Prevent vulns from being resolved if there is an error with a namespace scan
This MR fixes "Avoid resolving OCS vulns if a scanning pod fails" (gitlab-org/gitlab#487754, closed); the main fix is in the first commit.
The subsequent commits reinstate the tests that were removed in this MR, to ensure that all the edge cases are covered.
Background of the bug
When the main OCS scanner starts, it creates a scanning pod for each namespace to be scanned. Once a scanning pod completes and parses the detected vulnerabilities, it calls the PUT starboard_vulnerability endpoint to create the vulns and receives a UUID for each one.
These UUIDs are then passed back to the main OCS scanner, which calls POST scan_result with an array of all the UUIDs.
Any existing vulnerability whose UUID is not in this list is resolved.
This brings us to the root cause of the bug. When the scanning pod for a namespace fails, no vulnerabilities are created for it, so no UUIDs for that namespace are returned to the main OCS scanner. As a result, any vulnerabilities previously created in that namespace are absent from the scan_result list and are incorrectly resolved.
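The flow above, as an added example that is not the project's code: a constructed NamespaceScanResult type stands in for what each scanning pod returns, CollectUUIDs shows the guard (assumed here to be "skip POST scan_result when any namespace scan failed"), and ResolveMissing reproduces the server-side rule so the effect of the bug is visible on sample data.

```go
package main

import "fmt"

// NamespaceScanResult is a constructed stand-in (not the project's own type)
// for what one scanning pod hands back to the main OCS scanner.
type NamespaceScanResult struct {
	Namespace string
	UUIDs     []string // UUIDs returned by PUT starboard_vulnerability
	Err       error    // non-nil when the scanning pod failed
}

// CollectUUIDs gathers UUIDs for POST scan_result; ok is false when any
// namespace scan failed, so the caller skips the POST instead of resolving
// that namespace's existing vulns by omission (assumed shape of the fix).
func CollectUUIDs(results []NamespaceScanResult) (uuids []string, ok bool) {
	ok = true
	for _, r := range results {
		if r.Err != nil {
			ok = false
			continue
		}
		uuids = append(uuids, r.UUIDs...)
	}
	return uuids, ok
}

// ResolveMissing mirrors the server-side rule: existing UUIDs not reported are resolved.
func ResolveMissing(existing, reported []string) []string {
	seen := make(map[string]struct{}, len(reported))
	for _, u := range reported {
		seen[u] = struct{}{}
	}
	var resolved []string
	for _, u := range existing {
		if _, found := seen[u]; !found {
			resolved = append(resolved, u)
		}
	}
	return resolved
}

func main() {
	existing := []string{"ns-a-1", "ns-b-1"} // constructed UUIDs already stored
	results := []NamespaceScanResult{
		{Namespace: "ns-a", UUIDs: []string{"ns-a-1"}},
		{Namespace: "ns-b", Err: fmt.Errorf("scanning pod failed")},
	}
	uuids, ok := CollectUUIDs(results)
	fmt.Println("safe to POST:", ok, "would resolve:", ResolveMissing(existing, uuids))
}
```

With the ns-b pod failing, ok is false and the POST is skipped; without the guard, ns-b-1 would be resolved purely because its pod never reported.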
Refactoring notes
To streamline testing, I moved the startPodScanForNamespace method from scanner.go (the main OCS scanner) into namespace_scanner.go, as it logically handles the entire namespace scanning process, including the creation of the scanning pod and extraction of the vuln report.
To enable easier testing of scanner.go and namespace_scanner.go, I've introduced interfaces that allow GoMock to generate mocks for reporter.go, scanning_manager.go and namespace_scanner.go.
Review Checklist
- Be sure to consider the scalability and availability impact of these changes by evaluating their impact at scale.