foreman_cve_scanner 0.0.2 → 0.5.0

data/lib/foreman_cve_scanner/engine.rb

@@ -1,21 +1,43 @@
+# frozen_string_literal: true
+
 require 'foreman_remote_execution'
 
 module ForemanCveScanner
+  # Rails engine for the Foreman CVE Scanner plugin.
   class Engine < ::Rails::Engine
     engine_name 'foreman_cve_scanner'
 
-    initializer 'foreman_cve_scanner.register_plugin', :before => :finisher_hook do |app|
+    initializer 'foreman_cve_scanner.load_app_instance_data' do |app|
+      ForemanCveScanner::Engine.paths['db/migrate'].existent.each do |path|
+        app.config.paths['db/migrate'] << path
+      end
+    end
+
+    initializer 'foreman_cve_scanner.register_plugin', before: :finisher_hook do |app|
       app.reloader.to_prepare do
         Foreman::Plugin.register :foreman_cve_scanner do
           requires_foreman '>= 3.13'
-          register_report_scanner ForemanCveScanner::CveReportScanner
-          register_report_origin 'CveScanner', 'ConfigReport'
+          register_global_js_file 'fills'
+
+          apipie_documented_controllers ["#{ForemanCveScanner::Engine.root}/app/controllers/api/v2/*.rb"]
+
+          security_block :foreman_cve_scanner do
+            permission :view_cve_scans,
+              { 'api/v2/cve_scans': %i[index latest show destroy] },
+              resource_type: 'Host'
+          end
+
+          add_all_permissions_to_default_roles
         end
       end
     end
 
     # Include concerns in this config.to_prepare block
     config.to_prepare do
+      require_dependency 'foreman_cve_scanner/host_extensions'
+      Host::Managed.include ForemanCveScanner::HostExtensions
+      require_dependency 'host_status/cve_status'
+      HostStatus.status_registry.add(HostStatus::CveStatus)
       ForemanCveScanner::Engine.register_rex_features
     end
 

data/lib/foreman_cve_scanner/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ForemanCveScanner
-  VERSION = '0.0.2'.freeze
+  VERSION = '0.5.0'
 end

data/lib/foreman_cve_scanner.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 require 'foreman_cve_scanner/engine'
 
-module ForemanPluginTemplate
+# Foreman CVE Scanner plugin namespace.
+module ForemanCveScanner
 end

data/lib/tasks/foreman_cve_scanner_seeds.rake

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+namespace :foreman_cve_scanner do
+  desc 'Seed Foreman CVE Scanner job templates'
+  task seed_job_templates: :environment do
+    require Rails.root.join('lib/seed_helper')
+    require 'foreman_remote_execution'
+    paths = Dir["#{ForemanCveScanner::Engine.root}/app/views/foreman_cve_scanner/job_templates/*.erb"]
+    SeedHelper.import_templates(paths, 'ForemanCveScanner')
+    puts "Seeded #{paths.size} Foreman CVE Scanner job templates"
+  end
+end

data/lib/tasks/rubocop.rake

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+begin
+  require 'rubocop/rake_task'
+
+  test_patterns = [
+    "#{ForemanCveScanner::Engine.root}/*.gemspec",
+    "#{ForemanCveScanner::Engine.root}/*.rb",
+    "#{ForemanCveScanner::Engine.root}/app/**/*.rb",
+    "#{ForemanCveScanner::Engine.root}/config/**/*.rb",
+    "#{ForemanCveScanner::Engine.root}/db/**/*.rb",
+    "#{ForemanCveScanner::Engine.root}/lib/**/*.rake",
+    "#{ForemanCveScanner::Engine.root}/lib/**/*.rb",
+    "#{ForemanCveScanner::Engine.root}/test/**/*.rb",
+  ]
+
+  namespace :foreman_cve_scanner do
+    desc 'Runs Rubocop style checker'
+    RuboCop::RakeTask.new(:rubocop) do |task|
+      task.patterns = test_patterns
+    end
+
+    desc 'Runs Rubocop style checker with xml output for Jenkins'
+    RuboCop::RakeTask.new('rubocop:jenkins') do |task|
+      task.patterns = test_patterns
+      task.requires = ['rubocop/formatter/checkstyle_formatter']
+      task.formatters = ['RuboCop::Formatter::CheckstyleFormatter']
+      task.options = ['--no-color', '--out', 'rubocop.xml']
+    end
+  end
+rescue LoadError
+  # 'Rubocop not loaded.'
+end

data/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "foreman_cve_scanner",
+  "version": "0.5.0",
+  "description": "Run CVE scan on host and collect report",
+  "main": "webpack/index.js",
+  "directories": {
+    "lib": "lib",
+    "test": "test"
+  },
+  "scripts": {
+    "lint": "tfm-lint --plugin -d /webpack",
+    "test": "tfm-test --plugin",
+    "create-react-component": "yo react-domain"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+ssh://git@github.com/ATIX-AG/foreman_cve_scanner.git"
+  },
+  "peerDependencies": {
+    "@theforeman/vendor": ">= 8.16.0"
+  },
+  "devDependencies": {
+    "@babel/core": "^7.7.0",
+    "@theforeman/builder": "^15.0.0",
+    "@theforeman/eslint-plugin-foreman": "^15.0.0",
+    "@theforeman/find-foreman": "^15.0.0",
+    "@theforeman/vendor-dev": "^15.0.0",
+    "babel-eslint": ">= 10.0.3",
+    "eslint": "^6.7.2",
+    "eslint-plugin-react": ">= 7.27.1",
+    "eslint-plugin-react-hooks": ">= 4.3.0",
+    "eslint-plugin-spellcheck": ">= 0.0.17",
+    "prettier": "^1.19.1"
+  },
+  "keywords": [
+    "CVE",
+    "Trivy",
+    "Grype",
+    "security",
+    "Foreman"
+  ],
+  "author": "ATIX AG",
+  "license": "GPL-3.0",
+  "bugs": {
+    "url": "https://github.com/ATIX-AG/foreman_cve_scanner/issues"
+  },
+  "homepage": "https://github.com/ATIX-AG/foreman_cve_scanner#readme"
+}

data/test/actions/foreman_cve_scanner/cve_scanner_job_test.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanCveScanner
+  class CveScannerJobTest < ActiveSupport::TestCase
+    def setup
+      @host = FactoryBot.create(:host)
+    end
+
+    test 'format_output parses json between markers across proxy output entries' do
+      job_output = {
+        'proxy_output' => {
+          'result' => [
+            { 'output_type' => 'stdout', 'output' => "===START\n{\"key\":" },
+            { 'output_type' => 'stdout', 'output' => "1}\n===END\n" },
+          ],
+        },
+      }
+
+      importer = ForemanCveScanner::ScanImporter.new(job_output)
+      parsed = importer.send(:format_output, job_output)
+
+      assert_equal({ 'key' => 1 }, parsed)
+    end
+
+    test 'persist_scan! stores scan and metrics' do
+      scan_json = JSON.parse(
+        File.read(File.join(ForemanCveScanner::Engine.root, 'test/fixtures/trivy.json'))
+      )
+
+      importer = ForemanCveScanner::ScanImporter.new('')
+      scan = importer.send(:persist_scan!, @host, 'trivy', scan_json)
+
+      assert scan.persisted?
+      assert scan.total.positive?
+      assert_equal @host.id, scan.host_id
+    end
+
+    test 'import_for_host! creates scan from rex output' do
+      output = [
+        '===START',
+        File.read(File.join(ForemanCveScanner::Engine.root, 'test/fixtures/trivy.json')),
+        '===END',
+      ].join("\n")
+
+      importer = ForemanCveScanner::ScanImporter.new(output)
+      scan = importer.import_for_host!(@host)
+
+      assert scan.persisted?
+      assert_equal @host.id, scan.host_id
+    end
+  end
+end

data/test/controllers/api/v2/cve_scans_controller_test.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module Api
+  module V2
+    class CveScansControllerTest < ActionController::TestCase
+      def setup
+        @host = FactoryBot.create(:host)
+        @scan_old = create_scan(created_at: 2.hours.ago, total: 1, low: 1)
+        @scan_new = create_scan(created_at: 1.hour.ago, total: 2, high: 2)
+      end
+
+      test 'index returns scans for host' do
+        get :index, params: { host_id: @host.id }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_not_nil body['results']
+        assert_equal 2, body['results'].size
+      end
+
+      test 'latest returns most recent scan' do
+        get :latest, params: { host_id: @host.id }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_equal @scan_new.id, body['id']
+      end
+
+      test 'show returns scan by id' do
+        get :show, params: { host_id: @host.id, id: @scan_old.id }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_equal @scan_old.id, body['id']
+      end
+
+      test 'index returns not found for unknown host' do
+        get :index, params: { host_id: 'does-not-exist' }
+        assert_response :not_found
+      end
+
+      test 'latest returns no content when no scans exist' do
+        ForemanCveScanner::CveScan.delete_all
+
+        get :latest, params: { host_id: @host.id }
+        assert_response :no_content
+      end
+
+      private
+
+      # rubocop:disable Metrics/MethodLength
+      def create_scan(options = {})
+        defaults = {
+          created_at: Time.now.utc,
+          total: 0,
+          critical: 0,
+          high: 0,
+          medium: 0,
+          low: 0,
+        }
+        options = defaults.merge(options)
+        ForemanCveScanner::CveScan.create!(
+          host: @host,
+          scanner: 'trivy',
+          created_at: options[:created_at],
+          raw: { 'dummy' => true },
+          summary: { 'worst' => 'low' },
+          findings: [{ 'id' => 'CVE-0000-0000' }],
+          total: options[:total],
+          critical: options[:critical],
+          high: options[:high],
+          medium: options[:medium],
+          low: options[:low]
+        )
+      end
+      # rubocop:enable Metrics/MethodLength
+    end
+  end
+end

data/test/models/host_status/cve_status_test.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module HostStatus
+  class CveStatusTest < ActiveSupport::TestCase
+    def setup
+      @host = FactoryBot.create(:host)
+    end
+
+    test 'no scans returns warning status' do
+      status = @host.get_status(HostStatus::CveStatus)
+      assert_equal 'No CVE scans', status.to_label
+      assert_equal HostStatus::Global::WARN, status.to_global
+      assert_equal 0, status.to_status
+    end
+
+    test 'critical or high scan returns error status' do
+      create_scan(critical: 1, high: 0, medium: 0, low: 0)
+      status = @host.get_status(HostStatus::CveStatus)
+      assert_equal 'Critical or high CVEs', status.to_label
+      assert_equal HostStatus::Global::ERROR, status.to_global
+      assert_equal 3, status.to_status
+    end
+
+    test 'medium scan returns warn status' do
+      create_scan(critical: 0, high: 0, medium: 2, low: 0)
+      status = @host.get_status(HostStatus::CveStatus)
+      assert_equal 'Medium CVEs', status.to_label
+      assert_equal HostStatus::Global::WARN, status.to_global
+      assert_equal 2, status.to_status
+    end
+
+    test 'low scan returns ok status' do
+      create_scan(critical: 0, high: 0, medium: 0, low: 1)
+      status = @host.get_status(HostStatus::CveStatus)
+      assert_equal 'Low CVEs', status.to_label
+      assert_equal HostStatus::Global::OK, status.to_global
+      assert_equal 1, status.to_status
+    end
+
+    test 'status is registered in registry' do
+      assert_includes HostStatus.status_registry, HostStatus::CveStatus
+    end
+
+    private
+
+    def create_scan(critical:, high:, medium:, low:)
+      total = critical + high + medium + low
+      ForemanCveScanner::CveScan.create!(
+        host: @host,
+        scanner: 'trivy',
+        created_at: Time.now.utc,
+        raw: { 'dummy' => true },
+        summary: { 'worst' => 'low' },
+        findings: [{ 'id' => 'CVE-0000-0000' }],
+        total: total,
+        critical: critical,
+        high: high,
+        medium: medium,
+        low: low
+      )
+    end
+  end
+end

data/test/services/foreman_cve_scanner/cve_report_scanner_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_plugin_helper'
 
 module ForemanCveScanner
@@ -5,9 +7,9 @@ module ForemanCveScanner
     test 'should identify as cve scan' do
       raw = {
         'reporter' => 'cve_scan',
-        'scan' => JSON.parse(File.read(File.join(ForemanCveScanner::Engine.root, 'test/fixtures/grype.json')))
+        'scan' => JSON.parse(File.read(File.join(ForemanCveScanner::Engine.root, 'test/fixtures/grype.json'))),
       }
-      assert_equal ForemanCveScanner::CveReportScanner.identify_origin(raw), 'CveScanner'
+      assert_equal('CveScanner', ForemanCveScanner::CveReportScanner.identify_origin(raw))
     end
 
     test 'should raise an exception if invalid report' do
@@ -18,26 +20,52 @@ module ForemanCveScanner
 
     test 'trivy scan has valid data' do
       data = JSON.parse(File.read(File.join(ForemanCveScanner::Engine.root, 'test/fixtures/trivy.json')))
-      raw = {
-        'reporter' => 'cve_scan',
-        'scan' => data
-      }
-      ForemanCveScanner::CveReportScanner.add_reporter_data(nil, raw)
-      assert_equal raw['logs'].count, 10
-      assert_equal raw['logs'][0]['log']['level'], 'info'
-      assert_equal raw['logs'][0]['log']['messages']['message'], 'CVE-2020-12762: json-c, libfastjson: integer overflow and out-of-bounds write via a large JSON file # url: https://avd.aquasec.com/nvd/cve-2020-12762'
+      scanner = ForemanCveScanner::CveReportScanner.new('scan' => data)
+      scanner.generate
+      assert_equal(10, scanner.logs.count)
+      assert_equal('info', scanner.logs[0]['log']['level'])
+      expected_message = [
+        'CVE-2020-12762: json-c, libfastjson: integer overflow and out-of-',
+        'bounds write via a large JSON file # url: ',
+        'https://avd.aquasec.com/nvd/cve-2020-12762',
+      ].join
+      assert_equal scanner.logs[0]['log']['messages']['message'], expected_message
     end
 
     test 'grype scan has valid data' do
       data = JSON.parse(File.read(File.join(ForemanCveScanner::Engine.root, 'test/fixtures/grype.json')))
-      raw = {
-        'reporter' => 'cve_scan',
-        'scan' => data
+      scanner = ForemanCveScanner::CveReportScanner.new('scan' => data)
+      scanner.generate
+      assert_equal(18, scanner.logs.count)
+      first_severity = data.dig('matches', 0, 'vulnerability', 'severity')
+      expected_level = expected_level_for(first_severity)
+      assert_equal scanner.logs[0]['log']['level'], expected_level
+      expected_message = [
+        'CVE-2007-0086: The Apache HTTP Server, when accessed through a TCP ',
+        'connection with a large window size, allows remote attackers to cause ',
+        'a denial of service (network bandwidth consumption) via a Range header ',
+        'that specifies multiple copies of the same fragment. # url: ',
+        'https://nvd.nist.gov/vuln/detail/CVE-2007-0086',
+      ].join
+      assert_equal scanner.logs[0]['log']['messages']['message'], expected_message
+    end
+
+    test 'detect_scanner returns expected scanner names' do
+      assert_equal 'grype', ForemanCveScanner::CveReportScanner.detect_scanner('matches' => [])
+      assert_equal 'trivy', ForemanCveScanner::CveReportScanner.detect_scanner('Results' => [])
+      assert_equal 'unknown', ForemanCveScanner::CveReportScanner.detect_scanner('foo' => 'bar')
+    end
+
+    private
+
+    def expected_level_for(severity)
+      map = {
+        'CRITICAL' => 'err',
+        'HIGH' => 'warning',
+        'MEDIUM' => 'info',
+        'LOW' => 'debug',
       }
-      ForemanCveScanner::CveReportScanner.add_reporter_data(nil, raw)
-      assert_equal raw['logs'].count, 18
-      assert_equal raw['logs'][0]['log']['level'], 'info'
-      assert_equal raw['logs'][0]['log']['messages']['message'], 'CVE-2007-0086: The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. # url: https://nvd.nist.gov/vuln/detail/CVE-2007-0086'
+      map.fetch(severity.to_s.strip.upcase, 'info')
     end
   end
 end

data/test/services/foreman_cve_scanner/scan_importer_test.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanCveScanner
+  class ScanImporterTest < ActiveSupport::TestCase
+    def setup
+      @host = FactoryBot.create(:host)
+    end
+
+    test 'import_for_host! persists scan from trivy output' do
+      output = wrap_output(load_fixture('trivy.json'))
+      importer = ForemanCveScanner::ScanImporter.new(output)
+
+      count_before = ForemanCveScanner::CveScan.count
+      scan = importer.import_for_host!(@host)
+
+      assert_equal count_before + 1, ForemanCveScanner::CveScan.count
+      assert_not_nil scan
+      assert_equal @host.id, scan.host_id
+      assert_equal 'trivy', scan.scanner
+    end
+
+    test 'import_for_host! sets totals and findings for trivy output' do
+      output = wrap_output(load_fixture('trivy.json'))
+      importer = ForemanCveScanner::ScanImporter.new(output)
+
+      scan = importer.import_for_host!(@host)
+
+      assert_operator scan.total, :>, 0
+      assert_equal scan.total, scan.findings.count
+    end
+
+    test 'import_for_host! persists scan from proxy output' do
+      output = load_fixture('grype.json')
+      proxy_output = {
+        'proxy_output' => {
+          'result' => [
+            { 'output_type' => 'stdout', 'output' => "===START\n" },
+            { 'output_type' => 'stdout', 'output' => output },
+            { 'output_type' => 'stdout', 'output' => "\n===END\n" },
+          ],
+        },
+      }
+      importer = ForemanCveScanner::ScanImporter.new(proxy_output)
+
+      scan = importer.import_for_host!(@host)
+
+      assert_not_nil scan
+      assert_equal 'grype', scan.scanner
+      assert_operator scan.total, :>, 0
+    end
+
+    test 'import_for_host! returns nil when no json markers' do
+      importer = ForemanCveScanner::ScanImporter.new('no markers here')
+
+      scan = importer.import_for_host!(@host)
+
+      assert_nil scan
+    end
+
+    test 'import_for_host! returns nil when json is invalid' do
+      importer = ForemanCveScanner::ScanImporter.new("===START\n{bad\n===END")
+
+      scan = importer.import_for_host!(@host)
+
+      assert_nil scan
+    end
+
+    private
+
+    def load_fixture(name)
+      path = File.join(ForemanCveScanner::Engine.root, 'test/fixtures', name)
+      JSON.parse(File.read(path)).to_json
+    end
+
+    def wrap_output(json_text)
+      [
+        '===START',
+        json_text,
+        '===END',
+      ].join("\n")
+    end
+  end
+end

data/test/test_plugin_helper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # This calls the main test_helper in Foreman-core
 require 'test_helper'