From 5208643fa87b8de25a7466d4ce03271166f041c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Pra=C5=BCak?=
Date: Thu, 22 Feb 2018 01:53:27 +0100
Subject: [PATCH] main/vulns: add fixable group (#67)

- add a new group of "Fixable" vulns
- exit with error on any fixable vulns
- add fixable-threshold parameter
---
 clair/types.go | 2 +-
 main.go | 27 +++++++++++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)
diff --git a/clair/types.go b/clair/types.go
index 002bba1e..0fa531cc 100644
--- a/clair/types.go
+++ b/clair/types.go
@@ -19,7 +19,7 @@ func IsEmptyLayer(blobSum digest.Digest) bool {
 
 var (
 // Priorities are the vulnerability priority labels.
-Priorities = []string{"Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"}
+Priorities = []string{"Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1", "Fixable"}
 )
 
 // Error describes the structure of a clair error.
diff --git a/main.go b/main.go
index 5728d344..44f0a4aa 100644
--- a/main.go
+++ b/main.go
@@ -276,11 +276,19 @@ func main() {
 Name: "clair",
 Usage: "url to clair instance",
 },
+cli.IntFlag{
+Name: "fixable-threshold",
+Usage: "number of fixable issues permitted",
+Value: 0,
+},
 },
 Action: func(c *cli.Context) error {
 if c.String("clair") == "" {
 return errors.New("clair url cannot be empty, pass --clair")
 }
+if c.Int("fixable-threshold") < 0 {
+return errors.New("fixable threshold must be a positive integer")
+}
 if len(c.Args()) < 1 {
 return fmt.Errorf("pass the name of the repository")
 }
@@ -362,6 +370,10 @@ func main() {
 for _, v := range vulns {
 sevRow := vulnsBy(v.Severity, store)
 store[v.Severity] = append(sevRow, v)
+if len(v.FixedBy) > 0 {
+fixRow := vulnsBy("Fixable", store)
+store["Fixable"] = append(fixRow, v)
+}
 }
 
 // iterate over the priorities list
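Review bot: Appending "Fixable" to Priorities puts a label that is not a severity into the list documented as "the vulnerability priority labels", so any consumer that reads Priorities as an ordered severity scale now sees a non-severity value at its top end. The main.go hunks in this patch appear to rely on that last-place position to print and count the bucket after the real severities, which is worth stating where the list is declared, e.g. `// Priorities are the vulnerability priority labels; "Fixable" is not a severity but a pseudo-bucket, kept last, for vulnerabilities that have a known fix.`. Because the same literal is repeated in main.go, a named constant beside this slice (e.g. `PriorityFixable = "Fixable"`, name constructed) would keep the declaration and its users in sync.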
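Review bot: The added check rejects only negative values, yet the error text says "positive integer" while the default of 0 — which the later threshold check turns into "fail on any fixable vulnerability" — is accepted; `return errors.New("fixable threshold must be a non-negative integer")` matches the condition as written. The flag's Usage could also say what the number gates, e.g. `Usage: "number of fixable vulnerabilities permitted before the run exits with an error"`. main continues outside this hunk.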
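Review bot: A vulnerability with a non-empty FixedBy is appended to both its severity bucket and "Fixable", so the per-severity counts still include it and the per-bucket listing will print it twice; that is presumably intended but unstated, and a comment such as `// a fixable vuln stays in its severity bucket and is additionally collected under "Fixable" for the threshold check` would keep the next reader from reporting it as a double-count bug. The "Fixable" literal also appears in the printing hunk (@@ -374) and the threshold hunk (@@ -382) and must match the label added to clair.Priorities; a typo in any one place yields an empty bucket and a threshold check that silently never fires, so a shared constant is safer than repeating the string. The range loop is complete within the hunk, but main extends beyond it.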
@@ -374,7 +386,12 @@ func main() {
 }
 iteratePriorities(func(sev string) {
 for _, v := range store[sev] {
-fmt.Printf("%s: [%s] \n%s\n%s\n", v.Name, v.Severity, v.Description, v.Link)
+if sev == "Fixable" {
+fmt.Printf("%s: [%s] \n%s\n%s\n", v.Name, v.Severity+" - Fixable", v.Description, v.Link)
+fmt.Printf("Fixed by: %s\n", v.FixedBy)
+} else {
+fmt.Printf("%s: [%s] \n%s\n%s\n", v.Name, v.Severity, v.Description, v.Link)
+}
 fmt.Println("-----------------------------------------")
 }
 })
@@ -382,10 +399,16 @@ func main() {
 fmt.Printf("%s: %d\n", sev, len(store[sev]))
 })
 
+// return an error if there are more than 1 fixable vulns
+lenFixableVulns := len(store["Fixable"])
+if lenFixableVulns > c.Int("fixable-threshold") {
+logrus.Fatalf("%d fixable vulnerabilities found", lenFixableVulns)
+}
+
 // return an error if there are more than 10 bad vulns
 lenBadVulns := len(store["High"]) + len(store["Critical"]) + len(store["Defcon1"])
 if lenBadVulns > 10 {
-logrus.Fatalf("%d bad vunerabilities found", lenBadVulns)
+logrus.Fatalf("%d bad vulnerabilities found", lenBadVulns)
 }
 return nil
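Review bot: The two Printf branches in the @@ -374 hunk differ only in the severity label, so the same format string is now maintained in two places and will drift the next time the output is touched; computing the label once and keeping a single format line removes the duplication without changing what is printed. It would also help to note above the loop that the "Fixable" bucket re-prints each fixable vulnerability after its own severity bucket, since a reader of the output may otherwise take the repeat for a reporting error. The iteratePriorities closure begins inside the hunk, but main starts outside it.
```go
		for _, v := range store[sev] {
			label := v.Severity
			if sev == "Fixable" {
				label += " - Fixable"
			}
			fmt.Printf("%s: [%s] \n%s\n%s\n", v.Name, label, v.Description, v.Link)
			if sev == "Fixable" {
				fmt.Printf("Fixed by: %s\n", v.FixedBy)
			}
			// … unchanged: separator line …
```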