gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 23:26:39 -08:00
Code Issues Packages Projects Releases Wiki Activity

feat(cyclonedx): add vulnerabilities (#1832)

Browse Source 
Co-authored-by: knqyf263 <knqyf263@gmail.com>
This commit is contained in:
Masahiro331
2022-03-23 03:22:55 +09:00
committed by GitHub
parent df80fd31a0
commit 7a148089ec
15 changed files with 792 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
docs/advanced/sbom/cyclonedx.md
View File

@@ -16,7 +16,7 @@ $ trivy image --format cyclonedx --output result.json alpine:3.15
$ cat result.json | jq .
{
"bomFormat": "CycloneDX",
"specVersion": "1.3",
"specVersion": "1.4",
"serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
"version": 1,
"metadata": {
@@ -163,13 +163,70 @@ $ cat result.json | jq .
"3da6a469-964d-4b4e-b67d-e94ec7c88d37"
]
}
],
"vulnerabilities": [
{
"id": "CVE-2021-42386",
"source": {
"name": "alpine",
"url": "https://secdb.alpinelinux.org/"
},
"ratings": [
{
"source": {
"name": "nvd"
},
"score": 7.2,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "nvd"
},
"score": 6.5,
"severity": "medium",
"method": "CVSSv2",
"vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"
},
{
"source": {
"name": "redhat"
},
"score": 6.6,
"severity": "medium",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
416
],
"description": "A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function",
"advisories": [
{
"url": "https://access.redhat.com/security/cve/CVE-2021-42386"
},
{
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386"
}
],
"published": "2021-11-15 21:15:00 +0000 UTC",
"updated": "2022-01-04 17:14:00 +0000 UTC",
"affects": [
{
"ref": "pkg:apk/alpine/busybox@1.33.1-r3?distro=3.14.2"
},
{
"ref": "pkg:apk/alpine/ssl_client@1.33.1-r3?distro=3.14.2"
}
]
}
]
}
```
</details>
!!! caution
It doesn't support vulnerabilities yet, but installed packages.
[cyclonedx]: https://cyclonedx.org/

204
pkg/report/cyclonedx/cyclonedx.go
View File

@@ -2,16 +2,23 @@ package cyclonedx
import (
"io"
"sort"
"strconv"
"strings"
"time"
cdx "github.com/CycloneDX/cyclonedx-go"
"github.com/google/uuid"
"golang.org/x/exp/maps"
"golang.org/x/xerrors"
"k8s.io/utils/clock"
ftypes "github.com/aquasecurity/fanal/types"
dtypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/purl"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -127,7 +134,7 @@ func (cw *Writer) convertToBom(r types.Report, version string) (*cdx.BOM, error)
Component: metadataComponent,
}
bom.Components, bom.Dependencies, err = cw.parseComponents(r, bom.Metadata.Component.BOMRef)
bom.Components, bom.Dependencies, bom.Vulnerabilities, err = cw.parseComponents(r, bom.Metadata.Component.BOMRef)
if err != nil {
return nil, xerrors.Errorf("failed to parse components: %w", err)
}
@@ -135,17 +142,22 @@ func (cw *Writer) convertToBom(r types.Report, version string) (*cdx.BOM, error)
return bom, nil
}
func (cw *Writer) parseComponents(r types.Report, bomRef string) (*[]cdx.Component, *[]cdx.Dependency, error) {
func (cw *Writer) parseComponents(r types.Report, bomRef string) (*[]cdx.Component, *[]cdx.Dependency, *[]cdx.Vulnerability, error) {
var components []cdx.Component
var dependencies []cdx.Dependency
var metadataDependencies []cdx.Dependency
libraryUniqMap := map[string]struct{}{}
vulnMap := map[string]cdx.Vulnerability{}
for _, result := range r.Results {
var componentDependencies []cdx.Dependency
bomRefMap := map[string]string{}
for _, pkg := range result.Packages {
pkgComponent, err := cw.pkgToComponent(result.Type, r.Metadata, pkg)
if err != nil {
return nil, nil, xerrors.Errorf("failed to parse pkg: %w", err)
return nil, nil, nil, xerrors.Errorf("failed to parse pkg: %w", err)
}
if _, ok := bomRefMap[pkg.Name+utils.FormatVersion(pkg)+pkg.FilePath]; !ok {
bomRefMap[pkg.Name+utils.FormatVersion(pkg)+pkg.FilePath] = pkgComponent.BOMRef
}
// When multiple lock files have the same dependency with the same name and version,
@@ -171,6 +183,20 @@ func (cw *Writer) parseComponents(r types.Report, bomRef string) (*[]cdx.Compone
componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef})
}
for _, vuln := range result.Vulnerabilities {
// Take a bom-ref
ref := bomRefMap[vuln.PkgName+vuln.InstalledVersion+vuln.PkgPath]
if v, ok := vulnMap[vuln.VulnerabilityID]; ok {
// If a vulnerability depends on multiple packages,
// it will be commonised into a single vulnerability.
// Vulnerability component (CVE-2020-26247)
// -> Library component (nokogiri /srv/app1/vendor/bundle/ruby/3.0.0/specifications/nokogiri-1.10.0.gemspec)
// -> Library component (nokogiri /srv/app2/vendor/bundle/ruby/3.0.0/specifications/nokogiri-1.10.0.gemspec)
*v.Affects = append(*v.Affects, affects(ref, vuln.InstalledVersion))
} else {
vulnMap[vuln.VulnerabilityID] = cw.vulnerability(vuln, ref)
}
}
if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg || result.Type == ftypes.GoBinary ||
result.Type == ftypes.GemSpec || result.Type == ftypes.Jar {
@@ -215,11 +241,36 @@ func (cw *Writer) parseComponents(r types.Report, bomRef string) (*[]cdx.Compone
metadataDependencies = append(metadataDependencies, cdx.Dependency{Ref: resultComponent.BOMRef})
}
}
vulns := maps.Values(vulnMap)
sort.Slice(vulns, func(i, j int) bool {
return vulns[i].ID > vulns[j].ID
})
dependencies = append(dependencies,
cdx.Dependency{Ref: bomRef, Dependencies: &metadataDependencies},
)
return &components, &dependencies, nil
return &components, &dependencies, &vulns, nil
}
func (cw *Writer) vulnerability(vuln types.DetectedVulnerability, bomRef string) cdx.Vulnerability {
v := cdx.Vulnerability{
ID: vuln.VulnerabilityID,
Source: source(vuln.DataSource),
Ratings: ratings(vuln),
CWEs: cwes(vuln.CweIDs),
Description: vuln.Description,
Advisories: advisories(vuln.References),
}
if vuln.PublishedDate != nil {
v.Published = vuln.PublishedDate.String()
}
if vuln.LastModifiedDate != nil {
v.Updated = vuln.LastModifiedDate.String()
}
v.Affects = &[]cdx.Affects{affects(bomRef, vuln.InstalledVersion)}
return v
}
func (cw *Writer) pkgToComponent(t string, meta types.Metadata, pkg ftypes.Package) (cdx.Component, error) {
@@ -363,3 +414,148 @@ func property(key, value string) cdx.Property {
Value: value,
}
}
func advisories(refs []string) *[]cdx.Advisory {
var advs []cdx.Advisory
for _, ref := range refs {
advs = append(advs, cdx.Advisory{
URL: ref,
})
}
return &advs
}
func cwes(cweIDs []string) *[]int {
var ret []int
for _, cweID := range cweIDs {
number, err := strconv.Atoi(strings.TrimPrefix(strings.ToLower(cweID), "cwe-"))
if err != nil {
log.Logger.Debugf("cwe id parse error: %s", err)
continue
}
ret = append(ret, number)
}
return &ret
}
func ratings(vulnerability types.DetectedVulnerability) *[]cdx.VulnerabilityRating {
var rates []cdx.VulnerabilityRating
for sourceID, severity := range vulnerability.VendorSeverity {
// When the vendor also provides CVSS score/vector
if cvss, ok := vulnerability.CVSS[sourceID]; ok {
if cvss.V2Score != 0 || cvss.V2Vector != "" {
rates = append(rates, ratingV2(sourceID, severity, cvss))
}
if cvss.V3Score != 0 || cvss.V3Vector != "" {
rates = append(rates, ratingV3(sourceID, severity, cvss))
}
} else { // When the vendor provides only severity
rate := cdx.VulnerabilityRating{
Source: &cdx.Source{
Name: string(sourceID),
},
Severity: toCDXSeverity(severity),
}
rates = append(rates, rate)
}
}
// For consistency
sort.Slice(rates, func(i, j int) bool {
if rates[i].Source.Name != rates[j].Source.Name {
return rates[i].Source.Name < rates[j].Source.Name
}
if rates[i].Method != rates[j].Method {
return rates[i].Method < rates[j].Method
}
return rates[i].Score < rates[j].Score
})
return &rates
}
func ratingV2(sourceID dtypes.SourceID, severity dtypes.Severity, cvss dtypes.CVSS) cdx.VulnerabilityRating {
cdxSeverity := toCDXSeverity(severity)
// Trivy keeps only CVSSv3 severity for NVD.
// The CVSSv2 severity must be calculated according to CVSSv2 score.
if sourceID == vulnerability.NVD {
cdxSeverity = nvdSeverityV2(cvss.V2Score)
}
return cdx.VulnerabilityRating{
Source: &cdx.Source{
Name: string(sourceID),
},
Score: cvss.V2Score,
Method: cdx.ScoringMethodCVSSv2,
Severity: cdxSeverity,
Vector: cvss.V2Vector,
}
}
func nvdSeverityV2(score float64) cdx.Severity {
// cf. https://nvd.nist.gov/vuln-metrics/cvss
switch {
case score < 4.0:
return cdx.SeverityInfo
case 4.0 <= score && score < 7.0:
return cdx.SeverityMedium
case 7.0 <= score:
return cdx.SeverityHigh
}
return cdx.SeverityUnknown
}
func ratingV3(sourceID dtypes.SourceID, severity dtypes.Severity, cvss dtypes.CVSS) cdx.VulnerabilityRating {
rate := cdx.VulnerabilityRating{
Source: &cdx.Source{
Name: string(sourceID),
},
Score: cvss.V3Score,
Method: cdx.ScoringMethodCVSSv3,
Severity: toCDXSeverity(severity),
Vector: cvss.V3Vector,
}
if strings.HasPrefix(cvss.V3Vector, "CVSS:3.1") {
rate.Method = cdx.ScoringMethodCVSSv31
}
return rate
}
func toCDXSeverity(s dtypes.Severity) cdx.Severity {
switch s {
case dtypes.SeverityLow:
return cdx.SeverityLow
case dtypes.SeverityMedium:
return cdx.SeverityMedium
case dtypes.SeverityHigh:
return cdx.SeverityHigh
case dtypes.SeverityCritical:
return cdx.SeverityCritical
default:
return cdx.SeverityUnknown
}
}
func source(source *dtypes.DataSource) *cdx.Source {
if source == nil {
return nil
}
return &cdx.Source{
Name: string(source.ID),
URL: source.URL,
}
}
func affects(ref, version string) cdx.Affects {
return cdx.Affects{
Ref: ref,
Range: &[]cdx.AffectedVersions{
{
Version: version,
Status: cdx.VulnerabilityStatusAffected,
// "AffectedVersions.Range" is not included, because it does not exist in DetectedVulnerability.
},
},
}
}

397
pkg/report/cyclonedx/cyclonedx_test.go
View File

@@ -16,6 +16,8 @@ import (
fos "github.com/aquasecurity/fanal/analyzer/os"
ftypes "github.com/aquasecurity/fanal/types"
dtypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/report/cyclonedx"
"github.com/aquasecurity/trivy/pkg/types"
@@ -55,27 +57,72 @@ func TestWriter_Write(t *testing.T) {
Type: fos.CentOS,
Packages: []ftypes.Package{
{
Name: "acl",
Version: "2.2.53",
Release: "1.el8",
Name: "binutils",
Version: "2.30",
Release: "93.el8",
Epoch: 0,
Arch: "aarch64",
SrcName: "acl",
SrcVersion: "2.2.53",
SrcRelease: "1.el8",
SrcName: "binutils",
SrcVersion: "2.30",
SrcRelease: "93.el8",
SrcEpoch: 0,
Modularitylabel: "",
License: "GPLv2+",
License: "GPLv3+",
},
},
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2018-20623",
PkgName: "binutils",
InstalledVersion: "2.30-93.el8",
Layer: ftypes.Layer{
DiffID: "sha256:d871dadfb37b53ef1ca45be04fc527562b91989991a8f545345ae3be0b93f92a",
},
SeveritySource: vulnerability.RedHatOVAL,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2018-20623",
DataSource: &dtypes.DataSource{
ID: vulnerability.RedHatOVAL,
Name: "Red Hat OVAL v2",
URL: "https://www.redhat.com/security/data/oval/v2/",
},
Vulnerability: dtypes.Vulnerability{
Title: "binutils: Use-after-free in the error function",
Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
Severity: dtypes.SeverityMedium.String(),
VendorSeverity: dtypes.VendorSeverity{
vulnerability.NVD: dtypes.SeverityMedium,
vulnerability.RedHatOVAL: dtypes.SeverityMedium,
},
CweIDs: []string{"CWE-416"},
CVSS: dtypes.VendorCVSS{
vulnerability.NVD: dtypes.CVSS{
V2Vector: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
V3Vector: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
V2Score: 4.3,
V3Score: 5.5,
},
vulnerability.RedHatOVAL: dtypes.CVSS{
V3Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
V3Score: 5.3,
},
},
References: []string{
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
PublishedDate: timePtr(time.Date(2018, 12, 31, 19, 29, 0, 0, time.UTC)),
LastModifiedDate: timePtr(time.Date(2019, 10, 31, 1, 15, 0, 0, time.UTC)),
},
},
},
},
{
Target: "app/subproject/Gemfile.lock",
Class: types.ClassLangPkg,
Type: "bundler",
Type: ftypes.Bundler,
Packages: []ftypes.Package{
{
Name: "actioncable",
Name: "actionpack",
Version: "7.0.0",
},
{
@@ -90,7 +137,7 @@ func TestWriter_Write(t *testing.T) {
Type: ftypes.Bundler,
Packages: []ftypes.Package{
{
Name: "actioncable",
Name: "actionpack",
Version: "7.0.0",
},
},
@@ -146,26 +193,26 @@ func TestWriter_Write(t *testing.T) {
},
Components: &[]cdx.Component{
{
BOMRef: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
BOMRef: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
Type: cdx.ComponentTypeLibrary,
Name: "acl",
Version: "2.2.53-1.el8",
Name: "binutils",
Version: "2.30-93.el8",
Licenses: &cdx.Licenses{
cdx.LicenseChoice{Expression: "GPLv2+"},
cdx.LicenseChoice{Expression: "GPLv3+"},
},
PackageURL: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
PackageURL: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
Properties: &[]cdx.Property{
{
Name: "aquasecurity:trivy:SrcName",
Value: "acl",
Value: "binutils",
},
{
Name: "aquasecurity:trivy:SrcVersion",
Value: "2.2.53",
Value: "2.30",
},
{
Name: "aquasecurity:trivy:SrcRelease",
Value: "1.el8",
Value: "93.el8",
},
},
},
@@ -186,11 +233,11 @@ func TestWriter_Write(t *testing.T) {
},
},
{
BOMRef: "pkg:gem/actioncable@7.0.0",
BOMRef: "pkg:gem/actionpack@7.0.0",
Type: cdx.ComponentTypeLibrary,
Name: "actioncable",
Name: "actionpack",
Version: "7.0.0",
PackageURL: "pkg:gem/actioncable@7.0.0",
PackageURL: "pkg:gem/actionpack@7.0.0",
},
{
BOMRef: "pkg:gem/actioncontroller@7.0.0",
@@ -237,7 +284,7 @@ func TestWriter_Write(t *testing.T) {
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
},
},
},
@@ -245,7 +292,7 @@ func TestWriter_Write(t *testing.T) {
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:gem/actioncable@7.0.0",
Ref: "pkg:gem/actionpack@7.0.0",
},
{
Ref: "pkg:gem/actioncontroller@7.0.0",
@@ -256,7 +303,7 @@ func TestWriter_Write(t *testing.T) {
Ref: "3ff14136-e09f-4df9-80ea-000000000004",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:gem/actioncable@7.0.0",
Ref: "pkg:gem/actionpack@7.0.0",
},
},
},
@@ -275,6 +322,72 @@ func TestWriter_Write(t *testing.T) {
},
},
},
Vulnerabilities: &[]cdx.Vulnerability{
{
ID: "CVE-2018-20623",
Source: &cdx.Source{
Name: string(vulnerability.RedHatOVAL),
URL: "https://www.redhat.com/security/data/oval/v2/",
},
Ratings: &[]cdx.VulnerabilityRating{
{
Source: &cdx.Source{
Name: string(vulnerability.NVD),
URL: "",
},
Score: 4.3,
Severity: cdx.SeverityMedium,
Method: cdx.ScoringMethodCVSSv2,
Vector: "AV:N/AC:M/Au:N/C:N/I:N/A:P",
},
{
Source: &cdx.Source{
Name: string(vulnerability.NVD),
URL: "",
},
Score: 5.5,
Severity: cdx.SeverityMedium,
Method: cdx.ScoringMethodCVSSv3,
Vector: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
},
{
Source: &cdx.Source{
Name: string(vulnerability.RedHatOVAL),
URL: "",
},
Score: 5.3,
Severity: cdx.SeverityMedium,
Method: cdx.ScoringMethodCVSSv3,
Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
},
},
CWEs: &[]int{
416,
},
Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
Advisories: &[]cdx.Advisory{
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
},
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
},
Published: "2018-12-31 19:29:00 +0000 UTC",
Updated: "2019-10-31 01:15:00 +0000 UTC",
Affects: &[]cdx.Affects{
{
Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
Range: &[]cdx.AffectedVersions{
{
Version: "2.30-93.el8",
Status: cdx.VulnerabilityStatusAffected,
},
},
},
},
},
},
},
},
{
@@ -286,7 +399,7 @@ func TestWriter_Write(t *testing.T) {
Metadata: types.Metadata{
Size: 1024,
OS: &ftypes.OS{
Family: "centos",
Family: fos.CentOS,
Name: "8.3.2011",
Eosl: true,
},
@@ -318,6 +431,115 @@ func TestWriter_Write(t *testing.T) {
},
},
},
{
Target: "Ruby",
Class: types.ClassLangPkg,
Type: ftypes.GemSpec,
Packages: []ftypes.Package{
{
Name: "actionpack",
Version: "7.0.0",
Layer: ftypes.Layer{
DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
},
FilePath: "tools/project-john/specifications/actionpack.gemspec",
},
{
Name: "actionpack",
Version: "7.0.1",
Layer: ftypes.Layer{
DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
},
FilePath: "tools/project-doe/specifications/actionpack.gemspec",
},
},
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2022-23633",
PkgName: "actionpack",
PkgPath: "tools/project-john/specifications/actionpack.gemspec",
InstalledVersion: "7.0.0",
FixedVersion: "~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2",
SeveritySource: vulnerability.RubySec,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-23633",
DataSource: &dtypes.DataSource{
ID: vulnerability.RubySec,
Name: "Ruby Advisory Database",
URL: "https://github.com/rubysec/ruby-advisory-db",
},
Vulnerability: dtypes.Vulnerability{
Title: "rubygem-actionpack: information leak between requests",
Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
Severity: dtypes.SeverityMedium.String(),
VendorSeverity: dtypes.VendorSeverity{
vulnerability.NVD: dtypes.SeverityMedium,
vulnerability.RedHat: dtypes.SeverityLow,
vulnerability.RubySec: dtypes.SeverityHigh,
},
CVSS: dtypes.VendorCVSS{
vulnerability.NVD: dtypes.CVSS{
V2Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C",
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
V2Score: 9.7,
V3Score: 5.9,
},
vulnerability.RedHat: dtypes.CVSS{
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
V3Score: 5.9,
},
},
References: []string{
"http://www.openwall.com/lists/oss-security/2022/02/11/5",
"https://access.redhat.com/security/cve/CVE-2022-23633",
},
PublishedDate: timePtr(time.Date(2022, 2, 11, 21, 15, 0, 0, time.UTC)),
LastModifiedDate: timePtr(time.Date(2022, 2, 22, 21, 47, 0, 0, time.UTC)),
},
},
{
VulnerabilityID: "CVE-2022-23633",
PkgName: "actionpack",
PkgPath: "tools/project-doe/specifications/actionpack.gemspec",
InstalledVersion: "7.0.1",
FixedVersion: "~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2",
SeveritySource: vulnerability.RubySec,
PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-23633",
DataSource: &dtypes.DataSource{
ID: vulnerability.RubySec,
Name: "Ruby Advisory Database",
URL: "https://github.com/rubysec/ruby-advisory-db",
},
Vulnerability: dtypes.Vulnerability{
Title: "rubygem-actionpack: information leak between requests",
Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
Severity: dtypes.SeverityMedium.String(),
VendorSeverity: dtypes.VendorSeverity{
vulnerability.NVD: dtypes.SeverityMedium,
vulnerability.RedHat: dtypes.SeverityLow,
vulnerability.RubySec: dtypes.SeverityHigh,
},
CVSS: dtypes.VendorCVSS{
vulnerability.NVD: dtypes.CVSS{
V2Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C",
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
V2Score: 9.7,
V3Score: 5.9,
},
vulnerability.RedHat: dtypes.CVSS{
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
V3Score: 5.9,
},
},
References: []string{
"http://www.openwall.com/lists/oss-security/2022/02/11/5",
"https://access.redhat.com/security/cve/CVE-2022-23633",
},
PublishedDate: timePtr(time.Date(2022, 2, 11, 21, 15, 0, 0, time.UTC)),
LastModifiedDate: timePtr(time.Date(2022, 2, 22, 21, 47, 0, 0, time.UTC)),
},
},
},
},
},
},
wantSBOM: &cdx.BOM{
@@ -391,7 +613,7 @@ func TestWriter_Write(t *testing.T) {
{
BOMRef: "3ff14136-e09f-4df9-80ea-000000000003",
Type: cdx.ComponentTypeOS,
Name: "centos",
Name: fos.CentOS,
Version: "8.3.2011",
Properties: &[]cdx.Property{
{
@@ -404,6 +626,40 @@ func TestWriter_Write(t *testing.T) {
},
},
},
{
BOMRef: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
Type: cdx.ComponentTypeLibrary,
Name: "actionpack",
Version: "7.0.0",
PackageURL: "pkg:gem/actionpack@7.0.0",
Properties: &[]cdx.Property{
{
Name: "aquasecurity:trivy:FilePath",
Value: "tools/project-john/specifications/actionpack.gemspec",
},
{
Name: "aquasecurity:trivy:LayerDiffID",
Value: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
},
},
},
{
BOMRef: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
Type: cdx.ComponentTypeLibrary,
Name: "actionpack",
Version: "7.0.1",
PackageURL: "pkg:gem/actionpack@7.0.1",
Properties: &[]cdx.Property{
{
Name: "aquasecurity:trivy:FilePath",
Value: "tools/project-doe/specifications/actionpack.gemspec",
},
{
Name: "aquasecurity:trivy:LayerDiffID",
Value: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
},
},
},
},
Dependencies: &[]cdx.Dependency{
{
@@ -420,6 +676,87 @@ func TestWriter_Write(t *testing.T) {
{
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
},
{
Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
},
{
Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
},
},
},
},
Vulnerabilities: &[]cdx.Vulnerability{
{
ID: "CVE-2022-23633",
Source: &cdx.Source{
Name: string(vulnerability.RubySec),
URL: "https://github.com/rubysec/ruby-advisory-db",
},
Ratings: &[]cdx.VulnerabilityRating{
{
Source: &cdx.Source{
Name: string(vulnerability.NVD),
},
Score: 9.7,
Severity: cdx.SeverityHigh,
Method: cdx.ScoringMethodCVSSv2,
Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C",
},
{
Source: &cdx.Source{
Name: string(vulnerability.NVD),
},
Score: 5.9,
Severity: cdx.SeverityMedium,
Method: cdx.ScoringMethodCVSSv31,
Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
},
{
Source: &cdx.Source{
Name: string(vulnerability.RedHat),
},
Score: 5.9,
Severity: cdx.SeverityLow,
Method: cdx.ScoringMethodCVSSv31,
Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
},
{
Source: &cdx.Source{
Name: string(vulnerability.RubySec),
},
Severity: cdx.SeverityHigh,
},
},
Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
Advisories: &[]cdx.Advisory{
{
URL: "http://www.openwall.com/lists/oss-security/2022/02/11/5",
},
{
URL: "https://access.redhat.com/security/cve/CVE-2022-23633",
},
},
Published: "2022-02-11 21:15:00 +0000 UTC",
Updated: "2022-02-22 21:47:00 +0000 UTC",
Affects: &[]cdx.Affects{
{
Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
Range: &[]cdx.AffectedVersions{
{
Version: "7.0.0",
Status: cdx.VulnerabilityStatusAffected,
},
},
},
{
Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
Range: &[]cdx.AffectedVersions{
{
Version: "7.0.1",
Status: cdx.VulnerabilityStatusAffected,
},
},
},
},
},
},
@@ -495,6 +832,7 @@ func TestWriter_Write(t *testing.T) {
},
},
},
Vulnerabilities: &[]cdx.Vulnerability{},
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
@@ -588,6 +926,7 @@ func TestWriter_Write(t *testing.T) {
},
},
},
Vulnerabilities: &[]cdx.Vulnerability{},
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
@@ -635,6 +974,7 @@ func TestWriter_Write(t *testing.T) {
},
},
},
Vulnerabilities: &[]cdx.Vulnerability{},
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
@@ -650,9 +990,7 @@ func TestWriter_Write(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
var count int
newUUID := func() uuid.UUID {
count++
return uuid.Must(uuid.Parse(fmt.Sprintf("3ff14136-e09f-4df9-80ea-%012d", count)))
}
@@ -670,3 +1008,6 @@ func TestWriter_Write(t *testing.T) {
})
}
}
func timePtr(t time.Time) *time.Time {
return &t
}

8
pkg/report/json.go
View File

@@ -17,6 +17,14 @@ type JSONWriter struct {
// Write writes the results in JSON format
func (jw JSONWriter) Write(report types.Report) error {
// VendorSeverity includes all vendor severities.
// It would be noisy to users, so it should be removed from the JSON output.
for i := 0; i < len(report.Results); i++ {
for j := 0; j < len(report.Results[i].Vulnerabilities); j++ {
report.Results[i].Vulnerabilities[j].VendorSeverity = nil
}
}
output, err := json.MarshalIndent(report, "", " ")
if err != nil {
return xerrors.Errorf("failed to marshal json: %w", err)

4
pkg/report/json_test.go
View File

@@ -8,6 +8,7 @@ import (
"github.com/stretchr/testify/assert"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -31,6 +32,9 @@ func TestReportWriter_JSON(t *testing.T) {
Title: "foobar",
Description: "baz",
Severity: "HIGH",
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
vulnerability.NVD: dbTypes.SeverityHigh,
},
},
},
},

4
pkg/report/sarif_test.go
View File

@@ -43,6 +43,10 @@ func TestReportWriter_Sarif(t *testing.T) {
Title: "foobar",
Description: "baz",
Severity: "HIGH",
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
vulnerability.NVD: dbTypes.SeverityCritical,
vulnerability.RedHat: dbTypes.SeverityHigh,
},
CVSS: map[dbTypes.SourceID]dbTypes.CVSS{
vulnerability.NVD: {
V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",

3
pkg/report/template_test.go
View File

@@ -28,6 +28,9 @@ func TestReportWriter_Template(t *testing.T) {
PkgName: "foo",
Vulnerability: dbTypes.Vulnerability{
Severity: dbTypes.SeverityHigh.String(),
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
"nvd": 1,
},
},
},
{

1
pkg/result/result.go
View File

@@ -87,7 +87,6 @@ func (c Client) FillVulnerabilityInfo(vulns []types.DetectedVulnerability, repor
vulns[i].Severity = severity
vulns[i].SeveritySource = severitySource
vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, source)
vulns[i].Vulnerability.VendorSeverity = nil // Remove VendorSeverity from Results
}
}

9
pkg/result/result_test.go
View File

@@ -75,6 +75,9 @@ func TestClient_FillVulnerabilityInfo(t *testing.T) {
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.NVD: dbTypes.SeverityLow,
},
References: []string{"http://example.com"},
LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"),
@@ -146,6 +149,9 @@ func TestClient_FillVulnerabilityInfo(t *testing.T) {
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.RedHat: dbTypes.SeverityLow,
},
CweIDs: []string{"CWE-311"},
References: []string{"http://example.com"},
CVSS: map[dbTypes.SourceID]dbTypes.CVSS{
@@ -196,6 +202,9 @@ func TestClient_FillVulnerabilityInfo(t *testing.T) {
Title: "COVID-19",
Description: "a nasty virus vulnerability for humans",
Severity: dbTypes.SeverityCritical.String(),
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.GHSA: dbTypes.SeverityCritical,
},
References: []string{"https://www.who.int/emergencies/diseases/novel-coronavirus-2019"},
},
SeveritySource: vulnerability.GHSA,

9
pkg/rpc/client/client_test.go
View File

@@ -16,6 +16,7 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/rpc/common"
rpc "github.com/aquasecurity/trivy/rpc/scanner"
@@ -71,6 +72,10 @@ func TestScanner_Scan(t *testing.T) {
Severity: common.Severity_CRITICAL,
References: []string{"http://exammple.com"},
SeveritySource: "nvd",
VendorSeverity: map[string]common.Severity{
string(vulnerability.NVD): common.Severity_MEDIUM,
string(vulnerability.RedHat): common.Severity_MEDIUM,
},
Cvss: map[string]*common.CVSS{
"nvd": {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -114,6 +119,10 @@ func TestScanner_Scan(t *testing.T) {
Description: "Denial os Service",
Severity: "CRITICAL",
References: []string{"http://exammple.com"},
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.NVD: dbTypes.SeverityMedium,
vulnerability.RedHat: dbTypes.SeverityMedium,
},
CVSS: dbTypes.VendorCVSS{
"nvd": {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",

10
pkg/rpc/convert.go
View File

@@ -102,6 +102,10 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
V3Score: vendorSeverity.V3Score,
}
}
vensorSeverityMap := make(map[string]common.Severity)
for vendor, vendorSeverity := range vuln.VendorSeverity {
vensorSeverityMap[string(vendor)] = common.Severity(vendorSeverity)
}
var lastModifiedDate, publishedDate *timestamp.Timestamp
if vuln.LastModifiedDate != nil {
@@ -129,6 +133,7 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
Title: vuln.Title,
Description: vuln.Description,
Severity: common.Severity(severity),
VendorSeverity: vensorSeverityMap,
References: vuln.References,
Layer: ConvertToRPCLayer(vuln.Layer),
Cvss: cvssMap,
@@ -240,6 +245,10 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
V3Score: vendorSeverity.V3Score,
}
}
vensorSeverityMap := make(dbTypes.VendorSeverity)
for vendor, vendorSeverity := range vuln.VendorSeverity {
vensorSeverityMap[dbTypes.SourceID(vendor)] = dbTypes.Severity(vendorSeverity)
}
var lastModifiedDate, publishedDate *time.Time
if vuln.LastModifiedDate != nil {
@@ -267,6 +276,7 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
LastModifiedDate: lastModifiedDate,
PublishedDate: publishedDate,
Custom: vuln.CustomVulnData.AsInterface(),
VendorSeverity: vensorSeverityMap,
},
Layer: ConvertFromRPCLayer(vuln.Layer),
SeveritySource: dbTypes.SourceID(vuln.SeveritySource),

24
pkg/rpc/convert_test.go
View File

@@ -221,8 +221,11 @@ func TestConvertToRpcVulns(t *testing.T) {
Title: "DoS",
Description: "Denial of Service",
Severity: "MEDIUM",
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.RedHat: dbTypes.SeverityMedium,
},
CVSS: dbTypes.VendorCVSS{
"redhat": {
vulnerability.RedHat: {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
V2Score: 7.2,
@@ -254,6 +257,9 @@ func TestConvertToRpcVulns(t *testing.T) {
Title: "DoS",
Description: "Denial of Service",
Severity: common.Severity_MEDIUM,
VendorSeverity: map[string]common.Severity{
string(vulnerability.RedHat): common.Severity_MEDIUM,
},
Cvss: map[string]*common.CVSS{
"redhat": {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -312,6 +318,7 @@ func TestConvertToRpcVulns(t *testing.T) {
Title: "DoS",
Description: "Denial of Service",
Severity: common.Severity_UNKNOWN,
VendorSeverity: make(map[string]common.Severity),
Cvss: make(map[string]*common.CVSS),
References: []string{"http://example.com"},
Layer: &common.Layer{
@@ -363,8 +370,11 @@ func TestConvertFromRPCResults(t *testing.T) {
Severity: common.Severity_MEDIUM,
SeveritySource: string(vulnerability.NVD),
CweIds: []string{"CWE-123", "CWE-456"},
VendorSeverity: map[string]common.Severity{
string(vulnerability.RedHat): common.Severity_MEDIUM,
},
Cvss: map[string]*common.CVSS{
"redhat": {
string(vulnerability.RedHat): {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
V2Score: 7.2,
@@ -407,10 +417,12 @@ func TestConvertFromRPCResults(t *testing.T) {
Title: "DoS",
Description: "Denial of Service",
Severity: common.Severity_MEDIUM.String(),
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.RedHat: dbTypes.SeverityMedium,
},
CweIDs: []string{"CWE-123", "CWE-456"},
VendorSeverity: nil,
CVSS: dbTypes.VendorCVSS{
"redhat": {
vulnerability.RedHat: {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
V2Score: 7.2,
@@ -488,9 +500,9 @@ func TestConvertFromRPCResults(t *testing.T) {
Description: "Denial of Service",
Severity: common.Severity_MEDIUM.String(),
CweIDs: []string{"CWE-123", "CWE-456"},
VendorSeverity: nil,
VendorSeverity: make(dbTypes.VendorSeverity),
CVSS: dbTypes.VendorCVSS{
"redhat": {
vulnerability.RedHat: {
V2Vector: "AV:L/AC:L/Au:N/C:C/I:C/A:C",
V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
V2Score: 7.2,

4
pkg/rpc/server/server_test.go
View File

@@ -18,6 +18,7 @@ import (
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/result"
"github.com/aquasecurity/trivy/pkg/scanner"
@@ -110,6 +111,9 @@ func TestScanServer_Scan(t *testing.T) {
SeveritySource: "nvd",
Layer: &common.Layer{},
Cvss: map[string]*common.CVSS{},
VendorSeverity: map[string]common.Severity{
string(vulnerability.NVD): common.Severity_MEDIUM,
},
PrimaryUrl: "https://avd.aquasec.com/nvd/cve-2019-0001",
Title: "dos",
Description: "dos vulnerability",

134
rpc/common/service.pb.go
View File

@@ -785,6 +785,7 @@ type Vulnerability struct {
CustomVulnData *structpb.Value `protobuf:"bytes,18,opt,name=custom_vuln_data,json=customVulnData,proto3" json:"custom_vuln_data,omitempty"`
VendorIds []string `protobuf:"bytes,19,rep,name=vendor_ids,json=vendorIds,proto3" json:"vendor_ids,omitempty"`
DataSource *DataSource `protobuf:"bytes,20,opt,name=data_source,json=dataSource,proto3" json:"data_source,omitempty"`
VendorSeverity map[string]Severity `protobuf:"bytes,21,rep,name=vendor_severity,json=vendorSeverity,proto3" json:"vendor_severity,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3,enum=trivy.common.Severity"`
}
func (x *Vulnerability) Reset() {
@@ -952,6 +953,13 @@ func (x *Vulnerability) GetDataSource() *DataSource {
return nil
}
func (x *Vulnerability) GetVendorSeverity() map[string]Severity {
if x != nil {
return x.VendorSeverity
}
return nil
}
type DataSource struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@@ -1318,7 +1326,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65,
0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e,
0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61,
0x79, 0x65, 0x72, 0x22, 0xbc, 0x07, 0x0a, 0x0d, 0x56, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62,
0x79, 0x65, 0x72, 0x22, 0xf1, 0x08, 0x0a, 0x0d, 0x56, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62,
0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x29, 0x0a, 0x10, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61,
0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x0f, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x49, 0x64,
@@ -1373,45 +1381,56 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x74, 0x61, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x14, 0x20, 0x01, 0x28, 0x0b, 0x32,
0x18, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x44,
0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x0a, 0x64, 0x61, 0x74, 0x61, 0x53,
0x6f, 0x75, 0x72, 0x63, 0x65, 0x1a, 0x4b, 0x0a, 0x09, 0x43, 0x76, 0x73, 0x73, 0x45, 0x6e, 0x74,
0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x03, 0x6b, 0x65, 0x79, 0x12, 0x28, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d,
0x6f, 0x6e, 0x2e, 0x43, 0x56, 0x53, 0x53, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02,
0x38, 0x01, 0x22, 0x42, 0x0a, 0x0a, 0x44, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65,
0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64,
0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28,
0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x38, 0x0a, 0x05, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x12,
0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x66, 0x66, 0x5f,
0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x66, 0x66, 0x49, 0x64,
0x22, 0x76, 0x0a, 0x04, 0x43, 0x56, 0x53, 0x53, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x32, 0x5f, 0x76,
0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x32, 0x56,
0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x33, 0x5f, 0x76, 0x65, 0x63, 0x74,
0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x33, 0x56, 0x65, 0x63, 0x74,
0x6f, 0x72, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x32, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x03,
0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x32, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x12, 0x19, 0x0a,
0x08, 0x76, 0x33, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x01, 0x52,
0x07, 0x76, 0x33, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x43, 0x75, 0x73,
0x74, 0x6f, 0x6d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x74,
0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12,
0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01,
0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x29, 0x0a, 0x05,
0x6c, 0x61, 0x79, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72,
0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72,
0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18,
0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x04, 0x64,
0x61, 0x74, 0x61, 0x2a, 0x44, 0x0a, 0x08, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12,
0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03,
0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x45, 0x44, 0x49, 0x55, 0x4d, 0x10,
0x02, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x49, 0x47, 0x48, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x43,
0x52, 0x49, 0x54, 0x49, 0x43, 0x41, 0x4c, 0x10, 0x04, 0x42, 0x31, 0x5a, 0x2f, 0x67, 0x69, 0x74,
0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x71, 0x75, 0x61, 0x73, 0x65, 0x63, 0x75,
0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63,
0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72,
0x6f, 0x74, 0x6f, 0x33,
0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x58, 0x0a, 0x0f, 0x76, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x5f,
0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x15, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f,
0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x56, 0x75,
0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x2e, 0x56, 0x65, 0x6e, 0x64,
0x6f, 0x72, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52,
0x0e, 0x76, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x1a,
0x4b, 0x0a, 0x09, 0x43, 0x76, 0x73, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03,
0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x28,
0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e,
0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x56, 0x53,
0x53, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x59, 0x0a, 0x13,
0x56, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x45, 0x6e,
0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x52, 0x05, 0x76, 0x61,
0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x42, 0x0a, 0x0a, 0x44, 0x61, 0x74, 0x61, 0x53,
0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20,
0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c,
0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x38, 0x0a, 0x05, 0x4c,
0x61, 0x79, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x01,
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07,
0x64, 0x69, 0x66, 0x66, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64,
0x69, 0x66, 0x66, 0x49, 0x64, 0x22, 0x76, 0x0a, 0x04, 0x43, 0x56, 0x53, 0x53, 0x12, 0x1b, 0x0a,
0x09, 0x76, 0x32, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
0x52, 0x08, 0x76, 0x32, 0x56, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x33,
0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76,
0x33, 0x56, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x32, 0x5f, 0x73, 0x63,
0x6f, 0x72, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x32, 0x53, 0x63, 0x6f,
0x72, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x33, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04,
0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x33, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x22, 0x98, 0x01,
0x0a, 0x0e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
0x74, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74,
0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74,
0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e,
0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x04,
0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f,
0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c,
0x75, 0x65, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x2a, 0x44, 0x0a, 0x08, 0x53, 0x65, 0x76, 0x65,
0x72, 0x69, 0x74, 0x79, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10,
0x00, 0x12, 0x07, 0x0a, 0x03, 0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x45,
0x44, 0x49, 0x55, 0x4d, 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x49, 0x47, 0x48, 0x10, 0x03,
0x12, 0x0c, 0x0a, 0x08, 0x43, 0x52, 0x49, 0x54, 0x49, 0x43, 0x41, 0x4c, 0x10, 0x04, 0x42, 0x31,
0x5a, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x71, 0x75,
0x61, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2f,
0x72, 0x70, 0x63, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f,
0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -1427,7 +1446,7 @@ func file_rpc_common_service_proto_rawDescGZIP() []byte {
}
var file_rpc_common_service_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
var file_rpc_common_service_proto_msgTypes = make([]protoimpl.MessageInfo, 14)
var file_rpc_common_service_proto_msgTypes = make([]protoimpl.MessageInfo, 15)
var file_rpc_common_service_proto_goTypes = []interface{}{
(Severity)(0), // 0: trivy.common.Severity
(*OS)(nil), // 1: trivy.common.OS
@@ -1444,8 +1463,9 @@ var file_rpc_common_service_proto_goTypes = []interface{}{
(*CVSS)(nil), // 12: trivy.common.CVSS
(*CustomResource)(nil), // 13: trivy.common.CustomResource
nil, // 14: trivy.common.Vulnerability.CvssEntry
(*timestamppb.Timestamp)(nil), // 15: google.protobuf.Timestamp
(*structpb.Value)(nil), // 16: google.protobuf.Value
nil, // 15: trivy.common.Vulnerability.VendorSeverityEntry
(*timestamppb.Timestamp)(nil), // 16: google.protobuf.Timestamp
(*structpb.Value)(nil), // 17: google.protobuf.Value
}
var file_rpc_common_service_proto_depIdxs = []int32{
4, // 0: trivy.common.PackageInfo.packages:type_name -> trivy.common.Package
@@ -1460,19 +1480,21 @@ var file_rpc_common_service_proto_depIdxs = []int32{
0, // 9: trivy.common.Vulnerability.severity:type_name -> trivy.common.Severity
11, // 10: trivy.common.Vulnerability.layer:type_name -> trivy.common.Layer
14, // 11: trivy.common.Vulnerability.cvss:type_name -> trivy.common.Vulnerability.CvssEntry
15, // 12: trivy.common.Vulnerability.published_date:type_name -> google.protobuf.Timestamp
15, // 13: trivy.common.Vulnerability.last_modified_date:type_name -> google.protobuf.Timestamp
16, // 14: trivy.common.Vulnerability.custom_advisory_data:type_name -> google.protobuf.Value
16, // 15: trivy.common.Vulnerability.custom_vuln_data:type_name -> google.protobuf.Value
16, // 12: trivy.common.Vulnerability.published_date:type_name -> google.protobuf.Timestamp
16, // 13: trivy.common.Vulnerability.last_modified_date:type_name -> google.protobuf.Timestamp
17, // 14: trivy.common.Vulnerability.custom_advisory_data:type_name -> google.protobuf.Value
17, // 15: trivy.common.Vulnerability.custom_vuln_data:type_name -> google.protobuf.Value
10, // 16: trivy.common.Vulnerability.data_source:type_name -> trivy.common.DataSource
11, // 17: trivy.common.CustomResource.layer:type_name -> trivy.common.Layer
16, // 18: trivy.common.CustomResource.data:type_name -> google.protobuf.Value
12, // 19: trivy.common.Vulnerability.CvssEntry.value:type_name -> trivy.common.CVSS
20, // [20:20] is the sub-list for method output_type
20, // [20:20] is the sub-list for method input_type
20, // [20:20] is the sub-list for extension type_name
20, // [20:20] is the sub-list for extension extendee
0, // [0:20] is the sub-list for field type_name
15, // 17: trivy.common.Vulnerability.vendor_severity:type_name -> trivy.common.Vulnerability.VendorSeverityEntry
11, // 18: trivy.common.CustomResource.layer:type_name -> trivy.common.Layer
17, // 19: trivy.common.CustomResource.data:type_name -> google.protobuf.Value
12, // 20: trivy.common.Vulnerability.CvssEntry.value:type_name -> trivy.common.CVSS
0, // 21: trivy.common.Vulnerability.VendorSeverityEntry.value:type_name -> trivy.common.Severity
22, // [22:22] is the sub-list for method output_type
22, // [22:22] is the sub-list for method input_type
22, // [22:22] is the sub-list for extension type_name
22, // [22:22] is the sub-list for extension extendee
0, // [0:22] is the sub-list for field type_name
}
func init() { file_rpc_common_service_proto_init() }
@@ -1644,7 +1666,7 @@ func file_rpc_common_service_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_rpc_common_service_proto_rawDesc,
NumEnums: 1,
NumMessages: 14,
NumMessages: 15,
NumExtensions: 0,
NumServices: 0,
},

1
rpc/common/service.proto
View File

@@ -101,6 +101,7 @@ message Vulnerability {
google.protobuf.Value custom_vuln_data = 18;
repeated string vendor_ids = 19;
DataSource data_source = 20;
map<string,Severity> vendor_severity = 21;
}
message DataSource {