* feat: support vulnerability status
* feat: show status in table
* don't add `fixed` status in debian/redhat
* update test golden files
* add Status in rpc
* update docs
* update ignore-status example
* add ignore-status in integration test
* docs: add the explanation for statuses
---------
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
* wip: Add a failing test to demo severity override
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan.go: Return osFound for use in determining vendor.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* pkg: Fix ScanImage return in case an OSFound
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Include a package-lock.json for happy path
Signed-off-by: Simarpreet Singh <simar@linux.com>
* wip: Add a test to include various reportResult types
Signed-off-by: Simarpreet Singh <simar@linux.com>
* Makefile: Add a target to generate mocks.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Pass reportType as argument for FillInfo.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add other types of vulnerabilities.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Update golden files.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* ospkg: Fix FillInfo for ospkg/server
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Add os.Family type to Response.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability_test.go: Add case where no vendor severity exists.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Fallback to NVD if it exists.
Also add tests for other cases.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Fix a few sites with reportType info and tests.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Remove VendorSeverity from displayed results
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add vulnerability source information.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add VendorSeverity logic for lightDB as well.
This commit also makes FillInfo logic common to both light and full DBs.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* remove some crufty TODOs
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability_test: Add a case for light db for documentation purposes
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: update trivy-db to point to master
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Remove cruft and bring back test cases
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Add pkg Type to mock return
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: reorder err check after err
Signed-off-by: Simarpreet Singh <simar@linux.com>
* client_test: Fix import ordering
Signed-off-by: Simarpreet Singh <simar@linux.com>
* convert.go: Use result.Type
Signed-off-by: Simarpreet Singh <simar@linux.com>
* convert: Use result.Type and simplify ConvertFromRpcResults signature
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Refactor calls to getVendorSeverity
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Remove centos-7-critical.json.golden
There's no critical vulnerability in CentOS 7 anymore.
In addition, this test was not adding any value that is not already
covered by existing test cases.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Include severity source in tests.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Update test db to include VendorSeverity.
Test DB is now a snapshot of full database from trivy-db.
Also update golden files to include SeveritySource.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Make centos7 use RHEL vendor severities
Signed-off-by: Simarpreet Singh <simar@linux.com>
* Support Amazon Linux
* amazon: Add tests for Scanner Detect functionality
* amazon: Add more test cases for unhappy paths.
This commit also asserts the logged output via observer.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon: Add a test case for invalid fixed pkg version
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: go mod tidy
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon: Inject dependency seams for exposed db interface and logger.
This commit also exposes an interface for doing db operations.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon: Use injected logger for scanner.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon_test: Add a sample testdata dir
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon: Add tests for Get() for amazon vulns.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnsrc_test: Fix invocation call to SetVersion()
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon_test: Add a test for severityFromPriority
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon_test: Add tests for constructVersion()
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon: Refactor walkFunc outside for testability purposes
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon: Refactor walkFn and add tests for it.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* amazon: Refactor commitFunc closure and add tests
This commit also introduces an interface for the
vulnerability package to be used as a seam.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* Revert "amazon: Use injected logger for scanner."
This reverts commit 5a81e4d824a95f4de4aae2e2b903eedd0f7e241f.
* test(amazon): fix failed tests
* fix(vulnerability): trim references
* test(amazon): add integration test
* divide into NewApp function
* sort scan results for idempotency
* chore(integration): add integration tests
* tar_input_test: strengthen assertions
Signed-off-by: Simarpreet Singh <simar@linux.com>
* writer_test: Add a happy path for TestReportWriter
Signed-off-by: Simarpreet Singh <simar@linux.com>
* writer_test: switch to table test cases
Signed-off-by: Simarpreet Singh <simar@linux.com>
* writer_test: Add more scenarios for TestReportWriter_Table
Signed-off-by: Simarpreet Singh <simar@linux.com>
* writer: Change back to []Results and add happy path for JSON writer
Signed-off-by: Simarpreet Singh <simar@linux.com>
* writer_test: Switch to a table driven format
Signed-off-by: Simarpreet Singh <simar@linux.com>
* writer_test: cleanup
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan: Go back to report.Result by value
Signed-off-by: Simarpreet Singh <simar@linux.com>
* Revert "scan: Go back to report.Result by value"
This reverts commit 03b6f7abd7d0d22d87c825d0ef3759cca200b9fc.
* switch back to by value for results
Signed-off-by: Simarpreet Singh <simar@linux.com>
* writer_test: document a behavior with template inputs
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add a failing test to show unexpected sorting behavior.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* report: Simplify []*Result to []Result.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* test(template): add happy path
* test(vulnerability): fix expected values
* tar_input_test: Move gunzipDB
Signed-off-by: Simarpreet Singh <simar@linux.com>