gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-23 07:29:00 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
b6d5b82c48c1ac12176555ef3039705ff0aa7850
trivy/pkg/detector/library/composer/advisory.go
Teppei Fukuda b6d5b82c48 fix: version comparison (#740) 
* feat: add comparer

* refactor: rename lang with ecosystem

* feat(bundler): add comparer

* feat(node): add comparer

* feat(bundler): integrate comparer

* feat(cargo): integrate comparer

* feat(composer): add comparer

* feat(ghsa): integrate comparer

* feat(node): integrate comparer

* feat(python): integrate comparer

* test(bundler): add tests

* test(cargo): add tests

* test(composer): add tests

* test(ghsa): add tests

* test(node): add tests

* test(python): add tests

* refactor(utils): remove unnecessary functions

* test(utils): add tests

* test: rename bucket prefixes

* fix(detect): use string

* chore: update dependencies

* docs: add comments

* fix(cargo): handle unpatched vulnerability

* test(db): update trivy-db for integration tests

* test(integration): update a golden file

* test(cargo): Add a case for missing patched version

Signed-off-by: Simarpreet Singh <simar@linux.com>

* refactor(advisory): update comments

* refactor(node/advisory): change the receiver

* chore(mod): update dependencies

* refactor(comparer): unexport MatchVersion

* refactor: fix maligned structs

* test(node): add empty value

* refactor

* refactor: sort imports

* chore(mod): update trivy-db

Co-authored-by: Simarpreet Singh <simar@linux.com>
2020-11-17 11:38:58 +02:00

65 lines
1.8 KiB
Go
Raw Blame History

package composer
import (
"fmt"
"strings"
"golang.org/x/xerrors"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
composerSrc "github.com/aquasecurity/trivy-db/pkg/vulnsrc/composer"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/types"
)
// Advisory encapsulates composer.VulnSrc
type Advisory struct {
vs composerSrc.VulnSrc
comparer comparer.Comparer // TODO: implement a comparer for Composer
}
// NewAdvisory is the factory method of Advisory
func NewAdvisory() *Advisory {
return &Advisory{
vs: composerSrc.NewVulnSrc(),
comparer: comparer.GenericComparer{},
}
}
// DetectVulnerabilities returns the vulnerabilities in a package
func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
ref := fmt.Sprintf("composer://%s", pkgName)
advisories, err := s.vs.Get(ref)
if err != nil {
return nil, xerrors.Errorf("failed to get composer advisories: %w", err)
}
var vulns []types.DetectedVulnerability
for _, advisory := range advisories {
var affectedVersions []string
var patchedVersions []string
for _, branch := range advisory.Branches {
for _, version := range branch.Versions {
if !strings.HasPrefix(version, "<=") && strings.HasPrefix(version, "<") {
patchedVersions = append(patchedVersions, strings.Trim(version, "<"))
}
}
affectedVersions = append(affectedVersions, strings.Join(branch.Versions, ", "))
}
adv := dbTypes.Advisory{VulnerableVersions: affectedVersions}
if !s.comparer.IsVulnerable(pkgVer, adv) {
continue
}
vuln := types.DetectedVulnerability{
VulnerabilityID: advisory.VulnerabilityID,
PkgName: pkgName,
InstalledVersion: pkgVer,
FixedVersion: strings.Join(patchedVersions, ", "),
}
vulns = append(vulns, vuln)
}
return vulns, nil
}
Reference in New Issue View Git Blame Copy Permalink