Skip to content

ROX-31479: Add getting nodes for CVE #19

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mtodor merged 1 commit into from
Dec 19, 2025
Merged

ROX-31479: Add getting nodes for CVE #19

mtodor merged 1 commit into from
Dec 19, 2025

Conversation

@mtodor
Copy link
Collaborator

@mtodor mtodor commented Dec 15, 2025
edited
Loading

Description

This PR adds the ability to fetch information if there are nodes affected by a specific CVE.

It groups nodes by cluster and OS image used. This is done because mostly cluster nodes are using the same image and usually contain the same set of CVEs.

We are using the streaming (export) endpoint in this case, because filtering by CVE is not possible in the list nodes endpoint, and filtering is really important.

Validation

  • Unit tests
  • Tested with MCP inspector against demo staging cluster
  • Tested with LLM against demo staging cluster

LLM testing: (redacted)

> Is this CVE affecting me CVE-2020-26159?

⏺ stackrox-mcp - get_deployments_for_cve (MCP)(cveName: "CVE-2020-26159")
⏺ stackrox-mcp - get_nodes_for_cve (MCP)(cveName: "CVE-2020-26159")

⏺ Yes, CVE-2020-26159 is affecting your environment, but only at the node level - not in your application deployments:

  Affected Nodes:
  - staging-<abc>-cluster: 8 nodes
    - OS: Red Hat Enterprise Linux CoreOS V123-0 (Plow)
  - staging-<def>-cluster: 6 nodes
    - OS: Red Hat Enterprise Linux CoreOS V124-0 (Plow)

  Total: 14 nodes affected across 2 clusters

  Deployments: None of your application deployments are affected by this CVE.

@mtodor mtodor requested a review from janisz as a code owner December 15, 2025 16:54
@codecov-commenter
Copy link

codecov-commenter commented Dec 15, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 89.15663% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.38%. Comparing base (bf6db65) to head (434f67d).
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
internal/toolsets/vulnerability/nodes.go 89.02% 5 Missing and 4 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main      #19      +/-   ##
==========================================
+ Coverage   85.00%   85.38%   +0.38%     
==========================================
  Files          23       24       +1     
  Lines         820      903      +83     
==========================================
+ Hits          697      771      +74     
- Misses         96      101       +5     
- Partials       27       31       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@mtodor mtodor force-pushed the mtodor/ROX-31479-add-get-nodes-for-cve branch from f3e25c2 to 434f67d Compare December 17, 2025 16:31
janisz
janisz approved these changes Dec 18, 2025
View reviewed changes
@mtodor mtodor merged commit 8c77a67 into main Dec 19, 2025
3 checks passed
@mtodor mtodor deleted the mtodor/ROX-31479-add-get-nodes-for-cve branch December 19, 2025 09:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@janisz janisz janisz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mtodor @codecov-commenter @janisz