gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 07:10:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

feat(report): add package path (#1274)

Browse Source
This commit is contained in:
Teppei Fukuda
2021-10-06 16:28:48 +09:00
committed by GitHub
parent 1c9ccb5e03
commit f12446d3ba
15 changed files with 80 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
go.mod
View File

@@ -7,7 +7,7 @@ require (
github.com/Masterminds/sprig v2.22.0+incompatible github.com/Masterminds/sprig v2.22.0+incompatible
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/fanal v0.0.0-20211004144717-124d5e3ef398 github.com/aquasecurity/fanal v0.0.0-20211005172059-69527b46560c
github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305 github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

4
go.sum
View File

@@ -202,8 +202,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8= github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/fanal v0.0.0-20211004144717-124d5e3ef398 h1:D2/7fMPN4qG54w2Baw6odXfO/Itojjl9ZWjTwegqj3A= github.com/aquasecurity/fanal v0.0.0-20211005172059-69527b46560c h1:pBpjKZpfpWdcotMqZ2J6hMI/lDK5pKshdj2o7+xzLkg=
github.com/aquasecurity/fanal v0.0.0-20211004144717-124d5e3ef398/go.mod h1:nXdCM1C89phZEkn/sHQ6S5IjcvxdTnXLSKcftmhFodg= github.com/aquasecurity/fanal v0.0.0-20211005172059-69527b46560c/go.mod h1:nXdCM1C89phZEkn/sHQ6S5IjcvxdTnXLSKcftmhFodg=
github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305 h1:xsniAD6IrP+stY8tkytxE2tk8czkzSN3XaUvzoi1hCk= github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305 h1:xsniAD6IrP+stY8tkytxE2tk8czkzSN3XaUvzoi1hCk=
github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU= github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM= github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

10
integration/testdata/dockerfile-custom-policies.json.golden vendored
View File

@@ -33,10 +33,7 @@
"Namespace": "user.bar", "Namespace": "user.bar",
"Query": "data.user.bar.deny", "Query": "data.user.bar.deny",
"Severity": "UNKNOWN", "Severity": "UNKNOWN",
"Status": "FAIL", "Status": "FAIL"
"Layer": {
"DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
}
}, },
{ {
"Type": "N/A", "Type": "N/A",
@@ -46,10 +43,7 @@
"Namespace": "user.foo", "Namespace": "user.foo",
"Query": "data.user.foo.deny", "Query": "data.user.foo.deny",
"Severity": "UNKNOWN", "Severity": "UNKNOWN",
"Status": "FAIL", "Status": "FAIL"
"Layer": {
"DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
}
} }
] ]
} }

5
integration/testdata/dockerfile.json.golden vendored
View File

@@ -40,10 +40,7 @@
"https://docs.docker.com/develop/develop-images/dockerfile_best-practices/", "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
"https://avd.aquasec.com/appshield/ds002" "https://avd.aquasec.com/appshield/ds002"
], ],
"Status": "FAIL", "Status": "FAIL"
"Layer": {
"DiffID": "sha256:2f8334a38883ba260fc9cab989110b8eea18721ee15c319b83fa3eba8d5981ca"
}
} }
] ]
} }

15
integration/testdata/nodejs.json.golden vendored
View File

@@ -25,9 +25,6 @@
"PkgName": "jquery", "PkgName": "jquery",
"InstalledVersion": "3.3.9", "InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0", "FixedVersion": "3.4.0",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nodejs-security-wg", "SeveritySource": "nodejs-security-wg",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
"Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection", "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
@@ -95,9 +92,6 @@
"PkgName": "lodash", "PkgName": "lodash",
"InstalledVersion": "4.17.4", "InstalledVersion": "4.17.4",
"FixedVersion": "4.17.12", "FixedVersion": "4.17.12",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nvd", "SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
"Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties", "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
@@ -135,9 +129,6 @@
"PkgName": "lodash", "PkgName": "lodash",
"InstalledVersion": "4.17.4", "InstalledVersion": "4.17.4",
"FixedVersion": "4.17.11", "FixedVersion": "4.17.11",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nodejs-security-wg", "SeveritySource": "nodejs-security-wg",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
"Title": "lodash: Prototype pollution in utilities function", "Title": "lodash: Prototype pollution in utilities function",
@@ -173,9 +164,6 @@
"PkgName": "lodash", "PkgName": "lodash",
"InstalledVersion": "4.17.4", "InstalledVersion": "4.17.4",
"FixedVersion": "4.17.11", "FixedVersion": "4.17.11",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nvd", "SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
"Title": "Moderate severity vulnerability that affects lodash", "Title": "Moderate severity vulnerability that affects lodash",
@@ -208,9 +196,6 @@
"PkgName": "lodash", "PkgName": "lodash",
"InstalledVersion": "4.17.4", "InstalledVersion": "4.17.4",
"FixedVersion": "4.17.5", "FixedVersion": "4.17.5",
"Layer": {
"DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
},
"SeveritySource": "nodejs-security-wg", "SeveritySource": "nodejs-security-wg",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
"Title": "lodash: Prototype pollution in utilities function", "Title": "lodash: Prototype pollution in utilities function",

15
integration/testdata/pip.json.golden vendored
View File

@@ -25,9 +25,6 @@
"PkgName": "Werkzeug", "PkgName": "Werkzeug",
"InstalledVersion": "0.11", "InstalledVersion": "0.11",
"FixedVersion": "0.15.3", "FixedVersion": "0.15.3",
"Layer": {
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
},
"SeveritySource": "nvd", "SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
"Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability", "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
@@ -65,9 +62,6 @@
"PkgName": "Werkzeug", "PkgName": "Werkzeug",
"InstalledVersion": "0.11", "InstalledVersion": "0.11",
"FixedVersion": "0.11.11", "FixedVersion": "0.11.11",
"Layer": {
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
},
"SeveritySource": "nvd", "SeveritySource": "nvd",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516",
"Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py", "Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py",
@@ -103,9 +97,6 @@
"PkgName": "Werkzeug", "PkgName": "Werkzeug",
"InstalledVersion": "0.11", "InstalledVersion": "0.11",
"FixedVersion": "0.11.6", "FixedVersion": "0.11.6",
"Layer": {
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
"Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.", "Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.",
"Severity": "UNKNOWN" "Severity": "UNKNOWN"
@@ -115,9 +106,6 @@
"PkgName": "Werkzeug", "PkgName": "Werkzeug",
"InstalledVersion": "0.11", "InstalledVersion": "0.11",
"FixedVersion": "0.12", "FixedVersion": "0.12",
"Layer": {
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
},
"Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.", "Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
"Severity": "UNKNOWN" "Severity": "UNKNOWN"
}, },
@@ -126,9 +114,6 @@
"PkgName": "Werkzeug", "PkgName": "Werkzeug",
"InstalledVersion": "0.11", "InstalledVersion": "0.11",
"FixedVersion": "0.15.0", "FixedVersion": "0.15.0",
"Layer": {
"DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
},
"Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.", "Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
"Severity": "UNKNOWN" "Severity": "UNKNOWN"
} }

6
pkg/detector/library/detect.go
View File

@@ -8,7 +8,7 @@ import (
) )
// Detect scans and returns vulnerabilities of library // Detect scans and returns vulnerabilities of library
func Detect(libType string, pkgs []ftypes.LibraryInfo) ([]types.DetectedVulnerability, error) { func Detect(libType string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
driver, err := NewDriver(libType) driver, err := NewDriver(libType)
if err != nil { if err != nil {
return nil, xerrors.Errorf("failed to new driver: %w", err) return nil, xerrors.Errorf("failed to new driver: %w", err)
@@ -22,10 +22,10 @@ func Detect(libType string, pkgs []ftypes.LibraryInfo) ([]types.DetectedVulnerab
return vulns, nil return vulns, nil
} }
func detect(driver Driver, libs []ftypes.LibraryInfo) ([]types.DetectedVulnerability, error) { func detect(driver Driver, libs []ftypes.Package) ([]types.DetectedVulnerability, error) {
var vulnerabilities []types.DetectedVulnerability var vulnerabilities []types.DetectedVulnerability
for _, lib := range libs { for _, lib := range libs {
vulns, err := driver.Detect(lib.Library.Name, lib.Library.Version) vulns, err := driver.Detect(lib.Name, lib.Version)
if err != nil { if err != nil {
return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", driver.Type(), err) return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", driver.Type(), err)
} }

8
pkg/detector/library/mock_operation.go
View File

@@ -19,7 +19,7 @@ type OperationDetectArgs struct {
FilePathAnything bool FilePathAnything bool
Created time.Time Created time.Time
CreatedAnything bool CreatedAnything bool
Pkgs []types.LibraryInfo Pkgs []types.Package
PkgsAnything bool PkgsAnything bool
} }
@@ -65,11 +65,11 @@ func (_m *MockOperation) ApplyDetectExpectations(expectations []OperationDetectE
} }
// Detect provides a mock function with given fields: imageName, filePath, created, pkgs // Detect provides a mock function with given fields: imageName, filePath, created, pkgs
func (_m *MockOperation) Detect(imageName string, filePath string, created time.Time, pkgs []types.LibraryInfo) ([]pkgtypes.DetectedVulnerability, error) { func (_m *MockOperation) Detect(imageName string, filePath string, created time.Time, pkgs []types.Package) ([]pkgtypes.DetectedVulnerability, error) {
ret := _m.Called(imageName, filePath, created, pkgs) ret := _m.Called(imageName, filePath, created, pkgs)
var r0 []pkgtypes.DetectedVulnerability var r0 []pkgtypes.DetectedVulnerability
if rf, ok := ret.Get(0).(func(string, string, time.Time, []types.LibraryInfo) []pkgtypes.DetectedVulnerability); ok { if rf, ok := ret.Get(0).(func(string, string, time.Time, []types.Package) []pkgtypes.DetectedVulnerability); ok {
r0 = rf(imageName, filePath, created, pkgs) r0 = rf(imageName, filePath, created, pkgs)
} else { } else {
if ret.Get(0) != nil { if ret.Get(0) != nil {
@@ -78,7 +78,7 @@ func (_m *MockOperation) Detect(imageName string, filePath string, created time.
} }
var r1 error var r1 error
if rf, ok := ret.Get(1).(func(string, string, time.Time, []types.LibraryInfo) error); ok { if rf, ok := ret.Get(1).(func(string, string, time.Time, []types.Package) error); ok {
r1 = rf(imageName, filePath, created, pkgs) r1 = rf(imageName, filePath, created, pkgs)
} else { } else {
r1 = ret.Error(1) r1 = ret.Error(1)

16
pkg/rpc/convert.go
View File

@@ -60,18 +60,16 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
} }
// ConvertFromRPCLibraries returns list of Fanal library // ConvertFromRPCLibraries returns list of Fanal library
func ConvertFromRPCLibraries(rpcLibs []*common.Library) []ftypes.LibraryInfo { func ConvertFromRPCLibraries(rpcLibs []*common.Library) []ftypes.Package {
var libs []ftypes.LibraryInfo var pkgs []ftypes.Package
for _, l := range rpcLibs { for _, l := range rpcLibs {
libs = append(libs, ftypes.LibraryInfo{ pkgs = append(pkgs, ftypes.Package{
Library: deptypes.Library{
Name: l.Name, Name: l.Name,
Version: l.Version, Version: l.Version,
License: l.License, License: l.License,
},
}) })
} }
return libs return pkgs
} }
// ConvertToRPCLibraries returns list of libraries // ConvertToRPCLibraries returns list of libraries
@@ -411,9 +409,9 @@ func ConvertToRPCBlobInfo(diffID string, blobInfo ftypes.BlobInfo) *cache.PutBlo
var libs []*common.Library var libs []*common.Library
for _, lib := range app.Libraries { for _, lib := range app.Libraries {
libs = append(libs, &common.Library{ libs = append(libs, &common.Library{
Name: lib.Library.Name, Name: lib.Name,
Version: lib.Library.Version, Version: lib.Version,
License: lib.Library.License, License: lib.License,
}) })
} }
applications = append(applications, &common.Application{ applications = append(applications, &common.Application{

8
pkg/rpc/convert_test.go
View File

@@ -141,7 +141,7 @@ func TestConvertFromRpcLibraries(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
args args args args
want []ftypes.LibraryInfo want []ftypes.Package
}{ }{
{ {
name: "happy path", name: "happy path",
@@ -151,9 +151,9 @@ func TestConvertFromRpcLibraries(t *testing.T) {
{Name: "bar", Version: "4.5.6"}, {Name: "bar", Version: "4.5.6"},
}, },
}, },
want: []ftypes.LibraryInfo{ want: []ftypes.Package{
{Library: ptypes.Library{Name: "foo", Version: "1.2.3"}}, {Name: "foo", Version: "1.2.3"},
{Library: ptypes.Library{Name: "bar", Version: "4.5.6"}}, {Name: "bar", Version: "4.5.6"},
}, },
}, },
} }

7
pkg/rpc/server/server_test.go
View File

@@ -15,7 +15,6 @@ import (
"github.com/aquasecurity/fanal/cache" "github.com/aquasecurity/fanal/cache"
ftypes "github.com/aquasecurity/fanal/types" ftypes "github.com/aquasecurity/fanal/types"
deptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/db" "github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types" dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils" "github.com/aquasecurity/trivy-db/pkg/utils"
@@ -406,22 +405,18 @@ func TestCacheServer_PutBlob(t *testing.T) {
{ {
Type: "composer", Type: "composer",
FilePath: "php-app/composer.lock", FilePath: "php-app/composer.lock",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: deptypes.Library{
Name: "guzzlehttp/guzzle", Name: "guzzlehttp/guzzle",
Version: "6.2.0", Version: "6.2.0",
}, },
},
{ {
Library: deptypes.Library{
Name: "guzzlehttp/promises", Name: "guzzlehttp/promises",
Version: "v1.3.1", Version: "v1.3.1",
}, },
}, },
}, },
}, },
},
OpaqueDirs: []string{"etc/"}, OpaqueDirs: []string{"etc/"},
WhiteoutFiles: []string{"etc/hostname"}, WhiteoutFiles: []string{"etc/hostname"},
}, },

19
pkg/scanner/local/scan.go
View File

@@ -216,7 +216,7 @@ func (s Scanner) scanLibrary(apps []ftypes.Application, options types.ScanOption
Type: app.Type, Type: app.Type,
} }
if options.ListAllPackages { if options.ListAllPackages {
libReport.Packages = s.listAllPkgs(app) libReport.Packages = app.Libraries
} }
results = append(results, libReport) results = append(results, libReport)
} }
@@ -226,23 +226,6 @@ func (s Scanner) scanLibrary(apps []ftypes.Application, options types.ScanOption
return results, nil return results, nil
} }
func (s Scanner) listAllPkgs(app ftypes.Application) []ftypes.Package {
var pkgs []ftypes.Package
for _, lib := range app.Libraries {
pkgs = append(pkgs, ftypes.Package{
Name: lib.Library.Name,
Version: lib.Library.Version,
License: lib.Library.License,
Layer: lib.Layer,
})
}
sort.Slice(pkgs, func(i, j int) bool {
return strings.Compare(pkgs[i].Name, pkgs[j].Name) <= 0
})
return pkgs
}
func (s Scanner) misconfsToResults(misconfs []ftypes.Misconfiguration, options types.ScanOptions) report.Results { func (s Scanner) misconfsToResults(misconfs []ftypes.Misconfiguration, options types.ScanOptions) report.Results {
log.Logger.Infof("Detected config files: %d", len(misconfs)) log.Logger.Infof("Detected config files: %d", len(misconfs))
var results report.Results var results report.Results

41
pkg/scanner/local/scan_test.go
View File

@@ -9,7 +9,6 @@ import (
"github.com/aquasecurity/fanal/analyzer" "github.com/aquasecurity/fanal/analyzer"
ftypes "github.com/aquasecurity/fanal/types" ftypes "github.com/aquasecurity/fanal/types"
dtypes "github.com/aquasecurity/go-dep-parser/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/db" "github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/dbtest" "github.com/aquasecurity/trivy/pkg/dbtest"
@@ -68,9 +67,10 @@ func TestScanner_Scan(t *testing.T) {
{ {
Type: ftypes.Bundler, Type: ftypes.Bundler,
FilePath: "/app/Gemfile.lock", FilePath: "/app/Gemfile.lock",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: dtypes.Library{Name: "rails", Version: "4.0.2"}, Name: "rails",
Version: "4.0.2",
Layer: ftypes.Layer{ Layer: ftypes.Layer{
DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33",
}, },
@@ -194,9 +194,10 @@ func TestScanner_Scan(t *testing.T) {
{ {
Type: "bundler", Type: "bundler",
FilePath: "/app/Gemfile.lock", FilePath: "/app/Gemfile.lock",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: dtypes.Library{Name: "rails", Version: "4.0.2"}, Name: "rails",
Version: "4.0.2",
Layer: ftypes.Layer{ Layer: ftypes.Layer{
DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33",
}, },
@@ -331,9 +332,10 @@ func TestScanner_Scan(t *testing.T) {
{ {
Type: "bundler", Type: "bundler",
FilePath: "/app/Gemfile.lock", FilePath: "/app/Gemfile.lock",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: dtypes.Library{Name: "rails", Version: "4.0.2"}, Name: "rails",
Version: "4.0.2",
Layer: ftypes.Layer{ Layer: ftypes.Layer{
DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303", DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
}, },
@@ -389,9 +391,10 @@ func TestScanner_Scan(t *testing.T) {
{ {
Type: "bundler", Type: "bundler",
FilePath: "/app/Gemfile.lock", FilePath: "/app/Gemfile.lock",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: dtypes.Library{Name: "rails", Version: "4.0.2"}, Name: "rails",
Version: "4.0.2",
Layer: ftypes.Layer{ Layer: ftypes.Layer{
DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33",
}, },
@@ -467,9 +470,10 @@ func TestScanner_Scan(t *testing.T) {
{ {
Type: "bundler", Type: "bundler",
FilePath: "/app/Gemfile.lock", FilePath: "/app/Gemfile.lock",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: dtypes.Library{Name: "rails", Version: "4.0.2"}, Name: "rails",
Version: "4.0.2",
Layer: ftypes.Layer{ Layer: ftypes.Layer{
DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303", DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
}, },
@@ -567,9 +571,10 @@ func TestScanner_Scan(t *testing.T) {
{ {
Type: "bundler", Type: "bundler",
FilePath: "/app/Gemfile.lock", FilePath: "/app/Gemfile.lock",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: dtypes.Library{Name: "rails", Version: "4.0.2"}, Name: "rails",
Version: "4.0.2",
Layer: ftypes.Layer{ Layer: ftypes.Layer{
DiffID: "sha256:5cb2a5009179b1e78ecfef81a19756328bb266456cf9a9dbbcf9af8b83b735f0", DiffID: "sha256:5cb2a5009179b1e78ecfef81a19756328bb266456cf9a9dbbcf9af8b83b735f0",
}, },
@@ -579,9 +584,10 @@ func TestScanner_Scan(t *testing.T) {
{ {
Type: "composer", Type: "composer",
FilePath: "/app/composer-lock.json", FilePath: "/app/composer-lock.json",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: dtypes.Library{Name: "laravel/framework", Version: "6.0.0"}, Name: "laravel/framework",
Version: "6.0.0",
Layer: ftypes.Layer{ Layer: ftypes.Layer{
DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303", DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
}, },
@@ -890,9 +896,10 @@ func TestScanner_Scan(t *testing.T) {
{ {
Type: "bundler", Type: "bundler",
FilePath: "/app/Gemfile.lock", FilePath: "/app/Gemfile.lock",
Libraries: []ftypes.LibraryInfo{ Libraries: []ftypes.Package{
{ {
Library: dtypes.Library{Name: "rails", Version: "6.0"}, Name: "rails",
Version: "6.0",
Layer: ftypes.Layer{ Layer: ftypes.Layer{
DiffID: "sha256:9bdb2c849099a99c8ab35f6fd7469c623635e8f4479a0a5a3df61e22bae509f6", DiffID: "sha256:9bdb2c849099a99c8ab35f6fd7469c623635e8f4479a0a5a3df61e22bae509f6",
}, },

21
pkg/scanner/scan.go
View File

@@ -108,6 +108,11 @@ func (s Scanner) ScanArtifact(ctx context.Context, options types.ScanOptions) (r
log.Logger.Warnf("The vulnerability detection may be insufficient because security updates are not provided") log.Logger.Warnf("The vulnerability detection may be insufficient because security updates are not provided")
} }
// Layer makes sense only when scanning container images
if artifactInfo.Type != ftypes.ArtifactContainerImage {
removeLayer(results)
}
return report.Report{ return report.Report{
SchemaVersion: report.SchemaVersion, SchemaVersion: report.SchemaVersion,
ArtifactName: artifactInfo.Name, ArtifactName: artifactInfo.Name,
@@ -123,3 +128,19 @@ func (s Scanner) ScanArtifact(ctx context.Context, options types.ScanOptions) (r
Results: results, Results: results,
}, nil }, nil
} }
func removeLayer(results report.Results) {
for i := range results {
result := results[i]
for j := range result.Packages {
result.Packages[j].Layer = ftypes.Layer{}
}
for j := range result.Vulnerabilities {
result.Vulnerabilities[j].Layer = ftypes.Layer{}
}
for j := range result.Misconfigurations {
result.Misconfigurations[j].Layer = ftypes.Layer{}
}
}
}

2
pkg/scanner/scan_test.go
View File

@@ -38,6 +38,7 @@ func TestScanner_ScanArtifact(t *testing.T) {
Returns: artifact.ArtifactInspectReturns{ Returns: artifact.ArtifactInspectReturns{
Reference: ftypes.ArtifactReference{ Reference: ftypes.ArtifactReference{
Name: "alpine:3.11", Name: "alpine:3.11",
Type: ftypes.ArtifactContainerImage,
ID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a", ID: "sha256:e7d92cdc71feacf90708cb59182d0df1b911f8ae022d29e8e95d75ca6a99776a",
BlobIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"}, BlobIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
ImageMetadata: ftypes.ImageMetadata{ ImageMetadata: ftypes.ImageMetadata{
@@ -96,6 +97,7 @@ func TestScanner_ScanArtifact(t *testing.T) {
want: report.Report{ want: report.Report{
SchemaVersion: 2, SchemaVersion: 2,
ArtifactName: "alpine:3.11", ArtifactName: "alpine:3.11",
ArtifactType: ftypes.ArtifactContainerImage,
Metadata: report.Metadata{ Metadata: report.Metadata{
OS: &ftypes.OS{ OS: &ftypes.OS{
Family: "alpine", Family: "alpine",