From e5fc57af0ead0c8209915c4397aaf40e6022a766 Mon Sep 17 00:00:00 2001
From: knqyf263
Date: Mon, 28 Oct 2019 11:48:11 +0200
Subject: [PATCH] refactor(ospkg_scanner): use trivy-db

---
 pkg/scanner/ospkg/alpine/alpine.go      | 32 ++++++++++++---------
 pkg/scanner/ospkg/amazon/amazon.go      | 15 +++++-----
 pkg/scanner/ospkg/amazon/amazon_test.go | 38 ++++++++++++-------------
 pkg/scanner/ospkg/debian/debian.go      | 36 ++++++++++++++---------
 pkg/scanner/ospkg/redhat/redhat.go      | 35 ++++++++++++++---------
 pkg/scanner/ospkg/ubuntu/ubuntu.go      | 28 +++++++++++-------
 pkg/types/vulnerability.go              | 11 +++++++
 7 files changed, 117 insertions(+), 78 deletions(-)

diff --git a/pkg/scanner/ospkg/alpine/alpine.go b/pkg/scanner/ospkg/alpine/alpine.go
index 40ba47fc62..e0d422b730 100644
--- a/pkg/scanner/ospkg/alpine/alpine.go
+++ b/pkg/scanner/ospkg/alpine/alpine.go
@@ -4,13 +4,15 @@ import (
 	"strings"
 	"time"
 
-	"github.com/aquasecurity/fanal/analyzer"
-	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/scanner/utils"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/alpine"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
 	version "github.com/knqyf263/go-rpm-version"
 	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/scanner/utils"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 var (
@@ -37,13 +39,17 @@ var (
 	}
 )
 
-type Scanner struct{}
-
-func NewScanner() *Scanner {
-	return &Scanner{}
+type Scanner struct {
+	vs dbTypes.VulnSrc
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
+func NewScanner() *Scanner {
+	return &Scanner{
+		vs: alpine.NewVulnSrc(),
+	}
+}
+
+func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Alpine vulnerabilities...")
 	if strings.Count(osVer, ".") > 1 {
 		osVer = osVer[:strings.LastIndex(osVer, ".")]
@@ -51,9 +57,9 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	log.Logger.Debugf("alpine: os version: %s", osVer)
 	log.Logger.Debugf("alpine: the number of packages: %d", len(pkgs))
 
-	var vulns []vulnerability.DetectedVulnerability
+	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
-		advisories, err := alpine.Get(osVer, pkg.Name)
+		advisories, err := s.vs.Get(osVer, pkg.Name)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get alpine advisories: %w", err)
 		}
@@ -64,7 +70,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 		for _, adv := range advisories {
 			fixedVersion := version.NewVersion(adv.FixedVersion)
 			if installedVersion.LessThan(fixedVersion) {
-				vuln := vulnerability.DetectedVulnerability{
+				vuln := types.DetectedVulnerability{
 					VulnerabilityID:  adv.VulnerabilityID,
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
diff --git a/pkg/scanner/ospkg/amazon/amazon.go b/pkg/scanner/ospkg/amazon/amazon.go
index b552d8483f..47e9fa5eb0 100644
--- a/pkg/scanner/ospkg/amazon/amazon.go
+++ b/pkg/scanner/ospkg/amazon/amazon.go
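Review bot: `Scanner` is no longer safe to build as a zero value: `Detect` calls `s.vs.Get(osVer, pkg.Name)` in the `@@ -51,9` hunk, so a `Scanner{}` constructed without `NewScanner` now panics on a nil interface, whereas the old empty struct worked from any literal. I cannot see the callers, so if anything outside this package still builds the struct directly this is a silent regression. Either document the contract on the type — `// Scanner must be created with NewScanner; its zero value has no vulnerability source.` — or fail closed at the top of Detect with `if s.vs == nil { return nil, xerrors.New("alpine: vulnerability source is not initialized") }`. Detect's body continues past the end of the hunk.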
@@ -5,19 +5,20 @@ import (
 
 	"go.uber.org/zap"
 
-	"github.com/aquasecurity/fanal/analyzer"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/amazon"
 	version "github.com/knqyf263/go-deb-version"
 	"golang.org/x/xerrors"
 
+	"github.com/aquasecurity/fanal/analyzer"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/amazon"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 type Scanner struct {
 	l  *zap.SugaredLogger
-	ac amazon.Operations
+	ac dbTypes.VulnSrc
 }
 
 func NewScanner() *Scanner {
@@ -27,7 +28,7 @@ func NewScanner() *Scanner {
 	}
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
+func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Amazon Linux vulnerabilities...")
 	osVer = strings.Fields(osVer)[0]
 
@@ -37,7 +38,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	log.Logger.Debugf("amazon: os version: %s", osVer)
 	log.Logger.Debugf("amazon: the number of packages: %d", len(pkgs))
 
-	var vulns []vulnerability.DetectedVulnerability
+	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
 		advisories, err := s.ac.Get(osVer, pkg.Name)
 		if err != nil {
@@ -63,7 +64,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 			}
 
 			if installedVersion.LessThan(fixedVersion) {
-				vuln := vulnerability.DetectedVulnerability{
+				vuln := types.DetectedVulnerability{
 					VulnerabilityID:  adv.VulnerabilityID,
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
diff --git a/pkg/scanner/ospkg/amazon/amazon_test.go b/pkg/scanner/ospkg/amazon/amazon_test.go
index 413a6bf9b2..fd4d880f82 100644
--- a/pkg/scanner/ospkg/amazon/amazon_test.go
+++ b/pkg/scanner/ospkg/amazon/amazon_test.go
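Review bot: The field `ac` in the Amazon `Scanner` now holds a generic `dbTypes.VulnSrc` rather than `amazon.Operations`, so its name (presumably short for "amazon config") no longer describes it, and every other scanner in this commit calls the same field `vs`. Renaming it — `vs dbTypes.VulnSrc` in the struct and `s.vs.Get(osVer, pkg.Name)` in Detect — makes the five scanners read identically; the rename would also touch the `ac:` keys in amazon_test.go. The body of `NewScanner` that presumably assigns `amazon.NewVulnSrc()` (the `amazon` import is kept) lies outside the hunk, as does most of Detect.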
@@ -4,34 +4,34 @@ import ( "errors" "testing" + "github.com/stretchr/testify/assert" "go.uber.org/zap" - "go.uber.org/zap/zapcore" "go.uber.org/zap/zaptest/observer" "github.com/aquasecurity/fanal/analyzer" + dbTypes "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy/pkg/log" - "github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability" - "github.com/stretchr/testify/assert" + "github.com/aquasecurity/trivy/pkg/types" ) type MockAmazonConfig struct { - update func(string, map[string]struct{}) error - get func(string, string) ([]vulnerability.Advisory, error) + update func(string) error + get func(string, string) ([]dbTypes.Advisory, error) } -func (mac MockAmazonConfig) Update(a string, b map[string]struct{}) error { +func (mac MockAmazonConfig) Update(a string) error { if mac.update != nil { - return mac.update(a, b) + return mac.update(a) } return nil } -func (mac MockAmazonConfig) Get(a string, b string) ([]vulnerability.Advisory, error) { +func (mac MockAmazonConfig) Get(a string, b string) ([]dbTypes.Advisory, error) { if mac.get != nil { return mac.get(a, b) } - return []vulnerability.Advisory{}, nil + return []dbTypes.Advisory{}, nil } func TestScanner_Detect(t *testing.T) { @@ -41,8 +41,8 @@ func TestScanner_Detect(t *testing.T) { s := &Scanner{ l: log.Logger, ac: MockAmazonConfig{ - get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) { - return []vulnerability.Advisory{ + get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) { + return []dbTypes.Advisory{ { VulnerabilityID: "123", FixedVersion: "3.0.0", @@ -65,7 +65,7 @@ func TestScanner_Detect(t *testing.T) { }, }) assert.NoError(t, err) - assert.Equal(t, []vulnerability.DetectedVulnerability{ + assert.Equal(t, []types.DetectedVulnerability{ { VulnerabilityID: "123", PkgName: "testpkg", 
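Review bot: `MockAmazonConfig` is meant to satisfy `dbTypes.VulnSrc` — its `Update` was rewritten to `Update(a string) error` to follow the interface — but nothing pins that at compile time; it is only checked indirectly where a test assigns the mock to the scanner's `ac` field. A one-line assertion next to the type, `var _ dbTypes.VulnSrc = MockAmazonConfig{}`, makes the next change to the interface fail at the mock with a clear message instead of deep in a test body. Since `Update` reports success whenever `mac.update` is nil, a short comment such as `// Update is a no-op unless the test supplies an update func.` would also help a reader of the mock.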
@@ -84,7 +84,7 @@ func TestScanner_Detect(t *testing.T) {
 		s := &Scanner{
 			l: log.Logger,
 			ac: MockAmazonConfig{
-				get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) {
 					return nil, errors.New("failed to fetch advisories")
 				},
 			},
@@ -104,8 +104,8 @@ func TestScanner_Detect(t *testing.T) {
 		s := &Scanner{
 			l: log.Logger,
 			ac: MockAmazonConfig{
-				get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
-					return []vulnerability.Advisory{
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) {
+					return []dbTypes.Advisory{
 						{
 							VulnerabilityID: "123",
 							FixedVersion:    "3.0.0",
@@ -122,7 +122,7 @@ func TestScanner_Detect(t *testing.T) {
 			},
 		})
 		assert.NoError(t, err)
-		assert.Equal(t, []vulnerability.DetectedVulnerability(nil), vuls)
+		assert.Equal(t, []types.DetectedVulnerability(nil), vuls)
 		loggedMessages := getAllLoggedLogs(recorder)
 		assert.Contains(t, loggedMessages, "failed to parse Amazon Linux installed package version: upstream_version must start with digit")
 	})
@@ -133,8 +133,8 @@ func TestScanner_Detect(t *testing.T) {
 		s := &Scanner{
 			l: log.Logger,
 			ac: MockAmazonConfig{
-				get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
-					return []vulnerability.Advisory{
+				get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) {
+					return []dbTypes.Advisory{
 						{
 							VulnerabilityID: "123",
 							FixedVersion:    "thisisbadversioning",
@@ -151,7 +151,7 @@ func TestScanner_Detect(t *testing.T) {
 			},
 		})
 		assert.NoError(t, err)
-		assert.Equal(t, []vulnerability.DetectedVulnerability(nil), vuls)
+		assert.Equal(t, []types.DetectedVulnerability(nil), vuls)
 		loggedMessages := getAllLoggedLogs(recorder)
 		assert.Contains(t, loggedMessages, "failed to parse Amazon Linux package version: upstream_version must start with digit")
 	})
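Review bot: The rewritten `get` closures keep their parameters named `s` and `s2`, so `s` shadows the `s := &Scanner{` literal being built two lines above in each hunk; since these lines are already changed by the commit, `get: func(_ string, _ string) (advisories []dbTypes.Advisory, e error) {` removes the shadow (no closure here reads either argument). The named results `advisories` and `e` are likewise never assigned and could be plain `([]dbTypes.Advisory, error)`. Each `t.Run` body starts before and ends after its hunk.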
diff --git a/pkg/scanner/ospkg/debian/debian.go b/pkg/scanner/ospkg/debian/debian.go
index fb561f30c4..a9f2a3708b 100644
--- a/pkg/scanner/ospkg/debian/debian.go
+++ b/pkg/scanner/ospkg/debian/debian.go
@@ -4,15 +4,17 @@ import (
 	"strings"
 	"time"
 
-	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/debian"
+	debianoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/debian-oval"
+
 	version "github.com/knqyf263/go-deb-version"
 	"golang.org/x/xerrors"
 
+	"github.com/aquasecurity/fanal/analyzer"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/debian"
-	debianoval "github.com/aquasecurity/trivy/pkg/vulnsrc/debian-oval"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 var (
@@ -38,13 +40,19 @@ var (
 	}
 )
 
-type Scanner struct{}
-
-func NewScanner() *Scanner {
-	return &Scanner{}
+type Scanner struct {
+	ovalVs dbTypes.VulnSrc
+	vs     dbTypes.VulnSrc
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
+func NewScanner() *Scanner {
+	return &Scanner{
+		ovalVs: debianoval.NewVulnSrc(),
+		vs:     debian.NewVulnSrc(),
+	}
+}
+
+func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Debian vulnerabilities...")
 	if strings.Count(osVer, ".") > 0 {
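Review bot: The Debian `Scanner` now carries two unexplained sources, `ovalVs` and `vs`, and nothing on the type says how they differ; the Detect hunks further down show OVAL advisories being filtered with `installedVersion.LessThan(fixedVersion)` while advisories from `vs` are appended with no comparison, which is exactly what a reader needs to know here. Suggest a comment on the struct along the lines of `// ovalVs is the Debian OVAL source, whose advisories carry fixed versions and are compared against the installed package; vs is the Debian advisory source, whose entries are reported without a version check.` The `@@ -38,13` hunk appears cut short (its header promises 13 old lines but 12 are shown), and Detect's body continues beyond it.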
@@ -53,9 +61,9 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	log.Logger.Debugf("debian: os version: %s", osVer)
 	log.Logger.Debugf("debian: the number of packages: %d", len(pkgs))
 
-	var vulns []vulnerability.DetectedVulnerability
+	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
-		advisories, err := debianoval.Get(osVer, pkg.SrcName)
+		advisories, err := s.ovalVs.Get(osVer, pkg.SrcName)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get debian OVAL: %w", err)
 		}
@@ -75,7 +83,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 			}
 
 			if installedVersion.LessThan(fixedVersion) {
-				vuln := vulnerability.DetectedVulnerability{
+				vuln := types.DetectedVulnerability{
 					VulnerabilityID:  adv.VulnerabilityID,
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
@@ -84,12 +92,12 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 				vulns = append(vulns, vuln)
 			}
 		}
-		advisories, err = debian.Get(osVer, pkg.SrcName)
+		advisories, err = s.vs.Get(osVer, pkg.SrcName)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get debian advisory: %w", err)
 		}
 		for _, adv := range advisories {
-			vuln := vulnerability.DetectedVulnerability{
+			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
diff --git a/pkg/scanner/ospkg/redhat/redhat.go b/pkg/scanner/ospkg/redhat/redhat.go
index d1135c0b54..a9b5d6581f 100644
--- a/pkg/scanner/ospkg/redhat/redhat.go
+++ b/pkg/scanner/ospkg/redhat/redhat.go
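Review bot: In the `@@ -84,12` hunk every advisory returned by `s.vs.Get(osVer, pkg.SrcName)` is appended without a version comparison and without checking whether the same `VulnerabilityID` was already emitted for this package from `s.ovalVs` in the loop above, so a CVE present in both trivy-db sources is reported twice. That behaviour predates the commit, but switching the backing store to trivy-db is the moment to pin it down: either track the IDs reported from OVAL in a `map[string]struct{}` and skip them here, or add a comment stating that the two sources are disjoint if the DB builder guarantees that (not visible from this diff). The `for _, pkg` loop and the tail of Detect fall outside the hunk.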
@@ -4,14 +4,17 @@ import (
 	"strings"
 	"time"
 
-	"github.com/aquasecurity/fanal/analyzer"
-	"github.com/aquasecurity/fanal/analyzer/os"
-	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/scanner/utils"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/redhat"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/redhat"
+
 	version "github.com/knqyf263/go-rpm-version"
 	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/fanal/analyzer/os"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/scanner/utils"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 var (
@@ -34,13 +37,17 @@ var (
 	}
 )
 
-type Scanner struct{}
-
-func NewScanner() *Scanner {
-	return &Scanner{}
+type Scanner struct {
+	vs dbTypes.VulnSrc
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
+func NewScanner() *Scanner {
+	return &Scanner{
+		vs: redhat.NewVulnSrc(),
+	}
+}
+
+func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting RHEL/CentOS vulnerabilities...")
 	if strings.Count(osVer, ".") > 0 {
 		osVer = osVer[:strings.Index(osVer, ".")]
@@ -48,9 +55,9 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 	log.Logger.Debugf("redhat: os version: %s", osVer)
 	log.Logger.Debugf("redhat: the number of packages: %d", len(pkgs))
 
-	var vulns []vulnerability.DetectedVulnerability
+	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
-		advisories, err := redhat.Get(osVer, pkg.SrcName)
+		advisories, err := s.vs.Get(osVer, pkg.SrcName)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get Red Hat advisories: %w", err)
 		}
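Review bot: `Scanner`, `NewScanner` and `Detect` are all exported and all rewritten in the `@@ -34,13` hunk, yet none carries a doc comment, which matters more now that the type holds state. Suggest `// Scanner detects RHEL/CentOS package vulnerabilities from the Red Hat advisories in trivy-db.` on the type, `// NewScanner returns a Scanner backed by the trivy-db Red Hat source.` on the constructor, and on Detect a line noting that `osVer` is reduced to its major version before the lookup, which is what `osVer = osVer[:strings.Index(osVer, ".")]` does. Detect's body continues past the end of the hunk.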
@@ -60,7 +67,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 
 		for _, adv := range advisories {
 			fixedVersion := version.NewVersion(adv.FixedVersion)
-			vuln := vulnerability.DetectedVulnerability{
+			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
diff --git a/pkg/scanner/ospkg/ubuntu/ubuntu.go b/pkg/scanner/ospkg/ubuntu/ubuntu.go
index f1380e11f1..e0e23cc8ab 100644
--- a/pkg/scanner/ospkg/ubuntu/ubuntu.go
+++ b/pkg/scanner/ospkg/ubuntu/ubuntu.go
@@ -3,14 +3,16 @@ package ubuntu
 import (
 	"time"
 
-	"github.com/aquasecurity/trivy/pkg/scanner/utils"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu"
+
 	version "github.com/knqyf263/go-deb-version"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/fanal/analyzer"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/vulnsrc/ubuntu"
+	"github.com/aquasecurity/trivy/pkg/scanner/utils"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 var (
@@ -49,20 +51,24 @@ var (
 	}
 )
 
-type Scanner struct{}
-
-func NewScanner() *Scanner {
-	return &Scanner{}
+type Scanner struct {
+	vs dbTypes.VulnSrc
 }
 
-func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
+func NewScanner() *Scanner {
+	return &Scanner{
+		vs: ubuntu.NewVulnSrc(),
+	}
+}
+
+func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Ubuntu vulnerabilities...")
 	log.Logger.Debugf("ubuntu: os version: %s", osVer)
 	log.Logger.Debugf("ubuntu: the number of packages: %d", len(pkgs))
 
-	var vulns []vulnerability.DetectedVulnerability
+	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
-		advisories, err := ubuntu.Get(osVer, pkg.SrcName)
+		advisories, err := s.vs.Get(osVer, pkg.SrcName)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get Ubuntu advisories: %w", err)
 		}
@@ -75,7 +81,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 		}
 
 		for _, adv := range advisories {
-			vuln := vulnerability.DetectedVulnerability{
+			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
diff --git a/pkg/types/vulnerability.go b/pkg/types/vulnerability.go
index ab1254f4c2..6627de2243 100644
--- a/pkg/types/vulnerability.go
+++ b/pkg/types/vulnerability.go
@@ -1 +1,12 @@
 package types
+
+import "github.com/aquasecurity/trivy-db/pkg/types"
+
+type DetectedVulnerability struct {
+	VulnerabilityID  string `json:",omitempty"`
+	PkgName          string `json:",omitempty"`
+	InstalledVersion string `json:",omitempty"`
+	FixedVersion     string `json:",omitempty"`
+
+	types.Vulnerability
+}
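Review bot: In pkg/types/vulnerability.go the trivy-db package is imported under its bare name `types` inside a package that is itself named `types`, while every scanner in this commit imports it as `dbTypes`; aliasing it here too — `import dbTypes "github.com/aquasecurity/trivy-db/pkg/types"` and embedding `dbTypes.Vulnerability` — keeps the two `Vulnerability` types distinguishable at a glance. The exported `DetectedVulnerability` has no doc comment; something like `// DetectedVulnerability is one advisory matched against an installed package; the embedded trivy-db Vulnerability carries the advisory metadata.` would do. Because the embedded struct's fields are promoted into the JSON encoding alongside the four tagged fields, trivy's report schema now tracks whatever fields trivy-db adds to `Vulnerability`, which deserves a one-line comment on the embedding so the coupling is deliberate rather than accidental.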