diff --git a/.circleci/config.yml b/.circleci/config.yml new file mode 100644 index 0000000000..b5e555aa25 --- /dev/null +++ b/.circleci/config.yml @@ -0,0 +1,42 @@ +defaults: &defaults + docker : + - image: knqyf263/ci-trivy:latest + environment: + CGO_ENABLED: "1" + +jobs: + release: + <<: *defaults + steps: + - checkout + - run: + name: Release + command: goreleaser --rm-dist + - run: + name: Clone trivy repository + command: git clone git@github.com:knqyf263/trivy-repo.git + - run: + name: Setup git settings + command: | + git config --global user.email "knqyf263@gmail.com" + git config --global user.name "Teppei Fukuda" + - run: + name: Create rpm repository + command: ci/deploy-rpm.sh + - run: + name: Import GPG key + command: echo -e "$GPG_KEY" | gpg --import + - run: + name: Create deb repository + command: ci/deploy-deb.sh + +workflows: + version: 2 + release: + jobs: + - release: + filters: + branches: + ignore: /.*/ + tags: + only: /.*/ diff --git a/.gitignore b/.gitignore index f1c181ec9c..97cca67c67 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,5 @@ # Output of the go coverage tool, specifically when used with LiteIDE *.out + +.idea diff --git a/README.md b/README.md index 3f71ec568f..500112ccb8 100644 --- a/README.md +++ b/README.md @@ -1 +1,136 @@ -# trivy \ No newline at end of file +# trivy + +[![GitHub release](https://img.shields.io/github/release/knqyf263/trivy.svg)](https://github.com/knqyf263/trivy/releases/latest) +[![Build Status](https://travis-ci.org/knqyf263/trivy.svg?branch=master)](https://travis-ci.org/knqyf263/trivy) +[![Go Report Card](https://goreportcard.com/badge/github.com/knqyf263/trivy)](https://goreportcard.com/report/github.com/knqyf263/trivy) +[![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/knqyf263/trivy/blob/master/LICENSE) + +# Abstract +Scan containers + +# Features + +# Installation + +## RHEL/CentOS + +Add repository setting to `/etc/yum.repos.d`. + +``` +$ sudo vim /etc/yum.repos.d/trivy.repo +[trivy] +name=Trivy repository +baseurl=https://knqyf263.github.io/trivy-repo/rpm/releases/$releasever/$basearch/ +gpgcheck=0 +enabled=1 +$ sudo yum -y update +$ sudo yum -y install trivy +``` + +## Debian/Ubuntu + +Replace `[CODE_NAME]` with your code name + +CODE_NAME: wheezy, jessie, stretch, buster, trusty, xenial, bionic + +``` +$ sudo apt-get install apt-transport-https gnupg +$ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | sudo apt-key add - +$ echo deb https://knqyf263.github.io/trivy-repo/deb [CODE_NAME] main | sudo tee -a /etc/apt/sources.list +$ sudo apt-get update +$ sudo apt-get install trivy +``` + +## Mac OS X / Homebrew +You can use homebrew on OS X. +``` +$ brew tap knqyf263/trivy +$ brew install knqyf263/trivy/trivy +``` + +## Binary (Including Windows) +Go to [the releases page](https://github.com/knqyf263/trivy/releases), find the version you want, and download the zip file. Unpack the zip file, and put the binary to somewhere you want (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on. + +## From source + +```sh +$ go get -u github.com/knqyf263/trivy +``` + +# Examples + +# Usage + +``` +$ trivy -h +NAME: + trivy - A simple and comprehensive vulnerability scanner for containers +USAGE: + main [options] image_name +VERSION: + 0.0.1 +OPTIONS: + --format value, -f value format (table, json) (default: "table") + --input value, -i value input file path instead of image name + --severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN") + --output value, -o value output file name + --skip-update skip db update + --clean, -c clean all cache + --debug, -d debug mode + --help, -h show help + --version, -v print the version +``` + +# Q&A +## Homebrew +### Error: Your macOS keychain GitHub credentials do not have sufficient scope! + +``` +$ brew tap knqyf263/trivy +Error: Your macOS keychain GitHub credentials do not have sufficient scope! +Scopes they need: none +Scopes they have: +Create a personal access token: + https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew +echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc +``` + +Try: +``` +$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase +``` + +### Error: knqyf263/trivy/trivy 64 already installed + +``` +$ brew upgrade +... +Error: knqyf263/trivy/trivy 64 already installed +``` + +Try: + +``` +$ brew unlink trivy && brew uninstall trivy +($ rm -rf /usr/local/Cellar/trivy/64) +$ brew install knqyf263/trivy/trivy +``` + +# Contribute + +1. fork a repository: github.com/knqyf263/trivy to github.com/you/repo +2. get original code: `go get github.com/knqyf263/trivy` +3. work on original code +4. add remote to your repo: git remote add myfork https://github.com/you/repo.git +5. push your changes: git push myfork +6. create a new Pull Request + +- see [GitHub and Go: forking, pull requests, and go-getting](http://blog.campoy.cat/2014/03/github-and-go-forking-pull-requests-and.html) + +---- + +# License +MIT + +# Author +Teppei Fukuda (knqyf263) diff --git a/ci/Dockerfile b/ci/Dockerfile new file mode 100644 index 0000000000..fba3d17e68 --- /dev/null +++ b/ci/Dockerfile @@ -0,0 +1,20 @@ +FROM bepsays/ci-goreleaser:1.12-2 + +RUN apt-get -y update \ + && apt-get -y install vim rpm reprepro createrepo \ + && wget https://dl.bintray.com/homebrew/mirror/berkeley-db-18.1.32.tar.gz \ + + # Berkeley DB + && tar zxvf berkeley-db-18.1.32.tar.gz \ + && cd db-18.1.32/build_unix \ + + # Linux + && ../dist/configure --prefix=/usr/local --host=x86_64-linux \ + && make \ + && make install \ + + # Darwin + && make clean \ + && ../dist/configure --prefix=/usr/local --host=x86_64-apple-darwin15 \ + && make \ + && make install diff --git a/ci/deploy-deb.sh b/ci/deploy-deb.sh new file mode 100755 index 0000000000..9516c2467d --- /dev/null +++ b/ci/deploy-deb.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +RELEASES=(wheezy jessie stretch buster trusty xenial bionic) + +cd trivy-repo/deb + +for release in ${RELEASES[@]}; do + echo "Adding deb package to $release" + reprepro -A i386 remove $release trivy + reprepro -A amd64 remove $release trivy + reprepro includedeb $release ../../dist/*Linux-64bit.deb + reprepro includedeb $release ../../dist/*Linux-32bit.deb +done + +git add . +git commit -m "Update deb packages" +git push origin master diff --git a/ci/deploy-rpm.sh b/ci/deploy-rpm.sh new file mode 100755 index 0000000000..4a0c6f094e --- /dev/null +++ b/ci/deploy-rpm.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +RPM_EL6=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e 's/_/-/g' -e 's/-Linux/.el6/' -e 's/-64bit/.x86_64/') +RPM_EL7=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e 's/_/-/g' -e 's/-Linux/.el7/' -e 's/-64bit/.x86_64/') + +cd trivy-repo +mkdir -p rpm/releases/6/x86_64 +mkdir -p rpm/releases/7/x86_64 + +cd rpm +cp ../../dist/*64bit.rpm releases/6/x86_64/${RPM_EL6} +cp ../../dist/*64bit.rpm releases/7/x86_64/${RPM_EL7} + +createrepo --update releases/6/x86_64/ +createrepo --update releases/7/x86_64/ + +git add . +git commit -m "Update rpm packages" +git push origin master + diff --git a/cmd/remic/main.go b/cmd/remic/main.go new file mode 100644 index 0000000000..b6c2c96b5b --- /dev/null +++ b/cmd/remic/main.go @@ -0,0 +1,67 @@ +package main + +import ( + "os" + "strings" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/knqyf263/trivy/pkg/remic" + "github.com/urfave/cli" + + "github.com/knqyf263/trivy/pkg/log" +) + +func main() { + cli.AppHelpTemplate = `NAME: + {{.Name}}{{if .Usage}} - {{.Usage}}{{end}} +USAGE: + {{if .UsageText}}{{.UsageText}}{{else}}{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{end}}{{if .Version}}{{if not .HideVersion}} +VERSION: + {{.Version}}{{end}}{{end}}{{if .Description}} +DESCRIPTION: + {{.Description}}{{end}}{{if len .Authors}} +AUTHOR{{with $length := len .Authors}}{{if ne 1 $length}}S{{end}}{{end}}: + {{range $index, $author := .Authors}}{{if $index}} + {{end}}{{$author}}{{end}}{{end}}{{if .VisibleCommands}} +OPTIONS: + {{range $index, $option := .VisibleFlags}}{{if $index}} + {{end}}{{$option}}{{end}}{{end}} +` + app := cli.NewApp() + app.Name = "remic" + app.Version = "0.0.1" + app.ArgsUsage = "file" + + app.Usage = "A simple and fast tool for detecting vulnerabilities in application dependencies" + + app.Flags = []cli.Flag{ + cli.StringFlag{ + Name: "format, f", + Value: "table", + Usage: "format (table, json)", + }, + cli.StringFlag{ + Name: "severity, s", + Value: strings.Join(vulnerability.SeverityNames, ","), + Usage: "severity of vulnerabilities to be displayed", + }, + cli.StringFlag{ + Name: "output, o", + Usage: "output file name", + }, + cli.BoolFlag{ + Name: "debug, d", + Usage: "debug mode", + }, + } + + app.Action = func(c *cli.Context) error { + return remic.Run(c) + } + + err := app.Run(os.Args) + if err != nil { + log.Logger.Fatal(err) + } +} diff --git a/cmd/trivy/main.go b/cmd/trivy/main.go new file mode 100644 index 0000000000..862a547edb --- /dev/null +++ b/cmd/trivy/main.go @@ -0,0 +1,84 @@ +package main + +import ( + "os" + "strings" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/urfave/cli" + + "github.com/knqyf263/trivy/pkg" + "github.com/knqyf263/trivy/pkg/log" +) + +var ( + version = "dev" +) + +func main() { + cli.AppHelpTemplate = `NAME: + {{.Name}}{{if .Usage}} - {{.Usage}}{{end}} +USAGE: + {{if .UsageText}}{{.UsageText}}{{else}}{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{end}}{{if .Version}}{{if not .HideVersion}} +VERSION: + {{.Version}}{{end}}{{end}}{{if .Description}} +DESCRIPTION: + {{.Description}}{{end}}{{if len .Authors}} +AUTHOR{{with $length := len .Authors}}{{if ne 1 $length}}S{{end}}{{end}}: + {{range $index, $author := .Authors}}{{if $index}} + {{end}}{{$author}}{{end}}{{end}}{{if .VisibleCommands}} +OPTIONS: + {{range $index, $option := .VisibleFlags}}{{if $index}} + {{end}}{{$option}}{{end}}{{end}} +` + app := cli.NewApp() + app.Name = "trivy" + app.Version = version + app.ArgsUsage = "image_name" + + app.Usage = "A simple and comprehensive vulnerability scanner for containers" + + app.Flags = []cli.Flag{ + cli.StringFlag{ + Name: "format, f", + Value: "table", + Usage: "format (table, json)", + }, + cli.StringFlag{ + Name: "input, i", + Value: "", + Usage: "input file path instead of image name", + }, + cli.StringFlag{ + Name: "severity, s", + Value: strings.Join(vulnerability.SeverityNames, ","), + Usage: "severities of vulnerabilities to be displayed (comma separated)", + }, + cli.StringFlag{ + Name: "output, o", + Usage: "output file name", + }, + cli.BoolFlag{ + Name: "skip-update", + Usage: "skip db update", + }, + cli.BoolFlag{ + Name: "clean, c", + Usage: "clean all cache", + }, + cli.BoolFlag{ + Name: "debug, d", + Usage: "debug mode", + }, + } + + app.Action = func(c *cli.Context) error { + return pkg.Run(c) + } + + err := app.Run(os.Args) + if err != nil { + log.Logger.Fatal(err) + } +} diff --git a/go.mod b/go.mod new file mode 100644 index 0000000000..219b22859d --- /dev/null +++ b/go.mod @@ -0,0 +1,39 @@ +module github.com/knqyf263/trivy + +go 1.12 + +require ( + github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91 + github.com/emirpasic/gods v1.12.0 // indirect + github.com/etcd-io/bbolt v1.3.2 + github.com/fatih/color v1.7.0 + github.com/gliderlabs/ssh v0.1.3 // indirect + github.com/golang/protobuf v1.3.1 // indirect + github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6 + github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b + github.com/knqyf263/go-dep-parser v0.0.0-20190429154931-c377a5391790 + github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 + github.com/knqyf263/go-version v1.1.1 + github.com/mattn/go-colorable v0.1.1 // indirect + github.com/mattn/go-runewidth v0.0.4 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/olekukonko/tablewriter v0.0.1 + github.com/stretchr/testify v1.3.0 // indirect + github.com/urfave/cli v1.20.0 + github.com/xanzy/ssh-agent v0.2.1 // indirect + go.etcd.io/bbolt v1.3.2 // indirect + go.uber.org/atomic v1.3.2 // indirect + go.uber.org/multierr v1.1.0 // indirect + go.uber.org/zap v1.9.1 + golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 + golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 // indirect + golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67 // indirect + golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373 + gopkg.in/cheggaaa/pb.v1 v1.0.28 + gopkg.in/src-d/go-billy.v4 v4.3.0 // indirect + gopkg.in/src-d/go-git-fixtures.v3 v3.4.0 // indirect + gopkg.in/src-d/go-git.v4 v4.10.0 + gopkg.in/yaml.v2 v2.2.2 +) + +replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55 diff --git a/go.sum b/go.sum new file mode 100644 index 0000000000..60f4da053f --- /dev/null +++ b/go.sum @@ -0,0 +1,315 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.37.4 h1:glPeL3BQJsbF6aIIYfZizMwc5LTYz250bDMjttbBGAU= +cloud.google.com/go v0.37.4/go.mod h1:NHPJ89PdicEuT9hdPXMROBD91xc5uRDxsMtSB16k7hw= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 h1:wykTgKwhVr2t2qs+xI020s6W5dt614QqCHV+7W9dg64= +github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs= +github.com/Microsoft/go-winio v0.4.11 h1:zoIOcVf0xPN1tnMVbTtEdI+P8OofVk3NObnwOQ6nK2Q= +github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= +github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= +github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= +github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs= +github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA= +github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= +github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= +github.com/aws/aws-sdk-go v1.19.11 h1:tqaTGER6Byw3QvsjGW0p018U2UOqaJPeJuzoaF7jjoQ= +github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91 h1:GMmnK0dvr0Sf0gx3DvTbln0c8DE07B7sPVD9dgHOqo4= +github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91/go.mod h1:hw/JEQBIE+c/BLI4aKM8UU8v+ZqrD3h7HC27kKt8JQU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/containerd/continuity v0.0.0-20180921161001-7f53d412b9eb h1:qSMRxG547z/BgQmyVyADxaMADQXVAD9uleP2sQeClbo= +github.com/containerd/continuity v0.0.0-20180921161001-7f53d412b9eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= +github.com/coreos/clair v0.0.0-20180919182544-44ae4bc9590a h1:glxUtT0RlaVJU86kg78ygzfhwW6D+uj5H+aOK01QDgI= +github.com/coreos/clair v0.0.0-20180919182544-44ae4bc9590a/go.mod h1:uXhHPWAoRqw0jJc2f8RrPCwRhIo9otQ8OEWUFtpCiwA= +github.com/d4l3k/messagediff v1.2.1 h1:ZcAIMYsUg0EAp9X+tt8/enBE/Q8Yd5kzPynLyKptt9U= +github.com/d4l3k/messagediff v1.2.1/go.mod h1:Oozbb1TVXFac9FtSIxHBMnBCq2qeH/2KkEQxENCrlLo= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/deckarep/golang-set v1.7.1 h1:SCQV0S6gTtp6itiFrTqI+pfmJ4LN85S1YzhDf9rTHJQ= +github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14yDtF28KmMOgQ= +github.com/docker/cli v0.0.0-20180920165730-54c19e67f69c h1:QlAVcyoF7QQVN7zV+xYBjgwtRVlRU3WCTCpb2mcqQrM= +github.com/docker/cli v0.0.0-20180920165730-54c19e67f69c/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v0.0.0-20180920194744-16128bbac47f h1:hYf+mPizfvpH6VgIxdntnOmQHd1F1mQUc1oG+j3Ol2g= +github.com/docker/distribution v0.0.0-20180920194744-16128bbac47f/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f h1:W4fbqg0JUwy6lLesoJaV/rE0fwAmtdtinMa64X1CEh0= +github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-ce v0.0.0-20180924210327-f53bd8bb8e43 h1:gZ4lWixV821UVbYtr+oz1ZPCHkbtE+ivfmHyZRgyl2Y= +github.com/docker/docker-ce v0.0.0-20180924210327-f53bd8bb8e43/go.mod h1:l1FUGRYBvbjnZ8MS6A2xOji4aZFlY/Qmgz7p4oXH7ac= +github.com/docker/docker-credential-helpers v0.6.1 h1:Dq4iIfcM7cNtddhLVWe9h4QDjsi4OER3Z8voPu/I52g= +github.com/docker/docker-credential-helpers v0.6.1/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.0.0-20180821093606-97c2040d34df/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916 h1:yWHOI+vFjEsAakUTSrtqc/SAHrhSkmn48pqjidZX3QA= +github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI= +github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk= +github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4= +github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= +github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= +github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= +github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/emirpasic/gods v1.9.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= +github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg= +github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o= +github.com/etcd-io/bbolt v1.3.2 h1:RLRQ0TKLX7DlBRXAJHvbmXL17Q3KNnTBtZ9B6Qo+/Y0= +github.com/etcd-io/bbolt v1.3.2/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw= +github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fernet/fernet-go v0.0.0-20180830025343-9eac43b88a5e/go.mod h1:2H9hjfbpSMHwY503FclkV/lZTBh2YlOmLLSda12uL8c= +github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ= +github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/genuinetools/pkg v0.0.0-20180910213200-1c141f661797/go.mod h1:XTcrCYlXPxnxL2UpnwuRn7tcaTn9HAhxFoFJucootk8= +github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= +github.com/gliderlabs/ssh v0.1.3 h1:cBU46h1lYQk5f2Z+jZbewFKy+1zzE2aUX/ilcPDAm9M= +github.com/gliderlabs/ssh v0.1.3/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.0 h1:xU6/SpYbvkNYiptHJYEDRseDLvYE7wSqhYYNy0QSUzI= +github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8= +github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= +github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk= +github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e h1:RgQk53JHp/Cjunrr1WlsXSZpqXn+uREuHvUVcK82CV8= +github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg= +github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6 h1:iSztZNfwEPMN2CvUX1SxNEclRZn+rwRMdsnAegxRJk4= +github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6/go.mod h1:OiuWIClssf5WzbMcR8lfspdBVaP+vRQndY4kHeFgrDw= +github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b h1:DiDMmSwuY27PJxA2Gs0+uI/bQ/ehKARaGXRdlp+wFis= +github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao= +github.com/knqyf263/go-dep-parser v0.0.0-20190429154931-c377a5391790 h1:c02gG0yRNr25lcLOH+678SuuxxMUq36i48PQnmAweWk= +github.com/knqyf263/go-dep-parser v0.0.0-20190429154931-c377a5391790/go.mod h1:CtT+dtv38jSz5EYYCX21LgtVXP+J3soF2fzQT8lHCfY= +github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqotkViMNcGMGicb7cgxklx8OwnjtCBmyWEqrRvM= +github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0= +github.com/knqyf263/go-rpmdb v0.0.0-20190501070121-10a1c42a10dc/go.mod h1:MrSSvdMpTSymaQWk1yFr9sxFSyQmKMj6jkbvGrchBV8= +github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9DxI2o= +github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM= +github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc= +github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk= +github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/mattn/go-colorable v0.1.1 h1:G1f5SKeVxmagw/IyvzvtZE4Gybcc4Tr1tf7I8z0XgOg= +github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= +github.com/mattn/go-isatty v0.0.5 h1:tHXDdz1cpzGaovsTB+TVB8q90WEokoVmfMqoVcrLUgw= +github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-runewidth v0.0.4 h1:2BvfKmzob6Bmd4YsL0zygOqfdFnK7GR4QL06Do4/p7Y= +github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/olekukonko/tablewriter v0.0.1 h1:b3iUnf1v+ppJiOfNX4yxxqfWKMQPZR5yoh8urCTFX88= +github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2 h1:QhPf3A2AZW3tTGvHPg0TA+CR3oHbVLlXUhlghqISp1I= +github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/runc v0.1.1 h1:GlxAyO6x8rfZYN9Tt0Kti5a/cP41iuiO2yYT0IJGY8Y= +github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= +github.com/pelletier/go-buffruneio v0.2.0 h1:U4t4R6YkofJ5xHm3dJzuRpPZ0mr5MMCoAWooScCR7aA= +github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo= +github.com/peterhellberg/link v1.0.0 h1:mUWkiegowUXEcmlb+ybF75Q/8D2Y0BjZtR8cxoKhaQo= +github.com/peterhellberg/link v1.0.0/go.mod h1:gtSlOT4jmkY8P47hbTc8PTgiDDWpdPbFYl75keYyBB8= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v0.0.0-20180924113449-f69c853d21c1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829 h1:D+CiwcpGTW6pL6bv6KI3KbyEyCKyS+1JWS2h8PNDnGA= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f h1:BVwpUVJDADN2ufcGik7W992pyps0wZ888b/y9GXcLTU= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.2.0 h1:kUZDBDTdBVBYBj5Tmh2NZLlF60mfjA27rM34b+cVwNU= +github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20180920065004-418d78d0b9a7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1 h1:/K3IL0Z1quvmJ7X0A1AwNEK7CRkVK3YwfOU/QAL4WGg= +github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/httpfs v0.0.0-20171119174359-809beceb2371/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg= +github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= +github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4= +github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55 h1:O7Xl4zpk6zjYnwxUd7lubrx7xdzQ+PqfTgaxLE9nF+o= +github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55/go.mod h1:12Fe9EIvK3dG/qWhNk5e9O96I8SGmCKLsJ8GsXUbk+Y= +github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/xanzy/ssh-agent v0.2.0/go.mod h1:0NyE30eGUDliuLEHJgYte/zncp2zdTStcOnWhgSqHD8= +github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70= +github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4= +go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= +go.uber.org/atomic v1.3.2 h1:2Oa65PReHzfn29GpvgsYwloV9AVFHPDk8tYxt2c2tr4= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.9.1 h1:XCJQEf3W6eZaVwhRBof6ImoYGJSITeKWsyeh3HFu/5o= +go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20180910181607-0e37d006457b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 h1:bselrhR0Or1vomJZC8ZIjWtbDmn9OYFLX5Ik9alpJpE= +golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180925072008-f04abc6bdfa7/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 h1:Wo7BWFiOk0QRFMLYMqJGFMd9CgUAcGx7V+qEg/h5IBI= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180903190138-2b024373dcd9/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180925112736-b09afc3d579e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67 h1:1Fzlr8kkDLQwqMP8GxrhptBLqZG/EDpiATneiZHY998= +golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2 h1:z99zHgr7hKfrUcX/KsoJk5FJfjTceCKIp96+biqP4To= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c h1:fqgJT0MGcGpPgpWU7VRdRjuArfcOvC4AoJmILihzhDg= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373 h1:PPwnA7z1Pjf7XYaBP9GL1VAMZmcIWyFz7QCMSIIa3Bg= +golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20180924164928-221a8d4f7494/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107 h1:xtNn7qFlagY2mQNFHMSRPjT2RkOV4OXM7P5TVy9xATo= +google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/grpc v1.15.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio= +google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= +google.golang.org/grpc v1.19.0 h1:cfg4PD8YEdSFnm7qLV4++93WcmhH2nIUhMjhdCvl3j8= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk= +gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= +gopkg.in/src-d/go-billy.v4 v4.2.1/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk= +gopkg.in/src-d/go-billy.v4 v4.3.0 h1:KtlZ4c1OWbIs4jCv5ZXrTqG8EQocr0g/d4DjNg70aek= +gopkg.in/src-d/go-billy.v4 v4.3.0/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk= +gopkg.in/src-d/go-git-fixtures.v3 v3.1.1/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g= +gopkg.in/src-d/go-git-fixtures.v3 v3.4.0 h1:KFpaNTUcLHLoP/OkdcRXR+MA5p55MhA41YVb7Wd8EfM= +gopkg.in/src-d/go-git-fixtures.v3 v3.4.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g= +gopkg.in/src-d/go-git.v4 v4.10.0 h1:NWjTJTQnk8UpIGlssuefyDZ6JruEjo5s88vm88uASbw= +gopkg.in/src-d/go-git.v4 v4.10.0/go.mod h1:Vtut8izDyrM8BUVQnzJ+YvmNcem2J89EmfZYCkLokZk= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gotest.tools v2.1.0+incompatible h1:5USw7CrJBYKqjg9R7QlA6jzqZKEAtvW82aNmsxxGPxw= +gotest.tools v2.1.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/goreleaser.yml b/goreleaser.yml new file mode 100644 index 0000000000..f617ffb65e --- /dev/null +++ b/goreleaser.yml @@ -0,0 +1,81 @@ +project_name: trivy +builds: + - main: cmd/trivy/main.go + binary: trivy + ldflags: + - -s -w + - "-extldflags '-static'" + - -X main.version={{.Version}} + env: + - CGO_ENABLED=0 + goos: + - darwin + - linux + - windows + - freebsd + - openbsd + goarch: + - amd64 + - 386 + - arm + - arm64 + goarm: + - 7 + +nfpm: + formats: + - deb + - rpm + dependencies: + - rpm + vendor: "knqyf263" + homepage: "https://github.com/knqyf263" + maintainer: "Teppei Fukuda " + description: "A Fast Vulnerability Scanner for Containers" + license: "MIT" + name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}" + replacements: + amd64: 64bit + 386: 32bit + arm: ARM + arm64: ARM64 + darwin: macOS + linux: Linux + windows: Windows + openbsd: OpenBSD + netbsd: NetBSD + freebsd: FreeBSD + dragonfly: DragonFlyBSD + +archive: + format: tar.gz + format_overrides: + - goos: windows + format: zip + name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}" + replacements: + amd64: 64bit + 386: 32bit + arm: ARM + arm64: ARM64 + darwin: macOS + linux: Linux + windows: Windows + openbsd: OpenBSD + netbsd: NetBSD + freebsd: FreeBSD + dragonfly: DragonFlyBSD + files: + - README.md + - LICENSE + +brew: + github: + owner: knqyf263 + name: homebrew-trivy + dependencies: + - rpm + homepage: "https://github.com/knqyf263/trivy" + description: "" + test: | + system "#{bin}/program --version" diff --git a/pkg/db/db.go b/pkg/db/db.go new file mode 100644 index 0000000000..c443183906 --- /dev/null +++ b/pkg/db/db.go @@ -0,0 +1,116 @@ +package db + +import ( + "encoding/json" + "github.com/knqyf263/trivy/pkg/log" + "os" + "path/filepath" + + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/utils" + + bolt "github.com/etcd-io/bbolt" +) + +var ( + db *bolt.DB +) + +func Init() (err error) { + dbDir := filepath.Join(utils.CacheDir(), "db") + if err = os.MkdirAll(dbDir, 0700); err != nil { + return xerrors.Errorf("failed to mkdir: %w", err) + } + + dbPath := filepath.Join(dbDir, "trivy.db") + log.Logger.Debugf("db path: %s", dbPath) + db, err = bolt.Open(dbPath, 0600, nil) + if err != nil { + return xerrors.Errorf("failed to open db: %w", err) + } + return nil +} + +func Update(rootBucket, nestedBucket, key string, value interface{}) error { + err := db.Update(func(tx *bolt.Tx) error { + return PutNestedBucket(tx, rootBucket, nestedBucket, key, value) + }) + if err != nil { + return xerrors.Errorf("error in db update: %w", err) + } + return err +} + +func PutNestedBucket(tx *bolt.Tx, rootBucket, nestedBucket, key string, value interface{}) error { + root, err := tx.CreateBucketIfNotExists([]byte(rootBucket)) + if err != nil { + return xerrors.Errorf("failed to create a bucket: %w", err) + } + return Put(root, nestedBucket, key, value) +} +func Put(root *bolt.Bucket, nestedBucket, key string, value interface{}) error { + nested, err := root.CreateBucketIfNotExists([]byte(nestedBucket)) + if err != nil { + return xerrors.Errorf("failed to create a bucket: %w", err) + } + v, err := json.Marshal(value) + if err != nil { + return xerrors.Errorf("failed to unmarshal JSON: %w", err) + } + return nested.Put([]byte(key), v) +} +func BatchUpdate(fn func(tx *bolt.Tx) error) error { + err := db.Batch(func(tx *bolt.Tx) error { + return fn(tx) + }) + if err != nil { + return xerrors.Errorf("error in batch update: %w", err) + } + return nil +} + +func Get(rootBucket, nestedBucket, key string) (value []byte, err error) { + err = db.View(func(tx *bolt.Tx) error { + root := tx.Bucket([]byte(rootBucket)) + if root == nil { + return nil + } + nested := root.Bucket([]byte(nestedBucket)) + if nested == nil { + return nil + } + value = nested.Get([]byte(key)) + return nil + }) + if err != nil { + return nil, xerrors.Errorf("failed to get data from db: %w", err) + } + return value, nil +} + +func ForEach(rootBucket, nestedBucket string) (value map[string][]byte, err error) { + value = map[string][]byte{} + err = db.View(func(tx *bolt.Tx) error { + root := tx.Bucket([]byte(rootBucket)) + if root == nil { + return nil + } + nested := root.Bucket([]byte(nestedBucket)) + if nested == nil { + return nil + } + err := nested.ForEach(func(k, v []byte) error { + value[string(k)] = v + return nil + }) + if err != nil { + return xerrors.Errorf("error in db foreach: %w", err) + } + return nil + }) + if err != nil { + return nil, xerrors.Errorf("failed to get all key/value in the specified bucket: %w", err) + } + return value, nil +} diff --git a/pkg/git/git.go b/pkg/git/git.go new file mode 100644 index 0000000000..983fbb87ab --- /dev/null +++ b/pkg/git/git.go @@ -0,0 +1,188 @@ +package git + +import ( + "os" + "path/filepath" + "strings" + "time" + + "github.com/briandowns/spinner" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/utils" + "golang.org/x/xerrors" + git "gopkg.in/src-d/go-git.v4" + "gopkg.in/src-d/go-git.v4/plumbing/object" + "gopkg.in/src-d/go-git.v4/plumbing/storer" +) + +func CloneOrPull(url, repoPath string) (map[string]struct{}, error) { + exists, err := utils.Exists(filepath.Join(repoPath, ".git")) + if err != nil { + return nil, xerrors.Errorf("failed to check if a file exists: %w", err) + } + + updatedFiles := map[string]struct{}{} + if exists { + log.Logger.Debug("git pull") + files, err := pull(repoPath) + if err != nil { + return nil, xerrors.Errorf("failed to pull repository: %w", err) + } + + for _, filename := range files { + updatedFiles[strings.TrimSpace(filename)] = struct{}{} + } + } else { + log.Logger.Debug("remove an existed directory") + + s := spinner.New(spinner.CharSets[36], 100*time.Millisecond) + s.Suffix = " The first time will take a while..." + s.Start() + defer s.Stop() + + if err = os.RemoveAll(repoPath); err != nil { + return nil, xerrors.Errorf("failed to remove an existed directory: %w", err) + } + + if err = os.MkdirAll(repoPath, 0700); err != nil { + return nil, xerrors.Errorf("failed to mkdir: %w", err) + } + if err := clone(url, repoPath); err != nil { + return nil, xerrors.Errorf("failed to clone repository: %w", err) + } + + err = filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error { + if info.IsDir() { + return nil + } + rel, err := filepath.Rel(repoPath, path) + if err != nil { + return xerrors.Errorf("failed to get a relative path: %w", err) + } + updatedFiles[rel] = struct{}{} + return nil + }) + if err != nil { + return nil, xerrors.Errorf("error in file walk: %w", err) + } + } + + return updatedFiles, nil +} + +func clone(url, repoPath string) error { + if utils.IsCommandAvailable("git") { + return cloneByOSCommand(url, repoPath) + } + log.Logger.Warn("Recommend installing git (if not, DB update is very slow)") + + _, err := git.PlainClone(repoPath, false, &git.CloneOptions{ + URL: url, + }) + if err != nil && err != git.ErrRepositoryAlreadyExists { + return xerrors.Errorf("unexpected error in git clone: %w", err) + } + return nil +} + +func cloneByOSCommand(url, repoPath string) error { + commandAndArgs := []string{"clone", url, repoPath} + _, err := utils.Exec("git", commandAndArgs) + if err != nil { + return xerrors.Errorf("error in git clone: %w", err) + } + return nil +} + +func pull(repoPath string) ([]string, error) { + if utils.IsCommandAvailable("git") { + return pullByOSCommand(repoPath) + } + + r, err := git.PlainOpen(repoPath) + if err != nil { + return nil, xerrors.Errorf("failed to open repository: %w", err) + } + + log.Logger.Debug("Retrieve the branch being pointed by HEAD") + ref, err := r.Head() + if err != nil { + return nil, xerrors.Errorf("failed to get HEAD: %w", err) + } + + log.Logger.Debug("Get the working directory for the repository") + w, err := r.Worktree() + if err != nil { + return nil, xerrors.Errorf("failed to get the working directory: %w", err) + } + + log.Logger.Debug("Pull the latest changes from the origin remote and merge into the current branch") + err = w.Pull(&git.PullOptions{RemoteName: "origin"}) + if err != nil && err != git.NoErrAlreadyUpToDate { + return nil, err + } else if err == git.NoErrAlreadyUpToDate { + return []string{}, nil + } + + log.Logger.Debug("Retrieve the commit history") + commits, err := r.Log(&git.LogOptions{}) + if err != nil { + return nil, xerrors.Errorf("error in git log: %w", err) + } + + log.Logger.Debug("Detect the updated files") + var prevCommit *object.Commit + var updatedFiles []string + err = commits.ForEach(func(commit *object.Commit) error { + if prevCommit == nil { + prevCommit = commit + return nil + } + + patch, err := commit.Patch(prevCommit) + if err != nil { + return xerrors.Errorf("error in patch: %w", err) + } + for _, stat := range patch.Stats() { + updatedFiles = append(updatedFiles, stat.Name) + } + + if commit.Hash == ref.Hash() { + return storer.ErrStop + } + + prevCommit = commit + return nil + }) + if err != nil { + return nil, xerrors.Errorf("error in commit foreach: %w", err) + } + + return updatedFiles, nil +} + +func pullByOSCommand(repoPath string) ([]string, error) { + gitDir := filepath.Join(repoPath, ".git") + commandArgs := []string{"--git-dir", gitDir, "--work-tree", repoPath} + + revParseCmd := []string{"rev-parse", "HEAD"} + output, err := utils.Exec("git", append(commandArgs, revParseCmd...)) + if err != nil { + return nil, xerrors.Errorf("error in git rev-parse: %w", err) + } + commitHash := strings.TrimSpace(output) + + pullCmd := []string{"pull", "origin", "master"} + _, err = utils.Exec("git", append(commandArgs, pullCmd...)) + if err != nil { + return nil, xerrors.Errorf("error in git pull: %w", err) + } + + diffCmd := []string{"diff", commitHash, "HEAD", "--name-only"} + output, err = utils.Exec("git", append(commandArgs, diffCmd...)) + if err != nil { + return nil, xerrors.Errorf("error in git diff: %w", err) + } + updatedFiles := strings.Split(strings.TrimSpace(output), "\n") + return updatedFiles, nil +} diff --git a/pkg/log/logger.go b/pkg/log/logger.go new file mode 100644 index 0000000000..7e305056ce --- /dev/null +++ b/pkg/log/logger.go @@ -0,0 +1,55 @@ +package log + +import ( + "go.uber.org/zap" + "go.uber.org/zap/zapcore" + "golang.org/x/xerrors" +) + +var Logger *zap.SugaredLogger + +func InitLogger(debug bool) (err error) { + Logger, err = newLogger(debug) + if err != nil { + return xerrors.Errorf("error in new logger: %w", err) + } + return nil + +} + +func newLogger(debug bool) (*zap.SugaredLogger, error) { + level := zap.NewAtomicLevel() + if debug { + level.SetLevel(zapcore.DebugLevel) + } else { + level.SetLevel(zapcore.InfoLevel) + } + + myConfig := zap.Config{ + Level: level, + Encoding: "console", + Development: debug, + DisableStacktrace: !debug, + DisableCaller: !debug, + EncoderConfig: zapcore.EncoderConfig{ + TimeKey: "Time", + LevelKey: "Level", + NameKey: "Name", + CallerKey: "Caller", + MessageKey: "Msg", + StacktraceKey: "St", + EncodeLevel: zapcore.CapitalColorLevelEncoder, + EncodeTime: zapcore.ISO8601TimeEncoder, + EncodeDuration: zapcore.StringDurationEncoder, + EncodeCaller: zapcore.ShortCallerEncoder, + }, + OutputPaths: []string{"stdout"}, + ErrorOutputPaths: []string{"stderr"}, + } + logger, err := myConfig.Build() + if err != nil { + return nil, xerrors.Errorf("failed to build zap config: %w", err) + } + + return logger.Sugar(), nil +} diff --git a/pkg/remic/run.go b/pkg/remic/run.go new file mode 100644 index 0000000000..ea3eac0576 --- /dev/null +++ b/pkg/remic/run.go @@ -0,0 +1,85 @@ +package remic + +import ( + l "log" + "os" + "strings" + + "github.com/knqyf263/trivy/pkg/scanner" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/knqyf263/trivy/pkg/vulnsrc" + + "github.com/urfave/cli" + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/db" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/report" +) + +func Run(c *cli.Context) (err error) { + debug := c.Bool("debug") + if err = log.InitLogger(debug); err != nil { + l.Fatal(err) + } + + args := c.Args() + if len(args) == 0 { + return xerrors.New(`remic" requires at least 1 argument.`) + } + + o := c.String("output") + output := os.Stdout + if o != "" { + if output, err = os.Create(o); err != nil { + return err + } + } + + var severities []vulnerability.Severity + for _, s := range strings.Split(c.String("severity"), ",") { + severity, err := vulnerability.NewSeverity(s) + if err != nil { + return err + } + severities = append(severities, severity) + } + + if err = db.Init(); err != nil { + return err + } + + if err = vulnsrc.Update(); err != nil { + return err + } + + fileName := args[0] + f, err := os.Open(fileName) + if err != nil { + return xerrors.Errorf("failed to open a file: %w", err) + } + defer f.Close() + + result, err := scanner.ScanFile(f, severities) + if err != nil { + return xerrors.Errorf("failed to scan a file: %w", err) + } + + var writer report.Writer + switch c.String("format") { + case "table": + writer = &report.TableWriter{Output: output} + case "json": + writer = &report.JsonWriter{Output: output} + default: + return xerrors.New("unknown format") + } + + if err = writer.Write([]report.Result{result}); err != nil { + return xerrors.Errorf("failed to write results: %w", err) + } + + return nil +} diff --git a/pkg/report/writer.go b/pkg/report/writer.go new file mode 100644 index 0000000000..475bbdd5c8 --- /dev/null +++ b/pkg/report/writer.go @@ -0,0 +1,87 @@ +package report + +import ( + "encoding/json" + "fmt" + "io" + "strings" + + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/knqyf263/trivy/pkg/types" + "github.com/olekukonko/tablewriter" +) + +type Results []Result + +type Result struct { + FileName string `json:"file"` + Vulnerabilities []types.Vulnerability +} + +type Writer interface { + Write(Results) error +} + +type TableWriter struct { + Output io.Writer +} + +func (tw TableWriter) Write(results Results) error { + for _, result := range results { + tw.write(result) + } + return nil +} +func (tw TableWriter) write(result Result) { + table := tablewriter.NewWriter(tw.Output) + table.SetHeader([]string{"Library", "Vulnerability ID", "Severity", "Installed Version", "Fixed Version", "Title"}) + + severityCount := map[string]int{} + for _, v := range result.Vulnerabilities { + severityCount[v.Severity]++ + table.Append([]string{v.PkgName, v.VulnerabilityID, vulnerability.ColorizeSeverity(v.Severity), + v.InstalledVersion, v.FixedVersion, v.Title}) + } + + var results []string + for _, severity := range vulnerability.SeverityNames { + r := fmt.Sprintf("%s: %d", severity, severityCount[severity]) + results = append(results, r) + } + + fmt.Printf("\n%s\n", result.FileName) + fmt.Println(strings.Repeat("=", len(result.FileName))) + fmt.Printf("Total: %d (%s)\n\n", len(result.Vulnerabilities), strings.Join(results, ", ")) + + if len(result.Vulnerabilities) == 0 { + return + } + + table.SetAutoMergeCells(true) + table.SetRowLine(true) + table.Render() + return +} + +type JsonWriter struct { + Output io.Writer +} + +func (jw JsonWriter) Write(results Results) error { + out := map[string][]types.Vulnerability{} + for _, result := range results { + out[result.FileName] = result.Vulnerabilities + } + output, err := json.MarshalIndent(out, "", " ") + if err != nil { + return xerrors.Errorf("failed to marshal json: %w", err) + } + + if _, err = fmt.Fprint(jw.Output, string(output)); err != nil { + return xerrors.Errorf("failed to write json: %w", err) + } + return nil +} diff --git a/pkg/run.go b/pkg/run.go new file mode 100644 index 0000000000..4f85f1baa3 --- /dev/null +++ b/pkg/run.go @@ -0,0 +1,95 @@ +package pkg + +import ( + l "log" + "os" + "strings" + + "github.com/knqyf263/trivy/pkg/utils" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/knqyf263/trivy/pkg/report" + "github.com/knqyf263/trivy/pkg/scanner" + "github.com/knqyf263/trivy/pkg/vulnsrc" + + "github.com/urfave/cli" + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/db" + "github.com/knqyf263/trivy/pkg/log" +) + +func Run(c *cli.Context) (err error) { + debug := c.Bool("debug") + if err = log.InitLogger(debug); err != nil { + l.Fatal(err) + } + log.Logger.Debugf("cache dir: %s", utils.CacheDir()) + + args := c.Args() + filePath := c.String("input") + if filePath == "" && len(args) == 0 { + log.Logger.Info(`trivy" requires at least 1 argument or --input option.`) + cli.ShowAppHelpAndExit(c, 1) + } + + clean := c.Bool("clean") + if clean { + log.Logger.Info("Cleaning caches...") + if err = os.RemoveAll(utils.CacheDir()); err != nil { + return xerrors.New("failed to remove cache") + } + } + o := c.String("output") + output := os.Stdout + if o != "" { + if output, err = os.Create(o); err != nil { + return xerrors.Errorf("failed to create an output file: %w", err) + } + } + + var severities []vulnerability.Severity + for _, s := range strings.Split(c.String("severity"), ",") { + severity, err := vulnerability.NewSeverity(s) + if err != nil { + return xerrors.Errorf("error in severity option: %w", err) + } + severities = append(severities, severity) + } + + if err = db.Init(); err != nil { + return xerrors.Errorf("error in vulnerability DB initialize: %w", err) + } + + if !c.Bool("skip-update") { + if err = vulnsrc.Update(); err != nil { + return xerrors.Errorf("error in vulnerability DB update: %w", err) + } + } + + var imageName string + if filePath == "" { + imageName = args[0] + } + results, err := scanner.ScanImage(imageName, filePath, severities) + if err != nil { + return xerrors.Errorf("error in image scan: %w", err) + } + + var writer report.Writer + switch c.String("format") { + case "table": + writer = &report.TableWriter{Output: output} + case "json": + writer = &report.JsonWriter{Output: output} + default: + xerrors.New("unknown format") + } + + if err = writer.Write(results); err != nil { + return err + } + + return nil +} diff --git a/pkg/scanner/library/bundler/advisory.go b/pkg/scanner/library/bundler/advisory.go new file mode 100644 index 0000000000..ca8c9dcc3b --- /dev/null +++ b/pkg/scanner/library/bundler/advisory.go @@ -0,0 +1,80 @@ +package bundler + +import ( + "io/ioutil" + "os" + "path/filepath" + + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/git" + "github.com/knqyf263/trivy/pkg/utils" + "gopkg.in/yaml.v2" +) + +const ( + dbURL = "https://github.com/rubysec/ruby-advisory-db.git" +) + +var ( + repoPath = filepath.Join(utils.CacheDir(), "ruby-advisory-db") +) + +type AdvisoryDB map[string][]Advisory + +type Advisory struct { + Gem string + Cve string + Osvdb string + Title string + Url string + PatchedVersions []string `yaml:"patched_versions"` + UnaffectedVersions []string `yaml:"unaffected_versions"` + Related Related +} + +type Related struct { + Cve []string + Url []string +} + +func (s *Scanner) UpdateDB() (err error) { + if _, err := git.CloneOrPull(dbURL, repoPath); err != nil { + return xerrors.Errorf("error in %s security DB update: %w", s.Type(), err) + } + s.db, err = walk() + return err +} + +func walk() (AdvisoryDB, error) { + advisoryDB := AdvisoryDB{} + root := filepath.Join(repoPath, "gems") + + err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error { + if info.IsDir() { + return nil + } + buf, err := ioutil.ReadFile(path) + if err != nil { + return xerrors.Errorf("failed to read a file: %w", err) + } + + advisory := Advisory{} + err = yaml.Unmarshal(buf, &advisory) + if err != nil { + return xerrors.Errorf("failed to unmarshal YAML: %w", err) + } + + advisories, ok := advisoryDB[advisory.Gem] + if !ok { + advisories = []Advisory{} + } + advisoryDB[advisory.Gem] = append(advisories, advisory) + + return nil + }) + if err != nil { + return nil, xerrors.Errorf("error in file wakl: %w", err) + } + return advisoryDB, nil +} diff --git a/pkg/scanner/library/bundler/scan.go b/pkg/scanner/library/bundler/scan.go new file mode 100644 index 0000000000..1f72650560 --- /dev/null +++ b/pkg/scanner/library/bundler/scan.go @@ -0,0 +1,67 @@ +package bundler + +import ( + "fmt" + "os" + "strings" + + "github.com/knqyf263/go-dep-parser/pkg/bundler" + ptypes "github.com/knqyf263/go-dep-parser/pkg/types" + "github.com/knqyf263/go-version" + "github.com/knqyf263/trivy/pkg/scanner/utils" + "github.com/knqyf263/trivy/pkg/types" + "golang.org/x/xerrors" +) + +const ( + scannerType = "bundler" +) + +type Scanner struct { + db AdvisoryDB +} + +func NewScanner() *Scanner { + return &Scanner{} +} + +func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]types.Vulnerability, error) { + var vulns []types.Vulnerability + for _, advisory := range s.db[pkgName] { + if utils.MatchVersions(pkgVer, advisory.PatchedVersions) { + continue + } + if utils.MatchVersions(pkgVer, advisory.UnaffectedVersions) { + continue + } + + var vulnerabilityID string + if advisory.Cve != "" { + vulnerabilityID = fmt.Sprintf("CVE-%s", advisory.Cve) + } else if advisory.Osvdb != "" { + vulnerabilityID = fmt.Sprintf("OSVDB-%s", advisory.Osvdb) + } + + vuln := types.Vulnerability{ + VulnerabilityID: vulnerabilityID, + PkgName: strings.TrimSpace(advisory.Gem), + Title: strings.TrimSpace(advisory.Title), + InstalledVersion: pkgVer.String(), + FixedVersion: strings.Join(advisory.PatchedVersions, ", "), + } + vulns = append(vulns, vuln) + } + return vulns, nil +} + +func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) { + libs, err := bundler.Parse(f) + if err != nil { + return nil, xerrors.Errorf("invalid Gemfile.lock format: %w", err) + } + return libs, nil +} + +func (s *Scanner) Type() string { + return scannerType +} diff --git a/pkg/scanner/library/composer/advisory.go b/pkg/scanner/library/composer/advisory.go new file mode 100644 index 0000000000..b455dde3ba --- /dev/null +++ b/pkg/scanner/library/composer/advisory.go @@ -0,0 +1,73 @@ +package composer + +import ( + "io/ioutil" + "os" + "path/filepath" + "strings" + + "github.com/knqyf263/trivy/pkg/utils" + + "github.com/knqyf263/trivy/pkg/git" + "gopkg.in/yaml.v2" +) + +const ( + dbURL = "https://github.com/FriendsOfPHP/security-advisories" +) + +var ( + repoPath = filepath.Join(utils.CacheDir(), "php-security-advisories") +) + +type AdvisoryDB map[string][]Advisory + +type Advisory struct { + Cve string + Title string + Link string + Reference string + Branches map[string]Branch +} + +type Branch struct { + Versions []string +} + +func (s *Scanner) UpdateDB() (err error) { + if _, err := git.CloneOrPull(dbURL, repoPath); err != nil { + return err + } + s.db, err = walk() + return err +} + +func walk() (AdvisoryDB, error) { + advisoryDB := AdvisoryDB{} + err := filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error { + if info.IsDir() || !strings.HasPrefix(info.Name(), "CVE-") { + return nil + } + buf, err := ioutil.ReadFile(path) + if err != nil { + return err + } + + advisory := Advisory{} + err = yaml.Unmarshal(buf, &advisory) + if err != nil { + return err + } + advisories, ok := advisoryDB[advisory.Reference] + if !ok { + advisories = []Advisory{} + } + advisoryDB[advisory.Reference] = append(advisories, advisory) + + return nil + }) + if err != nil { + return nil, err + } + return advisoryDB, nil +} diff --git a/pkg/scanner/library/composer/scan.go b/pkg/scanner/library/composer/scan.go new file mode 100644 index 0000000000..9658c4f78f --- /dev/null +++ b/pkg/scanner/library/composer/scan.go @@ -0,0 +1,69 @@ +package composer + +import ( + "fmt" + "os" + "strings" + + "golang.org/x/xerrors" + + "github.com/knqyf263/go-dep-parser/pkg/composer" + ptypes "github.com/knqyf263/go-dep-parser/pkg/types" + "github.com/knqyf263/go-version" + "github.com/knqyf263/trivy/pkg/scanner/utils" + "github.com/knqyf263/trivy/pkg/types" +) + +const ( + scannerType = "composer" +) + +type Scanner struct { + db AdvisoryDB +} + +func NewScanner() *Scanner { + return &Scanner{} +} + +func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]types.Vulnerability, error) { + var vulns []types.Vulnerability + ref := fmt.Sprintf("composer://%s", pkgName) + for _, advisory := range s.db[ref] { + var affectedVersions []string + var patchedVersions []string + for _, branch := range advisory.Branches { + for _, version := range branch.Versions { + if !strings.HasPrefix(version, "<=") && strings.HasPrefix(version, "<") { + patchedVersions = append(patchedVersions, strings.Trim(version, "<")) + } + } + affectedVersions = append(affectedVersions, strings.Join(branch.Versions, ", ")) + } + + if !utils.MatchVersions(pkgVer, affectedVersions) { + continue + } + + vuln := types.Vulnerability{ + VulnerabilityID: advisory.Cve, + PkgName: pkgName, + Title: strings.TrimSpace(advisory.Title), + InstalledVersion: pkgVer.String(), + FixedVersion: strings.Join(patchedVersions, ", "), + } + vulns = append(vulns, vuln) + } + return vulns, nil +} + +func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) { + libs, err := composer.Parse(f) + if err != nil { + return nil, xerrors.Errorf("invalid composer.lock format: %w", err) + } + return libs, nil +} +func (s *Scanner) Type() string { + return scannerType +} diff --git a/pkg/scanner/library/npm/advisory.go b/pkg/scanner/library/npm/advisory.go new file mode 100644 index 0000000000..89beb942d3 --- /dev/null +++ b/pkg/scanner/library/npm/advisory.go @@ -0,0 +1,83 @@ +package npm + +import ( + "encoding/json" + "os" + "path/filepath" + "strconv" + "strings" + + "github.com/knqyf263/trivy/pkg/utils" + + "github.com/knqyf263/trivy/pkg/git" +) + +const ( + dbURL = "https://github.com/nodejs/security-wg.git" +) + +var ( + repoPath = filepath.Join(utils.CacheDir(), "nodejs-security-wg") +) + +type AdvisoryDB map[string][]Advisory + +type Advisory struct { + ID int + Title string + ModuleName string `json:"module_name""` + Cves []string + VulnerableVersions string `json:"vulnerable_versions"` + PatchedVersions string `json:"patched_versions"` + Recommendation string + References []string + CvssScoreNumber json.Number `json:"cvss_score"` + CvssScore float64 +} + +func (s *Scanner) UpdateDB() (err error) { + if _, err := git.CloneOrPull(dbURL, repoPath); err != nil { + return err + } + s.db, err = walk() + return err +} + +func walk() (AdvisoryDB, error) { + advisoryDB := AdvisoryDB{} + err := filepath.Walk(filepath.Join(repoPath, "vuln"), func(path string, info os.FileInfo, err error) error { + if info.IsDir() || !strings.HasSuffix(info.Name(), ".json") { + return nil + } + f, err := os.Open(path) + if err != nil { + return err + } + defer f.Close() + + advisory := Advisory{} + if err = json.NewDecoder(f).Decode(&advisory); err != nil { + return err + } + advisory.ModuleName = strings.ToLower(advisory.ModuleName) + + // `cvss_score` returns float or string like "4.8 (MEDIUM)" + s := strings.Split(advisory.CvssScoreNumber.String(), " ") + advisory.CvssScore, err = strconv.ParseFloat(s[0], 64) + if err != nil { + advisory.CvssScore = -1 + } + + advisories, ok := advisoryDB[advisory.ModuleName] + if !ok { + advisories = []Advisory{} + } + advisoryDB[advisory.ModuleName] = append(advisories, advisory) + + return nil + }) + if err != nil { + return nil, err + } + return advisoryDB, nil +} diff --git a/pkg/scanner/library/npm/scan.go b/pkg/scanner/library/npm/scan.go new file mode 100644 index 0000000000..fbf50ec12f --- /dev/null +++ b/pkg/scanner/library/npm/scan.go @@ -0,0 +1,82 @@ +package npm + +import ( + "fmt" + "os" + "strings" + + "golang.org/x/xerrors" + + "github.com/knqyf263/go-dep-parser/pkg/npm" + ptypes "github.com/knqyf263/go-dep-parser/pkg/types" + "github.com/knqyf263/go-version" + "github.com/knqyf263/trivy/pkg/scanner/utils" + "github.com/knqyf263/trivy/pkg/types" +) + +const ( + scannerType = "npm" +) + +type Scanner struct { + db AdvisoryDB +} + +func NewScanner() *Scanner { + return &Scanner{} +} + +func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]types.Vulnerability, error) { + replacer := strings.NewReplacer(".alpha", "-alpha", ".beta", "-beta", ".rc", "-rc", " <", ", <", " >", ", >") + var vulns []types.Vulnerability + for _, advisory := range s.db[pkgName] { + // e.g. <= 2.15.0 || >= 3.0.0 <= 3.8.2 + // => {"<=2.15.0", ">= 3.0.0, <= 3.8.2"} + var vulnerableVersions []string + for _, version := range strings.Split(advisory.VulnerableVersions, " || ") { + version = strings.TrimSpace(version) + vulnerableVersions = append(vulnerableVersions, replacer.Replace(version)) + } + + if !utils.MatchVersions(pkgVer, vulnerableVersions) { + continue + } + + var patchedVersions []string + for _, version := range strings.Split(advisory.PatchedVersions, " || ") { + version = strings.TrimSpace(version) + patchedVersions = append(patchedVersions, replacer.Replace(version)) + } + + if utils.MatchVersions(pkgVer, patchedVersions) { + continue + } + + if len(advisory.Cves) == 0 { + advisory.Cves = []string{fmt.Sprintf("NSWG-ECO-%d", advisory.ID)} + } + + for _, cveID := range advisory.Cves { + vuln := types.Vulnerability{ + VulnerabilityID: cveID, + PkgName: pkgName, + Title: strings.TrimSpace(advisory.Title), + InstalledVersion: pkgVer.String(), + FixedVersion: strings.Join(patchedVersions, ", "), + } + vulns = append(vulns, vuln) + } + } + return vulns, nil +} + +func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) { + libs, err := npm.Parse(f) + if err != nil { + return nil, xerrors.Errorf("invalid package-lock.json format: %w", err) + } + return libs, nil +} +func (s *Scanner) Type() string { + return scannerType +} diff --git a/pkg/scanner/library/pipenv/advisory.go b/pkg/scanner/library/pipenv/advisory.go new file mode 100644 index 0000000000..c1329b4345 --- /dev/null +++ b/pkg/scanner/library/pipenv/advisory.go @@ -0,0 +1,57 @@ +package pipenv + +import ( + "encoding/json" + "os" + "path/filepath" + + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/utils" + + "github.com/knqyf263/trivy/pkg/git" +) + +const ( + dbURL = "https://github.com/pyupio/safety-db.git" +) + +var ( + repoPath = filepath.Join(utils.CacheDir(), "python-safety-db") +) + +type AdvisoryDB map[string][]Advisory + +type Advisory struct { + ID string + Advisory string + Cve string + Specs []string + Version string `json:"v"` +} + +func (s *Scanner) UpdateDB() (err error) { + if _, err := git.CloneOrPull(dbURL, repoPath); err != nil { + return err + } + s.db, err = parse() + if err != nil { + return xerrors.Errorf("failed to parse python safety-db: %w", err) + } + return nil +} + +func parse() (AdvisoryDB, error) { + advisoryDB := AdvisoryDB{} + f, err := os.Open(filepath.Join(repoPath, "data", "insecure_full.json")) + if err != nil { + return nil, err + } + defer f.Close() + + if err = json.NewDecoder(f).Decode(&advisoryDB); err != nil { + return nil, err + } + + return advisoryDB, nil +} diff --git a/pkg/scanner/library/pipenv/scan.go b/pkg/scanner/library/pipenv/scan.go new file mode 100644 index 0000000000..78cc16bbcd --- /dev/null +++ b/pkg/scanner/library/pipenv/scan.go @@ -0,0 +1,73 @@ +package pipenv + +import ( + "os" + "strings" + + "golang.org/x/xerrors" + + "github.com/knqyf263/go-dep-parser/pkg/pipenv" + ptypes "github.com/knqyf263/go-dep-parser/pkg/types" + "github.com/knqyf263/go-version" + "github.com/knqyf263/trivy/pkg/scanner/utils" + "github.com/knqyf263/trivy/pkg/types" +) + +const ( + scannerType = "pipenv" +) + +type Scanner struct { + db AdvisoryDB +} + +func NewScanner() *Scanner { + return &Scanner{} +} + +func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]types.Vulnerability, error) { + var vulns []types.Vulnerability + for _, advisory := range s.db[pkgName] { + if !utils.MatchVersions(pkgVer, advisory.Specs) { + continue + } + + vulnerabilityID := advisory.Cve + if vulnerabilityID == "" { + vulnerabilityID = advisory.ID + } + + vuln := types.Vulnerability{ + VulnerabilityID: vulnerabilityID, + PkgName: pkgName, + Title: strings.TrimSpace(advisory.Advisory), + InstalledVersion: pkgVer.String(), + FixedVersion: createFixedVersions(advisory.Specs), + } + vulns = append(vulns, vuln) + } + return vulns, nil +} + +func createFixedVersions(specs []string) string { + var fixedVersions []string + for _, spec := range specs { + for _, s := range strings.Split(spec, ",") { + if !strings.HasPrefix(s, "<=") && strings.HasPrefix(s, "<") { + fixedVersions = append(fixedVersions, strings.TrimPrefix(s, "<")) + } + } + } + return strings.Join(fixedVersions, ", ") +} + +func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) { + libs, err := pipenv.Parse(f) + if err != nil { + return nil, xerrors.Errorf("invalid Pipfile.lock format: %w", err) + } + return libs, nil +} +func (s *Scanner) Type() string { + return scannerType +} diff --git a/pkg/scanner/library/scan.go b/pkg/scanner/library/scan.go new file mode 100644 index 0000000000..1a2b568b12 --- /dev/null +++ b/pkg/scanner/library/scan.go @@ -0,0 +1,116 @@ +package library + +import ( + "os" + "path/filepath" + + "github.com/knqyf263/fanal/analyzer" + _ "github.com/knqyf263/fanal/analyzer/library/bundler" + _ "github.com/knqyf263/fanal/analyzer/library/composer" + _ "github.com/knqyf263/fanal/analyzer/library/npm" + _ "github.com/knqyf263/fanal/analyzer/library/pipenv" + "github.com/knqyf263/fanal/extractor" + ptypes "github.com/knqyf263/go-dep-parser/pkg/types" + "github.com/knqyf263/go-version" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/scanner/library/bundler" + "github.com/knqyf263/trivy/pkg/scanner/library/composer" + "github.com/knqyf263/trivy/pkg/scanner/library/npm" + "github.com/knqyf263/trivy/pkg/scanner/library/pipenv" + "github.com/knqyf263/trivy/pkg/types" + "golang.org/x/xerrors" +) + +type Scanner interface { + UpdateDB() error + ParseLockfile(*os.File) ([]ptypes.Library, error) + Detect(string, *version.Version) ([]types.Vulnerability, error) + Type() string +} + +func NewScanner(filename string) Scanner { + var scanner Scanner + switch filename { + case "Gemfile.lock": + scanner = bundler.NewScanner() + case "composer.lock": + scanner = composer.NewScanner() + case "package-lock.json": + scanner = npm.NewScanner() + case "Pipfile.lock": + scanner = pipenv.NewScanner() + default: + return nil + } + return scanner +} + +func Scan(files extractor.FileMap) (map[string][]types.Vulnerability, error) { + results, err := analyzer.GetLibraries(files) + if err != nil { + return nil, xerrors.Errorf("failed to analyze libraries: %w", err) + } + + vulnerabilities := map[string][]types.Vulnerability{} + for path, pkgs := range results { + log.Logger.Debugf("Detecting library vulnerabilities, path: %s", path) + scanner := NewScanner(filepath.Base(string(path))) + if scanner == nil { + return nil, xerrors.New("unknown file type") + } + + vulns, err := scan(scanner, pkgs) + if err != nil { + return nil, xerrors.Errorf("failed to scan %s vulnerabilities: %w", scanner.Type(), err) + } + + if len(vulns) != 0 { + vulnerabilities[string(path)] = vulns + } + } + return vulnerabilities, nil +} + +func ScanFile(f *os.File) ([]types.Vulnerability, error) { + scanner := NewScanner(f.Name()) + if scanner == nil { + return nil, xerrors.New("unknown file type") + } + + pkgs, err := scanner.ParseLockfile(f) + if err != nil { + return nil, err + } + + vulns, err := scan(scanner, pkgs) + if err != nil { + return nil, err + } + return vulns, nil +} + +func scan(scanner Scanner, pkgs []ptypes.Library) ([]types.Vulnerability, error) { + log.Logger.Infof("Updating %s Security DB...", scanner.Type()) + err := scanner.UpdateDB() + if err != nil { + return nil, xerrors.Errorf("failed to update %s advisories: %w", scanner.Type(), err) + } + + log.Logger.Infof("Detect %s vulnerabilities", scanner.Type()) + var vulnerabilities []types.Vulnerability + for _, pkg := range pkgs { + v, err := version.NewVersion(pkg.Version) + if err != nil { + log.Logger.Debug(err) + continue + } + + vulns, err := scanner.Detect(pkg.Name, v) + if err != nil { + return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", scanner.Type(), err) + } + vulnerabilities = append(vulnerabilities, vulns...) + } + + return vulnerabilities, nil +} diff --git a/pkg/scanner/ospkg/alpine/alpine.go b/pkg/scanner/ospkg/alpine/alpine.go new file mode 100644 index 0000000000..1785ae3f18 --- /dev/null +++ b/pkg/scanner/ospkg/alpine/alpine.go @@ -0,0 +1,57 @@ +package alpine + +import ( + "strings" + + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/scanner/utils" + + "github.com/knqyf263/go-rpm-version" + + "github.com/knqyf263/trivy/pkg/vulnsrc/alpine" + + "github.com/knqyf263/fanal/analyzer" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/types" +) + +type Scanner struct{} + +func NewScanner() *Scanner { + return &Scanner{} +} + +func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Vulnerability, error) { + log.Logger.Info("Detecting Alpine vulnerabilities...") + if strings.Count(osVer, ".") > 1 { + osVer = osVer[:strings.LastIndex(osVer, ".")] + } + log.Logger.Debugf("alpine: os version: %s", osVer) + log.Logger.Debugf("alpine: the number of packages: %s", len(pkgs)) + + var vulns []types.Vulnerability + for _, pkg := range pkgs { + advisories, err := alpine.Get(osVer, pkg.Name) + if err != nil { + return nil, xerrors.Errorf("failed to get alpine advisories: %w", err) + } + + installed := utils.FormatVersion(pkg) + installedVersion := version.NewVersion(installed) + + for _, adv := range advisories { + fixedVersion := version.NewVersion(adv.FixedVersion) + if installedVersion.LessThan(fixedVersion) { + vuln := types.Vulnerability{ + VulnerabilityID: adv.VulnerabilityID, + PkgName: pkg.Name, + InstalledVersion: installed, + FixedVersion: adv.FixedVersion, + } + vulns = append(vulns, vuln) + } + } + } + return vulns, nil +} diff --git a/pkg/scanner/ospkg/debian/debian.go b/pkg/scanner/ospkg/debian/debian.go new file mode 100644 index 0000000000..1a075733af --- /dev/null +++ b/pkg/scanner/ospkg/debian/debian.go @@ -0,0 +1,81 @@ +package debian + +import ( + "strings" + + "golang.org/x/xerrors" + + "github.com/knqyf263/go-deb-version" + "github.com/knqyf263/trivy/pkg/scanner/utils" + + "github.com/knqyf263/fanal/analyzer" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/types" + "github.com/knqyf263/trivy/pkg/vulnsrc/debian" + debianoval "github.com/knqyf263/trivy/pkg/vulnsrc/debian-oval" +) + +type Scanner struct{} + +func NewScanner() *Scanner { + return &Scanner{} +} + +func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Vulnerability, error) { + log.Logger.Info("Detecting Debian vulnerabilities...") + + if strings.Count(osVer, ".") > 0 { + osVer = osVer[:strings.Index(osVer, ".")] + } + log.Logger.Debugf("debian: os version: %s", osVer) + log.Logger.Debugf("debian: the number of packages: %s", len(pkgs)) + + var vulns []types.Vulnerability + for _, pkg := range pkgs { + if pkg.Type != analyzer.TypeSource { + continue + } + advisories, err := debianoval.Get(osVer, pkg.Name) + if err != nil { + return nil, xerrors.Errorf("failed to get debian OVAL: %w", err) + } + + installed := utils.FormatVersion(pkg) + installedVersion, err := version.NewVersion(installed) + if err != nil { + log.Logger.Debugf("failed to parse Debian installed package version: %w", err) + continue + } + + for _, adv := range advisories { + fixedVersion, err := version.NewVersion(adv.FixedVersion) + if err != nil { + log.Logger.Debugf("failed to parse Debian package version: %w", err) + continue + } + + if installedVersion.LessThan(fixedVersion) { + vuln := types.Vulnerability{ + VulnerabilityID: adv.VulnerabilityID, + PkgName: pkg.Name, + InstalledVersion: installed, + FixedVersion: adv.FixedVersion, + } + vulns = append(vulns, vuln) + } + } + advisories, err = debian.Get(osVer, pkg.Name) + if err != nil { + return nil, xerrors.Errorf("failed to get debian advisory: %w", err) + } + for _, adv := range advisories { + vuln := types.Vulnerability{ + VulnerabilityID: adv.VulnerabilityID, + PkgName: pkg.Name, + InstalledVersion: installed, + } + vulns = append(vulns, vuln) + } + } + return vulns, nil +} diff --git a/pkg/scanner/ospkg/redhat/redhat.go b/pkg/scanner/ospkg/redhat/redhat.go new file mode 100644 index 0000000000..f1e958ebc7 --- /dev/null +++ b/pkg/scanner/ospkg/redhat/redhat.go @@ -0,0 +1,56 @@ +package redhat + +import ( + "strings" + + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/scanner/utils" + + "github.com/knqyf263/go-rpm-version" + + "github.com/knqyf263/fanal/analyzer" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/types" + "github.com/knqyf263/trivy/pkg/vulnsrc/redhat" +) + +type Scanner struct{} + +func NewScanner() *Scanner { + return &Scanner{} +} + +func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Vulnerability, error) { + log.Logger.Info("Detecting RHEL/CentOS vulnerabilities...") + if strings.Count(osVer, ".") > 0 { + osVer = osVer[:strings.Index(osVer, ".")] + } + log.Logger.Debugf("redhat: os version: %s", osVer) + log.Logger.Debugf("redhat: the number of packages: %s", len(pkgs)) + + var vulns []types.Vulnerability + for _, pkg := range pkgs { + advisories, err := redhat.Get(osVer, pkg.Name) + if err != nil { + return nil, xerrors.Errorf("failed to get Red Hat advisories: %w", err) + } + + installed := utils.FormatVersion(pkg) + installedVersion := version.NewVersion(installed) + for _, adv := range advisories { + fixedVersion := version.NewVersion(adv.FixedVersion) + + if installedVersion.LessThan(fixedVersion) { + vuln := types.Vulnerability{ + VulnerabilityID: adv.VulnerabilityID, + PkgName: pkg.Name, + InstalledVersion: installed, + FixedVersion: adv.FixedVersion, + } + vulns = append(vulns, vuln) + } + } + } + return vulns, nil +} diff --git a/pkg/scanner/ospkg/scan.go b/pkg/scanner/ospkg/scan.go new file mode 100644 index 0000000000..69a848da5d --- /dev/null +++ b/pkg/scanner/ospkg/scan.go @@ -0,0 +1,57 @@ +package ospkg + +import ( + "github.com/knqyf263/fanal/analyzer" + fos "github.com/knqyf263/fanal/analyzer/os" + _ "github.com/knqyf263/fanal/analyzer/os/alpine" + _ "github.com/knqyf263/fanal/analyzer/os/debianbase" + _ "github.com/knqyf263/fanal/analyzer/os/redhatbase" + _ "github.com/knqyf263/fanal/analyzer/pkg/apk" + _ "github.com/knqyf263/fanal/analyzer/pkg/dpkg" + "github.com/knqyf263/fanal/extractor" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/scanner/ospkg/alpine" + "github.com/knqyf263/trivy/pkg/scanner/ospkg/debian" + "github.com/knqyf263/trivy/pkg/scanner/ospkg/redhat" + "github.com/knqyf263/trivy/pkg/scanner/ospkg/ubuntu" + "github.com/knqyf263/trivy/pkg/types" + "golang.org/x/xerrors" +) + +type Scanner interface { + Detect(string, []analyzer.Package) ([]types.Vulnerability, error) +} + +func Scan(files extractor.FileMap) (string, string, []types.Vulnerability, error) { + os, err := analyzer.GetOS(files) + if err != nil { + return "", "", nil, xerrors.Errorf("failed to analyze OS: %w", err) + } + log.Logger.Debugf("OS family: %s, OS version: %s", os.Family, os.Name) + + var s Scanner + switch os.Family { + case fos.Alpine: + s = alpine.NewScanner() + case fos.Debian: + s = debian.NewScanner() + case fos.Ubuntu: + s = ubuntu.NewScanner() + case fos.RedHat, fos.CentOS: + s = redhat.NewScanner() + default: + return "", "", nil, xerrors.New("unsupported os") + } + pkgs, err := analyzer.GetPackages(files) + if err != nil { + return "", "", nil, xerrors.Errorf("failed to analyze OS packages: %w", err) + } + log.Logger.Debugf("the number of packages: %d", len(pkgs)) + + vulns, err := s.Detect(os.Name, pkgs) + if err != nil { + return "", "", nil, xerrors.Errorf("failed to detect vulnerabilities: %w", err) + } + + return os.Family, os.Name, vulns, nil +} diff --git a/pkg/scanner/ospkg/scan_bsd.go b/pkg/scanner/ospkg/scan_bsd.go new file mode 100644 index 0000000000..69230da143 --- /dev/null +++ b/pkg/scanner/ospkg/scan_bsd.go @@ -0,0 +1,7 @@ +// +build freebsd netbsd openbsd + +package ospkg + +import ( + _ "github.com/knqyf263/fanal/analyzer/pkg/rpmcmd" +) diff --git a/pkg/scanner/ospkg/scan_unix.go b/pkg/scanner/ospkg/scan_unix.go new file mode 100644 index 0000000000..a917266561 --- /dev/null +++ b/pkg/scanner/ospkg/scan_unix.go @@ -0,0 +1,9 @@ +// +build linux darwin + +package ospkg + +import ( + _ "github.com/knqyf263/fanal/analyzer/pkg/rpmcmd" + // TODO: Eliminate the dependency on "rpm" command + // _ "github.com/knqyf263/fanal/analyzer/pkg/rpm" +) diff --git a/pkg/scanner/ospkg/ubuntu/ubuntu.go b/pkg/scanner/ospkg/ubuntu/ubuntu.go new file mode 100644 index 0000000000..0cf3a8ffe3 --- /dev/null +++ b/pkg/scanner/ospkg/ubuntu/ubuntu.go @@ -0,0 +1,64 @@ +package ubuntu + +import ( + "github.com/knqyf263/go-deb-version" + "github.com/knqyf263/trivy/pkg/scanner/utils" + "golang.org/x/xerrors" + + "github.com/knqyf263/fanal/analyzer" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/types" + "github.com/knqyf263/trivy/pkg/vulnsrc/ubuntu" +) + +type Scanner struct{} + +func NewScanner() *Scanner { + return &Scanner{} +} + +func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Vulnerability, error) { + log.Logger.Info("Detecting Ubuntu vulnerabilities...") + log.Logger.Debugf("ubuntu: os version: %s", osVer) + log.Logger.Debugf("ubuntu: the number of packages: %s", len(pkgs)) + + var vulns []types.Vulnerability + for _, pkg := range pkgs { + advisories, err := ubuntu.Get(osVer, pkg.Name) + if err != nil { + return nil, xerrors.Errorf("failed to get Ubuntu advisories: %w", err) + } + + installed := utils.FormatVersion(pkg) + installedVersion, err := version.NewVersion(installed) + if err != nil { + log.Logger.Debugf("failed to parse Ubuntu installed package version: %w", err) + continue + } + + for _, adv := range advisories { + vuln := types.Vulnerability{ + VulnerabilityID: adv.VulnerabilityID, + PkgName: pkg.Name, + InstalledVersion: installed, + FixedVersion: adv.FixedVersion, + } + + if adv.FixedVersion == "" { + vulns = append(vulns, vuln) + continue + } + + fixedVersion, err := version.NewVersion(adv.FixedVersion) + if err != nil { + log.Logger.Debugf("failed to parse Ubuntu package version: %w", err) + continue + } + + if installedVersion.LessThan(fixedVersion) { + vulns = append(vulns, vuln) + } + } + } + return vulns, nil +} diff --git a/pkg/scanner/scan.go b/pkg/scanner/scan.go new file mode 100644 index 0000000000..c07445c802 --- /dev/null +++ b/pkg/scanner/scan.go @@ -0,0 +1,181 @@ +package scanner + +import ( + "context" + "flag" + "fmt" + "os" + + "github.com/knqyf263/trivy/pkg/log" + + "github.com/knqyf263/trivy/pkg/report" + + "github.com/knqyf263/trivy/pkg/scanner/library" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/knqyf263/trivy/pkg/types" + + "github.com/knqyf263/trivy/pkg/scanner/ospkg" + + "golang.org/x/crypto/ssh/terminal" + "golang.org/x/xerrors" + + "github.com/knqyf263/fanal/analyzer" + "github.com/knqyf263/fanal/extractor" +) + +func ScanImage(imageName, filePath string, severities []vulnerability.Severity) (report.Results, error) { + var results report.Results + var err error + ctx := context.Background() + + var target string + var files extractor.FileMap + if imageName != "" { + target = imageName + files, err = analyzer.Analyze(ctx, imageName) + if err != nil { + return nil, xerrors.Errorf("failed to analyze image: %w", err) + } + } else if filePath != "" { + target = filePath + rc, err := openStream(filePath) + if err != nil { + return nil, xerrors.Errorf("failed to open stream: %w", err) + } + + files, err = analyzer.AnalyzeFromFile(ctx, rc) + if err != nil { + return nil, err + } + } else { + return nil, xerrors.New("image name or image file must be specified") + } + + osFamily, osVersion, osVulns, err := ospkg.Scan(files) + if err != nil { + return nil, xerrors.New("failed to scan image") + + } + + results = append(results, report.Result{ + FileName: fmt.Sprintf("%s (%s %s)", target, osFamily, osVersion), + Vulnerabilities: processVulnerabilties(osVulns, severities), + }) + + libVulns, err := library.Scan(files) + if err != nil { + return nil, xerrors.New("failed to scan libraries") + } + for path, vulns := range libVulns { + results = append(results, report.Result{ + FileName: path, + Vulnerabilities: processVulnerabilties(vulns, severities), + }) + } + + return results, nil +} + +func ScanFile(f *os.File, severities []vulnerability.Severity) (report.Result, error) { + vulns, err := library.ScanFile(f) + if err != nil { + return report.Result{}, xerrors.New("failed to scan libraries in file") + } + result := report.Result{ + FileName: f.Name(), + Vulnerabilities: processVulnerabilties(vulns, severities), + } + return result, nil +} + +func processVulnerabilties(vulns []types.Vulnerability, severities []vulnerability.Severity) []types.Vulnerability { + var vulnerabilities []types.Vulnerability + for _, vuln := range vulns { + sev, title := getDetail(vuln.VulnerabilityID) + + // Filter vulnerabilities by severity + for _, s := range severities { + if s == sev { + vuln.Severity = fmt.Sprint(sev) + vuln.Title = title + vulnerabilities = append(vulnerabilities, vuln) + break + } + } + } + return vulnerabilities +} + +func openStream(path string) (*os.File, error) { + if path == "-" { + if terminal.IsTerminal(0) { + flag.Usage() + os.Exit(64) + } else { + return os.Stdin, nil + } + } + return os.Open(path) +} + +func getDetail(vulnID string) (vulnerability.Severity, string) { + details, err := vulnerability.Get(vulnID) + if err != nil { + log.Logger.Debug(err) + return vulnerability.SeverityUnknown, "" + } else if len(details) == 0 { + return vulnerability.SeverityUnknown, "" + } + severity := getSeverity(details) + title := getTitle(details) + return severity, title +} + +func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.Severity { + for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian, + vulnerability.DebianOVAL, vulnerability.Alpine} { + d, ok := details[source] + if !ok { + continue + } + if d.Severity != 0 { + return d.Severity + } else if d.SeverityV3 != 0 { + return d.SeverityV3 + } else if d.CvssScore > 0 { + return scoreToSeverity(d.CvssScore) + } else if d.CvssScoreV3 > 0 { + return scoreToSeverity(d.CvssScoreV3) + } + } + return vulnerability.SeverityUnknown +} + +func getTitle(details map[string]vulnerability.Vulnerability) string { + for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian, + vulnerability.DebianOVAL, vulnerability.Alpine} { + d, ok := details[source] + if !ok { + continue + } + if d.Title != "" { + return d.Title + } + } + return "" +} + +func scoreToSeverity(score float64) vulnerability.Severity { + if score >= 9.0 { + return vulnerability.SeverityCritical + } else if score >= 7.0 { + return vulnerability.SeverityHigh + } else if score >= 4.0 { + return vulnerability.SeverityMedium + } else if score > 0.0 { + return vulnerability.SeverityLow + } + return vulnerability.SeverityUnknown +} diff --git a/pkg/scanner/utils/utils.go b/pkg/scanner/utils/utils.go new file mode 100644 index 0000000000..e11f430bc6 --- /dev/null +++ b/pkg/scanner/utils/utils.go @@ -0,0 +1,40 @@ +package utils + +import ( + "fmt" + "strings" + + "github.com/knqyf263/fanal/analyzer" + + "github.com/knqyf263/go-version" + "github.com/knqyf263/trivy/pkg/log" +) + +var ( + replacer = strings.NewReplacer(".alpha", "-alpha", ".beta", "-beta", ".rc", "-rc") +) + +func MatchVersions(currentVersion *version.Version, rangeVersions []string) bool { + for _, p := range rangeVersions { + c, err := version.NewConstraint(replacer.Replace(p)) + if err != nil { + log.Logger.Debug("NewConstraint", "error", err) + return false + } + if c.Check(currentVersion) { + return true + } + } + return false +} + +func FormatVersion(pkg analyzer.Package) string { + v := pkg.Version + if pkg.Release != "" { + v = fmt.Sprintf("%s-%s", v, pkg.Release) + } + if pkg.Epoch != 0 { + v = fmt.Sprintf("%d:%s", pkg.Epoch, v) + } + return v +} diff --git a/pkg/types/library.go b/pkg/types/library.go new file mode 100644 index 0000000000..fc4b5eb971 --- /dev/null +++ b/pkg/types/library.go @@ -0,0 +1,6 @@ +package types + +type Library struct{ + Name string + Version string +} diff --git a/pkg/types/vulnerability.go b/pkg/types/vulnerability.go new file mode 100644 index 0000000000..625e4b8f7f --- /dev/null +++ b/pkg/types/vulnerability.go @@ -0,0 +1,11 @@ +package types + +type Vulnerability struct { + VulnerabilityID string + PkgName string + InstalledVersion string + FixedVersion string + + Title string + Severity string +} diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go new file mode 100644 index 0000000000..0ff3d57f84 --- /dev/null +++ b/pkg/utils/utils.go @@ -0,0 +1,113 @@ +package utils + +import ( + "bytes" + "io" + "os" + "os/exec" + "path/filepath" + "strings" + + "github.com/knqyf263/trivy/pkg/log" + "golang.org/x/xerrors" +) + +func CacheDir() string { + cacheDir, err := os.UserCacheDir() + if err != nil { + cacheDir = os.TempDir() + } + dir := filepath.Join(cacheDir, "trivy") + return dir +} + +func FileWalk(root string, targetFiles map[string]struct{}, walkFn func(r io.Reader, path string) error) error { + err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error { + if info.IsDir() { + return nil + } + + rel, err := filepath.Rel(root, path) + if err != nil { + return xerrors.Errorf("error in filepath rel: %w", err) + } + + if _, ok := targetFiles[rel]; !ok { + return nil + } + + if info.Size() == 0 { + log.Logger.Debugf("invalid size: %s", path) + return nil + } + + f, err := os.Open(path) + defer f.Close() + if err != nil { + return xerrors.Errorf("failed to open file: %w", err) + } + + if err = walkFn(f, path); err != nil { + return err + } + return nil + }) + if err != nil { + return xerrors.Errorf("error in file walk: %w", err) + } + return nil +} + +func IsCommandAvailable(name string) bool { + cmd := exec.Command(name, "--help") + if err := cmd.Run(); err != nil { + return false + } + return true +} + +func Exists(path string) (bool, error) { + _, err := os.Stat(path) + if err == nil { + return true, nil + } + if os.IsNotExist(err) { + return false, nil + } + return true, err +} + +func StringInSlice(a string, list []string) bool { + for _, b := range list { + if b == a { + return true + } + } + return false +} + +func Exec(command string, args []string) (string, error) { + cmd := exec.Command(command, args...) + var stdoutBuf, stderrBuf bytes.Buffer + cmd.Stdout = &stdoutBuf + cmd.Stderr = &stderrBuf + if err := cmd.Run(); err != nil { + log.Logger.Debug(stderrBuf.String()) + return "", xerrors.Errorf("failed to exec: %w", err) + } + return stdoutBuf.String(), nil +} + +func FilterTargets(prefixPath string, targets map[string]struct{}) (map[string]struct{}, error) { + filtered := map[string]struct{}{} + for filename := range targets { + if strings.HasPrefix(filename, prefixPath) { + rel, err := filepath.Rel(prefixPath, filename) + if err != nil { + return nil, xerrors.Errorf("error in filepath rel: %w", err) + } + filtered[rel] = struct{}{} + } + } + return filtered, nil +} diff --git a/pkg/vulnsrc/alpine/alpine.go b/pkg/vulnsrc/alpine/alpine.go new file mode 100644 index 0000000000..00ae22d59b --- /dev/null +++ b/pkg/vulnsrc/alpine/alpine.go @@ -0,0 +1,112 @@ +package alpine + +import ( + "encoding/json" + "fmt" + "gopkg.in/cheggaaa/pb.v1" + "io" + "path/filepath" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/knqyf263/trivy/pkg/db" + "github.com/knqyf263/trivy/pkg/log" + + "golang.org/x/xerrors" + + bolt "github.com/etcd-io/bbolt" + "github.com/knqyf263/trivy/pkg/utils" +) + +const ( + alpineDir = "alpine" +) + +var ( + platformFormat = "alpine %s" +) + +func Update(dir string, updatedFiles map[string]struct{}) error { + rootDir := filepath.Join(dir, alpineDir) + targets, err := utils.FilterTargets(alpineDir, updatedFiles) + if err != nil { + return xerrors.Errorf("failed to filter target files: %w", err) + } else if len(targets) == 0 { + log.Logger.Debug("Alpine: no updated file") + return nil + } + log.Logger.Debugf("Alpine updated files: %d", len(targets)) + + bar := pb.StartNew(len(targets)) + defer bar.Finish() + + var cves []AlpineCVE + err = utils.FileWalk(rootDir, targets, func(r io.Reader, path string) error { + var cve AlpineCVE + if err = json.NewDecoder(r).Decode(&cve); err != nil { + return xerrors.Errorf("failed to decode Alpine JSON: %w", err) + } + cves = append(cves, cve) + bar.Increment() + return nil + }) + if err != nil { + return xerrors.Errorf("error in Alpine walk: %w", err) + } + + if err = save(cves); err != nil { + return xerrors.Errorf("error in Alpine save: %w", err) + } + + return nil +} + +func save(cves []AlpineCVE) error { + log.Logger.Debug("Saving Alpine DB") + + err := db.BatchUpdate(func(tx *bolt.Tx) error { + for _, cve := range cves { + platformName := fmt.Sprintf(platformFormat, cve.Release) + pkgName := cve.Package + advisory := Advisory{ + VulnerabilityID: cve.VulnerabilityID, + FixedVersion: cve.FixedVersion, + Repository: cve.Repository, + } + if err := db.PutNestedBucket(tx, platformName, pkgName, cve.VulnerabilityID, advisory); err != nil { + return xerrors.Errorf("failed to save alpine advisory: %w", err) + } + + vuln := vulnerability.Vulnerability{ + Title: cve.Subject, + Description: cve.Description, + } + if err := vulnerability.Put(tx, cve.VulnerabilityID, vulnerability.Alpine, vuln); err != nil { + return xerrors.Errorf("failed to save alpine vulnerability: %w", err) + } + } + return nil + }) + if err != nil { + return xerrors.Errorf("error in db batch update: %w", err) + } + return nil +} + +func Get(release string, pkgName string) ([]Advisory, error) { + bucket := fmt.Sprintf(platformFormat, release) + advisories, err := db.ForEach(bucket, pkgName) + if err != nil { + return nil, xerrors.Errorf("error in Alpine foreach: %w", err) + } + + var results []Advisory + for _, v := range advisories { + var advisory Advisory + if err = json.Unmarshal(v, &advisory); err != nil { + return nil, xerrors.Errorf("failed to unmarshal Alpine JSON: %w", err) + } + results = append(results, advisory) + } + return results, nil +} diff --git a/pkg/vulnsrc/alpine/types.go b/pkg/vulnsrc/alpine/types.go new file mode 100644 index 0000000000..4c5ecb6eb7 --- /dev/null +++ b/pkg/vulnsrc/alpine/types.go @@ -0,0 +1,17 @@ +package alpine + +type AlpineCVE struct { + VulnerabilityID string + Release string + Package string + Repository string + FixedVersion string + Subject string + Description string +} + +type Advisory struct { + VulnerabilityID string + FixedVersion string + Repository string +} diff --git a/pkg/vulnsrc/debian-oval/debian-oval.go b/pkg/vulnsrc/debian-oval/debian-oval.go new file mode 100644 index 0000000000..02c4f99672 --- /dev/null +++ b/pkg/vulnsrc/debian-oval/debian-oval.go @@ -0,0 +1,165 @@ +package debianoval + +import ( + "encoding/json" + "fmt" + "gopkg.in/cheggaaa/pb.v1" + "io" + "os" + "path/filepath" + "strings" + + "github.com/knqyf263/trivy/pkg/vulnsrc/debian" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + bolt "github.com/etcd-io/bbolt" + "github.com/knqyf263/trivy/pkg/db" + "github.com/knqyf263/trivy/pkg/log" + + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/utils" +) + +var ( + debianDir = filepath.Join("oval", "debian") + // e.g. debian oval 8 + platformFormat = "debian oval %s" +) + +func Update(dir string, updatedFiles map[string]struct{}) error { + rootDir := filepath.Join(dir, debianDir) + targets, err := utils.FilterTargets(debianDir, updatedFiles) + if err != nil { + return xerrors.Errorf("failed to filter target files: %w", err) + } else if len(targets) == 0 { + log.Logger.Debug("Debian OVAL: no updated file") + return nil + } + log.Logger.Debugf("Debian OVAL updated files: %d", len(targets)) + + bar := pb.StartNew(len(targets)) + defer bar.Finish() + + var cves []DebianOVAL + err = utils.FileWalk(rootDir, targets, func(r io.Reader, path string) error { + var cve DebianOVAL + if err = json.NewDecoder(r).Decode(&cve); err != nil { + return xerrors.Errorf("failed to decode Debian OVAL JSON: %w", err) + } + + dirs := strings.Split(path, string(os.PathSeparator)) + if len(dirs) < 3 { + log.Logger.Debugf("invalid path: %s", path) + return nil + } + cve.Release = dirs[len(dirs)-3] + cves = append(cves, cve) + bar.Increment() + return nil + }) + if err != nil { + return xerrors.Errorf("error in Debian OVAL walk: %w", err) + } + + if err = save(cves); err != nil { + return xerrors.Errorf("error in Debian OVAL save: %w", err) + } + + return nil +} + +// from https://github.com/kotakanbe/goval-dictionary/blob/c462c07a5cd0b6de52f167e9aa4298083edfc356/models/debian.go#L53 +func walkDebian(cri Criteria, pkgs []Package) []Package { + for _, c := range cri.Criterions { + ss := strings.Split(c.Comment, " DPKG is earlier than ") + if len(ss) != 2 { + continue + } + + // "0" means notyetfixed or erroneous information. + // Not available because "0" includes erroneous info... + if ss[1] == "0" { + continue + } + pkgs = append(pkgs, Package{ + Name: ss[0], + FixedVersion: strings.Split(ss[1], " ")[0], + }) + } + + if len(cri.Criterias) == 0 { + return pkgs + } + for _, c := range cri.Criterias { + pkgs = walkDebian(c, pkgs) + } + return pkgs +} + +func save(cves []DebianOVAL) error { + log.Logger.Debug("Saving Debian OVAL") + err := db.BatchUpdate(func(tx *bolt.Tx) error { + for _, cve := range cves { + affectedPkgs := walkDebian(cve.Criteria, []Package{}) + for _, affectedPkg := range affectedPkgs { + // stretch => 9 + majorVersion, ok := debian.DebianReleasesMapping[cve.Release] + if !ok { + continue + } + platformName := fmt.Sprintf(platformFormat, majorVersion) + cveID := cve.Metadata.Title + advisory := vulnerability.Advisory{ + VulnerabilityID: cveID, + FixedVersion: affectedPkg.FixedVersion, + } + if err := db.PutNestedBucket(tx, platformName, affectedPkg.Name, cveID, advisory); err != nil { + return xerrors.Errorf("failed to save Debian OVAL advisory: %w", err) + } + + var references []string + for _, ref := range cve.Metadata.References { + references = append(references, ref.RefURL) + } + + vuln := vulnerability.Vulnerability{ + Description: cve.Metadata.Description, + References: references, + } + + if err := vulnerability.Put(tx, cveID, vulnerability.DebianOVAL, vuln); err != nil { + return xerrors.Errorf("failed to save Debian OVAL vulnerability: %w", err) + } + } + } + return nil + }) + if err != nil { + return xerrors.Errorf("error in batch update: %w", err) + } + + return nil +} + +func Get(release string, pkgName string) ([]vulnerability.Advisory, error) { + bucket := fmt.Sprintf(platformFormat, release) + advisories, err := db.ForEach(bucket, pkgName) + if err != nil { + return nil, xerrors.Errorf("error in Debian OVAL foreach: %w", err) + } + if len(advisories) == 0 { + return nil, nil + } + + var results []vulnerability.Advisory + for _, v := range advisories { + var advisory vulnerability.Advisory + if err = json.Unmarshal(v, &advisory); err != nil { + return nil, xerrors.Errorf("failed to unmarshal Debian OVAL JSON: %w", err) + } + results = append(results, advisory) + } + return results, nil +} diff --git a/pkg/vulnsrc/debian-oval/types.go b/pkg/vulnsrc/debian-oval/types.go new file mode 100644 index 0000000000..1f8cf2c153 --- /dev/null +++ b/pkg/vulnsrc/debian-oval/types.go @@ -0,0 +1,43 @@ +package debianoval + +type DebianOVAL struct { + Metadata Metadata + Criteria Criteria + Release string +} + +type Metadata struct { + Title string + AffectedList []Affected + Description string + References []Reference +} + +type Affected struct { + Family string + Platform string + Product string +} + +type Criteria struct { + Operator string + Criterias []Criteria + Criterions []Criterion +} + +type Reference struct { + Source string + RefID string + RefURL string +} + +type Criterion struct { + Negate bool + TestRef string + Comment string +} + +type Package struct { + Name string + FixedVersion string +} diff --git a/pkg/vulnsrc/debian/debian.go b/pkg/vulnsrc/debian/debian.go new file mode 100644 index 0000000000..ad39cf793f --- /dev/null +++ b/pkg/vulnsrc/debian/debian.go @@ -0,0 +1,155 @@ +package debian + +import ( + "encoding/json" + "fmt" + "gopkg.in/cheggaaa/pb.v1" + "io" + "path/filepath" + "strings" + + bolt "github.com/etcd-io/bbolt" + "github.com/knqyf263/trivy/pkg/db" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/utils" + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + "golang.org/x/xerrors" +) + +const ( + debianDir = "debian" +) + +var ( + // e.g. debian 8 + platformFormat = "debian %s" + DebianReleasesMapping = map[string]string{ + // Code names + "squeeze": "6", + "wheezy": "7", + "jessie": "8", + "stretch": "9", + "buster": "10", + "sid": "unstable", + } +) + +func Update(dir string, updatedFiles map[string]struct{}) error { + rootDir := filepath.Join(dir, debianDir) + targets, err := utils.FilterTargets(debianDir, updatedFiles) + if err != nil { + return xerrors.Errorf("failed to filter target files: %w", err) + } else if len(targets) == 0 { + log.Logger.Debug("Debian: no updated file") + return nil + } + log.Logger.Debugf("Debian updated files: %d", len(targets)) + + bar := pb.StartNew(len(targets)) + defer bar.Finish() + + var cves []DebianCVE + err = utils.FileWalk(rootDir, targets, func(r io.Reader, path string) error { + var cve DebianCVE + if err = json.NewDecoder(r).Decode(&cve); err != nil { + return xerrors.Errorf("failed to decode Debian JSON: %w", err) + } + + cve.VulnerabilityID = strings.TrimSuffix(filepath.Base(path), ".json") + cve.Package = filepath.Base(filepath.Dir(path)) + cves = append(cves, cve) + + bar.Increment() + return nil + }) + if err != nil { + return xerrors.Errorf("error in Debian walk: %w", err) + } + + if err = save(cves); err != nil { + return xerrors.Errorf("error in Debian save: %w", err) + } + + return nil +} + +func save(cves []DebianCVE) error { + log.Logger.Debug("Saving Debian DB") + err := db.BatchUpdate(func(tx *bolt.Tx) error { + for _, cve := range cves { + for _, release := range cve.Releases { + for releaseStr := range release.Repositories { + majorVersion, ok := DebianReleasesMapping[releaseStr] + if !ok { + continue + } + platformName := fmt.Sprintf(platformFormat, majorVersion) + if release.Status != "open" { + continue + } + advisory := vulnerability.Advisory{ + VulnerabilityID: cve.VulnerabilityID, + //Severity: severityFromUrgency(release.Urgency), + } + if err := db.PutNestedBucket(tx, platformName, cve.Package, cve.VulnerabilityID, advisory); err != nil { + return xerrors.Errorf("failed to save Debian advisory: %w", err) + } + + vuln := vulnerability.Vulnerability{ + Severity: severityFromUrgency(release.Urgency), + Description: cve.Description, + } + + if err := vulnerability.Put(tx, cve.VulnerabilityID, vulnerability.Debian, vuln); err != nil { + return xerrors.Errorf("failed to save Debian vulnerability: %w", err) + } + } + } + } + return nil + }) + if err != nil { + return xerrors.Errorf("error in batch update: %w", err) + } + + return nil +} + +func Get(release string, pkgName string) ([]vulnerability.Advisory, error) { + bucket := fmt.Sprintf(platformFormat, release) + advisories, err := db.ForEach(bucket, pkgName) + if err != nil { + return nil, xerrors.Errorf("error in Debian foreach: %w", err) + } + if len(advisories) == 0 { + return nil, nil + } + + var results []vulnerability.Advisory + for _, v := range advisories { + var advisory vulnerability.Advisory + if err = json.Unmarshal(v, &advisory); err != nil { + return nil, xerrors.Errorf("failed to unmarshal Debian JSON: %w", err) + } + results = append(results, advisory) + } + return results, nil +} + +func severityFromUrgency(urgency string) vulnerability.Severity { + switch urgency { + case "not yet assigned": + return vulnerability.SeverityUnknown + + case "end-of-life", "unimportant", "low", "low*", "low**": + return vulnerability.SeverityLow + + case "medium", "medium*", "medium**": + return vulnerability.SeverityMedium + + case "high", "high*", "high**": + return vulnerability.SeverityHigh + default: + return vulnerability.SeverityUnknown + } +} diff --git a/pkg/vulnsrc/debian/types.go b/pkg/vulnsrc/debian/types.go new file mode 100644 index 0000000000..5e726aaa49 --- /dev/null +++ b/pkg/vulnsrc/debian/types.go @@ -0,0 +1,15 @@ +package debian + +type DebianCVE struct { + Description string `json:"description"` + Releases map[string]Release `json:"releases"` + Scope string `json:"scope"` + Package string + VulnerabilityID string +} + +type Release struct { + Repositories map[string]string `json:"repositories"` + Status string `json:"status"` + Urgency string `json:"urgency"` +} diff --git a/pkg/vulnsrc/nvd/nvd.go b/pkg/vulnsrc/nvd/nvd.go new file mode 100644 index 0000000000..3daeb114e2 --- /dev/null +++ b/pkg/vulnsrc/nvd/nvd.go @@ -0,0 +1,87 @@ +package nvd + +import ( + "encoding/json" + "gopkg.in/cheggaaa/pb.v1" + "io" + "path/filepath" + + "github.com/knqyf263/trivy/pkg/log" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/utils" + + bolt "github.com/etcd-io/bbolt" + "github.com/knqyf263/trivy/pkg/db" +) + +const ( + nvdDir = "nvd" + rootBucket = "NVD" + nestedBucket = "dummy" +) + +func Update(dir string, updatedFiles map[string]struct{}) error { + rootDir := filepath.Join(dir, nvdDir) + targets, err := utils.FilterTargets(nvdDir, updatedFiles) + if err != nil { + return xerrors.Errorf("failed to filter target files: %w", err) + } else if len(targets) == 0 { + log.Logger.Debug("NVD: no updated file") + return nil + } + log.Logger.Debugf("NVD updated files: %d", len(targets)) + + bar := pb.StartNew(len(targets)) + defer bar.Finish() + var items []vulnerability.Item + err = utils.FileWalk(rootDir, targets, func(r io.Reader, _ string) error { + item := vulnerability.Item{} + if err := json.NewDecoder(r).Decode(&item); err != nil { + return xerrors.Errorf("failed to decode NVD JSON: %w", err) + } + items = append(items, item) + bar.Increment() + return nil + }) + if err != nil { + return xerrors.Errorf("error in NVD walk: %w", err) + } + + if err = save(items); err != nil { + return xerrors.Errorf("error in NVD save: %w", err) + } + + return nil +} + +func save(items []vulnerability.Item) error { + log.Logger.Debug("NVD batch update") + err := vulnerability.BatchUpdate(func(b *bolt.Bucket) error { + for _, item := range items { + cveID := item.Cve.Meta.ID + severity, _ := vulnerability.NewSeverity(item.Impact.BaseMetricV2.Severity) + severityV3, _ := vulnerability.NewSeverity(item.Impact.BaseMetricV3.CvssV3.BaseSeverity) + vuln := vulnerability.Vulnerability{ + Severity: severity, + SeverityV3: severityV3, + // TODO + References: []string{}, + Title: "", + Description: "", + } + + if err := db.Put(b, cveID, vulnerability.Nvd, vuln); err != nil { + return err + } + } + return nil + }) + if err != nil { + return xerrors.Errorf("error in batch update: %w", err) + } + return nil +} diff --git a/pkg/vulnsrc/redhat/redhat.go b/pkg/vulnsrc/redhat/redhat.go new file mode 100644 index 0000000000..89cbaa0fd2 --- /dev/null +++ b/pkg/vulnsrc/redhat/redhat.go @@ -0,0 +1,248 @@ +package redhat + +import ( + "encoding/json" + "fmt" + "gopkg.in/cheggaaa/pb.v1" + "io" + "io/ioutil" + "path/filepath" + "strconv" + "strings" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/knqyf263/trivy/pkg/log" + + bolt "github.com/etcd-io/bbolt" + "github.com/knqyf263/trivy/pkg/db" + "github.com/knqyf263/trivy/pkg/utils" + "golang.org/x/xerrors" +) + +const ( + redhatDir = "redhat" + platformFormat = "Red Hat Enterprise Linux %s" +) + +var ( + targetPlatforms = []string{"Red Hat Enterprise Linux 5", "Red Hat Enterprise Linux 6", "Red Hat Enterprise Linux 7"} + targetStatus = []string{"Affected", "Fix deferred", "Will not fix"} +) + +func Update(dir string, updatedFiles map[string]struct{}) error { + rootDir := filepath.Join(dir, redhatDir) + targets, err := utils.FilterTargets(redhatDir, updatedFiles) + if err != nil { + return xerrors.Errorf("failed to filter target files: %w", err) + } else if len(targets) == 0 { + log.Logger.Debug("Red Hat: no updated file") + return nil + } + log.Logger.Debugf("Red Hat updated files: %d", len(targets)) + + bar := pb.StartNew(len(targets)) + defer bar.Finish() + + var cves []RedhatCVE + err = utils.FileWalk(rootDir, targets, func(r io.Reader, _ string) error { + content, err := ioutil.ReadAll(r) + if err != nil { + return err + } + cve := RedhatCVE{} + if err = json.Unmarshal(content, &cve); err != nil { + return xerrors.Errorf("failed to decode RedHat JSON: %w", err) + } + switch cve.TempAffectedRelease.(type) { + case []interface{}: + var ar RedhatCVEAffectedReleaseArray + if err = json.Unmarshal(content, &ar); err != nil { + return xerrors.Errorf("unknown affected_release type: %w", err) + } + cve.AffectedRelease = ar.AffectedRelease + case map[string]interface{}: + var ar RedhatCVEAffectedReleaseObject + if err = json.Unmarshal(content, &ar); err != nil { + return xerrors.Errorf("unknown affected_release type: %w", err) + } + cve.AffectedRelease = []RedhatAffectedRelease{ar.AffectedRelease} + case nil: + default: + return xerrors.New("unknown affected_release type") + } + + switch cve.TempPackageState.(type) { + case []interface{}: + var ps RedhatCVEPackageStateArray + if err = json.Unmarshal(content, &ps); err != nil { + return xerrors.Errorf("unknown package_state type: %w", err) + } + cve.PackageState = ps.PackageState + case map[string]interface{}: + var ps RedhatCVEPackageStateObject + if err = json.Unmarshal(content, &ps); err != nil { + return xerrors.Errorf("unknown package_state type: %w", err) + } + cve.PackageState = []RedhatPackageState{ps.PackageState} + case nil: + default: + return xerrors.New("unknown package_state type") + } + cves = append(cves, cve) + bar.Increment() + return nil + }) + if err != nil { + return xerrors.Errorf("error in RedHat walk: %w", err) + } + + if err = save(cves); err != nil { + return xerrors.Errorf("error in RedHat save: %w", err) + } + + return nil +} + +// platformName: pkgStatus +type platform map[string]pkg + +// pkgName: advisoryStatus +type pkg map[string]advisory + +// cveID: version +type advisory map[string]interface{} + +func save(cves []RedhatCVE) error { + log.Logger.Debug("Saving RedHat DB") + err := db.BatchUpdate(func(tx *bolt.Tx) error { + for _, cve := range cves { + for _, affected := range cve.AffectedRelease { + if affected.Package == "" { + continue + } + // e.g. Red Hat Enterprise Linux 7 + platformName := affected.ProductName + if !utils.StringInSlice(affected.ProductName, targetPlatforms) { + continue + } + + pkgName, version := splitPkgName(affected.Package) + advisory := vulnerability.Advisory{ + VulnerabilityID: cve.Name, + FixedVersion: version, + } + if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Name, advisory); err != nil { + return xerrors.Errorf("failed to save Red Hat advisory: %w", err) + } + + } + + for _, pkgState := range cve.PackageState { + pkgName := pkgState.PackageName + if pkgName == "" { + continue + } + // e.g. Red Hat Enterprise Linux 7 + platformName := pkgState.ProductName + if !utils.StringInSlice(platformName, targetPlatforms) { + continue + } + if !utils.StringInSlice(pkgState.FixState, targetStatus) { + continue + } + + advisory := vulnerability.Advisory{ + // this means all versions + FixedVersion: "", + VulnerabilityID: cve.Name, + } + if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Name, advisory); err != nil { + return xerrors.Errorf("failed to save Red Hat advisory: %w", err) + } + + } + + cvssScore, _ := strconv.ParseFloat(cve.Cvss.CvssBaseScore, 64) + cvss3Score, _ := strconv.ParseFloat(cve.Cvss3.Cvss3BaseScore, 64) + + title := strings.TrimPrefix(strings.TrimSpace(cve.Bugzilla.Description), cve.Name) + + vuln := vulnerability.Vulnerability{ + CvssScore: cvssScore, + CvssScoreV3: cvss3Score, + Severity: severityFromThreat(cve.ThreatSeverity), + References: cve.References, + Title: strings.TrimSpace(title), + Description: strings.TrimSpace(strings.Join(cve.Details, "")), + } + if err := vulnerability.Put(tx, cve.Name, vulnerability.RedHat, vuln); err != nil { + return xerrors.Errorf("failed to save Red Hat vulnerability: %w", err) + } + } + return nil + }) + if err != nil { + return err + } + + return nil +} + +func Get(majorVersion string, pkgName string) ([]vulnerability.Advisory, error) { + bucket := fmt.Sprintf(platformFormat, majorVersion) + advisories, err := db.ForEach(bucket, pkgName) + if err != nil { + return nil, xerrors.Errorf("error in Red Hat foreach: %w", err) + } + if len(advisories) == 0 { + return nil, nil + } + + var results []vulnerability.Advisory + for _, v := range advisories { + var advisory vulnerability.Advisory + if err = json.Unmarshal(v, &advisory); err != nil { + return nil, xerrors.Errorf("failed to unmarshal Red Hat JSON: %w", err) + } + results = append(results, advisory) + } + return results, nil +} + +// ref. https://github.com/rpm-software-management/yum/blob/043e869b08126c1b24e392f809c9f6871344c60d/rpmUtils/miscutils.py#L301 +func splitPkgName(pkgName string) (string, string) { + var version string + + // Trim release + index := strings.LastIndex(pkgName, "-") + if index == -1 { + return "", "" + } + version = pkgName[index:] + pkgName = pkgName[:index] + + // Trim version + index = strings.LastIndex(pkgName, "-") + if index == -1 { + return "", "" + } + version = pkgName[index+1:] + version + pkgName = pkgName[:index] + + return pkgName, version +} + +func severityFromThreat(sev string) vulnerability.Severity { + switch strings.Title(sev) { + case "Low": + return vulnerability.SeverityLow + case "Moderate": + return vulnerability.SeverityMedium + case "Important": + return vulnerability.SeverityHigh + case "Critical": + return vulnerability.SeverityCritical + } + return vulnerability.SeverityUnknown +} diff --git a/pkg/vulnsrc/redhat/types.go b/pkg/vulnsrc/redhat/types.go new file mode 100644 index 0000000000..1c2493b073 --- /dev/null +++ b/pkg/vulnsrc/redhat/types.go @@ -0,0 +1,80 @@ +package redhat + +type RedhatCVE struct { + ThreatSeverity string `json:"threat_severity"` + PublicDate string `json:"public_date"` + Bugzilla RedhatBugzilla `json:"bugzilla"` + Cvss RedhatCvss `json:"cvss"` + Cvss3 RedhatCvss3 `json:"cvss3"` + Iava string `json:"iava"` + Cwe string `json:"cwe"` + Statement string `json:"statement"` + Acknowledgement string `json:"acknowledgement"` + Mitigation string `json:"mitigation"` + TempAffectedRelease interface{} `json:"affected_release"` // affected_release is array or object + AffectedRelease []RedhatAffectedRelease + TempPackageState interface{} `json:"package_state"` // package_state is array or object + PackageState []RedhatPackageState + Name string `json:"name"` + DocumentDistribution string `json:"document_distribution"` + + Details []string `json:"details" gorm:"-"` + References []string `json:"references" gorm:"-"` +} + +type RedhatCVEAffectedReleaseArray struct { + AffectedRelease []RedhatAffectedRelease `json:"affected_release"` +} + +type RedhatCVEAffectedReleaseObject struct { + AffectedRelease RedhatAffectedRelease `json:"affected_release"` +} + +type RedhatCVEPackageStateArray struct { + PackageState []RedhatPackageState `json:"package_state"` +} + +type RedhatCVEPackageStateObject struct { + PackageState RedhatPackageState `json:"package_state"` +} + +type RedhatDetail struct { + Detail string `sql:"type:text"` +} + +type RedhatReference struct { + Reference string `sql:"type:text"` +} + +type RedhatBugzilla struct { + Description string `json:"description" sql:"type:text"` + BugzillaID string `json:"id"` + URL string `json:"url"` +} + +type RedhatCvss struct { + CvssBaseScore string `json:"cvss_base_score"` + CvssScoringVector string `json:"cvss_scoring_vector"` + Status string `json:"status"` +} + +type RedhatCvss3 struct { + Cvss3BaseScore string `json:"cvss3_base_score"` + Cvss3ScoringVector string `json:"cvss3_scoring_vector"` + Status string `json:"status"` +} + +type RedhatAffectedRelease struct { + ProductName string `json:"product_name"` + ReleaseDate string `json:"release_date"` + Advisory string `json:"advisory"` + Package string `json:"package"` + Cpe string `json:"cpe"` +} + +type RedhatPackageState struct { + ProductName string `json:"product_name"` + FixState string `json:"fix_state"` + PackageName string `json:"package_name"` + Cpe string `json:"cpe"` +} diff --git a/pkg/vulnsrc/ubuntu/types.go b/pkg/vulnsrc/ubuntu/types.go new file mode 100644 index 0000000000..4e74600c14 --- /dev/null +++ b/pkg/vulnsrc/ubuntu/types.go @@ -0,0 +1,18 @@ +package ubuntu + +type UbuntuCVE struct { + Description string `json:"description"` + Candidate string + Priority string + Patches map[PackageName]Patch + References []string +} + +type PackageName string +type Release string +type Patch map[Release]Status + +type Status struct { + Status string + Note string +} diff --git a/pkg/vulnsrc/ubuntu/ubuntu.go b/pkg/vulnsrc/ubuntu/ubuntu.go new file mode 100644 index 0000000000..c6a344bbec --- /dev/null +++ b/pkg/vulnsrc/ubuntu/ubuntu.go @@ -0,0 +1,165 @@ +package ubuntu + +import ( + "encoding/json" + "fmt" + "gopkg.in/cheggaaa/pb.v1" + "io" + "path/filepath" + + "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability" + + "github.com/knqyf263/trivy/pkg/log" + + bolt "github.com/etcd-io/bbolt" + + "github.com/knqyf263/trivy/pkg/db" + "golang.org/x/xerrors" + + "github.com/knqyf263/trivy/pkg/utils" +) + +const ( + ubuntuDir = "ubuntu" + platformFormat = "ubuntu %s" + t +) + +var ( + targetStatus = []string{"needed", "deferred", "released"} + UbuntuReleasesMapping = map[string]string{ + "precise": "12.04", + "quantal": "12.10", + "raring": "13.04", + "trusty": "14.04", + "utopic": "14.10", + "vivid": "15.04", + "wily": "15.10", + "xenial": "16.04", + "yakkety": "16.10", + "zesty": "17.04", + "artful": "17.10", + "bionic": "18.04", + "cosmic": "18.10", + "disco": "19.04", + } +) + +func Update(dir string, updatedFiles map[string]struct{}) error { + rootDir := filepath.Join(dir, ubuntuDir) + targets, err := utils.FilterTargets(ubuntuDir, updatedFiles) + if err != nil { + return xerrors.Errorf("failed to filter target files: %w", err) + } else if len(targets) == 0 { + log.Logger.Debug("Ubuntu: no updated file") + return nil + } + log.Logger.Debugf("Ubuntu OVAL updated files: %d", len(targets)) + + bar := pb.StartNew(len(targets)) + defer bar.Finish() + + var cves []UbuntuCVE + err = utils.FileWalk(rootDir, targets, func(r io.Reader, path string) error { + var cve UbuntuCVE + if err = json.NewDecoder(r).Decode(&cve); err != nil { + return xerrors.Errorf("failed to decode Ubuntu JSON: %w", err) + } + cves = append(cves, cve) + bar.Increment() + return nil + }) + if err != nil { + return xerrors.Errorf("error in Ubuntu walk: %w", err) + } + + if err = save(cves); err != nil { + return xerrors.Errorf("error in Ubuntu save: %w", err) + } + + return nil +} + +func save(cves []UbuntuCVE) error { + log.Logger.Debug("Saving Ubuntu DB") + err := db.BatchUpdate(func(tx *bolt.Tx) error { + for _, cve := range cves { + for packageName, patch := range cve.Patches { + pkgName := string(packageName) + for release, status := range patch { + if !utils.StringInSlice(status.Status, targetStatus) { + continue + } + osVersion, ok := UbuntuReleasesMapping[string(release)] + if !ok { + continue + } + platformName := fmt.Sprintf(platformFormat, osVersion) + advisory := vulnerability.Advisory{ + VulnerabilityID: cve.Candidate, + } + if status.Status == "released" { + advisory.FixedVersion = status.Note + } + if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Candidate, advisory); err != nil { + return xerrors.Errorf("failed to save Ubuntu advisory: %w", err) + } + + vuln := vulnerability.Vulnerability{ + Severity: severityFromPriority(cve.Priority), + References: cve.References, + Description: cve.Description, + // TODO + Title: "", + } + if err := vulnerability.Put(tx, cve.Candidate, vulnerability.Ubuntu, vuln); err != nil { + return xerrors.Errorf("failed to save Ubuntu vulnerability: %w", err) + } + } + } + } + return nil + }) + if err != nil { + return xerrors.Errorf("error in batch update: %w", err) + } + return nil +} + +func Get(release string, pkgName string) ([]vulnerability.Advisory, error) { + bucket := fmt.Sprintf(platformFormat, release) + advisories, err := db.ForEach(bucket, pkgName) + if err != nil { + return nil, xerrors.Errorf("error in Ubuntu foreach: %w", err) + } + if len(advisories) == 0 { + return nil, nil + } + + var results []vulnerability.Advisory + for _, v := range advisories { + var advisory vulnerability.Advisory + if err = json.Unmarshal(v, &advisory); err != nil { + return nil, xerrors.Errorf("failed to unmarshal Ubuntu JSON: %w", err) + } + results = append(results, advisory) + } + return results, nil +} + +func severityFromPriority(priority string) vulnerability.Severity { + switch priority { + case "untriaged": + return vulnerability.SeverityUnknown + case "negligible", "low": + return vulnerability.SeverityLow + case "medium": + return vulnerability.SeverityMedium + case "high": + return vulnerability.SeverityHigh + case "critical": + return vulnerability.SeverityCritical + default: + return vulnerability.SeverityUnknown + } +} diff --git a/pkg/vulnsrc/vulnerability/const.go b/pkg/vulnsrc/vulnerability/const.go new file mode 100644 index 0000000000..577c65afaf --- /dev/null +++ b/pkg/vulnsrc/vulnerability/const.go @@ -0,0 +1,14 @@ +package vulnerability + +const ( + // Data source + Nvd = "nvd" + RedHat = "redhat" + Debian = "debian" + DebianOVAL = "debian-oval" + Ubuntu = "ubuntu" + CentOS = "centos" + Fedora = "fedora" + Amazon = "amazon" + Alpine = "alpine" +) diff --git a/pkg/vulnsrc/vulnerability/types.go b/pkg/vulnsrc/vulnerability/types.go new file mode 100644 index 0000000000..b917f06c5c --- /dev/null +++ b/pkg/vulnsrc/vulnerability/types.go @@ -0,0 +1,95 @@ +package vulnerability + +import ( + "fmt" + "time" + + "github.com/fatih/color" +) + +type Severity int + +const ( + SeverityUnknown Severity = iota + SeverityLow + SeverityMedium + SeverityHigh + SeverityCritical +) + +var ( + SeverityNames = []string{ + "CRITICAL", + "HIGH", + "MEDIUM", + "LOW", + "UNKNOWN", + } + SeverityColor = []func(a ...interface{}) string{ + color.New(color.FgRed).SprintFunc(), + color.New(color.FgHiRed).SprintFunc(), + color.New(color.FgYellow).SprintFunc(), + color.New(color.FgBlue).SprintFunc(), + color.New(color.FgCyan).SprintFunc(), + } +) + +func NewSeverity(severity string) (Severity, error) { + for i, name := range SeverityNames { + if severity == name { + return Severity(i), nil + } + } + return SeverityUnknown, fmt.Errorf("unknown severity: %s", severity) +} + +func ColorizeSeverity(severity string) string { + for i, name := range SeverityNames { + if severity == name { + return SeverityColor[i](severity) + } + } + return color.New(color.FgBlue).SprintFunc()(severity) +} + +func (s Severity) String() string { + return SeverityNames[s] +} + +type LastUpdated struct { + Date time.Time +} + +type NVD struct { + CVEItems []Item `json:"CVE_Items"` +} + +type Item struct { + Cve Cve + Impact Impact +} + +type Cve struct { + Meta Meta `json:"CVE_data_meta"` +} + +type Meta struct { + ID string +} + +type Impact struct { + BaseMetricV2 BaseMetricV2 + BaseMetricV3 BaseMetricV3 +} + +type BaseMetricV2 struct { + Severity string +} + +type BaseMetricV3 struct { + CvssV3 CvssV3 +} + +type CvssV3 struct { + BaseSeverity string +} diff --git a/pkg/vulnsrc/vulnerability/vulnerability.go b/pkg/vulnsrc/vulnerability/vulnerability.go new file mode 100644 index 0000000000..0ed9b5b29b --- /dev/null +++ b/pkg/vulnsrc/vulnerability/vulnerability.go @@ -0,0 +1,70 @@ +package vulnerability + +import ( + "encoding/json" + + bolt "github.com/etcd-io/bbolt" + "github.com/knqyf263/trivy/pkg/db" + "golang.org/x/xerrors" +) + +const ( + rootBucket = "vulnerability" +) + +type Vulnerability struct { + CvssScore float64 + CvssScoreV3 float64 + Severity Severity + SeverityV3 Severity + References []string + Title string + Description string +} + +type Advisory struct { + VulnerabilityID string + FixedVersion string +} + +func Put(tx *bolt.Tx, cveID, source string, vuln Vulnerability) error { + root, err := tx.CreateBucketIfNotExists([]byte(rootBucket)) + if err != nil { + return err + } + return db.Put(root, cveID, source, vuln) +} + +func Update(cveID, source string, vuln Vulnerability) error { + return db.Update(rootBucket, cveID, source, vuln) +} + +func BatchUpdate(fn func(b *bolt.Bucket) error) error { + return db.BatchUpdate(func(tx *bolt.Tx) error { + root, err := tx.CreateBucketIfNotExists([]byte(rootBucket)) + if err != nil { + return err + } + return fn(root) + }) +} + +func Get(cveID string) (map[string]Vulnerability, error) { + values, err := db.ForEach(rootBucket, cveID) + if err != nil { + return nil, xerrors.Errorf("error in NVD get: %w", err) + } + if len(values) == 0 { + return nil, nil + } + + vulns := map[string]Vulnerability{} + for source, value := range values { + var vuln Vulnerability + if err = json.Unmarshal(value, &vuln); err != nil { + return nil, xerrors.Errorf("failed to unmarshal Vulnerability JSON: %w", err) + } + vulns[source] = vuln + } + return vulns, nil +} diff --git a/pkg/vulnsrc/vulnsrc.go b/pkg/vulnsrc/vulnsrc.go new file mode 100644 index 0000000000..18da984aff --- /dev/null +++ b/pkg/vulnsrc/vulnsrc.go @@ -0,0 +1,74 @@ +package vulnsrc + +import ( + "github.com/knqyf263/trivy/pkg/git" + "github.com/knqyf263/trivy/pkg/log" + "github.com/knqyf263/trivy/pkg/utils" + "github.com/knqyf263/trivy/pkg/vulnsrc/alpine" + "github.com/knqyf263/trivy/pkg/vulnsrc/debian" + debianoval "github.com/knqyf263/trivy/pkg/vulnsrc/debian-oval" + "github.com/knqyf263/trivy/pkg/vulnsrc/nvd" + "github.com/knqyf263/trivy/pkg/vulnsrc/redhat" + "github.com/knqyf263/trivy/pkg/vulnsrc/ubuntu" + "golang.org/x/xerrors" + "path/filepath" +) + +const ( + repoURL = "https://github.com/knqyf263/vuln-list.git" +) + +func Update() (err error) { + log.Logger.Info("Updating vulnerability database...") + + // Clone vuln-list repository + dir := filepath.Join(utils.CacheDir(), "vuln-list") + updatedFiles, err := git.CloneOrPull(repoURL, dir) + if err != nil { + return xerrors.Errorf("error in vulnsrc clone or pull: %w", err) + } + log.Logger.Debugf("total updated files: %d", len(updatedFiles)) + + // Only last_updated.json + if len(updatedFiles) <= 1 { + return nil + } + + // Update NVD + log.Logger.Info("Updating NVD data...") + if err = nvd.Update(dir, updatedFiles); err != nil { + return xerrors.Errorf("error in NVD update: %w", err) + } + + // Update Alpine OVAL + log.Logger.Info("Updating Alpine data...") + if err = alpine.Update(dir, updatedFiles); err != nil { + return xerrors.Errorf("error in Alpine OVAL update: %w", err) + } + + //Update RedHat + log.Logger.Info("Updating RedHat data...") + if err = redhat.Update(dir, updatedFiles); err != nil { + return xerrors.Errorf("error in RedHat update: %w", err) + } + + // Update Debian + log.Logger.Info("Updating Debian data...") + if err = debian.Update(dir, updatedFiles); err != nil { + return xerrors.Errorf("error in Debian update: %w", err) + } + + // Update Debian OVAL + log.Logger.Info("Updating Debian OVAL data...") + if err = debianoval.Update(dir, updatedFiles); err != nil { + return xerrors.Errorf("error in Debian OVAL update: %w", err) + } + + //Update Ubuntu + log.Logger.Info("Updating Ubuntu data...") + if err = ubuntu.Update(dir, updatedFiles); err != nil { + return xerrors.Errorf("error in Ubuntu update: %w", err) + } + + return nil +}