Update README

2025-12-09 22:30:46 -08:00 · 2019-05-07 15:48:22 +09:00
14 changed files with 33 additions and 205 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -2,16 +2,9 @@ defaults: &defaults
  docker :
    - image: knqyf263/ci-trivy:latest
  environment:
-    CGO_ENABLED: "0"
+    CGO_ENABLED: "1"
 jobs:
  test:
    <<: *defaults
    steps:
      - checkout
      - run:
          name: Test
          command: go test ./...
  release:
    <<: *defaults
    steps:
@@ -41,7 +34,6 @@ workflows:
  version: 2
  release:
    jobs:  
      - test
      - release:
          filters:
            branches:
--- a/README.md
+++ b/README.md
@@ -1,12 +1,10 @@
-<img src="imgs/logo.png" width="300">
+# trivy
 [![GitHub release](https://img.shields.io/github/release/knqyf263/trivy.svg)](https://github.com/knqyf263/trivy/releases/latest)
 [![CircleCI](https://circleci.com/gh/knqyf263/trivy.svg?style=svg)](https://circleci.com/gh/knqyf263/trivy)
 [![Go Report Card](https://goreportcard.com/badge/github.com/knqyf263/trivy)](https://goreportcard.com/report/github.com/knqyf263/trivy)
 [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/knqyf263/trivy/blob/master/LICENSE)
 A Simple and Comprehensive Vulnerability Scanner for Containers
 # Abstract
 Scan containers
@@ -139,9 +137,6 @@ $ trivy --clean alpine:3.8
 ----
 # Credits
 Special thanks to [Tomoya Amachi](https://github.com/tomoyamachi)
 # License
 MIT
--- a/go.mod
+++ b/go.mod
@@ -37,5 +37,3 @@ require (
 )
 replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55
 replace github.com/olekukonko/tablewriter => github.com/knqyf263/tablewriter v0.0.2
--- a/go.sum
+++ b/go.sum
@@ -128,8 +128,6 @@ github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9D
 github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
 github.com/knqyf263/tablewriter v0.0.2 h1:lGaBruL/oJt8FAlMVy9KU0oQ/6NXAJjvK7wBgZyc+Og=
 github.com/knqyf263/tablewriter v0.0.2/go.mod h1:NDOJQAZxabBL3e13jQVktkvbr6bxXXPon8Lyh7fRPPc=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
--- a/imgs/logo.png
+++ b/imgs/logo.png
--- a/pkg/scanner/library/bundler/advisory.go
+++ b/pkg/scanner/library/bundler/advisory.go
@@ -1,16 +1,10 @@
 package bundler
 import (
 	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 	"github.com/etcd-io/bbolt"
 	"github.com/knqyf263/trivy/pkg/db"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 	"golang.org/x/xerrors"
 	"github.com/knqyf263/trivy/pkg/git"
@@ -34,9 +28,6 @@ type Advisory struct {
 	Osvdb              string
 	Title              string
 	Url                string
 	Description        string
 	CvssV2             float64  `yaml:"cvss_v2"`
 	CvssV3             float64  `yaml:"cvss_v3"`
 	PatchedVersions    []string `yaml:"patched_versions"`
 	UnaffectedVersions []string `yaml:"unaffected_versions"`
 	Related            Related
@@ -51,15 +42,14 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return xerrors.Errorf("error in %s security DB update: %w", s.Type(), err)
 	}
-	s.db, err = s.walk()
+	s.db, err = walk()
 	return err
 }
-func (s *Scanner) walk() (AdvisoryDB, error) {
+func walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
 	root := filepath.Join(repoPath, "gems")
 	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() {
 			return nil
@@ -75,48 +65,16 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 			return xerrors.Errorf("failed to unmarshal YAML: %w", err)
 		}
 		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.Gem]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.Gem] = append(advisories, advisory)
 		// for displaying vulnerability detail
 		var vulnerabilityID string
 		if advisory.Cve != "" {
 			vulnerabilityID = fmt.Sprintf("CVE-%s", advisory.Cve)
 		} else if advisory.Osvdb != "" {
 			vulnerabilityID = fmt.Sprintf("OSVDB-%s", advisory.Osvdb)
 		}
 		vulns = append(vulns, vulnerability.Vulnerability{
 			ID:          vulnerabilityID,
 			CvssScore:   advisory.CvssV2,
 			CvssScoreV3: advisory.CvssV3,
 			References:  append([]string{advisory.Url}, advisory.Related.Url...),
 			Title:       advisory.Title,
 			Description: advisory.Description,
 		})
 		return nil
 	})
 	if err != nil {
-		return nil, xerrors.Errorf("error in file walk: %w", err)
+		return nil, xerrors.Errorf("error in file wakl: %w", err)
 	}
 	if err = s.saveVulnerabilities(vulns); err != nil {
 		return nil, err
 	}
 	return advisoryDB, nil
 }
 func (s *Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
 	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.RubySec, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
 			}
 		}
 		return nil
 	})
 }
--- a/pkg/scanner/library/composer/advisory.go
+++ b/pkg/scanner/library/composer/advisory.go
@@ -6,13 +6,7 @@ import (
 	"path/filepath"
 	"strings"
 	"github.com/etcd-io/bbolt"
 	"github.com/knqyf263/trivy/pkg/db"
 	"golang.org/x/xerrors"
 	"github.com/knqyf263/trivy/pkg/utils"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 	"github.com/knqyf263/trivy/pkg/git"
 	"gopkg.in/yaml.v2"
@@ -44,13 +38,12 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = s.walk()
+	s.db, err = walk()
 	return err
 }
-func (s *Scanner) walk() (AdvisoryDB, error) {
+func walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
 	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() || !strings.HasPrefix(info.Name(), "CVE-") {
 			return nil
@@ -65,39 +58,16 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 		if err != nil {
 			return err
 		}
 		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.Reference]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.Reference] = append(advisories, advisory)
 		// for displaying vulnerability detail
 		vulns = append(vulns, vulnerability.Vulnerability{
 			ID:         advisory.Cve,
 			References: []string{advisory.Link},
 			Title:      advisory.Title,
 		})
 		return nil
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("error in file walk: %w", err)
 	}
 	if err = s.saveVulnerabilities(vulns); err != nil {
 		return nil, err
 	}
 	return advisoryDB, nil
 }
 func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
 	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.PhpSecurityAdvisories, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
 			}
 		}
 		return nil
 	})
 }
--- a/pkg/scanner/library/npm/advisory.go
+++ b/pkg/scanner/library/npm/advisory.go
@@ -2,19 +2,12 @@ package npm
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"github.com/etcd-io/bbolt"
 	"github.com/knqyf263/trivy/pkg/db"
 	"golang.org/x/xerrors"
 	"github.com/knqyf263/trivy/pkg/utils"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 	"github.com/knqyf263/trivy/pkg/git"
 )
@@ -36,7 +29,6 @@ type Advisory struct {
 	Cves               []string
 	VulnerableVersions string `json:"vulnerable_versions"`
 	PatchedVersions    string `json:"patched_versions"`
 	Overview           string
 	Recommendation     string
 	References         []string
 	CvssScoreNumber    json.Number `json:"cvss_score"`
@@ -47,13 +39,12 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = s.walk()
+	s.db, err = walk()
 	return err
 }
-func (s *Scanner) walk() (AdvisoryDB, error) {
+func walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
 	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(filepath.Join(repoPath, "vuln"), func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() || !strings.HasSuffix(info.Name(), ".json") {
 			return nil
@@ -77,46 +68,16 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 			advisory.CvssScore = -1
 		}
 		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.ModuleName]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.ModuleName] = append(advisories, advisory)
 		// for displaying vulnerability detail
 		vulnerabilityIDs := advisory.Cves
 		if len(vulnerabilityIDs) == 0 {
 			vulnerabilityIDs = []string{fmt.Sprintf("NSWG-ECO-%d", advisory.ID)}
 		}
 		for _, vulnID := range vulnerabilityIDs {
 			vulns = append(vulns, vulnerability.Vulnerability{
 				ID:          vulnID,
 				CvssScore:   advisory.CvssScore,
 				References:  advisory.References,
 				Title:       advisory.Title,
 				Description: advisory.Overview,
 			})
 		}
 		return nil
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("error in file walk: %w", err)
 	}
 	if err = s.saveVulnerabilities(vulns); err != nil {
 		return nil, err
 	}
 	return advisoryDB, nil
 }
 func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
 	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.NodejsSecurityWg, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
 			}
 		}
 		return nil
 	})
 }
--- a/pkg/scanner/library/pipenv/advisory.go
+++ b/pkg/scanner/library/pipenv/advisory.go
@@ -5,14 +5,9 @@ import (
 	"os"
 	"path/filepath"
 	"github.com/etcd-io/bbolt"
 	"github.com/knqyf263/trivy/pkg/db"
 	"golang.org/x/xerrors"
 	"github.com/knqyf263/trivy/pkg/utils"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 	"github.com/knqyf263/trivy/pkg/git"
 )
@@ -39,14 +34,14 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = s.parse()
+	s.db, err = parse()
 	if err != nil {
 		return xerrors.Errorf("failed to parse python safety-db: %w", err)
 	}
 	return nil
 }
-func (s *Scanner) parse() (AdvisoryDB, error) {
+func parse() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
 	f, err := os.Open(filepath.Join(repoPath, "data", "insecure_full.json"))
 	if err != nil {
@@ -54,39 +49,9 @@ func (s *Scanner) parse() (AdvisoryDB, error) {
 	}
 	defer f.Close()
 	// for detecting vulnerabilities
 	if err = json.NewDecoder(f).Decode(&advisoryDB); err != nil {
 		return nil, err
 	}
 	// for displaying vulnerability detail
 	var vulns []vulnerability.Vulnerability
 	for _, advisories := range advisoryDB {
 		for _, advisory := range advisories {
 			vulnerabilityID := advisory.Cve
 			if vulnerabilityID == "" {
 				vulnerabilityID = advisory.ID
 			}
 			vulns = append(vulns, vulnerability.Vulnerability{
 				ID:    vulnerabilityID,
 				Title: advisory.Advisory,
 			})
 		}
 	}
 	if err = s.saveVulnerabilities(vulns); err != nil {
 		return nil, err
 	}
 	return advisoryDB, nil
 }
 func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
 	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.PythonSafetyDB, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
 			}
 		}
 		return nil
 	})
 }
--- a/pkg/scanner/library/scan.go
+++ b/pkg/scanner/library/scan.go
@@ -96,7 +96,7 @@ func scan(scanner Scanner, pkgs []ptypes.Library) ([]types.Vulnerability, error)
 		return nil, xerrors.Errorf("failed to update %s advisories: %w", scanner.Type(), err)
 	}
-	log.Logger.Infof("Detecting %s vulnerabilities...", scanner.Type())
+	log.Logger.Infof("Detect %s vulnerabilities", scanner.Type())
 	var vulnerabilities []types.Vulnerability
 	for _, pkg := range pkgs {
 		v, err := version.NewVersion(pkg.Version)
--- a/pkg/scanner/scan.go
+++ b/pkg/scanner/scan.go
@@ -25,12 +25,6 @@ import (
 	"github.com/knqyf263/fanal/extractor"
 )
 var (
 	sources = []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
 		vulnerability.DebianOVAL, vulnerability.Alpine, vulnerability.RubySec, vulnerability.PhpSecurityAdvisories,
 		vulnerability.NodejsSecurityWg, vulnerability.PythonSafetyDB}
 )
 func ScanImage(imageName, filePath string, severities []vulnerability.Severity) (report.Results, error) {
 	var results report.Results
 	var err error
@@ -140,7 +134,8 @@ func getDetail(vulnID string) (vulnerability.Severity, string) {
 }
 func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.Severity {
-	for _, source := range sources {
+	for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
 		vulnerability.DebianOVAL, vulnerability.Alpine} {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -159,7 +154,8 @@ func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.S
 }
 func getTitle(details map[string]vulnerability.Vulnerability) string {
-	for _, source := range sources {
+	for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
 		vulnerability.DebianOVAL, vulnerability.Alpine} {
 		d, ok := details[source]
 		if !ok {
 			continue
--- a/pkg/vulnsrc/vulnerability/const.go
+++ b/pkg/vulnsrc/vulnerability/const.go
@@ -2,17 +2,13 @@ package vulnerability
 const (
 	// Data source
-	Nvd                   = "nvd"
+	Nvd        = "nvd"
-	RedHat                = "redhat"
+	RedHat     = "redhat"
-	Debian                = "debian"
+	Debian     = "debian"
-	DebianOVAL            = "debian-oval"
+	DebianOVAL = "debian-oval"
-	Ubuntu                = "ubuntu"
+	Ubuntu     = "ubuntu"
-	CentOS                = "centos"
+	CentOS     = "centos"
-	Fedora                = "fedora"
+	Fedora     = "fedora"
-	Amazon                = "amazon"
+	Amazon     = "amazon"
-	Alpine                = "alpine"
+	Alpine     = "alpine"
 	RubySec               = "ruby-advisory-db"
 	PhpSecurityAdvisories = "php-security-advisories"
 	NodejsSecurityWg      = "nodejs-security-wg"
 	PythonSafetyDB        = "python-safety-db"
 )
--- a/pkg/vulnsrc/vulnerability/types.go
+++ b/pkg/vulnsrc/vulnerability/types.go
@@ -19,18 +19,18 @@ const (
 var (
 	SeverityNames = []string{
 		"UNKNOWN",
 		"LOW",
 		"MEDIUM",
 		"HIGH",
 		"CRITICAL",
 		"HIGH",
 		"MEDIUM",
 		"LOW",
 		"UNKNOWN",
 	}
 	SeverityColor = []func(a ...interface{}) string{
 		color.New(color.FgCyan).SprintFunc(),
 		color.New(color.FgBlue).SprintFunc(),
 		color.New(color.FgYellow).SprintFunc(),
 		color.New(color.FgHiRed).SprintFunc(),
 		color.New(color.FgRed).SprintFunc(),
 		color.New(color.FgHiRed).SprintFunc(),
 		color.New(color.FgYellow).SprintFunc(),
 		color.New(color.FgBlue).SprintFunc(),
 		color.New(color.FgCyan).SprintFunc(),
 	}
 )
--- a/pkg/vulnsrc/vulnerability/vulnerability.go
+++ b/pkg/vulnsrc/vulnerability/vulnerability.go
@@ -13,7 +13,6 @@ const (
 )
 type Vulnerability struct {
 	ID          string // e.g. CVE-2019-8331, OSVDB-104365
 	CvssScore   float64
 	CvssScoreV3 float64
 	Severity    Severity