feat(vuln): include pkg identifier on detected vulnerabilities (#5439)

Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
Juan Ariza Toledano
2023-12-27 08:54:56 +01:00
committed by GitHub
parent 4cdff0e573
commit 1f0d6290c3
126 changed files with 4896 additions and 2131 deletions


@@ -539,7 +539,7 @@ func TestClientServerWithRedis(t *testing.T) {
// Run Trivy client
err := execute(osArgs)
require.Error(t, err)
assert.Contains(t, err.Error(), "connect: connection refused")
assert.Contains(t, err.Error(), "unable to store cache")
})
}


@@ -41,9 +41,15 @@ func TestSBOM(t *testing.T) {
{
Target: "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{
PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
},
{
PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
{
PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
},
},
},
@@ -82,9 +88,15 @@ func TestSBOM(t *testing.T) {
{
Target: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{
PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
},
{
PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
{
PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
},
},
},
@@ -105,9 +117,15 @@ func TestSBOM(t *testing.T) {
{
Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{
PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
},
{
PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
{
PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
},
},
},
@@ -128,9 +146,15 @@ func TestSBOM(t *testing.T) {
{
Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
Vulnerabilities: []types.DetectedVulnerability{
{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
{
PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810",
},
{
PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
{
PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810",
},
},
},
},
@@ -200,6 +224,12 @@ func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant typ
want.Results[i].Target = result.Target
for j, vuln := range result.Vulnerabilities {
want.Results[i].Vulnerabilities[j].PkgRef = vuln.PkgRef
if vuln.PkgIdentifier.Empty() {
continue
}
want.Results[i].Vulnerabilities[j].PkgIdentifier = ftypes.PkgIdentifier{
PURL: vuln.PkgIdentifier.PURL,
}
}
}
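Review bot: The new branch in compareSBOMReports rebuilds the expected identifier as `ftypes.PkgIdentifier{PURL: vuln.PkgIdentifier.PURL}`, so if PkgIdentifier carries any field beyond PURL in the override it is dropped before the comparison; if only the PURL is meant to be overridden, `want.Results[i].Vulnerabilities[j].PkgIdentifier.PURL = vuln.PkgIdentifier.PURL` states that directly and keeps any other identifier field in the golden file under test. The loop still copies PkgRef unconditionally while PkgIdentifier is copied only when the table entry sets it, and every entry in the TestSBOM hunks above sets PkgRef alone, so for those cases the golden PURL is never checked against the table; a comment such as `// PkgRef is always taken from the table; PkgIdentifier only when the entry sets it` would make that asymmetry explicit for the next person extending the table. compareSBOMReports starts outside this hunk.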


@@ -56,6 +56,9 @@
"VulnerabilityID": "CVE-2021-3712",
"PkgID": "openssl-libs@1.1.1k-4.el8.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/alma/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=alma-8.5\u0026epoch=1"
},
"InstalledVersion": "1:1.1.1k-4.el8",
"FixedVersion": "1:1.1.1k-5.el8_5",
"Status": "fixed",


@@ -64,6 +64,9 @@
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Status": "fixed",
@@ -133,6 +136,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Status": "fixed",
@@ -212,6 +218,9 @@
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Status": "fixed",
@@ -281,6 +290,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Status": "fixed",


@@ -58,6 +58,9 @@
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Status": "fixed",
@@ -127,6 +130,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Status": "fixed",
@@ -206,6 +212,9 @@
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
"Status": "fixed",
@@ -275,6 +284,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
"Status": "fixed",


@@ -58,6 +58,9 @@
"VulnerabilityID": "CVE-2019-14697",
"PkgID": "musl@1.1.20-r4",
"PkgName": "musl",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Status": "fixed",
@@ -100,6 +103,9 @@
"VulnerabilityID": "CVE-2019-14697",
"PkgID": "musl-utils@1.1.20-r4",
"PkgName": "musl-utils",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Status": "fixed",


@@ -58,6 +58,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Status": "fixed",
@@ -137,6 +140,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Status": "fixed",


@@ -58,6 +58,9 @@
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Status": "fixed",
@@ -127,6 +130,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Status": "fixed",
@@ -206,6 +212,9 @@
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
"Status": "fixed",
@@ -275,6 +284,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1b-r1?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
"Status": "fixed",
@@ -354,6 +366,9 @@
"VulnerabilityID": "CVE-2019-14697",
"PkgID": "musl@1.1.20-r4",
"PkgName": "musl",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Status": "fixed",
@@ -396,6 +411,9 @@
"VulnerabilityID": "CVE-2019-14697",
"PkgID": "musl-utils@1.1.20-r4",
"PkgName": "musl-utils",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/musl-utils@1.1.20-r4?arch=x86_64\u0026distro=3.9.4"
},
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
"Status": "fixed",


@@ -53,6 +53,9 @@
"VulnerabilityID": "CVE-2022-24765",
"PkgID": "git@2.35.1-r2",
"PkgName": "git",
"PkgIdentifier": {
"PURL": "pkg:apk/alpine/git@2.35.1-r2?arch=x86_64\u0026distro=3.16"
},
"InstalledVersion": "2.35.1-r2",
"FixedVersion": "2.35.2-r0",
"Status": "fixed",


@@ -57,6 +57,9 @@
"VulnerabilityID": "CVE-2019-5481",
"PkgID": "curl@7.61.1-11.91.amzn1.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-11.91.amzn1?arch=x86_64\u0026distro=amazon-AMI+release+2018.03"
},
"InstalledVersion": "7.61.1-11.91.amzn1",
"FixedVersion": "7.61.1-12.93.amzn1",
"Status": "fixed",


@@ -57,6 +57,9 @@
"VulnerabilityID": "CVE-2019-5481",
"PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29"
},
"InstalledVersion": "7.61.1-9.amzn2.0.1",
"FixedVersion": "7.61.1-12.amzn2.0.1",
"Status": "fixed",
@@ -125,6 +128,9 @@
"VulnerabilityID": "CVE-2019-5436",
"PkgID": "curl@7.61.1-9.amzn2.0.1.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29"
},
"InstalledVersion": "7.61.1-9.amzn2.0.1",
"FixedVersion": "7.61.1-11.amzn2.0.2",
"Status": "fixed",


@@ -29,6 +29,9 @@
"VulnerabilityID": "CVE-2022-38177",
"PkgID": "bind-export-libs@9.11.4-26.P2.amzn2.5.2.x86_64",
"PkgName": "bind-export-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/bind-export-libs@9.11.4-26.P2.amzn2.5.2?arch=x86_64\u0026distro=amazon-2+%28Karoo%29\u0026epoch=32"
},
"InstalledVersion": "32:9.11.4-26.P2.amzn2.5.2",
"FixedVersion": "99:9.11.4-26.P2.amzn2.13",
"Status": "fixed",


@@ -57,6 +57,9 @@
"VulnerabilityID": "CVE-2019-15542",
"PkgID": "ammonia@1.9.0",
"PkgName": "ammonia",
"PkgIdentifier": {
"PURL": "pkg:cargo/ammonia@1.9.0"
},
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 2.1.0",
"Status": "fixed",
@@ -99,6 +102,9 @@
"VulnerabilityID": "CVE-2021-38193",
"PkgID": "ammonia@1.9.0",
"PkgName": "ammonia",
"PkgIdentifier": {
"PURL": "pkg:cargo/ammonia@1.9.0"
},
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
"Status": "fixed",


@@ -79,6 +79,9 @@
"VulnerabilityID": "CVE-2020-29573",
"PkgID": "glibc@2.12-1.212.el6.x86_64",
"PkgName": "glibc",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/glibc@2.12-1.212.el6?arch=x86_64\u0026distro=centos-6.10"
},
"InstalledVersion": "2.12-1.212.el6",
"Status": "end_of_life",
"Layer": {
@@ -132,6 +135,9 @@
],
"PkgID": "openssl@1.0.1e-57.el6.x86_64",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl@1.0.1e-57.el6?arch=x86_64\u0026distro=centos-6.10"
},
"InstalledVersion": "1.0.1e-57.el6",
"FixedVersion": "1.0.1e-58.el6_10",
"Status": "fixed",


@@ -72,6 +72,9 @@
],
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
"Status": "fixed",
@@ -162,6 +165,9 @@
],
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
"Status": "fixed",


@@ -72,6 +72,9 @@
],
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
"Status": "fixed",


@@ -69,6 +69,9 @@
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@4.2.46-31.el7.x86_64",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810"
},
"InstalledVersion": "4.2.46-31.el7",
"Status": "will_not_fix",
"Layer": {
@@ -126,6 +129,9 @@
],
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
"Status": "fixed",
@@ -216,6 +222,9 @@
],
"PkgID": "openssl-libs@1.0.2k-16.el7.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "_NIODataStructures@2.41.0",
"Name": "_NIODataStructures",
"Identifier": {
"PURL": "pkg:cocoapods/_NIODataStructures@2.41.0"
},
"Version": "2.41.0",
"Layer": {}
}
@@ -33,6 +36,9 @@
"VulnerabilityID": "CVE-2022-3215",
"PkgID": "_NIODataStructures@2.41.0",
"PkgName": "_NIODataStructures",
"PkgIdentifier": {
"PURL": "pkg:cocoapods/_NIODataStructures@2.41.0"
},
"InstalledVersion": "2.41.0",
"FixedVersion": "2.29.1, 2.39.1, 2.42.0",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "guzzlehttp/guzzle@7.4.4",
"Name": "guzzlehttp/guzzle",
"Identifier": {
"PURL": "pkg:composer/guzzlehttp/guzzle@7.4.4"
},
"Version": "7.4.4",
"Licenses": [
"MIT"
@@ -42,6 +45,9 @@
{
"ID": "guzzlehttp/psr7@1.8.3",
"Name": "guzzlehttp/psr7",
"Identifier": {
"PURL": "pkg:composer/guzzlehttp/psr7@1.8.3"
},
"Version": "1.8.3",
"Licenses": [
"MIT"
@@ -61,6 +67,9 @@
"VulnerabilityID": "CVE-2022-24775",
"PkgID": "guzzlehttp/psr7@1.8.3",
"PkgName": "guzzlehttp/psr7",
"PkgIdentifier": {
"PURL": "pkg:composer/guzzlehttp/psr7@1.8.3"
},
"InstalledVersion": "1.8.3",
"FixedVersion": "1.8.4",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "bzip2/1.0.8",
"Name": "bzip2",
"Identifier": {
"PURL": "pkg:conan/bzip2@1.0.8"
},
"Version": "1.0.8",
"Indirect": true,
"Layer": {},
@@ -37,6 +40,9 @@
{
"ID": "expat/2.4.8",
"Name": "expat",
"Identifier": {
"PURL": "pkg:conan/expat@2.4.8"
},
"Version": "2.4.8",
"Indirect": true,
"Layer": {},
@@ -50,6 +56,9 @@
{
"ID": "openssl/1.1.1q",
"Name": "openssl",
"Identifier": {
"PURL": "pkg:conan/openssl@1.1.1q"
},
"Version": "1.1.1q",
"Indirect": true,
"Layer": {},
@@ -63,6 +72,9 @@
{
"ID": "pcre/8.43",
"Name": "pcre",
"Identifier": {
"PURL": "pkg:conan/pcre@8.43"
},
"Version": "8.43",
"Indirect": true,
"DependsOn": [
@@ -80,6 +92,9 @@
{
"ID": "poco/1.9.4",
"Name": "poco",
"Identifier": {
"PURL": "pkg:conan/poco@1.9.4"
},
"Version": "1.9.4",
"DependsOn": [
"pcre/8.43",
@@ -99,6 +114,9 @@
{
"ID": "sqlite3/3.39.2",
"Name": "sqlite3",
"Identifier": {
"PURL": "pkg:conan/sqlite3@3.39.2"
},
"Version": "3.39.2",
"Indirect": true,
"Layer": {},
@@ -112,6 +130,9 @@
{
"ID": "zlib/1.2.12",
"Name": "zlib",
"Identifier": {
"PURL": "pkg:conan/zlib@1.2.12"
},
"Version": "1.2.12",
"Indirect": true,
"Layer": {},
@@ -128,6 +149,9 @@
"VulnerabilityID": "CVE-2020-14155",
"PkgID": "pcre/8.43",
"PkgName": "pcre",
"PkgIdentifier": {
"PURL": "pkg:conan/pcre@8.43"
},
"InstalledVersion": "8.43",
"FixedVersion": "8.45",
"Status": "fixed",


@@ -22,7 +22,7 @@
},
{
"name": "openssl",
"SPDXID": "SPDXRef-Package-c75d9dc75200186f",
"SPDXID": "SPDXRef-Package-a4bad823866cc210",
"versionInfo": "1.1.1q",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
@@ -43,7 +43,7 @@
},
{
"name": "pip",
"SPDXID": "SPDXRef-Package-195557cddf18e4a9",
"SPDXID": "SPDXRef-Package-e8a0eb2c9979a021",
"versionInfo": "22.2.2",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
@@ -74,17 +74,6 @@
}
],
"files": [
{
"fileName": "miniconda3/envs/testenv/conda-meta/pip-22.2.2-py38h06a4308_0.json",
"SPDXID": "SPDXRef-File-7eb62e2a3edddc0a",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "a6a2db7668f1ad541d704369fc66c96a4415aa24"
}
],
"copyrightText": ""
},
{
"fileName": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json",
"SPDXID": "SPDXRef-File-600e5e0110a84891",
@@ -95,6 +84,17 @@
}
],
"copyrightText": ""
},
{
"fileName": "miniconda3/envs/testenv/conda-meta/pip-22.2.2-py38h06a4308_0.json",
"SPDXID": "SPDXRef-File-7eb62e2a3edddc0a",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "a6a2db7668f1ad541d704369fc66c96a4415aa24"
}
],
"copyrightText": ""
}
],
"relationships": [
@@ -110,22 +110,22 @@
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-195557cddf18e4a9",
"relatedSpdxElement": "SPDXRef-Package-a4bad823866cc210",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-195557cddf18e4a9",
"relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
"spdxElementId": "SPDXRef-Package-a4bad823866cc210",
"relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
"relatedSpdxElement": "SPDXRef-Package-c75d9dc75200186f",
"relatedSpdxElement": "SPDXRef-Package-e8a0eb2c9979a021",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Package-c75d9dc75200186f",
"relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
"spdxElementId": "SPDXRef-Package-e8a0eb2c9979a021",
"relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
"relationshipType": "CONTAINS"
}
]
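Review bot: The SPDX package IDs for openssl and pip change in this golden file (`SPDXRef-Package-c75d9dc75200186f` → `SPDXRef-Package-a4bad823866cc210`, `SPDXRef-Package-195557cddf18e4a9` → `SPDXRef-Package-e8a0eb2c9979a021`) while their name and versionInfo do not, which suggests the element-ID hash input now includes the new package identifier; that is a user-visible change for anyone diffing or attesting SBOMs across Trivy versions, and the commit title does not mention it. The relationships block is updated consistently (each package still CONTAINS its own conda-meta file), so the data itself is coherent; the point is documentation: a changelog or release-note line stating that SPDX element IDs are regenerated for existing packages would save consumers from chasing phantom changes. The files array is also reordered (the pip entry now follows the openssl entry), which shows up as similar noise in textual SBOM diffs.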


@@ -60,6 +60,9 @@
],
"PkgID": "libidn2-0@2.0.5-1",
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
"Status": "fixed",


@@ -57,6 +57,9 @@
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@5.0-4",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.1"
},
"InstalledVersion": "5.0-4",
"Status": "affected",
"Layer": {
@@ -120,6 +123,9 @@
],
"PkgID": "libidn2-0@2.0.5-1",
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
"Status": "fixed",


@@ -58,6 +58,9 @@
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@4.4-5",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/bash@4.4-5?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "4.4-5",
"Status": "end_of_life",
"Layer": {
@@ -121,6 +124,9 @@
],
"PkgID": "e2fslibs@1.43.4-2",
"PkgName": "e2fslibs",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/e2fslibs@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
"Status": "fixed",
@@ -191,6 +197,9 @@
],
"PkgID": "e2fsprogs@1.43.4-2",
"PkgName": "e2fsprogs",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/e2fsprogs@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
"Status": "fixed",
@@ -261,6 +270,9 @@
],
"PkgID": "libcomerr2@1.43.4-2",
"PkgName": "libcomerr2",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libcomerr2@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
"Status": "fixed",
@@ -331,6 +343,9 @@
],
"PkgID": "libss2@1.43.4-2",
"PkgName": "libss2",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libss2@1.43.4-2?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
"Status": "fixed",


@@ -56,6 +56,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
"Layer": {
@@ -137,6 +140,9 @@
],
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
"Status": "fixed",
@@ -224,6 +230,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
"Layer": {
@@ -305,6 +314,9 @@
],
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
"Status": "fixed",


@@ -73,6 +73,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
"Layer": {
@@ -154,6 +157,9 @@
],
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
"Status": "fixed",
@@ -241,6 +247,9 @@
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
"Layer": {
@@ -322,6 +331,9 @@
],
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
"Status": "fixed",


@@ -23,6 +23,9 @@
"Packages": [
{
"Name": "Newtonsoft.Json",
"Identifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
},
"Version": "9.0.1",
"Layer": {},
"Locations": [
@@ -37,6 +40,9 @@
{
"VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
"PkgName": "Newtonsoft.Json",
"PkgIdentifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
},
"InstalledVersion": "9.0.1",
"FixedVersion": "13.0.1",
"Status": "fixed",


@@ -113,6 +113,9 @@
],
"PkgID": "libidn2-0@2.0.5-1",
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
"Status": "fixed",
@@ -181,6 +184,9 @@
"VulnerabilityID": "CVE-2020-8165",
"PkgName": "activesupport",
"PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
"PkgIdentifier": {
"PURL": "pkg:gem/activesupport@6.0.2.1"
},
"InstalledVersion": "6.0.2.1",
"FixedVersion": "6.0.3.1, 5.2.4.3",
"Status": "fixed",


@@ -28,6 +28,9 @@
{
"VulnerabilityID": "CVE-2019-18276",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/bash@5.0-4?distro=debian-10.2"
},
"InstalledVersion": "5.0-4",
"Status": "affected",
"Layer": {},
@@ -88,6 +91,9 @@
"DSA-4613-1"
],
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?distro=debian-10.2"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
"Status": "fixed",
@@ -154,6 +160,9 @@
"VulnerabilityID": "CVE-2020-8165",
"PkgName": "activesupport",
"PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
"PkgIdentifier": {
"PURL": "pkg:gem/activesupport@6.0.2.1"
},
"InstalledVersion": "6.0.2.1",
"FixedVersion": "6.0.3.1, 5.2.4.3",
"Status": "fixed",


@@ -25,6 +25,9 @@
"VulnerabilityID": "GMS-2022-20",
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
@@ -48,6 +51,9 @@
"VulnerabilityID": "CVE-2022-23628",
"PkgID": "github.com/open-policy-agent/opa@v0.35.0",
"PkgName": "github.com/open-policy-agent/opa",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0"
},
"InstalledVersion": "0.35.0",
"FixedVersion": "0.37.0",
"Status": "fixed",
@@ -91,6 +97,9 @@
"VulnerabilityID": "CVE-2021-38561",
"PkgID": "golang.org/x/text@v0.3.6",
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/text@0.3.6"
},
"InstalledVersion": "0.3.6",
"FixedVersion": "0.3.7",
"Status": "fixed",
@@ -120,6 +129,9 @@
"VulnerabilityID": "GMS-2022-20",
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",


@@ -25,6 +25,9 @@
"VulnerabilityID": "GMS-2022-20",
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
@@ -48,6 +51,9 @@
"VulnerabilityID": "CVE-2022-23628",
"PkgID": "github.com/open-policy-agent/opa@v0.35.0",
"PkgName": "github.com/open-policy-agent/opa",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/open-policy-agent/opa@0.35.0"
},
"InstalledVersion": "0.35.0",
"FixedVersion": "0.37.0",
"Status": "fixed",
@@ -91,6 +97,9 @@
"VulnerabilityID": "CVE-2021-38561",
"PkgID": "golang.org/x/text@v0.3.6",
"PkgName": "golang.org/x/text",
"PkgIdentifier": {
"PURL": "pkg:golang/golang.org/x/text@0.3.6"
},
"InstalledVersion": "0.3.6",
"FixedVersion": "0.3.7",
"Status": "fixed",
@@ -120,6 +129,9 @@
"VulnerabilityID": "GMS-2022-20",
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",
@@ -150,6 +162,9 @@
"VulnerabilityID": "GMS-2022-20",
"PkgID": "github.com/docker/distribution@v2.7.1+incompatible",
"PkgName": "github.com/docker/distribution",
"PkgIdentifier": {
"PURL": "pkg:golang/github.com/docker/distribution@2.7.1%2Bincompatible"
},
"InstalledVersion": "2.7.1+incompatible",
"FixedVersion": "v2.8.0",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"VulnerabilityID": "CVE-2020-9548",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"PkgIdentifier": {
"PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
},
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.4",
"Status": "fixed",
@@ -85,6 +88,9 @@
{
"VulnerabilityID": "CVE-2021-20190",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"PkgIdentifier": {
"PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
},
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.7",
"Status": "fixed",


@@ -41,6 +41,9 @@
{
"VulnerabilityID": "CVE-2022-0261",
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64"
},
"InstalledVersion": "8.2.4081-1.cm1",
"Status": "affected",
"Layer": {
@@ -74,6 +77,9 @@
{
"VulnerabilityID": "CVE-2022-0158",
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64"
},
"InstalledVersion": "8.2.4081-1.cm1",
"FixedVersion": "8.2.4082-1.cm1",
"Status": "fixed",


@@ -33,6 +33,9 @@
{
"VulnerabilityID": "CVE-2023-2431",
"PkgName": "k8s.io/kubelet",
"PkgIdentifier": {
"PURL": "pkg:k8s/k8s.io%2Fkubelet@1.27.0"
},
"InstalledVersion": "1.27.0",
"FixedVersion": "1.24.14, 1.25.9, 1.26.4, 1.27.1",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "castore@0.1.18",
"Name": "castore",
"Identifier": {
"PURL": "pkg:hex/castore@0.1.18"
},
"Version": "0.1.18",
"Layer": {},
"Locations": [
@@ -36,6 +39,9 @@
{
"ID": "jason@1.4.0",
"Name": "jason",
"Identifier": {
"PURL": "pkg:hex/jason@1.4.0"
},
"Version": "1.4.0",
"Layer": {},
"Locations": [
@@ -48,6 +54,9 @@
{
"ID": "phoenix@1.6.13",
"Name": "phoenix",
"Identifier": {
"PURL": "pkg:hex/phoenix@1.6.13"
},
"Version": "1.6.13",
"Layer": {},
"Locations": [
@@ -60,6 +69,9 @@
{
"ID": "phoenix_html@3.2.0",
"Name": "phoenix_html",
"Identifier": {
"PURL": "pkg:hex/phoenix_html@3.2.0"
},
"Version": "3.2.0",
"Layer": {},
"Locations": [
@@ -72,6 +84,9 @@
{
"ID": "phoenix_pubsub@2.1.1",
"Name": "phoenix_pubsub",
"Identifier": {
"PURL": "pkg:hex/phoenix_pubsub@2.1.1"
},
"Version": "2.1.1",
"Layer": {},
"Locations": [
@@ -84,6 +99,9 @@
{
"ID": "phoenix_template@1.0.0",
"Name": "phoenix_template",
"Identifier": {
"PURL": "pkg:hex/phoenix_template@1.0.0"
},
"Version": "1.0.0",
"Layer": {},
"Locations": [
@@ -96,6 +114,9 @@
{
"ID": "phoenix_view@2.0.1",
"Name": "phoenix_view",
"Identifier": {
"PURL": "pkg:hex/phoenix_view@2.0.1"
},
"Version": "2.0.1",
"Layer": {},
"Locations": [
@@ -108,6 +129,9 @@
{
"ID": "plug@1.14.0",
"Name": "plug",
"Identifier": {
"PURL": "pkg:hex/plug@1.14.0"
},
"Version": "1.14.0",
"Layer": {},
"Locations": [
@@ -120,6 +144,9 @@
{
"ID": "plug_crypto@1.2.3",
"Name": "plug_crypto",
"Identifier": {
"PURL": "pkg:hex/plug_crypto@1.2.3"
},
"Version": "1.2.3",
"Layer": {},
"Locations": [
@@ -132,6 +159,9 @@
{
"ID": "telemetry@1.1.0",
"Name": "telemetry",
"Identifier": {
"PURL": "pkg:hex/telemetry@1.1.0"
},
"Version": "1.1.0",
"Layer": {},
"Locations": [
@@ -147,6 +177,9 @@
"VulnerabilityID": "CVE-2022-42975",
"PkgID": "phoenix@1.6.13",
"PkgName": "phoenix",
"PkgIdentifier": {
"PURL": "pkg:hex/phoenix@1.6.13"
},
"InstalledVersion": "1.6.13",
"FixedVersion": "1.6.14",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "asap@2.0.6",
"Name": "asap",
"Identifier": {
"PURL": "pkg:npm/asap@2.0.6"
},
"Version": "2.0.6",
"Indirect": true,
"Layer": {},
@@ -37,6 +40,9 @@
{
"ID": "jquery@3.3.9",
"Name": "jquery",
"Identifier": {
"PURL": "pkg:npm/jquery@3.3.9"
},
"Version": "3.3.9",
"Licenses": [
"MIT"
@@ -53,6 +59,9 @@
{
"ID": "js-tokens@4.0.0",
"Name": "js-tokens",
"Identifier": {
"PURL": "pkg:npm/js-tokens@4.0.0"
},
"Version": "4.0.0",
"Indirect": true,
"Layer": {},
@@ -66,6 +75,9 @@
{
"ID": "loose-envify@1.4.0",
"Name": "loose-envify",
"Identifier": {
"PURL": "pkg:npm/loose-envify@1.4.0"
},
"Version": "1.4.0",
"Indirect": true,
"DependsOn": [
@@ -82,6 +94,9 @@
{
"ID": "object-assign@4.1.1",
"Name": "object-assign",
"Identifier": {
"PURL": "pkg:npm/object-assign@4.1.1"
},
"Version": "4.1.1",
"Indirect": true,
"Layer": {},
@@ -95,6 +110,9 @@
{
"ID": "promise@8.0.3",
"Name": "promise",
"Identifier": {
"PURL": "pkg:npm/promise@8.0.3"
},
"Version": "8.0.3",
"Licenses": [
"MIT"
@@ -114,6 +132,9 @@
{
"ID": "prop-types@15.7.2",
"Name": "prop-types",
"Identifier": {
"PURL": "pkg:npm/prop-types@15.7.2"
},
"Version": "15.7.2",
"Indirect": true,
"DependsOn": [
@@ -132,6 +153,9 @@
{
"ID": "react@16.8.6",
"Name": "react",
"Identifier": {
"PURL": "pkg:npm/react@16.8.6"
},
"Version": "16.8.6",
"Licenses": [
"MIT"
@@ -154,6 +178,9 @@
{
"ID": "react-is@16.8.6",
"Name": "react-is",
"Identifier": {
"PURL": "pkg:npm/react-is@16.8.6"
},
"Version": "16.8.6",
"Licenses": [
"MIT"
@@ -170,6 +197,9 @@
{
"ID": "redux@4.0.1",
"Name": "redux",
"Identifier": {
"PURL": "pkg:npm/redux@4.0.1"
},
"Version": "4.0.1",
"Licenses": [
"MIT"
@@ -190,6 +220,9 @@
{
"ID": "scheduler@0.13.6",
"Name": "scheduler",
"Identifier": {
"PURL": "pkg:npm/scheduler@0.13.6"
},
"Version": "0.13.6",
"Indirect": true,
"DependsOn": [
@@ -207,6 +240,9 @@
{
"ID": "symbol-observable@1.2.0",
"Name": "symbol-observable",
"Identifier": {
"PURL": "pkg:npm/symbol-observable@1.2.0"
},
"Version": "1.2.0",
"Indirect": true,
"Layer": {},
@@ -220,6 +256,9 @@
{
"ID": "z-lock@1.0.0",
"Name": "z-lock",
"Identifier": {
"PURL": "pkg:npm/z-lock@1.0.0"
},
"Version": "1.0.0",
"Dev": true,
"Licenses": [
@@ -240,6 +279,9 @@
"VulnerabilityID": "CVE-2019-11358",
"PkgID": "jquery@3.3.9",
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/jquery@3.3.9"
},
"InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "asap@2.0.6",
"Name": "asap",
"Identifier": {
"PURL": "pkg:npm/asap@2.0.6"
},
"Version": "2.0.6",
"Indirect": true,
"Layer": {},
@@ -37,6 +40,9 @@
{
"ID": "jquery@3.3.9",
"Name": "jquery",
"Identifier": {
"PURL": "pkg:npm/jquery@3.3.9"
},
"Version": "3.3.9",
"Licenses": [
"MIT"
@@ -53,6 +59,9 @@
{
"ID": "js-tokens@4.0.0",
"Name": "js-tokens",
"Identifier": {
"PURL": "pkg:npm/js-tokens@4.0.0"
},
"Version": "4.0.0",
"Indirect": true,
"Layer": {},
@@ -66,6 +75,9 @@
{
"ID": "loose-envify@1.4.0",
"Name": "loose-envify",
"Identifier": {
"PURL": "pkg:npm/loose-envify@1.4.0"
},
"Version": "1.4.0",
"Indirect": true,
"DependsOn": [
@@ -82,6 +94,9 @@
{
"ID": "object-assign@4.1.1",
"Name": "object-assign",
"Identifier": {
"PURL": "pkg:npm/object-assign@4.1.1"
},
"Version": "4.1.1",
"Indirect": true,
"Layer": {},
@@ -95,6 +110,9 @@
{
"ID": "promise@8.0.3",
"Name": "promise",
"Identifier": {
"PURL": "pkg:npm/promise@8.0.3"
},
"Version": "8.0.3",
"Licenses": [
"MIT"
@@ -114,6 +132,9 @@
{
"ID": "prop-types@15.7.2",
"Name": "prop-types",
"Identifier": {
"PURL": "pkg:npm/prop-types@15.7.2"
},
"Version": "15.7.2",
"Indirect": true,
"DependsOn": [
@@ -132,6 +153,9 @@
{
"ID": "react@16.8.6",
"Name": "react",
"Identifier": {
"PURL": "pkg:npm/react@16.8.6"
},
"Version": "16.8.6",
"Licenses": [
"MIT"
@@ -154,6 +178,9 @@
{
"ID": "react-is@16.8.6",
"Name": "react-is",
"Identifier": {
"PURL": "pkg:npm/react-is@16.8.6"
},
"Version": "16.8.6",
"Licenses": [
"MIT"
@@ -170,6 +197,9 @@
{
"ID": "redux@4.0.1",
"Name": "redux",
"Identifier": {
"PURL": "pkg:npm/redux@4.0.1"
},
"Version": "4.0.1",
"Licenses": [
"MIT"
@@ -190,6 +220,9 @@
{
"ID": "scheduler@0.13.6",
"Name": "scheduler",
"Identifier": {
"PURL": "pkg:npm/scheduler@0.13.6"
},
"Version": "0.13.6",
"Indirect": true,
"DependsOn": [
@@ -207,6 +240,9 @@
{
"ID": "symbol-observable@1.2.0",
"Name": "symbol-observable",
"Identifier": {
"PURL": "pkg:npm/symbol-observable@1.2.0"
},
"Version": "1.2.0",
"Indirect": true,
"Layer": {},
@@ -223,6 +259,9 @@
"VulnerabilityID": "CVE-2019-11358",
"PkgID": "jquery@3.3.9",
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/jquery@3.3.9"
},
"InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "Newtonsoft.Json@12.0.3",
"Name": "Newtonsoft.Json",
"Identifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@12.0.3"
},
"Version": "12.0.3",
"Layer": {},
"Locations": [
@@ -36,6 +39,9 @@
{
"ID": "NuGet.Frameworks@5.7.0",
"Name": "NuGet.Frameworks",
"Identifier": {
"PURL": "pkg:nuget/NuGet.Frameworks@5.7.0"
},
"Version": "5.7.0",
"DependsOn": [
"Newtonsoft.Json@12.0.3"
@@ -54,6 +60,9 @@
"VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
"PkgID": "Newtonsoft.Json@12.0.3",
"PkgName": "Newtonsoft.Json",
"PkgIdentifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@12.0.3"
},
"InstalledVersion": "12.0.3",
"FixedVersion": "13.0.1",
"Status": "fixed",


@@ -65,6 +65,9 @@
"VulnerabilityID": "openSUSE-SU-2020:0062-1",
"PkgID": "libopenssl1_1@1.1.0i-lp151.8.3.1.x86_64",
"PkgName": "libopenssl1_1",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse.leap/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",
"Status": "fixed",
@@ -94,6 +97,9 @@
"VulnerabilityID": "openSUSE-SU-2020:0062-1",
"PkgID": "openssl-1_1@1.1.0i-lp151.8.3.1.x86_64",
"PkgName": "openssl-1_1",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse.leap/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse.leap-15.1"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",
"Status": "fixed",


@@ -66,6 +66,9 @@
"VulnerabilityID": "CVE-2019-3823",
"PkgID": "curl@7.61.1-8.el8.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0"
},
"InstalledVersion": "7.61.1-8.el8",
"FixedVersion": "7.61.1-11.el8",
"Status": "fixed",
@@ -133,6 +136,9 @@
"VulnerabilityID": "CVE-2019-5436",
"PkgID": "curl@7.61.1-8.el8.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0"
},
"InstalledVersion": "7.61.1-8.el8",
"FixedVersion": "7.61.1-12.el8",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "Newtonsoft.Json@9.0.1",
"Name": "Newtonsoft.Json",
"Identifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
},
"Version": "9.0.1",
"Layer": {}
}
@@ -33,6 +36,9 @@
"VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
"PkgID": "Newtonsoft.Json@9.0.1",
"PkgName": "Newtonsoft.Json",
"PkgIdentifier": {
"PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
},
"InstalledVersion": "9.0.1",
"FixedVersion": "13.0.1",
"Status": "fixed",


@@ -67,6 +67,9 @@
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@4.4.18-1.ph3.x86_64",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/bash@4.4.18-1.ph3?arch=x86_64\u0026distro=photon-3.0"
},
"InstalledVersion": "4.4.18-1.ph3",
"FixedVersion": "4.4.18-2.ph3",
"Status": "fixed",
@@ -127,6 +130,9 @@
"VulnerabilityID": "CVE-2019-5481",
"PkgID": "curl@7.61.1-4.ph3.x86_64",
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/curl@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0"
},
"InstalledVersion": "7.61.1-4.ph3",
"FixedVersion": "7.61.1-5.ph3",
"Status": "fixed",
@@ -195,6 +201,9 @@
"VulnerabilityID": "CVE-2019-5481",
"PkgID": "curl-libs@7.61.1-4.ph3.x86_64",
"PkgName": "curl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/curl-libs@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0"
},
"InstalledVersion": "7.61.1-4.ph3",
"FixedVersion": "7.61.1-5.ph3",
"Status": "fixed",


@@ -23,36 +23,57 @@
"Packages": [
{
"Name": "Flask",
"Identifier": {
"PURL": "pkg:pypi/flask@2.0.0"
},
"Version": "2.0.0",
"Layer": {}
},
{
"Name": "Jinja2",
"Identifier": {
"PURL": "pkg:pypi/jinja2@3.0.0"
},
"Version": "3.0.0",
"Layer": {}
},
{
"Name": "Werkzeug",
"Identifier": {
"PURL": "pkg:pypi/werkzeug@0.11"
},
"Version": "0.11",
"Layer": {}
},
{
"Name": "click",
"Identifier": {
"PURL": "pkg:pypi/click@8.0.0"
},
"Version": "8.0.0",
"Layer": {}
},
{
"Name": "itsdangerous",
"Identifier": {
"PURL": "pkg:pypi/itsdangerous@2.0.0"
},
"Version": "2.0.0",
"Layer": {}
},
{
"Name": "oauth2-client",
"Identifier": {
"PURL": "pkg:pypi/oauth2-client@4.0.0"
},
"Version": "4.0.0",
"Layer": {}
},
{
"Name": "python-gitlab",
"Identifier": {
"PURL": "pkg:pypi/python-gitlab@2.0.0"
},
"Version": "2.0.0",
"Layer": {}
}
@@ -61,6 +82,9 @@
{
"VulnerabilityID": "CVE-2019-14806",
"PkgName": "Werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11"
},
"InstalledVersion": "0.11",
"FixedVersion": "0.15.3",
"Status": "fixed",
@@ -114,6 +138,9 @@
{
"VulnerabilityID": "CVE-2020-28724",
"PkgName": "Werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11"
},
"InstalledVersion": "0.11",
"FixedVersion": "0.11.6",
"Status": "fixed",


@@ -23,6 +23,9 @@
"Packages": [
{
"Name": "werkzeug",
"Identifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1"
},
"Version": "0.11.1",
"Layer": {},
"Locations": [
@@ -37,6 +40,9 @@
{
"VulnerabilityID": "CVE-2019-14806",
"PkgName": "werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1"
},
"InstalledVersion": "0.11.1",
"FixedVersion": "0.15.3",
"Status": "fixed",
@@ -90,6 +96,9 @@
{
"VulnerabilityID": "CVE-2020-28724",
"PkgName": "werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.11.1"
},
"InstalledVersion": "0.11.1",
"FixedVersion": "0.11.6",
"Status": "fixed",


@@ -25,6 +25,9 @@
"VulnerabilityID": "CVE-2019-11358",
"PkgID": "jquery@3.3.9",
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/jquery@3.3.9"
},
"InstalledVersion": "3.3.9",
"FixedVersion": "3.4.0",
"Status": "fixed",
@@ -154,6 +157,9 @@
"VulnerabilityID": "CVE-2019-10744",
"PkgID": "lodash@4.17.4",
"PkgName": "lodash",
"PkgIdentifier": {
"PURL": "pkg:npm/lodash@4.17.4"
},
"InstalledVersion": "4.17.4",
"FixedVersion": "4.17.12",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "click@8.1.3",
"Name": "click",
"Identifier": {
"PURL": "pkg:pypi/click@8.1.3"
},
"Version": "8.1.3",
"DependsOn": [
"colorama@0.4.6"
@@ -33,6 +36,9 @@
{
"ID": "colorama@0.4.6",
"Name": "colorama",
"Identifier": {
"PURL": "pkg:pypi/colorama@0.4.6"
},
"Version": "0.4.6",
"Indirect": true,
"Layer": {}
@@ -40,6 +46,9 @@
{
"ID": "werkzeug@0.14",
"Name": "werkzeug",
"Identifier": {
"PURL": "pkg:pypi/werkzeug@0.14"
},
"Version": "0.14",
"Layer": {}
}
@@ -49,6 +58,9 @@
"VulnerabilityID": "CVE-2019-14806",
"PkgID": "werkzeug@0.14",
"PkgName": "werkzeug",
"PkgIdentifier": {
"PURL": "pkg:pypi/werkzeug@0.14"
},
"InstalledVersion": "0.14",
"FixedVersion": "0.15.3",
"Status": "fixed",


@@ -102,98 +102,6 @@
}
],
"vulnerabilities": [
{
"id": "CVE-2021-20190",
"source": {
"name": "glad",
"url": "https://gitlab.com/gitlab-org/advisories-community"
},
"ratings": [
{
"source": {
"name": "ghsa"
},
"severity": "high"
},
{
"source": {
"name": "nvd"
},
"score": 8.3,
"severity": "high",
"method": "CVSSv2",
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"
},
{
"source": {
"name": "nvd"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "redhat"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
502
],
"description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
"advisories": [
{
"url": "https://avd.aquasec.com/nvd/cve-2021-20190"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20190"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633"
},
{
"url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a"
},
{
"url": "https://github.com/FasterXML/jackson-databind/issues/2854"
},
{
"url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w"
},
{
"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210219-0008/"
}
],
"published": "2021-01-19T17:15:00+00:00",
"updated": "2021-07-20T23:15:00+00:00",
"affects": [
{
"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"versions": [
{
"version": "2.9.1",
"status": "affected"
}
]
}
]
},
{
"id": "CVE-2020-9548",
"source": {
@@ -315,6 +223,98 @@
]
}
]
},
{
"id": "CVE-2021-20190",
"source": {
"name": "glad",
"url": "https://gitlab.com/gitlab-org/advisories-community"
},
"ratings": [
{
"source": {
"name": "ghsa"
},
"severity": "high"
},
{
"source": {
"name": "nvd"
},
"score": 8.3,
"severity": "high",
"method": "CVSSv2",
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"
},
{
"source": {
"name": "nvd"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "redhat"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
502
],
"description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
"advisories": [
{
"url": "https://avd.aquasec.com/nvd/cve-2021-20190"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20190"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633"
},
{
"url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a"
},
{
"url": "https://github.com/FasterXML/jackson-databind/issues/2854"
},
{
"url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w"
},
{
"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210219-0008/"
}
],
"published": "2021-01-19T17:15:00+00:00",
"updated": "2021-07-20T23:15:00+00:00",
"affects": [
{
"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"versions": [
{
"version": "2.9.1",
"status": "affected"
}
]
}
]
}
]
}


@@ -25,6 +25,9 @@
"VulnerabilityID": "CVE-2020-9548",
"PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"PkgIdentifier": {
"PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
},
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.4",
"Status": "fixed",
@@ -87,6 +90,9 @@
"VulnerabilityID": "CVE-2021-20190",
"PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
"PkgName": "com.fasterxml.jackson.core:jackson-databind",
"PkgIdentifier": {
"PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
},
"InstalledVersion": "2.9.1",
"FixedVersion": "2.9.10.7",
"Status": "fixed",


@@ -24,12 +24,18 @@
{
"ID": "http@0.13.2",
"Name": "http",
"Identifier": {
"PURL": "pkg:pub/http@0.13.2"
},
"Version": "0.13.2",
"Layer": {}
},
{
"ID": "shelf@1.3.1",
"Name": "shelf",
"Identifier": {
"PURL": "pkg:pub/shelf@1.3.1"
},
"Version": "1.3.1",
"Indirect": true,
"Layer": {}
@@ -40,6 +46,9 @@
"VulnerabilityID": "CVE-2020-35669",
"PkgID": "http@0.13.2",
"PkgName": "http",
"PkgIdentifier": {
"PURL": "pkg:pub/http@0.13.2"
},
"InstalledVersion": "0.13.2",
"FixedVersion": "0.13.3",
"Status": "fixed",


@@ -56,6 +56,9 @@
"VulnerabilityID": "CVE-2021-3712",
"PkgID": "openssl-libs@1.1.1k-4.el8.x86_64",
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/rocky/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=rocky-8.5\u0026epoch=1"
},
"InstalledVersion": "1:1.1.1k-4.el8",
"FixedVersion": "1:1.1.1k-5.el8_5",
"Status": "fixed",


@@ -198,6 +198,9 @@
"VulnerabilityID": "CVE-2022-22965",
"PkgName": "org.springframework:spring-beans",
"PkgPath": "usr/local/tomcat/webapps/helloworld.war/WEB-INF/lib/spring-beans-5.3.15.jar",
"PkgIdentifier": {
"PURL": "pkg:maven/org.springframework/spring-beans@5.3.15"
},
"InstalledVersion": "5.3.15",
"FixedVersion": "5.3.18",
"Status": "fixed",


@@ -198,6 +198,9 @@
"VulnerabilityID": "CVE-2022-22965",
"PkgName": "org.springframework:spring-beans",
"PkgPath": "usr/local/tomcat/webapps/helloworld.war/WEB-INF/lib/spring-beans-5.3.15.jar",
"PkgIdentifier": {
"PURL": "pkg:maven/org.springframework/spring-beans@5.3.15"
},
"InstalledVersion": "5.3.15",
"FixedVersion": "5.3.18",
"Status": "fixed",


@@ -24,6 +24,9 @@
{
"ID": "github.com/apple/swift-atomics@1.1.0",
"Name": "github.com/apple/swift-atomics",
"Identifier": {
"PURL": "pkg:swift/github.com/apple/swift-atomics@1.1.0"
},
"Version": "1.1.0",
"Layer": {},
"Locations": [
@@ -36,6 +39,9 @@
{
"ID": "github.com/apple/swift-nio@2.41.0",
"Name": "github.com/apple/swift-nio",
"Identifier": {
"PURL": "pkg:swift/github.com/apple/swift-nio@2.41.0"
},
"Version": "2.41.0",
"Layer": {},
"Locations": [
@@ -51,6 +57,9 @@
"VulnerabilityID": "CVE-2022-3215",
"PkgID": "github.com/apple/swift-nio@2.41.0",
"PkgName": "github.com/apple/swift-nio",
"PkgIdentifier": {
"PURL": "pkg:swift/github.com/apple/swift-nio@2.41.0"
},
"InstalledVersion": "2.41.0",
"FixedVersion": "2.29.1, 2.39.1, 2.42.0",
"Status": "fixed",


@@ -25,6 +25,9 @@
"VulnerabilityID": "CVE-2019-15542",
"PkgID": "ammonia@1.9.0",
"PkgName": "ammonia",
"PkgIdentifier": {
"PURL": "pkg:cargo/ammonia@1.9.0"
},
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 2.1.0",
"Status": "fixed",
@@ -64,6 +67,9 @@
"VulnerabilityID": "CVE-2021-38193",
"PkgID": "ammonia@1.9.0",
"PkgName": "ammonia",
"PkgIdentifier": {
"PURL": "pkg:cargo/ammonia@1.9.0"
},
"InstalledVersion": "1.9.0",
"FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
"Status": "fixed",


@@ -80,6 +80,9 @@
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@4.2.46-33.el7.x86_64",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/redhat/bash@4.2.46-33.el7?arch=x86_64\u0026distro=redhat-7.7"
},
"InstalledVersion": "4.2.46-33.el7",
"Status": "will_not_fix",
"Layer": {


@@ -76,6 +76,9 @@
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "e2fsprogs@1.44.1-1ubuntu1.1",
"PkgName": "e2fsprogs",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/e2fsprogs@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
@@ -143,6 +146,9 @@
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libcom-err2@1.44.1-1ubuntu1.1",
"PkgName": "libcom-err2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libcom-err2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
@@ -210,6 +216,9 @@
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libext2fs2@1.44.1-1ubuntu1.1",
"PkgName": "libext2fs2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libext2fs2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
@@ -277,6 +286,9 @@
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libss2@1.44.1-1ubuntu1.1",
"PkgName": "libss2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libss2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",


@@ -76,6 +76,9 @@
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@4.4.18-2ubuntu1.2",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/bash@4.4.18-2ubuntu1.2?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "4.4.18-2ubuntu1.2",
"Status": "affected",
"Layer": {
@@ -135,6 +138,9 @@
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "e2fsprogs@1.44.1-1ubuntu1.1",
"PkgName": "e2fsprogs",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/e2fsprogs@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
@@ -202,6 +208,9 @@
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libcom-err2@1.44.1-1ubuntu1.1",
"PkgName": "libcom-err2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libcom-err2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
@@ -269,6 +278,9 @@
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libext2fs2@1.44.1-1ubuntu1.1",
"PkgName": "libext2fs2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libext2fs2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",
@@ -336,6 +348,9 @@
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "libss2@1.44.1-1ubuntu1.1",
"PkgName": "libss2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libss2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
"Status": "fixed",


@@ -29,6 +29,9 @@
"VulnerabilityID": "CVE-2022-3715",
"PkgID": "bash@5.1-6ubuntu1",
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/bash@5.1-6ubuntu1?arch=amd64\u0026distro=ubuntu-22.04"
},
"InstalledVersion": "5.1-6ubuntu1",
"Status": "affected",
"Layer": {},


@@ -24,6 +24,9 @@
{
"ID": "jquery@3.2.1",
"Name": "jquery",
"Identifier": {
"PURL": "pkg:npm/jquery@3.2.1"
},
"Version": "3.2.1",
"Licenses": [
"MIT"
@@ -42,6 +45,9 @@
"VulnerabilityID": "CVE-2019-11358",
"PkgID": "jquery@3.2.1",
"PkgName": "jquery",
"PkgIdentifier": {
"PURL": "pkg:npm/jquery@3.2.1"
},
"InstalledVersion": "3.2.1",
"FixedVersion": "3.4.0",
"Status": "fixed",


@@ -34,6 +34,7 @@ func detect(driver Driver, libs []ftypes.Package) ([]types.DetectedVulnerability
vulns[i].Layer = lib.Layer
vulns[i].PkgPath = lib.FilePath
vulns[i].PkgRef = lib.Ref
vulns[i].PkgIdentifier = lib.Identifier
}
vulnerabilities = append(vulnerabilities, vulns...)
}
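Review bot: `vulns[i].PkgIdentifier = lib.Identifier` copies a struct whose `PURL` field is a pointer (the test fixtures build it as `&types.PackageURL{...}`, and `handleBitnamiImages` in this same commit writes `Identifier.PURL.FilePath` through it), so the detected vulnerability and its package now share one `PackageURL` value and any later in-place edit of one shows up in the other. If that sharing is intended, a short comment here would save the next reader from wondering, e.g. `// PkgIdentifier shares the package's *PackageURL; never mutate it per vulnerability`; if not, copy the pointee before assigning. The same `PkgIdentifier: pkg.Identifier` field is added in each of the `Scanner.Detect` hunks below and the note applies there too. The body of `detect` starts and ends outside the hunk.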


@@ -81,7 +81,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
installed := utils.FormatVersion(pkg)
installedVersion := version.NewVersion(installed)
for _, adv := range advisories {
fixedVersion := version.NewVersion(adv.FixedVersion)
if installedVersion.LessThan(fixedVersion) {
@@ -92,6 +91,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
InstalledVersion: installed,
FixedVersion: fixedVersion.String(),
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
DataSource: adv.DataSource,
Custom: adv.Custom,


@@ -131,6 +131,7 @@ func (s *Scanner) Detect(osVer string, repo *ftypes.Repository, pkgs []ftypes.Pa
FixedVersion: adv.FixedVersion,
Layer: pkg.Layer,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Custom: adv.Custom,
DataSource: adv.DataSource,
})


@@ -104,6 +104,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
InstalledVersion: installed,
FixedVersion: adv.FixedVersion,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
Custom: adv.Custom,
DataSource: adv.DataSource,


@@ -82,6 +82,7 @@ func (s *Scanner) Detect(_ string, _ *ftypes.Repository, pkgs []ftypes.Package)
FixedVersion: adv.FixedVersion,
Layer: pkg.Layer,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Custom: adv.Custom,
DataSource: adv.DataSource,
})


@@ -104,6 +104,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
InstalledVersion: utils.FormatVersion(pkg),
FixedVersion: adv.FixedVersion,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Status: adv.Status,
Layer: pkg.Layer,
Custom: adv.Custom,


@@ -50,6 +50,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
PkgName: pkg.Name,
InstalledVersion: utils.FormatVersion(pkg),
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
DataSource: adv.DataSource,
}


@@ -87,6 +87,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
PkgName: pkg.Name,
InstalledVersion: installed,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
Custom: adv.Custom,
DataSource: adv.DataSource,


@@ -82,6 +82,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
PkgName: pkg.Name,
InstalledVersion: installed,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
Custom: adv.Custom,
DataSource: adv.DataSource,


@@ -158,6 +158,7 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln
PkgName: pkg.Name,
InstalledVersion: utils.FormatVersion(pkg),
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Status: adv.Status,
Layer: pkg.Layer,
SeveritySource: vulnerability.RedHat,


@@ -91,6 +91,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
InstalledVersion: installed,
FixedVersion: fixedVersion.String(),
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
DataSource: adv.DataSource,
Custom: adv.Custom,


@@ -134,6 +134,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
PkgName: pkg.Name,
InstalledVersion: installed,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
Custom: adv.Custom,
DataSource: adv.DataSource,


@@ -124,6 +124,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
InstalledVersion: utils.FormatVersion(pkg),
FixedVersion: adv.FixedVersion,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
Custom: adv.Custom,
DataSource: adv.DataSource,


@@ -82,6 +82,7 @@ func (s *Scanner) Detect(_ string, _ *ftypes.Repository, pkgs []ftypes.Package)
FixedVersion: adv.FixedVersion,
Layer: pkg.Layer,
PkgRef: pkg.Ref,
PkgIdentifier: pkg.Identifier,
Custom: adv.Custom,
DataSource: adv.DataSource,
})


@@ -13,6 +13,7 @@ import (
"time"
v1 "github.com/google/go-containerregistry/pkg/v1"
"golang.org/x/exp/maps"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -56,11 +57,11 @@ type archive struct {
}
type provide struct {
SO map[string]pkg // package which provides the shared object
Package map[string]pkg // package which provides the package
SO map[string]apk // package which provides the shared object
Package map[string]apk // package which provides the package
}
type pkg struct {
type apk struct {
Package string
Versions version
}
@@ -135,11 +136,8 @@ func (a alpineCmdAnalyzer) parseConfig(apkIndexArchive *apkIndex, config *v1.Con
uniqPkgs[result.Name] = result
}
}
for _, pkg := range uniqPkgs {
packages = append(packages, pkg)
}
return packages
return maps.Values(uniqPkgs)
}
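Review bot: `return maps.Values(uniqPkgs)` hands back the packages in Go's randomized map iteration order, exactly as the removed loop did, so callers still receive a nondeterministic slice; now that the flattening happens in one expression it is cheap to make the order stable or to say that it is not. Since the map is keyed by `result.Name`, sorting by that field would do, e.g. `pkgs := maps.Values(uniqPkgs)`, `sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].Name < pkgs[j].Name })`, `return pkgs`; otherwise a `// order is unspecified (map iteration)` comment above the return would be enough. Renaming the `pkg` type to `apk` also removes the clash with the `pkg` loop variable, which reads well. `parseConfig` begins outside the hunk, so whether a caller already sorts cannot be confirmed from here.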
func (a alpineCmdAnalyzer) parseCommand(command string, envs map[string]string) (pkgs []string) {


@@ -1070,11 +1070,11 @@ func TestAnalyze(t *testing.T) {
args: args{
targetOS: types.OS{
Family: "alpine",
Name: "",
Name: "3.9.1",
},
config: alpineConfig,
},
apkIndexArchivePath: testServer.URL + "%v",
apkIndexArchivePath: testServer.URL + "/%v",
want: wantPkgs,
},
}


@@ -116,7 +116,8 @@ func toApplication(fileType types.LangType, filePath, libFilePath string, r dio.
if lib.FilePath != "" {
libPath = lib.FilePath
}
pkgs = append(pkgs, types.Package{
newPkg := types.Package{
ID: lib.ID,
Name: lib.Name,
Version: lib.Version,
@@ -127,7 +128,8 @@ func toApplication(fileType types.LangType, filePath, libFilePath string, r dio.
DependsOn: deps[lib.ID],
Locations: locs,
Digest: d,
})
}
pkgs = append(pkgs, newPkg)
}
return &types.Application{


@@ -623,8 +623,9 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
Arch: "amd64",
},
{
ID: "libgpg-error0@1.27-6",
Name: "libgpg-error0",
ID: "libgpg-error0@1.27-6",
Name: "libgpg-error0",
Version: "1.27",
Release: "6",
SrcName: "libgpg-error",


@@ -3,14 +3,15 @@ package rpm
import (
"context"
"errors"
"os"
"strings"
"testing"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/types"
rpmdb "github.com/knqyf263/go-rpmdb/pkg"
"github.com/samber/lo"
"github.com/stretchr/testify/require"
"os"
"strings"
"testing"
"github.com/stretchr/testify/assert"
)


@@ -68,7 +68,7 @@ func (a rpmqaPkgAnalyzer) parseRpmqaManifest(r io.ReadSeekerAt) ([]types.Package
if err != nil {
return nil, xerrors.Errorf("failed to split source rpm: %w", err)
}
pkg := types.Package{
pkgs = append(pkgs, types.Package{
Name: name,
Version: ver,
Release: rel,
@@ -76,8 +76,7 @@ func (a rpmqaPkgAnalyzer) parseRpmqaManifest(r io.ReadSeekerAt) ([]types.Package
SrcName: srcName,
SrcVersion: srcVer,
SrcRelease: srcRel,
}
pkgs = append(pkgs, pkg)
})
}
return pkgs, nil
}


@@ -86,7 +86,11 @@ func handleBitnamiImages(componentPath string, bom types.SBOM) {
// e.g. modules/apm/elastic-apm-agent-1.36.0.jar
// => opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar
// If the file path is empty, the file path will be set to the component dir path.
bom.Applications[i].Libraries[j].FilePath = path.Join(componentPath, pkg.FilePath)
filePath := path.Join(componentPath, pkg.FilePath)
bom.Applications[i].Libraries[j].FilePath = filePath
if pkg.Identifier.PURL != nil && pkg.Identifier.PURL.FilePath != "" {
bom.Applications[i].Libraries[j].Identifier.PURL.FilePath = filePath
}
}
}
}
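Review bot: The new guard `if pkg.Identifier.PURL != nil && pkg.Identifier.PURL.FilePath != ""` only rewrites the PURL's file path when one was already present, so a library whose `Libraries[j].FilePath` has just been set to `filePath` but whose PURL carried no file path is left with a PURL that no longer matches the recorded path. If skipping PURLs without a file path is deliberate (only an existing qualifier is made absolute), a one-line comment would make that explicit, e.g. `// Only rewrite the PURL file path when the SBOM supplied one; never invent it`; if it is not, the second condition should be dropped. The surrounding comment block and the enclosing loops start outside the hunk.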


@@ -2,6 +2,7 @@ package sbom
import (
"context"
"github.com/package-url/packageurl-go"
"os"
"testing"
@@ -34,24 +35,64 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "1.36.0",
Ref: "pkg:maven/co.elastic.apm/apm-agent@1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent",
Version: "1.36.0",
},
},
},
},
{
Name: "co.elastic.apm:apm-agent-cached-lookup-key",
Version: "1.36.0",
Ref: "pkg:maven/co.elastic.apm/apm-agent-cached-lookup-key@1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-cached-lookup-key",
Version: "1.36.0",
},
},
},
},
{
Name: "co.elastic.apm:apm-agent-common",
Version: "1.36.0",
Ref: "pkg:maven/co.elastic.apm/apm-agent-common@1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-common",
Version: "1.36.0",
},
},
},
},
{
Name: "co.elastic.apm:apm-agent-core",
Version: "1.36.0",
Ref: "pkg:maven/co.elastic.apm/apm-agent-core@1.36.0",
FilePath: "opt/bitnami/elasticsearch",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-core",
Version: "1.36.0",
},
},
},
},
},
},
@@ -65,6 +106,21 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Ref: "pkg:bitnami/elasticsearch@8.9.1?arch=arm64",
Arch: "arm64",
Licenses: []string{"Elastic-2.0"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "elasticsearch",
Version: "8.9.1",
Qualifiers: packageurl.Qualifiers{
{
Key: "arch",
Value: "arm64",
},
},
},
},
},
},
},
},
@@ -86,12 +142,34 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Name: "co.elastic.apm:apm-agent",
Version: "1.36.0",
Ref: "pkg:maven/co.elastic.apm/apm-agent@1.36.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent",
Version: "1.36.0",
},
FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
},
},
},
{
FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
Name: "co.elastic.apm:apm-agent-cached-lookup-key",
Version: "1.36.0",
Ref: "pkg:maven/co.elastic.apm/apm-agent-cached-lookup-key@1.36.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent-cached-lookup-key",
Version: "1.36.0",
},
FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
},
},
},
},
},
@@ -114,24 +192,60 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
Version: "3.7.1",
Ref: "pkg:bitnami/gdal@3.7.1",
Licenses: []string{"MIT"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "gdal",
Version: "3.7.1",
},
},
},
},
{
Name: "geos",
Version: "3.8.3",
Ref: "pkg:bitnami/geos@3.8.3",
Licenses: []string{"LGPL-2.1-only"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "geos",
Version: "3.8.3",
},
},
},
},
{
Name: "postgresql",
Version: "15.3.0",
Ref: "pkg:bitnami/postgresql@15.3.0",
Licenses: []string{"PostgreSQL"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "postgresql",
Version: "15.3.0",
},
},
},
},
{
Name: "proj",
Version: "6.3.2",
Ref: "pkg:bitnami/proj@6.3.2",
Licenses: []string{"MIT"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeBitnami,
Name: "proj",
Version: "6.3.2",
},
},
},
},
},
},
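Review bot: The new `"github.com/package-url/packageurl-go"` import in this file's import hunk is placed inside the standard-library group, between `"context"` and `"os"`, instead of in the third-party group that presumably follows below the visible context; `goimports` would move it after a blank line with the other non-stdlib imports. The same placement appears in the import hunks of the two `applier_test` files, the `image_test` file and the `sbom_test` file further down in this commit. It is a one-line move per file, e.g. dropping `"github.com/package-url/packageurl-go"` from the stdlib block and adding it to the non-stdlib block.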


@@ -1,6 +1,7 @@
package applier_test
import (
"github.com/package-url/packageurl-go"
"sort"
"testing"
@@ -149,6 +150,22 @@ func TestApplier_ApplyLayers(t *testing.T) {
Version: "2.24-11+deb9u4",
SrcName: "glibc",
SrcVersion: "2.24-11+deb9u4",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeDebian,
Namespace: "debian",
Name: "libc6",
Version: "2.24-11+deb9u4",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "debian-9.9",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
@@ -159,6 +176,22 @@ func TestApplier_ApplyLayers(t *testing.T) {
Version: "2019a-0+deb9u1",
SrcName: "tzdata",
SrcVersion: "2019a-0+deb9u1",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeDebian,
Namespace: "debian",
Name: "tzdata",
Version: "2019a-0+deb9u1",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "debian-9.9",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -177,6 +210,16 @@ func TestApplier_ApplyLayers(t *testing.T) {
Digest: "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203",
DiffID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "guzzlehttp",
Name: "guzzle",
Version: "6.2.0",
},
},
},
},
{
Name: "symfony/process",
@@ -185,6 +228,16 @@ func TestApplier_ApplyLayers(t *testing.T) {
Digest: "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203",
DiffID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "symfony",
Name: "process",
Version: "v4.2.7",
},
},
},
},
},
},
@@ -299,6 +352,22 @@ func TestApplier_ApplyLayers(t *testing.T) {
{
Name: "busybox",
Version: "1.30.1-r3",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "busybox",
Version: "1.30.1-r3",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.10.4",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -307,6 +376,22 @@ func TestApplier_ApplyLayers(t *testing.T) {
{
Name: "libcrypto1.1",
Version: "1.1.1d-r2",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "libcrypto1.1",
Version: "1.1.1d-r2",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.10.4",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -315,6 +400,22 @@ func TestApplier_ApplyLayers(t *testing.T) {
{
Name: "libssl1.1",
Version: "1.1.1d-r2",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "libssl1.1",
Version: "1.1.1d-r2",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.10.4",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -323,6 +424,22 @@ func TestApplier_ApplyLayers(t *testing.T) {
{
Name: "musl",
Version: "1.1.22-r3",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "musl",
Version: "1.1.22-r3",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.10.4",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -331,6 +448,23 @@ func TestApplier_ApplyLayers(t *testing.T) {
{
Name: "openssl",
Version: "1.1.1d-r2",
Identifier: types.PkgIdentifier{
//PURL: "pkg:apk/alpine/openssl@1.1.1d-r2?distro=3.10.4",
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "openssl",
Version: "1.1.1d-r2",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.10.4",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -549,6 +683,16 @@ func TestApplier_ApplyLayers(t *testing.T) {
Digest: "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203",
DiffID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "guzzlehttp",
Name: "guzzle",
Version: "6.2.0",
},
},
},
},
{
Name: "symfony/process",
@@ -557,6 +701,16 @@ func TestApplier_ApplyLayers(t *testing.T) {
Digest: "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203",
DiffID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "symfony",
Name: "process",
Version: "v4.2.7",
},
},
},
},
},
},
@@ -741,6 +895,16 @@ func TestApplier_ApplyLayers(t *testing.T) {
Digest: "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "guzzlehttp",
Name: "guzzle",
Version: "6.2.0",
},
},
},
},
{
Name: "symfony/process",
@@ -749,6 +913,16 @@ func TestApplier_ApplyLayers(t *testing.T) {
Digest: "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "symfony",
Name: "process",
Version: "v4.2.7",
},
},
},
},
},
},
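Review bot: The commented-out line `//PURL: "pkg:apk/alpine/openssl@1.1.1d-r2?distro=3.10.4",` inside the openssl package's `Identifier` literal (in the `@@ -331,6 +448,23 @@` hunk) is a leftover from the string-based PURL and should be deleted; the structured `packageurl.PackageURL` literal directly below it carries the same information. Leaving it suggests the string form is still an accepted value of `PkgIdentifier.PURL`, which the rest of this commit shows it is not. Every other package in this file received the structured literal without the stale comment, so dropping the line also keeps the fixtures consistent.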


@@ -8,7 +8,10 @@ import (
"github.com/knqyf263/nested"
"github.com/samber/lo"
"github.com/aquasecurity/trivy/pkg/fanal/types"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/purl"
"github.com/aquasecurity/trivy/pkg/types"
)
type Config struct {
@@ -25,7 +28,7 @@ type History struct {
CreatedBy string `json:"created_by"`
}
func containsPackage(e types.Package, s []types.Package) bool {
func containsPackage(e ftypes.Package, s []ftypes.Package) bool {
for _, a := range s {
if a.Name == e.Name && a.Version == e.Version && a.Release == e.Release {
return true
@@ -34,7 +37,7 @@ func containsPackage(e types.Package, s []types.Package) bool {
return false
}
func lookupOriginLayerForPkg(pkg types.Package, layers []types.BlobInfo) (string, string, *types.BuildInfo) {
func lookupOriginLayerForPkg(pkg ftypes.Package, layers []ftypes.BlobInfo) (string, string, *ftypes.BuildInfo) {
for i, layer := range layers {
for _, info := range layer.PackageInfos {
if containsPackage(pkg, info.Packages) {
@@ -46,7 +49,7 @@ func lookupOriginLayerForPkg(pkg types.Package, layers []types.BlobInfo) (string
}
// lookupBuildInfo looks up Red Hat content sets from all layers
func lookupBuildInfo(index int, layers []types.BlobInfo) *types.BuildInfo {
func lookupBuildInfo(index int, layers []ftypes.BlobInfo) *ftypes.BuildInfo {
if layers[index].BuildInfo != nil {
return layers[index].BuildInfo
}
@@ -70,7 +73,7 @@ func lookupBuildInfo(index int, layers []types.BlobInfo) *types.BuildInfo {
return nil
}
func lookupOriginLayerForLib(filePath string, lib types.Package, layers []types.BlobInfo) (string, string) {
func lookupOriginLayerForLib(filePath string, lib ftypes.Package, layers []ftypes.BlobInfo) (string, string) {
for _, layer := range layers {
for _, layerApp := range layer.Applications {
if filePath != layerApp.FilePath {
@@ -86,11 +89,11 @@ func lookupOriginLayerForLib(filePath string, lib types.Package, layers []types.
// ApplyLayers returns the merged layer
// nolint: gocyclo
func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
func ApplyLayers(layers []ftypes.BlobInfo) ftypes.ArtifactDetail {
sep := "/"
nestedMap := nested.Nested{}
secretsMap := make(map[string]types.Secret)
var mergedLayer types.ArtifactDetail
secretsMap := make(map[string]ftypes.Secret)
var mergedLayer ftypes.ArtifactDetail
for _, layer := range layers {
for _, opqDir := range layer.OpaqueDirs {
@@ -121,7 +124,7 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
// Apply misconfigurations
for _, config := range layer.Misconfigurations {
config.Layer = types.Layer{
config.Layer = ftypes.Layer{
Digest: layer.Digest,
DiffID: layer.DiffID,
}
@@ -131,7 +134,7 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
// Apply secrets
for _, secret := range layer.Secrets {
l := types.Layer{
l := ftypes.Layer{
Digest: layer.Digest,
DiffID: layer.DiffID,
CreatedBy: layer.CreatedBy,
@@ -141,7 +144,7 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
// Apply license files
for _, license := range layer.Licenses {
license.Layer = types.Layer{
license.Layer = ftypes.Layer{
Digest: layer.Digest,
DiffID: layer.DiffID,
}
@@ -152,7 +155,7 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
// Apply custom resources
for _, customResource := range layer.CustomResources {
key := fmt.Sprintf("%s/custom:%s", customResource.FilePath, customResource.Type)
customResource.Layer = types.Layer{
customResource.Layer = ftypes.Layer{
Digest: layer.Digest,
DiffID: layer.DiffID,
}
@@ -163,15 +166,15 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
// nolint
_ = nestedMap.Walk(func(keys []string, value interface{}) error {
switch v := value.(type) {
case types.PackageInfo:
case ftypes.PackageInfo:
mergedLayer.Packages = append(mergedLayer.Packages, v.Packages...)
case types.Application:
case ftypes.Application:
mergedLayer.Applications = append(mergedLayer.Applications, v)
case types.Misconfiguration:
case ftypes.Misconfiguration:
mergedLayer.Misconfigurations = append(mergedLayer.Misconfigurations, v)
case types.LicenseFile:
case ftypes.LicenseFile:
mergedLayer.Licenses = append(mergedLayer.Licenses, v)
case types.CustomResource:
case ftypes.CustomResource:
mergedLayer.CustomResources = append(mergedLayer.CustomResources, v)
}
return nil
@@ -185,14 +188,14 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
// The license information is not stored in the dpkg database and in a separate file,
// so we have to merge the license information into the package.
dpkgLicenses := make(map[string][]string)
mergedLayer.Licenses = lo.Reject(mergedLayer.Licenses, func(license types.LicenseFile, _ int) bool {
if license.Type != types.LicenseTypeDpkg {
mergedLayer.Licenses = lo.Reject(mergedLayer.Licenses, func(license ftypes.LicenseFile, _ int) bool {
if license.Type != ftypes.LicenseTypeDpkg {
return false
}
// e.g.
// "adduser" => {"GPL-2"}
// "openssl" => {"MIT", "BSD"}
dpkgLicenses[license.PkgName] = lo.Map(license.Findings, func(finding types.LicenseFinding, _ int) string {
dpkgLicenses[license.PkgName] = lo.Map(license.Findings, func(finding ftypes.LicenseFinding, _ int) string {
return finding.Name
})
// Remove this license in the merged result as it is merged into the package information.
@@ -208,11 +211,14 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
continue
}
originLayerDigest, originLayerDiffID, buildInfo := lookupOriginLayerForPkg(pkg, layers)
mergedLayer.Packages[i].Layer = types.Layer{
mergedLayer.Packages[i].Layer = ftypes.Layer{
Digest: originLayerDigest,
DiffID: originLayerDiffID,
}
mergedLayer.Packages[i].BuildInfo = buildInfo
if mergedLayer.OS.Family != "" {
mergedLayer.Packages[i].Identifier.PURL = newPURL(mergedLayer.OS.Family, types.Metadata{OS: &mergedLayer.OS}, pkg)
}
// Only debian packages
if licenses, ok := dpkgLicenses[pkg.Name]; ok {
@@ -227,10 +233,13 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
continue
}
originLayerDigest, originLayerDiffID := lookupOriginLayerForLib(app.FilePath, lib, layers)
app.Libraries[i].Layer = types.Layer{
app.Libraries[i].Layer = ftypes.Layer{
Digest: originLayerDigest,
DiffID: originLayerDiffID,
}
if lib.Identifier.PURL == nil {
app.Libraries[i].Identifier.PURL = newPURL(app.Type, types.Metadata{}, lib)
}
}
}
@@ -240,16 +249,24 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
return mergedLayer
}
// aggregate merges all packages installed by pip/gem/npm/jar/conda into each application
func aggregate(detail *types.ArtifactDetail) {
var apps []types.Application
func newPURL(pkgType ftypes.TargetType, metadata types.Metadata, pkg ftypes.Package) *ftypes.PackageURL {
p, err := purl.New(pkgType, metadata, pkg)
if err != nil {
log.Logger.Errorf("Failed to create PackageURL: %s", err)
}
return p
}
aggregatedApps := map[types.LangType]*types.Application{
types.PythonPkg: {Type: types.PythonPkg},
types.CondaPkg: {Type: types.CondaPkg},
types.GemSpec: {Type: types.GemSpec},
types.NodePkg: {Type: types.NodePkg},
types.Jar: {Type: types.Jar},
// aggregate merges all packages installed by pip/gem/npm/jar/conda into each application
func aggregate(detail *ftypes.ArtifactDetail) {
var apps []ftypes.Application
aggregatedApps := map[ftypes.LangType]*ftypes.Application{
ftypes.PythonPkg: {Type: ftypes.PythonPkg},
ftypes.CondaPkg: {Type: ftypes.CondaPkg},
ftypes.GemSpec: {Type: ftypes.GemSpec},
ftypes.NodePkg: {Type: ftypes.NodePkg},
ftypes.Jar: {Type: ftypes.Jar},
}
for _, app := range detail.Applications {
@@ -273,7 +290,7 @@ func aggregate(detail *types.ArtifactDetail) {
// We must save secrets from all layers even though they are removed in the uppler layer.
// If the secret was changed at the top level, we need to overwrite it.
func mergeSecrets(secretsMap map[string]types.Secret, newSecret types.Secret, layer types.Layer) map[string]types.Secret {
func mergeSecrets(secretsMap map[string]ftypes.Secret, newSecret ftypes.Secret, layer ftypes.Layer) map[string]ftypes.Secret {
for i := range newSecret.Findings { // add layer to the Findings from the new secret
newSecret.Findings[i].Layer = layer
}
@@ -294,7 +311,7 @@ func mergeSecrets(secretsMap map[string]types.Secret, newSecret types.Secret, la
return secretsMap
}
func secretFindingsContains(findings []types.SecretFinding, finding types.SecretFinding) bool {
func secretFindingsContains(findings []ftypes.SecretFinding, finding ftypes.SecretFinding) bool {
for _, f := range findings {
if f.RuleID == finding.RuleID {
return true
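Review bot: `newPURL` logs when `purl.New` fails but then returns `p` regardless, so whatever `purl.New` left in `p` on the error path is stored into `Identifier.PURL` by both call sites in `ApplyLayers`; unless `purl.New` guarantees a nil result on error, return nil explicitly: `if err != nil { log.Logger.Errorf("Failed to create PackageURL: %s", err); return nil }`. The two call sites also differ: OS packages get `Identifier.PURL` overwritten unconditionally whenever `mergedLayer.OS.Family` is set, while libraries only get one when `lib.Identifier.PURL == nil`; if an OS package can already carry a PURL (the SBOM artifact tests in this commit show apk packages with one), that asymmetry presumably discards it, so either guard the OS branch the same way or document why the recomputed PURL is preferred. A doc comment on `newPURL` stating that a failed conversion is logged and yields a nil PURL rather than an error would make the best-effort contract explicit to callers. The body of `ApplyLayers` starts and ends outside these hunks.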


@@ -1,6 +1,7 @@
package applier_test
import (
"github.com/package-url/packageurl-go"
"sort"
"testing"
@@ -143,6 +144,22 @@ func TestApplyLayers(t *testing.T) {
Name: "musl",
Version: "1.2.4",
Release: "4.5.8",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "musl",
Version: "1.2.4-4.5.8",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.10",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -152,6 +169,22 @@ func TestApplyLayers(t *testing.T) {
Name: "openssl",
Version: "1.2.3",
Release: "4.5.6",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "openssl",
Version: "1.2.3-4.5.6",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.10",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -170,6 +203,16 @@ func TestApplyLayers(t *testing.T) {
Digest: "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGem,
Name: "activesupport",
Version: "6.0.2.1",
},
FilePath: "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
},
},
},
{
Name: "gon",
@@ -179,6 +222,16 @@ func TestApplyLayers(t *testing.T) {
Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGem,
Name: "gon",
Version: "6.3.2",
},
FilePath: "usr/local/bundle/specifications/gon-6.3.2.gemspec",
},
},
},
},
},
@@ -193,6 +246,15 @@ func TestApplyLayers(t *testing.T) {
Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGem,
Name: "gemlibrary1",
Version: "1.2.3",
},
},
},
},
},
},
@@ -413,6 +475,15 @@ func TestApplyLayers(t *testing.T) {
Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGem,
Name: "rack",
Version: "4.0.0",
},
},
},
},
{
Name: "rails",
@@ -421,6 +492,15 @@ func TestApplyLayers(t *testing.T) {
Digest: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGem,
Name: "rails",
Version: "6.0.0",
},
},
},
},
},
},
@@ -435,6 +515,15 @@ func TestApplyLayers(t *testing.T) {
Digest: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Name: "phplibrary1",
Version: "6.6.6",
},
},
},
},
},
},
@@ -691,6 +780,22 @@ func TestApplyLayers(t *testing.T) {
Version: "1.2.4",
Release: "4.5.7",
Licenses: []string{"GPL-2"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeDebian,
Namespace: "debian",
Name: "libc",
Version: "1.2.4-4.5.7",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "debian-8",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -701,6 +806,22 @@ func TestApplyLayers(t *testing.T) {
Version: "1.2.3",
Release: "4.5.6",
Licenses: []string{"OpenSSL"},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeDebian,
Namespace: "debian",
Name: "openssl",
Version: "1.2.3-4.5.6",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "debian-8",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
@@ -837,6 +958,22 @@ func TestApplyLayers(t *testing.T) {
Name: "bash",
Version: "5.6.7",
Release: "8",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeRPM,
Namespace: "redhat",
Name: "bash",
Version: "5.6.7-8",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "redhat-8",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -850,6 +987,22 @@ func TestApplyLayers(t *testing.T) {
Name: "libc",
Version: "1.2.4",
Release: "5",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeRPM,
Namespace: "redhat",
Name: "libc",
Version: "1.2.4-5",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "redhat-8",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -865,6 +1018,22 @@ func TestApplyLayers(t *testing.T) {
Name: "openssl",
Version: "1.2.3",
Release: "4",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeRPM,
Namespace: "redhat",
Name: "openssl",
Version: "1.2.3-4",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "redhat-8",
},
},
},
},
},
Layer: types.Layer{
Digest: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",


@@ -2,6 +2,7 @@ package image_test
import (
"context"
"github.com/package-url/packageurl-go"
"net/http"
"net/http/httptest"
"net/url"
@@ -69,7 +70,7 @@ func TestArtifact_InspectRekorAttestation(t *testing.T) {
putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:9c23872047046e145f49fb5533b63ace0cbf819f5b68e33f69f4e9bbab4c517e",
BlobID: "sha256:754c66ef82bae2e07dc6e7a7bc42f078e1f48cbbc5b9124d18f1c18a48e1ad31",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
OS: types.OS{
@@ -80,8 +81,24 @@ func TestArtifact_InspectRekorAttestation(t *testing.T) {
{
Packages: types.Packages{
{
Name: "musl",
Version: "1.2.3-r0",
Name: "musl",
Version: "1.2.3-r0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "musl",
Version: "1.2.3-r0",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.16.2",
},
},
},
},
},
SrcName: "musl",
SrcVersion: "1.2.3-r0",
Licenses: []string{"MIT"},
@@ -104,9 +121,9 @@ func TestArtifact_InspectRekorAttestation(t *testing.T) {
want: types.ArtifactReference{
Name: "test/image:10",
Type: types.ArtifactCycloneDX,
ID: "sha256:9c23872047046e145f49fb5533b63ace0cbf819f5b68e33f69f4e9bbab4c517e",
ID: "sha256:754c66ef82bae2e07dc6e7a7bc42f078e1f48cbbc5b9124d18f1c18a48e1ad31",
BlobIDs: []string{
"sha256:9c23872047046e145f49fb5533b63ace0cbf819f5b68e33f69f4e9bbab4c517e",
"sha256:754c66ef82bae2e07dc6e7a7bc42f078e1f48cbbc5b9124d18f1c18a48e1ad31",
},
},
},
@@ -173,7 +190,6 @@ func TestArtifact_inspectOCIReferrerSBOM(t *testing.T) {
case "/v2/test/image/blobs/sha256:9e05dda2a2dcdd526c9204be8645ae48742861c27f093bf496a6397834acecf2":
http.ServeFile(w, r, "testdata/cyclonedx.json")
}
return
}))
defer ts.Close()
@@ -208,7 +224,7 @@ func TestArtifact_inspectOCIReferrerSBOM(t *testing.T) {
putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:d07a1894bfd283b4ac26682ab48f12ad22cdc4fef9cf8b4c09056f631d3667a5",
BlobID: "sha256:c4e3bd56d4b5f9634c918d0953f7667928c2410e23bdacb299bfe5802217809a",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Applications: []types.Application{
@@ -218,12 +234,32 @@ func TestArtifact_inspectOCIReferrerSBOM(t *testing.T) {
{
Name: "github.com/opencontainers/go-digest",
Version: "v1.0.0",
Ref: "pkg:golang/github.com/opencontainers/go-digest@v1.0.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "github.com/opencontainers",
Name: "go-digest",
Version: "v1.0.0",
},
},
},
Ref: "pkg:golang/github.com/opencontainers/go-digest@v1.0.0",
},
{
Name: "golang.org/x/sync",
Version: "v0.1.0",
Ref: "pkg:golang/golang.org/x/sync@v0.1.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "golang.org/x",
Name: "sync",
Version: "v0.1.0",
},
},
},
Ref: "pkg:golang/golang.org/x/sync@v0.1.0",
},
},
},
@@ -235,9 +271,9 @@ func TestArtifact_inspectOCIReferrerSBOM(t *testing.T) {
want: types.ArtifactReference{
Name: registry + "/test/image:10",
Type: types.ArtifactCycloneDX,
ID: "sha256:d07a1894bfd283b4ac26682ab48f12ad22cdc4fef9cf8b4c09056f631d3667a5",
ID: "sha256:c4e3bd56d4b5f9634c918d0953f7667928c2410e23bdacb299bfe5802217809a",
BlobIDs: []string{
"sha256:d07a1894bfd283b4ac26682ab48f12ad22cdc4fef9cf8b4c09056f631d3667a5",
"sha256:c4e3bd56d4b5f9634c918d0953f7667928c2410e23bdacb299bfe5802217809a",
},
},
},


@@ -47,7 +47,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:bb194ca778e3ecfa4b2addeae7b2c6b22ed10ab054b9d23e601c54e332913055",
BlobID: "sha256:ff28bff7756fb32d0a060b3b474b31a781a2d365dcd2789f47b4ae556a34947e",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
OS: types.OS{
@@ -82,9 +82,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: types.ArtifactReference{
Name: "host",
Type: types.ArtifactFilesystem,
ID: "sha256:bb194ca778e3ecfa4b2addeae7b2c6b22ed10ab054b9d23e601c54e332913055",
ID: "sha256:ff28bff7756fb32d0a060b3b474b31a781a2d365dcd2789f47b4ae556a34947e",
BlobIDs: []string{
"sha256:bb194ca778e3ecfa4b2addeae7b2c6b22ed10ab054b9d23e601c54e332913055",
"sha256:ff28bff7756fb32d0a060b3b474b31a781a2d365dcd2789f47b4ae556a34947e",
},
},
},
@@ -125,7 +125,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:bb194ca778e3ecfa4b2addeae7b2c6b22ed10ab054b9d23e601c54e332913055",
BlobID: "sha256:ff28bff7756fb32d0a060b3b474b31a781a2d365dcd2789f47b4ae556a34947e",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
OS: types.OS{
@@ -175,7 +175,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:0e0d362332d8928f71ac2c11e0813e2ec251dca9bdf1a66bd69cad8f2ef66ca1",
BlobID: "sha256:09aa251b64e824d0ec71a8c469619e57c9bd91d885f26e4a840de94209acbe4f",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Applications: []types.Application{
@@ -197,9 +197,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/requirements.txt",
Type: types.ArtifactFilesystem,
ID: "sha256:0e0d362332d8928f71ac2c11e0813e2ec251dca9bdf1a66bd69cad8f2ef66ca1",
ID: "sha256:09aa251b64e824d0ec71a8c469619e57c9bd91d885f26e4a840de94209acbe4f",
BlobIDs: []string{
"sha256:0e0d362332d8928f71ac2c11e0813e2ec251dca9bdf1a66bd69cad8f2ef66ca1",
"sha256:09aa251b64e824d0ec71a8c469619e57c9bd91d885f26e4a840de94209acbe4f",
},
},
},
@@ -210,7 +210,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:0e0d362332d8928f71ac2c11e0813e2ec251dca9bdf1a66bd69cad8f2ef66ca1",
BlobID: "sha256:09aa251b64e824d0ec71a8c469619e57c9bd91d885f26e4a840de94209acbe4f",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Applications: []types.Application{
@@ -232,9 +232,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: types.ArtifactReference{
Name: "testdata/requirements.txt",
Type: types.ArtifactFilesystem,
ID: "sha256:0e0d362332d8928f71ac2c11e0813e2ec251dca9bdf1a66bd69cad8f2ef66ca1",
ID: "sha256:09aa251b64e824d0ec71a8c469619e57c9bd91d885f26e4a840de94209acbe4f",
BlobIDs: []string{
"sha256:0e0d362332d8928f71ac2c11e0813e2ec251dca9bdf1a66bd69cad8f2ef66ca1",
"sha256:09aa251b64e824d0ec71a8c469619e57c9bd91d885f26e4a840de94209acbe4f",
},
},
},


@@ -3,6 +3,7 @@ package sbom_test
import (
"context"
"errors"
"github.com/package-url/packageurl-go"
"path/filepath"
"strings"
"testing"
@@ -29,7 +30,7 @@ func TestArtifact_Inspect(t *testing.T) {
filePath: filepath.Join("testdata", "bom.json"),
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:3dca5f9082ac4e9669b5e461ae54ffe70db4ea275a09506014b17e012687e855",
BlobID: "sha256:c1cc58e08422fd7606a8e9ee2b42bf722b7af8b703b895461c23b83956f33227",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
OS: types.OS{
@@ -49,6 +50,22 @@ func TestArtifact_Inspect(t *testing.T) {
Layer: types.Layer{
DiffID: "sha256:dd565ff850e7003356e2b252758f9bdc1ff2803f61e995e24c7844f6297f8fc3",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "musl",
Version: "1.2.3-r0",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.16.0",
},
},
},
},
},
},
},
},
@@ -65,6 +82,16 @@ func TestArtifact_Inspect(t *testing.T) {
Layer: types.Layer{
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "pear",
Name: "log",
Version: "1.13.1",
},
},
},
},
{
@@ -74,6 +101,16 @@ func TestArtifact_Inspect(t *testing.T) {
Layer: types.Layer{
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "pear",
Name: "pear_exception",
Version: "v1.0.0",
},
},
},
},
},
},
@@ -88,6 +125,16 @@ func TestArtifact_Inspect(t *testing.T) {
Layer: types.Layer{
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "github.com/package-url",
Name: "packageurl-go",
Version: "v0.1.1-0.20220203205134-d70459300c8a",
},
},
},
},
},
},
@@ -103,6 +150,17 @@ func TestArtifact_Inspect(t *testing.T) {
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
FilePath: "app/maven/target/child-project-1.0.jar",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "org.codehaus.mojo",
Name: "child-project",
Version: "1.0",
},
FilePath: "app/maven/target/child-project-1.0.jar",
},
},
},
},
},
@@ -119,6 +177,16 @@ func TestArtifact_Inspect(t *testing.T) {
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
FilePath: "app/app/package.json",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeNPM,
Name: "bootstrap",
Version: "5.0.2",
},
FilePath: "app/app/package.json",
},
},
},
},
},
@@ -130,9 +198,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: types.ArtifactReference{
Name: filepath.Join("testdata", "bom.json"),
Type: types.ArtifactCycloneDX,
ID: "sha256:3dca5f9082ac4e9669b5e461ae54ffe70db4ea275a09506014b17e012687e855",
ID: "sha256:c1cc58e08422fd7606a8e9ee2b42bf722b7af8b703b895461c23b83956f33227",
BlobIDs: []string{
"sha256:3dca5f9082ac4e9669b5e461ae54ffe70db4ea275a09506014b17e012687e855",
"sha256:c1cc58e08422fd7606a8e9ee2b42bf722b7af8b703b895461c23b83956f33227",
},
},
},
@@ -141,7 +209,7 @@ func TestArtifact_Inspect(t *testing.T) {
filePath: filepath.Join("testdata", "sbom.cdx.intoto.jsonl"),
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:3dca5f9082ac4e9669b5e461ae54ffe70db4ea275a09506014b17e012687e855",
BlobID: "sha256:c1cc58e08422fd7606a8e9ee2b42bf722b7af8b703b895461c23b83956f33227",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
OS: types.OS{
@@ -157,7 +225,23 @@ func TestArtifact_Inspect(t *testing.T) {
SrcName: "musl",
SrcVersion: "1.2.3-r0",
Licenses: []string{"MIT"},
Ref: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeApk,
Namespace: "alpine",
Name: "musl",
Version: "1.2.3-r0",
Qualifiers: packageurl.Qualifiers{
{
Key: "distro",
Value: "3.16.0",
},
},
},
},
},
Ref: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.0",
Layer: types.Layer{
DiffID: "sha256:dd565ff850e7003356e2b252758f9bdc1ff2803f61e995e24c7844f6297f8fc3",
},
@@ -173,7 +257,17 @@ func TestArtifact_Inspect(t *testing.T) {
{
Name: "pear/log",
Version: "1.13.1",
Ref: "pkg:composer/pear/log@1.13.1",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "pear",
Name: "log",
Version: "1.13.1",
},
},
},
Ref: "pkg:composer/pear/log@1.13.1",
Layer: types.Layer{
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
@@ -182,7 +276,17 @@ func TestArtifact_Inspect(t *testing.T) {
Name: "pear/pear_exception",
Version: "v1.0.0",
Ref: "pkg:composer/pear/pear_exception@v1.0.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeComposer,
Namespace: "pear",
Name: "pear_exception",
Version: "v1.0.0",
},
},
},
Ref: "pkg:composer/pear/pear_exception@v1.0.0",
Layer: types.Layer{
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
@@ -196,7 +300,17 @@ func TestArtifact_Inspect(t *testing.T) {
{
Name: "github.com/package-url/packageurl-go",
Version: "v0.1.1-0.20220203205134-d70459300c8a",
Ref: "pkg:golang/github.com/package-url/packageurl-go@v0.1.1-0.20220203205134-d70459300c8a",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "github.com/package-url",
Name: "packageurl-go",
Version: "v0.1.1-0.20220203205134-d70459300c8a",
},
},
},
Ref: "pkg:golang/github.com/package-url/packageurl-go@v0.1.1-0.20220203205134-d70459300c8a",
Layer: types.Layer{
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
@@ -209,8 +323,19 @@ func TestArtifact_Inspect(t *testing.T) {
Libraries: types.Packages{
{
Name: "org.codehaus.mojo:child-project",
Ref: "pkg:maven/org.codehaus.mojo/child-project@1.0?file_path=app%2Fmaven%2Ftarget%2Fchild-project-1.0.jar",
Version: "1.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "org.codehaus.mojo",
Name: "child-project",
Version: "1.0",
},
FilePath: "app/maven/target/child-project-1.0.jar",
},
},
Ref: "pkg:maven/org.codehaus.mojo/child-project@1.0?file_path=app%2Fmaven%2Ftarget%2Fchild-project-1.0.jar",
Layer: types.Layer{
DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
},
@@ -223,8 +348,18 @@ func TestArtifact_Inspect(t *testing.T) {
FilePath: "",
Libraries: types.Packages{
{
Name: "bootstrap",
Version: "5.0.2",
Name: "bootstrap",
Version: "5.0.2",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeNPM,
Name: "bootstrap",
Version: "5.0.2",
},
FilePath: "app/app/package.json",
},
},
Ref: "pkg:npm/bootstrap@5.0.2?file_path=app%2Fapp%2Fpackage.json",
Licenses: []string{"MIT"},
Layer: types.Layer{
@@ -242,9 +377,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: types.ArtifactReference{
Name: filepath.Join("testdata", "sbom.cdx.intoto.jsonl"),
Type: types.ArtifactCycloneDX,
ID: "sha256:3dca5f9082ac4e9669b5e461ae54ffe70db4ea275a09506014b17e012687e855",
ID: "sha256:c1cc58e08422fd7606a8e9ee2b42bf722b7af8b703b895461c23b83956f33227",
BlobIDs: []string{
"sha256:3dca5f9082ac4e9669b5e461ae54ffe70db4ea275a09506014b17e012687e855",
"sha256:c1cc58e08422fd7606a8e9ee2b42bf722b7af8b703b895461c23b83956f33227",
},
},
},
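Review bot: The new `"github.com/package-url/packageurl-go"` import in the first hunk is placed inside the standard-library group between `"errors"` and `"path/filepath"`; goimports would move it into the third-party group below, and the same placement appears in the import hunk of the unpackaged handler test further down this page. The expectation blocks otherwise mirror the fixture data, so this is style only. The enclosing `TestArtifact_Inspect` table starts and ends outside the hunks.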


@@ -121,7 +121,7 @@ func TestArtifact_Inspect(t *testing.T) {
rootDir: "testdata/alpine",
putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
Args: cache.ArtifactCachePutBlobArgs{
BlobID: "sha256:aeadb167e49ab2616738bc1d8b39f742968bef78baed984cf5801c678d6750ce",
BlobID: "sha256:84a726d23c36d0e1857101969b257c1199de5432489d44581750d54ea8eff8cd",
BlobInfo: expectedBlobInfo,
},
Returns: cache.ArtifactCachePutBlobReturns{},
@@ -129,7 +129,7 @@ func TestArtifact_Inspect(t *testing.T) {
putArtifactExpectations: []cache.ArtifactCachePutArtifactExpectation{
{
Args: cache.ArtifactCachePutArtifactArgs{
ArtifactID: "sha256:aeadb167e49ab2616738bc1d8b39f742968bef78baed984cf5801c678d6750ce",
ArtifactID: "sha256:84a726d23c36d0e1857101969b257c1199de5432489d44581750d54ea8eff8cd",
ArtifactInfo: types.ArtifactInfo{
SchemaVersion: types.ArtifactJSONSchemaVersion,
},
@@ -139,9 +139,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: types.ArtifactReference{
Name: "rawdata.img",
Type: types.ArtifactVM,
ID: "sha256:aeadb167e49ab2616738bc1d8b39f742968bef78baed984cf5801c678d6750ce",
ID: "sha256:84a726d23c36d0e1857101969b257c1199de5432489d44581750d54ea8eff8cd",
BlobIDs: []string{
"sha256:aeadb167e49ab2616738bc1d8b39f742968bef78baed984cf5801c678d6750ce",
"sha256:84a726d23c36d0e1857101969b257c1199de5432489d44581750d54ea8eff8cd",
},
},
},


@@ -225,6 +225,7 @@ func TestFSCache_PutBlob(t *testing.T) {
{
"Name": "musl",
"Version": "1.1.22-r3",
"Identifier": {},
"Layer": {}
}
]
@@ -238,11 +239,13 @@ func TestFSCache_PutBlob(t *testing.T) {
{
"Name":"guzzlehttp/guzzle",
"Version":"6.2.0",
"Identifier": {},
"Layer": {}
},
{
"Name":"guzzlehttp/promises",
"Version":"v1.3.1",
"Identifier": {},
"Layer": {}
}
]
@@ -341,6 +344,7 @@ func TestFSCache_PutArtifact(t *testing.T) {
{
"Name": "musl",
"Version": "1.2.3",
"Identifier": {},
"Layer": {}
}
]


@@ -193,7 +193,7 @@ type ArtifactCachePutBlobExpectation struct {
Returns ArtifactCachePutBlobReturns
}
func (_m *MockArtifactCache) ApplyPutBlobExpectation(e ArtifactCachePutBlobExpectation) {
func (_m *MockArtifactCache) ApplyPutBlobExpectation(e ArtifactCachePutBlobExpectation) *mock.Call{
var args []interface{}
if e.Args.BlobIDAnything {
args = append(args, mock.Anything)
@@ -205,7 +205,8 @@ func (_m *MockArtifactCache) ApplyPutBlobExpectation(e ArtifactCachePutBlobExpec
} else {
args = append(args, e.Args.BlobInfo)
}
_m.On("PutBlob", args...).Return(e.Returns.Err)
return _m.On("PutBlob", args...).Return(e.Returns.Err)
//return _m.On("PutBlob", mock.AnythingOfType("string"), mock.Anything).Return(e.Returns.Err)
}
func (_m *MockArtifactCache) ApplyPutBlobExpectations(expectations []ArtifactCachePutBlobExpectation) {
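Review bot: The commented-out `//return _m.On("PutBlob", mock.AnythingOfType("string"), mock.Anything).Return(e.Returns.Err)` kept directly under the new `return` is dead code and should be dropped rather than left beside the live call. The new signature is also missing the space gofmt emits before the brace, `func (_m *MockArtifactCache) ApplyPutBlobExpectation(e ArtifactCachePutBlobExpectation) *mock.Call {`, so the file will be rewritten on the next formatting run. Returning the `*mock.Call` is the only behavioural change here and is consistent with the body above it.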


@@ -178,7 +178,7 @@ func Test_systemFileFilterHook_Hook(t *testing.T) {
},
},
{
name: "distoless",
name: "distroless",
result: &analyzer.AnalysisResult{},
blob: &types.BlobInfo{
Applications: []types.Application{


@@ -2,6 +2,7 @@ package unpackaged_test
import (
"context"
"github.com/package-url/packageurl-go"
"testing"
"github.com/stretchr/testify/assert"
@@ -45,6 +46,16 @@ func Test_unpackagedHook_Handle(t *testing.T) {
Name: "github.com/spf13/cobra",
Version: "1.5.0",
Ref: "pkg:golang/github.com/spf13/cobra@1.5.0",
Identifier: types.PkgIdentifier{
PURL: &types.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "github.com/spf13",
Name: "cobra",
Version: "1.5.0",
},
},
},
},
},
},


@@ -362,6 +362,14 @@ func checkLangPkgs(detail types.ArtifactDetail, t *testing.T, tc testCase) {
func checkPackageFromCommands(t *testing.T, detail types.ArtifactDetail, tc testCase) {
if tc.wantPkgsFromCmds != "" {
if *update {
sort.Sort(types.Packages(detail.ImageConfig.Packages))
b, err := json.MarshalIndent(detail.ImageConfig.Packages, "", " ")
require.NoError(t, err)
err = os.WriteFile(tc.wantPkgsFromCmds, b, 0666)
require.NoError(t, err)
return
}
data, _ := os.ReadFile(tc.wantPkgsFromCmds)
var expectedPkgsFromCmds []types.Package
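Review bot: The added `sort.Sort(types.Packages(detail.ImageConfig.Packages))` runs only on the `*update` path that regenerates the golden file; the comparison path after `os.ReadFile` lies outside the hunk, and unless it sorts `detail.ImageConfig.Packages` the same way, the check becomes order-dependent once fixtures have been written in sorted order. Hoisting the sort above `if *update`, or a comment stating that the comparison below is order-insensitive, would make the intent explicit. `checkPackageFromCommands` continues past the end of the hunk.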


@@ -2,6 +2,9 @@
{
"ID": "alpine-baselayout@3.1.2-r0",
"Name": "alpine-baselayout",
"Identifier": {
"PURL": "pkg:apk/alpine/alpine-baselayout@3.1.2-r0?arch=x86_64\u0026distro=3.10.2"
},
"Version": "3.1.2-r0",
"Arch": "x86_64",
"SrcName": "alpine-baselayout",
@@ -49,6 +52,9 @@
{
"ID": "alpine-keys@2.1-r2",
"Name": "alpine-keys",
"Identifier": {
"PURL": "pkg:apk/alpine/alpine-keys@2.1-r2?arch=x86_64\u0026distro=3.10.2"
},
"Version": "2.1-r2",
"Arch": "x86_64",
"SrcName": "alpine-keys",
@@ -85,6 +91,9 @@
{
"ID": "apk-tools@2.10.4-r2",
"Name": "apk-tools",
"Identifier": {
"PURL": "pkg:apk/alpine/apk-tools@2.10.4-r2?arch=x86_64\u0026distro=3.10.2"
},
"Version": "2.10.4-r2",
"Arch": "x86_64",
"SrcName": "apk-tools",
@@ -110,6 +119,9 @@
{
"ID": "busybox@1.30.1-r2",
"Name": "busybox",
"Identifier": {
"PURL": "pkg:apk/alpine/busybox@1.30.1-r2?arch=x86_64\u0026distro=3.10.2"
},
"Version": "1.30.1-r2",
"Arch": "x86_64",
"SrcName": "busybox",
@@ -137,6 +149,9 @@
{
"ID": "ca-certificates-cacert@20190108-r0",
"Name": "ca-certificates-cacert",
"Identifier": {
"PURL": "pkg:apk/alpine/ca-certificates-cacert@20190108-r0?arch=x86_64\u0026distro=3.10.2"
},
"Version": "20190108-r0",
"Arch": "x86_64",
"SrcName": "ca-certificates",
@@ -157,6 +172,9 @@
{
"ID": "libc-utils@0.7.1-r0",
"Name": "libc-utils",
"Identifier": {
"PURL": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64\u0026distro=3.10.2"
},
"Version": "0.7.1-r0",
"Arch": "x86_64",
"SrcName": "libc-dev",
@@ -176,6 +194,9 @@
{
"ID": "libcrypto1.1@1.1.1c-r0",
"Name": "libcrypto1.1",
"Identifier": {
"PURL": "pkg:apk/alpine/libcrypto1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"Version": "1.1.1c-r0",
"Arch": "x86_64",
"SrcName": "openssl",
@@ -209,6 +230,9 @@
{
"ID": "libssl1.1@1.1.1c-r0",
"Name": "libssl1.1",
"Identifier": {
"PURL": "pkg:apk/alpine/libssl1.1@1.1.1c-r0?arch=x86_64\u0026distro=3.10.2"
},
"Version": "1.1.1c-r0",
"Arch": "x86_64",
"SrcName": "openssl",
@@ -233,6 +257,9 @@
{
"ID": "libtls-standalone@2.9.1-r0",
"Name": "libtls-standalone",
"Identifier": {
"PURL": "pkg:apk/alpine/libtls-standalone@2.9.1-r0?arch=x86_64\u0026distro=3.10.2"
},
"Version": "2.9.1-r0",
"Arch": "x86_64",
"SrcName": "libtls-standalone",
@@ -259,6 +286,9 @@
{
"ID": "musl@1.1.22-r3",
"Name": "musl",
"Identifier": {
"PURL": "pkg:apk/alpine/musl@1.1.22-r3?arch=x86_64\u0026distro=3.10.2"
},
"Version": "1.1.22-r3",
"Arch": "x86_64",
"SrcName": "musl",
@@ -279,6 +309,9 @@
{
"ID": "musl-utils@1.1.22-r3",
"Name": "musl-utils",
"Identifier": {
"PURL": "pkg:apk/alpine/musl-utils@1.1.22-r3?arch=x86_64\u0026distro=3.10.2"
},
"Version": "1.1.22-r3",
"Arch": "x86_64",
"SrcName": "musl",
@@ -308,6 +341,9 @@
{
"ID": "scanelf@1.2.3-r0",
"Name": "scanelf",
"Identifier": {
"PURL": "pkg:apk/alpine/scanelf@1.2.3-r0?arch=x86_64\u0026distro=3.10.2"
},
"Version": "1.2.3-r0",
"Arch": "x86_64",
"SrcName": "pax-utils",
@@ -330,6 +366,9 @@
{
"ID": "ssl_client@1.30.1-r2",
"Name": "ssl_client",
"Identifier": {
"PURL": "pkg:apk/alpine/ssl_client@1.30.1-r2?arch=x86_64\u0026distro=3.10.2"
},
"Version": "1.30.1-r2",
"Arch": "x86_64",
"SrcName": "busybox",
@@ -353,6 +392,9 @@
{
"ID": "zlib@1.2.11-r1",
"Name": "zlib",
"Identifier": {
"PURL": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64\u0026distro=3.10.2"
},
"Version": "1.2.11-r1",
"Arch": "x86_64",
"SrcName": "zlib",


@@ -2,6 +2,9 @@
{
"ID": ".composer-phpext-rundeps@0",
"Name": ".composer-phpext-rundeps",
"Identifier": {
"PURL": "pkg:apk/alpine/.composer-phpext-rundeps@0?arch=noarch\u0026distro=3.7.1"
},
"Version": "0",
"Arch": "noarch",
"DependsOn": [
@@ -18,6 +21,9 @@
{
"ID": ".persistent-deps@0",
"Name": ".persistent-deps",
"Identifier": {
"PURL": "pkg:apk/alpine/.persistent-deps@0?arch=noarch\u0026distro=3.7.1"
},
"Version": "0",
"Arch": "noarch",
"DependsOn": [
@@ -36,6 +42,9 @@
{
"ID": ".php-rundeps@0",
"Name": ".php-rundeps",
"Identifier": {
"PURL": "pkg:apk/alpine/.php-rundeps@0?arch=noarch\u0026distro=3.7.1"
},
"Version": "0",
"Arch": "noarch",
"DependsOn": [
@@ -57,6 +66,9 @@
{
"ID": "alpine-baselayout@3.0.5-r2",
"Name": "alpine-baselayout",
"Identifier": {
"PURL": "pkg:apk/alpine/alpine-baselayout@3.0.5-r2?arch=x86_64\u0026distro=3.7.1"
},
"Version": "3.0.5-r2",
"Arch": "x86_64",
"SrcName": "alpine-baselayout",
@@ -105,6 +117,9 @@
{
"ID": "alpine-keys@2.1-r1",
"Name": "alpine-keys",
"Identifier": {
"PURL": "pkg:apk/alpine/alpine-keys@2.1-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.1-r1",
"Arch": "x86_64",
"SrcName": "alpine-keys",
@@ -141,6 +156,9 @@
{
"ID": "apk-tools@2.10.1-r0",
"Name": "apk-tools",
"Identifier": {
"PURL": "pkg:apk/alpine/apk-tools@2.10.1-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.10.1-r0",
"Arch": "x86_64",
"SrcName": "apk-tools",
@@ -166,6 +184,9 @@
{
"ID": "apr@1.6.3-r0",
"Name": "apr",
"Identifier": {
"PURL": "pkg:apk/alpine/apr@1.6.3-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.6.3-r0",
"Arch": "x86_64",
"SrcName": "apr",
@@ -191,6 +212,9 @@
{
"ID": "apr-util@1.6.1-r1",
"Name": "apr-util",
"Identifier": {
"PURL": "pkg:apk/alpine/apr-util@1.6.1-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.6.1-r1",
"Arch": "x86_64",
"SrcName": "apr-util",
@@ -219,6 +243,9 @@
{
"ID": "bash@4.4.19-r1",
"Name": "bash",
"Identifier": {
"PURL": "pkg:apk/alpine/bash@4.4.19-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "4.4.19-r1",
"Arch": "x86_64",
"SrcName": "bash",
@@ -330,6 +357,9 @@
{
"ID": "busybox@1.27.2-r11",
"Name": "busybox",
"Identifier": {
"PURL": "pkg:apk/alpine/busybox@1.27.2-r11?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.27.2-r11",
"Arch": "x86_64",
"SrcName": "busybox",
@@ -357,6 +387,9 @@
{
"ID": "ca-certificates@20171114-r0",
"Name": "ca-certificates",
"Identifier": {
"PURL": "pkg:apk/alpine/ca-certificates@20171114-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "20171114-r0",
"Arch": "x86_64",
"SrcName": "ca-certificates",
@@ -537,6 +570,9 @@
{
"ID": "curl@7.61.0-r0",
"Name": "curl",
"Identifier": {
"PURL": "pkg:apk/alpine/curl@7.61.0-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.61.0-r0",
"Arch": "x86_64",
"SrcName": "curl",
@@ -562,6 +598,9 @@
{
"ID": "db@5.3.28-r0",
"Name": "db",
"Identifier": {
"PURL": "pkg:apk/alpine/db@5.3.28-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "5.3.28-r0",
"Arch": "x86_64",
"SrcName": "db",
@@ -584,6 +623,9 @@
{
"ID": "expat@2.2.5-r0",
"Name": "expat",
"Identifier": {
"PURL": "pkg:apk/alpine/expat@2.2.5-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.2.5-r0",
"Arch": "x86_64",
"SrcName": "expat",
@@ -608,6 +650,9 @@
{
"ID": "gdbm@1.13-r1",
"Name": "gdbm",
"Identifier": {
"PURL": "pkg:apk/alpine/gdbm@1.13-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.13-r1",
"Arch": "x86_64",
"SrcName": "gdbm",
@@ -636,6 +681,9 @@
{
"ID": "git@2.15.2-r0",
"Name": "git",
"Identifier": {
"PURL": "pkg:apk/alpine/git@2.15.2-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.15.2-r0",
"Arch": "x86_64",
"SrcName": "git",
@@ -852,6 +900,9 @@
{
"ID": "libbz2@1.0.6-r6",
"Name": "libbz2",
"Identifier": {
"PURL": "pkg:apk/alpine/libbz2@1.0.6-r6?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.0.6-r6",
"Arch": "x86_64",
"SrcName": "bzip2",
@@ -875,6 +926,9 @@
{
"ID": "libc-utils@0.7.1-r0",
"Name": "libc-utils",
"Identifier": {
"PURL": "pkg:apk/alpine/libc-utils@0.7.1-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "0.7.1-r0",
"Arch": "x86_64",
"SrcName": "libc-dev",
@@ -894,6 +948,9 @@
{
"ID": "libcurl@7.61.1-r0",
"Name": "libcurl",
"Identifier": {
"PURL": "pkg:apk/alpine/libcurl@7.61.1-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.61.1-r0",
"Arch": "x86_64",
"SrcName": "curl",
@@ -922,6 +979,9 @@
{
"ID": "libedit@20170329.3.1-r3",
"Name": "libedit",
"Identifier": {
"PURL": "pkg:apk/alpine/libedit@20170329.3.1-r3?arch=x86_64\u0026distro=3.7.1"
},
"Version": "20170329.3.1-r3",
"Arch": "x86_64",
"SrcName": "libedit",
@@ -946,6 +1006,9 @@
{
"ID": "libffi@3.2.1-r4",
"Name": "libffi",
"Identifier": {
"PURL": "pkg:apk/alpine/libffi@3.2.1-r4?arch=x86_64\u0026distro=3.7.1"
},
"Version": "3.2.1-r4",
"Arch": "x86_64",
"SrcName": "libffi",
@@ -969,6 +1032,9 @@
{
"ID": "libressl@2.6.5-r0",
"Name": "libressl",
"Identifier": {
"PURL": "pkg:apk/alpine/libressl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.6.5-r0",
"Arch": "x86_64",
"SrcName": "libressl",
@@ -995,6 +1061,9 @@
{
"ID": "libressl2.6-libcrypto@2.6.5-r0",
"Name": "libressl2.6-libcrypto",
"Identifier": {
"PURL": "pkg:apk/alpine/libressl2.6-libcrypto@2.6.5-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.6.5-r0",
"Arch": "x86_64",
"SrcName": "libressl",
@@ -1023,6 +1092,9 @@
{
"ID": "libressl2.6-libssl@2.6.5-r0",
"Name": "libressl2.6-libssl",
"Identifier": {
"PURL": "pkg:apk/alpine/libressl2.6-libssl@2.6.5-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.6.5-r0",
"Arch": "x86_64",
"SrcName": "libressl",
@@ -1049,6 +1121,9 @@
{
"ID": "libressl2.6-libtls@2.6.5-r0",
"Name": "libressl2.6-libtls",
"Identifier": {
"PURL": "pkg:apk/alpine/libressl2.6-libtls@2.6.5-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.6.5-r0",
"Arch": "x86_64",
"SrcName": "libressl",
@@ -1076,6 +1151,9 @@
{
"ID": "libsasl@2.1.26-r11",
"Name": "libsasl",
"Identifier": {
"PURL": "pkg:apk/alpine/libsasl@2.1.26-r11?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.1.26-r11",
"Arch": "x86_64",
"SrcName": "cyrus-sasl",
@@ -1109,6 +1187,9 @@
{
"ID": "libsodium@1.0.15-r0",
"Name": "libsodium",
"Identifier": {
"PURL": "pkg:apk/alpine/libsodium@1.0.15-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.0.15-r0",
"Arch": "x86_64",
"SrcName": "libsodium",
@@ -1132,6 +1213,9 @@
{
"ID": "libssh2@1.8.0-r2",
"Name": "libssh2",
"Identifier": {
"PURL": "pkg:apk/alpine/libssh2@1.8.0-r2?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.8.0-r2",
"Arch": "x86_64",
"SrcName": "libssh2",
@@ -1157,6 +1241,9 @@
{
"ID": "libuuid@2.31-r0",
"Name": "libuuid",
"Identifier": {
"PURL": "pkg:apk/alpine/libuuid@2.31-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.31-r0",
"Arch": "x86_64",
"SrcName": "util-linux",
@@ -1185,6 +1272,9 @@
{
"ID": "libxml2@2.9.7-r0",
"Name": "libxml2",
"Identifier": {
"PURL": "pkg:apk/alpine/libxml2@2.9.7-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.9.7-r0",
"Arch": "x86_64",
"SrcName": "libxml2",
@@ -1209,6 +1299,9 @@
{
"ID": "mercurial@4.5.2-r0",
"Name": "mercurial",
"Identifier": {
"PURL": "pkg:apk/alpine/mercurial@4.5.2-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "4.5.2-r0",
"Arch": "x86_64",
"SrcName": "mercurial",
@@ -1950,6 +2043,9 @@
{
"ID": "musl@1.1.18-r3",
"Name": "musl",
"Identifier": {
"PURL": "pkg:apk/alpine/musl@1.1.18-r3?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.1.18-r3",
"Arch": "x86_64",
"SrcName": "musl",
@@ -1970,6 +2066,9 @@
{
"ID": "musl-utils@1.1.18-r3",
"Name": "musl-utils",
"Identifier": {
"PURL": "pkg:apk/alpine/musl-utils@1.1.18-r3?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.1.18-r3",
"Arch": "x86_64",
"SrcName": "musl",
@@ -1999,6 +2098,9 @@
{
"ID": "ncurses-libs@6.0_p20171125-r1",
"Name": "ncurses-libs",
"Identifier": {
"PURL": "pkg:apk/alpine/ncurses-libs@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "6.0_p20171125-r1",
"Arch": "x86_64",
"SrcName": "ncurses",
@@ -2031,6 +2133,9 @@
{
"ID": "ncurses-terminfo@6.0_p20171125-r1",
"Name": "ncurses-terminfo",
"Identifier": {
"PURL": "pkg:apk/alpine/ncurses-terminfo@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "6.0_p20171125-r1",
"Arch": "x86_64",
"SrcName": "ncurses",
@@ -4781,6 +4886,9 @@
{
"ID": "ncurses-terminfo-base@6.0_p20171125-r1",
"Name": "ncurses-terminfo-base",
"Identifier": {
"PURL": "pkg:apk/alpine/ncurses-terminfo-base@6.0_p20171125-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "6.0_p20171125-r1",
"Arch": "x86_64",
"SrcName": "ncurses",
@@ -4813,6 +4921,9 @@
{
"ID": "openssh@7.5_p1-r9",
"Name": "openssh",
"Identifier": {
"PURL": "pkg:apk/alpine/openssh@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.5_p1-r9",
"Arch": "x86_64",
"SrcName": "openssh",
@@ -4839,6 +4950,9 @@
{
"ID": "openssh-client@7.5_p1-r9",
"Name": "openssh-client",
"Identifier": {
"PURL": "pkg:apk/alpine/openssh-client@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.5_p1-r9",
"Arch": "x86_64",
"SrcName": "openssh",
@@ -4874,6 +4988,9 @@
{
"ID": "openssh-keygen@7.5_p1-r9",
"Name": "openssh-keygen",
"Identifier": {
"PURL": "pkg:apk/alpine/openssh-keygen@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.5_p1-r9",
"Arch": "x86_64",
"SrcName": "openssh",
@@ -4897,6 +5014,9 @@
{
"ID": "openssh-server@7.5_p1-r9",
"Name": "openssh-server",
"Identifier": {
"PURL": "pkg:apk/alpine/openssh-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.5_p1-r9",
"Arch": "x86_64",
"SrcName": "openssh",
@@ -4923,6 +5043,9 @@
{
"ID": "openssh-server-common@7.5_p1-r9",
"Name": "openssh-server-common",
"Identifier": {
"PURL": "pkg:apk/alpine/openssh-server-common@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.5_p1-r9",
"Arch": "x86_64",
"SrcName": "openssh",
@@ -4944,6 +5067,9 @@
{
"ID": "openssh-sftp-server@7.5_p1-r9",
"Name": "openssh-sftp-server",
"Identifier": {
"PURL": "pkg:apk/alpine/openssh-sftp-server@7.5_p1-r9?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.5_p1-r9",
"Arch": "x86_64",
"SrcName": "openssh",
@@ -4966,6 +5092,9 @@
{
"ID": "patch@2.7.5-r2",
"Name": "patch",
"Identifier": {
"PURL": "pkg:apk/alpine/patch@2.7.5-r2?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.7.5-r2",
"Arch": "x86_64",
"SrcName": "patch",
@@ -4988,6 +5117,9 @@
{
"ID": "pcre2@10.30-r0",
"Name": "pcre2",
"Identifier": {
"PURL": "pkg:apk/alpine/pcre2@10.30-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "10.30-r0",
"Arch": "x86_64",
"SrcName": "pcre2",
@@ -5013,6 +5145,9 @@
{
"ID": "pkgconf@1.3.10-r0",
"Name": "pkgconf",
"Identifier": {
"PURL": "pkg:apk/alpine/pkgconf@1.3.10-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.3.10-r0",
"Arch": "x86_64",
"SrcName": "pkgconf",
@@ -5039,6 +5174,9 @@
{
"ID": "python2@2.7.15-r2",
"Name": "python2",
"Identifier": {
"PURL": "pkg:apk/alpine/python2@2.7.15-r2?arch=x86_64\u0026distro=3.7.1"
},
"Version": "2.7.15-r2",
"Arch": "x86_64",
"SrcName": "python2",
@@ -7481,6 +7619,9 @@
{
"ID": "readline@7.0.003-r0",
"Name": "readline",
"Identifier": {
"PURL": "pkg:apk/alpine/readline@7.0.003-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "7.0.003-r0",
"Arch": "x86_64",
"SrcName": "readline",
@@ -7505,6 +7646,9 @@
{
"ID": "scanelf@1.2.2-r1",
"Name": "scanelf",
"Identifier": {
"PURL": "pkg:apk/alpine/scanelf@1.2.2-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.2.2-r1",
"Arch": "x86_64",
"SrcName": "pax-utils",
@@ -7527,6 +7671,9 @@
{
"ID": "serf@1.3.9-r3",
"Name": "serf",
"Identifier": {
"PURL": "pkg:apk/alpine/serf@1.3.9-r3?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.3.9-r3",
"Arch": "x86_64",
"SrcName": "serf",
@@ -7555,6 +7702,9 @@
{
"ID": "sqlite-libs@3.21.0-r1",
"Name": "sqlite-libs",
"Identifier": {
"PURL": "pkg:apk/alpine/sqlite-libs@3.21.0-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "3.21.0-r1",
"Arch": "x86_64",
"SrcName": "sqlite",
@@ -7578,6 +7728,9 @@
{
"ID": "ssl_client@1.27.2-r11",
"Name": "ssl_client",
"Identifier": {
"PURL": "pkg:apk/alpine/ssl_client@1.27.2-r11?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.27.2-r11",
"Arch": "x86_64",
"SrcName": "busybox",
@@ -7601,6 +7754,9 @@
{
"ID": "subversion@1.9.7-r0",
"Name": "subversion",
"Identifier": {
"PURL": "pkg:apk/alpine/subversion@1.9.7-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.9.7-r0",
"Arch": "x86_64",
"SrcName": "subversion",
@@ -7656,6 +7812,9 @@
{
"ID": "subversion-libs@1.9.7-r0",
"Name": "subversion-libs",
"Identifier": {
"PURL": "pkg:apk/alpine/subversion-libs@1.9.7-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.9.7-r0",
"Arch": "x86_64",
"SrcName": "subversion",
@@ -7716,6 +7875,9 @@
{
"ID": "tar@1.29-r1",
"Name": "tar",
"Identifier": {
"PURL": "pkg:apk/alpine/tar@1.29-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.29-r1",
"Arch": "x86_64",
"SrcName": "tar",
@@ -7740,6 +7902,9 @@
{
"ID": "tini@0.16.1-r0",
"Name": "tini",
"Identifier": {
"PURL": "pkg:apk/alpine/tini@0.16.1-r0?arch=x86_64\u0026distro=3.7.1"
},
"Version": "0.16.1-r0",
"Arch": "x86_64",
"SrcName": "tini",
@@ -7762,6 +7927,9 @@
{
"ID": "xz@5.2.3-r1",
"Name": "xz",
"Identifier": {
"PURL": "pkg:apk/alpine/xz@5.2.3-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "5.2.3-r1",
"Arch": "x86_64",
"SrcName": "xz",
@@ -7807,6 +7975,9 @@
{
"ID": "xz-libs@5.2.3-r1",
"Name": "xz-libs",
"Identifier": {
"PURL": "pkg:apk/alpine/xz-libs@5.2.3-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "5.2.3-r1",
"Arch": "x86_64",
"SrcName": "xz",
@@ -7830,6 +8001,9 @@
{
"ID": "zlib@1.2.11-r1",
"Name": "zlib",
"Identifier": {
"PURL": "pkg:apk/alpine/zlib@1.2.11-r1?arch=x86_64\u0026distro=3.7.1"
},
"Version": "1.2.11-r1",
"Arch": "x86_64",
"SrcName": "zlib",


@@ -62,25 +62,32 @@ type Layer struct {
}
type Package struct {
ID string `json:",omitempty"`
Name string `json:",omitempty"`
Version string `json:",omitempty"`
Release string `json:",omitempty"`
Epoch int `json:",omitempty"`
Arch string `json:",omitempty"`
Dev bool `json:",omitempty"`
SrcName string `json:",omitempty"`
SrcVersion string `json:",omitempty"`
SrcRelease string `json:",omitempty"`
SrcEpoch int `json:",omitempty"`
Licenses []string `json:",omitempty"`
Maintainer string `json:",omitempty"`
ID string `json:",omitempty"`
Name string `json:",omitempty"`
Identifier PkgIdentifier `json:",omitempty"`
Version string `json:",omitempty"`
Release string `json:",omitempty"`
Epoch int `json:",omitempty"`
Arch string `json:",omitempty"`
Dev bool `json:",omitempty"`
SrcName string `json:",omitempty"`
SrcVersion string `json:",omitempty"`
SrcRelease string `json:",omitempty"`
SrcEpoch int `json:",omitempty"`
Licenses []string `json:",omitempty"`
Maintainer string `json:",omitempty"`
Modularitylabel string `json:",omitempty"` // only for Red Hat based distributions
BuildInfo *BuildInfo `json:",omitempty"` // only for Red Hat
Indirect bool `json:",omitempty"` // this package is direct dependency of the project or not
Ref string `json:",omitempty"` // identifier which can be used to reference the component elsewhere
Indirect bool `json:",omitempty"` // this package is direct dependency of the project or not
// TO BE DEPRECATED - use Identifier instead
// Only used when scanning SBOM and contains the reference ID used in it.
// It could be PURL, UUID, etc.
// e.g.
// - pkg:npm/acme/component@1.0.0
// - b2a46a4b-8367-4bae-9820-95557cfe03a8
Ref string `json:",omitempty"`
// Dependencies of this package
// Note: it may have interdependencies, which may lead to infinite loops.
@@ -101,6 +108,16 @@ type Package struct {
InstalledFiles []string `json:",omitempty"`
}
// PkgIdentifier represents a software identifiers in one of more of the supported formats.
type PkgIdentifier struct {
// PURL is a package URL
PURL *PackageURL `json:",omitempty"`
}
func (id *PkgIdentifier) Empty() bool {
return id.PURL == nil
}
type Location struct {
StartLine int `json:",omitempty"`
EndLine int `json:",omitempty"`
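Review bot: `Identifier PkgIdentifier` carries `json:",omitempty"`, but encoding/json ignores omitempty on struct-valued fields, which is why the cache test fixtures in this commit now emit `"Identifier": {}` for every package that has no PURL; the `Empty()` method does not influence the encoder. If the JSON is meant to stay unchanged for packages without an identifier, the field needs to be a pointer or the type needs a custom marshaller. `Empty()` would also panic on a nil receiver because it dereferences `id.PURL` unguarded; `return id == nil || id.PURL == nil` is the safe form. Separately, the doc comment should read `// PkgIdentifier represents a software identifier in one or more of the supported formats.`.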


@@ -9,6 +9,5 @@ const (
// SystemFileFilteringPostHandlerPriority should be higher than other handlers.
// Otherwise, other handlers need to process unnecessary files.
SystemFileFilteringPostHandlerPriority = 100
UnpackagedPostHandlerPriority = 50
UnpackagedPostHandlerPriority = 50
)

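--- a/pkg/fanal/types/purl.go
+++ b/pkg/fanal/types/purl.go
@@ -0,0 +1,78 @@
+package types
+import (
+"encoding/json"
+"github.com/package-url/packageurl-go"
+"golang.org/x/xerrors"
+)
+type PackageURL struct {
+packageurl.PackageURL
+FilePath string
+}
+func (p *PackageURL) BOMRef() string {
+// 'bom-ref' must be unique within BOM, but PURLs may conflict
+// when the same packages are installed in an artifact.
+// In that case, we prefer to make PURLs unique by adding file paths,
+// rather than using UUIDs, even if it is not PURL technically.
+// ref. https://cyclonedx.org/use-cases/#dependency-graph
+purl := p.PackageURL // so that it will not override the qualifiers below
+if p.FilePath != "" {
+purl.Qualifiers = append(purl.Qualifiers,
+packageurl.Qualifier{
+Key: "file_path",
+Value: p.FilePath,
+},
+)
+}
+return purl.String()
+}
+func (p *PackageURL) MarshalJSON() ([]byte, error) {
+if p == nil {
+return nil, nil
+}
+return json.Marshal(p.String())
+}
+func (p *PackageURL) UnmarshalJSON(b []byte) error {
+var s string
+if err := json.Unmarshal(b, &s); err != nil {
+return err
+}
+purl, err := NewPackageURL(s)
+if err != nil {
+return xerrors.Errorf("failed to parse purl(%s): %w", string(b), err)
+}
+*p = *purl
+return nil
+}
+func NewPackageURL(s string) (*PackageURL, error) {
+p, err := packageurl.FromString(s)
+if err != nil {
+return nil, xerrors.Errorf("failed to parse purl(%s): %w", s, err)
+}
+// Take out and delete the file path from qualifiers
+var filePath string
+for i, q := range p.Qualifiers {
+if q.Key != "file_path" {
+continue
+}
+filePath = q.Value
+p.Qualifiers = append(p.Qualifiers[:i], p.Qualifiers[i+1:]...)
+break
+}
+if len(p.Qualifiers) == 0 {
+p.Qualifiers = nil
+}
+return &PackageURL{
+PackageURL: p,
+FilePath: filePath,
+}, nil
+}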
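Review bot: In `BOMRef`, `purl := p.PackageURL` copies the struct header but not the backing array of `Qualifiers`, so the `append` of the `file_path` qualifier can write into spare capacity shared with `p.Qualifiers` — and `NewPackageURL` leaves exactly that spare capacity behind when it splices `file_path` out with `append(p.Qualifiers[:i], p.Qualifiers[i+1:]...)`, so two concurrent `BOMRef` calls on one value would be a data race on that slot. Detach before appending, e.g. `purl.Qualifiers = append(p.Qualifiers[:len(p.Qualifiers):len(p.Qualifiers)], packageurl.Qualifier{Key: "file_path", Value: p.FilePath})`. `UnmarshalJSON` wraps the error from `NewPackageURL`, which already carries `failed to parse purl(...)`, so the chained message repeats itself; returning the error as-is or wrapping with distinct context such as `unmarshal purl %q` reads better. `MarshalJSON` returning `nil, nil` for a nil receiver is not valid JSON if the method is ever invoked directly; `[]byte("null"), nil` is the conventional form. Because these PURLs are parsed from SBOM input, `FilePath` is an unvalidated, unnormalised string from that input, and any caller that later joins it onto a filesystem path should treat it as untrusted.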
