From dc8a3c191ec7c2bc8e2d7547ab47cb3d58dd8d2b Mon Sep 17 00:00:00 2001
From: Khushboo Sancheti
Date: Wed, 9 Nov 2022 13:08:23 -0800
Subject: [PATCH 1/2] ROX-13347: Modify scope queries to included quoted cluster and namespace names, to allow exact matches instead of erroneous and unintended prefix matches.

---
 central/reports/common/query_builder_test.go | 2 +-
 pkg/sac/effectiveaccessscope/compacted.go | 4 ++--
 pkg/sac/effectiveaccessscope/compacted_test.go | 12 ++++++------
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/central/reports/common/query_builder_test.go b/central/reports/common/query_builder_test.go
index 8dc4038282ed7..3a7bff089cb58 100644
--- a/central/reports/common/query_builder_test.go
+++ b/central/reports/common/query_builder_test.go
@@ -70,6 +70,6 @@ func TestBuildQuery(t *testing.T) {
 	rq, err := qb.BuildQuery()
 	assert.NoError(t, err)
-	assert.ElementsMatch(t, []string{"Cluster:remote+Namespace:ns1", "Cluster:secured+Namespace:ns2"}, rq.ScopeQueries)
+	assert.ElementsMatch(t, []string{`Cluster:"remote"+Namespace:"ns1"`, `Cluster:"secured"+Namespace:"ns2"`}, rq.ScopeQueries)
 	assert.Equal(t, "Fixable:true+Severity:\"CRITICAL_VULNERABILITY_SEVERITY\",\"IMPORTANT_VULNERABILITY_SEVERITY\"", rq.CveFieldsQuery)
 }
diff --git a/pkg/sac/effectiveaccessscope/compacted.go b/pkg/sac/effectiveaccessscope/compacted.go
index 33c972ab4a4bd..b2e3b3d34f6bf 100644
--- a/pkg/sac/effectiveaccessscope/compacted.go
+++ b/pkg/sac/effectiveaccessscope/compacted.go
@@ -59,11 +59,11 @@ func (c ScopeTreeCompacted) ToScopeQueries() []string {
 	scopeQueries := make([]string, 0, len(c))
 	for cluster, namespaces := range c {
 		if len(namespaces) == 1 && namespaces[0] == "*" {
-			scopeQueries = append(scopeQueries, fmt.Sprintf("%s:%s", search.Cluster.String(), cluster))
+			scopeQueries = append(scopeQueries, fmt.Sprintf("%s:%q", search.Cluster.String(), cluster))
 			continue
 		}
 		for _, ns := range namespaces {
-			scopeQueries = append(scopeQueries, fmt.Sprintf("%s:%s+%s:%s",
+			scopeQueries = append(scopeQueries, fmt.Sprintf("%s:%q+%s:%q",
 				search.Cluster.String(), cluster, search.Namespace.String(), ns))
 		}
diff --git a/pkg/sac/effectiveaccessscope/compacted_test.go b/pkg/sac/effectiveaccessscope/compacted_test.go
index 6a928b9906f6d..c02a569d30ab9 100644
--- a/pkg/sac/effectiveaccessscope/compacted_test.go
+++ b/pkg/sac/effectiveaccessscope/compacted_test.go
@@ -23,14 +23,14 @@ func TestScopeQueries(t *testing.T) {
 			stc: map[string][]string{
 				"prodCluster": {"*"},
 			},
-			expectedScopeQueries: []string{"Cluster:prodCluster"},
+			expectedScopeQueries: []string{`Cluster:"prodCluster"`},
 		},
 		{
 			desc: "single cluster scope tree with specific namespaces",
 			stc: map[string][]string{
 				"prodCluster": {"webserver", "db"},
 			},
-			expectedScopeQueries: []string{"Cluster:prodCluster+Namespace:webserver", "Cluster:prodCluster+Namespace:db"},
+			expectedScopeQueries: []string{`Cluster:"prodCluster"+Namespace:"webserver"`, `Cluster:"prodCluster"+Namespace:"db"`},
 		},
 		{
 			desc: "multiple cluster scope tree with specific namespaces",
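Review bot: `%q` applies Go string-literal escaping (the `strconv.Quote` rules), so a cluster name containing a double quote, a backslash or a non-printable rune is emitted as `\"`, `\\` or a `\u` escape on both changed `fmt.Sprintf` lines, and nothing in this hunk shows whether the search query parser reads those escapes the same way; the old unquoted form never produced them, so such a name could now match nothing or fail to parse instead of being scoped exactly. Kubernetes namespace names are DNS labels and cannot contain those characters, but cluster names are operator-supplied, which is what makes the scope boundary worth pinning precisely. If the search package already has an exact-match quoting helper that the other query builders use (`search.ExactMatchString` looks like the candidate), route both values through it rather than `%q` so the quoting convention lives in one place, and add a test with a name containing `"` so the produced escape is asserted rather than assumed. The remainder of `ToScopeQueries`, including its return, lies outside this hunk.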
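Review bot: The updated `expectedScopeQueries` values only pin the textual shape of the query; no case in this table covers the situation the commit message describes, a cluster or namespace whose name is a prefix of another (e.g. a scope on `prod` alongside a cluster named `prodCluster`), so the exact-match guarantee still rests on how the search layer interprets the quotes, which this unit test cannot observe. Consider adding a case whose name contains a double quote or backslash (a constructed example: `my"cluster`) so the escaping `%q` produces is at least asserted, plus an integration-level test that a `prod` scope returns nothing from `prodCluster`. The same applies to the second hunk of this file at `-38,10`.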
@@ -38,10 +38,10 @@ func TestScopeQueries(t *testing.T) {
 				"prodCluster": {"webserver", "db"},
 				"testCluster": {"test1", "test2"},
 			},
-			expectedScopeQueries: []string{"Cluster:prodCluster+Namespace:webserver",
-				"Cluster:prodCluster+Namespace:db",
-				"Cluster:testCluster+Namespace:test1",
-				"Cluster:testCluster+Namespace:test2",
+			expectedScopeQueries: []string{`Cluster:"prodCluster"+Namespace:"webserver"`,
+				`Cluster:"prodCluster"+Namespace:"db"`,
+				`Cluster:"testCluster"+Namespace:"test1"`,
+				`Cluster:"testCluster"+Namespace:"test2"`,
 			},
 		},
 	}

From 2836471742ee4e3c79466db5a500dba3cd7a3dfc Mon Sep 17 00:00:00 2001
From: Khushboo Sancheti
Date: Mon, 14 Nov 2022 14:59:37 -0800
Subject: [PATCH 2/2] ROX-13347: Modify scope queries to included quoted cluster and namespace names, to allow exact matches instead of erroneous and unintended prefix matches.

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 091895a2ea648..4061d1cd03ca2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,4 @@
+
 # Changelog
 Entries in this file should be limited to:
 - Any changes that introduce a deprecation in functionality, OR
@@ -51,6 +52,7 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
 - ROX-13265: Fix missing rationale and remediation texts for default policy "Deployments should have at least one ingress Network Policy"
 - ROX-13500: Previously, deployment YAML check on V1 CronJob workload would cause Central to panic. This is now fixed.
 - `cves.ids` field of `storage.VulnerabilityRequest` object, which is in the response of `VulnerabilityRequestService` (`/v1/cve/requests/`) endpoints, has been renamed to `cves.cves`.
+- ROX-13347: Vulnerability reporting scopes specifying cluster and/or namespace names now perform exact matches on those entities, as opposed to the erroneous prefix match.

 ## [3.72.0]