feat: CVE severity categorisation and scan result listing API enhancements (#5617)

* feat: add support for app and env sorting in scan list api and add medium, high and unknown severity support

* fix: query fix for appName sort or envName sort

* fix: sql script number change

* fix: minor changes

* fix: review fix

* fix: remove dml on cve_store and handle it in code handling this versioning

* fix: review comments

* fix: update script numbers

* fix: minor fix

Author: gireesh-naidu

api/restHandler/ImageScanRestHandler.go

@@ -19,6 +19,7 @@ package restHandler
 import (
 	"encoding/json"
 	"fmt"
+	securityBean "github.com/devtron-labs/devtron/pkg/security/bean"
 	"net/http"
 	"strconv"
 
@@ -70,7 +71,7 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 	}
 
 	decoder := json.NewDecoder(r.Body)
-	var request *security.ImageScanRequest
+	var request *securityBean.ImageScanRequest
 	err = decoder.Decode(&request)
 	if err != nil {
 		impl.logger.Errorw("request err, ScanExecutionList", "err", err, "payload", request)
@@ -82,8 +83,8 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 	if err != nil {
 		impl.logger.Errorw("service err, ScanExecutionList", "err", err, "payload", request)
 		if util.IsErrNoRows(err) {
-			responseList := make([]*security.ImageScanHistoryResponse, 0)
-			common.WriteJsonResp(w, nil, &security.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
+			responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
+			common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
 		} else {
 			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		}
@@ -126,8 +127,8 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 	if err != nil {
 		impl.logger.Errorw("service err, ScanExecutionList", "err", err, "payload", request)
 		if util.IsErrNoRows(err) {
-			responseList := make([]*security.ImageScanHistoryResponse, 0)
-			common.WriteJsonResp(w, nil, &security.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
+			responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
+			common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
 		} else {
 			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		}
@@ -177,7 +178,7 @@ func (impl ImageScanRestHandlerImpl) FetchExecutionDetail(w http.ResponseWriter,
 		}
 	}
 	image := v.Get("image")
-	request := &security.ImageScanRequest{
+	request := &securityBean.ImageScanRequest{
 		ImageScanDeployInfoId: imageScanDeployInfoId,
 		Image:                 image,
 		ArtifactId:            artifactId,
@@ -189,7 +190,7 @@ func (impl ImageScanRestHandlerImpl) FetchExecutionDetail(w http.ResponseWriter,
 	if err != nil {
 		impl.logger.Errorw("service err, FetchExecutionDetail", "err", err, "payload", request)
 		if util.IsErrNoRows(err) {
-			common.WriteJsonResp(w, nil, &security.ImageScanExecutionDetail{}, http.StatusOK)
+			common.WriteJsonResp(w, nil, &securityBean.ImageScanExecutionDetail{}, http.StatusOK)
 		} else {
 			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		}
@@ -221,7 +222,7 @@ func (impl ImageScanRestHandlerImpl) FetchExecutionDetail(w http.ResponseWriter,
 		}
 		//RBAC
 	} else {
-		common.WriteJsonResp(w, err, &security.ImageScanExecutionDetail{}, http.StatusOK)
+		common.WriteJsonResp(w, err, &securityBean.ImageScanExecutionDetail{}, http.StatusOK)
 	}
 
 	common.WriteJsonResp(w, err, executionDetail, http.StatusOK)
@@ -230,7 +231,7 @@ func (impl ImageScanRestHandlerImpl) FetchExecutionDetail(w http.ResponseWriter,
 func (impl ImageScanRestHandlerImpl) FetchMinScanResultByAppIdAndEnvId(w http.ResponseWriter, r *http.Request) {
 	v := r.URL.Query()
 	var appId, envId int
-	request := &security.ImageScanRequest{}
+	request := &securityBean.ImageScanRequest{}
 	appIds := v.Get("appId")
 	if len(appIds) > 0 {
 		appId, err := strconv.Atoi(appIds)
@@ -299,8 +300,8 @@ func (impl ImageScanRestHandlerImpl) VulnerabilityExposure(w http.ResponseWriter
 	if err != nil {
 		impl.logger.Errorw("service err, VulnerabilityExposure", "err", err, "payload", request)
 		if util.IsErrNoRows(err) {
-			responseList := make([]*security.ImageScanHistoryResponse, 0)
-			common.WriteJsonResp(w, nil, &security.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
+			responseList := make([]*securityBean.ImageScanHistoryResponse, 0)
+			common.WriteJsonResp(w, nil, &securityBean.ImageScanHistoryListingResponse{ImageScanHistoryResponse: responseList}, http.StatusOK)
 		} else {
 			common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		}

api/restHandler/PolicyRestHandler.go

@@ -20,12 +20,12 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	securityBean "github.com/devtron-labs/devtron/internal/sql/repository/security/bean"
 	"net/http"
 	"strconv"
 
 	"github.com/devtron-labs/devtron/api/bean"
 	"github.com/devtron-labs/devtron/api/restHandler/common"
-	security2 "github.com/devtron-labs/devtron/internal/sql/repository/security"
 	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
 	user2 "github.com/devtron-labs/devtron/pkg/auth/user"
 	"github.com/devtron-labs/devtron/pkg/cluster"
@@ -221,18 +221,18 @@ func (impl PolicyRestHandlerImpl) GetPolicy(w http.ResponseWriter, r *http.Reque
 		req.Id = ids
 	}
 	var clusterId, environmentId, appId int
-	var policyLevel security2.PolicyLevel
-	if level == security2.Global.String() {
-		policyLevel = security2.Global
-	} else if level == security2.Cluster.String() {
+	var policyLevel securityBean.PolicyLevel
+	if level == securityBean.Global.String() {
+		policyLevel = securityBean.Global
+	} else if level == securityBean.Cluster.String() {
 		clusterId = req.Id
-		policyLevel = security2.Cluster
-	} else if level == security2.Environment.String() {
+		policyLevel = securityBean.Cluster
+	} else if level == securityBean.Environment.String() {
 		environmentId = req.Id
-		policyLevel = security2.Environment
-	} else if level == security2.Application.String() {
+		policyLevel = securityBean.Environment
+	} else if level == securityBean.Application.String() {
 		appId = req.Id
-		policyLevel = security2.Application
+		policyLevel = securityBean.Application
 	}
 
 	token := r.Header.Get("token")

internal/sql/repository/security/CvePolicyControle.go

@@ -18,99 +18,37 @@ package security
 
 import (
 	"fmt"
+	securityBean "github.com/devtron-labs/devtron/internal/sql/repository/security/bean"
 	"github.com/devtron-labs/devtron/pkg/sql"
 	"github.com/go-pg/pg"
 	"github.com/go-pg/pg/orm"
 	"time"
 )
 
 type CvePolicy struct {
-	tableName     struct{}     `sql:"cve_policy_control" pg:",discard_unknown_columns"`
-	Id            int          `sql:"id,pk"`
-	Global        bool         `sql:"global,notnull"`
-	ClusterId     int          `sql:"cluster_id"`
-	EnvironmentId int          `sql:"env_id"`
-	AppId         int          `sql:"app_id"`
-	CVEStoreId    string       `sql:"cve_store_id"`
-	Action        PolicyAction `sql:"action, notnull"`
-	Severity      *Severity    `sql:"severity, notnull "`
-	Deleted       bool         `sql:"deleted, notnull"`
+	tableName     struct{}                  `sql:"cve_policy_control" pg:",discard_unknown_columns"`
+	Id            int                       `sql:"id,pk"`
+	Global        bool                      `sql:"global,notnull"`
+	ClusterId     int                       `sql:"cluster_id"`
+	EnvironmentId int                       `sql:"env_id"`
+	AppId         int                       `sql:"app_id"`
+	CVEStoreId    string                    `sql:"cve_store_id"`
+	Action        securityBean.PolicyAction `sql:"action, notnull"`
+	Severity      *securityBean.Severity    `sql:"severity, notnull "`
+	Deleted       bool                      `sql:"deleted, notnull"`
 	sql.AuditLog
 	CveStore *CveStore
 }
 
-type PolicyAction int
-
-const (
-	Inherit PolicyAction = iota
-	Allow
-	Block
-	Blockiffixed
-)
-
-func (d PolicyAction) String() string {
-	return [...]string{"inherit", "allow", "block", "blockiffixed"}[d]
-}
-
-// ------------------
-type Severity int
-
-const (
-	Low Severity = iota
-	Medium
-	Critical
-	High
-	Safe
-)
-const (
-	HIGH     string = "high"
-	CRITICAL string = "critical"
-	SAFE     string = "safe"
-	LOW      string = "low"
-	MEDIUM   string = "medium"
-	MODERATE string = "moderate"
-)
-
-// Handling for future use
-func (d Severity) ValuesOf(severity string) Severity {
-	if severity == CRITICAL || severity == HIGH {
-		return Critical
-	} else if severity == MODERATE || severity == MEDIUM {
-		return Medium
-	} else if severity == LOW || severity == SAFE {
-		return Low
-	}
-	return Low
-}
-
-// Updating it for future use(not in use for standard severity)
-func (d Severity) String() string {
-	return [...]string{"low", "moderate", "critical", "high", "safe"}[d]
-}
-
-// ----------------
-type PolicyLevel int
-
-const (
-	Global PolicyLevel = iota
-	Cluster
-	Environment
-	Application
-)
-
-func (d PolicyLevel) String() string {
-	return [...]string{"global", "cluster", "environment", "application"}[d]
-}
-
-func (policy *CvePolicy) PolicyLevel() PolicyLevel {
+func (policy *CvePolicy) PolicyLevel() securityBean.PolicyLevel {
 	if policy.ClusterId != 0 {
-		return Cluster
+		return securityBean.Cluster
 	} else if policy.AppId != 0 {
-		return Application
+		return securityBean.Application
 	} else if policy.EnvironmentId != 0 {
-		return Environment
+		return securityBean.Environment
 	} else {
-		return Global
+		return securityBean.Global
 	}
 }
 
@@ -250,37 +188,37 @@ func (impl *CvePolicyRepositoryImpl) GetBlockedCVEList(cves []*CveStore, cluster
 	return blockedCve, nil
 }
 
-func EnforceCvePolicy(cves []*CveStore, cvePolicy map[string]*CvePolicy, severityPolicy map[Severity]*CvePolicy) (blockedCVE []*CveStore) {
+func EnforceCvePolicy(cves []*CveStore, cvePolicy map[string]*CvePolicy, severityPolicy map[securityBean.Severity]*CvePolicy) (blockedCVE []*CveStore) {
 
 	for _, cve := range cves {
 		if policy, ok := cvePolicy[cve.Name]; ok {
-			if policy.Action == Allow {
+			if policy.Action == securityBean.Allow {
 				continue
-			} else if (policy.Action == Block) || (policy.Action == Blockiffixed && cve.FixedVersion != "") {
+			} else if (policy.Action == securityBean.Block) || (policy.Action == securityBean.Blockiffixed && cve.FixedVersion != "") {
 				blockedCVE = append(blockedCVE, cve)
 			}
 		} else {
-			if severityPolicy[cve.Severity] != nil && severityPolicy[cve.Severity].Action == Allow {
+			if severityPolicy[cve.GetSeverity()] != nil && severityPolicy[cve.GetSeverity()].Action == securityBean.Allow {
 				continue
-			} else if severityPolicy[cve.Severity] != nil && (severityPolicy[cve.Severity].Action == Block || (severityPolicy[cve.Severity].Action == Blockiffixed && cve.FixedVersion != "")) {
+			} else if severityPolicy[cve.GetSeverity()] != nil && (severityPolicy[cve.GetSeverity()].Action == securityBean.Block || (severityPolicy[cve.GetSeverity()].Action == securityBean.Blockiffixed && cve.FixedVersion != "")) {
 				blockedCVE = append(blockedCVE, cve)
 			}
 		}
 	}
 	return blockedCVE
 }
 
-func (impl *CvePolicyRepositoryImpl) getApplicablePolicy(clusterId, envId, appId int, isAppstore bool) (map[string]*CvePolicy, map[Severity]*CvePolicy, error) {
+func (impl *CvePolicyRepositoryImpl) getApplicablePolicy(clusterId, envId, appId int, isAppstore bool) (map[string]*CvePolicy, map[securityBean.Severity]*CvePolicy, error) {
 
-	var policyLevel PolicyLevel
+	var policyLevel securityBean.PolicyLevel
 	if isAppstore && appId > 0 && envId > 0 && clusterId > 0 {
-		policyLevel = Environment
+		policyLevel = securityBean.Environment
 	} else if appId > 0 && envId > 0 && clusterId > 0 {
-		policyLevel = Application
+		policyLevel = securityBean.Application
 	} else if envId > 0 && clusterId > 0 {
-		policyLevel = Environment
+		policyLevel = securityBean.Environment
 	} else if clusterId > 0 {
-		policyLevel = Cluster
+		policyLevel = securityBean.Cluster
 	} else {
 		//error in case of global or other policy
 		return nil, nil, fmt.Errorf("policy not identified")
@@ -290,16 +228,16 @@ func (impl *CvePolicyRepositoryImpl) getApplicablePolicy(clusterId, envId, appId
 	return cvePolicy, severityPolicy, err
 }
 
-func (impl *CvePolicyRepositoryImpl) getPolicies(policyLevel PolicyLevel, clusterId, environmentId, appId int) (map[string]*CvePolicy, map[Severity]*CvePolicy, error) {
+func (impl *CvePolicyRepositoryImpl) getPolicies(policyLevel securityBean.PolicyLevel, clusterId, environmentId, appId int) (map[string]*CvePolicy, map[securityBean.Severity]*CvePolicy, error) {
 	var policies []*CvePolicy
 	var err error
-	if policyLevel == Global {
+	if policyLevel == securityBean.Global {
 		policies, err = impl.GetGlobalPolicies()
-	} else if policyLevel == Cluster {
+	} else if policyLevel == securityBean.Cluster {
 		policies, err = impl.GetClusterPolicies(clusterId)
-	} else if policyLevel == Environment {
+	} else if policyLevel == securityBean.Environment {
 		policies, err = impl.GetEnvPolicies(clusterId, environmentId)
-	} else if policyLevel == Application {
+	} else if policyLevel == securityBean.Application {
 		policies, err = impl.GetAppEnvPolicies(clusterId, environmentId, appId)
 	} else {
 		return nil, nil, fmt.Errorf("unsupported policy level: %s", policyLevel)
@@ -314,9 +252,9 @@ func (impl *CvePolicyRepositoryImpl) getPolicies(policyLevel PolicyLevel, cluste
 	return cvePolicy, severityPolicy, nil
 }
 
-func (impl *CvePolicyRepositoryImpl) getApplicablePolicies(policies []*CvePolicy) (map[string]*CvePolicy, map[Severity]*CvePolicy) {
+func (impl *CvePolicyRepositoryImpl) getApplicablePolicies(policies []*CvePolicy) (map[string]*CvePolicy, map[securityBean.Severity]*CvePolicy) {
 	cvePolicy := make(map[string][]*CvePolicy)
-	severityPolicy := make(map[Severity][]*CvePolicy)
+	severityPolicy := make(map[securityBean.Severity][]*CvePolicy)
 	for _, policy := range policies {
 		if policy.CVEStoreId != "" {
 			cvePolicy[policy.CveStore.Name] = append(cvePolicy[policy.CveStore.Name], policy)
@@ -347,8 +285,8 @@ func (impl *CvePolicyRepositoryImpl) getHighestPolicy(allPolicies map[string][]*
 	return applicablePolicies
 }
 
-func (impl *CvePolicyRepositoryImpl) getHighestPolicyS(allPolicies map[Severity][]*CvePolicy) map[Severity]*CvePolicy {
-	applicablePolicies := make(map[Severity]*CvePolicy)
+func (impl *CvePolicyRepositoryImpl) getHighestPolicyS(allPolicies map[securityBean.Severity][]*CvePolicy) map[securityBean.Severity]*CvePolicy {
+	applicablePolicies := make(map[securityBean.Severity]*CvePolicy)
 	for key, policies := range allPolicies {
 		var applicablePolicy *CvePolicy
 		for _, policy := range policies {

internal/sql/repository/security/CveStoreRepository.go

@@ -19,6 +19,7 @@ package security
 import (
 	"fmt"
 	"github.com/devtron-labs/devtron/internal/sql/repository/helper"
+	securityBean "github.com/devtron-labs/devtron/internal/sql/repository/security/bean"
 	"github.com/devtron-labs/devtron/pkg/sql"
 	"github.com/go-pg/pg"
 	"go.uber.org/zap"
@@ -27,15 +28,41 @@ import (
 )
 
 type CveStore struct {
-	tableName    struct{} `sql:"cve_store" pg:",discard_unknown_columns"`
-	Name         string   `sql:"name,pk"`
-	Severity     Severity `sql:"severity,notnull"`
-	Package      string   `sql:"package,notnull"` // deprecated
-	Version      string   `sql:"version,notnull"`
-	FixedVersion string   `sql:"fixed_version,notnull"`
+	tableName struct{} `sql:"cve_store" pg:",discard_unknown_columns"`
+	Name      string   `sql:"name,pk"`
+
+	// Deprecated: Severity, use StandardSeverity for all read purposes
+	Severity securityBean.Severity `sql:"severity,notnull"`
+	// Deprecated: Package
+	Package string `sql:"package,notnull"` // deprecated, storing package data in image_scan_execution_result table
+	// Deprecated: Version
+	Version string `sql:"version,notnull"`
+	// Deprecated: FixedVersion
+	FixedVersion string `sql:"fixed_version,notnull"`
+
+	// StandardSeverity is the actual severity. use GetSeverity method to get severity of the vulnerability
+	// earlier severity is maintained in Severity column by merging HIGH and CRITICAL severities.
+	// later we introduced new column StandardSeverity to store raw severity, but didn't migrate the existing Severity data to StandardSeverity.
+	// currently, we deprecated Severity.
+	StandardSeverity *securityBean.Severity `sql:"standard_severity"`
 	sql.AuditLog
 }
 
+// GetSeverity returns the actual severity of the vulnerability.
+func (cve *CveStore) GetSeverity() securityBean.Severity {
+	if cve.StandardSeverity == nil {
+		// we need this as there was a time when StandardSeverity didn't exist.
+		// and migration of Severity data to StandardSeverity is not done.
+		return cve.Severity
+	}
+	return *cve.StandardSeverity
+}
+
+func (cve *CveStore) SetStandardSeverity(severity securityBean.Severity) {
+	cve.Severity = severity
+	cve.StandardSeverity = &severity
+}
+
 type VulnerabilityRequest struct {
 	AppName    string `json:"appName"`
 	CveName    string `json:"cveName"`