refactor(ospkg_scanner): use trivy-db
@@ -4,13 +4,15 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/scanner/utils"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/alpine"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
|
||||
version "github.com/knqyf263/go-rpm-version"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/scanner/utils"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -37,13 +39,17 @@ var (
|
||||
}
|
||||
)
|
||||
|
||||
type Scanner struct{}
|
||||
|
||||
func NewScanner() *Scanner {
|
||||
return &Scanner{}
|
||||
type Scanner struct {
|
||||
vs dbTypes.VulnSrc
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
|
||||
func NewScanner() *Scanner {
|
||||
return &Scanner{
|
||||
vs: alpine.NewVulnSrc(),
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
|
||||
log.Logger.Info("Detecting Alpine vulnerabilities...")
|
||||
if strings.Count(osVer, ".") > 1 {
|
||||
osVer = osVer[:strings.LastIndex(osVer, ".")]
|
||||
@@ -51,9 +57,9 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
log.Logger.Debugf("alpine: os version: %s", osVer)
|
||||
log.Logger.Debugf("alpine: the number of packages: %d", len(pkgs))
|
||||
|
||||
var vulns []vulnerability.DetectedVulnerability
|
||||
var vulns []types.DetectedVulnerability
|
||||
for _, pkg := range pkgs {
|
||||
advisories, err := alpine.Get(osVer, pkg.Name)
|
||||
advisories, err := s.vs.Get(osVer, pkg.Name)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("failed to get alpine advisories: %w", err)
|
||||
}
|
||||
@@ -64,7 +70,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
for _, adv := range advisories {
|
||||
fixedVersion := version.NewVersion(adv.FixedVersion)
|
||||
if installedVersion.LessThan(fixedVersion) {
|
||||
vuln := vulnerability.DetectedVulnerability{
|
||||
vuln := types.DetectedVulnerability{
|
||||
VulnerabilityID: adv.VulnerabilityID,
|
||||
PkgName: pkg.Name,
|
||||
InstalledVersion: installed,
|
||||
|
||||
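Review bot: `Scanner` in the hunk at `@@ -37,13 +39,17 @@` now carries an unexported `vs dbTypes.VulnSrc` field, so a zero `Scanner{}` — which the old `type Scanner struct{}` made a valid value — holds a nil interface and `Detect` panics at `s.vs.Get(osVer, pkg.Name)`; neither the exported type nor `NewScanner` has a doc comment saying that the constructor is required. I would add `// Scanner detects vulnerabilities in installed Alpine packages. Use NewScanner; a zero Scanner has no vulnerability source and Detect will panic.` above the type, and `// NewScanner returns a Scanner backed by the Alpine advisory source in trivy-db.` above the constructor. The Debian, Red Hat and Ubuntu scanners in this commit get the same struct shape and have the same gap. Detect's body starts in this hunk but continues past it.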
@@ -5,19 +5,20 @@ import (
|
||||
|
||||
"go.uber.org/zap"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/amazon"
|
||||
version "github.com/knqyf263/go-deb-version"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/amazon"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/scanner/utils"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
)
|
||||
|
||||
type Scanner struct {
|
||||
l *zap.SugaredLogger
|
||||
ac amazon.Operations
|
||||
ac dbTypes.VulnSrc
|
||||
}
|
||||
|
||||
func NewScanner() *Scanner {
|
||||
@@ -27,7 +28,7 @@ func NewScanner() *Scanner {
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
|
||||
log.Logger.Info("Detecting Amazon Linux vulnerabilities...")
|
||||
|
||||
osVer = strings.Fields(osVer)[0]
|
||||
@@ -37,7 +38,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
log.Logger.Debugf("amazon: os version: %s", osVer)
|
||||
log.Logger.Debugf("amazon: the number of packages: %d", len(pkgs))
|
||||
|
||||
var vulns []vulnerability.DetectedVulnerability
|
||||
var vulns []types.DetectedVulnerability
|
||||
for _, pkg := range pkgs {
|
||||
advisories, err := s.ac.Get(osVer, pkg.Name)
|
||||
if err != nil {
|
||||
@@ -63,7 +64,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
}
|
||||
|
||||
if installedVersion.LessThan(fixedVersion) {
|
||||
vuln := vulnerability.DetectedVulnerability{
|
||||
vuln := types.DetectedVulnerability{
|
||||
VulnerabilityID: adv.VulnerabilityID,
|
||||
PkgName: pkg.Name,
|
||||
InstalledVersion: installed,
|
||||
|
||||
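Review bot: The retyped field in the hunk at `@@ -5,19 +5,20 @@` keeps the name `ac` (`ac dbTypes.VulnSrc`) although it no longer holds an `amazon.Operations` value, while the Alpine, Debian, Red Hat and Ubuntu scanners in the same commit call the equivalent field `vs`. Renaming it to `vs dbTypes.VulnSrc`, with `s.vs.Get(osVer, pkg.Name)` in Detect, keeps the five scanners reading alike. The `Scanner{...}` literals in the test file set the field by name (`ac: MockAmazonConfig{`), so the rename has to land there as well.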
@@ -4,34 +4,34 @@ import (
|
||||
"errors"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/zap"
|
||||
|
||||
"go.uber.org/zap/zapcore"
|
||||
"go.uber.org/zap/zaptest/observer"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
)
|
||||
|
||||
type MockAmazonConfig struct {
|
||||
update func(string, map[string]struct{}) error
|
||||
get func(string, string) ([]vulnerability.Advisory, error)
|
||||
update func(string) error
|
||||
get func(string, string) ([]dbTypes.Advisory, error)
|
||||
}
|
||||
|
||||
func (mac MockAmazonConfig) Update(a string, b map[string]struct{}) error {
|
||||
func (mac MockAmazonConfig) Update(a string) error {
|
||||
if mac.update != nil {
|
||||
return mac.update(a, b)
|
||||
return mac.update(a)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (mac MockAmazonConfig) Get(a string, b string) ([]vulnerability.Advisory, error) {
|
||||
func (mac MockAmazonConfig) Get(a string, b string) ([]dbTypes.Advisory, error) {
|
||||
if mac.get != nil {
|
||||
return mac.get(a, b)
|
||||
}
|
||||
return []vulnerability.Advisory{}, nil
|
||||
return []dbTypes.Advisory{}, nil
|
||||
}
|
||||
|
||||
func TestScanner_Detect(t *testing.T) {
|
||||
@@ -41,8 +41,8 @@ func TestScanner_Detect(t *testing.T) {
|
||||
s := &Scanner{
|
||||
l: log.Logger,
|
||||
ac: MockAmazonConfig{
|
||||
get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
|
||||
return []vulnerability.Advisory{
|
||||
get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) {
|
||||
return []dbTypes.Advisory{
|
||||
{
|
||||
VulnerabilityID: "123",
|
||||
FixedVersion: "3.0.0",
|
||||
@@ -65,7 +65,7 @@ func TestScanner_Detect(t *testing.T) {
|
||||
},
|
||||
})
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, []vulnerability.DetectedVulnerability{
|
||||
assert.Equal(t, []types.DetectedVulnerability{
|
||||
{
|
||||
VulnerabilityID: "123",
|
||||
PkgName: "testpkg",
|
||||
@@ -84,7 +84,7 @@ func TestScanner_Detect(t *testing.T) {
|
||||
s := &Scanner{
|
||||
l: log.Logger,
|
||||
ac: MockAmazonConfig{
|
||||
get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
|
||||
get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) {
|
||||
return nil, errors.New("failed to fetch advisories")
|
||||
},
|
||||
},
|
||||
@@ -104,8 +104,8 @@ func TestScanner_Detect(t *testing.T) {
|
||||
s := &Scanner{
|
||||
l: log.Logger,
|
||||
ac: MockAmazonConfig{
|
||||
get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
|
||||
return []vulnerability.Advisory{
|
||||
get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) {
|
||||
return []dbTypes.Advisory{
|
||||
{
|
||||
VulnerabilityID: "123",
|
||||
FixedVersion: "3.0.0",
|
||||
@@ -122,7 +122,7 @@ func TestScanner_Detect(t *testing.T) {
|
||||
},
|
||||
})
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, []vulnerability.DetectedVulnerability(nil), vuls)
|
||||
assert.Equal(t, []types.DetectedVulnerability(nil), vuls)
|
||||
loggedMessages := getAllLoggedLogs(recorder)
|
||||
assert.Contains(t, loggedMessages, "failed to parse Amazon Linux installed package version: upstream_version must start with digit")
|
||||
})
|
||||
@@ -133,8 +133,8 @@ func TestScanner_Detect(t *testing.T) {
|
||||
s := &Scanner{
|
||||
l: log.Logger,
|
||||
ac: MockAmazonConfig{
|
||||
get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
|
||||
return []vulnerability.Advisory{
|
||||
get: func(s string, s2 string) (advisories []dbTypes.Advisory, e error) {
|
||||
return []dbTypes.Advisory{
|
||||
{
|
||||
VulnerabilityID: "123",
|
||||
FixedVersion: "thisisbadversioning",
|
||||
@@ -151,7 +151,7 @@ func TestScanner_Detect(t *testing.T) {
|
||||
},
|
||||
})
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, []vulnerability.DetectedVulnerability(nil), vuls)
|
||||
assert.Equal(t, []types.DetectedVulnerability(nil), vuls)
|
||||
loggedMessages := getAllLoggedLogs(recorder)
|
||||
assert.Contains(t, loggedMessages, "failed to parse Amazon Linux package version: upstream_version must start with digit")
|
||||
})
|
||||
|
||||
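Review bot: `MockAmazonConfig` in the hunk at `@@ -4,34 +4,34 @@` now has the shape of `dbTypes.VulnSrc` (`Update(string) error` and `Get(string, string) ([]dbTypes.Advisory, error)`), but nothing states that contract; it is only checked indirectly where the literal is assigned to the `ac` field inside `TestScanner_Detect`. A compile-time assertion `var _ dbTypes.VulnSrc = MockAmazonConfig{}` next to the type makes the dependency explicit and reports a mismatch at the mock rather than inside a subtest the next time the trivy-db interface changes. In the hunks shown here only `get` is set by the subtests; if `update` is kept for completeness, a one-line comment on the field saying so would help.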
@@ -4,15 +4,17 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/debian"
|
||||
debianoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/debian-oval"
|
||||
|
||||
version "github.com/knqyf263/go-deb-version"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/scanner/utils"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/debian"
|
||||
debianoval "github.com/aquasecurity/trivy/pkg/vulnsrc/debian-oval"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -38,13 +40,19 @@ var (
|
||||
}
|
||||
)
|
||||
|
||||
type Scanner struct{}
|
||||
|
||||
func NewScanner() *Scanner {
|
||||
return &Scanner{}
|
||||
type Scanner struct {
|
||||
ovalVs dbTypes.VulnSrc
|
||||
vs dbTypes.VulnSrc
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
|
||||
func NewScanner() *Scanner {
|
||||
return &Scanner{
|
||||
ovalVs: debianoval.NewVulnSrc(),
|
||||
vs: debian.NewVulnSrc(),
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
|
||||
log.Logger.Info("Detecting Debian vulnerabilities...")
|
||||
|
||||
if strings.Count(osVer, ".") > 0 {
|
||||
@@ -53,9 +61,9 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
log.Logger.Debugf("debian: os version: %s", osVer)
|
||||
log.Logger.Debugf("debian: the number of packages: %d", len(pkgs))
|
||||
|
||||
var vulns []vulnerability.DetectedVulnerability
|
||||
var vulns []types.DetectedVulnerability
|
||||
for _, pkg := range pkgs {
|
||||
advisories, err := debianoval.Get(osVer, pkg.SrcName)
|
||||
advisories, err := s.ovalVs.Get(osVer, pkg.SrcName)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("failed to get debian OVAL: %w", err)
|
||||
}
|
||||
@@ -75,7 +83,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
}
|
||||
|
||||
if installedVersion.LessThan(fixedVersion) {
|
||||
vuln := vulnerability.DetectedVulnerability{
|
||||
vuln := types.DetectedVulnerability{
|
||||
VulnerabilityID: adv.VulnerabilityID,
|
||||
PkgName: pkg.Name,
|
||||
InstalledVersion: installed,
|
||||
@@ -84,12 +92,12 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
vulns = append(vulns, vuln)
|
||||
}
|
||||
}
|
||||
advisories, err = debian.Get(osVer, pkg.SrcName)
|
||||
advisories, err = s.vs.Get(osVer, pkg.SrcName)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("failed to get debian advisory: %w", err)
|
||||
}
|
||||
for _, adv := range advisories {
|
||||
vuln := vulnerability.DetectedVulnerability{
|
||||
vuln := types.DetectedVulnerability{
|
||||
VulnerabilityID: adv.VulnerabilityID,
|
||||
PkgName: pkg.Name,
|
||||
InstalledVersion: installed,
|
||||
|
||||
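Review bot: In the import hunk at `@@ -4,15 +4,17 @@`, the new `"github.com/aquasecurity/trivy-db/pkg/vulnsrc/debian"` and `debianoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/debian-oval"` lines land in the first group next to `"strings"` and `"time"`, while the third trivy-db import, `dbTypes "github.com/aquasecurity/trivy-db/pkg/types"`, goes into the aquasecurity group further down — as far as the collapsed rendering and the hunk line counts let me tell. Moving the two vulnsrc imports down beside `dbTypes` keeps the standard library separated from third-party packages, which is how the Alpine file in this commit is arranged. The Red Hat and Ubuntu import hunks place `"github.com/aquasecurity/trivy-db/pkg/vulnsrc/redhat"` and `"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu"` in the stdlib group the same way.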
@@ -4,14 +4,17 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
"github.com/aquasecurity/fanal/analyzer/os"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/scanner/utils"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/redhat"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/redhat"
|
||||
|
||||
version "github.com/knqyf263/go-rpm-version"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
"github.com/aquasecurity/fanal/analyzer/os"
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/scanner/utils"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -34,13 +37,17 @@ var (
|
||||
}
|
||||
)
|
||||
|
||||
type Scanner struct{}
|
||||
|
||||
func NewScanner() *Scanner {
|
||||
return &Scanner{}
|
||||
type Scanner struct {
|
||||
vs dbTypes.VulnSrc
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
|
||||
func NewScanner() *Scanner {
|
||||
return &Scanner{
|
||||
vs: redhat.NewVulnSrc(),
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
|
||||
log.Logger.Info("Detecting RHEL/CentOS vulnerabilities...")
|
||||
if strings.Count(osVer, ".") > 0 {
|
||||
osVer = osVer[:strings.Index(osVer, ".")]
|
||||
@@ -48,9 +55,9 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
log.Logger.Debugf("redhat: os version: %s", osVer)
|
||||
log.Logger.Debugf("redhat: the number of packages: %d", len(pkgs))
|
||||
|
||||
var vulns []vulnerability.DetectedVulnerability
|
||||
var vulns []types.DetectedVulnerability
|
||||
for _, pkg := range pkgs {
|
||||
advisories, err := redhat.Get(osVer, pkg.SrcName)
|
||||
advisories, err := s.vs.Get(osVer, pkg.SrcName)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("failed to get Red Hat advisories: %w", err)
|
||||
}
|
||||
@@ -60,7 +67,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
for _, adv := range advisories {
|
||||
fixedVersion := version.NewVersion(adv.FixedVersion)
|
||||
|
||||
vuln := vulnerability.DetectedVulnerability{
|
||||
vuln := types.DetectedVulnerability{
|
||||
VulnerabilityID: adv.VulnerabilityID,
|
||||
PkgName: pkg.Name,
|
||||
InstalledVersion: installed,
|
||||
|
||||
@@ -3,14 +3,16 @@ package ubuntu
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/aquasecurity/trivy/pkg/scanner/utils"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
|
||||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu"
|
||||
|
||||
version "github.com/knqyf263/go-deb-version"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy/pkg/log"
|
||||
"github.com/aquasecurity/trivy/pkg/vulnsrc/ubuntu"
|
||||
"github.com/aquasecurity/trivy/pkg/scanner/utils"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -49,20 +51,24 @@ var (
|
||||
}
|
||||
)
|
||||
|
||||
type Scanner struct{}
|
||||
|
||||
func NewScanner() *Scanner {
|
||||
return &Scanner{}
|
||||
type Scanner struct {
|
||||
vs dbTypes.VulnSrc
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
|
||||
func NewScanner() *Scanner {
|
||||
return &Scanner{
|
||||
vs: ubuntu.NewVulnSrc(),
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
|
||||
log.Logger.Info("Detecting Ubuntu vulnerabilities...")
|
||||
log.Logger.Debugf("ubuntu: os version: %s", osVer)
|
||||
log.Logger.Debugf("ubuntu: the number of packages: %d", len(pkgs))
|
||||
|
||||
var vulns []vulnerability.DetectedVulnerability
|
||||
var vulns []types.DetectedVulnerability
|
||||
for _, pkg := range pkgs {
|
||||
advisories, err := ubuntu.Get(osVer, pkg.SrcName)
|
||||
advisories, err := s.vs.Get(osVer, pkg.SrcName)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("failed to get Ubuntu advisories: %w", err)
|
||||
}
|
||||
@@ -75,7 +81,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
|
||||
}
|
||||
|
||||
for _, adv := range advisories {
|
||||
vuln := vulnerability.DetectedVulnerability{
|
||||
vuln := types.DetectedVulnerability{
|
||||
VulnerabilityID: adv.VulnerabilityID,
|
||||
PkgName: pkg.Name,
|
||||
InstalledVersion: installed,
|
||||
|
||||
@@ -1 +1,12 @@
|
||||
package types
|
||||
|
||||
import "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
|
||||
type DetectedVulnerability struct {
|
||||
VulnerabilityID string `json:",omitempty"`
|
||||
PkgName string `json:",omitempty"`
|
||||
InstalledVersion string `json:",omitempty"`
|
||||
FixedVersion string `json:",omitempty"`
|
||||
|
||||
types.Vulnerability
|
||||
}
|
||||
|
||||
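Review bot: The new exported `DetectedVulnerability` in `@@ -1 +1,12 @@` has no doc comment, and the file imports `github.com/aquasecurity/trivy-db/pkg/types` under its bare name inside a package that is itself called `types`, which the scanner files in this commit avoid by aliasing it `dbTypes`. I would write `import dbTypes "github.com/aquasecurity/trivy-db/pkg/types"`, embed `dbTypes.Vulnerability`, and add `// DetectedVulnerability is a vulnerability found in an installed package: the package-level fields come from the scanner, the embedded trivy-db Vulnerability carries the advisory details.` above the type. Because the embedded field carries no json tag, encoding/json promotes its exported fields into the same JSON object as VulnerabilityID and PkgName; if that flattening is intended, a comment on the embedded line saying so saves the next reader a check.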