enricher: add RHCC enricher

This change introduces a new enricher that reports where rhcc packages
exist (if at all), it allows callers to discount vulnerabilities /
packages that come from the same layers. This approach
helps to keep the index report unchanged and therefore state is less
of an issue, it also builds on existing machinary.

Signed-off-by: crozzy <[email protected]>

Author: crozzy

enricher/rhcc/rhcc.go

@@ -0,0 +1,47 @@
+package rhcc
+
+import (
+	"context"
+	"encoding/json"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/libvuln/driver"
+	"github.com/quay/claircore/rhel/rhcc"
+)
+
+type Enricher struct{}
+
+var (
+	_ driver.Enricher = (*Enricher)(nil)
+)
+
+const (
+	// Type is the type of data returned from the Enricher's Enrich method.
+	Type = `message/vnd.clair.map.layer; enricher=clair.rhcc schema=??`
+)
+
+func (e *Enricher) Name() string { return "rhcc" }
+
+func (e *Enricher) Enrich(ctx context.Context, g driver.EnrichmentGetter, r *claircore.VulnerabilityReport) (string, []json.RawMessage, error) {
+	problematicPkgs := make(map[string]string)
+	for id, p := range r.Packages {
+		if p.Kind == "binary" {
+			if envs, ok := r.Environments[id]; ok {
+				for _, e := range envs {
+					for _, repoID := range e.RepositoryIDs {
+						repo := r.Repositories[repoID]
+						if repo.Name == rhcc.GoldRepo.Name {
+							problematicPkgs[e.IntroducedIn.String()] = id
+						}
+					}
+				}
+			}
+		}
+	}
+
+	b, err := json.Marshal(problematicPkgs)
+	if err != nil {
+		return Type, nil, err
+	}
+	return Type, []json.RawMessage{b}, nil
+}

enricher/rhcc/rhcc_test.go

@@ -0,0 +1,240 @@
+package rhcc
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/json"
+	"io"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/quay/zlog"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/libvuln/driver"
+)
+
+func Digest(name string) claircore.Digest {
+	h := sha256.New()
+	io.WriteString(h, name)
+	d, err := claircore.NewDigest("sha256", h.Sum(nil))
+	if err != nil {
+		panic(err)
+	}
+	return d
+}
+
+func TestEnrich(t *testing.T) {
+	t.Parallel()
+	ctx := zlog.Test(context.Background(), t)
+	firstLayerHash := Digest("first layer")
+	secondLayerHash := Digest("second layer")
+	tests := []struct {
+		name   string
+		vr     *claircore.VulnerabilityReport
+		layers []*claircore.Layer
+		want   map[string]string
+	}{
+		{
+			name: "vuln in package in different layer from rhcc package",
+			vr: &claircore.VulnerabilityReport{
+				Packages: map[string]*claircore.Package{
+					"1": {
+						Name:           "some-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+						Kind:           claircore.BINARY,
+					},
+					"2": {
+						Name:    "grafana",
+						Version: "v4.7.0",
+						Kind:    claircore.BINARY,
+					},
+				},
+				Environments: map[string][]*claircore.Environment{
+					"1": {{IntroducedIn: firstLayerHash}},
+					"2": {{IntroducedIn: secondLayerHash}},
+				},
+				Vulnerabilities: map[string]*claircore.Vulnerability{
+					"4": {
+						Name:           "something bad with grafana",
+						FixedInVersion: "v100.0.0",
+					},
+				},
+				PackageVulnerabilities: map[string][]string{
+					"2": {"4"},
+				},
+			},
+			layers: []*claircore.Layer{
+				{Hash: firstLayerHash},
+				{Hash: secondLayerHash},
+			},
+			want: map[string]string{firstLayerHash.String(): "1"},
+		},
+		{
+			name: "vuln in package in same layer as rhcc package",
+			vr: &claircore.VulnerabilityReport{
+				Packages: map[string]*claircore.Package{
+					"1": {
+						Name:           "some-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+						Kind:           claircore.BINARY,
+					},
+					"2": {
+						Name:    "grafana",
+						Version: "v4.7.0",
+						Kind:    claircore.BINARY,
+					},
+				},
+				Environments: map[string][]*claircore.Environment{
+					"1": {{IntroducedIn: firstLayerHash}},
+					"2": {{IntroducedIn: firstLayerHash}},
+				},
+				Vulnerabilities: map[string]*claircore.Vulnerability{
+					"4": {
+						Name:           "something bad with grafana",
+						FixedInVersion: "v100.0.0",
+					},
+				},
+				PackageVulnerabilities: map[string][]string{
+					"2": {"4"},
+				},
+			},
+			layers: []*claircore.Layer{
+				{Hash: firstLayerHash},
+				{Hash: secondLayerHash},
+			},
+			want: map[string]string{firstLayerHash.String(): "1"},
+		},
+		{
+			name: "vuln in package in same layer as rhcc package and rhcc vuln in same layer",
+			vr: &claircore.VulnerabilityReport{
+				Packages: map[string]*claircore.Package{
+					"1": {
+						Name:           "some-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+						Kind:           claircore.BINARY,
+					},
+					"2": {
+						Name:    "grafana",
+						Version: "v4.7.0",
+						Kind:    claircore.BINARY,
+					},
+				},
+				Environments: map[string][]*claircore.Environment{
+					"1": {{IntroducedIn: firstLayerHash}},
+					"2": {{IntroducedIn: firstLayerHash}},
+				},
+				Vulnerabilities: map[string]*claircore.Vulnerability{
+					"4": {
+						Name:           "something bad with grafana",
+						FixedInVersion: "v100.0.0",
+					},
+					"5": {
+						Name:           "something bad ubi",
+						FixedInVersion: "v100.0.0",
+					},
+				},
+				PackageVulnerabilities: map[string][]string{
+					"2": {"4"},
+					"1": {"5"},
+				},
+			},
+			layers: []*claircore.Layer{
+				{Hash: firstLayerHash},
+				{Hash: secondLayerHash},
+			},
+			want: map[string]string{firstLayerHash.String(): "1"},
+		},
+		{
+			name: "multiple rhcc packages in different layers",
+			vr: &claircore.VulnerabilityReport{
+				Packages: map[string]*claircore.Package{
+					"1": {
+						Name:           "some-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+						Kind:           claircore.BINARY,
+					},
+					"2": {
+						Name:           "some-other-rh-package-slash-image",
+						RepositoryHint: "rhcc",
+						Version:        "v1.0.0",
+						Kind:           claircore.BINARY,
+					},
+					"3": {
+						Name:    "grafana",
+						Version: "v4.7.0",
+						Kind:    claircore.BINARY,
+					},
+				},
+				Environments: map[string][]*claircore.Environment{
+					"1": {{IntroducedIn: firstLayerHash}},
+					"2": {{IntroducedIn: secondLayerHash}},
+					"3": {{IntroducedIn: firstLayerHash}},
+				},
+				Vulnerabilities: map[string]*claircore.Vulnerability{
+					"4": {
+						Name:           "something bad with grafana",
+						FixedInVersion: "v100.0.0",
+					},
+					"5": {
+						Name:           "something bad ubi",
+						FixedInVersion: "v100.0.0",
+					},
+					"6": {
+						Name:           "something bad s2i",
+						FixedInVersion: "v100.0.0",
+					},
+				},
+				PackageVulnerabilities: map[string][]string{
+					"3": {"4"},
+					"1": {"5"},
+					"2": {"6"},
+				},
+			},
+			layers: []*claircore.Layer{
+				{Hash: firstLayerHash},
+				{Hash: secondLayerHash},
+			},
+			want: map[string]string{firstLayerHash.String(): "1", secondLayerHash.String(): "2"},
+		},
+	}
+
+	e := &Enricher{}
+	nog := &noopGetter{}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			tp, data, err := e.Enrich(ctx, nog, tc.vr)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if tp != "message/vnd.clair.map.layer; enricher=clair.rhcc schema=??" {
+				t.Fatal("wrong type")
+			}
+			got := make(map[string]string)
+			if err := json.Unmarshal(data[0], &got); err != nil {
+				t.Error(err)
+			}
+			if !cmp.Equal(got, tc.want) {
+				t.Error(cmp.Diff(got, tc.want))
+			}
+		})
+
+	}
+}
+
+func TestName(t *testing.T) {
+	e := &Enricher{}
+	if e.Name() != "rhcc" {
+		t.Fatal("name should be rhcc")
+	}
+}
+
+type noopGetter struct{}
+
+func (f *noopGetter) GetEnrichment(ctx context.Context, tags []string) ([]driver.EnrichmentRecord, error) {
+	return nil, nil
+}

rhel/rhcc/coalescer_test.go

@@ -21,7 +21,7 @@ func TestCoalescer(t *testing.T) {
 		// Mark them as if they came from this package's package scanner
 		p.RepositoryHint = `rhcc`
 	}
-	repo := []*claircore.Repository{&goldRepo}
+	repo := []*claircore.Repository{&GoldRepo}
 	layerArtifacts := []*indexer.LayerArtifacts{
 		{
 			Hash: test.RandomSHA256Digest(t),
@@ -67,7 +67,7 @@ func TestCoalescer(t *testing.T) {
 		}
 		for _, id := range e.RepositoryIDs {
 			r := ir.Repositories[id]
-			if got, want := r.Name, goldRepo.Name; got != want {
+			if got, want := r.Name, GoldRepo.Name; got != want {
 				t.Errorf("got: %q, want: %q", got, want)
 			}
 		}

rhel/rhcc/matcher.go

@@ -26,7 +26,7 @@ func (*matcher) Name() string { return "rhel-container-matcher" }
 // Filter implements [driver.Matcher].
 func (*matcher) Filter(r *claircore.IndexRecord) bool {
 	return r.Repository != nil &&
-		r.Repository.Name == goldRepo.Name
+		r.Repository.Name == GoldRepo.Name
 }
 
 // Query implements [driver.Matcher].

rhel/rhcc/parser_test.go

@@ -39,7 +39,7 @@ func TestDB(t *testing.T) {
 					Links:              "https://access.redhat.com/errata/RHSA-2021:3665 https://access.redhat.com/security/cve/CVE-2021-3762",
 					NormalizedSeverity: claircore.High,
 					FixedInVersion:     "v3.5.7-8",
-					Repo:               &goldRepo,
+					Repo:               &GoldRepo,
 					Range: &claircore.Range{
 						Lower: claircore.Version{
 							Kind: "rhctag",
@@ -81,7 +81,7 @@ func TestDB(t *testing.T) {
 						},
 					},
 					FixedInVersion: "v4.6.0-202112140546.p0.g8b9da97.assembly.stream",
-					Repo:           &goldRepo,
+					Repo:           &GoldRepo,
 				},
 				{
 					Name:               "RHSA-2021:5107",
@@ -103,7 +103,7 @@ func TestDB(t *testing.T) {
 						},
 					},
 					FixedInVersion: "v4.7.0-202112140553.p0.g091bb99.assembly.stream",
-					Repo:           &goldRepo,
+					Repo:           &GoldRepo,
 				},
 				{
 					Name:               "RHSA-2021:5108",
@@ -125,7 +125,7 @@ func TestDB(t *testing.T) {
 						},
 					},
 					FixedInVersion: "v4.8.0-202112132154.p0.g57dd03a.assembly.stream",
-					Repo:           &goldRepo,
+					Repo:           &GoldRepo,
 				},
 			},
 		},
@@ -153,7 +153,7 @@ func TestDB(t *testing.T) {
 						},
 					},
 					FixedInVersion: "v6.8.1-65",
-					Repo:           &goldRepo,
+					Repo:           &GoldRepo,
 				},
 				{
 					Name:               "RHSA-2021:5137",
@@ -175,7 +175,7 @@ func TestDB(t *testing.T) {
 						},
 					},
 					FixedInVersion: "v5.0.10-1",
-					Repo:           &goldRepo,
+					Repo:           &GoldRepo,
 				},
 			},
 		},
@@ -203,7 +203,7 @@ func TestDB(t *testing.T) {
 						},
 					},
 					FixedInVersion: "4.8-167.9a9db5f.release_4.8",
-					Repo:           &goldRepo,
+					Repo:           &GoldRepo,
 				},
 				{
 					Name:               "RHSA-2021:2041",
@@ -225,7 +225,7 @@ func TestDB(t *testing.T) {
 						},
 					},
 					FixedInVersion: "4.7-140.49a6fcf.release_4.7",
-					Repo:           &goldRepo,
+					Repo:           &GoldRepo,
 				},
 			},
 		},

rhel/rhcc/rhcc.go

@@ -14,7 +14,7 @@ import (
 	"github.com/quay/claircore/toolkit/types/cpe"
 )
 
-var goldRepo = claircore.Repository{
+var GoldRepo = claircore.Repository{
 	Name: "Red Hat Container Catalog",
 	URI:  `https://catalog.redhat.com/software/containers/explore`,
 }