gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 07:10:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

vulnerability: Add CVSS Vectors to JSON output. (#484)

Browse Source 
* vulnerability: Add CVSS Vectors to JSON output.

Now Trivy will display the CVSS Vectors presented by various
vendors as part of the JSON output. This can be seen as follows:

```
      {
        "VulnerabilityID": "CVE-2019-9923",
        "PkgName": "tar",
        "InstalledVersion": "1.30+dfsg-6",
        "Layer": {
          "Digest": "sha256:90fe46dd819953eb995f9cc9c326130abe9dd0b3993a998e12c01d0218a0b831",
          "DiffID": "sha256:e40d297cf5f89a9822af4c2f63caa2f2085d5aa188137506918e603774b083cb"
        },
        "SeveritySource": "debian",
        "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c",
        "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
        "Severity": "LOW",
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "redhat": {
            "v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
          }
        },
        "References": [
          "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120",
          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html",
          "http://savannah.gnu.org/bugs/?55369",
          "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241"
        ]
      },
```

Signed-off-by: Simarpreet Singh <simar@linux.com>

* mod: Update to latest master of trivy-db

Signed-off-by: Simarpreet Singh <simar@linux.com>

* vulnerability_test: Fix tests for new struct type

Signed-off-by: Simarpreet Singh <simar@linux.com>
This commit is contained in:
Simarpreet Singh
2020-05-21 14:22:14 -07:00
committed by GitHub
parent 926f323a72
commit a57c27eeec
3 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
pkg/vulnerability/vulnerability_test.go
View File

@@ -60,7 +60,7 @@ func TestClient_FillInfo(t *testing.T) {
vulns: []types.DetectedVulnerability{
{VulnerabilityID: "CVE-2019-0001"},
},
reportType: vulnerability.Ubuntu,
reportType: vulnerability.RedHat,
},
expectedVulnerabilities: []types.DetectedVulnerability{
{
@@ -146,7 +146,7 @@ func TestClient_FillInfo(t *testing.T) {
},
},
{
name: "happy path, with only OS vulnerability, yes vendor severity",
name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and vendor vectors",
getVulnerability: []db.GetVulnerabilityExpectation{
{
Args: db.GetVulnerabilityArgs{
@@ -160,6 +160,16 @@ func TestClient_FillInfo(t *testing.T) {
VendorSeverity: dbTypes.VendorSeverity{
vulnerability.RedHat: dbTypes.SeverityLow, // CentOS uses RedHat
},
VendorVectors: map[string]dbTypes.CVSSVector{
vulnerability.Nvd: {
V2: "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
V3: "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
},
vulnerability.RedHat: {
V2: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
V3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
},
},
References: []string{"http://example.com"},
},
},
@@ -179,6 +189,16 @@ func TestClient_FillInfo(t *testing.T) {
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
References: []string{"http://example.com"},
VendorVectors: map[string]dbTypes.CVSSVector{
vulnerability.Nvd: {
V2: "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
V3: "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
},
vulnerability.RedHat: {
V2: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
V3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
},
},
},
SeveritySource: vulnerability.RedHat,
},