revert: add new classes for vulnerabilities (#2701)

Teppei Fukuda
2022-08-15 21:40:29 +03:00
committed by GitHub
parent a5d4f7fbd9
commit ed1fa89117
50 changed files with 127 additions and 142 deletions

2
go.mod

@@ -8,7 +8,7 @@ require (
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.22.0
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/go-dep-parser v0.0.0-20220807122629-b5a21d267b03
github.com/aquasecurity/go-dep-parser v0.0.0-20220815163410-fcf26eb92b86
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46

4
go.sum

@@ -206,8 +206,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.71.5 h1:HOao1TaP74lhbsLUmYaNgHx1afdYImDicB8b/f54FIM=
github.com/aquasecurity/defsec v0.71.5/go.mod h1:+ouYrROGLz3lGutl+K+ilXX5V41S76JIi+L8aXPBsAQ=
github.com/aquasecurity/go-dep-parser v0.0.0-20220807122629-b5a21d267b03 h1:Axx5KwV0c83IlPLIIsi/Ht6sGsSJBzABUngXjFHFg4I=
github.com/aquasecurity/go-dep-parser v0.0.0-20220807122629-b5a21d267b03/go.mod h1:SONYN1M+sYu6VIJsZnltmVfcGOCvp09HWbhpnHDn3aY=
github.com/aquasecurity/go-dep-parser v0.0.0-20220815163410-fcf26eb92b86 h1:sc8hDjSxO3aiG0R7HvaAVnY6329NTtv9AqDGpVQxAPQ=
github.com/aquasecurity/go-dep-parser v0.0.0-20220815163410-fcf26eb92b86/go.mod h1:wwxn1SyOEY8W5hy8aDQDoExX+ybVsi+xfIllXz93+Fk=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
github.com/aquasecurity/go-mock-aws v0.0.0-20220726154943-99847deb62b0 h1:tihCUjLWkF0b1SAjAKcFltUs3SpsqGrLtI+Frye0D10=


@@ -12,6 +12,8 @@ import (
"testing"
"time"
"github.com/samber/lo"
cdx "github.com/CycloneDX/cyclonedx-go"
"github.com/docker/go-connections/nat"
"github.com/stretchr/testify/assert"
@@ -399,10 +401,10 @@ func TestClientServerWithCycloneDX(t *testing.T) {
err = json.NewDecoder(f).Decode(&got)
require.NoError(t, err)
assert.EqualValues(t, tt.wantComponentsCount, len(*got.Components))
assert.EqualValues(t, tt.wantDependenciesCount, len(*got.Dependencies))
assert.EqualValues(t, tt.wantComponentsCount, len(lo.FromPtr(got.Components)))
assert.EqualValues(t, tt.wantDependenciesCount, len(lo.FromPtr(got.Dependencies)))
for i, dep := range *got.Dependencies {
assert.EqualValues(t, tt.wantDependsOnCount[i], len(*dep.Dependencies))
assert.EqualValues(t, tt.wantDependsOnCount[i], len(lo.FromPtr(dep.Dependencies)))
}
})
}
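Review bot: The loop header `for i, dep := range *got.Dependencies {` still dereferences the pointer that the two count assertions just above were switched to read through `lo.FromPtr`, so a BOM with no dependency graph (nil `Dependencies`) panics inside the subtest instead of failing an assertion. Change it to `for i, dep := range lo.FromPtr(got.Dependencies) {` so the loop is simply skipped in that case and the count mismatch is what gets reported. Because the counts are checked with `assert` rather than `require`, a length mismatch also continues into the loop, where `tt.wantDependsOnCount[i]` can index past the expected slice; a `require.Len(t, lo.FromPtr(got.Dependencies), len(tt.wantDependsOnCount))` before the loop closes that gap. TestClientServerWithCycloneDX starts outside the hunk.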


@@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/almalinux-8.tar.gz (alma 8.5)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "alma",
"Vulnerabilities": [
{


@@ -56,7 +56,7 @@
"Results": [
{
"Target": "localhost:63577/alpine:3.10 (alpine 3.10.2)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{


@@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{


@@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{


@@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{


@@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{


@@ -45,7 +45,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-distroless.tar.gz (alpine 3.16)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{


@@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/amazon-1.tar.gz (amazon AMI release 2018.03)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "amazon",
"Vulnerabilities": [
{


@@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/amazon-2.tar.gz (amazon 2 (Karoo))",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "amazon",
"Vulnerabilities": [
{


@@ -49,7 +49,7 @@
"Results": [
{
"Target": "Cargo.lock",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "cargo",
"Vulnerabilities": [
{


@@ -71,7 +71,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-6.tar.gz (centos 6.10)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{


@@ -3,7 +3,7 @@
"specVersion": "1.4",
"version": 1,
"metadata": {
"timestamp": "2022-07-03T08:45:54+00:00",
"timestamp": "2022-08-14T12:39:11+00:00",
"tools": [
{
"vendor": "aquasecurity",


@@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{


@@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{


@@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{


@@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{


@@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{


@@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-stretch.tar.gz (debian 9.9)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{


@@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{


@@ -65,7 +65,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/distroless-python27.tar.gz (debian 9.9)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{


@@ -102,7 +102,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
@@ -165,7 +165,7 @@
},
{
"Target": "Ruby",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "gemspec",
"Vulnerabilities": [
{


@@ -3,7 +3,7 @@
"specVersion": "1.4",
"version": 1,
"metadata": {
"timestamp": "2022-07-03T08:45:54+00:00",
"timestamp": "2022-08-14T12:39:11+00:00",
"tools": [
{
"vendor": "aquasecurity",


@@ -17,7 +17,7 @@
"Results": [
{
"Target": "go.mod",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
@@ -103,7 +103,7 @@
},
{
"Target": "submod/go.mod",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
@@ -131,7 +131,7 @@
},
{
"Target": "submod2/go.mod",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{


@@ -34,7 +34,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "cbl-mariner",
"Vulnerabilities": [
{


@@ -17,7 +17,7 @@
"Results": [
{
"Target": "package-lock.json",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "npm",
"Vulnerabilities": [
{


@@ -57,7 +57,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "opensuse.leap",
"Vulnerabilities": [
{


@@ -58,7 +58,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/oraclelinux-8.tar.gz (oracle 8.0)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "oracle",
"Vulnerabilities": [
{


@@ -59,7 +59,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/photon-30.tar.gz (photon 3.0)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "photon",
"Vulnerabilities": [
{


@@ -55,12 +55,7 @@
"Version": "2.0.0",
"Layer": {}
}
]
},
{
"Target": "requirements.txt",
"Class": "vuln-lang-pkgs",
"Type": "pip",
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14806",


@@ -2,10 +2,22 @@
"SchemaVersion": 2,
"ArtifactName": "testdata/fixtures/fs/pnpm",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "pnpm-lock.yaml",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "pnpm",
"Vulnerabilities": [
{


@@ -17,7 +17,7 @@
"Results": [
{
"Target": "pom.xml",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "pom",
"Vulnerabilities": [
{


@@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/rockylinux-8.tar.gz (rocky 8.5)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "rocky",
"Vulnerabilities": [
{


@@ -185,12 +185,12 @@
"Results": [
{
"Target": "testdata/fixtures/images/spring4shell-jre11.tar.gz (debian 11.3)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "debian"
},
{
"Target": "Java",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "jar",
"Vulnerabilities": [
{


@@ -185,12 +185,12 @@
"Results": [
{
"Target": "testdata/fixtures/images/spring4shell-jre8.tar.gz (debian 11.3)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "debian"
},
{
"Target": "Java",
"Class": "vuln-lang-pkgs",
"Class": "lang-pkgs",
"Type": "jar",
"Vulnerabilities": [
{


@@ -72,7 +72,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/ubi-7.tar.gz (redhat 7.7)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "redhat",
"Vulnerabilities": [
{


@@ -67,7 +67,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/ubuntu-1804.tar.gz (ubuntu 18.04)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "ubuntu",
"Vulnerabilities": [
{


@@ -67,7 +67,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/ubuntu-1804.tar.gz (ubuntu 18.04)",
"Class": "vuln-os-pkgs",
"Class": "os-pkgs",
"Type": "ubuntu",
"Vulnerabilities": [
{


@@ -187,9 +187,9 @@ func (sw SarifWriter) Write(report types.Report) error {
func toSarifRuleName(class string) string {
switch class {
case types.ClassVulnOSPkg:
case types.ClassOSPkg:
return sarifOsPackageVulnerability
case types.ClassVulnLangPkg:
case types.ClassLangPkg:
return sarifLanguageSpecificVulnerability
case types.ClassConfig:
return sarifConfigFiles


@@ -30,7 +30,7 @@ func TestReportWriter_Sarif(t *testing.T) {
input: types.Results{
{
Target: "library/test",
Class: types.ClassVulnOSPkg,
Class: types.ClassOSPkg,
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2020-0001",


@@ -13,7 +13,6 @@ import (
"github.com/aquasecurity/table"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
@@ -53,25 +52,17 @@ type Renderer interface {
// Write writes the result on standard output
func (tw Writer) Write(report types.Report) error {
// Iterate results to extract packages first, then write tables for each result
pkgs := map[string][]ftypes.Package{}
for _, result := range report.Results {
if result.Class == types.ClassOSPkg || result.Class == types.ClassLangPkg {
pkgs[result.Target] = result.Packages
}
}
for _, result := range report.Results {
// Not display a table of custom resources
if result.Class == types.ClassCustom {
continue
}
tw.write(result, pkgs)
tw.write(result)
}
return nil
}
func (tw Writer) write(result types.Result, pkgs map[string][]ftypes.Package) {
func (tw Writer) write(result types.Result) {
if result.IsEmpty() && result.Class != types.ClassOSPkg {
return
}
@@ -79,8 +70,8 @@ func (tw Writer) write(result types.Result, pkgs map[string][]ftypes.Package) {
var renderer Renderer
switch {
// vulnerability
case result.Class == types.ClassVulnOSPkg || result.Class == types.ClassVulnLangPkg:
renderer = NewVulnerabilityRenderer(result, pkgs, tw.isOutputToTerminal(), tw.Tree, tw.Severities)
case result.Class == types.ClassOSPkg || result.Class == types.ClassLangPkg:
renderer = NewVulnerabilityRenderer(result, tw.isOutputToTerminal(), tw.Tree, tw.Severities)
// misconfiguration
case result.Class == types.ClassConfig:
renderer = NewMisconfigRenderer(result, tw.Severities, tw.Trace, tw.IncludeNonFailures, tw.isOutputToTerminal())
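Review bot: The early return in `write`, `if result.IsEmpty() && result.Class != types.ClassOSPkg {`, gives no reason why an empty OS-package result is still rendered while every other empty result is skipped; now that the `pkgs` map and its pre-pass are gone, this line is the only place in Write/write where that class distinction matters, so it deserves a comment such as `// An empty OS package result is still rendered so the target and its summary line appear` — that wording is my reading of the intent and should be confirmed against the renderer. The `switch` in `write` continues outside the hunk.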


@@ -24,7 +24,7 @@ func TestReportWriter_Table(t *testing.T) {
results: types.Results{
{
Target: "test",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2020-0001",
@@ -59,7 +59,7 @@ Total: 1 (MEDIUM: 0, HIGH: 1)
results: types.Results{
{
Target: "test",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2020-0001",
@@ -95,7 +95,7 @@ Total: 1 (MEDIUM: 0, HIGH: 1)
results: types.Results{
{
Target: "test",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2020-0001",
@@ -127,7 +127,7 @@ Total: 1 (MEDIUM: 0, HIGH: 1)
results: types.Results{
{
Target: "test",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2020-1234",
@@ -199,11 +199,6 @@ Total: 1 (MEDIUM: 0, HIGH: 1)
},
},
},
},
{
Target: "package-lock.json",
Class: types.ClassVulnLangPkg,
Type: "npm",
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2022-0235",


@@ -23,14 +23,13 @@ type vulnerabilityRenderer struct {
w *bytes.Buffer
tableWriter *table.Table
result types.Result
pkgs map[string][]ftypes.Package
isTerminal bool
tree bool
severities []dbTypes.Severity
once *sync.Once
}
func NewVulnerabilityRenderer(result types.Result, pkgs map[string][]ftypes.Package, isTerminal, tree bool, severities []dbTypes.Severity) vulnerabilityRenderer {
func NewVulnerabilityRenderer(result types.Result, isTerminal, tree bool, severities []dbTypes.Severity) vulnerabilityRenderer {
buf := bytes.NewBuffer([]byte{})
if !isTerminal {
tml.DisableFormatting()
@@ -39,7 +38,6 @@ func NewVulnerabilityRenderer(result types.Result, pkgs map[string][]ftypes.Pack
w: buf,
tableWriter: newTableWriter(buf, isTerminal),
result: result,
pkgs: pkgs,
isTerminal: isTerminal,
tree: tree,
severities: severities,
@@ -55,7 +53,7 @@ func (r vulnerabilityRenderer) Render() string {
total, summaries := summarize(r.severities, severityCount)
target := r.result.Target
if r.result.Class == types.ClassVulnLangPkg {
if r.result.Class == types.ClassLangPkg {
target += fmt.Sprintf(" (%s)", r.result.Type)
}
renderTarget(r.w, target, r.isTerminal)
@@ -130,14 +128,8 @@ func (r vulnerabilityRenderer) countSeverities(vulns []types.DetectedVulnerabili
}
func (r vulnerabilityRenderer) renderDependencyTree() {
// Take packages
pkgs, ok := r.pkgs[r.result.Target]
if !ok {
return
}
// Get parents of each dependency
parents := reverseDeps(pkgs)
parents := reverseDeps(r.result.Packages)
if len(parents) == 0 {
return
}
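Review bot: `renderDependencyTree` now reads `r.result.Packages` directly and returns silently when `reverseDeps` yields nothing, and — judging by the scanner hunk on this page — `Packages` is only copied into vulnerability results when package listing is requested, so a caller that enables the tree without listing packages sees no tree and no hint as to why. A comment on the `parents := reverseDeps(r.result.Packages)` line would save the next reader the trip, e.g. `// Packages is only populated when the scan listed packages; without it there is nothing to draw`, and an `Infof`/`Debugf` in the early-return branch would make the empty output diagnosable. The method's remaining body continues outside the hunk.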


@@ -187,8 +187,8 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
var metadataDependencies []cdx.Dependency
libraryUniqMap := map[string]struct{}{}
vulnMap := map[string]cdx.Vulnerability{}
bomRefMap := map[string]string{}
for _, result := range r.Results {
bomRefMap := map[string]string{}
var componentDependencies []cdx.Dependency
for _, pkg := range result.Packages {
pkgComponent, err := pkgToCdxComponent(result.Type, r.Metadata, pkg)
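Review bot: Moving `bomRefMap := map[string]string{}` inside `for _, result := range r.Results {` means the bom-refs recorded for one result are discarded before the next result is processed, while `libraryUniqMap` and `vulnMap` stay shared across results. If the map is consulted when `componentDependencies` are built (that use is outside the hunk), a dependency on a package recorded under a different result can no longer resolve; if that per-result scoping is intended, say so on the declaration, `// bomRefMap is per result: dependencies resolve only among packages of the same target`, otherwise it needs to live next to the other two maps. marshalComponents continues outside the hunk on both sides.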


@@ -70,11 +70,6 @@ func TestMarshaler_Marshal(t *testing.T) {
Licenses: []string{"GPLv3+"},
},
},
},
{
Target: "rails:latest (centos 8.3.2011)",
Class: types.ClassVulnOSPkg,
Type: fos.CentOS,
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2018-20623",
@@ -475,11 +470,6 @@ func TestMarshaler_Marshal(t *testing.T) {
FilePath: "tools/project-doe/specifications/actionpack.gemspec",
},
},
},
{
Target: "Ruby",
Class: types.ClassVulnOSPkg,
Type: ftypes.GemSpec,
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2022-23633",
@@ -1118,7 +1108,7 @@ func TestMarshaler_MarshalVulnerabilities(t *testing.T) {
},
{
Target: "rails:latest (centos 8.3.2011)",
Class: types.ClassVulnOSPkg,
Class: types.ClassOSPkg,
Type: fos.CentOS,
Vulnerabilities: []types.DetectedVulnerability{
{


@@ -9,6 +9,7 @@ import (
"time"
"github.com/google/wire"
"github.com/samber/lo"
"golang.org/x/exp/slices"
"golang.org/x/xerrors"
@@ -96,14 +97,14 @@ func (s Scanner) Scan(ctx context.Context, target, artifactKey string, blobKeys
}
var eosl bool
var results types.Results
var results, pkgResults types.Results
// Fill OS packages and language-specific packages
if options.ListAllPackages {
if res := s.osPkgsToResult(target, artifactDetail, options); res != nil {
results = append(results, *res)
pkgResults = append(pkgResults, *res)
}
results = append(results, s.langPkgsToResult(artifactDetail)...)
pkgResults = append(pkgResults, s.langPkgsToResult(artifactDetail)...)
}
// Scan packages for vulnerabilities
@@ -116,7 +117,13 @@ func (s Scanner) Scan(ctx context.Context, target, artifactKey string, blobKeys
if artifactDetail.OS != nil {
artifactDetail.OS.Eosl = eosl
}
// Merge package results into vulnerability results
s.fillPkgsInVulns(pkgResults, vulnResults)
results = append(results, vulnResults...)
} else {
// If vulnerability scanning is not enabled, it just adds package results.
results = append(results, pkgResults...)
}
// Scan IaC config files
@@ -253,7 +260,7 @@ func (s Scanner) scanOSPkgs(target string, detail ftypes.ArtifactDetail, options
result := &types.Result{
Target: artifactDetail,
Vulnerabilities: vulns,
Class: types.ClassVulnOSPkg,
Class: types.ClassOSPkg,
Type: detail.OS.Family,
}
return result, eosl, nil
@@ -295,7 +302,7 @@ func (s Scanner) scanLangPkgs(apps []ftypes.Application) (types.Results, error)
results = append(results, types.Result{
Target: target,
Vulnerabilities: vulns,
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Type: app.Type,
})
}
@@ -305,6 +312,17 @@ func (s Scanner) scanLangPkgs(apps []ftypes.Application) (types.Results, error)
return results, nil
}
func (s Scanner) fillPkgsInVulns(pkgResults, vulnResults types.Results) {
// Fill vulnerability results in package results
for i := range vulnResults {
if r, found := lo.Find(pkgResults, func(r types.Result) bool {
return r.Class == vulnResults[i].Class && r.Target == vulnResults[i].Target
}); found {
vulnResults[i].Packages = r.Packages
}
}
}
func (s Scanner) misconfsToResults(misconfs []ftypes.Misconfiguration) types.Results {
log.Logger.Infof("Detected config files: %d", len(misconfs))
var results types.Results
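Review bot: The comment on `fillPkgsInVulns`, `// Fill vulnerability results in package results`, states the opposite of what the loop does: it copies `r.Packages` from the matching package result into `vulnResults[i]`, as the function name says, so replace it with `// Copy the package list of the package result with the same class and target into each vulnerability result`. Separately, in the `Scan` hunk above only `vulnResults` is appended to `results` on the vulnerability-scanning path, so a package result with no vulnerability result of the same class and target would be dropped silently; whether scanOSPkgs or scanLangPkgs can return no result for a target that osPkgsToResult/langPkgsToResult did produce is not visible here, but if it can, a package-listing run undercounts and the unmatched entries should be appended as well. `Scan` starts and ends outside the hunks shown.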


@@ -89,7 +89,7 @@ func TestScanner_Scan(t *testing.T) {
wantResults: types.Results{
{
Target: "alpine:latest (alpine 3.11)",
Class: types.ClassVulnOSPkg,
Class: types.ClassOSPkg,
Type: fos.Alpine,
Vulnerabilities: []types.DetectedVulnerability{
{
@@ -111,7 +111,7 @@ func TestScanner_Scan(t *testing.T) {
},
{
Target: "/app/Gemfile.lock",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Type: ftypes.Bundler,
Vulnerabilities: []types.DetectedVulnerability{
{
@@ -228,25 +228,7 @@ func TestScanner_Scan(t *testing.T) {
},
},
},
},
{
Target: "/app/Gemfile.lock",
Class: types.ClassLangPkg,
Type: ftypes.Bundler,
Packages: []ftypes.Package{
{
Name: "rails",
Version: "4.0.2",
Layer: ftypes.Layer{
DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33",
},
},
},
},
{
Target: "alpine:latest (alpine 3.11)",
Class: types.ClassVulnOSPkg,
Type: fos.Alpine,
// For backward compatibility, will be removed
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2020-9999",
@@ -267,8 +249,18 @@ func TestScanner_Scan(t *testing.T) {
},
{
Target: "/app/Gemfile.lock",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Type: ftypes.Bundler,
Packages: []ftypes.Package{
{
Name: "rails",
Version: "4.0.2",
Layer: ftypes.Layer{
DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33",
},
},
},
// For backward compatibility, will be removed
Vulnerabilities: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2014-0081",
@@ -338,7 +330,7 @@ func TestScanner_Scan(t *testing.T) {
wantResults: types.Results{
{
Target: "/app/Gemfile.lock",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Type: "bundler",
Vulnerabilities: []types.DetectedVulnerability{
{
@@ -409,12 +401,12 @@ func TestScanner_Scan(t *testing.T) {
wantResults: types.Results{
{
Target: "alpine:latest (alpine 3.11)",
Class: types.ClassVulnOSPkg,
Class: types.ClassOSPkg,
Type: fos.Alpine,
},
{
Target: "/app/Gemfile.lock",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Type: ftypes.Bundler,
Vulnerabilities: []types.DetectedVulnerability{
{
@@ -488,7 +480,7 @@ func TestScanner_Scan(t *testing.T) {
wantResults: types.Results{
{
Target: "/app/Gemfile.lock",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Type: ftypes.Bundler,
Vulnerabilities: []types.DetectedVulnerability{
{
@@ -607,7 +599,7 @@ func TestScanner_Scan(t *testing.T) {
wantResults: types.Results{
{
Target: "/app/Gemfile.lock",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Type: ftypes.Bundler,
Vulnerabilities: []types.DetectedVulnerability{
{
@@ -634,7 +626,7 @@ func TestScanner_Scan(t *testing.T) {
},
{
Target: "/app/composer-lock.json",
Class: types.ClassVulnLangPkg,
Class: types.ClassLangPkg,
Type: ftypes.Composer,
Vulnerabilities: []types.DetectedVulnerability{
{


@@ -39,10 +39,8 @@ type Results []Result
type ResultClass string
const (
ClassOSPkg = "os-pkgs" // For OS packages
ClassLangPkg = "lang-pkgs" // For language-specific packages
ClassVulnOSPkg = "vuln-os-pkgs" // For detected vulnerabilities in OS packages
ClassVulnLangPkg = "vuln-lang-pkgs" // For detected vulnerabilities in language-specific packages
ClassOSPkg = "os-pkgs" // For detected packages and vulnerabilities in OS packages
ClassLangPkg = "lang-pkgs" // For detected packages and vulnerabilities in language-specific packages
ClassConfig = "config" // For detected misconfigurations
ClassSecret = "secret" // For detected secrets
ClassLicense = "license" // For detected package licenses