feat: rpc and db query for summary history

Co-authored-by: sindrerh2 <[email protected]>

Author: tommytroen

cmd/cli/main.go

@@ -18,6 +18,7 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 )
@@ -34,6 +35,7 @@ type options struct {
 	workload  string
 	limit     int64
 	order     string
+	since     string
 }
 
 func main() {
@@ -89,7 +91,8 @@ func main() {
 						Action: func(ctx context.Context, cmd *cli.Command) error {
 							return listVulnz(ctx, cmd, c, opts)
 						},
-					}, {
+					},
+					{
 						Name:    "summary",
 						Aliases: []string{"s"},
 						Usage:   "list vulnerability summary for filter",
@@ -98,6 +101,15 @@ func main() {
 							return listSummaries(ctx, cmd, c, opts)
 						},
 					},
+					{
+						Name:    "history",
+						Aliases: []string{"h"},
+						Usage:   "list vulnerability summary history for filter",
+						Flags:   commonFlags(opts),
+						Action: func(ctx context.Context, cmd *cli.Command) error {
+							return listSummaryHistory(ctx, cmd, c, opts)
+						},
+					},
 				},
 			},
 			{
@@ -309,6 +321,107 @@ func listSummaries(ctx context.Context, cmd *cli.Command, c vulnerabilities.Clie
 	return nil
 }
 
+// convertDuration converts a duration string with Y (years), M (months), W (weeks), D (days) into hours (h).
+func convertDuration(duration string) (string, error) {
+	multipliers := map[string]int{
+		"Y": 365 * 24, // 1 year = 8760 hours
+		"M": 30 * 24,  // 1 month = 30 days = 30 * 24 hours
+		"W": 7 * 24,   // 1 week = 7 days = 7 * 24 hours
+		"D": 24,       // 1 day = 24 hours
+	}
+
+	for unit, multiplier := range multipliers {
+		if strings.HasSuffix(duration, unit) {
+			trimmed, _ := strings.CutSuffix(duration, unit)
+			num, err := strconv.Atoi(trimmed)
+			if err != nil {
+				return "", fmt.Errorf("invalid duration: %s", duration)
+			}
+			return strconv.Itoa(num*multiplier) + "h", nil
+		}
+	}
+
+	// If no recognized suffix, return as-is
+	return duration, nil
+}
+
+func listSummaryHistory(ctx context.Context, cmd *cli.Command, c vulnerabilities.Client, o *options) error {
+	offset := 0
+	s, err := convertDuration(o.since)
+	if err != nil {
+		return err
+	}
+	duration, err := time.ParseDuration(s)
+	if err != nil {
+		return fmt.Errorf("invalid duration: %s", o.since)
+	}
+	// Compute past timestamp
+	sinceTime := time.Now().Add(-duration)
+
+	for {
+		opts := parseOptions(cmd, o)
+		opts = append(opts, vulnerabilities.Offset(int32(offset)))
+
+		start := time.Now()
+		resp, err := c.ListVulnerabilitySummaryHistory(ctx, sinceTime, opts...)
+		if err != nil {
+			return err
+		}
+
+		headerFmt := color.New(color.FgGreen, color.Underline).SprintfFunc()
+		columnFmt := color.New(color.FgYellow).SprintfFunc()
+
+		tbl := table.New("Workload", "Cluster", "Namespace", "Has SBOM", "Critical", "High", "Medium", "Low", "Unassigned", "RiskScore", "LastUpdated")
+		tbl.WithHeaderFormatter(headerFmt).WithFirstColumnFormatter(columnFmt)
+
+		for _, n := range resp.GetNodes() {
+			tbl.AddRow(
+				// kills the layout
+				// n.Workload.GetImageName()+":"+n.GetWorkload().GetImageTag(),
+				n.Workload.GetName(),
+				n.Workload.GetCluster(),
+				n.Workload.GetNamespace(),
+				n.GetVulnerabilitySummary().GetHasSbom(),
+				n.GetVulnerabilitySummary().GetCritical(),
+				n.GetVulnerabilitySummary().GetHigh(),
+				n.GetVulnerabilitySummary().GetMedium(),
+				n.GetVulnerabilitySummary().GetLow(),
+				n.GetVulnerabilitySummary().GetUnassigned(),
+				n.GetVulnerabilitySummary().GetRiskScore(),
+				n.GetVulnerabilitySummary().GetLastUpdated().AsTime().Format(time.RFC3339),
+			)
+		}
+
+		tbl.Print()
+		numFetched := offset + int(o.limit)
+		if numFetched > int(resp.PageInfo.TotalCount) {
+			numFetched = int(resp.PageInfo.TotalCount)
+		}
+		fmt.Printf("Fetched %d of total '%d' summaries in %f seconds.\n", numFetched, resp.PageInfo.TotalCount, time.Since(start).Seconds())
+
+		// Check if there is another page
+		if !resp.GetPageInfo().GetHasNextPage() {
+			fmt.Printf("No more pages available.\n")
+			break
+		}
+
+		// Ask user for input to continue pagination
+		fmt.Println("Press 'n' for next page, 'q' to quit:")
+		reader := bufio.NewReader(os.Stdin)
+		input, _ := reader.ReadString('\n')
+		input = strings.TrimSpace(input)
+
+		if input == "q" {
+			break
+		} else if input == "n" {
+			offset += int(o.limit)
+		} else {
+			fmt.Println("Invalid input. Use 'n' for next page or 'q' to quit.")
+		}
+	}
+	return nil
+}
+
 func listVulnz(ctx context.Context, cmd *cli.Command, c vulnerabilities.Client, o *options) error {
 	offset := 0
 	for {
@@ -473,6 +586,13 @@ func commonFlags(opts *options, excludes ...string) []cli.Flag {
 			Usage:       "order by field, use 'field:desc' for descending order",
 			Destination: &opts.order,
 		},
+		&cli.StringFlag{
+			Name:        "since",
+			Aliases:     []string{"s"},
+			Value:       "24h",
+			Usage:       "Specify a relative time (e.g. '1Y' for last year, '1M' for last month, '2D' for last 2 days, '12h' for last 12 hours, '30m' for last 30 minutes)",
+			Destination: &opts.since,
+		},
 	}
 	for _, f := range cFlags {
 		exclude := false

internal/api/grpcvulnerabilities/summary.go

@@ -5,14 +5,14 @@ import (
 	"errors"
 	"fmt"
 	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgtype"
 	"github.com/nais/v13s/internal/api/grpcpagination"
 	"github.com/nais/v13s/internal/collections"
 	"github.com/nais/v13s/internal/database/sql"
 	"github.com/nais/v13s/pkg/api/vulnerabilities"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
-// TODO: do we want image_name and image_tag as filter aswell? must update sql query
 func (s *Server) ListVulnerabilitySummaries(ctx context.Context, request *vulnerabilities.ListVulnerabilitySummariesRequest) (*vulnerabilities.ListVulnerabilitySummariesResponse, error) {
 	limit, offset, err := grpcpagination.Pagination(request)
 	if err != nil {
@@ -55,24 +55,104 @@ func (s *Server) ListVulnerabilitySummaries(ctx context.Context, request *vulner
 				Low:         safeInt(row.Low),
 				Unassigned:  safeInt(row.Unassigned),
 				RiskScore:   safeInt(row.RiskScore),
-				LastUpdated: timestamppb.New(row.VulnerabilityUpdatedAt.Time),
+				LastUpdated: timestamppb.New(row.SummaryUpdatedAt.Time),
 				HasSbom:     row.HasSbom,
 			},
 		}
 	})
 
-	pageInfo, err := grpcpagination.PageInfo(request, len(ws))
+	total, err := s.querier.CountVulnerabilitySummaries(ctx, sql.CountVulnerabilitySummariesParams{
+		Cluster:      request.GetFilter().Cluster,
+		Namespace:    request.GetFilter().Namespace,
+		WorkloadType: request.GetFilter().FuzzyWorkloadType(),
+		WorkloadName: request.GetFilter().Workload,
+	})
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to count summaries: %w", err)
 	}
 
+	pageInfo, err := grpcpagination.PageInfo(request, int(total))
+	if err != nil {
+		return nil, err
+	}
 	response := &vulnerabilities.ListVulnerabilitySummariesResponse{
 		Nodes:    ws,
 		PageInfo: pageInfo,
 	}
 	return response, nil
 }
 
+func (s *Server) ListVulnerabilitySummaryHistory(ctx context.Context, request *vulnerabilities.ListVulnerabilitySummaryHistoryRequest) (*vulnerabilities.ListVulnerabilitySummaryHistoryResponse, error) {
+	limit, offset, err := grpcpagination.Pagination(request)
+	if err != nil {
+		return nil, err
+	}
+
+	if request.GetFilter() == nil {
+		request.Filter = &vulnerabilities.Filter{}
+	}
+
+	summaries, err := s.querier.ListVulnerabilitySummaryHistory(ctx, sql.ListVulnerabilitySummaryHistoryParams{
+		Cluster:      request.GetFilter().Cluster,
+		Namespace:    request.GetFilter().Namespace,
+		WorkloadType: request.GetFilter().WorkloadType,
+		WorkloadName: request.GetFilter().Workload,
+		OrderBy:      sanitizeOrderBy(request.OrderBy, vulnerabilities.OrderByCritical),
+		Limit:        limit,
+		Offset:       offset,
+		From:         pgtype.Timestamptz{Time: request.From.AsTime(), Valid: true},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to list vulnerability summaries: %w", err)
+	}
+
+	ws := collections.Map(summaries, func(row *sql.ListVulnerabilitySummaryHistoryRow) *vulnerabilities.WorkloadSummary {
+		return &vulnerabilities.WorkloadSummary{
+			Id: row.ID.String(),
+			Workload: &vulnerabilities.Workload{
+				Cluster:   row.Cluster,
+				Namespace: row.Namespace,
+				Name:      row.WorkloadName,
+				Type:      row.WorkloadType,
+				ImageName: row.ImageName,
+				ImageTag:  row.ImageTag,
+			},
+			// TODO: Summary rows in the is not guaranteed to have a value, so we need to check if it's nil
+			VulnerabilitySummary: &vulnerabilities.Summary{
+				Critical:    safeInt(row.Critical),
+				High:        safeInt(row.High),
+				Medium:      safeInt(row.Medium),
+				Low:         safeInt(row.Low),
+				Unassigned:  safeInt(row.Unassigned),
+				RiskScore:   safeInt(row.RiskScore),
+				LastUpdated: timestamppb.New(row.SummaryUpdatedAt.Time),
+				HasSbom:     row.HasSbom,
+			},
+		}
+	})
+
+	total, err := s.querier.CountVulnerabilitySummaryHistory(ctx, sql.CountVulnerabilitySummaryHistoryParams{
+		Cluster:      request.GetFilter().Cluster,
+		Namespace:    request.GetFilter().Namespace,
+		WorkloadType: request.GetFilter().FuzzyWorkloadType(),
+		WorkloadName: request.GetFilter().Workload,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to count summaries: %w", err)
+	}
+
+	pageInfo, err := grpcpagination.PageInfo(request, int(total))
+	if err != nil {
+		return nil, err
+	}
+
+	response := &vulnerabilities.ListVulnerabilitySummaryHistoryResponse{
+		Nodes:    ws,
+		PageInfo: pageInfo,
+	}
+	return response, nil
+}
+
 // TODO: if no summaries are found, handle this case by not returning the summary? and maybe handle it in the sql query, right now we return 0 on all fields
 // TLDR: make distinction between no summary found and summary found with 0 values
 func (s *Server) GetVulnerabilitySummary(ctx context.Context, request *vulnerabilities.GetVulnerabilitySummaryRequest) (*vulnerabilities.GetVulnerabilitySummaryResponse, error) {

internal/database/queries/vulnerbility_summary.sql

@@ -83,8 +83,8 @@ SELECT
     v.risk_score,
     w.created_at AS workload_created_at,
     w.updated_at AS workload_updated_at,
-    v.created_at AS vulnerability_created_at,
-    v.updated_at AS vulnerability_updated_at,
+    v.created_at AS summary_created_at,
+    v.updated_at AS summary_updated_at,
     CASE WHEN v.image_name IS NOT NULL THEN TRUE ELSE FALSE END AS has_sbom
 FROM workloads w
          LEFT JOIN vulnerability_summary v
@@ -122,6 +122,91 @@ OFFSET
     sqlc.arg('offset')
 ;
 
+-- name: CountVulnerabilitySummaries :one
+SELECT COUNT(*) AS total
+FROM workloads w
+         LEFT JOIN vulnerability_summary v
+                   ON w.image_name = v.image_name AND w.image_tag = v.image_tag
+WHERE
+    (CASE WHEN sqlc.narg('cluster')::TEXT is not null THEN w.cluster = sqlc.narg('cluster')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('namespace')::TEXT is not null THEN w.namespace = sqlc.narg('namespace')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('workload_type')::TEXT is not null THEN w.workload_type = sqlc.narg('workload_type')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('workload_name')::TEXT is not null THEN w.name = sqlc.narg('workload_name')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('image_name')::TEXT is not null THEN v.image_name = sqlc.narg('image_name')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('image_tag')::TEXT is not null THEN v.image_tag = sqlc.narg('image_tag')::TEXT ELSE TRUE END)
+;
+
+-- name: ListVulnerabilitySummaryHistory :many
+SELECT
+    w.id,
+    w.name AS workload_name,
+    w.workload_type,
+    w.namespace,
+    w.cluster,
+    w.image_name,
+    w.image_tag,
+    v.critical,
+    v.high,
+    v.medium,
+    v.low,
+    v.unassigned,
+    v.risk_score,
+    w.created_at AS workload_created_at,
+    w.updated_at AS workload_updated_at,
+    v.created_at AS summary_created_at,
+    v.updated_at AS summary_updated_at,
+    CASE WHEN v.image_name IS NOT NULL THEN TRUE ELSE FALSE END AS has_sbom
+FROM workloads w
+         LEFT JOIN vulnerability_summary v
+                   ON w.image_name = v.image_name
+WHERE
+  v.updated_at > sqlc.arg('from')::TIMESTAMP WITH TIME ZONE
+  AND (CASE WHEN sqlc.narg('cluster')::TEXT is not null THEN w.cluster = sqlc.narg('cluster')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('namespace')::TEXT is not null THEN w.namespace = sqlc.narg('namespace')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('workload_type')::TEXT is not null THEN w.workload_type = sqlc.narg('workload_type')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('workload_name')::TEXT is not null THEN w.name = sqlc.narg('workload_name')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('image_name')::TEXT is not null THEN v.image_name = sqlc.narg('image_name')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('image_tag')::TEXT is not null THEN v.image_tag = sqlc.narg('image_tag')::TEXT ELSE TRUE END)
+ORDER BY
+    CASE WHEN sqlc.narg('order_by') = 'workload_asc' THEN w.name END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'workload_desc' THEN w.name END DESC,
+    CASE WHEN sqlc.narg('order_by') = 'namespace_asc' THEN namespace END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'namespace_desc' THEN namespace END DESC,
+    CASE WHEN sqlc.narg('order_by') = 'cluster_asc' THEN cluster END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'cluster_desc' THEN cluster END DESC,
+    CASE WHEN sqlc.narg('order_by') = 'critical_asc' THEN v.critical END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'critical_desc' THEN v.critical END DESC,
+    CASE WHEN sqlc.narg('order_by') = 'high_asc' THEN v.high END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'high_desc' THEN v.high END DESC,
+    CASE WHEN sqlc.narg('order_by') = 'medium_asc' THEN v.medium END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'medium_desc' THEN v.medium END DESC,
+    CASE WHEN sqlc.narg('order_by') = 'low_asc' THEN v.low END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'low_desc' THEN v.low END DESC,
+    CASE WHEN sqlc.narg('order_by') = 'unassigned_asc' THEN v.unassigned END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'unassigned_desc' THEN v.unassigned END DESC,
+    CASE WHEN sqlc.narg('order_by') = 'risk_score_asc' THEN v.risk_score END ASC,
+    CASE WHEN sqlc.narg('order_by') = 'risk_score_desc' THEN v.risk_score END DESC,
+    v.updated_at DESC, v.id DESC
+    LIMIT
+    sqlc.arg('limit')
+OFFSET
+    sqlc.arg('offset')
+;
+
+-- name: CountVulnerabilitySummaryHistory :one
+SELECT COUNT(*) AS total
+FROM workloads w
+         LEFT JOIN vulnerability_summary v
+                   ON w.image_name = v.image_name
+WHERE
+    (CASE WHEN sqlc.narg('cluster')::TEXT is not null THEN w.cluster = sqlc.narg('cluster')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('namespace')::TEXT is not null THEN w.namespace = sqlc.narg('namespace')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('workload_type')::TEXT is not null THEN w.workload_type = sqlc.narg('workload_type')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('workload_name')::TEXT is not null THEN w.name = sqlc.narg('workload_name')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('image_name')::TEXT is not null THEN v.image_name = sqlc.narg('image_name')::TEXT ELSE TRUE END)
+  AND (CASE WHEN sqlc.narg('image_tag')::TEXT is not null THEN v.image_tag = sqlc.narg('image_tag')::TEXT ELSE TRUE END)
+;
+
 -- name: GetVulnerabilitySummary :one
 WITH filtered_workloads AS (
     SELECT w.id, w.image_name, w.image_tag