feat: Trivy Image Scanning (#3373)

* wip

* Sql script fix

* Sql Fix

* Trivy and generic image scanning sql

* script number change

* Module Integration Changes

* Module Integration Changes

* wire changes

* script renaming

* Handling default value false

* Script Number change

* Inclusion of module-type and enabled state for all modules

* Adding enabled

* Handling Version of Clair

* Distinct condition

* Distinct condition change

* Testing changes

* Testing changes

* Update devtron.yaml

* Update installation-script

* Final changes

* Final changes

* --Final changes--

* --Finalchanges--

* Helm Command Handling

* Helm Command Handling

* minor changes

* Pushing scantoolid in execution result

* Image scan Scan Tool Id handling

* No vulnerability image scan tool id handling

* Script number change

* handling latest image scan deploy info

* script no change

* Handling For CICD enabling state

* review changes

* final changes

* fixes minor

* fixes minor

* fixes minor

* review changes

* changes for empty module type handling

* review changes and main sync script

---------

Co-authored-by: kartik-579 <[email protected]>

Author: Shivam-nagar23

Wire.go

@@ -585,6 +585,8 @@ func InitializeApp() (*App, error) {
 		wire.Bind(new(security2.CveStoreRepository), new(*security2.CveStoreRepositoryImpl)),
 		security2.NewImageScanDeployInfoRepositoryImpl,
 		wire.Bind(new(security2.ImageScanDeployInfoRepository), new(*security2.ImageScanDeployInfoRepositoryImpl)),
+		security2.NewScanToolMetadataRepositoryImpl,
+		wire.Bind(new(security2.ScanToolMetadataRepository), new(*security2.ScanToolMetadataRepositoryImpl)),
 		router.NewPolicyRouterImpl,
 		wire.Bind(new(router.PolicyRouter), new(*router.PolicyRouterImpl)),
 		restHandler.NewPolicyRestHandlerImpl,
@@ -593,6 +595,8 @@ func InitializeApp() (*App, error) {
 		wire.Bind(new(security.PolicyService), new(*security.PolicyServiceImpl)),
 		security2.NewPolicyRepositoryImpl,
 		wire.Bind(new(security2.CvePolicyRepository), new(*security2.CvePolicyRepositoryImpl)),
+		security2.NewScanToolExecutionHistoryMappingRepositoryImpl,
+		wire.Bind(new(security2.ScanToolExecutionHistoryMappingRepository), new(*security2.ScanToolExecutionHistoryMappingRepositoryImpl)),
 
 		argocdServer.NewArgoK8sClientImpl,
 		wire.Bind(new(argocdServer.ArgoK8sClient), new(*argocdServer.ArgoK8sClientImpl)),

api/module/ModuleRestHandler.go

@@ -34,6 +34,7 @@ type ModuleRestHandler interface {
 	GetModuleInfo(w http.ResponseWriter, r *http.Request)
 	GetModuleConfig(w http.ResponseWriter, r *http.Request)
 	HandleModuleAction(w http.ResponseWriter, r *http.Request)
+	EnableModule(w http.ResponseWriter, r *http.Request)
 }
 
 type ModuleRestHandlerImpl struct {
@@ -164,3 +165,46 @@ func (impl ModuleRestHandlerImpl) HandleModuleAction(w http.ResponseWriter, r *h
 	}
 	common.WriteJsonResp(w, err, res, http.StatusOK)
 }
+
+func (impl ModuleRestHandlerImpl) EnableModule(w http.ResponseWriter, r *http.Request) {
+	// check if user is logged in or not
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+
+	// check query param
+	params := mux.Vars(r)
+	moduleName := params["name"]
+	if len(moduleName) == 0 {
+		impl.logger.Error("module name is not supplied")
+		common.WriteJsonResp(w, errors.New("module name is not supplied"), nil, http.StatusBadRequest)
+		return
+	}
+	// decode request
+	decoder := json.NewDecoder(r.Body)
+	var moduleEnableRequestDto module.ModuleEnableRequestDto
+	err = decoder.Decode(&moduleEnableRequestDto)
+	if err != nil {
+		impl.logger.Errorw("error in decoding request in ModuleEnableRequestDto", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	// handle super-admin RBAC
+	token := r.Header.Get("token")
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionUpdate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+
+	// service call
+	res, err := impl.moduleService.EnableModule(moduleName, moduleEnableRequestDto.Version)
+	if err != nil {
+		impl.logger.Errorw("service err, Enabling Module", "err", err, "moduleName", moduleName, "toolVersion", moduleEnableRequestDto.Version)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}

api/module/ModuleRouter.go

@@ -21,4 +21,5 @@ func (impl ModuleRouterImpl) Init(configRouter *mux.Router) {
 	configRouter.Path("").HandlerFunc(impl.moduleRestHandler.GetModuleInfo).Methods("GET")
 	configRouter.Path("/config").HandlerFunc(impl.moduleRestHandler.GetModuleConfig).Queries("name", "{name}").Methods("GET")
 	configRouter.Path("").HandlerFunc(impl.moduleRestHandler.HandleModuleAction).Queries("name", "{name}").Methods("POST")
+	configRouter.Path("/enable").HandlerFunc(impl.moduleRestHandler.EnableModule).Queries("name", "{name}").Methods("POST")
 }

cmd/external-app/wire.go

@@ -31,6 +31,7 @@ import (
 	app2 "github.com/devtron-labs/devtron/internal/sql/repository/app"
 	"github.com/devtron-labs/devtron/internal/sql/repository/appStatus"
 	"github.com/devtron-labs/devtron/internal/sql/repository/pipelineConfig"
+	security2 "github.com/devtron-labs/devtron/internal/sql/repository/security"
 	"github.com/devtron-labs/devtron/internal/util"
 	"github.com/devtron-labs/devtron/pkg/app"
 	appStoreBean "github.com/devtron-labs/devtron/pkg/appStore/bean"
@@ -174,6 +175,9 @@ func InitializeApp() (*App, error) {
 		wire.Value(appStoreBean.RefChartProxyDir("scripts/devtron-reference-helm-charts")),
 		util.NewGitFactory,
 		util.NewGitCliUtil,
+
+		security2.NewScanToolMetadataRepositoryImpl,
+		wire.Bind(new(security2.ScanToolMetadataRepository), new(*security2.ScanToolMetadataRepositoryImpl)),
 	)
 	return &App{}, nil
 }

cmd/external-app/wire_gen.go

@@ -28,7 +28,8 @@ import (
 	"go.uber.org/zap"
 )
 
-/**
+/*
+*
 this table contains scanned images registry for deployed object and apps,
 images which are deployed on cluster by anyway and has scanned result
 */
@@ -126,8 +127,8 @@ func (impl ImageScanDeployInfoRepositoryImpl) FindByIds(ids []int) ([]*ImageScan
 	return models, err
 }
 
-func (impl ImageScanDeployInfoRepositoryImpl) Update(team *ImageScanDeployInfo) error {
-	err := impl.dbConnection.Update(team)
+func (impl ImageScanDeployInfoRepositoryImpl) Update(model *ImageScanDeployInfo) error {
+	err := impl.dbConnection.Update(model)
 	return err
 }
 

internal/sql/repository/security/ImageScanDeployInfoRepository.go

@@ -27,6 +27,7 @@ type ImageScanExecutionResult struct {
 	Id                          int      `sql:"id,pk"`
 	CveStoreName                string   `sql:"cve_store_name,notnull"`
 	ImageScanExecutionHistoryId int      `sql:"image_scan_execution_history_id"`
+	ScanToolId                  int      `sql:"scan_tool_id"`
 	CveStore                    CveStore
 	ImageScanExecutionHistory   ImageScanExecutionHistory
 }
@@ -93,30 +94,30 @@ func (impl ImageScanResultRepositoryImpl) FetchByScanExecutionId(scanExecutionId
 	Where("image_scan_execution_result.scan_execution_id = ?", id).Select()
 	*/
 
-	err := impl.dbConnection.Model(&models).Column("image_scan_execution_result.*", "CveStore").
+	err := impl.dbConnection.Model(&models).ColumnExpr("DISTINCT cve_store_name").Column("image_scan_execution_result.*", "CveStore").
 		Where("image_scan_execution_result.image_scan_execution_history_id = ?", scanExecutionId).
 		Select()
 	return models, err
 }
 
 func (impl ImageScanResultRepositoryImpl) FetchByScanExecutionIds(ids []int) ([]*ImageScanExecutionResult, error) {
 	var models []*ImageScanExecutionResult
-	err := impl.dbConnection.Model(&models).Column("image_scan_execution_result.*", "ImageScanExecutionHistory", "CveStore").
+	err := impl.dbConnection.Model(&models).ColumnExpr("DISTINCT cve_store_name").Column("image_scan_execution_result.*", "ImageScanExecutionHistory", "CveStore").
 		Where("image_scan_execution_result.image_scan_execution_history_id in(?)", pg.In(ids)).
 		Select()
 	return models, err
 }
 
 func (impl ImageScanResultRepositoryImpl) FindByImageDigest(imageDigest string) ([]*ImageScanExecutionResult, error) {
 	var model []*ImageScanExecutionResult
-	err := impl.dbConnection.Model(&model).Column("image_scan_execution_result.*", "ImageScanExecutionHistory", "CveStore").
+	err := impl.dbConnection.Model(&model).ColumnExpr("DISTINCT cve_store_name").Column("image_scan_execution_result.*", "ImageScanExecutionHistory", "CveStore").
 		Where("image_scan_execution_history.image_hash = ?", imageDigest).Order("image_scan_execution_history.execution_time desc").Select()
 	return model, err
 }
 
 func (impl ImageScanResultRepositoryImpl) FindByImageDigests(digest []string) ([]*ImageScanExecutionResult, error) {
 	var models []*ImageScanExecutionResult
-	err := impl.dbConnection.Model(&models).Column("image_scan_execution_result.*", "ImageScanExecutionHistory", "CveStore").
+	err := impl.dbConnection.Model(&models).ColumnExpr("DISTINCT cve_store_name").Column("image_scan_execution_result.*", "ImageScanExecutionHistory", "CveStore").
 		Where("image_hash in (?)", pg.In(digest)).Order("execution_time desc").Select()
 	return models, err
 }

internal/sql/repository/security/ImageScanResultRepository.go

@@ -0,0 +1,127 @@
+package security
+
+import (
+	serverBean "github.com/devtron-labs/devtron/pkg/server/bean"
+	"github.com/devtron-labs/devtron/pkg/sql"
+	"github.com/go-pg/pg"
+	"go.uber.org/zap"
+	"time"
+)
+
+type ScanToolExecutionHistoryMapping struct {
+	tableName                   struct{}                             `sql:"scan_tool_execution_history_mapping" pg:",discard_unknown_columns"`
+	Id                          int                                  `sql:"id,pk"`
+	ImageScanExecutionHistoryId int                                  `sql:"image_scan_execution_history_id"`
+	ScanToolId                  int                                  `sql:"scan_tool_id"`
+	ExecutionStartTime          time.Time                            `sql:"execution_start_time,notnull"`
+	ExecutionFinishTime         time.Time                            `sql:"execution_finish_time,notnull"`
+	State                       serverBean.ScanExecutionProcessState `sql:"state"`
+	TryCount                    int                                  `sql:"try_count"`
+	sql.AuditLog
+}
+
+type ScanToolExecutionHistoryMappingRepository interface {
+	Save(model *ScanToolExecutionHistoryMapping) error
+	SaveInBatch(models []*ScanToolExecutionHistoryMapping) error
+	UpdateStateByToolAndExecutionHistoryId(executionHistoryId, toolId int, state serverBean.ScanExecutionProcessState, executionFinishTime time.Time) error
+	MarkAllRunningStateAsFailedHavingTryCountReachedLimit(tryCount int) error
+	GetAllScanHistoriesByState(state serverBean.ScanExecutionProcessState) ([]*ScanToolExecutionHistoryMapping, error)
+	GetAllScanHistoriesByExecutionHistoryIdAndStates(executionHistoryId int, states []serverBean.ScanExecutionProcessState) ([]*ScanToolExecutionHistoryMapping, error)
+	GetAllScanHistoriesByExecutionHistoryIds(ids []int) ([]*ScanToolExecutionHistoryMapping, error)
+}
+
+type ScanToolExecutionHistoryMappingRepositoryImpl struct {
+	dbConnection *pg.DB
+	logger       *zap.SugaredLogger
+}
+
+func NewScanToolExecutionHistoryMappingRepositoryImpl(dbConnection *pg.DB,
+	logger *zap.SugaredLogger) *ScanToolExecutionHistoryMappingRepositoryImpl {
+	return &ScanToolExecutionHistoryMappingRepositoryImpl{
+		dbConnection: dbConnection,
+		logger:       logger,
+	}
+}
+
+func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) Save(model *ScanToolExecutionHistoryMapping) error {
+	err := repo.dbConnection.Insert(model)
+	if err != nil {
+		repo.logger.Errorw("error in ScanToolExecutionHistoryMappingRepository, Save", "model", model, "err", err)
+		return err
+	}
+	return nil
+}
+
+func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) SaveInBatch(models []*ScanToolExecutionHistoryMapping) error {
+	err := repo.dbConnection.Insert(&models)
+	if err != nil {
+		repo.logger.Errorw("error in ScanToolExecutionHistoryMappingRepository, SaveInBatch", "err", err, "models", models)
+		return err
+	}
+	return nil
+}
+
+func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) UpdateStateByToolAndExecutionHistoryId(executionHistoryId, toolId int,
+	state serverBean.ScanExecutionProcessState, executionFinishTime time.Time) error {
+	model := &ScanToolExecutionHistoryMapping{}
+	_, err := repo.dbConnection.Model(model).Set("state = ?", state).
+		Set("execution_finish_time  = ?", executionFinishTime).
+		Set("updated_on = ?", time.Now()).
+		Set("updated_by =?", time.Now()).
+		Where("image_scan_execution_history_id = ?", executionHistoryId).
+		Where("scan_tool_id = ?", toolId).Update()
+	if err != nil {
+		repo.logger.Errorw("error in ScanToolExecutionHistoryMappingRepository, SaveInBatch", "err", err, "model", model)
+		return err
+	}
+	return nil
+}
+
+func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) MarkAllRunningStateAsFailedHavingTryCountReachedLimit(tryCount int) error {
+	var models []*ScanToolExecutionHistoryMapping
+	_, err := repo.dbConnection.Model(&models).
+		Set("state = ?", serverBean.ScanExecutionProcessStateFailed).
+		Set("updated_on = ?", time.Now()).
+		Set("updated_by =?", time.Now()).
+		Where("state = ?", serverBean.ScanExecutionProcessStateRunning).
+		Where("try_count > ?", tryCount).Update()
+	if err != nil {
+		repo.logger.Errorw("error in ScanToolExecutionHistoryMappingRepository, MarkAllRunningStateAsFailedHavingTryCountReachedLimit", "err", err)
+		return err
+	}
+	return nil
+}
+
+func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) GetAllScanHistoriesByState(state serverBean.ScanExecutionProcessState) ([]*ScanToolExecutionHistoryMapping, error) {
+	var models []*ScanToolExecutionHistoryMapping
+	err := repo.dbConnection.Model(&models).Column("scan_tool_execution_history_mapping.*").
+		Where("state = ?", state).Select()
+	if err != nil {
+		repo.logger.Errorw("error in ScanToolExecutionHistoryMappingRepository, GetAllScanHistoriesByState", "err", err)
+		return nil, err
+	}
+	return models, nil
+}
+
+func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) GetAllScanHistoriesByExecutionHistoryIdAndStates(executionHistoryId int, states []serverBean.ScanExecutionProcessState) ([]*ScanToolExecutionHistoryMapping, error) {
+	var models []*ScanToolExecutionHistoryMapping
+	err := repo.dbConnection.Model(&models).Column("scan_tool_execution_history_mapping.*").
+		Where("image_scan_execution_history_id = ?", executionHistoryId).
+		Where("state in (?)", pg.In(states)).Select()
+	if err != nil {
+		repo.logger.Errorw("error in ScanToolExecutionHistoryMappingRepository, GetAllScanHistoriesByState", "err", err)
+		return nil, err
+	}
+	return models, nil
+}
+func (repo *ScanToolExecutionHistoryMappingRepositoryImpl) GetAllScanHistoriesByExecutionHistoryIds(ids []int) ([]*ScanToolExecutionHistoryMapping, error) {
+	var models []*ScanToolExecutionHistoryMapping
+	err := repo.dbConnection.Model(&models).Column("scan_tool_execution_history_mapping.*").
+		Where("image_scan_execution_history_id in (?)", pg.In(ids)).
+		Select()
+	if err != nil {
+		repo.logger.Errorw("error in getting ScanToolExecutionHistoryMappingRepository, GetAllScanHistoriesByState", "err", err)
+		return nil, err
+	}
+	return models, nil
+}