grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0

IsFixAvailable crashes when vulnerability FixedLocation is not specified #415

Closed liron-l closed 4 years ago

liron-l commented 5 years ago

Expected Behavior

No crash

Actual Behavior

Crash (see here):

func IsFixAvailable(pis []*vulnerability.PackageIssue) bool {
    for _, pi := range pis {
        // GetFixedLocation() and GetVersion() are nil-safe protobuf getters, but
        // reading .Kind dereferences the *Version they return: nil pointer panic
        // when FixedLocation (or its Version) was never populated.
        if pi.GetFixedLocation().GetVersion().Kind == pkg.Version_MAXIMUM {
            // If FixedLocation.Version.Kind = MAXIMUM then no fix is available. Return false
            return false
        }
    }
    return true
}

GetFixedLocation() and GetVersion() can return nil. Those values are not verified when populating occurrences in Grafeas; also, not all vulnerability occurrences have fixes, so I think it's valid to keep this field nil instead of specifying a fake value (Version_MAXIMUM).

Steps to Reproduce the Problem

Populate Grafeas with vulnerability occurrences without fixed version

PackageIssue: []*vulnerability.PackageIssue{
    {
        AffectedLocation: &vulnerability.VulnerabilityLocation{
            CpeUri:  "cpe",
            Package: vuln.Package(),
            Version: &_package.Version{Name: vuln.PackageVersion, Kind: _package.Version_NORMAL},
        },
        FixedLocation: nil, // no fixed version known for this occurrence
        SeverityName:  vuln.Severity,
    },
},

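The crash described above and a nil-checked variant, as an added example that is not the project's code and not the patch in #431: the protobuf types are replaced by constructed stand-ins with the same nil-safe getters, and treating a nil FixedLocation as "no fix available" is an assumption that follows the reporter's reading of the field.

```go
package main

import "fmt"

// Constructed stand-ins for the Grafeas protobuf types used by IsFixAvailable.
// As in generated protobuf code, the getters tolerate a nil receiver.
type VersionKind int32
const Version_NORMAL, Version_MAXIMUM VersionKind = 1, 3
type Version struct{ Kind VersionKind }
type VulnerabilityLocation struct{ Version *Version }
type PackageIssue struct{ FixedLocation *VulnerabilityLocation }

func (l *VulnerabilityLocation) GetVersion() *Version {
	if l == nil {
		return nil
	}
	return l.Version
}
func (p *PackageIssue) GetFixedLocation() *VulnerabilityLocation {
	if p == nil {
		return nil
	}
	return p.FixedLocation
}

// crashes mirrors the issue's code: nil-safe getters, then a nil *Version dereference on Kind.
func crashes(pis []*PackageIssue) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	for _, pi := range pis {
		_ = pi.GetFixedLocation().GetVersion().Kind
	}
	return false
}

// IsFixAvailableSafe checks the pointer before reading Kind. A nil FixedLocation
// or Version is treated as "no fix available" (assumption, per the reporter).
func IsFixAvailableSafe(pis []*PackageIssue) bool {
	for _, pi := range pis {
		v := pi.GetFixedLocation().GetVersion()
		if v == nil || v.Kind == Version_MAXIMUM {
			return false
		}
	}
	return true
}

func main() {
	noFix := []*PackageIssue{{FixedLocation: nil}}
	fmt.Println(crashes(noFix), IsFixAvailableSafe(noFix)) // true false
}
```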
aysylu commented 5 years ago

Thanks for reporting the issue @liron-l! That's a very good catch. Contributions from the community members to fix this are welcome!

ooq commented 4 years ago

Hi @liron-l , I created a patch in #431 , can you take a look if it addresses your issue? Thanks.