foreman_cve_scanner 0.5.0 → 0.6.0

data/app/services/foreman_cve_scanner/scan_importer.rb

@@ -9,7 +9,7 @@ module ForemanCveScanner
 
     def import_for_host!(host)
       scan_json = format_output(@job_output)
-      return nil if scan_json.nil?
+      raise ::Foreman::Exception, _('CVE scan output did not contain JSON content') if scan_json.nil?
 
       scanner_name = ::ForemanCveScanner::CveReportScanner.detect_scanner(scan_json)
       persist_scan!(host, scanner_name, scan_json)
@@ -32,12 +32,14 @@ module ForemanCveScanner
     end
 
     def extract_json(output_source)
-      output = output_source.to_s.each_line(chomp: true)
-                            .drop_while { |line| !line.start_with?('===START') }
-                            .drop(1)
-                            .take_while { |line| !line.start_with?('===END') }
-                            .reject(&:empty?)
-                            .join
+      lines = output_source.to_s.each_line(chomp: true).to_a
+      return nil unless lines.include?('===START') && lines.include?('===END')
+
+      output = lines.drop_while { |line| !line.start_with?('===START') }
+                    .drop(1)
+                    .take_while { |line| !line.start_with?('===END') }
+                    .reject(&:empty?)
+                    .join
       output.strip
     end
 
@@ -63,6 +65,7 @@ module ForemanCveScanner
         build_scan_attributes(host, scanner_name, scan_json, metrics, scanner)
       )
       refresh_host_status(host)
+      cleanup_old_scans(host)
       scan
     end
 
@@ -73,18 +76,13 @@ module ForemanCveScanner
       Rails.logger.error("CVE status refresh failed for host_id=#{host.id}: #{e}")
     end
 
-    def worst_severity(metrics)
-      %w[critical high medium low].each do |severity|
-        return severity if metrics[severity].to_i.positive?
-      end
-      'none'
-    end
-
     def build_scan_attributes(host, scanner_name, scan_json, metrics, scanner)
-      summary = metrics.merge('worst' => worst_severity(metrics))
+      summary = metrics.merge('worst' => ::ForemanCveScanner::CveScan.worst_severity(metrics))
       {
         host: host,
         scanner: scanner_name,
+        source: 'rex',
+        scanned_at: Time.current,
         raw: scan_json,
         summary: summary,
         findings: build_findings(scanner),
@@ -101,5 +99,9 @@ module ForemanCveScanner
         entry.merge('id' => id)
       end
     end
+
+    def cleanup_old_scans(host)
+      ::ForemanCveScanner::ScanCleanup.new(scope: host.cve_scans).cleanup!
+    end
   end
 end

data/app/views/api/v2/cve_scans/base.json.rabl

@@ -2,4 +2,4 @@
 
 object @cve_scan
 
-attributes :id, :host_id, :scanner, :created_at, :total, :critical, :high, :medium, :low, :summary
+attributes :id, :host_id, :scanner, :source, :scanned_at, :created_at, :total, :critical, :high, :medium, :low, :summary

data/app/views/api/v2/cve_scans/main.json.rabl

@@ -4,4 +4,4 @@ object @cve_scan
 
 extends 'api/v2/cve_scans/base'
 
-attributes :findings, :created_at, :updated_at
+attributes :findings, :updated_at

data/app/views/foreman_cve_scanner/job_templates/install_cve_scanners.erb

@@ -43,13 +43,13 @@ end
 case @host.architecture.to_s
 when 'x86_64'
   trivy_arch = 'Linux-64bit'
-  grype_arch = 'linux-amd64'
+  grype_arch = 'linux_amd64'
 when 'ppc64le'
   trivy_arch = 'Linux-PPC64LE'
-  grype_arch = 'linux-ppc64le'
+  grype_arch = 'linux_ppc64le'
 when 'aarch64'
   trivy_arch = 'Linux-ARM64'
-  grype_arch = 'linux-arm64'
+  grype_arch = 'linux_arm64'
 else
   raise("Architecture '#{@host.architecture}' not supported by template #{template_name}")
 end
@@ -59,13 +59,26 @@ grype_url = "https://github.com/anchore/grype/releases/download/v#{grype_version
 
 case @host.operatingsystem.family
 when 'Debian'
-  trivy_install_cmd = "wget -o /tmp/outfile.deb #{trivy_url} && dpkg -i /tmp/outfile.deb; rm -f /tmp/outfile.deb"
-  grype_install_cmd = "wget -o /tmp/outfile.deb #{grype_url} && dpkg -i /tmp/outfile.deb; rm -f /tmp/outfile.deb"
+  trivy_download_cmd = "wget -O /tmp/trivy.deb \"#{trivy_url}\""
+  grype_download_cmd = "wget -O /tmp/grype.deb \"#{grype_url}\""
+  trivy_install_cmd = "dpkg -i /tmp/trivy.deb"
+  grype_install_cmd = "dpkg -i /tmp/grype.deb"
+  trivy_cleanup_cmd = "rm -f /tmp/trivy.deb"
+  grype_cleanup_cmd = "rm -f /tmp/grype.deb"
 when 'Redhat', 'Suse'
-  trivy_install_cmd = "rpm -ivh #{trivy_url}"
-  grype_install_cmd = "rpm -ivh #{grype_url}"
+  trivy_install_cmd = "rpm -ivh \"#{trivy_url}\""
+  grype_install_cmd = "rpm -ivh \"#{grype_url}\""
 end
 -%>
 
-<%= trivy_install_cmd if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'trivy' %>
-<%= grype_install_cmd if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'grype' %>
+<% if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'trivy' -%>
+<%= trivy_download_cmd unless trivy_install_cmd.nil? %>
+<%= trivy_install_cmd %>
+<%= trivy_cleanup_cmd unless trivy_cleanup_cmd.nil? %>
+<% end -%>
+
+<% if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'grype' -%>
+<%= grype_download_cmd unless grype_download_cmd.nil? %>
+<%= grype_install_cmd %>
+<%= grype_cleanup_cmd unless grype_cleanup_cmd.nil? %>
+<% end %>

data/app/views/foreman_cve_scanner/job_templates/run_cve_scanner.erb

@@ -29,16 +29,16 @@ template_inputs:
   default: /
   hidden_value: false
 - name: scanner
-  required: true
+  required: false
   input_type: user
   options: "trivy\r\ngrype"
   advanced: false
   value_type: plain
-  default: trivy
   hidden_value: false
 %>
 <%
-scanner = input('scanner')
+scanner = input('scanner').to_s.strip
+scanner = foreman_cve_scanner('preferred_scanner') if scanner.empty?
 target = input('target').to_sym
 path = input('path')
 options = input('options').to_s
@@ -69,5 +69,7 @@ exit 1
 <% else -%>
 echo "===START"
 <%= exec_command %>
+rc=$?
 echo "===END"
+exit $rc
 <% end -%>

data/config/routes.rb

@@ -8,9 +8,14 @@ Rails.application.routes.draw do
                      constraints: ApiConstraints.new(version: 2, default: true) do
       constraints(host_id: %r{[^/]+}) do
         resources :hosts, only: [] do
-          resources :cve_scans, only: %i[index show] do
+          resources :cve_scans, only: %i[index show destroy] do
             collection do
+              post :import
               get :latest
+              get :compare
+            end
+            member do
+              get :export
             end
           end
         end

data/db/migrate/20260514080000_add_source_and_scanned_at_to_foreman_cve_scanner_cve_scans.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class AddSourceAndScannedAtToForemanCveScannerCveScans < ActiveRecord::Migration[6.1]
+  def up
+    add_column :foreman_cve_scanner_cve_scans, :source, :string
+    add_column :foreman_cve_scanner_cve_scans, :scanned_at, :datetime
+
+    execute <<~SQL.squish
+      UPDATE foreman_cve_scanner_cve_scans
+      SET source = 'rex', scanned_at = created_at
+      WHERE source IS NULL OR scanned_at IS NULL
+    SQL
+
+    change_column_null :foreman_cve_scanner_cve_scans, :source, false
+    change_column_null :foreman_cve_scanner_cve_scans, :scanned_at, false
+
+    add_index :foreman_cve_scanner_cve_scans, %i[host_id scanned_at],
+      order: { scanned_at: :desc }
+  end
+
+  def down
+    remove_index :foreman_cve_scanner_cve_scans, %i[host_id scanned_at]
+    remove_column :foreman_cve_scanner_cve_scans, :scanned_at
+    remove_column :foreman_cve_scanner_cve_scans, :source
+  end
+end

data/lib/foreman_cve_scanner/engine.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'foreman_remote_execution'
+require 'foreman_cve_scanner/template_helpers'
 
 module ForemanCveScanner
   # Rails engine for the Foreman CVE Scanner plugin.
@@ -15,20 +16,7 @@ module ForemanCveScanner
 
     initializer 'foreman_cve_scanner.register_plugin', before: :finisher_hook do |app|
       app.reloader.to_prepare do
-        Foreman::Plugin.register :foreman_cve_scanner do
-          requires_foreman '>= 3.13'
-          register_global_js_file 'fills'
-
-          apipie_documented_controllers ["#{ForemanCveScanner::Engine.root}/app/controllers/api/v2/*.rb"]
-
-          security_block :foreman_cve_scanner do
-            permission :view_cve_scans,
-              { 'api/v2/cve_scans': %i[index latest show destroy] },
-              resource_type: 'Host'
-          end
-
-          add_all_permissions_to_default_roles
-        end
+        ForemanCveScanner::Engine.register_plugin
       end
     end
 
@@ -38,6 +26,7 @@ module ForemanCveScanner
       Host::Managed.include ForemanCveScanner::HostExtensions
       require_dependency 'host_status/cve_status'
       HostStatus.status_registry.add(HostStatus::CveStatus)
+      ForemanCveScanner::Engine.register_katello_integration
       ForemanCveScanner::Engine.register_rex_features
     end
 
@@ -50,10 +39,72 @@ module ForemanCveScanner
     def self.register_rex_features
       RemoteExecutionFeature.register(
         :run_cve_scan,
-        N_('Run a CVE scan on a host'),
-        description: N_('Run CVE scan on host'),
-        host_action_button: true
+        N_('Run CVE scan'),
+        description: N_('Run CVE scan'),
+        host_action_button: true,
+        provided_inputs: %w[scanner]
       )
     end
+
+    def self.register_plugin
+      Foreman::Plugin.register :foreman_cve_scanner do
+        requires_foreman '>= 3.13'
+        register_global_js_file 'fills'
+        apipie_documented_controllers ForemanCveScanner::Engine.documented_controllers
+        extend_template_helpers ForemanCveScanner::TemplateHelpers
+        ForemanCveScanner::Engine.register_settings(self)
+        ForemanCveScanner::Engine.register_permissions(self)
+        add_all_permissions_to_default_roles
+      end
+    end
+
+    def self.documented_controllers
+      ["#{ForemanCveScanner::Engine.root}/app/controllers/api/v2/*.rb"]
+    end
+
+    def self.register_katello_integration
+      return unless Foreman::Plugin.installed?(:katello)
+      return unless defined?(::Katello::Host::ProfilesUploader)
+      ::Katello::Host::ProfilesUploader.prepend(ForemanCveScanner::ProfilesUploader)
+    end
+
+    def self.register_settings(plugin)
+      plugin.settings do
+        category :foreman_cve_scanner, N_('CVE Scanner') do
+          setting 'preferred_cve_scanner',
+            type: :string,
+            default: 'trivy',
+            full_name: N_('Preferred CVE scanner'),
+            description: N_('Default scanner used by the Run CVE scan job template.')
+          setting 'run_cve_scan_after_host_profiles_upload',
+            type: :boolean,
+            default: false,
+            full_name: N_('Run CVE scan after host profiles upload'),
+            description: N_('When Katello is installed, schedule a CVE scan after a host profiles upload completes.')
+          setting 'cve_scan_delete_after_days',
+            type: :integer,
+            default: 90,
+            full_name: N_('Delete CVE scans after X days'),
+            description: N_(
+              'Delete CVE scans older than the configured number of days. ' \
+              'Set to 0 to disable automatic cleanup.'
+            )
+        end
+      end
+    end
+
+    def self.register_permissions(plugin)
+      plugin.security_block :foreman_cve_scanner do
+        permission :view_cve_scans,
+          { 'api/v2/cve_scans': %i[index latest show export compare] },
+          resource_type: 'Host'
+        permission :import_cve_scans,
+          { 'api/v2/cve_scans': %i[import] },
+          resource_type: 'Host'
+        permission :destroy_cve_scans,
+          { 'api/v2/cve_scans': %i[destroy] },
+          resource_type: 'Host'
+      end
+    end
   end
 end

data/lib/foreman_cve_scanner/template_helpers.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ForemanCveScanner
+  module TemplateHelpers
+    extend ApipieDSL::Class
+
+    apipie :class, 'Macros related to Foreman CVE Scanner templates' do
+      name 'Foreman CVE Scanner'
+      sections only: %w[all jobs]
+    end
+
+    apipie :method, 'Returns values from Foreman CVE Scanner plugin settings' do
+      desc 'Use this macro in templates to access CVE Scanner settings in safe mode'
+      param :setting_name, String, desc: 'Setting name to resolve'
+      returns String, desc: 'Value of the requested CVE Scanner setting'
+      raises error: 'Foreman::Exception', desc: 'Raised when an unknown setting name is requested'
+      example "foreman_cve_scanner('preferred_scanner') #=> 'trivy'"
+    end
+    def foreman_cve_scanner(setting_name)
+      case setting_name.to_s
+      when 'preferred_scanner'
+        Setting[:preferred_cve_scanner]
+      else
+        raise ::Foreman::Exception, _('Unknown Foreman CVE Scanner template setting')
+      end
+    end
+  end
+end

data/lib/foreman_cve_scanner/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanCveScanner
-  VERSION = '0.5.0'
+  VERSION = '0.6.0'
 end

data/lib/tasks/foreman_cve_scanner_tasks.rake

@@ -14,3 +14,14 @@ namespace :test do
 end
 
 Rake::Task[:test].enhance ['test:foreman_cve_scanner']
+
+namespace :foreman_cve_scanner do
+  desc 'Delete old CVE scans using the configured retention or a DAYS override'
+  task cleanup_scans: :environment do
+    override = ENV['DAYS']
+    deleted = ForemanCveScanner::ScanCleanup.new(days: override.presence).cleanup!
+    basis = override.present? ? "DAYS=#{override}" : 'the configured retention'
+
+    puts "Deleted #{deleted} CVE scans using #{basis}."
+  end
+end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "foreman_cve_scanner",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "description": "Run CVE scan on host and collect report",
   "main": "webpack/index.js",
   "directories": {