✨ Add new server-side vulnerability report

cnspec fetches the vulnerability report from upstream and displays the list of vulnerable packages from this report.

Signed-off-by: Christian Zunker <[email protected]>

apps/cnspec/cmd/vuln.go

@@ -4,9 +4,9 @@
 package cmd
 
 import (
+	"encoding/json"
 	"os"
 
-	"github.com/mitchellh/mapstructure"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -15,8 +15,10 @@ import (
 	"go.mondoo.com/cnquery/v9/logger"
 	"go.mondoo.com/cnquery/v9/providers"
 	"go.mondoo.com/cnquery/v9/providers-sdk/v1/plugin"
+	"go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream/gql"
 	"go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream/mvd"
 	"go.mondoo.com/cnspec/v9/cli/reporter"
+	mondoogql "go.mondoo.com/mondoo-go"
 	"go.mondoo.com/ranger-rpc/codes"
 	"go.mondoo.com/ranger-rpc/status"
 )
@@ -59,15 +61,14 @@ var vulnCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *pl
 		log.Fatal().Msg(unauthedErrorMsg)
 	}
 
-	res, err := runtime.Provider.Instance.Plugin.Connect(&plugin.ConnectReq{
+	err = runtime.Connect(&plugin.ConnectReq{
 		Features: conf.Features,
 		Asset:    cliRes.Asset,
 		Upstream: runtime.UpstreamConfig,
-	}, nil)
+	})
 	if err != nil {
 		log.Fatal().Err(err).Msg("could not load asset information")
 	}
-	runtime.Provider.Connection = res
 
 	// when we close the shell, we need to close the backend and store the recording
 	onCloseHandler := func() {
@@ -88,60 +89,73 @@ var vulnCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *pl
 		log.Error().Err(err).Msg("failed to initialize cnspec shell")
 	}
 
-	vulnReportQuery := "asset.vulnerabilityReport"
-	vulnReportDatapointChecksum := executor.MustGetOneDatapoint(executor.MustCompile(vulnReportQuery))
-	_, results, err := sh.RunOnce(vulnReportQuery)
+	packagesQuery := "packages{ name version }"
+	packagesDatapointChecksum := executor.MustGetOneDatapoint(executor.MustCompile(packagesQuery))
+	codeBundle, results, err := sh.RunOnce(packagesQuery)
 	if err != nil {
 		log.Error().Err(err).Msg("failed to run query")
 		return
 	}
 
 	// render vulnerability report
-	var vulnReport mvd.VulnReport
-	value, ok := results[vulnReportDatapointChecksum]
+	value, ok := results[packagesDatapointChecksum]
 	if !ok {
-		log.Error().Msg("could not find advisory report\n\n")
+		log.Error().Msg("could not find packages data\n\n")
 		return
 	}
 
 	if value == nil || value.Data == nil {
-		log.Error().Msg("could not load advisory report\n\n")
+		log.Error().Msg("could not load packages data\n\n")
 		return
 	}
 
 	if value.Data.Error != nil {
-		err := value.Data.Error
+		log.Err(value.Data.Error).Msg("could not load packages data\n\n")
+		return
+	}
+
+	packagesJson := value.Data.JSON(packagesDatapointChecksum, codeBundle)
+
+	gqlPackages := []mondoogql.PackageInput{}
+	err = json.Unmarshal(packagesJson, &gqlPackages)
+	if err != nil {
+		log.Error().Err(err).Msg("failed to unmarshal packages")
+		return
+	}
+
+	client, err := runtime.UpstreamConfig.InitClient()
+	if err != nil {
 		if status, ok := status.FromError(err); ok {
 			code := status.Code()
 			switch code {
 			case codes.Unauthenticated:
 				log.Fatal().Msg(unauthedErrorMsg)
 			default:
-				log.Err(value.Data.Error).Msg("could not load advisory report")
+				log.Err(err).Msg("could not authenticate upstream")
 				return
 			}
 		}
 	}
+	mondooClient, err := gql.NewClient(*runtime.UpstreamConfig, client.HttpClient)
 
-	rawData := value.Data.Value
-	cfg := &mapstructure.DecoderConfig{
-		Metadata: nil,
-		Result:   &vulnReport,
-		TagName:  "json",
-	}
-	decoder, _ := mapstructure.NewDecoder(cfg)
-	err = decoder.Decode(rawData)
+	platform := runtime.Provider.Connection.GetAsset().GetPlatform()
+	gqlVulnReport, err := mondooClient.GetIncognitoVulnReport(mondoogql.PlatformInput{
+		Name:    mondoogql.NewStringPtr(mondoogql.String(platform.Name)),
+		Release: mondoogql.NewStringPtr(mondoogql.String(platform.Version)),
+	}, gqlPackages)
 	if err != nil {
-		log.Error().Msg("could not decode advisory report\n\n")
+		log.Error().Err(err).Msg("could not load advisory report")
 		return
 	}
 
+	vulnReport := gql.ConvertToMvdVulnReport(gqlVulnReport)
+
 	target := runtime.Provider.Connection.Asset.Name
 	if target == "" {
 		target = runtime.Provider.Connection.Asset.Mrn
 	}
 
-	printVulns(&vulnReport, conf, target)
+	printVulns(vulnReport, conf, target)
 }
 
 func printVulns(report *mvd.VulnReport, conf *scanConfig, target string) {

cli/reporter/print_compact.go

@@ -11,7 +11,6 @@ import (
 	"strings"
 	"unicode/utf8"
 
-	"github.com/mitchellh/mapstructure"
 	"github.com/muesli/ansi"
 	"github.com/muesli/termenv"
 	"github.com/rs/zerolog/log"
@@ -362,7 +361,7 @@ func (r *defaultReporter) printAssetSections(orderedAssets []assetMrnName) {
 		r.printAssetQueries(resolved, report, queries, assetMrn, asset)
 		r.out.Write([]byte(NewLineCharacter))
 		// TODO: we should re-use the report results
-		r.printVulns(resolved, report, report.RawResults())
+		r.printVulns(report, assetMrn)
 
 	}
 	r.out.Write([]byte(NewLineCharacter))
@@ -586,39 +585,21 @@ func (r *defaultReporter) printCheck(score *policy.Score, query *explorer.Mquery
 
 // ============================= ^^ ============================================
 
-func (r *defaultReporter) printVulns(resolved *policy.ResolvedPolicy, report *policy.Report, results map[string]*llx.RawResult) {
+func (r *defaultReporter) printVulns(report *policy.Report, assetMrn string) {
 	print := r.Printer
 
-	value, _ := getVulnReport(results)
-	if value == nil || value.Data == nil {
-		return
-	}
-	if value.Data.Error != nil {
-		r.out.Write([]byte(print.Error("Could not load the vulnerability report: "+value.Data.Error.Error()) + NewLineCharacter + NewLineCharacter))
+	vulnReport := r.data.VulnReports[assetMrn]
+
+	if vulnReport == nil {
 		return
 	}
-
 	r.out.Write([]byte(print.Primary("Vulnerabilities:" + NewLineCharacter)))
 
 	score := report.Scores[advisoryPolicyMrn]
 	_ = score
 
-	rawData := value.Data.Value
-
-	var vulnReport mvd.VulnReport
-	cfg := &mapstructure.DecoderConfig{
-		Metadata: nil,
-		Result:   &vulnReport,
-		TagName:  "json",
-	}
-	decoder, _ := mapstructure.NewDecoder(cfg)
-	if err := decoder.Decode(rawData); err != nil {
-		r.out.Write([]byte(print.Error("could not decode advisory report" + NewLineCharacter + NewLineCharacter)))
-		return
-	}
-
-	r.printVulnList(&vulnReport)
-	r.printVulnSummary(&vulnReport)
+	r.printVulnList(vulnReport)
+	r.printVulnSummary(vulnReport)
 }
 
 func (r *defaultReporter) printVulnList(report *mvd.VulnReport) {

go.mod

@@ -2,7 +2,8 @@ module go.mondoo.com/cnspec/v9
 
 go 1.21
 
-// replace go.mondoo.com/cnquery/v9 => ../cnquery
+replace go.mondoo.com/cnquery/v9 => ../cnquery
+replace go.mondoo.com/mondoo-go => /home/christian/workspace/mondoo/github.com/mondoo-go
 
 toolchain go1.21.3
 
@@ -95,6 +96,7 @@ require (
 	github.com/sagikazarmark/locafero v0.3.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sethvargo/go-retry v0.2.4 // indirect
+	github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spdx/tools-golang v0.5.3 // indirect
 	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
@@ -105,6 +107,7 @@ require (
 	github.com/xen0n/gosmopolitan v1.2.2 // indirect
 	github.com/ykadowak/zerologlint v0.1.3 // indirect
 	go-simpler.org/sloglint v0.2.0 // indirect
+	go.mondoo.com/mondoo-go v0.0.0-20231115081401-e27ff48607b6 // indirect
 	go.opentelemetry.io/otel/metric v1.21.0 // indirect
 	go.tmz.dev/musttag v0.7.2 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231127180814-3a041ad873d4 // indirect

go.sum

@@ -949,6 +949,8 @@ github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqP
 github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
 github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
 github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
+github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 h1:17JxqqJY66GmZVHkmAsGEkcIu0oCe3AM420QDgGwZx0=
+github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466/go.mod h1:9dIRpgIY7hVhoqfe0/FcYp0bpInZaT7dc3BYOprrIUE=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
@@ -1083,8 +1085,8 @@ go-simpler.org/sloglint v0.2.0/go.mod h1:/RQr0TeTf89IyRjLJ9ogUbIp1Zs5zJJAj02pwQo
 go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs=
-go.mondoo.com/cnquery/v9 v9.9.1 h1:XMEXYvK503gW1M/b+OJypmTK4hVS51149OgIvmUqzmc=
-go.mondoo.com/cnquery/v9 v9.9.1/go.mod h1:siFSVh/VpFpAp4FakashsqIWeB2KA9sjpcnFDEciJ4U=
+go.mondoo.com/mondoo-go v0.0.0-20231115081401-e27ff48607b6 h1:v1vA+PTWiIBXO+TSc6/+gPuc5dAxATkn5ebrXdecevs=
+go.mondoo.com/mondoo-go v0.0.0-20231115081401-e27ff48607b6/go.mod h1:bl1WL7TxPpyrQKiYcIMoOyggwBnvbnlt17/YY9Hsngw=
 go.mondoo.com/ranger-rpc v0.5.3 h1:914JOFTrxWFtBu1qrvuTyTyMibuT7g1GAX3HaUcbFqI=
 go.mondoo.com/ranger-rpc v0.5.3/go.mod h1:p+aaD7IpfhlnjeZ/uJ9ytS1655kaAyspWAzNYUZJHZw=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=