[NVASHAS-8938] Add Critical CVE Severity to support CVSS v3 scores 9.…

…0-10.0 (CI/CD tool)
neuvector · May 14, 2024 · 286bb87 · 286bb87
1 parent 196964f
commit 286bb87
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/action.yml b/action.yml
@@ -60,6 +60,7 @@ runs:
   using: "docker"
   image: 'Dockerfile'
   env:
+    CRITICAL_VUL_TO_FAIL: ${{ inputs.min-critical-cves-to-fail }}
     HIGH_VUL_TO_FAIL: ${{ inputs.min-high-cves-to-fail }}
     MEDIUM_VUL_TO_FAIL: ${{ inputs.min-medium-cves-to-fail }}
     VUL_NAMES_TO_FAIL: ${{ inputs.cve-names-to-fail }}

diff --git a/run-scan.sh b/run-scan.sh
@@ -16,6 +16,7 @@ if [ -n "${SCANNER_REGISTRY_PASSWORD}" ]; then
 fi
 
 NV_SCANNER_IMAGE=${NV_SCANNER_IMAGE:-"neuvector/scanner:latest"}
+CRITICAL_VUL_TO_FAIL=${CRITICAL_VUL_TO_FAIL:-""}
 HIGH_VUL_TO_FAIL=${HIGH_VUL_TO_FAIL:-"0"}
 MEDIUM_VUL_TO_FAIL=${MEDIUM_VUL_TO_FAIL:-"0"}
 OUTPUT=${OUTPUT:-"text"}
@@ -40,20 +41,35 @@ VUL_EXEMPT_LIST=$(printf '["%s"]' "${VUL_NAMES_TO_EXEMPT//,/\",\"}")
 filterOutExemptCVEsFromJson "scan_result.json" "$VUL_EXEMPT_LIST"
 
 VUL_NUM=$(cat scan_result.json | jq '.report.vulnerabilities | length')
+FOUND_CRITICAL=$(cat scan_result.json | jq '.report.vulnerabilities[] | select(.severity == "Critical") | .severity' | wc -l)
 FOUND_HIGH=$(cat scan_result.json | jq '.report.vulnerabilities[] | select(.severity == "High") | .severity' | wc -l)
 FOUND_MEDIUM=$(cat scan_result.json | jq '.report.vulnerabilities[] | select(.severity == "Medium") | .severity' | wc -l)
 VUL_LIST=$(printf '["%s"]' "${VUL_NAMES_TO_FAIL//,/\",\"}")
 VUL_LIST_FOUND=$(cat scan_result.json | jq --arg arr "$VUL_LIST" '.report.vulnerabilities[] | select(.name as $n | $arr | index($n)) |.name')
+total_high_critical=$((FOUND_HIGH + FOUND_CRITICAL))
 
 echo "GITHUB_OUTPUT: $GITHUB_OUTPUT"
 echo "vulnerability_count=$VUL_NUM" >> "$GITHUB_OUTPUT"
+echo "critical_vulnerability_count=$FOUND_CRITICAL" >> "$GITHUB_OUTPUT"
 echo "high_vulnerability_count=$FOUND_HIGH" >> "$GITHUB_OUTPUT"
 echo "medium_vulnerability_count=$FOUND_MEDIUM" >> "$GITHUB_OUTPUT"
 
+aboveHighToFail=0
+# backward compatibility for upgraded version.
+if [ -z "$CRITICAL_VUL_TO_FAIL" ]; then
+  aboveHighToFail=${HIGH_VUL_TO_FAIL}
+fi
+
 # we must count the high and med before we put.
 if [[ -n $VUL_LIST_FOUND ]]; then
   fail_reason="Found specific named vulnerabilities."
   scan_fail="true"
+elif [ ${aboveHighToFail} -ne 0 -a $total_high_critical -ge ${aboveHighToFail} ]; then
+  fail_reason="Found ${FOUND_CRITICAL} critical and ${FOUND_HIGH} high vulnerabilities exceeding the maximum of ${aboveHighToFail} (combined high and critical threshold)."
+  scan_fail="true"  
+elif [ ${CRITICAL_VUL_TO_FAIL} -ne 0 -a $FOUND_CRITICAL -ge ${CRITICAL_VUL_TO_FAIL} ]; then
+  fail_reason="Found ${FOUND_CRITICAL} critical vulnerabilities exceeding the maximum of ${HIGH_VUL_TO_FAIL}."
+  scan_fail="true"  
 elif [ ${HIGH_VUL_TO_FAIL} -ne 0 -a $FOUND_HIGH -ge ${HIGH_VUL_TO_FAIL} ]; then
   fail_reason="Found ${FOUND_HIGH} high vulnerabilities exceeding the maximum of ${HIGH_VUL_TO_FAIL}."
   scan_fail="true"

diff --git a/test/scan-image.bats b/test/scan-image.bats
@@ -32,6 +32,15 @@ setup_file() {
     [[ "$output" =~ "Image scanning succeed" ]]
 }
 
+@test "scan image with vulnerabilities and above High severity fail" {
+    run docker run --rm -e HIGH_VUL_TO_FAIL=1 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
+    echo "Status $status"
+    echo "Output"
+    echo -e $output
+    [ "$status" -eq 1 ]
+    [[ "$output" =~ "critical vulnerabilities" ]]
+}
+
 @test "scan image with vulnerabilities and high severity fail" {
     run docker run --rm -e HIGH_VUL_TO_FAIL=1 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"
@@ -50,6 +59,7 @@ setup_file() {
     [[ "$output" =~ "medium vulnerabilities" ]]
 }
 
+
 @test "scan image with vulnerabilities and specific CVE fail" {
     run docker run --rm -e VUL_NAMES_TO_FAIL=invalid,CVE-2020-16156 -e SCANNER_REGISTRY=https://index.docker.io/ -e SCANNER_REPOSITORY=library/debian -e SCANNER_TAG=11.0 -v /var/run/docker.sock:/var/run/docker.sock -e GITHUB_OUTPUT="${GITHUB_OUTPUT}" -v "/github/output:/tmp"  neuvector/scan-action 
     echo "Status $status"