Add ability to create a patch with component adapters

valocode · Sep 14, 2021 · 699b5b7 · 699b5b7
1 parent d292ec5
commit 699b5b7
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 9 deletions.
diff --git a/adapter/adapter_test.go b/adapter/adapter_test.go
@@ -24,13 +24,13 @@ func TestRego(t *testing.T) {
 			result, err := RunFromFile(
 				tc.adapter,
 				WithInputFileSlice(tc.inputFiles),
-				WithTracing(true),
+				// WithTracing(true),
 			)
 			require.NoError(t, err)
 			for _, trace := range result.Traces {
 				fmt.Println(trace)
 			}
-			t.Logf("result: %#v", result.CodeScan)
+			t.Logf("%s result: %#v", name, result.CodeScan)
 		})
 	}
 }
diff --git a/adapter/testdata/snyk.rego b/adapter/testdata/snyk.rego
@@ -12,6 +12,8 @@ component := [comp |
 		"vulnerabilities": [{
 			"vid": vuln.id,
 			"severity_score": vuln.cvssScore,
+			# if you want to add a patch which becomes a vulnerability review
+			# "patch": {"message": "test patch"},
 		}],
 	}
 ]
diff --git a/store/api/component.go b/store/api/component.go
@@ -17,6 +17,11 @@ type (
 
 	Vulnerability struct {
 		ent.VulnerabilityModelCreate `validate:"required" mapstructure:",squash"`
+		Patch                        *VulnerabilityPatch `json:"patch,omitempty" mapstructure:"patch"`
+	}
+
+	VulnerabilityPatch struct {
+		Message *string `json:"message,omitempty" validate:"required" mapstructure:"message"`
 	}
 
 	ComponentRead struct {

diff --git a/store/codescan.go b/store/codescan.go
@@ -6,7 +6,9 @@ import (
 	"github.com/valocode/bubbly/ent/gitcommit"
 	"github.com/valocode/bubbly/ent/release"
 	"github.com/valocode/bubbly/ent/releasecomponent"
+	"github.com/valocode/bubbly/ent/releasevulnerability"
 	"github.com/valocode/bubbly/ent/vulnerability"
+	"github.com/valocode/bubbly/ent/vulnerabilityreview"
 	"github.com/valocode/bubbly/store/api"
 )
 
@@ -126,14 +128,36 @@ func (h *Handler) saveCodeScan(dbRelease *ent.Release, scan *api.CodeScan) (*ent
 						return HandleEntError(err, "vulnerability")
 					}
 				}
-				_, err = tx.ReleaseVulnerability.Create().
-					SetRelease(dbRelease).
-					SetVulnerability(existingVuln).
-					SetScan(codeScan).
-					SetComponent(relComp).
-					Save(h.ctx)
+				// Check if the release vulnerability already exists, which is
+				// the combination of release ID and vulnerability ID
+				dbRelVuln, err := tx.ReleaseVulnerability.Query().Where(
+					releasevulnerability.HasReleaseWith(release.ID(dbRelease.ID)),
+					releasevulnerability.HasVulnerabilityWith(vulnerability.ID(existingVuln.ID)),
+				).Only(h.ctx)
 				if err != nil {
-					return HandleEntError(err, "release vulnerability")
+					if !ent.IsNotFound(err) {
+						return HandleEntError(err, "query release vulnerability")
+					}
+					dbRelVuln, err = tx.ReleaseVulnerability.Create().
+						SetRelease(dbRelease).
+						SetVulnerability(existingVuln).
+						SetScan(codeScan).
+						SetComponent(relComp).
+						Save(h.ctx)
+					if err != nil {
+						return HandleEntError(err, "create release vulnerability")
+					}
+				}
+				if vuln.Patch != nil {
+					_, err := tx.VulnerabilityReview.Create().
+						SetName(*vuln.Patch.Message).
+						SetDecision(vulnerabilityreview.DecisionPatched).
+						SetVulnerability(existingVuln).
+						AddInstanceIDs(dbRelVuln.ID).
+						Save(h.ctx)
+					if err != nil {
+						return HandleEntError(err, "create vulnerability patch")
+					}
 				}
 			}
 		}