Merge pull request #6259 from devtron-labs/img-scan-bug-fixes

fix: Img scan bug fixes

Author: prakash100198

api/bean/Security.go

@@ -27,6 +27,13 @@ type CreateVulnerabilityPolicyRequest struct {
 	Severity  string               `json:"severity,omitempty"`
 }
 
+func (r *CreateVulnerabilityPolicyRequest) IsRequestGlobal() bool {
+	if r.ClusterId == 0 && r.EnvId == 0 && r.AppId == 0 {
+		return true
+	}
+	return false
+}
+
 // CreateVulnerabilityPolicyResponse defines model for CreateVulnerabilityPolicyResponse.
 type CreateVulnerabilityPolicyResponse struct {
 	// Error object

api/bean/ValuesOverrideRequest.go

@@ -81,6 +81,7 @@ type ValuesOverrideRequest struct {
 	PipelineOverrideId                    int                         `json:"pipelineOverrideId"` // required for async install/upgrade event;
 	DeploymentType                        models.DeploymentType       `json:"deploymentType"`     // required for async install/upgrade handling; previously if was used internally
 	ForceSyncDeployment                   bool                        `json:"forceSyncDeployment,notnull"`
+	IsRollbackDeployment                  bool                        `json:"isRollbackDeployment"`
 	UserId                                int32                       `json:"-"`
 	EnvId                                 int                         `json:"-"`
 	EnvName                               string                      `json:"-"`

api/restHandler/ImageScanRestHandler.go

@@ -97,6 +97,12 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 		return
 	}
 
+	filteredDeployInfoList, err := impl.imageScanService.FilterDeployInfoByScannedArtifactsDeployedInEnv(deployInfoList)
+	if err != nil {
+		impl.logger.Errorw("request err, FilterDeployInfoListForScannedArtifacts", "payload", request, "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
 	token := r.Header.Get("token")
 	var ids []int
 	var appRBACObjects []string
@@ -105,7 +111,7 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 	podRBACMap := make(map[string]int)
 
 	IdToAppEnvPairs := make(map[int][2]int)
-	for _, item := range deployInfoList {
+	for _, item := range filteredDeployInfoList {
 		if item.ScanObjectMetaId > 0 && (item.ObjectType == ObjectTypeApp || item.ObjectType == ObjectTypeChart) {
 			IdToAppEnvPairs[item.Id] = [2]int{item.ScanObjectMetaId, item.EnvId}
 		}
@@ -117,7 +123,7 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 		return
 	}
 
-	for _, item := range deployInfoList {
+	for _, item := range filteredDeployInfoList {
 		if item.ScanObjectMetaId > 0 && (item.ObjectType == ObjectTypeApp || item.ObjectType == ObjectTypeChart) {
 			appObject := appObjects[item.Id]
 			envObject := envObjects[item.Id]
@@ -145,7 +151,7 @@ func (impl ImageScanRestHandlerImpl) ScanExecutionList(w http.ResponseWriter, r
 	envResults := impl.enforcer.EnforceInBatch(token, casbin.ResourceEnvironment, casbin.ActionGet, envRBACObjects)
 	podResults := impl.enforcer.EnforceInBatch(token, casbin.ResourceGlobalEnvironment, casbin.ActionGet, podRBACObjects)
 
-	for _, item := range deployInfoList {
+	for _, item := range filteredDeployInfoList {
 		if impl.enforcerUtil.IsAuthorizedForAppInAppResults(item.ScanObjectMetaId, appResults, appIdtoApp) && impl.enforcerUtil.IsAuthorizedForEnvInEnvResults(item.ScanObjectMetaId, item.EnvId, envResults, appIdtoApp, envIdToEnv) {
 			ids = append(ids, item.Id)
 		}

api/restHandler/PolicyRestHandler.go

@@ -121,9 +121,9 @@ func (impl PolicyRestHandlerImpl) SavePolicy(w http.ResponseWriter, r *http.Requ
 	}
 	//AUTH
 
-	res, err := impl.policyService.SavePolicy(req, userId)
+	res, err := impl.policyService.SavePolicy(&req, userId)
 	if err != nil {
-		impl.logger.Errorw("service err, SavePolicy", "err", err, "payload", req)
+		impl.logger.Errorw("service err, SavePolicy", "payload", req, "err", err)
 		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
 		return
 	}

internal/sql/repository/pipelineConfig/CdWorfkflowRepository.go

@@ -57,6 +57,7 @@ type CdWorkflowRepository interface {
 	FindLastUnFailedProcessedRunner(appId int, environmentId int) (*CdWorkflowRunner, error)
 	IsLatestCDWfr(pipelineId, wfrId int) (bool, error)
 	FindLatestCdWorkflowRunnerByEnvironmentIdAndRunnerType(appId int, environmentId int, runnerType apiBean.WorkflowType) (CdWorkflowRunner, error)
+	FindLatestCdWorkflowRunnerArtifactMetadataForAppAndEnvIds(appVsEnvIdMap map[int][]int, runnerType apiBean.WorkflowType) ([]*cdWorkflow.CdWorkflowRunnerArtifactMetadata, error)
 	FindAllTriggeredWorkflowCountInLast24Hour() (cdWorkflowCount int, err error)
 	GetConnection() *pg.DB
 
@@ -778,3 +779,33 @@ func (impl *CdWorkflowRepositoryImpl) FindDeployedCdWorkflowRunnersByPipelineId(
 	}
 	return runners, nil
 }
+
+func (impl *CdWorkflowRepositoryImpl) FindLatestCdWorkflowRunnerArtifactMetadataForAppAndEnvIds(appVsEnvIdMap map[int][]int, runnerType apiBean.WorkflowType) ([]*cdWorkflow.CdWorkflowRunnerArtifactMetadata, error) {
+	var allRunners []*cdWorkflow.CdWorkflowRunnerArtifactMetadata
+	query := `
+WITH RankedData AS (
+    SELECT 
+        p.app_id AS "app_id",
+        p.environment_id AS "env_id",
+		p.deleted AS "deleted",
+        wf.ci_artifact_id AS "ci_artifact_id",
+        ci_artifact.parent_ci_artifact AS "parent_ci_artifact",
+        ci_artifact.scanned AS "scanned",
+        ROW_NUMBER() OVER (PARTITION BY p.app_id, p.environment_id ORDER BY cd_workflow_runner.id DESC) AS rn
+    FROM cd_workflow_runner INNER JOIN cd_workflow wf ON wf.id = cd_workflow_runner.cd_workflow_id
+    INNER JOIN pipeline p ON p.id = wf.pipeline_id
+    INNER JOIN ci_artifact ON ci_artifact.id = wf.ci_artifact_id
+    WHERE cd_workflow_runner.workflow_type = ? AND p.app_id = ? AND p.environment_id IN (?))
+SELECT "app_id","env_id","ci_artifact_id","parent_ci_artifact","scanned" FROM RankedData WHERE rn = 1 and deleted= false;
+`
+	for appId, envIds := range appVsEnvIdMap {
+		var runners []*cdWorkflow.CdWorkflowRunnerArtifactMetadata
+		_, err := impl.dbConnection.Query(&runners, query, runnerType, appId, pg.In(envIds))
+		if err != nil {
+			impl.logger.Errorw("error in getting cdWfrs by appId and envIds and runner type", "appVsEnvIdMap", appVsEnvIdMap, "err", err)
+			return nil, err
+		}
+		allRunners = append(allRunners, runners...)
+	}
+	return allRunners, nil
+}

internal/sql/repository/pipelineConfig/bean/workflow/cdWorkflow/CdWorkflowBean.go

@@ -52,3 +52,11 @@ const (
 )
 
 type WorkflowExecutorType string
+
+type CdWorkflowRunnerArtifactMetadata struct {
+	AppId            int  `pg:"app_id"`
+	EnvId            int  `pg:"env_id"`
+	CiArtifactId     int  `pg:"ci_artifact_id"`
+	ParentCiArtifact int  `pg:"parent_ci_artifact"`
+	Scanned          bool `pg:"scanned"`
+}

pkg/deployment/trigger/devtronApps/TriggerService.go

@@ -358,32 +358,34 @@ func (impl *TriggerServiceImpl) getCdPipelineForManualCdTrigger(ctx context.Cont
 	return cdPipeline, nil
 }
 
-func (impl *TriggerServiceImpl) validateDeploymentTriggerRequest(ctx context.Context, runner *pipelineConfig.CdWorkflowRunner,
-	cdPipeline *pipelineConfig.Pipeline, imageDigest string, envDeploymentConfig *bean9.DeploymentConfig, triggeredBy int32) error {
+func (impl *TriggerServiceImpl) validateDeploymentTriggerRequest(ctx context.Context, validateDeploymentTriggerObj *bean.ValidateDeploymentTriggerObj) error {
 	newCtx, span := otel.Tracer("orchestrator").Start(ctx, "TriggerServiceImpl.validateDeploymentTriggerRequest")
 	defer span.End()
 	// custom GitOps repo url validation --> Start
-	err := impl.handleCustomGitOpsRepoValidation(runner, cdPipeline, envDeploymentConfig, triggeredBy)
+	err := impl.handleCustomGitOpsRepoValidation(validateDeploymentTriggerObj.Runner, validateDeploymentTriggerObj.CdPipeline, validateDeploymentTriggerObj.DeploymentConfig, validateDeploymentTriggerObj.TriggeredBy)
 	if err != nil {
 		impl.logger.Errorw("custom GitOps repository validation error, TriggerStage", "err", err)
 		return err
 	}
 	// custom GitOps repo url validation --> Ends
-
-	// checking vulnerability for deploying image
-	vulnerabilityCheckRequest := adapter.GetVulnerabilityCheckRequest(cdPipeline, imageDigest)
-	isVulnerable, err := impl.imageScanService.GetArtifactVulnerabilityStatus(newCtx, vulnerabilityCheckRequest)
-	if err != nil {
-		impl.logger.Errorw("error in getting Artifact vulnerability status, ManualCdTrigger", "err", err)
-		return err
+	var isVulnerable bool
+	// if request is for rollback then bypass vulnerability validation
+	if !validateDeploymentTriggerObj.IsDeploymentTypeRollback() {
+		// checking vulnerability for deploying image
+		vulnerabilityCheckRequest := adapter.GetVulnerabilityCheckRequest(validateDeploymentTriggerObj.CdPipeline, validateDeploymentTriggerObj.ImageDigest)
+		isVulnerable, err = impl.imageScanService.GetArtifactVulnerabilityStatus(newCtx, vulnerabilityCheckRequest)
+		if err != nil {
+			impl.logger.Errorw("error in getting Artifact vulnerability status, ManualCdTrigger", "err", err)
+			return err
+		}
 	}
 
 	if isVulnerable == true {
 		// if image vulnerable, update timeline status and return
-		if err = impl.cdWorkflowCommonService.MarkCurrentDeploymentFailed(runner, errors.New(cdWorkflow.FOUND_VULNERABILITY), triggeredBy); err != nil {
-			impl.logger.Errorw("error while updating current runner status to failed, TriggerDeployment", "wfrId", runner.Id, "err", err)
+		if err = impl.cdWorkflowCommonService.MarkCurrentDeploymentFailed(validateDeploymentTriggerObj.Runner, errors.New(cdWorkflow.FOUND_VULNERABILITY), validateDeploymentTriggerObj.TriggeredBy); err != nil {
+			impl.logger.Errorw("error while updating current runner status to failed, TriggerDeployment", "wfrId", validateDeploymentTriggerObj.Runner.Id, "err", err)
 		}
-		return fmt.Errorf("found vulnerability for image digest %s", imageDigest)
+		return fmt.Errorf("found vulnerability for image digest %s", validateDeploymentTriggerObj.ImageDigest)
 	}
 	return nil
 }
@@ -536,7 +538,8 @@ func (impl *TriggerServiceImpl) ManualCdTrigger(triggerContext bean.TriggerConte
 			impl.logger.Errorw("error in creating timeline status for deployment initiation, ManualCdTrigger", "err", err, "timeline", timeline)
 		}
 		if isNotHibernateRequest(overrideRequest.DeploymentType) {
-			validationErr := impl.validateDeploymentTriggerRequest(ctx, runner, cdPipeline, artifact.ImageDigest, envDeploymentConfig, overrideRequest.UserId)
+			validateReqObj := adapter.NewValidateDeploymentTriggerObj(runner, cdPipeline, artifact.ImageDigest, envDeploymentConfig, overrideRequest.UserId, overrideRequest.IsRollbackDeployment)
+			validationErr := impl.validateDeploymentTriggerRequest(ctx, validateReqObj)
 			if validationErr != nil {
 				impl.logger.Errorw("validation error deployment request", "cdWfr", runner.Id, "err", validationErr)
 				return 0, "", nil, validationErr
@@ -671,7 +674,7 @@ func (impl *TriggerServiceImpl) TriggerAutomaticDeployment(request bean.TriggerR
 		return err
 	}
 	// setting triggeredBy as 1(system user) since case of auto trigger
-	validationErr := impl.validateDeploymentTriggerRequest(ctx, runner, pipeline, artifact.ImageDigest, envDeploymentConfig, 1)
+	validationErr := impl.validateDeploymentTriggerRequest(ctx, adapter.NewValidateDeploymentTriggerObj(runner, pipeline, artifact.ImageDigest, envDeploymentConfig, 1, false))
 	if validationErr != nil {
 		impl.logger.Errorw("validation error deployment request", "cdWfr", runner.Id, "err", validationErr)
 		return validationErr

pkg/deployment/trigger/devtronApps/adapter/adapter.go

@@ -61,3 +61,15 @@ func NewAppIdentifierFromOverrideRequest(overrideRequest *apiBean.ValuesOverride
 		ReleaseName: overrideRequest.ReleaseName,
 	}
 }
+
+func NewValidateDeploymentTriggerObj(runner *pipelineConfig.CdWorkflowRunner, cdPipeline *pipelineConfig.Pipeline, imageDigest string,
+	deploymentConfig *bean2.DeploymentConfig, userId int32, isRollbackDeployment bool) *bean.ValidateDeploymentTriggerObj {
+	return &bean.ValidateDeploymentTriggerObj{
+		Runner:               runner,
+		CdPipeline:           cdPipeline,
+		ImageDigest:          imageDigest,
+		DeploymentConfig:     deploymentConfig,
+		TriggeredBy:          userId,
+		IsRollbackDeployment: isRollbackDeployment,
+	}
+}

pkg/deployment/trigger/devtronApps/bean/bean.go

@@ -21,6 +21,7 @@ import (
 	"github.com/devtron-labs/devtron/api/bean"
 	"github.com/devtron-labs/devtron/internal/sql/repository"
 	"github.com/devtron-labs/devtron/internal/sql/repository/pipelineConfig"
+	bean2 "github.com/devtron-labs/devtron/pkg/deployment/common/bean"
 	"time"
 )
 
@@ -102,3 +103,16 @@ const (
 	CHILD_CD_COUNT               = "CHILD_CD_COUNT"
 	APP_NAME                     = "APP_NAME"
 )
+
+type ValidateDeploymentTriggerObj struct {
+	Runner               *pipelineConfig.CdWorkflowRunner
+	CdPipeline           *pipelineConfig.Pipeline
+	ImageDigest          string
+	DeploymentConfig     *bean2.DeploymentConfig
+	TriggeredBy          int32
+	IsRollbackDeployment bool
+}
+
+func (r *ValidateDeploymentTriggerObj) IsDeploymentTypeRollback() bool {
+	return r.IsRollbackDeployment
+}