diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/Package.java b/src/main/java/org/dependencytrack/parser/trivy/model/Package.java
index f1d3132084..3b3961ea05 100644
--- a/src/main/java/org/dependencytrack/parser/trivy/model/Package.java
+++ b/src/main/java/org/dependencytrack/parser/trivy/model/Package.java
@@ -32,21 +32,26 @@ public class Package {
 private String srcVersion;
 @SerializedName("src_epoch")
 private Integer srcEpoch;
+ @SerializedName("src_release")
+ private String srcRelease;
 private String[] licenses;
 private OS layer;
- public Package(String name, String version, String arch, Integer epoch) {
+ public Package(String name, String version, String arch, Integer epoch, String srcName, String srcVersion, String srcRelease) {
 this.name = name;
 this.version = version;
 this.arch = arch;
 this.epoch = epoch;
- this.srcName = name;
- this.srcVersion = version;
+ this.srcName = (srcName == null) ? name : srcName;
+ this.srcVersion = (srcVersion == null) ? version : srcVersion;
 this.srcEpoch = epoch;
+ this.srcRelease = srcRelease;
 this.licenses = new String[] {};
 this.layer = new OS();
 }
+
+
 }
\ No newline at end of file
diff --git a/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
index b28a2f9395..709cffcba4 100644
--- a/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
+++ b/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
@@ -46,6 +46,7 @@
 import org.dependencytrack.event.TrivyAnalysisEvent;
 import org.dependencytrack.model.Classifier;
 import org.dependencytrack.model.Component;
+import org.dependencytrack.model.ComponentProperty;
 import org.dependencytrack.model.ConfigPropertyConstants;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.model.VulnerabilityAnalysisLevel;
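Review bot: The new seven-argument constructor leaves the null handling of its three new parameters undocumented: `srcName` and `srcVersion` fall back to `name`/`version` when null, but `srcRelease` is stored as-is, and nothing states whether a null release is acceptable once the object is serialized. Add Javadoc on the constructor with `@param srcName source package name; falls back to {@code name} when null`, `@param srcVersion source package version; falls back to {@code version} when null` and `@param srcRelease source package release, or null when unknown`. Seven positional parameters, four of them `String`, also invite argument swaps at the call site in TrivyAnalysisTask (the `pkg.addPackage(new Package(...))` hunk); a static factory or builder would make that safer, and any other caller of the old four-argument constructor outside this diff, if one exists, would need updating either way. The two blank lines added before the closing brace look like stray whitespace and can be dropped.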
@@ -225,6 +226,10 @@ public void analyze(final List components) {
 LOGGER.debug("add library %s".formatted(component.toString()));
 app.addLibrary(new Library(name, component.getVersion()));
 } else {
+ String srcName = null;
+ String srcVersion = null;
+ String srcRelease = null;
+
 String pkgType = component.getPurl().getType();
 String arch = null;
 Integer epoch = null;
@@ -246,6 +251,17 @@ public void analyze(final List components) {
 }
 }
+ for (final ComponentProperty property : component.getProperties()) {
+
+ if (property.getPropertyName().equals("trivy:SrcName")) {
+ srcName = property.getPropertyValue();
+ } else if (property.getPropertyName().equals("trivy:SrcVersion")) {
+ srcVersion = property.getPropertyValue();
+ } else if (property.getPropertyName().equals("trivy:SrcRelease")) {
+ srcRelease = property.getPropertyValue();
+ }
+ }
+
 final PackageInfo pkg = pkgs.computeIfAbsent(pkgType, ignored -> new PackageInfo());
 versionKey += component.getVersion();
@@ -254,7 +270,7 @@ public void analyze(final List components) {
 LOGGER.debug("Add key %s to map".formatted(key));
 map.put(key, component);
 LOGGER.debug("add package %s".formatted(component.toString()));
- pkg.addPackage(new Package(component.getName(), component.getVersion(), arch != null ? arch : "x86_64", epoch));
+ pkg.addPackage(new Package(component.getName(), component.getVersion(), arch != null ? arch : "x86_64", epoch, srcName, srcVersion, srcRelease));
 }
 }
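Review bot: The property loop calls `property.getPropertyName().equals(...)` three times, so a ComponentProperty with a null name throws a NullPointerException and aborts the whole analysis run instead of being skipped; whether names can be null is not visible here, but the constant-first form is safe either way: `if ("trivy:SrcName".equals(property.getPropertyName())) {` and likewise for `"trivy:SrcVersion"` and `"trivy:SrcRelease"`. The same question applies to `component.getProperties()` if it can return null for a component without properties, in which case a guard is needed before the loop too — confirm against the model. The match is on property name alone, so a property of the same name under a different group would also be picked up; if these values are expected in a specific group, compare the group as well. Since the values come from user-editable component metadata and are presumably serialized into the request sent to Trivy, a short comment on the loop would help the next reader, e.g. `// Source package coordinates recorded as component properties (trivy:Src*) override the component's own name/version for the Trivy lookup`. analyze() continues outside the hunk.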