refactor: replace mock VulnSrc with trivy-db integration
- Remove mock VulnSrc implementation
- Use real trivy-db rootio.VulnSrc
- Update go.mod to use trivy-db fork with Root.io support
- Fix FixedVersion field mapping to use PatchedVersions
7
go.mod
7
go.mod
@@ -328,7 +328,7 @@ require (
|
||||
github.com/ncruces/go-strftime v0.1.9 // indirect
|
||||
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
|
||||
github.com/oklog/ulid v1.3.1 // indirect
|
||||
github.com/oklog/ulid/v2 v2.1.0 // indirect
|
||||
github.com/oklog/ulid/v2 v2.1.1 // indirect
|
||||
github.com/opencontainers/runtime-spec v1.2.1 // indirect
|
||||
github.com/opencontainers/selinux v1.12.0 // indirect
|
||||
github.com/opentracing/opentracing-go v1.2.0 // indirect
|
||||
@@ -352,7 +352,7 @@ require (
|
||||
github.com/rubenv/sql-migrate v1.7.1 // indirect
|
||||
github.com/russross/blackfriday/v2 v2.1.0 // indirect
|
||||
github.com/sagikazarmark/locafero v0.7.0 // indirect
|
||||
github.com/samber/oops v1.16.1 // indirect
|
||||
github.com/samber/oops v1.18.1 // indirect
|
||||
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
|
||||
github.com/sassoftware/relic v7.2.1+incompatible // indirect
|
||||
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
|
||||
@@ -450,3 +450,6 @@ tool (
|
||||
golang.org/x/tools/cmd/goyacc
|
||||
sigs.k8s.io/kind
|
||||
)
|
||||
|
||||
// TODO: Delete it once https://github.com/aquasecurity/trivy-db/pull/546 gets merged.
|
||||
replace github.com/aquasecurity/trivy-db => github.com/chait-slim/trivy-db v0.0.0-20250626080309-36695f101e75
|
||||
|
||||
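Review bot: The new `replace` directive in the last hunk routes the whole trivy-db client through a personal fork, `github.com/chait-slim/trivy-db`, so anyone building this module now pulls vulnerability-database code from an account outside the aquasecurity organisation. go.sum pins the content hash, which guards against silent tampering, but it does not stop the fork being deleted or force-pushed and breaking builds from a fresh module cache, and a `replace` in the root module is not honoured by downstream modules that import trivy as a library, so they would quietly get upstream trivy-db without Root.io support. I would make the TODO a tracked blocker rather than a free-form comment, e.g. `// TODO(trivy-db#546): drop this replace before release; importers of trivy as a library do not inherit it.`, and hold the release until the upstream PR lands. The oklog/ulid and samber/oops bumps in the first two hunks are not mentioned in the commit message; presumably they are transitive from the fork (both are `// indirect`), which is worth stating.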
12
go.sum
12
go.sum
@@ -802,8 +802,6 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
|
||||
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
|
||||
github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
|
||||
github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e h1:+B/in1DQDGwQbKhW5pWL8XxBgnZKxXhUznylJ2NCyvs=
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20250529093513-a12dfc204b6e/go.mod h1:4zd4qZcjhNAHASz5I0O7qapv5h5gSJzSEaZXv/IPOGc=
|
||||
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
|
||||
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
|
||||
github.com/aquasecurity/trivy-kubernetes v0.9.0 h1:rp8RuXwKfFWUPR/ULksA2WpD0z6rslVkzLmPGQr61Wc=
|
||||
@@ -905,6 +903,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
|
||||
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
|
||||
github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
|
||||
github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
|
||||
github.com/chait-slim/trivy-db v0.0.0-20250626080309-36695f101e75 h1:0wDJgdG3fz6UVOpHreqp33LJHOozgQlCSMoueeGi1uk=
|
||||
github.com/chait-slim/trivy-db v0.0.0-20250626080309-36695f101e75/go.mod h1:Ubl2YWA6Zg7eaojg4MDmeDdYU4+PiGPsnwo6B5UIwqw=
|
||||
github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
|
||||
github.com/cheggaaa/pb/v3 v3.1.7 h1:2FsIW307kt7A/rz/ZI2lvPO+v3wKazzE4K/0LtTWsOI=
|
||||
github.com/cheggaaa/pb/v3 v3.1.7/go.mod h1:/Ji89zfVPeC/u5j8ukD0MBPHt2bzTYp74lQ7KlgFWTQ=
|
||||
@@ -1644,8 +1644,8 @@ github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
|
||||
github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
|
||||
github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
|
||||
github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
|
||||
github.com/oklog/ulid/v2 v2.1.0 h1:+9lhoxAP56we25tyYETBBY1YLA2SaoLvUFgrP2miPJU=
|
||||
github.com/oklog/ulid/v2 v2.1.0/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
|
||||
github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
|
||||
github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
|
||||
github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM=
|
||||
github.com/oleiade/reflections v1.0.1/go.mod h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
|
||||
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
|
||||
@@ -1777,8 +1777,8 @@ github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsF
|
||||
github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
|
||||
github.com/samber/lo v1.50.0 h1:XrG0xOeHs+4FQ8gJR97zDz5uOFMW7OwFWiFVzqopKgY=
|
||||
github.com/samber/lo v1.50.0/go.mod h1:RjZyNk6WSnUFRKK6EyOhsRJMqft3G+pg7dCWHQCWvsc=
|
||||
github.com/samber/oops v1.16.1 h1:XlKkXsWM5g8hE4C+sEV9n0X282fZn3XabVmAKU2RiHI=
|
||||
github.com/samber/oops v1.16.1/go.mod h1:8eXgMAJcDXRAijQsFRhfy/EHDOTiSvwkg6khFqFK078=
|
||||
github.com/samber/oops v1.18.1 h1:qjhZbqbdyhWBKntkY8sxrDNKA8b4c5VHlmI1rli7X7M=
|
||||
github.com/samber/oops v1.18.1/go.mod h1:xYqvimigkKV70HyLXiBZJFpIWi2CGcc6Xx7eV+2HycI=
|
||||
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
|
||||
github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
|
||||
github.com/sassoftware/go-rpmutils v0.4.0 h1:ojND82NYBxgwrV+mX1CWsd5QJvvEZTKddtCdFLPWhpg=
|
||||
|
||||
@@ -2,10 +2,12 @@ package rootio
|
||||
|
||||
import (
|
||||
"context"
|
||||
"strings"
|
||||
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/rootio"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
|
||||
"github.com/aquasecurity/trivy/pkg/detector/ospkg/version"
|
||||
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
|
||||
@@ -17,29 +19,29 @@ import (
|
||||
// Scanner implements the Root.io scanner
|
||||
type Scanner struct {
|
||||
comparer version.Comparer
|
||||
vs VulnSrc
|
||||
vs rootio.VulnSrc
|
||||
logger *log.Logger
|
||||
}
|
||||
|
||||
// NewScanner is the factory method for Scanner
|
||||
func NewScanner(baseOS ftypes.OSType) *Scanner {
|
||||
var comparer version.Comparer
|
||||
var vs VulnSrc
|
||||
var vs rootio.VulnSrc
|
||||
|
||||
switch baseOS {
|
||||
case ftypes.Debian:
|
||||
comparer = version.NewDEBComparer()
|
||||
vs = newMockVulnSrc(vulnerability.Debian)
|
||||
vs = rootio.NewVulnSrc(vulnerability.Debian)
|
||||
case ftypes.Ubuntu:
|
||||
comparer = version.NewDEBComparer()
|
||||
vs = newMockVulnSrc(vulnerability.Ubuntu)
|
||||
vs = rootio.NewVulnSrc(vulnerability.Ubuntu)
|
||||
case ftypes.Alpine:
|
||||
comparer = version.NewAPKComparer()
|
||||
vs = newMockVulnSrc(vulnerability.Alpine)
|
||||
vs = rootio.NewVulnSrc(vulnerability.Alpine)
|
||||
default:
|
||||
// Should never happen as it's validated in the provider
|
||||
comparer = version.NewDEBComparer()
|
||||
vs = newMockVulnSrc(vulnerability.Debian)
|
||||
vs = rootio.NewVulnSrc(vulnerability.Debian)
|
||||
}
|
||||
|
||||
return &Scanner{
|
||||
@@ -74,7 +76,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
|
||||
PkgID: pkg.ID,
|
||||
PkgName: pkg.Name,
|
||||
InstalledVersion: utils.FormatVersion(pkg),
|
||||
FixedVersion: adv.FixedVersion,
|
||||
FixedVersion: strings.Join(adv.PatchedVersions, ", "),
|
||||
Layer: pkg.Layer,
|
||||
PkgIdentifier: pkg.Identifier,
|
||||
Custom: adv.Custom,
|
||||
|
||||
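Review bot: `FixedVersion: strings.Join(adv.PatchedVersions, ", ")` in the last hunk folds a list of patched versions into one comma-joined string, which no longer parses as a version whenever there is more than one entry; anything downstream that compares or parses `FixedVersion` rather than just testing it for emptiness would misbehave on such an advisory, and this hunk does not show whether Root.io data ever carries more than one. If the field is presentation-only here, say so: `// PatchedVersions may list several fixes; FixedVersion is display-only, not a comparable version`. The `default:` branch of `NewScanner` still silently falls back to Debian advisories for an unexpected base OS; the struct carries a `logger`, so logging a warning there (if it is initialised at that point) would make a misrouted scan visible instead of quietly reporting Debian results. Detect's body starts and ends outside this hunk.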
@@ -1,73 +0,0 @@
|
||||
package rootio
|
||||
|
||||
import (
|
||||
"maps"
|
||||
"slices"
|
||||
|
||||
"github.com/samber/lo"
|
||||
|
||||
"github.com/aquasecurity/trivy-db/pkg/db"
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/debian"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
|
||||
)
|
||||
|
||||
// VulnSrc defines the interface for Root.io vulnerability data source
|
||||
// The actual implementation will be in trivy-db side: pkg/vulnsrc/rootio/rootio.go
|
||||
type VulnSrc interface {
|
||||
Get(osVer, pkgName string) ([]dbTypes.Advisory, error)
|
||||
}
|
||||
|
||||
// mockVulnSrc is a temporary mock implementation simulating the trivy-db VulnSrc
|
||||
type mockVulnSrc struct {
|
||||
dbc db.Operation
|
||||
inner VulnSrc // This can be replaced with the actual implementation later
|
||||
}
|
||||
|
||||
func newMockVulnSrc(sourceID dbTypes.SourceID) VulnSrc {
|
||||
vs := &mockVulnSrc{dbc: db.Config{}}
|
||||
|
||||
switch sourceID {
|
||||
case vulnerability.Debian:
|
||||
vs.inner = debian.NewVulnSrc()
|
||||
case vulnerability.Ubuntu:
|
||||
vs.inner = ubuntu.NewVulnSrc()
|
||||
case vulnerability.Alpine:
|
||||
vs.inner = debian.NewVulnSrc()
|
||||
}
|
||||
return vs
|
||||
}
|
||||
|
||||
func (v *mockVulnSrc) Get(osVer, pkgName string) ([]dbTypes.Advisory, error) {
|
||||
// Get advisories from the original distributors, like Debian or Alpine
|
||||
advs, err := v.inner.Get(osVer, pkgName)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Simulate the advisories with Root.io's version constraints
|
||||
allAdvs := make(map[string]dbTypes.Advisory, len(advs))
|
||||
for _, adv := range advs {
|
||||
if adv.FixedVersion != "" {
|
||||
adv.VulnerableVersions = []string{"<" + adv.FixedVersion}
|
||||
adv.PatchedVersions = []string{adv.FixedVersion}
|
||||
adv.FixedVersion = "" // Clear fixed version to avoid confusion
|
||||
}
|
||||
allAdvs[adv.VulnerabilityID] = adv
|
||||
}
|
||||
|
||||
advs, err = v.dbc.GetAdvisories(osVer, pkgName)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
rootAdvs := lo.SliceToMap(advs, func(adv dbTypes.Advisory) (string, dbTypes.Advisory) {
|
||||
return adv.VulnerabilityID, adv
|
||||
})
|
||||
|
||||
// Merge the advisories from the original distributors with Root.io's advisories
|
||||
maps.Copy(allAdvs, rootAdvs)
|
||||
|
||||
return slices.Collect(maps.Values(allAdvs)), nil
|
||||
}
|
||||