Override with Vendor score if exists (#433)

* wip: Add a failing test to demo severity override Signed-off-by: Simarpreet Singh <simar@linux.com> * scan.go: Return osFound for use in determining vendor. Signed-off-by: Simarpreet Singh <simar@linux.com> * pkg: Fix ScanImage return in case an OSFound Signed-off-by: Simarpreet Singh <simar@linux.com> * scan_test: Include a package-lock.json for happy path Signed-off-by: Simarpreet Singh <simar@linux.com> * wip: Add a test to include various reportResult types Signed-off-by: Simarpreet Singh <simar@linux.com> * Makefile: Add a target to generate mocks. Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: Pass reportType as argument for FillInfo. Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: Add other types of vulnerabilities. Signed-off-by: Simarpreet Singh <simar@linux.com> * integration: Update golden files. Signed-off-by: Simarpreet Singh <simar@linux.com> * ospkg: Fix FillInfo for ospkg/server Signed-off-by: Simarpreet Singh <simar@linux.com> * rpc: Add os.Family type to Response. Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability_test.go: Add case where no vendor severity exists. Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: Fallback to NVD if it exists. Also add tests for other cases. Signed-off-by: Simarpreet Singh <simar@linux.com> * rpc: Fix a few sites with reportType info and tests. Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: Remove VendorSeverity from displayed results Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: Add vulnerability source information. Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: Add VendorSeverity logic for lightDB as well. This commit also makes FillInfo logic common to both light and full DBs. Signed-off-by: Simarpreet Singh <simar@linux.com> * remove some crufty TODOs Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability_test: Add a case for light db for documentation purposes Signed-off-by: Simarpreet Singh <simar@linux.com> * mod: update trivy-db to point to master Signed-off-by: Simarpreet Singh <simar@linux.com> * scan_test: Remove cruft and bring back test cases Signed-off-by: Simarpreet Singh <simar@linux.com> * scan_test: Add pkg Type to mock return Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: reorder err check after err Signed-off-by: Simarpreet Singh <simar@linux.com> * client_test: Fix import ordering Signed-off-by: Simarpreet Singh <simar@linux.com> * convert.go: Use result.Type Signed-off-by: Simarpreet Singh <simar@linux.com> * convert: Use result.Type and simplify ConvertFromRpcResults signature Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: Refactor calls to getVendorSeverity Signed-off-by: Simarpreet Singh <simar@linux.com> * integration: Remove centos-7-critical.json.golden There's no critical vulnerability in CentOS 7 anymore. In addition this test was not adding any value that is already not covered by existing tests cases. Signed-off-by: Simarpreet Singh <simar@linux.com> * rpc: Include severity source in tests. Signed-off-by: Simarpreet Singh <simar@linux.com> * integration: Update test db to include VendorSeverity. Test DB is now a snapshot of full database from trivy-db. Also update golden files to include SeveritySource. Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability: Make centos7 use RHEL vendor severities Signed-off-by: Simarpreet Singh <simar@linux.com>
2025-12-21 23:00:42 -08:00 · 2020-04-16 16:58:58 -07:00
parent 7629f7f0d6
commit 17b84f6c09
60 changed files with 34464 additions and 19414 deletions
--- a/pkg/scanner/scan_test.go
+++ b/pkg/scanner/scan_test.go
@@ -29,7 +29,7 @@ func TestScanner_ScanImage(t *testing.T) {
 		args               args
 		analyzeExpectation AnalyzerAnalyzeExpectation
 		scanExpectation    ScanExpectation
-		want               report.Results
+		wantResults        report.Results
 		wantErr            string
 	}{
 		{
@@ -73,6 +73,18 @@ func TestScanner_ScanImage(t *testing.T) {
 								},
 							},
 						},
+						{
+							Target: "node-app/package-lock.json",
+							Vulnerabilities: []types.DetectedVulnerability{
+								{
+									VulnerabilityID:  "CVE-2019-11358",
+									PkgName:          "jquery",
+									InstalledVersion: "3.3.9",
+									FixedVersion:     ">=3.4.0",
+								},
+							},
+							Type: "npm",
+						},
 					},
 					OsFound: &ftypes.OS{
 						Family: "alpine",
@@ -81,7 +93,7 @@ func TestScanner_ScanImage(t *testing.T) {
 					Eols: true,
 				},
 			},
-			want: report.Results{
+			wantResults: report.Results{
 				{
 					Target: "alpine:3.11",
 					Vulnerabilities: []types.DetectedVulnerability{
@@ -97,6 +109,18 @@ func TestScanner_ScanImage(t *testing.T) {
 						},
 					},
 				},
+				{
+					Target: "node-app/package-lock.json",
+					Vulnerabilities: []types.DetectedVulnerability{
+						{
+							VulnerabilityID:  "CVE-2019-11358",
+							PkgName:          "jquery",
+							InstalledVersion: "3.3.9",
+							FixedVersion:     ">=3.4.0",
+						},
+					},
+					Type: "npm",
+				},
 			},
 		},
 		{
@@ -154,7 +178,7 @@ func TestScanner_ScanImage(t *testing.T) {
 			analyzer.ApplyAnalyzeExpectation(tt.analyzeExpectation)

 			s := NewScanner(d, analyzer)
-			got, err := s.ScanImage(tt.args.options)
+			gotResults, err := s.ScanImage(tt.args.options)
 			if tt.wantErr != "" {
 				require.NotNil(t, err, tt.name)
 				require.Contains(t, err.Error(), tt.wantErr, tt.name)
@@ -163,7 +187,7 @@ func TestScanner_ScanImage(t *testing.T) {
 				require.NoError(t, err, tt.name)
 			}

-			assert.Equal(t, tt.want, got)
+			assert.Equal(t, tt.wantResults, gotResults, tt.name)
 		})
 	}
 }