mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-10 06:40:46 -08:00
Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
eaf2da20a6 | ||
|
|
083c157b05 | ||
|
|
e26e39a7f8 | ||
|
|
04e7ccabea | ||
|
|
415e1d8ea3 | ||
|
|
3bb8852ef7 | ||
|
|
c0fddd9467 |
11
.github/workflows/mkdocs-latest.yaml
vendored
11
.github/workflows/mkdocs-latest.yaml
vendored
@@ -1,5 +1,10 @@
|
||||
name: Deploy the latest documentation
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
version:
|
||||
description: Version to be deployed
|
||||
required: true
|
||||
push:
|
||||
tags:
|
||||
- "v*"
|
||||
@@ -27,7 +32,11 @@ jobs:
|
||||
run: |
|
||||
git config user.name "knqyf263"
|
||||
git config user.email "knqyf263@gmail.com"
|
||||
- name: Deploy the latest documents
|
||||
- name: Deploy the latest documents from new tag push
|
||||
if: ${{ github.event.inputs.version == '' }}
|
||||
run: |
|
||||
VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g")
|
||||
mike deploy --push --update-aliases $VERSION latest
|
||||
- name: Deploy the latest documents from manual trigger
|
||||
if: ${{ github.event.inputs.version != '' }}
|
||||
run: mike deploy --push --update-aliases ${{ github.event.inputs.version }} latest
|
||||
|
||||
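Review bot: The manual-trigger step at the end of the hunk interpolates `${{ github.event.inputs.version }}` straight into a shell `run:` line, and the tag-push step builds `VERSION` from `${{ github.ref }}` the same way; expression values are substituted before the shell parses the script, so shell metacharacters in the input or the tag name become commands rather than an argument. Both values come from collaborators with write access, so the exposure is limited, but the usual hardening costs nothing: bind the expression to an environment variable and quote it, e.g. `env:` / `  VERSION: ${{ github.event.inputs.version }}` with `run: mike deploy --push --update-aliases "$VERSION" latest`. The tag case can likewise use `VERSION=${GITHUB_REF#refs/tags/}` instead of piping `echo` through `sed`.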
@@ -1,4 +1,4 @@
|
||||
FROM alpine:3.12
|
||||
FROM alpine:3.13
|
||||
RUN apk --no-cache add ca-certificates git
|
||||
COPY trivy /usr/local/bin/trivy
|
||||
COPY contrib/*.tpl contrib/
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
"version": "0.15.0",
|
||||
"rules": [
|
||||
{{- $t_first := true }}
|
||||
{{- range . }}
|
||||
{{- range $result := . }}
|
||||
{{- $vulnerabilityType := .Type }}
|
||||
{{- range .Vulnerabilities -}}
|
||||
{{- if $t_first -}}
|
||||
@@ -20,7 +20,7 @@
|
||||
,
|
||||
{{- end }}
|
||||
{
|
||||
"id": "{{ .VulnerabilityID }}/{{ .PkgName }}",
|
||||
"id": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
|
||||
"name": "{{ toSarifRuleName $vulnerabilityType }}",
|
||||
"shortDescription": {
|
||||
"text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
|
||||
@@ -57,7 +57,7 @@
|
||||
},
|
||||
"results": [
|
||||
{{- $t_first := true }}
|
||||
{{- range . }}
|
||||
{{- range $result := . }}
|
||||
{{- $filePath := .Target }}
|
||||
{{- range $index, $vulnerability := .Vulnerabilities -}}
|
||||
{{- if $t_first -}}
|
||||
@@ -66,7 +66,7 @@
|
||||
,
|
||||
{{- end }}
|
||||
{
|
||||
"ruleId": "{{ $vulnerability.VulnerabilityID }}/{{ $vulnerability.PkgName }}",
|
||||
"ruleId": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
|
||||
"ruleIndex": {{ $index }},
|
||||
"level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
|
||||
"message": {
|
||||
@@ -92,4 +92,4 @@
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
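Review bot: The new `id` and `ruleId` lines correctly emit the generated string through `toJson`, but the neighbouring `shortDescription.text` line in the first hunk still uses `printf "%q"`; Go's `%q` is Go-syntax quoting (`\x..` escapes for non-printable bytes), not JSON escaping, so a package name or target path containing unusual bytes can produce a SARIF document that does not parse. Since the target path is scan input that is now embedded in every id, it would be consistent to route every string-valued field through the same encoder, e.g. `"text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | toJson }}`. The `"name"` and `"level"` lines are written inside literal quotes with no escaping at all; those values come from helper functions rather than from scan input, so they are lower risk, but the same treatment would remove the exception.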
@@ -19,7 +19,8 @@
|
||||
- Java
|
||||
- JAR/WAR/EAR files (*.jar, *.war, and *.ear)
|
||||
- Go
|
||||
- Binaries built by Go
|
||||
- Binaries built by Go (UPX-compressed binaries don't work)
|
||||
- go.sum
|
||||
|
||||
The path of these files does not matter.
|
||||
|
||||
|
||||
2
go.mod
2
go.mod
@@ -6,7 +6,7 @@ require (
|
||||
github.com/Masterminds/goutils v1.1.0 // indirect
|
||||
github.com/Masterminds/sprig v2.22.0+incompatible
|
||||
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
|
||||
github.com/aquasecurity/fanal v0.0.0-20210430044351-34b55f31bc70
|
||||
github.com/aquasecurity/fanal v0.0.0-20210501235003-c816628070c1
|
||||
github.com/aquasecurity/go-dep-parser v0.0.0-20210427143403-3c97ccc53976
|
||||
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
|
||||
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
|
||||
|
||||
4
go.sum
4
go.sum
@@ -172,6 +172,10 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
|
||||
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
|
||||
github.com/aquasecurity/fanal v0.0.0-20210430044351-34b55f31bc70 h1:0v2pf+hIElPvGKLyDye08UtPH8AjujTVLUOWOgoM5O4=
|
||||
github.com/aquasecurity/fanal v0.0.0-20210430044351-34b55f31bc70/go.mod h1:cPTOJcf8bdP24oXhBsPVVczcjkICcApAwAOsn6CpHTI=
|
||||
github.com/aquasecurity/fanal v0.0.0-20210501093021-8aaac3e8dea7 h1:bY5D5GVthqQCvnNllG2NVXYpOQJJRi7KFhLdVrskaDg=
|
||||
github.com/aquasecurity/fanal v0.0.0-20210501093021-8aaac3e8dea7/go.mod h1:cPTOJcf8bdP24oXhBsPVVczcjkICcApAwAOsn6CpHTI=
|
||||
github.com/aquasecurity/fanal v0.0.0-20210501235003-c816628070c1 h1:xgdjcsA4Go/9k9XDXYimVF+BgyMlt7YoeWTMs2DpR8Y=
|
||||
github.com/aquasecurity/fanal v0.0.0-20210501235003-c816628070c1/go.mod h1:cPTOJcf8bdP24oXhBsPVVczcjkICcApAwAOsn6CpHTI=
|
||||
github.com/aquasecurity/go-dep-parser v0.0.0-20210427143403-3c97ccc53976 h1:ypl/IDxujzEymmwtzGJqQyboI2oZr1se+OoYaGqgBzQ=
|
||||
github.com/aquasecurity/go-dep-parser v0.0.0-20210427143403-3c97ccc53976/go.mod h1:Cv/FOCXy6gwvDbz/KX48+y//SmbnKroFwW5hquXn5G4=
|
||||
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
|
||||
|
||||
@@ -1,18 +1,17 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC+jCCAeKgAwIBAgIRAJLJ5vw48YZwoHlC8i6VdHswDQYJKoZIhvcNAQELBQAw
|
||||
EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0yMDA1MDMxMTU2MzhaFw0yMTA1MDMxMTU2
|
||||
MzhaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
|
||||
ggEKAoIBAQDhnepAL1Atd1xVh/TOZpTK7yHwtOrtGWNEqNkFbcyD7x9CNgUkxjO8
|
||||
nc4ynEo4ARpLj+2VDLIwi93weCFj6mcz2tdHi7n0eiPR7+PSNMNpPFwablLOEtaX
|
||||
XVqHhJNsHcJx6okX6ullksJoRnZGu+n1LvGRMMLWjS3UJZA6+1pujoifyrx9YXLU
|
||||
qSjkRRv3Ly8HmAPJq0T19uCZiJ8qbrW1Vx3hdUILL4OlJmpjZvGKMRnolinko2Vk
|
||||
0pHH5MWz0iUbqWQjHZmQWi0rDHRAFbuCqQdmFsEneXmUzExXZbyHwrTH/mrjJTCJ
|
||||
YmtR7Eq80AxsWnXNI3Z0mVQ9/nZDsT31AgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIF
|
||||
oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC
|
||||
CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAG7spAmpZVKOV913WhKZp8o1+
|
||||
T6v/b6KUOAZ0iWXeGWO7LwnRaulkyauGav9xJUpfEw7Z/57qwTVIGZD6mZF6tt77
|
||||
FsXXiQJA88LrQnt1BRTeNK8sRp4S3N1hrtY3akTit/dyQcfh3NSDttzkYsoUu0qT
|
||||
DUkXD0b4eDmaD47+0Z6eIVp3aEcPMzpiy6qWc5fMjMeHjtYF4lBSF0JTWzmxNUGl
|
||||
fiGhMJStQK/n73t58O7h5Adva5wRV+Km6pa+6SfOxPNUjsxXjG0LzWA9dJg/q2rs
|
||||
k/ouIE05BfB3z538ncQVBTwfPMClbIiJhAs3b6ej22+j/O+vbFBmdfkpVpFRtg==
|
||||
MIICwTCCAamgAwIBAgIJAP09YW8ChPlwMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
|
||||
BAoMB0FjbWUgQ28wIBcNMjEwNTEyMDQ0NzA1WhgPMjEwMDA0MTQwNDQ3MDVaMBIx
|
||||
EDAOBgNVBAoMB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
|
||||
AQDNmKpDOzU8GK5Xb3GfeqU1kKQ0gBejGtqK5ydH8tlRoy2NKGvjJ95nhIxUXMKe
|
||||
e345JFlzkCen5Ekvt70LT0O253z0FecfpaFilreIiu5J2YWWNtlruMhpjp4kYVMO
|
||||
piKnujiNK9eAUcz++YeAmrog7QPBJBCgdu18xTy/yOW/Y414e1efvbRJZ4TaQb0Y
|
||||
LgXRl1nlOLPPr5ew9pgnct7DxJVXpjXtgBxCsfcjH4kZGfc9zP0IKyODqaSCFRtj
|
||||
eKH8gSpJCimBp3hpWvsSTHTRraOxAGXqhIYPhqRM83eB2QbeHnyk+YOn76pdMndb
|
||||
vqAPksmTyHcgZShkhGcHKvbVAgMBAAGjGDAWMBQGA1UdEQQNMAuCCWxvY2FsaG9z
|
||||
dDANBgkqhkiG9w0BAQsFAAOCAQEAHxXOTKGP1hl3J2jQrpha5LuYdMEbK1HFbPhV
|
||||
042k0tBmfP3wRgx0o/WQhg4f5RswQRtipdUCmMZVOAoQfos8j9LFmIKwcsboEQe/
|
||||
Fvqq2+W/5TRhsKn/1OxvCZAEurazSygtm6hyiMGwKjJLfyzwjZx+Oopn3lqRUP36
|
||||
gLQQ57szoNZFKyPN2z2unXAuDG5wpG2InX8WJvlrhaiCHGUoxO8r0rVawm58bahM
|
||||
uGPlVPCNdxl1h7K8aecKpm+7Wh8n06Nl/kOWBDFAXeI8IwrnIy1rAZLngvnjqL//
|
||||
umjXKCBWya48ed9HMoOR2aruzseXc8k6cGXuBxYFtHissPvPPQ==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
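Review bot: Nothing on the page records how the replacement certificate was generated, and decoding the visible base64 suggests the two fixtures differ in more than dates: the old certificate was valid 2020-05-03 to 2021-05-03 and carried key-usage, extended-key-usage and basic-constraints extensions, while the new one runs until 2100 and its extension block holds only the `localhost` SAN. That is acceptable for a test fixture, but a one-line recipe next to the file (e.g. `# test-only self-signed cert for localhost; regenerate with <command placeholder>`) would keep the next refresh consistent and make clear that the committed key is test-only. The key section further down also switches framing from PKCS#8 (`BEGIN PRIVATE KEY`) to PKCS#1 (`BEGIN RSA PRIVATE KEY`); `tls.X509KeyPair` accepts both, but confirm that the loader the tests actually use does.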
@@ -1,28 +1,27 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhnepAL1Atd1xV
|
||||
h/TOZpTK7yHwtOrtGWNEqNkFbcyD7x9CNgUkxjO8nc4ynEo4ARpLj+2VDLIwi93w
|
||||
eCFj6mcz2tdHi7n0eiPR7+PSNMNpPFwablLOEtaXXVqHhJNsHcJx6okX6ullksJo
|
||||
RnZGu+n1LvGRMMLWjS3UJZA6+1pujoifyrx9YXLUqSjkRRv3Ly8HmAPJq0T19uCZ
|
||||
iJ8qbrW1Vx3hdUILL4OlJmpjZvGKMRnolinko2Vk0pHH5MWz0iUbqWQjHZmQWi0r
|
||||
DHRAFbuCqQdmFsEneXmUzExXZbyHwrTH/mrjJTCJYmtR7Eq80AxsWnXNI3Z0mVQ9
|
||||
/nZDsT31AgMBAAECggEBAKwwGhSMR3O7sdNxJIvVzF8orE2JtfXoN1OyTZcQGlLi
|
||||
z4d3tOtA/UFJapJDp30gklHy8Y6clu3oASVCebFItyTjMwPehrgn82iI3eWS8URC
|
||||
lcRySG4QAIia7bmZm+2atMi+B40icqhbnlV42VHYnpDKGAEIJtsZ+kz7shzhsj3G
|
||||
yTQMFyuqk0DUmsbSVKPjryv15DXsT9Rk2pVZYFhiRw/gQpWD58GMP/HMrSz+sjuX
|
||||
ZIlhSMGVWA4Yc7le4PpWI2qAZLR+X1EgkzxcMJ0kWvnvzEXFmofaYzkbEcNOlguF
|
||||
Bv9kP5fh35AbQbTLykGO9h4VrfDajlHequzNBJs1z60CgYEA53cwBh42pg/fSmaO
|
||||
sowpFV52ZfbfUPcuXRuaidHWougByB8P8XTMeQTse4NLt+2oat/5rdP3keGr5OR5
|
||||
8q7v8/R/KY0NQOa/93BUeRDW4ntxMECWbC2p/sq2wnRKTl+yepAWrRXzk8z9vFP/
|
||||
TZM5m65aj3IsZ3Bo1WG+SSf8bvsCgYEA+YgFxmiTauKRO4IVPuOqJ88yC5SQ83mF
|
||||
T54ILYalG3yq/Jm1TTOzoZAoKvHrJeeZqQvjS4jSY5gc5TCrUVTdsw5nXtrRKZJs
|
||||
HjtVT78qfzjCSHzImvc3Rw5+SNO2+j9yxuBSAG4tEKD3KKxSodXnKtD4CwzvRdyI
|
||||
gUyjQi3Os88CgYEAgrzegkYkhe2nKKX+6bijJ+/AHl2vy1KifHKv+jJs8nzrLLbm
|
||||
0XIwYBa44BbL+Oqi2yMBKv7z8hEuf03R15KZ9Ahgnv6Nwt/TBBcNj4hEZ45j42ZH
|
||||
0HiGcWTcj78RjW0eKX4jYMZqW0xI8Uvcg1uqCVYUzrsle5ORkxzvVvDf82sCgYEA
|
||||
4hS9tsA1IJhaoaIAgdRf7GWroBZhJlep0zMJkcX2fer8OJVDUMlRLUahPhelx9gI
|
||||
vsLIkz1J8XZ2Z6kq7yuHGp4oRibXb2T8lH+JkhFP/ah9TpPQZacq7DRTcsRvelhW
|
||||
M542bbFlHzXX+X/39i0Jnx9qPQjhGVjwTMYU/Pbn2r0CgYAkwwh2oq6BP3w7/4xe
|
||||
giaW/5zzMA8R9ZXFfkE4OXk2vig8LzUn1IO0JeGLyHQbdg8exYxTU3zygIlSvCQP
|
||||
Zbl0+RB+NHwGOqlpEDdPFXsqi1GAdWOC6FzYtBFNk9WyjFICXjB42wnfIIUQPLU1
|
||||
kQKFaehfx9KR0iW1dnm3vbFlzw==
|
||||
-----END PRIVATE KEY-----
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEpQIBAAKCAQEAzZiqQzs1PBiuV29xn3qlNZCkNIAXoxraiucnR/LZUaMtjShr
|
||||
4yfeZ4SMVFzCnnt+OSRZc5Anp+RJL7e9C09Dtud89BXnH6WhYpa3iIruSdmFljbZ
|
||||
a7jIaY6eJGFTDqYip7o4jSvXgFHM/vmHgJq6IO0DwSQQoHbtfMU8v8jlv2ONeHtX
|
||||
n720SWeE2kG9GC4F0ZdZ5Tizz6+XsPaYJ3Lew8SVV6Y17YAcQrH3Ix+JGRn3Pcz9
|
||||
CCsjg6mkghUbY3ih/IEqSQopgad4aVr7Ekx00a2jsQBl6oSGD4akTPN3gdkG3h58
|
||||
pPmDp++qXTJ3W76gD5LJk8h3IGUoZIRnByr21QIDAQABAoIBAQCVN2ETjIxVgqA+
|
||||
K08u7Ses2b6jr/f31AybVasnx/S8EI+F7Llo003SmdvzeqNxvLVeqagWfKCbdM89
|
||||
R8B3zd6aiCYjTSZCzMZ1tGeePR83EB2paUOhsCocmnricpSChEeQrlJO+2vb4QLE
|
||||
Z7xVtXazYPIhophCri4tKUWu+BLvNPez+TndaE5Xg77HLmu24rloZh6XhYDdFWd+
|
||||
u/eF+QiWy4/EoLUv2TLym8ivUws+r2G9yK57kcQCJw+BqlaRew7Ts0RHnam53OxV
|
||||
T4dEHJxAfXO8jC1F5NCjoBO/+0HJqrMtD0NqWH9G+fEtakL7h5oeh6vYrSQfpZGC
|
||||
V7MXojqdAoGBAOhwBi0erXOn4strtkGvSjJ6HVLwWfmm+rlfm23JGigYghYTSxBM
|
||||
ESuwppt1QPXK5jfil89RqrvDqKG9BjXV4yWyaJlIRaYeJe8/TZa3e8WkLr0XaKGH
|
||||
v1LTW+/uc73ihDJ/M2axmP4vjThCfqiG9aKXLCDM+DIgfdvIbkXUfPZjAoGBAOJw
|
||||
Fc6D3z0r09F3/UgtADhQlbD2jzs6xdcqCu7af3527F6ePXXU8CTLS5jusAiDW5xH
|
||||
ukQS/0ZM92UTUJxpQxgzHSWOImhcv3o45vzQ0C0pXSSaE+Pp8QYWaE/BdE+VoVOK
|
||||
YGAfppZywPGnKYt4R5ho5XLwAL3rrH+2m7z51mdnAoGBANP5LbjCLF64Mb1f2pOm
|
||||
f1zvPoTfyr5BSI/7n+yMJL2CNEhbie4v4MzeSeKmGPrO8grvK5EXIkQgGE5/6wT3
|
||||
rTI4tOltHo9zGRdJvMGBTXAd3b32diYxfQrU1BhIducph3PhyweRWTweM4SmJ4ob
|
||||
ojGH+edj5ckZFo50CBTIxrmPAoGBAI8SpSSsfCRJiffjadzt2iK7AColT9DrzM+r
|
||||
1+adlksQ1z7dmxXVqrqE3UpPHljyrrKrO40Bt9vyi6qIrrl1ZRhoS3VMPn9UgwO1
|
||||
6nU5dx/h7+FNnV23ljvzcotaP6R9dca0OzrhJMAQ18qYhY6DPDGXrcqWzNEzlPXJ
|
||||
KtQXxBnnAoGAFQPvW/wDahrGcm1MBw83E0TgNJpoB10tz6R1dLdKVSHJUXMfxmij
|
||||
Wj4MaF0JB0GWRRjutng+i7y7Tx+mUpu80qV8E9zAH7jGFnpqjw8A9zp5ftK00e7Y
|
||||
shRlg+lhJhlvMA5QCYNzpYj+7EXJm7nzbhC6pMtBapT9a/MUPYFte38=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
||||
34
integration/testdata/alpine-310.sarif.golden
vendored
34
integration/testdata/alpine-310.sarif.golden
vendored
@@ -11,7 +11,7 @@
|
||||
"version": "0.15.0",
|
||||
"rules": [
|
||||
{
|
||||
"id": "CVE-2019-1549/libcrypto1.1",
|
||||
"id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
|
||||
"name": "OS Package Vulnerability (Alpine)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-2019-1549 Package: libcrypto1.1"
|
||||
@@ -37,7 +37,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "CVE-2019-1551/libcrypto1.1",
|
||||
"id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
|
||||
"name": "OS Package Vulnerability (Alpine)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-2019-1551 Package: libcrypto1.1"
|
||||
@@ -63,7 +63,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "CVE-2019-1563/libcrypto1.1",
|
||||
"id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
|
||||
"name": "OS Package Vulnerability (Alpine)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-2019-1563 Package: libcrypto1.1"
|
||||
@@ -89,7 +89,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "CVE-2019-1547/libcrypto1.1",
|
||||
"id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
|
||||
"name": "OS Package Vulnerability (Alpine)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-2019-1547 Package: libcrypto1.1"
|
||||
@@ -115,7 +115,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "CVE-2019-1549/libssl1.1",
|
||||
"id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
|
||||
"name": "OS Package Vulnerability (Alpine)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-2019-1549 Package: libssl1.1"
|
||||
@@ -141,7 +141,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "CVE-2019-1551/libssl1.1",
|
||||
"id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
|
||||
"name": "OS Package Vulnerability (Alpine)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-2019-1551 Package: libssl1.1"
|
||||
@@ -167,7 +167,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "CVE-2019-1563/libssl1.1",
|
||||
"id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
|
||||
"name": "OS Package Vulnerability (Alpine)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-2019-1563 Package: libssl1.1"
|
||||
@@ -193,7 +193,7 @@
|
||||
}
|
||||
},
|
||||
{
|
||||
"id": "CVE-2019-1547/libssl1.1",
|
||||
"id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
|
||||
"name": "OS Package Vulnerability (Alpine)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-2019-1547 Package: libssl1.1"
|
||||
@@ -222,7 +222,7 @@
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "CVE-2019-1549/libcrypto1.1",
|
||||
"ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
|
||||
"ruleIndex": 0,
|
||||
"level": "warning",
|
||||
"message": {
|
||||
@@ -238,7 +238,7 @@
|
||||
}]
|
||||
},
|
||||
{
|
||||
"ruleId": "CVE-2019-1551/libcrypto1.1",
|
||||
"ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
|
||||
"ruleIndex": 1,
|
||||
"level": "warning",
|
||||
"message": {
|
||||
@@ -254,7 +254,7 @@
|
||||
}]
|
||||
},
|
||||
{
|
||||
"ruleId": "CVE-2019-1563/libcrypto1.1",
|
||||
"ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
|
||||
"ruleIndex": 2,
|
||||
"level": "warning",
|
||||
"message": {
|
||||
@@ -270,7 +270,7 @@
|
||||
}]
|
||||
},
|
||||
{
|
||||
"ruleId": "CVE-2019-1547/libcrypto1.1",
|
||||
"ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
|
||||
"ruleIndex": 3,
|
||||
"level": "note",
|
||||
"message": {
|
||||
@@ -286,7 +286,7 @@
|
||||
}]
|
||||
},
|
||||
{
|
||||
"ruleId": "CVE-2019-1549/libssl1.1",
|
||||
"ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
|
||||
"ruleIndex": 4,
|
||||
"level": "warning",
|
||||
"message": {
|
||||
@@ -302,7 +302,7 @@
|
||||
}]
|
||||
},
|
||||
{
|
||||
"ruleId": "CVE-2019-1551/libssl1.1",
|
||||
"ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
|
||||
"ruleIndex": 5,
|
||||
"level": "warning",
|
||||
"message": {
|
||||
@@ -318,7 +318,7 @@
|
||||
}]
|
||||
},
|
||||
{
|
||||
"ruleId": "CVE-2019-1563/libssl1.1",
|
||||
"ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
|
||||
"ruleIndex": 6,
|
||||
"level": "warning",
|
||||
"message": {
|
||||
@@ -334,7 +334,7 @@
|
||||
}]
|
||||
},
|
||||
{
|
||||
"ruleId": "CVE-2019-1547/libssl1.1",
|
||||
"ruleId": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
|
||||
"ruleIndex": 7,
|
||||
"level": "note",
|
||||
"message": {
|
||||
@@ -357,4 +357,4 @@
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
@@ -39,7 +39,7 @@ func NewDriver(libType string) (Driver, error) {
|
||||
driver = newNugetDriver()
|
||||
case library.Jar:
|
||||
driver = newMavenDriver()
|
||||
case library.GoBinary:
|
||||
case library.GoBinary, library.GoMod:
|
||||
driver = Driver{
|
||||
ecosystem: vulnerability.Go,
|
||||
advisories: []advisory{NewAdvisory(vulnerability.Go, comparer.GenericComparer{})},
|
||||
|
||||
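Review bot: `library.GoMod` is now routed to the same driver as `library.GoBinary`, which compares versions with `comparer.GenericComparer{}`; Go module versions are `v`-prefixed semver and very often pseudo-versions (`v0.0.0-20210501235003-c816628070c1`, as in the go.mod hunk above), so confirm that the generic comparer orders those correctly against advisory ranges, otherwise go.sum-based detection will silently miss or over-report. A short comment on the case would record the decision, e.g. `// go.sum and Go binaries share the Go advisory set and the generic version comparer.` NewDriver starts and ends outside the hunk.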
@@ -409,7 +409,7 @@ func TestReportWriter_Template_SARIF(t *testing.T) {
|
||||
"version": "0.15.0",
|
||||
"rules": [
|
||||
{
|
||||
"id": "CVE-1234-5678/foopackage",
|
||||
"id": "foo/target/alpine-310.tar.gz (alpine 3.10.2): foopackage-1.2.3 CVE-1234-5678",
|
||||
"name": "Other Vulnerability (Footype)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-1234-5678 Package: foopackage"
|
||||
@@ -437,7 +437,7 @@ func TestReportWriter_Template_SARIF(t *testing.T) {
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "CVE-1234-5678/foopackage",
|
||||
"ruleId": "foo/target/alpine-310.tar.gz (alpine 3.10.2): foopackage-1.2.3 CVE-1234-5678",
|
||||
"ruleIndex": 0,
|
||||
"level": "error",
|
||||
"message": {
|
||||
@@ -493,7 +493,7 @@ func TestReportWriter_Template_SARIF(t *testing.T) {
|
||||
"version": "0.15.0",
|
||||
"rules": [
|
||||
{
|
||||
"id": "CVE-1234-5678/foopackage",
|
||||
"id": "rust-app\\Cargo.lock: foopackage-1.2.3 CVE-1234-5678",
|
||||
"name": "Other Vulnerability (Footype)",
|
||||
"shortDescription": {
|
||||
"text": "CVE-1234-5678 Package: foopackage"
|
||||
@@ -522,7 +522,7 @@ func TestReportWriter_Template_SARIF(t *testing.T) {
|
||||
},
|
||||
"results": [
|
||||
{
|
||||
"ruleId": "CVE-1234-5678/foopackage",
|
||||
"ruleId": "rust-app\\Cargo.lock: foopackage-1.2.3 CVE-1234-5678",
|
||||
"ruleIndex": 0,
|
||||
"level": "error",
|
||||
"message": {
|
||||
|
||||
@@ -18,6 +18,7 @@ import (
|
||||
_ "github.com/aquasecurity/fanal/analyzer/library/cargo"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/library/composer"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/library/gobinary"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/library/gomod"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/library/jar"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/library/npm"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/library/nuget"
|
||||
|
||||
@@ -28,6 +28,8 @@ func (v BySeverity) Len() int { return len(v) }
|
||||
func (v BySeverity) Less(i, j int) bool {
|
||||
if v[i].PkgName != v[j].PkgName {
|
||||
return v[i].PkgName < v[j].PkgName
|
||||
} else if v[i].InstalledVersion != v[j].InstalledVersion {
|
||||
return v[i].InstalledVersion < v[j].InstalledVersion
|
||||
}
|
||||
ret := types.CompareSeverityString(
|
||||
v[j].Severity, v[i].Severity,
|
||||
|
||||
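Review bot: The added branch uses `} else if` after a `return`, which Go style flags; flatten it into two guard clauses, `if v[i].PkgName != v[j].PkgName { return v[i].PkgName < v[j].PkgName }` followed by `if v[i].InstalledVersion != v[j].InstalledVersion { return v[i].InstalledVersion < v[j].InstalledVersion }`. With these keys the ordering is by package name and installed version first and by severity only as a tie-break, so the type name `BySeverity` and its doc comment (outside the hunk) should say so, otherwise callers expecting severity-first output will be surprised. The body of `Less` continues past the end of the hunk.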
@@ -3,6 +3,7 @@ package vulnerability
|
||||
import (
|
||||
"bufio"
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"sort"
|
||||
@@ -148,25 +149,8 @@ func (c Client) getPrimaryURL(vulnID string, refs []string, source string) strin
|
||||
func (c Client) Filter(ctx context.Context, vulns []types.DetectedVulnerability, severities []dbTypes.Severity,
|
||||
ignoreUnfixed bool, ignoreFile string, policyFile string) ([]types.DetectedVulnerability, error) {
|
||||
ignoredIDs := getIgnoredIDs(ignoreFile)
|
||||
var vulnerabilities []types.DetectedVulnerability
|
||||
for _, vuln := range vulns {
|
||||
if vuln.Severity == "" {
|
||||
vuln.Severity = dbTypes.SeverityUnknown.String()
|
||||
}
|
||||
// Filter vulnerabilities by severity
|
||||
for _, s := range severities {
|
||||
if s.String() == vuln.Severity {
|
||||
// Ignore unfixed vulnerabilities
|
||||
if ignoreUnfixed && vuln.FixedVersion == "" {
|
||||
continue
|
||||
} else if utils.StringInSlice(vuln.VulnerabilityID, ignoredIDs) {
|
||||
continue
|
||||
}
|
||||
vulnerabilities = append(vulnerabilities, vuln)
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
vulnerabilities := filterVulnerabilities(vulns, severities, ignoredIDs, ignoreUnfixed)
|
||||
|
||||
if policyFile != "" {
|
||||
var err error
|
||||
@@ -179,6 +163,49 @@ func (c Client) Filter(ctx context.Context, vulns []types.DetectedVulnerability,
|
||||
return vulnerabilities, nil
|
||||
}
|
||||
|
||||
func filterVulnerabilities(vulns []types.DetectedVulnerability, severities []dbTypes.Severity, ignoredIDs []string,
|
||||
ignoreUnfixed bool) []types.DetectedVulnerability {
|
||||
uniqVulns := make(map[string]types.DetectedVulnerability)
|
||||
for _, vuln := range vulns {
|
||||
if vuln.Severity == "" {
|
||||
vuln.Severity = dbTypes.SeverityUnknown.String()
|
||||
}
|
||||
// Filter vulnerabilities by severity
|
||||
for _, s := range severities {
|
||||
if s.String() != vuln.Severity {
|
||||
continue
|
||||
}
|
||||
|
||||
// Ignore unfixed vulnerabilities
|
||||
if ignoreUnfixed && vuln.FixedVersion == "" {
|
||||
continue
|
||||
} else if utils.StringInSlice(vuln.VulnerabilityID, ignoredIDs) {
|
||||
continue
|
||||
}
|
||||
|
||||
// Check if there is a duplicate vulnerability
|
||||
key := fmt.Sprintf("%s/%s/%s", vuln.VulnerabilityID, vuln.PkgName, vuln.InstalledVersion)
|
||||
if old, ok := uniqVulns[key]; ok && !shouldOverwrite(old, vuln) {
|
||||
continue
|
||||
}
|
||||
uniqVulns[key] = vuln
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return toSlice(uniqVulns)
|
||||
}
|
||||
|
||||
func toSlice(uniqVulns map[string]types.DetectedVulnerability) []types.DetectedVulnerability {
|
||||
// Convert map to slice
|
||||
var vulnerabilities []types.DetectedVulnerability
|
||||
for _, vuln := range uniqVulns {
|
||||
vulnerabilities = append(vulnerabilities, vuln)
|
||||
}
|
||||
|
||||
return vulnerabilities
|
||||
}
|
||||
|
||||
func applyPolicy(ctx context.Context, vulns []types.DetectedVulnerability, policyFile string) ([]types.DetectedVulnerability, error) {
|
||||
policy, err := ioutil.ReadFile(policyFile)
|
||||
if err != nil {
|
||||
@@ -236,3 +263,8 @@ func getIgnoredIDs(ignoreFile string) []string {
|
||||
}
|
||||
return ignoredIDs
|
||||
}
|
||||
|
||||
func shouldOverwrite(old, new types.DetectedVulnerability) bool {
|
||||
// The same vulnerability must be picked always.
|
||||
return old.FixedVersion < new.FixedVersion
|
||||
}
|
||||
|
||||
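Review bot: `shouldOverwrite` picks between duplicates with `old.FixedVersion < new.FixedVersion`, a byte-wise string comparison, so for fixed versions `1.10.0` and `1.9.0` the record carrying `1.9.0` wins; the comment only says the same record must always be picked, so if determinism rather than "highest fix" is the intent it should say so, e.g. `// Deterministic tie-break between duplicate (ID, pkg, installed version) records; lexicographic on FixedVersion, not a semantic version comparison.` The parameter name `new` shadows the predeclared builtin, which vet and most linters flag; `candidate` reads better. `toSlice` returns entries in map-iteration order, so `Filter`'s result order is unspecified until something sorts it; the `sort` import and the `BySeverity` tie-breakers elsewhere in this change suggest that happens downstream, but records that differ only in VulnerabilityID still have no tie-break in the visible comparator, so sorting the map keys inside `toSlice` (`keys := maps.Keys(...)` is not available here, a `sort.Strings` over a collected key slice is) would make the helper self-contained.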
@@ -675,6 +675,134 @@ func TestClient_Filter(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "happy path with duplicates, one with empty fixed version",
|
||||
args: args{
|
||||
vulns: []types.DetectedVulnerability{
|
||||
{
|
||||
VulnerabilityID: "CVE-2019-0001",
|
||||
PkgName: "foo",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityLow.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2019-0001",
|
||||
PkgName: "foo",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "1.2.4",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityLow.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2019-0002",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "1.2.4",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityCritical.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2019-0002",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "1.2.5",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityCritical.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2018-0001",
|
||||
PkgName: "baz",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityHigh.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2018-0001",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityCritical.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2018-0002",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: "",
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2018-0002",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "2.0.0",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: "",
|
||||
},
|
||||
},
|
||||
},
|
||||
severities: []dbTypes.Severity{dbTypes.SeverityCritical, dbTypes.SeverityHigh, dbTypes.SeverityUnknown},
|
||||
ignoreUnfixed: false,
|
||||
},
|
||||
want: []types.DetectedVulnerability{
|
||||
{
|
||||
VulnerabilityID: "CVE-2018-0001",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityCritical.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2019-0002",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "1.2.5",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityCritical.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2018-0002",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityUnknown.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2018-0002",
|
||||
PkgName: "bar",
|
||||
InstalledVersion: "2.0.0",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityUnknown.String(),
|
||||
},
|
||||
},
|
||||
{
|
||||
VulnerabilityID: "CVE-2018-0001",
|
||||
PkgName: "baz",
|
||||
InstalledVersion: "1.2.3",
|
||||
FixedVersion: "",
|
||||
Vulnerability: dbTypes.Vulnerability{
|
||||
Severity: dbTypes.SeverityHigh.String(),
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
|
||||
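Review bot: The new case covers duplicates that differ only in whether `FixedVersion` is empty, so the choice between two non-empty fixed versions is not pinned; since `shouldOverwrite` compares strings byte-wise, a case with `1.10.0` versus `1.9.0` (where lexicographic and semantic order disagree) would document which record the filter keeps. The `want` slice asserts an exact order even though deduplication passes through a map, so the assertion relies on sorting done inside `Filter` outside this hunk; if that sort were ever removed this case would become flaky rather than fail cleanly. The test table continues past the end of the hunk.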