foreman_cve_scanner 0.5.1 → 0.6.0

data/app/services/foreman_cve_scanner/scan_importer.rb

@@ -9,7 +9,7 @@ module ForemanCveScanner
 
     def import_for_host!(host)
       scan_json = format_output(@job_output)
-      return nil if scan_json.nil?
+      raise ::Foreman::Exception, _('CVE scan output did not contain JSON content') if scan_json.nil?
 
       scanner_name = ::ForemanCveScanner::CveReportScanner.detect_scanner(scan_json)
       persist_scan!(host, scanner_name, scan_json)
@@ -32,12 +32,14 @@ module ForemanCveScanner
     end
 
     def extract_json(output_source)
-      output = output_source.to_s.each_line(chomp: true)
-                            .drop_while { |line| !line.start_with?('===START') }
-                            .drop(1)
-                            .take_while { |line| !line.start_with?('===END') }
-                            .reject(&:empty?)
-                            .join
+      lines = output_source.to_s.each_line(chomp: true).to_a
+      return nil unless lines.include?('===START') && lines.include?('===END')
+
+      output = lines.drop_while { |line| !line.start_with?('===START') }
+                    .drop(1)
+                    .take_while { |line| !line.start_with?('===END') }
+                    .reject(&:empty?)
+                    .join
       output.strip
     end
 
@@ -63,6 +65,7 @@ module ForemanCveScanner
         build_scan_attributes(host, scanner_name, scan_json, metrics, scanner)
       )
       refresh_host_status(host)
+      cleanup_old_scans(host)
       scan
     end
 
@@ -73,18 +76,13 @@ module ForemanCveScanner
       Rails.logger.error("CVE status refresh failed for host_id=#{host.id}: #{e}")
     end
 
-    def worst_severity(metrics)
-      %w[critical high medium low].each do |severity|
-        return severity if metrics[severity].to_i.positive?
-      end
-      'none'
-    end
-
     def build_scan_attributes(host, scanner_name, scan_json, metrics, scanner)
-      summary = metrics.merge('worst' => worst_severity(metrics))
+      summary = metrics.merge('worst' => ::ForemanCveScanner::CveScan.worst_severity(metrics))
       {
         host: host,
         scanner: scanner_name,
+        source: 'rex',
+        scanned_at: Time.current,
         raw: scan_json,
         summary: summary,
         findings: build_findings(scanner),
@@ -101,5 +99,9 @@ module ForemanCveScanner
         entry.merge('id' => id)
       end
     end
+
+    def cleanup_old_scans(host)
+      ::ForemanCveScanner::ScanCleanup.new(scope: host.cve_scans).cleanup!
+    end
   end
 end

data/app/views/api/v2/cve_scans/base.json.rabl

@@ -2,4 +2,4 @@
 
 object @cve_scan
 
-attributes :id, :host_id, :scanner, :created_at, :total, :critical, :high, :medium, :low, :summary
+attributes :id, :host_id, :scanner, :source, :scanned_at, :created_at, :total, :critical, :high, :medium, :low, :summary

data/app/views/api/v2/cve_scans/main.json.rabl

@@ -4,4 +4,4 @@ object @cve_scan
 
 extends 'api/v2/cve_scans/base'
 
-attributes :findings, :created_at, :updated_at
+attributes :findings, :updated_at

data/app/views/foreman_cve_scanner/job_templates/install_cve_scanners.erb

@@ -43,13 +43,13 @@ end
 case @host.architecture.to_s
 when 'x86_64'
   trivy_arch = 'Linux-64bit'
-  grype_arch = 'linux-amd64'
+  grype_arch = 'linux_amd64'
 when 'ppc64le'
   trivy_arch = 'Linux-PPC64LE'
-  grype_arch = 'linux-ppc64le'
+  grype_arch = 'linux_ppc64le'
 when 'aarch64'
   trivy_arch = 'Linux-ARM64'
-  grype_arch = 'linux-arm64'
+  grype_arch = 'linux_arm64'
 else
   raise("Architecture '#{@host.architecture}' not supported by template #{template_name}")
 end

data/app/views/foreman_cve_scanner/job_templates/run_cve_scanner.erb

@@ -29,16 +29,16 @@ template_inputs:
   default: /
   hidden_value: false
 - name: scanner
-  required: true
+  required: false
   input_type: user
   options: "trivy\r\ngrype"
   advanced: false
   value_type: plain
-  default: trivy
   hidden_value: false
 %>
 <%
-scanner = input('scanner')
+scanner = input('scanner').to_s.strip
+scanner = foreman_cve_scanner('preferred_scanner') if scanner.empty?
 target = input('target').to_sym
 path = input('path')
 options = input('options').to_s
@@ -69,5 +69,7 @@ exit 1
 <% else -%>
 echo "===START"
 <%= exec_command %>
+rc=$?
 echo "===END"
+exit $rc
 <% end -%>

data/config/routes.rb

@@ -8,9 +8,14 @@ Rails.application.routes.draw do
                      constraints: ApiConstraints.new(version: 2, default: true) do
       constraints(host_id: %r{[^/]+}) do
         resources :hosts, only: [] do
-          resources :cve_scans, only: %i[index show] do
+          resources :cve_scans, only: %i[index show destroy] do
             collection do
+              post :import
               get :latest
+              get :compare
+            end
+            member do
+              get :export
             end
           end
         end

data/db/migrate/20260514080000_add_source_and_scanned_at_to_foreman_cve_scanner_cve_scans.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class AddSourceAndScannedAtToForemanCveScannerCveScans < ActiveRecord::Migration[6.1]
+  def up
+    add_column :foreman_cve_scanner_cve_scans, :source, :string
+    add_column :foreman_cve_scanner_cve_scans, :scanned_at, :datetime
+
+    execute <<~SQL.squish
+      UPDATE foreman_cve_scanner_cve_scans
+      SET source = 'rex', scanned_at = created_at
+      WHERE source IS NULL OR scanned_at IS NULL
+    SQL
+
+    change_column_null :foreman_cve_scanner_cve_scans, :source, false
+    change_column_null :foreman_cve_scanner_cve_scans, :scanned_at, false
+
+    add_index :foreman_cve_scanner_cve_scans, %i[host_id scanned_at],
+      order: { scanned_at: :desc }
+  end
+
+  def down
+    remove_index :foreman_cve_scanner_cve_scans, %i[host_id scanned_at]
+    remove_column :foreman_cve_scanner_cve_scans, :scanned_at
+    remove_column :foreman_cve_scanner_cve_scans, :source
+  end
+end

data/lib/foreman_cve_scanner/engine.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require 'foreman_remote_execution'
+require 'foreman_cve_scanner/template_helpers'
 
 module ForemanCveScanner
   # Rails engine for the Foreman CVE Scanner plugin.
@@ -15,20 +16,7 @@ module ForemanCveScanner
 
     initializer 'foreman_cve_scanner.register_plugin', before: :finisher_hook do |app|
       app.reloader.to_prepare do
-        Foreman::Plugin.register :foreman_cve_scanner do
-          requires_foreman '>= 3.13'
-          register_global_js_file 'fills'
-
-          apipie_documented_controllers ["#{ForemanCveScanner::Engine.root}/app/controllers/api/v2/*.rb"]
-
-          security_block :foreman_cve_scanner do
-            permission :view_cve_scans,
-              { 'api/v2/cve_scans': %i[index latest show destroy] },
-              resource_type: 'Host'
-          end
-
-          add_all_permissions_to_default_roles
-        end
+        ForemanCveScanner::Engine.register_plugin
       end
     end
 
@@ -38,6 +26,7 @@ module ForemanCveScanner
       Host::Managed.include ForemanCveScanner::HostExtensions
       require_dependency 'host_status/cve_status'
       HostStatus.status_registry.add(HostStatus::CveStatus)
+      ForemanCveScanner::Engine.register_katello_integration
       ForemanCveScanner::Engine.register_rex_features
     end
 
@@ -50,10 +39,72 @@ module ForemanCveScanner
     def self.register_rex_features
       RemoteExecutionFeature.register(
         :run_cve_scan,
-        N_('Run a CVE scan on a host'),
-        description: N_('Run CVE scan on host'),
-        host_action_button: true
+        N_('Run CVE scan'),
+        description: N_('Run CVE scan'),
+        host_action_button: true,
+        provided_inputs: %w[scanner]
       )
     end
+
+    def self.register_plugin
+      Foreman::Plugin.register :foreman_cve_scanner do
+        requires_foreman '>= 3.13'
+        register_global_js_file 'fills'
+        apipie_documented_controllers ForemanCveScanner::Engine.documented_controllers
+        extend_template_helpers ForemanCveScanner::TemplateHelpers
+        ForemanCveScanner::Engine.register_settings(self)
+        ForemanCveScanner::Engine.register_permissions(self)
+        add_all_permissions_to_default_roles
+      end
+    end
+
+    def self.documented_controllers
+      ["#{ForemanCveScanner::Engine.root}/app/controllers/api/v2/*.rb"]
+    end
+
+    def self.register_katello_integration
+      return unless Foreman::Plugin.installed?(:katello)
+      return unless defined?(::Katello::Host::ProfilesUploader)
+      ::Katello::Host::ProfilesUploader.prepend(ForemanCveScanner::ProfilesUploader)
+    end
+
+    def self.register_settings(plugin)
+      plugin.settings do
+        category :foreman_cve_scanner, N_('CVE Scanner') do
+          setting 'preferred_cve_scanner',
+            type: :string,
+            default: 'trivy',
+            full_name: N_('Preferred CVE scanner'),
+            description: N_('Default scanner used by the Run CVE scan job template.')
+          setting 'run_cve_scan_after_host_profiles_upload',
+            type: :boolean,
+            default: false,
+            full_name: N_('Run CVE scan after host profiles upload'),
+            description: N_('When Katello is installed, schedule a CVE scan after a host profiles upload completes.')
+          setting 'cve_scan_delete_after_days',
+            type: :integer,
+            default: 90,
+            full_name: N_('Delete CVE scans after X days'),
+            description: N_(
+              'Delete CVE scans older than the configured number of days. ' \
+              'Set to 0 to disable automatic cleanup.'
+            )
+        end
+      end
+    end
+
+    def self.register_permissions(plugin)
+      plugin.security_block :foreman_cve_scanner do
+        permission :view_cve_scans,
+          { 'api/v2/cve_scans': %i[index latest show export compare] },
+          resource_type: 'Host'
+        permission :import_cve_scans,
+          { 'api/v2/cve_scans': %i[import] },
+          resource_type: 'Host'
+        permission :destroy_cve_scans,
+          { 'api/v2/cve_scans': %i[destroy] },
+          resource_type: 'Host'
+      end
+    end
   end
 end

data/lib/foreman_cve_scanner/template_helpers.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ForemanCveScanner
+  module TemplateHelpers
+    extend ApipieDSL::Class
+
+    apipie :class, 'Macros related to Foreman CVE Scanner templates' do
+      name 'Foreman CVE Scanner'
+      sections only: %w[all jobs]
+    end
+
+    apipie :method, 'Returns values from Foreman CVE Scanner plugin settings' do
+      desc 'Use this macro in templates to access CVE Scanner settings in safe mode'
+      param :setting_name, String, desc: 'Setting name to resolve'
+      returns String, desc: 'Value of the requested CVE Scanner setting'
+      raises error: 'Foreman::Exception', desc: 'Raised when an unknown setting name is requested'
+      example "foreman_cve_scanner('preferred_scanner') #=> 'trivy'"
+    end
+    def foreman_cve_scanner(setting_name)
+      case setting_name.to_s
+      when 'preferred_scanner'
+        Setting[:preferred_cve_scanner]
+      else
+        raise ::Foreman::Exception, _('Unknown Foreman CVE Scanner template setting')
+      end
+    end
+  end
+end

data/lib/foreman_cve_scanner/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ForemanCveScanner
-  VERSION = '0.5.1'
+  VERSION = '0.6.0'
 end

data/lib/tasks/foreman_cve_scanner_tasks.rake

@@ -14,3 +14,14 @@ namespace :test do
 end
 
 Rake::Task[:test].enhance ['test:foreman_cve_scanner']
+
+namespace :foreman_cve_scanner do
+  desc 'Delete old CVE scans using the configured retention or a DAYS override'
+  task cleanup_scans: :environment do
+    override = ENV['DAYS']
+    deleted = ForemanCveScanner::ScanCleanup.new(days: override.presence).cleanup!
+    basis = override.present? ? "DAYS=#{override}" : 'the configured retention'
+
+    puts "Deleted #{deleted} CVE scans using #{basis}."
+  end
+end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "foreman_cve_scanner",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "description": "Run CVE scan on host and collect report",
   "main": "webpack/index.js",
   "directories": {

data/test/controllers/api/v2/cve_scans_controller_test.rb

@@ -7,8 +7,8 @@ module Api
     class CveScansControllerTest < ActionController::TestCase
       def setup
         @host = FactoryBot.create(:host)
-        @scan_old = create_scan(created_at: 2.hours.ago, total: 1, low: 1)
-        @scan_new = create_scan(created_at: 1.hour.ago, total: 2, high: 2)
+        @scan_old = create_scan(created_at: 2.hours.ago, scanned_at: 2.hours.ago, total: 1, low: 1)
+        @scan_new = create_scan(created_at: 1.hour.ago, scanned_at: 1.hour.ago, total: 2, high: 2)
       end
 
       test 'index returns scans for host' do
@@ -33,11 +33,130 @@ module Api
         assert_equal @scan_old.id, body['id']
       end
 
+      test 'import imports external scan for host' do
+        assert_difference('ForemanCveScanner::CveScan.count', 1) do
+          post :import, params: {
+            host_id: @host.id,
+            cve_scan: create_payload,
+          }
+        end
+
+        assert_response :created
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_equal 'external', body['source']
+        assert_equal 1, body['critical']
+      end
+
+      test 'import rejects scan without scanned_at' do
+        post :import, params: {
+          host_id: @host.id,
+          cve_scan: create_payload.except(:scanned_at),
+        }
+
+        assert_response :unprocessable_entity
+      end
+
+      test 'compare returns scan comparison for host' do
+        set_comparison_findings!
+
+        get :compare, params: {
+          host_id: @host.id,
+          first_id: @scan_old.id,
+          second_id: @scan_new.id,
+        }
+
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_equal @scan_old.id, body['previous']['id']
+        assert_equal 1, body['summary']['updated']
+        assert_equal 1, body['summary']['resolved']
+        assert_equal 1, body['summary']['new']
+      end
+
+      test 'compare includes diff payload for updated finding' do
+        set_comparison_findings!
+
+        get :compare, params: {
+          host_id: @host.id,
+          first_id: @scan_old.id,
+          second_id: @scan_new.id,
+        }
+
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        updated_row = body['results'].find { |row| row['id'] == 'CVE-1' }
+        assert_equal 'updated', updated_row['status']
+        assert_equal 'CRITICAL', updated_row['diff']['severity']['new']
+      end
+
+      test 'compare requires both scan ids' do
+        get :compare, params: { host_id: @host.id, first_id: @scan_old.id }
+
+        assert_response :unprocessable_entity
+      end
+
+      test 'export returns csv headers for scan by id' do
+        set_export_findings!
+
+        get :export, params: { host_id: @host.id, id: @scan_old.id }
+
+        assert_response :success
+        assert_export_headers
+      end
+
+      test 'export returns csv body for scan by id' do
+        set_export_findings!
+
+        get :export, params: { host_id: @host.id, id: @scan_old.id }
+
+        assert_response :success
+        assert_export_body
+      end
+
+      test 'show does not return a scan from another host' do
+        other_host = FactoryBot.create(:host)
+        other_scan = create_scan(host: other_host, total: 1, low: 1)
+
+        assert_not_found do
+          get :show, params: { host_id: @host.id, id: other_scan.id }
+        end
+      end
+
+      test 'export does not return a scan from another host' do
+        other_host = FactoryBot.create(:host)
+        other_scan = create_scan(host: other_host, total: 1, low: 1)
+
+        assert_not_found do
+          get :export, params: { host_id: @host.id, id: other_scan.id }
+        end
+      end
+
+      test 'compare does not return scans from another host' do
+        other_host = FactoryBot.create(:host)
+        other_scan = create_scan(host: other_host, total: 1, low: 1)
+
+        assert_not_found do
+          get :compare, params: {
+            host_id: @host.id,
+            first_id: @scan_old.id,
+            second_id: other_scan.id,
+          }
+        end
+      end
+
       test 'index returns not found for unknown host' do
         get :index, params: { host_id: 'does-not-exist' }
         assert_response :not_found
       end
 
+      test 'index finds host by name' do
+        get :index, params: { host_id: @host.name }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        assert_not_nil body['results']
+        assert_equal 2, body['results'].size
+      end
+
       test 'latest returns no content when no scans exist' do
         ForemanCveScanner::CveScan.delete_all
 
@@ -45,22 +164,44 @@ module Api
         assert_response :no_content
       end
 
+      test 'destroy deletes scan for host' do
+        assert_difference('ForemanCveScanner::CveScan.count', -1) do
+          delete :destroy, params: { host_id: @host.id, id: @scan_old.id }
+        end
+
+        assert_response :success
+      end
+
+      test 'destroy does not delete a scan from another host' do
+        other_host = FactoryBot.create(:host)
+        other_scan = create_scan(host: other_host, total: 1, low: 1)
+
+        assert_no_difference('ForemanCveScanner::CveScan.count') do
+          assert_not_found do
+            delete :destroy, params: { host_id: @host.id, id: other_scan.id }
+          end
+        end
+      end
+
       private
 
-      # rubocop:disable Metrics/MethodLength
       def create_scan(options = {})
         defaults = {
           created_at: Time.now.utc,
+          scanned_at: Time.current,
           total: 0,
           critical: 0,
           high: 0,
           medium: 0,
           low: 0,
+          host: @host,
         }
         options = defaults.merge(options)
         ForemanCveScanner::CveScan.create!(
-          host: @host,
+          host: options[:host],
           scanner: 'trivy',
+          source: 'rex',
+          scanned_at: options[:scanned_at],
           created_at: options[:created_at],
           raw: { 'dummy' => true },
           summary: { 'worst' => 'low' },
@@ -72,7 +213,121 @@ module Api
           low: options[:low]
         )
       end
-      # rubocop:enable Metrics/MethodLength
+
+      def set_export_findings!
+        @scan_old.update!(
+          findings: [
+            {
+              'severity' => 'HIGH',
+              'published' => '2026-02-20',
+              'name' => 'openssl',
+              'version' => '1.1',
+              'fixed' => '1.2',
+              'status' => 'fixed',
+              'id' => 'CVE-2026-0001',
+              'title' => 'OpenSSL issue',
+              'url' => 'https://example.test/CVE-2026-0001',
+            },
+          ]
+        )
+      end
+
+      def create_payload
+        {
+          scanner: 'custom-scanner',
+          source: 'external',
+          scanned_at: '2026-05-14T08:00:00Z',
+          findings: [external_finding],
+        }
+      end
+
+      def set_comparison_findings!
+        @scan_old.update!(findings: old_comparison_findings)
+        @scan_new.update!(findings: new_comparison_findings)
+      end
+
+      def external_finding
+        {
+          id: 'CVE-2026-1111',
+          name: 'openssl',
+          severity: 'CRITICAL',
+          version: '1.0',
+          fixed: '1.1',
+          status: 'affected',
+          title: 'OpenSSL issue',
+          published: '2026-05-14T06:00:00Z',
+          url: 'https://example.test/CVE-2026-1111',
+        }
+      end
+
+      def old_comparison_findings
+        [
+          comparison_finding(
+            id: 'CVE-1',
+            name: 'openssl',
+            severity: 'HIGH',
+            version: '1.0',
+            title: 'OpenSSL issue'
+          ),
+          comparison_finding(
+            id: 'CVE-2',
+            name: 'curl',
+            severity: 'LOW',
+            version: '1.0',
+            title: 'Curl issue'
+          ),
+        ]
+      end
+
+      def new_comparison_findings
+        [
+          comparison_finding(
+            id: 'CVE-1',
+            name: 'openssl',
+            severity: 'CRITICAL',
+            version: '1.0',
+            title: 'OpenSSL issue'
+          ),
+          comparison_finding(
+            id: 'CVE-3',
+            name: 'bash',
+            severity: 'MEDIUM',
+            version: '2.0',
+            title: 'Bash issue',
+            published: '2026-02-21'
+          ),
+        ]
+      end
+
+      def comparison_finding(attributes)
+        {
+          'id' => attributes.fetch(:id),
+          'name' => attributes.fetch(:name),
+          'severity' => attributes.fetch(:severity),
+          'version' => attributes.fetch(:version),
+          'title' => attributes.fetch(:title),
+          'published' => attributes.fetch(:published, '2026-02-20'),
+        }
+      end
+
+      def assert_not_found
+        yield
+        assert_response :not_found
+      rescue ActiveRecord::RecordNotFound
+        assert true
+      end
+
+      def assert_export_headers
+        assert_includes @response.header['Content-Type'], 'text/csv'
+        assert_includes @response.header['Content-Disposition'], 'attachment'
+        assert_includes @response.header['Content-Disposition'], @host.shortname
+      end
+
+      def assert_export_body
+        assert_includes @response.body, 'Severity,Published,Package'
+        assert_includes @response.body, 'CVE-2026-0001'
+        assert_includes @response.body, 'openssl'
+      end
     end
   end
 end