feat: add vulnerability count to matched packages, enabled via flag --show-vuln-count (#507)

rlmestre · web-flow · commit ff0412908deb · 2025-03-04T12:18:12.000-04:00
Signed-off-by: Rafael Mestre &lt;rafael@herodevs.com&gt;
diff --git a/cmd/xeol/cli/commands/root.go b/cmd/xeol/cli/commands/root.go
@@ -244,12 +244,13 @@ func runXeol(app clio.Application, opts *options.Xeol, userInput string) error {
 		}
 
 		if err := writer.Write(models.PresenterConfig{
-			Matches:   allMatches,
-			Packages:  packages,
-			Context:   pkgContext,
-			SBOM:      s,
-			AppConfig: opts,
-			DBStatus:  status,
+			Matches:       allMatches,
+			Packages:      packages,
+			Context:       pkgContext,
+			SBOM:          s,
+			AppConfig:     opts,
+			ShowVulnCount: opts.ShowVulnCount,
+			DBStatus:      status,
 		}); err != nil {
 			errs <- err
 		}
diff --git a/cmd/xeol/cli/options/xeol.go b/cmd/xeol/cli/options/xeol.go
@@ -33,6 +33,7 @@ type Xeol struct {
 	Registry               registry    `yaml:"registry" json:"registry" mapstructure:"registry"`
 	Name                   string      `yaml:"name" json:"name" mapstructure:"name"`
 	DefaultImagePullSource string      `yaml:"default-image-pull-source" json:"default-image-pull-source" mapstructure:"default-image-pull-source"`
+	ShowVulnCount          bool        `yaml:"show-vuln-count" json:"show-vuln-count" mapstructure:"show-vuln-count"`
 }
 
 var _ interface {
@@ -53,6 +54,7 @@ func DefaultXeol(id clio.Identification) *Xeol {
 		ProjectName:       project,
 		CommitHash:        commit,
 		ImagePath:         "Dockerfile",
+		ShowVulnCount:     false,
 	}
 	return config
 }
@@ -123,6 +125,11 @@ func (o *Xeol) AddFlags(flags clio.FlagSet) {
 		"platform", "",
 		"an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')",
 	)
+
+	flags.BoolVarP(&o.ShowVulnCount,
+		"show-vuln-count", "",
+		"show the number of vulnerabilities found for each package (default is false)",
+	)
 }
 
 func (o *Xeol) parseLookaheadOption() (err error) {
diff --git a/test/integration/db_mock_test.go b/test/integration/db_mock_test.go
@@ -19,6 +19,10 @@ func (s *mockStore) GetCyclesByCpe(cpe string) ([]xeolDB.Cycle, error) {
 	return s.backend[cpe], nil
 }
 
+func (s *mockStore) GetVulnCountByPurlAndVersion(purl string, version string) (int, error) {
+	return 0, nil
+}
+
 func (s *mockStore) GetAllProducts() (*[]xeolDB.Product, error) {
 	return nil, nil
 }
diff --git a/xeol/db/eol_provider.go b/xeol/db/eol_provider.go
@@ -83,3 +83,17 @@ func (pr *EolProvider) GetByPackagePurl(p pkg.Package) ([]eol.Cycle, error) {
 
 	return cycles, nil
 }
+
+func (pr *EolProvider) GetVulnCount(p pkg.Package) (int, error) {
+	shortPurl, err := purl.ShortPurl(p)
+	if err != nil {
+		return 0, err
+	}
+
+	vulnCount, err := pr.reader.GetVulnCountByPurlAndVersion(shortPurl, p.Version)
+	if err != nil {
+		return 0, err
+	}
+
+	return vulnCount, nil
+}
diff --git a/xeol/db/v1/eol.go b/xeol/db/v1/eol.go
@@ -36,6 +36,7 @@ type EolStore interface {
 type EolStoreReader interface {
 	GetCyclesByPurl(purl string) ([]Cycle, error)
 	GetCyclesByCpe(cpe string) ([]Cycle, error)
+	GetVulnCountByPurlAndVersion(purl string, version string) (int, error)
 	GetAllProducts() (*[]Product, error)
 }
 
diff --git a/xeol/db/v1/store/store.go b/xeol/db/v1/store/store.go
@@ -143,3 +143,14 @@ func (s *store) GetCyclesByPurl(purl string) ([]v1.Cycle, error) {
 	}
 	return cycles, nil
 }
+
+func (s *store) GetVulnCountByPurlAndVersion(purl string, version string) (int, error) {
+	var vulnCount int
+	if result := s.db.Table("vulns").
+		Select("vulns.issue_count").
+		Joins("JOIN purls ON vulns.product_id = purls.product_id").
+		Where("purls.purl = ? AND vulns.version = ?", purl, version).Find(&vulnCount); result.Error != nil {
+		return 0, result.Error
+	}
+	return vulnCount, nil
+}
diff --git a/xeol/eol/provider.go b/xeol/eol/provider.go
@@ -13,6 +13,7 @@ type Provider interface {
 
 type ProviderByPackagePurl interface {
 	GetByPackagePurl(p pkg.Package) ([]Cycle, error)
+	GetVulnCount(p pkg.Package) (int, error)
 }
 
 type ProviderByDistroCpe interface {
diff --git a/xeol/match/fingerprint.go b/xeol/match/fingerprint.go
@@ -13,6 +13,7 @@ type Fingerprint struct {
 	eolDate      string
 	eolBool      bool
 	lts          string
+	version      string
 }
 
 func (m Fingerprint) String() string {
diff --git a/xeol/match/match.go b/xeol/match/match.go
@@ -11,8 +11,9 @@ var ErrCannotMerge = fmt.Errorf("unable to merge eol matches")
 
 // Match represents a finding in the eol matching process, pairing a single package and a single eol object.
 type Match struct {
-	Cycle   eol.Cycle
-	Package pkg.Package // The package used to search for a match.
+	Cycle     eol.Cycle
+	Package   pkg.Package // The package used to search for a match.
+	VulnCount int
 }
 
 // String is the string representation of select match fields.
@@ -32,6 +33,7 @@ func (m Match) Fingerprint() Fingerprint {
 		eolDate:      m.Cycle.Eol,
 		eolBool:      m.Cycle.EolBool,
 		lts:          m.Cycle.LTS,
+		version:      m.Package.Version,
 	}
 }
 
diff --git a/xeol/matcher/distro/matcher_test.go b/xeol/matcher/distro/matcher_test.go
@@ -29,6 +29,10 @@ func (s *mockStore) GetCyclesByCpe(cpe string) ([]xeolDB.Cycle, error) {
 	return s.backend[cpe], nil
 }
 
+func (s *mockStore) GetVulnCountByPurlAndVersion(purl string, version string) (int, error) {
+	return 0, nil
+}
+
 func (s *mockStore) GetAllProducts() (*[]xeolDB.Product, error) {
 	return nil, nil
 }
diff --git a/xeol/matcher/packages/matcher_test.go b/xeol/matcher/packages/matcher_test.go
@@ -30,6 +30,10 @@ func (s *mockStore) GetCyclesByCpe(cpe string) ([]xeolDB.Cycle, error) {
 	return s.backend[cpe], nil
 }
 
+func (s *mockStore) GetVulnCountByPurlAndVersion(purl string, version string) (int, error) {
+	return 0, nil
+}
+
 func (s *mockStore) GetAllProducts() (*[]xeolDB.Product, error) {
 	return nil, nil
 }
diff --git a/xeol/presenter/models/presenter_bundle.go b/xeol/presenter/models/presenter_bundle.go
@@ -8,10 +8,11 @@ import (
 )
 
 type PresenterConfig struct {
-	Matches   match.Matches
-	Packages  []pkg.Package
-	Context   pkg.Context
-	SBOM      *sbom.SBOM
-	AppConfig interface{}
-	DBStatus  interface{}
+	Matches       match.Matches
+	Packages      []pkg.Package
+	Context       pkg.Context
+	SBOM          *sbom.SBOM
+	AppConfig     interface{}
+	ShowVulnCount bool
+	DBStatus      interface{}
 }
diff --git a/xeol/presenter/table/presenter.go b/xeol/presenter/table/presenter.go
@@ -18,15 +18,17 @@ var now = time.Now
 
 // Presenter is a generic struct for holding fields needed for reporting
 type Presenter struct {
-	matches  match.Matches
-	packages []pkg.Package
+	matches       match.Matches
+	packages      []pkg.Package
+	showVulnCount bool
 }
 
 // NewPresenter is a *Presenter constructor
 func NewPresenter(pb models.PresenterConfig) *Presenter {
 	return &Presenter{
-		matches:  pb.Matches,
-		packages: pb.Packages,
+		matches:       pb.Matches,
+		packages:      pb.Packages,
+		showVulnCount: pb.ShowVulnCount,
 	}
 }
 
@@ -35,12 +37,16 @@ func (pres *Presenter) Present(output io.Writer) error {
 	rows := make([][]string, 0)
 
 	columns := []string{"NAME", "VERSION", "EOL", "DAYS EOL", "TYPE"}
+	if pres.showVulnCount {
+		columns = append(columns, "# OF VULNS.")
+	}
+
 	// Generate rows for matches
 	for m := range pres.matches.Enumerate() {
 		if m.Package.Name == "" {
 			continue
 		}
-		row, err := createRow(m)
+		row, err := createRow(m, pres.showVulnCount)
 
 		if err != nil {
 			return err
@@ -85,17 +91,24 @@ func (pres *Presenter) Present(output io.Writer) error {
 	return nil
 }
 
-func createRow(m match.Match) ([]string, error) {
+func createRow(m match.Match, showVulnCount bool) ([]string, error) {
 	daysEol, err := calculateDaysEol(m)
 	if err != nil {
 		return nil, err
 	}
 
+	row := []string{m.Package.Name, m.Package.Version}
 	if m.Cycle.EolBool {
-		return []string{m.Package.Name, m.Package.Version, "YES", "-", string(m.Package.Type)}, nil
+		row = append(row, "YES", "-", string(m.Package.Type))
+	} else {
+		row = append(row, m.Cycle.Eol, daysEol, string(m.Package.Type))
+	}
+
+	if showVulnCount {
+		row = append(row, strconv.Itoa(m.VulnCount))
 	}
 
-	return []string{m.Package.Name, m.Package.Version, m.Cycle.Eol, daysEol, string(m.Package.Type)}, nil
+	return row, nil
 }
 
 func calculateDaysEol(m match.Match) (string, error) {
diff --git a/xeol/presenter/table/presenter_test.go b/xeol/presenter/table/presenter_test.go
@@ -69,7 +69,7 @@ func TestCreateRow(t *testing.T) {
 
 	for _, testCase := range cases {
 		t.Run(testCase.name, func(t *testing.T) {
-			row, err := createRow(testCase.match)
+			row, err := createRow(testCase.match, false)
 
 			assert.Equal(t, testCase.expectedErr, err)
 			assert.Equal(t, testCase.expectedRow, row)
diff --git a/xeol/search/purl.go b/xeol/search/purl.go
@@ -30,9 +30,16 @@ func ByPackagePURL(store eol.Provider, p pkg.Package, _ match.MatcherType, eolMa
 	}
 
 	if (cycle != eol.Cycle{}) {
+		vulnCount, err := store.GetVulnCount(p)
+		if err != nil {
+			log.Warnf("failed to get vulnerability count for package %s: %v", p, err)
+			vulnCount = 0
+		}
+
 		return match.Match{
-			Cycle:   cycle,
-			Package: p,
+			Cycle:     cycle,
+			Package:   p,
+			VulnCount: vulnCount,
 		}, nil
 	}
 	return match.Match{}, nil

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ type Xeol struct {`
`33`	`33`	Registry registry `yaml:"registry" json:"registry" mapstructure:"registry"`
`34`	`34`	Name string `yaml:"name" json:"name" mapstructure:"name"`
`35`	`35`	DefaultImagePullSource string `yaml:"default-image-pull-source" json:"default-image-pull-source" mapstructure:"default-image-pull-source"`
	`36`	+ ShowVulnCount bool `yaml:"show-vuln-count" json:"show-vuln-count" mapstructure:"show-vuln-count"`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`var _ interface {`
`@@ -53,6 +54,7 @@ func DefaultXeol(id clio.Identification) *Xeol {`
`53`	`54`	`ProjectName: project,`
`54`	`55`	`CommitHash: commit,`
`55`	`56`	`ImagePath: "Dockerfile",`
	`57`	`+ ShowVulnCount: false,`
`56`	`58`	`}`
`57`	`59`	`return config`
`58`	`60`	`}`
`@@ -123,6 +125,11 @@ func (o *Xeol) AddFlags(flags clio.FlagSet) {`
`123`	`125`	`"platform", "",`
`124`	`126`	`"an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')",`
`125`	`127`	`)`
	`128`	`+`
	`129`	`+ flags.BoolVarP(&o.ShowVulnCount,`
	`130`	`+ "show-vuln-count", "",`
	`131`	`+ "show the number of vulnerabilities found for each package (default is false)",`
	`132`	`+ )`
`126`	`133`	`}`
`127`	`134`
`128`	`135`	`func (o *Xeol) parseLookaheadOption() (err error) {`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,10 @@ func (s *mockStore) GetCyclesByCpe(cpe string) ([]xeolDB.Cycle, error) {`
`19`	`19`	`return s.backend[cpe], nil`
`20`	`20`	`}`
`21`	`21`
	`22`	`+func (s *mockStore) GetVulnCountByPurlAndVersion(purl string, version string) (int, error) {`
	`23`	`+ return 0, nil`
	`24`	`+}`
	`25`	`+`
`22`	`26`	`func (s mockStore) GetAllProducts() ([]xeolDB.Product, error) {`
`23`	`27`	`return nil, nil`
`24`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ type EolStore interface {`
`36`	`36`	`type EolStoreReader interface {`
`37`	`37`	`GetCyclesByPurl(purl string) ([]Cycle, error)`
`38`	`38`	`GetCyclesByCpe(cpe string) ([]Cycle, error)`
	`39`	`+ GetVulnCountByPurlAndVersion(purl string, version string) (int, error)`
`39`	`40`	`GetAllProducts() (*[]Product, error)`
`40`	`41`	`}`
`41`	`42`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ type Provider interface {`
`13`	`13`
`14`	`14`	`type ProviderByPackagePurl interface {`
`15`	`15`	`GetByPackagePurl(p pkg.Package) ([]Cycle, error)`
	`16`	`+ GetVulnCount(p pkg.Package) (int, error)`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`type ProviderByDistroCpe interface {`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ type Fingerprint struct {`
`13`	`13`	`eolDate string`
`14`	`14`	`eolBool bool`
`15`	`15`	`lts string`
	`16`	`+ version string`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`func (m Fingerprint) String() string {`
Original file line number	Diff line number	Diff line change
`@@ -11,8 +11,9 @@ var ErrCannotMerge = fmt.Errorf("unable to merge eol matches")`
`11`	`11`
`12`	`12`	`// Match represents a finding in the eol matching process, pairing a single package and a single eol object.`
`13`	`13`	`type Match struct {`
`14`		`- Cycle eol.Cycle`
`15`		`- Package pkg.Package // The package used to search for a match.`
	`14`	`+ Cycle eol.Cycle`
	`15`	`+ Package pkg.Package // The package used to search for a match.`
	`16`	`+ VulnCount int`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`// String is the string representation of select match fields.`
`@@ -32,6 +33,7 @@ func (m Match) Fingerprint() Fingerprint {`
`32`	`33`	`eolDate: m.Cycle.Eol,`
`33`	`34`	`eolBool: m.Cycle.EolBool,`
`34`	`35`	`lts: m.Cycle.LTS,`
	`36`	`+ version: m.Package.Version,`
`35`	`37`	`}`
`36`	`38`	`}`
`37`	`39`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,10 @@ func (s *mockStore) GetCyclesByCpe(cpe string) ([]xeolDB.Cycle, error) {`
`29`	`29`	`return s.backend[cpe], nil`
`30`	`30`	`}`
`31`	`31`
	`32`	`+func (s *mockStore) GetVulnCountByPurlAndVersion(purl string, version string) (int, error) {`
	`33`	`+ return 0, nil`
	`34`	`+}`
	`35`	`+`
`32`	`36`	`func (s mockStore) GetAllProducts() ([]xeolDB.Product, error) {`
`33`	`37`	`return nil, nil`
`34`	`38`	`}`