feat(cyclonedx): add vulnerabilities (#1832)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
Masahiro331
2022-03-23 03:22:55 +09:00
committed by GitHub
parent df80fd31a0
commit 7a148089ec
15 changed files with 792 additions and 113 deletions


@@ -16,7 +16,7 @@ $ trivy image --format cyclonedx --output result.json alpine:3.15
$ cat result.json | jq . $ cat result.json | jq .
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.3", "specVersion": "1.4",
"serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace", "serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
"version": 1, "version": 1,
"metadata": { "metadata": {
@@ -163,13 +163,70 @@ $ cat result.json | jq .
"3da6a469-964d-4b4e-b67d-e94ec7c88d37" "3da6a469-964d-4b4e-b67d-e94ec7c88d37"
] ]
} }
],
"vulnerabilities": [
{
"id": "CVE-2021-42386",
"source": {
"name": "alpine",
"url": "https://secdb.alpinelinux.org/"
},
"ratings": [
{
"source": {
"name": "nvd"
},
"score": 7.2,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "nvd"
},
"score": 6.5,
"severity": "medium",
"method": "CVSSv2",
"vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
},
{
"source": {
"name": "redhat"
},
"score": 6.6,
"severity": "medium",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
416
],
"description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function",
"advisories": [
{
"url": "https://access.redhat.com/security/cve/CVE-2021-42386"
},
{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386"
}
],
"published": "2021-11-15 21:15:00 +0000 UTC",
"updated": "2022-01-04 17:14:00 +0000 UTC",
"affects": [
{
"ref": "pkg:apk/alpine/busybox@1.33.1-r3?distro=3.14.2"
},
{
"ref": "pkg:apk/alpine/ssl_client@1.33.1-r3?distro=3.14.2"
}
]
}
] ]
} }
``` ```
</details> </details>
!!! caution
It doesn't support vulnerabilities yet, but installed packages.
[cyclonedx]: https://cyclonedx.org/ [cyclonedx]: https://cyclonedx.org/


@@ -2,16 +2,23 @@ package cyclonedx
import ( import (
"io" "io"
"sort"
"strconv" "strconv"
"strings"
"time" "time"
cdx "github.com/CycloneDX/cyclonedx-go" cdx "github.com/CycloneDX/cyclonedx-go"
"github.com/google/uuid" "github.com/google/uuid"
"golang.org/x/exp/maps"
"golang.org/x/xerrors" "golang.org/x/xerrors"
"k8s.io/utils/clock" "k8s.io/utils/clock"
ftypes "github.com/aquasecurity/fanal/types" ftypes "github.com/aquasecurity/fanal/types"
dtypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/purl" "github.com/aquasecurity/trivy/pkg/purl"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
"github.com/aquasecurity/trivy/pkg/types" "github.com/aquasecurity/trivy/pkg/types"
) )
@@ -127,7 +134,7 @@ func (cw *Writer) convertToBom(r types.Report, version string) (*cdx.BOM, error)
Component: metadataComponent, Component: metadataComponent,
} }
bom.Components, bom.Dependencies, err = cw.parseComponents(r, bom.Metadata.Component.BOMRef) bom.Components, bom.Dependencies, bom.Vulnerabilities, err = cw.parseComponents(r, bom.Metadata.Component.BOMRef)
if err != nil { if err != nil {
return nil, xerrors.Errorf("failed to parse components: %w", err) return nil, xerrors.Errorf("failed to parse components: %w", err)
} }
@@ -135,17 +142,22 @@ func (cw *Writer) convertToBom(r types.Report, version string) (*cdx.BOM, error)
return bom, nil return bom, nil
} }
func (cw *Writer) parseComponents(r types.Report, bomRef string) (*[]cdx.Component, *[]cdx.Dependency, error) { func (cw *Writer) parseComponents(r types.Report, bomRef string) (*[]cdx.Component, *[]cdx.Dependency, *[]cdx.Vulnerability, error) {
var components []cdx.Component var components []cdx.Component
var dependencies []cdx.Dependency var dependencies []cdx.Dependency
var metadataDependencies []cdx.Dependency var metadataDependencies []cdx.Dependency
libraryUniqMap := map[string]struct{}{} libraryUniqMap := map[string]struct{}{}
vulnMap := map[string]cdx.Vulnerability{}
for _, result := range r.Results { for _, result := range r.Results {
var componentDependencies []cdx.Dependency var componentDependencies []cdx.Dependency
bomRefMap := map[string]string{}
for _, pkg := range result.Packages { for _, pkg := range result.Packages {
pkgComponent, err := cw.pkgToComponent(result.Type, r.Metadata, pkg) pkgComponent, err := cw.pkgToComponent(result.Type, r.Metadata, pkg)
if err != nil { if err != nil {
return nil, nil, xerrors.Errorf("failed to parse pkg: %w", err) return nil, nil, nil, xerrors.Errorf("failed to parse pkg: %w", err)
}
if _, ok := bomRefMap[pkg.Name+utils.FormatVersion(pkg)+pkg.FilePath]; !ok {
bomRefMap[pkg.Name+utils.FormatVersion(pkg)+pkg.FilePath] = pkgComponent.BOMRef
} }
// When multiple lock files have the same dependency with the same name and version, // When multiple lock files have the same dependency with the same name and version,
@@ -171,6 +183,20 @@ func (cw *Writer) parseComponents(r types.Report, bomRef string) (*[]cdx.Compone
componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef}) componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef})
} }
for _, vuln := range result.Vulnerabilities {
// Take a bom-ref
ref := bomRefMap[vuln.PkgName+vuln.InstalledVersion+vuln.PkgPath]
if v, ok := vulnMap[vuln.VulnerabilityID]; ok {
// If a vulnerability depends on multiple packages,
// it will be commonised into a single vulnerability.
// Vulnerability component (CVE-2020-26247)
// -> Library component (nokogiri /srv/app1/vendor/bundle/ruby/3.0.0/specifications/nokogiri-1.10.0.gemspec)
// -> Library component (nokogiri /srv/app2/vendor/bundle/ruby/3.0.0/specifications/nokogiri-1.10.0.gemspec)
*v.Affects = append(*v.Affects, affects(ref, vuln.InstalledVersion))
} else {
vulnMap[vuln.VulnerabilityID] = cw.vulnerability(vuln, ref)
}
}
if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg || result.Type == ftypes.GoBinary || if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg || result.Type == ftypes.GoBinary ||
result.Type == ftypes.GemSpec || result.Type == ftypes.Jar { result.Type == ftypes.GemSpec || result.Type == ftypes.Jar {
@@ -215,11 +241,36 @@ func (cw *Writer) parseComponents(r types.Report, bomRef string) (*[]cdx.Compone
metadataDependencies = append(metadataDependencies, cdx.Dependency{Ref: resultComponent.BOMRef}) metadataDependencies = append(metadataDependencies, cdx.Dependency{Ref: resultComponent.BOMRef})
} }
} }
vulns := maps.Values(vulnMap)
sort.Slice(vulns, func(i, j int) bool {
return vulns[i].ID > vulns[j].ID
})
dependencies = append(dependencies, dependencies = append(dependencies,
cdx.Dependency{Ref: bomRef, Dependencies: &metadataDependencies}, cdx.Dependency{Ref: bomRef, Dependencies: &metadataDependencies},
) )
return &components, &dependencies, nil return &components, &dependencies, &vulns, nil
}
func (cw *Writer) vulnerability(vuln types.DetectedVulnerability, bomRef string) cdx.Vulnerability {
v := cdx.Vulnerability{
ID: vuln.VulnerabilityID,
Source: source(vuln.DataSource),
Ratings: ratings(vuln),
CWEs: cwes(vuln.CweIDs),
Description: vuln.Description,
Advisories: advisories(vuln.References),
}
if vuln.PublishedDate != nil {
v.Published = vuln.PublishedDate.String()
}
if vuln.LastModifiedDate != nil {
v.Updated = vuln.LastModifiedDate.String()
}
v.Affects = &[]cdx.Affects{affects(bomRef, vuln.InstalledVersion)}
return v
} }
func (cw *Writer) pkgToComponent(t string, meta types.Metadata, pkg ftypes.Package) (cdx.Component, error) { func (cw *Writer) pkgToComponent(t string, meta types.Metadata, pkg ftypes.Package) (cdx.Component, error) {
@@ -363,3 +414,148 @@ func property(key, value string) cdx.Property {
Value: value, Value: value,
} }
} }
func advisories(refs []string) *[]cdx.Advisory {
var advs []cdx.Advisory
for _, ref := range refs {
advs = append(advs, cdx.Advisory{
URL: ref,
})
}
return &advs
}
func cwes(cweIDs []string) *[]int {
var ret []int
for _, cweID := range cweIDs {
number, err := strconv.Atoi(strings.TrimPrefix(strings.ToLower(cweID), "cwe-"))
if err != nil {
log.Logger.Debugf("cwe id parse error: %s", err)
continue
}
ret = append(ret, number)
}
return &ret
}
func ratings(vulnerability types.DetectedVulnerability) *[]cdx.VulnerabilityRating {
var rates []cdx.VulnerabilityRating
for sourceID, severity := range vulnerability.VendorSeverity {
// When the vendor also provides CVSS score/vector
if cvss, ok := vulnerability.CVSS[sourceID]; ok {
if cvss.V2Score != 0 || cvss.V2Vector != "" {
rates = append(rates, ratingV2(sourceID, severity, cvss))
}
if cvss.V3Score != 0 || cvss.V3Vector != "" {
rates = append(rates, ratingV3(sourceID, severity, cvss))
}
} else { // When the vendor provides only severity
rate := cdx.VulnerabilityRating{
Source: &cdx.Source{
Name: string(sourceID),
},
Severity: toCDXSeverity(severity),
}
rates = append(rates, rate)
}
}
// For consistency
sort.Slice(rates, func(i, j int) bool {
if rates[i].Source.Name != rates[j].Source.Name {
return rates[i].Source.Name < rates[j].Source.Name
}
if rates[i].Method != rates[j].Method {
return rates[i].Method < rates[j].Method
}
return rates[i].Score < rates[j].Score
})
return &rates
}
func ratingV2(sourceID dtypes.SourceID, severity dtypes.Severity, cvss dtypes.CVSS) cdx.VulnerabilityRating {
cdxSeverity := toCDXSeverity(severity)
// Trivy keeps only CVSSv3 severity for NVD.
// The CVSSv2 severity must be calculated according to CVSSv2 score.
if sourceID == vulnerability.NVD {
cdxSeverity = nvdSeverityV2(cvss.V2Score)
}
return cdx.VulnerabilityRating{
Source: &cdx.Source{
Name: string(sourceID),
},
Score: cvss.V2Score,
Method: cdx.ScoringMethodCVSSv2,
Severity: cdxSeverity,
Vector: cvss.V2Vector,
}
}
func nvdSeverityV2(score float64) cdx.Severity {
// cf. https://nvd.nist.gov/vuln-metrics/cvss
switch {
case score < 4.0:
return cdx.SeverityInfo
case 4.0 <= score && score < 7.0:
return cdx.SeverityMedium
case 7.0 <= score:
return cdx.SeverityHigh
}
return cdx.SeverityUnknown
}
func ratingV3(sourceID dtypes.SourceID, severity dtypes.Severity, cvss dtypes.CVSS) cdx.VulnerabilityRating {
rate := cdx.VulnerabilityRating{
Source: &cdx.Source{
Name: string(sourceID),
},
Score: cvss.V3Score,
Method: cdx.ScoringMethodCVSSv3,
Severity: toCDXSeverity(severity),
Vector: cvss.V3Vector,
}
if strings.HasPrefix(cvss.V3Vector, "CVSS:3.1") {
rate.Method = cdx.ScoringMethodCVSSv31
}
return rate
}
func toCDXSeverity(s dtypes.Severity) cdx.Severity {
switch s {
case dtypes.SeverityLow:
return cdx.SeverityLow
case dtypes.SeverityMedium:
return cdx.SeverityMedium
case dtypes.SeverityHigh:
return cdx.SeverityHigh
case dtypes.SeverityCritical:
return cdx.SeverityCritical
default:
return cdx.SeverityUnknown
}
}
func source(source *dtypes.DataSource) *cdx.Source {
if source == nil {
return nil
}
return &cdx.Source{
Name: string(source.ID),
URL: source.URL,
}
}
func affects(ref, version string) cdx.Affects {
return cdx.Affects{
Ref: ref,
Range: &[]cdx.AffectedVersions{
{
Version: version,
Status: cdx.VulnerabilityStatusAffected,
// "AffectedVersions.Range" is not included, because it does not exist in DetectedVulnerability.
},
},
}
}
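Review bot: nvdSeverityV2 maps any CVSSv2 score below 4.0 to cdx.SeverityInfo, but the NVD page cited in the comment directly above it rates 0.0–3.9 as Low, so the first case should read `return cdx.SeverityLow`; as written, every NVD v2 rating under 4.0 carries a severity NVD never assigns. Separately, vulnerability() fills Published and Updated with time.Time.String(), which yields values like "2018-12-31 19:29:00 +0000 UTC", whereas the CycloneDX 1.4 schema declares both fields as date-time (RFC 3339); `v.Published = vuln.PublishedDate.Format(time.RFC3339)` and the same for Updated would produce schema-valid output (the expected strings in the test file would change with it). In parseComponents, a miss on bomRefMap leaves ref empty and that empty string is then emitted as Affects.Ref; logging and skipping that case would keep an unresolvable reference out of the BOM rather than silently producing an invalid one.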


@@ -16,6 +16,8 @@ import (
fos "github.com/aquasecurity/fanal/analyzer/os" fos "github.com/aquasecurity/fanal/analyzer/os"
ftypes "github.com/aquasecurity/fanal/types" ftypes "github.com/aquasecurity/fanal/types"
dtypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/report" "github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/report/cyclonedx" "github.com/aquasecurity/trivy/pkg/report/cyclonedx"
"github.com/aquasecurity/trivy/pkg/types" "github.com/aquasecurity/trivy/pkg/types"
@@ -55,27 +57,72 @@ func TestWriter_Write(t *testing.T) {
Type: fos.CentOS, Type: fos.CentOS,
Packages: []ftypes.Package{ Packages: []ftypes.Package{
{ {
Name: "acl", Name: "binutils",
Version: "2.2.53", Version: "2.30",
Release: "1.el8", Release: "93.el8",
Epoch: 0, Epoch: 0,
Arch: "aarch64", Arch: "aarch64",
SrcName: "acl", SrcName: "binutils",
SrcVersion: "2.2.53", SrcVersion: "2.30",
SrcRelease: "1.el8", SrcRelease: "93.el8",
SrcEpoch: 0, SrcEpoch: 0,
Modularitylabel: "", Modularitylabel: "",
License: "GPLv2+", License: "GPLv3+",
},
},
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2018-20623",
PkgName: "binutils",
InstalledVersion: "2.30-93.el8",
Layer: ftypes.Layer{
DiffID: "sha256:d871dadfb37b53ef1ca45be04fc527562b91989991a8f545345ae3be0b93f92a",
},
SeveritySource: vulnerability.RedHatOVAL,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2018-20623",
DataSource: &dtypes.DataSource{
ID: vulnerability.RedHatOVAL,
Name: "Red Hat OVAL v2",
URL: "https://www.redhat.com/security/data/oval/v2/",
},
Vulnerability: dtypes.Vulnerability{
Title: "binutils: Use-after-free in the error function",
Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
Severity: dtypes.SeverityMedium.String(),
VendorSeverity: dtypes.VendorSeverity{
vulnerability.NVD: dtypes.SeverityMedium,
vulnerability.RedHatOVAL: dtypes.SeverityMedium,
},
CweIDs: []string{"CWE-416"},
CVSS: dtypes.VendorCVSS{
vulnerability.NVD: dtypes.CVSS{
V2Vector: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
V3Vector: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
V2Score: 4.3,
V3Score: 5.5,
},
vulnerability.RedHatOVAL: dtypes.CVSS{
V3Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
V3Score: 5.3,
},
},
References: []string{
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
PublishedDate: timePtr(time.Date(2018, 12, 31, 19, 29, 0, 0, time.UTC)),
LastModifiedDate: timePtr(time.Date(2019, 10, 31, 1, 15, 0, 0, time.UTC)),
},
}, },
}, },
}, },
{ {
Target: "app/subproject/Gemfile.lock", Target: "app/subproject/Gemfile.lock",
Class: types.ClassLangPkg, Class: types.ClassLangPkg,
Type: "bundler", Type: ftypes.Bundler,
Packages: []ftypes.Package{ Packages: []ftypes.Package{
{ {
Name: "actioncable", Name: "actionpack",
Version: "7.0.0", Version: "7.0.0",
}, },
{ {
@@ -90,7 +137,7 @@ func TestWriter_Write(t *testing.T) {
Type: ftypes.Bundler, Type: ftypes.Bundler,
Packages: []ftypes.Package{ Packages: []ftypes.Package{
{ {
Name: "actioncable", Name: "actionpack",
Version: "7.0.0", Version: "7.0.0",
}, },
}, },
@@ -146,26 +193,26 @@ func TestWriter_Write(t *testing.T) {
}, },
Components: &[]cdx.Component{ Components: &[]cdx.Component{
{ {
BOMRef: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011", BOMRef: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
Type: cdx.ComponentTypeLibrary, Type: cdx.ComponentTypeLibrary,
Name: "acl", Name: "binutils",
Version: "2.2.53-1.el8", Version: "2.30-93.el8",
Licenses: &cdx.Licenses{ Licenses: &cdx.Licenses{
cdx.LicenseChoice{Expression: "GPLv2+"}, cdx.LicenseChoice{Expression: "GPLv3+"},
}, },
PackageURL: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011", PackageURL: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
Properties: &[]cdx.Property{ Properties: &[]cdx.Property{
{ {
Name: "aquasecurity:trivy:SrcName", Name: "aquasecurity:trivy:SrcName",
Value: "acl", Value: "binutils",
}, },
{ {
Name: "aquasecurity:trivy:SrcVersion", Name: "aquasecurity:trivy:SrcVersion",
Value: "2.2.53", Value: "2.30",
}, },
{ {
Name: "aquasecurity:trivy:SrcRelease", Name: "aquasecurity:trivy:SrcRelease",
Value: "1.el8", Value: "93.el8",
}, },
}, },
}, },
@@ -186,11 +233,11 @@ func TestWriter_Write(t *testing.T) {
}, },
}, },
{ {
BOMRef: "pkg:gem/actioncable@7.0.0", BOMRef: "pkg:gem/actionpack@7.0.0",
Type: cdx.ComponentTypeLibrary, Type: cdx.ComponentTypeLibrary,
Name: "actioncable", Name: "actionpack",
Version: "7.0.0", Version: "7.0.0",
PackageURL: "pkg:gem/actioncable@7.0.0", PackageURL: "pkg:gem/actionpack@7.0.0",
}, },
{ {
BOMRef: "pkg:gem/actioncontroller@7.0.0", BOMRef: "pkg:gem/actioncontroller@7.0.0",
@@ -237,7 +284,7 @@ func TestWriter_Write(t *testing.T) {
Ref: "3ff14136-e09f-4df9-80ea-000000000002", Ref: "3ff14136-e09f-4df9-80ea-000000000002",
Dependencies: &[]cdx.Dependency{ Dependencies: &[]cdx.Dependency{
{ {
Ref: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011", Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
}, },
}, },
}, },
@@ -245,7 +292,7 @@ func TestWriter_Write(t *testing.T) {
Ref: "3ff14136-e09f-4df9-80ea-000000000003", Ref: "3ff14136-e09f-4df9-80ea-000000000003",
Dependencies: &[]cdx.Dependency{ Dependencies: &[]cdx.Dependency{
{ {
Ref: "pkg:gem/actioncable@7.0.0", Ref: "pkg:gem/actionpack@7.0.0",
}, },
{ {
Ref: "pkg:gem/actioncontroller@7.0.0", Ref: "pkg:gem/actioncontroller@7.0.0",
@@ -256,7 +303,7 @@ func TestWriter_Write(t *testing.T) {
Ref: "3ff14136-e09f-4df9-80ea-000000000004", Ref: "3ff14136-e09f-4df9-80ea-000000000004",
Dependencies: &[]cdx.Dependency{ Dependencies: &[]cdx.Dependency{
{ {
Ref: "pkg:gem/actioncable@7.0.0", Ref: "pkg:gem/actionpack@7.0.0",
}, },
}, },
}, },
@@ -275,6 +322,72 @@ func TestWriter_Write(t *testing.T) {
}, },
}, },
}, },
Vulnerabilities: &[]cdx.Vulnerability{
{
ID: "CVE-2018-20623",
Source: &cdx.Source{
Name: string(vulnerability.RedHatOVAL),
URL: "https://www.redhat.com/security/data/oval/v2/",
},
Ratings: &[]cdx.VulnerabilityRating{
{
Source: &cdx.Source{
Name: string(vulnerability.NVD),
URL: "",
},
Score: 4.3,
Severity: cdx.SeverityMedium,
Method: cdx.ScoringMethodCVSSv2,
Vector: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
},
{
Source: &cdx.Source{
Name: string(vulnerability.NVD),
URL: "",
},
Score: 5.5,
Severity: cdx.SeverityMedium,
Method: cdx.ScoringMethodCVSSv3,
Vector: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
},
{
Source: &cdx.Source{
Name: string(vulnerability.RedHatOVAL),
URL: "",
},
Score: 5.3,
Severity: cdx.SeverityMedium,
Method: cdx.ScoringMethodCVSSv3,
Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
},
},
CWEs: &[]int{
416,
},
Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
Advisories: &[]cdx.Advisory{
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
},
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
},
Published: "2018-12-31 19:29:00 +0000 UTC",
Updated: "2019-10-31 01:15:00 +0000 UTC",
Affects: &[]cdx.Affects{
{
Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
Range: &[]cdx.AffectedVersions{
{
Version: "2.30-93.el8",
Status: cdx.VulnerabilityStatusAffected,
},
},
},
},
},
},
}, },
}, },
{ {
@@ -286,7 +399,7 @@ func TestWriter_Write(t *testing.T) {
Metadata: types.Metadata{ Metadata: types.Metadata{
Size: 1024, Size: 1024,
OS: &ftypes.OS{ OS: &ftypes.OS{
Family: "centos", Family: fos.CentOS,
Name: "8.3.2011", Name: "8.3.2011",
Eosl: true, Eosl: true,
}, },
@@ -318,6 +431,115 @@ func TestWriter_Write(t *testing.T) {
}, },
}, },
}, },
{
Target: "Ruby",
Class: types.ClassLangPkg,
Type: ftypes.GemSpec,
Packages: []ftypes.Package{
{
Name: "actionpack",
Version: "7.0.0",
Layer: ftypes.Layer{
DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
},
FilePath: "tools/project-john/specifications/actionpack.gemspec",
},
{
Name: "actionpack",
Version: "7.0.1",
Layer: ftypes.Layer{
DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
},
FilePath: "tools/project-doe/specifications/actionpack.gemspec",
},
},
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2022-23633",
PkgName: "actionpack",
PkgPath: "tools/project-john/specifications/actionpack.gemspec",
InstalledVersion: "7.0.0",
FixedVersion: "~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2",
SeveritySource: vulnerability.RubySec,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-23633",
DataSource: &dtypes.DataSource{
ID: vulnerability.RubySec,
Name: "Ruby Advisory Database",
URL: "https://github.com/rubysec/ruby-advisory-db",
},
Vulnerability: dtypes.Vulnerability{
Title: "rubygem-actionpack: information leak between requests",
Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
Severity: dtypes.SeverityMedium.String(),
VendorSeverity: dtypes.VendorSeverity{
vulnerability.NVD: dtypes.SeverityMedium,
vulnerability.RedHat: dtypes.SeverityLow,
vulnerability.RubySec: dtypes.SeverityHigh,
},
CVSS: dtypes.VendorCVSS{
vulnerability.NVD: dtypes.CVSS{
V2Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C",
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
V2Score: 9.7,
V3Score: 5.9,
},
vulnerability.RedHat: dtypes.CVSS{
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
V3Score: 5.9,
},
},
References: []string{
"http://www.openwall.com/lists/oss-security/2022/02/11/5",
"https://access.redhat.com/security/cve/CVE-2022-23633",
},
PublishedDate: timePtr(time.Date(2022, 2, 11, 21, 15, 0, 0, time.UTC)),
LastModifiedDate: timePtr(time.Date(2022, 2, 22, 21, 47, 0, 0, time.UTC)),
},
},
{
VulnerabilityID: "CVE-2022-23633",
PkgName: "actionpack",
PkgPath: "tools/project-doe/specifications/actionpack.gemspec",
InstalledVersion: "7.0.1",
FixedVersion: "~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2",
SeveritySource: vulnerability.RubySec,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-23633",
DataSource: &dtypes.DataSource{
ID: vulnerability.RubySec,
Name: "Ruby Advisory Database",
URL: "https://github.com/rubysec/ruby-advisory-db",
},
Vulnerability: dtypes.Vulnerability{
Title: "rubygem-actionpack: information leak between requests",
Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
Severity: dtypes.SeverityMedium.String(),
VendorSeverity: dtypes.VendorSeverity{
vulnerability.NVD: dtypes.SeverityMedium,
vulnerability.RedHat: dtypes.SeverityLow,
vulnerability.RubySec: dtypes.SeverityHigh,
},
CVSS: dtypes.VendorCVSS{
vulnerability.NVD: dtypes.CVSS{
V2Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C",
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
V2Score: 9.7,
V3Score: 5.9,
},
vulnerability.RedHat: dtypes.CVSS{
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
V3Score: 5.9,
},
},
References: []string{
"http://www.openwall.com/lists/oss-security/2022/02/11/5",
"https://access.redhat.com/security/cve/CVE-2022-23633",
},
PublishedDate: timePtr(time.Date(2022, 2, 11, 21, 15, 0, 0, time.UTC)),
LastModifiedDate: timePtr(time.Date(2022, 2, 22, 21, 47, 0, 0, time.UTC)),
},
},
},
},
}, },
}, },
wantSBOM: &cdx.BOM{ wantSBOM: &cdx.BOM{
@@ -391,7 +613,7 @@ func TestWriter_Write(t *testing.T) {
{ {
BOMRef: "3ff14136-e09f-4df9-80ea-000000000003", BOMRef: "3ff14136-e09f-4df9-80ea-000000000003",
Type: cdx.ComponentTypeOS, Type: cdx.ComponentTypeOS,
Name: "centos", Name: fos.CentOS,
Version: "8.3.2011", Version: "8.3.2011",
Properties: &[]cdx.Property{ Properties: &[]cdx.Property{
{ {
@@ -404,6 +626,40 @@ func TestWriter_Write(t *testing.T) {
}, },
}, },
}, },
{
BOMRef: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
Type: cdx.ComponentTypeLibrary,
Name: "actionpack",
Version: "7.0.0",
PackageURL: "pkg:gem/actionpack@7.0.0",
Properties: &[]cdx.Property{
{
Name: "aquasecurity:trivy:FilePath",
Value: "tools/project-john/specifications/actionpack.gemspec",
},
{
Name: "aquasecurity:trivy:LayerDiffID",
Value: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
},
},
},
{
BOMRef: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
Type: cdx.ComponentTypeLibrary,
Name: "actionpack",
Version: "7.0.1",
PackageURL: "pkg:gem/actionpack@7.0.1",
Properties: &[]cdx.Property{
{
Name: "aquasecurity:trivy:FilePath",
Value: "tools/project-doe/specifications/actionpack.gemspec",
},
{
Name: "aquasecurity:trivy:LayerDiffID",
Value: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
},
},
},
}, },
Dependencies: &[]cdx.Dependency{ Dependencies: &[]cdx.Dependency{
{ {
@@ -420,6 +676,87 @@ func TestWriter_Write(t *testing.T) {
{ {
Ref: "3ff14136-e09f-4df9-80ea-000000000003", Ref: "3ff14136-e09f-4df9-80ea-000000000003",
}, },
{
Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
},
{
Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
},
},
},
},
Vulnerabilities: &[]cdx.Vulnerability{
{
ID: "CVE-2022-23633",
Source: &cdx.Source{
Name: string(vulnerability.RubySec),
URL: "https://github.com/rubysec/ruby-advisory-db",
},
Ratings: &[]cdx.VulnerabilityRating{
{
Source: &cdx.Source{
Name: string(vulnerability.NVD),
},
Score: 9.7,
Severity: cdx.SeverityHigh,
Method: cdx.ScoringMethodCVSSv2,
Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C",
},
{
Source: &cdx.Source{
Name: string(vulnerability.NVD),
},
Score: 5.9,
Severity: cdx.SeverityMedium,
Method: cdx.ScoringMethodCVSSv31,
Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
},
{
Source: &cdx.Source{
Name: string(vulnerability.RedHat),
},
Score: 5.9,
Severity: cdx.SeverityLow,
Method: cdx.ScoringMethodCVSSv31,
Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
},
{
Source: &cdx.Source{
Name: string(vulnerability.RubySec),
},
Severity: cdx.SeverityHigh,
},
},
Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
Advisories: &[]cdx.Advisory{
{
URL: "http://www.openwall.com/lists/oss-security/2022/02/11/5",
},
{
URL: "https://access.redhat.com/security/cve/CVE-2022-23633",
},
},
Published: "2022-02-11 21:15:00 +0000 UTC",
Updated: "2022-02-22 21:47:00 +0000 UTC",
Affects: &[]cdx.Affects{
{
Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
Range: &[]cdx.AffectedVersions{
{
Version: "7.0.0",
Status: cdx.VulnerabilityStatusAffected,
},
},
},
{
Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
Range: &[]cdx.AffectedVersions{
{
Version: "7.0.1",
Status: cdx.VulnerabilityStatusAffected,
},
},
},
}, },
}, },
}, },
@@ -495,6 +832,7 @@ func TestWriter_Write(t *testing.T) {
}, },
}, },
}, },
Vulnerabilities: &[]cdx.Vulnerability{},
Dependencies: &[]cdx.Dependency{ Dependencies: &[]cdx.Dependency{
{ {
Ref: "3ff14136-e09f-4df9-80ea-000000000003", Ref: "3ff14136-e09f-4df9-80ea-000000000003",
@@ -588,6 +926,7 @@ func TestWriter_Write(t *testing.T) {
}, },
}, },
}, },
Vulnerabilities: &[]cdx.Vulnerability{},
Dependencies: &[]cdx.Dependency{ Dependencies: &[]cdx.Dependency{
{ {
Ref: "3ff14136-e09f-4df9-80ea-000000000002", Ref: "3ff14136-e09f-4df9-80ea-000000000002",
@@ -635,6 +974,7 @@ func TestWriter_Write(t *testing.T) {
}, },
}, },
}, },
Vulnerabilities: &[]cdx.Vulnerability{},
Dependencies: &[]cdx.Dependency{ Dependencies: &[]cdx.Dependency{
{ {
Ref: "3ff14136-e09f-4df9-80ea-000000000002", Ref: "3ff14136-e09f-4df9-80ea-000000000002",
@@ -650,9 +990,7 @@ func TestWriter_Write(t *testing.T) {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
var count int var count int
newUUID := func() uuid.UUID { newUUID := func() uuid.UUID {
count++ count++
return uuid.Must(uuid.Parse(fmt.Sprintf("3ff14136-e09f-4df9-80ea-%012d", count))) return uuid.Must(uuid.Parse(fmt.Sprintf("3ff14136-e09f-4df9-80ea-%012d", count)))
} }
@@ -670,3 +1008,6 @@ func TestWriter_Write(t *testing.T) {
}) })
} }
} }
func timePtr(t time.Time) *time.Time {
return &t
}
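Review bot: Neither table case exercises an NVD CVSSv2 score below 4.0 (the fixtures use 4.3 and 9.7), so the first branch of nvdSeverityV2 is never checked; a DetectedVulnerability with, say, V2Score 2.1 (constructed value) and an assertion on the resulting rating's Severity against the NVD v2 scale would pin it. The expected `Published: "2018-12-31 19:29:00 +0000 UTC"` and `Updated:` strings lock in Go's time.Time.String() layout, so they will need updating if the writer moves to an RFC 3339 layout for those fields.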


@@ -17,6 +17,14 @@ type JSONWriter struct {
// Write writes the results in JSON format // Write writes the results in JSON format
func (jw JSONWriter) Write(report types.Report) error { func (jw JSONWriter) Write(report types.Report) error {
// VendorSeverity includes all vendor severities.
// It would be noisy to users, so it should be removed from the JSON output.
for i := 0; i < len(report.Results); i++ {
for j := 0; j < len(report.Results[i].Vulnerabilities); j++ {
report.Results[i].Vulnerabilities[j].VendorSeverity = nil
}
}
output, err := json.MarshalIndent(report, "", " ") output, err := json.MarshalIndent(report, "", " ")
if err != nil { if err != nil {
return xerrors.Errorf("failed to marshal json: %w", err) return xerrors.Errorf("failed to marshal json: %w", err)
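Review bot: The new loop clears VendorSeverity on report.Results[i].Vulnerabilities[j] in place, and because report.Results is a slice whose backing array is shared with the caller, the field is stripped from the caller's report as well, not just from the JSON output; any writer run afterwards on the same report (the CycloneDX writer in this commit reads VendorSeverity to build its ratings) would then see nil. Cloning the Results and Vulnerabilities slices before clearing keeps the mutation local to this writer. The index loops can also be written as `for i := range results` / `for j := range vulns`. Write's body continues outside the hunk.

```go
func (jw JSONWriter) Write(report types.Report) error {
	// VendorSeverity includes all vendor severities.
	// It would be noisy to users, so it should be removed from the JSON output.
	// Clone before clearing: report.Results shares its backing array with the
	// caller, so a nil assignment in place would also strip the field for any
	// later writer that consumes the same report.
	results := append(report.Results[:0:0], report.Results...)
	for i := range results {
		vulns := append(results[i].Vulnerabilities[:0:0], results[i].Vulnerabilities...)
		for j := range vulns {
			vulns[j].VendorSeverity = nil
		}
		results[i].Vulnerabilities = vulns
	}
	report.Results = results
	// … unchanged: json.MarshalIndent and error handling …
```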


@@ -8,6 +8,7 @@ import (
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types" dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/report" "github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/types" "github.com/aquasecurity/trivy/pkg/types"
) )
@@ -31,6 +32,9 @@ func TestReportWriter_JSON(t *testing.T) {
Title: "foobar", Title: "foobar",
Description: "baz", Description: "baz",
Severity: "HIGH", Severity: "HIGH",
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
vulnerability.NVD: dbTypes.SeverityHigh,
},
}, },
}, },
}, },


@@ -43,6 +43,10 @@ func TestReportWriter_Sarif(t *testing.T) {
Title: "foobar", Title: "foobar",
Description: "baz", Description: "baz",
Severity: "HIGH", Severity: "HIGH",
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
vulnerability.NVD: dbTypes.SeverityCritical,
vulnerability.RedHat: dbTypes.SeverityHigh,
},
CVSS: map[dbTypes.SourceID]dbTypes.CVSS{ CVSS: map[dbTypes.SourceID]dbTypes.CVSS{
vulnerability.NVD: { vulnerability.NVD: {
V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",


@@ -28,6 +28,9 @@ func TestReportWriter_Template(t *testing.T) {
PkgName: "foo", PkgName: "foo",
Vulnerability: dbTypes.Vulnerability{ Vulnerability: dbTypes.Vulnerability{
Severity: dbTypes.SeverityHigh.String(), Severity: dbTypes.SeverityHigh.String(),
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
"nvd": 1,
},
}, },
}, },
{ {


@@ -87,7 +87,6 @@ func (c Client) FillVulnerabilityInfo(vulns []types.DetectedVulnerability, repor
vulns[i].Severity = severity vulns[i].Severity = severity
vulns[i].SeveritySource = severitySource vulns[i].SeveritySource = severitySource
vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, source) vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, source)
vulns[i].Vulnerability.VendorSeverity = nil // Remove VendorSeverity from Results
} }
} }
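Review bot: Dropping `vulns[i].Vulnerability.VendorSeverity = nil` also drops the only comment explaining why the per-vendor map was being discarded, and the field now stays on every DetectedVulnerability that leaves FillVulnerabilityInfo, so every report writer and the RPC path receive it. The JSON writer visible at the top of this page compensates by nil-ing the field in place just before marshalling, which mutates the caller's report rather than a serialized copy; if the same report is later handed to another writer that data is gone, which is worth confirming. I would keep a comment at the removed line's position so the next reader knows the retention is deliberate: `// VendorSeverity is intentionally kept on the result so report writers can emit per-source severities; writers that do not want it strip it themselves.` FillVulnerabilityInfo begins before this hunk.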


@@ -72,9 +72,12 @@ func TestClient_FillVulnerabilityInfo(t *testing.T) {
{ {
VulnerabilityID: "CVE-2019-0002", VulnerabilityID: "CVE-2019-0002",
Vulnerability: dbTypes.Vulnerability{ Vulnerability: dbTypes.Vulnerability{
Title: "dos", Title: "dos",
Description: "dos vulnerability", Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(), Severity: dbTypes.SeverityLow.String(),
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.NVD: dbTypes.SeverityLow,
},
References: []string{"http://example.com"}, References: []string{"http://example.com"},
LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"), LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"), PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"),
@@ -146,8 +149,11 @@ func TestClient_FillVulnerabilityInfo(t *testing.T) {
Title: "dos", Title: "dos",
Description: "dos vulnerability", Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(), Severity: dbTypes.SeverityLow.String(),
CweIDs: []string{"CWE-311"}, VendorSeverity: dbTypes.VendorSeverity{
References: []string{"http://example.com"}, vulnerability.RedHat: dbTypes.SeverityLow,
},
CweIDs: []string{"CWE-311"},
References: []string{"http://example.com"},
CVSS: map[dbTypes.SourceID]dbTypes.CVSS{ CVSS: map[dbTypes.SourceID]dbTypes.CVSS{
vulnerability.NVD: { vulnerability.NVD: {
V2Vector: "AV:N/AC:L/Au:N/C:P/I:P/A:P", V2Vector: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -196,7 +202,10 @@ func TestClient_FillVulnerabilityInfo(t *testing.T) {
Title: "COVID-19", Title: "COVID-19",
Description: "a nasty virus vulnerability for humans", Description: "a nasty virus vulnerability for humans",
Severity: dbTypes.SeverityCritical.String(), Severity: dbTypes.SeverityCritical.String(),
References: []string{"https://www.who.int/emergencies/diseases/novel-coronavirus-2019"}, VendorSeverity: dbTypes.VendorSeverity{
vulnerability.GHSA: dbTypes.SeverityCritical,
},
References: []string{"https://www.who.int/emergencies/diseases/novel-coronavirus-2019"},
}, },
SeveritySource: vulnerability.GHSA, SeveritySource: vulnerability.GHSA,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-0005", PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-0005",


@@ -16,6 +16,7 @@ import (
ftypes "github.com/aquasecurity/fanal/types" ftypes "github.com/aquasecurity/fanal/types"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types" dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils" "github.com/aquasecurity/trivy-db/pkg/utils"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/types" "github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/rpc/common" "github.com/aquasecurity/trivy/rpc/common"
rpc "github.com/aquasecurity/trivy/rpc/scanner" rpc "github.com/aquasecurity/trivy/rpc/scanner"
@@ -71,6 +72,10 @@ func TestScanner_Scan(t *testing.T) {
Severity: common.Severity_CRITICAL, Severity: common.Severity_CRITICAL,
References: []string{"http://exammple.com"}, References: []string{"http://exammple.com"},
SeveritySource: "nvd", SeveritySource: "nvd",
VendorSeverity: map[string]common.Severity{
string(vulnerability.NVD): common.Severity_MEDIUM,
string(vulnerability.RedHat): common.Severity_MEDIUM,
},
Cvss: map[string]*common.CVSS{ Cvss: map[string]*common.CVSS{
"nvd": { "nvd": {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C", V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -114,6 +119,10 @@ func TestScanner_Scan(t *testing.T) {
Description: "Denial os Service", Description: "Denial os Service",
Severity: "CRITICAL", Severity: "CRITICAL",
References: []string{"http://exammple.com"}, References: []string{"http://exammple.com"},
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.NVD: dbTypes.SeverityMedium,
vulnerability.RedHat: dbTypes.SeverityMedium,
},
CVSS: dbTypes.VendorCVSS{ CVSS: dbTypes.VendorCVSS{
"nvd": { "nvd": {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C", V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",


@@ -102,6 +102,10 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
V3Score: vendorSeverity.V3Score, V3Score: vendorSeverity.V3Score,
} }
} }
vensorSeverityMap := make(map[string]common.Severity)
for vendor, vendorSeverity := range vuln.VendorSeverity {
vensorSeverityMap[string(vendor)] = common.Severity(vendorSeverity)
}
var lastModifiedDate, publishedDate *timestamp.Timestamp var lastModifiedDate, publishedDate *timestamp.Timestamp
if vuln.LastModifiedDate != nil { if vuln.LastModifiedDate != nil {
@@ -129,6 +133,7 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
Title: vuln.Title, Title: vuln.Title,
Description: vuln.Description, Description: vuln.Description,
Severity: common.Severity(severity), Severity: common.Severity(severity),
VendorSeverity: vensorSeverityMap,
References: vuln.References, References: vuln.References,
Layer: ConvertToRPCLayer(vuln.Layer), Layer: ConvertToRPCLayer(vuln.Layer),
Cvss: cvssMap, Cvss: cvssMap,
@@ -240,6 +245,10 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
V3Score: vendorSeverity.V3Score, V3Score: vendorSeverity.V3Score,
} }
} }
vensorSeverityMap := make(dbTypes.VendorSeverity)
for vendor, vendorSeverity := range vuln.VendorSeverity {
vensorSeverityMap[dbTypes.SourceID(vendor)] = dbTypes.Severity(vendorSeverity)
}
var lastModifiedDate, publishedDate *time.Time var lastModifiedDate, publishedDate *time.Time
if vuln.LastModifiedDate != nil { if vuln.LastModifiedDate != nil {
@@ -267,6 +276,7 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
LastModifiedDate: lastModifiedDate, LastModifiedDate: lastModifiedDate,
PublishedDate: publishedDate, PublishedDate: publishedDate,
Custom: vuln.CustomVulnData.AsInterface(), Custom: vuln.CustomVulnData.AsInterface(),
VendorSeverity: vensorSeverityMap,
}, },
Layer: ConvertFromRPCLayer(vuln.Layer), Layer: ConvertFromRPCLayer(vuln.Layer),
SeveritySource: dbTypes.SourceID(vuln.SeveritySource), SeveritySource: dbTypes.SourceID(vuln.SeveritySource),
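Review bot: `vensorSeverityMap`, introduced in both ConvertToRPCVulns and ConvertFromRPCVulns and read at `VendorSeverity: vensorSeverityMap` in each, is a typo for `vendorSeverityMap`; with the name now appearing four times it is worth fixing before it spreads. The conversions `common.Severity(vendorSeverity)` and `dbTypes.Severity(vendorSeverity)` are plain integer casts with no range check, so they rely on the two Severity enums sharing the same numbering; the pre-existing `Severity: common.Severity(severity)` already makes that assumption, but a one-line comment at the new loops would make it explicit, e.g. `// dbTypes.Severity and common.Severity share numeric values; cast directly.` Note also that ConvertFromRPCVulns now always yields a non-nil (possibly empty) VendorSeverity map even when the RPC field is absent, which the updated test expectation `make(dbTypes.VendorSeverity)` reflects, so any caller that distinguishes nil from empty will see a behaviour change. Both functions start before their hunks.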


@@ -221,8 +221,11 @@ func TestConvertToRpcVulns(t *testing.T) {
Title: "DoS", Title: "DoS",
Description: "Denial of Service", Description: "Denial of Service",
Severity: "MEDIUM", Severity: "MEDIUM",
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.RedHat: dbTypes.SeverityMedium,
},
CVSS: dbTypes.VendorCVSS{ CVSS: dbTypes.VendorCVSS{
"redhat": { vulnerability.RedHat: {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C", V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
V2Score: 7.2, V2Score: 7.2,
@@ -254,6 +257,9 @@ func TestConvertToRpcVulns(t *testing.T) {
Title: "DoS", Title: "DoS",
Description: "Denial of Service", Description: "Denial of Service",
Severity: common.Severity_MEDIUM, Severity: common.Severity_MEDIUM,
VendorSeverity: map[string]common.Severity{
string(vulnerability.RedHat): common.Severity_MEDIUM,
},
Cvss: map[string]*common.CVSS{ Cvss: map[string]*common.CVSS{
"redhat": { "redhat": {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C", V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -312,6 +318,7 @@ func TestConvertToRpcVulns(t *testing.T) {
Title: "DoS", Title: "DoS",
Description: "Denial of Service", Description: "Denial of Service",
Severity: common.Severity_UNKNOWN, Severity: common.Severity_UNKNOWN,
VendorSeverity: make(map[string]common.Severity),
Cvss: make(map[string]*common.CVSS), Cvss: make(map[string]*common.CVSS),
References: []string{"http://example.com"}, References: []string{"http://example.com"},
Layer: &common.Layer{ Layer: &common.Layer{
@@ -363,8 +370,11 @@ func TestConvertFromRPCResults(t *testing.T) {
Severity: common.Severity_MEDIUM, Severity: common.Severity_MEDIUM,
SeveritySource: string(vulnerability.NVD), SeveritySource: string(vulnerability.NVD),
CweIds: []string{"CWE-123", "CWE-456"}, CweIds: []string{"CWE-123", "CWE-456"},
VendorSeverity: map[string]common.Severity{
string(vulnerability.RedHat): common.Severity_MEDIUM,
},
Cvss: map[string]*common.CVSS{ Cvss: map[string]*common.CVSS{
"redhat": { string(vulnerability.RedHat): {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C", V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
V2Score: 7.2, V2Score: 7.2,
@@ -404,13 +414,15 @@ func TestConvertFromRPCResults(t *testing.T) {
SeveritySource: vulnerability.NVD, SeveritySource: vulnerability.NVD,
PrimaryURL: "https://avd.aquasec.com/nvd/CVE-2019-0001", PrimaryURL: "https://avd.aquasec.com/nvd/CVE-2019-0001",
Vulnerability: dbTypes.Vulnerability{ Vulnerability: dbTypes.Vulnerability{
Title: "DoS", Title: "DoS",
Description: "Denial of Service", Description: "Denial of Service",
Severity: common.Severity_MEDIUM.String(), Severity: common.Severity_MEDIUM.String(),
CweIDs: []string{"CWE-123", "CWE-456"}, VendorSeverity: dbTypes.VendorSeverity{
VendorSeverity: nil, vulnerability.RedHat: dbTypes.SeverityMedium,
},
CweIDs: []string{"CWE-123", "CWE-456"},
CVSS: dbTypes.VendorCVSS{ CVSS: dbTypes.VendorCVSS{
"redhat": { vulnerability.RedHat: {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C", V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
V2Score: 7.2, V2Score: 7.2,
@@ -488,9 +500,9 @@ func TestConvertFromRPCResults(t *testing.T) {
Description: "Denial of Service", Description: "Denial of Service",
Severity: common.Severity_MEDIUM.String(), Severity: common.Severity_MEDIUM.String(),
CweIDs: []string{"CWE-123", "CWE-456"}, CweIDs: []string{"CWE-123", "CWE-456"},
VendorSeverity: nil, VendorSeverity: make(dbTypes.VendorSeverity),
CVSS: dbTypes.VendorCVSS{ CVSS: dbTypes.VendorCVSS{
"redhat": { vulnerability.RedHat: {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C", V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
V2Score: 7.2, V2Score: 7.2,


@@ -18,6 +18,7 @@ import (
"github.com/aquasecurity/trivy-db/pkg/db" "github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types" dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils" "github.com/aquasecurity/trivy-db/pkg/utils"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest" "github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/result" "github.com/aquasecurity/trivy/pkg/result"
"github.com/aquasecurity/trivy/pkg/scanner" "github.com/aquasecurity/trivy/pkg/scanner"
@@ -110,10 +111,13 @@ func TestScanServer_Scan(t *testing.T) {
SeveritySource: "nvd", SeveritySource: "nvd",
Layer: &common.Layer{}, Layer: &common.Layer{},
Cvss: map[string]*common.CVSS{}, Cvss: map[string]*common.CVSS{},
PrimaryUrl: "https://avd.aquasec.com/nvd/cve-2019-0001", VendorSeverity: map[string]common.Severity{
Title: "dos", string(vulnerability.NVD): common.Severity_MEDIUM,
Description: "dos vulnerability", },
References: []string{"http://example.com"}, PrimaryUrl: "https://avd.aquasec.com/nvd/cve-2019-0001",
Title: "dos",
Description: "dos vulnerability",
References: []string{"http://example.com"},
LastModifiedDate: &timestamp.Timestamp{ LastModifiedDate: &timestamp.Timestamp{
Seconds: 1577840460, Seconds: 1577840460,
}, },


@@ -785,6 +785,7 @@ type Vulnerability struct {
CustomVulnData *structpb.Value `protobuf:"bytes,18,opt,name=custom_vuln_data,json=customVulnData,proto3" json:"custom_vuln_data,omitempty"` CustomVulnData *structpb.Value `protobuf:"bytes,18,opt,name=custom_vuln_data,json=customVulnData,proto3" json:"custom_vuln_data,omitempty"`
VendorIds []string `protobuf:"bytes,19,rep,name=vendor_ids,json=vendorIds,proto3" json:"vendor_ids,omitempty"` VendorIds []string `protobuf:"bytes,19,rep,name=vendor_ids,json=vendorIds,proto3" json:"vendor_ids,omitempty"`
DataSource *DataSource `protobuf:"bytes,20,opt,name=data_source,json=dataSource,proto3" json:"data_source,omitempty"` DataSource *DataSource `protobuf:"bytes,20,opt,name=data_source,json=dataSource,proto3" json:"data_source,omitempty"`
VendorSeverity map[string]Severity `protobuf:"bytes,21,rep,name=vendor_severity,json=vendorSeverity,proto3" json:"vendor_severity,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3,enum=trivy.common.Severity"`
} }
func (x *Vulnerability) Reset() { func (x *Vulnerability) Reset() {
@@ -952,6 +953,13 @@ func (x *Vulnerability) GetDataSource() *DataSource {
return nil return nil
} }
func (x *Vulnerability) GetVendorSeverity() map[string]Severity {
if x != nil {
return x.VendorSeverity
}
return nil
}
type DataSource struct { type DataSource struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@@ -1318,7 +1326,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65,
0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e,
0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61,
0x79, 0x65, 0x72, 0x22, 0xbc, 0x07, 0x0a, 0x0d, 0x56, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x79, 0x65, 0x72, 0x22, 0xf1, 0x08, 0x0a, 0x0d, 0x56, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62,
0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x29, 0x0a, 0x10, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x29, 0x0a, 0x10, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61,
0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x0f, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x49, 0x64, 0x0f, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x49, 0x64,
@@ -1373,45 +1381,56 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x74, 0x61, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x74, 0x61, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x0b, 0x32,
0x18, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x18, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x44,
0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x0a, 0x64, 0x61, 0x74, 0x61, 0x53, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x0a, 0x64, 0x61, 0x74, 0x61, 0x53,
0x6f, 0x75, 0x72, 0x63, 0x65, 0x1a, 0x4b, 0x0a, 0x09, 0x43, 0x76, 0x73, 0x73, 0x45, 0x6e, 0x74, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x58, 0x0a, 0x0f, 0x76, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x5f,
0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x15, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f,
0x03, 0x6b, 0x65, 0x79, 0x12, 0x28, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x56, 0x75,
0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x2e, 0x56, 0x65, 0x6e, 0x64,
0x6f, 0x6e, 0x2e, 0x43, 0x56, 0x53, 0x53, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x6f, 0x72, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52,
0x38, 0x01, 0x22, 0x42, 0x0a, 0x0a, 0x44, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x0e, 0x76, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x1a,
0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x4b, 0x0a, 0x09, 0x43, 0x76, 0x73, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03,
0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x28,
0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e,
0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x38, 0x0a, 0x05, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x56, 0x53,
0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x53, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x59, 0x0a, 0x13,
0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x66, 0x66, 0x5f, 0x56, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x45, 0x6e,
0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x66, 0x66, 0x49, 0x64, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
0x22, 0x76, 0x0a, 0x04, 0x43, 0x56, 0x53, 0x53, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x32, 0x5f, 0x76, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x32, 0x56, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x33, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x52, 0x05, 0x76, 0x61,
0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x33, 0x56, 0x65, 0x63, 0x74, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x42, 0x0a, 0x0a, 0x44, 0x61, 0x74, 0x61, 0x53,
0x6f, 0x72, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x32, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x03, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x32, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x12, 0x19, 0x0a, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20,
0x08, 0x76, 0x33, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x01, 0x52, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c,
0x07, 0x76, 0x33, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x43, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x38, 0x0a, 0x05, 0x4c,
0x74, 0x6f, 0x6d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x61, 0x79, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x01,
0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07,
0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x64, 0x69, 0x66, 0x66, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64,
0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x69, 0x66, 0x66, 0x49, 0x64, 0x22, 0x76, 0x0a, 0x04, 0x43, 0x56, 0x53, 0x53, 0x12, 0x1b, 0x0a,
0x6c, 0x61, 0x79, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x09, 0x76, 0x32, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x08, 0x76, 0x32, 0x56, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x33,
0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76,
0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x33, 0x56, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x32, 0x5f, 0x73, 0x63,
0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x04, 0x64, 0x6f, 0x72, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x32, 0x53, 0x63, 0x6f,
0x61, 0x74, 0x61, 0x2a, 0x44, 0x0a, 0x08, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x72, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x33, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04,
0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x33, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x22, 0x98, 0x01,
0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x45, 0x44, 0x49, 0x55, 0x4d, 0x10, 0x0a, 0x0e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
0x02, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x49, 0x47, 0x48, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x43, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
0x52, 0x49, 0x54, 0x49, 0x43, 0x41, 0x4c, 0x10, 0x04, 0x42, 0x31, 0x5a, 0x2f, 0x67, 0x69, 0x74, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74,
0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x71, 0x75, 0x61, 0x73, 0x65, 0x63, 0x75, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74,
0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b,
0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e,
0x6f, 0x74, 0x6f, 0x33, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x04,
0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c,
0x75, 0x65, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x2a, 0x44, 0x0a, 0x08, 0x53, 0x65, 0x76, 0x65,
0x72, 0x69, 0x74, 0x79, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
0x00, 0x12, 0x07, 0x0a, 0x03, 0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x45,
0x44, 0x49, 0x55, 0x4d, 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x49, 0x47, 0x48, 0x10, 0x03,
0x12, 0x0c, 0x0a, 0x08, 0x43, 0x52, 0x49, 0x54, 0x49, 0x43, 0x41, 0x4c, 0x10, 0x04, 0x42, 0x31,
0x5a, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x71, 0x75,
0x61, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2f,
0x72, 0x70, 0x63, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f,
0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
} }
var ( var (
@@ -1427,7 +1446,7 @@ func file_rpc_common_service_proto_rawDescGZIP() []byte {
} }
var file_rpc_common_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_rpc_common_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
var file_rpc_common_service_proto_msgTypes = make([]protoimpl.MessageInfo, 14) var file_rpc_common_service_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
var file_rpc_common_service_proto_goTypes = []interface{}{ var file_rpc_common_service_proto_goTypes = []interface{}{
(Severity)(0), // 0: trivy.common.Severity (Severity)(0), // 0: trivy.common.Severity
(*OS)(nil), // 1: trivy.common.OS (*OS)(nil), // 1: trivy.common.OS
@@ -1444,8 +1463,9 @@ var file_rpc_common_service_proto_goTypes = []interface{}{
(*CVSS)(nil), // 12: trivy.common.CVSS (*CVSS)(nil), // 12: trivy.common.CVSS
(*CustomResource)(nil), // 13: trivy.common.CustomResource (*CustomResource)(nil), // 13: trivy.common.CustomResource
nil, // 14: trivy.common.Vulnerability.CvssEntry nil, // 14: trivy.common.Vulnerability.CvssEntry
(*timestamppb.Timestamp)(nil), // 15: google.protobuf.Timestamp nil, // 15: trivy.common.Vulnerability.VendorSeverityEntry
(*structpb.Value)(nil), // 16: google.protobuf.Value (*timestamppb.Timestamp)(nil), // 16: google.protobuf.Timestamp
(*structpb.Value)(nil), // 17: google.protobuf.Value
} }
var file_rpc_common_service_proto_depIdxs = []int32{ var file_rpc_common_service_proto_depIdxs = []int32{
4, // 0: trivy.common.PackageInfo.packages:type_name -> trivy.common.Package 4, // 0: trivy.common.PackageInfo.packages:type_name -> trivy.common.Package
@@ -1460,19 +1480,21 @@ var file_rpc_common_service_proto_depIdxs = []int32{
0, // 9: trivy.common.Vulnerability.severity:type_name -> trivy.common.Severity 0, // 9: trivy.common.Vulnerability.severity:type_name -> trivy.common.Severity
11, // 10: trivy.common.Vulnerability.layer:type_name -> trivy.common.Layer 11, // 10: trivy.common.Vulnerability.layer:type_name -> trivy.common.Layer
14, // 11: trivy.common.Vulnerability.cvss:type_name -> trivy.common.Vulnerability.CvssEntry 14, // 11: trivy.common.Vulnerability.cvss:type_name -> trivy.common.Vulnerability.CvssEntry
15, // 12: trivy.common.Vulnerability.published_date:type_name -> google.protobuf.Timestamp 16, // 12: trivy.common.Vulnerability.published_date:type_name -> google.protobuf.Timestamp
15, // 13: trivy.common.Vulnerability.last_modified_date:type_name -> google.protobuf.Timestamp 16, // 13: trivy.common.Vulnerability.last_modified_date:type_name -> google.protobuf.Timestamp
16, // 14: trivy.common.Vulnerability.custom_advisory_data:type_name -> google.protobuf.Value 17, // 14: trivy.common.Vulnerability.custom_advisory_data:type_name -> google.protobuf.Value
16, // 15: trivy.common.Vulnerability.custom_vuln_data:type_name -> google.protobuf.Value 17, // 15: trivy.common.Vulnerability.custom_vuln_data:type_name -> google.protobuf.Value
10, // 16: trivy.common.Vulnerability.data_source:type_name -> trivy.common.DataSource 10, // 16: trivy.common.Vulnerability.data_source:type_name -> trivy.common.DataSource
11, // 17: trivy.common.CustomResource.layer:type_name -> trivy.common.Layer 15, // 17: trivy.common.Vulnerability.vendor_severity:type_name -> trivy.common.Vulnerability.VendorSeverityEntry
16, // 18: trivy.common.CustomResource.data:type_name -> google.protobuf.Value 11, // 18: trivy.common.CustomResource.layer:type_name -> trivy.common.Layer
12, // 19: trivy.common.Vulnerability.CvssEntry.value:type_name -> trivy.common.CVSS 17, // 19: trivy.common.CustomResource.data:type_name -> google.protobuf.Value
20, // [20:20] is the sub-list for method output_type 12, // 20: trivy.common.Vulnerability.CvssEntry.value:type_name -> trivy.common.CVSS
20, // [20:20] is the sub-list for method input_type 0, // 21: trivy.common.Vulnerability.VendorSeverityEntry.value:type_name -> trivy.common.Severity
20, // [20:20] is the sub-list for extension type_name 22, // [22:22] is the sub-list for method output_type
20, // [20:20] is the sub-list for extension extendee 22, // [22:22] is the sub-list for method input_type
0, // [0:20] is the sub-list for field type_name 22, // [22:22] is the sub-list for extension type_name
22, // [22:22] is the sub-list for extension extendee
0, // [0:22] is the sub-list for field type_name
} }
func init() { file_rpc_common_service_proto_init() } func init() { file_rpc_common_service_proto_init() }
@@ -1644,7 +1666,7 @@ func file_rpc_common_service_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(), GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_rpc_common_service_proto_rawDesc, RawDescriptor: file_rpc_common_service_proto_rawDesc,
NumEnums: 1, NumEnums: 1,
NumMessages: 14, NumMessages: 15,
NumExtensions: 0, NumExtensions: 0,
NumServices: 0, NumServices: 0,
}, },


@@ -101,6 +101,7 @@ message Vulnerability {
google.protobuf.Value custom_vuln_data = 18; google.protobuf.Value custom_vuln_data = 18;
repeated string vendor_ids = 19; repeated string vendor_ids = 19;
DataSource data_source = 20; DataSource data_source = 20;
map<string,Severity> vendor_severity = 21;
} }
message DataSource { message DataSource {
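Review bot: The new field `map<string,Severity> vendor_severity = 21;` carries no comment, and the key space (data-source IDs such as `nvd` and `redhat`, judging by the Go tests in this change) is not obvious from the proto alone. I would document it in place: `// Severity as assigned by each data source, keyed by source ID (e.g. "nvd", "redhat").` If the intent is that an absent map means "no per-source severities", say so as well; the Go conversion in this change always builds a map, and an empty proto3 map is encoded the same as an unset one, so readers cannot tell the two apart on the wire. Field number 21 follows the existing 20, so no wire-compatibility concern is visible here.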