From a54d1e95fdfa1eaff0b854c6017035001ef4fef0 Mon Sep 17 00:00:00 2001
From: Andrea Scarpino
Date: Mon, 4 Dec 2023 16:29:14 +0000
Subject: [PATCH] feat(vuln): remove duplicates in Fixed Version (#5596)

Signed-off-by: knqyf263
Co-authored-by: knqyf263
---
 pkg/detector/library/driver.go               |  9 +++++--
 pkg/detector/library/driver_test.go          | 25 +++++++++++++++++++
 .../testdata/fixtures/data-source.yaml       |  5 ++++
 .../library/testdata/fixtures/pip.yaml       | 18 +++++++++++++
 4 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 pkg/detector/library/testdata/fixtures/pip.yaml

diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
index c22d1f7c5a..e18f926a39 100644
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
@@ -136,7 +137,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 
 func createFixedVersions(advisory dbTypes.Advisory) string {
 	if len(advisory.PatchedVersions) != 0 {
-		return strings.Join(advisory.PatchedVersions, ", ")
+		return joinFixedVersions(advisory.PatchedVersions)
 	}
 
 	var fixedVersions []string
@@ -149,5 +150,9 @@ func createFixedVersions(advisory dbTypes.Advisory) string {
 			}
 		}
 	}
-	return strings.Join(fixedVersions, ", ")
+	return joinFixedVersions(fixedVersions)
+}
+
+func joinFixedVersions(fixedVersions []string) string {
+	return strings.Join(lo.Uniq(fixedVersions), ", ")
 }
diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
index 9bfa6ade77..b7b94153c6 100644
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
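Review bot: joinFixedVersions in the second hunk is undocumented, and the contract it now carries — exact-string, order-preserving de-duplication via lo.Uniq — is exactly what the new test case pins; a comment such as `// joinFixedVersions joins the versions with ", ", dropping exact duplicates while keeping first-occurrence order.` would make that explicit. Because the comparison is byte-wise, entries that differ only in formatting (surrounding whitespace, for instance) presumably still appear twice; if the advisory sources can emit such variants, trimming with strings.TrimSpace before lo.Uniq would be a cheap addition. The first hunk adds github.com/samber/lo as a new import of this package, and since the diffstat shows no go.mod change it is presumably already a module dependency rather than a new one. createFixedVersions continues between the two hunks, so the loop that fills fixedVersions from VulnerableVersions is outside the visible lines.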
@@ -157,6 +157,31 @@ func TestDriver_Detect(t *testing.T) {
 			},
 			wantErr: "failed to unmarshal advisory JSON",
 		},
+		{
+			name: "duplicated version in advisory",
+			fixtures: []string{
+				"testdata/fixtures/pip.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.PythonPkg,
+			args: args{
+				pkgName: "Django",
+				pkgVer:  "4.2.1",
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2023-36053",
+					PkgName:          "Django",
+					InstalledVersion: "4.2.1",
+					FixedVersion:     "4.2.3",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.GHSA,
+						Name: "GitHub Security Advisory Pip",
+						URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
index 26d88adf83..eeb4a57e96 100644
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -20,3 +20,8 @@
         ID: "ruby-advisory-db"
         Name: "Ruby Advisory Database"
         URL: "https://github.com/rubysec/ruby-advisory-db"
+    - key: "pip::GitHub Security Advisory Pip"
+      value:
+        ID: "ghsa"
+        Name: "GitHub Security Advisory Pip"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
diff --git a/pkg/detector/library/testdata/fixtures/pip.yaml b/pkg/detector/library/testdata/fixtures/pip.yaml
new file mode 100644
index 0000000000..f39357e16f
--- /dev/null
+++ b/pkg/detector/library/testdata/fixtures/pip.yaml
@@ -0,0 +1,18 @@
+- bucket: "pip::GitHub Security Advisory Pip"
+  pairs:
+    - bucket: Django
+      pairs:
+        - key: CVE-2023-36053
+          value:
+            PatchedVersions:
+              - 4.2.3
+            VulnerableVersions:
+              - < 4.2.3
+    - bucket: django
+      pairs:
+        - key: CVE-2023-36053
+          value:
+            PatchedVersions:
+              - 4.2.3
+            VulnerableVersions:
+              - < 4.2.3
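Review bot: The new "duplicated version in advisory" case only exercises the PatchedVersions branch of createFixedVersions, because both buckets in pip.yaml set PatchedVersions; the fallback path that builds fixedVersions from VulnerableVersions and ends in the second joinFixedVersions call gets no duplicate coverage from this commit. A sibling fixture entry carrying only VulnerableVersions, with the same expected FixedVersion, would close that gap. The case also appears to rely on the driver consulting both the `Django` and `django` buckets to produce the duplicate, so a one-line comment on it, e.g. `// both the "Django" and "django" buckets carry the same fix; the joined FixedVersion must list it once`, would record why two buckets are present in the fixture. TestDriver_Detect starts before this hunk.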