refactor: migrate to prefixed buckets (#1644)

This commit is contained in:
Teppei Fukuda
2022-01-31 10:05:38 +02:00
committed by GitHub
parent 84dd33f7e9
commit 8d5882be03
114 changed files with 2053 additions and 2346 deletions


@@ -19,12 +19,12 @@
{
"SchemaVersion": "2018-10-08",
"Id": "{{ $target }}/{{ .VulnerabilityID }}",
"ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
"ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
"GeneratorId": "Trivy",
"AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
"AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
"CreatedAt": "{{ getCurrentTime }}",
"UpdatedAt": "{{ getCurrentTime }}",
"CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
"Severity": {
"Label": "{{ $severity }}"
},
@@ -42,7 +42,7 @@
"Type": "Container",
"Id": "{{ $target }}",
"Partition": "aws",
"Region": "{{ getEnv "AWS_REGION" }}",
"Region": "{{ env "AWS_REGION" }}",
"Details": {
"Container": { "ImageName": "{{ $target }}" },
"Other": {
@@ -51,10 +51,10 @@
"PkgName": "{{ .PkgName }}",
"Installed Package": "{{ .InstalledVersion }}",
"Patched Package": "{{ .FixedVersion }}",
"NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
"NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
"NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
"NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
"NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
"NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
"NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
"NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
}
}
}
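Review bot: The golden test for this template replaces both `now` and `date` with stubs (the test file later in this commit registers `"date": func(format string, t time.Time) string { return t.Format(format) }`), so the new `{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}` on the CreatedAt and UpdatedAt lines is never exercised against the production function. If `date` here is sprig's, it formats in the process-local zone, so the emitted offset depends on where Trivy runs; the zone-explicit form `{{ dateInZone "2006-01-02T15:04:05.999999999Z07:00" now "UTC" }}` would pin the timestamp to UTC — worth confirming against the func map that is actually registered. The `env "AWS_REGION"` substitution on the ProductArn and Region lines yields an empty ARN segment when the variable is unset, which Security Hub rejects on import; `{{ env "AWS_REGION" | required "AWS_REGION is not set" }}` fails at render time instead, provided `required` is available in the same func map.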


@@ -52,7 +52,7 @@
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
<title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,7 +82,7 @@
</script>
</head>
<body>
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
<table>
{{- range . }}
<tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
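Review bot: Rendering `{{ now }}` bare in the new `<title>` and `<h1>` lines falls back to `time.Time.String()`, and for a real `time.Now()` value that string carries the monotonic-clock suffix (`m=+0.123…`), which the golden file does not show only because the test stubs `now` with a `time.Date` value that has no monotonic reading. Formatting explicitly avoids this: `{{ now | date "2006-01-02T15:04:05Z07:00" }}` on both lines, in the same style as the ASFF template in this commit. The new `<title>` line also gained a stray space before `</title>` that the `<h1>` line does not have.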

go.mod

@@ -13,7 +13,7 @@ require (
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069
github.com/aquasecurity/trivy-db v0.0.0-20220130223604-df65ebde46f4
github.com/caarlos0/env/v6 v6.0.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.0.3

go.sum

@@ -260,8 +260,8 @@ github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbp
github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
github.com/aquasecurity/tfsec v0.63.1 h1:KH63HTcUoab7d3PKtqFO6T8K5AY7bzLw7Kiu+EY9U64=
github.com/aquasecurity/tfsec v0.63.1/go.mod h1:g5ZWmsfqW1FsCaPb9ux8Pzjcyss/WUB2XuRd5slqvnc=
github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069 h1:TYG76ClrtBiunB43Hme+ahszJfm0E+og+JQsEEMrHbk=
github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069/go.mod h1:BOulYmf+l2bd+Bjo3tTsdnbWCsh5UsJn1MqdiZzmm/Q=
github.com/aquasecurity/trivy-db v0.0.0-20220130223604-df65ebde46f4 h1:w/cU+uNDHHzMKLNpiohoHvPTtd1mi6Dyih4pqV6FLxQ=
github.com/aquasecurity/trivy-db v0.0.0-20220130223604-df65ebde46f4/go.mod h1:BOulYmf+l2bd+Bjo3tTsdnbWCsh5UsJn1MqdiZzmm/Q=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=


@@ -286,13 +286,23 @@ func TestClientServerWithTemplate(t *testing.T) {
},
}
report.CustomTemplateFuncMap = map[string]interface{}{
"now": func() time.Time {
return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
},
"date": func(format string, t time.Time) string {
return t.Format(format)
},
}
t.Cleanup(func() {
report.CustomTemplateFuncMap = map[string]interface{}{}
})
app, addr, cacheDir := setup(t, setupOptions{})
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
report.Now = func() time.Time {
return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
}
t.Setenv("AWS_REGION", "test-region")
t.Setenv("AWS_ACCOUNT_ID", "123456789012")
osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
@@ -382,7 +392,7 @@ func TestClientServerWithRedis(t *testing.T) {
// Set up Trivy server
app, addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
defer os.RemoveAll(cacheDir)
t.Cleanup(func() { os.RemoveAll(cacheDir) })
// Test parameters
testArgs := csArgs{
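Review bot: The cleanup added after the `report.CustomTemplateFuncMap` assignment resets the package-level map to an empty literal rather than restoring what it held before, so any funcs registered by an earlier test or by package init are lost once this test has run; capturing the prior value is safer: `prev := report.CustomTemplateFuncMap` before the assignment and `report.CustomTemplateFuncMap = prev` inside the `t.Cleanup`. Because this global is written outside the subtests while `t.Setenv` is called inside them, neither the parent test nor its subtests can ever call `t.Parallel()`; a comment such as `// mutates package-level template state; do not parallelize` next to the assignment would record that constraint. The stubbed `date` only calls `t.Format`, so it does not reproduce any zone handling the production `date` function may do — the golden pins the template text, not the real func. TestClientServerWithTemplate's body starts before this hunk.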


@@ -45,6 +45,14 @@ func TestFilesystem(t *testing.T) {
},
golden: "testdata/pip.json.golden",
},
{
name: "pom",
args: args{
securityChecks: "vuln",
input: "testdata/fixtures/fs/pom",
},
golden: "testdata/pom.json.golden",
},
{
name: "dockerfile",
args: args{
@@ -90,7 +98,7 @@ func TestFilesystem(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
osArgs := []string{"trivy", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
"--format", "json", "--security-checks", tt.args.securityChecks}
"--format", "json", "--offline-scan", "--security-checks", tt.args.securityChecks}
if len(tt.args.policyPaths) != 0 {
for _, policyPath := range tt.args.policyPaths {
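Review bot: `--offline-scan` is now appended to the argument list for every table case, not only the new `pom` case, and nothing in the hunk says why; a comment on the osArgs line recording the reason — presumably so the pom case does not resolve artifacts over the network — such as `// --offline-scan: keep the pom case hermetic (no remote dependency resolution)` would explain the flag to the next reader. If any existing case was meant to cover the online path, it silently stopped doing so. TestFilesystem continues outside the hunk.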


@@ -62,6 +62,7 @@
"SeveritySource": "alma",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
"DataSource": {
"ID": "alma",
"Name": "AlmaLinux Product Errata",
"URL": "https://errata.almalinux.org/"
},


@@ -71,6 +71,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -129,6 +130,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -197,6 +199,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -255,6 +258,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},


@@ -51,7 +51,7 @@
}
a.toggle-more-links { cursor: pointer; }
</style>
<title>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</title>
<title>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10 07:28:17.000958601 +0000 UTC </title>
<script>
window.onload = function() {
document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -81,7 +81,7 @@
</script>
</head>
<body>
<h1>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</h1>
<h1>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10 07:28:17.000958601 +0000 UTC</h1>
<table>
<tr class="group-header"><th colspan="6">alpine</th></tr>
<tr class="sub-header">


@@ -64,6 +64,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -121,6 +122,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -188,6 +190,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -245,6 +248,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},


@@ -64,6 +64,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -99,6 +100,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},


@@ -64,6 +64,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -131,6 +132,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},


@@ -64,6 +64,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -121,6 +122,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -188,6 +190,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -245,6 +248,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -312,6 +316,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},
@@ -347,6 +352,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
"DataSource": {
"ID": "alpine",
"Name": "Alpine Secdb",
"URL": "https://secdb.alpinelinux.org/"
},


@@ -63,6 +63,7 @@
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"DataSource": {
"ID": "amazon",
"Name": "Amazon Linux Security Center",
"URL": "https://alas.aws.amazon.com/"
},


@@ -63,6 +63,7 @@
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"DataSource": {
"ID": "amazon",
"Name": "Amazon Linux Security Center",
"URL": "https://alas.aws.amazon.com/"
},
@@ -118,6 +119,7 @@
"SeveritySource": "amazon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5436",
"DataSource": {
"ID": "amazon",
"Name": "Amazon Linux Security Center",
"URL": "https://alas.aws.amazon.com/"
},


@@ -54,32 +54,77 @@
"Type": "cargo",
"Vulnerabilities": [
{
"VulnerabilityID": "RUSTSEC-2019-0001",
"VulnerabilityID": "CVE-2019-15542",
"PkgName": "ammonia",
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 2.1.0",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15542",
"DataSource": {
"Name": "RustSec Advisory Database",
"URL": "https://github.com/RustSec/advisory-db"
},
"Severity": "UNKNOWN"
"Title": "Uncontrolled recursion leads to abort in HTML serialization",
"Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
"Severity": "HIGH",
"CweIDs": [
"CWE-674"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"V2Score": 5,
"V3Score": 7.5
}
},
"References": [
"https://crates.io/crates/ammonia",
"https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210",
"https://rustsec.org/advisories/RUSTSEC-2019-0001.html"
],
"PublishedDate": "2019-08-26T18:15:00Z",
"LastModifiedDate": "2020-08-24T17:37:00Z"
},
{
"VulnerabilityID": "RUSTSEC-2021-0074",
"VulnerabilityID": "CVE-2021-38193",
"PkgName": "ammonia",
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
"Layer": {
"DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-38193",
"DataSource": {
"Name": "RustSec Advisory Database",
"URL": "https://github.com/RustSec/advisory-db"
},
"Severity": "UNKNOWN"
"Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
"Description": "An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-79"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"V2Score": 4.3,
"V3Score": 6.1
}
},
"References": [
"https://crates.io/crates/ammonia",
"https://github.com/rust-ammonia/ammonia/pull/142",
"https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/ammonia/RUSTSEC-2021-0074.md",
"https://rustsec.org/advisories/RUSTSEC-2021-0074.html"
],
"PublishedDate": "2021-08-08T06:15:00Z",
"LastModifiedDate": "2021-08-16T16:37:00Z"
}
]
}


@@ -66,6 +66,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},


@@ -62,6 +62,7 @@
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -113,6 +114,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},


@@ -62,6 +62,7 @@
"SeveritySource": "debian",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -113,6 +114,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -170,6 +172,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -227,6 +230,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -284,6 +288,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},


@@ -60,6 +60,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -130,6 +131,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -204,6 +206,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -274,6 +277,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},


@@ -77,6 +77,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -147,6 +148,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -221,6 +223,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -291,6 +294,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},


@@ -1,382 +1,141 @@
- bucket: data-source
pairs:
- key: GitHub Security Advisory Composer
- key: "composer::GitHub Security Advisory Composer"
value:
ID: "ghsa"
Name: "GitHub Security Advisory Composer"
URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
- key: GitHub Security Advisory Maven
- key: "maven::GitHub Security Advisory Maven"
value:
ID: "ghsa"
Name: "GitHub Security Advisory Maven"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
- key: GitHub Security Advisory Npm
- key: "npm::GitHub Security Advisory Npm"
value:
ID: "ghsa"
Name: "GitHub Security Advisory Npm"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
- key: GitHub Security Advisory Nuget
- key: "nuget::GitHub Security Advisory Nuget"
value:
ID: "ghsa"
Name: "GitHub Security Advisory Nuget"
URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Anuget"
- key: GitHub Security Advisory Pip
- key: "pip::GitHub Security Advisory Pip"
value:
ID: "ghsa"
Name: "GitHub Security Advisory Pip"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
- key: GitHub Security Advisory RubyGems
- key: "rubygems::GitHub Security Advisory RubyGems"
value:
ID: "ghsa"
Name: "GitHub Security Advisory RubyGems"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Arubygems"
- key: Oracle Linux 5
value:
Name: "Oracle Linux OVAL definitions"
URL: "https://linux.oracle.com/security/oval/"
- key: Oracle Linux 6
value:
Name: "Oracle Linux OVAL definitions"
URL: "https://linux.oracle.com/security/oval/"
- key: Oracle Linux 7
value:
Name: "Oracle Linux OVAL definitions"
URL: "https://linux.oracle.com/security/oval/"
- key: Oracle Linux 8
value:
ID: "oracle-oval"
Name: "Oracle Linux OVAL definitions"
URL: "https://linux.oracle.com/security/oval/"
- key: Photon OS 1.0
value:
Name: "Photon OS CVE metadata"
URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
- key: Photon OS 2.0
value:
Name: "Photon OS CVE metadata"
URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
- key: Photon OS 3.0
value:
ID: "photon"
Name: "Photon OS CVE metadata"
URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
- key: Photon OS 4.0
value:
Name: "Photon OS CVE metadata"
URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
- key: SUSE Linux Enterprise 11
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 11-PUBCLOUD
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 11.1
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 11.2
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 11.3
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 11.4
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 12
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 12.1
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 12.2
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 12.3
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 12.4
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 12.5
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 15
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 15-ESPOS
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 15.1
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 15.2
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 15.3
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 15.4
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 5.0
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 5.1
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: alma 8
value:
ID: "alma"
Name: "AlmaLinux Product Errata"
URL: "https://errata.almalinux.org/"
- key: alpine 3.10
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.11
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.12
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.13
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.14
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.15
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.2
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.3
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.4
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.5
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.6
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.7
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.8
value:
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.9
value:
ID: "alpine"
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: alpine 3.10
value:
ID: "alpine"
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"
- key: amazon linux 1
value:
ID: "amazon"
Name: "Amazon Linux Security Center"
URL: "https://alas.aws.amazon.com/"
- key: amazon linux 2
value:
ID: "amazon"
Name: "Amazon Linux Security Center"
URL: "https://alas.aws.amazon.com/"
- key: archlinux
value:
Name: "Arch Linux Vulnerable issues"
URL: "https://security.archlinux.org/"
- key: cargo::Open Source Vulnerability
value:
Name: "RustSec Advisory Database"
URL: "https://github.com/RustSec/advisory-db"
- key: debian 10
value:
Name: "Debian Security Tracker"
URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
- key: debian 11
value:
Name: "Debian Security Tracker"
URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
- key: debian 12
value:
Name: "Debian Security Tracker"
URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
- key: debian 7
value:
Name: "Debian Security Tracker"
URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
- key: debian 8
value:
ID: "debian"
Name: "Debian Security Tracker"
URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
- key: debian 9
value:
ID: "debian"
Name: "Debian Security Tracker"
URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
- key: go::GitLab Advisory Database Community
value:
ID: "glad"
Name: "GitLab Advisory Database Community"
URL: "https://gitlab.com/gitlab-org/advisories-community"
- key: go::The Go Vulnerability Database
value:
ID: "go-vulndb"
Name: "The Go Vulnerability Database"
URL: "https://github.com/golang/vulndb"
- key: maven::GitLab Advisory Database Community
value:
ID: "glad"
Name: "GitLab Advisory Database Community"
URL: "https://gitlab.com/gitlab-org/advisories-community"
- key: nodejs-security-wg
- key: npm::nodejs-security-wg
value:
ID: "nodejs-security-wg"
Name: "Node.js Ecosystem Security Working Group"
URL: "https://github.com/nodejs/security-wg"
- key: openSUSE Leap 15.0
value:
ID: "suse-cvrf"
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: openSUSE Leap 15.1
value:
ID: "suse-cvrf"
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: openSUSE Leap 15.2
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: openSUSE Leap 15.3
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: openSUSE Leap 15.4
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: openSUSE Leap 42.1
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: openSUSE Leap 42.2
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: openSUSE Leap 42.3
value:
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: php-security-advisories
- key: composer::php-security-advisories
value:
ID: "php-security-advisories"
Name: "PHP Security Advisories Database"
URL: "https://github.com/FriendsOfPHP/security-advisories"
- key: pip::Open Source Vulnerability
value:
ID: "osv"
Name: "Python Packaging Advisory Database"
URL: "https://github.com/pypa/advisory-db"
- key: rocky 8
value:
ID: "rocky"
Name: "Rocky Linux updateinfo"
URL: "https://download.rockylinux.org/pub/rocky/"
- key: ruby-advisory-db
- key: rubygems::ruby-advisory-db
value:
ID: "ruby-advisory-db"
Name: "Ruby Advisory Database"
URL: "https://github.com/rubysec/ruby-advisory-db"
- key: ubuntu 12.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 12.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 13.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 13.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 14.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 14.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 15.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 15.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 16.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 16.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 17.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 17.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 18.04
value:
ID: "ubuntu"
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 18.10
- key: CBL-Mariner 1.0
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 19.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 19.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 20.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 20.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 21.04
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 21.10
value:
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
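Review bot: The retained `cargo::Open Source Vulnerability` entry is the only surviving source in this fixture with no `ID:` under `value`, while every other kept entry now carries one (`ghsa`, `alma`, `alpine`, `osv`, …); the cargo golden earlier in this commit shows the consequence — its `DataSource` objects carry `Name` and `URL` but no `ID`, so a consumer keying on `DataSource.ID` would miss RustSec findings. Adding the ID trivy-db assigns to that source (the `pip::Open Source Vulnerability` entry above uses `ID: "osv"`) keeps the fixture consistent with the rest of the file; confirm the value against trivy-db rather than copying it. The `composer` and `nuget` GHSA URLs still contain `%%3A` where the other GHSA entries use `%3A`; those lines are unchanged here, but they look like a leftover format-string escape.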


@@ -0,0 +1,20 @@
- bucket: maven::GitHub Security Advisory Maven
pairs:
- bucket: com.fasterxml.jackson.core:jackson-databind
pairs:
- key: CVE-2020-9548
value:
PatchedVersions:
- 2.9.10.4
VulnerableVersions:
- ">= 2.0.0, <= 2.9.10.3"
- bucket: maven::GitLab Advisory Database Community
pairs:
- bucket: com.fasterxml.jackson.core:jackson-databind
pairs:
- key: CVE-2021-20190
value:
PatchedVersions:
- 2.9.10.7
VulnerableVersions:
- "[2.9.0,2.9.10.7)"


@@ -1,4 +1,4 @@
- bucket: GitHub Security Advisory Npm
- bucket: "npm::GitHub Security Advisory Npm"
pairs:
- bucket: jquery
pairs:


@@ -1,4 +1,4 @@
- bucket: GitHub Security Advisory Pip
- bucket: "pip::GitHub Security Advisory Pip"
pairs:
- bucket: werkzeug
pairs:


@@ -1,4 +1,4 @@
- bucket: GitHub Security Advisory RubyGems
- bucket: "rubygems::GitHub Security Advisory RubyGems"
pairs:
- bucket: activesupport
pairs:


@@ -2,11 +2,11 @@
pairs:
- bucket: ammonia
pairs:
- key: RUSTSEC-2019-0001
- key: CVE-2019-15542
value:
PatchedVersions:
- ">= 2.1.0"
- key: RUSTSEC-2021-0074
- key: CVE-2021-38193
value:
PatchedVersions:
- ">= 3.1.0"


@@ -132,7 +132,7 @@
Severity: CRITICAL
Title: "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties"
VendorSeverity:
ghsa-npm: 4.0
ghsa: 4.0
nvd: 4.0
redhat: 3.0
- key: CVE-2019-11358
@@ -237,7 +237,7 @@
alma: 2.0
amazon: 2.0
arch-linux: 2.0
ghsa-npm: 2.0
ghsa: 2.0
nodejs-security-wg: 2.0
nvd: 2.0
oracle-oval: 2.0
@@ -294,7 +294,7 @@
Severity: HIGH
Title: "python-werkzeug: insufficient debugger PIN randomness vulnerability"
VendorSeverity:
ghsa-pip: 3.0
ghsa: 3.0
nvd: 3.0
redhat: 2.0
ubuntu: 1.0
@@ -400,6 +400,27 @@
photon: 2.0
redhat: 1.0
ubuntu: 1.0
- key: CVE-2019-15542
value:
CVSS:
nvd:
V2Score: 5.0
V2Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
V3Score: 7.5
V3Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CweIDs:
- CWE-674
Description: An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.
LastModifiedDate: 2020-08-24T17:37:00Z
PublishedDate: 2019-08-26T18:15:00Z
References:
- https://crates.io/crates/ammonia
- "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
- https://rustsec.org/advisories/RUSTSEC-2019-0001.html
Severity: HIGH
Title: Uncontrolled recursion leads to abort in HTML serialization
VendorSeverity:
nvd: 3.0
- key: CVE-2019-1559
value:
CVSS:
@@ -816,7 +837,7 @@
Severity: MEDIUM
Title: "python-werkzeug: open redirect via double slash in the URL"
VendorSeverity:
ghsa-pip: 2.0
ghsa: 2.0
nvd: 2.0
redhat: 2.0
ubuntu: 2.0
@@ -887,9 +908,83 @@
Severity: CRITICAL
Title: "rubygem-activesupport: potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore"
VendorSeverity:
ghsa-rubygems: 3.0
ghsa: 3.0
nvd: 4.0
redhat: 3.0
- key: CVE-2020-9548
value:
CVSS:
nvd:
V2Score: 6.8
V2Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
V3Score: 9.8
V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhat:
V3Score: 8.1
V3Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CweIDs:
- CWE-502
Description: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
LastModifiedDate: 2021-12-02T21:23:00Z
PublishedDate: 2020-03-02T04:15:00Z
References:
- https://access.redhat.com/security/cve/CVE-2020-9548
- https://github.com/FasterXML/jackson-databind/issues/2634
- https://github.com/advisories/GHSA-p43x-xfjf-5jhr
- https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html
- https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
- https://nvd.nist.gov/vuln/detail/CVE-2020-9548
- https://security.netapp.com/advisory/ntap-20200904-0006/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
Severity: CRITICAL
Title: "jackson-databind: Serialization gadgets in anteros-core"
VendorSeverity:
ghsa: 4.0
nvd: 4.0
redhat: 3.0
- key: CVE-2021-20190
value:
CVSS:
nvd:
V2Score: 8.3
V2Vector: AV:N/AC:M/Au:N/C:P/I:P/A:C
V3Score: 8.1
V3Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
redhat:
V3Score: 8.1
V3Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CweIDs:
- CWE-502
Description: A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
LastModifiedDate: 2021-07-20T23:15:00Z
PublishedDate: 2021-01-19T17:15:00Z
References:
- https://access.redhat.com/security/cve/CVE-2021-20190
- https://bugzilla.redhat.com/show_bug.cgi?id=1916633
- https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a
- https://github.com/FasterXML/jackson-databind/issues/2854
- https://github.com/advisories/GHSA-5949-rw7g-wx7w
- https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-20190
- https://security.netapp.com/advisory/ntap-20210219-0008/
Severity: HIGH
Title: "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing"
VendorSeverity:
ghsa: 3.0
nvd: 3.0
redhat: 3.0
- key: CVE-2021-3712
value:
CVSS:
@@ -947,6 +1042,28 @@
redhat: 2.0
rocky: 2.0
ubuntu: 2.0
- key: CVE-2021-38193
value:
CVSS:
nvd:
V2Score: 4.3
V2Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
V3Score: 6.1
V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CweIDs:
- CWE-79
Description: An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.
LastModifiedDate: 2021-08-16T16:37:00Z
PublishedDate: 2021-08-08T06:15:00Z
References:
- https://crates.io/crates/ammonia
- https://github.com/rust-ammonia/ammonia/pull/142
- https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/ammonia/RUSTSEC-2021-0074.md
- https://rustsec.org/advisories/RUSTSEC-2021-0074.html
Severity: MEDIUM
Title: Incorrect handling of embedded SVG and MathML leads to mutation XSS
VendorSeverity:
nvd: 2.0
- key: CVE-2022-0158
value:
CVSS:
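Review bot: Collapsing `ghsa-npm`, `ghsa-pip` and `ghsa-rubygems` into the single `ghsa` key under `VendorSeverity` (the first four hunks of this file) means one CVE can now carry only one GHSA rating, whereas the old keys could hold a different rating per ecosystem. If a CVE affects packages in more than one ecosystem and GHSA rates them differently, this fixture — and presumably whatever writes the real DB — keeps whichever value was written last. If that merge is the intended model, a comment at the first renamed entry, `# ghsa: ecosystem-specific GHSA ratings are merged into one key`, would stop readers from assuming per-ecosystem severity is still available.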


@@ -0,0 +1,59 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>log4shell</artifactId>
<version>1.0-SNAPSHOT</version>
<name>log4shell</name>
<packaging>war</packaging>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.source>1.8</maven.compiler.source>
<junit.version>5.7.1</junit.version>
</properties>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>4.0.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>${junit.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<version>${junit.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>3.3.1</version>
</plugin>
</plugins>
</build>
</project>
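Review bot: The fixture's `artifactId` and `name` are `log4shell`, but the only runtime dependency it declares is `jackson-databind` 2.9.1, which is what the paired `pom.json.golden` in this commit detects CVE-2020-9548 and CVE-2021-20190 against; the name looks like a leftover from an earlier draft and will mislead the next person editing this fixture. Add a comment above the dependency, `<!-- intentionally vulnerable: 2.9.1 must stay so pom.json.golden keeps reporting CVE-2020-9548 / CVE-2021-20190 -->`, and, if the project's own artifact coordinates are not part of the expected output, rename the artifact to match what it exercises.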


@@ -119,6 +119,7 @@
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
"DataSource": {
"ID": "debian",
"Name": "Debian Security Tracker",
"URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
},
@@ -175,15 +176,16 @@
"Layer": {
"DiffID": "sha256:75e43d55939745950bc3f8fad56c5834617c4339f0f54755e69a0dd5372624e9"
},
"SeveritySource": "nvd",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory RubyGems",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Arubygems"
},
"Title": "rubygem-activesupport: potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore",
"Description": "A deserialization of untrusted data vulnernerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.",
"Severity": "CRITICAL",
"Severity": "HIGH",
"CweIDs": [
"CWE-502"
],
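Review bot: The expected severity for CVE-2020-8165 drops from CRITICAL to HIGH here because `SeveritySource` now resolves to `ghsa` (rated 3.0 in the vulnerability fixture) ahead of `nvd` (4.0); the same precedence shift turns both curl findings in the Oracle Linux golden file (CVE-2019-3823 and CVE-2019-5436) from HIGH to MEDIUM. That is a user-visible change for anyone gating a pipeline on `--severity CRITICAL` or similar, not just a bucket rename, so the commit description or changelog should state which sources now take precedence over NVD. If the downgrade is not intended, the source ordering that prefers the distro/ecosystem source should be checked before these goldens are accepted.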


@@ -44,7 +44,13 @@
"Layer": {
"DiffID": "sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
},
"SeveritySource": "cbl-mariner",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0261",
"DataSource": {
"ID": "cbl-mariner",
"Name": "CBL-Mariner Vulnerability Data",
"URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
},
"Title": "CVE-2022-0261 affecting package vim 8.2.4081",
"Description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"Severity": "HIGH",
@@ -67,8 +73,13 @@
"Layer": {
"DiffID": "sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
},
"SeveritySource": "nvd",
"SeveritySource": "cbl-mariner",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0158",
"DataSource": {
"ID": "cbl-mariner",
"Name": "CBL-Mariner Vulnerability Data",
"URL": "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
},
"Title": "vim: heap-based read buffer overflow in compile_get_env()",
"Description": "vim is vulnerable to Heap-based Buffer Overflow",
"Severity": "LOW",


@@ -26,9 +26,10 @@
"InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0",
"Layer": {},
"SeveritySource": "nodejs-security-wg",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},
@@ -140,9 +141,10 @@
"InstalledVersion": "4.17.4",
"FixedVersion": "4.17.12",
"Layer": {},
"SeveritySource": "ghsa-npm",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Npm",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
},


@@ -68,7 +68,10 @@
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"SeveritySource": "suse-cvrf",
"PrimaryURL": "https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"DataSource": {
"ID": "suse-cvrf",
"Name": "SUSE CVRF",
"URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
},
@@ -88,7 +91,10 @@
"Layer": {
"DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
},
"SeveritySource": "suse-cvrf",
"PrimaryURL": "https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
"DataSource": {
"ID": "suse-cvrf",
"Name": "SUSE CVRF",
"URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
},


@@ -69,15 +69,16 @@
"Layer": {
"DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e"
},
"SeveritySource": "nvd",
"SeveritySource": "oracle-oval",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3823",
"DataSource": {
"ID": "oracle-oval",
"Name": "Oracle Linux OVAL definitions",
"URL": "https://linux.oracle.com/security/oval/"
},
"Title": "curl: SMTP end-of-response out-of-bounds read",
"Description": "libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.",
"Severity": "HIGH",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-125"
],
@@ -123,15 +124,16 @@
"Layer": {
"DiffID": "sha256:e3196b7450602f5547c52d197255dfa96a006ea9c52c19bf3ba2d5412a4b161e"
},
"SeveritySource": "nvd",
"SeveritySource": "oracle-oval",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5436",
"DataSource": {
"ID": "oracle-oval",
"Name": "Oracle Linux OVAL definitions",
"URL": "https://linux.oracle.com/security/oval/"
},
"Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
"Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
"Severity": "HIGH",
"Severity": "MEDIUM",
"CweIDs": [
"CWE-787"
],


@@ -73,6 +73,7 @@
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
"DataSource": {
"ID": "photon",
"Name": "Photon OS CVE metadata",
"URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
},
@@ -121,6 +122,7 @@
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"DataSource": {
"ID": "photon",
"Name": "Photon OS CVE metadata",
"URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
},
@@ -176,6 +178,7 @@
"SeveritySource": "photon",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
"DataSource": {
"ID": "photon",
"Name": "Photon OS CVE metadata",
"URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
},


@@ -26,9 +26,10 @@
"InstalledVersion": "0.11",
"FixedVersion": "0.15.3",
"Layer": {},
"SeveritySource": "nvd",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
@@ -71,9 +72,10 @@
"InstalledVersion": "0.11",
"FixedVersion": "0.11.6",
"Layer": {},
"SeveritySource": "nvd",
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},

126
integration/testdata/pom.json.golden vendored Normal file

@@ -0,0 +1,126 @@
{
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/pom",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "pom.xml",
"Class": "lang-pkgs",
"Type": "pom",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2020-9548",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.4",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-9548",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Maven",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
},
"Title": "jackson-databind: Serialization gadgets in anteros-core",
"Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-502"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 6.8,
"V3Score": 9.8
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2020-9548",
"https://github.com/FasterXML/jackson-databind/issues/2634",
"https://github.com/advisories/GHSA-p43x-xfjf-5jhr",
"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E",
"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html",
"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
"https://nvd.nist.gov/vuln/detail/CVE-2020-9548",
"https://security.netapp.com/advisory/ntap-20200904-0006/",
"https://www.oracle.com/security-alerts/cpujan2021.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/security-alerts/cpuoct2020.html",
"https://www.oracle.com/security-alerts/cpuoct2021.html"
],
"PublishedDate": "2020-03-02T04:15:00Z",
"LastModifiedDate": "2021-12-02T21:23:00Z"
},
{
"VulnerabilityID": "CVE-2021-20190",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.7",
"Layer": {},
"SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20190",
"DataSource": {
"ID": "glad",
"Name": "GitLab Advisory Database Community",
"URL": "https://gitlab.com/gitlab-org/advisories-community"
},
"Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing",
"Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"Severity": "HIGH",
"CweIDs": [
"CWE-502"
],
"CVSS": {
"nvd": {
"V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V2Score": 8.3,
"V3Score": 8.1
},
"redhat": {
"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 8.1
}
},
"References": [
"https://access.redhat.com/security/cve/CVE-2021-20190",
"https://bugzilla.redhat.com/show_bug.cgi?id=1916633",
"https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a",
"https://github.com/FasterXML/jackson-databind/issues/2854",
"https://github.com/advisories/GHSA-5949-rw7g-wx7w",
"https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E",
"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html",
"https://nvd.nist.gov/vuln/detail/CVE-2021-20190",
"https://security.netapp.com/advisory/ntap-20210219-0008/"
],
"PublishedDate": "2021-01-19T17:15:00Z",
"LastModifiedDate": "2021-07-20T23:15:00Z"
}
]
}
]
}


@@ -62,6 +62,7 @@
"SeveritySource": "rocky",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
"DataSource": {
"ID": "rocky",
"Name": "Rocky Linux updateinfo",
"URL": "https://download.rockylinux.org/pub/rocky/"
},


@@ -81,6 +81,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
@@ -135,6 +136,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
@@ -189,6 +191,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
@@ -243,6 +246,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},


@@ -80,6 +80,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
@@ -128,6 +129,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
@@ -182,6 +184,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
@@ -236,6 +239,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
@@ -290,6 +294,7 @@
"SeveritySource": "ubuntu",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},


@@ -1,76 +0,0 @@
package library
import (
"fmt"
"strings"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/types"
)
// Advisory represents security advisories for each programming language
type Advisory struct {
ecosystem string
comparer comparer.Comparer
}
// NewAdvisory is the factory method of Advisory
func NewAdvisory(ecosystem string, comparer comparer.Comparer) *Advisory {
return &Advisory{
ecosystem: ecosystem,
comparer: comparer,
}
}
// DetectVulnerabilities scans buckets with the prefix according to the ecosystem in "Advisory".
// If "ecosystem" is pip, it looks for buckets with "pip::" and gets security advisories from those buckets.
// It allows us to add a new data source with the ecosystem prefix (e.g. pip::new-data-source)
// and detect vulnerabilities without specifying a specific bucket name.
func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
// e.g. "pip::", "npm::"
prefix := fmt.Sprintf("%s::", s.ecosystem)
advisories, err := db.Config{}.GetAdvisories(prefix, pkgName)
if err != nil {
return nil, xerrors.Errorf("failed to get %s advisories: %w", s.ecosystem, err)
}
var vulns []types.DetectedVulnerability
for _, advisory := range advisories {
if !s.comparer.IsVulnerable(pkgVer, advisory) {
continue
}
vuln := types.DetectedVulnerability{
VulnerabilityID: advisory.VulnerabilityID,
PkgName: pkgName,
InstalledVersion: pkgVer,
FixedVersion: s.createFixedVersions(advisory),
DataSource: advisory.DataSource,
}
vulns = append(vulns, vuln)
}
return vulns, nil
}
func (s *Advisory) createFixedVersions(advisory dbTypes.Advisory) string {
if len(advisory.PatchedVersions) != 0 {
return strings.Join(advisory.PatchedVersions, ", ")
}
var fixedVersions []string
for _, version := range advisory.VulnerableVersions {
for _, s := range strings.Split(version, ",") {
s = strings.TrimSpace(s)
if !strings.HasPrefix(s, "<=") && strings.HasPrefix(s, "<") {
s = strings.TrimPrefix(s, "<")
fixedVersions = append(fixedVersions, strings.TrimSpace(s))
}
}
}
return strings.Join(fixedVersions, ", ")
}


@@ -1,118 +0,0 @@
package library_test
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/library"
"github.com/aquasecurity/trivy/pkg/detector/library/bundler"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestAdvisory_DetectVulnerabilities(t *testing.T) {
type args struct {
pkgName string
pkgVer string
}
tests := []struct {
name string
fixtures []string
ecosystem string
comparer comparer.Comparer
args args
want []types.DetectedVulnerability
wantErr string
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/php.yaml"},
ecosystem: vulnerability.Composer,
comparer: comparer.GenericComparer{},
args: args{
pkgName: "symfony/symfony",
pkgVer: "4.2.6",
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-10909",
PkgName: "symfony/symfony",
InstalledVersion: "4.2.6",
FixedVersion: "4.2.7",
},
},
},
{
name: "no patched versions in the advisory",
fixtures: []string{"testdata/fixtures/php.yaml"},
ecosystem: vulnerability.Composer,
comparer: comparer.GenericComparer{},
args: args{
pkgName: "symfony/symfony",
pkgVer: "4.4.6",
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2020-5275",
PkgName: "symfony/symfony",
InstalledVersion: "4.4.6",
FixedVersion: "4.4.7",
},
},
},
{
name: "no vulnerable versions in the advisory",
fixtures: []string{"testdata/fixtures/ruby.yaml"},
ecosystem: vulnerability.RubyGems,
comparer: bundler.RubyGemsComparer{},
args: args{
pkgName: "activesupport",
pkgVer: "4.1.1",
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2015-3226",
PkgName: "activesupport",
InstalledVersion: "4.1.1",
FixedVersion: ">= 4.2.2, ~> 4.1.11",
},
},
},
{
name: "no vulnerability",
fixtures: []string{"testdata/fixtures/php.yaml"},
ecosystem: vulnerability.Composer,
comparer: comparer.GenericComparer{},
args: args{
pkgName: "symfony/symfony",
pkgVer: "4.4.7",
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Initialize DB
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()
adv := library.NewAdvisory(tt.ecosystem, tt.comparer)
got, err := adv.DetectVulnerabilities(tt.args.pkgName, tt.args.pkgVer)
switch {
case tt.wantErr != "":
require.NotNil(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
default:
assert.NoError(t, err)
}
// Compare
assert.Equal(t, tt.want, got)
})
}
}


@@ -1,49 +0,0 @@
package bundler
import (
"strings"
"golang.org/x/xerrors"
bundlerSrc "github.com/aquasecurity/trivy-db/pkg/vulnsrc/bundler"
"github.com/aquasecurity/trivy/pkg/types"
)
// Advisory implements the bundler VulnSrc
type Advisory struct {
comparer RubyGemsComparer
vs bundlerSrc.VulnSrc
}
// NewAdvisory is the factory method to return bundler.Advisory
func NewAdvisory() *Advisory {
return &Advisory{
vs: bundlerSrc.NewVulnSrc(),
comparer: RubyGemsComparer{},
}
}
// DetectVulnerabilities scans and returns Vulnerability in bundler
func (a *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
advisories, err := a.vs.Get(pkgName)
if err != nil {
return nil, xerrors.Errorf("failed to get bundler advisories: %w", err)
}
var vulns []types.DetectedVulnerability
for _, advisory := range advisories {
if !a.comparer.IsVulnerable(pkgVer, advisory) {
continue
}
vuln := types.DetectedVulnerability{
VulnerabilityID: advisory.VulnerabilityID,
PkgName: strings.TrimSpace(pkgName),
InstalledVersion: pkgVer,
FixedVersion: strings.Join(advisory.PatchedVersions, ", "),
DataSource: advisory.DataSource,
}
vulns = append(vulns, vuln)
}
return vulns, nil
}


@@ -1,89 +0,0 @@
package bundler_test
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/library/bundler"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestAdvisory_DetectVulnerabilities(t *testing.T) {
type args struct {
pkgName string
pkgVer string
}
tests := []struct {
name string
args args
fixtures []string
want []types.DetectedVulnerability
wantErr string
}{
{
name: "detected",
args: args{
pkgName: "activesupport",
pkgVer: "4.1.1",
},
fixtures: []string{
"testdata/fixtures/gem.yaml",
"testdata/fixtures/data-source.yaml",
},
want: []types.DetectedVulnerability{
{
PkgName: "activesupport",
InstalledVersion: "4.1.1",
VulnerabilityID: "CVE-2015-3226",
FixedVersion: ">= 4.2.2, ~> 4.1.11",
DataSource: &dbTypes.DataSource{
Name: "Ruby Advisory Database",
URL: "https://github.com/rubysec/ruby-advisory-db",
},
},
},
},
{
name: "not detected",
args: args{
pkgName: "activesupport",
pkgVer: "4.1.0.a",
},
fixtures: []string{"testdata/fixtures/gem.yaml"},
want: nil,
},
{
name: "invalid JSON",
args: args{
pkgName: "activesupport",
pkgVer: "4.1.0",
},
fixtures: []string{"testdata/fixtures/invalid-type.yaml"},
want: nil,
wantErr: "failed to unmarshal advisory JSON",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()
a := bundler.NewAdvisory()
got, err := a.DetectVulnerabilities(tt.args.pkgName, tt.args.pkgVer)
if tt.wantErr != "" {
require.NotNil(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
return
}
assert.NoError(t, err)
assert.Equal(t, tt.want, got)
})
}
}


@@ -1,6 +0,0 @@
- bucket: data-source
pairs:
- key: ruby-advisory-db
value:
Name: "Ruby Advisory Database"
URL: "https://github.com/rubysec/ruby-advisory-db"


@@ -1,11 +0,0 @@
- bucket: ruby-advisory-db
pairs:
- bucket: activesupport
pairs:
- key: CVE-2015-3226
value:
PatchedVersions:
- ">= 4.2.2"
- "~> 4.1.11"
UnaffectedVersions:
- "< 4.1.0"


@@ -1,7 +0,0 @@
- bucket: ruby-advisory-db
pairs:
- bucket: activesupport
pairs:
- key: CVE-2015-3226
value:
PatchedVersions: dummy


@@ -1,4 +1,4 @@
package comparer
package compare
import (
"strings"


@@ -1,4 +1,4 @@
package comparer_test
package compare_test
import (
"testing"
@@ -6,7 +6,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/detector/library/compare"
)
func TestGenericComparer_IsVulnerable(t *testing.T) {
@@ -108,7 +108,7 @@ func TestGenericComparer_IsVulnerable(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
v := comparer.GenericComparer{}
v := compare.GenericComparer{}
got := v.IsVulnerable(tt.args.ver, tt.args.advisory)
assert.Equal(t, tt.want, got)
})


@@ -6,7 +6,7 @@ import (
version "github.com/masahiro331/go-mvn-version"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/detector/library/compare"
)
// Comparer represents a comparer for maven
@@ -14,7 +14,7 @@ type Comparer struct{}
// IsVulnerable checks if the package version is vulnerable to the advisory.
func (n Comparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
return comparer.IsVulnerable(ver, advisory, n.matchVersion)
return compare.IsVulnerable(ver, advisory, n.matchVersion)
}
// matchVersion checks if the package version satisfies the given constraint.


@@ -3,11 +3,10 @@ package maven_test
import (
"testing"
"github.com/aquasecurity/trivy/pkg/detector/library/maven"
"github.com/stretchr/testify/assert"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/compare/maven"
)
func TestComparer_IsVulnerable(t *testing.T) {


@@ -5,7 +5,7 @@ import (
npm "github.com/aquasecurity/go-npm-version/pkg"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/detector/library/compare"
)
// Comparer represents a comparer for npm
@@ -13,7 +13,7 @@ type Comparer struct{}
// IsVulnerable checks if the package version is vulnerable to the advisory.
func (n Comparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
return comparer.IsVulnerable(ver, advisory, n.matchVersion)
return compare.IsVulnerable(ver, advisory, n.matchVersion)
}
// matchVersion checks if the package version satisfies the given constraint.


@@ -6,7 +6,7 @@ import (
"github.com/stretchr/testify/assert"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/npm"
"github.com/aquasecurity/trivy/pkg/detector/library/compare/npm"
)
func TestNpmComparer_IsVulnerable(t *testing.T) {


@@ -1,23 +1,23 @@
package python
package pep440
import (
"golang.org/x/xerrors"
version "github.com/aquasecurity/go-pep440-version"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/detector/library/compare"
)
// Pep440Comparer represents a comparer for PEP 440
type Pep440Comparer struct{}
// Comparer represents a comparer for PEP 440
type Comparer struct{}
// IsVulnerable checks if the package version is vulnerable to the advisory.
func (n Pep440Comparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
return comparer.IsVulnerable(ver, advisory, n.matchVersion)
func (n Comparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
return compare.IsVulnerable(ver, advisory, n.matchVersion)
}
// matchVersion checks if the package version satisfies the given constraint.
func (n Pep440Comparer) matchVersion(currentVersion, constraint string) (bool, error) {
func (n Comparer) matchVersion(currentVersion, constraint string) (bool, error) {
v, err := version.Parse(currentVersion)
if err != nil {
return false, xerrors.Errorf("python version error (%s): %s", currentVersion, err)


@@ -1,4 +1,4 @@
package python_test
package pep440_test
import (
"testing"
@@ -6,7 +6,7 @@ import (
"github.com/stretchr/testify/assert"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/python"
"github.com/aquasecurity/trivy/pkg/detector/library/compare/pep440"
)
func TestPep440Comparer_IsVulnerable(t *testing.T) {
@@ -108,7 +108,7 @@ func TestPep440Comparer_IsVulnerable(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
c := python.Pep440Comparer{}
c := pep440.Comparer{}
got := c.IsVulnerable(tt.args.currentVersion, tt.args.advisory)
assert.Equal(t, tt.want, got)
})


@@ -1,23 +1,23 @@
package bundler
package rubygems
import (
"golang.org/x/xerrors"
"github.com/aquasecurity/go-gem-version"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/detector/library/compare"
)
// RubyGemsComparer represents a comparer for RubyGems
type RubyGemsComparer struct{}
// Comparer represents a comparer for RubyGems
type Comparer struct{}
// IsVulnerable checks if the package version is vulnerable to the advisory.
func (r RubyGemsComparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
return comparer.IsVulnerable(ver, advisory, r.matchVersion)
func (r Comparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
return compare.IsVulnerable(ver, advisory, r.matchVersion)
}
// matchVersion checks if the package version satisfies the given constraint.
func (r RubyGemsComparer) matchVersion(currentVersion, constraint string) (bool, error) {
func (r Comparer) matchVersion(currentVersion, constraint string) (bool, error) {
v, err := gem.NewVersion(currentVersion)
if err != nil {
return false, xerrors.Errorf("RubyGems version error (%s): %s", currentVersion, err)


@@ -1,4 +1,4 @@
package bundler_test
package rubygems_test
import (
"testing"
@@ -6,7 +6,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/detector/library/bundler"
"github.com/aquasecurity/trivy/pkg/detector/library/compare/rubygems"
)
func TestRubyGemsComparer_IsVulnerable(t *testing.T) {
@@ -94,7 +94,7 @@ func TestRubyGemsComparer_IsVulnerable(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
r := bundler.RubyGemsComparer{}
r := rubygems.Comparer{}
got := r.IsVulnerable(tt.args.currentVersion, tt.args.advisory)
assert.Equal(t, tt.want, got)
})


@@ -1,63 +0,0 @@
package composer
import (
"fmt"
"strings"
"golang.org/x/xerrors"
composerSrc "github.com/aquasecurity/trivy-db/pkg/vulnsrc/composer"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/types"
)
// Advisory encapsulates composer.VulnSrc
type Advisory struct {
vs composerSrc.VulnSrc
comparer comparer.Comparer // TODO: implement a comparer for Composer
}
// NewAdvisory is the factory method of Advisory
func NewAdvisory() *Advisory {
return &Advisory{
vs: composerSrc.NewVulnSrc(),
comparer: comparer.GenericComparer{},
}
}
// DetectVulnerabilities returns the vulnerabilities in a package
func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
ref := fmt.Sprintf("composer://%s", pkgName)
advisories, err := s.vs.Get(ref)
if err != nil {
return nil, xerrors.Errorf("failed to get composer advisories: %w", err)
}
var vulns []types.DetectedVulnerability
for _, advisory := range advisories {
var patchedVersions []string
for _, vulnerableRange := range advisory.VulnerableVersions {
// e.g. ">=5, <5.3.1"
for _, v := range strings.Split(vulnerableRange, ", ") {
// e.g. "<5.3.1"
if !strings.HasPrefix(v, "<=") && strings.HasPrefix(v, "<") {
patchedVersions = append(patchedVersions, strings.Trim(v, "<"))
}
}
}
if !s.comparer.IsVulnerable(pkgVer, advisory) {
continue
}
vuln := types.DetectedVulnerability{
VulnerabilityID: advisory.VulnerabilityID,
PkgName: pkgName,
InstalledVersion: pkgVer,
FixedVersion: strings.Join(patchedVersions, ", "),
DataSource: advisory.DataSource,
}
vulns = append(vulns, vuln)
}
return vulns, nil
}


@@ -1,89 +0,0 @@
package composer_test
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/library/composer"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestAdvisory_DetectVulnerabilities(t *testing.T) {
type args struct {
pkgName string
pkgVer string
}
tests := []struct {
name string
args args
fixtures []string
want []types.DetectedVulnerability
wantErr string
}{
{
name: "detected",
args: args{
pkgName: "aws/aws-sdk-php",
pkgVer: "3.2.0",
},
fixtures: []string{
"testdata/fixtures/composer.yaml",
"testdata/fixtures/data-source.yaml",
},
want: []types.DetectedVulnerability{
{
PkgName: "aws/aws-sdk-php",
InstalledVersion: "3.2.0",
VulnerabilityID: "CVE-2015-5723",
FixedVersion: "3.2.1",
DataSource: &dbTypes.DataSource{
Name: "PHP Security Advisories Database",
URL: "https://github.com/FriendsOfPHP/security-advisories",
},
},
},
},
{
name: "not detected",
args: args{
pkgName: "guzzlehttp/guzzle",
pkgVer: "5.3.1",
},
fixtures: []string{"testdata/fixtures/composer.yaml"},
want: nil,
},
{
name: "malformed JSON",
args: args{
pkgName: "aws/aws-sdk-php",
pkgVer: "3.2.0",
},
fixtures: []string{"testdata/fixtures/invalid-type.yaml"},
wantErr: "failed to unmarshal advisory JSON",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()
a := composer.NewAdvisory()
got, err := a.DetectVulnerabilities(tt.args.pkgName, tt.args.pkgVer)
if tt.wantErr != "" {
require.NotNil(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
return
} else {
assert.NoError(t, err)
}
assert.Equal(t, tt.want, got)
})
}
}


@@ -1,16 +0,0 @@
- bucket: php-security-advisories
pairs:
- bucket: "composer://aws/aws-sdk-php"
pairs:
- key: CVE-2015-5723
value:
VulnerableVersions:
- ">=3.0.0, <3.2.1"
- bucket: "composer://guzzlehttp/guzzle"
pairs:
- key: CVE-2016-5385
value:
VulnerableVersions:
- ">=4.0.0rc2, <4.2.4"
- ">=5, <5.3.1"
- ">=6, <6.2.1"


@@ -1,6 +0,0 @@
- bucket: data-source
pairs:
- key: php-security-advisories
value:
Name: "PHP Security Advisories Database"
URL: "https://github.com/FriendsOfPHP/security-advisories"


@@ -1,7 +0,0 @@
- bucket: php-security-advisories
pairs:
- bucket: "composer://aws/aws-sdk-php"
pairs:
- key: CVE-2015-5723
value:
VulnerableVersions: invalid


@@ -25,7 +25,7 @@ func Detect(libType string, pkgs []ftypes.Package) ([]types.DetectedVulnerabilit
func detect(driver Driver, libs []ftypes.Package) ([]types.DetectedVulnerability, error) {
var vulnerabilities []types.DetectedVulnerability
for _, lib := range libs {
vulns, err := driver.Detect(lib.Name, lib.Version)
vulns, err := driver.DetectVulnerabilities(lib.Name, lib.Version)
if err != nil {
return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", driver.Type(), err)
}


@@ -1,120 +1,121 @@
package library
import (
"fmt"
"strings"
"github.com/aquasecurity/trivy/pkg/detector/library/compare/maven"
"golang.org/x/xerrors"
ftypes "github.com/aquasecurity/fanal/types"
ecosystem "github.com/aquasecurity/trivy-db/pkg/vulnsrc/ghsa"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/detector/library/bundler"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/detector/library/composer"
"github.com/aquasecurity/trivy/pkg/detector/library/ghsa"
"github.com/aquasecurity/trivy/pkg/detector/library/maven"
"github.com/aquasecurity/trivy/pkg/detector/library/npm"
"github.com/aquasecurity/trivy/pkg/detector/library/compare"
"github.com/aquasecurity/trivy/pkg/detector/library/compare/npm"
"github.com/aquasecurity/trivy/pkg/detector/library/compare/pep440"
"github.com/aquasecurity/trivy/pkg/detector/library/compare/rubygems"
"github.com/aquasecurity/trivy/pkg/types"
)
type advisory interface {
DetectVulnerabilities(string, string) ([]types.DetectedVulnerability, error)
}
// NewDriver returns a driver according to the library type
func NewDriver(libType string) (Driver, error) {
var driver Driver
var ecosystem dbTypes.Ecosystem
var comparer compare.Comparer
switch libType {
case ftypes.Bundler, ftypes.GemSpec:
driver = newRubyGemsDriver()
ecosystem = vulnerability.RubyGems
comparer = rubygems.Comparer{}
case ftypes.Cargo:
driver = newCargoDriver()
ecosystem = vulnerability.Cargo
comparer = compare.GenericComparer{}
case ftypes.Composer:
driver = newComposerDriver()
case ftypes.Npm, ftypes.Yarn, ftypes.NodePkg, ftypes.JavaScript:
driver = newNpmDriver()
case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip, ftypes.PythonPkg:
driver = newPipDriver()
case ftypes.NuGet:
driver = newNugetDriver()
case ftypes.Jar, ftypes.Pom:
driver = newMavenDriver()
ecosystem = vulnerability.Composer
comparer = compare.GenericComparer{}
case ftypes.GoBinary, ftypes.GoMod:
driver = Driver{
ecosystem: vulnerability.Go,
advisories: []advisory{NewAdvisory(vulnerability.Go, comparer.GenericComparer{})},
}
ecosystem = vulnerability.Go
comparer = compare.GenericComparer{}
case ftypes.Jar, ftypes.Pom:
ecosystem = vulnerability.Maven
comparer = maven.Comparer{}
case ftypes.Npm, ftypes.Yarn, ftypes.NodePkg, ftypes.JavaScript:
ecosystem = vulnerability.Npm
comparer = npm.Comparer{}
case ftypes.NuGet:
ecosystem = vulnerability.NuGet
comparer = compare.GenericComparer{}
case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip, ftypes.PythonPkg:
ecosystem = vulnerability.Pip
comparer = pep440.Comparer{}
default:
return Driver{}, xerrors.Errorf("unsupported type %s", libType)
}
return driver, nil
return Driver{
ecosystem: ecosystem,
comparer: comparer,
dbc: db.Config{},
}, nil
}
// Driver implements the advisory
// Driver represents security advisories for each programming language
type Driver struct {
ecosystem string
advisories []advisory
}
// Aggregate aggregates drivers
func Aggregate(ecosystem string, advisories ...advisory) Driver {
return Driver{ecosystem: ecosystem, advisories: advisories}
}
// Detect scans and returns vulnerabilities
func (d *Driver) Detect(pkgName string, pkgVer string) ([]types.DetectedVulnerability, error) {
var detectedVulnerabilities []types.DetectedVulnerability
uniqVulnIDMap := make(map[string]struct{})
for _, adv := range d.advisories {
vulns, err := adv.DetectVulnerabilities(pkgName, pkgVer)
if err != nil {
return nil, xerrors.Errorf("failed to detect vulnerabilities: %w", err)
}
for _, vuln := range vulns {
if _, ok := uniqVulnIDMap[vuln.VulnerabilityID]; ok {
continue
}
uniqVulnIDMap[vuln.VulnerabilityID] = struct{}{}
detectedVulnerabilities = append(detectedVulnerabilities, vuln)
}
}
return detectedVulnerabilities, nil
ecosystem dbTypes.Ecosystem
comparer compare.Comparer
dbc db.Config
}
// Type returns the driver ecosystem
func (d *Driver) Type() string {
return d.ecosystem
return string(d.ecosystem)
}
func newRubyGemsDriver() Driver {
c := bundler.RubyGemsComparer{}
return Aggregate(vulnerability.RubyGems, NewAdvisory(vulnerability.RubyGems, c), bundler.NewAdvisory(), ghsa.NewAdvisory(ecosystem.RubyGems, c))
// DetectVulnerabilities scans buckets with the prefix according to the ecosystem.
// If "ecosystem" is pip, it looks for buckets with "pip::" and gets security advisories from those buckets.
// It allows us to add a new data source with the ecosystem prefix (e.g. pip::new-data-source)
// and detect vulnerabilities without specifying a specific bucket name.
func (d *Driver) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
// e.g. "pip::", "npm::"
prefix := fmt.Sprintf("%s::", d.ecosystem)
advisories, err := d.dbc.GetAdvisories(prefix, vulnerability.NormalizePkgName(d.ecosystem, pkgName))
if err != nil {
return nil, xerrors.Errorf("failed to get %s advisories: %w", d.ecosystem, err)
}
var vulns []types.DetectedVulnerability
for _, adv := range advisories {
if !d.comparer.IsVulnerable(pkgVer, adv) {
continue
}
vuln := types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkgName,
InstalledVersion: pkgVer,
FixedVersion: createFixedVersions(adv),
DataSource: adv.DataSource,
}
vulns = append(vulns, vuln)
}
return vulns, nil
}
func newComposerDriver() Driver {
c := comparer.GenericComparer{}
return Aggregate(vulnerability.Composer, NewAdvisory(vulnerability.Composer, c), composer.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Composer, c))
}
func createFixedVersions(advisory dbTypes.Advisory) string {
if len(advisory.PatchedVersions) != 0 {
return strings.Join(advisory.PatchedVersions, ", ")
}
func newCargoDriver() Driver {
return Aggregate(vulnerability.Cargo, NewAdvisory(vulnerability.Cargo, comparer.GenericComparer{}))
}
func newNpmDriver() Driver {
c := npm.Comparer{}
return Aggregate(vulnerability.Npm, NewAdvisory(vulnerability.Npm, c), npm.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Npm, c))
}
func newPipDriver() Driver {
c := comparer.GenericComparer{}
return Aggregate(vulnerability.Pip, NewAdvisory(vulnerability.Pip, c), ghsa.NewAdvisory(ecosystem.Pip, c))
}
func newNugetDriver() Driver {
c := comparer.GenericComparer{}
return Aggregate(vulnerability.NuGet, NewAdvisory(vulnerability.NuGet, c), ghsa.NewAdvisory(ecosystem.Nuget, c))
}
func newMavenDriver() Driver {
c := maven.Comparer{}
return Aggregate(vulnerability.Maven, NewAdvisory(vulnerability.Maven, c), ghsa.NewAdvisory(ecosystem.Maven, c))
var fixedVersions []string
for _, version := range advisory.VulnerableVersions {
for _, s := range strings.Split(version, ",") {
s = strings.TrimSpace(s)
if !strings.HasPrefix(s, "<=") && strings.HasPrefix(s, "<") {
s = strings.TrimPrefix(s, "<")
fixedVersions = append(fixedVersions, strings.TrimSpace(s))
}
}
}
return strings.Join(fixedVersions, ", ")
}
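Review bot: `createFixedVersions` has no doc comment, and its fallback branch quietly derives fixed versions from the exclusive `<` upper bounds of `VulnerableVersions` while dropping `<=` bounds, which a later reader will likely take for a missed case rather than a deliberate choice. Suggest heading it with `// createFixedVersions joins PatchedVersions when present; otherwise it derives fixed versions from the exclusive upper bounds ("<X") of VulnerableVersions, since an inclusive bound ("<=X") yields no fixed version.` The `"%s::"` separator built in `DetectVulnerabilities` is the same one the fixtures in this commit rely on (`composer::…`), so a named constant (e.g. `bucketSeparator`, name constructed) shared by code and fixtures would keep the two from drifting apart silently. It is also worth stating in the `DetectVulnerabilities` doc comment that buckets without the ecosystem prefix are not consulted at all, so a scan against a database in the older layout reports nothing for them rather than failing.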


@@ -9,6 +9,7 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/library"
"github.com/aquasecurity/trivy/pkg/types"
@@ -45,6 +46,7 @@ func TestDriver_Detect(t *testing.T) {
InstalledVersion: "4.2.6",
FixedVersion: "4.2.7",
DataSource: &dbTypes.DataSource{
ID: vulnerability.GLAD,
Name: "GitLab Advisory Database Community",
URL: "https://gitlab.com/gitlab-org/advisories-community",
},
@@ -52,21 +54,14 @@ func TestDriver_Detect(t *testing.T) {
},
},
{
name: "non-prefix buckets",
name: "non-prefixed buckets",
fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},
libType: ftypes.Composer,
args: args{
pkgName: "symfony/symfony",
pkgVer: "4.2.6",
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2019-10909",
PkgName: "symfony/symfony",
InstalledVersion: "4.2.6",
FixedVersion: "4.2.7",
},
},
want: nil,
},
{
name: "no patched versions in the advisory",
@@ -86,6 +81,7 @@ func TestDriver_Detect(t *testing.T) {
InstalledVersion: "4.4.6",
FixedVersion: "4.4.7",
DataSource: &dbTypes.DataSource{
ID: vulnerability.PhpSecurityAdvisories,
Name: "PHP Security Advisories Database",
URL: "https://github.com/FriendsOfPHP/security-advisories",
},
@@ -110,6 +106,7 @@ func TestDriver_Detect(t *testing.T) {
InstalledVersion: "4.1.1",
FixedVersion: ">= 4.2.2, ~> 4.1.11",
DataSource: &dbTypes.DataSource{
ID: vulnerability.RubySec,
Name: "Ruby Advisory Database",
URL: "https://github.com/rubysec/ruby-advisory-db",
},
@@ -125,6 +122,16 @@ func TestDriver_Detect(t *testing.T) {
pkgVer: "4.4.7",
},
},
{
name: "malformed JSON",
fixtures: []string{"testdata/fixtures/invalid-type.yaml"},
libType: ftypes.Composer,
args: args{
pkgName: "symfony/symfony",
pkgVer: "5.1.5",
},
wantErr: "failed to unmarshal advisory JSON",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@@ -135,16 +142,15 @@ func TestDriver_Detect(t *testing.T) {
driver, err := library.NewDriver(tt.libType)
require.NoError(t, err)
got, err := driver.Detect(tt.args.pkgName, tt.args.pkgVer)
switch {
case tt.wantErr != "":
require.NotNil(t, err)
got, err := driver.DetectVulnerabilities(tt.args.pkgName, tt.args.pkgVer)
if tt.wantErr != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
default:
assert.NoError(t, err)
return
}
// Compare
assert.NoError(t, err)
assert.Equal(t, tt.want, got)
})
}
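Review bot: The "non-prefixed buckets" case now expects `want: nil` with no explanation, so it reads like a pinned regression rather than intended behaviour: after this migration, advisories held in buckets lacking the `<ecosystem>::` prefix are never read, and a scan against an older database silently reports no findings for them. A one-line comment on the case, e.g. `// buckets without the "<ecosystem>::" prefix are no longer read, so nothing is detected`, would make the intent explicit to whoever next touches the fixture. TestDriver_Detect starts before the first hunk and appears to continue past the last one.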


@@ -1,51 +0,0 @@
package ghsa
import (
"strings"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ghsa"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/types"
)
// Advisory implements VulnSrc
type Advisory struct {
vs ghsa.VulnSrc
comparer comparer.Comparer
}
// NewAdvisory is the factory method to return advisory
func NewAdvisory(ecosystem ghsa.Ecosystem, comparer comparer.Comparer) *Advisory {
return &Advisory{
vs: ghsa.NewVulnSrc(ecosystem),
comparer: comparer,
}
}
// DetectVulnerabilities scans package for vulnerabilities
func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
advisories, err := s.vs.Get(pkgName)
if err != nil {
return nil, xerrors.Errorf("failed to get ghsa advisories: %w", err)
}
var vulns []types.DetectedVulnerability
for _, advisory := range advisories {
if !s.comparer.IsVulnerable(pkgVer, advisory) {
continue
}
vuln := types.DetectedVulnerability{
VulnerabilityID: advisory.VulnerabilityID,
PkgName: pkgName,
InstalledVersion: pkgVer,
FixedVersion: strings.Join(advisory.PatchedVersions, ", "),
DataSource: advisory.DataSource,
}
vulns = append(vulns, vuln)
}
return vulns, nil
}


@@ -1,135 +0,0 @@
package ghsa_test
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
ghsaSrc "github.com/aquasecurity/trivy-db/pkg/vulnsrc/ghsa"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/detector/library/ghsa"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestAdvisory_DetectVulnerabilities(t *testing.T) {
type fields struct {
ecosystem ghsaSrc.Ecosystem
comparer comparer.Comparer
}
type args struct {
pkgName string
pkgVer string
}
tests := []struct {
name string
args args
fields fields
fixtures []string
want []types.DetectedVulnerability
wantErr string
}{
{
name: "composer detected",
fields: fields{
ecosystem: ghsaSrc.Composer,
comparer: comparer.GenericComparer{},
},
args: args{
pkgName: "symfony/symfony",
pkgVer: "5.1.5-alpha",
},
fixtures: []string{
"testdata/fixtures/ghsa.yaml",
"testdata/fixtures/data-source.yaml",
},
want: []types.DetectedVulnerability{
{
PkgName: "symfony/symfony",
InstalledVersion: "5.1.5-alpha",
VulnerabilityID: "CVE-2020-15094",
FixedVersion: "5.1.5, 4.4.13",
DataSource: &dbTypes.DataSource{
Name: "GitHub Security Advisory Composer",
URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer",
},
},
},
},
{
name: "nuget detected",
fields: fields{
ecosystem: ghsaSrc.Nuget,
comparer: comparer.GenericComparer{},
},
args: args{
pkgName: "AWSSDK.Core",
pkgVer: "3.5.1.30",
},
fixtures: []string{
"testdata/fixtures/ghsa.yaml",
"testdata/fixtures/data-source.yaml",
},
want: []types.DetectedVulnerability{
{
PkgName: "AWSSDK.Core",
InstalledVersion: "3.5.1.30",
VulnerabilityID: "CVE-2020-99999",
FixedVersion: "3.5.1.31",
DataSource: &dbTypes.DataSource{
Name: "GitHub Security Advisory Nuget",
URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Anuget",
},
},
},
},
{
name: "not detected",
fields: fields{
ecosystem: ghsaSrc.Composer,
comparer: comparer.GenericComparer{},
},
args: args{
pkgName: "symfony/symfony",
pkgVer: "5.1.5",
},
fixtures: []string{"testdata/fixtures/ghsa.yaml"},
want: nil,
},
{
name: "malformed JSON",
fields: fields{
ecosystem: ghsaSrc.Composer,
comparer: comparer.GenericComparer{},
},
args: args{
pkgName: "symfony/symfony",
pkgVer: "5.1.5",
},
fixtures: []string{"testdata/fixtures/invalid-type.yaml"},
wantErr: "failed to unmarshal advisory JSON",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()
a := ghsa.NewAdvisory(tt.fields.ecosystem, tt.fields.comparer)
got, err := a.DetectVulnerabilities(tt.args.pkgName, tt.args.pkgVer)
if tt.wantErr != "" {
require.NotNil(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
return
} else {
assert.NoError(t, err)
}
assert.Equal(t, tt.want, got)
})
}
}


@@ -1,10 +0,0 @@
- bucket: data-source
pairs:
- key: GitHub Security Advisory Composer
value:
Name: "GitHub Security Advisory Composer"
URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
- key: GitHub Security Advisory Nuget
value:
Name: "GitHub Security Advisory Nuget"
URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Anuget"


@@ -1,22 +0,0 @@
- bucket: GitHub Security Advisory Composer
pairs:
- bucket: "symfony/symfony"
pairs:
- key: CVE-2020-15094
value:
PatchedVersions:
- 5.1.5
- 4.4.13
VulnerableVersions:
- ">= 5.0.0, < 5.1.5"
- ">= 4.4.0, < 4.4.13"
- bucket: GitHub Security Advisory Nuget
pairs:
- bucket: "AWSSDK.Core"
pairs:
- key: CVE-2020-99999
value:
PatchedVersions:
- 3.5.1.31
VulnerableVersions:
- ">= 3.0.0, < 3.5.1.31"


@@ -1,88 +0,0 @@
// Code generated by mockery v1.0.0. DO NOT EDIT.
package library
import mock "github.com/stretchr/testify/mock"
import pkgtypes "github.com/aquasecurity/trivy/pkg/types"
import time "time"
import types "github.com/aquasecurity/fanal/types"
// MockOperation is an autogenerated mock type for the Operation type
type MockOperation struct {
mock.Mock
}
type OperationDetectArgs struct {
ImageName string
ImageNameAnything bool
FilePath string
FilePathAnything bool
Created time.Time
CreatedAnything bool
Pkgs []types.Package
PkgsAnything bool
}
type OperationDetectReturns struct {
Vulns []pkgtypes.DetectedVulnerability
Err error
}
type OperationDetectExpectation struct {
Args OperationDetectArgs
Returns OperationDetectReturns
}
func (_m *MockOperation) ApplyDetectExpectation(e OperationDetectExpectation) {
var args []interface{}
if e.Args.ImageNameAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.ImageName)
}
if e.Args.FilePathAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.FilePath)
}
if e.Args.CreatedAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.Created)
}
if e.Args.PkgsAnything {
args = append(args, mock.Anything)
} else {
args = append(args, e.Args.Pkgs)
}
_m.On("Detect", args...).Return(e.Returns.Vulns, e.Returns.Err)
}
func (_m *MockOperation) ApplyDetectExpectations(expectations []OperationDetectExpectation) {
for _, e := range expectations {
_m.ApplyDetectExpectation(e)
}
}
// Detect provides a mock function with given fields: imageName, filePath, created, pkgs
func (_m *MockOperation) Detect(imageName string, filePath string, created time.Time, pkgs []types.Package) ([]pkgtypes.DetectedVulnerability, error) {
ret := _m.Called(imageName, filePath, created, pkgs)
var r0 []pkgtypes.DetectedVulnerability
if rf, ok := ret.Get(0).(func(string, string, time.Time, []types.Package) []pkgtypes.DetectedVulnerability); ok {
r0 = rf(imageName, filePath, created, pkgs)
} else {
if ret.Get(0) != nil {
r0 = ret.Get(0).([]pkgtypes.DetectedVulnerability)
}
}
var r1 error
if rf, ok := ret.Get(1).(func(string, string, time.Time, []types.Package) error); ok {
r1 = rf(imageName, filePath, created, pkgs)
} else {
r1 = ret.Error(1)
}
return r0, r1
}


@@ -1,57 +0,0 @@
package npm
import (
"strings"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/node"
"github.com/aquasecurity/trivy/pkg/types"
)
// Advisory encapsulate Node vulnerability source
type Advisory struct {
comparer Comparer
vs node.VulnSrc
}
// NewAdvisory is the factory method for Node Advisory
func NewAdvisory() *Advisory {
return &Advisory{
vs: node.NewVulnSrc(),
comparer: Comparer{},
}
}
// DetectVulnerabilities scans and return vulnerability using Node package scanner
func (a *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
advisories, err := a.vs.Get(pkgName)
if err != nil {
return nil, xerrors.Errorf("failed to get node advisories: %w", err)
}
var vulns []types.DetectedVulnerability
for _, advisory := range advisories {
if !a.comparer.IsVulnerable(pkgVer, advisory) {
continue
}
vuln := types.DetectedVulnerability{
VulnerabilityID: advisory.VulnerabilityID,
PkgName: pkgName,
InstalledVersion: pkgVer,
FixedVersion: createFixedVersions(advisory.PatchedVersions),
DataSource: advisory.DataSource,
}
vulns = append(vulns, vuln)
}
return vulns, nil
}
func createFixedVersions(patchedVersions []string) string {
var fixedVersions []string
for _, s := range patchedVersions {
fixedVersions = append(fixedVersions, strings.TrimSpace(s))
}
return strings.Join(fixedVersions, ", ")
}


@@ -1,96 +0,0 @@
package npm_test
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/library/npm"
"github.com/aquasecurity/trivy/pkg/types"
)
func TestAdvisory_DetectVulnerabilities(t *testing.T) {
type args struct {
pkgName string
pkgVer string
}
tests := []struct {
name string
args args
fixtures []string
want []types.DetectedVulnerability
wantErr string
}{
{
name: "detected",
args: args{
pkgName: "electron",
pkgVer: "2.0.17",
},
fixtures: []string{
"testdata/fixtures/npm.yaml",
"testdata/fixtures/data-source.yaml",
},
want: []types.DetectedVulnerability{
{
PkgName: "electron",
InstalledVersion: "2.0.17",
VulnerabilityID: "CVE-2019-5786",
FixedVersion: "^2.0.18, ^3.0.16, ^3.1.6, ^4.0.8, ^5.0.0-beta.5",
DataSource: &dbTypes.DataSource{
Name: "Node.js Ecosystem Security Working Group",
URL: "https://github.com/nodejs/security-wg",
},
},
},
},
{
name: "not detected",
args: args{
pkgName: "electron",
pkgVer: "2.0.18",
},
fixtures: []string{"testdata/fixtures/npm.yaml"},
want: nil,
},
{
name: "empty value",
args: args{
pkgName: "electron",
pkgVer: "2.0.18",
},
fixtures: []string{"testdata/fixtures/no-value.yaml"},
want: nil,
},
{name: "malformed JSON",
args: args{
pkgName: "electron",
pkgVer: "2.0.18",
},
fixtures: []string{"testdata/fixtures/invalid-type.yaml"},
wantErr: "failed to unmarshal advisory JSON",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
_ = dbtest.InitDB(t, tt.fixtures)
defer db.Close()
a := npm.NewAdvisory()
got, err := a.DetectVulnerabilities(tt.args.pkgName, tt.args.pkgVer)
if tt.wantErr != "" {
require.NotNil(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
return
}
assert.NoError(t, err)
assert.Equal(t, tt.want, got)
})
}
}


@@ -1,6 +0,0 @@
- bucket: data-source
pairs:
- key: nodejs-security-wg
value:
Name: "Node.js Ecosystem Security Working Group"
URL: "https://github.com/nodejs/security-wg"


@@ -1,9 +0,0 @@
- bucket: nodejs-security-wg
pairs:
- bucket: electron
pairs:
- key: CVE-2019-5786
value:
PatchedVersions:
- 1
- 2


@@ -1,6 +0,0 @@
- bucket: nodejs-security-wg
pairs:
- bucket: electron
pairs:
- key: CVE-2019-5786
value:


@@ -1,18 +0,0 @@
- bucket: nodejs-security-wg
pairs:
- bucket: electron
pairs:
- key: CVE-2019-5786
value:
PatchedVersions:
- "^2.0.18"
- "^3.0.16"
- "^3.1.6"
- "^4.0.8"
- "^5.0.0-beta.5"
VulnerableVersions:
- "<2.0.18"
- "<3.0.16"
- "<3.1.6"
- "<4.0.8"
- "<5.0.0-beta.5"


@@ -2,13 +2,16 @@
pairs:
- key: composer::GitLab Advisory Database Community
value:
ID: "glad"
Name: "GitLab Advisory Database Community"
URL: "https://gitlab.com/gitlab-org/advisories-community"
- key: composer::php-security-advisories
value:
ID: "php-security-advisories"
Name: "PHP Security Advisories Database"
URL: "https://github.com/FriendsOfPHP/security-advisories"
- key: rubygems::ruby-advisory-db
value:
ID: "ruby-advisory-db"
Name: "Ruby Advisory Database"
URL: "https://github.com/rubysec/ruby-advisory-db"


@@ -1,4 +1,4 @@
- bucket: GitHub Security Advisory Composer
- bucket: composer::GitHub Security Advisory Composer
pairs:
- bucket: "symfony/symfony"
pairs:


@@ -1,7 +1,6 @@
package alma_test
import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"testing"
"time"
@@ -11,6 +10,8 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/alma"
"github.com/aquasecurity/trivy/pkg/types"
@@ -61,6 +62,7 @@ func TestScanner_Detect(t *testing.T) {
FixedVersion: "3.6.8-37.el8.alma",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Alma,
Name: "AlmaLinux Product Errata",
URL: "https://errata.almalinux.org/",
},


@@ -2,5 +2,6 @@
pairs:
- key: alma 8
value:
ID: "alma"
Name: "AlmaLinux Product Errata"
URL: "https://errata.almalinux.org/"


@@ -1,7 +1,6 @@
package alpine_test
import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"sort"
"testing"
"time"
@@ -12,6 +11,8 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine"
"github.com/aquasecurity/trivy/pkg/types"
@@ -62,6 +63,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Alpine,
Name: "Alpine Secdb",
URL: "https://secdb.alpinelinux.org/",
},
@@ -75,6 +77,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Alpine,
Name: "Alpine Secdb",
URL: "https://secdb.alpinelinux.org/",
},
@@ -102,6 +105,7 @@ func TestScanner_Detect(t *testing.T) {
InstalledVersion: "1.6-r0",
FixedVersion: "1.6-r1",
DataSource: &dbTypes.DataSource{
ID: vulnerability.Alpine,
Name: "Alpine Secdb",
URL: "https://secdb.alpinelinux.org/",
},
@@ -135,6 +139,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Alpine,
Name: "Alpine Secdb",
URL: "https://secdb.alpinelinux.org/",
},


@@ -2,5 +2,6 @@
pairs:
- key: alpine 3.10
value:
ID: "alpine"
Name: "Alpine Secdb"
URL: "https://secdb.alpinelinux.org/"


@@ -1,7 +1,6 @@
package amazon_test
import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"testing"
"time"
@@ -11,6 +10,8 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon"
"github.com/aquasecurity/trivy/pkg/types"
@@ -55,6 +56,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Amazon,
Name: "Amazon Linux Security Center",
URL: "https://alas.aws.amazon.com/",
},
@@ -86,6 +88,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Amazon,
Name: "Amazon Linux Security Center",
URL: "https://alas.aws.amazon.com/",
},


@@ -2,9 +2,11 @@
pairs:
- key: amazon linux 1
value:
ID: "amazon"
Name: "Amazon Linux Security Center"
URL: "https://alas.aws.amazon.com/"
- key: amazon linux 2
value:
ID: "amazon"
Name: "Amazon Linux Security Center"
URL: "https://alas.aws.amazon.com/"


@@ -58,6 +58,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Debian,
Name: "Debian Security Tracker",
URL: "https://salsa.debian.org/security-tracker-team/security-tracker",
},
@@ -74,6 +75,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Debian,
Name: "Debian Security Tracker",
URL: "https://salsa.debian.org/security-tracker-team/security-tracker",
},


@@ -2,5 +2,6 @@
pairs:
- key: debian 9
value:
ID: "debian"
Name: "Debian Security Tracker"
URL: "https://salsa.debian.org/security-tracker-team/security-tracker"


@@ -3,13 +3,13 @@ package mariner_test
import (
"testing"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
"github.com/aquasecurity/trivy/pkg/types"
@@ -59,6 +59,7 @@ func TestScanner_Detect(t *testing.T) {
FixedVersion: "9.16.15-1.cm1",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
ID: vulnerability.CBLMariner,
Name: "CBL-Mariner Vulnerability Data",
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData",
},
@@ -96,6 +97,7 @@ func TestScanner_Detect(t *testing.T) {
InstalledVersion: "8.2.4081-1.cm1",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
ID: vulnerability.CBLMariner,
Name: "CBL-Mariner Vulnerability Data",
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData",
},


@@ -2,11 +2,13 @@
pairs:
- key: CBL-Mariner 1.0
value:
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
- bucket: data-source
pairs:
- key: CBL-Mariner 2.0
value:
ID: "cbl-mariner"
Name: "CBL-Mariner Vulnerability Data"
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData"


@@ -1,7 +1,6 @@
package oracle
import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"testing"
"time"
@@ -12,7 +11,9 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -131,6 +132,7 @@ func TestScanner_Detect(t *testing.T) {
InstalledVersion: "7.29.0-59.0.1.el7",
FixedVersion: "7.29.0-59.0.1.el7_9.1",
DataSource: &dbTypes.DataSource{
ID: vulnerability.OracleOVAL,
Name: "Oracle Linux OVAL definitions",
URL: "https://linux.oracle.com/security/oval/",
},
@@ -203,6 +205,7 @@ func TestScanner_Detect(t *testing.T) {
InstalledVersion: "2:2.17-156.ksplice1.el7",
FixedVersion: "2:2.17-157.ksplice1.el7_3.4",
DataSource: &dbTypes.DataSource{
ID: vulnerability.OracleOVAL,
Name: "Oracle Linux OVAL definitions",
URL: "https://linux.oracle.com/security/oval/",
},


@@ -2,5 +2,6 @@
pairs:
- key: Oracle Linux 7
value:
ID: "oracle-oval"
Name: "Oracle Linux OVAL definitions"
URL: "https://linux.oracle.com/security/oval/"


@@ -1,7 +1,6 @@
package photon_test
import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"testing"
"time"
@@ -11,6 +10,8 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/photon"
"github.com/aquasecurity/trivy/pkg/types"
@@ -57,6 +58,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Photon,
Name: "Photon OS CVE metadata",
URL: "https://packages.vmware.com/photon/photon_cve_metadata/",
},


@@ -2,5 +2,6 @@
pairs:
- key: Photon OS 1.0
value:
ID: "photon"
Name: "Photon OS CVE metadata"
URL: "https://packages.vmware.com/photon/photon_cve_metadata/"


@@ -1,7 +1,6 @@
package rocky_test
import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"testing"
"time"
@@ -11,6 +10,8 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/rocky"
"github.com/aquasecurity/trivy/pkg/types"
@@ -58,6 +59,7 @@ func TestScanner_Detect(t *testing.T) {
FixedVersion: "4.18.0-348.2.1.el8_5",
Layer: ftypes.Layer{},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Rocky,
Name: "Rocky Linux updateinfo",
URL: "https://download.rockylinux.org/pub/rocky/",
},


@@ -2,5 +2,6 @@
pairs:
- key: rocky 8
value:
ID: "rocky"
Name: "Rocky Linux updateinfo"
URL: "https://download.rockylinux.org/pub/rocky/"


@@ -1,7 +1,6 @@
package suse_test
import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"testing"
"time"
@@ -11,6 +10,8 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/suse"
"github.com/aquasecurity/trivy/pkg/types"
@@ -59,6 +60,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.SuseCVRF,
Name: "SUSE CVRF",
URL: "https://ftp.suse.com/pub/projects/security/cvrf/",
},


@@ -2,9 +2,11 @@
pairs:
- key: openSUSE Leap 15.3
value:
ID: "suse-cvrf"
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
- key: SUSE Linux Enterprise 15.3
value:
ID: "suse-cvrf"
Name: "SUSE CVRF"
URL: "https://ftp.suse.com/pub/projects/security/cvrf/"


@@ -2,9 +2,11 @@
pairs:
- key: ubuntu 20.04
value:
ID: "ubuntu"
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"
- key: ubuntu 21.04
value:
ID: "ubuntu"
Name: "Ubuntu CVE Tracker"
URL: "https://git.launchpad.net/ubuntu-cve-tracker"


@@ -1,7 +1,6 @@
package ubuntu_test
import (
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"sort"
"testing"
"time"
@@ -12,6 +11,8 @@ import (
ftypes "github.com/aquasecurity/fanal/types"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest"
"github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu"
"github.com/aquasecurity/trivy/pkg/types"
@@ -56,6 +57,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Ubuntu,
Name: "Ubuntu CVE Tracker",
URL: "https://git.launchpad.net/ubuntu-cve-tracker",
},
@@ -69,6 +71,7 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
DataSource: &dbTypes.DataSource{
ID: vulnerability.Ubuntu,
Name: "Ubuntu CVE Tracker",
URL: "https://git.launchpad.net/ubuntu-cve-tracker",
},


@@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/assert"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/report"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -47,12 +48,12 @@ func TestReportWriter_Sarif(t *testing.T) {
Title: "foobar",
Description: "baz",
Severity: "HIGH",
CVSS: map[string]dbTypes.CVSS{
"nvd": {
CVSS: map[dbTypes.SourceID]dbTypes.CVSS{
vulnerability.NVD: {
V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
V3Score: 9.8,
},
"redhat": {
vulnerability.RedHat: {
V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
V3Score: 7.5,
},


@@ -3,18 +3,22 @@ package report
import (
"bytes"
"encoding/xml"
"fmt"
"html"
"io"
"os"
"strings"
"text/template"
"time"
"github.com/Masterminds/sprig"
"golang.org/x/xerrors"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/log"
)
// CustomTemplateFuncMap is used to overwrite existing functions for testing.
var CustomTemplateFuncMap = map[string]interface{}{}
// TemplateWriter write result in custom format defined by user's template
type TemplateWriter struct {
Output io.Writer
@@ -35,7 +39,7 @@ func NewTemplateWriter(output io.Writer, outputTemplate string) (*TemplateWriter
templateFuncMap["escapeXML"] = func(input string) string {
escaped := &bytes.Buffer{}
if err := xml.EscapeText(escaped, []byte(input)); err != nil {
fmt.Printf("error while escapeString to XML: %v", err.Error())
log.Logger.Error("error while escapeString to XML: %s", err)
return input
}
return escaped.String()
@@ -46,18 +50,18 @@ func NewTemplateWriter(output io.Writer, outputTemplate string) (*TemplateWriter
}
return input
}
templateFuncMap["toLower"] = func(input string) string {
return strings.ToLower(input)
}
templateFuncMap["escapeString"] = func(input string) string {
return html.EscapeString(input)
}
templateFuncMap["getEnv"] = func(key string) string {
return os.Getenv(key)
templateFuncMap["sourceID"] = func(input string) dbTypes.SourceID {
return dbTypes.SourceID(input)
}
templateFuncMap["getCurrentTime"] = func() string {
return Now().UTC().Format(time.RFC3339Nano)
// Overwrite functions
for k, v := range CustomTemplateFuncMap {
templateFuncMap[k] = v
}
tmpl, err := template.New("output template").Funcs(templateFuncMap).Parse(outputTemplate)
if err != nil {
return nil, xerrors.Errorf("error parsing template: %w", err)
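Review bot: `log.Logger.Error("error while escapeString to XML: %s", err)` in the `escapeXML` helper passes a printf-style verb to a method that, if `log.Logger` is the zap `SugaredLogger` used elsewhere in trivy, is Sprint-style: the `%s` would be written literally and the error appended after it, so `log.Logger.Errorf("error while escapeString to XML: %s", err)` is the intended call. The new `sourceID` template function has no comment; `// sourceID converts a template string into a dbTypes.SourceID so that CVSS maps keyed by source can be indexed from templates.` would explain why a plain string key no longer works with `index .CVSS`. `CustomTemplateFuncMap` is an exported mutable package-level map that exists only as a test seam; an unexported map with a test-only setter, or a functional option on `NewTemplateWriter`, would avoid letting importers mutate global state that every template writer picks up. `NewTemplateWriter` begins and ends outside the hunk.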
