Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(cve): include PkgPath information in image cve UI list using sections and in CVE export #428

Merged
merged 1 commit into from
Feb 29, 2024

Conversation

vrajashkr
Copy link
Contributor

What type of PR is this?
feature

Which issue does this PR fix:
Towards project-zot/zot#2175

What does this PR do / Why do we need it:
This PR displays the Package Path information for the package list for a given CVE in the vulnerabilities list.
Since there is more data being displayed, this PR also brings in a change to display this information in a vertically stacked form with a separate section for each affected package.

References #426

Testing done on this change:
Screenshots:
Screenshot from 2024-02-26 09-17-03
Screenshot from 2024-02-26 09-19-08
Screenshot from 2024-02-26 09-20-05
Screenshot from 2024-02-26 09-21-25
Screenshot from 2024-02-26 09-21-54
Screenshot from 2024-02-26 09-23-23

CSV export:

id,severity,title,description,reference,packageName,packagePath,packageInstalledVersion,packageFixedVersion
CVE-2016-1000027,CRITICAL,spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization,"Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.",https://avd.aquasec.com/nvd/cve-2016-1000027,org.springframework:spring-web,usr/local/artifacts/spring-web-5.3.31.jar,5.3.31,6.0.0

XLSX export:
Screenshot 2024-02-22 at 23 38 56

Will this break upgrades or downgrades. Has updating a running cluster been tested?:
Ideally, this should not break upgrades or downgrades as the older graphQL query should continue working just fine as well as the updated query.
No, updating a running cluster has not been tested.

Does this change require updates to the CNI daemonset config files to work?:
N/A

Does this PR introduce any user-facing change?:
Yes

The package list for a given CVE is now displayed in a vertical form with a section for each affected package.
Additionally, the package path for a given CVE (if available) is also displayed. If the package path is not available, the field will indicate 'Not Specified'.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@vrajashkr vrajashkr force-pushed the feat/zui-cve-pkg-section branch from 455a738 to 13b10d3 Compare February 26, 2024 04:01
@vrajashkr
Copy link
Contributor Author

I've kept the PR in Draft state temporarily as I'm seeing some local Unit Test failures which I'm not able to immediately figure out.

Signed-off-by: Vishwas Rajashekar <vrajashe@cisco.com>
@vrajashkr vrajashkr force-pushed the feat/zui-cve-pkg-section branch from 13b10d3 to 8fa9abc Compare February 26, 2024 12:17
@vrajashkr vrajashkr marked this pull request as ready for review February 26, 2024 12:18
@vrajashkr
Copy link
Contributor Author

I've kept the PR in Draft state temporarily as I'm seeing some local Unit Test failures which I'm not able to immediately figure out.

Fixed! Missed to change the data testId :)

There was an additional suggestion regarding whether we'd like to hide this data in mobile view. Ref: #426 (comment)

Once we're all on the same page about whether to hide it, I can probably make that change in a separate PR.

Copy link

codecov bot commented Feb 26, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.87%. Comparing base (33524ce) to head (8fa9abc).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #428      +/-   ##
==========================================
+ Coverage   82.82%   82.87%   +0.04%     
==========================================
  Files          62       63       +1     
  Lines        1875     1880       +5     
  Branches      483      483              
==========================================
+ Hits         1553     1558       +5     
  Misses        311      311              
  Partials       11       11              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@vrajashkr
Copy link
Contributor Author

Hi @raulkele, gentle bump on this PR.

Would be great to get your feedback. Thanks!

@raulkele
Copy link
Collaborator

raulkele commented Feb 28, 2024

Code looks good, only one small syntactic sugar suggestion.
Now just looking for a final decision as to which version is preferred.

@rchincha
Copy link
Contributor

Like this better than PR #426

Copy link
Contributor

@rchincha rchincha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@andaaron andaaron merged commit e2367c2 into project-zot:main Feb 29, 2024
8 checks passed
andaaron added a commit to andaaron/zot that referenced this pull request Feb 29, 2024
See project-zot/zui#428 for details

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
@vrajashkr vrajashkr deleted the feat/zui-cve-pkg-section branch February 29, 2024 15:20
rchincha pushed a commit to project-zot/zot that referenced this pull request Feb 29, 2024
See project-zot/zui#428 for details

Signed-off-by: Andrei Aaron <aaaron@luxoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants