gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
d2d0ec2b6d71a8228fd707eee1b7e0f0aa3ab0d1
trivy/pkg/detector/library/compare/compare.go
Teppei Fukuda d2d0ec2b6d chore: add modernize tool integration for code modernization (#9251) 
Co-authored-by: knqyf263 <knqyf263@users.noreply.github.com>
2025-07-29 07:13:54 +00:00

78 lines
2.3 KiB
Go
Raw Blame History

package compare
import (
"slices"
"strings"
"golang.org/x/xerrors"
"github.com/aquasecurity/go-version/pkg/version"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/log"
)
// Comparer is an interface for version comparison
type Comparer interface {
IsVulnerable(currentVersion string, advisory dbTypes.Advisory) bool
}
type matchVersion func(currentVersion, constraint string) (bool, error)
// IsVulnerable checks if the package version is vulnerable to the advisory.
func IsVulnerable(pkgVer string, advisory dbTypes.Advisory, match matchVersion) bool {
// If one of vulnerable/patched versions is empty, we should detect it anyway.
if slices.Contains(append(advisory.VulnerableVersions, advisory.PatchedVersions...), "") {
return true
}
var matched bool
var err error
if len(advisory.VulnerableVersions) != 0 {
matched, err = match(pkgVer, strings.Join(advisory.VulnerableVersions, " || "))
if err != nil {
log.Warn("Version matching error", log.Err(err))
return false
} else if !matched {
// the version is not vulnerable
return false
}
}
secureVersions := append(advisory.PatchedVersions, advisory.UnaffectedVersions...)
if len(secureVersions) == 0 {
// the version matches vulnerable versions and patched/unaffected versions are not provided
// or all values are empty
return matched
}
matched, err = match(pkgVer, strings.Join(secureVersions, " || "))
if err != nil {
log.Warn("Version matching error", log.Err(err))
return false
}
return !matched
}
// GenericComparer represents a comparer for semver-like versioning
type GenericComparer struct{}
// IsVulnerable checks if the package version is vulnerable to the advisory.
func (v GenericComparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
return IsVulnerable(ver, advisory, v.matchVersion)
}
// matchVersion checks if the package version satisfies the given constraint.
func (v GenericComparer) matchVersion(currentVersion, constraint string) (bool, error) {
ver, err := version.Parse(currentVersion)
if err != nil {
return false, xerrors.Errorf("version error (%s): %s", currentVersion, err)
}
c, err := version.NewConstraints(constraint)
if err != nil {
return false, xerrors.Errorf("constraint error (%s): %s", currentVersion, err)
}
return c.Check(ver), nil
}
Reference in New Issue View Git Blame Copy Permalink