feat(scanresult): Use global evaluation result from scanner

tembleking · tembleking · commit fcc0029c8861 · 2025-10-28T09:04:39.000+01:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -12,3 +12,5 @@ repos:
     - id: trailing-whitespace
     - id: end-of-file-fixer
     - id: check-yaml
+    - id: check-toml
+    - id: no-commit-to-branch
diff --git a/src/domain/scanresult/evaluation_result.rs b/src/domain/scanresult/evaluation_result.rs
@@ -13,3 +13,13 @@ impl EvaluationResult {
         matches!(self, Self::Passed)
     }
 }
+
+impl From<&str> for EvaluationResult {
+    fn from(value: &str) -> Self {
+        if value.eq_ignore_ascii_case("failed") {
+            EvaluationResult::Failed
+        } else {
+            EvaluationResult::Passed
+        }
+    }
+}
diff --git a/src/domain/scanresult/scan_result.rs b/src/domain/scanresult/scan_result.rs
@@ -27,6 +27,7 @@ pub struct ScanResult {
     policies: HashMap<String, Arc<Policy>>,
     policy_bundles: HashMap<String, Arc<PolicyBundle>>,
     accepted_risks: HashMap<String, Arc<AcceptedRisk>>,
+    global_evaluation: EvaluationResult,
 }
 
 impl ScanResult {
@@ -41,6 +42,7 @@ impl ScanResult {
         architecture: Architecture,
         labels: HashMap<String, String>,
         created_at: DateTime<Utc>,
+        global_evaluation: EvaluationResult,
     ) -> Self {
         Self {
             scan_type,
@@ -60,6 +62,7 @@ impl ScanResult {
             policies: HashMap::new(),
             policy_bundles: HashMap::new(),
             accepted_risks: HashMap::new(),
+            global_evaluation,
         }
     }
 
@@ -242,15 +245,7 @@ impl ScanResult {
     }
 
     pub fn evaluation_result(&self) -> EvaluationResult {
-        if self
-            .policies()
-            .iter()
-            .all(|p| p.evaluation_result().is_passed())
-        {
-            EvaluationResult::Passed
-        } else {
-            EvaluationResult::Failed
-        }
+        self.global_evaluation
     }
 }
 
@@ -277,6 +272,7 @@ mod tests {
             Architecture::Amd64,
             HashMap::new(),
             Utc::now(),
+            EvaluationResult::Failed,
         )
     }
 
@@ -505,7 +501,18 @@ mod tests {
 
     #[test]
     fn evaluation_result_passed() {
-        let mut scan_result = create_scan_result();
+        let mut scan_result = ScanResult::new(
+            ScanType::Docker,
+            "alpine:latest".to_string(),
+            "sha256:12345".to_string(),
+            Some("sha256:67890".to_string()),
+            OperatingSystem::new(Family::Linux, "alpine:3.18".to_string()),
+            123456,
+            Architecture::Amd64,
+            HashMap::new(),
+            Utc::now(),
+            EvaluationResult::Passed,
+        );
         let now = Utc::now();
         let policy =
             scan_result.add_policy("policy-1".to_string(), "My Policy".to_string(), now, now);
@@ -758,7 +765,11 @@ mod tests {
 
         assert_eq!(bundle.evaluation_result(), EvaluationResult::Passed);
         assert_eq!(policy.evaluation_result(), EvaluationResult::Passed);
-        assert_eq!(scan_result.evaluation_result(), EvaluationResult::Passed);
+        assert_eq!(
+            scan_result.evaluation_result(),
+            EvaluationResult::Failed,
+            "Global evaluation should remain Failed"
+        );
 
         let failed_rule = bundle.add_rule(
             "rule-failed".to_string(),
@@ -780,6 +791,10 @@ mod tests {
 
         assert_eq!(bundle.evaluation_result(), EvaluationResult::Failed);
         assert_eq!(policy.evaluation_result(), EvaluationResult::Failed);
-        assert_eq!(scan_result.evaluation_result(), EvaluationResult::Failed);
+        assert_eq!(
+            scan_result.evaluation_result(),
+            EvaluationResult::Failed,
+            "Global evaluation should remain Failed"
+        );
     }
 }
diff --git a/src/infra/sysdig_image_scanner_json_scan_result_v1.rs b/src/infra/sysdig_image_scanner_json_scan_result_v1.rs
@@ -7,7 +7,6 @@ use std::collections::HashMap;
 use crate::domain::scanresult::{
     accepted_risk_reason::AcceptedRiskReason,
     architecture::Architecture,
-    evaluation_result::EvaluationResult,
     operating_system::{Family, OperatingSystem},
     package_type::PackageType,
     scan_result::ScanResult,
@@ -17,7 +16,7 @@ use crate::domain::scanresult::{
 
 impl From<JsonScanResultV1> for ScanResult {
     fn from(report: JsonScanResultV1) -> Self {
-        let mut scan_result = ScanResult::from(&report.result.metadata);
+        let mut scan_result = ScanResult::from(&report.result);
 
         add_layers(&report.result, &mut scan_result);
         add_risk_accepts(&report.result, &mut scan_result);
@@ -145,11 +144,7 @@ fn add_policies(result: &JsonResult, scan_result: &mut ScanResult) {
                 let rule = policy_bundle.add_rule(
                     json_rule.rule_id.clone(),
                     json_rule.description.clone(),
-                    if json_rule.evaluation_result.eq_ignore_ascii_case("failed") {
-                        EvaluationResult::Failed
-                    } else {
-                        EvaluationResult::Passed
-                    },
+                    json_rule.evaluation_result.as_str().into(),
                 );
 
                 for json_failure in json_rule.failures.as_deref().unwrap_or_default() {
@@ -188,8 +183,9 @@ fn failure_message_for(result: &JsonResult, package_ref: &str, vulnerability_ref
     }
 }
 
-impl From<&JsonMetadata> for ScanResult {
-    fn from(metadata: &JsonMetadata) -> Self {
+impl From<&JsonResult> for ScanResult {
+    fn from(result: &JsonResult) -> Self {
+        let metadata = &result.metadata;
         ScanResult::new(
             ScanType::Docker,
             metadata.pull_string.clone(),
@@ -200,6 +196,7 @@ impl From<&JsonMetadata> for ScanResult {
             arch_from_str(&metadata.architecture),
             metadata.labels.clone(),
             metadata.created_at,
+            result.policies.global_evaluation.as_str().into(),
         )
     }
 }
diff --git a/tests/general.rs b/tests/general.rs
@@ -5,6 +5,7 @@ use rstest::{fixture, rstest};
 use serde_json::json;
 use std::collections::HashMap;
 use sysdig_lsp::domain::scanresult::architecture::Architecture;
+use sysdig_lsp::domain::scanresult::evaluation_result::EvaluationResult;
 use sysdig_lsp::domain::scanresult::operating_system::{Family, OperatingSystem};
 use sysdig_lsp::domain::scanresult::scan_result::ScanResult;
 use sysdig_lsp::domain::scanresult::scan_type::ScanType;
@@ -120,6 +121,7 @@ fn scan_result() -> ScanResult {
         Architecture::Amd64,
         HashMap::new(),
         chrono::Utc::now(),
+        EvaluationResult::Passed,
     );
 
     let layer = result.add_layer(

Original file line number	Diff line number	Diff line change
`@@ -13,3 +13,13 @@ impl EvaluationResult {`
`13`	`13`	`matches!(self, Self::Passed)`
`14`	`14`	`}`
`15`	`15`	`}`
	`16`	`+`
	`17`	`+impl From<&str> for EvaluationResult {`
	`18`	`+ fn from(value: &str) -> Self {`
	`19`	`+ if value.eq_ignore_ascii_case("failed") {`
	`20`	`+ EvaluationResult::Failed`
	`21`	`+ } else {`
	`22`	`+ EvaluationResult::Passed`
	`23`	`+ }`
	`24`	`+ }`
	`25`	`+}`