Modified to check the expiration time of the allowlist when determini…

…ng the vulnerability of an artifact

src/controller/p2p/preheat/enforcer.go

@@ -483,7 +483,7 @@ func (de *defaultEnforcer) startTask(ctx context.Context, executionID int64, can
 
 // getVulnerabilitySev gets the severity code value for the given artifact with allowlist option set
 func (de *defaultEnforcer) getVulnerabilitySev(ctx context.Context, p *proModels.Project, art *artifact.Artifact) (uint, error) {
-	vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet())
+	vulnerable, err := de.scanCtl.GetVulnerable(ctx, art, p.CVEAllowlist.CVESet(), p.CVEAllowlist.IsExpired())
 	if err != nil {
 		if errors.IsNotFoundErr(err) {
 			// no vulnerability report

src/controller/p2p/preheat/enforcer_test.go

@@ -111,6 +111,7 @@ func (suite *EnforcerTestSuite) SetupSuite() {
 		context.TODO(),
 		mock.AnythingOfType("*artifact.Artifact"),
 		mock.AnythingOfType("models.CVESet"),
+		mock.AnythingOfType("models.IsExpired"),
 	).Return(&scan.Vulnerable{Severity: &low, ScanStatus: "Success"}, nil)
 
 	fakeProCtl := &project.Controller{}

src/controller/scan/base_controller.go

@@ -755,7 +755,7 @@ func (bc *basicController) DeleteReports(ctx context.Context, digests ...string)
 	return nil
 }
 
-func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error) {
+func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error) {
 	if artifact == nil {
 		return nil, errors.New("no way to get vulnerable for nil artifact")
 	}
@@ -815,18 +815,26 @@ func (bc *basicController) GetVulnerable(ctx context.Context, artifact *ar.Artif
 
 		var severity vuln.Severity
 
-		for _, v := range vuls {
-			if allowlist.Contains(v.ID) {
-				// Append the by passed CVEs specified in the allowlist
-				vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)
+		if allowlistIsExpired {
+			for _, v := range vuls {
+				if severity == "" || v.Severity.Code() > severity.Code() {
+					severity = v.Severity
+				}
+			}
+		} else {
+			for _, v := range vuls {
+				if allowlist.Contains(v.ID) {
+					// Append the by passed CVEs specified in the allowlist
+					vulnerable.CVEBypassed = append(vulnerable.CVEBypassed, v.ID)
 
-				vulnerable.VulnerabilitiesCount--
+					vulnerable.VulnerabilitiesCount--
 
-				continue
-			}
+					continue
+				}
 
-			if severity == "" || v.Severity.Code() > severity.Code() {
-				severity = v.Severity
+				if severity == "" || v.Severity.Code() > severity.Code() {
+					severity = v.Severity
+				}
 			}
 		}
 

src/controller/scan/controller.go

@@ -120,9 +120,11 @@ type Controller interface {
 	//   Arguments:
 	//     ctx context.Context : the context for this method
 	//     artifact *artifact.Artifact : artifact to be scanned
+	//     allowlist map[string]struct{} : the set of CVE id of the items in the allowlist
+	//     allowlistIsExpired bool : whether the allowlist is expired
 	//
 	//   Returns
 	//      *Vulnerable : the vulnerable
 	//     error        : non nil error if any errors occurred
-	GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet) (*Vulnerable, error)
+	GetVulnerable(ctx context.Context, artifact *artifact.Artifact, allowlist allowlist.CVESet, allowlistIsExpired bool) (*Vulnerable, error)
 }

src/server/middleware/vulnerable/vulnerable.go

@@ -94,7 +94,7 @@ func Middleware() func(http.Handler) http.Handler {
 
 		projectSeverity := vuln.ParseSeverityVersion3(proj.Severity())
 
-		vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist)
+		vulnerable, err := scanController.GetVulnerable(ctx, art, allowlist, proj.CVEAllowlist.IsExpired())
 		if err != nil {
 			if errors.IsNotFoundErr(err) {
 				// No report yet?