gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)

Browse Source
This commit is contained in:
santhosh1729
2024-11-21 13:26:05 +05:30
committed by GitHub
parent 45d3b40044
commit 461a68afd6
9 changed files with 563 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

527
integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden vendored
View File

File diff suppressed because it is too large Load Diff

1
pkg/detector/library/driver.go
View File

@@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
InstalledVersion: pkgVer, InstalledVersion: pkgVer,
FixedVersion: createFixedVersions(adv), FixedVersion: createFixedVersions(adv),
DataSource: adv.DataSource, DataSource: adv.DataSource,
Custom: adv.Custom,
} }
vulns = append(vulns, vuln) vulns = append(vulns, vuln)
} }

26
pkg/detector/library/driver_test.go
View File

@@ -182,6 +182,32 @@ func TestDriver_Detect(t *testing.T) {
}, },
}, },
}, },
{
name: "Custom data for vulnerability",
fixtures: []string{
"testdata/fixtures/go-custom-data.yaml",
"testdata/fixtures/data-source.yaml",
},
libType: ftypes.GoBinary,
args: args{
pkgName: "github.com/docker/docker",
pkgVer: "23.0.14",
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "GHSA-v23v-6jw2-98fq",
PkgName: "github.com/docker/docker",
InstalledVersion: "23.0.14",
FixedVersion: "23.0.15, 26.1.5, 27.1.1, 25.0.6",
DataSource: &dbTypes.DataSource{
ID: vulnerability.GHSA,
Name: "GitHub Security Advisory Go",
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
},
Custom: map[string]any{"Severity": 2.0},
},
},
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {

5
pkg/detector/library/testdata/fixtures/data-source.yaml vendored
View File

@@ -25,3 +25,8 @@
ID: "ghsa" ID: "ghsa"
Name: "GitHub Security Advisory Pip" Name: "GitHub Security Advisory Pip"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip" URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
- key: "go::GitHub Security Advisory Go"
value:
ID: "ghsa"
Name: "GitHub Security Advisory Go"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"

18
pkg/detector/library/testdata/fixtures/go-custom-data.yaml vendored Normal file
View File

@@ -0,0 +1,18 @@
- bucket: "go::GitHub Security Advisory Go"
pairs:
- bucket: github.com/docker/docker
pairs:
- key: "GHSA-v23v-6jw2-98fq"
value:
PatchedVersions:
- "23.0.15"
- "26.1.5"
- "27.1.1"
- "25.0.6"
VulnerableVersions:
- ">=19.03.0, <23.0.15"
- ">=26.0.0, <26.1.5"
- ">=27.0.0, <27.1.1"
- ">=24.0.0, <25.0.6"
Custom:
Severity: 2

2
pkg/rpc/convert.go
View File

@@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package {
DependsOn: pkg.DependsOn, DependsOn: pkg.DependsOn,
Digest: pkg.Digest.String(), Digest: pkg.Digest.String(),
Indirect: pkg.Indirect, Indirect: pkg.Indirect,
Maintainer: pkg.Maintainer,
}) })
} }
return rpcPkgs return rpcPkgs
@@ -226,6 +227,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
DependsOn: pkg.DependsOn, DependsOn: pkg.DependsOn,
Digest: digest.Digest(pkg.Digest), Digest: digest.Digest(pkg.Digest),
Indirect: pkg.Indirect, Indirect: pkg.Indirect,
Maintainer: pkg.Maintainer,
}) })
} }
return pkgs return pkgs

72
pkg/rpc/convert_test.go
View File

@@ -183,6 +183,78 @@ func TestConvertFromRpcPkgs(t *testing.T) {
}, },
}, },
}, },
{
args: args{
rpcPkgs: []*common.Package{
{
Name: "binary",
Version: "4.2+dfsg",
Release: "0.1+deb7u4",
Epoch: 0,
Arch: "amd64",
SrcName: "bash",
SrcVersion: "4.2+dfsg",
SrcRelease: "0.1+deb7u4",
SrcEpoch: 0,
Licenses: []string{"GPL-3.0"},
Locations: []*common.Location{
{
StartLine: 10,
EndLine: 20,
},
{
StartLine: 22,
EndLine: 32,
},
},
Layer: &common.Layer{
Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
DiffId: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
},
Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
Indirect: false,
Identifier: &common.PkgIdentifier{
Uid: "63f8bef824b960e3",
},
Maintainer: "alice@example.com",
},
},
},
want: []ftypes.Package{
{
Name: "binary",
Version: "4.2+dfsg",
Release: "0.1+deb7u4",
Epoch: 0,
Arch: "amd64",
SrcName: "bash",
SrcVersion: "4.2+dfsg",
SrcRelease: "0.1+deb7u4",
SrcEpoch: 0,
Licenses: []string{"GPL-3.0"},
Locations: []ftypes.Location{
{
StartLine: 10,
EndLine: 20,
},
{
StartLine: 22,
EndLine: 32,
},
},
Layer: ftypes.Layer{
Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
DiffID: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
},
Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
Indirect: false,
Identifier: ftypes.PkgIdentifier{
UID: "63f8bef824b960e3",
},
Maintainer: "alice@example.com",
},
},
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {

14
rpc/common/service.pb.go
View File

@@ -465,6 +465,7 @@ type Package struct {
Digest string `protobuf:"bytes,16,opt,name=digest,proto3" json:"digest,omitempty"` Digest string `protobuf:"bytes,16,opt,name=digest,proto3" json:"digest,omitempty"`
Dev bool `protobuf:"varint,17,opt,name=dev,proto3" json:"dev,omitempty"` Dev bool `protobuf:"varint,17,opt,name=dev,proto3" json:"dev,omitempty"`
Indirect bool `protobuf:"varint,18,opt,name=indirect,proto3" json:"indirect,omitempty"` Indirect bool `protobuf:"varint,18,opt,name=indirect,proto3" json:"indirect,omitempty"`
Maintainer string `protobuf:"bytes,21,opt,name=maintainer,proto3" json:"maintainer,omitempty"`
} }
func (x *Package) Reset() { func (x *Package) Reset() {
@@ -632,6 +633,13 @@ func (x *Package) GetIndirect() bool {
return false return false
} }
func (x *Package) GetMaintainer() string {
if x != nil {
return x.Maintainer
}
return ""
}
type PkgIdentifier struct { type PkgIdentifier struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@@ -2428,7 +2436,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x31, 0x0a, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x31, 0x0a, 0x08, 0x70, 0x61, 0x63, 0x6b,
0x61, 0x67, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x72, 0x69, 0x61, 0x67, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x72, 0x69,
0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67,
0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xc1, 0x04, 0x0a, 0x07, 0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xe1, 0x04, 0x0a, 0x07,
0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x0d, 0x20, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x0d, 0x20,
0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76,
@@ -2464,7 +2472,9 @@ var file_rpc_common_service_proto_rawDesc = []byte{
0x65, 0x73, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x65, 0x73, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73,
0x74, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x76, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x76, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03,
0x64, 0x65, 0x76, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x64, 0x65, 0x76, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18,
0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x22, 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12,
0x1e, 0x0a, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x18, 0x15, 0x20,
0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x22,
0x4e, 0x0a, 0x0d, 0x50, 0x6b, 0x67, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x4e, 0x0a, 0x0d, 0x50, 0x6b, 0x67, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72,
0x12, 0x12, 0x0a, 0x04, 0x70, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
0x70, 0x75, 0x72, 0x6c, 0x12, 0x17, 0x0a, 0x07, 0x62, 0x6f, 0x6d, 0x5f, 0x72, 0x65, 0x66, 0x18, 0x70, 0x75, 0x72, 0x6c, 0x12, 0x17, 0x0a, 0x07, 0x62, 0x6f, 0x6d, 0x5f, 0x72, 0x65, 0x66, 0x18,

11
rpc/common/service.proto
View File

@@ -54,6 +54,7 @@ message Package {
string digest = 16; string digest = 16;
bool dev = 17; bool dev = 17;
bool indirect = 18; bool indirect = 18;
string maintainer = 21;
} }
message PkgIdentifier { message PkgIdentifier {
@@ -68,11 +69,11 @@ message Location {
} }
message Misconfiguration { message Misconfiguration {
string file_type = 1; string file_type = 1;
string file_path = 2; string file_path = 2;
repeated MisconfResult successes = 3; repeated MisconfResult successes = 3;
repeated MisconfResult warnings = 4; repeated MisconfResult warnings = 4;
repeated MisconfResult failures = 5; repeated MisconfResult failures = 5;
reserved 6; // deprecated 'exceptions' reserved 6; // deprecated 'exceptions'
} }