Renamed all scanner to scanner ID and went quickly over every mention of scannerID to see if I have to change the logic

Author: patrick.rissmann@l3montree.com

cmd/devguard-scanner/commands/sca.go

@@ -343,7 +343,7 @@ func getDirFromPath(path string) string {
 	return path
 }
 
-func scaCommandFactory(scanner string) func(cmd *cobra.Command, args []string) error {
+func scaCommandFactory(scannerID string) func(cmd *cobra.Command, args []string) error {
 	return func(cmd *cobra.Command, args []string) error {
 		core.InitLogger()
 		token, assetName, apiUrl, failOnRisk, webUI := parseConfig(cmd)
@@ -400,7 +400,7 @@ func scaCommandFactory(scanner string) func(cmd *cobra.Command, args []string) e
 		req.Header.Set("Content-Type", "application/json")
 		req.Header.Set("X-Risk-Management", strconv.FormatBool(doRiskManagement))
 		req.Header.Set("X-Asset-Name", assetName)
-		req.Header.Set("X-Scanner", "github.com/l3montree-dev/devguard/cmd/devguard-scanner"+"/"+scanner)
+		req.Header.Set("X-Scanner", "github.com/l3montree-dev/devguard/cmd/devguard-scanner/"+scannerID)
 
 		resp, err := http.DefaultClient.Do(req)
 		if err != nil {

cmd/devguard-scanner/commands/secret_scanning.go

@@ -41,7 +41,7 @@ func NewSecretScanningCommand() *cobra.Command {
 	return secretScanningCommand
 }
 
-func sarifCommandFactory(scanner string) func(cmd *cobra.Command, args []string) error {
+func sarifCommandFactory(scannerID string) func(cmd *cobra.Command, args []string) error {
 	return func(cmd *cobra.Command, args []string) error {
 		core.InitLogger()
 		token, assetName, apiUrl, _, webUI := parseConfig(cmd)
@@ -64,7 +64,7 @@ func sarifCommandFactory(scanner string) func(cmd *cobra.Command, args []string)
 			return errors.Wrap(err, "invalid path")
 		}
 
-		file, err := executeCodeScan(scanner, path)
+		file, err := executeCodeScan(scannerID, path)
 		if err != nil {
 			return errors.Wrap(err, "could not open file")
 		}
@@ -96,7 +96,7 @@ func sarifCommandFactory(scanner string) func(cmd *cobra.Command, args []string)
 		req.Header.Set("Content-Type", "application/json")
 		req.Header.Set("X-Risk-Management", strconv.FormatBool(doRiskManagement))
 		req.Header.Set("X-Asset-Name", assetName)
-		req.Header.Set("X-Scanner", "github.com/l3montree-dev/devguard/cmd/devguard-scanner/"+scanner)
+		req.Header.Set("X-Scanner", "github.com/l3montree-dev/devguard/cmd/devguard-scanner/"+scannerID)
 
 		resp, err := http.DefaultClient.Do(req)
 		if err != nil {
@@ -116,19 +116,19 @@ func sarifCommandFactory(scanner string) func(cmd *cobra.Command, args []string)
 			return errors.Wrap(err, "could not parse response")
 		}
 
-		printFirstPartyScanResults(scanResponse, assetName, webUI, scanner)
+		printFirstPartyScanResults(scanResponse, assetName, webUI, scannerID)
 		return nil
 	}
 }
 
-func executeCodeScan(scanner, path string) (*os.File, error) {
-	switch scanner {
+func executeCodeScan(scannerID, path string) (*os.File, error) {
+	switch scannerID {
 	case "secret-scanning":
 		return secretScan(path)
 	case "sast":
 		return sastScan(path)
 	default:
-		return nil, fmt.Errorf("unknown scanner: %s", scanner)
+		return nil, fmt.Errorf("unknown scanner: %s", scannerID)
 	}
 
 }
@@ -190,23 +190,23 @@ func secretScan(path string) (*os.File, error) {
 	return file, nil
 }
 
-func printFirstPartyScanResults(scanResponse scan.FirstPartyScanResponse, assetName string, webUI string, scanner string) {
+func printFirstPartyScanResults(scanResponse scan.FirstPartyScanResponse, assetName string, webUI string, scannerID string) {
 
 	slog.Info("First party scan results", "firstPartyVulnAmount", len(scanResponse.FirstPartyVulns), "openedByThisScan", scanResponse.AmountOpened, "closedByThisScan", scanResponse.AmountClosed)
 
 	if len(scanResponse.FirstPartyVulns) == 0 {
 		return
 	}
 
-	switch scanner {
+	switch scannerID {
 	case "secret-scanning":
 		printSecretScanResults(scanResponse.FirstPartyVulns, webUI, assetName)
 		return
 	case "sast":
 		printSastScanResults(scanResponse.FirstPartyVulns, webUI, assetName)
 		return
 	default:
-		slog.Warn("unknown scanner", "scanner", scanner)
+		slog.Warn("unknown scanner", "scanner", scannerID)
 		return
 	}
 

internal/core/assetversion/asset_version_controller.go

@@ -67,13 +67,13 @@ func (a *assetVersionController) GetAssetVersionsByAssetID(ctx core.Context) err
 }
 
 func (a *assetVersionController) AffectedComponents(ctx core.Context) error {
-	scanner := ctx.QueryParam("scanner")
-	if scanner == "" {
+	scannerID := ctx.QueryParam("scanner")
+	if scannerID == "" {
 		return echo.NewHTTPError(400, "scanner query param is required")
 	}
 
 	assetVersion := core.GetAssetVersion(ctx)
-	_, dependencyVulns, err := a.getComponentsAndDependencyVulns(assetVersion, scanner)
+	_, dependencyVulns, err := a.getComponentsAndDependencyVulns(assetVersion, scannerID)
 	if err != nil {
 		return err
 	}
@@ -83,8 +83,8 @@ func (a *assetVersionController) AffectedComponents(ctx core.Context) error {
 	}))
 }
 
-func (a *assetVersionController) getComponentsAndDependencyVulns(assetVersion models.AssetVersion, scanner string) ([]models.ComponentDependency, []models.DependencyVuln, error) {
-	components, err := a.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, scanner)
+func (a *assetVersionController) getComponentsAndDependencyVulns(assetVersion models.AssetVersion, scannerID string) ([]models.ComponentDependency, []models.DependencyVuln, error) {
+	components, err := a.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, scannerID)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -103,12 +103,12 @@ func (a *assetVersionController) getComponentsAndDependencyVulns(assetVersion mo
 func (a *assetVersionController) DependencyGraph(ctx core.Context) error {
 	app := core.GetAssetVersion(ctx)
 
-	scanner := ctx.QueryParam("scanner")
-	if scanner == "" {
+	scannerID := ctx.QueryParam("scanner")
+	if scannerID == "" {
 		return echo.NewHTTPError(400, "scanner query param is required")
 	}
 
-	components, err := a.componentRepository.LoadComponents(nil, app.Name, app.AssetID, scanner)
+	components, err := a.componentRepository.LoadComponents(nil, app.Name, app.AssetID, scannerID)
 	if err != nil {
 		return err
 	}
@@ -125,14 +125,14 @@ func (a *assetVersionController) DependencyGraph(ctx core.Context) error {
 func (a *assetVersionController) GetDependencyPathFromPURL(ctx core.Context) error {
 	assetVersion := core.GetAssetVersion(ctx)
 
-	scanner := ctx.QueryParam("scanner")
+	scannerID := ctx.QueryParam("scanner")
 	pURL := ctx.QueryParam("purl")
 
-	if scanner == "" {
+	if scannerID == "" {
 		return echo.NewHTTPError(400, "scanner query param is required")
 	}
 
-	components, err := a.componentRepository.LoadPathToComponent(nil, assetVersion.Name, assetVersion.AssetID, pURL, scanner)
+	components, err := a.componentRepository.LoadPathToComponent(nil, assetVersion.Name, assetVersion.AssetID, pURL, scannerID)
 	if err != nil {
 		return err
 	}
@@ -196,12 +196,12 @@ func (a *assetVersionController) buildSBOM(ctx core.Context) (*cdx.BOM, error) {
 		}
 	}
 
-	scanner := ctx.QueryParam("scanner")
-	if scanner == "" {
+	scannerID := ctx.QueryParam("scanner")
+	if scannerID == "" {
 		return nil, echo.NewHTTPError(400, "scanner query param is required")
 	}
 
-	components, err := a.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, scanner)
+	components, err := a.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, scannerID)
 	if err != nil {
 		return nil, err
 	}
@@ -224,19 +224,19 @@ func (a *assetVersionController) buildVeX(ctx core.Context) (*cdx.BOM, error) {
 		}
 	}
 
-	scanner := ctx.QueryParam("scanner")
-	if scanner == "" {
+	scannerID := ctx.QueryParam("scanner")
+	if scannerID == "" {
 		return nil, echo.NewHTTPError(400, "scanner query param is required")
 	}
 
 	// url decode the scanner
-	scanner, err := url.QueryUnescape(scanner)
+	scannerID, err := url.QueryUnescape(scannerID)
 	if err != nil {
 		return nil, err
 	}
 
 	// get all associated dependencyVulns
-	components, dependencyVulns, err := a.getComponentsAndDependencyVulns(assetVersion, scanner)
+	components, dependencyVulns, err := a.getComponentsAndDependencyVulns(assetVersion, scannerID)
 	if err != nil {
 		return nil, err
 	}

internal/core/assetversion/asset_version_service.go

@@ -72,7 +72,7 @@ func (s *service) HandleFirstPartyVulnResult(asset models.Asset, assetVersion *m
 					AssetVersionName: assetVersion.Name,
 					AssetID:          asset.ID,
 					Message:          &result.Message.Text,
-					ScannerID:        scannerID,
+					ScannerIDs:       scannerID,
 				},
 				RuleID:      result.RuleId,
 				Uri:         result.Locations[0].PhysicalLocation.ArtifactLocation.Uri,
@@ -155,13 +155,13 @@ func (s *service) handleFirstPartyVulnResult(userID string, scannerID string, as
 	return len(newVulns), len(fixedVulns), append(newVulns, comparison.InBoth...), nil
 }
 
-func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.AssetVersion, vulns []models.VulnInPackage, scanner string, scannerID string, userID string, doRiskManagement bool) (amountOpened int, amountClose int, newState []models.DependencyVuln, err error) {
+func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.AssetVersion, vulns []models.VulnInPackage, scannerID string, userID string, doRiskManagement bool) (amountOpened int, amountClose int, newState []models.DependencyVuln, err error) {
 
 	// create dependencyVulns out of those vulnerabilities
 	dependencyVulns := []models.DependencyVuln{}
 
 	// load all asset components again and build a dependency tree
-	assetComponents, err := s.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, scanner)
+	assetComponents, err := s.componentRepository.LoadComponents(nil, assetVersion.Name, assetVersion.AssetID, scannerID)
 	if err != nil {
 		return 0, 0, []models.DependencyVuln{}, errors.Wrap(err, "could not load asset components")
 	}
@@ -183,7 +183,7 @@ func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.Asse
 			Vulnerability: models.Vulnerability{
 				AssetVersionName: assetVersion.Name,
 				AssetID:          asset.ID,
-				ScannerID:        scannerID + " ",
+				ScannerIDs:       scannerID + " ",
 			},
 			CVEID:                 utils.Ptr(v.CVEID),
 			ComponentPurl:         utils.Ptr(v.Purl),
@@ -208,7 +208,7 @@ func (s *service) HandleScanResult(asset models.Asset, assetVersion *models.Asse
 
 	devguardScanner := "github.com/l3montree-dev/devguard/cmd/devguard-scanner" + "/"
 
-	switch scanner {
+	switch scannerID {
 
 	case devguardScanner + "sca":
 		assetVersion.LastScaScan = utils.Ptr(time.Now())
@@ -255,8 +255,8 @@ func (s *service) handleScanResult(userID string, scannerID string, assetVersion
 
 		// Now we work on the vulnerabilities found in both sets -> has the vulnerability this scanner id already in his scanner_ids
 		for i := range foundByScannerAndExisting {
-			if !strings.Contains(foundByScannerAndExisting[i].ScannerID, scannerID) {
-				foundByScannerAndExisting[i].ScannerID = foundByScannerAndExisting[i].ScannerID + scannerID
+			if !strings.Contains(foundByScannerAndExisting[i].ScannerIDs, scannerID) {
+				foundByScannerAndExisting[i].ScannerIDs = foundByScannerAndExisting[i].ScannerIDs + " " + scannerID
 			}
 		}
 
@@ -270,10 +270,10 @@ func (s *service) handleScanResult(userID string, scannerID string, assetVersion
 		//Last we have to change the already existing vulnerabilities which were not found this time
 
 		for i := range notFoundByScannerAndExisting {
-			if notFoundByScannerAndExisting[i].ScannerID == scannerID {
-				notFoundByScannerAndExisting[i].ScannerID = ""
+			if notFoundByScannerAndExisting[i].ScannerIDs == scannerID {
+				notFoundByScannerAndExisting[i].ScannerIDs = ""
 				vulnerabilitiesToFix = append(vulnerabilitiesToFix, notFoundByScannerAndExisting[i])
-			} else if strings.Contains(notFoundByScannerAndExisting[i].ScannerID, scannerID) {
+			} else if strings.Contains(notFoundByScannerAndExisting[i].ScannerIDs, scannerID) {
 				removeScannerFromVulnerability(&notFoundByScannerAndExisting[i], scannerID)
 				vulnerabilitiesToUpdate = append(vulnerabilitiesToUpdate, notFoundByScannerAndExisting[i])
 			}
@@ -301,7 +301,7 @@ func (s *service) handleScanResult(userID string, scannerID string, assetVersion
 // pass by reference to edit the actual vulnerability and not a copy
 func removeScannerFromVulnerability(vulnerability *models.DependencyVuln, scannerID string) {
 
-	vulnerability.ScannerID = strings.Replace(vulnerability.ScannerID, scannerID, "", 1)
+	vulnerability.ScannerIDs = strings.Replace(vulnerability.ScannerIDs, scannerID, "", 1)
 }
 
 func recursiveBuildBomRefMap(component cdx.Component) map[string]cdx.Component {

internal/core/common_interfaces.go

@@ -87,14 +87,14 @@ type AffectedComponentRepository interface {
 type ComponentRepository interface {
 	common.Repository[string, models.Component, DB]
 
-	LoadComponents(tx DB, assetVersionName string, assetID uuid.UUID, scanner string) ([]models.ComponentDependency, error)
-	LoadComponentsWithProject(tx DB, assetVersionName string, assetID uuid.UUID, scanner string, pageInfo PageInfo, search string, filter []FilterQuery, sort []SortQuery) (Paged[models.ComponentDependency], error)
-	LoadPathToComponent(tx DB, assetVersionName string, assetID uuid.UUID, pURL string, scanner string) ([]models.ComponentDependency, error)
+	LoadComponents(tx DB, assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.ComponentDependency, error)
+	LoadComponentsWithProject(tx DB, assetVersionName string, assetID uuid.UUID, scannerID string, pageInfo PageInfo, search string, filter []FilterQuery, sort []SortQuery) (Paged[models.ComponentDependency], error)
+	LoadPathToComponent(tx DB, assetVersionName string, assetID uuid.UUID, pURL string, scannerID string) ([]models.ComponentDependency, error)
 	SaveBatch(tx DB, components []models.Component) error
 	FindByPurl(tx DB, purl string) (models.Component, error)
 	HandleStateDiff(tx DB, assetVersionName string, assetID uuid.UUID, oldState []models.ComponentDependency, newState []models.ComponentDependency) error
 	GetDependencyCountPerScanner(assetVersionName string, assetID uuid.UUID) (map[string]int, error)
-	GetLicenseDistribution(tx DB, assetVersionName string, assetID uuid.UUID, scanner string) (map[string]int, error)
+	GetLicenseDistribution(tx DB, assetVersionName string, assetID uuid.UUID, scannerID string) (map[string]int, error)
 }
 
 type DependencyVulnRepository interface {
@@ -195,7 +195,7 @@ type AssetVersionService interface {
 	GetAssetVersionsByAssetID(assetID uuid.UUID) ([]models.AssetVersion, error)
 	HandleFirstPartyVulnResult(asset models.Asset, assetVersion *models.AssetVersion, sarifScan models.SarifResult, scannerID string, userID string, doRiskManagement bool) (int, int, []models.FirstPartyVulnerability, error)
 	UpdateSBOM(assetVersion models.AssetVersion, scannerID string, sbom normalize.SBOM) error
-	HandleScanResult(asset models.Asset, assetVersion *models.AssetVersion, vulns []models.VulnInPackage, scanner string, scannerID string, userID string, doRiskManagement bool) (amountOpened int, amountClose int, newState []models.DependencyVuln, err error)
+	HandleScanResult(asset models.Asset, assetVersion *models.AssetVersion, vulns []models.VulnInPackage, scannerID string, userID string, doRiskManagement bool) (amountOpened int, amountClose int, newState []models.DependencyVuln, err error)
 }
 
 type AssetVersionRepository interface {
@@ -291,7 +291,7 @@ type ComponentProjectRepository interface {
 }
 
 type ComponentService interface {
-	GetAndSaveLicenseInformation(assetVersionName string, assetID uuid.UUID, scanner string) ([]models.Component, error)
+	GetAndSaveLicenseInformation(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.Component, error)
 	RefreshComponentProjectInformation(project models.ComponentProject)
 	GetLicense(component models.Component) (models.Component, error)
 }

internal/core/component/component_service.go

@@ -149,8 +149,8 @@ func (s *service) GetLicense(component models.Component) (models.Component, erro
 	return component, nil
 }
 
-func (s *service) GetAndSaveLicenseInformation(assetVersionName string, assetID uuid.UUID, scanner string) ([]models.Component, error) {
-	componentDependencies, err := s.componentRepository.LoadComponents(nil, assetVersionName, assetID, scanner)
+func (s *service) GetAndSaveLicenseInformation(assetVersionName string, assetID uuid.UUID, scannerID string) ([]models.Component, error) {
+	componentDependencies, err := s.componentRepository.LoadComponents(nil, assetVersionName, assetID, scannerID)
 	if err != nil {
 		return nil, err
 	}

internal/core/daemon/flaw_daemon.go

@@ -74,15 +74,15 @@ func UpdateComponentProperties(db core.DB) error {
 			// group by scanner id
 			groups := make(map[string]map[string][]models.DependencyVuln)
 			for _, f := range dependencyVulns {
-				if _, ok := groups[f.ScannerID]; !ok {
-					groups[f.ScannerID] = make(map[string][]models.DependencyVuln)
+				if _, ok := groups[f.ScannerIDs]; !ok {
+					groups[f.ScannerIDs] = make(map[string][]models.DependencyVuln)
 				}
 
-				if _, ok := groups[f.ScannerID][f.AssetVersionName]; !ok {
-					groups[f.ScannerID][f.AssetVersionName] = make([]models.DependencyVuln, 0)
+				if _, ok := groups[f.ScannerIDs][f.AssetVersionName]; !ok {
+					groups[f.ScannerIDs][f.AssetVersionName] = make([]models.DependencyVuln, 0)
 				}
 
-				groups[f.ScannerID][f.AssetVersionName] = append(groups[f.ScannerID][f.AssetVersionName], f)
+				groups[f.ScannerIDs][f.AssetVersionName] = append(groups[f.ScannerIDs][f.AssetVersionName], f)
 			}
 
 			// group the dependencyVulns by scanner id

internal/core/dependency_vuln/dependency_vuln_controller.go

@@ -2,7 +2,6 @@ package dependency_vuln
 
 import (
 	"encoding/json"
-	"fmt"
 	"log/slog"
 	"slices"
 
@@ -136,7 +135,7 @@ func (c dependencyVulnHttpController) ListPaged(ctx core.Context) error {
 		// append the dependencyVuln to the package
 		dependencyVulnsByPackage.DependencyVulns = append(res[*dependencyVuln.ComponentPurl].DependencyVulns, DependencyVulnDTO{
 			ID:                    dependencyVuln.ID,
-			ScannerID:             dependencyVuln.ScannerID,
+			ScannerID:             dependencyVuln.ScannerIDs,
 			Message:               dependencyVuln.Message,
 			AssetVersionName:      dependencyVuln.AssetVersionName,
 			AssetID:               dependencyVuln.AssetID.String(),
@@ -227,7 +226,7 @@ func (c dependencyVulnHttpController) Read(ctx core.Context) error {
 }
 
 func (c dependencyVulnHttpController) CreateEvent(ctx core.Context) error {
-	fmt.Printf("Called 'CreateEvent'")
+
 	asset := core.GetAsset(ctx)
 	assetVersion := core.GetAssetVersion(ctx)
 	thirdPartyIntegration := core.GetThirdPartyIntegration(ctx)
@@ -297,7 +296,7 @@ func convertToDetailedDTO(dependencyVuln models.DependencyVuln) detailedDependen
 			Priority:              dependencyVuln.Priority,
 			LastDetected:          dependencyVuln.LastDetected,
 			CreatedAt:             dependencyVuln.CreatedAt,
-			ScannerID:             dependencyVuln.ScannerID,
+			ScannerID:             dependencyVuln.ScannerIDs,
 			TicketID:              dependencyVuln.TicketID,
 			TicketURL:             dependencyVuln.TicketURL,
 			RiskRecalculatedAt:    dependencyVuln.RiskRecalculatedAt,

internal/core/dependency_vuln/dependency_vuln_dto.go

@@ -55,7 +55,7 @@ func DependencyVulnToDto(f models.DependencyVuln) DependencyVulnDTO {
 
 	return DependencyVulnDTO{
 		ID:                    f.ID,
-		ScannerID:             f.ScannerID,
+		ScannerID:             f.ScannerIDs,
 		Message:               f.Message,
 		AssetVersionName:      f.AssetVersionName,
 		AssetID:               f.AssetID.String(),

internal/core/dependency_vuln/first_party_vuln_controller.go

@@ -204,7 +204,7 @@ func convertFirstPartyVulnToDetailedDTO(firstPartyVuln models.FirstPartyVulnerab
 	return detailedFirstPartyVulnDTO{
 		FirstPartyVulnDTO: FirstPartyVulnDTO{
 			ID:          firstPartyVuln.ID,
-			ScannerID:   firstPartyVuln.ScannerID,
+			ScannerID:   firstPartyVuln.ScannerIDs,
 			Message:     firstPartyVuln.Message,
 			AssetID:     firstPartyVuln.AssetID.String(),
 			State:       firstPartyVuln.State,