From 0bf952463091dad3c8e654f204c68d415d4cd5bf Mon Sep 17 00:00:00 2001 From: Tom Fay Date: Thu, 6 Jun 2024 15:32:16 +0100 Subject: [PATCH 1/4] feat(azure): Add Azure Linux support Azure Linux is a rebranding of CBL-Mariner, starting at version 3.0, so this reuses the existing Mariner parsing function. --- pkg/vulnsrc/azure/azure.go | 29 +++++ pkg/vulnsrc/azure/azure_test.go | 102 ++++++++++++++++++ .../azure/testdata/fixtures/happy.yaml | 7 ++ .../azure/3.0/definitions/2018/38656-1.json | 29 +++++ .../azure/3.0/definitions/2023/38611-1.json | 29 +++++ .../vuln-list/azure/3.0/objects/objects.json | 14 +++ .../vuln-list/azure/3.0/states/states.json | 22 ++++ .../vuln-list/azure/3.0/tests/tests.json | 28 +++++ pkg/vulnsrc/mariner/mariner.go | 43 ++++---- pkg/vulnsrc/vulnerability/const.go | 1 + pkg/vulnsrc/vulnerability/vulnerability.go | 2 +- 11 files changed, 284 insertions(+), 22 deletions(-) create mode 100644 pkg/vulnsrc/azure/azure.go create mode 100644 pkg/vulnsrc/azure/azure_test.go create mode 100644 pkg/vulnsrc/azure/testdata/fixtures/happy.yaml create mode 100644 pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2018/38656-1.json create mode 100644 pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/38611-1.json create mode 100644 pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/objects/objects.json create mode 100644 pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/states/states.json create mode 100644 pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/tests/tests.json diff --git a/pkg/vulnsrc/azure/azure.go b/pkg/vulnsrc/azure/azure.go new file mode 100644 index 00000000..8eacbc5f --- /dev/null +++ b/pkg/vulnsrc/azure/azure.go @@ -0,0 +1,29 @@ +package azure + +import ( + "path/filepath" + + "golang.org/x/xerrors" + + "github.com/aquasecurity/trivy-db/pkg/db" + "github.com/aquasecurity/trivy-db/pkg/types" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" +) + +var ( + ErrNotSupported = xerrors.New("format not supported") +) + +func NewVulnSrc() mariner.VulnSrc { + return mariner.VulnSrc{ + Dbc: db.Config{}, + VulnListDir: filepath.Join("azure"), + Source: types.DataSource{ + ID: vulnerability.AzureLinux, + Name: "Azure Linux Vulnerability Data", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", + }, + PlatformFormat: "Azure Linux %s", + } +} diff --git a/pkg/vulnsrc/azure/azure_test.go b/pkg/vulnsrc/azure/azure_test.go new file mode 100644 index 00000000..0423be8e --- /dev/null +++ b/pkg/vulnsrc/azure/azure_test.go @@ -0,0 +1,102 @@ +package azure_test + +import ( + "path/filepath" + "testing" + + "github.com/aquasecurity/trivy-db/pkg/types" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" + "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" +) + +func TestVulnSrc_Update(t *testing.T) { + tests := []struct { + name string + dir string + wantValues []vulnsrctest.WantValues + wantErr string + noBuckets [][]string + }{ + { + name: "happy path", + dir: filepath.Join("testdata", "happy"), + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{"data-source", "Azure Linux 3.0"}, + Value: types.DataSource{ + ID: vulnerability.AzureLinux, + Name: "Azure Linux Vulnerability Data", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2018-1999023", "Azure Linux 3.0", "ceph"}, + Value: types.Advisory{ + FixedVersion: "0:18.2.1-1.azl3", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2023-27534", "Azure Linux 3.0", "tensorflow"}, + Value: types.Advisory{ + FixedVersion: "0:2.16.1-1.azl3", + }, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + vs := azure.NewVulnSrc() + vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{ + Dir: tt.dir, + WantValues: tt.wantValues, + WantErr: tt.wantErr, + NoBuckets: tt.noBuckets, + }) + }) + } +} + +func TestVulnSrc_Get(t *testing.T) { + tests := []struct { + name string + release string + pkgName string + fixtures []string + want []types.Advisory + wantErr string + }{ + { + name: "happy path", + release: "3.0", + pkgName: "ceph", + fixtures: []string{"testdata/fixtures/happy.yaml"}, + want: []types.Advisory{ + { + VulnerabilityID: "CVE-2018-1999023", + FixedVersion: "0:18.2.1-1.azl3", + }, + }, + }, + { + name: "unknown package", + release: "3.0", + pkgName: "unknown-package", + fixtures: []string{"testdata/fixtures/happy.yaml"}, + want: []types.Advisory(nil), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + vs := azure.NewVulnSrc() + vulnsrctest.TestGet(t, vs, vulnsrctest.TestGetArgs{ + Fixtures: tt.fixtures, + WantValues: tt.want, + Release: tt.release, + PkgName: tt.pkgName, + WantErr: tt.wantErr, + }) + }) + } +} diff --git a/pkg/vulnsrc/azure/testdata/fixtures/happy.yaml b/pkg/vulnsrc/azure/testdata/fixtures/happy.yaml new file mode 100644 index 00000000..88b01a41 --- /dev/null +++ b/pkg/vulnsrc/azure/testdata/fixtures/happy.yaml @@ -0,0 +1,7 @@ +- bucket: Azure Linux 3.0 + pairs: + - bucket: ceph + pairs: + - key: CVE-2018-1999023 + value: + FixedVersion: 0:18.2.1-1.azl3 diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2018/38656-1.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2018/38656-1.json new file mode 100644 index 00000000..5c9f9e84 --- /dev/null +++ b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2018/38656-1.json @@ -0,0 +1,29 @@ +{ + "Class": "vulnerability", + "ID": "oval:com.microsoft.azurelinux:def:38656", + "Version": "1", + "Metadata": { + "Title": "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1", + "Affected": { + "Family": "unix", + "Platform": "Azure Linux" + }, + "Reference": { + "RefID": "CVE-2018-1999023", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999023", + "Source": "CVE" + }, + "Patchable": "true", + "AdvisoryDate": "2024-04-17T22:02:46Z", + "AdvisoryID": "38656-1", + "Severity": "High", + "Description": "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1. An upgraded version of the package is available that resolves this issue." + }, + "Criteria": { + "Operator": "AND", + "Criterion": { + "Comment": "Package ceph is earlier than 18.2.1-1, affected by CVE-2018-1999023", + "TestRef": "oval:com.microsoft.azurelinux:tst:38656000" + } + } +} \ No newline at end of file diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/38611-1.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/38611-1.json new file mode 100644 index 00000000..9335d166 --- /dev/null +++ b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/38611-1.json @@ -0,0 +1,29 @@ +{ + "Class": "vulnerability", + "ID": "oval:com.microsoft.azurelinux:def:38611", + "Version": "1", + "Metadata": { + "Title": "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1", + "Affected": { + "Family": "unix", + "Platform": "Azure Linux" + }, + "Reference": { + "RefID": "CVE-2023-27534", + "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-27534", + "Source": "CVE" + }, + "Patchable": "true", + "AdvisoryDate": "2024-04-17T22:02:46Z", + "AdvisoryID": "38611-1", + "Severity": "High", + "Description": "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1. An upgraded version of the package is available that resolves this issue." + }, + "Criteria": { + "Operator": "AND", + "Criterion": { + "Comment": "Package tensorflow is earlier than 2.16.1-1, affected by CVE-2023-27534", + "TestRef": "oval:com.microsoft.azurelinux:tst:38611000" + } + } +} \ No newline at end of file diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/objects/objects.json new file mode 100644 index 00000000..49cf45ae --- /dev/null +++ b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/objects/objects.json @@ -0,0 +1,14 @@ +{ + "RpminfoObjects": [ + { + "ID": "oval:com.microsoft.azurelinux:obj:38656001", + "Version": "1", + "Name": "ceph" + }, + { + "ID": "oval:com.microsoft.azurelinux:obj:38611001", + "Version": "1", + "Name": "tensorflow" + } + ] +} diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/states/states.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/states/states.json new file mode 100644 index 00000000..1afbc535 --- /dev/null +++ b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/states/states.json @@ -0,0 +1,22 @@ +{ + "RpminfoState": [ + { + "ID": "oval:com.microsoft.azurelinux:ste:38656002", + "Version": "1", + "Evr": { + "Text": "0:18.2.1-1.azl3", + "Datatype": "evr_string", + "Operation": "less than" + } + }, + { + "ID": "oval:com.microsoft.azurelinux:ste:38611002", + "Version": "1", + "Evr": { + "Text": "0:2.16.1-1.azl3", + "Datatype": "evr_string", + "Operation": "less than" + } + } + ] +} diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/tests/tests.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/tests/tests.json new file mode 100644 index 00000000..a1754378 --- /dev/null +++ b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/tests/tests.json @@ -0,0 +1,28 @@ +{ + "RpminfoTests": [ + { + "Check": "at least one", + "Comment": "Package ceph is earlier than 18.2.1-1, affected by CVE-2018-1999023", + "ID": "oval:com.microsoft.azurelinux:tst:38656000", + "Version": "1", + "Object": { + "ObjectRef": "oval:com.microsoft.azurelinux:obj:38656001" + }, + "State": { + "StateRef": "oval:com.microsoft.azurelinux:ste:38656002" + } + }, + { + "Check": "at least one", + "Comment": "Package tensorflow is earlier than 2.16.1-1, affected by CVE-2023-27534", + "ID": "oval:com.microsoft.azurelinux:tst:38611000", + "Version": "1", + "Object": { + "ObjectRef": "oval:com.microsoft.azurelinux:obj:38611001" + }, + "State": { + "StateRef": "oval:com.microsoft.azurelinux:ste:38611002" + } + } + ] +} diff --git a/pkg/vulnsrc/mariner/mariner.go b/pkg/vulnsrc/mariner/mariner.go index 940e6f37..59af7f57 100644 --- a/pkg/vulnsrc/mariner/mariner.go +++ b/pkg/vulnsrc/mariner/mariner.go @@ -17,15 +17,6 @@ import ( ) var ( - cblDir = filepath.Join("mariner") - platformFormat = "CBL-Mariner %s" - - source = types.DataSource{ - ID: vulnerability.CBLMariner, - Name: "CBL-Mariner Vulnerability Data", - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", - } - ErrNotSupported = xerrors.New("format not supported") ) @@ -36,21 +27,31 @@ type resolvedTest struct { } type VulnSrc struct { - dbc db.Operation + Dbc db.Operation + VulnListDir string + Source types.DataSource + PlatformFormat string } func NewVulnSrc() VulnSrc { return VulnSrc{ - dbc: db.Config{}, + Dbc: db.Config{}, + VulnListDir: filepath.Join("mariner"), + Source: types.DataSource{ + ID: vulnerability.CBLMariner, + Name: "CBL-Mariner Vulnerability Data", + URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", + }, + PlatformFormat: "CBL-Mariner %s", } } func (vs VulnSrc) Name() types.SourceID { - return source.ID + return vs.Source.ID } func (vs VulnSrc) Update(dir string) error { - rootDir := filepath.Join(dir, "vuln-list", cblDir) + rootDir := filepath.Join(dir, "vuln-list", vs.VulnListDir) versions, err := os.ReadDir(rootDir) if err != nil { return xerrors.Errorf("unable to list directory entries (%s): %w", rootDir, err) @@ -185,9 +186,9 @@ func followTestRefs(test oval.RpmInfoTest, objects map[string]string, states map } func (vs VulnSrc) save(majorVer string, entries []Entry) error { - err := vs.dbc.BatchUpdate(func(tx *bolt.Tx) error { - platformName := fmt.Sprintf(platformFormat, majorVer) - if err := vs.dbc.PutDataSource(tx, platformName, source); err != nil { + err := vs.Dbc.BatchUpdate(func(tx *bolt.Tx) error { + platformName := fmt.Sprintf(vs.PlatformFormat, majorVer) + if err := vs.Dbc.PutDataSource(tx, platformName, vs.Source); err != nil { return xerrors.Errorf("failed to put data source: %w", err) } @@ -215,7 +216,7 @@ func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) erro continue } - if err := vs.dbc.PutAdvisoryDetail(tx, cveID, entry.PkgName, []string{platformName}, advisory); err != nil { + if err := vs.Dbc.PutAdvisoryDetail(tx, cveID, entry.PkgName, []string{platformName}, advisory); err != nil { return xerrors.Errorf("failed to save CBL-Mariner advisory detail: %w", err) } @@ -226,11 +227,11 @@ func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) erro Description: entry.Metadata.Description, References: []string{entry.Metadata.Reference.RefURL}, } - if err := vs.dbc.PutVulnerabilityDetail(tx, cveID, source.ID, vuln); err != nil { + if err := vs.Dbc.PutVulnerabilityDetail(tx, cveID, vs.Source.ID, vuln); err != nil { return xerrors.Errorf("failed to save CBL-Mariner vulnerability detail: %w", err) } - if err := vs.dbc.PutVulnerabilityID(tx, cveID); err != nil { + if err := vs.Dbc.PutVulnerabilityID(tx, cveID); err != nil { return xerrors.Errorf("failed to save the vulnerability ID: %w", err) } } @@ -238,8 +239,8 @@ func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) erro } func (vs VulnSrc) Get(release, pkgName string) ([]types.Advisory, error) { - bucket := fmt.Sprintf(platformFormat, release) - advisories, err := vs.dbc.GetAdvisories(bucket, pkgName) + bucket := fmt.Sprintf(vs.PlatformFormat, release) + advisories, err := vs.Dbc.GetAdvisories(bucket, pkgName) if err != nil { return nil, xerrors.Errorf("failed to get CBL-Marina advisories: %w", err) } diff --git a/pkg/vulnsrc/vulnerability/const.go b/pkg/vulnsrc/vulnerability/const.go index ab87c869..19fa371f 100644 --- a/pkg/vulnsrc/vulnerability/const.go +++ b/pkg/vulnsrc/vulnerability/const.go @@ -18,6 +18,7 @@ const ( Alpine types.SourceID = "alpine" ArchLinux types.SourceID = "arch-linux" Alma types.SourceID = "alma" + AzureLinux types.SourceID = "azure" CBLMariner types.SourceID = "cbl-mariner" Photon types.SourceID = "photon" RubySec types.SourceID = "ruby-advisory-db" diff --git a/pkg/vulnsrc/vulnerability/vulnerability.go b/pkg/vulnsrc/vulnerability/vulnerability.go index 10881032..663d4467 100644 --- a/pkg/vulnsrc/vulnerability/vulnerability.go +++ b/pkg/vulnsrc/vulnerability/vulnerability.go @@ -15,7 +15,7 @@ const ( var ( sources = []types.SourceID{NVD, RedHat, Debian, Ubuntu, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon, - ArchLinux, Alma, Rocky, CBLMariner, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD, OSV, K8sVulnDB, + ArchLinux, Alma, Rocky, CBLMariner, AzureLinux, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD, OSV, K8sVulnDB, } ) From 6a7145fad59f1a8a6cd1076d460396c403d09edc Mon Sep 17 00:00:00 2001 From: Tom Fay Date: Mon, 15 Jul 2024 10:57:36 +0100 Subject: [PATCH 2/4] merge azure and mariner packages --- pkg/vulnsrc/azure/azure.go | 229 +++++++++++++++- pkg/vulnsrc/azure/azure_test.go | 229 ++++++++++++++++ pkg/vulnsrc/azure/mariner.go | 22 ++ pkg/vulnsrc/{mariner => azure}/oval/oval.go | 2 +- pkg/vulnsrc/{mariner => azure}/oval/types.go | 0 .../testdata/fixtures/broken.yaml | 0 .../azure/testdata/fixtures/happy.yaml | 12 + .../mariner/1.0/definitions/2008/3173.json | 0 .../mariner/1.0/objects/objects.json | 0 .../vuln-list/mariner/1.0/states/states.json | 0 .../vuln-list/mariner/1.0/tests/tests.json | 0 .../mariner/2.0/definitions/2021/7412.json | 0 .../mariner/2.0/definitions/2023/31872-1.json | 0 .../mariner/2.0/definitions/2023/31880-1.json | 0 .../mariner/2.0/objects/objects.json | 0 .../vuln-list/mariner/2.0/states/states.json | 0 .../vuln-list/mariner/2.0/tests/tests.json | 0 .../mariner/2.0/definitions/2013/6640.json | 0 .../mariner/2.0/objects/objects.json | 0 .../vuln-list/mariner/2.0/states/states.json | 0 .../vuln-list/mariner/2.0/tests/tests.json | 0 .../mariner/1.0/definitions/2008/3173.json | 0 .../mariner/1.0/objects/objects.json | 0 .../vuln-list/mariner/1.0/states/states.json | 0 .../vuln-list/mariner/1.0/tests/tests.json | 0 .../mariner/1.0/definitions/2008/3173.json | 0 .../mariner/1.0/objects/objects.json | 0 .../vuln-list/mariner/1.0/states/states.json | 0 .../vuln-list/mariner/1.0/tests/tests.json | 0 .../mariner/1.0/objects/objects.json | 0 .../mariner/1.0/objects/objects.json | 0 .../vuln-list/mariner/1.0/states/states.json | 0 .../mariner/1.0/objects/objects.json | 0 .../vuln-list/mariner/1.0/states/states.json | 0 .../vuln-list/mariner/1.0/tests/tests.json | 0 pkg/vulnsrc/{mariner => azure}/types.go | 4 +- pkg/vulnsrc/mariner/mariner.go | 248 ------------------ pkg/vulnsrc/mariner/mariner_test.go | 213 --------------- .../mariner/testdata/fixtures/happy.yaml | 12 - pkg/vulnsrc/vulnsrc.go | 5 +- 40 files changed, 493 insertions(+), 483 deletions(-) create mode 100644 pkg/vulnsrc/azure/mariner.go rename pkg/vulnsrc/{mariner => azure}/oval/oval.go (96%) rename pkg/vulnsrc/{mariner => azure}/oval/types.go (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/fixtures/broken.yaml (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/1.0/definitions/2008/3173.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/1.0/objects/objects.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/1.0/states/states.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/1.0/tests/tests.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/2.0/definitions/2021/7412.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31872-1.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31880-1.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/2.0/objects/objects.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/2.0/states/states.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/happy/vuln-list/mariner/2.0/tests/tests.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/not-applicable-definition/vuln-list/mariner/2.0/definitions/2013/6640.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/not-applicable-definition/vuln-list/mariner/2.0/objects/objects.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/not-applicable-definition/vuln-list/mariner/2.0/states/states.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/not-applicable-definition/vuln-list/mariner/2.0/tests/tests.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/definitions/2008/3173.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/objects/objects.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/states/states.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/tests/tests.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/definitions/2008/3173.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/objects/objects.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/states/states.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/tests/tests.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/invalid-objects/vuln-list/mariner/1.0/objects/objects.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/invalid-states/vuln-list/mariner/1.0/objects/objects.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/invalid-states/vuln-list/mariner/1.0/states/states.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/invalid-tests/vuln-list/mariner/1.0/objects/objects.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/invalid-tests/vuln-list/mariner/1.0/states/states.json (100%) rename pkg/vulnsrc/{mariner => azure}/testdata/sad/invalid-tests/vuln-list/mariner/1.0/tests/tests.json (100%) rename pkg/vulnsrc/{mariner => azure}/types.go (59%) delete mode 100644 pkg/vulnsrc/mariner/mariner.go delete mode 100644 pkg/vulnsrc/mariner/mariner_test.go delete mode 100644 pkg/vulnsrc/mariner/testdata/fixtures/happy.yaml diff --git a/pkg/vulnsrc/azure/azure.go b/pkg/vulnsrc/azure/azure.go index 8eacbc5f..21d31ec3 100644 --- a/pkg/vulnsrc/azure/azure.go +++ b/pkg/vulnsrc/azure/azure.go @@ -1,13 +1,18 @@ package azure import ( + "fmt" + "log" + "os" "path/filepath" + "strings" + bolt "go.etcd.io/bbolt" "golang.org/x/xerrors" "github.com/aquasecurity/trivy-db/pkg/db" "github.com/aquasecurity/trivy-db/pkg/types" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" ) @@ -15,10 +20,23 @@ var ( ErrNotSupported = xerrors.New("format not supported") ) -func NewVulnSrc() mariner.VulnSrc { - return mariner.VulnSrc{ - Dbc: db.Config{}, - VulnListDir: filepath.Join("azure"), +type resolvedTest struct { + Name string + Version string + Operator operator +} + +type VulnSrc struct { + Dbc db.Operation + AzureDir string + Source types.DataSource + PlatformFormat string +} + +func NewVulnSrc() VulnSrc { + return VulnSrc{ + Dbc: db.Config{}, + AzureDir: filepath.Join("azure"), Source: types.DataSource{ ID: vulnerability.AzureLinux, Name: "Azure Linux Vulnerability Data", @@ -27,3 +45,204 @@ func NewVulnSrc() mariner.VulnSrc { PlatformFormat: "Azure Linux %s", } } + +func (vs VulnSrc) Name() types.SourceID { + return vs.Source.ID +} + +func (vs VulnSrc) Update(dir string) error { + rootDir := filepath.Join(dir, "vuln-list", vs.AzureDir) + versions, err := os.ReadDir(rootDir) + if err != nil { + return xerrors.Errorf("unable to list directory entries (%s): %w", rootDir, err) + } + + for _, ver := range versions { + versionDir := filepath.Join(rootDir, ver.Name()) + entries, err := parseOVAL(filepath.Join(versionDir)) + if err != nil { + return xerrors.Errorf("failed to parse CBL-Mariner OVAL: %w ", err) + } + + if err = vs.save(ver.Name(), entries); err != nil { + return xerrors.Errorf("error in CBL-Mariner save: %w", err) + } + } + + return nil +} + +func parseOVAL(dir string) ([]Entry, error) { + log.Printf(" Parsing %s", dir) + + // Parse and resolve tests + tests, err := resolveTests(dir) + if err != nil { + return nil, xerrors.Errorf("failed to resolve tests: %w", err) + } + + defs, err := oval.ParseDefinitions(dir) + if err != nil { + return nil, xerrors.Errorf("failed to parse definitions: %w", err) + } + + return resolveDefinitions(defs, tests), nil +} + +func resolveDefinitions(defs []oval.Definition, tests map[string]resolvedTest) []Entry { + var entries []Entry + + for _, def := range defs { + test, ok := tests[def.Criteria.Criterion.TestRef] + if !ok { + continue + } + entry := Entry{ + PkgName: test.Name, + Version: test.Version, + Operator: test.Operator, + Metadata: def.Metadata, + } + + entries = append(entries, entry) + } + return entries +} + +const ( + lte operator = "less than or equal" + lt operator = "less than" +) + +func resolveTests(dir string) (map[string]resolvedTest, error) { + objects, err := oval.ParseObjects(dir) + if err != nil { + return nil, xerrors.Errorf("failed to parse objects: %w", err) + } + + states, err := oval.ParseStates(dir) + if err != nil { + return nil, xerrors.Errorf("failed to parse states: %w", err) + } + + tt, err := oval.ParseTests(dir) + if err != nil { + return nil, xerrors.Errorf("failed to parse tests: %w", err) + } + + tests := map[string]resolvedTest{} + for _, test := range tt.RpminfoTests { + // test directive has should be "at least one" + if test.Check != "at least one" { + continue + } + + t, err := followTestRefs(test, objects, states) + if err != nil { + return nil, xerrors.Errorf("unable to follow test refs: %w", err) + } + tests[test.ID] = t + } + + return tests, nil +} + +func followTestRefs(test oval.RpmInfoTest, objects map[string]string, states map[string]oval.RpmInfoState) (resolvedTest, error) { + // Follow object ref + if test.Object.ObjectRef == "" { + return resolvedTest{}, xerrors.New("invalid test, no object ref") + } + + pkgName, ok := objects[test.Object.ObjectRef] + if !ok { + return resolvedTest{}, xerrors.Errorf("invalid test data, can't find object ref: %s, test ref: %s", + test.Object.ObjectRef, test.ID) + } + + // Follow state ref + if test.State.StateRef == "" { + return resolvedTest{}, xerrors.New("invalid test, no state ref") + } + + state, ok := states[test.State.StateRef] + if !ok { + return resolvedTest{}, xerrors.Errorf("invalid tests data, can't find ovalstate ref %s, test ref: %s", + test.State.StateRef, test.ID) + } + + if state.Evr.Datatype != "evr_string" { + return resolvedTest{}, xerrors.Errorf("state data type (%s): %w", state.Evr.Datatype, ErrNotSupported) + } + + if state.Evr.Operation != string(lte) && state.Evr.Operation != string(lt) { + return resolvedTest{}, xerrors.Errorf("state operation (%s): %w", state.Evr.Operation, ErrNotSupported) + } + + return resolvedTest{ + Name: pkgName, + Version: state.Evr.Text, + Operator: operator(state.Evr.Operation), + }, nil +} + +func (vs VulnSrc) save(majorVer string, entries []Entry) error { + err := vs.Dbc.BatchUpdate(func(tx *bolt.Tx) error { + platformName := fmt.Sprintf(vs.PlatformFormat, majorVer) + if err := vs.Dbc.PutDataSource(tx, platformName, vs.Source); err != nil { + return xerrors.Errorf("failed to put data source: %w", err) + } + + if err := vs.commit(tx, platformName, entries); err != nil { + return xerrors.Errorf("%s commit error: %w", platformName, err) + } + return nil + }) + if err != nil { + return xerrors.Errorf("error in db batch update: %w", err) + } + return nil +} + +func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) error { + for _, entry := range entries { + cveID := entry.Metadata.Reference.RefID + advisory := types.Advisory{} + + // Definition.Metadata.Patchable has a bool and "Not Applicable" string. + patchable := strings.ToLower(entry.Metadata.Patchable) + if patchable == "true" { + advisory.FixedVersion = entry.Version + } else if patchable == "not applicable" { + continue + } + + if err := vs.Dbc.PutAdvisoryDetail(tx, cveID, entry.PkgName, []string{platformName}, advisory); err != nil { + return xerrors.Errorf("failed to save %s advisory detail: %w", platformName, err) + } + + severity, _ := types.NewSeverity(strings.ToUpper(entry.Metadata.Severity)) + vuln := types.VulnerabilityDetail{ + Severity: severity, + Title: entry.Metadata.Title, + Description: entry.Metadata.Description, + References: []string{entry.Metadata.Reference.RefURL}, + } + if err := vs.Dbc.PutVulnerabilityDetail(tx, cveID, vs.Source.ID, vuln); err != nil { + return xerrors.Errorf("failed to save %s vulnerability detail: %w", platformName, err) + } + + if err := vs.Dbc.PutVulnerabilityID(tx, cveID); err != nil { + return xerrors.Errorf("failed to save the vulnerability ID: %w", err) + } + } + return nil +} + +func (vs VulnSrc) Get(release, pkgName string) ([]types.Advisory, error) { + bucket := fmt.Sprintf(vs.PlatformFormat, release) + advisories, err := vs.Dbc.GetAdvisories(bucket, pkgName) + if err != nil { + return nil, xerrors.Errorf("failed to get %s advisories: %w", bucket, err) + } + return advisories, nil +} diff --git a/pkg/vulnsrc/azure/azure_test.go b/pkg/vulnsrc/azure/azure_test.go index 0423be8e..0630d9f7 100644 --- a/pkg/vulnsrc/azure/azure_test.go +++ b/pkg/vulnsrc/azure/azure_test.go @@ -10,6 +10,147 @@ import ( "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" ) +func TestMarinerVulnSrc_Update(t *testing.T) { + tests := []struct { + name string + dir string + wantValues []vulnsrctest.WantValues + wantErr string + noBuckets [][]string + }{ + { + name: "happy path", + dir: filepath.Join("testdata", "happy"), + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{"data-source", "CBL-Mariner 1.0"}, + Value: types.DataSource{ + ID: vulnerability.CBLMariner, + Name: "CBL-Mariner Vulnerability Data", + URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", + }, + }, + { + Key: []string{"data-source", "CBL-Mariner 2.0"}, + Value: types.DataSource{ + ID: vulnerability.CBLMariner, + Name: "CBL-Mariner Vulnerability Data", + URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2008-3914", "CBL-Mariner 1.0", "clamav"}, + Value: types.Advisory{ + FixedVersion: "0:0.103.2-1.cm1", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2021-39924", "CBL-Mariner 2.0", "wireshark"}, + Value: types.Advisory{ + FixedVersion: "", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2023-5678", "CBL-Mariner 2.0", "openssl"}, + Value: types.Advisory{ + FixedVersion: "0:1.1.1k-28.cm2", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2023-5678", "CBL-Mariner 2.0", "edk2"}, + Value: types.Advisory{ + FixedVersion: "0:20230301gitf80f052277c8-38.cm2", + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2008-3914", "cbl-mariner"}, + Value: types.VulnerabilityDetail{ + Severity: types.SeverityCritical, + Title: "CVE-2008-3914 affecting package clamav 0.101.2", + Description: "CVE-2008-3914 affecting package clamav 0.101.2. An upgraded version of the package is available that resolves this issue.", + References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2008-3914"}, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2021-39924", "cbl-mariner"}, + Value: types.VulnerabilityDetail{ + Severity: types.SeverityHigh, + Title: "CVE-2021-39924 affecting package wireshark 3.4.4", + Description: "CVE-2021-39924 affecting package wireshark 3.4.4. No patch is available currently.", + References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2021-39924"}, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2023-5678", "cbl-mariner"}, + Value: types.VulnerabilityDetail{ + Severity: types.SeverityMedium, + Title: "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28", + Description: "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28. A patched version of the package is available.", + References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-5678"}, + }, + }, + { + Key: []string{"vulnerability-id", "CVE-2008-3914"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2021-39924"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2023-5678"}, + Value: map[string]interface{}{}, + }, + }, + }, + { + name: "happy path not applicable", + dir: filepath.Join("testdata", "not-applicable-definition"), + noBuckets: [][]string{ + {"advisory-detail"}, + {"vulnerability-id"}, + {"vulnerability-detail"}, + }, + }, + { + name: "sad path invalid objects", + dir: filepath.Join("testdata", "sad", "invalid-objects"), + wantErr: "failed to parse objects", + }, + { + name: "sad path invalid states", + dir: filepath.Join("testdata", "sad", "invalid-states"), + wantErr: "failed to parse states", + }, + { + name: "sad path invalid tests", + dir: filepath.Join("testdata", "sad", "invalid-tests"), + wantErr: "failed to parse tests", + }, + { + name: "sad path empty test ref definition", + dir: filepath.Join("testdata", "sad", "empty-testref-definition"), + wantErr: "", + }, + { + name: "sad path empty state ref tests", + dir: filepath.Join("testdata", "sad", "empty-stateref-tests"), + wantErr: "unable to follow test refs: invalid test, no state ref", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + vs := azure.NewMarinerVulnSrc() + vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{ + Dir: tt.dir, + WantValues: tt.wantValues, + WantErr: tt.wantErr, + NoBuckets: tt.noBuckets, + }) + }) + } +} + func TestVulnSrc_Update(t *testing.T) { tests := []struct { name string @@ -42,6 +183,32 @@ func TestVulnSrc_Update(t *testing.T) { FixedVersion: "0:2.16.1-1.azl3", }, }, + { + Key: []string{"vulnerability-detail", "CVE-2023-27534", "azure"}, + Value: types.VulnerabilityDetail{ + Severity: types.SeverityHigh, + Title: "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1", + Description: "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1. An upgraded version of the package is available that resolves this issue.", + References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-27534"}, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2018-1999023", "azure"}, + Value: types.VulnerabilityDetail{ + Severity: types.SeverityHigh, + Title: "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1", + Description: "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1. An upgraded version of the package is available that resolves this issue.", + References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2018-1999023"}, + }, + }, + { + Key: []string{"vulnerability-id", "CVE-2023-27534"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2018-1999023"}, + Value: map[string]interface{}{}, + }, }, }, } @@ -58,6 +225,67 @@ func TestVulnSrc_Update(t *testing.T) { } } +func TestMarinerVulnSrc_Get(t *testing.T) { + tests := []struct { + name string + release string + pkgName string + fixtures []string + want []types.Advisory + wantErr string + }{ + { + name: "happy path", + release: "1.0", + pkgName: "clamav", + fixtures: []string{"testdata/fixtures/happy.yaml"}, + want: []types.Advisory{ + { + VulnerabilityID: "CVE-2008-3914", + FixedVersion: "0:0.103.2-1.cm1", + }, + }, + }, + { + name: "happy path non fixed version", + release: "2.0", + pkgName: "bind", + fixtures: []string{"testdata/fixtures/happy.yaml"}, + want: []types.Advisory{ + { + VulnerabilityID: "CVE-2019-6470", + }, + }, + }, + { + name: "unknown package", + release: "2.0", + pkgName: "unknown-package", + fixtures: []string{"testdata/fixtures/happy.yaml"}, + want: []types.Advisory(nil), + }, + { + name: "broken bucket", + release: "1.0", + pkgName: "clamav", + fixtures: []string{"testdata/fixtures/broken.yaml"}, + wantErr: "failed to unmarshal advisory JSON", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + vs := azure.NewMarinerVulnSrc() + vulnsrctest.TestGet(t, vs, vulnsrctest.TestGetArgs{ + Fixtures: tt.fixtures, + WantValues: tt.want, + Release: tt.release, + PkgName: tt.pkgName, + WantErr: tt.wantErr, + }) + }) + } +} + func TestVulnSrc_Get(t *testing.T) { tests := []struct { name string @@ -67,6 +295,7 @@ func TestVulnSrc_Get(t *testing.T) { want []types.Advisory wantErr string }{ + { name: "happy path", release: "3.0", diff --git a/pkg/vulnsrc/azure/mariner.go b/pkg/vulnsrc/azure/mariner.go new file mode 100644 index 00000000..8866eabe --- /dev/null +++ b/pkg/vulnsrc/azure/mariner.go @@ -0,0 +1,22 @@ +package azure + +import ( + "path/filepath" + + "github.com/aquasecurity/trivy-db/pkg/db" + "github.com/aquasecurity/trivy-db/pkg/types" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" +) + +func NewMarinerVulnSrc() VulnSrc { + return VulnSrc{ + Dbc: db.Config{}, + AzureDir: filepath.Join("mariner"), + Source: types.DataSource{ + ID: vulnerability.CBLMariner, + Name: "CBL-Mariner Vulnerability Data", + URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", + }, + PlatformFormat: "CBL-Mariner %s", + } +} diff --git a/pkg/vulnsrc/mariner/oval/oval.go b/pkg/vulnsrc/azure/oval/oval.go similarity index 96% rename from pkg/vulnsrc/mariner/oval/oval.go rename to pkg/vulnsrc/azure/oval/oval.go index 17904cea..58078a16 100644 --- a/pkg/vulnsrc/mariner/oval/oval.go +++ b/pkg/vulnsrc/azure/oval/oval.go @@ -27,7 +27,7 @@ func ParseDefinitions(dir string) ([]Definition, error) { return nil }) if err != nil { - return nil, xerrors.Errorf("CBL-Mariner OVAL walk error: %w", err) + return nil, xerrors.Errorf("Azure Linux OVAL walk error: %w", err) } return defs, nil diff --git a/pkg/vulnsrc/mariner/oval/types.go b/pkg/vulnsrc/azure/oval/types.go similarity index 100% rename from pkg/vulnsrc/mariner/oval/types.go rename to pkg/vulnsrc/azure/oval/types.go diff --git a/pkg/vulnsrc/mariner/testdata/fixtures/broken.yaml b/pkg/vulnsrc/azure/testdata/fixtures/broken.yaml similarity index 100% rename from pkg/vulnsrc/mariner/testdata/fixtures/broken.yaml rename to pkg/vulnsrc/azure/testdata/fixtures/broken.yaml diff --git a/pkg/vulnsrc/azure/testdata/fixtures/happy.yaml b/pkg/vulnsrc/azure/testdata/fixtures/happy.yaml index 88b01a41..9d67cd41 100644 --- a/pkg/vulnsrc/azure/testdata/fixtures/happy.yaml +++ b/pkg/vulnsrc/azure/testdata/fixtures/happy.yaml @@ -1,3 +1,15 @@ +- bucket: CBL-Mariner 1.0 + pairs: + - bucket: clamav + pairs: + - key: CVE-2008-3914 + value: + FixedVersion: 0:0.103.2-1.cm1 +- bucket: CBL-Mariner 2.0 + pairs: + - bucket: bind + pairs: + - key: CVE-2019-6470 - bucket: Azure Linux 3.0 pairs: - bucket: ceph diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/definitions/2008/3173.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/definitions/2008/3173.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/definitions/2008/3173.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/definitions/2008/3173.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/objects/objects.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/objects/objects.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/objects/objects.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/states/states.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/states/states.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/states/states.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/states/states.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/tests/tests.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/tests/tests.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/1.0/tests/tests.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/tests/tests.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/definitions/2021/7412.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/definitions/2021/7412.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/definitions/2021/7412.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/definitions/2021/7412.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31872-1.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31872-1.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31872-1.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31872-1.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31880-1.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31880-1.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31880-1.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/definitions/2023/31880-1.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/objects/objects.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/objects/objects.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/objects/objects.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/states/states.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/states/states.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/states/states.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/states/states.json diff --git a/pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/tests/tests.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/tests/tests.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/happy/vuln-list/mariner/2.0/tests/tests.json rename to pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/tests/tests.json diff --git a/pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/definitions/2013/6640.json b/pkg/vulnsrc/azure/testdata/not-applicable-definition/vuln-list/mariner/2.0/definitions/2013/6640.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/definitions/2013/6640.json rename to pkg/vulnsrc/azure/testdata/not-applicable-definition/vuln-list/mariner/2.0/definitions/2013/6640.json diff --git a/pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/not-applicable-definition/vuln-list/mariner/2.0/objects/objects.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/objects/objects.json rename to pkg/vulnsrc/azure/testdata/not-applicable-definition/vuln-list/mariner/2.0/objects/objects.json diff --git a/pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/states/states.json b/pkg/vulnsrc/azure/testdata/not-applicable-definition/vuln-list/mariner/2.0/states/states.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/states/states.json rename to pkg/vulnsrc/azure/testdata/not-applicable-definition/vuln-list/mariner/2.0/states/states.json diff --git a/pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/tests/tests.json b/pkg/vulnsrc/azure/testdata/not-applicable-definition/vuln-list/mariner/2.0/tests/tests.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/not-applicable-definition/vuln-list/mariner/2.0/tests/tests.json rename to pkg/vulnsrc/azure/testdata/not-applicable-definition/vuln-list/mariner/2.0/tests/tests.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/definitions/2008/3173.json b/pkg/vulnsrc/azure/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/definitions/2008/3173.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/definitions/2008/3173.json rename to pkg/vulnsrc/azure/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/definitions/2008/3173.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/objects/objects.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/objects/objects.json rename to pkg/vulnsrc/azure/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/objects/objects.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/states/states.json b/pkg/vulnsrc/azure/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/states/states.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/states/states.json rename to pkg/vulnsrc/azure/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/states/states.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/tests/tests.json b/pkg/vulnsrc/azure/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/tests/tests.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/tests/tests.json rename to pkg/vulnsrc/azure/testdata/sad/empty-stateref-tests/vuln-list/mariner/1.0/tests/tests.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/definitions/2008/3173.json b/pkg/vulnsrc/azure/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/definitions/2008/3173.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/definitions/2008/3173.json rename to pkg/vulnsrc/azure/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/definitions/2008/3173.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/objects/objects.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/objects/objects.json rename to pkg/vulnsrc/azure/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/objects/objects.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/states/states.json b/pkg/vulnsrc/azure/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/states/states.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/states/states.json rename to pkg/vulnsrc/azure/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/states/states.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/tests/tests.json b/pkg/vulnsrc/azure/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/tests/tests.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/tests/tests.json rename to pkg/vulnsrc/azure/testdata/sad/empty-testref-definition/vuln-list/mariner/1.0/tests/tests.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/invalid-objects/vuln-list/mariner/1.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/sad/invalid-objects/vuln-list/mariner/1.0/objects/objects.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/invalid-objects/vuln-list/mariner/1.0/objects/objects.json rename to pkg/vulnsrc/azure/testdata/sad/invalid-objects/vuln-list/mariner/1.0/objects/objects.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/invalid-states/vuln-list/mariner/1.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/sad/invalid-states/vuln-list/mariner/1.0/objects/objects.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/invalid-states/vuln-list/mariner/1.0/objects/objects.json rename to pkg/vulnsrc/azure/testdata/sad/invalid-states/vuln-list/mariner/1.0/objects/objects.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/invalid-states/vuln-list/mariner/1.0/states/states.json b/pkg/vulnsrc/azure/testdata/sad/invalid-states/vuln-list/mariner/1.0/states/states.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/invalid-states/vuln-list/mariner/1.0/states/states.json rename to pkg/vulnsrc/azure/testdata/sad/invalid-states/vuln-list/mariner/1.0/states/states.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/invalid-tests/vuln-list/mariner/1.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/sad/invalid-tests/vuln-list/mariner/1.0/objects/objects.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/invalid-tests/vuln-list/mariner/1.0/objects/objects.json rename to pkg/vulnsrc/azure/testdata/sad/invalid-tests/vuln-list/mariner/1.0/objects/objects.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/invalid-tests/vuln-list/mariner/1.0/states/states.json b/pkg/vulnsrc/azure/testdata/sad/invalid-tests/vuln-list/mariner/1.0/states/states.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/invalid-tests/vuln-list/mariner/1.0/states/states.json rename to pkg/vulnsrc/azure/testdata/sad/invalid-tests/vuln-list/mariner/1.0/states/states.json diff --git a/pkg/vulnsrc/mariner/testdata/sad/invalid-tests/vuln-list/mariner/1.0/tests/tests.json b/pkg/vulnsrc/azure/testdata/sad/invalid-tests/vuln-list/mariner/1.0/tests/tests.json similarity index 100% rename from pkg/vulnsrc/mariner/testdata/sad/invalid-tests/vuln-list/mariner/1.0/tests/tests.json rename to pkg/vulnsrc/azure/testdata/sad/invalid-tests/vuln-list/mariner/1.0/tests/tests.json diff --git a/pkg/vulnsrc/mariner/types.go b/pkg/vulnsrc/azure/types.go similarity index 59% rename from pkg/vulnsrc/mariner/types.go rename to pkg/vulnsrc/azure/types.go index e3fe33c5..2b12c6ee 100644 --- a/pkg/vulnsrc/mariner/types.go +++ b/pkg/vulnsrc/azure/types.go @@ -1,6 +1,6 @@ -package mariner +package azure -import "github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval" +import "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval" type operator string diff --git a/pkg/vulnsrc/mariner/mariner.go b/pkg/vulnsrc/mariner/mariner.go deleted file mode 100644 index 59af7f57..00000000 --- a/pkg/vulnsrc/mariner/mariner.go +++ /dev/null @@ -1,248 +0,0 @@ -package mariner - -import ( - "fmt" - "log" - "os" - "path/filepath" - "strings" - - bolt "go.etcd.io/bbolt" - "golang.org/x/xerrors" - - "github.com/aquasecurity/trivy-db/pkg/db" - "github.com/aquasecurity/trivy-db/pkg/types" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" -) - -var ( - ErrNotSupported = xerrors.New("format not supported") -) - -type resolvedTest struct { - Name string - Version string - Operator operator -} - -type VulnSrc struct { - Dbc db.Operation - VulnListDir string - Source types.DataSource - PlatformFormat string -} - -func NewVulnSrc() VulnSrc { - return VulnSrc{ - Dbc: db.Config{}, - VulnListDir: filepath.Join("mariner"), - Source: types.DataSource{ - ID: vulnerability.CBLMariner, - Name: "CBL-Mariner Vulnerability Data", - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", - }, - PlatformFormat: "CBL-Mariner %s", - } -} - -func (vs VulnSrc) Name() types.SourceID { - return vs.Source.ID -} - -func (vs VulnSrc) Update(dir string) error { - rootDir := filepath.Join(dir, "vuln-list", vs.VulnListDir) - versions, err := os.ReadDir(rootDir) - if err != nil { - return xerrors.Errorf("unable to list directory entries (%s): %w", rootDir, err) - } - - for _, ver := range versions { - versionDir := filepath.Join(rootDir, ver.Name()) - entries, err := parseOVAL(filepath.Join(versionDir)) - if err != nil { - return xerrors.Errorf("failed to parse CBL-Mariner OVAL: %w ", err) - } - - if err = vs.save(ver.Name(), entries); err != nil { - return xerrors.Errorf("error in CBL-Mariner save: %w", err) - } - } - - return nil -} - -func parseOVAL(dir string) ([]Entry, error) { - log.Printf(" Parsing %s", dir) - - // Parse and resolve tests - tests, err := resolveTests(dir) - if err != nil { - return nil, xerrors.Errorf("failed to resolve tests: %w", err) - } - - defs, err := oval.ParseDefinitions(dir) - if err != nil { - return nil, xerrors.Errorf("failed to parse definitions: %w", err) - } - - return resolveDefinitions(defs, tests), nil -} - -func resolveDefinitions(defs []oval.Definition, tests map[string]resolvedTest) []Entry { - var entries []Entry - - for _, def := range defs { - test, ok := tests[def.Criteria.Criterion.TestRef] - if !ok { - continue - } - entry := Entry{ - PkgName: test.Name, - Version: test.Version, - Operator: test.Operator, - Metadata: def.Metadata, - } - - entries = append(entries, entry) - } - return entries -} - -const ( - lte operator = "less than or equal" - lt operator = "less than" -) - -func resolveTests(dir string) (map[string]resolvedTest, error) { - objects, err := oval.ParseObjects(dir) - if err != nil { - return nil, xerrors.Errorf("failed to parse objects: %w", err) - } - - states, err := oval.ParseStates(dir) - if err != nil { - return nil, xerrors.Errorf("failed to parse states: %w", err) - } - - tt, err := oval.ParseTests(dir) - if err != nil { - return nil, xerrors.Errorf("failed to parse tests: %w", err) - } - - tests := map[string]resolvedTest{} - for _, test := range tt.RpminfoTests { - // test directive has should be "at least one" - if test.Check != "at least one" { - continue - } - - t, err := followTestRefs(test, objects, states) - if err != nil { - return nil, xerrors.Errorf("unable to follow test refs: %w", err) - } - tests[test.ID] = t - } - - return tests, nil -} - -func followTestRefs(test oval.RpmInfoTest, objects map[string]string, states map[string]oval.RpmInfoState) (resolvedTest, error) { - // Follow object ref - if test.Object.ObjectRef == "" { - return resolvedTest{}, xerrors.New("invalid test, no object ref") - } - - pkgName, ok := objects[test.Object.ObjectRef] - if !ok { - return resolvedTest{}, xerrors.Errorf("invalid test data, can't find object ref: %s, test ref: %s", - test.Object.ObjectRef, test.ID) - } - - // Follow state ref - if test.State.StateRef == "" { - return resolvedTest{}, xerrors.New("invalid test, no state ref") - } - - state, ok := states[test.State.StateRef] - if !ok { - return resolvedTest{}, xerrors.Errorf("invalid tests data, can't find ovalstate ref %s, test ref: %s", - test.State.StateRef, test.ID) - } - - if state.Evr.Datatype != "evr_string" { - return resolvedTest{}, xerrors.Errorf("state data type (%s): %w", state.Evr.Datatype, ErrNotSupported) - } - - if state.Evr.Operation != string(lte) && state.Evr.Operation != string(lt) { - return resolvedTest{}, xerrors.Errorf("state operation (%s): %w", state.Evr.Operation, ErrNotSupported) - } - - return resolvedTest{ - Name: pkgName, - Version: state.Evr.Text, - Operator: operator(state.Evr.Operation), - }, nil -} - -func (vs VulnSrc) save(majorVer string, entries []Entry) error { - err := vs.Dbc.BatchUpdate(func(tx *bolt.Tx) error { - platformName := fmt.Sprintf(vs.PlatformFormat, majorVer) - if err := vs.Dbc.PutDataSource(tx, platformName, vs.Source); err != nil { - return xerrors.Errorf("failed to put data source: %w", err) - } - - if err := vs.commit(tx, platformName, entries); err != nil { - return xerrors.Errorf("CBL-Mariner %s commit error: %w", majorVer, err) - } - return nil - }) - if err != nil { - return xerrors.Errorf("error in db batch update: %w", err) - } - return nil -} - -func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) error { - for _, entry := range entries { - cveID := entry.Metadata.Reference.RefID - advisory := types.Advisory{} - - // Definition.Metadata.Patchable has a bool and "Not Applicable" string. - patchable := strings.ToLower(entry.Metadata.Patchable) - if patchable == "true" { - advisory.FixedVersion = entry.Version - } else if patchable == "not applicable" { - continue - } - - if err := vs.Dbc.PutAdvisoryDetail(tx, cveID, entry.PkgName, []string{platformName}, advisory); err != nil { - return xerrors.Errorf("failed to save CBL-Mariner advisory detail: %w", err) - } - - severity, _ := types.NewSeverity(strings.ToUpper(entry.Metadata.Severity)) - vuln := types.VulnerabilityDetail{ - Severity: severity, - Title: entry.Metadata.Title, - Description: entry.Metadata.Description, - References: []string{entry.Metadata.Reference.RefURL}, - } - if err := vs.Dbc.PutVulnerabilityDetail(tx, cveID, vs.Source.ID, vuln); err != nil { - return xerrors.Errorf("failed to save CBL-Mariner vulnerability detail: %w", err) - } - - if err := vs.Dbc.PutVulnerabilityID(tx, cveID); err != nil { - return xerrors.Errorf("failed to save the vulnerability ID: %w", err) - } - } - return nil -} - -func (vs VulnSrc) Get(release, pkgName string) ([]types.Advisory, error) { - bucket := fmt.Sprintf(vs.PlatformFormat, release) - advisories, err := vs.Dbc.GetAdvisories(bucket, pkgName) - if err != nil { - return nil, xerrors.Errorf("failed to get CBL-Marina advisories: %w", err) - } - return advisories, nil -} diff --git a/pkg/vulnsrc/mariner/mariner_test.go b/pkg/vulnsrc/mariner/mariner_test.go deleted file mode 100644 index eb978d7f..00000000 --- a/pkg/vulnsrc/mariner/mariner_test.go +++ /dev/null @@ -1,213 +0,0 @@ -package mariner_test - -import ( - "path/filepath" - "testing" - - "github.com/aquasecurity/trivy-db/pkg/types" - cbl "github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" - "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" -) - -func TestVulnSrc_Update(t *testing.T) { - tests := []struct { - name string - dir string - wantValues []vulnsrctest.WantValues - wantErr string - noBuckets [][]string - }{ - { - name: "happy path", - dir: filepath.Join("testdata", "happy"), - wantValues: []vulnsrctest.WantValues{ - { - Key: []string{"data-source", "CBL-Mariner 1.0"}, - Value: types.DataSource{ - ID: vulnerability.CBLMariner, - Name: "CBL-Mariner Vulnerability Data", - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", - }, - }, - { - Key: []string{"data-source", "CBL-Mariner 2.0"}, - Value: types.DataSource{ - ID: vulnerability.CBLMariner, - Name: "CBL-Mariner Vulnerability Data", - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2008-3914", "CBL-Mariner 1.0", "clamav"}, - Value: types.Advisory{ - FixedVersion: "0:0.103.2-1.cm1", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2021-39924", "CBL-Mariner 2.0", "wireshark"}, - Value: types.Advisory{ - FixedVersion: "", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2023-5678", "CBL-Mariner 2.0", "openssl"}, - Value: types.Advisory{ - FixedVersion: "0:1.1.1k-28.cm2", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2023-5678", "CBL-Mariner 2.0", "edk2"}, - Value: types.Advisory{ - FixedVersion: "0:20230301gitf80f052277c8-38.cm2", - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2008-3914", "cbl-mariner"}, - Value: types.VulnerabilityDetail{ - Severity: types.SeverityCritical, - Title: "CVE-2008-3914 affecting package clamav 0.101.2", - Description: "CVE-2008-3914 affecting package clamav 0.101.2. An upgraded version of the package is available that resolves this issue.", - References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2008-3914"}, - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2021-39924", "cbl-mariner"}, - Value: types.VulnerabilityDetail{ - Severity: types.SeverityHigh, - Title: "CVE-2021-39924 affecting package wireshark 3.4.4", - Description: "CVE-2021-39924 affecting package wireshark 3.4.4. No patch is available currently.", - References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2021-39924"}, - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2023-5678", "cbl-mariner"}, - Value: types.VulnerabilityDetail{ - Severity: types.SeverityMedium, - Title: "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28", - Description: "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28. A patched version of the package is available.", - References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-5678"}, - }, - }, - { - Key: []string{"vulnerability-id", "CVE-2008-3914"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2021-39924"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2023-5678"}, - Value: map[string]interface{}{}, - }, - }, - }, - { - name: "happy path not applicable", - dir: filepath.Join("testdata", "not-applicable-definition"), - noBuckets: [][]string{ - {"advisory-detail"}, - {"vulnerability-id"}, - {"vulnerability-detail"}, - }, - }, - { - name: "sad path invalid objects", - dir: filepath.Join("testdata", "sad", "invalid-objects"), - wantErr: "failed to parse objects", - }, - { - name: "sad path invalid states", - dir: filepath.Join("testdata", "sad", "invalid-states"), - wantErr: "failed to parse states", - }, - { - name: "sad path invalid tests", - dir: filepath.Join("testdata", "sad", "invalid-tests"), - wantErr: "failed to parse tests", - }, - { - name: "sad path empty test ref definition", - dir: filepath.Join("testdata", "sad", "empty-testref-definition"), - wantErr: "", - }, - { - name: "sad path empty state ref tests", - dir: filepath.Join("testdata", "sad", "empty-stateref-tests"), - wantErr: "unable to follow test refs: invalid test, no state ref", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - vs := cbl.NewVulnSrc() - vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{ - Dir: tt.dir, - WantValues: tt.wantValues, - WantErr: tt.wantErr, - NoBuckets: tt.noBuckets, - }) - }) - } -} - -func TestVulnSrc_Get(t *testing.T) { - tests := []struct { - name string - release string - pkgName string - fixtures []string - want []types.Advisory - wantErr string - }{ - { - name: "happy path", - release: "1.0", - pkgName: "clamav", - fixtures: []string{"testdata/fixtures/happy.yaml"}, - want: []types.Advisory{ - { - VulnerabilityID: "CVE-2008-3914", - FixedVersion: "0:0.103.2-1.cm1", - }, - }, - }, - { - name: "happy path non fixed version", - release: "2.0", - pkgName: "bind", - fixtures: []string{"testdata/fixtures/happy.yaml"}, - want: []types.Advisory{ - { - VulnerabilityID: "CVE-2019-6470", - }, - }, - }, - { - name: "unknown package", - release: "2.0", - pkgName: "unknown-package", - fixtures: []string{"testdata/fixtures/happy.yaml"}, - want: []types.Advisory(nil), - }, - { - name: "broken bucket", - release: "1.0", - pkgName: "clamav", - fixtures: []string{"testdata/fixtures/broken.yaml"}, - wantErr: "failed to unmarshal advisory JSON", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - vs := cbl.NewVulnSrc() - vulnsrctest.TestGet(t, vs, vulnsrctest.TestGetArgs{ - Fixtures: tt.fixtures, - WantValues: tt.want, - Release: tt.release, - PkgName: tt.pkgName, - WantErr: tt.wantErr, - }) - }) - } -} diff --git a/pkg/vulnsrc/mariner/testdata/fixtures/happy.yaml b/pkg/vulnsrc/mariner/testdata/fixtures/happy.yaml deleted file mode 100644 index 3c2693b4..00000000 --- a/pkg/vulnsrc/mariner/testdata/fixtures/happy.yaml +++ /dev/null @@ -1,12 +0,0 @@ -- bucket: CBL-Mariner 1.0 - pairs: - - bucket: clamav - pairs: - - key: CVE-2008-3914 - value: - FixedVersion: 0:0.103.2-1.cm1 -- bucket: CBL-Mariner 2.0 - pairs: - - bucket: bind - pairs: - - key: CVE-2019-6470 diff --git a/pkg/vulnsrc/vulnsrc.go b/pkg/vulnsrc/vulnsrc.go index 8a27c531..b941ee5e 100644 --- a/pkg/vulnsrc/vulnsrc.go +++ b/pkg/vulnsrc/vulnsrc.go @@ -5,6 +5,7 @@ import ( "github.com/aquasecurity/trivy-db/pkg/vulnsrc/alma" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/amazon" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/bitnami" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/bundler" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/chainguard" @@ -14,7 +15,6 @@ import ( "github.com/aquasecurity/trivy-db/pkg/vulnsrc/glad" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/govulndb" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/k8svulndb" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/node" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/nvd" oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval" @@ -51,7 +51,8 @@ var ( susecvrf.NewVulnSrc(susecvrf.SUSEEnterpriseLinux), susecvrf.NewVulnSrc(susecvrf.OpenSUSE), photon.NewVulnSrc(), - mariner.NewVulnSrc(), + azure.NewVulnSrc(), + azure.NewMarinerVulnSrc(), wolfi.NewVulnSrc(), chainguard.NewVulnSrc(), bitnami.NewVulnSrc(), From f8c2bb0fcd9e0709f3afbd125221fa39ef47f116 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 16 Jul 2024 09:15:08 +0600 Subject: [PATCH 3/4] refactor: merge azure and mariner into one file --- pkg/vulnsrc/azure/azure.go | 86 ++++++--- pkg/vulnsrc/azure/azure_test.go | 321 ++++++++++++++++++-------------- pkg/vulnsrc/azure/mariner.go | 22 --- 3 files changed, 244 insertions(+), 185 deletions(-) delete mode 100644 pkg/vulnsrc/azure/mariner.go diff --git a/pkg/vulnsrc/azure/azure.go b/pkg/vulnsrc/azure/azure.go index 21d31ec3..fc499d43 100644 --- a/pkg/vulnsrc/azure/azure.go +++ b/pkg/vulnsrc/azure/azure.go @@ -16,8 +16,33 @@ import ( "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" ) +type Distribution int + +const ( + Azure Distribution = iota + Mariner + + azureDir = "azure" + azurePlatformFormat = "Azure Linux %s" + + marinerDir = "mariner" + marinerPlatformFormat = "CBL-Mariner %s" +) + var ( ErrNotSupported = xerrors.New("format not supported") + + azureSource = types.DataSource{ + ID: vulnerability.AzureLinux, + Name: "Azure Linux Vulnerability Data", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", + } + + marinerSource = types.DataSource{ + ID: vulnerability.CBLMariner, + Name: "CBL-Mariner Vulnerability Data", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", + } ) type resolvedTest struct { @@ -27,31 +52,44 @@ type resolvedTest struct { } type VulnSrc struct { - Dbc db.Operation - AzureDir string - Source types.DataSource - PlatformFormat string + dbc db.Operation + azureDir string + source types.DataSource + platformFormat string +} + +func NewVulnSrc(dist Distribution) VulnSrc { + vulnSrc := azureVulnSrc() + if dist == Mariner { + vulnSrc = marinerVulnSrc() + } + return vulnSrc +} + +func azureVulnSrc() VulnSrc { + return VulnSrc{ + dbc: db.Config{}, + azureDir: azureDir, + source: azureSource, + platformFormat: azurePlatformFormat, + } } -func NewVulnSrc() VulnSrc { +func marinerVulnSrc() VulnSrc { return VulnSrc{ - Dbc: db.Config{}, - AzureDir: filepath.Join("azure"), - Source: types.DataSource{ - ID: vulnerability.AzureLinux, - Name: "Azure Linux Vulnerability Data", - URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", - }, - PlatformFormat: "Azure Linux %s", + dbc: db.Config{}, + azureDir: marinerDir, + source: marinerSource, + platformFormat: marinerPlatformFormat, } } func (vs VulnSrc) Name() types.SourceID { - return vs.Source.ID + return vs.source.ID } func (vs VulnSrc) Update(dir string) error { - rootDir := filepath.Join(dir, "vuln-list", vs.AzureDir) + rootDir := filepath.Join(dir, "vuln-list", vs.azureDir) versions, err := os.ReadDir(rootDir) if err != nil { return xerrors.Errorf("unable to list directory entries (%s): %w", rootDir, err) @@ -186,9 +224,9 @@ func followTestRefs(test oval.RpmInfoTest, objects map[string]string, states map } func (vs VulnSrc) save(majorVer string, entries []Entry) error { - err := vs.Dbc.BatchUpdate(func(tx *bolt.Tx) error { - platformName := fmt.Sprintf(vs.PlatformFormat, majorVer) - if err := vs.Dbc.PutDataSource(tx, platformName, vs.Source); err != nil { + err := vs.dbc.BatchUpdate(func(tx *bolt.Tx) error { + platformName := fmt.Sprintf(vs.platformFormat, majorVer) + if err := vs.dbc.PutDataSource(tx, platformName, vs.source); err != nil { return xerrors.Errorf("failed to put data source: %w", err) } @@ -216,7 +254,7 @@ func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) erro continue } - if err := vs.Dbc.PutAdvisoryDetail(tx, cveID, entry.PkgName, []string{platformName}, advisory); err != nil { + if err := vs.dbc.PutAdvisoryDetail(tx, cveID, entry.PkgName, []string{platformName}, advisory); err != nil { return xerrors.Errorf("failed to save %s advisory detail: %w", platformName, err) } @@ -227,11 +265,11 @@ func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) erro Description: entry.Metadata.Description, References: []string{entry.Metadata.Reference.RefURL}, } - if err := vs.Dbc.PutVulnerabilityDetail(tx, cveID, vs.Source.ID, vuln); err != nil { + if err := vs.dbc.PutVulnerabilityDetail(tx, cveID, vs.source.ID, vuln); err != nil { return xerrors.Errorf("failed to save %s vulnerability detail: %w", platformName, err) } - if err := vs.Dbc.PutVulnerabilityID(tx, cveID); err != nil { + if err := vs.dbc.PutVulnerabilityID(tx, cveID); err != nil { return xerrors.Errorf("failed to save the vulnerability ID: %w", err) } } @@ -239,10 +277,10 @@ func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) erro } func (vs VulnSrc) Get(release, pkgName string) ([]types.Advisory, error) { - bucket := fmt.Sprintf(vs.PlatformFormat, release) - advisories, err := vs.Dbc.GetAdvisories(bucket, pkgName) + bucket := fmt.Sprintf(vs.platformFormat, release) + advisories, err := vs.dbc.GetAdvisories(bucket, pkgName) if err != nil { - return nil, xerrors.Errorf("failed to get %s advisories: %w", bucket, err) + return nil, xerrors.Errorf("failed to get %s advisories: %w", bucket, vs.source.ID, err) } return advisories, nil } diff --git a/pkg/vulnsrc/azure/azure_test.go b/pkg/vulnsrc/azure/azure_test.go index 0630d9f7..f0a8bbc7 100644 --- a/pkg/vulnsrc/azure/azure_test.go +++ b/pkg/vulnsrc/azure/azure_test.go @@ -10,60 +10,172 @@ import ( "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" ) -func TestMarinerVulnSrc_Update(t *testing.T) { +func TestVulnSrc_Update(t *testing.T) { tests := []struct { name string dir string + dist azure.Distribution wantValues []vulnsrctest.WantValues wantErr string noBuckets [][]string }{ { - name: "happy path", + name: "happy path azure", + dist: azure.Azure, dir: filepath.Join("testdata", "happy"), wantValues: []vulnsrctest.WantValues{ { - Key: []string{"data-source", "CBL-Mariner 1.0"}, + Key: []string{ + "data-source", + "Azure Linux 3.0", + }, + Value: types.DataSource{ + ID: vulnerability.AzureLinux, + Name: "Azure Linux Vulnerability Data", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", + }, + }, + { + Key: []string{ + "advisory-detail", + "CVE-2018-1999023", + "Azure Linux 3.0", + "ceph", + }, + Value: types.Advisory{ + FixedVersion: "0:18.2.1-1.azl3", + }, + }, + { + Key: []string{ + "advisory-detail", + "CVE-2023-27534", + "Azure Linux 3.0", + "tensorflow", + }, + Value: types.Advisory{ + FixedVersion: "0:2.16.1-1.azl3", + }, + }, + { + Key: []string{ + "vulnerability-detail", + "CVE-2023-27534", + "azure", + }, + Value: types.VulnerabilityDetail{ + Severity: types.SeverityHigh, + Title: "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1", + Description: "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1. An upgraded version of the package is available that resolves this issue.", + References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-27534"}, + }, + }, + { + Key: []string{ + "vulnerability-detail", + "CVE-2018-1999023", + "azure", + }, + Value: types.VulnerabilityDetail{ + Severity: types.SeverityHigh, + Title: "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1", + Description: "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1. An upgraded version of the package is available that resolves this issue.", + References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2018-1999023"}, + }, + }, + { + Key: []string{ + "vulnerability-id", + "CVE-2023-27534", + }, + Value: map[string]interface{}{}, + }, + { + Key: []string{ + "vulnerability-id", + "CVE-2018-1999023", + }, + Value: map[string]interface{}{}, + }, + }, + }, + { + name: "happy path mariner", + dir: filepath.Join("testdata", "happy"), + dist: azure.Mariner, + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{ + "data-source", + "CBL-Mariner 1.0", + }, Value: types.DataSource{ ID: vulnerability.CBLMariner, Name: "CBL-Mariner Vulnerability Data", - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", }, }, { - Key: []string{"data-source", "CBL-Mariner 2.0"}, + Key: []string{ + "data-source", + "CBL-Mariner 2.0", + }, Value: types.DataSource{ ID: vulnerability.CBLMariner, Name: "CBL-Mariner Vulnerability Data", - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", }, }, { - Key: []string{"advisory-detail", "CVE-2008-3914", "CBL-Mariner 1.0", "clamav"}, + Key: []string{ + "advisory-detail", + "CVE-2008-3914", + "CBL-Mariner 1.0", + "clamav", + }, Value: types.Advisory{ FixedVersion: "0:0.103.2-1.cm1", }, }, { - Key: []string{"advisory-detail", "CVE-2021-39924", "CBL-Mariner 2.0", "wireshark"}, + Key: []string{ + "advisory-detail", + "CVE-2021-39924", + "CBL-Mariner 2.0", + "wireshark", + }, Value: types.Advisory{ FixedVersion: "", }, }, { - Key: []string{"advisory-detail", "CVE-2023-5678", "CBL-Mariner 2.0", "openssl"}, + Key: []string{ + "advisory-detail", + "CVE-2023-5678", + "CBL-Mariner 2.0", + "openssl", + }, Value: types.Advisory{ FixedVersion: "0:1.1.1k-28.cm2", }, }, { - Key: []string{"advisory-detail", "CVE-2023-5678", "CBL-Mariner 2.0", "edk2"}, + Key: []string{ + "advisory-detail", + "CVE-2023-5678", + "CBL-Mariner 2.0", + "edk2", + }, Value: types.Advisory{ FixedVersion: "0:20230301gitf80f052277c8-38.cm2", }, }, { - Key: []string{"vulnerability-detail", "CVE-2008-3914", "cbl-mariner"}, + Key: []string{ + "vulnerability-detail", + "CVE-2008-3914", + "cbl-mariner", + }, Value: types.VulnerabilityDetail{ Severity: types.SeverityCritical, Title: "CVE-2008-3914 affecting package clamav 0.101.2", @@ -72,7 +184,11 @@ func TestMarinerVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"vulnerability-detail", "CVE-2021-39924", "cbl-mariner"}, + Key: []string{ + "vulnerability-detail", + "CVE-2021-39924", + "cbl-mariner", + }, Value: types.VulnerabilityDetail{ Severity: types.SeverityHigh, Title: "CVE-2021-39924 affecting package wireshark 3.4.4", @@ -81,7 +197,11 @@ func TestMarinerVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"vulnerability-detail", "CVE-2023-5678", "cbl-mariner"}, + Key: []string{ + "vulnerability-detail", + "CVE-2023-5678", + "cbl-mariner", + }, Value: types.VulnerabilityDetail{ Severity: types.SeverityMedium, Title: "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28", @@ -90,21 +210,31 @@ func TestMarinerVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"vulnerability-id", "CVE-2008-3914"}, + Key: []string{ + "vulnerability-id", + "CVE-2008-3914", + }, Value: map[string]interface{}{}, }, { - Key: []string{"vulnerability-id", "CVE-2021-39924"}, + Key: []string{ + "vulnerability-id", + "CVE-2021-39924", + }, Value: map[string]interface{}{}, }, { - Key: []string{"vulnerability-id", "CVE-2023-5678"}, + Key: []string{ + "vulnerability-id", + "CVE-2023-5678", + }, Value: map[string]interface{}{}, }, }, }, { name: "happy path not applicable", + dist: azure.Mariner, dir: filepath.Join("testdata", "not-applicable-definition"), noBuckets: [][]string{ {"advisory-detail"}, @@ -114,107 +244,38 @@ func TestMarinerVulnSrc_Update(t *testing.T) { }, { name: "sad path invalid objects", + dist: azure.Mariner, dir: filepath.Join("testdata", "sad", "invalid-objects"), wantErr: "failed to parse objects", }, { name: "sad path invalid states", + dist: azure.Mariner, dir: filepath.Join("testdata", "sad", "invalid-states"), wantErr: "failed to parse states", }, { name: "sad path invalid tests", + dist: azure.Mariner, dir: filepath.Join("testdata", "sad", "invalid-tests"), wantErr: "failed to parse tests", }, { name: "sad path empty test ref definition", + dist: azure.Mariner, dir: filepath.Join("testdata", "sad", "empty-testref-definition"), wantErr: "", }, { name: "sad path empty state ref tests", + dist: azure.Mariner, dir: filepath.Join("testdata", "sad", "empty-stateref-tests"), wantErr: "unable to follow test refs: invalid test, no state ref", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - vs := azure.NewMarinerVulnSrc() - vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{ - Dir: tt.dir, - WantValues: tt.wantValues, - WantErr: tt.wantErr, - NoBuckets: tt.noBuckets, - }) - }) - } -} - -func TestVulnSrc_Update(t *testing.T) { - tests := []struct { - name string - dir string - wantValues []vulnsrctest.WantValues - wantErr string - noBuckets [][]string - }{ - { - name: "happy path", - dir: filepath.Join("testdata", "happy"), - wantValues: []vulnsrctest.WantValues{ - { - Key: []string{"data-source", "Azure Linux 3.0"}, - Value: types.DataSource{ - ID: vulnerability.AzureLinux, - Name: "Azure Linux Vulnerability Data", - URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2018-1999023", "Azure Linux 3.0", "ceph"}, - Value: types.Advisory{ - FixedVersion: "0:18.2.1-1.azl3", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2023-27534", "Azure Linux 3.0", "tensorflow"}, - Value: types.Advisory{ - FixedVersion: "0:2.16.1-1.azl3", - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2023-27534", "azure"}, - Value: types.VulnerabilityDetail{ - Severity: types.SeverityHigh, - Title: "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1", - Description: "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1. An upgraded version of the package is available that resolves this issue.", - References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-27534"}, - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2018-1999023", "azure"}, - Value: types.VulnerabilityDetail{ - Severity: types.SeverityHigh, - Title: "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1", - Description: "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1. An upgraded version of the package is available that resolves this issue.", - References: []string{"https://nvd.nist.gov/vuln/detail/CVE-2018-1999023"}, - }, - }, - { - Key: []string{"vulnerability-id", "CVE-2023-27534"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2018-1999023"}, - Value: map[string]interface{}{}, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - vs := azure.NewVulnSrc() + vs := azure.NewVulnSrc(tt.dist) vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{ Dir: tt.dir, WantValues: tt.wantValues, @@ -225,9 +286,10 @@ func TestVulnSrc_Update(t *testing.T) { } } -func TestMarinerVulnSrc_Get(t *testing.T) { +func TestVulnSrc_Get(t *testing.T) { tests := []struct { name string + dist azure.Distribution release string pkgName string fixtures []string @@ -235,7 +297,21 @@ func TestMarinerVulnSrc_Get(t *testing.T) { wantErr string }{ { - name: "happy path", + name: "happy path azure 3.0", + dist: azure.Azure, + release: "3.0", + pkgName: "ceph", + fixtures: []string{"testdata/fixtures/happy.yaml"}, + want: []types.Advisory{ + { + VulnerabilityID: "CVE-2018-1999023", + FixedVersion: "0:18.2.1-1.azl3", + }, + }, + }, + { + name: "happy path mariner", + dist: azure.Mariner, release: "1.0", pkgName: "clamav", fixtures: []string{"testdata/fixtures/happy.yaml"}, @@ -248,6 +324,7 @@ func TestMarinerVulnSrc_Get(t *testing.T) { }, { name: "happy path non fixed version", + dist: azure.Mariner, release: "2.0", pkgName: "bind", fixtures: []string{"testdata/fixtures/happy.yaml"}, @@ -258,14 +335,24 @@ func TestMarinerVulnSrc_Get(t *testing.T) { }, }, { - name: "unknown package", + name: "unknown mariner package", + dist: azure.Mariner, release: "2.0", pkgName: "unknown-package", fixtures: []string{"testdata/fixtures/happy.yaml"}, want: []types.Advisory(nil), }, + { + name: "unknown azure package", + dist: azure.Azure, + release: "3.0", + pkgName: "unknown-package", + fixtures: []string{"testdata/fixtures/happy.yaml"}, + want: []types.Advisory(nil), + }, { name: "broken bucket", + dist: azure.Mariner, release: "1.0", pkgName: "clamav", fixtures: []string{"testdata/fixtures/broken.yaml"}, @@ -274,51 +361,7 @@ func TestMarinerVulnSrc_Get(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - vs := azure.NewMarinerVulnSrc() - vulnsrctest.TestGet(t, vs, vulnsrctest.TestGetArgs{ - Fixtures: tt.fixtures, - WantValues: tt.want, - Release: tt.release, - PkgName: tt.pkgName, - WantErr: tt.wantErr, - }) - }) - } -} - -func TestVulnSrc_Get(t *testing.T) { - tests := []struct { - name string - release string - pkgName string - fixtures []string - want []types.Advisory - wantErr string - }{ - - { - name: "happy path", - release: "3.0", - pkgName: "ceph", - fixtures: []string{"testdata/fixtures/happy.yaml"}, - want: []types.Advisory{ - { - VulnerabilityID: "CVE-2018-1999023", - FixedVersion: "0:18.2.1-1.azl3", - }, - }, - }, - { - name: "unknown package", - release: "3.0", - pkgName: "unknown-package", - fixtures: []string{"testdata/fixtures/happy.yaml"}, - want: []types.Advisory(nil), - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - vs := azure.NewVulnSrc() + vs := azure.NewVulnSrc(tt.dist) vulnsrctest.TestGet(t, vs, vulnsrctest.TestGetArgs{ Fixtures: tt.fixtures, WantValues: tt.want, diff --git a/pkg/vulnsrc/azure/mariner.go b/pkg/vulnsrc/azure/mariner.go deleted file mode 100644 index 8866eabe..00000000 --- a/pkg/vulnsrc/azure/mariner.go +++ /dev/null @@ -1,22 +0,0 @@ -package azure - -import ( - "path/filepath" - - "github.com/aquasecurity/trivy-db/pkg/db" - "github.com/aquasecurity/trivy-db/pkg/types" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" -) - -func NewMarinerVulnSrc() VulnSrc { - return VulnSrc{ - Dbc: db.Config{}, - AzureDir: filepath.Join("mariner"), - Source: types.DataSource{ - ID: vulnerability.CBLMariner, - Name: "CBL-Mariner Vulnerability Data", - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData", - }, - PlatformFormat: "CBL-Mariner %s", - } -} From 4df8cffab01ad198c1863fee096f5a4946e1e19d Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 16 Jul 2024 09:35:04 +0600 Subject: [PATCH 4/4] fix: linter errors --- pkg/vulnsrc/azure/azure.go | 2 +- pkg/vulnsrc/vulnsrc.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/vulnsrc/azure/azure.go b/pkg/vulnsrc/azure/azure.go index fc499d43..09b5c8a7 100644 --- a/pkg/vulnsrc/azure/azure.go +++ b/pkg/vulnsrc/azure/azure.go @@ -280,7 +280,7 @@ func (vs VulnSrc) Get(release, pkgName string) ([]types.Advisory, error) { bucket := fmt.Sprintf(vs.platformFormat, release) advisories, err := vs.dbc.GetAdvisories(bucket, pkgName) if err != nil { - return nil, xerrors.Errorf("failed to get %s advisories: %w", bucket, vs.source.ID, err) + return nil, xerrors.Errorf("failed to get %s advisories: %w", bucket, err) } return advisories, nil } diff --git a/pkg/vulnsrc/vulnsrc.go b/pkg/vulnsrc/vulnsrc.go index b941ee5e..eafb82c1 100644 --- a/pkg/vulnsrc/vulnsrc.go +++ b/pkg/vulnsrc/vulnsrc.go @@ -51,8 +51,8 @@ var ( susecvrf.NewVulnSrc(susecvrf.SUSEEnterpriseLinux), susecvrf.NewVulnSrc(susecvrf.OpenSUSE), photon.NewVulnSrc(), - azure.NewVulnSrc(), - azure.NewMarinerVulnSrc(), + azure.NewVulnSrc(azure.Azure), + azure.NewVulnSrc(azure.Mariner), wolfi.NewVulnSrc(), chainguard.NewVulnSrc(), bitnami.NewVulnSrc(),