Display advisory information (#2)

* Use fork tablewriter

* Display advisory information

* Update README

.circleci/config.yml

@@ -2,9 +2,16 @@ defaults: &defaults
   docker :
     - image: knqyf263/ci-trivy:latest
   environment:
-    CGO_ENABLED: "1"
+    CGO_ENABLED: "0"
 
 jobs:
+  test:
+    <<: *defaults
+    steps:
+      - checkout
+      - run:
+          name: Test
+          command: go test ./...
   release:
     <<: *defaults
     steps:
@@ -34,6 +41,7 @@ workflows:
   version: 2
   release:
     jobs:  
+      - test
       - release:
           filters:
             branches:

README.md

@@ -1,10 +1,12 @@
-# trivy
+<img src="imgs/logo.png" width="300">
 
 [![GitHub release](https://img.shields.io/github/release/knqyf263/trivy.svg)](https://github.com/knqyf263/trivy/releases/latest)
-[![Build Status](https://travis-ci.org/knqyf263/trivy.svg?branch=master)](https://travis-ci.org/knqyf263/trivy)
+[![CircleCI](https://circleci.com/gh/knqyf263/trivy.svg?style=svg)](https://circleci.com/gh/knqyf263/trivy)
 [![Go Report Card](https://goreportcard.com/badge/github.com/knqyf263/trivy)](https://goreportcard.com/report/github.com/knqyf263/trivy)
 [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/knqyf263/trivy/blob/master/LICENSE)
 
+A Simple and Comprehensive Vulnerability Scanner for Containers
+
 # Abstract
 Scan containers
 
@@ -116,6 +118,14 @@ $ brew unlink trivy && brew uninstall trivy
 $ brew install knqyf263/trivy/trivy
 ```
 
+## Others
+### Unknown error
+Try again with `--clean` option
+
+```
+$ trivy --clean alpine:3.8
+```
+
 # Contribute
 
 1. fork a repository: github.com/knqyf263/trivy to github.com/you/repo
@@ -129,6 +139,9 @@ $ brew install knqyf263/trivy/trivy
 
 ----
 
+# Credits
+Special thanks to [Tomoya Amachi](https://github.com/tomoyamachi)
+
 # License
 MIT
 

go.mod

@@ -37,3 +37,5 @@ require (
 )
 
 replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55
+
+replace github.com/olekukonko/tablewriter => github.com/knqyf263/tablewriter v0.0.2

go.sum

@@ -128,6 +128,8 @@ github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9D
 github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
+github.com/knqyf263/tablewriter v0.0.2 h1:lGaBruL/oJt8FAlMVy9KU0oQ/6NXAJjvK7wBgZyc+Og=
+github.com/knqyf263/tablewriter v0.0.2/go.mod h1:NDOJQAZxabBL3e13jQVktkvbr6bxXXPon8Lyh7fRPPc=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=

pkg/scanner/library/bundler/advisory.go

@@ -1,10 +1,16 @@
 package bundler
 
 import (
+	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 
+	"github.com/etcd-io/bbolt"
+
+	"github.com/knqyf263/trivy/pkg/db"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+
 	"golang.org/x/xerrors"
 
 	"github.com/knqyf263/trivy/pkg/git"
@@ -28,6 +34,9 @@ type Advisory struct {
 	Osvdb              string
 	Title              string
 	Url                string
+	Description        string
+	CvssV2             float64  `yaml:"cvss_v2"`
+	CvssV3             float64  `yaml:"cvss_v3"`
 	PatchedVersions    []string `yaml:"patched_versions"`
 	UnaffectedVersions []string `yaml:"unaffected_versions"`
 	Related            Related
@@ -42,14 +51,15 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return xerrors.Errorf("error in %s security DB update: %w", s.Type(), err)
 	}
-	s.db, err = walk()
+	s.db, err = s.walk()
 	return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
 	root := filepath.Join(repoPath, "gems")
 
+	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() {
 			return nil
@@ -65,16 +75,48 @@ func walk() (AdvisoryDB, error) {
 			return xerrors.Errorf("failed to unmarshal YAML: %w", err)
 		}
 
+		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.Gem]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.Gem] = append(advisories, advisory)
 
+		// for displaying vulnerability detail
+		var vulnerabilityID string
+		if advisory.Cve != "" {
+			vulnerabilityID = fmt.Sprintf("CVE-%s", advisory.Cve)
+		} else if advisory.Osvdb != "" {
+			vulnerabilityID = fmt.Sprintf("OSVDB-%s", advisory.Osvdb)
+		}
+		vulns = append(vulns, vulnerability.Vulnerability{
+			ID:          vulnerabilityID,
+			CvssScore:   advisory.CvssV2,
+			CvssScoreV3: advisory.CvssV3,
+			References:  append([]string{advisory.Url}, advisory.Related.Url...),
+			Title:       advisory.Title,
+			Description: advisory.Description,
+		})
+
 		return nil
 	})
 	if err != nil {
-		return nil, xerrors.Errorf("error in file wakl: %w", err)
+		return nil, xerrors.Errorf("error in file walk: %w", err)
+	}
+
+	if err = s.saveVulnerabilities(vulns); err != nil {
+		return nil, err
 	}
 	return advisoryDB, nil
 }
+
+func (s *Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+		for _, vuln := range vulns {
+			if err := db.Put(b, vuln.ID, vulnerability.RubySec, vuln); err != nil {
+				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+			}
+		}
+		return nil
+	})
+}

pkg/scanner/library/composer/advisory.go

@@ -6,7 +6,13 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/etcd-io/bbolt"
+
+	"github.com/knqyf263/trivy/pkg/db"
+	"golang.org/x/xerrors"
+
 	"github.com/knqyf263/trivy/pkg/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
 	"github.com/knqyf263/trivy/pkg/git"
 	"gopkg.in/yaml.v2"
@@ -38,12 +44,13 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = walk()
+	s.db, err = s.walk()
 	return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
+	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() || !strings.HasPrefix(info.Name(), "CVE-") {
 			return nil
@@ -58,16 +65,39 @@ func walk() (AdvisoryDB, error) {
 		if err != nil {
 			return err
 		}
+
+		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.Reference]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.Reference] = append(advisories, advisory)
 
+		// for displaying vulnerability detail
+		vulns = append(vulns, vulnerability.Vulnerability{
+			ID:         advisory.Cve,
+			References: []string{advisory.Link},
+			Title:      advisory.Title,
+		})
+
 		return nil
 	})
 	if err != nil {
+		return nil, xerrors.Errorf("error in file walk: %w", err)
+	}
+	if err = s.saveVulnerabilities(vulns); err != nil {
 		return nil, err
 	}
 	return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+		for _, vuln := range vulns {
+			if err := db.Put(b, vuln.ID, vulnerability.PhpSecurityAdvisories, vuln); err != nil {
+				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+			}
+		}
+		return nil
+	})
+}

pkg/scanner/library/npm/advisory.go

@@ -2,12 +2,19 @@ package npm
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 
+	"github.com/etcd-io/bbolt"
+
+	"github.com/knqyf263/trivy/pkg/db"
+	"golang.org/x/xerrors"
+
 	"github.com/knqyf263/trivy/pkg/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
 	"github.com/knqyf263/trivy/pkg/git"
 )
@@ -29,6 +36,7 @@ type Advisory struct {
 	Cves               []string
 	VulnerableVersions string `json:"vulnerable_versions"`
 	PatchedVersions    string `json:"patched_versions"`
+	Overview           string
 	Recommendation     string
 	References         []string
 	CvssScoreNumber    json.Number `json:"cvss_score"`
@@ -39,12 +47,13 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = walk()
+	s.db, err = s.walk()
 	return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
+	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(filepath.Join(repoPath, "vuln"), func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() || !strings.HasSuffix(info.Name(), ".json") {
 			return nil
@@ -68,16 +77,46 @@ func walk() (AdvisoryDB, error) {
 			advisory.CvssScore = -1
 		}
 
+		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.ModuleName]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.ModuleName] = append(advisories, advisory)
 
+		// for displaying vulnerability detail
+		vulnerabilityIDs := advisory.Cves
+		if len(vulnerabilityIDs) == 0 {
+			vulnerabilityIDs = []string{fmt.Sprintf("NSWG-ECO-%d", advisory.ID)}
+		}
+		for _, vulnID := range vulnerabilityIDs {
+			vulns = append(vulns, vulnerability.Vulnerability{
+				ID:          vulnID,
+				CvssScore:   advisory.CvssScore,
+				References:  advisory.References,
+				Title:       advisory.Title,
+				Description: advisory.Overview,
+			})
+		}
+
 		return nil
 	})
 	if err != nil {
+		return nil, xerrors.Errorf("error in file walk: %w", err)
+	}
+	if err = s.saveVulnerabilities(vulns); err != nil {
 		return nil, err
 	}
 	return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+		for _, vuln := range vulns {
+			if err := db.Put(b, vuln.ID, vulnerability.NodejsSecurityWg, vuln); err != nil {
+				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+			}
+		}
+		return nil
+	})
+}

pkg/scanner/library/pipenv/advisory.go

@@ -5,9 +5,14 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/etcd-io/bbolt"
+
+	"github.com/knqyf263/trivy/pkg/db"
+
 	"golang.org/x/xerrors"
 
 	"github.com/knqyf263/trivy/pkg/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
 	"github.com/knqyf263/trivy/pkg/git"
 )
@@ -34,14 +39,14 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = parse()
+	s.db, err = s.parse()
 	if err != nil {
 		return xerrors.Errorf("failed to parse python safety-db: %w", err)
 	}
 	return nil
 }
 
-func parse() (AdvisoryDB, error) {
+func (s *Scanner) parse() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
 	f, err := os.Open(filepath.Join(repoPath, "data", "insecure_full.json"))
 	if err != nil {
@@ -49,9 +54,39 @@ func parse() (AdvisoryDB, error) {
 	}
 	defer f.Close()
 
+	// for detecting vulnerabilities
 	if err = json.NewDecoder(f).Decode(&advisoryDB); err != nil {
 		return nil, err
 	}
 
+	// for displaying vulnerability detail
+	var vulns []vulnerability.Vulnerability
+	for _, advisories := range advisoryDB {
+		for _, advisory := range advisories {
+			vulnerabilityID := advisory.Cve
+			if vulnerabilityID == "" {
+				vulnerabilityID = advisory.ID
+			}
+			vulns = append(vulns, vulnerability.Vulnerability{
+				ID:    vulnerabilityID,
+				Title: advisory.Advisory,
+			})
+		}
+	}
+	if err = s.saveVulnerabilities(vulns); err != nil {
+		return nil, err
+	}
+
 	return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+		for _, vuln := range vulns {
+			if err := db.Put(b, vuln.ID, vulnerability.PythonSafetyDB, vuln); err != nil {
+				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+			}
+		}
+		return nil
+	})
+}

pkg/scanner/library/scan.go

@@ -96,7 +96,7 @@ func scan(scanner Scanner, pkgs []ptypes.Library) ([]types.Vulnerability, error)
 		return nil, xerrors.Errorf("failed to update %s advisories: %w", scanner.Type(), err)
 	}
 
-	log.Logger.Infof("Detect %s vulnerabilities", scanner.Type())
+	log.Logger.Infof("Detecting %s vulnerabilities...", scanner.Type())
 	var vulnerabilities []types.Vulnerability
 	for _, pkg := range pkgs {
 		v, err := version.NewVersion(pkg.Version)

pkg/scanner/scan.go

@@ -25,6 +25,12 @@ import (
 	"github.com/knqyf263/fanal/extractor"
 )
 
+var (
+	sources = []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
+		vulnerability.DebianOVAL, vulnerability.Alpine, vulnerability.RubySec, vulnerability.PhpSecurityAdvisories,
+		vulnerability.NodejsSecurityWg, vulnerability.PythonSafetyDB}
+)
+
 func ScanImage(imageName, filePath string, severities []vulnerability.Severity) (report.Results, error) {
 	var results report.Results
 	var err error
@@ -134,8 +140,7 @@ func getDetail(vulnID string) (vulnerability.Severity, string) {
 }
 
 func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.Severity {
-	for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
-		vulnerability.DebianOVAL, vulnerability.Alpine} {
+	for _, source := range sources {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -154,8 +159,7 @@ func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.S
 }
 
 func getTitle(details map[string]vulnerability.Vulnerability) string {
-	for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
-		vulnerability.DebianOVAL, vulnerability.Alpine} {
+	for _, source := range sources {
 		d, ok := details[source]
 		if !ok {
 			continue

pkg/vulnsrc/vulnerability/const.go

@@ -2,13 +2,17 @@ package vulnerability
 
 const (
 	// Data source
-	Nvd        = "nvd"
-	RedHat     = "redhat"
-	Debian     = "debian"
-	DebianOVAL = "debian-oval"
-	Ubuntu     = "ubuntu"
-	CentOS     = "centos"
-	Fedora     = "fedora"
-	Amazon     = "amazon"
-	Alpine     = "alpine"
+	Nvd                   = "nvd"
+	RedHat                = "redhat"
+	Debian                = "debian"
+	DebianOVAL            = "debian-oval"
+	Ubuntu                = "ubuntu"
+	CentOS                = "centos"
+	Fedora                = "fedora"
+	Amazon                = "amazon"
+	Alpine                = "alpine"
+	RubySec               = "ruby-advisory-db"
+	PhpSecurityAdvisories = "php-security-advisories"
+	NodejsSecurityWg      = "nodejs-security-wg"
+	PythonSafetyDB        = "python-safety-db"
 )

pkg/vulnsrc/vulnerability/types.go

@@ -19,18 +19,18 @@ const (
 
 var (
 	SeverityNames = []string{
-		"CRITICAL",
-		"HIGH",
-		"MEDIUM",
-		"LOW",
 		"UNKNOWN",
+		"LOW",
+		"MEDIUM",
+		"HIGH",
+		"CRITICAL",
 	}
 	SeverityColor = []func(a ...interface{}) string{
-		color.New(color.FgRed).SprintFunc(),
-		color.New(color.FgHiRed).SprintFunc(),
-		color.New(color.FgYellow).SprintFunc(),
-		color.New(color.FgBlue).SprintFunc(),
 		color.New(color.FgCyan).SprintFunc(),
+		color.New(color.FgBlue).SprintFunc(),
+		color.New(color.FgYellow).SprintFunc(),
+		color.New(color.FgHiRed).SprintFunc(),
+		color.New(color.FgRed).SprintFunc(),
 	}
 )
 

pkg/vulnsrc/vulnerability/vulnerability.go

@@ -13,6 +13,7 @@ const (
 )
 
 type Vulnerability struct {
+	ID          string // e.g. CVE-2019-8331, OSVDB-104365
 	CvssScore   float64
 	CvssScoreV3 float64
 	Severity    Severity