fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
2025-12-12 07:40:48 -08:00 · 2025-10-09 13:32:28 +03:00
parent 3bc1490c8c
commit 1a840935bb
5 changed files with 90 additions and 54 deletions
--- a/pkg/rpc/client/client_test.go
+++ b/pkg/rpc/client/client_test.go
@@ -140,13 +140,13 @@ func TestScanner_Scan(t *testing.T) {
 									CweIDs:           []string{"CWE-78"},
 									LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
 									PublishedDate:    utils.MustTimeParse("2001-01-01T01:01:00Z"),
-									Custom:           []uint8(nil),
+									Custom:           nil,
 								},
 								SeveritySource: "nvd",
 								Layer: ftypes.Layer{
 									DiffID: "sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10",
 								},
-								Custom: []uint8(nil),
+								Custom: nil,
 							},
 						},
 					},
--- a/pkg/rpc/convert.go
+++ b/pkg/rpc/convert.go
@@ -1,7 +1,8 @@
 package rpc

 import (
-	"encoding/json"
+	jsonv2 "encoding/json/v2"
+	"strings"
 	"time"

 	"github.com/package-url/packageurl-go"
@@ -299,14 +300,17 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
 			publishedDate = timestamppb.New(*vuln.PublishedDate) // nolint: errcheck
 		}

-		var customAdvisoryData, customVulnData []byte
+		var customAdvisoryData, customVulnData *structpb.Value
+		var builder strings.Builder
 		if vuln.Custom != nil {
-			jsonBytes, _ := json.Marshal(vuln.Custom) // nolint: errcheck
-			customAdvisoryData = jsonBytes
+			builder.Reset()
+			_ = jsonv2.MarshalWrite(&builder, vuln.Custom) // nolint: errcheck
+			customAdvisoryData = structpb.NewStringValue(builder.String())
 		}
 		if vuln.Vulnerability.Custom != nil {
-			jsonBytes, _ := json.Marshal(vuln.Vulnerability.Custom) // nolint: errcheck
-			customVulnData = jsonBytes
+			builder.Reset()
+			_ = jsonv2.MarshalWrite(&builder, vuln.Vulnerability.Custom) // nolint: errcheck
+			customVulnData = structpb.NewStringValue(builder.String())
 		}

 		rpcVulns = append(rpcVulns, &common.Vulnerability{
@@ -600,6 +604,15 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
 			publishedDate = lo.ToPtr(vuln.PublishedDate.AsTime())
 		}

+		// Handle custom data conversion from protobuf.Value
+		var customVulnData, customAdvisoryData any
+		if vuln.CustomVulnData != nil {
+			customVulnData = vuln.CustomVulnData.AsInterface()
+		}
+		if vuln.CustomAdvisoryData != nil {
+			customAdvisoryData = vuln.CustomAdvisoryData.AsInterface()
+		}
+
 		vulns = append(vulns, types.DetectedVulnerability{
 			VulnerabilityID:  vuln.VulnerabilityId,
 			VendorIDs:        vuln.VendorIds,
@@ -619,13 +632,13 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
 				CweIDs:           vuln.CweIds,
 				LastModifiedDate: lastModifiedDate,
 				PublishedDate:    publishedDate,
-				Custom:           vuln.CustomVulnData,
+				Custom:           customVulnData,
 				VendorSeverity:   vendorSeverityMap,
 			},
 			Layer:          ConvertFromRPCLayer(vuln.Layer),
 			SeveritySource: dbTypes.SourceID(vuln.SeveritySource),
 			PrimaryURL:     vuln.PrimaryUrl,
-			Custom:         vuln.CustomAdvisoryData,
+			Custom:         customAdvisoryData,
 			DataSource:     ConvertFromRPCDataSource(vuln.DataSource),
 		})
 	}
--- a/pkg/rpc/convert_test.go
+++ b/pkg/rpc/convert_test.go
@@ -1,10 +1,13 @@
 package rpc

 import (
+	jsonv2 "encoding/json/v2"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
@@ -273,6 +276,14 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 func TestConvertToRpcVulns(t *testing.T) {
 	fixedPublishedDate := time.Unix(1257894000, 0)
 	fixedLastModifiedDate := time.Unix(1257894010, 0)
+	type customStruct struct {
+		Field  string
+		Number int
+	}
+	customData := customStruct{Field: "value", Number: 1}
+	customJSONBytes, err := jsonv2.Marshal(customData)
+	require.NoError(t, err)
+	customJSON := string(customJSONBytes)

 	type args struct {
 		vulns []types.DetectedVulnerability
@@ -295,6 +306,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 							Title:       "DoS",
 							Description: "Denial of Service",
 							Severity:    "MEDIUM",
+							Custom:      customData,
 							VendorSeverity: dbTypes.VendorSeverity{
 								vulnerability.RedHat: dbTypes.SeverityMedium,
 							},
@@ -327,6 +339,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 							Name: "GitHub Security Advisory Maven",
 							URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
 						},
+						Custom: customData,
 					},
 				},
 			},
@@ -363,9 +376,11 @@ func TestConvertToRpcVulns(t *testing.T) {
 						Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 						DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 					},
-					PrimaryUrl:       "https://avd.aquasec.com/nvd/CVE-2019-0001",
-					PublishedDate:    timestamppb.New(fixedPublishedDate),
-					LastModifiedDate: timestamppb.New(fixedLastModifiedDate),
+					CustomVulnData:     structpb.NewStringValue(customJSON),
+					CustomAdvisoryData: structpb.NewStringValue(customJSON),
+					PrimaryUrl:         "https://avd.aquasec.com/nvd/CVE-2019-0001",
+					PublishedDate:      timestamppb.New(fixedPublishedDate),
+					LastModifiedDate:   timestamppb.New(fixedLastModifiedDate),
 					DataSource: &common.DataSource{
 						Name: "GitHub Security Advisory Maven",
 						Url:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
@@ -434,6 +449,7 @@ func TestConvertToRpcVulns(t *testing.T) {
 func TestConvertFromRPCResults(t *testing.T) {
 	fixedPublishedDate := time.Date(2009, 11, 10, 23, 0, 0, 0, time.UTC)
 	fixedLastModifiedDate := time.Date(2009, 11, 10, 23, 0, 10, 0, time.UTC)
+	customJSON := `{"Field":"value","Number":1}`

 	type args struct {
 		rpcResults []*scanner.Result
@@ -480,9 +496,11 @@ func TestConvertFromRPCResults(t *testing.T) {
 									Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 									DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 								},
-								PrimaryUrl:       "https://avd.aquasec.com/nvd/CVE-2019-0001",
-								PublishedDate:    timestamppb.New(fixedPublishedDate),
-								LastModifiedDate: timestamppb.New(fixedLastModifiedDate),
+								CustomVulnData:     structpb.NewStringValue(customJSON),
+								CustomAdvisoryData: structpb.NewStringValue(customJSON),
+								PrimaryUrl:         "https://avd.aquasec.com/nvd/CVE-2019-0001",
+								PublishedDate:      timestamppb.New(fixedPublishedDate),
+								LastModifiedDate:   timestamppb.New(fixedLastModifiedDate),
 								DataSource: &common.DataSource{
 									Name: "GitHub Security Advisory Maven",
 									Url:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
@@ -530,13 +548,13 @@ func TestConvertFromRPCResults(t *testing.T) {
 								References:       []string{"http://example.com"},
 								PublishedDate:    &fixedPublishedDate,
 								LastModifiedDate: &fixedLastModifiedDate,
-								Custom:           []uint8(nil),
+								Custom:           customJSON,
 							},
 							DataSource: &dbTypes.DataSource{
 								Name: "GitHub Security Advisory Maven",
 								URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
 							},
-							Custom: []uint8(nil),
+							Custom: customJSON,
 						},
 					},
 				},
@@ -618,9 +636,9 @@ func TestConvertFromRPCResults(t *testing.T) {
 									},
 								},
 								References: []string{"http://example.com"},
-								Custom:     []uint8(nil),
+								Custom:     any(nil),
 							},
-							Custom: []uint8(nil),
+							Custom: any(nil),
 						},
 					},
 				},
--- a/rpc/common/service.pb.go
+++ b/rpc/common/service.pb.go
@@ -1262,8 +1262,8 @@ type Vulnerability struct {
 	PrimaryUrl         string                 `protobuf:"bytes,14,opt,name=primary_url,json=primaryUrl,proto3" json:"primary_url,omitempty"`
 	PublishedDate      *timestamppb.Timestamp `protobuf:"bytes,15,opt,name=published_date,json=publishedDate,proto3" json:"published_date,omitempty"`
 	LastModifiedDate   *timestamppb.Timestamp `protobuf:"bytes,16,opt,name=last_modified_date,json=lastModifiedDate,proto3" json:"last_modified_date,omitempty"`
-	CustomAdvisoryData []byte                 `protobuf:"bytes,17,opt,name=custom_advisory_data,json=customAdvisoryData,proto3" json:"custom_advisory_data,omitempty"`
-	CustomVulnData     []byte                 `protobuf:"bytes,18,opt,name=custom_vuln_data,json=customVulnData,proto3" json:"custom_vuln_data,omitempty"`
+	CustomAdvisoryData *structpb.Value        `protobuf:"bytes,17,opt,name=custom_advisory_data,json=customAdvisoryData,proto3" json:"custom_advisory_data,omitempty"`
+	CustomVulnData     *structpb.Value        `protobuf:"bytes,18,opt,name=custom_vuln_data,json=customVulnData,proto3" json:"custom_vuln_data,omitempty"`
 	VendorIds          []string               `protobuf:"bytes,19,rep,name=vendor_ids,json=vendorIds,proto3" json:"vendor_ids,omitempty"`
 	DataSource         *DataSource            `protobuf:"bytes,20,opt,name=data_source,json=dataSource,proto3" json:"data_source,omitempty"`
 	VendorSeverity     map[string]Severity    `protobuf:"bytes,21,rep,name=vendor_severity,json=vendorSeverity,proto3" json:"vendor_severity,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3,enum=trivy.common.Severity"`
@@ -1416,14 +1416,14 @@ func (x *Vulnerability) GetLastModifiedDate() *timestamppb.Timestamp {
 	return nil
 }

-func (x *Vulnerability) GetCustomAdvisoryData() []byte {
+func (x *Vulnerability) GetCustomAdvisoryData() *structpb.Value {
 	if x != nil {
 		return x.CustomAdvisoryData
 	}
 	return nil
 }

-func (x *Vulnerability) GetCustomVulnData() []byte {
+func (x *Vulnerability) GetCustomVulnData() *structpb.Value {
 	if x != nil {
 		return x.CustomVulnData
 	}
@@ -2736,7 +2736,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{
 	0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x15, 0x0a, 0x06, 0x61, 0x76, 0x64, 0x5f, 0x69,
 	0x64, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x61, 0x76, 0x64, 0x49, 0x64, 0x12, 0x14,
 	0x0a, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x71,
-	0x75, 0x65, 0x72, 0x79, 0x22, 0xcf, 0x09, 0x0a, 0x0d, 0x56, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61,
+	0x75, 0x65, 0x72, 0x79, 0x22, 0xff, 0x09, 0x0a, 0x0d, 0x56, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61,
 	0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x29, 0x0a, 0x10, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72,
 	0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x0f, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x49,
@@ -2781,11 +2781,14 @@ var file_rpc_common_service_proto_rawDesc = []byte{
 	0x18, 0x10, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
 	0x6d, 0x70, 0x52, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x4d, 0x6f, 0x64, 0x69, 0x66, 0x69, 0x65, 0x64,
-	0x44, 0x61, 0x74, 0x65, 0x12, 0x30, 0x0a, 0x14, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x61,
+	0x44, 0x61, 0x74, 0x65, 0x12, 0x48, 0x0a, 0x14, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x61,
 	0x64, 0x76, 0x69, 0x73, 0x6f, 0x72, 0x79, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x11, 0x20, 0x01,
-	0x28, 0x0c, 0x52, 0x12, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x41, 0x64, 0x76, 0x69, 0x73, 0x6f,
-	0x72, 0x79, 0x44, 0x61, 0x74, 0x61, 0x12, 0x28, 0x0a, 0x10, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d,
-	0x5f, 0x76, 0x75, 0x6c, 0x6e, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x12, 0x20, 0x01, 0x28, 0x0c,
+	0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x12, 0x63, 0x75, 0x73, 0x74,
+	0x6f, 0x6d, 0x41, 0x64, 0x76, 0x69, 0x73, 0x6f, 0x72, 0x79, 0x44, 0x61, 0x74, 0x61, 0x12, 0x40,
+	0x0a, 0x10, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x76, 0x75, 0x6c, 0x6e, 0x5f, 0x64, 0x61,
+	0x74, 0x61, 0x18, 0x12, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65,
 	0x52, 0x0e, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x56, 0x75, 0x6c, 0x6e, 0x44, 0x61, 0x74, 0x61,
 	0x12, 0x1d, 0x0a, 0x0a, 0x76, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x13,
 	0x20, 0x03, 0x28, 0x09, 0x52, 0x09, 0x76, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x49, 0x64, 0x73, 0x12,
@@ -3049,29 +3052,31 @@ var file_rpc_common_service_proto_depIdxs = []int32{
 	31, // 16: trivy.common.Vulnerability.cvss:type_name -> trivy.common.Vulnerability.CvssEntry
 	33, // 17: trivy.common.Vulnerability.published_date:type_name -> google.protobuf.Timestamp
 	33, // 18: trivy.common.Vulnerability.last_modified_date:type_name -> google.protobuf.Timestamp
-	16, // 19: trivy.common.Vulnerability.data_source:type_name -> trivy.common.DataSource
-	32, // 20: trivy.common.Vulnerability.vendor_severity:type_name -> trivy.common.Vulnerability.VendorSeverityEntry
-	22, // 21: trivy.common.CauseMetadata.code:type_name -> trivy.common.Code
-	23, // 22: trivy.common.CauseMetadata.rendered_cause:type_name -> trivy.common.RenderedCause
-	17, // 23: trivy.common.CustomResource.layer:type_name -> trivy.common.Layer
-	34, // 24: trivy.common.CustomResource.data:type_name -> google.protobuf.Value
-	21, // 25: trivy.common.Code.lines:type_name -> trivy.common.Line
-	22, // 26: trivy.common.SecretFinding.code:type_name -> trivy.common.Code
-	17, // 27: trivy.common.SecretFinding.layer:type_name -> trivy.common.Layer
-	24, // 28: trivy.common.Secret.findings:type_name -> trivy.common.SecretFinding
-	0,  // 29: trivy.common.DetectedLicense.severity:type_name -> trivy.common.Severity
-	1,  // 30: trivy.common.DetectedLicense.category:type_name -> trivy.common.LicenseCategory.Enum
-	2,  // 31: trivy.common.LicenseFile.license_type:type_name -> trivy.common.LicenseType.Enum
-	28, // 32: trivy.common.LicenseFile.fingings:type_name -> trivy.common.LicenseFinding
-	17, // 33: trivy.common.LicenseFile.layer:type_name -> trivy.common.Layer
-	1,  // 34: trivy.common.LicenseFinding.category:type_name -> trivy.common.LicenseCategory.Enum
-	19, // 35: trivy.common.Vulnerability.CvssEntry.value:type_name -> trivy.common.CVSS
-	0,  // 36: trivy.common.Vulnerability.VendorSeverityEntry.value:type_name -> trivy.common.Severity
-	37, // [37:37] is the sub-list for method output_type
-	37, // [37:37] is the sub-list for method input_type
-	37, // [37:37] is the sub-list for extension type_name
-	37, // [37:37] is the sub-list for extension extendee
-	0,  // [0:37] is the sub-list for field type_name
+	34, // 19: trivy.common.Vulnerability.custom_advisory_data:type_name -> google.protobuf.Value
+	34, // 20: trivy.common.Vulnerability.custom_vuln_data:type_name -> google.protobuf.Value
+	16, // 21: trivy.common.Vulnerability.data_source:type_name -> trivy.common.DataSource
+	32, // 22: trivy.common.Vulnerability.vendor_severity:type_name -> trivy.common.Vulnerability.VendorSeverityEntry
+	22, // 23: trivy.common.CauseMetadata.code:type_name -> trivy.common.Code
+	23, // 24: trivy.common.CauseMetadata.rendered_cause:type_name -> trivy.common.RenderedCause
+	17, // 25: trivy.common.CustomResource.layer:type_name -> trivy.common.Layer
+	34, // 26: trivy.common.CustomResource.data:type_name -> google.protobuf.Value
+	21, // 27: trivy.common.Code.lines:type_name -> trivy.common.Line
+	22, // 28: trivy.common.SecretFinding.code:type_name -> trivy.common.Code
+	17, // 29: trivy.common.SecretFinding.layer:type_name -> trivy.common.Layer
+	24, // 30: trivy.common.Secret.findings:type_name -> trivy.common.SecretFinding
+	0,  // 31: trivy.common.DetectedLicense.severity:type_name -> trivy.common.Severity
+	1,  // 32: trivy.common.DetectedLicense.category:type_name -> trivy.common.LicenseCategory.Enum
+	2,  // 33: trivy.common.LicenseFile.license_type:type_name -> trivy.common.LicenseType.Enum
+	28, // 34: trivy.common.LicenseFile.fingings:type_name -> trivy.common.LicenseFinding
+	17, // 35: trivy.common.LicenseFile.layer:type_name -> trivy.common.Layer
+	1,  // 36: trivy.common.LicenseFinding.category:type_name -> trivy.common.LicenseCategory.Enum
+	19, // 37: trivy.common.Vulnerability.CvssEntry.value:type_name -> trivy.common.CVSS
+	0,  // 38: trivy.common.Vulnerability.VendorSeverityEntry.value:type_name -> trivy.common.Severity
+	39, // [39:39] is the sub-list for method output_type
+	39, // [39:39] is the sub-list for method input_type
+	39, // [39:39] is the sub-list for extension type_name
+	39, // [39:39] is the sub-list for extension extendee
+	0,  // [0:39] is the sub-list for field type_name
 }

 func init() { file_rpc_common_service_proto_init() }
--- a/rpc/common/service.proto
+++ b/rpc/common/service.proto
@@ -140,8 +140,8 @@ message Vulnerability {
  string primary_url = 14;
  google.protobuf.Timestamp published_date = 15;
  google.protobuf.Timestamp last_modified_date = 16;
-  bytes custom_advisory_data = 17;
-  bytes custom_vuln_data = 18;
+  google.protobuf.Value custom_advisory_data = 17;
+  google.protobuf.Value custom_vuln_data = 18;
  repeated string vendor_ids = 19;
  DataSource data_source = 20;
  map<string, Severity> vendor_severity = 21;