feat: add support for conan.lock file (#2779)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

.github/workflows/semantic-pr.yaml

@@ -64,6 +64,8 @@ jobs:
             dotnet
             java
             go
+            c
+            c++
 
             os
             lang

docs/docs/vulnerability/detection/data-source.md

@@ -19,22 +19,23 @@
 
 # Programming Language
 
-| Language                     | Source                                              | Commercial Use  | Delay[^1]|
-| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
-| PHP                          | [PHP Security Advisories Database][php]             | ✅              | -        |
-|                              | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
-| Python                       | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
-|                              | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                      | ✅              | -        |
-|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
-| Node.js                      | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
-|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
-| Java                         | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
-| Go                           | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
-|                              | [The Go Vulnerability Database][go]                 | ✅              | -        |
-| Rust                         | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
-| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| Language | Source                                              | Commercial Use  | Delay[^1]|
+|----------|-----------------------------------------------------|:---------------:|:--------:|
+| PHP      | [PHP Security Advisories Database][php]             | ✅              | -        |
+|          | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
+| Python   | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
+|          | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
+| Ruby     | [Ruby Advisory Database][ruby]                      | ✅              | -        |
+|          | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
+| Node.js  | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
+|          | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
+| Java     | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|          | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
+| Go       | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|          | [The Go Vulnerability Database][go]                 | ✅              | -        |
+| Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
+| .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
+| C/C++    | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 

docs/docs/vulnerability/detection/language.md

@@ -26,6 +26,7 @@
 |          | go.mod[^7]                                                                                 |     -     |     -      |        ✅        |        ✅        | included         |
 | Rust     | Cargo.lock                                                                                 |     ✅     |     ✅      |        ✅        |        ✅        | included         |
 |          | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |        -        |        -        | excluded   
+| C/C++    | conan.lock[^12]                                                                            |     -     |     -      |        ✅        |        ✅        | excluded         |
 
 The path of these files does not matter.
 
@@ -42,3 +43,4 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
 [^9]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
 [^10]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
 [^11]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^12]: To scan a filename other than the default filename(`conan.lock`) use [file-patterns](../examples/others.md#file-patterns)

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.23.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220830123424-46cde9383d60
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220904090510-d2cb7a409fe8
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46

go.sum

@@ -206,8 +206,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.71.9 h1:eo244v1RQzziClY9xXyVftPibE0fddXbTtkvH52/slU=
 github.com/aquasecurity/defsec v0.71.9/go.mod h1:2jYgkIi3UFbkrbtpnr3Cu49JZ3MGuLMJAhyh63jV1I4=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220830123424-46cde9383d60 h1:lBkhapZtunGpC8yu2fjGvGXUNbB2pNgmn5XPuHrPxnw=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220830123424-46cde9383d60/go.mod h1:6G1Y5nht5TL9kr1SzmrdE8PrmbNXo9nHx3qFR3qURg0=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220904090510-d2cb7a409fe8 h1:8jcz2qlLrsNDT/406nXMsi87Hsv/v1fw8SMbSpRhVP0=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220904090510-d2cb7a409fe8/go.mod h1:6G1Y5nht5TL9kr1SzmrdE8PrmbNXo9nHx3qFR3qURg0=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20220726154943-99847deb62b0 h1:tihCUjLWkF0b1SAjAKcFltUs3SpsqGrLtI+Frye0D10=

integration/fs_test.go

@@ -81,6 +81,15 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/gradle.json.golden",
 		},
+		{
+			name: "conan",
+			args: args{
+				securityChecks: "vuln",
+				listAllPkgs:    true,
+				input:          "testdata/fixtures/fs/conan",
+			},
+			golden: "testdata/conan.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{

integration/integration_test.go

@@ -103,7 +103,6 @@ func readReport(t *testing.T, filePath string) types.Report {
 
 	// We don't compare repo tags because the archive doesn't support it
 	report.Metadata.RepoTags = nil
-
 	report.Metadata.RepoDigests = nil
 
 	for i, result := range report.Results {

integration/testdata/conan.json.golden

@@ -0,0 +1,76 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/fs/conan",
+  "ArtifactType": "filesystem",
+  "Results": [
+    {
+      "Target": "conan.lock",
+      "Class": "lang-pkgs",
+      "Type": "conan",
+      "Packages": [
+        {
+          "ID": "bzip2/1.0.8",
+          "Name": "bzip2",
+          "Version": "1.0.8",
+          "Indirect": true
+        },
+        {
+          "ID": "expat/2.4.8",
+          "Name": "expat",
+          "Version": "2.4.8",
+          "Indirect": true
+        },
+        {
+          "ID": "openssl/1.1.1q",
+          "Name": "openssl",
+          "Version": "1.1.1q",
+          "Indirect": true
+        },
+        {
+          "ID": "pcre/8.43",
+          "Name": "pcre",
+          "Version": "8.43",
+          "Indirect": true,
+          "DependsOn": [
+            "bzip2/1.0.8",
+            "zlib/1.2.12"
+          ]
+        },
+        {
+          "ID": "poco/1.9.4",
+          "Name": "poco",
+          "Version": "1.9.4",
+          "DependsOn": [
+            "pcre/8.43",
+            "zlib/1.2.12",
+            "expat/2.4.8",
+            "sqlite3/3.39.2",
+            "openssl/1.1.1q"
+          ]
+        },
+        {
+          "ID": "sqlite3/3.39.2",
+          "Name": "sqlite3",
+          "Version": "3.39.2",
+          "Indirect": true
+        },
+        {
+          "ID": "zlib/1.2.12",
+          "Name": "zlib",
+          "Version": "1.2.12",
+          "Indirect": true
+        }
+      ],
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2020-14155",
+          "PkgID": "pcre/8.43",
+          "PkgName": "pcre",
+          "InstalledVersion": "8.43",
+          "FixedVersion": "8.45",
+          "Severity": "UNKNOWN"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/fixtures/db/conan.yaml

@@ -0,0 +1,10 @@
+- bucket: conan::GitLab Advisory Database Community
+  pairs:
+    - bucket: pcre
+      pairs:
+        - key: CVE-2020-14155
+          value:
+            PatchedVersions:
+              - "8.45"
+            VulnerableVersions:
+              - "<8.44"

integration/testdata/fixtures/db/vulnerability.yaml

@@ -1206,4 +1206,27 @@
         - "https://github.com/advisories/GHSA-36p3-wjmg-h94x",
       PublishedDate: "2022-04-01T23:15:00Z"
       LastModifiedDate: "2022-05-19T14:21:00Z"
-
+  - key: CVE-2020-14155
+    value:
+      Title: "pcre: Integer overflow when parsing callout numeric arguments"
+      Description: "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring."
+      Severity: MEDIUM
+      CweIDs:
+        - CWE-190
+      VendorSeverity:
+        alma: 1
+        nvd: 2
+      CVSS:
+        nvd:
+          V2Vector: "AV:N/AC:L/Au:N/C:N/I:N/A:P"
+          V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+          V2Score: 5
+          V3Score: 5.3
+        redhat:
+          V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+          V3Score: 5.3
+      References:
+        - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155",
+        - "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
+      PublishedDate: "2020-06-15T17:15:00Z"
+      LastModifiedDate: "2022-04-28T15:06:00Z"