b.String()
  }
-
  if value == nil || value.Data == nil {
  b.WriteString(print.Error("could not load advisory report" + NewLineCharacter + NewLineCharacter))
  return b.String()
@@ -96,6 +87,7 @@ func renderAdvisoryPolicy(print *printer.Printer, policyObj *policy.Policy, repo
  }
 
  // render additional information
+ schema := providers.DefaultRuntime().Schema()
  kernelInstalledChecksum, err := defaultChecksum(kernelInstalled, schema)
  if err != nil {
  log.Debug().Err(err).Msg("could not determine installed kernel checksum")
diff --git a/cli/reporter/reporter.go b/cli/reporter/reporter.go
index af7d6276..6f376c53 100644
--- a/cli/reporter/reporter.go
+++ b/cli/reporter/reporter.go
@@ -9,11 +9,13 @@ import (
  "io"
  "strings"
 
+ "github.com/rs/zerolog/log"
  "go.mondoo.com/cnquery/v9"
  "go.mondoo.com/cnquery/v9/cli/printer"
  "go.mondoo.com/cnquery/v9/cli/theme/colors"
  "go.mondoo.com/cnquery/v9/llx"
  "go.mondoo.com/cnquery/v9/mqlc"
+ "go.mondoo.com/cnquery/v9/providers"
  "go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream/mvd"
  "go.mondoo.com/cnquery/v9/shared"
  "go.mondoo.com/cnspec/v9/policy"
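Review bot: The new error line in the first renderAdvisoryPolicy hunk is written without the trailing `NewLineCharacter + NewLineCharacter` that the removed "could not find advisory report" message carried and that the sibling "could not load advisory report" branch two lines below still appends, so the rendered card now ends with different spacing depending on which branch fails. `b.WriteString(print.Error(err.Error() + NewLineCharacter + NewLineCharacter))` keeps the two branches consistent. renderAdvisoryPolicy starts and ends outside the hunk.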
@@ -23,7 +25,8 @@ import (
 type mqlCode string
 
 const (
- vulnReport mqlCode = "platform.vulnerabilityReport"
+ vulnReportV8 mqlCode = "platform.vulnerabilityReport"
+ vulnReportV9 mqlCode = "asset.vulnerabilityReport"
  kernelInstalled mqlCode = "kernel.installed"
 )
 
@@ -32,6 +35,28 @@ var _defaultChecksums = map[mqlCode]struct {
  err error
 }{}
 
+func getVulnReport[T any](results map[string]*T) (*T, error) {
+ schema := providers.DefaultRuntime().Schema()
+ vulnChecksum, err := defaultChecksum(vulnReportV9, schema)
+ if err != nil {
+ log.Debug().Err(err).Msg("could not determine vulnerability report checksum")
+ return nil, errors.New("No vulnerabilities for this provider")
+ }
+ if value, ok := results[vulnChecksum]; ok {
+ return value, nil
+ }
+
+ // FIXME: DEPRECATED, remove in v11.0 vv
+ vulnChecksum, err = defaultChecksum(vulnReportV8, schema)
+ if err != nil {
+ log.Debug().Err(err).Msg("could not determine vulnerability report checksum")
+ return nil, errors.New("No vulnerabilities for this provider")
+ }
+ value, _ := results[vulnChecksum]
+ return value, nil
+ // ^^
+}
+
 func defaultChecksum(code mqlCode, schema llx.Schema) (string, error) {
  res, ok := _defaultChecksums[code]
  if ok {
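Review bot: The v8 fallback at the end of getVulnReport returns `(nil, nil)` when neither checksum is present in results, because `value, _ := results[vulnChecksum]` discards the presence flag, while the v9 path only errors when the checksum cannot be computed; every caller is then left to nil-check `value` itself, and the blank assignment is also redundant (`value := results[vulnChecksum]` reads the same) and is what staticcheck flags. Returning an error on a miss puts that handling in one place, as sketched below. The function also lacks a doc comment; something like `// getVulnReport returns the vulnerability report from results, trying the v9+ asset.vulnerabilityReport checksum first and falling back to the deprecated v8 platform.vulnerabilityReport checksum.` would do. `errors.New` is used but the import hunk does not add `errors`, so presumably it is already imported above line 9.
```go
	// FIXME: DEPRECATED, remove in v11.0 vv
	vulnChecksum, err = defaultChecksum(vulnReportV8, schema)
	// … unchanged: checksum error handling …
	if value, ok := results[vulnChecksum]; ok {
		return value, nil
	}
	// ^^
	return nil, errors.New("could not find advisory report")
```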