Commit fff6f752 authored by AllForNothing's avatar AllForNothing

Replace all whitelist with allowlist


Signed-off-by: default avatarAllForNothing <sshijun@vmware.com>
parent 202916e3
......@@ -2533,38 +2533,38 @@ paths:
description: User need to log in first.
'403':
description: User does not have permission to call this API
'/system/CVEWhitelist':
'/system/CVEAllowlist':
get:
summary: Get the system level whitelist of CVE.
description: Get the system level whitelist of CVE. This API can be called by all authenticated users.
summary: Get the system level allowlist of CVE.
description: Get the system level allowlist of CVE. This API can be called by all authenticated users.
tags:
- Products
- System
responses:
'200':
description: Successfully retrieved the CVE whitelist.
description: Successfully retrieved the CVE allowlist.
schema:
$ref: "#/definitions/CVEWhitelist"
$ref: "#/definitions/CVEAllowlist"
'401':
description: User is not authenticated.
'500':
description: Unexpected internal errors.
put:
summary: Update the system level whitelist of CVE.
description: This API overwrites the system level whitelist of CVE with the list in request body. Only system Admin
summary: Update the system level allowlist of CVE.
description: This API overwrites the system level allowlist of CVE with the list in request body. Only system Admin
has permission to call this API.
tags:
- Products
- System
parameters:
- in: body
name: whitelist
description: The whitelist with new content
name: allowlist
description: The allowlist with new content
schema:
$ref: "#/definitions/CVEWhitelist"
$ref: "#/definitions/CVEAllowlist"
responses:
'200':
description: Successfully updated the CVE whitelist.
description: Successfully updated the CVE allowlist.
'401':
description: User is not authenticated.
'403':
......@@ -3755,9 +3755,9 @@ definitions:
metadata:
description: The metadata of the project.
$ref: '#/definitions/ProjectMetadata'
cve_whitelist:
description: The CVE whitelist of the project.
$ref: '#/definitions/CVEWhitelist'
cve_allowlist:
description: The CVE allowlist of the project.
$ref: '#/definitions/CVEAllowlist'
count_limit:
type: integer
format: int64
......@@ -3821,9 +3821,9 @@ definitions:
metadata:
description: The metadata of the project.
$ref: '#/definitions/ProjectMetadata'
cve_whitelist:
description: The CVE whitelist of this project.
$ref: '#/definitions/CVEWhitelist'
cve_allowlist:
description: The CVE allowlist of this project.
$ref: '#/definitions/CVEAllowlist'
ProjectMetadata:
type: object
properties:
......@@ -3842,10 +3842,10 @@ definitions:
auto_scan:
type: string
description: 'Whether scan images automatically when pushing. The valid values are "true", "false".'
reuse_sys_cve_whitelist:
reuse_sys_cve_allowlist:
type: string
description: 'Whether this project reuse the system level CVE whitelist as the whitelist of its own. The valid values are "true", "false".
If it is set to "true" the actual whitelist associate with this project, if any, will be ignored.'
description: 'Whether this project reuse the system level CVE allowlist as the allowlist of its own. The valid values are "true", "false".
If it is set to "true" the actual allowlist associate with this project, if any, will be ignored.'
ProjectSummary:
type: object
properties:
......@@ -5056,26 +5056,26 @@ definitions:
metadata:
type: object
description: The metadata of namespace
CVEWhitelist:
CVEAllowlist:
type: object
description: The CVE Whitelist for system or project
description: The CVE Allowlist for system or project
properties:
id:
type: integer
description: ID of the whitelist
description: ID of the allowlist
project_id:
type: integer
description: ID of the project which the whitelist belongs to. For system level whitelist this attribute is zero.
description: ID of the project which the allowlist belongs to. For system level allowlist this attribute is zero.
expires_at:
type: integer
description: the time for expiration of the whitelist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE whitelist does not expire.
description: the time for expiration of the allowlist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE allowlist does not expire.
items:
type: array
items:
$ref: "#/definitions/CVEWhitelistItem"
CVEWhitelistItem:
$ref: "#/definitions/CVEAllowlistItem"
CVEAllowlistItem:
type: object
description: The item in CVE whitelist
description: The item in CVE allowlist
properties:
cve_id:
type: string
......
......@@ -45,7 +45,7 @@ This section describes how to use and maintain Harbor after deployment. These da
- [Scan All Images](administration/vulnerability-scanning/scan-all-images.md)
- [Schedule Scans](administration/vulnerability-scanning/schedule-scans.md)
- [Import Vulnerability Data to an Offline Harbor instance](administration/vulnerability-scanning/import-vulnerability-data.md)
- [Configure System-Wide CVE Whitelists](administration/vulnerability-scanning/configure-system-whitelist.md)
- [Configure System-Wide CVE Allowlists](administration/vulnerability-scanning/configure-system-allowlist.md)
- [Garbage Collection](administration/garbage-collection/_index.md)
- [Upgrade Harbor and Migrate Data](administration/upgrade/upgrade-migrate-data.md)
- [Upgrading Harbor Deployed with Helm](administration/upgrade/helm-upgrade.md)
......@@ -63,7 +63,7 @@ This section describes how users with the developer, master, and project adminis
- [Access and Search Project Logs](working-with-projects/access-project-logs.md)
- [Create Robot Accounts](working-with-projects/create-robot-accounts.md)
- [Configure Webhook Notifications](working-with-projects/configure-webhooks.md)
- [Configure a Per-Project CVE Whitelist](working-with-projects/configure-project-whitelist.md)
- [Configure a Per-Project CVE Allowlist](working-with-projects/configure-project-allowlist.md)
- [Implementing Content Trust](working-with-projects/implementing-content-trust.md)
- [Working with Images, Tags, and Helm Charts](working-with-projects/working-with-images.md)
- [Pulling and Pushing Images](working-with-projects/pulling-pushing-images.md)
......@@ -87,4 +87,4 @@ This section describes how developers can build from Harbor source code, customi
- [Registry Landscape](build-customize-contribute/registry-landscape.md)
- [E2E Test Scripting Guide](build-customize-contribute/e2e_api_python_based_scripting_guide.md)
See also the list of [Articles from the Harbor Community](https://github.com/goharbor/harbor/blob/master/docs/README.md#articles-from-the-community).
\ No newline at end of file
See also the list of [Articles from the Harbor Community](https://github.com/goharbor/harbor/blob/master/docs/README.md#articles-from-the-community).
......@@ -48,8 +48,8 @@ The following table depicts the various user permission levels in a project.
| Add/Remove labels of helm chart version | | | ✓ | ✓ | ✓ |
| See a list of project robots | | | | ✓ | ✓ |
| Create/edit/delete project robots | | | | | ✓ |
| See configured CVE whitelist | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/remove CVE whitelist | | | | | ✓ |
| See configured CVE allowlist | ✓ | ✓ | ✓ | ✓ | ✓ |
| Create/edit/remove CVE allowlist | | | | | ✓ |
| Enable/disable webhooks | | | ✓ | ✓ | ✓ |
| Create/delete tag retention rules | | | ✓ | ✓ | ✓ |
| Enable/disable tag retention rules | | | ✓ | ✓ | ✓ |
......
---
title: Configure System-Wide CVE Whitelists
title: Configure System-Wide CVE Allowlists
weight: 50
---
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. As a Harbor system administrator, you can create whitelists of CVEs to ignore during vulnerability scanning.
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. As a Harbor system administrator, you can create allowlists of CVEs to ignore during vulnerability scanning.
You can set a system-wide CVE whitelist or you can set CVE whitelists on a per-project basis. For information about per-project CVE whitelists, see [Configure a Per-Project CVE Whitelist](../../working-with-projects/project-configuration/configure-project-whitelist.md).
You can set a system-wide CVE allowlist or you can set CVE allowlists on a per-project basis. For information about per-project CVE allowlists, see [Configure a Per-Project CVE Allowlist](../../working-with-projects/project-configuration/configure-project-allowlist.md).
System-wide CVE whitelists apply to all of the projects in a Harbor instance.
System-wide CVE allowlists apply to all of the projects in a Harbor instance.
1. Go to **Configuration** > **System Settings**.
1. Under **Deployment security**, click **Add**.
![System-wide CVE whitelist](../../../img/cve-whitelist1.png)
![System-wide CVE allowlist](../../../img/cve-allowlist1.png)
1. Enter the list of CVE IDs to ignore during vulnerability scanning.
![Add system CVE whitelist](../../../img/cve-whitelist2.png)
![Add system CVE allowlist](../../../img/cve-allowlist2.png)
Either use a comma-separated list or newlines to add multiple CVE IDs to the list.
1. Click **Add** at the bottom of the window to add the list.
1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the whitelist.
![Add system CVEs](../../../img/cve-whitelist3.png)
1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the allowlist.
![Add system CVEs](../../../img/cve-allowlist3.png)
1. Click **Save** at the bottom of the page to save your settings.
After you have created a system whitelist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** to add more CVE IDs to the system whitelist.
After you have created a system allowlist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** to add more CVE IDs to the system allowlist.
![Add and remove system CVEs](../../../img/cve-whitelist4.png)
![Add and remove system CVEs](../../../img/cve-allowlist4.png)
......@@ -31,5 +31,5 @@ Table updated on 10/21/2019 against Harbor 1.9.
| Upstream Registry Proxy Cache | ✗ | ✓ | ✗ | ✗ | ✓ | ✓ | ✗ |
| Vulnerability Scanning & Monitoring | ✓ | ✓ | ✓ | ✗ | ✗ | ✓ | partial |
| Vulnerability Scanning Plugin Framework | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Vulnerability Whitelisting | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Vulnerability Allowlisting | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Webhooks | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
......@@ -3577,38 +3577,38 @@ paths:
description: User need to log in first.
'403':
description: User does not have permission to call this API
'/system/CVEWhitelist':
'/system/CVEAllowlist':
get:
summary: Get the system level whitelist of CVE.
description: Get the system level whitelist of CVE. This API can be called by all authenticated users.
summary: Get the system level allowlist of CVE.
description: Get the system level allowlist of CVE. This API can be called by all authenticated users.
tags:
- Products
- System
responses:
'200':
description: Successfully retrieved the CVE whitelist.
description: Successfully retrieved the CVE allowlist.
schema:
$ref: "#/definitions/CVEWhitelist"
$ref: "#/definitions/CVEAllowlist"
'401':
description: User is not authenticated.
'500':
description: Unexpected internal errors.
put:
summary: Update the system level whitelist of CVE.
description: This API overwrites the system level whitelist of CVE with the list in request body. Only system Admin
summary: Update the system level allowlist of CVE.
description: This API overwrites the system level allowlist of CVE with the list in request body. Only system Admin
has permission to call this API.
tags:
- Products
- System
parameters:
- in: body
name: whitelist
description: The whitelist with new content
name: allowlist
description: The allowlist with new content
schema:
$ref: "#/definitions/CVEWhitelist"
$ref: "#/definitions/CVEAllowlist"
responses:
'200':
description: Successfully updated the CVE whitelist.
description: Successfully updated the CVE allowlist.
'401':
description: User is not authenticated.
'403':
......@@ -4458,9 +4458,9 @@ definitions:
metadata:
description: The metadata of the project.
$ref: '#/definitions/ProjectMetadata'
cve_whitelist:
description: The CVE whitelist of the project.
$ref: '#/definitions/CVEWhitelist'
cve_allowlist:
description: The CVE allowlist of the project.
$ref: '#/definitions/CVEAllowlist'
count_limit:
type: integer
format: int64
......@@ -4510,9 +4510,9 @@ definitions:
metadata:
description: The metadata of the project.
$ref: '#/definitions/ProjectMetadata'
cve_whitelist:
description: The CVE whitelist of this project.
$ref: '#/definitions/CVEWhitelist'
cve_allowlist:
description: The CVE allowlist of this project.
$ref: '#/definitions/CVEAllowlist'
ProjectMetadata:
type: object
properties:
......@@ -4531,10 +4531,10 @@ definitions:
auto_scan:
type: string
description: 'Whether scan images automatically when pushing. The valid values are "true", "false".'
reuse_sys_cve_whitelist:
reuse_sys_cve_allowlist:
type: string
description: 'Whether this project reuse the system level CVE whitelist as the whitelist of its own. The valid values are "true", "false".
If it is set to "true" the actual whitelist associate with this project, if any, will be ignored.'
description: 'Whether this project reuse the system level CVE allowlist as the allowlist of its own. The valid values are "true", "false".
If it is set to "true" the actual allowlist associate with this project, if any, will be ignored.'
ProjectSummary:
type: object
properties:
......@@ -6036,26 +6036,26 @@ definitions:
metadata:
type: object
description: The metadata of namespace
CVEWhitelist:
CVEAllowlist:
type: object
description: The CVE Whitelist for system or project
description: The CVE Allowlist for system or project
properties:
id:
type: integer
description: ID of the whitelist
description: ID of the allowlist
project_id:
type: integer
description: ID of the project which the whitelist belongs to. For system level whitelist this attribute is zero.
description: ID of the project which the allowlist belongs to. For system level allowlist this attribute is zero.
expires_at:
type: integer
description: the time for expiration of the whitelist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE whitelist does not expire.
description: the time for expiration of the allowlist, in the form of seconds since epoch. This is an optional attribute, if it's not set the CVE allowlist does not expire.
items:
type: array
items:
$ref: "#/definitions/CVEWhitelistItem"
CVEWhitelistItem:
$ref: "#/definitions/CVEAllowlistItem"
CVEAllowlistItem:
type: object
description: The item in CVE whitelist
description: The item in CVE allowlist
properties:
cve_id:
type: string
......
---
title: Configure a Per-Project CVE Whitelist
title: Configure a Per-Project CVE Allowlist
weight: 50
---
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. You can create whitelists of CVEs to ignore during vulnerability scanning.
When you run vulnerability scans, images that are subject to Common Vulnerabilities and Exposures (CVE) are identified. According to the severity of the CVE and your security settings, these images might not be permitted to run. You can create allowlists of CVEs to ignore during vulnerability scanning.
Harbor administrators can set a system-wide CVE whitelist. For information about site-wide CVE whitelists, see [Configure System-Wide CVE Whitelists](../../administration/vulnerability-scanning/configure-system-whitelist.md). By default, the system whitelist is applied to all projects. You can configure different CVE whitelists for individual projects, that override the system whitelist.
Harbor administrators can set a system-wide CVE allowlist. For information about site-wide CVE allowlists, see [Configure System-Wide CVE Allowlists](../../administration/vulnerability-scanning/configure-system-allowlist.md). By default, the system allowlist is applied to all projects. You can configure different CVE allowlists for individual projects, that override the system allowlist.
1. Go to **Projects**, select a project, and select **Configuration**.
1. Under **CVE whitelist**, select **Project whitelist**.
1. Under **CVE allowlist**, select **Project allowlist**.
![Project CVE whitelist](../../../img/cve-whitelist5.png)
![Project CVE allowlist](../../../img/cve-allowlist5.png)
1. Optionally click **Copy From System** to add all of the CVE IDs from the system CVE whitelist to this project whitelist.
1. Optionally click **Copy From System** to add all of the CVE IDs from the system CVE allowlist to this project allowlist.
1. Click **Add** and enter a list of additional CVE IDs to ignore during vulnerability scanning of this project.
![Add project CVEs](../../../img/cve-whitelist6.png)
![Add project CVEs](../../../img/cve-allowlist6.png)
Either use a comma-separated list or newlines to add multiple CVE IDs to the list.
1. Click **Add** at the bottom of the window to add the CVEs to the project whitelist.
1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the whitelist.
1. Click **Add** at the bottom of the window to add the CVEs to the project allowlist.
1. Optionally uncheck the **Never expires** checkbox and use the calendar selector to set an expiry date for the allowlist.
1. Click **Save** at the bottom of the page to save your settings.
After you have created a project whitelist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** at any time to add more CVE IDs to this project whitelist.
After you have created a project allowlist, you can remove CVE IDs from the list by clicking the delete button next to it in the list. You can click **Add** at any time to add more CVE IDs to this project allowlist.
If CVEs are added to the system whitelist after you have created a project whitelist, click **Copy From System** to add the new entries from the system whitelist to the project whitelist.
If CVEs are added to the system allowlist after you have created a project allowlist, click **Copy From System** to add the new entries from the system allowlist to the project allowlist.
{{< note >}}
If CVEs are deleted from the system whitelist after you have created a project whitelist, and if you added the system whitelist to the project whitelist, you must manually remove the deleted CVEs from the project whitelist. If you click **Copy From System** after CVEs have been deleted from the system whitelist, the deleted CVEs are not automatically removed from the project whitelist.
If CVEs are deleted from the system allowlist after you have created a project allowlist, and if you added the system allowlist to the project allowlist, you must manually remove the deleted CVEs from the project allowlist. If you click **Copy From System** after CVEs have been deleted from the system allowlist, the deleted CVEs are not automatically removed from the project allowlist.
{{< /note >}}
ALTER TABLE project ADD COLUMN IF NOT EXISTS registry_id int;
ALTER TABLE IF EXISTS cve_whitelist RENAME TO cve_allowlist;
CREATE TABLE IF NOT EXISTS execution (
id SERIAL NOT NULL,
......
......@@ -21,16 +21,16 @@ import (
"github.com/goharbor/harbor/src/lib/log"
)
// CreateCVEWhitelist creates the CVE whitelist
func CreateCVEWhitelist(l models.CVEWhitelist) (int64, error) {
// CreateCVEAllowlist creates the CVE allowlist
func CreateCVEAllowlist(l models.CVEAllowlist) (int64, error) {
o := GetOrmer()
itemsBytes, _ := json.Marshal(l.Items)
l.ItemsText = string(itemsBytes)
return o.Insert(&l)
}
// UpdateCVEWhitelist Updates the vulnerability white list to DB
func UpdateCVEWhitelist(l models.CVEWhitelist) (int64, error) {
// UpdateCVEAllowlist Updates the vulnerability white list to DB
func UpdateCVEAllowlist(l models.CVEAllowlist) (int64, error) {
o := GetOrmer()
itemsBytes, _ := json.Marshal(l.Items)
l.ItemsText = string(itemsBytes)
......@@ -38,22 +38,22 @@ func UpdateCVEWhitelist(l models.CVEWhitelist) (int64, error) {
return id, err
}
// GetCVEWhitelist Gets the CVE whitelist of the project based on the project ID in parameter
func GetCVEWhitelist(pid int64) (*models.CVEWhitelist, error) {
// GetCVEAllowlist Gets the CVE allowlist of the project based on the project ID in parameter
func GetCVEAllowlist(pid int64) (*models.CVEAllowlist, error) {
o := GetOrmer()
qs := o.QueryTable(&models.CVEWhitelist{})
qs := o.QueryTable(&models.CVEAllowlist{})
qs = qs.Filter("ProjectID", pid)
r := []*models.CVEWhitelist{}
r := []*models.CVEAllowlist{}
_, err := qs.All(&r)
if err != nil {
return nil, fmt.Errorf("failed to get CVE whitelist for project %d, error: %v", pid, err)
return nil, fmt.Errorf("failed to get CVE allowlist for project %d, error: %v", pid, err)
}
if len(r) == 0 {
return nil, nil
} else if len(r) > 1 {
log.Infof("Multiple CVE whitelists found for project %d, length: %d, returning first element.", pid, len(r))
log.Infof("Multiple CVE allowlists found for project %d, length: %d, returning first element.", pid, len(r))
}
items := []models.CVEWhitelistItem{}
items := []models.CVEAllowlistItem{}
err = json.Unmarshal([]byte(r[0].ItemsText), &items)
if err != nil {
log.Errorf("Failed to decode item list, err: %v, text: %s", err, r[0].ItemsText)
......
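Review bot: The doc comment on UpdateCVEAllowlist still reads `// UpdateCVEAllowlist Updates the vulnerability white list to DB`, so the rename this commit performs is incomplete in the one place a reader of the DAO sees first; suggest `// UpdateCVEAllowlist writes the CVE allowlist to the DB, serializing Items into ItemsText.` Both CreateCVEAllowlist and UpdateCVEAllowlist carry over `itemsBytes, _ := json.Marshal(l.Items)` with the error dropped; a one-line comment such as `// Marshal of []CVEAllowlistItem cannot fail on well-formed input; error intentionally ignored` would make the intent explicit for the next maintainer. GetCVEAllowlist formats the DB error with `%v`; wrapping with `%w` would let callers use errors.Is/As, though that is consistent with the surrounding style and optional. The bodies of UpdateCVEAllowlist and GetCVEAllowlist continue outside the visible hunks.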
......@@ -21,35 +21,35 @@ import (
"testing"
)
func TestUpdateAndGetCVEWhitelist(t *testing.T) {
require.Nil(t, ClearTable("cve_whitelist"))
l2, err := GetCVEWhitelist(5)
func TestUpdateAndGetCVEAllowlist(t *testing.T) {
require.Nil(t, ClearTable("cve_allowlist"))
l2, err := GetCVEAllowlist(5)
assert.Nil(t, err)
assert.Nil(t, l2)
longList := []models.CVEWhitelistItem{}
longList := []models.CVEAllowlistItem{}
for i := 0; i < 50; i++ {
longList = append(longList, models.CVEWhitelistItem{CVEID: "CVE-1999-0067"})
longList = append(longList, models.CVEAllowlistItem{CVEID: "CVE-1999-0067"})
}
e := int64(1573254000)
in1 := models.CVEWhitelist{ProjectID: 3, Items: longList, ExpiresAt: &e}
_, err = UpdateCVEWhitelist(in1)
in1 := models.CVEAllowlist{ProjectID: 3, Items: longList, ExpiresAt: &e}
_, err = UpdateCVEAllowlist(in1)
require.Nil(t, err)
// assert.Equal(t, int64(1), n)
out1, err := GetCVEWhitelist(3)
out1, err := GetCVEAllowlist(3)
require.Nil(t, err)
assert.Equal(t, int64(3), out1.ProjectID)
assert.Equal(t, longList, out1.Items)
assert.Equal(t, e, *out1.ExpiresAt)
sysCVEs := []models.CVEWhitelistItem{
sysCVEs := []models.CVEAllowlistItem{
{CVEID: "CVE-2019-10164"},
{CVEID: "CVE-2017-12345"},
}
in3 := models.CVEWhitelist{Items: sysCVEs}
_, err = UpdateCVEWhitelist(in3)
in3 := models.CVEAllowlist{Items: sysCVEs}
_, err = UpdateCVEAllowlist(in3)
require.Nil(t, err)
require.Nil(t, ClearTable("cve_whitelist"))
require.Nil(t, ClearTable("cve_allowlist"))
}
......@@ -36,6 +36,6 @@ func init() {
new(NotificationJob),
new(ProjectBlob),
new(ArtifactAndBlob),
new(CVEWhitelist),
new(CVEAllowlist),
)
}
......@@ -16,29 +16,29 @@ package models
import "time"
// CVEWhitelist defines the data model for a CVE whitelist
type CVEWhitelist struct {
// CVEAllowlist defines the data model for a CVE allowlist
type CVEAllowlist struct {
ID int64 `orm:"pk;auto;column(id)" json:"id"`
ProjectID int64 `orm:"column(project_id)" json:"project_id"`
ExpiresAt *int64 `orm:"column(expires_at)" json:"expires_at,omitempty"`
Items []CVEWhitelistItem `orm:"-" json:"items"`
Items []CVEAllowlistItem `orm:"-" json:"items"`
ItemsText string `orm:"column(items)" json:"-"`
CreationTime time.Time `orm:"column(creation_time);auto_now_add" json:"creation_time"`
UpdateTime time.Time `orm:"column(update_time);auto_now" json:"update_time"`
}
// CVEWhitelistItem defines one item in the CVE whitelist
type CVEWhitelistItem struct {
// CVEAllowlistItem defines one item in the CVE allowlist
type CVEAllowlistItem struct {
CVEID string `json:"cve_id"`
}
// TableName ...
func (c *CVEWhitelist) TableName() string {
return "cve_whitelist"
func (c *CVEAllowlist) TableName() string {
return "cve_allowlist"
}
// CVESet returns the set of CVE id of the items in the whitelist to help filter the vulnerability list
func (c *CVEWhitelist) CVESet() map[string]struct{} {
// CVESet returns the set of CVE id of the items in the allowlist to help filter the vulnerability list
func (c *CVEAllowlist) CVESet() map[string]struct{} {
r := map[string]struct{}{}
for _, it := range c.Items {
r[it.CVEID] = struct{}{}
......@@ -46,8 +46,8 @@ func (c *CVEWhitelist) CVESet() map[string]struct{} {
return r
}
// IsExpired returns whether the whitelist is expired
func (c *CVEWhitelist) IsExpired() bool {
// IsExpired returns whether the allowlist is expired
func (c *CVEAllowlist) IsExpired() bool {
if c.ExpiresAt == nil {
return false
}
......
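Review bot: The doc comment `// TableName ...` on the renamed receiver is a placeholder and says nothing about the contract the ORM relies on; suggest `// TableName returns the ORM table name for the CVE allowlist; it must match the cve_allowlist table created by the schema migration.` The returned string "cve_allowlist" does agree with the `ALTER TABLE IF EXISTS cve_whitelist RENAME TO cve_allowlist` migration elsewhere in this commit, which is worth stating in the comment so a future rename keeps the two in step. The CVESet and IsExpired bodies continue outside the visible hunks.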
......@@ -21,38 +21,38 @@ import (
"time"
)
func TestCVEWhitelist_All(t *testing.T) {
func TestCVEAllowlist_All(t *testing.T) {
future := int64(4411494000)
now := time.Now().Unix()
cases := []struct {
input CVEWhitelist
input CVEAllowlist
cveset map[string]struct{}
expired bool
}{
{
input: CVEWhitelist{
input: CVEAllowlist{
ID: 1,
ProjectID: 0,
Items: []CVEWhitelistItem{},
Items: []CVEAllowlistItem{},
},
cveset: map[string]struct{}{},
expired: false,
},
{
input: CVEWhitelist{
input: CVEAllowlist{
ID: 1,
ProjectID: 0,
Items: []CVEWhitelistItem{},
Items: []CVEAllowlistItem{},
ExpiresAt: &now,
},
cveset: map[string]struct{}{},
expired: true,
},
{