Switch to GraphQL CVE query

Author: cdupuis

query/async.go

@@ -23,10 +23,10 @@ import (
 )
 
 type queryResult struct {
-	Cves       []types.Cve
-	BaseImages []types.BaseImageMatch
-	Image      *types.BaseImage
-	Error      error
+	Vulnerabilities []types.VulnerabilitiesByPurl
+	BaseImages      []types.BaseImageMatch
+	Image           *types.BaseImage
+	Error           error
 }
 
 func ForCvesAndBaseImagesAsync(sb *types.Sbom, includeCves bool, includeBaseImages bool, workspace string, apiKey string) *types.Sbom {
@@ -36,15 +36,15 @@ func ForCvesAndBaseImagesAsync(sb *types.Sbom, includeCves bool, includeBaseImag
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			cves, err := QueryCves(sb, "", workspace, apiKey)
+			cves, err := ForVulnerabilitiesInGraphQL(sb)
 			if err != nil {
 				resultChan <- queryResult{
 					Error: err,
 				}
 			}
 			if cves != nil {
 				resultChan <- queryResult{
-					Cves: *cves,
+					Vulnerabilities: cves.VulnerabilitiesByPackage,
 				}
 			}
 		}()
@@ -87,8 +87,8 @@ func ForCvesAndBaseImagesAsync(sb *types.Sbom, includeCves bool, includeBaseImag
 		if result.BaseImages != nil {
 			sb.Source.BaseImages = result.BaseImages
 		}
-		if result.Cves != nil {
-			sb.Vulnerabilities = result.Cves
+		if result.Vulnerabilities != nil {
+			sb.Vulnerabilities = result.Vulnerabilities
 		}
 		if result.Image != nil {
 			sb.Source.Image.Details = result.Image

query/query.go

@@ -17,13 +17,15 @@
 package query
 
 import (
+	"context"
 	_ "embed"
 	"fmt"
 	"net/http"
 	"strings"
 
 	"github.com/docker/index-cli-plugin/internal"
 	"github.com/docker/index-cli-plugin/types"
+	"github.com/hasura/go-graphql-client"
 
 	"github.com/atomist-skills/go-skill"
 	"github.com/pkg/errors"
@@ -132,3 +134,32 @@ func query(query string, name string, workspace string, apiKey string) (*http.Re
 	skill.Log.Debugf("Query response %s", resp.Status)
 	return resp, nil
 }
+
+func ForVulnerabilitiesInGraphQL(sb *types.Sbom) (*types.VulnerabilitiesByPurls, error) {
+	url := "https://api.dso.docker.com/v1/graphql"
+	client := graphql.NewClient(url, nil)
+
+	purls := make([]string, 0)
+	for _, p := range sb.Artifacts {
+		purls = append(purls, p.Purl)
+	}
+
+	variables := map[string]interface{}{
+		"purls": purls,
+	}
+
+	var q types.VulnerabilitiesByPurls
+	err := client.Query(context.Background(), &q, variables)
+	if err != nil {
+		fmt.Sprintf("error %v", err)
+		return nil, errors.Wrapf(err, "failed to run query")
+	}
+	if len(q.VulnerabilitiesByPackage) > 0 {
+		if len(q.VulnerabilitiesByPackage) == 1 {
+			skill.Log.Infof("Detected 1 vulnerable package")
+		} else {
+			skill.Log.Infof("Detected %d vulnerable packages", len(q.VulnerabilitiesByPackage))
+		}
+	}
+	return &q, nil
+}

sbom/diff.go

@@ -23,8 +23,6 @@ import (
 
 	"github.com/anchore/packageurl-go"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/index-cli-plugin/format"
-	"github.com/docker/index-cli-plugin/internal"
 	"github.com/docker/index-cli-plugin/types"
 	"github.com/gookit/color"
 	"github.com/jedib0t/go-pretty/v6/table"
@@ -79,7 +77,7 @@ func DiffImages(image1 string, image2 string, cli command.Cli, workspace string,
 	}
 
 	diffPackages(result1, result2)
-	diffCves(result1, result2)
+	//diffCves(result1, result2)
 	return nil
 }
 
@@ -235,7 +233,7 @@ type CveEntry struct {
 
 type CveMap map[string]CveEntry
 
-func diffCves(result1, result2 ImageIndexResult) {
+/*func diffCves(result1, result2 ImageIndexResult) {
 	dc := 0
 	cves := make(CveMap)
 	for _, c := range result1.Sbom.Vulnerabilities {
@@ -329,4 +327,4 @@ func diffCves(result1, result2 ImageIndexResult) {
 		fmt.Println(t.Render())
 	}
 
-}
+}*/

sbom/index.go

@@ -43,9 +43,9 @@ type ImageIndexResult struct {
 func indexImageAsync(wg *sync.WaitGroup, image string, cli command.Cli, resultChan chan<- ImageIndexResult) {
 	defer wg.Done()
 	sbom, err := IndexImage(image, cli)
-	cves, err := query.QueryCves(sbom, "", "", "")
+	cves, err := query.ForVulnerabilitiesInGraphQL(sbom)
 	if err == nil {
-		sbom.Vulnerabilities = *cves
+		sbom.Vulnerabilities = cves.VulnerabilitiesByPackage
 	}
 	resultChan <- ImageIndexResult{
 		Input: image,

types/graphql_types.go

@@ -1,3 +1,19 @@
+/*
+ * Copyright © 2022 Docker, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package types
 
 type BaseImage struct {
@@ -48,3 +64,31 @@ type BaseImagesByDiffIdsQuery struct {
 type ImageByDigestQuery struct {
 	ImageDetailsByDigest BaseImage `graphql:"imageDetailsByDigest(context: {}, digest: $digest, platform: {os: $os, architecture: $architecture, variant: $variant})"`
 }
+
+type Vulnerability struct {
+	Source          string `graphql:"source" json:"source,omitempty"`
+	SourceId        string `graphql:"sourceId" json:"source_id,omitempty"`
+	Description     string `graphql:"description" json:"description,omitempty"`
+	VulnerableRange string `graphql:"vulnerableRange" json:"vulnerable_range,omitempty"`
+	FixedBy         string `graphql:"fixedBy" json:"fixed_by,omitempty"`
+	Url             string `graphql:"url" json:"url,omitempty"`
+	Cvss            struct {
+		Score    float32 `graphql:"score" json:"score,omitempty"`
+		Severity string  `graphql:"severity" json:"severity,omitempty"`
+		Vector   string  `graphql:"vector" json:"vector,omitempty"`
+		Version  string  `graphql:"version" json:"version,omitempty"`
+	} `graphql:"cvss" json:"cvss,omitempty"`
+	Cwes []struct {
+		CweId string `graphql:"cweId" json:"cwe_id,omitempty"`
+		Name  string `graphql:"description" json:"name,omitempty"`
+	} `graphql:"cwes" json:"cwes,omitempty"`
+}
+
+type VulnerabilitiesByPurl struct {
+	Purl            string          `graphql:"purl" json:"purl,omitempty"`
+	Vulnerabilities []Vulnerability `graphql:"vulnerabilities" json:"vulnerabilities,omitempty"`
+}
+
+type VulnerabilitiesByPurls struct {
+	VulnerabilitiesByPackage []VulnerabilitiesByPurl `graphql:"vulnerabilitiesByPackage(context: {}, packageUrls: $purls)"`
+}

types/types.go

@@ -130,10 +130,10 @@ type Source struct {
 }
 
 type Sbom struct {
-	Source          Source     `json:"source"`
-	Artifacts       []Package  `json:"artifacts"`
-	Vulnerabilities []Cve      `json:"vulnerabilities,omitempty"`
-	Descriptor      Descriptor `json:"descriptor"`
+	Source          Source                  `json:"source"`
+	Artifacts       []Package               `json:"artifacts"`
+	Vulnerabilities []VulnerabilitiesByPurl `json:"vulnerabilities,omitempty"`
+	Descriptor      Descriptor              `json:"descriptor"`
 }
 
 type Package struct {