package vulnerability
import (
"bufio"
"os"
"sort"
"strings"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/pkg/utils"
)
// DefaultIgnoreFile is the file name looked up for vulnerability IDs that
// should be suppressed from a report when the caller does not pass one.
const DefaultIgnoreFile = ".trivyignore"
// FillAndFilter attaches database details to each detected vulnerability and
// returns the subset worth reporting, in a deterministic order.
//
// A vulnerability is kept only when its severity is one of severities. Unfixed
// entries (empty FixedVersion) are dropped when ignoreUnfixed is set, and IDs
// listed in ignoreFile are dropped regardless. With light set, only the
// severity is looked up; otherwise the full record is attached. IDs the
// database cannot resolve are logged at debug level and skipped rather than
// failing the whole scan.
//
// The result is ordered by package name, then severity as ranked by
// dbTypes.CompareSeverityString, then vulnerability ID. The input slice is not
// modified; each kept element is a copy.
func FillAndFilter(vulns []types.DetectedVulnerability, severities []dbTypes.Severity,
	ignoreUnfixed bool, ignoreFile string, light bool) []types.DetectedVulnerability {
	dbc := db.Config{}
	ignoredIDs := getIgnoredIDs(ignoreFile)

	// lookup fetches what this mode needs: the whole record, or just the
	// severity wrapped in an otherwise empty record.
	lookup := func(id string) (dbTypes.Vulnerability, error) {
		if !light {
			return dbc.GetVulnerability(id)
		}
		sev, err := dbc.GetSeverity(id)
		if err != nil {
			return dbTypes.Vulnerability{}, err
		}
		return dbTypes.Vulnerability{Severity: sev.String()}, nil
	}

	// wanted reports whether a severity string is among the requested ones.
	wanted := func(sev string) bool {
		for _, s := range severities {
			if s.String() == sev {
				return true
			}
		}
		return false
	}

	var kept []types.DetectedVulnerability
	for _, vuln := range vulns {
		detail, err := lookup(vuln.VulnerabilityID)
		if err != nil {
			log.Logger.Debug(err)
			continue
		}
		if !wanted(detail.Severity) {
			continue
		}
		vuln.Vulnerability = detail

		// Suppressions: no fix available (when requested), or explicitly
		// listed in the ignore file.
		if ignoreUnfixed && vuln.FixedVersion == "" {
			continue
		}
		if utils.StringInSlice(vuln.VulnerabilityID, ignoredIDs) {
			continue
		}
		kept = append(kept, vuln)
	}

	sort.Slice(kept, func(i, j int) bool {
		a, b := &kept[i], &kept[j]
		if a.PkgName != b.PkgName {
			return a.PkgName < b.PkgName
		}
		// Argument order is deliberate; CompareSeverityString decides which
		// severity ranks ahead of the other.
		if c := dbTypes.CompareSeverityString(b.Severity, a.Severity); c != 0 {
			return c > 0
		}
		return a.VulnerabilityID < b.VulnerabilityID
	})
	return kept
}
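// getIgnoredIDs reads ignoreFile and returns the vulnerability IDs it lists,
// one per line, with surrounding whitespace trimmed. Blank lines and lines
// starting with "#" are skipped. A missing or unopenable file yields nil so a
// scan still runs with nothing suppressed.
//
// Entries are taken at face value — nothing here validates that a line looks
// like a vulnerability ID — so the file acts as trusted suppression policy.
func getIgnoredIDs(ignoreFile string) []string {
	f, err := os.Open(ignoreFile)
	if err != nil {
		// trivy must work even if no .trivyignore exist
		return nil
	}
	// Close error on a read-only handle carries no information worth acting on.
	defer f.Close()

	var ignoredIDs []string
	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		line := strings.TrimSpace(scanner.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		ignoredIDs = append(ignoredIDs, line)
	}
	// A read error (e.g. bufio.ErrTooLong on an oversized line) stops the scan
	// early. The signature has no error channel, and a truncated list only
	// suppresses less, so whatever was read before the error is still honoured.
	if scanner.Err() != nil {
		return ignoredIDs
	}
	return ignoredIDs
}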