mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-23 07:29:00 -08:00
b6d5b82c48
* feat: add comparer * refactor: rename lang with ecosystem * feat(bundler): add comparer * feat(node): add comparer * feat(bundler): integrate comparer * feat(cargo): integrate comparer * feat(composer): add comparer * feat(ghsa): integrate comparer * feat(node): integrate comparer * feat(python): integrate comparer * test(bundler): add tests * test(cargo): add tests * test(composer): add tests * test(ghsa): add tests * test(node): add tests * test(python): add tests * refactor(utils): remove unnecessary functions * test(utils): add tests * test: rename bucket prefixes * fix(detect): use string * chore: update dependencies * docs: add comments * fix(cargo): handle unpatched vulnerability * test(db): update trivy-db for integration tests * test(integration): update a golden file * test(cargo): Add a case for missing patched version Signed-off-by: Simarpreet Singh <simar@linux.com> * refactor(advisory): update comments * refactor(node/advisory): change the receiver * chore(mod): update dependencies * refactor(comparer): unexport MatchVersion * refactor: fix maligned structs * test(node): add empty value * refactor * refactor: sort imports * chore(mod): update trivy-db Co-authored-by: Simarpreet Singh <simar@linux.com>
73 lines
2.1 KiB
Go
73 lines
2.1 KiB
Go
package comparer
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"golang.org/x/xerrors"
|
|
|
|
"github.com/aquasecurity/go-version/pkg/version"
|
|
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
|
"github.com/aquasecurity/trivy/pkg/log"
|
|
)
|
|
|
|
// Comparer is an interface for version comparison
|
|
type Comparer interface {
|
|
IsVulnerable(currentVersion string, advisory dbTypes.Advisory) bool
|
|
}
|
|
|
|
type matchVersion func(currentVersion, constraint string) (bool, error)
|
|
|
|
// IsVulnerable checks if the package version is vulnerable to the advisory.
|
|
func IsVulnerable(pkgVer string, advisory dbTypes.Advisory, match matchVersion) bool {
|
|
var matched bool
|
|
var err error
|
|
|
|
if len(advisory.VulnerableVersions) != 0 {
|
|
matched, err = match(pkgVer, strings.Join(advisory.VulnerableVersions, " || "))
|
|
if err != nil {
|
|
log.Logger.Warn(err)
|
|
return false
|
|
} else if !matched {
|
|
// the version is not vulnerable
|
|
return false
|
|
}
|
|
}
|
|
|
|
secureVersions := append(advisory.PatchedVersions, advisory.UnaffectedVersions...)
|
|
if len(secureVersions) == 0 {
|
|
// the version matches vulnerable versions and patched/unaffected versions are not provided
|
|
// or all values are empty
|
|
return matched
|
|
}
|
|
|
|
matched, err = match(pkgVer, strings.Join(secureVersions, " || "))
|
|
if err != nil {
|
|
log.Logger.Warn(err)
|
|
return false
|
|
}
|
|
return !matched
|
|
}
|
|
|
|
// GenericComparer represents a comparer for semver-like versioning
|
|
type GenericComparer struct{}
|
|
|
|
// IsVulnerable checks if the package version is vulnerable to the advisory.
|
|
func (v GenericComparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
|
|
return IsVulnerable(ver, advisory, v.matchVersion)
|
|
}
|
|
|
|
// matchVersion checks if the package version satisfies the given constraint.
|
|
func (v GenericComparer) matchVersion(currentVersion, constraint string) (bool, error) {
|
|
ver, err := version.Parse(currentVersion)
|
|
if err != nil {
|
|
return false, xerrors.Errorf("version error (%s): %s", currentVersion, err)
|
|
}
|
|
|
|
c, err := version.NewConstraints(constraint)
|
|
if err != nil {
|
|
return false, xerrors.Errorf("constraint error (%s): %s", currentVersion, err)
|
|
}
|
|
|
|
return c.Check(ver), nil
|
|
}
|