Skip to content

Commit

Permalink
✨ Add new server-side vulnerability report
Browse files Browse the repository at this point in the history
cnspec fetches the vulnerability report from upstream and displays the list of vulnerable packages from this report.

The affected commands are scan and vuln.

Also:
Fixes #977

Signed-off-by: Christian Zunker <[email protected]>
  • Loading branch information
czunker committed Dec 11, 2023
1 parent a7e8a32 commit 2b833c1
Show file tree
Hide file tree
Showing 15 changed files with 1,262 additions and 1,187 deletions.
55 changes: 35 additions & 20 deletions apps/cnspec/cmd/vuln.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,9 @@
package cmd

import (
"encoding/json"
"os"

"github.com/mitchellh/mapstructure"
"github.com/rs/zerolog/log"
"github.com/spf13/cobra"
"github.com/spf13/viper"
Expand All @@ -15,8 +15,10 @@ import (
"go.mondoo.com/cnquery/v9/logger"
"go.mondoo.com/cnquery/v9/providers"
"go.mondoo.com/cnquery/v9/providers-sdk/v1/plugin"
"go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream/gql"
"go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream/mvd"
"go.mondoo.com/cnspec/v9/cli/reporter"
mondoogql "go.mondoo.com/mondoo-go"
"go.mondoo.com/ranger-rpc/codes"
"go.mondoo.com/ranger-rpc/status"
)
Expand Down Expand Up @@ -87,60 +89,73 @@ var vulnCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *pl
log.Error().Err(err).Msg("failed to initialize cnspec shell")
}

vulnReportQuery := "asset.vulnerabilityReport"
vulnReportDatapointChecksum := executor.MustGetOneDatapoint(executor.MustCompile(vulnReportQuery))
_, results, err := sh.RunOnce(vulnReportQuery)
packagesQuery := "packages{ name version }"
packagesDatapointChecksum := executor.MustGetOneDatapoint(executor.MustCompile(packagesQuery))
codeBundle, results, err := sh.RunOnce(packagesQuery)
if err != nil {
log.Error().Err(err).Msg("failed to run query")
return
}

// render vulnerability report
var vulnReport mvd.VulnReport
value, ok := results[vulnReportDatapointChecksum]
value, ok := results[packagesDatapointChecksum]
if !ok {
log.Error().Msg("could not find advisory report\n\n")
log.Error().Msg("could not find packages data\n\n")
return
}

if value == nil || value.Data == nil {
log.Error().Msg("could not load advisory report\n\n")
log.Error().Msg("could not load packages data\n\n")
return
}

if value.Data.Error != nil {
err := value.Data.Error
log.Err(value.Data.Error).Msg("could not load packages data\n\n")
return
}

packagesJson := value.Data.JSON(packagesDatapointChecksum, codeBundle)

gqlPackages := []mondoogql.PackageInput{}
err = json.Unmarshal(packagesJson, &gqlPackages)
if err != nil {
log.Error().Err(err).Msg("failed to unmarshal packages")
return
}

client, err := runtime.UpstreamConfig.InitClient()
if err != nil {
if status, ok := status.FromError(err); ok {
code := status.Code()
switch code {
case codes.Unauthenticated:
log.Fatal().Msg(unauthedErrorMsg)
default:
log.Err(value.Data.Error).Msg("could not load advisory report")
log.Err(err).Msg("could not authenticate upstream")
return
}
}
}
mondooClient, err := gql.NewClient(*runtime.UpstreamConfig, client.HttpClient)

rawData := value.Data.Value
cfg := &mapstructure.DecoderConfig{
Metadata: nil,
Result: &vulnReport,
TagName: "json",
}
decoder, _ := mapstructure.NewDecoder(cfg)
err = decoder.Decode(rawData)
platform := runtime.Provider.Connection.GetAsset().GetPlatform()
gqlVulnReport, err := mondooClient.GetIncognitoVulnReport(mondoogql.PlatformInput{
Name: mondoogql.NewStringPtr(mondoogql.String(platform.Name)),
Release: mondoogql.NewStringPtr(mondoogql.String(platform.Version)),
}, gqlPackages)
if err != nil {
log.Error().Msg("could not decode advisory report\n\n")
log.Error().Err(err).Msg("could not load advisory report")
return
}

vulnReport := gql.ConvertToMvdVulnReport(gqlVulnReport)

target := runtime.Provider.Connection.Asset.Name
if target == "" {
target = runtime.Provider.Connection.Asset.Mrn
}

printVulns(&vulnReport, conf, target)
printVulns(vulnReport, conf, target)
}

func printVulns(report *mvd.VulnReport, conf *scanConfig, target string) {
Expand Down
33 changes: 7 additions & 26 deletions cli/reporter/print_compact.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ import (
"strings"
"unicode/utf8"

"github.com/mitchellh/mapstructure"
"github.com/muesli/ansi"
"github.com/muesli/termenv"
"github.com/rs/zerolog/log"
Expand Down Expand Up @@ -362,7 +361,7 @@ func (r *defaultReporter) printAssetSections(orderedAssets []assetMrnName) {
r.printAssetQueries(resolved, report, queries, assetMrn, asset)
r.out.Write([]byte(NewLineCharacter))
// TODO: we should re-use the report results
r.printVulns(resolved, report, report.RawResults())
r.printVulns(report, assetMrn)

}
r.out.Write([]byte(NewLineCharacter))
Expand Down Expand Up @@ -586,39 +585,21 @@ func (r *defaultReporter) printCheck(score *policy.Score, query *explorer.Mquery

// ============================= ^^ ============================================

func (r *defaultReporter) printVulns(resolved *policy.ResolvedPolicy, report *policy.Report, results map[string]*llx.RawResult) {
func (r *defaultReporter) printVulns(report *policy.Report, assetMrn string) {
print := r.Printer

value, _ := getVulnReport(results)
if value == nil || value.Data == nil {
return
}
if value.Data.Error != nil {
r.out.Write([]byte(print.Error("Could not load the vulnerability report: "+value.Data.Error.Error()) + NewLineCharacter + NewLineCharacter))
vulnReport := r.data.VulnReports[assetMrn]

if vulnReport == nil {
return
}

r.out.Write([]byte(print.Primary("Vulnerabilities:" + NewLineCharacter)))

score := report.Scores[advisoryPolicyMrn]
_ = score

rawData := value.Data.Value

var vulnReport mvd.VulnReport
cfg := &mapstructure.DecoderConfig{
Metadata: nil,
Result: &vulnReport,
TagName: "json",
}
decoder, _ := mapstructure.NewDecoder(cfg)
if err := decoder.Decode(rawData); err != nil {
r.out.Write([]byte(print.Error("could not decode advisory report" + NewLineCharacter + NewLineCharacter)))
return
}

r.printVulnList(&vulnReport)
r.printVulnSummary(&vulnReport)
r.printVulnList(vulnReport)
r.printVulnSummary(vulnReport)
}

func (r *defaultReporter) printVulnList(report *mvd.VulnReport) {
Expand Down
2 changes: 1 addition & 1 deletion cli/reporter/reporter.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 5 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@ module go.mondoo.com/cnspec/v9

go 1.21

// replace go.mondoo.com/cnquery/v9 => ../cnquery
replace go.mondoo.com/cnquery/v9 => ../cnquery

replace go.mondoo.com/mondoo-go => /home/christian/workspace/mondoo/github.com/mondoo-go

toolchain go1.21.3

Expand Down Expand Up @@ -101,6 +103,7 @@ require (
github.com/sagikazarmark/locafero v0.4.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/sethvargo/go-retry v0.2.4 // indirect
github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spdx/tools-golang v0.5.3 // indirect
github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
Expand All @@ -115,6 +118,7 @@ require (
go.tmz.dev/musttag v0.7.2 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231127180814-3a041ad873d4 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
k8s.io/api v0.28.4 // indirect
k8s.io/apimachinery v0.28.4 // indirect
k8s.io/component-base v0.28.4 // indirect
Expand Down
4 changes: 4 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -959,6 +959,8 @@ github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c h1:W65qqJCIOVP4jpqP
github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c/go.mod h1:/PevMnwAxekIXwN8qQyfc5gl2NlkB3CQlkizAbOkeBs=
github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466 h1:17JxqqJY66GmZVHkmAsGEkcIu0oCe3AM420QDgGwZx0=
github.com/shurcooL/graphql v0.0.0-20230722043721-ed46e5a46466/go.mod h1:9dIRpgIY7hVhoqfe0/FcYp0bpInZaT7dc3BYOprrIUE=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
Expand Down Expand Up @@ -1654,6 +1656,8 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
Expand Down
Loading

0 comments on commit 2b833c1

Please sign in to comment.