[TC-1666] - Ten Latest Sboms with vulnerabilities summary backend (tr…

…ustification#1550) * example of data structure returned Signed-off-by: m-brophy <[email protected]> * add http endpoint Signed-off-by: m-brophy <[email protected]> * fix formatting issues Signed-off-by: m-brophy <[email protected]> * fix compile issues Signed-off-by: m-brophy <[email protected]> * TC-1130 create status endpoint for dashbaord * alter data object as per feedback Signed-off-by: m-brophy <[email protected]> * fix format problems Signed-off-by: m-brophy <[email protected]> * fix compile errors Signed-off-by: m-brophy <[email protected]> * unused import removal Signed-off-by: m-brophy <[email protected]> * feat: It supports sorting through indexed timestamps * TC-1130 new endpoint for status of sbom * TC-1130 add new endponits for vex ad cve * Save working version Signed-off-by: carlosthe19916 <[email protected]> * TC-1666: backend vulns for ten latest sboms Signed-off-by: m-brophy <[email protected]> * format changes Signed-off-by: m-brophy <[email protected]> * remove unused imports Signed-off-by: m-brophy <[email protected]> * fix incorrectly named variable Signed-off-by: m-brophy <[email protected]> * non snake case variable name Signed-off-by: m-brophy <[email protected]> * Move models to model-crate and rename them to avoid conflict/confussion Signed-off-by: carlosthe19916 <[email protected]> * Found new vulnerabilties for testing Ubuntu ecosystem Signed-off-by: mrizzi <[email protected]> --------- Signed-off-by: m-brophy <[email protected]> Signed-off-by: carlosthe19916 <[email protected]> Signed-off-by: mrizzi <[email protected]> Co-authored-by: Xiaofeng Bai <[email protected]> Co-authored-by: carlosthe19916 <[email protected]> Co-authored-by: mrizzi <[email protected]>
carlosthe19916 · Aug 28, 2024 · a5a2b0a · a5a2b0a
1 parent 1f8c9df
commit a5a2b0a
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 1 deletion.
diff --git a/spog/api/src/endpoints/sbom/mod.rs b/spog/api/src/endpoints/sbom/mod.rs
@@ -18,6 +18,11 @@ pub(crate) fn configure(auth: Option<Arc<Authenticator>>) -> impl FnOnce(&mut Se
                 .wrap(new_auth!(auth.clone()))
                 .to(search),
         );
+        config.service(
+            web::resource("/api/v1/sbom/latestwithvulns")
+                .wrap(new_auth!(auth.clone()))
+                .to(sboms_with_vulnerability_summary),
+        );
         config.service(
             web::resource("/api/v1/sbom/vulnerabilities")
                 .wrap(new_auth!(auth))

diff --git a/spog/api/src/endpoints/sbom/search.rs b/spog/api/src/endpoints/sbom/search.rs
@@ -1,8 +1,13 @@
 use crate::app_state::AppState;
+use crate::endpoints::sbom::process_get_vulnerabilities;
 use crate::search;
+use crate::service::guac::GuacService;
+use crate::service::v11y::V11yService;
 use actix_web::{web, HttpResponse};
 use actix_web_httpauth::extractors::bearer::BearerAuth;
+use spog_model::prelude::{Last10SbomVulnerabilitySummary, Last10SbomVulnerabilitySummaryVulnerabilities};
 use spog_model::search::SbomSummary;
+use spog_model::vuln::SbomReport;
 use tracing::instrument;
 use trustification_api::search::{SearchOptions, SearchResult};
 use trustification_auth::client::TokenProvider;
@@ -94,3 +99,90 @@ async fn search_advisories(state: web::Data<AppState>, sboms: &mut Vec<SbomSumma
         }
     }
 }
+
+#[instrument(skip(state, v11y, guac, access_token), err)]
+pub async fn sboms_with_vulnerability_summary(
+    state: web::Data<AppState>,
+    access_token: Option<BearerAuth>,
+    guac: web::Data<GuacService>,
+    v11y: web::Data<V11yService>,
+) -> actix_web::Result<HttpResponse> {
+    let ten_latest_sboms = state
+        .search_sbom(
+            "-sort:indexedTimestamp",
+            0,
+            10,
+            SearchOptions {
+                explain: false,
+                metadata: true,
+                summaries: true,
+            },
+            &access_token,
+        )
+        .await?;
+
+    let mut summary: Vec<Last10SbomVulnerabilitySummary> = vec![];
+    for item in ten_latest_sboms.result {
+        let item = item.document;
+        let vulnerabilities =
+            process_get_vulnerabilities(&state, &v11y, &guac, &access_token, &item.id, Some(0), Some(100000))
+                .await?
+                .as_ref()
+                .and_then(|sbom_report: &SbomReport| sbom_report.summary.first())
+                .map_or(
+                    Last10SbomVulnerabilitySummaryVulnerabilities {
+                        none: 0,
+                        low: 0,
+                        medium: 0,
+                        high: 0,
+                        critical: 0,
+                    },
+                    |(_mitre, vulnerability_summary)| {
+                        let none = vulnerability_summary
+                            .iter()
+                            .find(|item| item.severity == Some(cvss::Severity::None))
+                            .map_or_else(
+                                || {
+                                    vulnerability_summary
+                                        .iter()
+                                        .find(|item| item.severity.is_none())
+                                        .map_or(0, |entry| entry.count)
+                                },
+                                |entry| entry.count,
+                            );
+                        let low = vulnerability_summary
+                            .iter()
+                            .find(|item| item.severity == Some(cvss::Severity::Low))
+                            .map_or(0, |entry| entry.count);
+                        let medium = vulnerability_summary
+                            .iter()
+                            .find(|item| item.severity == Some(cvss::Severity::Medium))
+                            .map_or(0, |entry| entry.count);
+                        let high = vulnerability_summary
+                            .iter()
+                            .find(|item| item.severity == Some(cvss::Severity::High))
+                            .map_or(0, |entry| entry.count);
+                        let critical = vulnerability_summary
+                            .iter()
+                            .find(|item| item.severity == Some(cvss::Severity::Critical))
+                            .map_or(0, |entry| entry.count);
+
+                        Last10SbomVulnerabilitySummaryVulnerabilities {
+                            none,
+                            low,
+                            medium,
+                            high,
+                            critical,
+                        }
+                    },
+                );
+
+        let sbom_vulnerabilities = Last10SbomVulnerabilitySummary {
+            sbom_id: item.id,
+            sbom_name: item.name,
+            vulnerabilities,
+        };
+        summary.push(sbom_vulnerabilities);
+    }
+    Ok(HttpResponse::Ok().json(summary))
+}
diff --git a/spog/api/src/endpoints/sbom/vuln/mod.rs b/spog/api/src/endpoints/sbom/vuln/mod.rs
@@ -82,7 +82,7 @@ pub async fn get_vulnerabilities(
 }
 
 #[instrument(skip(state, guac, v11y, access_token), err)]
-async fn process_get_vulnerabilities(
+pub async fn process_get_vulnerabilities(
     state: &AppState,
     v11y: &V11yService,
     guac: &GuacService,

diff --git a/spog/model/src/dashboard.rs b/spog/model/src/dashboard.rs
@@ -1,3 +1,4 @@
+use serde::{Deserialize, Serialize};
 use time::OffsetDateTime;
 
 #[derive(Clone, serde::Deserialize, serde::Serialize)]
@@ -40,3 +41,20 @@ pub struct CveStatus {
     /// Updated time of last updated doc
     pub last_updated_date: Option<OffsetDateTime>,
 }
+
+// Last 10 SBOMs
+#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub struct Last10SbomVulnerabilitySummaryVulnerabilities {
+    pub none: usize,
+    pub low: usize,
+    pub medium: usize,
+    pub high: usize,
+    pub critical: usize,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
+pub struct Last10SbomVulnerabilitySummary {
+    pub sbom_id: String,
+    pub sbom_name: String,
+    pub vulnerabilities: Last10SbomVulnerabilitySummaryVulnerabilities,
+}