🐛 Provide platform family for vulnmgmt (#1145)

* 🐛 Provide platform family for vulnmgmt This is needed to determine the applicable app vulns. Also fix which version shows up in the 'FIXED' column of the scan output. Signed-off-by: Christian Zunker <[email protected]> * Fix license Signed-off-by: Christian Zunker <[email protected]> --------- Signed-off-by: Christian Zunker <[email protected]>
mondoohq · Mar 7, 2024 · abc0498 · abc0498
1 parent 0001592
commit abc0498
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 7 deletions.
diff --git a/Makefile b/Makefile
@@ -141,4 +141,13 @@ test/lint/golangci-lint/run: prep/tools
 .PHONY: test/lint/golangci-lint/run/new
 test/lint/golangci-lint/run/new: prep/tools
 	golangci-lint --version
-	golangci-lint run --timeout 10m --config .github/.golangci.yml --new-from-rev $(shell git log -n 1 origin/main --pretty=format:"%H")
+	golangci-lint run --timeout 10m --config .github/.golangci.yml --new-from-rev $(shell git log -n 1 origin/main --pretty=format:"%H")
+
+license: license/headers/check
+
+license/headers/check:
+	copywrite headers --plan
+
+license/headers/apply:
+	copywrite headers
+
diff --git a/apps/cnspec/cmd/vuln.go b/apps/cnspec/cmd/vuln.go
@@ -143,10 +143,15 @@ var vulnCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *pl
 	}
 
 	platform := runtime.Provider.Connection.GetAsset().GetPlatform()
+	family := []*mondoogql.String{}
+	for _, f := range platform.Family {
+		family = append(family, mondoogql.NewStringPtr(mondoogql.String(f)))
+	}
 	inputPlatform := mondoogql.PlatformInput{
 		Name:    mondoogql.NewStringPtr(mondoogql.String(platform.Name)),
 		Release: mondoogql.NewStringPtr(mondoogql.String(platform.Version)),
 		Build:   mondoogql.NewStringPtr(mondoogql.String(platform.Build)),
+		Family:  &family,
 	}
 	inputLabels := []*mondoogql.KeyValueInput{}
 	for k := range platform.Labels {
@@ -156,10 +161,7 @@ var vulnCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *pl
 		})
 	}
 	inputPlatform.Labels = &inputLabels
-	gqlVulnReport, err := mondooClient.GetIncognitoVulnReport(mondoogql.PlatformInput{
-		Name:    mondoogql.NewStringPtr(mondoogql.String(platform.Name)),
-		Release: mondoogql.NewStringPtr(mondoogql.String(platform.Version)),
-	}, gqlPackages)
+	gqlVulnReport, err := mondooClient.GetIncognitoVulnReport(inputPlatform, gqlPackages)
 	if err != nil {
 		log.Error().Err(err).Msg("could not load advisory report")
 		return

diff --git a/cli/components/advisories/report.go b/cli/components/advisories/report.go
@@ -207,9 +207,10 @@ func findVulnerablePackageWithoutNamespace(advisory *mvd.Advisory, installedPkg
 	var match *mvd.Package
 	for i := range advisory.Fixed {
 		if advisory.Fixed[i].Name == installedPkg.Name || advisory.Fixed[i].Name == installedPkg.Origin {
+			// This currently works under the assumption, that the highest version is the last one in the list
+			// To not re-apply all the version comparison here, we ensure the orderning in the upstream data
 			match = advisory.Fixed[i]
-			return match
 		}
 	}
-	return nil
+	return match
 }
diff --git a/cli/components/advisories/report_test.go b/cli/components/advisories/report_test.go
@@ -0,0 +1,30 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package advisories
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.mondoo.com/cnquery/v10/providers-sdk/v1/upstream/mvd"
+)
+
+func TestFindVulnerablePackageWithoutNamespace(t *testing.T) {
+	advisory := &mvd.Advisory{
+		Fixed: []*mvd.Package{
+			{Name: "pkg1", Version: "1.0.0"},
+			{Name: "pkg2", Version: "2.0.0"},
+			{Name: "pkg2", Version: "3.0.0"},
+			{Name: "pkg3", Version: "3.0.0"},
+		},
+	}
+
+	installedPkg := &mvd.Package{Name: "pkg2", Version: "2.0.0"}
+
+	match := findVulnerablePackageWithoutNamespace(advisory, installedPkg)
+
+	require.NotNil(t, match)
+	require.Equal(t, "pkg2", match.Name)
+	require.Equal(t, "3.0.0", match.Version)
+}