Skip to content

Commit

Permalink
(cherry-pick) Refine total artifact and scanned artifact (#19229)
Browse files Browse the repository at this point in the history
Refine total artifact and scanned artifact

  Artifact include all accessory, child artifact
  fixes #19215

Signed-off-by: stonezdj <[email protected]>
  • Loading branch information
stonezdj authored Aug 22, 2023
1 parent 90e526e commit 6366828
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 30 deletions.
32 changes: 5 additions & 27 deletions src/pkg/securityhub/dao/security.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,38 +48,16 @@ where a.digest = s.digest
order by s.critical_cnt desc, s.high_cnt desc, s.medium_cnt desc, s.low_cnt desc
limit 5`

// sql to query the total artifact count,
// 1. exclude the artifact accessory,
// 2. exclude child artifact without tag
// 3. include top level artifact in image index
// The totalArtifactCountSQL and scannedArtifactCountSQL should use the same criteria to filter the artifact
totalArtifactCountSQL = `SELECT COUNT(1)
FROM artifact a
WHERE NOT EXISTS (select 1 from artifact_accessory acc WHERE acc.artifact_id = a.id)
AND (EXISTS (SELECT 1 FROM tag WHERE tag.artifact_id = a.id)
OR NOT EXISTS (SELECT 1 FROM artifact_reference ref WHERE ref.child_id = a.id))`
// sql to query the total artifact count, include all artifacts in the artifact table
totalArtifactCountSQL = `SELECT COUNT(1) FROM artifact`

// sql to query the scanned artifact count,
// exclude the artifact accessory, and child artifact in image index (without tag),
// include the image index artifact which at least one child artifact is scanned
// sql to query the scanned artifact count, include all artifacts in the artifact table
scannedArtifactCountSQL = `SELECT COUNT(1)
FROM artifact a
WHERE EXISTS (SELECT 1
FROM scan_report s
WHERE a.digest = s.digest
AND s.registration_uuid = ?)
-- exclude artifact accessory
AND NOT EXISTS (SELECT 1 FROM artifact_accessory acc WHERE acc.artifact_id = a.id)
-- not a child without tag
AND NOT EXISTS (SELECT 1 FROM artifact_reference WHERE child_id = a.id AND NOT EXISTS (SELECT 1 FROM tag WHERE artifact_id = a.id))
-- include image index which is scanned
OR EXISTS (SELECT 1
FROM scan_report s,
artifact_reference ref
WHERE s.digest = ref.child_digest
AND ref.parent_id = a.id AND s.registration_uuid = ? AND NOT EXISTS (SELECT 1
FROM scan_report s
WHERE s.digest = a.digest and s.registration_uuid = ?))`
AND s.registration_uuid = ?)`

// sql to query the dangerous CVEs
// sort the CVEs by CVSS score and severity level, make sure it is referred by a report
Expand Down Expand Up @@ -268,7 +246,7 @@ func (d *dao) ScannedArtifactsCount(ctx context.Context, scannerUUID string, pro
if err != nil {
return cnt, err
}
err = o.Raw(scannedArtifactCountSQL, scannerUUID, scannerUUID, scannerUUID).QueryRow(&cnt)
err = o.Raw(scannedArtifactCountSQL, scannerUUID).QueryRow(&cnt)
return cnt, err
}
func (d *dao) DangerousCVEs(ctx context.Context, scannerUUID string, projectID int64, query *q.Query) ([]*scan.VulnerabilityRecord, error) {
Expand Down
7 changes: 4 additions & 3 deletions src/pkg/securityhub/dao/security_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,9 +79,9 @@ func (suite *SecurityDaoTestSuite) TearDownTest() {
testDao.ExecuteBatchSQL([]string{
`delete from scan_report where uuid = 'uuid'`,
`delete from tag where id = 1001`,
`delete from artifact where digest = 'digest1001'`,
`delete from artifact_accessory where id = 1001`,
`delete from artifact_reference where id = 1001`,
`delete from artifact where digest = 'digest1001'`,
`delete from scanner_registration where uuid='ruuid'`,
`delete from scanner_registration where uuid='uuid2'`,
`delete from vulnerability_record where cve_id='2023-4567-12345'`,
Expand Down Expand Up @@ -149,7 +149,7 @@ func Test_checkQFilter(t *testing.T) {
}
}

func (suite *SecurityDaoTestSuite) TestExacthMatchFilter() {
func (suite *SecurityDaoTestSuite) TestExactMatchFilter() {
type args struct {
ctx context.Context
key string
Expand Down Expand Up @@ -199,7 +199,8 @@ func (suite *SecurityDaoTestSuite) TestRangeFilter() {
func (suite *SecurityDaoTestSuite) TestCountArtifact() {
count, err := suite.dao.TotalArtifactsCount(suite.Context(), 0)
suite.NoError(err)
suite.Equal(int64(1), count)
// includes artifact_accessory(1), child artifact of image index(1), image index(1)
suite.Equal(int64(3), count)
}
func (suite *SecurityDaoTestSuite) TestCountVul() {
count, err := suite.dao.CountVulnerabilities(suite.Context(), "ruuid", 0, true, nil)
Expand Down

0 comments on commit 6366828

Please sign in to comment.