gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-23 07:29:00 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
6eebed33b2009471a1608891d0df77cd4090548c
trivy/pkg/detector/library/node/advisory.go
rahul2393 6eebed33b2 improve ruby comparison version check. (#552) 
* Implemented ruby comparison version check.

* Added semver package to validate and check version

* Added more tests

* Replaced go-version with semver

* Removing go-version from dependency

* Added check for ruby gem version format

* Updated semver model and patch rewrite process

* Refactoring
2020-07-19 18:03:56 +03:00

66 lines
1.7 KiB
Go
Raw Blame History

package node
import (
"strings"
"golang.org/x/xerrors"
"github.com/Masterminds/semver/v3"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/node"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
"github.com/aquasecurity/trivy/pkg/types"
)
type Advisory struct {
vs node.VulnSrc
}
func NewAdvisory() *Advisory {
return &Advisory{
vs: node.NewVulnSrc(),
}
}
func (s *Advisory) DetectVulnerabilities(pkgName string, pkgVer *semver.Version) ([]types.DetectedVulnerability, error) {
replacer := strings.NewReplacer(".alpha", "-alpha", ".beta", "-beta", ".rc", "-rc", " <", ", <", " >", ", >")
advisories, err := s.vs.Get(pkgName)
if err != nil {
return nil, xerrors.Errorf("failed to get node advisories: %w", err)
}
var vulns []types.DetectedVulnerability
for _, advisory := range advisories {
// e.g. <= 2.15.0 || >= 3.0.0 <= 3.8.2
// => {"<=2.15.0", ">= 3.0.0, <= 3.8.2"}
var vulnerableVersions []string
for _, version := range strings.Split(advisory.VulnerableVersions, " || ") {
version = strings.TrimSpace(version)
vulnerableVersions = append(vulnerableVersions, replacer.Replace(version))
}
if !utils.MatchVersions(pkgVer, vulnerableVersions) {
continue
}
var patchedVersions []string
for _, version := range strings.Split(advisory.PatchedVersions, " || ") {
version = strings.TrimSpace(version)
patchedVersions = append(patchedVersions, replacer.Replace(version))
}
if utils.MatchVersions(pkgVer, patchedVersions) {
continue
}
vuln := types.DetectedVulnerability{
VulnerabilityID: advisory.VulnerabilityID,
PkgName: pkgName,
InstalledVersion: pkgVer.String(),
FixedVersion: strings.Join(patchedVersions, ", "),
}
vulns = append(vulns, vuln)
}
return vulns, nil
}
Reference in New Issue View Git Blame Copy Permalink