gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 07:40:48 -08:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit (#1)

Browse Source 
* initial
This commit is contained in:
Teppei Fukuda
2019-05-07 15:41:03 +09:00
committed by GitHub
parent fc51f69982
commit 84fec5ae12
53 changed files with 4189 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
.circleci/config.yml Normal file
View File

@@ -0,0 +1,42 @@
defaults: &defaults
docker :
- image: knqyf263/ci-trivy:latest
environment:
CGO_ENABLED: "1"
jobs:
release:
<<: *defaults
steps:
- checkout
- run:
name: Release
command: goreleaser --rm-dist
- run:
name: Clone trivy repository
command: git clone git@github.com:knqyf263/trivy-repo.git
- run:
name: Setup git settings
command: |
git config --global user.email "knqyf263@gmail.com"
git config --global user.name "Teppei Fukuda"
- run:
name: Create rpm repository
command: ci/deploy-rpm.sh
- run:
name: Import GPG key
command: echo -e "$GPG_KEY" | gpg --import
- run:
name: Create deb repository
command: ci/deploy-deb.sh
workflows:
version: 2
release:
jobs:
- release:
filters:
branches:
ignore: /.*/
tags:
only: /.*/

2
.gitignore vendored
View File

@@ -10,3 +10,5 @@
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
.idea

137
README.md
View File

@@ -1 +1,136 @@
# trivy
# trivy
[![GitHub release](https://img.shields.io/github/release/knqyf263/trivy.svg)](https://github.com/knqyf263/trivy/releases/latest)
[![Build Status](https://travis-ci.org/knqyf263/trivy.svg?branch=master)](https://travis-ci.org/knqyf263/trivy)
[![Go Report Card](https://goreportcard.com/badge/github.com/knqyf263/trivy)](https://goreportcard.com/report/github.com/knqyf263/trivy)
[![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/knqyf263/trivy/blob/master/LICENSE)
# Abstract
Scan containers
# Features
# Installation
## RHEL/CentOS
Add repository setting to `/etc/yum.repos.d`.
```
$ sudo vim /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://knqyf263.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
$ sudo yum -y update
$ sudo yum -y install trivy
```
## Debian/Ubuntu
Replace `[CODE_NAME]` with your code name
CODE_NAME: wheezy, jessie, stretch, buster, trusty, xenial, bionic
```
$ sudo apt-get install apt-transport-https gnupg
$ wget -qO - https://knqyf263.github.io/trivy-repo/deb/public.key | sudo apt-key add -
$ echo deb https://knqyf263.github.io/trivy-repo/deb [CODE_NAME] main | sudo tee -a /etc/apt/sources.list
$ sudo apt-get update
$ sudo apt-get install trivy
```
## Mac OS X / Homebrew
You can use homebrew on OS X.
```
$ brew tap knqyf263/trivy
$ brew install knqyf263/trivy/trivy
```
## Binary (Including Windows)
Go to [the releases page](https://github.com/knqyf263/trivy/releases), find the version you want, and download the zip file. Unpack the zip file, and put the binary to somewhere you want (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.
## From source
```sh
$ go get -u github.com/knqyf263/trivy
```
# Examples
# Usage
```
$ trivy -h
NAME:
trivy - A simple and comprehensive vulnerability scanner for containers
USAGE:
main [options] image_name
VERSION:
0.0.1
OPTIONS:
--format value, -f value format (table, json) (default: "table")
--input value, -i value input file path instead of image name
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN")
--output value, -o value output file name
--skip-update skip db update
--clean, -c clean all cache
--debug, -d debug mode
--help, -h show help
--version, -v print the version
```
# Q&A
## Homebrew
### Error: Your macOS keychain GitHub credentials do not have sufficient scope!
```
$ brew tap knqyf263/trivy
Error: Your macOS keychain GitHub credentials do not have sufficient scope!
Scopes they need: none
Scopes they have:
Create a personal access token:
https://github.com/settings/tokens/new?scopes=gist,public_repo&description=Homebrew
echo 'export HOMEBREW_GITHUB_API_TOKEN=your_token_here' >> ~/.zshrc
```
Try:
```
$ printf "protocol=https\nhost=github.com\n" | git credential-osxkeychain erase
```
### Error: knqyf263/trivy/trivy 64 already installed
```
$ brew upgrade
...
Error: knqyf263/trivy/trivy 64 already installed
```
Try:
```
$ brew unlink trivy && brew uninstall trivy
($ rm -rf /usr/local/Cellar/trivy/64)
$ brew install knqyf263/trivy/trivy
```
# Contribute
1. fork a repository: github.com/knqyf263/trivy to github.com/you/repo
2. get original code: `go get github.com/knqyf263/trivy`
3. work on original code
4. add remote to your repo: git remote add myfork https://github.com/you/repo.git
5. push your changes: git push myfork
6. create a new Pull Request
- see [GitHub and Go: forking, pull requests, and go-getting](http://blog.campoy.cat/2014/03/github-and-go-forking-pull-requests-and.html)
----
# License
MIT
# Author
Teppei Fukuda (knqyf263)

20
ci/Dockerfile Normal file
View File

@@ -0,0 +1,20 @@
FROM bepsays/ci-goreleaser:1.12-2
RUN apt-get -y update \
&& apt-get -y install vim rpm reprepro createrepo \
&& wget https://dl.bintray.com/homebrew/mirror/berkeley-db-18.1.32.tar.gz \
# Berkeley DB
&& tar zxvf berkeley-db-18.1.32.tar.gz \
&& cd db-18.1.32/build_unix \
# Linux
&& ../dist/configure --prefix=/usr/local --host=x86_64-linux \
&& make \
&& make install \
# Darwin
&& make clean \
&& ../dist/configure --prefix=/usr/local --host=x86_64-apple-darwin15 \
&& make \
&& make install

17
ci/deploy-deb.sh Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
RELEASES=(wheezy jessie stretch buster trusty xenial bionic)
cd trivy-repo/deb
for release in ${RELEASES[@]}; do
echo "Adding deb package to $release"
reprepro -A i386 remove $release trivy
reprepro -A amd64 remove $release trivy
reprepro includedeb $release ../../dist/*Linux-64bit.deb
reprepro includedeb $release ../../dist/*Linux-32bit.deb
done
git add .
git commit -m "Update deb packages"
git push origin master

20
ci/deploy-rpm.sh Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
RPM_EL6=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e 's/_/-/g' -e 's/-Linux/.el6/' -e 's/-64bit/.x86_64/')
RPM_EL7=$(find dist/ -type f -name "*64bit.rpm" -printf "%f\n" | head -n1 | sed -e 's/_/-/g' -e 's/-Linux/.el7/' -e 's/-64bit/.x86_64/')
cd trivy-repo
mkdir -p rpm/releases/6/x86_64
mkdir -p rpm/releases/7/x86_64
cd rpm
cp ../../dist/*64bit.rpm releases/6/x86_64/${RPM_EL6}
cp ../../dist/*64bit.rpm releases/7/x86_64/${RPM_EL7}
createrepo --update releases/6/x86_64/
createrepo --update releases/7/x86_64/
git add .
git commit -m "Update rpm packages"
git push origin master

67
cmd/remic/main.go Normal file
View File

@@ -0,0 +1,67 @@
package main
import (
"os"
"strings"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/remic"
"github.com/urfave/cli"
"github.com/knqyf263/trivy/pkg/log"
)
func main() {
cli.AppHelpTemplate = `NAME:
{{.Name}}{{if .Usage}} - {{.Usage}}{{end}}
USAGE:
{{if .UsageText}}{{.UsageText}}{{else}}{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{end}}{{if .Version}}{{if not .HideVersion}}
VERSION:
{{.Version}}{{end}}{{end}}{{if .Description}}
DESCRIPTION:
{{.Description}}{{end}}{{if len .Authors}}
AUTHOR{{with $length := len .Authors}}{{if ne 1 $length}}S{{end}}{{end}}:
{{range $index, $author := .Authors}}{{if $index}}
{{end}}{{$author}}{{end}}{{end}}{{if .VisibleCommands}}
OPTIONS:
{{range $index, $option := .VisibleFlags}}{{if $index}}
{{end}}{{$option}}{{end}}{{end}}
`
app := cli.NewApp()
app.Name = "remic"
app.Version = "0.0.1"
app.ArgsUsage = "file"
app.Usage = "A simple and fast tool for detecting vulnerabilities in application dependencies"
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "format, f",
Value: "table",
Usage: "format (table, json)",
},
cli.StringFlag{
Name: "severity, s",
Value: strings.Join(vulnerability.SeverityNames, ","),
Usage: "severity of vulnerabilities to be displayed",
},
cli.StringFlag{
Name: "output, o",
Usage: "output file name",
},
cli.BoolFlag{
Name: "debug, d",
Usage: "debug mode",
},
}
app.Action = func(c *cli.Context) error {
return remic.Run(c)
}
err := app.Run(os.Args)
if err != nil {
log.Logger.Fatal(err)
}
}

84
cmd/trivy/main.go Normal file
View File

@@ -0,0 +1,84 @@
package main
import (
"os"
"strings"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/urfave/cli"
"github.com/knqyf263/trivy/pkg"
"github.com/knqyf263/trivy/pkg/log"
)
var (
version = "dev"
)
func main() {
cli.AppHelpTemplate = `NAME:
{{.Name}}{{if .Usage}} - {{.Usage}}{{end}}
USAGE:
{{if .UsageText}}{{.UsageText}}{{else}}{{.HelpName}} {{if .VisibleFlags}}[options]{{end}} {{if .ArgsUsage}}{{.ArgsUsage}}{{else}}[arguments...]{{end}}{{end}}{{if .Version}}{{if not .HideVersion}}
VERSION:
{{.Version}}{{end}}{{end}}{{if .Description}}
DESCRIPTION:
{{.Description}}{{end}}{{if len .Authors}}
AUTHOR{{with $length := len .Authors}}{{if ne 1 $length}}S{{end}}{{end}}:
{{range $index, $author := .Authors}}{{if $index}}
{{end}}{{$author}}{{end}}{{end}}{{if .VisibleCommands}}
OPTIONS:
{{range $index, $option := .VisibleFlags}}{{if $index}}
{{end}}{{$option}}{{end}}{{end}}
`
app := cli.NewApp()
app.Name = "trivy"
app.Version = version
app.ArgsUsage = "image_name"
app.Usage = "A simple and comprehensive vulnerability scanner for containers"
app.Flags = []cli.Flag{
cli.StringFlag{
Name: "format, f",
Value: "table",
Usage: "format (table, json)",
},
cli.StringFlag{
Name: "input, i",
Value: "",
Usage: "input file path instead of image name",
},
cli.StringFlag{
Name: "severity, s",
Value: strings.Join(vulnerability.SeverityNames, ","),
Usage: "severities of vulnerabilities to be displayed (comma separated)",
},
cli.StringFlag{
Name: "output, o",
Usage: "output file name",
},
cli.BoolFlag{
Name: "skip-update",
Usage: "skip db update",
},
cli.BoolFlag{
Name: "clean, c",
Usage: "clean all cache",
},
cli.BoolFlag{
Name: "debug, d",
Usage: "debug mode",
},
}
app.Action = func(c *cli.Context) error {
return pkg.Run(c)
}
err := app.Run(os.Args)
if err != nil {
log.Logger.Fatal(err)
}
}

39
go.mod Normal file
View File

@@ -0,0 +1,39 @@
module github.com/knqyf263/trivy
go 1.12
require (
github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91
github.com/emirpasic/gods v1.12.0 // indirect
github.com/etcd-io/bbolt v1.3.2
github.com/fatih/color v1.7.0
github.com/gliderlabs/ssh v0.1.3 // indirect
github.com/golang/protobuf v1.3.1 // indirect
github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6
github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b
github.com/knqyf263/go-dep-parser v0.0.0-20190429154931-c377a5391790
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
github.com/knqyf263/go-version v1.1.1
github.com/mattn/go-colorable v0.1.1 // indirect
github.com/mattn/go-runewidth v0.0.4 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/olekukonko/tablewriter v0.0.1
github.com/stretchr/testify v1.3.0 // indirect
github.com/urfave/cli v1.20.0
github.com/xanzy/ssh-agent v0.2.1 // indirect
go.etcd.io/bbolt v1.3.2 // indirect
go.uber.org/atomic v1.3.2 // indirect
go.uber.org/multierr v1.1.0 // indirect
go.uber.org/zap v1.9.1
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 // indirect
golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67 // indirect
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373
gopkg.in/cheggaaa/pb.v1 v1.0.28
gopkg.in/src-d/go-billy.v4 v4.3.0 // indirect
gopkg.in/src-d/go-git-fixtures.v3 v3.4.0 // indirect
gopkg.in/src-d/go-git.v4 v4.10.0
gopkg.in/yaml.v2 v2.2.2
)
replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55

315
go.sum Normal file
View File

@@ -0,0 +1,315 @@
cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.37.4 h1:glPeL3BQJsbF6aIIYfZizMwc5LTYz250bDMjttbBGAU=
cloud.google.com/go v0.37.4/go.mod h1:NHPJ89PdicEuT9hdPXMROBD91xc5uRDxsMtSB16k7hw=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 h1:wykTgKwhVr2t2qs+xI020s6W5dt614QqCHV+7W9dg64=
github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
github.com/Microsoft/go-winio v0.4.11 h1:zoIOcVf0xPN1tnMVbTtEdI+P8OofVk3NObnwOQ6nK2Q=
github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
github.com/aws/aws-sdk-go v1.19.11 h1:tqaTGER6Byw3QvsjGW0p018U2UOqaJPeJuzoaF7jjoQ=
github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91 h1:GMmnK0dvr0Sf0gx3DvTbln0c8DE07B7sPVD9dgHOqo4=
github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91/go.mod h1:hw/JEQBIE+c/BLI4aKM8UU8v+ZqrD3h7HC27kKt8JQU=
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/containerd/continuity v0.0.0-20180921161001-7f53d412b9eb h1:qSMRxG547z/BgQmyVyADxaMADQXVAD9uleP2sQeClbo=
github.com/containerd/continuity v0.0.0-20180921161001-7f53d412b9eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
github.com/coreos/clair v0.0.0-20180919182544-44ae4bc9590a h1:glxUtT0RlaVJU86kg78ygzfhwW6D+uj5H+aOK01QDgI=
github.com/coreos/clair v0.0.0-20180919182544-44ae4bc9590a/go.mod h1:uXhHPWAoRqw0jJc2f8RrPCwRhIo9otQ8OEWUFtpCiwA=
github.com/d4l3k/messagediff v1.2.1 h1:ZcAIMYsUg0EAp9X+tt8/enBE/Q8Yd5kzPynLyKptt9U=
github.com/d4l3k/messagediff v1.2.1/go.mod h1:Oozbb1TVXFac9FtSIxHBMnBCq2qeH/2KkEQxENCrlLo=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/deckarep/golang-set v1.7.1 h1:SCQV0S6gTtp6itiFrTqI+pfmJ4LN85S1YzhDf9rTHJQ=
github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14yDtF28KmMOgQ=
github.com/docker/cli v0.0.0-20180920165730-54c19e67f69c h1:QlAVcyoF7QQVN7zV+xYBjgwtRVlRU3WCTCpb2mcqQrM=
github.com/docker/cli v0.0.0-20180920165730-54c19e67f69c/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v0.0.0-20180920194744-16128bbac47f h1:hYf+mPizfvpH6VgIxdntnOmQHd1F1mQUc1oG+j3Ol2g=
github.com/docker/distribution v0.0.0-20180920194744-16128bbac47f/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f h1:W4fbqg0JUwy6lLesoJaV/rE0fwAmtdtinMa64X1CEh0=
github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-ce v0.0.0-20180924210327-f53bd8bb8e43 h1:gZ4lWixV821UVbYtr+oz1ZPCHkbtE+ivfmHyZRgyl2Y=
github.com/docker/docker-ce v0.0.0-20180924210327-f53bd8bb8e43/go.mod h1:l1FUGRYBvbjnZ8MS6A2xOji4aZFlY/Qmgz7p4oXH7ac=
github.com/docker/docker-credential-helpers v0.6.1 h1:Dq4iIfcM7cNtddhLVWe9h4QDjsi4OER3Z8voPu/I52g=
github.com/docker/docker-credential-helpers v0.6.1/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
github.com/docker/go-connections v0.0.0-20180821093606-97c2040d34df/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916 h1:yWHOI+vFjEsAakUTSrtqc/SAHrhSkmn48pqjidZX3QA=
github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk=
github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
github.com/emirpasic/gods v1.9.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
github.com/etcd-io/bbolt v1.3.2 h1:RLRQ0TKLX7DlBRXAJHvbmXL17Q3KNnTBtZ9B6Qo+/Y0=
github.com/etcd-io/bbolt v1.3.2/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
github.com/fernet/fernet-go v0.0.0-20180830025343-9eac43b88a5e/go.mod h1:2H9hjfbpSMHwY503FclkV/lZTBh2YlOmLLSda12uL8c=
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/genuinetools/pkg v0.0.0-20180910213200-1c141f661797/go.mod h1:XTcrCYlXPxnxL2UpnwuRn7tcaTn9HAhxFoFJucootk8=
github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
github.com/gliderlabs/ssh v0.1.3 h1:cBU46h1lYQk5f2Z+jZbewFKy+1zzE2aUX/ilcPDAm9M=
github.com/gliderlabs/ssh v0.1.3/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.0 h1:xU6/SpYbvkNYiptHJYEDRseDLvYE7wSqhYYNy0QSUzI=
github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e h1:RgQk53JHp/Cjunrr1WlsXSZpqXn+uREuHvUVcK82CV8=
github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg=
github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6 h1:iSztZNfwEPMN2CvUX1SxNEclRZn+rwRMdsnAegxRJk4=
github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6/go.mod h1:OiuWIClssf5WzbMcR8lfspdBVaP+vRQndY4kHeFgrDw=
github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b h1:DiDMmSwuY27PJxA2Gs0+uI/bQ/ehKARaGXRdlp+wFis=
github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
github.com/knqyf263/go-dep-parser v0.0.0-20190429154931-c377a5391790 h1:c02gG0yRNr25lcLOH+678SuuxxMUq36i48PQnmAweWk=
github.com/knqyf263/go-dep-parser v0.0.0-20190429154931-c377a5391790/go.mod h1:CtT+dtv38jSz5EYYCX21LgtVXP+J3soF2fzQT8lHCfY=
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqotkViMNcGMGicb7cgxklx8OwnjtCBmyWEqrRvM=
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
github.com/knqyf263/go-rpmdb v0.0.0-20190501070121-10a1c42a10dc/go.mod h1:MrSSvdMpTSymaQWk1yFr9sxFSyQmKMj6jkbvGrchBV8=
github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9DxI2o=
github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM=
github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4=
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
github.com/mattn/go-colorable v0.1.1 h1:G1f5SKeVxmagw/IyvzvtZE4Gybcc4Tr1tf7I8z0XgOg=
github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
github.com/mattn/go-isatty v0.0.5 h1:tHXDdz1cpzGaovsTB+TVB8q90WEokoVmfMqoVcrLUgw=
github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
github.com/mattn/go-runewidth v0.0.4 h1:2BvfKmzob6Bmd4YsL0zygOqfdFnK7GR4QL06Do4/p7Y=
github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/olekukonko/tablewriter v0.0.1 h1:b3iUnf1v+ppJiOfNX4yxxqfWKMQPZR5yoh8urCTFX88=
github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2 h1:QhPf3A2AZW3tTGvHPg0TA+CR3oHbVLlXUhlghqISp1I=
github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/opencontainers/runc v0.1.1 h1:GlxAyO6x8rfZYN9Tt0Kti5a/cP41iuiO2yYT0IJGY8Y=
github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
github.com/pelletier/go-buffruneio v0.2.0 h1:U4t4R6YkofJ5xHm3dJzuRpPZ0mr5MMCoAWooScCR7aA=
github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
github.com/peterhellberg/link v1.0.0 h1:mUWkiegowUXEcmlb+ybF75Q/8D2Y0BjZtR8cxoKhaQo=
github.com/peterhellberg/link v1.0.0/go.mod h1:gtSlOT4jmkY8P47hbTc8PTgiDDWpdPbFYl75keYyBB8=
github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prometheus/client_golang v0.0.0-20180924113449-f69c853d21c1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829 h1:D+CiwcpGTW6pL6bv6KI3KbyEyCKyS+1JWS2h8PNDnGA=
github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f h1:BVwpUVJDADN2ufcGik7W992pyps0wZ888b/y9GXcLTU=
github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.2.0 h1:kUZDBDTdBVBYBj5Tmh2NZLlF60mfjA27rM34b+cVwNU=
github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/procfs v0.0.0-20180920065004-418d78d0b9a7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1 h1:/K3IL0Z1quvmJ7X0A1AwNEK7CRkVK3YwfOU/QAL4WGg=
github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
github.com/shurcooL/httpfs v0.0.0-20171119174359-809beceb2371/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo=
github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55 h1:O7Xl4zpk6zjYnwxUd7lubrx7xdzQ+PqfTgaxLE9nF+o=
github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55/go.mod h1:12Fe9EIvK3dG/qWhNk5e9O96I8SGmCKLsJ8GsXUbk+Y=
github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
github.com/xanzy/ssh-agent v0.2.0/go.mod h1:0NyE30eGUDliuLEHJgYte/zncp2zdTStcOnWhgSqHD8=
github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70=
github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk=
go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
go.uber.org/atomic v1.3.2 h1:2Oa65PReHzfn29GpvgsYwloV9AVFHPDk8tYxt2c2tr4=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
go.uber.org/zap v1.9.1 h1:XCJQEf3W6eZaVwhRBof6ImoYGJSITeKWsyeh3HFu/5o=
go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20180910181607-0e37d006457b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 h1:bselrhR0Or1vomJZC8ZIjWtbDmn9OYFLX5Ik9alpJpE=
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180925072008-f04abc6bdfa7/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 h1:Wo7BWFiOk0QRFMLYMqJGFMd9CgUAcGx7V+qEg/h5IBI=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180903190138-2b024373dcd9/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180925112736-b09afc3d579e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67 h1:1Fzlr8kkDLQwqMP8GxrhptBLqZG/EDpiATneiZHY998=
golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2 h1:z99zHgr7hKfrUcX/KsoJk5FJfjTceCKIp96+biqP4To=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c h1:fqgJT0MGcGpPgpWU7VRdRjuArfcOvC4AoJmILihzhDg=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373 h1:PPwnA7z1Pjf7XYaBP9GL1VAMZmcIWyFz7QCMSIIa3Bg=
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20180924164928-221a8d4f7494/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107 h1:xtNn7qFlagY2mQNFHMSRPjT2RkOV4OXM7P5TVy9xATo=
google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/grpc v1.15.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
google.golang.org/grpc v1.19.0 h1:cfg4PD8YEdSFnm7qLV4++93WcmhH2nIUhMjhdCvl3j8=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
gopkg.in/src-d/go-billy.v4 v4.2.1/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
gopkg.in/src-d/go-billy.v4 v4.3.0 h1:KtlZ4c1OWbIs4jCv5ZXrTqG8EQocr0g/d4DjNg70aek=
gopkg.in/src-d/go-billy.v4 v4.3.0/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
gopkg.in/src-d/go-git-fixtures.v3 v3.1.1/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
gopkg.in/src-d/go-git-fixtures.v3 v3.4.0 h1:KFpaNTUcLHLoP/OkdcRXR+MA5p55MhA41YVb7Wd8EfM=
gopkg.in/src-d/go-git-fixtures.v3 v3.4.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
gopkg.in/src-d/go-git.v4 v4.10.0 h1:NWjTJTQnk8UpIGlssuefyDZ6JruEjo5s88vm88uASbw=
gopkg.in/src-d/go-git.v4 v4.10.0/go.mod h1:Vtut8izDyrM8BUVQnzJ+YvmNcem2J89EmfZYCkLokZk=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gotest.tools v2.1.0+incompatible h1:5USw7CrJBYKqjg9R7QlA6jzqZKEAtvW82aNmsxxGPxw=
gotest.tools v2.1.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

81
goreleaser.yml Normal file
View File

@@ -0,0 +1,81 @@
project_name: trivy
builds:
- main: cmd/trivy/main.go
binary: trivy
ldflags:
- -s -w
- "-extldflags '-static'"
- -X main.version={{.Version}}
env:
- CGO_ENABLED=0
goos:
- darwin
- linux
- windows
- freebsd
- openbsd
goarch:
- amd64
- 386
- arm
- arm64
goarm:
- 7
nfpm:
formats:
- deb
- rpm
dependencies:
- rpm
vendor: "knqyf263"
homepage: "https://github.com/knqyf263"
maintainer: "Teppei Fukuda <knqyf263@gmail.com>"
description: "A Fast Vulnerability Scanner for Containers"
license: "MIT"
name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
replacements:
amd64: 64bit
386: 32bit
arm: ARM
arm64: ARM64
darwin: macOS
linux: Linux
windows: Windows
openbsd: OpenBSD
netbsd: NetBSD
freebsd: FreeBSD
dragonfly: DragonFlyBSD
archive:
format: tar.gz
format_overrides:
- goos: windows
format: zip
name_template: "{{.ProjectName}}_{{.Version}}_{{.Os}}-{{.Arch}}"
replacements:
amd64: 64bit
386: 32bit
arm: ARM
arm64: ARM64
darwin: macOS
linux: Linux
windows: Windows
openbsd: OpenBSD
netbsd: NetBSD
freebsd: FreeBSD
dragonfly: DragonFlyBSD
files:
- README.md
- LICENSE
brew:
github:
owner: knqyf263
name: homebrew-trivy
dependencies:
- rpm
homepage: "https://github.com/knqyf263/trivy"
description: ""
test: |
system "#{bin}/program --version"

116
pkg/db/db.go Normal file
View File

@@ -0,0 +1,116 @@
package db
import (
"encoding/json"
"github.com/knqyf263/trivy/pkg/log"
"os"
"path/filepath"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/utils"
bolt "github.com/etcd-io/bbolt"
)
var (
db *bolt.DB
)
func Init() (err error) {
dbDir := filepath.Join(utils.CacheDir(), "db")
if err = os.MkdirAll(dbDir, 0700); err != nil {
return xerrors.Errorf("failed to mkdir: %w", err)
}
dbPath := filepath.Join(dbDir, "trivy.db")
log.Logger.Debugf("db path: %s", dbPath)
db, err = bolt.Open(dbPath, 0600, nil)
if err != nil {
return xerrors.Errorf("failed to open db: %w", err)
}
return nil
}
func Update(rootBucket, nestedBucket, key string, value interface{}) error {
err := db.Update(func(tx *bolt.Tx) error {
return PutNestedBucket(tx, rootBucket, nestedBucket, key, value)
})
if err != nil {
return xerrors.Errorf("error in db update: %w", err)
}
return err
}
func PutNestedBucket(tx *bolt.Tx, rootBucket, nestedBucket, key string, value interface{}) error {
root, err := tx.CreateBucketIfNotExists([]byte(rootBucket))
if err != nil {
return xerrors.Errorf("failed to create a bucket: %w", err)
}
return Put(root, nestedBucket, key, value)
}
func Put(root *bolt.Bucket, nestedBucket, key string, value interface{}) error {
nested, err := root.CreateBucketIfNotExists([]byte(nestedBucket))
if err != nil {
return xerrors.Errorf("failed to create a bucket: %w", err)
}
v, err := json.Marshal(value)
if err != nil {
return xerrors.Errorf("failed to unmarshal JSON: %w", err)
}
return nested.Put([]byte(key), v)
}
func BatchUpdate(fn func(tx *bolt.Tx) error) error {
err := db.Batch(func(tx *bolt.Tx) error {
return fn(tx)
})
if err != nil {
return xerrors.Errorf("error in batch update: %w", err)
}
return nil
}
func Get(rootBucket, nestedBucket, key string) (value []byte, err error) {
err = db.View(func(tx *bolt.Tx) error {
root := tx.Bucket([]byte(rootBucket))
if root == nil {
return nil
}
nested := root.Bucket([]byte(nestedBucket))
if nested == nil {
return nil
}
value = nested.Get([]byte(key))
return nil
})
if err != nil {
return nil, xerrors.Errorf("failed to get data from db: %w", err)
}
return value, nil
}
func ForEach(rootBucket, nestedBucket string) (value map[string][]byte, err error) {
value = map[string][]byte{}
err = db.View(func(tx *bolt.Tx) error {
root := tx.Bucket([]byte(rootBucket))
if root == nil {
return nil
}
nested := root.Bucket([]byte(nestedBucket))
if nested == nil {
return nil
}
err := nested.ForEach(func(k, v []byte) error {
value[string(k)] = v
return nil
})
if err != nil {
return xerrors.Errorf("error in db foreach: %w", err)
}
return nil
})
if err != nil {
return nil, xerrors.Errorf("failed to get all key/value in the specified bucket: %w", err)
}
return value, nil
}

188
pkg/git/git.go Normal file
View File

@@ -0,0 +1,188 @@
package git
import (
"os"
"path/filepath"
"strings"
"time"
"github.com/briandowns/spinner"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/utils"
"golang.org/x/xerrors"
git "gopkg.in/src-d/go-git.v4"
"gopkg.in/src-d/go-git.v4/plumbing/object"
"gopkg.in/src-d/go-git.v4/plumbing/storer"
)
func CloneOrPull(url, repoPath string) (map[string]struct{}, error) {
exists, err := utils.Exists(filepath.Join(repoPath, ".git"))
if err != nil {
return nil, xerrors.Errorf("failed to check if a file exists: %w", err)
}
updatedFiles := map[string]struct{}{}
if exists {
log.Logger.Debug("git pull")
files, err := pull(repoPath)
if err != nil {
return nil, xerrors.Errorf("failed to pull repository: %w", err)
}
for _, filename := range files {
updatedFiles[strings.TrimSpace(filename)] = struct{}{}
}
} else {
log.Logger.Debug("remove an existed directory")
s := spinner.New(spinner.CharSets[36], 100*time.Millisecond)
s.Suffix = " The first time will take a while..."
s.Start()
defer s.Stop()
if err = os.RemoveAll(repoPath); err != nil {
return nil, xerrors.Errorf("failed to remove an existed directory: %w", err)
}
if err = os.MkdirAll(repoPath, 0700); err != nil {
return nil, xerrors.Errorf("failed to mkdir: %w", err)
}
if err := clone(url, repoPath); err != nil {
return nil, xerrors.Errorf("failed to clone repository: %w", err)
}
err = filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error {
if info.IsDir() {
return nil
}
rel, err := filepath.Rel(repoPath, path)
if err != nil {
return xerrors.Errorf("failed to get a relative path: %w", err)
}
updatedFiles[rel] = struct{}{}
return nil
})
if err != nil {
return nil, xerrors.Errorf("error in file walk: %w", err)
}
}
return updatedFiles, nil
}
func clone(url, repoPath string) error {
if utils.IsCommandAvailable("git") {
return cloneByOSCommand(url, repoPath)
}
log.Logger.Warn("Recommend installing git (if not, DB update is very slow)")
_, err := git.PlainClone(repoPath, false, &git.CloneOptions{
URL: url,
})
if err != nil && err != git.ErrRepositoryAlreadyExists {
return xerrors.Errorf("unexpected error in git clone: %w", err)
}
return nil
}
func cloneByOSCommand(url, repoPath string) error {
commandAndArgs := []string{"clone", url, repoPath}
_, err := utils.Exec("git", commandAndArgs)
if err != nil {
return xerrors.Errorf("error in git clone: %w", err)
}
return nil
}
func pull(repoPath string) ([]string, error) {
if utils.IsCommandAvailable("git") {
return pullByOSCommand(repoPath)
}
r, err := git.PlainOpen(repoPath)
if err != nil {
return nil, xerrors.Errorf("failed to open repository: %w", err)
}
log.Logger.Debug("Retrieve the branch being pointed by HEAD")
ref, err := r.Head()
if err != nil {
return nil, xerrors.Errorf("failed to get HEAD: %w", err)
}
log.Logger.Debug("Get the working directory for the repository")
w, err := r.Worktree()
if err != nil {
return nil, xerrors.Errorf("failed to get the working directory: %w", err)
}
log.Logger.Debug("Pull the latest changes from the origin remote and merge into the current branch")
err = w.Pull(&git.PullOptions{RemoteName: "origin"})
if err != nil && err != git.NoErrAlreadyUpToDate {
return nil, err
} else if err == git.NoErrAlreadyUpToDate {
return []string{}, nil
}
log.Logger.Debug("Retrieve the commit history")
commits, err := r.Log(&git.LogOptions{})
if err != nil {
return nil, xerrors.Errorf("error in git log: %w", err)
}
log.Logger.Debug("Detect the updated files")
var prevCommit *object.Commit
var updatedFiles []string
err = commits.ForEach(func(commit *object.Commit) error {
if prevCommit == nil {
prevCommit = commit
return nil
}
patch, err := commit.Patch(prevCommit)
if err != nil {
return xerrors.Errorf("error in patch: %w", err)
}
for _, stat := range patch.Stats() {
updatedFiles = append(updatedFiles, stat.Name)
}
if commit.Hash == ref.Hash() {
return storer.ErrStop
}
prevCommit = commit
return nil
})
if err != nil {
return nil, xerrors.Errorf("error in commit foreach: %w", err)
}
return updatedFiles, nil
}
func pullByOSCommand(repoPath string) ([]string, error) {
gitDir := filepath.Join(repoPath, ".git")
commandArgs := []string{"--git-dir", gitDir, "--work-tree", repoPath}
revParseCmd := []string{"rev-parse", "HEAD"}
output, err := utils.Exec("git", append(commandArgs, revParseCmd...))
if err != nil {
return nil, xerrors.Errorf("error in git rev-parse: %w", err)
}
commitHash := strings.TrimSpace(output)
pullCmd := []string{"pull", "origin", "master"}
_, err = utils.Exec("git", append(commandArgs, pullCmd...))
if err != nil {
return nil, xerrors.Errorf("error in git pull: %w", err)
}
diffCmd := []string{"diff", commitHash, "HEAD", "--name-only"}
output, err = utils.Exec("git", append(commandArgs, diffCmd...))
if err != nil {
return nil, xerrors.Errorf("error in git diff: %w", err)
}
updatedFiles := strings.Split(strings.TrimSpace(output), "\n")
return updatedFiles, nil
}

55
pkg/log/logger.go Normal file
View File

@@ -0,0 +1,55 @@
package log
import (
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
"golang.org/x/xerrors"
)
var Logger *zap.SugaredLogger
func InitLogger(debug bool) (err error) {
Logger, err = newLogger(debug)
if err != nil {
return xerrors.Errorf("error in new logger: %w", err)
}
return nil
}
func newLogger(debug bool) (*zap.SugaredLogger, error) {
level := zap.NewAtomicLevel()
if debug {
level.SetLevel(zapcore.DebugLevel)
} else {
level.SetLevel(zapcore.InfoLevel)
}
myConfig := zap.Config{
Level: level,
Encoding: "console",
Development: debug,
DisableStacktrace: !debug,
DisableCaller: !debug,
EncoderConfig: zapcore.EncoderConfig{
TimeKey: "Time",
LevelKey: "Level",
NameKey: "Name",
CallerKey: "Caller",
MessageKey: "Msg",
StacktraceKey: "St",
EncodeLevel: zapcore.CapitalColorLevelEncoder,
EncodeTime: zapcore.ISO8601TimeEncoder,
EncodeDuration: zapcore.StringDurationEncoder,
EncodeCaller: zapcore.ShortCallerEncoder,
},
OutputPaths: []string{"stdout"},
ErrorOutputPaths: []string{"stderr"},
}
logger, err := myConfig.Build()
if err != nil {
return nil, xerrors.Errorf("failed to build zap config: %w", err)
}
return logger.Sugar(), nil
}

85
pkg/remic/run.go Normal file
View File

@@ -0,0 +1,85 @@
package remic
import (
l "log"
"os"
"strings"
"github.com/knqyf263/trivy/pkg/scanner"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/vulnsrc"
"github.com/urfave/cli"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/db"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/report"
)
func Run(c *cli.Context) (err error) {
debug := c.Bool("debug")
if err = log.InitLogger(debug); err != nil {
l.Fatal(err)
}
args := c.Args()
if len(args) == 0 {
return xerrors.New(`remic" requires at least 1 argument.`)
}
o := c.String("output")
output := os.Stdout
if o != "" {
if output, err = os.Create(o); err != nil {
return err
}
}
var severities []vulnerability.Severity
for _, s := range strings.Split(c.String("severity"), ",") {
severity, err := vulnerability.NewSeverity(s)
if err != nil {
return err
}
severities = append(severities, severity)
}
if err = db.Init(); err != nil {
return err
}
if err = vulnsrc.Update(); err != nil {
return err
}
fileName := args[0]
f, err := os.Open(fileName)
if err != nil {
return xerrors.Errorf("failed to open a file: %w", err)
}
defer f.Close()
result, err := scanner.ScanFile(f, severities)
if err != nil {
return xerrors.Errorf("failed to scan a file: %w", err)
}
var writer report.Writer
switch c.String("format") {
case "table":
writer = &report.TableWriter{Output: output}
case "json":
writer = &report.JsonWriter{Output: output}
default:
return xerrors.New("unknown format")
}
if err = writer.Write([]report.Result{result}); err != nil {
return xerrors.Errorf("failed to write results: %w", err)
}
return nil
}

87
pkg/report/writer.go Normal file
View File

@@ -0,0 +1,87 @@
package report
import (
"encoding/json"
"fmt"
"io"
"strings"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/types"
"github.com/olekukonko/tablewriter"
)
type Results []Result
type Result struct {
FileName string `json:"file"`
Vulnerabilities []types.Vulnerability
}
type Writer interface {
Write(Results) error
}
type TableWriter struct {
Output io.Writer
}
func (tw TableWriter) Write(results Results) error {
for _, result := range results {
tw.write(result)
}
return nil
}
func (tw TableWriter) write(result Result) {
table := tablewriter.NewWriter(tw.Output)
table.SetHeader([]string{"Library", "Vulnerability ID", "Severity", "Installed Version", "Fixed Version", "Title"})
severityCount := map[string]int{}
for _, v := range result.Vulnerabilities {
severityCount[v.Severity]++
table.Append([]string{v.PkgName, v.VulnerabilityID, vulnerability.ColorizeSeverity(v.Severity),
v.InstalledVersion, v.FixedVersion, v.Title})
}
var results []string
for _, severity := range vulnerability.SeverityNames {
r := fmt.Sprintf("%s: %d", severity, severityCount[severity])
results = append(results, r)
}
fmt.Printf("\n%s\n", result.FileName)
fmt.Println(strings.Repeat("=", len(result.FileName)))
fmt.Printf("Total: %d (%s)\n\n", len(result.Vulnerabilities), strings.Join(results, ", "))
if len(result.Vulnerabilities) == 0 {
return
}
table.SetAutoMergeCells(true)
table.SetRowLine(true)
table.Render()
return
}
type JsonWriter struct {
Output io.Writer
}
func (jw JsonWriter) Write(results Results) error {
out := map[string][]types.Vulnerability{}
for _, result := range results {
out[result.FileName] = result.Vulnerabilities
}
output, err := json.MarshalIndent(out, "", " ")
if err != nil {
return xerrors.Errorf("failed to marshal json: %w", err)
}
if _, err = fmt.Fprint(jw.Output, string(output)); err != nil {
return xerrors.Errorf("failed to write json: %w", err)
}
return nil
}

95
pkg/run.go Normal file
View File

@@ -0,0 +1,95 @@
package pkg
import (
l "log"
"os"
"strings"
"github.com/knqyf263/trivy/pkg/utils"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/report"
"github.com/knqyf263/trivy/pkg/scanner"
"github.com/knqyf263/trivy/pkg/vulnsrc"
"github.com/urfave/cli"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/db"
"github.com/knqyf263/trivy/pkg/log"
)
func Run(c *cli.Context) (err error) {
debug := c.Bool("debug")
if err = log.InitLogger(debug); err != nil {
l.Fatal(err)
}
log.Logger.Debugf("cache dir: %s", utils.CacheDir())
args := c.Args()
filePath := c.String("input")
if filePath == "" && len(args) == 0 {
log.Logger.Info(`trivy" requires at least 1 argument or --input option.`)
cli.ShowAppHelpAndExit(c, 1)
}
clean := c.Bool("clean")
if clean {
log.Logger.Info("Cleaning caches...")
if err = os.RemoveAll(utils.CacheDir()); err != nil {
return xerrors.New("failed to remove cache")
}
}
o := c.String("output")
output := os.Stdout
if o != "" {
if output, err = os.Create(o); err != nil {
return xerrors.Errorf("failed to create an output file: %w", err)
}
}
var severities []vulnerability.Severity
for _, s := range strings.Split(c.String("severity"), ",") {
severity, err := vulnerability.NewSeverity(s)
if err != nil {
return xerrors.Errorf("error in severity option: %w", err)
}
severities = append(severities, severity)
}
if err = db.Init(); err != nil {
return xerrors.Errorf("error in vulnerability DB initialize: %w", err)
}
if !c.Bool("skip-update") {
if err = vulnsrc.Update(); err != nil {
return xerrors.Errorf("error in vulnerability DB update: %w", err)
}
}
var imageName string
if filePath == "" {
imageName = args[0]
}
results, err := scanner.ScanImage(imageName, filePath, severities)
if err != nil {
return xerrors.Errorf("error in image scan: %w", err)
}
var writer report.Writer
switch c.String("format") {
case "table":
writer = &report.TableWriter{Output: output}
case "json":
writer = &report.JsonWriter{Output: output}
default:
xerrors.New("unknown format")
}
if err = writer.Write(results); err != nil {
return err
}
return nil
}

80
pkg/scanner/library/bundler/advisory.go Normal file
View File

@@ -0,0 +1,80 @@
package bundler
import (
"io/ioutil"
"os"
"path/filepath"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/git"
"github.com/knqyf263/trivy/pkg/utils"
"gopkg.in/yaml.v2"
)
const (
dbURL = "https://github.com/rubysec/ruby-advisory-db.git"
)
var (
repoPath = filepath.Join(utils.CacheDir(), "ruby-advisory-db")
)
type AdvisoryDB map[string][]Advisory
type Advisory struct {
Gem string
Cve string
Osvdb string
Title string
Url string
PatchedVersions []string `yaml:"patched_versions"`
UnaffectedVersions []string `yaml:"unaffected_versions"`
Related Related
}
type Related struct {
Cve []string
Url []string
}
func (s *Scanner) UpdateDB() (err error) {
if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
return xerrors.Errorf("error in %s security DB update: %w", s.Type(), err)
}
s.db, err = walk()
return err
}
func walk() (AdvisoryDB, error) {
advisoryDB := AdvisoryDB{}
root := filepath.Join(repoPath, "gems")
err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
if info.IsDir() {
return nil
}
buf, err := ioutil.ReadFile(path)
if err != nil {
return xerrors.Errorf("failed to read a file: %w", err)
}
advisory := Advisory{}
err = yaml.Unmarshal(buf, &advisory)
if err != nil {
return xerrors.Errorf("failed to unmarshal YAML: %w", err)
}
advisories, ok := advisoryDB[advisory.Gem]
if !ok {
advisories = []Advisory{}
}
advisoryDB[advisory.Gem] = append(advisories, advisory)
return nil
})
if err != nil {
return nil, xerrors.Errorf("error in file wakl: %w", err)
}
return advisoryDB, nil
}

67
pkg/scanner/library/bundler/scan.go Normal file
View File

@@ -0,0 +1,67 @@
package bundler
import (
"fmt"
"os"
"strings"
"github.com/knqyf263/go-dep-parser/pkg/bundler"
ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
"github.com/knqyf263/go-version"
"github.com/knqyf263/trivy/pkg/scanner/utils"
"github.com/knqyf263/trivy/pkg/types"
"golang.org/x/xerrors"
)
const (
scannerType = "bundler"
)
type Scanner struct {
db AdvisoryDB
}
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]types.Vulnerability, error) {
var vulns []types.Vulnerability
for _, advisory := range s.db[pkgName] {
if utils.MatchVersions(pkgVer, advisory.PatchedVersions) {
continue
}
if utils.MatchVersions(pkgVer, advisory.UnaffectedVersions) {
continue
}
var vulnerabilityID string
if advisory.Cve != "" {
vulnerabilityID = fmt.Sprintf("CVE-%s", advisory.Cve)
} else if advisory.Osvdb != "" {
vulnerabilityID = fmt.Sprintf("OSVDB-%s", advisory.Osvdb)
}
vuln := types.Vulnerability{
VulnerabilityID: vulnerabilityID,
PkgName: strings.TrimSpace(advisory.Gem),
Title: strings.TrimSpace(advisory.Title),
InstalledVersion: pkgVer.String(),
FixedVersion: strings.Join(advisory.PatchedVersions, ", "),
}
vulns = append(vulns, vuln)
}
return vulns, nil
}
func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) {
libs, err := bundler.Parse(f)
if err != nil {
return nil, xerrors.Errorf("invalid Gemfile.lock format: %w", err)
}
return libs, nil
}
func (s *Scanner) Type() string {
return scannerType
}

73
pkg/scanner/library/composer/advisory.go Normal file
View File

@@ -0,0 +1,73 @@
package composer
import (
"io/ioutil"
"os"
"path/filepath"
"strings"
"github.com/knqyf263/trivy/pkg/utils"
"github.com/knqyf263/trivy/pkg/git"
"gopkg.in/yaml.v2"
)
const (
dbURL = "https://github.com/FriendsOfPHP/security-advisories"
)
var (
repoPath = filepath.Join(utils.CacheDir(), "php-security-advisories")
)
type AdvisoryDB map[string][]Advisory
type Advisory struct {
Cve string
Title string
Link string
Reference string
Branches map[string]Branch
}
type Branch struct {
Versions []string
}
func (s *Scanner) UpdateDB() (err error) {
if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
return err
}
s.db, err = walk()
return err
}
func walk() (AdvisoryDB, error) {
advisoryDB := AdvisoryDB{}
err := filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error {
if info.IsDir() || !strings.HasPrefix(info.Name(), "CVE-") {
return nil
}
buf, err := ioutil.ReadFile(path)
if err != nil {
return err
}
advisory := Advisory{}
err = yaml.Unmarshal(buf, &advisory)
if err != nil {
return err
}
advisories, ok := advisoryDB[advisory.Reference]
if !ok {
advisories = []Advisory{}
}
advisoryDB[advisory.Reference] = append(advisories, advisory)
return nil
})
if err != nil {
return nil, err
}
return advisoryDB, nil
}

69
pkg/scanner/library/composer/scan.go Normal file
View File

@@ -0,0 +1,69 @@
package composer
import (
"fmt"
"os"
"strings"
"golang.org/x/xerrors"
"github.com/knqyf263/go-dep-parser/pkg/composer"
ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
"github.com/knqyf263/go-version"
"github.com/knqyf263/trivy/pkg/scanner/utils"
"github.com/knqyf263/trivy/pkg/types"
)
const (
scannerType = "composer"
)
type Scanner struct {
db AdvisoryDB
}
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]types.Vulnerability, error) {
var vulns []types.Vulnerability
ref := fmt.Sprintf("composer://%s", pkgName)
for _, advisory := range s.db[ref] {
var affectedVersions []string
var patchedVersions []string
for _, branch := range advisory.Branches {
for _, version := range branch.Versions {
if !strings.HasPrefix(version, "<=") && strings.HasPrefix(version, "<") {
patchedVersions = append(patchedVersions, strings.Trim(version, "<"))
}
}
affectedVersions = append(affectedVersions, strings.Join(branch.Versions, ", "))
}
if !utils.MatchVersions(pkgVer, affectedVersions) {
continue
}
vuln := types.Vulnerability{
VulnerabilityID: advisory.Cve,
PkgName: pkgName,
Title: strings.TrimSpace(advisory.Title),
InstalledVersion: pkgVer.String(),
FixedVersion: strings.Join(patchedVersions, ", "),
}
vulns = append(vulns, vuln)
}
return vulns, nil
}
func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) {
libs, err := composer.Parse(f)
if err != nil {
return nil, xerrors.Errorf("invalid composer.lock format: %w", err)
}
return libs, nil
}
func (s *Scanner) Type() string {
return scannerType
}

83
pkg/scanner/library/npm/advisory.go Normal file
View File

@@ -0,0 +1,83 @@
package npm
import (
"encoding/json"
"os"
"path/filepath"
"strconv"
"strings"
"github.com/knqyf263/trivy/pkg/utils"
"github.com/knqyf263/trivy/pkg/git"
)
const (
dbURL = "https://github.com/nodejs/security-wg.git"
)
var (
repoPath = filepath.Join(utils.CacheDir(), "nodejs-security-wg")
)
type AdvisoryDB map[string][]Advisory
type Advisory struct {
ID int
Title string
ModuleName string `json:"module_name""`
Cves []string
VulnerableVersions string `json:"vulnerable_versions"`
PatchedVersions string `json:"patched_versions"`
Recommendation string
References []string
CvssScoreNumber json.Number `json:"cvss_score"`
CvssScore float64
}
func (s *Scanner) UpdateDB() (err error) {
if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
return err
}
s.db, err = walk()
return err
}
func walk() (AdvisoryDB, error) {
advisoryDB := AdvisoryDB{}
err := filepath.Walk(filepath.Join(repoPath, "vuln"), func(path string, info os.FileInfo, err error) error {
if info.IsDir() || !strings.HasSuffix(info.Name(), ".json") {
return nil
}
f, err := os.Open(path)
if err != nil {
return err
}
defer f.Close()
advisory := Advisory{}
if err = json.NewDecoder(f).Decode(&advisory); err != nil {
return err
}
advisory.ModuleName = strings.ToLower(advisory.ModuleName)
// `cvss_score` returns float or string like "4.8 (MEDIUM)"
s := strings.Split(advisory.CvssScoreNumber.String(), " ")
advisory.CvssScore, err = strconv.ParseFloat(s[0], 64)
if err != nil {
advisory.CvssScore = -1
}
advisories, ok := advisoryDB[advisory.ModuleName]
if !ok {
advisories = []Advisory{}
}
advisoryDB[advisory.ModuleName] = append(advisories, advisory)
return nil
})
if err != nil {
return nil, err
}
return advisoryDB, nil
}

82
pkg/scanner/library/npm/scan.go Normal file
View File

@@ -0,0 +1,82 @@
package npm
import (
"fmt"
"os"
"strings"
"golang.org/x/xerrors"
"github.com/knqyf263/go-dep-parser/pkg/npm"
ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
"github.com/knqyf263/go-version"
"github.com/knqyf263/trivy/pkg/scanner/utils"
"github.com/knqyf263/trivy/pkg/types"
)
const (
scannerType = "npm"
)
type Scanner struct {
db AdvisoryDB
}
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]types.Vulnerability, error) {
replacer := strings.NewReplacer(".alpha", "-alpha", ".beta", "-beta", ".rc", "-rc", " <", ", <", " >", ", >")
var vulns []types.Vulnerability
for _, advisory := range s.db[pkgName] {
// e.g. <= 2.15.0 || >= 3.0.0 <= 3.8.2
// => {"<=2.15.0", ">= 3.0.0, <= 3.8.2"}
var vulnerableVersions []string
for _, version := range strings.Split(advisory.VulnerableVersions, " || ") {
version = strings.TrimSpace(version)
vulnerableVersions = append(vulnerableVersions, replacer.Replace(version))
}
if !utils.MatchVersions(pkgVer, vulnerableVersions) {
continue
}
var patchedVersions []string
for _, version := range strings.Split(advisory.PatchedVersions, " || ") {
version = strings.TrimSpace(version)
patchedVersions = append(patchedVersions, replacer.Replace(version))
}
if utils.MatchVersions(pkgVer, patchedVersions) {
continue
}
if len(advisory.Cves) == 0 {
advisory.Cves = []string{fmt.Sprintf("NSWG-ECO-%d", advisory.ID)}
}
for _, cveID := range advisory.Cves {
vuln := types.Vulnerability{
VulnerabilityID: cveID,
PkgName: pkgName,
Title: strings.TrimSpace(advisory.Title),
InstalledVersion: pkgVer.String(),
FixedVersion: strings.Join(patchedVersions, ", "),
}
vulns = append(vulns, vuln)
}
}
return vulns, nil
}
func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) {
libs, err := npm.Parse(f)
if err != nil {
return nil, xerrors.Errorf("invalid package-lock.json format: %w", err)
}
return libs, nil
}
func (s *Scanner) Type() string {
return scannerType
}

57
pkg/scanner/library/pipenv/advisory.go Normal file
View File

@@ -0,0 +1,57 @@
package pipenv
import (
"encoding/json"
"os"
"path/filepath"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/utils"
"github.com/knqyf263/trivy/pkg/git"
)
const (
dbURL = "https://github.com/pyupio/safety-db.git"
)
var (
repoPath = filepath.Join(utils.CacheDir(), "python-safety-db")
)
type AdvisoryDB map[string][]Advisory
type Advisory struct {
ID string
Advisory string
Cve string
Specs []string
Version string `json:"v"`
}
func (s *Scanner) UpdateDB() (err error) {
if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
return err
}
s.db, err = parse()
if err != nil {
return xerrors.Errorf("failed to parse python safety-db: %w", err)
}
return nil
}
func parse() (AdvisoryDB, error) {
advisoryDB := AdvisoryDB{}
f, err := os.Open(filepath.Join(repoPath, "data", "insecure_full.json"))
if err != nil {
return nil, err
}
defer f.Close()
if err = json.NewDecoder(f).Decode(&advisoryDB); err != nil {
return nil, err
}
return advisoryDB, nil
}

73
pkg/scanner/library/pipenv/scan.go Normal file
View File

@@ -0,0 +1,73 @@
package pipenv
import (
"os"
"strings"
"golang.org/x/xerrors"
"github.com/knqyf263/go-dep-parser/pkg/pipenv"
ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
"github.com/knqyf263/go-version"
"github.com/knqyf263/trivy/pkg/scanner/utils"
"github.com/knqyf263/trivy/pkg/types"
)
const (
scannerType = "pipenv"
)
type Scanner struct {
db AdvisoryDB
}
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]types.Vulnerability, error) {
var vulns []types.Vulnerability
for _, advisory := range s.db[pkgName] {
if !utils.MatchVersions(pkgVer, advisory.Specs) {
continue
}
vulnerabilityID := advisory.Cve
if vulnerabilityID == "" {
vulnerabilityID = advisory.ID
}
vuln := types.Vulnerability{
VulnerabilityID: vulnerabilityID,
PkgName: pkgName,
Title: strings.TrimSpace(advisory.Advisory),
InstalledVersion: pkgVer.String(),
FixedVersion: createFixedVersions(advisory.Specs),
}
vulns = append(vulns, vuln)
}
return vulns, nil
}
func createFixedVersions(specs []string) string {
var fixedVersions []string
for _, spec := range specs {
for _, s := range strings.Split(spec, ",") {
if !strings.HasPrefix(s, "<=") && strings.HasPrefix(s, "<") {
fixedVersions = append(fixedVersions, strings.TrimPrefix(s, "<"))
}
}
}
return strings.Join(fixedVersions, ", ")
}
func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) {
libs, err := pipenv.Parse(f)
if err != nil {
return nil, xerrors.Errorf("invalid Pipfile.lock format: %w", err)
}
return libs, nil
}
func (s *Scanner) Type() string {
return scannerType
}

116
pkg/scanner/library/scan.go Normal file
View File

@@ -0,0 +1,116 @@
package library
import (
"os"
"path/filepath"
"github.com/knqyf263/fanal/analyzer"
_ "github.com/knqyf263/fanal/analyzer/library/bundler"
_ "github.com/knqyf263/fanal/analyzer/library/composer"
_ "github.com/knqyf263/fanal/analyzer/library/npm"
_ "github.com/knqyf263/fanal/analyzer/library/pipenv"
"github.com/knqyf263/fanal/extractor"
ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
"github.com/knqyf263/go-version"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/scanner/library/bundler"
"github.com/knqyf263/trivy/pkg/scanner/library/composer"
"github.com/knqyf263/trivy/pkg/scanner/library/npm"
"github.com/knqyf263/trivy/pkg/scanner/library/pipenv"
"github.com/knqyf263/trivy/pkg/types"
"golang.org/x/xerrors"
)
type Scanner interface {
UpdateDB() error
ParseLockfile(*os.File) ([]ptypes.Library, error)
Detect(string, *version.Version) ([]types.Vulnerability, error)
Type() string
}
func NewScanner(filename string) Scanner {
var scanner Scanner
switch filename {
case "Gemfile.lock":
scanner = bundler.NewScanner()
case "composer.lock":
scanner = composer.NewScanner()
case "package-lock.json":
scanner = npm.NewScanner()
case "Pipfile.lock":
scanner = pipenv.NewScanner()
default:
return nil
}
return scanner
}
func Scan(files extractor.FileMap) (map[string][]types.Vulnerability, error) {
results, err := analyzer.GetLibraries(files)
if err != nil {
return nil, xerrors.Errorf("failed to analyze libraries: %w", err)
}
vulnerabilities := map[string][]types.Vulnerability{}
for path, pkgs := range results {
log.Logger.Debugf("Detecting library vulnerabilities, path: %s", path)
scanner := NewScanner(filepath.Base(string(path)))
if scanner == nil {
return nil, xerrors.New("unknown file type")
}
vulns, err := scan(scanner, pkgs)
if err != nil {
return nil, xerrors.Errorf("failed to scan %s vulnerabilities: %w", scanner.Type(), err)
}
if len(vulns) != 0 {
vulnerabilities[string(path)] = vulns
}
}
return vulnerabilities, nil
}
func ScanFile(f *os.File) ([]types.Vulnerability, error) {
scanner := NewScanner(f.Name())
if scanner == nil {
return nil, xerrors.New("unknown file type")
}
pkgs, err := scanner.ParseLockfile(f)
if err != nil {
return nil, err
}
vulns, err := scan(scanner, pkgs)
if err != nil {
return nil, err
}
return vulns, nil
}
func scan(scanner Scanner, pkgs []ptypes.Library) ([]types.Vulnerability, error) {
log.Logger.Infof("Updating %s Security DB...", scanner.Type())
err := scanner.UpdateDB()
if err != nil {
return nil, xerrors.Errorf("failed to update %s advisories: %w", scanner.Type(), err)
}
log.Logger.Infof("Detect %s vulnerabilities", scanner.Type())
var vulnerabilities []types.Vulnerability
for _, pkg := range pkgs {
v, err := version.NewVersion(pkg.Version)
if err != nil {
log.Logger.Debug(err)
continue
}
vulns, err := scanner.Detect(pkg.Name, v)
if err != nil {
return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", scanner.Type(), err)
}
vulnerabilities = append(vulnerabilities, vulns...)
}
return vulnerabilities, nil
}

57
pkg/scanner/ospkg/alpine/alpine.go Normal file
View File

@@ -0,0 +1,57 @@
package alpine
import (
"strings"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/scanner/utils"
"github.com/knqyf263/go-rpm-version"
"github.com/knqyf263/trivy/pkg/vulnsrc/alpine"
"github.com/knqyf263/fanal/analyzer"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/types"
)
type Scanner struct{}
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Vulnerability, error) {
log.Logger.Info("Detecting Alpine vulnerabilities...")
if strings.Count(osVer, ".") > 1 {
osVer = osVer[:strings.LastIndex(osVer, ".")]
}
log.Logger.Debugf("alpine: os version: %s", osVer)
log.Logger.Debugf("alpine: the number of packages: %s", len(pkgs))
var vulns []types.Vulnerability
for _, pkg := range pkgs {
advisories, err := alpine.Get(osVer, pkg.Name)
if err != nil {
return nil, xerrors.Errorf("failed to get alpine advisories: %w", err)
}
installed := utils.FormatVersion(pkg)
installedVersion := version.NewVersion(installed)
for _, adv := range advisories {
fixedVersion := version.NewVersion(adv.FixedVersion)
if installedVersion.LessThan(fixedVersion) {
vuln := types.Vulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
FixedVersion: adv.FixedVersion,
}
vulns = append(vulns, vuln)
}
}
}
return vulns, nil
}

81
pkg/scanner/ospkg/debian/debian.go Normal file
View File

@@ -0,0 +1,81 @@
package debian
import (
"strings"
"golang.org/x/xerrors"
"github.com/knqyf263/go-deb-version"
"github.com/knqyf263/trivy/pkg/scanner/utils"
"github.com/knqyf263/fanal/analyzer"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/types"
"github.com/knqyf263/trivy/pkg/vulnsrc/debian"
debianoval "github.com/knqyf263/trivy/pkg/vulnsrc/debian-oval"
)
type Scanner struct{}
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Vulnerability, error) {
log.Logger.Info("Detecting Debian vulnerabilities...")
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
log.Logger.Debugf("debian: os version: %s", osVer)
log.Logger.Debugf("debian: the number of packages: %s", len(pkgs))
var vulns []types.Vulnerability
for _, pkg := range pkgs {
if pkg.Type != analyzer.TypeSource {
continue
}
advisories, err := debianoval.Get(osVer, pkg.Name)
if err != nil {
return nil, xerrors.Errorf("failed to get debian OVAL: %w", err)
}
installed := utils.FormatVersion(pkg)
installedVersion, err := version.NewVersion(installed)
if err != nil {
log.Logger.Debugf("failed to parse Debian installed package version: %w", err)
continue
}
for _, adv := range advisories {
fixedVersion, err := version.NewVersion(adv.FixedVersion)
if err != nil {
log.Logger.Debugf("failed to parse Debian package version: %w", err)
continue
}
if installedVersion.LessThan(fixedVersion) {
vuln := types.Vulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
FixedVersion: adv.FixedVersion,
}
vulns = append(vulns, vuln)
}
}
advisories, err = debian.Get(osVer, pkg.Name)
if err != nil {
return nil, xerrors.Errorf("failed to get debian advisory: %w", err)
}
for _, adv := range advisories {
vuln := types.Vulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
}
vulns = append(vulns, vuln)
}
}
return vulns, nil
}

56
pkg/scanner/ospkg/redhat/redhat.go Normal file
View File

@@ -0,0 +1,56 @@
package redhat
import (
"strings"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/scanner/utils"
"github.com/knqyf263/go-rpm-version"
"github.com/knqyf263/fanal/analyzer"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/types"
"github.com/knqyf263/trivy/pkg/vulnsrc/redhat"
)
type Scanner struct{}
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Vulnerability, error) {
log.Logger.Info("Detecting RHEL/CentOS vulnerabilities...")
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
log.Logger.Debugf("redhat: os version: %s", osVer)
log.Logger.Debugf("redhat: the number of packages: %s", len(pkgs))
var vulns []types.Vulnerability
for _, pkg := range pkgs {
advisories, err := redhat.Get(osVer, pkg.Name)
if err != nil {
return nil, xerrors.Errorf("failed to get Red Hat advisories: %w", err)
}
installed := utils.FormatVersion(pkg)
installedVersion := version.NewVersion(installed)
for _, adv := range advisories {
fixedVersion := version.NewVersion(adv.FixedVersion)
if installedVersion.LessThan(fixedVersion) {
vuln := types.Vulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
FixedVersion: adv.FixedVersion,
}
vulns = append(vulns, vuln)
}
}
}
return vulns, nil
}

57
pkg/scanner/ospkg/scan.go Normal file
View File

@@ -0,0 +1,57 @@
package ospkg
import (
"github.com/knqyf263/fanal/analyzer"
fos "github.com/knqyf263/fanal/analyzer/os"
_ "github.com/knqyf263/fanal/analyzer/os/alpine"
_ "github.com/knqyf263/fanal/analyzer/os/debianbase"
_ "github.com/knqyf263/fanal/analyzer/os/redhatbase"
_ "github.com/knqyf263/fanal/analyzer/pkg/apk"
_ "github.com/knqyf263/fanal/analyzer/pkg/dpkg"
"github.com/knqyf263/fanal/extractor"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/scanner/ospkg/alpine"
"github.com/knqyf263/trivy/pkg/scanner/ospkg/debian"
"github.com/knqyf263/trivy/pkg/scanner/ospkg/redhat"
"github.com/knqyf263/trivy/pkg/scanner/ospkg/ubuntu"
"github.com/knqyf263/trivy/pkg/types"
"golang.org/x/xerrors"
)
type Scanner interface {
Detect(string, []analyzer.Package) ([]types.Vulnerability, error)
}
func Scan(files extractor.FileMap) (string, string, []types.Vulnerability, error) {
os, err := analyzer.GetOS(files)
if err != nil {
return "", "", nil, xerrors.Errorf("failed to analyze OS: %w", err)
}
log.Logger.Debugf("OS family: %s, OS version: %s", os.Family, os.Name)
var s Scanner
switch os.Family {
case fos.Alpine:
s = alpine.NewScanner()
case fos.Debian:
s = debian.NewScanner()
case fos.Ubuntu:
s = ubuntu.NewScanner()
case fos.RedHat, fos.CentOS:
s = redhat.NewScanner()
default:
return "", "", nil, xerrors.New("unsupported os")
}
pkgs, err := analyzer.GetPackages(files)
if err != nil {
return "", "", nil, xerrors.Errorf("failed to analyze OS packages: %w", err)
}
log.Logger.Debugf("the number of packages: %d", len(pkgs))
vulns, err := s.Detect(os.Name, pkgs)
if err != nil {
return "", "", nil, xerrors.Errorf("failed to detect vulnerabilities: %w", err)
}
return os.Family, os.Name, vulns, nil
}

7
pkg/scanner/ospkg/scan_bsd.go Normal file
View File

@@ -0,0 +1,7 @@
// +build freebsd netbsd openbsd
package ospkg
import (
_ "github.com/knqyf263/fanal/analyzer/pkg/rpmcmd"
)

9
pkg/scanner/ospkg/scan_unix.go Normal file
View File

@@ -0,0 +1,9 @@
// +build linux darwin
package ospkg
import (
_ "github.com/knqyf263/fanal/analyzer/pkg/rpmcmd"
// TODO: Eliminate the dependency on "rpm" command
// _ "github.com/knqyf263/fanal/analyzer/pkg/rpm"
)

64
pkg/scanner/ospkg/ubuntu/ubuntu.go Normal file
View File

@@ -0,0 +1,64 @@
package ubuntu
import (
"github.com/knqyf263/go-deb-version"
"github.com/knqyf263/trivy/pkg/scanner/utils"
"golang.org/x/xerrors"
"github.com/knqyf263/fanal/analyzer"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/types"
"github.com/knqyf263/trivy/pkg/vulnsrc/ubuntu"
)
type Scanner struct{}
func NewScanner() *Scanner {
return &Scanner{}
}
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.Vulnerability, error) {
log.Logger.Info("Detecting Ubuntu vulnerabilities...")
log.Logger.Debugf("ubuntu: os version: %s", osVer)
log.Logger.Debugf("ubuntu: the number of packages: %s", len(pkgs))
var vulns []types.Vulnerability
for _, pkg := range pkgs {
advisories, err := ubuntu.Get(osVer, pkg.Name)
if err != nil {
return nil, xerrors.Errorf("failed to get Ubuntu advisories: %w", err)
}
installed := utils.FormatVersion(pkg)
installedVersion, err := version.NewVersion(installed)
if err != nil {
log.Logger.Debugf("failed to parse Ubuntu installed package version: %w", err)
continue
}
for _, adv := range advisories {
vuln := types.Vulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
FixedVersion: adv.FixedVersion,
}
if adv.FixedVersion == "" {
vulns = append(vulns, vuln)
continue
}
fixedVersion, err := version.NewVersion(adv.FixedVersion)
if err != nil {
log.Logger.Debugf("failed to parse Ubuntu package version: %w", err)
continue
}
if installedVersion.LessThan(fixedVersion) {
vulns = append(vulns, vuln)
}
}
}
return vulns, nil
}

181
pkg/scanner/scan.go Normal file
View File

@@ -0,0 +1,181 @@
package scanner
import (
"context"
"flag"
"fmt"
"os"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/report"
"github.com/knqyf263/trivy/pkg/scanner/library"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/types"
"github.com/knqyf263/trivy/pkg/scanner/ospkg"
"golang.org/x/crypto/ssh/terminal"
"golang.org/x/xerrors"
"github.com/knqyf263/fanal/analyzer"
"github.com/knqyf263/fanal/extractor"
)
func ScanImage(imageName, filePath string, severities []vulnerability.Severity) (report.Results, error) {
var results report.Results
var err error
ctx := context.Background()
var target string
var files extractor.FileMap
if imageName != "" {
target = imageName
files, err = analyzer.Analyze(ctx, imageName)
if err != nil {
return nil, xerrors.Errorf("failed to analyze image: %w", err)
}
} else if filePath != "" {
target = filePath
rc, err := openStream(filePath)
if err != nil {
return nil, xerrors.Errorf("failed to open stream: %w", err)
}
files, err = analyzer.AnalyzeFromFile(ctx, rc)
if err != nil {
return nil, err
}
} else {
return nil, xerrors.New("image name or image file must be specified")
}
osFamily, osVersion, osVulns, err := ospkg.Scan(files)
if err != nil {
return nil, xerrors.New("failed to scan image")
}
results = append(results, report.Result{
FileName: fmt.Sprintf("%s (%s %s)", target, osFamily, osVersion),
Vulnerabilities: processVulnerabilties(osVulns, severities),
})
libVulns, err := library.Scan(files)
if err != nil {
return nil, xerrors.New("failed to scan libraries")
}
for path, vulns := range libVulns {
results = append(results, report.Result{
FileName: path,
Vulnerabilities: processVulnerabilties(vulns, severities),
})
}
return results, nil
}
func ScanFile(f *os.File, severities []vulnerability.Severity) (report.Result, error) {
vulns, err := library.ScanFile(f)
if err != nil {
return report.Result{}, xerrors.New("failed to scan libraries in file")
}
result := report.Result{
FileName: f.Name(),
Vulnerabilities: processVulnerabilties(vulns, severities),
}
return result, nil
}
func processVulnerabilties(vulns []types.Vulnerability, severities []vulnerability.Severity) []types.Vulnerability {
var vulnerabilities []types.Vulnerability
for _, vuln := range vulns {
sev, title := getDetail(vuln.VulnerabilityID)
// Filter vulnerabilities by severity
for _, s := range severities {
if s == sev {
vuln.Severity = fmt.Sprint(sev)
vuln.Title = title
vulnerabilities = append(vulnerabilities, vuln)
break
}
}
}
return vulnerabilities
}
func openStream(path string) (*os.File, error) {
if path == "-" {
if terminal.IsTerminal(0) {
flag.Usage()
os.Exit(64)
} else {
return os.Stdin, nil
}
}
return os.Open(path)
}
func getDetail(vulnID string) (vulnerability.Severity, string) {
details, err := vulnerability.Get(vulnID)
if err != nil {
log.Logger.Debug(err)
return vulnerability.SeverityUnknown, ""
} else if len(details) == 0 {
return vulnerability.SeverityUnknown, ""
}
severity := getSeverity(details)
title := getTitle(details)
return severity, title
}
func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.Severity {
for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
vulnerability.DebianOVAL, vulnerability.Alpine} {
d, ok := details[source]
if !ok {
continue
}
if d.Severity != 0 {
return d.Severity
} else if d.SeverityV3 != 0 {
return d.SeverityV3
} else if d.CvssScore > 0 {
return scoreToSeverity(d.CvssScore)
} else if d.CvssScoreV3 > 0 {
return scoreToSeverity(d.CvssScoreV3)
}
}
return vulnerability.SeverityUnknown
}
func getTitle(details map[string]vulnerability.Vulnerability) string {
for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
vulnerability.DebianOVAL, vulnerability.Alpine} {
d, ok := details[source]
if !ok {
continue
}
if d.Title != "" {
return d.Title
}
}
return ""
}
func scoreToSeverity(score float64) vulnerability.Severity {
if score >= 9.0 {
return vulnerability.SeverityCritical
} else if score >= 7.0 {
return vulnerability.SeverityHigh
} else if score >= 4.0 {
return vulnerability.SeverityMedium
} else if score > 0.0 {
return vulnerability.SeverityLow
}
return vulnerability.SeverityUnknown
}

40
pkg/scanner/utils/utils.go Normal file
View File

@@ -0,0 +1,40 @@
package utils
import (
"fmt"
"strings"
"github.com/knqyf263/fanal/analyzer"
"github.com/knqyf263/go-version"
"github.com/knqyf263/trivy/pkg/log"
)
var (
replacer = strings.NewReplacer(".alpha", "-alpha", ".beta", "-beta", ".rc", "-rc")
)
func MatchVersions(currentVersion *version.Version, rangeVersions []string) bool {
for _, p := range rangeVersions {
c, err := version.NewConstraint(replacer.Replace(p))
if err != nil {
log.Logger.Debug("NewConstraint", "error", err)
return false
}
if c.Check(currentVersion) {
return true
}
}
return false
}
func FormatVersion(pkg analyzer.Package) string {
v := pkg.Version
if pkg.Release != "" {
v = fmt.Sprintf("%s-%s", v, pkg.Release)
}
if pkg.Epoch != 0 {
v = fmt.Sprintf("%d:%s", pkg.Epoch, v)
}
return v
}

6
pkg/types/library.go Normal file
View File

@@ -0,0 +1,6 @@
package types
type Library struct{
Name string
Version string
}

11
pkg/types/vulnerability.go Normal file
View File

@@ -0,0 +1,11 @@
package types
type Vulnerability struct {
VulnerabilityID string
PkgName string
InstalledVersion string
FixedVersion string
Title string
Severity string
}

113
pkg/utils/utils.go Normal file
View File

@@ -0,0 +1,113 @@
package utils
import (
"bytes"
"io"
"os"
"os/exec"
"path/filepath"
"strings"
"github.com/knqyf263/trivy/pkg/log"
"golang.org/x/xerrors"
)
func CacheDir() string {
cacheDir, err := os.UserCacheDir()
if err != nil {
cacheDir = os.TempDir()
}
dir := filepath.Join(cacheDir, "trivy")
return dir
}
func FileWalk(root string, targetFiles map[string]struct{}, walkFn func(r io.Reader, path string) error) error {
err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
if info.IsDir() {
return nil
}
rel, err := filepath.Rel(root, path)
if err != nil {
return xerrors.Errorf("error in filepath rel: %w", err)
}
if _, ok := targetFiles[rel]; !ok {
return nil
}
if info.Size() == 0 {
log.Logger.Debugf("invalid size: %s", path)
return nil
}
f, err := os.Open(path)
defer f.Close()
if err != nil {
return xerrors.Errorf("failed to open file: %w", err)
}
if err = walkFn(f, path); err != nil {
return err
}
return nil
})
if err != nil {
return xerrors.Errorf("error in file walk: %w", err)
}
return nil
}
func IsCommandAvailable(name string) bool {
cmd := exec.Command(name, "--help")
if err := cmd.Run(); err != nil {
return false
}
return true
}
func Exists(path string) (bool, error) {
_, err := os.Stat(path)
if err == nil {
return true, nil
}
if os.IsNotExist(err) {
return false, nil
}
return true, err
}
func StringInSlice(a string, list []string) bool {
for _, b := range list {
if b == a {
return true
}
}
return false
}
func Exec(command string, args []string) (string, error) {
cmd := exec.Command(command, args...)
var stdoutBuf, stderrBuf bytes.Buffer
cmd.Stdout = &stdoutBuf
cmd.Stderr = &stderrBuf
if err := cmd.Run(); err != nil {
log.Logger.Debug(stderrBuf.String())
return "", xerrors.Errorf("failed to exec: %w", err)
}
return stdoutBuf.String(), nil
}
func FilterTargets(prefixPath string, targets map[string]struct{}) (map[string]struct{}, error) {
filtered := map[string]struct{}{}
for filename := range targets {
if strings.HasPrefix(filename, prefixPath) {
rel, err := filepath.Rel(prefixPath, filename)
if err != nil {
return nil, xerrors.Errorf("error in filepath rel: %w", err)
}
filtered[rel] = struct{}{}
}
}
return filtered, nil
}

112
pkg/vulnsrc/alpine/alpine.go Normal file
View File

@@ -0,0 +1,112 @@
package alpine
import (
"encoding/json"
"fmt"
"gopkg.in/cheggaaa/pb.v1"
"io"
"path/filepath"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/db"
"github.com/knqyf263/trivy/pkg/log"
"golang.org/x/xerrors"
bolt "github.com/etcd-io/bbolt"
"github.com/knqyf263/trivy/pkg/utils"
)
const (
alpineDir = "alpine"
)
var (
platformFormat = "alpine %s"
)
func Update(dir string, updatedFiles map[string]struct{}) error {
rootDir := filepath.Join(dir, alpineDir)
targets, err := utils.FilterTargets(alpineDir, updatedFiles)
if err != nil {
return xerrors.Errorf("failed to filter target files: %w", err)
} else if len(targets) == 0 {
log.Logger.Debug("Alpine: no updated file")
return nil
}
log.Logger.Debugf("Alpine updated files: %d", len(targets))
bar := pb.StartNew(len(targets))
defer bar.Finish()
var cves []AlpineCVE
err = utils.FileWalk(rootDir, targets, func(r io.Reader, path string) error {
var cve AlpineCVE
if err = json.NewDecoder(r).Decode(&cve); err != nil {
return xerrors.Errorf("failed to decode Alpine JSON: %w", err)
}
cves = append(cves, cve)
bar.Increment()
return nil
})
if err != nil {
return xerrors.Errorf("error in Alpine walk: %w", err)
}
if err = save(cves); err != nil {
return xerrors.Errorf("error in Alpine save: %w", err)
}
return nil
}
func save(cves []AlpineCVE) error {
log.Logger.Debug("Saving Alpine DB")
err := db.BatchUpdate(func(tx *bolt.Tx) error {
for _, cve := range cves {
platformName := fmt.Sprintf(platformFormat, cve.Release)
pkgName := cve.Package
advisory := Advisory{
VulnerabilityID: cve.VulnerabilityID,
FixedVersion: cve.FixedVersion,
Repository: cve.Repository,
}
if err := db.PutNestedBucket(tx, platformName, pkgName, cve.VulnerabilityID, advisory); err != nil {
return xerrors.Errorf("failed to save alpine advisory: %w", err)
}
vuln := vulnerability.Vulnerability{
Title: cve.Subject,
Description: cve.Description,
}
if err := vulnerability.Put(tx, cve.VulnerabilityID, vulnerability.Alpine, vuln); err != nil {
return xerrors.Errorf("failed to save alpine vulnerability: %w", err)
}
}
return nil
})
if err != nil {
return xerrors.Errorf("error in db batch update: %w", err)
}
return nil
}
func Get(release string, pkgName string) ([]Advisory, error) {
bucket := fmt.Sprintf(platformFormat, release)
advisories, err := db.ForEach(bucket, pkgName)
if err != nil {
return nil, xerrors.Errorf("error in Alpine foreach: %w", err)
}
var results []Advisory
for _, v := range advisories {
var advisory Advisory
if err = json.Unmarshal(v, &advisory); err != nil {
return nil, xerrors.Errorf("failed to unmarshal Alpine JSON: %w", err)
}
results = append(results, advisory)
}
return results, nil
}

17
pkg/vulnsrc/alpine/types.go Normal file
View File

@@ -0,0 +1,17 @@
package alpine
type AlpineCVE struct {
VulnerabilityID string
Release string
Package string
Repository string
FixedVersion string
Subject string
Description string
}
type Advisory struct {
VulnerabilityID string
FixedVersion string
Repository string
}

165
pkg/vulnsrc/debian-oval/debian-oval.go Normal file
View File

@@ -0,0 +1,165 @@
package debianoval
import (
"encoding/json"
"fmt"
"gopkg.in/cheggaaa/pb.v1"
"io"
"os"
"path/filepath"
"strings"
"github.com/knqyf263/trivy/pkg/vulnsrc/debian"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
bolt "github.com/etcd-io/bbolt"
"github.com/knqyf263/trivy/pkg/db"
"github.com/knqyf263/trivy/pkg/log"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/utils"
)
var (
debianDir = filepath.Join("oval", "debian")
// e.g. debian oval 8
platformFormat = "debian oval %s"
)
func Update(dir string, updatedFiles map[string]struct{}) error {
rootDir := filepath.Join(dir, debianDir)
targets, err := utils.FilterTargets(debianDir, updatedFiles)
if err != nil {
return xerrors.Errorf("failed to filter target files: %w", err)
} else if len(targets) == 0 {
log.Logger.Debug("Debian OVAL: no updated file")
return nil
}
log.Logger.Debugf("Debian OVAL updated files: %d", len(targets))
bar := pb.StartNew(len(targets))
defer bar.Finish()
var cves []DebianOVAL
err = utils.FileWalk(rootDir, targets, func(r io.Reader, path string) error {
var cve DebianOVAL
if err = json.NewDecoder(r).Decode(&cve); err != nil {
return xerrors.Errorf("failed to decode Debian OVAL JSON: %w", err)
}
dirs := strings.Split(path, string(os.PathSeparator))
if len(dirs) < 3 {
log.Logger.Debugf("invalid path: %s", path)
return nil
}
cve.Release = dirs[len(dirs)-3]
cves = append(cves, cve)
bar.Increment()
return nil
})
if err != nil {
return xerrors.Errorf("error in Debian OVAL walk: %w", err)
}
if err = save(cves); err != nil {
return xerrors.Errorf("error in Debian OVAL save: %w", err)
}
return nil
}
// from https://github.com/kotakanbe/goval-dictionary/blob/c462c07a5cd0b6de52f167e9aa4298083edfc356/models/debian.go#L53
func walkDebian(cri Criteria, pkgs []Package) []Package {
for _, c := range cri.Criterions {
ss := strings.Split(c.Comment, " DPKG is earlier than ")
if len(ss) != 2 {
continue
}
// "0" means notyetfixed or erroneous information.
// Not available because "0" includes erroneous info...
if ss[1] == "0" {
continue
}
pkgs = append(pkgs, Package{
Name: ss[0],
FixedVersion: strings.Split(ss[1], " ")[0],
})
}
if len(cri.Criterias) == 0 {
return pkgs
}
for _, c := range cri.Criterias {
pkgs = walkDebian(c, pkgs)
}
return pkgs
}
func save(cves []DebianOVAL) error {
log.Logger.Debug("Saving Debian OVAL")
err := db.BatchUpdate(func(tx *bolt.Tx) error {
for _, cve := range cves {
affectedPkgs := walkDebian(cve.Criteria, []Package{})
for _, affectedPkg := range affectedPkgs {
// stretch => 9
majorVersion, ok := debian.DebianReleasesMapping[cve.Release]
if !ok {
continue
}
platformName := fmt.Sprintf(platformFormat, majorVersion)
cveID := cve.Metadata.Title
advisory := vulnerability.Advisory{
VulnerabilityID: cveID,
FixedVersion: affectedPkg.FixedVersion,
}
if err := db.PutNestedBucket(tx, platformName, affectedPkg.Name, cveID, advisory); err != nil {
return xerrors.Errorf("failed to save Debian OVAL advisory: %w", err)
}
var references []string
for _, ref := range cve.Metadata.References {
references = append(references, ref.RefURL)
}
vuln := vulnerability.Vulnerability{
Description: cve.Metadata.Description,
References: references,
}
if err := vulnerability.Put(tx, cveID, vulnerability.DebianOVAL, vuln); err != nil {
return xerrors.Errorf("failed to save Debian OVAL vulnerability: %w", err)
}
}
}
return nil
})
if err != nil {
return xerrors.Errorf("error in batch update: %w", err)
}
return nil
}
func Get(release string, pkgName string) ([]vulnerability.Advisory, error) {
bucket := fmt.Sprintf(platformFormat, release)
advisories, err := db.ForEach(bucket, pkgName)
if err != nil {
return nil, xerrors.Errorf("error in Debian OVAL foreach: %w", err)
}
if len(advisories) == 0 {
return nil, nil
}
var results []vulnerability.Advisory
for _, v := range advisories {
var advisory vulnerability.Advisory
if err = json.Unmarshal(v, &advisory); err != nil {
return nil, xerrors.Errorf("failed to unmarshal Debian OVAL JSON: %w", err)
}
results = append(results, advisory)
}
return results, nil
}

43
pkg/vulnsrc/debian-oval/types.go Normal file
View File

@@ -0,0 +1,43 @@
package debianoval
type DebianOVAL struct {
Metadata Metadata
Criteria Criteria
Release string
}
type Metadata struct {
Title string
AffectedList []Affected
Description string
References []Reference
}
type Affected struct {
Family string
Platform string
Product string
}
type Criteria struct {
Operator string
Criterias []Criteria
Criterions []Criterion
}
type Reference struct {
Source string
RefID string
RefURL string
}
type Criterion struct {
Negate bool
TestRef string
Comment string
}
type Package struct {
Name string
FixedVersion string
}

155
pkg/vulnsrc/debian/debian.go Normal file
View File

@@ -0,0 +1,155 @@
package debian
import (
"encoding/json"
"fmt"
"gopkg.in/cheggaaa/pb.v1"
"io"
"path/filepath"
"strings"
bolt "github.com/etcd-io/bbolt"
"github.com/knqyf263/trivy/pkg/db"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/utils"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"golang.org/x/xerrors"
)
const (
debianDir = "debian"
)
var (
// e.g. debian 8
platformFormat = "debian %s"
DebianReleasesMapping = map[string]string{
// Code names
"squeeze": "6",
"wheezy": "7",
"jessie": "8",
"stretch": "9",
"buster": "10",
"sid": "unstable",
}
)
func Update(dir string, updatedFiles map[string]struct{}) error {
rootDir := filepath.Join(dir, debianDir)
targets, err := utils.FilterTargets(debianDir, updatedFiles)
if err != nil {
return xerrors.Errorf("failed to filter target files: %w", err)
} else if len(targets) == 0 {
log.Logger.Debug("Debian: no updated file")
return nil
}
log.Logger.Debugf("Debian updated files: %d", len(targets))
bar := pb.StartNew(len(targets))
defer bar.Finish()
var cves []DebianCVE
err = utils.FileWalk(rootDir, targets, func(r io.Reader, path string) error {
var cve DebianCVE
if err = json.NewDecoder(r).Decode(&cve); err != nil {
return xerrors.Errorf("failed to decode Debian JSON: %w", err)
}
cve.VulnerabilityID = strings.TrimSuffix(filepath.Base(path), ".json")
cve.Package = filepath.Base(filepath.Dir(path))
cves = append(cves, cve)
bar.Increment()
return nil
})
if err != nil {
return xerrors.Errorf("error in Debian walk: %w", err)
}
if err = save(cves); err != nil {
return xerrors.Errorf("error in Debian save: %w", err)
}
return nil
}
func save(cves []DebianCVE) error {
log.Logger.Debug("Saving Debian DB")
err := db.BatchUpdate(func(tx *bolt.Tx) error {
for _, cve := range cves {
for _, release := range cve.Releases {
for releaseStr := range release.Repositories {
majorVersion, ok := DebianReleasesMapping[releaseStr]
if !ok {
continue
}
platformName := fmt.Sprintf(platformFormat, majorVersion)
if release.Status != "open" {
continue
}
advisory := vulnerability.Advisory{
VulnerabilityID: cve.VulnerabilityID,
//Severity: severityFromUrgency(release.Urgency),
}
if err := db.PutNestedBucket(tx, platformName, cve.Package, cve.VulnerabilityID, advisory); err != nil {
return xerrors.Errorf("failed to save Debian advisory: %w", err)
}
vuln := vulnerability.Vulnerability{
Severity: severityFromUrgency(release.Urgency),
Description: cve.Description,
}
if err := vulnerability.Put(tx, cve.VulnerabilityID, vulnerability.Debian, vuln); err != nil {
return xerrors.Errorf("failed to save Debian vulnerability: %w", err)
}
}
}
}
return nil
})
if err != nil {
return xerrors.Errorf("error in batch update: %w", err)
}
return nil
}
func Get(release string, pkgName string) ([]vulnerability.Advisory, error) {
bucket := fmt.Sprintf(platformFormat, release)
advisories, err := db.ForEach(bucket, pkgName)
if err != nil {
return nil, xerrors.Errorf("error in Debian foreach: %w", err)
}
if len(advisories) == 0 {
return nil, nil
}
var results []vulnerability.Advisory
for _, v := range advisories {
var advisory vulnerability.Advisory
if err = json.Unmarshal(v, &advisory); err != nil {
return nil, xerrors.Errorf("failed to unmarshal Debian JSON: %w", err)
}
results = append(results, advisory)
}
return results, nil
}
func severityFromUrgency(urgency string) vulnerability.Severity {
switch urgency {
case "not yet assigned":
return vulnerability.SeverityUnknown
case "end-of-life", "unimportant", "low", "low*", "low**":
return vulnerability.SeverityLow
case "medium", "medium*", "medium**":
return vulnerability.SeverityMedium
case "high", "high*", "high**":
return vulnerability.SeverityHigh
default:
return vulnerability.SeverityUnknown
}
}

15
pkg/vulnsrc/debian/types.go Normal file
View File

@@ -0,0 +1,15 @@
package debian
type DebianCVE struct {
Description string `json:"description"`
Releases map[string]Release `json:"releases"`
Scope string `json:"scope"`
Package string
VulnerabilityID string
}
type Release struct {
Repositories map[string]string `json:"repositories"`
Status string `json:"status"`
Urgency string `json:"urgency"`
}

87
pkg/vulnsrc/nvd/nvd.go Normal file
View File

@@ -0,0 +1,87 @@
package nvd
import (
"encoding/json"
"gopkg.in/cheggaaa/pb.v1"
"io"
"path/filepath"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/utils"
bolt "github.com/etcd-io/bbolt"
"github.com/knqyf263/trivy/pkg/db"
)
const (
nvdDir = "nvd"
rootBucket = "NVD"
nestedBucket = "dummy"
)
func Update(dir string, updatedFiles map[string]struct{}) error {
rootDir := filepath.Join(dir, nvdDir)
targets, err := utils.FilterTargets(nvdDir, updatedFiles)
if err != nil {
return xerrors.Errorf("failed to filter target files: %w", err)
} else if len(targets) == 0 {
log.Logger.Debug("NVD: no updated file")
return nil
}
log.Logger.Debugf("NVD updated files: %d", len(targets))
bar := pb.StartNew(len(targets))
defer bar.Finish()
var items []vulnerability.Item
err = utils.FileWalk(rootDir, targets, func(r io.Reader, _ string) error {
item := vulnerability.Item{}
if err := json.NewDecoder(r).Decode(&item); err != nil {
return xerrors.Errorf("failed to decode NVD JSON: %w", err)
}
items = append(items, item)
bar.Increment()
return nil
})
if err != nil {
return xerrors.Errorf("error in NVD walk: %w", err)
}
if err = save(items); err != nil {
return xerrors.Errorf("error in NVD save: %w", err)
}
return nil
}
func save(items []vulnerability.Item) error {
log.Logger.Debug("NVD batch update")
err := vulnerability.BatchUpdate(func(b *bolt.Bucket) error {
for _, item := range items {
cveID := item.Cve.Meta.ID
severity, _ := vulnerability.NewSeverity(item.Impact.BaseMetricV2.Severity)
severityV3, _ := vulnerability.NewSeverity(item.Impact.BaseMetricV3.CvssV3.BaseSeverity)
vuln := vulnerability.Vulnerability{
Severity: severity,
SeverityV3: severityV3,
// TODO
References: []string{},
Title: "",
Description: "",
}
if err := db.Put(b, cveID, vulnerability.Nvd, vuln); err != nil {
return err
}
}
return nil
})
if err != nil {
return xerrors.Errorf("error in batch update: %w", err)
}
return nil
}

248
pkg/vulnsrc/redhat/redhat.go Normal file
View File

@@ -0,0 +1,248 @@
package redhat
import (
"encoding/json"
"fmt"
"gopkg.in/cheggaaa/pb.v1"
"io"
"io/ioutil"
"path/filepath"
"strconv"
"strings"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/log"
bolt "github.com/etcd-io/bbolt"
"github.com/knqyf263/trivy/pkg/db"
"github.com/knqyf263/trivy/pkg/utils"
"golang.org/x/xerrors"
)
const (
redhatDir = "redhat"
platformFormat = "Red Hat Enterprise Linux %s"
)
var (
targetPlatforms = []string{"Red Hat Enterprise Linux 5", "Red Hat Enterprise Linux 6", "Red Hat Enterprise Linux 7"}
targetStatus = []string{"Affected", "Fix deferred", "Will not fix"}
)
func Update(dir string, updatedFiles map[string]struct{}) error {
rootDir := filepath.Join(dir, redhatDir)
targets, err := utils.FilterTargets(redhatDir, updatedFiles)
if err != nil {
return xerrors.Errorf("failed to filter target files: %w", err)
} else if len(targets) == 0 {
log.Logger.Debug("Red Hat: no updated file")
return nil
}
log.Logger.Debugf("Red Hat updated files: %d", len(targets))
bar := pb.StartNew(len(targets))
defer bar.Finish()
var cves []RedhatCVE
err = utils.FileWalk(rootDir, targets, func(r io.Reader, _ string) error {
content, err := ioutil.ReadAll(r)
if err != nil {
return err
}
cve := RedhatCVE{}
if err = json.Unmarshal(content, &cve); err != nil {
return xerrors.Errorf("failed to decode RedHat JSON: %w", err)
}
switch cve.TempAffectedRelease.(type) {
case []interface{}:
var ar RedhatCVEAffectedReleaseArray
if err = json.Unmarshal(content, &ar); err != nil {
return xerrors.Errorf("unknown affected_release type: %w", err)
}
cve.AffectedRelease = ar.AffectedRelease
case map[string]interface{}:
var ar RedhatCVEAffectedReleaseObject
if err = json.Unmarshal(content, &ar); err != nil {
return xerrors.Errorf("unknown affected_release type: %w", err)
}
cve.AffectedRelease = []RedhatAffectedRelease{ar.AffectedRelease}
case nil:
default:
return xerrors.New("unknown affected_release type")
}
switch cve.TempPackageState.(type) {
case []interface{}:
var ps RedhatCVEPackageStateArray
if err = json.Unmarshal(content, &ps); err != nil {
return xerrors.Errorf("unknown package_state type: %w", err)
}
cve.PackageState = ps.PackageState
case map[string]interface{}:
var ps RedhatCVEPackageStateObject
if err = json.Unmarshal(content, &ps); err != nil {
return xerrors.Errorf("unknown package_state type: %w", err)
}
cve.PackageState = []RedhatPackageState{ps.PackageState}
case nil:
default:
return xerrors.New("unknown package_state type")
}
cves = append(cves, cve)
bar.Increment()
return nil
})
if err != nil {
return xerrors.Errorf("error in RedHat walk: %w", err)
}
if err = save(cves); err != nil {
return xerrors.Errorf("error in RedHat save: %w", err)
}
return nil
}
// platformName: pkgStatus
type platform map[string]pkg
// pkgName: advisoryStatus
type pkg map[string]advisory
// cveID: version
type advisory map[string]interface{}
func save(cves []RedhatCVE) error {
log.Logger.Debug("Saving RedHat DB")
err := db.BatchUpdate(func(tx *bolt.Tx) error {
for _, cve := range cves {
for _, affected := range cve.AffectedRelease {
if affected.Package == "" {
continue
}
// e.g. Red Hat Enterprise Linux 7
platformName := affected.ProductName
if !utils.StringInSlice(affected.ProductName, targetPlatforms) {
continue
}
pkgName, version := splitPkgName(affected.Package)
advisory := vulnerability.Advisory{
VulnerabilityID: cve.Name,
FixedVersion: version,
}
if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Name, advisory); err != nil {
return xerrors.Errorf("failed to save Red Hat advisory: %w", err)
}
}
for _, pkgState := range cve.PackageState {
pkgName := pkgState.PackageName
if pkgName == "" {
continue
}
// e.g. Red Hat Enterprise Linux 7
platformName := pkgState.ProductName
if !utils.StringInSlice(platformName, targetPlatforms) {
continue
}
if !utils.StringInSlice(pkgState.FixState, targetStatus) {
continue
}
advisory := vulnerability.Advisory{
// this means all versions
FixedVersion: "",
VulnerabilityID: cve.Name,
}
if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Name, advisory); err != nil {
return xerrors.Errorf("failed to save Red Hat advisory: %w", err)
}
}
cvssScore, _ := strconv.ParseFloat(cve.Cvss.CvssBaseScore, 64)
cvss3Score, _ := strconv.ParseFloat(cve.Cvss3.Cvss3BaseScore, 64)
title := strings.TrimPrefix(strings.TrimSpace(cve.Bugzilla.Description), cve.Name)
vuln := vulnerability.Vulnerability{
CvssScore: cvssScore,
CvssScoreV3: cvss3Score,
Severity: severityFromThreat(cve.ThreatSeverity),
References: cve.References,
Title: strings.TrimSpace(title),
Description: strings.TrimSpace(strings.Join(cve.Details, "")),
}
if err := vulnerability.Put(tx, cve.Name, vulnerability.RedHat, vuln); err != nil {
return xerrors.Errorf("failed to save Red Hat vulnerability: %w", err)
}
}
return nil
})
if err != nil {
return err
}
return nil
}
func Get(majorVersion string, pkgName string) ([]vulnerability.Advisory, error) {
bucket := fmt.Sprintf(platformFormat, majorVersion)
advisories, err := db.ForEach(bucket, pkgName)
if err != nil {
return nil, xerrors.Errorf("error in Red Hat foreach: %w", err)
}
if len(advisories) == 0 {
return nil, nil
}
var results []vulnerability.Advisory
for _, v := range advisories {
var advisory vulnerability.Advisory
if err = json.Unmarshal(v, &advisory); err != nil {
return nil, xerrors.Errorf("failed to unmarshal Red Hat JSON: %w", err)
}
results = append(results, advisory)
}
return results, nil
}
// ref. https://github.com/rpm-software-management/yum/blob/043e869b08126c1b24e392f809c9f6871344c60d/rpmUtils/miscutils.py#L301
func splitPkgName(pkgName string) (string, string) {
var version string
// Trim release
index := strings.LastIndex(pkgName, "-")
if index == -1 {
return "", ""
}
version = pkgName[index:]
pkgName = pkgName[:index]
// Trim version
index = strings.LastIndex(pkgName, "-")
if index == -1 {
return "", ""
}
version = pkgName[index+1:] + version
pkgName = pkgName[:index]
return pkgName, version
}
func severityFromThreat(sev string) vulnerability.Severity {
switch strings.Title(sev) {
case "Low":
return vulnerability.SeverityLow
case "Moderate":
return vulnerability.SeverityMedium
case "Important":
return vulnerability.SeverityHigh
case "Critical":
return vulnerability.SeverityCritical
}
return vulnerability.SeverityUnknown
}

80
pkg/vulnsrc/redhat/types.go Normal file
View File

@@ -0,0 +1,80 @@
package redhat
type RedhatCVE struct {
ThreatSeverity string `json:"threat_severity"`
PublicDate string `json:"public_date"`
Bugzilla RedhatBugzilla `json:"bugzilla"`
Cvss RedhatCvss `json:"cvss"`
Cvss3 RedhatCvss3 `json:"cvss3"`
Iava string `json:"iava"`
Cwe string `json:"cwe"`
Statement string `json:"statement"`
Acknowledgement string `json:"acknowledgement"`
Mitigation string `json:"mitigation"`
TempAffectedRelease interface{} `json:"affected_release"` // affected_release is array or object
AffectedRelease []RedhatAffectedRelease
TempPackageState interface{} `json:"package_state"` // package_state is array or object
PackageState []RedhatPackageState
Name string `json:"name"`
DocumentDistribution string `json:"document_distribution"`
Details []string `json:"details" gorm:"-"`
References []string `json:"references" gorm:"-"`
}
type RedhatCVEAffectedReleaseArray struct {
AffectedRelease []RedhatAffectedRelease `json:"affected_release"`
}
type RedhatCVEAffectedReleaseObject struct {
AffectedRelease RedhatAffectedRelease `json:"affected_release"`
}
type RedhatCVEPackageStateArray struct {
PackageState []RedhatPackageState `json:"package_state"`
}
type RedhatCVEPackageStateObject struct {
PackageState RedhatPackageState `json:"package_state"`
}
type RedhatDetail struct {
Detail string `sql:"type:text"`
}
type RedhatReference struct {
Reference string `sql:"type:text"`
}
type RedhatBugzilla struct {
Description string `json:"description" sql:"type:text"`
BugzillaID string `json:"id"`
URL string `json:"url"`
}
type RedhatCvss struct {
CvssBaseScore string `json:"cvss_base_score"`
CvssScoringVector string `json:"cvss_scoring_vector"`
Status string `json:"status"`
}
type RedhatCvss3 struct {
Cvss3BaseScore string `json:"cvss3_base_score"`
Cvss3ScoringVector string `json:"cvss3_scoring_vector"`
Status string `json:"status"`
}
type RedhatAffectedRelease struct {
ProductName string `json:"product_name"`
ReleaseDate string `json:"release_date"`
Advisory string `json:"advisory"`
Package string `json:"package"`
Cpe string `json:"cpe"`
}
type RedhatPackageState struct {
ProductName string `json:"product_name"`
FixState string `json:"fix_state"`
PackageName string `json:"package_name"`
Cpe string `json:"cpe"`
}

18
pkg/vulnsrc/ubuntu/types.go Normal file
View File

@@ -0,0 +1,18 @@
package ubuntu
type UbuntuCVE struct {
Description string `json:"description"`
Candidate string
Priority string
Patches map[PackageName]Patch
References []string
}
type PackageName string
type Release string
type Patch map[Release]Status
type Status struct {
Status string
Note string
}

165
pkg/vulnsrc/ubuntu/ubuntu.go Normal file
View File

@@ -0,0 +1,165 @@
package ubuntu
import (
"encoding/json"
"fmt"
"gopkg.in/cheggaaa/pb.v1"
"io"
"path/filepath"
"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
"github.com/knqyf263/trivy/pkg/log"
bolt "github.com/etcd-io/bbolt"
"github.com/knqyf263/trivy/pkg/db"
"golang.org/x/xerrors"
"github.com/knqyf263/trivy/pkg/utils"
)
const (
ubuntuDir = "ubuntu"
platformFormat = "ubuntu %s"
t
)
var (
targetStatus = []string{"needed", "deferred", "released"}
UbuntuReleasesMapping = map[string]string{
"precise": "12.04",
"quantal": "12.10",
"raring": "13.04",
"trusty": "14.04",
"utopic": "14.10",
"vivid": "15.04",
"wily": "15.10",
"xenial": "16.04",
"yakkety": "16.10",
"zesty": "17.04",
"artful": "17.10",
"bionic": "18.04",
"cosmic": "18.10",
"disco": "19.04",
}
)
func Update(dir string, updatedFiles map[string]struct{}) error {
rootDir := filepath.Join(dir, ubuntuDir)
targets, err := utils.FilterTargets(ubuntuDir, updatedFiles)
if err != nil {
return xerrors.Errorf("failed to filter target files: %w", err)
} else if len(targets) == 0 {
log.Logger.Debug("Ubuntu: no updated file")
return nil
}
log.Logger.Debugf("Ubuntu OVAL updated files: %d", len(targets))
bar := pb.StartNew(len(targets))
defer bar.Finish()
var cves []UbuntuCVE
err = utils.FileWalk(rootDir, targets, func(r io.Reader, path string) error {
var cve UbuntuCVE
if err = json.NewDecoder(r).Decode(&cve); err != nil {
return xerrors.Errorf("failed to decode Ubuntu JSON: %w", err)
}
cves = append(cves, cve)
bar.Increment()
return nil
})
if err != nil {
return xerrors.Errorf("error in Ubuntu walk: %w", err)
}
if err = save(cves); err != nil {
return xerrors.Errorf("error in Ubuntu save: %w", err)
}
return nil
}
func save(cves []UbuntuCVE) error {
log.Logger.Debug("Saving Ubuntu DB")
err := db.BatchUpdate(func(tx *bolt.Tx) error {
for _, cve := range cves {
for packageName, patch := range cve.Patches {
pkgName := string(packageName)
for release, status := range patch {
if !utils.StringInSlice(status.Status, targetStatus) {
continue
}
osVersion, ok := UbuntuReleasesMapping[string(release)]
if !ok {
continue
}
platformName := fmt.Sprintf(platformFormat, osVersion)
advisory := vulnerability.Advisory{
VulnerabilityID: cve.Candidate,
}
if status.Status == "released" {
advisory.FixedVersion = status.Note
}
if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Candidate, advisory); err != nil {
return xerrors.Errorf("failed to save Ubuntu advisory: %w", err)
}
vuln := vulnerability.Vulnerability{
Severity: severityFromPriority(cve.Priority),
References: cve.References,
Description: cve.Description,
// TODO
Title: "",
}
if err := vulnerability.Put(tx, cve.Candidate, vulnerability.Ubuntu, vuln); err != nil {
return xerrors.Errorf("failed to save Ubuntu vulnerability: %w", err)
}
}
}
}
return nil
})
if err != nil {
return xerrors.Errorf("error in batch update: %w", err)
}
return nil
}
func Get(release string, pkgName string) ([]vulnerability.Advisory, error) {
bucket := fmt.Sprintf(platformFormat, release)
advisories, err := db.ForEach(bucket, pkgName)
if err != nil {
return nil, xerrors.Errorf("error in Ubuntu foreach: %w", err)
}
if len(advisories) == 0 {
return nil, nil
}
var results []vulnerability.Advisory
for _, v := range advisories {
var advisory vulnerability.Advisory
if err = json.Unmarshal(v, &advisory); err != nil {
return nil, xerrors.Errorf("failed to unmarshal Ubuntu JSON: %w", err)
}
results = append(results, advisory)
}
return results, nil
}
func severityFromPriority(priority string) vulnerability.Severity {
switch priority {
case "untriaged":
return vulnerability.SeverityUnknown
case "negligible", "low":
return vulnerability.SeverityLow
case "medium":
return vulnerability.SeverityMedium
case "high":
return vulnerability.SeverityHigh
case "critical":
return vulnerability.SeverityCritical
default:
return vulnerability.SeverityUnknown
}
}

14
pkg/vulnsrc/vulnerability/const.go Normal file
View File

@@ -0,0 +1,14 @@
package vulnerability
const (
// Data source
Nvd = "nvd"
RedHat = "redhat"
Debian = "debian"
DebianOVAL = "debian-oval"
Ubuntu = "ubuntu"
CentOS = "centos"
Fedora = "fedora"
Amazon = "amazon"
Alpine = "alpine"
)

95
pkg/vulnsrc/vulnerability/types.go Normal file
View File

@@ -0,0 +1,95 @@
package vulnerability
import (
"fmt"
"time"
"github.com/fatih/color"
)
type Severity int
const (
SeverityUnknown Severity = iota
SeverityLow
SeverityMedium
SeverityHigh
SeverityCritical
)
var (
SeverityNames = []string{
"CRITICAL",
"HIGH",
"MEDIUM",
"LOW",
"UNKNOWN",
}
SeverityColor = []func(a ...interface{}) string{
color.New(color.FgRed).SprintFunc(),
color.New(color.FgHiRed).SprintFunc(),
color.New(color.FgYellow).SprintFunc(),
color.New(color.FgBlue).SprintFunc(),
color.New(color.FgCyan).SprintFunc(),
}
)
func NewSeverity(severity string) (Severity, error) {
for i, name := range SeverityNames {
if severity == name {
return Severity(i), nil
}
}
return SeverityUnknown, fmt.Errorf("unknown severity: %s", severity)
}
func ColorizeSeverity(severity string) string {
for i, name := range SeverityNames {
if severity == name {
return SeverityColor[i](severity)
}
}
return color.New(color.FgBlue).SprintFunc()(severity)
}
func (s Severity) String() string {
return SeverityNames[s]
}
type LastUpdated struct {
Date time.Time
}
type NVD struct {
CVEItems []Item `json:"CVE_Items"`
}
type Item struct {
Cve Cve
Impact Impact
}
type Cve struct {
Meta Meta `json:"CVE_data_meta"`
}
type Meta struct {
ID string
}
type Impact struct {
BaseMetricV2 BaseMetricV2
BaseMetricV3 BaseMetricV3
}
type BaseMetricV2 struct {
Severity string
}
type BaseMetricV3 struct {
CvssV3 CvssV3
}
type CvssV3 struct {
BaseSeverity string
}

70
pkg/vulnsrc/vulnerability/vulnerability.go Normal file
View File

@@ -0,0 +1,70 @@
package vulnerability
import (
"encoding/json"
bolt "github.com/etcd-io/bbolt"
"github.com/knqyf263/trivy/pkg/db"
"golang.org/x/xerrors"
)
const (
rootBucket = "vulnerability"
)
type Vulnerability struct {
CvssScore float64
CvssScoreV3 float64
Severity Severity
SeverityV3 Severity
References []string
Title string
Description string
}
type Advisory struct {
VulnerabilityID string
FixedVersion string
}
func Put(tx *bolt.Tx, cveID, source string, vuln Vulnerability) error {
root, err := tx.CreateBucketIfNotExists([]byte(rootBucket))
if err != nil {
return err
}
return db.Put(root, cveID, source, vuln)
}
func Update(cveID, source string, vuln Vulnerability) error {
return db.Update(rootBucket, cveID, source, vuln)
}
func BatchUpdate(fn func(b *bolt.Bucket) error) error {
return db.BatchUpdate(func(tx *bolt.Tx) error {
root, err := tx.CreateBucketIfNotExists([]byte(rootBucket))
if err != nil {
return err
}
return fn(root)
})
}
func Get(cveID string) (map[string]Vulnerability, error) {
values, err := db.ForEach(rootBucket, cveID)
if err != nil {
return nil, xerrors.Errorf("error in NVD get: %w", err)
}
if len(values) == 0 {
return nil, nil
}
vulns := map[string]Vulnerability{}
for source, value := range values {
var vuln Vulnerability
if err = json.Unmarshal(value, &vuln); err != nil {
return nil, xerrors.Errorf("failed to unmarshal Vulnerability JSON: %w", err)
}
vulns[source] = vuln
}
return vulns, nil
}

74
pkg/vulnsrc/vulnsrc.go Normal file
View File

@@ -0,0 +1,74 @@
package vulnsrc
import (
"github.com/knqyf263/trivy/pkg/git"
"github.com/knqyf263/trivy/pkg/log"
"github.com/knqyf263/trivy/pkg/utils"
"github.com/knqyf263/trivy/pkg/vulnsrc/alpine"
"github.com/knqyf263/trivy/pkg/vulnsrc/debian"
debianoval "github.com/knqyf263/trivy/pkg/vulnsrc/debian-oval"
"github.com/knqyf263/trivy/pkg/vulnsrc/nvd"
"github.com/knqyf263/trivy/pkg/vulnsrc/redhat"
"github.com/knqyf263/trivy/pkg/vulnsrc/ubuntu"
"golang.org/x/xerrors"
"path/filepath"
)
const (
repoURL = "https://github.com/knqyf263/vuln-list.git"
)
func Update() (err error) {
log.Logger.Info("Updating vulnerability database...")
// Clone vuln-list repository
dir := filepath.Join(utils.CacheDir(), "vuln-list")
updatedFiles, err := git.CloneOrPull(repoURL, dir)
if err != nil {
return xerrors.Errorf("error in vulnsrc clone or pull: %w", err)
}
log.Logger.Debugf("total updated files: %d", len(updatedFiles))
// Only last_updated.json
if len(updatedFiles) <= 1 {
return nil
}
// Update NVD
log.Logger.Info("Updating NVD data...")
if err = nvd.Update(dir, updatedFiles); err != nil {
return xerrors.Errorf("error in NVD update: %w", err)
}
// Update Alpine OVAL
log.Logger.Info("Updating Alpine data...")
if err = alpine.Update(dir, updatedFiles); err != nil {
return xerrors.Errorf("error in Alpine OVAL update: %w", err)
}
//Update RedHat
log.Logger.Info("Updating RedHat data...")
if err = redhat.Update(dir, updatedFiles); err != nil {
return xerrors.Errorf("error in RedHat update: %w", err)
}
// Update Debian
log.Logger.Info("Updating Debian data...")
if err = debian.Update(dir, updatedFiles); err != nil {
return xerrors.Errorf("error in Debian update: %w", err)
}
// Update Debian OVAL
log.Logger.Info("Updating Debian OVAL data...")
if err = debianoval.Update(dir, updatedFiles); err != nil {
return xerrors.Errorf("error in Debian OVAL update: %w", err)
}
//Update Ubuntu
log.Logger.Info("Updating Ubuntu data...")
if err = ubuntu.Update(dir, updatedFiles); err != nil {
return xerrors.Errorf("error in Ubuntu update: %w", err)
}
return nil
}