feat: show origin layer for vulnerabilities (#439)

* chore(mod): update dependencies

* test(integration): update the golden file
Teppei Fukuda
2020-03-18 11:00:23 +02:00
committed by GitHub
parent 07a731c4bb
commit b847e57991
4 changed files with 9 additions and 7 deletions

2
go.mod

@@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy
go 1.13 go 1.13
require ( require (
github.com/aquasecurity/fanal v0.0.0-20200306122936-f0a17242a9a0 github.com/aquasecurity/fanal v0.0.0-20200317181056-f28b6d21845c
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1 github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1
github.com/caarlos0/env/v6 v6.0.0 github.com/caarlos0/env/v6 v6.0.0

4
go.sum

@@ -29,8 +29,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c= github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
github.com/aquasecurity/fanal v0.0.0-20190819081512-f04452b627c6/go.mod h1:enEz4FFetw4XAbkffaYgyCVq1556R9Ry+noqT4rq9BE= github.com/aquasecurity/fanal v0.0.0-20190819081512-f04452b627c6/go.mod h1:enEz4FFetw4XAbkffaYgyCVq1556R9Ry+noqT4rq9BE=
github.com/aquasecurity/fanal v0.0.0-20200306122936-f0a17242a9a0 h1:ZkK02opCRhNdXBQHVA8cYgMFWfIYKAdje6s7LJQOQ0I= github.com/aquasecurity/fanal v0.0.0-20200317181056-f28b6d21845c h1:xOSCXeJVrHWZcYFqdTbE/eGX379U+djqHZzDYnEr2Sg=
github.com/aquasecurity/fanal v0.0.0-20200306122936-f0a17242a9a0/go.mod h1:yPZqe/vMN0QDXBIl3kE9s793zU9NSQuEHGWLlL85bG8= github.com/aquasecurity/fanal v0.0.0-20200317181056-f28b6d21845c/go.mod h1:yPZqe/vMN0QDXBIl3kE9s793zU9NSQuEHGWLlL85bG8=
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4= github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4=
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ= github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
github.com/aquasecurity/trivy v0.1.6/go.mod h1:5hobyhxLzDtxruHzPxpND2PUKOssvGUdE9BocpJUwo4= github.com/aquasecurity/trivy v0.1.6/go.mod h1:5hobyhxLzDtxruHzPxpND2PUKOssvGUdE9BocpJUwo4=


@@ -431,8 +431,10 @@ func setupClient(t *testing.T, ignoreUnfixed bool, severity, ignoreIDs []string,
cleanup := func() { cleanup := func() {
_ = os.Remove(ignoreTmpDir) _ = os.Remove(ignoreTmpDir)
if !*update {
_ = os.Remove(outputFile) _ = os.Remove(outputFile)
} }
}
osArgs = append(osArgs, []string{"--output", outputFile}...) osArgs = append(osArgs, []string{"--output", outputFile}...)
return osArgs, outputFile, cleanup return osArgs, outputFile, cleanup
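Review bot: The new `if !*update` guard around the outputFile removal reads as intentional but carries no explanation, so a later reader may mistake the surviving file for a leaked temporary; a one-line comment would settle it, e.g. `// with -update the output file is the regenerated golden file, so keep it`. The name `update` is presumably a package-level `flag.Bool` declared elsewhere in the test file; that is inferred, not visible in this hunk. The `ignoreTmpDir` removal stays unconditional, which looks right if only the output is golden, but it is worth confirming that in update mode `outputFile` really is the golden path rather than a temp file that is still compared against one. setupClient begins before this hunk and its closing brace lies after it.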


@@ -1213,7 +1213,7 @@
"VulnerabilityID": "CVE-2007-6755", "VulnerabilityID": "CVE-2007-6755",
"PkgName": "libssl1.1", "PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1", "InstalledVersion": "1.1.0k-1~deb9u1",
"LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e", "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
"Title": "Dual_EC_DRBG: weak pseudo random number generator", "Title": "Dual_EC_DRBG: weak pseudo random number generator",
"Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.", "Description": "The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain \"skeleton key\" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.",
"Severity": "MEDIUM", "Severity": "MEDIUM",
@@ -1232,7 +1232,7 @@
"VulnerabilityID": "CVE-2010-0928", "VulnerabilityID": "CVE-2010-0928",
"PkgName": "libssl1.1", "PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1", "InstalledVersion": "1.1.0k-1~deb9u1",
"LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e", "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
"Title": "openssl: RSA authentication weakness", "Title": "openssl: RSA authentication weakness",
"Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"", "Description": "OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a \"fault-based attack.\"",
"Severity": "MEDIUM", "Severity": "MEDIUM",
@@ -1250,7 +1250,7 @@
"PkgName": "libssl1.1", "PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1", "InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1", "FixedVersion": "1.1.0l-1~deb9u1",
"LayerID": "sha256:e92caab8efcf25a24bea5213ab7e54d4a5f5f08644836bb2d296070b1ae1044e", "LayerID": "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
"Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
"Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
"Severity": "MEDIUM", "Severity": "MEDIUM",