gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-22 07:10:41 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ce77bb46c34c2384e22fbbfee78a88119eba8cae
trivy/pkg/vulnerability/vulnerability.go
DmitriyLewen ce77bb46c3 remove govulndb (#4783)
2023-07-19 07:24:35 +00:00

141 lines
3.7 KiB
Go
Raw Blame History

package vulnerability
import (
"strings"
"github.com/google/wire"
"github.com/aquasecurity/trivy-db/pkg/db"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
)
var (
primaryURLPrefixes = map[dbTypes.SourceID][]string{
vulnerability.Debian: {
"http://www.debian.org",
"https://www.debian.org",
},
vulnerability.Ubuntu: {
"http://www.ubuntu.com",
"https://usn.ubuntu.com",
},
vulnerability.RedHat: {"https://access.redhat.com"},
vulnerability.SuseCVRF: {
"http://lists.opensuse.org",
"https://lists.opensuse.org",
},
vulnerability.OracleOVAL: {
"http://linux.oracle.com/errata",
"https://linux.oracle.com/errata",
},
vulnerability.NodejsSecurityWg: {
"https://www.npmjs.com",
"https://hackerone.com",
},
vulnerability.RubySec: {"https://groups.google.com"},
}
)
// SuperSet binds the dependencies
var SuperSet = wire.NewSet(
wire.Struct(new(db.Config)),
wire.Bind(new(db.Operation), new(db.Config)),
NewClient,
)
// Client manipulates vulnerabilities
type Client struct {
dbc db.Operation
}
// NewClient is the factory method for Client
func NewClient(dbc db.Operation) Client {
return Client{dbc: dbc}
}
// FillInfo fills extra info in vulnerability objects
func (c Client) FillInfo(vulns []types.DetectedVulnerability) {
for i := range vulns {
vulnID := vulns[i].VulnerabilityID
vuln, err := c.dbc.GetVulnerability(vulnID)
if err != nil {
log.Logger.Warnf("Error while getting vulnerability details: %s", err)
continue
}
// Detect the data source
var source dbTypes.SourceID
if vulns[i].DataSource != nil {
source = vulns[i].DataSource.ID
}
// Select the severity according to the detected source.
severity, severitySource := c.getVendorSeverity(vulnID, &vuln, source)
// The vendor might provide package-specific severity like Debian.
// For example, CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3.
// In that case, we keep the severity as is.
if vulns[i].SeveritySource != "" {
severity = vulns[i].Severity
severitySource = vulns[i].SeveritySource
}
// Add the vulnerability detail
vulns[i].Vulnerability = vuln
vulns[i].Severity = severity
vulns[i].SeveritySource = severitySource
vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, source)
}
}
func (c Client) getVendorSeverity(vulnID string, vuln *dbTypes.Vulnerability, source dbTypes.SourceID) (string, dbTypes.SourceID) {
if vs, ok := vuln.VendorSeverity[source]; ok {
return vs.String(), source
}
// use severity from GitHub for all GHSA-xxx vulnerabilities
if strings.HasPrefix(vulnID, "GHSA-") {
if vs, ok := vuln.VendorSeverity[vulnerability.GHSA]; ok {
return vs.String(), vulnerability.GHSA
}
}
// Try NVD as a fallback if it exists
if vs, ok := vuln.VendorSeverity[vulnerability.NVD]; ok {
return vs.String(), vulnerability.NVD
}
if vuln.Severity == "" {
return dbTypes.SeverityUnknown.String(), ""
}
return vuln.Severity, ""
}
func (c Client) getPrimaryURL(vulnID string, refs []string, source dbTypes.SourceID) string {
switch {
case strings.HasPrefix(vulnID, "CVE-"):
return "https://avd.aquasec.com/nvd/" + strings.ToLower(vulnID)
case strings.HasPrefix(vulnID, "RUSTSEC-"):
return "https://osv.dev/vulnerability/" + vulnID
case strings.HasPrefix(vulnID, "GHSA-"):
return "https://github.com/advisories/" + vulnID
case strings.HasPrefix(vulnID, "TEMP-"):
return "https://security-tracker.debian.org/tracker/" + vulnID
}
prefixes := primaryURLPrefixes[source]
for _, pre := range prefixes {
for _, ref := range refs {
if strings.HasPrefix(ref, pre) {
return ref
}
}
}
return ""
}
Reference in New Issue View Git Blame Copy Permalink