foreman_cve_scanner 0.5.0 → 0.6.0

data/test/services/foreman_cve_scanner/scan_comparison_test.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'test_plugin_helper'
+
+module ForemanCveScanner
+  class ScanComparisonTest < ActiveSupport::TestCase
+    def setup
+      @host = FactoryBot.create(:host)
+      @first_scan = create_scan(
+        scanned_at: 2.hours.ago,
+        findings: first_findings
+      )
+      @second_scan = create_scan(
+        scanned_at: 1.hour.ago,
+        findings: second_findings
+      )
+    end
+
+    test 'compare builds summary and result rows' do
+      comparison = ScanComparison.compare(@first_scan, @second_scan)
+      statuses = comparison[:results].to_h { |row| [row[:id], row] }
+
+      assert_equal 1, comparison[:summary]['updated']
+      assert_equal 1, comparison[:summary]['resolved']
+      assert_equal 1, comparison[:summary]['new']
+      assert_equal 'updated', statuses['CVE-1'][:status]
+      assert_equal(
+        { old: 'HIGH', new: 'CRITICAL' },
+        statuses['CVE-1'][:diff]['severity']
+      )
+    end
+
+    test 'compare includes previous and current scan metadata' do
+      comparison = ScanComparison.compare(@first_scan, @second_scan)
+
+      assert_equal @first_scan.id, comparison[:previous][:id]
+      assert_equal @second_scan.id, comparison[:current][:id]
+      assert_equal @first_scan.scanner, comparison[:previous][:scanner]
+      assert_equal @second_scan.scanner, comparison[:current][:scanner]
+    end
+
+    private
+
+    def finding(id, name, severity, version)
+      {
+        'id' => id,
+        'name' => name,
+        'severity' => severity,
+        'version' => version,
+      }
+    end
+
+    def first_findings
+      [
+        finding('CVE-1', 'openssl', 'HIGH', '1.0'),
+        finding('CVE-2', 'curl', 'LOW', '1.0'),
+      ]
+    end
+
+    def second_findings
+      [
+        finding('CVE-1', 'openssl', 'CRITICAL', '1.0'),
+        finding('CVE-3', 'glibc', 'HIGH', '1.0'),
+      ]
+    end
+
+    def create_scan(scanned_at:, findings:)
+      ForemanCveScanner::CveScan.create!(
+        host: @host,
+        scanner: 'trivy',
+        source: 'rex',
+        scanned_at: scanned_at,
+        raw: { 'dummy' => true },
+        summary: { 'worst' => 'high' },
+        findings: findings,
+        total: findings.size,
+        critical: findings.count { |finding| finding['severity'] == 'CRITICAL' },
+        high: findings.count { |finding| finding['severity'] == 'HIGH' },
+        medium: findings.count { |finding| finding['severity'] == 'MEDIUM' },
+        low: findings.count { |finding| finding['severity'] == 'LOW' }
+      )
+    end
+  end
+end

data/test/services/foreman_cve_scanner/scan_importer_test.rb

@@ -6,6 +6,11 @@ module ForemanCveScanner
   class ScanImporterTest < ActiveSupport::TestCase
     def setup
       @host = FactoryBot.create(:host)
+      @previous_retention = Setting[:cve_scan_delete_after_days]
+    end
+
+    def teardown
+      Setting[:cve_scan_delete_after_days] = @previous_retention
     end
 
     test 'import_for_host! persists scan from trivy output' do
@@ -19,6 +24,7 @@ module ForemanCveScanner
       assert_not_nil scan
       assert_equal @host.id, scan.host_id
       assert_equal 'trivy', scan.scanner
+      assert_equal 'rex', scan.source
     end
 
     test 'import_for_host! sets totals and findings for trivy output' do
@@ -29,6 +35,7 @@ module ForemanCveScanner
 
       assert_operator scan.total, :>, 0
       assert_equal scan.total, scan.findings.count
+      assert_not_nil scan.scanned_at
     end
 
     test 'import_for_host! persists scan from proxy output' do
@@ -51,20 +58,76 @@ module ForemanCveScanner
       assert_operator scan.total, :>, 0
     end
 
-    test 'import_for_host! returns nil when no json markers' do
+    test 'import_for_host! raises when no json markers' do
       importer = ForemanCveScanner::ScanImporter.new('no markers here')
 
+      assert_raises(::Foreman::Exception) do
+        importer.import_for_host!(@host)
+      end
+    end
+
+    test 'import_for_host! raises when json is invalid' do
+      importer = ForemanCveScanner::ScanImporter.new("===START\n{bad\n===END")
+
+      assert_raises(::Foreman::Exception) do
+        importer.import_for_host!(@host)
+      end
+    end
+
+    test 'import_for_host! raises when marker block is empty' do
+      importer = ForemanCveScanner::ScanImporter.new("===START\n===END")
+
+      assert_raises(::Foreman::Exception) do
+        importer.import_for_host!(@host)
+      end
+    end
+
+    test 'import_for_host! cleans up old scans for the host using retention setting' do
+      Setting[:cve_scan_delete_after_days] = 1
+      old_scan = ForemanCveScanner::CveScan.create!(
+        host: @host,
+        scanner: 'trivy',
+        source: 'rex',
+        scanned_at: 3.days.ago,
+        raw: { 'dummy' => true },
+        summary: { 'worst' => 'low' },
+        findings: [{ 'id' => 'CVE-0000-0000' }],
+        total: 1,
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 1
+      )
+      output = wrap_output(load_fixture('trivy.json'))
+      importer = ForemanCveScanner::ScanImporter.new(output)
+
       scan = importer.import_for_host!(@host)
 
-      assert_nil scan
+      assert_not_nil scan
+      assert_not ForemanCveScanner::CveScan.exists?(old_scan.id)
+      assert ForemanCveScanner::CveScan.exists?(scan.id)
     end
 
-    test 'import_for_host! returns nil when json is invalid' do
-      importer = ForemanCveScanner::ScanImporter.new("===START\n{bad\n===END")
+    test 'import_for_host! persists scan with zero findings' do
+      output = wrap_output(
+        {
+          'Results' => [
+            {
+              'Target' => '/',
+              'Class' => 'os-pkgs',
+            },
+          ],
+        }.to_json
+      )
+      importer = ForemanCveScanner::ScanImporter.new(output)
 
       scan = importer.import_for_host!(@host)
 
-      assert_nil scan
+      assert_not_nil scan
+      assert_equal 'trivy', scan.scanner
+      assert_empty scan.findings
+      assert_equal 0, scan.total
+      assert_equal 'none', scan.summary['worst']
     end
 
     private

data/webpack/components/CveCompareModal.js

@@ -0,0 +1,298 @@
+/* eslint-disable import/no-unresolved */
+/* eslint-disable camelcase */
+import React, { useEffect, useMemo, useState } from 'react';
+import PropTypes from 'prop-types';
+import {
+  Modal,
+  Button,
+  Text,
+  TextVariants,
+  SearchInput,
+} from '@patternfly/react-core';
+import {
+  Table,
+  Tbody,
+  Tr,
+  Th,
+  Thead,
+  Td,
+  SortByDirection,
+} from '@patternfly/react-table';
+import { useAPI } from 'foremanReact/common/hooks/API/APIHooks';
+import { foremanUrl } from 'foremanReact/common/helpers';
+import { translate as __ } from 'foremanReact/common/I18n';
+import { STATUS } from 'foremanReact/constants';
+import {
+  comparisonDiffEntries,
+  comparisonColumns,
+  comparisonFilters,
+  comparisonMatchesSearch,
+  comparisonSorters,
+  comparisonStatusLabels,
+  formatDateTime,
+  formatScanOrigin,
+  formatScannedAt,
+  normalizeSearchInputValue,
+} from './cve_helpers';
+import './cve_scans.scss';
+
+const CveCompareModal = ({ hostId, isOpen, onClose, scanIds }) => {
+  const [filter, setFilter] = useState('all');
+  const [search, setSearch] = useState('');
+  const [sortBy, setSortBy] = useState({
+    direction: SortByDirection.desc,
+    column: 'status',
+  });
+  const previousScanId = scanIds[0];
+  const currentScanId = scanIds[1];
+  const compareUrl =
+    isOpen && previousScanId && currentScanId
+      ? foremanUrl(
+          `/api/v2/hosts/${hostId}/cve_scans/compare?first_id=${previousScanId}&second_id=${currentScanId}`
+        )
+      : null;
+  const compareRequest = useAPI(isOpen ? 'get' : null, compareUrl, {
+    key: `CVE_COMPARE_${previousScanId}_${currentScanId}`,
+  });
+  useEffect(() => {
+    if (!isOpen) return;
+    setFilter('all');
+    setSearch('');
+    setSortBy({
+      direction: SortByDirection.desc,
+      column: 'status',
+    });
+  }, [currentScanId, isOpen, previousScanId]);
+
+  const comparison = compareRequest.response || {};
+  const previousScan = comparison.previous || {};
+  const currentScan = comparison.current || {};
+  const previousOrigin = formatScanOrigin(
+    previousScan.scanner,
+    previousScan.source
+  );
+  const currentOrigin = formatScanOrigin(
+    currentScan.scanner,
+    currentScan.source
+  );
+  const comparisonRows = useMemo(() => comparison.results || [], [
+    comparison.results,
+  ]);
+  const summary = comparison.summary || {};
+  const normalizedSearch = search.trim().toLowerCase();
+  const filteredRows = useMemo(() => {
+    let rows = comparisonRows;
+    if (filter !== 'all') {
+      rows = rows.filter(row => row.status === filter);
+    }
+    if (!normalizedSearch) return rows;
+    return rows.filter(row => comparisonMatchesSearch(row, normalizedSearch));
+  }, [comparisonRows, filter, normalizedSearch]);
+  const sortedRows = useMemo(() => {
+    const rows = [...filteredRows];
+    const sorter = comparisonSorters[sortBy.column] || comparisonSorters.status;
+    rows.sort((a, b) => {
+      const result = sorter(a, b);
+      return sortBy.direction === SortByDirection.asc ? result : -result;
+    });
+    return rows;
+  }, [filteredRows, sortBy]);
+  const status = compareRequest.status || STATUS.PENDING;
+  const subtitle =
+    previousScan.scanned_at && currentScan.scanned_at
+      ? `${formatScannedAt(previousScan.scanned_at)} -> ${formatScannedAt(
+          currentScan.scanned_at
+        )}`
+      : __('Compare CVE reports');
+
+  const onSort = column => {
+    const nextDirection =
+      sortBy.column === column && sortBy.direction === SortByDirection.asc
+        ? SortByDirection.desc
+        : SortByDirection.asc;
+    setSortBy({ column, direction: nextDirection });
+  };
+  const onSearchChange = (value, event) => {
+    setSearch(normalizeSearchInputValue(value, event));
+  };
+  const renderDiff = diff => {
+    const entries = comparisonDiffEntries(diff);
+    if (entries.length === 0) return '-';
+    return entries.map(entry => (
+      <div key={entry.field} className="cve-compare-diff-entry">
+        <span className="cve-compare-diff-label">{entry.label}:</span>{' '}
+        <span className="cve-compare-diff-values">
+          <span className="cve-compare-diff-old">{entry.oldValue}</span>{' '}
+          <span className="cve-compare-diff-arrow">-&gt;</span>{' '}
+          <span className="cve-compare-diff-new">{entry.newValue}</span>
+        </span>
+      </div>
+    ));
+  };
+
+  return (
+    <Modal
+      title={__('Compare CVE reports')}
+      description={subtitle}
+      isOpen={isOpen}
+      onClose={onClose}
+      width="80%"
+      maxWidth="80%"
+      ouiaId="cve-compare-modal"
+      actions={[
+        <Button
+          key="close"
+          variant="primary"
+          onClick={onClose}
+          ouiaId="cve-compare-close"
+        >
+          {__('Close')}
+        </Button>,
+      ]}
+    >
+      {status === STATUS.PENDING ? (
+        <Text component={TextVariants.small} ouiaId="cve-compare-loading">
+          {__('Loading...')}
+        </Text>
+      ) : (
+        <div className="cve-modal-body cve-compare-body">
+          <div className="cve-compare-summary">
+            <div className="cve-compare-meta">
+              <Text
+                component={TextVariants.small}
+                ouiaId="cve-compare-previous"
+              >
+                {__('Previous')}: {previousOrigin} /{' '}
+                {formatScannedAt(previousScan.scanned_at)}
+              </Text>
+              <Text component={TextVariants.small} ouiaId="cve-compare-current">
+                {__('Current')}: {currentOrigin} /{' '}
+                {formatScannedAt(currentScan.scanned_at)}
+              </Text>
+            </div>
+            <div className="cve-compare-cards">
+              {comparisonFilters
+                .filter(item => item.key !== 'all')
+                .map(item => (
+                  <button
+                    key={item.key}
+                    type="button"
+                    className={
+                      filter === item.key
+                        ? 'cve-compare-card is-active'
+                        : 'cve-compare-card'
+                    }
+                    onClick={() => setFilter(item.key)}
+                  >
+                    <span className="cve-compare-card-label">{item.label}</span>
+                    <span className="cve-compare-card-value">
+                      {summary[item.key]}
+                    </span>
+                  </button>
+                ))}
+            </div>
+          </div>
+          <div className="cve-modal-filters">
+            <SearchInput
+              id="cve-compare-search"
+              value={search}
+              onChange={onSearchChange}
+              onClear={() => setSearch('')}
+              onSearch={onSearchChange}
+              placeholder={__('Search comparison by CVE, package, diff...')}
+              aria-label={__('Search CVE comparison')}
+              className="cve-modal-search"
+            />
+            <div className="cve-modal-quick-filters">
+              <div className="cve-filter-buttons">
+                {comparisonFilters.map(item => (
+                  <button
+                    key={item.key}
+                    type="button"
+                    aria-pressed={filter === item.key}
+                    className={
+                      filter === item.key
+                        ? 'cve-filter-button is-active'
+                        : 'cve-filter-button'
+                    }
+                    onClick={() => setFilter(item.key)}
+                  >
+                    {item.label}
+                  </button>
+                ))}
+              </div>
+            </div>
+          </div>
+          <div className="cve-modal-results">
+            {sortedRows.length === 0 ? (
+              <Text component={TextVariants.small} ouiaId="cve-compare-empty">
+                {__('No CVE differences match the selected filters')}
+              </Text>
+            ) : (
+              <Table
+                variant="compact"
+                aria-label="CVE comparison table"
+                ouiaId="cve-compare-table"
+              >
+                <Thead>
+                  <Tr ouiaId="cve-compare-header">
+                    {comparisonColumns.map(column => (
+                      <Th
+                        key={column.key}
+                        className="cve-sortable"
+                        onClick={() => onSort(column.key)}
+                      >
+                        {column.label}
+                      </Th>
+                    ))}
+                  </Tr>
+                </Thead>
+                <Tbody>
+                  {sortedRows.map((row, index) => (
+                    <Tr key={row.key} ouiaId={`cve-compare-row-${index}`}>
+                      <Td dataLabel={__('Status')}>
+                        {comparisonStatusLabels[row.status]}
+                      </Td>
+                      <Td dataLabel={__('CVE')}>
+                        {row.url ? (
+                          <a href={row.url} target="_blank" rel="noreferrer">
+                            {row.id}
+                          </a>
+                        ) : (
+                          row.id
+                        )}
+                      </Td>
+                      <Td dataLabel={__('Package')}>{row.name}</Td>
+                      <Td dataLabel={__('Severity')}>{row.severity}</Td>
+                      <Td dataLabel={__('Version')}>{row.version}</Td>
+                      <Td dataLabel={__('Fixed')}>{row.fixed}</Td>
+                      <Td dataLabel={__('Scan status')}>{row.scan_status}</Td>
+                      <Td dataLabel={__('Diff')}>{renderDiff(row.diff)}</Td>
+                      <Td dataLabel={__('Published')}>
+                        {formatDateTime(row.published)}
+                      </Td>
+                      <Td dataLabel={__('Title')} title={row.title}>
+                        <span className="cve-truncate">{row.title}</span>
+                      </Td>
+                    </Tr>
+                  ))}
+                </Tbody>
+              </Table>
+            )}
+          </div>
+        </div>
+      )}
+    </Modal>
+  );
+};
+
+CveCompareModal.propTypes = {
+  hostId: PropTypes.number.isRequired,
+  isOpen: PropTypes.bool.isRequired,
+  onClose: PropTypes.func.isRequired,
+  scanIds: PropTypes.arrayOf(PropTypes.number),
+};
+CveCompareModal.defaultProps = {
+  scanIds: [],
+};
+export default CveCompareModal;