openclarity · akpsgit · Jul 27, 2023 · Jul 27, 2023 · Jul 11, 2023 · Jul 11, 2023
@@ -1380,6 +1380,23 @@ components:
         - value
       additionalProperties: false
 
+    RootVolume:
+      type: object
+      description: Information about VM root volume
+      properties:
+        sizeGB:
+          type: integer
+        encrypted:
+          type: string
+          enum:
+            - Yes
+            - No
+            - Unknown
+      required:
+        - sizeGB
+        - encrypted
+      additionalProperties: false
+
     RuntimeScheduleScanConfig:
       type: object
       minProperties: 1 # Require that at least 1 property will be set
@@ -1551,6 +1568,8 @@ components:
         launchTime:
           type: string
           format: date-time
+        rootVolume:
+          $ref: '#/components/schemas/RootVolume'
       required:
         - objectType
         - instanceID
@@ -1559,6 +1578,7 @@ components:
         - image
         - platform
         - launchTime
+        - rootVolume
 
     PodInfo:
       type: object

@@ -32,14 +32,9 @@ const (
 	awsRegionEUCentral1    = "eu-central-1"
 	awsRegionUSEast1       = "us-east-1"
 	awsVPCEUCentral11      = "vpc-1-from-eu-central-1"
-	awsVPCEUCentral12      = "vpc-2-from-eu-central-1"
 	awsVPCUSEast11         = "vpc-1-from-us-east-1"
-	awsVPCUSEast12         = "vpc-2-from-us-east-1"
 	awsSGUSEast111         = "sg-1-from-vpc-1-from-us-east-1"
-	awsSGUSEast121         = "sg-1-from-vpc-2-from-us-east-1"
-	awsSGUSEast122         = "sg-2-from-vpc-2-from-us-east-1"
 	awsSGEUCentral111      = "sg-1-from-vpc-1-from-eu-central-1"
-	awsSGEUCentral121      = "sg-1-from-vpc-2-from-eu-central-1"
 	awsInstanceEUCentral11 = "i-instance-1-from-eu-central-1"
 	awsInstanceEUCentral12 = "i-instance-2-from-eu-central-1"
 	awsInstanceUSEast11    = "i-instance-1-from-us-east-1"
@@ -361,7 +356,7 @@ func createVulnerabilityFindings(ctx context.Context, base models.Finding, vulne
 }
 
 func createVMInfo(instanceID, location, image, instanceType, platform string,
-	tags []models.Tag, launchTime time.Time, instanceProvider models.CloudProvider,
+	tags []models.Tag, launchTime time.Time, instanceProvider models.CloudProvider, rootVolumeSizeGB int, rootVolumeEncrypted models.RootVolumeEncrypted,
 ) *models.AssetType {
 	info := models.AssetType{}
 	err := info.FromVMInfo(models.VMInfo{
@@ -373,6 +368,10 @@ func createVMInfo(instanceID, location, image, instanceType, platform string,
 		Location:         location,
 		Platform:         platform,
 		Tags:             &tags,
+		RootVolume: models.RootVolume{
+			Encrypted: rootVolumeEncrypted,
+			SizeGB:    rootVolumeSizeGB,
+		},
 	})
 	if err != nil {
 		panic(err)
@@ -403,7 +402,7 @@ func createAssets() []models.Asset {
 				},
 			},
 			AssetInfo: createVMInfo(awsInstanceEUCentral11, awsRegionEUCentral1+"/"+awsVPCEUCentral11+"/"+awsSGEUCentral111,
-				"ami-111", "t2.large", "Linux", []models.Tag{{Key: "Name", Value: "asset1"}}, time.Now(), models.AWS),
+				"ami-111", "t2.large", "Linux", []models.Tag{{Key: "Name", Value: "asset1"}}, time.Now(), models.AWS, 8, models.No),
 		},
 		{
 			ScansCount: utils.PointerTo(1),
@@ -425,7 +424,7 @@ func createAssets() []models.Asset {
 				},
 			},
 			AssetInfo: createVMInfo(awsInstanceEUCentral12, awsRegionEUCentral1+"/"+awsVPCEUCentral11+"/"+awsSGEUCentral111,
-				"ami-111", "t2.large", "Linux", []models.Tag{{Key: "Name", Value: "asset2"}}, time.Now(), models.AWS),
+				"ami-111", "t2.large", "Linux", []models.Tag{{Key: "Name", Value: "asset2"}}, time.Now(), models.AWS, 25, models.Yes),
 		},
 		{
 			ScansCount: utils.PointerTo(1),
@@ -446,7 +445,7 @@ func createAssets() []models.Asset {
 				},
 			},
 			AssetInfo: createVMInfo(awsInstanceUSEast11, awsRegionUSEast1+"/"+awsVPCUSEast11+"/"+awsSGUSEast111,
-				"ami-112", "t2.micro", "Linux", []models.Tag{{Key: "Name", Value: "asset3"}}, time.Now(), models.AWS),
+				"ami-112", "t2.micro", "Linux", []models.Tag{{Key: "Name", Value: "asset3"}}, time.Now(), models.AWS, 512, models.Unknown),
 		},
 	}
 }

@@ -395,6 +395,10 @@ var schemaMetas = map[string]odatasql.SchemaMeta{
 			"platform":     odatasql.FieldMeta{FieldType: odatasql.PrimitiveFieldType},
 			"instanceType": odatasql.FieldMeta{FieldType: odatasql.PrimitiveFieldType},
 			"image":        odatasql.FieldMeta{FieldType: odatasql.PrimitiveFieldType},
+			"rootVolume": odatasql.FieldMeta{
+				FieldType:           odatasql.ComplexFieldType,
+				ComplexFieldSchemas: []string{"RootVolume"},
+			},
 			"tags": odatasql.FieldMeta{
 				FieldType: odatasql.CollectionFieldType,
 				CollectionItemMeta: &odatasql.FieldMeta{
@@ -412,6 +416,12 @@ var schemaMetas = map[string]odatasql.SchemaMeta{
 			"instanceProvider": odatasql.FieldMeta{FieldType: odatasql.PrimitiveFieldType},
 		},
 	},
+	"RootVolume": {
+		Fields: odatasql.Schema{
+			"sizeGB":    odatasql.FieldMeta{FieldType: odatasql.PrimitiveFieldType},
+			"encrypted": odatasql.FieldMeta{FieldType: odatasql.PrimitiveFieldType},
+		},
+	},
 	"SecurityGroup": {
 		Fields: odatasql.Schema{
 			"id": odatasql.FieldMeta{FieldType: odatasql.PrimitiveFieldType},

@@ -775,20 +775,32 @@ func (c *Client) getInstancesFromDescribeInstancesOutput(ctx context.Context, re
 			}
 
 			if err := validateInstanceFields(instance); err != nil {
-				logger.Errorf("Instance validation failed. instance id=%v: %v", getPointerValOrEmpty(instance.InstanceId), err)
+				logger.Errorf("Instance validation failed. instance id=%v: %v", utils.StringPointerValOrEmpty(instance.InstanceId), err)
 				continue
 			}
+			rootVol, err := getRootVolumeInfo(ctx, c.ec2Client, instance, regionID)
+			if err != nil {
+				logger.Warnf("Couldn't get root volume info. instance id=%v: %v", utils.StringPointerValOrEmpty(instance.InstanceId), err)
+				rootVol = &models.RootVolume{
+					SizeGB:    0,
+					Encrypted: models.Unknown,
+				}
+			}
+
 			ret = append(ret, Instance{
-				ID:               *instance.InstanceId,
-				Region:           regionID,
-				AvailabilityZone: *instance.Placement.AvailabilityZone,
-				Image:            *instance.ImageId,
-				InstanceType:     string(instance.InstanceType),
-				Platform:         *instance.PlatformDetails,
-				Tags:             getTagsFromECTags(instance.Tags),
-				LaunchTime:       *instance.LaunchTime,
-				VpcID:            *instance.VpcId,
-				SecurityGroups:   getSecurityGroupsIDs(instance.SecurityGroups),
+				ID:                  *instance.InstanceId,
+				Region:              regionID,
+				AvailabilityZone:    *instance.Placement.AvailabilityZone,
+				Image:               *instance.ImageId,
+				InstanceType:        string(instance.InstanceType),
+				Platform:            *instance.PlatformDetails,
+				Tags:                getTagsFromECTags(instance.Tags),
+				LaunchTime:          *instance.LaunchTime,
+				VpcID:               *instance.VpcId,
+				SecurityGroups:      getSecurityGroupsIDs(instance.SecurityGroups),
+				RootDeviceName:      utils.StringPointerValOrEmpty(instance.RootDeviceName),
+				RootVolumeSizeGB:    int32(rootVol.SizeGB),
+				RootVolumeEncrypted: rootVol.Encrypted,
 
 				ec2Client: c.ec2Client,
 			})
@@ -797,6 +809,60 @@ func (c *Client) getInstancesFromDescribeInstancesOutput(ctx context.Context, re
 	return ret
 }
 
+func getRootVolumeInfo(ctx context.Context, client *ec2.Client, i ec2types.Instance, region string) (*models.RootVolume, error) {
+	if i.RootDeviceName == nil || *i.RootDeviceName == "" {
+		return nil, fmt.Errorf("RootDeviceName is not set")
+	}
+	logger := log.GetLoggerFromContextOrDiscard(ctx)
+	for _, mapping := range i.BlockDeviceMappings {
+		if utils.StringPointerValOrEmpty(mapping.DeviceName) == utils.StringPointerValOrEmpty(i.RootDeviceName) {
+			if mapping.Ebs == nil {
+				return nil, fmt.Errorf("EBS of the root volume is nil")
+			}
+			if mapping.Ebs.VolumeId == nil {
+				return nil, fmt.Errorf("volume ID of the root volume is nil")
+			}
+			descParams := &ec2.DescribeVolumesInput{
+				VolumeIds: []string{*mapping.Ebs.VolumeId},
+			}
+
+			describeOut, err := client.DescribeVolumes(ctx, descParams, func(options *ec2.Options) {
+				options.Region = region
+			})
+			if err != nil {
+				return nil, fmt.Errorf("failed to describe the root volume")
+			}
+
+			if len(describeOut.Volumes) == 0 {
+				return nil, fmt.Errorf("volume list is empty")
+			}
+			if len(describeOut.Volumes) > 1 {
+				logger.WithFields(logrus.Fields{
+					"VolumeId":    *mapping.Ebs.VolumeId,
+					"Volumes num": len(describeOut.Volumes),
+				}).Warnf("Found more than 1 root volume, using the first")
+			}
+
+			return &models.RootVolume{
+				SizeGB:    int(utils.Int32PointerValOrEmpty(describeOut.Volumes[0].Size)),
+				Encrypted: encryptedToAPI(describeOut.Volumes[0].Encrypted),
+			}, nil
+		}
+	}
+
+	return nil, fmt.Errorf("instance doesn't have a root volume block device mapping")
+}
+
+func encryptedToAPI(encrypted *bool) models.RootVolumeEncrypted {
+	if encrypted == nil {
+		return models.Unknown
+	}
+	if *encrypted {
+		return models.Yes
+	}
+	return models.No
+}
+
 func (c *Client) ListAllRegions(ctx context.Context) ([]Region, error) {
 	ret := make([]Region, 0)
 	out, err := c.ec2Client.DescribeRegions(ctx, &ec2.DescribeRegionsInput{

@@ -277,7 +277,8 @@ func TestClient_getInstancesFromDescribeInstancesOutput(t *testing.T) {
 							Value: "val-1",
 						},
 					},
-					LaunchTime: launchTime,
+					LaunchTime:          launchTime,
+					RootVolumeEncrypted: models.Unknown,
 				},
 				{
 					ID:     "instance-2",
@@ -296,7 +297,8 @@ func TestClient_getInstancesFromDescribeInstancesOutput(t *testing.T) {
 							Value: "val-2",
 						},
 					},
-					LaunchTime: launchTime,
+					LaunchTime:          launchTime,
+					RootVolumeEncrypted: models.Unknown,
 				},
 				{
 					ID:     "instance-3",
@@ -305,12 +307,13 @@ func TestClient_getInstancesFromDescribeInstancesOutput(t *testing.T) {
 					SecurityGroups: []models.SecurityGroup{
 						{Id: "group3"},
 					},
-					AvailabilityZone: "az3",
-					Image:            "image3",
-					InstanceType:     "t2.large",
-					Platform:         "linux",
-					Tags:             nil,
-					LaunchTime:       launchTime,
+					AvailabilityZone:    "az3",
+					Image:               "image3",
+					InstanceType:        "t2.large",
+					Platform:            "linux",
+					Tags:                nil,
+					LaunchTime:          launchTime,
+					RootVolumeEncrypted: models.Unknown,
 				},
 			},
 		},
@@ -341,3 +344,43 @@ func TestClient_getInstancesFromDescribeInstancesOutput(t *testing.T) {
 		})
 	}
 }
+
+func Test_encryptedToAPI(t *testing.T) {
+	type args struct {
+		encrypted *bool
+	}
+	tests := []struct {
+		name string
+		args args
+		want models.RootVolumeEncrypted
+	}{
+		{
+			name: "unknown",
+			args: args{
+				encrypted: nil,
+			},
+			want: models.Unknown,
+		},
+		{
+			name: "no",
+			args: args{
+				encrypted: utils.PointerTo(false),
+			},
+			want: models.No,
+		},
+		{
+			name: "yes",
+			args: args{
+				encrypted: utils.PointerTo(true),
+			},
+			want: models.Yes,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := encryptedToAPI(tt.args.encrypted); got != tt.want {
+				t.Errorf("encryptedToAPI() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}