Basis functionality is now implemented

Author: patrick.rissmann@l3montree.com

internal/core/assetversion/asset_version_service.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log/slog"
 	"math"
+	"math/rand/v2"
 	"net/http"
 	"strings"
 	"time"
@@ -72,7 +73,7 @@ func (s *service) HandleFirstPartyVulnResult(asset models.Asset, assetVersion *m
 					AssetVersionName: assetVersion.Name,
 					AssetID:          asset.ID,
 					Message:          &result.Message.Text,
-					ScannerIDs:       scannerID,
+					ScannerID:        scannerID,
 				},
 				RuleID:      result.RuleId,
 				Uri:         result.Locations[0].PhysicalLocation.ArtifactLocation.Uri,
@@ -183,7 +184,7 @@ func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.Asse
 			Vulnerability: models.Vulnerability{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          asset.ID,
-				ScannerIDs:       scannerID,
+				ScannerID:        scannerID + " ",
 			},
 			CVEID:                 utils.Ptr(v.CVEID),
 			ComponentPurl:         utils.Ptr(v.Purl),
@@ -221,6 +222,10 @@ func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.Asse
 
 func (s *service) handleScanResult(userID string, scannerID string, assetVersion *models.AssetVersion, dependencyVulns []models.DependencyVuln, doRiskManagement bool, asset models.Asset) (int, int, []models.DependencyVuln, error) {
 	// get all existing dependencyVulns from the database - this is the old state
+
+	number := rand.IntN(len(dependencyVulns))
+	dependencyVulns = dependencyVulns[:number]
+	scannerID = scannerID + " "
 	existingDependencyVulns, err := s.dependencyVulnRepository.ListByAssetAndAssetVersion(assetVersion.Name, assetVersion.AssetID)
 	if err != nil {
 		slog.Error("could not get existing dependencyVulns", "err", err)
@@ -240,31 +245,64 @@ func (s *service) handleScanResult(userID string, scannerID string, assetVersion
 	foundByScannerAndExisting := comparison.InBoth     //We have to check if it was already found by this scanner or only by other scanners
 	notFoundByScannerAndExisting := comparison.OnlyInA //We have to update all vulnerabilities which were previously found by this scanner and now aren't
 
+	var vulnerabilitiesToFix []models.DependencyVuln //We should collect all vulnerabilities we want to fix so we can do it all at once
+	var vulnerabilitiesToUpdate []models.DependencyVuln
 	// get a transaction
 	if err := s.dependencyVulnRepository.Transaction(func(tx core.DB) error {
 		// We can create the newly found one without checking anything
 		if err := s.dependencyVulnService.UserDetectedDependencyVulns(tx, userID, foundByScannerAndNotExisting, *assetVersion, asset, true); err != nil {
 			return err // this will cancel the transaction
 		}
+
 		// Now we work on the vulnerabilities found in both sets -> has the vulnerability this scanner id already in his scanner_ids
-		for _, existingVulnerability := range foundByScannerAndExisting {
-			if !strings.Contains(existingVulnerability.ScannerID, scannerID) {
-				existingVulnerability.ScannerID = existingVulnerability.ScannerID + " " + scannerID
+		for i := range foundByScannerAndExisting {
+			if !strings.Contains(foundByScannerAndExisting[i].ScannerID, scannerID) {
+				fmt.Printf("\nThe Scanner ID before : %s\n", foundByScannerAndExisting[i].ScannerID)
+				foundByScannerAndExisting[i].ScannerID = foundByScannerAndExisting[i].ScannerID + scannerID
+				fmt.Printf("\nThe Scanner ID after : %s\n", foundByScannerAndExisting[i].ScannerID)
+			}
+		}
+		err := s.dependencyVulnRepository.SaveBatch(tx, foundByScannerAndExisting)
+		if err != nil {
+			slog.Error("error when trying to update vulnerabilities")
+			return err
+		}
+
+		//Last we have to change the already existing vulnerabilities which were not found this time
+
+		for i := range notFoundByScannerAndExisting {
+			if notFoundByScannerAndExisting[i].ScannerID == scannerID {
+				notFoundByScannerAndExisting[i].ScannerID = ""
+				vulnerabilitiesToFix = append(vulnerabilitiesToFix, notFoundByScannerAndExisting[i])
+			} else if strings.Contains(notFoundByScannerAndExisting[i].ScannerID, scannerID) {
+				removeScannerFromVulnerability(&notFoundByScannerAndExisting[i], scannerID)
+				vulnerabilitiesToUpdate = append(vulnerabilitiesToUpdate, notFoundByScannerAndExisting[i])
 			}
 		}
-		s.dependencyVulnRepository.ApplyAndSave(tx, &existingDependencyVulns)
 
-		return s.dependencyVulnService.UserFixedDependencyVulns(tx, userID, fixedDependencyVulns, *assetVersion, asset, true)
+		err = s.dependencyVulnRepository.SaveBatch(tx, vulnerabilitiesToUpdate)
+		if err != nil {
+			slog.Error("error when trying to update vulnerabilities")
+			return err
+		}
+
+		return s.dependencyVulnService.UserFixedDependencyVulns(tx, userID, vulnerabilitiesToFix, *assetVersion, asset, true)
 	}); err != nil {
 		slog.Error("could not save dependencyVulns", "err", err)
 		return 0, 0, []models.DependencyVuln{}, err
 	}
 
 	// the amount we actually fixed, is the amount that was open before
-	fixedDependencyVulns = utils.Filter(fixedDependencyVulns, func(dependencyVuln models.DependencyVuln) bool {
+	vulnerabilitiesToFix = utils.Filter(vulnerabilitiesToFix, func(dependencyVuln models.DependencyVuln) bool {
 		return dependencyVuln.State == models.VulnStateOpen
 	})
-	return len(foundByScannerAndNotExisting), len(fixedDependencyVulns), append(foundByScannerAndNotExisting, comparison.InBoth...), nil
+	return len(foundByScannerAndNotExisting /* maybe also return vulns newly found by this scanner*/), len(vulnerabilitiesToFix), append(foundByScannerAndNotExisting, comparison.InBoth...), nil
+}
+
+// pass by reference to edit the actual vulnerability and not a copy
+func removeScannerFromVulnerability(vulnerability *models.DependencyVuln, scannerID string) {
+
+	vulnerability.ScannerID = strings.Replace(vulnerability.ScannerID, scannerID, "", 1)
 }
 
 func recursiveBuildBomRefMap(component cdx.Component) map[string]cdx.Component {

internal/core/daemon/flaw_daemon.go

@@ -74,15 +74,15 @@ func UpdateComponentProperties(db core.DB) error {
 			// group by scanner id
 			groups := make(map[string]map[string][]models.DependencyVuln)
 			for _, f := range dependencyVulns {
-				if _, ok := groups[f.ScannerIDs]; !ok {
-					groups[f.ScannerIDs] = make(map[string][]models.DependencyVuln)
+				if _, ok := groups[f.ScannerID]; !ok {
+					groups[f.ScannerID] = make(map[string][]models.DependencyVuln)
 				}
 
-				if _, ok := groups[f.ScannerIDs][f.AssetVersionName]; !ok {
-					groups[f.ScannerIDs][f.AssetVersionName] = make([]models.DependencyVuln, 0)
+				if _, ok := groups[f.ScannerID][f.AssetVersionName]; !ok {
+					groups[f.ScannerID][f.AssetVersionName] = make([]models.DependencyVuln, 0)
 				}
 
-				groups[f.ScannerIDs][f.AssetVersionName] = append(groups[f.ScannerIDs][f.AssetVersionName], f)
+				groups[f.ScannerID][f.AssetVersionName] = append(groups[f.ScannerID][f.AssetVersionName], f)
 			}
 
 			// group the dependencyVulns by scanner id

internal/core/dependency_vuln/dependency_vuln_controller.go

@@ -136,7 +136,7 @@ func (c dependencyVulnHttpController) ListPaged(ctx core.Context) error {
 		// append the dependencyVuln to the package
 		dependencyVulnsByPackage.DependencyVulns = append(res[*dependencyVuln.ComponentPurl].DependencyVulns, DependencyVulnDTO{
 			ID:                    dependencyVuln.ID,
-			ScannerID:             dependencyVuln.ScannerIDs,
+			ScannerID:             dependencyVuln.ScannerID,
 			Message:               dependencyVuln.Message,
 			AssetVersionName:      dependencyVuln.AssetVersionName,
 			AssetID:               dependencyVuln.AssetID.String(),
@@ -297,7 +297,7 @@ func convertToDetailedDTO(dependencyVuln models.DependencyVuln) detailedDependen
 			Priority:              dependencyVuln.Priority,
 			LastDetected:          dependencyVuln.LastDetected,
 			CreatedAt:             dependencyVuln.CreatedAt,
-			ScannerID:             dependencyVuln.ScannerIDs,
+			ScannerID:             dependencyVuln.ScannerID,
 			TicketID:              dependencyVuln.TicketID,
 			TicketURL:             dependencyVuln.TicketURL,
 			RiskRecalculatedAt:    dependencyVuln.RiskRecalculatedAt,

internal/core/dependency_vuln/dependency_vuln_dto.go

@@ -55,7 +55,7 @@ func DependencyVulnToDto(f models.DependencyVuln) DependencyVulnDTO {
 
 	return DependencyVulnDTO{
 		ID:                    f.ID,
-		ScannerID:             f.ScannerIDs,
+		ScannerID:             f.ScannerID,
 		Message:               f.Message,
 		AssetVersionName:      f.AssetVersionName,
 		AssetID:               f.AssetID.String(),

internal/core/dependency_vuln/first_party_vuln_controller.go

@@ -204,7 +204,7 @@ func convertFirstPartyVulnToDetailedDTO(firstPartyVuln models.FirstPartyVulnerab
 	return detailedFirstPartyVulnDTO{
 		FirstPartyVulnDTO: FirstPartyVulnDTO{
 			ID:          firstPartyVuln.ID,
-			ScannerID:   firstPartyVuln.ScannerIDs,
+			ScannerID:   firstPartyVuln.ScannerID,
 			Message:     firstPartyVuln.Message,
 			AssetID:     firstPartyVuln.AssetID.String(),
 			State:       firstPartyVuln.State,

internal/core/dependency_vuln/first_party_vuln_dto.go

@@ -38,7 +38,7 @@ func FirstPartyVulnToDto(f models.FirstPartyVulnerability) FirstPartyVulnDTO {
 
 	return FirstPartyVulnDTO{
 		ID:          f.ID,
-		ScannerID:   f.ScannerIDs,
+		ScannerID:   f.ScannerID,
 		Message:     f.Message,
 		AssetID:     f.AssetID.String(),
 		State:       f.State,

internal/core/risk/risk_explaination.go

@@ -300,7 +300,7 @@ func Explain(dependencyVuln models.DependencyVuln, asset models.Asset, vector st
 		cveDescription: dependencyVuln.CVE.Description,
 
 		affectedComponentName: utils.SafeDereference(dependencyVuln.ComponentPurl),
-		scanner:               dependencyVuln.ScannerIDs,
+		scanner:               dependencyVuln.ScannerID,
 		fixedVersion:          dependencyVuln.ComponentFixedVersion,
 	}
 }

internal/core/vulndb/scan/scan_controller.go

@@ -125,7 +125,7 @@ func DependencyVulnScan(c core.Context, bom normalize.SBOM, s *httpController) (
 		slog.Error("no scanner id provided")
 		return scanResults, err
 	}
-
+	//scannerID = ""
 	// handle the scan result
 	amountOpened, amountClose, newState, err := s.assetVersionService.HandleScanResult(asset, &assetVersion, vulns, scannerID, scannerID, userID, doRiskManagement)
 	if err != nil {

internal/database/models/first_party_vuln_model.go

@@ -48,7 +48,7 @@ func (m *FirstPartyVulnerability) CalculateHash() string {
 	startColumnStr := strconv.Itoa(m.StartColumn)
 	endColumnStr := strconv.Itoa(m.EndColumn)
 
-	hash := utils.HashString(startLineStr + endLineStr + startColumnStr + endColumnStr + m.RuleID + m.Uri + m.ScannerIDs + m.AssetID.String() + m.AssetVersionName)
+	hash := utils.HashString(startLineStr + endLineStr + startColumnStr + endColumnStr + m.RuleID + m.Uri + m.ScannerID + m.AssetID.String() + m.AssetVersionName)
 	m.ID = hash
 	return hash
 }

internal/database/models/vulnevent_model.go

@@ -94,6 +94,8 @@ func (e VulnEvent) Apply(vuln Vuln) {
 		vuln.SetState(VulnStateAccepted)
 	case EventTypeFalsePositive:
 		vuln.SetState(VulnStateFalsePositive)
+	case EventTypeDetectedByOtherScanner:
+
 	case EventTypeMarkedForTransfer:
 		vuln.SetState(VulnStateMarkedForTransfer)
 	case EventTypeRawRiskAssessmentUpdated: