fix: group image vulnerabilities by base/os image (#5680)

* feat: add support for app and env sorting in scan list api and add medium, high and unknown severity support

* fix: query fix for appName sort or envName sort

* fix: sql script number change

* fix: minor changes

* fix: review fix

* fix: remove dml on cve_store and handle it in code handling this versioning

* fix: review comments

* feat: storing target,class and type values in imageScanExecutionResults

* feat: add sql script

* feat: add sql script

* fix: add new columns

* fix: update script numbers

* fix: correct down script

* fix: minor fix

* chore: script number update

Author: gireesh-naidu

internal/sql/repository/security/ImageScanDeployInfoRepository.go

@@ -177,7 +177,7 @@ func (impl ImageScanDeployInfoRepositoryImpl) scanListQueryWithoutObject(request
 		query = query + " AND res.cve_store_name ILIKE '%" + request.CVEName + "%'"
 	}
 	if len(request.Severity) > 0 {
-		severities := strings.Trim(strings.Join(strings.Fields(fmt.Sprintf("%d", request.Severity)), ","), "[]")
+		severities := strings.Trim(strings.Join(strings.Fields(fmt.Sprint(request.Severity)), ","), "[]")
 		query = query + fmt.Sprintf(" AND (cs.standard_severity IN (%s) OR (cs.severity IN (%s) AND cs.standard_severity IS NULL))", severities, severities)
 	}
 	if len(request.EnvironmentIds) > 0 {
@@ -239,7 +239,7 @@ func (impl ImageScanDeployInfoRepositoryImpl) scanListQueryWithObject(request *s
 	}
 
 	if len(request.Severity) > 0 {
-		severities := strings.Trim(strings.Join(strings.Fields(fmt.Sprintf("%d", request.Severity)), ","), "[]")
+		severities := strings.Trim(strings.Join(strings.Fields(fmt.Sprint(request.Severity)), ","), "[]")
 		query = query + fmt.Sprintf(" AND (cs.standard_severity IN (%s) OR (cs.severity IN (%s) AND cs.standard_severity IS NULL))", severities, severities)
 	}
 	if len(request.EnvironmentIds) > 0 {

internal/sql/repository/security/ImageScanResultRepository.go

@@ -30,6 +30,9 @@ type ImageScanExecutionResult struct {
 	Package                     string   `sql:"package"`
 	Version                     string   `sql:"version"`
 	FixedVersion                string   `sql:"fixed_version"`
+	Target                      string   `sql:"target"`
+	Type                        string   `sql:"type"`
+	Class                       string   `sql:"class"`
 	CveStore                    CveStore
 	ImageScanExecutionHistory   ImageScanExecutionHistory
 }

pkg/security/ImageScanService.go

@@ -331,6 +331,9 @@ func (impl ImageScanServiceImpl) FetchExecutionDetailResult(request *bean3.Image
 				FVersion: item.FixedVersion,
 				Package:  item.CveStore.Package,
 				Severity: item.CveStore.GetSeverity().String(),
+				Target:   item.Target,
+				Type:     item.Type,
+				Class:    item.Class,
 				//Permission: "BLOCK", TODO
 			}
 			// data already migrated hence get package, version and fixedVersion from image_scan_execution_result

pkg/security/bean/bean.go

@@ -25,6 +25,9 @@ type Vulnerabilities struct {
 	CVersion   string `json:"currentVersion"`
 	FVersion   string `json:"fixedVersion"`
 	Permission string `json:"permission"`
+	Target     string `json:"target"`
+	Class      string `json:"class"`
+	Type       string `json:"type"`
 }
 
 func (vul *Vulnerabilities) IsCritical() bool {

scripts/sql/276_scan_policies.down.sql

@@ -0,0 +1,3 @@
+UPDATE cve_policy_control
+SET deleted = true, updated_on = 'now()', updated_by = '1'
+WHERE severity = '3' OR severity = '5';

scripts/sql/276_scan_policies.up.sql

@@ -0,0 +1,6 @@
+
+-- severity 3 is for high and 5 is for unknown
+INSERT INTO "public"."cve_policy_control" ("global", "cluster_id", "env_id", "app_id", "cve_store_id", "action", "severity", "deleted", "created_on", "created_by", "updated_on", "updated_by") VALUES
+                                                     ('t', NULL, NULL, NULL, NULL, '1', '3', 'f', 'now()', '1', 'now()', '1'),
+                                                     ('t', NULL, NULL, NULL, NULL, '1', '5', 'f', 'now()', '1', 'now()', '1');
+

scripts/sql/279_link_external_release.down.sql renamed to scripts/sql/280_link_external_release.down.sql

@@ -0,0 +1,21 @@
+UPDATE scan_tool_metadata
+SET image_scan_descriptor_template = '[
+                                        {
+                                            "pathToVulnerabilitiesArray": "Results.#.Vulnerabilities",
+                                            "name": "VulnerabilityID",
+                                            "package": "PkgName",
+                                            "packageVersion": "InstalledVersion",
+                                            "fixedInVersion": "FixedVersion",
+                                            "severity": "Severity"
+                                        }
+                                     ]', updated_on = 'now()'
+WHERE name = 'TRIVY'
+    AND version = 'V1'
+    AND scan_target = 'IMAGE'
+    AND active = true
+    AND deleted = false;
+
+ALTER TABLE image_scan_execution_result
+    DROP COLUMN class,
+    DROP COLUMN type,
+    DROP COLUMN target;

scripts/sql/279_link_external_release.up.sql renamed to scripts/sql/280_link_external_release.up.sql

@@ -0,0 +1,29 @@
+UPDATE scan_tool_metadata SET result_descriptor_template = '[
+      {
+        "pathToResultArray": "Results",
+        "pathToVulnerabilitiesArray": "Vulnerabilities",
+        "vulnerabilityData":{
+       		"name": "VulnerabilityID",
+        	"package": "PkgName",
+        	"packageVersion": "InstalledVersion",
+        	"fixedInVersion": "FixedVersion",
+        	"severity": "Severity"
+        },
+        "resultData":{
+  			"target":"Target",
+        	"class":"Class",
+        	"type":"Type"
+       }
+      }
+]',updated_on = 'now()'
+
+WHERE name = 'TRIVY'
+    AND version = 'V1'
+    AND scan_target = 'IMAGE'
+    AND active = true
+    AND deleted = false;
+
+ALTER TABLE image_scan_execution_result
+    ADD COLUMN class TEXT,
+    ADD COLUMN type TEXT,
+    ADD COLUMN target TEXT;