mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-21 23:00:42 -08:00
c9f22f4e55
* refactor(server): remove Detect endpoint * refactor(library): do not use interface * refactor: add dbtest package * test: add bolt fixtures * feat: support jar scanning * refactor: rename node to npm * refactor: fix lint issues * test(maven): remove some tests * chore(mod): update fanal * docs: update README * chore(mod): update trivy-db * fix(library/drive): add ecosystem * fix: do not display 0 vulnerabilities * refactor(table): split method * Update README.md (#838) * fix(app): increase the default value of timeout (#842) * feat(maven): use go-mvn-version * test(maven): update tests * fix(scan): skip files and dirs before vulnerability detection * fix: display log messages only once per type * docs(README): add file suffixes * chore(mod): update go-mvn-version * feat(log): set go-dep-parser logger * chore(mod): update fanal * docs: update README * docs(README): add java source * test(maven): fix invalid case
74 lines
1.9 KiB
Go
74 lines
1.9 KiB
Go
package npm
|
|
|
|
import (
|
|
"strings"
|
|
|
|
"golang.org/x/xerrors"
|
|
|
|
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
|
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/node"
|
|
"github.com/aquasecurity/trivy/pkg/types"
|
|
)
|
|
|
|
// Advisory encapsulate Node vulnerability source
|
|
type Advisory struct {
|
|
comparer Comparer
|
|
vs node.VulnSrc
|
|
}
|
|
|
|
// NewAdvisory is the factory method for Node Advisory
|
|
func NewAdvisory() *Advisory {
|
|
return &Advisory{
|
|
vs: node.NewVulnSrc(),
|
|
comparer: Comparer{},
|
|
}
|
|
}
|
|
|
|
// DetectVulnerabilities scans and return vulnerability using Node package scanner
|
|
func (a *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.DetectedVulnerability, error) {
|
|
advisories, err := a.vs.Get(pkgName)
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("failed to get node advisories: %w", err)
|
|
}
|
|
|
|
var vulns []types.DetectedVulnerability
|
|
for _, advisory := range advisories {
|
|
adv := convertToGenericAdvisory(advisory)
|
|
if !a.comparer.IsVulnerable(pkgVer, adv) {
|
|
continue
|
|
}
|
|
|
|
vuln := types.DetectedVulnerability{
|
|
VulnerabilityID: advisory.VulnerabilityID,
|
|
PkgName: pkgName,
|
|
InstalledVersion: pkgVer,
|
|
FixedVersion: createFixedVersions(advisory.PatchedVersions),
|
|
}
|
|
vulns = append(vulns, vuln)
|
|
}
|
|
return vulns, nil
|
|
}
|
|
|
|
func convertToGenericAdvisory(advisory node.Advisory) dbTypes.Advisory {
|
|
var vulnerable, patched []string
|
|
if advisory.VulnerableVersions != "" {
|
|
vulnerable = strings.Split(advisory.VulnerableVersions, "||")
|
|
}
|
|
if advisory.PatchedVersions != "" {
|
|
patched = strings.Split(advisory.PatchedVersions, "||")
|
|
}
|
|
|
|
return dbTypes.Advisory{
|
|
VulnerableVersions: vulnerable,
|
|
PatchedVersions: patched,
|
|
}
|
|
}
|
|
|
|
func createFixedVersions(patchedVersions string) string {
|
|
var fixedVersions []string
|
|
for _, s := range strings.Split(patchedVersions, "||") {
|
|
fixedVersions = append(fixedVersions, strings.TrimSpace(s))
|
|
}
|
|
return strings.Join(fixedVersions, ", ")
|
|
}
|