Modified to check the expiration time of the allowlist when determini…

…ng the vulnerability of an artifact Signed-off-by: hyeyoung-lee <[email protected]>
goharbor · Mar 6, 2023 · 41f0a51 · 41f0a51
1 parent bfe4362
commit 41f0a51
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 12 deletions.
diff --git a/src/controller/p2p/preheat/enforcer.go b/src/controller/p2p/preheat/enforcer.go
@@ -483,7 +483,7 @@ func (de *defaultEnforcer) startTask(ctx context.Context, executionID int64, can
 
 // getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
 func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *proModels.Project, art *artifact.Artifact) (uint, error) {
-	vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet())
+	vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet(), p.CVEAllowlist.IsExpired())
 	if err != nil {
 		if errors.IsNotFoundErr(err) {
 			// no vulnerability report

diff --git a/src/controller/p2p/preheat/enforcer_test.go b/src/controller/p2p/preheat/enforcer_test.go
@@ -111,6 +111,7 @@ func (suite *EnforcerTestSuite) SetupSuite() {
 		context.TODO(),
 		mock.AnythingOfType("*artifact.Artifact"),
 		mock.AnythingOfType("models.CVESet"),
+		mock.AnythingOfType("bool"),
 	).Return(&scan.Vulnerable{Severity: &low, ScanStatus: "Success"}, nil)
 
 	fakeProCtl := &project.Controller{}

diff --git a/src/controller/scan/base_controller.go b/src/controller/scan/base_controller.go
@@ -755,7 +755,7 @@ func (bc *basicController) DeleteReports(ctx context.Context, digests ...string)
 	return nil
 }
 
-func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error) {
+func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error) {
 	if artifact == nil {
 		return nil, errors.New("no way to get vulnerable for nil artifact")
 	}
@@ -816,7 +816,7 @@ func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artif
 		var severity vuln.Severity
 
 		for _, v := range vuls {
-			if allowlist.Contains(v.ID) {
+			if !allowlistIsExpired && allowlist.Contains(v.ID) {
 				// Append the by passed CVEs specified in the allowlist
 				vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)
 

diff --git a/src/controller/scan/controller.go b/src/controller/scan/controller.go
@@ -120,9 +120,11 @@ type Controller interface {
 	//   Arguments:
 	//     ctx context.Context : the context for this method
 	//     artifact *artifact.Artifact : artifact to be scanned
+	//     allowlist map[string]struct{} : the set of CVE id of the items in the allowlist
+	//     allowlistIsExpired bool : whether the allowlist is expired
 	//
 	//   Returns
 	//      *Vulnerable : the vulnerable
 	//     error        : non nil error if any errors occurred
-	GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error)
+	GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error)
 }
diff --git a/src/server/middleware/vulnerable/vulnerable.go b/src/server/middleware/vulnerable/vulnerable.go
@@ -94,7 +94,7 @@ func Middleware() func(http.Handler) http.Handler {
 
 		projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())
 
-		vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist)
+		vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist, proj.CVEAllowlist.IsExpired())
 		if err != nil {
 			if errors.IsNotFoundErr(err) {
 				// No report yet?

diff --git a/src/testing/controller/scan/controller.go b/src/testing/controller/scan/controller.go