gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 23:26:39 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
b6d5b82c48c1ac12176555ef3039705ff0aa7850
trivy/pkg/detector/library/driver.go
Teppei Fukuda b6d5b82c48 fix: version comparison (#740) 
* feat: add comparer

* refactor: rename lang with ecosystem

* feat(bundler): add comparer

* feat(node): add comparer

* feat(bundler): integrate comparer

* feat(cargo): integrate comparer

* feat(composer): add comparer

* feat(ghsa): integrate comparer

* feat(node): integrate comparer

* feat(python): integrate comparer

* test(bundler): add tests

* test(cargo): add tests

* test(composer): add tests

* test(ghsa): add tests

* test(node): add tests

* test(python): add tests

* refactor(utils): remove unnecessary functions

* test(utils): add tests

* test: rename bucket prefixes

* fix(detect): use string

* chore: update dependencies

* docs: add comments

* fix(cargo): handle unpatched vulnerability

* test(db): update trivy-db for integration tests

* test(integration): update a golden file

* test(cargo): Add a case for missing patched version

Signed-off-by: Simarpreet Singh <simar@linux.com>

* refactor(advisory): update comments

* refactor(node/advisory): change the receiver

* chore(mod): update dependencies

* refactor(comparer): unexport MatchVersion

* refactor: fix maligned structs

* test(node): add empty value

* refactor

* refactor: sort imports

* chore(mod): update trivy-db

Co-authored-by: Simarpreet Singh <simar@linux.com>
2020-11-17 11:38:58 +02:00

117 lines
3.3 KiB
Go
Raw Blame History

package library
import (
"fmt"
"golang.org/x/xerrors"
ecosystem "github.com/aquasecurity/trivy-db/pkg/vulnsrc/ghsa"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/detector/library/bundler"
"github.com/aquasecurity/trivy/pkg/detector/library/cargo"
"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
"github.com/aquasecurity/trivy/pkg/detector/library/composer"
"github.com/aquasecurity/trivy/pkg/detector/library/ghsa"
"github.com/aquasecurity/trivy/pkg/detector/library/node"
"github.com/aquasecurity/trivy/pkg/detector/library/python"
"github.com/aquasecurity/trivy/pkg/types"
)
// Factory defines library operations
type Factory interface {
NewDriver(filename string) (Driver, error)
}
type advisory interface {
DetectVulnerabilities(string, string) ([]types.DetectedVulnerability, error)
}
// DriverFactory implements Factory
type DriverFactory struct{}
// NewDriver factory method for driver
func (d DriverFactory) NewDriver(filename string) (Driver, error) {
var driver Driver
switch filename {
case "Gemfile.lock":
driver = newRubyGemsDriver()
case "Cargo.lock":
driver = newCargoDriver()
case "composer.lock":
driver = newComposerDriver()
case "package-lock.json", "yarn.lock":
driver = newNpmDriver()
case "Pipfile.lock", "poetry.lock":
driver = newPipDriver()
default:
return Driver{}, xerrors.New(fmt.Sprintf("unsupport filename %s", filename))
}
return driver, nil
}
// Driver implements the advisory
type Driver struct {
ecosystem string
advisories []advisory
}
// NewDriver is the factory method from drier
func NewDriver(advisories ...advisory) Driver {
return Driver{advisories: advisories}
}
// Detect scans and returns vulnerabilities
func (d *Driver) Detect(pkgName string, pkgVer string) ([]types.DetectedVulnerability, error) {
var detectedVulnerabilities []types.DetectedVulnerability
uniqVulnIDMap := make(map[string]struct{})
for _, d := range d.advisories {
vulns, err := d.DetectVulnerabilities(pkgName, pkgVer)
if err != nil {
return nil, xerrors.Errorf("failed to detect vulnerabilities: %w", err)
}
for _, vuln := range vulns {
if _, ok := uniqVulnIDMap[vuln.VulnerabilityID]; ok {
continue
}
uniqVulnIDMap[vuln.VulnerabilityID] = struct{}{}
detectedVulnerabilities = append(detectedVulnerabilities, vuln)
}
}
return detectedVulnerabilities, nil
}
// Type returns the driver ecosystem
func (d *Driver) Type() string {
return d.ecosystem
}
func newRubyGemsDriver() Driver {
c := bundler.RubyGemsComparer{}
return NewDriver(ghsa.NewAdvisory(ecosystem.Rubygems, c), bundler.NewAdvisory(),
NewAdvisory(vulnerability.RubyGems, c))
}
func newComposerDriver() Driver {
c := comparer.GenericComparer{}
return NewDriver(
ghsa.NewAdvisory(ecosystem.Composer, c), composer.NewAdvisory(),
NewAdvisory(vulnerability.Composer, c))
}
func newCargoDriver() Driver {
return NewDriver(cargo.NewAdvisory(), NewAdvisory(vulnerability.Cargo, comparer.GenericComparer{}))
}
func newNpmDriver() Driver {
c := node.NpmComparer{}
return NewDriver(ghsa.NewAdvisory(ecosystem.Npm, c), node.NewAdvisory(),
NewAdvisory(vulnerability.Npm, c))
}
func newPipDriver() Driver {
c := comparer.GenericComparer{}
return NewDriver(ghsa.NewAdvisory(ecosystem.Pip, c), python.NewAdvisory(),
NewAdvisory(vulnerability.Pip, c))
}
Reference in New Issue View Git Blame Copy Permalink