Improve List performance (#83)

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>

plugins/trivy/pkg/api/gh/client.go

@@ -41,8 +41,21 @@ func (c *Client) Get(ctx context.Context, GHSA string) (*github.GlobalSecurityAd
 	}
 }
 
-func New(token string) *Client {
-	client := github.NewClient(api.NewHTTPClient())
+type ClientOption = func(*http.Client)
+
+func WithLogging() ClientOption {
+	return func(client *http.Client) {
+		client.Transport = api.NewLoggingRoundTripper(client.Transport)
+	}
+}
+
+func New(token string, options ...ClientOption) *Client {
+	httpClient := api.NewHTTPClient()
+	for _, o := range options {
+		o(httpClient)
+	}
+
+	client := github.NewClient(httpClient)
 	if token != "" {
 		client = client.WithAuthToken(token)
 	}

plugins/trivy/pkg/config/resolver.go

@@ -211,7 +211,13 @@ func (r *Resolver) CVEClient() (*cveawg.Client, error) {
 }
 
 func (r *Resolver) GHClient() *gh.Client {
-	return gh.New(r.config.Github.Token)
+	options := []gh.ClientOption{}
+
+	if r.config.Logging.API && r.config.Logging.LogLevel < 0 {
+		options = append(options, gh.WithLogging())
+	}
+
+	return gh.New(r.config.Github.Token, options...)
 }
 
 func (r *Resolver) VulnrDB() (*vulnr.Database, error) {

plugins/trivy/pkg/server/vulnr/v1/handler.go

@@ -32,6 +32,7 @@ func (h *APIHandler) Register(engine *gin.RouterGroup) error {
 }
 
 func (h *APIHandler) List(ctx *gin.Context) {
+	zap.L().Debug("fetching policy list from policy-reporter api")
 	list, err := h.coreAPI.ListPolicies(ctx, url.Values{"sources": []string{"Trivy Vulnerability"}})
 	if err != nil {
 		zap.L().Error("failed to list policy list from core api", zap.Error(err))
@@ -46,7 +47,7 @@ func (h *APIHandler) List(ctx *gin.Context) {
 	for _, p := range list {
 		p := p
 		g.Go(func() error {
-			v, err := h.service.Get(ctx, p.Name)
+			v, err := h.service.GetDescription(ctx, p.Name)
 			if err != nil {
 				return fmt.Errorf("%s: %w", p.Name, err)
 			}

plugins/trivy/pkg/utils/fallback.go

@@ -0,0 +1,9 @@
+package utils
+
+func Fallback(s, f string) string {
+	if s != "" {
+		return s
+	}
+
+	return f
+}

plugins/trivy/pkg/vulnr/database.go

@@ -1,6 +1,8 @@
 package vulnr
 
 import (
+	"fmt"
+
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/types"
 )
@@ -16,6 +18,10 @@ func (d *Database) Get(id string) (*types.Vulnerability, error) {
 		return nil, err
 	}
 
+	if v.Title == "" && v.Severity == "UNKNOWN" {
+		return nil, fmt.Errorf("vulnr %s not found", id)
+	}
+
 	return &v, err
 }
 

plugins/trivy/pkg/vulnr/mapper.go

@@ -9,6 +9,7 @@ import (
 	"github.com/google/go-github/v58/github"
 
 	"github.com/kyverno/policy-reporter-plugins/plugins/trivy/pkg/api/cveawg"
+	"github.com/kyverno/policy-reporter-plugins/plugins/trivy/pkg/utils"
 )
 
 func MapSecurityAdvisory(ghsa *github.GlobalSecurityAdvisory) *Vulnerability {
@@ -44,6 +45,38 @@ func MapSecurityAdvisory(ghsa *github.GlobalSecurityAdvisory) *Vulnerability {
 	return vulnr
 }
 
+func MapFromTrivyDB(id string, cve *types.Vulnerability) *Vulnerability {
+	return &Vulnerability{
+		ID:          id,
+		Title:       id,
+		Severity:    cve.Severity,
+		Description: utils.Fallback(cve.Description, cve.Title),
+		Details:     make([]Details, 0),
+		References:  make([]string, 0),
+	}
+}
+
+func MapFromAPI(id string, cve *cveawg.CVE) *Vulnerability {
+	vulnr := &Vulnerability{
+		ID:         id,
+		Title:      id,
+		Details:    make([]Details, 0),
+		References: make([]string, 0),
+	}
+
+	if len(cve.Containers.Cna.Descriptions) == 1 {
+		vulnr.Description = cve.Containers.Cna.Descriptions[0].Value
+	} else {
+		for _, d := range cve.Containers.Cna.Descriptions {
+			if d.Lang == "en" {
+				vulnr.Description = d.Value
+			}
+		}
+	}
+
+	return vulnr
+}
+
 func MapCVE(cve *cveawg.CVE, trivyCVE *types.Vulnerability) *Vulnerability {
 	vulnr := &Vulnerability{
 		ID:         cve.CveMetadata.CveID,
@@ -129,7 +162,9 @@ func MapCVE(cve *cveawg.CVE, trivyCVE *types.Vulnerability) *Vulnerability {
 		}
 
 		vulnr.Title = cve.CveMetadata.CveID
-		vulnr.Description = trivyCVE.Description
+		if trivyCVE.Description != "" {
+			vulnr.Description = trivyCVE.Description
+		}
 	} else {
 		for _, ref := range cve.Containers.Cna.References {
 			vulnr.References = append(vulnr.References, ref.URL)

plugins/trivy/pkg/vulnr/service.go

@@ -50,6 +50,44 @@ func (s *Service) Get(ctx context.Context, name string) (*Vulnerability, error)
 	return details, nil
 }
 
+func (s *Service) GetDescription(ctx context.Context, name string) (*Vulnerability, error) {
+	if cached, ok := s.cache.Get("list/" + name); ok {
+		return cached.(*Vulnerability), nil
+	}
+
+	if strings.HasPrefix(name, "GHSA") {
+		ghsa, err := s.ghClient.Get(ctx, name)
+		if err != nil {
+			return nil, err
+		}
+
+		details := MapSecurityAdvisory(ghsa)
+		s.cache.Set("list/"+name, details, gocache.DefaultExpiration)
+
+		return details, nil
+	}
+
+	if trivyCVE, err := s.db.Get(name); trivyCVE != nil {
+		details := MapFromTrivyDB(name, trivyCVE)
+		s.cache.Set("list/"+name, details, gocache.DefaultExpiration)
+
+		return details, nil
+	} else {
+		zap.L().Warn("unable to load CVE from TrivyDB", zap.String("cve", name), zap.Error(err))
+	}
+
+	cve, err := s.cveAPI.GetCVE(ctx, name)
+	if err != nil {
+		zap.L().Error("unable to load CVE from CVEAWG API", zap.String("cve", name), zap.Error(err))
+		return nil, err
+	}
+
+	details := MapFromAPI(name, cve)
+	s.cache.Set("list/"+name, details, gocache.DefaultExpiration)
+
+	return details, nil
+}
+
 func New(cveAPI *cveawg.Client, db *Database, ghClient *gh.Client, cache *gocache.Cache) *Service {
 	return &Service{cveAPI, db, ghClient, cache}
 }