
Merge pull request #25 from armosec/add_container_to_attack_chains
fix vul controls condition
kooomix authored Sep 14, 2023
2 parents b43f066 + dbf64ed commit 4b9660c
Showing 2 changed files with 19 additions and 23 deletions.
13 changes: 4 additions & 9 deletions attackchains/attackchainutils.go
Expand Up @@ -66,19 +66,14 @@ func convertVulToControl(vul *cscanlib.CommonContainerScanSummaryResult, tags []
// isVulnerableRelevantToAttackChain checks if the vulnerability is relevant to the attack chain
func isVulnerableRelevantToAttackChain(vul *cscanlib.CommonContainerScanSummaryResult) bool {
// validate relevancy
if !vul.HasRelevancyData || (vul.HasRelevancyData && vul.RelevantLabel == "yes") {
if !vul.HasRelevancyData || (vul.HasRelevancyData && vul.RelevantLabel == cscanlib.RelevantLabelYes) {
//validate severity
if vul.Severity == "Critical" {
if vul.Severity == cscanlib.CriticalSeverity {
return true
}

// TODO: figure out how to handle empty severity stats
// if vul.SeveritiesStats == nil || len(vul.SeveritiesStats) == 0 {
// return false, fmt.Errorf("Vulnerability '%s' has no severity stats", vul.WLID)
// }

for _, stat := range vul.SeveritiesStats {
if stat.Severity == "Critical" && stat.TotalCount > 0 {

if stat.Severity == cscanlib.CriticalSeverity && stat.RelevantCount > 0 {
return true
}
}
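Review bot: The new `stat.RelevantCount > 0` test at the bottom of the hunk changes what happens for a summary with no relevancy data: the outer `if` deliberately lets `!vul.HasRelevancyData` through, but such a record now only counts if its severity stats still carry a non-zero RelevantCount, where the old code used TotalCount. If the scanner leaves RelevantCount at zero whenever relevancy was never computed (not verifiable from this hunk), critical images without relevancy data silently drop out of attack chains unless `vul.Severity` itself is Critical, which is the wrong direction to fail in for a detection; I would fall back to TotalCount in that case. The `vul.HasRelevancyData &&` inside the outer condition is redundant (that disjunct is only evaluated when HasRelevancyData is true) and can be dropped. The deleted TODO about an empty SeveritiesStats is not resolved here, and the function continues past the end of the hunk, so whatever follows the loop decides the no-stats case.
```go
		for _, stat := range vul.SeveritiesStats {
			if stat.Severity != cscanlib.CriticalSeverity {
				continue
			}
			// Without relevancy data RelevantCount presumably carries no signal; use the total.
			count := stat.RelevantCount
			if !vul.HasRelevancyData {
				count = stat.TotalCount
			}
			if count > 0 {
				return true
			}
		}
```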
29 changes: 15 additions & 14 deletions attackchains/attackchainutils_test.go
Expand Up @@ -25,7 +25,7 @@ func TestIsVulnarableRelevantToAttackChange(t *testing.T) {
ImageID: "ss",
HasRelevancyData: true,
RelevantLabel: "yes",
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "Critical", TotalCount: 1}},
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "Critical", RelevantCount: 1}},
},
expected: true,
wantErr: false,
Expand All @@ -36,7 +36,7 @@ func TestIsVulnarableRelevantToAttackChange(t *testing.T) {
ImageID: "ss",
HasRelevancyData: true,
RelevantLabel: "yes",
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "High", TotalCount: 1}},
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "High", RelevantCount: 1}},
},
expected: false,
wantErr: false,
Expand All @@ -47,7 +47,7 @@ func TestIsVulnarableRelevantToAttackChange(t *testing.T) {
ImageID: "ss",
HasRelevancyData: true,
RelevantLabel: "no",
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "High", TotalCount: 1}},
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "High", RelevantCount: 1}},
},
expected: false,
wantErr: false,
Expand All @@ -58,21 +58,22 @@ func TestIsVulnarableRelevantToAttackChange(t *testing.T) {
ImageID: "ss",
HasRelevancyData: false,
RelevantLabel: "no",
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "Critical", TotalCount: 1}},
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "Critical", RelevantCount: 1}},
},
expected: true,
wantErr: false,
},
// {
// name: "relevant but no severity stats - should return error",
// vul: &cscanlib.CommonContainerScanSummaryResult{
// ImageID: "ss",
// HasRelevancyData: true,
// RelevantLabel: "yes",
// },
// expected: false,
// wantErr: true,
// },
{
name: "relevant - has no relevancy data and relevant count is 0",
vul: &cscanlib.CommonContainerScanSummaryResult{
ImageID: "ss",
HasRelevancyData: true,
RelevantLabel: "yes",
SeveritiesStats: []cscanlib.SeverityStats{{Severity: "Critical", RelevantCount: 0}},
},
expected: false,
wantErr: false,
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
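Review bot: The new case's name at the end of the hunk, `"relevant - has no relevancy data and relevant count is 0"`, contradicts its own fixture: HasRelevancyData is true, RelevantLabel is "yes" and the expected result is false, so this is the not-relevant case; rename it to `name: "not relevant - relevancy data present but critical relevant count is 0",`. The fixtures throughout the section still use the string literals "yes" and "Critical" while the code under test now compares against cscanlib.RelevantLabelYes and cscanlib.CriticalSeverity, so the tests pass only as long as those constants happen to equal the literals; build the fixtures from the constants instead. There is also no case for the shape a scan without relevancy data presumably produces (HasRelevancyData false, RelevantCount 0, TotalCount above 0), which is exactly where switching from TotalCount to RelevantCount could silently drop a critical finding; the existing no-relevancy case sets RelevantCount to 1 and so does not cover it.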
