gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-23 07:29:00 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c47ed0d816a8bedbfbef86b634790d604e623e43
trivy/pkg/vex/vex.go
Juan Ariza Toledano c47ed0d816 feat(vex): Add support for CSAF format (#5535) 
Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2024-01-06 10:48:39 +00:00

105 lines
2.6 KiB
Go
Raw Blame History

package vex
import (
"encoding/json"
"io"
"os"
csaf "github.com/csaf-poc/csaf_distribution/v3/csaf"
"github.com/hashicorp/go-multierror"
openvex "github.com/openvex/go-vex/pkg/vex"
"github.com/sirupsen/logrus"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/sbom"
"github.com/aquasecurity/trivy/pkg/sbom/cyclonedx"
"github.com/aquasecurity/trivy/pkg/types"
)
// VEX represents Vulnerability Exploitability eXchange. It abstracts multiple VEX formats.
// Note: This is in the experimental stage and does not yet support many specifications.
// The implementation may change significantly.
type VEX interface {
Filter([]types.DetectedVulnerability) []types.DetectedVulnerability
}
func New(filePath string, report types.Report) (VEX, error) {
if filePath == "" {
return nil, nil
}
f, err := os.Open(filePath)
if err != nil {
return nil, xerrors.Errorf("file open error: %w", err)
}
defer f.Close()
var errs error
// Try CycloneDX JSON
if ok, err := sbom.IsCycloneDXJSON(f); err != nil {
errs = multierror.Append(errs, err)
} else if ok {
return decodeCycloneDXJSON(f, report)
}
// Try OpenVEX
if v, err := decodeOpenVEX(f); err != nil {
errs = multierror.Append(errs, err)
} else if v != nil {
return v, nil
}
// Try CSAF
if v, err := decodeCSAF(f); err != nil {
errs = multierror.Append(errs, err)
} else if v != nil {
return v, nil
}
return nil, xerrors.Errorf("unable to load VEX: %w", errs)
}
func decodeCycloneDXJSON(r io.ReadSeeker, report types.Report) (VEX, error) {
if _, err := r.Seek(0, io.SeekStart); err != nil {
return nil, xerrors.Errorf("seek error: %w", err)
}
vex, err := cyclonedx.DecodeJSON(r)
if err != nil {
return nil, xerrors.Errorf("json decode error: %w", err)
}
if report.CycloneDX == nil {
return nil, xerrors.New("CycloneDX VEX can be used with CycloneDX SBOM")
}
return newCycloneDX(report.CycloneDX, vex), nil
}
func decodeOpenVEX(r io.ReadSeeker) (VEX, error) {
// openvex/go-vex outputs log messages by default
logrus.SetOutput(io.Discard)
if _, err := r.Seek(0, io.SeekStart); err != nil {
return nil, xerrors.Errorf("seek error: %w", err)
}
var openVEX openvex.VEX
if err := json.NewDecoder(r).Decode(&openVEX); err != nil {
return nil, err
}
if openVEX.Context == "" {
return nil, nil
}
return newOpenVEX(openVEX), nil
}
func decodeCSAF(r io.ReadSeeker) (VEX, error) {
if _, err := r.Seek(0, io.SeekStart); err != nil {
return nil, xerrors.Errorf("seek error: %w", err)
}
var adv csaf.Advisory
if err := json.NewDecoder(r).Decode(&adv); err != nil {
return nil, err
}
if adv.Vulnerabilities == nil {
return nil, nil
}
return newCSAF(adv), nil
}
Reference in New Issue View Git Blame Copy Permalink