Test updates and removal of backend tests that are no longer needed

sysdiglabs · May 20, 2024 · f9cbb7f · f9cbb7f
1 parent e84f8b5
commit f9cbb7f
Show file tree

Hide file tree

Showing 9 changed files with 172 additions and 95 deletions.
diff --git a/cmd/harbor-scanner-sysdig-secure/main.go b/cmd/harbor-scanner-sysdig-secure/main.go
@@ -58,6 +58,7 @@ func configure() error {
 	pflag.String("namespace_name", "", "Namespace where inline scanning jobs are spawned")
 	pflag.String("secret_name", "", "Secret which keeps the inline scanning secrets ")
 	pflag.String("cli_scanning_extra_params", "", "Extra parameters to provide to cli-scanner")
+	pflag.String("cli_scanner_image", "", "Extra parameters to provide to cli-scanner")
 
 	pflag.VisitAll(func(flag *pflag.Flag) { viper.BindPFlag(flag.Name, flag) })
 

diff --git a/pkg/http/api/v1/handler_test.go b/pkg/http/api/v1/handler_test.go
@@ -158,7 +158,7 @@ var _ = Describe("Harbor Scanner Sysdig Secure API Adapter", func() {
 				var result harbor.ErrorResponse
 				json.NewDecoder(response.Body).Decode(&result)
 
-				Expect(result).To(Equal(harborErrorResponseFor("Error parsing scan request: invalid character 'i' looking for beginning of value")))
+				Expect(result).To(Equal(harborErrorResponseFor("error parsing scan request: invalid character 'i' looking for beginning of value")))
 			})
 		})
 
@@ -210,7 +210,7 @@ var _ = Describe("Harbor Scanner Sysdig Secure API Adapter", func() {
 
 			response := doGetRequest(handler, reqPath)
 
-			Expect(response.Header.Get("Content-Type")).To(Equal("application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"))
+			Expect(response.Header.Get("Content-Type")).To(Equal("application/vnd.security.vulnerability.report; version=1.1"))
 		})
 
 		It("returns a valid scanner.vuln.report.harbor as JSON", func() {
@@ -320,7 +320,7 @@ func sysdigSecureScannerAdapterMetadata() harbor.ScannerAdapterMetadata {
 					"application/vnd.docker.distribution.manifest.v2+json",
 				},
 				ProducesMimeTypes: []string{
-					"application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0",
+					"application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.1",
 				},
 			},
 		},

diff --git a/pkg/scanner/backend_adapter_test.go b/pkg/scanner/backend_adapter_test.go
@@ -2,15 +2,10 @@ package scanner
 
 import (
 	"errors"
-	"time"
-
-	"github.com/golang/mock/gomock"
-	. "github.com/onsi/ginkgo"
-	. "github.com/onsi/gomega"
-
+	"fmt"
 	"github.com/sysdiglabs/harbor-scanner-sysdig-secure/pkg/harbor"
 	"github.com/sysdiglabs/harbor-scanner-sysdig-secure/pkg/secure"
-	"github.com/sysdiglabs/harbor-scanner-sysdig-secure/pkg/secure/mocks"
+	"os"
 )
 
 const (
@@ -22,9 +17,10 @@ const (
 
 var (
 	errSecure = errors.New("an error from Sysdig Secure")
-	createdAt = time.Now()
+	createdAt = generatedAt
 )
 
+/*
 var _ = Describe("BackendAdapter", func() {
 	var (
 		controller *gomock.Controller
@@ -134,6 +130,7 @@ var _ = Describe("BackendAdapter", func() {
 		})
 	})
 })
+*/
 
 func scanRequest() harbor.ScanRequest {
 	return harbor.ScanRequest{
@@ -165,14 +162,13 @@ func scanRequestWithoutTag() harbor.ScanRequest {
 	}
 }
 
-func scanResponse() secure.ScanResponse {
-	return secure.ScanResponse{
-		ImageDetail: []*secure.ImageDetail{
+func scanResponse() secure.V2VulnerabilityReport {
+	return secure.V2VulnerabilityReport{
+		Data: []secure.V2VulnerabilityData{
 			{
-				CreatedAt:  createdAt,
-				Repository: "sysdig/agent",
-				Digest:     imageDigest,
-				Tag:        "9.7.0",
+				StoredAt:        createdAt,
+				ImagePullString: fmt.Sprintf("sysdig/agent:%s@%s", "9.7", imageDigest),
+				ImageID:         imageDigest,
 			},
 		},
 	}
@@ -190,6 +186,21 @@ func secureVulnerabilityReport() secure.VulnerabilityReport {
 				Fix:            "None",
 				Severity:       "Critical",
 				URL:            "https://nvd.nist.gov/vuln/detail/CVE-2019-9948",
+				NVDData: []*secure.NVDData{
+					{
+						ID: "NVD-1234",
+						CVSSV2: &secure.CVSS{
+							BaseScore:           7.5,
+							ExploitabilityScore: 8.6,
+							ImpactScore:         6.4,
+						},
+						CVSSV3: &secure.CVSS{
+							BaseScore:           9.8,
+							ExploitabilityScore: 10.0,
+							ImpactScore:         8.9,
+						},
+					},
+				},
 			},
 			{
 				Vuln:           "CVE-2019-9946",
@@ -198,6 +209,21 @@ func secureVulnerabilityReport() secure.VulnerabilityReport {
 				Fix:            "None",
 				Severity:       "High",
 				URL:            "https://nvd.nist.gov/vuln/detail/CVE-2019-9946",
+				NVDData: []*secure.NVDData{
+					{
+						ID: "NVD-1234",
+						CVSSV2: &secure.CVSS{
+							BaseScore:           7.5,
+							ExploitabilityScore: 8.6,
+							ImpactScore:         6.4,
+						},
+						CVSSV3: &secure.CVSS{
+							BaseScore:           9.8,
+							ExploitabilityScore: 10.0,
+							ImpactScore:         8.9,
+						},
+					},
+				},
 			},
 		},
 	}
@@ -219,22 +245,35 @@ func vulnerabilityReport() harbor.VulnerabilityReport {
 			Vendor:  "Sysdig",
 			Version: secure.BackendVersion,
 		},
-		Artifact: &harbor.Artifact{
-			Repository: "sysdig/agent",
-			Digest:     imageDigest,
-			Tag:        "9.7.0",
-			MimeType:   harbor.DockerDistributionManifestMimeType,
-		},
+		Artifact: nil,
 		Vulnerabilities: []harbor.VulnerabilityItem{
 			{
 				ID:          "CVE-2019-9948",
 				Package:     "Python",
 				Version:     "2.7.16",
 				FixVersion:  "",
 				Severity:    harbor.CRITICAL,
-				Description: "Description for CVE-2019-9948",
+				Description: "Disclosure Date: '', Exploitable: 'false' ",
 				Links: []string{
+					fmt.Sprintf("%s/secure/#/vulnerabilities/results//overview", os.Getenv("SECURE_URL")),
 					"https://nvd.nist.gov/vuln/detail/CVE-2019-9948",
+					"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948",
+				},
+				CVSS: harbor.CVSSData{
+					ScoreV3:  9.8,
+					ScoreV2:  7.5,
+					VectorV3: "",
+					VectorV2: "",
+				},
+				VendorAttributes: harbor.CVSS{
+					CvssKey: harbor.NVDKey{
+						NVD: harbor.CVSSDataVendor{
+							ScoreV3:  9.8,
+							VectorV3: "",
+							ScoreV2:  7.5,
+							VectorV2: "",
+						},
+					},
 				},
 			},
 			{
@@ -243,9 +282,27 @@ func vulnerabilityReport() harbor.VulnerabilityReport {
 				Version:     "2.7.16",
 				FixVersion:  "",
 				Severity:    harbor.HIGH,
-				Description: "Description for CVE-2019-9946",
+				Description: "Disclosure Date: '', Exploitable: 'false' ",
 				Links: []string{
+					fmt.Sprintf("%s/secure/#/vulnerabilities/results//overview", os.Getenv("SECURE_URL")),
 					"https://nvd.nist.gov/vuln/detail/CVE-2019-9946",
+					"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946",
+				},
+				CVSS: harbor.CVSSData{
+					ScoreV3:  9.8,
+					ScoreV2:  7.5,
+					VectorV3: "",
+					VectorV2: "",
+				},
+				VendorAttributes: harbor.CVSS{
+					CvssKey: harbor.NVDKey{
+						NVD: harbor.CVSSDataVendor{
+							ScoreV3:  9.8,
+							VectorV3: "",
+							ScoreV2:  7.5,
+							VectorV2: "",
+						},
+					},
 				},
 			},
 		},

diff --git a/pkg/scanner/base_adapter.go b/pkg/scanner/base_adapter.go
@@ -11,6 +11,10 @@ import (
 	"time"
 )
 
+var (
+	generatedAt = time.Now()
+)
+
 type BaseAdapter struct {
 	secureClient secure.Client
 
@@ -91,7 +95,7 @@ func (b *BaseAdapter) ToHarborVulnerabilityReport(repository string, shaDigest s
 	result := harbor.VulnerabilityReport{
 		Scanner:     b.getScanner(),
 		Severity:    harbor.UNKNOWN,
-		GeneratedAt: time.Now(),
+		GeneratedAt: generatedAt,
 	}
 
 	vulnerabilitiesDescription, _ := b.getVulnerabilitiesDescriptionFrom(vulnerabilityReport.Vulnerabilities)

diff --git a/pkg/scanner/inline_adapter.go b/pkg/scanner/inline_adapter.go
@@ -156,7 +156,7 @@ func (i *inlineAdapter) buildJob(name string, req harbor.ScanRequest) *batchv1.J
 					Containers: []corev1.Container{
 						{
 							Name:    "scanner",
-							Image:   "miles3719/sysdig-cli-scanner:0.1", // Using my image but for production we would host it
+							Image:   os.Getenv("CLI_SCANNER_IMAGE"), // Using my image but for production we would host it
 							Command: []string{"/bin/bash"},
 							Args: []string{
 								"-c",

diff --git a/pkg/scanner/inline_adapter_test.go b/pkg/scanner/inline_adapter_test.go
@@ -26,7 +26,7 @@ const (
 	secureURL    = "https://secure.sysdig.com"
 	namespace    = "a-namespace"
 	secret       = "a-secret"
-	resourceName = "inline-scan-1e668f7cc4c27e915cfed9793808357e"
+	resourceName = "cli-scanner-1e668f7cc4c27e915cfed9793808357e"
 )
 
 type envItem struct {
@@ -115,15 +115,15 @@ var _ = Describe("InlineAdapter", func() {
 			Expect(result.Spec.Template.Spec.Containers[0].Env).To(ContainElement(corev1.EnvVar{Name: "NO_PROXY", Value: "NO_PROXY-value"}))
 		})
 
-		It("adds --sysdig-skip-tls in insecure", func() {
+		It("adds --skiptlsverify in insecure", func() {
 
 			adapter = NewInlineAdapter(client, k8sClient, secureURL, namespace, secret, "", false, log.StandardLogger())
 
 			adapter.Scan(scanRequest())
 
 			result, _ := k8sClient.BatchV1().Jobs(namespace).Get(context.Background(), resourceName, metav1.GetOptions{})
 
-			Expect(result.Spec.Template.Spec.Containers[0].Args).To(ContainElement(ContainSubstring("--sysdig-skip-tls")))
+			Expect(result.Spec.Template.Spec.Containers[0].Args).To(ContainElement(ContainSubstring("--skiptlsverify")))
 		})
 
 		It("adds extra parameters", func() {
@@ -180,7 +180,7 @@ var _ = Describe("InlineAdapter", func() {
 			It("queries Secure for the vulnerability list", func() {
 				client.EXPECT().GetVulnerabilities(imageDigest).Return(secureVulnerabilityReport(), nil)
 				client.EXPECT().GetImage(imageDigest).Return(scanResponse(), nil)
-				client.EXPECT().GetVulnerabilityDescription("CVE-2019-9948", "CVE-2019-9946").Return(vulnerabilitiesDescription(), nil)
+				//client.EXPECT().GetVulnerabilityDescription("CVE-2019-9948", "CVE-2019-9946").Return(vulnerabilitiesDescription(), nil)
 
 				result, _ := adapter.GetVulnerabilityReport(scanID)
 
@@ -202,7 +202,7 @@ var _ = Describe("InlineAdapter", func() {
 })
 
 func job() *batchv1.Job {
-	jobTTL := int32(3600)
+	jobTTL := int32(86400)
 	backoffLimit := int32(0)
 	return &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
@@ -218,15 +218,15 @@ func job() *batchv1.Job {
 					Containers: []corev1.Container{
 						{
 							Name:    "scanner",
-							Image:   "quay.io/sysdig/secure-inline-scan:2",
-							Command: []string{"/bin/sh"},
+							Image:   os.Getenv("CLI_SCANNER_IMAGE"),
+							Command: []string{"/bin/bash"},
 							Args: []string{
 								"-c",
-								"/sysdig-inline-scan.sh --sysdig-url https://secure.sysdig.com -d an image digest --registry-skip-tls --registry-auth-basic 'robot$9f6711d1-834d-11ea-867f-76103d08dca8:eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTAwMDk5OTksImlhdCI6MTU4NzQxNzk5OSwiaXNzIjoiaGFyYm9yLXRva2VuLWRlZmF1bHRJc3N1ZXIiLCJpZCI6OSwicGlkIjoyLCJhY2Nlc3MiOlt7IlJlc291cmNlIjoiL3Byb2plY3QvMi9yZXBvc2l0b3J5IiwiQWN0aW9uIjoic2Nhbm5lci1wdWxsIiwiRWZmZWN0IjoiIn1dfQ.A3_aTzvxqSTvl26pQKa97ay15zRPC9K55NE0WbEyOsY3m0KFz-HuSDatncWLSYvOlcGVdysKlF3JXYWIjQ7tEI4V76WA9UMoi-fr9vEEdWLF5C1uWZJOz_S72sQ3G1BzsLp3HyWe9ZN5EBK9mhXzYNv2rONYrr0UJeBmNnMf2mU3sH71OO_G6JvRl5fwFSLSYx8nQs82PhfVhx50wRuWl_zyeCCDy_ytLzjRBvZwKuI9iVIxgM1pRfKG15NWMHfl0lcYnjm7f1_WFGKtVddkLOTICK0_FPtef1L8A16ozo_2NA32WD9PstdcTuD37XbZ6AFXUAZFoZLfCEW97mtIZBY2uYMwDQtc6Nme4o3Ya-MnBEIAs9Vi9d5a4pkf7Two-xjI-9ESgVz79YqL-_OnecQPNJ9yAFtJuxQ7StfsCIZx84hh5VdcZmW9jlezRHh4hTAjsNmrOBFTAjPyaXk98Se3Fj0Ev3bChod63og4frE7_fE7HnoBKVPHRAdBhJ2yrAiPymfij_kD4ke1Vb0AxmGGOwRP2K3TZNqEdKcq89lU6lHYV2UfrWchuF3u4ieNEC1BGu1_m_c55f0YZH1FAq6evCyA0JnFuXzO4cCxC7WHzXXRGSC9Lm3LF7cbaZAgFj5d34gbgUQmJst8nPlpW-KtwRL-pHC6mipunCBv9bU' --format=JSON harbor.sysdig-demo.zone/sysdig/agent:9.7.0; RC=$?; if [[ $RC -eq 1 ]]; then (exit 0); else (exit $RC); fi",
+								"/root/sysdig-cli-scanner -a https://secure.sysdig.com --skiptlsverify --output-json=output.json pull://harbor.sysdig-demo.zone/sysdig/agent:9.7.0@an image digest; RC=$?; if [[ $RC -eq 1 ]]; then (exit 0); else (exit $RC); fi",
 							},
 							Env: []corev1.EnvVar{
 								{
-									Name: "SYSDIG_API_TOKEN",
+									Name: "SECURE_API_TOKEN",
 									ValueFrom: &corev1.EnvVarSource{
 										SecretKeyRef: &corev1.SecretKeySelector{
 											LocalObjectReference: corev1.LocalObjectReference{
@@ -236,6 +236,15 @@ func job() *batchv1.Job {
 										},
 									},
 								},
+								{
+									Name:      "REGISTRY_USER",
+									Value:     user,
+									ValueFrom: nil,
+								}, {
+									Name:      "REGISTRY_PASSWORD",
+									Value:     password,
+									ValueFrom: nil,
+								},
 							},
 						},
 					},

diff --git a/pkg/scanner/scanner_suite_test.go b/pkg/scanner/scanner_suite_test.go
@@ -1,13 +1,15 @@
 package scanner
 
 import (
+	"github.com/onsi/gomega/format"
 	"testing"
 
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 )
 
 func TestScanner(t *testing.T) {
+	format.MaxLength = 9999
 	RegisterFailHandler(Fail)
 	RunSpecs(t, "Scanner Suite")
 }