feat: add layered analysis scanning

Author: tembleking

src/app/commands.rs

@@ -8,8 +8,11 @@ use tower_lsp::{
     lsp_types::{Diagnostic, DiagnosticSeverity, MessageType, Position, Range},
 };
 
+use crate::infra::parse_dockerfile;
+
 use super::{
-    ImageBuilder, ImageScanner, InMemoryDocumentDatabase, LSPClient, lsp_server::WithContext,
+    ImageBuilder, ImageScanResult, ImageScanner, InMemoryDocumentDatabase, LSPClient, VulnSeverity,
+    lsp_server::WithContext,
 };
 
 pub struct CommandExecutor<C> {
@@ -126,10 +129,14 @@ where
             };
 
             if scan_result.has_vulnerabilities() {
-                let v = &scan_result.vulnerabilities;
                 diagnostic.message = format!(
                     "Vulnerabilities found for {}: {} Critical, {} High, {} Medium, {} Low, {} Negligible",
-                    image_for_selected_line, v.critical, v.high, v.medium, v.low, v.negligible
+                    image_for_selected_line,
+                    scan_result.count_vulns_of_severity(VulnSeverity::Critical),
+                    scan_result.count_vulns_of_severity(VulnSeverity::High),
+                    scan_result.count_vulns_of_severity(VulnSeverity::Medium),
+                    scan_result.count_vulns_of_severity(VulnSeverity::Low),
+                    scan_result.count_vulns_of_severity(VulnSeverity::Negligible),
                 );
 
                 diagnostic.severity = Some(if scan_result.is_compliant {
@@ -203,49 +210,129 @@ where
         )
         .await;
 
-        let diagnostic = {
-            let range_for_selected_line = Range::new(
-                Position::new(line, 0),
-                Position::new(
-                    line,
-                    document_text
-                        .lines()
-                        .nth(line as usize)
-                        .map(|x| x.len() as u32)
-                        .unwrap_or(u32::MAX),
-                ),
-            );
-
-            let mut diagnostic = Diagnostic {
-                range: range_for_selected_line,
-                severity: Some(DiagnosticSeverity::HINT),
-                message: "No vulnerabilities found.".to_owned(),
-                ..Default::default()
-            };
-
-            if scan_result.has_vulnerabilities() {
-                let v = &scan_result.vulnerabilities;
-                diagnostic.message = format!(
-                    "Vulnerabilities found for Dockerfile in {}: {} Critical, {} High, {} Medium, {} Low, {} Negligible",
-                    uri_without_file_path, v.critical, v.high, v.medium, v.low, v.negligible
-                );
-
-                diagnostic.severity = Some(if scan_result.is_compliant {
-                    DiagnosticSeverity::INFORMATION
-                } else {
-                    DiagnosticSeverity::ERROR
-                });
-            }
-
-            diagnostic
-        };
+        let diagnostic = diagnostic_for_image(line, &document_text, &scan_result);
+        let diagnostics_per_layer = diagnostics_for_layers(&document_text, &scan_result)?;
 
         self.document_database
             .remove_diagnostics(uri.to_str().unwrap())
             .await;
         self.document_database
             .append_document_diagnostics(uri.to_str().unwrap(), &[diagnostic])
             .await;
+        self.document_database
+            .append_document_diagnostics(uri.to_str().unwrap(), &diagnostics_per_layer)
+            .await;
         self.publish_all_diagnostics().await
     }
 }
+
+pub fn diagnostics_for_layers(
+    document_text: &str,
+    scan_result: &ImageScanResult,
+) -> Result<Vec<Diagnostic>> {
+    let instructions = parse_dockerfile(document_text);
+    let layers = &scan_result.layers;
+
+    let mut instr_idx = instructions.len().checked_sub(1);
+    let mut layer_idx = layers.len().checked_sub(1);
+
+    let mut diagnostics = Vec::new();
+
+    while let (Some(i), Some(l)) = (instr_idx, layer_idx) {
+        let instr = &instructions[i];
+        let layer = &layers[l];
+
+        if instr.keyword == "FROM" {
+            break;
+        }
+
+        if layer.layer_text.contains(&instr.arguments_str) {
+            instr_idx = instr_idx.and_then(|x| x.checked_sub(1));
+            layer_idx = layer_idx.and_then(|x| x.checked_sub(1));
+
+            let mut msg = String::new();
+            if layer.count_vulns_of_severity(VulnSeverity::Critical) > 0 {
+                msg += &format!(
+                    "🟣 {}  ",
+                    layer.count_vulns_of_severity(VulnSeverity::Critical)
+                )
+            }
+            if layer.count_vulns_of_severity(VulnSeverity::High) > 0 {
+                msg += &format!("🔴 {}  ", layer.count_vulns_of_severity(VulnSeverity::High))
+            }
+            if layer.count_vulns_of_severity(VulnSeverity::Medium) > 0 {
+                msg += &format!(
+                    "🟠 {}  ",
+                    layer.count_vulns_of_severity(VulnSeverity::Medium)
+                )
+            }
+            if layer.count_vulns_of_severity(VulnSeverity::Low) > 0 {
+                msg += &format!("🟡 {}  ", layer.count_vulns_of_severity(VulnSeverity::Low))
+            }
+            if layer.count_vulns_of_severity(VulnSeverity::Negligible) > 0 {
+                msg += &format!(
+                    "⚪ {}  ",
+                    layer.count_vulns_of_severity(VulnSeverity::Negligible)
+                )
+            }
+
+            let diagnostic = Diagnostic {
+                range: instr.range,
+                severity: Some(DiagnosticSeverity::WARNING),
+                source: Some("Sysdig".to_string()),
+                message: msg,
+                ..Default::default()
+            };
+
+            diagnostics.push(diagnostic);
+        } else {
+            layer_idx = layer_idx.and_then(|x| x.checked_sub(1));
+        }
+    }
+
+    Ok(diagnostics)
+}
+
+fn diagnostic_for_image(
+    line: u32,
+    document_text: &str,
+    scan_result: &ImageScanResult,
+) -> Diagnostic {
+    let range_for_selected_line = Range::new(
+        Position::new(line, 0),
+        Position::new(
+            line,
+            document_text
+                .lines()
+                .nth(line as usize)
+                .map(|x| x.len() as u32)
+                .unwrap_or(u32::MAX),
+        ),
+    );
+
+    let mut diagnostic = Diagnostic {
+        range: range_for_selected_line,
+        severity: Some(DiagnosticSeverity::HINT),
+        message: "No vulnerabilities found.".to_owned(),
+        ..Default::default()
+    };
+
+    if scan_result.has_vulnerabilities() {
+        diagnostic.message = format!(
+            "Vulnerabilities found: {} Critical, {} High, {} Medium, {} Low, {} Negligible",
+            scan_result.count_vulns_of_severity(VulnSeverity::Critical),
+            scan_result.count_vulns_of_severity(VulnSeverity::High),
+            scan_result.count_vulns_of_severity(VulnSeverity::Medium),
+            scan_result.count_vulns_of_severity(VulnSeverity::Low),
+            scan_result.count_vulns_of_severity(VulnSeverity::Negligible),
+        );
+
+        diagnostic.severity = Some(if scan_result.is_compliant {
+            DiagnosticSeverity::INFORMATION
+        } else {
+            DiagnosticSeverity::ERROR
+        });
+    }
+
+    diagnostic
+}

src/app/image_scanner.rs

@@ -7,20 +7,62 @@ pub trait ImageScanner {
     async fn scan_image(&self, image_pull_string: &str) -> Result<ImageScanResult, ImageScanError>;
 }
 
-#[derive(Clone, Copy, Debug)]
+#[derive(Clone, Debug)]
 pub struct ImageScanResult {
-    pub vulnerabilities: Vulnerabilities,
+    pub vulnerabilities: Vec<VulnerabilityEntry>,
     pub is_compliant: bool,
+    pub layers: Vec<LayerScanResult>,
 }
 
 impl ImageScanResult {
+    pub fn count_vulns_of_severity(&self, severity: VulnSeverity) -> usize {
+        self.vulnerabilities
+            .iter()
+            .filter(|v| v.severity == severity)
+            .count()
+    }
+
+    pub fn has_vulnerabilities(&self) -> bool {
+        !self.vulnerabilities.is_empty()
+    }
+}
+
+#[derive(Clone, Debug)]
+pub struct VulnerabilityEntry {
+    pub id: String,
+    pub severity: VulnSeverity,
+}
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum VulnSeverity {
+    Critical,
+    High,
+    Medium,
+    Low,
+    Negligible,
+}
+
+#[derive(Clone, Debug)]
+pub struct LayerScanResult {
+    pub layer_instruction: String,
+    pub layer_text: String,
+    pub vulnerabilities: Vec<VulnerabilityEntry>,
+}
+
+impl LayerScanResult {
+    pub fn count_vulns_of_severity(&self, severity: VulnSeverity) -> usize {
+        self.vulnerabilities
+            .iter()
+            .filter(|v| v.severity == severity)
+            .count()
+    }
+
     pub fn has_vulnerabilities(&self) -> bool {
-        let v = &self.vulnerabilities;
-        v.critical > 0 || v.high > 0 || v.medium > 0 || v.low > 0 || v.negligible > 0
+        !self.vulnerabilities.is_empty()
     }
 }
 
-#[derive(Clone, Copy, Debug)]
+#[derive(Clone, Copy, Debug, Default)]
 pub struct Vulnerabilities {
     pub critical: usize,
     pub high: usize,

src/app/mod.rs

@@ -9,6 +9,9 @@ mod queries;
 
 pub use document_database::*;
 pub use image_builder::{ImageBuildError, ImageBuildResult, ImageBuilder};
-pub use image_scanner::{ImageScanError, ImageScanResult, ImageScanner, Vulnerabilities};
+pub use image_scanner::{
+    ImageScanError, ImageScanResult, ImageScanner, LayerScanResult, VulnSeverity, Vulnerabilities,
+    VulnerabilityEntry,
+};
 pub use lsp_client::LSPClient;
 pub use lsp_server::LSPServer;