feat(cve): expand search domain to cve description and package info (#…

…2086)

* feat(cve): add reference url for cve

Signed-off-by: Laurentiu Niculae <[email protected]>

* feat(cve): expand search domain to cve description and package info

Signed-off-by: Laurentiu Niculae <[email protected]>

---------

Signed-off-by: Laurentiu Niculae <[email protected]>

go.mod

@@ -496,7 +496,7 @@ require (
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
 	golang.org/x/mod v0.13.0 // indirect
 	golang.org/x/net v0.18.0 // indirect
 	golang.org/x/term v0.14.0 // indirect

pkg/extensions/search/cve/cve.go

@@ -8,6 +8,7 @@ import (
 
 	godigest "github.com/opencontainers/go-digest"
 	ispec "github.com/opencontainers/image-spec/specs-go/v1"
+	"golang.org/x/exp/slices"
 
 	zerr "zotregistry.io/zot/errors"
 	zcommon "zotregistry.io/zot/pkg/common"
@@ -334,7 +335,15 @@ func filterCVEList(cveMap map[string]cvemodel.CVE, searchedCVE string, pageFinde
 
 	for _, cve := range cveMap {
 		if strings.Contains(strings.ToUpper(cve.Title), searchedCVE) ||
-			strings.Contains(strings.ToUpper(cve.ID), searchedCVE) {
+			strings.Contains(strings.ToUpper(cve.ID), searchedCVE) ||
+			strings.Contains(strings.ToUpper(cve.Description), searchedCVE) ||
+			strings.Contains(strings.ToUpper(cve.Reference), searchedCVE) ||
+			strings.Contains(strings.ToUpper(cve.Severity), searchedCVE) ||
+			slices.ContainsFunc(cve.PackageList, func(pack cvemodel.Package) bool {
+				return strings.Contains(strings.ToUpper(pack.Name), searchedCVE) ||
+					strings.Contains(strings.ToUpper(pack.FixedVersion), searchedCVE) ||
+					strings.Contains(strings.ToUpper(pack.InstalledVersion), searchedCVE)
+			}) {
 			pageFinder.Add(cve)
 		}
 	}

pkg/extensions/search/cve/model/models.go

@@ -17,6 +17,7 @@ type CVE struct {
 	Description string    `json:"Description"`
 	Severity    string    `json:"Severity"`
 	Title       string    `json:"Title"`
+	Reference   string    `json:"Reference"`
 	PackageList []Package `json:"PackageList"`
 }
 

pkg/extensions/search/cve/trivy/scanner.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"strings"
 	"sync"
 
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
@@ -427,6 +428,7 @@ func (scanner Scanner) scanManifest(ctx context.Context, repo, digest string) (m
 					ID:          vulnerability.VulnerabilityID,
 					Title:       vulnerability.Title,
 					Description: vulnerability.Description,
+					Reference:   getCVEReference(vulnerability.PrimaryURL, vulnerability.References),
 					Severity:    convertSeverity(vulnerability.Severity),
 					PackageList: newPkgList,
 				}
@@ -439,6 +441,34 @@ func (scanner Scanner) scanManifest(ctx context.Context, repo, digest string) (m
 	return cveidMap, nil
 }
 
+func getCVEReference(primaryURL string, references []string) string {
+	if primaryURL != "" {
+		return primaryURL
+	}
+
+	if len(references) > 0 {
+		nvdReference, found := getNVDReference(references)
+
+		if found {
+			return nvdReference
+		}
+
+		return references[0]
+	}
+
+	return ""
+}
+
+func getNVDReference(references []string) (string, bool) {
+	for i := range references {
+		if strings.Contains(references[i], "nvd.nist.gov") {
+			return references[i], true
+		}
+	}
+
+	return "", false
+}
+
 func (scanner Scanner) scanIndex(ctx context.Context, repo, digest string) (map[string]cvemodel.CVE, error) {
 	if cachedMap := scanner.cache.Get(digest); cachedMap != nil {
 		return cachedMap, nil

pkg/extensions/search/cve/trivy/scanner_internal_test.go

@@ -488,3 +488,19 @@ func TestIsIndexScannableErrors(t *testing.T) {
 		})
 	})
 }
+
+func TestGetCVEReference(t *testing.T) {
+	Convey("getCVEReference", t, func() {
+		ref := getCVEReference("primary", []string{})
+		So(ref, ShouldResemble, "primary")
+
+		ref = getCVEReference("", []string{"secondary"})
+		So(ref, ShouldResemble, "secondary")
+
+		ref = getCVEReference("", []string{""})
+		So(ref, ShouldResemble, "")
+
+		ref = getCVEReference("", []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-2650"})
+		So(ref, ShouldResemble, "https://nvd.nist.gov/vuln/detail/CVE-2023-2650")
+	})
+}

pkg/extensions/search/resolver.go

@@ -228,6 +228,7 @@ func getCVEListForImage(
 		desc := cveDetail.Description
 		title := cveDetail.Title
 		severity := cveDetail.Severity
+		referenceURL := cveDetail.Reference
 
 		pkgList := make([]*gql_generated.PackageInfo, 0)
 
@@ -249,6 +250,7 @@ func getCVEListForImage(
 				Title:       &title,
 				Description: &desc,
 				Severity:    &severity,
+				Reference:   &referenceURL,
 				PackageList: pkgList,
 			},
 		)

pkg/extensions/search/schema.graphql

@@ -46,6 +46,10 @@ type CVE {
     """
     Description: String
     """
+    Reference for the given CVE
+    """
+    Reference: String
+    """
     The impact the CVE has, one of "UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"
     """
     Severity: String