fix: ensure pods are only added to lists once

Signed-off-by: deggja <[email protected]>

backend/pkg/k8s/cilium-scanner.go

@@ -178,6 +178,16 @@ func fetchCiliumPolicies(dynamicClient dynamic.Interface, nsName string, writer
 	return unstructuredPolicies, hasDenyAll, nil
 }
 
+// helper function to ensure pods are not added to list multiple times
+func addUniquePodDetail(podDetails []string, detail string) []string {
+    for _, d := range podDetails {
+        if d == detail {
+            return podDetails // pod already in the list.
+        }
+    }
+    return append(podDetails, detail) // add pod if its not in list
+}
+
 // determinePodCoverage identifies unprotected pods in a namespace based on the fetched Cilium policies.
 func determinePodCoverage(clientset *kubernetes.Clientset, nsName string, policies []*unstructured.Unstructured, hasDenyAll bool, writer *bufio.Writer, scanResult *ScanResult) ([]string, error) {
 	unprotectedPods := []string{}
@@ -194,16 +204,15 @@ func determinePodCoverage(clientset *kubernetes.Clientset, nsName string, polici
 			continue
 		}
 		podIdentifier := fmt.Sprintf("%s/%s", pod.Namespace, pod.Name)
-		if _, exists := globallyProtectedPods[podIdentifier]; !exists {
-			if !IsPodProtected(writer, clientset, pod, policies, hasDenyAll, globallyProtectedPods) {
-				unprotectedPodDetails := fmt.Sprintf("%s %s %s", pod.Namespace, pod.Name, pod.Status.PodIP)
-				unprotectedPods = append(unprotectedPods, unprotectedPodDetails)
-				scanResult.UnprotectedPods = append(scanResult.UnprotectedPods, unprotectedPodDetails)
-			} else {
-				globallyProtectedPods[podIdentifier] = struct{}{} // Mark the pod as protected globally
-			}
-		}
-	}
+        if _, exists := globallyProtectedPods[podIdentifier]; !exists {
+            if !IsPodProtected(writer, clientset, pod, policies, hasDenyAll, globallyProtectedPods) {
+                unprotectedPodDetails := fmt.Sprintf("%s %s %s", pod.Namespace, pod.Name, pod.Status.PodIP)
+                unprotectedPods = addUniquePodDetail(unprotectedPods, unprotectedPodDetails)
+            } else {
+                globallyProtectedPods[podIdentifier] = struct{}{} // Mark the pod as protected globally
+            }
+        }
+    }
 
 	return unprotectedPods, nil
 }
@@ -563,7 +572,7 @@ func ScanCiliumClusterwideNetworkPolicies(dynamicClient dynamic.Interface, print
 		UserDeniedPolicies: false,
 		AllPodsProtected:   false,
 		HasDenyAll:         []string{},
-		Score:              0, // or some initial value
+		Score:              50, // or some initial value
 	}
 
 	defaultDenyAllFound, appliesToEntireCluster, partialDenyAllPolicies, partialDenyAllFound := analyzeClusterwidePolicies(unstructuredPolicies)

backend/pkg/k8s/scanner.go

@@ -397,24 +397,28 @@ func IsSystemNamespace(namespace string) bool {
 
 // Scoring logic
 func CalculateScore(hasPolicies bool, hasDenyAll bool, unprotectedPodsCount int) int {
-	score := 50 // Start with a base score of 50
+    score := 50 // Start with a base score of 50
+    fmt.Printf("Initial score: %d\n", score)
 
-	if hasDenyAll {
+    if hasDenyAll {
         score += 20 // Add 20 points for having deny-all policies
+        fmt.Printf("Added 20 points for deny-all policies. New score: %d\n", score)
     } else if !hasPolicies {
         score -= 20 // Subtract 20 points if there are no policies at all
+        fmt.Printf("Subtracted 20 points for no policies. New score: %d\n", score)
     }
 
-	// Deduct score based on the number of unprotected pods
-	score -= unprotectedPodsCount
+    // Deduct score based on the number of unprotected pods
+    score -= unprotectedPodsCount
+    fmt.Printf("Subtracted %d points for %d unprotected pods. Final score: %d\n", unprotectedPodsCount, unprotectedPodsCount, score)
 
-	if score > 100 {
+    if score > 100 {
         score = 100
     } else if score < 1 {
         score = 1
     }
 
-	return score
+    return score
 }
 
 // INTERACTIVE DASHBOARD LOGIC