From 85077a71a696d54297b8fb4e8a9edd3cf5f54364 Mon Sep 17 00:00:00 2001
From: hyeyoung-lee
Date: Mon, 16 Jan 2023 14:44:18 +0900
Subject: [PATCH] Modified to check the expiration time of the allowlist when determining the vulnerability of an artifact

Signed-off-by: hyeyoung-lee
---
 src/controller/p2p/preheat/enforcer.go | 2 +-
 src/controller/p2p/preheat/enforcer_test.go | 1 +
 src/controller/scan/base_controller.go | 28 ++++++++++++-------
 src/controller/scan/controller.go | 4 ++-
 .../middleware/vulnerable/vulnerable.go | 2 +-
 src/testing/controller/scan/controller.go | 14 +++++-----
 6 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/src/controller/p2p/preheat/enforcer.go b/src/controller/p2p/preheat/enforcer.go
index b93692de9959..e5a144a402ca 100644
--- a/src/controller/p2p/preheat/enforcer.go
+++ b/src/controller/p2p/preheat/enforcer.go
@@ -483,7 +483,7 @@ func (de *defaultEnforcer) startTask(ctx context.Context, executionID int64, can
 // getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
 func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *proModels.Project, art *artifact.Artifact) (uint, error) {
- vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet())
+ vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet(), p.CVEAllowlist.IsExpired())
 if err != nil {
 if errors.IsNotFoundErr(err) {
 // no vulnerability report
diff --git a/src/controller/p2p/preheat/enforcer_test.go b/src/controller/p2p/preheat/enforcer_test.go
index ee9f9a047b22..384031e0a2f0 100644
--- a/src/controller/p2p/preheat/enforcer_test.go
+++ b/src/controller/p2p/preheat/enforcer_test.go
@@ -111,6 +111,7 @@ func (suite *EnforcerTestSuite) SetupSuite() {
 context.TODO(),
 mock.AnythingOfType("*artifact.Artifact"),
 mock.AnythingOfType("models.CVESet"),
+ mock.AnythingOfType("bool"),
 ).Return(&scan.Vulnerable{Severity: &low, ScanStatus: "Success"}, nil)
 
 fakeProCtl := &project.Controller{}
diff --git a/src/controller/scan/base_controller.go b/src/controller/scan/base_controller.go
index dccea957f6bd..c27e91283657 100644
--- a/src/controller/scan/base_controller.go
+++ b/src/controller/scan/base_controller.go
@@ -755,7 +755,7 @@ func (bc *basicController) DeleteReports(ctx context.Context, digests ...string)
 return nil
 }
 
-func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error) {
+func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error) {
 if artifact == nil {
 return nil, errors.New("no way to get vulnerable for nil artifact")
 }
@@ -815,18 +815,26 @@ func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artif
 var severity vuln.Severity
 
- for _, v := range vuls {
- if allowlist.Contains(v.ID) {
- // Append the by passed CVEs specified in the allowlist
- vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)
+ if allowlistIsExpired {
+ for _, v := range vuls {
+ if severity == "" || v.Severity.Code() > severity.Code() {
+ severity = v.Severity
+ }
+ }
+ } else {
+ for _, v := range vuls {
+ if allowlist.Contains(v.ID) {
+ // Append the by passed CVEs specified in the allowlist
+ vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)
 
- vulnerable.VulnerabilitiesCount--
+ vulnerable.VulnerabilitiesCount--
 
- continue
- }
+ continue
+ }
 
- if severity == "" || v.Severity.Code() > severity.Code() {
- severity = v.Severity
+ if severity == "" || v.Severity.Code() > severity.Code() {
+ severity = v.Severity
+ }
 }
 }
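Review bot: The `if allowlistIsExpired` branch added in the second hunk of base_controller.go repeats the max-severity loop verbatim instead of expressing the intent, which is that an expired allowlist bypasses nothing; a single loop guarded by `if !allowlistIsExpired && allowlist.Contains(v.ID) {` with a why-comment `// an expired allowlist grants no bypass: every CVE is reported and counted` keeps the two paths from drifting apart. The observable effect of the new flag — `CVEBypassed` stays empty and `VulnerabilitiesCount` is not decremented — should be stated in a doc comment on `GetVulnerable` at the first hunk, because the interface comment in controller.go only says "whether the allowlist is expired". Expiry is decided by each caller rather than inside `GetVulnerable`, and the mock in src/testing/controller/scan accepts any bool, so a test that pins the expired path (an allowlisted CVE with the flag true still contributes to severity and count) would guard the enforcement against a caller passing the wrong value. The body of `GetVulnerable` starts at the first hunk and continues past the end of the second, whose trailing context lines are not shown here.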
diff --git a/src/controller/scan/controller.go b/src/controller/scan/controller.go
index 47b47ccdb164..5029a7dcc3fe 100644
--- a/src/controller/scan/controller.go
+++ b/src/controller/scan/controller.go
@@ -120,9 +120,11 @@ type Controller interface {
 // Arguments:
 // ctx context.Context : the context for this method
 // artifact *artifact.Artifact : artifact to be scanned
+ // allowlist map[string]struct{} : the set of CVE id of the items in the allowlist
+ // allowlistIsExpired bool : whether the allowlist is expired
 //
 // Returns
 // *Vulnerable : the vulnerable
 // error : non nil error if any errors occurred
- GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error)
+ GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error)
 }
diff --git a/src/server/middleware/vulnerable/vulnerable.go b/src/server/middleware/vulnerable/vulnerable.go
index d342cec7dd5b..5fbd52ebb119 100644
--- a/src/server/middleware/vulnerable/vulnerable.go
+++ b/src/server/middleware/vulnerable/vulnerable.go
@@ -94,7 +94,7 @@ func Middleware() func(http.Handler) http.Handler {
 projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())
 
- vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist)
+ vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist, proj.CVEAllowlist.IsExpired())
 if err != nil {
 if errors.IsNotFoundErr(err) {
 // No report yet?
diff --git a/src/testing/controller/scan/controller.go b/src/testing/controller/scan/controller.go
index 0ee8dd63fe28..7db296e62c5a 100644
--- a/src/testing/controller/scan/controller.go
+++ b/src/testing/controller/scan/controller.go
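Review bot: The new doc line describes `allowlist` as `map[string]struct{}` while the parameter on the line below is declared as `allowlist.CVESet`, so the comment and the signature disagree; write `// allowlist allowlist.CVESet : the set of CVE ids in the allowlist`. The `allowlistIsExpired` line should state the effect rather than only the meaning, since the implementation in base_controller.go reports and counts every CVE when it is true: `// allowlistIsExpired bool : when true the allowlist is ignored, nothing is bypassed and the count is not reduced`. The Controller interface continues outside the hunk.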
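Review bot: `proj.CVEAllowlist.IsExpired()` is evaluated on the project's own allowlist, while the `allowlist` set passed next to it is built above the hunk; if that set can be taken from the system allowlist when the project is configured to reuse it, the expiry of one list would gate the CVEs of another, and an expired system list could keep bypassing. Take both arguments from the same value — keep the allowlist the set was derived from and call `.CVESet()` and `.IsExpired()` on that one object — or add a comment above the call explaining why the project list's expiry is the right one to consult. Expiry is now decided per request at call time, so clock skew between replicas or a stale cached project could let the same artifact pass on one node and be blocked on another; a log line when a bypass is refused because the allowlist expired would make such cases visible in the audit trail. `Middleware` starts and ends outside the hunk.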
@@ -111,13 +111,13 @@ func (_m *Controller) GetSummary(ctx context.Context, _a1 *artifact.Artifact, mi
 return r0, r1
 }
 
-// GetVulnerable provides a mock function with given fields: ctx, _a1, allowlist
-func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact, allowlist models.CVESet) (*scan.Vulnerable, error) {
- ret := _m.Called(ctx, _a1, allowlist)
+// GetVulnerable provides a mock function with given fields: ctx, _a1, allowlist, allowlistIsExpired
+func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact, allowlist models.CVESet, allowlistIsExpired bool) (*scan.Vulnerable, error) {
+ ret := _m.Called(ctx, _a1, allowlist, allowlistIsExpired)
 
 var r0 *scan.Vulnerable
- if rf, ok := ret.Get(0).(func(context.Context, *artifact.Artifact, models.CVESet) *scan.Vulnerable); ok {
- r0 = rf(ctx, _a1, allowlist)
+ if rf, ok := ret.Get(0).(func(context.Context, *artifact.Artifact, models.CVESet, bool) *scan.Vulnerable); ok {
+ r0 = rf(ctx, _a1, allowlist, allowlistIsExpired)
 } else {
 if ret.Get(0) != nil {
 r0 = ret.Get(0).(*scan.Vulnerable)
@@ -125,8 +125,8 @@ func (_m *Controller) GetVulnerable(ctx context.Context, _a1 *artifact.Artifact,
 }
 
 var r1 error
- if rf, ok := ret.Get(1).(func(context.Context, *artifact.Artifact, models.CVESet) error); ok {
- r1 = rf(ctx, _a1, allowlist)
+ if rf, ok := ret.Get(1).(func(context.Context, *artifact.Artifact, models.CVESet, bool) error); ok {
+ r1 = rf(ctx, _a1, allowlist, allowlistIsExpired)
 } else {
 r1 = ret.Error(1)
 }