0dZddlmZddlmZddlmZddlZddlZddlZddlm Z ddl m Z ddlmZdd lmZdd lmZdd lmZgd Zgd ZgdZdZdZdZdZdZdZdZdZ dZ!y)z/Utility for interacting with vex command group.)absolute_import)division)unicode_literalsN) exceptions)util)apis) docker_util)log) FileReader)component_not_presentvulnerable_code_not_present1vulnerable_code_cannot_be_controlled_by_adversary#vulnerable_code_not_in_execute_path inline_mitigations_already_exist)known_affectedknown_not_affectedfixedunder_investigation) mitigationno_fix_plannednone_available vendor_fix workaroundz ^[^:@\/]+$c tjdd} t|5}tj|}dddtd}d}|jd}|5|jd} | "| jd}| jd }|j|| } |r|n|} i} |d d D]O} | d} t| } || k7r| d }|d}dj| } |j|d|| }|| |<Qg}|dD]}|dD]}|d|D]t}| j|}|t|||| ||\}}|dj|}|jj j#||}|j%|v|| fS#1swYoxYw#t $rt jdwxYw)aReads a vex file and extracts notes. Args: filename: str, path to the vex file. image_uri: uri of the whole image version_uri: uri of a specific version Returns: A list of notes. Raises: ar_exceptions.InvalidInputValueError if user input is invalid. containeranalysisv1NzReading json file has faileddocument publishername namespace)r publisherNamespace product_treebranchesproduct product_idz https://{})r id genericUrivulnerabilitiesproduct_statuszimage-{})keyvalue)rGetMessagesModuler jsonload ValueError ar_exceptionsInvalidInputValueError _Validateget Publisher RemoveHTTPSformatProduct _MakeNoteBatchCreateNotesRequest NotesValueAdditionalPropertyappend)filename image_uri version_uri ca_messagesfilevexr r!rr generic_uriproductid_to_product_proto_map product_info artifact_urir%r& product_protonotesvulnstatusnoteidnotes 4lib/googlecloudsdk/command_lib/artifacts/vex_util.py ParseVexFilerO8s;&&':DA+ H  IIdOc   C. $) WWZ (  [)I ]]6 "d-- ,i## "$) + +#% .)*5l'L|,LL 9%G&J%%k2K'' V_ (M 2?":.6 %#$d'(-.v6*044Z@ ?  &'9h    $$V,&  / / : : M M$ N   T7)%"  q     . .& s! F3F&F3&F0+F33Gcf|jd}|tjd|jd}|tjdt|dkrtjd|D]\}|jd}|tjd t|j d d ksItjd |jd }|tjdt|dkrt j d|D] }t|y)zValidates vex file has all needed fields. Args: vex: json representing a vex document Raises: ar_exceptions.InvalidInputValueError if user input is invalid. r#Nz)product_tree is required in csaf documentr$z6branches are required in product tree in csaf documentz@at least one branch is expected in product tree in csaf documentr z1name is required in product tree in csaf document/zWname of product should be artifact path, showing repository, project, and package/imager)z-vulnerabilities are required in csaf documentz7at least one vulnerability is expected in csaf document)r4r1r2lensplitr warning_ValidateVulnerability)rCr#r$r%r r)rJs rNr3r3s?(,  . .3   j )(   . .@  ]Q  . .J g ;;v D |  0 0 =  4::c?a  0 0 ( GG-./  . .7  AKKIJd4 c|jd}|tjd|jd}|tjdt|dkrtjd|D]3}|tvs tjdj |t|jd }|I|D]D}|jd }|t vstjd j |t |jd }|J|D]D}|jd } | tvstjdj | tyy)zValidates vulnerability is structured correctly. Args: vuln: a vulnerability from vex document Raises: ar_exceptions.InvalidInputValueError if user input is invalid. cveNz7cve is required in all vulnerabilities in csaf documentr*zBproduct_status is required in all vulnerabilities in csaf documentrQz5at least one status is expected in each vulnerabilityzHInvalid product status passed in {}. Product status should be one of {}flagslabelz;Invalid flag label passed in {}. Label should be one of {} remediationscategoryzEInvalid remediation category passed in {}. Label should be one of {})r4r1r2rTPOSSIBLE_PRODUCT_STATUSr7POSSIBLE_JUSTIFICATION_FLAGSPOSSIBLE_REMEDIATION_CATEGORIES) rJcve_namer*rKr[flagr\r] remediationr^s rNrWrWstXXe_(   . .A 88,-.  . .L  1  . .? f ,,  0 0 6&"9:  ((7 % hhwe 2 222 I VE7 8  .),# ,h 8 822 VH&EF  $rXcJd}g}d}d} |jd} | | D] } | ddk(s | }|dk(r.|jjj}t |||}n~|dk(r.|jjj }t |||} nK|dk(r!|jjj}n%|dk(r |jjj}|j|j|d |||j|d ||d nd||d nd|||  } | jjj| jjjz} t!j"| j%} | j'}|| fS)aMakes a note. Args: vuln: vulnerability proto status: string of status of vulnerability product: product proto publisher: publisher proto. document: document proto. msgs: container analysis messages Returns: noteid, and note NrIr^ descriptionrrrrtitlerZtext)vulnerabilityIdshortDescriptionlongDescriptionstater] justification)rgrr% assessment)vulnerabilityAssessment)r4 AssessmentStateValueValuesEnumAFFECTED_GetRemediations NOT_AFFECTED_GetJustificationsFIXEDUNDER_INVESTIGATIONNoteVulnerabilityAssessmentNoteror%r(rnrihashlibmd5encode hexdigest)rJrKr%rrmsgsrlr] desc_notermrIrMr+resultrLs rNr9r9s %,)- ((7 %  j ] *   OO 0 0 9 9E#D'48L %% OO 0 0 = =E&tWd;M  OO 0 0 6 6E && OO 0 0 D DE ">>!__"5k& )1&(/')%  ?  $( ""**55 $$//??@ ;;szz| $&    & rXc8g}|jd}||S|D]}}|d}|d}|jjj|j }|dD]6} | |j k(s|j||}|j |8|S)zGet remediations. Args: vuln: vulnerability proto product: product proto msgs: container analysis messages Returns: remediations proto r]r^details product_ids)remediationTyper)r4 RemediationRemediationTypeValueValuesEnumlookup_by_nameupperr'r=) rJr%r~r]vuln_remediationsrdremediation_typeremediation_detailremediation_enumr&s rNrsrs!s,hh~. &k":.$Y/ 77FF  " " $  "-0 wzz !&&,6H'  K( 1' rXcd}|jd}||jS|D];}|jd}|jdD]}||jk(s|}=|jjj }||j } |jj| } |j| } | S)zGet justifications. Args: vuln: vulnerability proto product: product proto msgs: container analysis messages Returns: justification proto justification_type_unspecifiedr[r\r)justificationType)r4 Justificationr' JustificationTypeValueValuesEnumto_dictr) rJr%r~justification_type_as_stringr[rcr\r& enum_dictnumberjustification_typerms rNruruAs"B ((7 % ]    d HHW Ehh}- wzz !',$.  99AAC  1779 :& 99&A$$*%- rXcddddd}d}d}d}tjtj|}|r6||j d}|j d}|j d}tjtj |}|rG||j d}|j dj d d d }|j d}|r|r|stjd tjt|}|r||dfS tj|}tt||?}||t!|fS#tj$r}tjd |d}~wwxYw)zParse GCR URL. Args: url: gcr url for version, tag or whole image Returns: strings of project, image url and version url Raises: ar_exceptions.InvalidInputValueError: If user input is invalid. useuropeasia)z us.gcr.iozgcr.ioz eu.gcr.ioz asia.gcr.ioNrepoprojectimagerR:rQzFailed to parse the GCR image.z)Failed to resolve digest of the GCR image)rematchr GCR_DOCKER_REPO_REGEXgroup#GCR_DOCKER_DOMAIN_SCOPED_REPO_REGEXreplacer1r2WHOLE_IMAGE_REGEXgcr_utilGetDigestFromNameInvalidImageNameErrorsupertype__str__str) url location_maplocationrrmatches docker_digeste image_urls rN ParseGCRUrlrbsu , ( ' % HH[66 <' GMM&12HmmI&G MM' "E HH[DDc J' GMM&12HmmI&..sC;G MM' "E   . .(  HH& .' C  ..s3M D'?A) )S/ //  ' '  . .3    sEE<!E77E<cHd}|j|r|t|dS|S)Nzhttps://) startswithrT)uriprefixs rNr6r6s) &^^F s6{|  *rX)"__doc__ __future__rrrrzr.r googlecloudsdk.api_lib.artifactsrr1'googlecloudsdk.api_lib.container.imagesrrgooglecloudsdk.api_lib.utilr$googlecloudsdk.command_lib.artifactsr googlecloudsdk.corer googlecloudsdk.core.util.filesr r`r_rarrOr3rWr9rsrurr6rXrNrs~6&' HD,<#5 2 #"JZ+!\. b:z@B.0b rX