feat(image): updated json report added package locations fields #6333

3 changes: 2 additions & 1 deletion integration/docker_engine_test.go
Expand Up @@ -5,12 +5,13 @@ package integration

import (
"context"
"github.com/aquasecurity/trivy/pkg/types"
"io"
"os"
"strings"
"testing"

"github.com/aquasecurity/trivy/pkg/types"

api "github.com/docker/docker/api/types"
"github.com/docker/docker/client"
"github.com/stretchr/testify/assert"
3 changes: 2 additions & 1 deletion integration/repo_test.go
Expand Up @@ -4,11 +4,12 @@ package integration

import (
"fmt"
"github.com/stretchr/testify/assert"
"os"
"strings"
"testing"

"github.com/stretchr/testify/assert"

ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)
3 changes: 2 additions & 1 deletion integration/standalone_tar_test.go
Expand Up @@ -3,12 +3,13 @@
package integration

import (
"github.com/aquasecurity/trivy/pkg/types"
"os"
"path/filepath"
"strings"
"testing"

"github.com/aquasecurity/trivy/pkg/types"

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
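--- a/integration/testdata/busybox-with-lockfile.json.golden
+++ b/integration/testdata/busybox-with-lockfile.json.golden
@@ -60,6 +60,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:cargo/ammonia@1.9.0"
 },
+"Locations": [
+{
+"StartLine": 2,
+"EndLine": 13
+}
+],
 "InstalledVersion": "1.9.0",
 "FixedVersion": "\u003e= 2.1.0",
 "Status": "fixed",
@@ -105,6 +111,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:cargo/ammonia@1.9.0"
 },
+"Locations": [
+{
+"StartLine": 2,
+"EndLine": 13
+}
+],
 "InstalledVersion": "1.9.0",
 "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
 "Status": "fixed",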
6 changes: 6 additions & 0 deletions integration/testdata/composer.lock.json.golden


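--- a/integration/testdata/conan.json.golden
+++ b/integration/testdata/conan.json.golden
@@ -159,6 +159,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:conan/pcre@8.43"
 },
+"Locations": [
+{
+"StartLine": 26,
+"EndLine": 36
+}
+],
 "InstalledVersion": "8.43",
 "FixedVersion": "8.45",
 "Status": "fixed",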
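--- a/integration/testdata/dotnet.json.golden
+++ b/integration/testdata/dotnet.json.golden
@@ -43,6 +43,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1"
 },
+"Locations": [
+{
+"StartLine": 8,
+"EndLine": 14
+}
+],
 "InstalledVersion": "9.0.1",
 "FixedVersion": "13.0.1",
 "Status": "fixed",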
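--- a/integration/testdata/gradle.json.golden
+++ b/integration/testdata/gradle.json.golden
@@ -28,6 +28,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
 },
+"Locations": [
+{
+"StartLine": 4,
+"EndLine": 4
+}
+],
 "InstalledVersion": "2.9.1",
 "FixedVersion": "2.9.10.4",
 "Status": "fixed",
@@ -93,6 +99,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
 },
+"Locations": [
+{
+"StartLine": 4,
+"EndLine": 4
+}
+],
 "InstalledVersion": "2.9.1",
 "FixedVersion": "2.9.10.7",
 "Status": "fixed",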
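--- a/integration/testdata/mix.lock.json.golden
+++ b/integration/testdata/mix.lock.json.golden
@@ -180,6 +180,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:hex/phoenix@1.6.13"
 },
+"Locations": [
+{
+"StartLine": 4,
+"EndLine": 4
+}
+],
 "InstalledVersion": "1.6.13",
 "FixedVersion": "1.6.14",
 "Status": "fixed",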
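--- a/integration/testdata/npm-with-dev.json.golden
+++ b/integration/testdata/npm-with-dev.json.golden
@@ -269,6 +269,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:npm/jquery@3.3.9"
 },
+"Locations": [
+{
+"StartLine": 11,
+"EndLine": 15
+}
+],
 "InstalledVersion": "3.3.9",
 "FixedVersion": "3.4.0",
 "Status": "fixed",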
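--- a/integration/testdata/npm.json.golden
+++ b/integration/testdata/npm.json.golden
@@ -250,6 +250,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:npm/jquery@3.3.9"
 },
+"Locations": [
+{
+"StartLine": 11,
+"EndLine": 15
+}
+],
 "InstalledVersion": "3.3.9",
 "FixedVersion": "3.4.0",
 "Status": "fixed",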
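--- a/integration/testdata/nuget.json.golden
+++ b/integration/testdata/nuget.json.golden
@@ -65,6 +65,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:nuget/Newtonsoft.Json@12.0.3"
 },
+"Locations": [
+{
+"StartLine": 5,
+"EndLine": 10
+}
+],
 "InstalledVersion": "12.0.3",
 "FixedVersion": "13.0.1",
 "Status": "fixed",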
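--- a/integration/testdata/pipenv.json.golden
+++ b/integration/testdata/pipenv.json.golden
@@ -43,6 +43,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:pypi/werkzeug@0.11.1"
 },
+"Locations": [
+{
+"StartLine": 19,
+"EndLine": 26
+}
+],
 "InstalledVersion": "0.11.1",
 "FixedVersion": "0.15.3",
 "Status": "fixed",
@@ -99,6 +105,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:pypi/werkzeug@0.11.1"
 },
+"Locations": [
+{
+"StartLine": 19,
+"EndLine": 26
+}
+],
 "InstalledVersion": "0.11.1",
 "FixedVersion": "0.11.6",
 "Status": "fixed",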
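--- a/integration/testdata/pom.json.golden
+++ b/integration/testdata/pom.json.golden
@@ -28,6 +28,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
 },
+"Locations": [
+{
+"StartLine": 41,
+"EndLine": 45
+}
+],
 "InstalledVersion": "2.9.1",
 "FixedVersion": "2.9.10.4",
 "Status": "fixed",
@@ -93,6 +99,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
 },
+"Locations": [
+{
+"StartLine": 41,
+"EndLine": 45
+}
+],
 "InstalledVersion": "2.9.1",
 "FixedVersion": "2.9.10.7",
 "Status": "fixed",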
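--- a/integration/testdata/swift.json.golden
+++ b/integration/testdata/swift.json.golden
@@ -60,6 +60,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:swift/github.com/apple/swift-nio@2.41.0"
 },
+"Locations": [
+{
+"StartLine": 13,
+"EndLine": 21
+}
+],
 "InstalledVersion": "2.41.0",
 "FixedVersion": "2.29.1, 2.39.1, 2.42.0",
 "Status": "fixed",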
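--- a/integration/testdata/test-repo.json.golden
+++ b/integration/testdata/test-repo.json.golden
@@ -28,6 +28,10 @@
 "PkgIdentifier": {
 "PURL": "pkg:cargo/ammonia@1.9.0"
 },
+"Locations": [{
+"StartLine": 2,
+"EndLine": 13
+}],
 "InstalledVersion": "1.9.0",
 "FixedVersion": "\u003e= 2.1.0",
 "Status": "fixed",
@@ -70,6 +74,10 @@
 "PkgIdentifier": {
 "PURL": "pkg:cargo/ammonia@1.9.0"
 },
+"Locations": [{
+"StartLine": 2,
+"EndLine": 13
+}],
 "InstalledVersion": "1.9.0",
 "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
 "Status": "fixed",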
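Review bot: The `Locations` entries in this fixture are written in compact form (`"Locations": [{` … `}],`) while every other golden file touched by this PR expands the single array element onto its own lines (`"Locations": [` / `{` / … / `]`). If the integration test compares decoded JSON this is harmless, but it is inconsistent with the sibling fixtures and would fail a byte-for-byte comparison, so reformat both blocks here to match the expanded layout used elsewhere.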
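--- a/integration/testdata/yarn.json.golden
+++ b/integration/testdata/yarn.json.golden
@@ -49,6 +49,12 @@
 "PkgIdentifier": {
 "PURL": "pkg:npm/jquery@3.2.1"
 },
+"Locations": [
+{
+"StartLine": 10,
+"EndLine": 13
+}
+],
 "InstalledVersion": "3.2.1",
 "FixedVersion": "3.4.0",
 "Status": "fixed",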
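--- a/pkg/detector/library/detect.go
+++ b/pkg/detector/library/detect.go
@@ -42,6 +42,7 @@ func detect(ctx context.Context, driver Driver, pkgs []ftypes.Package) ([]types.
 vulns[i].Layer = pkg.Layer
 vulns[i].PkgPath = pkg.FilePath
 vulns[i].PkgIdentifier = pkg.Identifier
+vulns[i].Locations = pkg.Locations
 }
 vulnerabilities = append(vulnerabilities, vulns...)
 }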
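Review bot: `vulns[i].Locations = pkg.Locations` stores the package's slice header as-is, so every vulnerability detected for the same package shares one backing array with the package record and with each other; nothing in this hunk mutates it, but any later in-place sort or edit by a report writer would change all of them at once. If isolation is intended, copy it: `vulns[i].Locations = append([]ftypes.Location(nil), pkg.Locations...)`. The new `Locations` field on the vulnerability type and its JSON tag are not in this diff, and the golden files only show the key on language-ecosystem packages, so please confirm the field carries `omitempty` — otherwise every OS-package finding will start emitting `"Locations": null`. The enclosing `detect` function starts and ends outside the hunk.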
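--- a/pkg/report/sarif.go
+++ b/pkg/report/sarif.go
@@ -165,7 +165,7 @@ func (sw *SarifWriter) Write(ctx context.Context, report types.Report) error {
 resourceClass: res.Class,
 artifactLocation: path,
 locationMessage: fmt.Sprintf("%v: %v@%v", path, vuln.PkgName, vuln.InstalledVersion),
-locations: sw.getLocations(vuln.PkgName, vuln.InstalledVersion, path, res.Packages),
+locations: sw.getLocations(vuln.Locations),
 resultIndex: getRuleIndex(vuln.VulnerabilityID, ruleIndexes),
 shortDescription: html.EscapeString(vuln.Title),
 fullDescription: html.EscapeString(fullDescription),
@@ -346,23 +346,13 @@ func clearURI(s string) string {
 return strings.ReplaceAll(strings.ReplaceAll(s, "\\", "/"), "git::https:/", "")
 }
 
-func (sw *SarifWriter) getLocations(name, version, path string, pkgs []ftypes.Package) []location {
-id := fmt.Sprintf("%s@%s@%s", path, name, version)
-locs, ok := sw.locationCache[id]
-if !ok {
-for _, pkg := range pkgs {
-if name == pkg.Name && version == pkg.Version {
-for _, l := range pkg.Locations {
-loc := location{
-startLine: l.StartLine,
-endLine: l.EndLine,
-}
-locs = append(locs, loc)
-}
-sw.locationCache[id] = locs
-return locs
-}
-}
+func (sw *SarifWriter) getLocations(vulnLocations []ftypes.Location) []location {
+var locs []location
+for _, loc := range vulnLocations {
+locs = append(locs, location{
+startLine: loc.StartLine,
+endLine: loc.EndLine,
+})
 }
 return locs
 }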
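Review bot: The rewritten `getLocations` no longer reads or writes `sw.locationCache`, which the removed code used as its memo; unless another method still uses it, the field and whatever initializes it in the writer's constructor are now dead state and should go in the same change. The receiver is unused too, so this can be a plain helper, `func toSarifLocations(locs []ftypes.Location) []location`, which also makes the "no cache" intent explicit. If the method form stays, pre-size the result with `locs := make([]location, 0, len(vulnLocations))` — but only if nothing downstream distinguishes a nil slice from an empty one, since the current code returns nil when a vulnerability has no locations. Worth one sentence in the PR description: the old lookup matched `res.Packages` by name and version, so a vulnerability without an exact package match got no region, whereas the new code reports whatever `detect` attached to the vulnerability. `getLocations` is complete within the hunk; `Write` is not.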