Skip to content

ROX-31479: Add getting nodes for CVE#19

Merged
mtodor merged 1 commit intomainfrom
mtodor/ROX-31479-add-get-nodes-for-cve
Dec 19, 2025
Merged

ROX-31479: Add getting nodes for CVE#19
mtodor merged 1 commit intomainfrom
mtodor/ROX-31479-add-get-nodes-for-cve

Conversation

@mtodor
Copy link
Collaborator

@mtodor mtodor commented Dec 15, 2025
edited
Loading

Description

This PR adds the ability to fetch information if there are nodes affected by a specific CVE.

It groups nodes by cluster and OS image used. This is done because mostly cluster nodes are using the same image and usually contain the same set of CVEs.

We are using the streaming (export) endpoint in this case, because filtering by CVE is not possible in the list nodes endpoint, and filtering is really important.

Validation

  • Unit tests
  • Tested with MCP inspector against demo staging cluster
  • Tested with LLM against demo staging cluster

LLM testing: (redacted)

> Is this CVE affecting me CVE-2020-26159?

⏺ stackrox-mcp - get_deployments_for_cve (MCP)(cveName: "CVE-2020-26159")
⏺ stackrox-mcp - get_nodes_for_cve (MCP)(cveName: "CVE-2020-26159")

⏺ Yes, CVE-2020-26159 is affecting your environment, but only at the node level - not in your application deployments:

  Affected Nodes:
  - staging-<abc>-cluster: 8 nodes
    - OS: Red Hat Enterprise Linux CoreOS V123-0 (Plow)
  - staging-<def>-cluster: 6 nodes
    - OS: Red Hat Enterprise Linux CoreOS V124-0 (Plow)

  Total: 14 nodes affected across 2 clusters

  Deployments: None of your application deployments are affected by this CVE.

@mtodor mtodor requested a review from janisz as a code owner December 15, 2025 16:54
@codecov-commenter
Copy link

codecov-commenter commented Dec 15, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 89.15663% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.38%. Comparing base (bf6db65) to head (434f67d).
⚠️ Report is 25 commits behind head on main.

Files with missing lines Patch % Lines
internal/toolsets/vulnerability/nodes.go 89.02% 5 Missing and 4 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main      #19      +/-   ##
==========================================
+ Coverage   85.00%   85.38%   +0.38%     
==========================================
  Files          23       24       +1     
  Lines         820      903      +83     
==========================================
+ Hits          697      771      +74     
- Misses         96      101       +5     
- Partials       27       31       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@mtodor mtodor force-pushed the mtodor/ROX-31479-add-get-nodes-for-cve branch from f3e25c2 to 434f67d Compare December 17, 2025 16:31
janisz
janisz approved these changes Dec 18, 2025
View reviewed changes
@mtodor mtodor merged commit 8c77a67 into main Dec 19, 2025
3 checks passed
@mtodor mtodor deleted the mtodor/ROX-31479-add-get-nodes-for-cve branch December 19, 2025 09:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@janisz janisz janisz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mtodor @codecov-commenter @janisz