From 0f925d7cdfe26e9382d0d1a14427bf7c88c87873 Mon Sep 17 00:00:00 2001
From: Chaz Leong <13462818+cleong14@users.noreply.github.com>
Date: Mon, 6 May 2024 20:52:29 -1000
Subject: [PATCH 1/2] fix: missing slog.Error for KEV validations
Fixes #68
Signed-off-by: Chaz Leong <13462818+cleong14@users.noreply.github.com>
---
 pkg/gatecheck/validate.go | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/pkg/gatecheck/validate.go b/pkg/gatecheck/validate.go
index 7135386..504b150 100644
--- a/pkg/gatecheck/validate.go
+++ b/pkg/gatecheck/validate.go
@@ -213,19 +213,21 @@ func ruleGrypeKEVLimit(config *Config, report *artifacts.GrypeReportMin, catalog
  slog.Error("kev limit enabled but no catalog data exists")
  return false
  }
- foundKevMatch := false
+ badCVEs := make([]string, 0)
  // Check if vulnerability is in the KEV Catalog
  for _, vulnerability := range report.Matches {
  inKEVCatalog := slices.ContainsFunc(catalog.Vulnerabilities, func(kevVul kev.Vulnerability) bool {
  return kevVul.CveID == vulnerability.Vulnerability.ID
  })
  if inKEVCatalog {
- slog.Warn("Matched to KEV Catalog",
- "vulnerability", vulnerability.Vulnerability.ID)
- foundKevMatch = true
+ badCVEs = append(badCVEs, vulnerability.Vulnerability.ID)
+ slog.Warn("cve found in kev catalog",
+ "cve_id", vulnerability.Vulnerability.ID)
  }
  }
- if foundKevMatch {
+ if len(badCVEs) > 0 {
+ slog.Error("cve(s) found in kev catalog",
+ "vulnerabilities", len(badCVEs), "kev_catalog_count", len(catalog.Vulnerabilities))
  return false
  }
  slog.Info("kev limit validated, no cves in catalog",
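Review bot: The new `badCVEs` slice in ruleGrypeKEVLimit is only ever consulted through `len(badCVEs)`, so the `slog.Error` record that fails the gate carries a count but not the IDs that were just collected, and a reader of the error log has to correlate it with the preceding per-match `slog.Warn` lines. Emit the list on the failing record, `"cve_ids", badCVEs`, in place of `"vulnerabilities", len(badCVEs)`, so a single record identifies the KEV matches that blocked the pipeline; the slice is non-empty on that branch, so a nil-slice encoding is not a concern there. The same applies to the matching `slog.Error` in ruleCyclonedxKEVLimit in the third hunk. As a point of style, `badCVEs := make([]string, 0)` can be `var badCVEs []string` in both functions, since `append` and `len` work on a nil slice. ruleGrypeKEVLimit begins before this hunk and continues after it.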
@@ -242,7 +244,7 @@ func ruleCyclonedxKEVLimit(config *Config, report *artifacts.CyclonedxReportMin,
  slog.Error("kev limit enabled but no catalog data exists", "artifact", "cyclonedx")
  return false
  }
- foundKevMatch := false
+ badCVEs := make([]string, 0)
  // Check if vulnerability is in the KEV Catalog
  for _, vulnerability := range report.Vulnerabilities {
  inKEVCatalog := slices.ContainsFunc(catalog.Vulnerabilities, func(kevVul kev.Vulnerability) bool {
@@ -250,12 +252,14 @@ func ruleCyclonedxKEVLimit(config *Config, report *artifacts.CyclonedxReportMin,
  })
  if inKEVCatalog {
- slog.Warn("Matched to KEV Catalog",
- "vulnerability", vulnerability.ID)
- foundKevMatch = true
+ badCVEs = append(badCVEs, vulnerability.ID)
+ slog.Warn("cve found in kev catalog",
+ "cve_id", vulnerability.ID)
  }
  }
- if foundKevMatch {
+ if len(badCVEs) > 0 {
+ slog.Error("cve(s) found in kev catalog",
+ "vulnerabilities", len(badCVEs), "kev_catalog_count", len(catalog.Vulnerabilities))
  return false
  }
  slog.Info("kev limit validated, no cves in catalog",
From 965eebd5442c40de6a5155e5a6bd25047cec2eb5 Mon Sep 17 00:00:00 2001
From: Chaz Leong <13462818+cleong14@users.noreply.github.com>
Date: Mon, 6 May 2024 21:05:19 -1000
Subject: [PATCH 2/2] docs: update CHANGELOG
Signed-off-by: Chaz Leong <13462818+cleong14@users.noreply.github.com>
---
 CHANGELOG.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f267194..9e1dffd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [UNRELEASED]
+
+### Fixed
+
+- Missing `slog.Error` for KEV validations
+
 ## [0.6.0] - 2024-04-26
 ### Changed