Merge pull request #251 from cerberauth/link-issues-scans

Link scans to issues in reports

Author: emmanuelgautier

internal/auth/security_scheme.go

@@ -15,7 +15,7 @@ type SecurityScheme struct {
 	Type        Type         `json:"type" yaml:"type"`
 	Scheme      SchemeName   `json:"scheme" yaml:"scheme"`
 	In          *SchemeIn    `json:"in" yaml:"in"`
-	TokenFormat *TokenFormat `json:"token_format" yaml:"token_format"`
+	TokenFormat *TokenFormat `json:"tokenFormat" yaml:"tokenFormat"`
 
 	Name   string      `json:"name" yaml:"name"`
 	Config interface{} `json:"config" yaml:"config"`

internal/request/request.go

@@ -6,10 +6,13 @@ import (
 	"net/http"
 
 	"github.com/cerberauth/vulnapi/internal/auth"
+	"github.com/google/uuid"
 )
 
 type Request struct {
-	Body        []byte
+	ID   string
+	Body []byte
+
 	Client      *Client
 	HttpRequest *http.Request
 }
@@ -53,6 +56,7 @@ func NewRequest(method string, url string, body io.Reader, client *Client) (*Req
 	}
 
 	return &Request{
+		ID:   uuid.New().String(),
 		Body: bodyBuffer,
 
 		Client:      client,
@@ -86,6 +90,10 @@ func (r *Request) WithSecurityScheme(securityScheme *auth.SecurityScheme) *Reque
 	return r
 }
 
+func (r *Request) GetID() string {
+	return r.ID
+}
+
 func (r *Request) GetMethod() string {
 	return r.HttpRequest.Method
 }
@@ -138,7 +146,8 @@ func (r *Request) SetBody(body io.Reader) *Request {
 }
 
 func (r *Request) Do() (*Response, error) {
-	r.SetHeader("User-Agent", "vulnapi")
+	r.SetHeader("user-agent", "vulnapi")
+	r.SetHeader("x-vulnapi-request-id", r.GetID())
 
 	rl.Take()
 	httpRes, err := r.Client.Do(r.HttpRequest)

internal/request/request_test.go

@@ -20,6 +20,7 @@ func TestNewRequest(t *testing.T) {
 	request, err := request.NewRequest(method, url, body, nil)
 
 	assert.NoError(t, err)
+	assert.NotEqual(t, "", request.ID)
 	assert.Equal(t, method, request.HttpRequest.Method)
 	assert.Equal(t, url, request.HttpRequest.URL.String())
 	assert.Equal(t, []byte("test"), request.Body)
@@ -68,6 +69,17 @@ func TestWithSecurityScheme(t *testing.T) {
 	assert.Equal(t, "Bearer "+token, request.HttpRequest.Header.Get("Authorization"))
 }
 
+func TestGetID(t *testing.T) {
+	method := http.MethodGet
+	url := "http://localhost:8080/"
+
+	request, err := request.NewRequest(method, url, nil, nil)
+
+	assert.NoError(t, err)
+	assert.NotEqual(t, "", request.GetID())
+	assert.Equal(t, request.ID, request.GetID())
+}
+
 func TestGetMethod(t *testing.T) {
 	method := http.MethodGet
 	url := "http://localhost:8080/"
@@ -241,6 +253,7 @@ func TestDo(t *testing.T) {
 		assert.Equal(t, method, req.Method)
 		assert.Equal(t, url, req.URL.String())
 		assert.Equal(t, "vulnapi", req.Header.Get("User-Agent"))
+		assert.Equal(t, request.GetID(), req.Header.Get("x-vulnapi-request-id"))
 
 		return httpmock.NewBytesResponse(http.StatusNoContent, nil), nil
 	})
@@ -301,6 +314,7 @@ func TestDoWithClientHeaders(t *testing.T) {
 		assert.Equal(t, method, req.Method)
 		assert.Equal(t, url, req.URL.String())
 		assert.Equal(t, "vulnapi", req.Header.Get("User-Agent"))
+		assert.Equal(t, request.GetID(), req.Header.Get("x-vulnapi-request-id"))
 		assert.Equal(t, header.Get("X-Test"), req.Header.Get("X-Test"))
 
 		return httpmock.NewBytesResponse(http.StatusNoContent, nil), nil
@@ -354,6 +368,7 @@ func TestDoWithSecuritySchemeHeaders(t *testing.T) {
 		assert.Equal(t, method, req.Method)
 		assert.Equal(t, url, req.URL.String())
 		assert.Equal(t, "vulnapi", req.Header.Get("User-Agent"))
+		assert.Equal(t, request.GetID(), req.Header.Get("x-vulnapi-request-id"))
 		assert.Equal(t, "Bearer "+token, req.Header.Get("Authorization"))
 
 		return httpmock.NewBytesResponse(http.StatusNoContent, nil), nil
@@ -385,6 +400,7 @@ func TestDoWithHeadersSecuritySchemeHeaders(t *testing.T) {
 		assert.Equal(t, method, req.Method)
 		assert.Equal(t, url, req.URL.String())
 		assert.Equal(t, "vulnapi", req.Header.Get("User-Agent"))
+		assert.Equal(t, request.GetID(), req.Header.Get("x-vulnapi-request-id"))
 		assert.Equal(t, header.Get("X-Test"), req.Header.Get("X-Test"))
 		assert.Equal(t, "Bearer "+token, req.Header.Get("Authorization"))
 
@@ -417,6 +433,7 @@ func TestDoWithCookiesSecuritySchemeHeaders(t *testing.T) {
 		assert.Equal(t, method, req.Method)
 		assert.Equal(t, url, req.URL.String())
 		assert.Equal(t, "vulnapi", req.Header.Get("User-Agent"))
+		assert.Equal(t, request.GetID(), req.Header.Get("x-vulnapi-request-id"))
 		assert.Equal(t, cookies[0].Name, req.Cookies()[0].Name)
 		assert.Equal(t, cookies[0].Value, req.Cookies()[0].Value)
 		assert.Equal(t, "Bearer "+token, req.Header.Get("Authorization"))

internal/scan/attempt.go

@@ -0,0 +1,62 @@
+package scan
+
+import (
+	"github.com/cerberauth/vulnapi/internal/operation"
+	"github.com/cerberauth/vulnapi/internal/request"
+)
+
+type IssueScanAttemptStatus string
+
+func (attemptStatus IssueScanAttemptStatus) String() string {
+	return string(attemptStatus)
+}
+
+const (
+	IssueScanAttemptStatusPassed IssueScanAttemptStatus = "passed"
+	IssueScanAttemptStatusFailed IssueScanAttemptStatus = "failed"
+	IssueScanAttemptStatusNone   IssueScanAttemptStatus = "none"
+)
+
+type IssueScanAttempt struct {
+	ID       string
+	Status   IssueScanAttemptStatus
+	Request  *request.Request
+	Response *request.Response
+	Err      error
+}
+
+func NewIssueScanAttempt(operation *operation.Operation, req *request.Request, res *request.Response, err error) *IssueScanAttempt {
+	return &IssueScanAttempt{
+		ID:     operation.GetID() + "-" + req.GetID(),
+		Status: IssueScanAttemptStatusNone,
+
+		Request:  req,
+		Response: res,
+		Err:      err,
+	}
+}
+
+func (scanAttempt *IssueScanAttempt) WithBooleanStatus(status bool) *IssueScanAttempt {
+	if status {
+		return scanAttempt.Pass()
+	}
+	return scanAttempt.Fail()
+}
+
+func (scanAttempt *IssueScanAttempt) Fail() *IssueScanAttempt {
+	scanAttempt.Status = IssueScanAttemptStatusFailed
+	return scanAttempt
+}
+
+func (scanAttempt *IssueScanAttempt) Pass() *IssueScanAttempt {
+	scanAttempt.Status = IssueScanAttemptStatusPassed
+	return scanAttempt
+}
+
+func (scanAttempt *IssueScanAttempt) HasPassed() bool {
+	return scanAttempt.Status == IssueScanAttemptStatusPassed
+}
+
+func (scanAttempt *IssueScanAttempt) HasFailed() bool {
+	return scanAttempt.Status == IssueScanAttemptStatusFailed
+}

internal/scan/attempt_test.go

@@ -0,0 +1,90 @@
+package scan
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/cerberauth/vulnapi/internal/operation"
+	"github.com/cerberauth/vulnapi/internal/request"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNewIssueScanAttempt(t *testing.T) {
+	req, _ := request.NewRequest(http.MethodGet, "http://example.com", nil, nil)
+	res := &request.Response{}
+	err := error(nil)
+	op, _ := operation.NewOperationFromRequest(req)
+
+	scanAttempt := NewIssueScanAttempt(op, req, res, err)
+
+	assert.NotNil(t, scanAttempt)
+	assert.Equal(t, IssueScanAttemptStatusNone, scanAttempt.Status)
+	assert.Equal(t, req, scanAttempt.Request)
+	assert.Equal(t, res, scanAttempt.Response)
+	assert.Equal(t, err, scanAttempt.Err)
+}
+
+func TestIssueScanAttempt_WithBooleanStatus(t *testing.T) {
+	req, _ := request.NewRequest(http.MethodGet, "http://example.com", nil, nil)
+	res := &request.Response{}
+	err := error(nil)
+	op, _ := operation.NewOperationFromRequest(req)
+
+	scanAttempt := NewIssueScanAttempt(op, req, res, err)
+
+	scanAttempt.WithBooleanStatus(true)
+	assert.Equal(t, IssueScanAttemptStatusPassed, scanAttempt.Status)
+
+	scanAttempt.WithBooleanStatus(false)
+	assert.Equal(t, IssueScanAttemptStatusFailed, scanAttempt.Status)
+}
+
+func TestIssueScanAttempt_Fail(t *testing.T) {
+	req, _ := request.NewRequest(http.MethodGet, "http://example.com", nil, nil)
+	res := &request.Response{}
+	err := error(nil)
+	op, _ := operation.NewOperationFromRequest(req)
+
+	scanAttempt := NewIssueScanAttempt(op, req, res, err)
+	scanAttempt.Fail()
+
+	assert.Equal(t, IssueScanAttemptStatusFailed, scanAttempt.Status)
+}
+
+func TestIssueScanAttempt_Pass(t *testing.T) {
+	req, _ := request.NewRequest(http.MethodGet, "http://example.com", nil, nil)
+	res := &request.Response{}
+	err := error(nil)
+	op, _ := operation.NewOperationFromRequest(req)
+
+	scanAttempt := NewIssueScanAttempt(op, req, res, err)
+	scanAttempt.Pass()
+
+	assert.Equal(t, IssueScanAttemptStatusPassed, scanAttempt.Status)
+}
+
+func TestIssueScanAttempt_HasPassed(t *testing.T) {
+	req, _ := request.NewRequest(http.MethodGet, "http://example.com", nil, nil)
+	res := &request.Response{}
+	err := error(nil)
+	op, _ := operation.NewOperationFromRequest(req)
+
+	scanAttempt := NewIssueScanAttempt(op, req, res, err)
+	scanAttempt.Pass()
+
+	assert.True(t, scanAttempt.HasPassed())
+	assert.False(t, scanAttempt.HasFailed())
+}
+
+func TestIssueScanAttempt_HasFailed(t *testing.T) {
+	req, _ := request.NewRequest(http.MethodGet, "http://example.com", nil, nil)
+	res := &request.Response{}
+	err := error(nil)
+	op, _ := operation.NewOperationFromRequest(req)
+
+	scanAttempt := NewIssueScanAttempt(op, req, res, err)
+	scanAttempt.Fail()
+
+	assert.True(t, scanAttempt.HasFailed())
+	assert.False(t, scanAttempt.HasPassed())
+}

internal/scan/scan_url.go

@@ -3,15 +3,8 @@ package scan
 import (
 	"github.com/cerberauth/vulnapi/internal/auth"
 	"github.com/cerberauth/vulnapi/internal/operation"
-	"github.com/cerberauth/vulnapi/internal/request"
 )
 
-type IssueScanAttempt struct {
-	Request  *request.Request
-	Response *request.Response
-	Err      error
-}
-
 func ScanURL(operation *operation.Operation, securityScheme *auth.SecurityScheme) (*IssueScanAttempt, error) {
 	req, err := operation.NewRequest()
 	if err != nil {
@@ -25,9 +18,5 @@ func ScanURL(operation *operation.Operation, securityScheme *auth.SecurityScheme
 	}
 
 	res, err := req.Do()
-	return &IssueScanAttempt{
-		Request:  req,
-		Response: res,
-		Err:      err,
-	}, err
+	return NewIssueScanAttempt(operation, req, res, err), err
 }

report/issue_report.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/cerberauth/vulnapi/internal/auth"
 	"github.com/cerberauth/vulnapi/internal/operation"
+	"github.com/cerberauth/vulnapi/internal/scan"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 )
@@ -30,10 +31,35 @@ var IssueReportStatuses = []IssueReportStatus{
 	IssueReportStatusNone,
 }
 
+type IssueScanReport struct {
+	ID     string                       `json:"id" yaml:"id"`
+	Status *scan.IssueScanAttemptStatus `json:"status" yaml:"status"`
+}
+
+func NewIssueScanReport(id string, status *scan.IssueScanAttemptStatus) *IssueScanReport {
+	return &IssueScanReport{
+		ID:     id,
+		Status: status,
+	}
+}
+
+func (issueScanReport *IssueScanReport) GetStatus() scan.IssueScanAttemptStatus {
+	return *issueScanReport.Status
+}
+
+func (issueScanReport *IssueScanReport) HasFailed() bool {
+	return *issueScanReport.Status == scan.IssueScanAttemptStatusFailed
+}
+
+func (issueScanReport *IssueScanReport) HasPassed() bool {
+	return *issueScanReport.Status == scan.IssueScanAttemptStatusPassed
+}
+
 type IssueReport struct {
 	Issue  `json:",inline" yaml:",inline"`
 	Status IssueReportStatus `json:"status" yaml:"status"`
 
+	Scans          []*IssueScanReport   `json:"scans" yaml:"scans"`
 	Operation      *operation.Operation `json:"-" yaml:"-"`
 	SecurityScheme *auth.SecurityScheme `json:"-" yaml:"-"`
 }
@@ -42,6 +68,7 @@ func NewIssueReport(issue Issue) *IssueReport {
 	return &IssueReport{
 		Issue:  issue,
 		Status: IssueReportStatusNone,
+		Scans:  []*IssueScanReport{},
 	}
 }
 
@@ -122,6 +149,15 @@ func (vr *IssueReport) IsCriticalRiskSeverity() bool {
 	return vr.CVSS.Score > 9
 }
 
+func (vr *IssueReport) WithScanAttempt(attempt *scan.IssueScanAttempt) *IssueReport {
+	return vr.AddScanAttempt(attempt)
+}
+
+func (vr *IssueReport) AddScanAttempt(attempt *scan.IssueScanAttempt) *IssueReport {
+	vr.Scans = append(vr.Scans, NewIssueScanReport(attempt.ID, &attempt.Status))
+	return vr
+}
+
 func (vr *IssueReport) String() string {
 	return fmt.Sprintf("[%s] %s", vr.SeverityLevelString(), vr.Name)
 }