fix: check unescaped BomRef when matching PkgIdentifier (#6025)
Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
@@ -2,6 +2,7 @@ package types
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
v1 "github.com/google/go-containerregistry/pkg/v1"
|
v1 "github.com/google/go-containerregistry/pkg/v1"
|
||||||
@@ -156,6 +157,13 @@ func (id *PkgIdentifier) Empty() bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (id *PkgIdentifier) Match(s string) bool {
|
func (id *PkgIdentifier) Match(s string) bool {
|
||||||
|
// Encode string as PURL
|
||||||
|
if strings.HasPrefix(s, "pkg:") {
|
||||||
|
if p, err := packageurl.FromString(s); err == nil {
|
||||||
|
s = p.String()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
switch {
|
switch {
|
||||||
case id.BOMRef == s:
|
case id.BOMRef == s:
|
||||||
return true
|
return true
|
||||||
|
|||||||
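Review bot: The canonicalization added at the top of Match is applied only to the incoming string; on the `case id.BOMRef == s` line id.BOMRef is still compared verbatim, so a BOMRef that is itself a PURL with a different escaping or qualifier order than the round-tripped form will not match through this case — in the new test fixture the BOMRef carries `?distro=ubuntu-22.04&arch=amd64` while the VEX document's ref carries `?arch=amd64&distro=ubuntu-22.04`, so that test presumably passes through a later case of the switch rather than through BOMRef, which means the "unescaped BomRef" path named in the commit title is not what the test exercises. If comparing BOMRef verbatim is intended, state it above the switch, e.g. `// BOMRef is compared verbatim; only the incoming reference is canonicalized.`; otherwise run id.BOMRef through the same packageurl round-trip before the comparison. The comment `// Encode string as PURL` also understates what the block does, since the string is parsed and re-serialized so that escaping differences (and, if the library orders them, qualifier order) no longer affect matching; `// Canonicalize PURL-formatted references so that escaping does not affect matching` would be more accurate. The rest of the switch and the function's return lie outside the hunk.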
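--- a/pkg/vex/testdata/cyclonedx.json
+++ b/pkg/vex/testdata/cyclonedx.json
@@ -18,6 +18,27 @@
 "ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0"
 }
 ]
+},
+{
+"id": "CVE-2022-27943",
+"source": {
+"name": "ubuntu",
+"url": "https://git.launchpad.net/ubuntu-cve-tracker"
+},
+"affects": [
+{
+"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
+"versions": [
+{
+"version": "12.3.0-1ubuntu1~22.04",
+"status": "affected"
+}
+]
+}
+],
+"analysis": {
+"state": "not_affected"
+}
 }
 ]
 }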
@@ -149,6 +149,31 @@ func TestVEX_Filter(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
VulnerabilityID: "CVE-2022-27943",
|
||||||
|
PkgID: "libstdc++6@12.3.0-1ubuntu1~22.04",
|
||||||
|
PkgName: "libstdc++6",
|
||||||
|
InstalledVersion: "12.3.0-1ubuntu1~22.04",
|
||||||
|
PkgIdentifier: ftypes.PkgIdentifier{
|
||||||
|
BOMRef: "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?distro=ubuntu-22.04&arch=amd64",
|
||||||
|
PURL: &packageurl.PackageURL{
|
||||||
|
Type: packageurl.TypeDebian,
|
||||||
|
Namespace: "ubuntu",
|
||||||
|
Name: "libstdc++6",
|
||||||
|
Version: "12.3.0-1ubuntu1~22.04",
|
||||||
|
Qualifiers: []packageurl.Qualifier{
|
||||||
|
{
|
||||||
|
Key: "arch",
|
||||||
|
Value: "amd64",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Key: "distro",
|
||||||
|
Value: "ubuntu-22.04",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
want: []types.DetectedVulnerability{
|
want: []types.DetectedVulnerability{
|
||||||
|
|||||||