diff --git a/README.md b/README.md index b4098a13b2..96bd9166b1 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,7 @@ See [here](#continuous-integration-ci) for details. # Features - Detect comprehensive vulnerabilities - - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux and Distroless) + - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless) - **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo) - Simple - Specify only an image name @@ -1316,11 +1316,12 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi | Amazon Linux | 1, 2 | Installed by yum/rpm | NO | | openSUSE Leap | 42, 15 | Installed by zypper/rpm | NO | | SUSE Enterprise Linux | 11, 12, 15 | Installed by zypper/rpm | NO | +| Photon OS | 1.0, 2.0, 3.0 | Installed by tdnf/yum/rpm | NO | | Debian GNU/Linux | wheezy, jessie, stretch, buster | Installed by apt/apt-get/dpkg | YES | | Ubuntu | 12.04, 14.04, 16.04, 18.04, 18.10, 19.04 | Installed by apt/apt-get/dpkg | YES | | Distroless | Any | Installed by apt/apt-get/dpkg | YES | -RHEL, CentOS, Oracle Linux, SUSE and Amazon Linux package information is stored in a binary format, and Trivy uses the `rpm` executable to parse this information when scanning an image based on RHEL or CentOS. The Trivy container image includes `rpm`, and the installers include it as a dependency. If you installed the `trivy` binary using `wget` or `curl`, or if you build it from source, you will also need to ensure that `rpm` is available. +RHEL, CentOS, Oracle Linux, SUSE, Amazon Linux and Photon OS package information is stored in a binary format, and Trivy uses the `rpm` executable to parse this information when scanning an image based on RHEL or CentOS. The Trivy container image includes `rpm`, and the installers include it as a dependency. If you installed the `trivy` binary using `wget` or `curl`, or if you build it from source, you will also need to ensure that `rpm` is available. Distroless: https://github.com/GoogleContainerTools/distroless diff --git a/go.mod b/go.mod index 13f1292ca0..7df8ea1343 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.13 require ( github.com/aquasecurity/fanal v0.0.0-20191225115707-0939236aadb8 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b - github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297 + github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1 github.com/caarlos0/env/v6 v6.0.0 github.com/cheggaaa/pb/v3 v3.0.3 github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f diff --git a/go.sum b/go.sum index 31193abb15..4a7d21ed1a 100644 --- a/go.sum +++ b/go.sum @@ -34,8 +34,8 @@ github.com/aquasecurity/fanal v0.0.0-20191225115707-0939236aadb8/go.mod h1:I+y3t github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4= github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ= github.com/aquasecurity/trivy v0.1.6/go.mod h1:5hobyhxLzDtxruHzPxpND2PUKOssvGUdE9BocpJUwo4= -github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297 h1:XyGsaTMGASjxlXW2w+Dn6vwRje8MHASymxj1QEE+xwI= -github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw= +github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1 h1:IVXoVH8ejJuBdxgH/+er2WjBxc0tqIGuBCqI5aWW3A0= +github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw= github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA= github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ= github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83 h1:ukTLOeMC0aVxbJWVg6hOsVJ0VPIo8w++PbNsze/pqF8= diff --git a/integration/client_server_test.go b/integration/client_server_test.go index b0b893a873..a4388a4df1 100644 --- a/integration/client_server_test.go +++ b/integration/client_server_test.go @@ -277,6 +277,30 @@ func TestClientServer(t *testing.T) { }, golden: "testdata/opensuse-leap-423.json.golden", }, + { + name: "photon 1.0 integration", + testArgs: args{ + Version: "dev", + Input: "testdata/fixtures/photon-10.tar.gz", + }, + golden: "testdata/photon-10.json.golden", + }, + { + name: "photon 2.0 integration", + testArgs: args{ + Version: "dev", + Input: "testdata/fixtures/photon-20.tar.gz", + }, + golden: "testdata/photon-20.json.golden", + }, + { + name: "photon 3.0 integration", + testArgs: args{ + Version: "dev", + Input: "testdata/fixtures/photon-30.tar.gz", + }, + golden: "testdata/photon-30.json.golden", + }, { name: "invalid token", testArgs: args{ diff --git a/integration/standalone_test.go b/integration/standalone_test.go index 4775c13cca..fe807932bd 100644 --- a/integration/standalone_test.go +++ b/integration/standalone_test.go @@ -311,6 +311,36 @@ func TestRun_WithTar(t *testing.T) { }, golden: "testdata/opensuse-leap-423.json.golden", }, + { + name: "photon 1.0 integration", + testArgs: args{ + Version: "dev", + SkipUpdate: true, + Format: "json", + Input: "testdata/fixtures/photon-10.tar.gz", + }, + golden: "testdata/photon-10.json.golden", + }, + { + name: "photon 2.0 integration", + testArgs: args{ + Version: "dev", + SkipUpdate: true, + Format: "json", + Input: "testdata/fixtures/photon-20.tar.gz", + }, + golden: "testdata/photon-20.json.golden", + }, + { + name: "photon 3.0 integration", + testArgs: args{ + Version: "dev", + SkipUpdate: true, + Format: "json", + Input: "testdata/fixtures/photon-30.tar.gz", + }, + golden: "testdata/photon-30.json.golden", + }, } for _, c := range cases { diff --git a/integration/testdata/opensuse-leap-151.json.golden b/integration/testdata/opensuse-leap-151.json.golden index be4d071d79..ebb3460bf6 100644 --- a/integration/testdata/opensuse-leap-151.json.golden +++ b/integration/testdata/opensuse-leap-151.json.golden @@ -100,4 +100,4 @@ } ] } -] +] \ No newline at end of file diff --git a/integration/testdata/opensuse-leap-423.json.golden b/integration/testdata/opensuse-leap-423.json.golden index 95af7e1020..2848be9b57 100644 --- a/integration/testdata/opensuse-leap-423.json.golden +++ b/integration/testdata/opensuse-leap-423.json.golden @@ -3,4 +3,4 @@ "Target": "testdata/fixtures/opensuse-leap-423.tar.gz (opensuse.leap 42.3)", "Vulnerabilities": null } -] +] \ No newline at end of file diff --git a/integration/testdata/oraclelinux-6-slim.json.golden b/integration/testdata/oraclelinux-6-slim.json.golden index 437e5c281a..0f3aba0ba1 100644 --- a/integration/testdata/oraclelinux-6-slim.json.golden +++ b/integration/testdata/oraclelinux-6-slim.json.golden @@ -162,5 +162,4 @@ } ] } -] - +] \ No newline at end of file diff --git a/integration/testdata/oraclelinux-7-slim.json.golden b/integration/testdata/oraclelinux-7-slim.json.golden index 7cdf4bc865..b29f046486 100644 --- a/integration/testdata/oraclelinux-7-slim.json.golden +++ b/integration/testdata/oraclelinux-7-slim.json.golden @@ -855,5 +855,4 @@ } ] } -] - +] \ No newline at end of file diff --git a/integration/testdata/oraclelinux-8-slim.json.golden b/integration/testdata/oraclelinux-8-slim.json.golden index c813ffbfea..1ea4cc3b14 100644 --- a/integration/testdata/oraclelinux-8-slim.json.golden +++ b/integration/testdata/oraclelinux-8-slim.json.golden @@ -3,4 +3,4 @@ "Target": "testdata/fixtures/oraclelinux-8-slim.tar.gz (oracle 8.0)", "Vulnerabilities": null } -] +] \ No newline at end of file diff --git a/integration/testdata/photon-10.json.golden b/integration/testdata/photon-10.json.golden new file mode 100644 index 0000000000..0c4077c8ab --- /dev/null +++ b/integration/testdata/photon-10.json.golden @@ -0,0 +1,61 @@ +[ + { + "Target": "testdata/fixtures/photon-10.tar.gz (photon 1.0)", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2012-6711", + "PkgName": "bash", + "InstalledVersion": "4.3.48-3.ph1", + "FixedVersion": "4.3.48-4.ph1", + "Title": "bash: heap-based buffer overflow during echo of unsupported characters", + "Description": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().", + "Severity": "MEDIUM", + "References": [ + "http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel\u0026id=863d31ae775d56b785dc5b0105b6d251515d81d5", + "http://www.securityfocus.com/bid/108824", + "https://bugzilla.redhat.com/show_bug.cgi?id=1721071", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6711" + ] + }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph1", + "FixedVersion": "1.0.2t-1.ph1", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "MEDIUM", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-1547", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph1", + "FixedVersion": "1.0.2t-1.ph1", + "Title": "openssl: side-channel weak encryption vulnerability", + "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://arxiv.org/abs/1909.01785", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + } + ] + } +] \ No newline at end of file diff --git a/integration/testdata/photon-20.json.golden b/integration/testdata/photon-20.json.golden new file mode 100644 index 0000000000..1ae6588b9f --- /dev/null +++ b/integration/testdata/photon-20.json.golden @@ -0,0 +1,227 @@ +[ + { + "Target": "testdata/fixtures/photon-20.tar.gz (photon 2.0)", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-5481", + "PkgName": "curl", + "InstalledVersion": "7.59.0-7.ph2", + "FixedVersion": "7.59.0-9.ph2", + "Title": "curl: double free due to subsequent call of realloc()", + "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl", + "InstalledVersion": "7.59.0-7.ph2", + "FixedVersion": "7.59.0-9.ph2", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2018-16890", + "PkgName": "curl", + "InstalledVersion": "7.59.0-7.ph2", + "FixedVersion": "7.59.0-8.ph2", + "Title": "curl: NTLM type-2 heap out-of-bounds buffer read", + "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106947", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-16890.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890", + "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E", + "https://security.netapp.com/advisory/ntap-20190315-0001/", + "https://usn.ubuntu.com/3882-1/", + "https://www.debian.org/security/2019/dsa-4386", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-5481", + "PkgName": "curl-libs", + "InstalledVersion": "7.59.0-7.ph2", + "FixedVersion": "7.59.0-9.ph2", + "Title": "curl: double free due to subsequent call of realloc()", + "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl-libs", + "InstalledVersion": "7.59.0-7.ph2", + "FixedVersion": "7.59.0-9.ph2", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2018-16890", + "PkgName": "curl-libs", + "InstalledVersion": "7.59.0-7.ph2", + "FixedVersion": "7.59.0-8.ph2", + "Title": "curl: NTLM type-2 heap out-of-bounds buffer read", + "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.", + "Severity": "MEDIUM", + "References": [ + "http://www.securityfocus.com/bid/106947", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890", + "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf", + "https://curl.haxx.se/docs/CVE-2018-16890.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890", + "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E", + "https://security.netapp.com/advisory/ntap-20190315-0001/", + "https://usn.ubuntu.com/3882-1/", + "https://www.debian.org/security/2019/dsa-4386", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-5094", + "PkgName": "e2fsprogs-libs", + "InstalledVersion": "1.43.4-2.ph2", + "FixedVersion": "1.43.4-3.ph2", + "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html", + "https://seclists.org/bugtraq/2019/Sep/58", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887", + "https://usn.ubuntu.com/4142-2/", + "https://www.debian.org/security/2019/dsa-4535" + ] + }, + { + "VulnerabilityID": "CVE-2018-20843", + "PkgName": "expat-libs", + "InstalledVersion": "2.2.4-1.ph2", + "FixedVersion": "2.2.4-2.ph2", + "Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS", + "Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).", + "Severity": "HIGH", + "References": [ + "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226", + "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843", + "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes", + "https://github.com/libexpat/libexpat/issues/186", + "https://github.com/libexpat/libexpat/pull/262", + "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6", + "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html", + "https://seclists.org/bugtraq/2019/Jun/39", + "https://security.netapp.com/advisory/ntap-20190703-0001/", + "https://usn.ubuntu.com/4040-1/", + "https://usn.ubuntu.com/4040-2/", + "https://www.debian.org/security/2019/dsa-4472" + ] + }, + { + "VulnerabilityID": "CVE-2019-13115", + "PkgName": "libssh2", + "InstalledVersion": "1.8.2-1.ph2", + "FixedVersion": "1.9.0-1.ph2", + "Title": "libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write", + "Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.", + "Severity": "MEDIUM", + "References": [ + "https://blog.semmle.com/libssh2-integer-overflow/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115", + "https://github.com/libssh2/libssh2/compare/02ecf17...42d37aa", + "https://github.com/libssh2/libssh2/pull/350", + "https://libssh2.org/changes.html", + "https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html" + ] + }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph2", + "FixedVersion": "1.0.2t-1.ph2", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "MEDIUM", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-1547", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph2", + "FixedVersion": "1.0.2t-1.ph2", + "Title": "openssl: side-channel weak encryption vulnerability", + "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://arxiv.org/abs/1909.01785", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-16168", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph2", + "FixedVersion": "3.27.2-5.ph2", + "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"", + "Severity": "MEDIUM", + "References": [ + "https://security.netapp.com/advisory/ntap-20190926-0003/", + "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html", + "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62", + "https://www.sqlite.org/src/timeline?c=98357d8c1263920b" + ] + } + ] + } +] \ No newline at end of file diff --git a/integration/testdata/photon-30.json.golden b/integration/testdata/photon-30.json.golden new file mode 100644 index 0000000000..da23dcf165 --- /dev/null +++ b/integration/testdata/photon-30.json.golden @@ -0,0 +1,142 @@ +[ + { + "Target": "testdata/fixtures/photon-30.tar.gz (photon 3.0)", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-5481", + "PkgName": "curl", + "InstalledVersion": "7.61.1-4.ph3", + "FixedVersion": "7.61.1-5.ph3", + "Title": "curl: double free due to subsequent call of realloc()", + "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl", + "InstalledVersion": "7.61.1-4.ph3", + "FixedVersion": "7.61.1-5.ph3", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5481", + "PkgName": "curl-libs", + "InstalledVersion": "7.61.1-4.ph3", + "FixedVersion": "7.61.1-5.ph3", + "Title": "curl: double free due to subsequent call of realloc()", + "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5481.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5482", + "PkgName": "curl-libs", + "InstalledVersion": "7.61.1-4.ph3", + "FixedVersion": "7.61.1-5.ph3", + "Title": "curl: heap buffer overflow in function tftp_receive_packet()", + "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.", + "Severity": "HIGH", + "References": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html", + "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html", + "https://curl.haxx.se/docs/CVE-2019-5482.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/" + ] + }, + { + "VulnerabilityID": "CVE-2019-5094", + "PkgName": "e2fsprogs-libs", + "InstalledVersion": "1.44.3-2.ph3", + "FixedVersion": "1.44.3-3.ph3", + "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.", + "Severity": "MEDIUM", + "References": [ + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094", + "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html", + "https://seclists.org/bugtraq/2019/Sep/58", + "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887", + "https://usn.ubuntu.com/4142-2/", + "https://www.debian.org/security/2019/dsa-4535" + ] + }, + { + "VulnerabilityID": "CVE-2019-1563", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph3", + "FixedVersion": "1.0.2t-1.ph3", + "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey", + "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "MEDIUM", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-1547", + "PkgName": "openssl", + "InstalledVersion": "1.0.2s-1.ph3", + "FixedVersion": "1.0.2t-1.ph3", + "Title": "openssl: side-channel weak encryption vulnerability", + "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).", + "Severity": "LOW", + "References": [ + "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", + "https://arxiv.org/abs/1909.01785", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8", + "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", + "https://seclists.org/bugtraq/2019/Sep/25", + "https://security.netapp.com/advisory/ntap-20190919-0002/", + "https://www.openssl.org/news/secadv/20190910.txt" + ] + }, + { + "VulnerabilityID": "CVE-2019-16168", + "PkgName": "sqlite-libs", + "InstalledVersion": "3.27.2-3.ph3", + "FixedVersion": "3.27.2-5.ph3", + "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"", + "Severity": "MEDIUM", + "References": [ + "https://security.netapp.com/advisory/ntap-20190926-0003/", + "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html", + "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62", + "https://www.sqlite.org/src/timeline?c=98357d8c1263920b" + ] + } + ] + } +] \ No newline at end of file diff --git a/integration/testdata/trivy.db.gz b/integration/testdata/trivy.db.gz index f4a8971689..c3c15a55fc 100644 Binary files a/integration/testdata/trivy.db.gz and b/integration/testdata/trivy.db.gz differ diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go index 1355f55c78..d3d89687ec 100644 --- a/pkg/detector/ospkg/detect.go +++ b/pkg/detector/ospkg/detect.go @@ -5,6 +5,7 @@ import ( "github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon" "github.com/aquasecurity/trivy/pkg/detector/ospkg/debian" "github.com/aquasecurity/trivy/pkg/detector/ospkg/oracle" + "github.com/aquasecurity/trivy/pkg/detector/ospkg/photon" "github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat" "github.com/aquasecurity/trivy/pkg/detector/ospkg/suse" "github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu" @@ -73,6 +74,8 @@ func newDriver(osFamily, osName string) Driver { d = suse.NewScanner(suse.OpenSUSE) case fos.SLES: d = suse.NewScanner(suse.SUSEEnterpriseLinux) + case fos.Photon: + d = photon.NewScanner() default: log.Logger.Warnf("unsupported os : %s", osFamily) return nil diff --git a/pkg/detector/ospkg/photon/photon.go b/pkg/detector/ospkg/photon/photon.go new file mode 100644 index 0000000000..1daed41cd3 --- /dev/null +++ b/pkg/detector/ospkg/photon/photon.go @@ -0,0 +1,68 @@ +package photon + +import ( + "time" + + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/photon" + version "github.com/knqyf263/go-rpm-version" + + "golang.org/x/xerrors" + + "github.com/aquasecurity/fanal/analyzer" + dbTypes "github.com/aquasecurity/trivy-db/pkg/types" + "github.com/aquasecurity/trivy/pkg/log" + "github.com/aquasecurity/trivy/pkg/scanner/utils" + "github.com/aquasecurity/trivy/pkg/types" + + "k8s.io/utils/clock" +) + +var ( + eolDates = map[string]time.Time{} +) + +type Scanner struct { + vs dbTypes.VulnSrc + clock clock.Clock +} + +func NewScanner() *Scanner { + return &Scanner{ + vs: photon.NewVulnSrc(), + clock: clock.RealClock{}, + } +} + +func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) { + log.Logger.Info("Detecting Photon Linux vulnerabilities...") + log.Logger.Debugf("Photon Linux: os version: %s", osVer) + log.Logger.Debugf("Photon Linux: the number of packages: %d", len(pkgs)) + + var vulns []types.DetectedVulnerability + for _, pkg := range pkgs { + advisories, err := s.vs.Get(osVer, pkg.SrcName) + if err != nil { + return nil, xerrors.Errorf("failed to get Photon Linux advisory: %w", err) + } + + installed := utils.FormatVersion(pkg) + installedVersion := version.NewVersion(installed) + for _, adv := range advisories { + fixedVersion := version.NewVersion(adv.FixedVersion) + vuln := types.DetectedVulnerability{ + VulnerabilityID: adv.VulnerabilityID, + PkgName: pkg.Name, + InstalledVersion: installed, + } + if installedVersion.LessThan(fixedVersion) { + vuln.FixedVersion = adv.FixedVersion + vulns = append(vulns, vuln) + } + } + } + return vulns, nil +} + +func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool { + return true +} diff --git a/pkg/scanner/ospkg/scan.go b/pkg/scanner/ospkg/scan.go index c496c6b699..95fbec6f9a 100644 --- a/pkg/scanner/ospkg/scan.go +++ b/pkg/scanner/ospkg/scan.go @@ -8,6 +8,7 @@ import ( _ "github.com/aquasecurity/fanal/analyzer/os/alpine" _ "github.com/aquasecurity/fanal/analyzer/os/amazonlinux" _ "github.com/aquasecurity/fanal/analyzer/os/debianbase" + _ "github.com/aquasecurity/fanal/analyzer/os/photon" _ "github.com/aquasecurity/fanal/analyzer/os/redhatbase" _ "github.com/aquasecurity/fanal/analyzer/os/suse" _ "github.com/aquasecurity/fanal/analyzer/pkg/apk" diff --git a/pkg/vulnerability/vulnerability.go b/pkg/vulnerability/vulnerability.go index c9abc7753e..089adc1634 100644 --- a/pkg/vulnerability/vulnerability.go +++ b/pkg/vulnerability/vulnerability.go @@ -33,7 +33,7 @@ type Operation interface { } type Client struct { - dbc db.Operations + dbc db.Operation } func NewClient(dbc db.Config) Client { diff --git a/pkg/vulnerability/vulnerability_test.go b/pkg/vulnerability/vulnerability_test.go index aaed1667a5..d73a94999e 100644 --- a/pkg/vulnerability/vulnerability_test.go +++ b/pkg/vulnerability/vulnerability_test.go @@ -26,41 +26,26 @@ func TestMain(m *testing.M) { } func TestClient_FillInfo(t *testing.T) { - type getSeverityOutput struct { - severity dbTypes.Severity - err error - } - type getSeverity struct { - input string - output getSeverityOutput - } - type getVulnerabilityOutput struct { - vulnerability dbTypes.Vulnerability - err error - } - type getVulnerability struct { - input string - output getVulnerabilityOutput - } - type args struct { vulns []types.DetectedVulnerability light bool } tests := []struct { name string - getSeverity []getSeverity - getVulnerability []getVulnerability + getSeverity []db.GetSeverityExpectation + getVulnerability []db.GetVulnerabilityExpectation args args expected []types.DetectedVulnerability }{ { name: "happy path", - getVulnerability: []getVulnerability{ + getVulnerability: []db.GetVulnerabilityExpectation{ { - input: "CVE-2019-0001", - output: getVulnerabilityOutput{ - vulnerability: dbTypes.Vulnerability{ + Args: db.GetVulnerabilityArgs{ + VulnerabilityID: "CVE-2019-0001", + }, + Returns: db.GetVulnerabilityReturns{ + Vulnerability: dbTypes.Vulnerability{ Title: "dos", Description: "dos vulnerability", Severity: dbTypes.SeverityMedium.String(), @@ -89,17 +74,21 @@ func TestClient_FillInfo(t *testing.T) { }, { name: "happy path with light option", - getSeverity: []getSeverity{ + getSeverity: []db.GetSeverityExpectation{ { - input: "CVE-2019-0001", - output: getSeverityOutput{ - severity: dbTypes.SeverityCritical, + Args: db.GetSeverityArgs{ + VulnerabilityID: "CVE-2019-0001", + }, + Returns: db.GetSeverityReturns{ + Severity: dbTypes.SeverityCritical, }, }, { - input: "CVE-2019-0002", - output: getSeverityOutput{ - severity: dbTypes.SeverityHigh, + Args: db.GetSeverityArgs{ + VulnerabilityID: "CVE-2019-0002", + }, + Returns: db.GetSeverityReturns{ + Severity: dbTypes.SeverityHigh, }, }, }, @@ -127,11 +116,13 @@ func TestClient_FillInfo(t *testing.T) { }, { name: "GetVulnerability returns an error", - getVulnerability: []getVulnerability{ + getVulnerability: []db.GetVulnerabilityExpectation{ { - input: "CVE-2019-0004", - output: getVulnerabilityOutput{ - err: xerrors.New("failed"), + Args: db.GetVulnerabilityArgs{ + VulnerabilityID: "CVE-2019-0004", + }, + Returns: db.GetVulnerabilityReturns{ + Err: xerrors.New("failed"), }, }, }, @@ -147,11 +138,13 @@ func TestClient_FillInfo(t *testing.T) { }, { name: "GetSeverity returns an error", - getSeverity: []getSeverity{ + getSeverity: []db.GetSeverityExpectation{ { - input: "CVE-2019-0003", - output: getSeverityOutput{ - err: xerrors.New("failed"), + Args: db.GetSeverityArgs{ + VulnerabilityID: "CVE-2019-0003", + }, + Returns: db.GetSeverityReturns{ + Err: xerrors.New("failed"), }, }, }, @@ -174,18 +167,13 @@ func TestClient_FillInfo(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - mockDBConfig := new(db.MockDBConfig) + mockDBConfig := new(db.MockOperation) + mockDBConfig.ApplyGetSeverityExpectations(tt.getSeverity) + mockDBConfig.ApplyGetVulnerabilityExpectations(tt.getVulnerability) + c := Client{ dbc: mockDBConfig, } - for _, gs := range tt.getSeverity { - mockDBConfig.On("GetSeverity", gs.input).Return( - gs.output.severity, gs.output.err) - } - for _, gv := range tt.getVulnerability { - mockDBConfig.On("GetVulnerability", gv.input).Return( - gv.output.vulnerability, gv.output.err) - } c.FillInfo(tt.args.vulns, tt.args.light) assert.Equal(t, tt.expected, tt.args.vulns, tt.name)