feat: Capability to block deployments in case of vulnerabilities only if FIXED IN VERSION available (#3796)

* block if fixed version available

* check for policy in different apis.

* minimise the if else check

* minimise the if else check

* Completed unit testcases

* remove duplicate codes

* remove duplicate codes

* unit test cases

Author: Ashish-devtron

internal/sql/repository/security/CvePolicyControle.go

@@ -46,10 +46,11 @@ const (
 	Inherit PolicyAction = iota
 	Allow
 	Block
+	Blockiffixed
 )
 
 func (d PolicyAction) String() string {
-	return [...]string{"inherit", "allow", "block"}[d]
+	return [...]string{"inherit", "allow", "block", "blockiffixed"}[d]
 }
 
 // ------------------
@@ -246,23 +247,23 @@ func (impl *CvePolicyRepositoryImpl) GetBlockedCVEList(cves []*CveStore, cluster
 	if err != nil {
 		return nil, err
 	}
-	blockedCve := impl.enforceCvePolicy(cves, cvePolicy, severityPolicy)
+	blockedCve := EnforceCvePolicy(cves, cvePolicy, severityPolicy)
 	return blockedCve, nil
 }
 
-func (impl *CvePolicyRepositoryImpl) enforceCvePolicy(cves []*CveStore, cvePolicy map[string]*CvePolicy, severityPolicy map[Severity]*CvePolicy) (blockedCVE []*CveStore) {
+func EnforceCvePolicy(cves []*CveStore, cvePolicy map[string]*CvePolicy, severityPolicy map[Severity]*CvePolicy) (blockedCVE []*CveStore) {
 
 	for _, cve := range cves {
 		if policy, ok := cvePolicy[cve.Name]; ok {
 			if policy.Action == Allow {
 				continue
-			} else {
+			} else if (policy.Action == Block) || (policy.Action == Blockiffixed && cve.FixedVersion != "") {
 				blockedCVE = append(blockedCVE, cve)
 			}
 		} else {
 			if severityPolicy[cve.Severity] != nil && severityPolicy[cve.Severity].Action == Allow {
 				continue
-			} else {
+			} else if severityPolicy[cve.Severity] != nil && (severityPolicy[cve.Severity].Action == Block || (severityPolicy[cve.Severity].Action == Blockiffixed && cve.FixedVersion != "")) {
 				blockedCVE = append(blockedCVE, cve)
 			}
 		}
@@ -346,6 +347,7 @@ func (impl *CvePolicyRepositoryImpl) getHighestPolicy(allPolicies map[string][]*
 	}
 	return applicablePolicies
 }
+
 func (impl *CvePolicyRepositoryImpl) getHighestPolicyS(allPolicies map[Severity][]*CvePolicy) map[Severity]*CvePolicy {
 	applicablePolicies := make(map[Severity]*CvePolicy)
 	for key, policies := range allPolicies {

internal/sql/repository/security/CvePolicyControle_test.go

@@ -0,0 +1,179 @@
+package security
+
+import (
+	"github.com/go-pg/pg"
+	"reflect"
+	"testing"
+)
+
+func TestCvePolicyRepositoryImpl_enforceCvePolicy(t *testing.T) {
+	type fields struct {
+		dbConnection *pg.DB
+	}
+	type args struct {
+		cves           []*CveStore
+		cvePolicy      map[string]*CvePolicy
+		severityPolicy map[Severity]*CvePolicy
+	}
+	tests := []struct {
+		name           string
+		fields         fields
+		args           args
+		wantBlockedCVE []*CveStore
+	}{
+		// TODO: Add test cases.
+		{
+			name: "Test 1",
+			args: args{
+				cves: []*CveStore{
+					{
+						Name: "abc",
+					},
+					{
+						Severity: Low,
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{
+					"abc": {
+						Action: Allow,
+					},
+				},
+				severityPolicy: map[Severity]*CvePolicy{
+					Low: {
+						Action: Allow,
+					},
+				},
+			},
+			wantBlockedCVE: nil,
+		},
+		{
+			name: "Test 2",
+			args: args{
+				cves: []*CveStore{
+					{
+						Name: "abc",
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{
+					"abc": {
+						Action: Block,
+					},
+				},
+				severityPolicy: map[Severity]*CvePolicy{},
+			},
+			wantBlockedCVE: []*CveStore{
+				{
+					Name: "abc",
+				},
+			},
+		},
+		{
+			name: "Test 3",
+			args: args{
+				cves: []*CveStore{
+					{
+						Severity: High,
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{},
+				severityPolicy: map[Severity]*CvePolicy{
+					High: {
+						Action: Block,
+					},
+				},
+			},
+			wantBlockedCVE: []*CveStore{
+				{
+					Severity: High,
+				},
+			},
+		},
+		{
+			name: "Test 4",
+			args: args{
+				cves: []*CveStore{
+					{
+						Name:         "abc",
+						FixedVersion: "1.0.0",
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{
+					"abc": {
+						Action: Blockiffixed,
+					},
+				},
+				severityPolicy: map[Severity]*CvePolicy{},
+			},
+			wantBlockedCVE: []*CveStore{
+				{
+					Name:         "abc",
+					FixedVersion: "1.0.0",
+				},
+			},
+		},
+		{
+			name: "Test 5",
+			args: args{
+				cves: []*CveStore{
+					{
+						Name: "abc",
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{
+					"abc": {
+						Action: Blockiffixed,
+					},
+				},
+				severityPolicy: map[Severity]*CvePolicy{},
+			},
+			wantBlockedCVE: nil,
+		},
+		{
+			name: "Test 6",
+			args: args{
+				cves: []*CveStore{
+					{
+						Severity:     High,
+						FixedVersion: "1.0.0",
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{},
+				severityPolicy: map[Severity]*CvePolicy{
+					High: {
+						Action: Blockiffixed,
+					},
+				},
+			},
+			wantBlockedCVE: []*CveStore{
+				{
+					Severity:     High,
+					FixedVersion: "1.0.0",
+				},
+			},
+		},
+		{
+			name: "Test 7",
+			args: args{
+				cves: []*CveStore{
+					{
+						Severity: High,
+					},
+				},
+				cvePolicy: map[string]*CvePolicy{},
+				severityPolicy: map[Severity]*CvePolicy{
+					High: {
+						Action: Blockiffixed,
+					},
+				},
+			},
+			wantBlockedCVE: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if gotBlockedCVE := EnforceCvePolicy(tt.args.cves, tt.args.cvePolicy, tt.args.severityPolicy); !reflect.DeepEqual(gotBlockedCVE, tt.wantBlockedCVE) {
+				t.Errorf("EnforceCvePolicy() = %v, want %v", gotBlockedCVE, tt.wantBlockedCVE)
+			}
+		})
+	}
+}

pkg/security/policyService.go

@@ -250,7 +250,7 @@ func (impl *PolicyServiceImpl) VerifyImage(verifyImageRequest *VerifyImageReques
 				scanResultsIdMap[scanResult.ImageScanExecutionHistoryId] = scanResult.ImageScanExecutionHistoryId
 			}
 		}
-		blockedCves := impl.enforceCvePolicy(cveStores, cvePolicy, severityPolicy)
+		blockedCves := security.EnforceCvePolicy(cveStores, cvePolicy, severityPolicy)
 		impl.logger.Debugw("blocked cve for image", "image", image, "blocked", blockedCves)
 		for _, cve := range blockedCves {
 			vr := &VerifyImageResponse{
@@ -328,27 +328,6 @@ func (impl *PolicyServiceImpl) VerifyImage(verifyImageRequest *VerifyImageReques
 	return imageBlockedCves, nil
 }
 
-// image(cve), appId, envId
-func (impl *PolicyServiceImpl) enforceCvePolicy(cves []*security.CveStore, cvePolicy map[string]*security.CvePolicy, severityPolicy map[security.Severity]*security.CvePolicy) (blockedCVE []*security.CveStore) {
-
-	for _, cve := range cves {
-		if policy, ok := cvePolicy[cve.Name]; ok {
-			if policy.Action == security.Allow {
-				continue
-			} else {
-				blockedCVE = append(blockedCVE, cve)
-			}
-		} else {
-			if severityPolicy[cve.Severity] != nil && severityPolicy[cve.Severity].Action == security.Allow {
-				continue
-			} else {
-				blockedCVE = append(blockedCVE, cve)
-			}
-		}
-	}
-	return blockedCVE
-}
-
 func (impl *PolicyServiceImpl) GetApplicablePolicy(clusterId, envId, appId int, isAppstore bool) (map[string]*security.CvePolicy, map[security.Severity]*security.CvePolicy, error) {
 
 	var policyLevel security.PolicyLevel
@@ -441,6 +420,8 @@ func (impl *PolicyServiceImpl) parsePolicyAction(action string) (security.Policy
 		policyAction = security.Block
 	} else if action == "inherit" {
 		policyAction = security.Inherit
+	} else if action == "blockiffixed" {
+		policyAction = security.Blockiffixed
 	} else {
 		return security.Inherit, fmt.Errorf("unsupported action %s", action)
 	}
@@ -706,7 +687,7 @@ func (impl *PolicyServiceImpl) GetBlockedCVEList(cves []*security.CveStore, clus
 	if err != nil {
 		return nil, err
 	}
-	blockedCve := impl.enforceCvePolicy(cves, cvePolicy, severityPolicy)
+	blockedCve := security.EnforceCvePolicy(cves, cvePolicy, severityPolicy)
 	return blockedCve, nil
 }
 
@@ -715,13 +696,13 @@ func (impl *PolicyServiceImpl) HasBlockedCVE(cves []*security.CveStore, cvePolic
 		if policy, ok := cvePolicy[cve.Name]; ok {
 			if policy.Action == security.Allow {
 				continue
-			} else {
+			} else if (policy.Action == security.Block) || (policy.Action == security.Blockiffixed && cve.FixedVersion != "") {
 				return true
 			}
 		} else {
 			if severityPolicy[cve.Severity] != nil && severityPolicy[cve.Severity].Action == security.Allow {
 				continue
-			} else {
+			} else if severityPolicy[cve.Severity] != nil && (severityPolicy[cve.Severity].Action == security.Block || (severityPolicy[cve.Severity].Action == security.Blockiffixed && cve.FixedVersion != "")) {
 				return true
 			}
 		}