WorkloadStatusVulnerable (#143)

* WIP

* storybook complete

* vulnerability report page and support vulnerable workload error

* fix lint

* wat

Author: andnorda

src/lib/AppErrorTypeToMessage.svelte

@@ -135,7 +135,7 @@
 				{/if}
 				The threshold is determined by either having more than one critical vulnerability or a combined
 				risk score of other severities exceeding 100. Please keep your dependencies up to date. See
-				<a href="/team/{team}/{env}/app/{app}/image">image details</a> for more details.
+				<a href="/team/{team}/{env}/app/{app}/vulnerability-report">image details</a> for more details.
 			</Alert>
 		{:else if type !== 'WorkloadStatusOutboundNetwork' && type !== 'WorkloadStatusInboundNetwork'}
 			<Alert variant="error">Unkown error</Alert>

src/lib/components/Icon.svelte

@@ -70,6 +70,7 @@
 			case 'utilization':
 				return LineGraphStackedIcon;
 			case 'vulnerabilities':
+			case 'vulnerability report':
 				return VirusIcon;
 			case 'members':
 				return PersonGroupIcon;

src/lib/components/Menu.stories.svelte

@@ -54,7 +54,10 @@
 				{ label: 'Status', href: '/team/devteam/dev/app/app-w-all-storage/status' }
 			],
 			[
-				{ label: 'Image', href: '/team/devteam/dev/app/app-w-all-storage/image' },
+				{
+					label: 'Vulnerability Report',
+					href: '/team/devteam/dev/app/app-w-all-storage/vulnerability-report'
+				},
 				{ label: 'Deployments', href: '/team/devteam/dev/app/app-w-all-storage/deploys' },
 				{ label: 'Cost', href: '/team/devteam/dev/app/app-w-all-storage/cost' },
 				{

src/lib/components/WorkloadsWithSBOM.svelte

@@ -141,7 +141,7 @@
 		});
 	};
 
-	const imageUrl = (workload: {
+	const vulnerabilityReportUrl = (workload: {
 		readonly __typename: string | null;
 		readonly id: string;
 		readonly name: string;
@@ -154,7 +154,7 @@
 			readonly slug: string;
 		};
 	}) => {
-		return `/team/${workload.team.slug}/${workload.teamEnvironment.environment.name}/${workload.__typename === 'Application' ? 'app' : 'job'}/${workload.name}/image`;
+		return `/team/${workload.team.slug}/${workload.teamEnvironment.environment.name}/${workload.__typename === 'Application' ? 'app' : 'job'}/${workload.name}/vulnerability-report`;
 	};
 
 	export function severityToColorWithHover(severity: string): string {
@@ -247,7 +247,10 @@
 									<Tooltip content="critical">
 										{#if workload.image.vulnerabilitySummary}
 											{#if workload.image.vulnerabilitySummary.critical > 0}
-												<a href={imageUrl(workload)} class="vulnerability-count CRITICAL">
+												<a
+													href={vulnerabilityReportUrl(workload)}
+													class="vulnerability-count CRITICAL"
+												>
 													{workload.image.vulnerabilitySummary
 														? workload.image.vulnerabilitySummary.critical
 														: '-'}
@@ -268,7 +271,7 @@
 									<Tooltip content="high">
 										{#if workload.image.vulnerabilitySummary}
 											{#if workload.image.vulnerabilitySummary.high > 0}
-												<a href={imageUrl(workload)} class="vulnerability-count HIGH">
+												<a href={vulnerabilityReportUrl(workload)} class="vulnerability-count HIGH">
 													{workload.image.vulnerabilitySummary
 														? workload.image.vulnerabilitySummary.high
 														: '-'}
@@ -289,7 +292,10 @@
 									<Tooltip content="medium">
 										{#if workload.image.vulnerabilitySummary}
 											{#if workload.image.vulnerabilitySummary.medium > 0}
-												<a href={imageUrl(workload)} class="vulnerability-count MEDIUM">
+												<a
+													href={vulnerabilityReportUrl(workload)}
+													class="vulnerability-count MEDIUM"
+												>
 													{workload.image.vulnerabilitySummary
 														? workload.image.vulnerabilitySummary.medium
 														: '-'}
@@ -310,7 +316,7 @@
 									<Tooltip content="low">
 										{#if workload.image.vulnerabilitySummary}
 											{#if workload.image.vulnerabilitySummary.low > 0}
-												<a href={imageUrl(workload)} class="vulnerability-count LOW">
+												<a href={vulnerabilityReportUrl(workload)} class="vulnerability-count LOW">
 													{workload.image.vulnerabilitySummary
 														? workload.image.vulnerabilitySummary.low
 														: '-'}
@@ -331,7 +337,10 @@
 									<Tooltip content="unassigned">
 										{#if workload.image.vulnerabilitySummary}
 											{#if workload.image.vulnerabilitySummary.unassigned > 0}
-												<a href={imageUrl(workload)} class="vulnerability-count UNASSIGNED">
+												<a
+													href={vulnerabilityReportUrl(workload)}
+													class="vulnerability-count UNASSIGNED"
+												>
 													{workload.image.vulnerabilitySummary.unassigned}
 												</a>
 											{:else}
@@ -349,7 +358,10 @@
 								<div class="vulnerability-summary">
 									<Tooltip content="risk score">
 										<BodyShort class="vulnerability-count">
-											<a href={imageUrl(workload)} class="vulnerability-count RISK_SCORE">
+											<a
+												href={vulnerabilityReportUrl(workload)}
+												class="vulnerability-count RISK_SCORE"
+											>
 												{workload.image.vulnerabilitySummary
 													? workload.image.vulnerabilitySummary.riskScore
 													: '-'}

src/lib/components/errors/DeprecatedImageRegistry.stories.svelte

@@ -18,6 +18,9 @@
 			registry: 'docker.pkg.github.com'
 		}}
 		workloadType="App"
+		teamSlug="team-service-management"
+		workloadName="ip-lookup-preprod"
+		environment="dev-fss"
 	/>
 </Story>
 

src/lib/components/errors/ErrorMessage.svelte

@@ -1,3 +1,14 @@
+<script module>
+	export const supportedErrorTypes = [
+		'WorkloadStatusInvalidNaisYaml',
+		'WorkloadStatusSynchronizationFailing',
+		'WorkloadStatusDeprecatedRegistry',
+		'WorkloadStatusNoRunningInstances',
+		'WorkloadStatusFailedRun',
+		'WorkloadStatusVulnerable'
+	] as const;
+</script>
+
 <script lang="ts">
 	import { WorkloadStatusErrorLevel, type ValueOf } from '$houdini';
 	import { Alert, BodyLong, Heading } from '@nais/ds-svelte-community';
@@ -6,9 +17,15 @@
 		error,
 		workloadType,
 		instances,
+		teamSlug,
+		workloadName,
+		environment,
 		docURL
 	}: {
 		workloadType: 'App' | 'Job';
+		teamSlug: string;
+		workloadName: string;
+		environment: string;
 		instances?: {
 			name: string;
 			status: { message: string };
@@ -33,6 +50,11 @@
 							name: string;
 							detail: string;
 					  }
+					| {
+							__typename: 'WorkloadStatusVulnerable';
+							riskScore: number;
+							critical: number;
+					  }
 			  ))
 			| { __typename: "non-exhaustive; don't match this" };
 		docURL: (path: string) => string;
@@ -55,7 +77,8 @@
 		WorkloadStatusSynchronizationFailing: 'Rollout Failed - Synchronization Error',
 		WorkloadStatusDeprecatedRegistry: 'Deprecated Image Registry',
 		WorkloadStatusNoRunningInstances: 'No Running Instances',
-		WorkloadStatusFailedRun: 'Job Failed'
+		WorkloadStatusFailedRun: 'Job Failed',
+		WorkloadStatusVulnerable: 'High Risk: Vulnerabilities Detected'
 	};
 </script>
 
@@ -139,6 +162,31 @@
 				<BodyLong>
 					Check logs if available. If you're unable to resolve the issue, contact the Nais team.
 				</BodyLong>
+			{:else if error.__typename === 'WorkloadStatusVulnerable'}
+				<BodyLong>
+					{#if error.riskScore > 100}
+						<strong>Risk Score:</strong>
+						{error.riskScore} (Exceeds threshold of 100)<br />
+					{/if}
+					{#if error.critical > 0}
+						<strong>Critical Vulnerabilities:</strong>
+						{error.critical}
+					{/if}
+				</BodyLong>
+				<BodyLong>
+					Workloads are flagged as vulnerable if their dependencies have a high risk score or
+					critical vulnerabilities.
+				</BodyLong>
+				<BodyLong>
+					Review detailed vulnerability information in the <a
+						href="/team/{teamSlug}/{environment}/{workloadType === 'Job'
+							? 'job'
+							: 'app'}/{workloadName}/vulnerability-report">Vulnerability Report</a
+					>, and update affected dependencies to their latest patched versions.
+				</BodyLong>
+				<BodyLong>
+					Ignoring these vulnerabilities can expose your application to potential security breaches.
+				</BodyLong>
 			{/if}
 		</div>
 	</Alert>

src/lib/components/errors/FailedRun.stories.svelte

@@ -19,6 +19,9 @@
 			detail: 'Run failed after 7 attempts'
 		}}
 		workloadType="Job"
+		teamSlug="team-service-management"
+		workloadName="aareg-sync-konkurser-q4-29028365"
+		environment="dev-fss"
 	/>
 </Story>
 

src/lib/components/errors/InvalidManifest.stories.svelte

@@ -19,6 +19,9 @@
 				'the domain "roger.com" cannot be used in cluster "dev-gcp"; use one of dev.nav.cloud.nais.io, external.dev.nav.cloud.nais.io, authenticated.dev.nav.cloud.nais.io, .intern.dev.nav.no, .dev-gcp.nav.cloud.nais.io, .ekstern.dev.nav.no, .ansatt.dev.nav.no, .very.intern.dev.nav.no'
 		}}
 		workloadType="App"
+		teamSlug="team-service-management"
+		workloadName="ip-lookup-preprod"
+		environment="dev-fss"
 	/>
 </Story>
 

src/lib/components/errors/NoRunningInstances.stories.svelte

@@ -21,6 +21,9 @@
 			{ name: 'bidrag-sak-675cdddb5-vpc6m', status: { message: 'ImagePullBackOff' } }
 		]}
 		workloadType="App"
+		teamSlug="team-service-management"
+		workloadName="ip-lookup-preprod"
+		environment="dev-fss"
 	/>
 </Story>
 

src/lib/components/errors/RiskScore.stories.svelte

@@ -0,0 +1,106 @@
+<script module>
+	import { defineMeta } from '@storybook/addon-svelte-csf';
+	import ErrorMessage from './ErrorMessage.svelte';
+	import TeamErrorMessage from './TeamErrorMessage.svelte';
+
+	const { Story } = defineMeta({
+		title: 'Errors/Vulnerable Image',
+		tags: ['autodocs']
+	});
+</script>
+
+<Story name="Risk Score - Workload">
+	<ErrorMessage
+		docURL={(p) => p}
+		error={{
+			__typename: 'WorkloadStatusVulnerable',
+			level: 'WARNING',
+			riskScore: 276,
+			critical: 0
+		}}
+		teamSlug="team-service-management"
+		workloadName="ip-lookup-preprod"
+		environment="dev-fss"
+		workloadType="App"
+	/>
+</Story>
+
+<Story name="Critical - Workload">
+	<ErrorMessage
+		docURL={(p) => p}
+		error={{
+			__typename: 'WorkloadStatusVulnerable',
+			level: 'WARNING',
+			riskScore: 70,
+			critical: 7
+		}}
+		teamSlug="team-service-management"
+		workloadName="ip-lookup-preprod"
+		environment="dev-fss"
+		workloadType="App"
+	/>
+</Story>
+
+<Story name="Both - Workload">
+	<ErrorMessage
+		docURL={(p) => p}
+		error={{
+			__typename: 'WorkloadStatusVulnerable',
+			level: 'WARNING',
+			riskScore: 276,
+			critical: 1
+		}}
+		teamSlug="team-service-management"
+		workloadName="ip-lookup-preprod"
+		environment="dev-fss"
+		workloadType="App"
+	/>
+</Story>
+
+<Story name="Team - Singular">
+	<TeamErrorMessage
+		teamSlug="team-service-management"
+		error={{
+			__typename: 'WorkloadStatusVulnerable',
+			level: 'WARNING'
+		}}
+		workloads={[
+			{
+				__typename: 'App',
+				name: 'ip-lookup-preprod',
+				teamEnvironment: { environment: { name: 'dev-fss' } },
+				team: { slug: 'team-service-management' }
+			}
+		]}
+	/>
+</Story>
+
+<Story name="Team - Multiple">
+	<TeamErrorMessage
+		teamSlug="team-service-management"
+		error={{
+			__typename: 'WorkloadStatusVulnerable',
+			level: 'WARNING'
+		}}
+		workloads={[
+			{
+				__typename: 'App',
+				name: 'ip-lookup-preprod',
+				teamEnvironment: { environment: { name: 'dev-fss' } },
+				team: { slug: 'team-service-management' }
+			},
+			{
+				__typename: 'App',
+				name: 'tsm-dustin-integration-preprod',
+				teamEnvironment: { environment: { name: 'prod-fss' } },
+				team: { slug: 'team-service-management' }
+			},
+			{
+				__typename: 'App',
+				name: 'tsm-dustin-integration-preprod',
+				teamEnvironment: { environment: { name: 'prod-fss' } },
+				team: { slug: 'team-service-management' }
+			}
+		]}
+	/>
+</Story>

src/lib/components/errors/SynchronizationError.stories.svelte

@@ -19,6 +19,9 @@
 				'persisting SQLInstance to Kubernetes: validation error: refusing to overwrite manually edited resource; please add the correct ownerReference in order to continue'
 		}}
 		workloadType="Job"
+		teamSlug="team-service-management"
+		workloadName="ip-lookup-preprod"
+		environment="dev-fss"
 	/>
 </Story>