From 2c0c83730b46a447436321f19161d19e5f99ec03 Mon Sep 17 00:00:00 2001 From: thatipelli santhosh Date: Tue, 5 Nov 2024 15:26:34 +0530 Subject: [PATCH] Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details 1. It addresses an issue with programming language vulnerabilities by ensuring that the custom information is sent, which was previously causing a bug on the Aqua side. 2. For the SBOM, it adds the package maintainer details to the results, allowing to show this information. --- ...fluentd-multiple-lockfiles.cdx.json.golden | 527 ++++++++++++++---- pkg/detector/library/driver.go | 1 + pkg/detector/library/driver_test.go | 26 + .../testdata/fixtures/data-source.yaml | 5 + .../testdata/fixtures/go-custom-data.yaml | 18 + pkg/rpc/convert.go | 2 + pkg/rpc/convert_test.go | 72 +++ rpc/common/service.pb.go | 14 +- rpc/common/service.proto | 1 + 9 files changed, 558 insertions(+), 108 deletions(-) create mode 100644 pkg/detector/library/testdata/fixtures/go-custom-data.yaml diff --git a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden index 9f23585a01da..3afc57682556 100644 --- a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden +++ b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden @@ -111,7 +111,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.118" } - ] + ], + "supplier": { + "name": "Debian Adduser Developers " + } }, { "bom-ref": "pkg:deb/debian/apt@1.8.2?arch=amd64&distro=debian-10.2", @@ -156,7 +159,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.8.2" } - ] + ], + "supplier": { + "name": "APT Development Team " + } }, { "bom-ref": "pkg:deb/debian/base-files@10.3%2Bdeb10u2?arch=amd64&distro=debian-10.2", 
@@ -196,7 +202,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "10.3+deb10u2" } - ] + ], + "supplier": { + "name": "Santiago Vila " + } }, { "bom-ref": "pkg:deb/debian/base-passwd@3.5.46?arch=amd64&distro=debian-10.2", @@ -241,7 +250,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.5.46" } - ] + ], + "supplier": { + "name": "Colin Watson " + } }, { "bom-ref": "pkg:deb/debian/bash@5.0-4?arch=amd64&distro=debian-10.2", @@ -285,7 +297,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "5.0" } - ] + ], + "supplier": { + "name": "Matthias Klose " + } }, { "bom-ref": "pkg:deb/debian/bsdutils@2.33.1-0.1?arch=amd64&distro=debian-10.2&epoch=1", @@ -399,7 +414,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/ca-certificates@20190110?arch=all&distro=debian-10.2", @@ -449,7 +467,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "20190110" } - ] + ], + "supplier": { + "name": "Michael Shuler " + } }, { "bom-ref": "pkg:deb/debian/coreutils@8.30-3?arch=amd64&distro=debian-10.2", @@ -493,7 +514,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "8.30" } - ] + ], + "supplier": { + "name": "Michael Stone " + } }, { "bom-ref": "pkg:deb/debian/dash@0.5.10.2-5?arch=amd64&distro=debian-10.2", @@ -537,7 +561,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "0.5.10.2" } - ] + ], + "supplier": { + "name": "Andrej Shadura " + } }, { "bom-ref": "pkg:deb/debian/debconf@1.5.71?arch=all&distro=debian-10.2", @@ -577,7 +604,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.5.71" } - ] + ], + "supplier": { + "name": "Debconf Developers " + } }, { "bom-ref": "pkg:deb/debian/debian-archive-keyring@2019.1?arch=all&distro=debian-10.2", 
@@ -617,7 +647,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2019.1" } - ] + ], + "supplier": { + "name": "Debian Release Team " + } }, { "bom-ref": "pkg:deb/debian/debianutils@4.8.6.1?arch=amd64&distro=debian-10.2", @@ -657,7 +690,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "4.8.6.1" } - ] + ], + "supplier": { + "name": "Clint Adams " + } }, { "bom-ref": "pkg:deb/debian/diffutils@3.7-3?arch=amd64&distro=debian-10.2&epoch=1", @@ -710,7 +746,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.7" } - ] + ], + "supplier": { + "name": "Santiago Vila " + } }, { "bom-ref": "pkg:deb/debian/dpkg@1.19.7?arch=amd64&distro=debian-10.2", @@ -770,7 +809,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.19.7" } - ] + ], + "supplier": { + "name": "Dpkg Developers " + } }, { "bom-ref": "pkg:deb/debian/e2fsprogs@1.44.5-1%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -819,7 +861,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.44.5" } - ] + ], + "supplier": { + "name": "Theodore Y. Ts'o " + } }, { "bom-ref": "pkg:deb/debian/fdisk@2.33.1-0.1?arch=amd64&distro=debian-10.2", @@ -933,7 +978,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/findutils@4.6.0%2Bgit%2B20190209-2?arch=amd64&distro=debian-10.2", @@ -982,7 +1030,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "4.6.0+git+20190209" } - ] + ], + "supplier": { + "name": "Andreas Metzler " + } }, { "bom-ref": "pkg:deb/debian/gcc-8-base@8.3.0-6?arch=amd64&distro=debian-10.2", @@ -1051,7 +1102,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "8.3.0" } - ] + ], + "supplier": { + "name": "Debian GCC Maintainers " + } }, { "bom-ref": "pkg:deb/debian/gpgv@2.2.12-1%2Bdeb10u1?arch=amd64&distro=debian-10.2", 
@@ -1150,7 +1204,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.2.12" } - ] + ], + "supplier": { + "name": "Debian GnuPG Maintainers " + } }, { "bom-ref": "pkg:deb/debian/grep@3.3-1?arch=amd64&distro=debian-10.2", @@ -1199,7 +1256,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.3" } - ] + ], + "supplier": { + "name": "Anibal Monsalve Salazar " + } }, { "bom-ref": "pkg:deb/debian/gzip@1.9-3?arch=amd64&distro=debian-10.2", @@ -1243,7 +1303,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.9" } - ] + ], + "supplier": { + "name": "Bdale Garbee " + } }, { "bom-ref": "pkg:deb/debian/hostname@3.21?arch=amd64&distro=debian-10.2", @@ -1283,7 +1346,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.21" } - ] + ], + "supplier": { + "name": "Michael Meskes " + } }, { "bom-ref": "pkg:deb/debian/init-system-helpers@1.56%2Bnmu1?arch=all&distro=debian-10.2", @@ -1333,7 +1399,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.56+nmu1" } - ] + ], + "supplier": { + "name": "Debian systemd Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libacl1@2.2.53-4?arch=amd64&distro=debian-10.2", @@ -1392,7 +1461,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.2.53" } - ] + ], + "supplier": { + "name": "Guillem Jover " + } }, { "bom-ref": "pkg:deb/debian/libapt-pkg5.0@1.8.2?arch=amd64&distro=debian-10.2", @@ -1437,7 +1509,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.8.2" } - ] + ], + "supplier": { + "name": "APT Development Team " + } }, { "bom-ref": "pkg:deb/debian/libattr1@2.4.48-4?arch=amd64&distro=debian-10.2&epoch=1", @@ -1500,7 +1575,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.4.48" } - ] + ], + "supplier": { + "name": "Guillem Jover " + } }, { "bom-ref": "pkg:deb/debian/libaudit-common@2.8.4-3?arch=all&distro=debian-10.2&epoch=1", 
@@ -1558,7 +1636,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.8.4" } - ] + ], + "supplier": { + "name": "Laurent Bigonville " + } }, { "bom-ref": "pkg:deb/debian/libaudit1@2.8.4-3?arch=amd64&distro=debian-10.2&epoch=1", @@ -1616,7 +1697,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.8.4" } - ] + ], + "supplier": { + "name": "Laurent Bigonville " + } }, { "bom-ref": "pkg:deb/debian/libblkid1@2.33.1-0.1?arch=amd64&distro=debian-10.2", @@ -1730,7 +1814,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/libbz2-1.0@1.0.6-9.2~deb10u1?arch=amd64&distro=debian-10.2", @@ -1779,7 +1866,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.0.6" } - ] + ], + "supplier": { + "name": "Anibal Monsalve Salazar " + } }, { "bom-ref": "pkg:deb/debian/libc-bin@2.28-10?arch=amd64&distro=debian-10.2", @@ -1828,7 +1918,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.28" } - ] + ], + "supplier": { + "name": "GNU Libc Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libc6@2.28-10?arch=amd64&distro=debian-10.2", @@ -1877,7 +1970,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.28" } - ] + ], + "supplier": { + "name": "GNU Libc Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libcap-ng0@0.7.9-2?arch=amd64&distro=debian-10.2", @@ -1931,7 +2027,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "0.7.9" } - ] + ], + "supplier": { + "name": "Pierre Chifflier " + } }, { "bom-ref": "pkg:deb/debian/libcom-err2@1.44.5-1%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -1968,7 +2067,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.44.5" } - ] + ], + "supplier": { + "name": "Theodore Y. Ts'o " + } }, { "bom-ref": "pkg:deb/debian/libdb5.3@5.3.28%2Bdfsg1-0.5?arch=amd64&distro=debian-10.2", 
@@ -2005,7 +2107,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "5.3.28+dfsg1" } - ] + ], + "supplier": { + "name": "Debian Berkeley DB Team " + } }, { "bom-ref": "pkg:deb/debian/libdebconfclient0@0.249?arch=amd64&distro=debian-10.2", @@ -2038,7 +2143,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "0.249" } - ] + ], + "supplier": { + "name": "Debian Install System Team " + } }, { "bom-ref": "pkg:deb/debian/libext2fs2@1.44.5-1%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -2087,7 +2195,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.44.5" } - ] + ], + "supplier": { + "name": "Theodore Y. Ts'o " + } }, { "bom-ref": "pkg:deb/debian/libfdisk1@2.33.1-0.1?arch=amd64&distro=debian-10.2", @@ -2201,7 +2312,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/libffi6@3.2.1-9?arch=amd64&distro=debian-10.2", @@ -2245,7 +2359,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.2.1" } - ] + ], + "supplier": { + "name": "Debian GCC Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libgcc1@8.3.0-6?arch=amd64&distro=debian-10.2&epoch=1", @@ -2282,7 +2399,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "8.3.0" } - ] + ], + "supplier": { + "name": "Debian GCC Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libgcrypt20@1.8.4-5?arch=amd64&distro=debian-10.2", @@ -2331,7 +2451,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.8.4" } - ] + ], + "supplier": { + "name": "Debian GnuTLS Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libgdbm-compat4@1.18.1-4?arch=amd64&distro=debian-10.2", @@ -2395,7 +2518,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.18.1" } - ] + ], + "supplier": { + "name": "Dmitry Bogatov " + } }, { "bom-ref": "pkg:deb/debian/libgdbm6@1.18.1-4?arch=amd64&distro=debian-10.2", 
@@ -2459,7 +2585,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.18.1" } - ] + ], + "supplier": { + "name": "Dmitry Bogatov " + } }, { "bom-ref": "pkg:deb/debian/libgmp10@6.1.2%2Bdfsg-4?arch=amd64&distro=debian-10.2&epoch=2", @@ -2522,7 +2651,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "6.1.2+dfsg" } - ] + ], + "supplier": { + "name": "Debian Science Team " + } }, { "bom-ref": "pkg:deb/debian/libgnutls30@3.6.7-4?arch=amd64&distro=debian-10.2", @@ -2616,7 +2748,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.6.7" } - ] + ], + "supplier": { + "name": "Debian GnuTLS Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libgpg-error0@1.35-1?arch=amd64&distro=debian-10.2", @@ -2685,7 +2820,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.35" } - ] + ], + "supplier": { + "name": "Debian GnuPG Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libhogweed4@3.4.1-1?arch=amd64&distro=debian-10.2", @@ -2722,7 +2860,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.4.1" } - ] + ], + "supplier": { + "name": "Magnus Holmgren " + } }, { "bom-ref": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64&distro=debian-10.2", @@ -2796,7 +2937,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.0.5" } - ] + ], + "supplier": { + "name": "Debian Libidn team " + } }, { "bom-ref": "pkg:deb/debian/libjemalloc2@5.1.0-3?arch=amd64&distro=debian-10.2", @@ -2865,7 +3009,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "5.1.0" } - ] + ], + "supplier": { + "name": "Faidon Liambotis " + } }, { "bom-ref": "pkg:deb/debian/liblz4-1@1.8.3-1?arch=amd64&distro=debian-10.2", @@ -2919,7 +3066,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.8.3" } - ] + ], + "supplier": { + "name": "Nobuhiro Iwamatsu " + } }, { "bom-ref": "pkg:deb/debian/liblzma5@5.2.4-1?arch=amd64&distro=debian-10.2", 
@@ -3033,7 +3183,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "5.2.4" } - ] + ], + "supplier": { + "name": "Jonathan Nieder " + } }, { "bom-ref": "pkg:deb/debian/libmount1@2.33.1-0.1?arch=amd64&distro=debian-10.2", @@ -3147,7 +3300,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/libncurses6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -3184,7 +3340,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "6.1+20181013" } - ] + ], + "supplier": { + "name": "Craig Small " + } }, { "bom-ref": "pkg:deb/debian/libncursesw6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -3221,7 +3380,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "6.1+20181013" } - ] + ], + "supplier": { + "name": "Craig Small " + } }, { "bom-ref": "pkg:deb/debian/libnettle6@3.4.1-1?arch=amd64&distro=debian-10.2", @@ -3305,7 +3467,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.4.1" } - ] + ], + "supplier": { + "name": "Magnus Holmgren " + } }, { "bom-ref": "pkg:deb/debian/libp11-kit0@0.23.15-2?arch=amd64&distro=debian-10.2", @@ -3369,7 +3534,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "0.23.15" } - ] + ], + "supplier": { + "name": "Debian GnuTLS Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libpam-modules-bin@1.3.1-5?arch=amd64&distro=debian-10.2", @@ -3413,7 +3581,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.3.1" } - ] + ], + "supplier": { + "name": "Steve Langasek " + } }, { "bom-ref": "pkg:deb/debian/libpam-modules@1.3.1-5?arch=amd64&distro=debian-10.2", @@ -3457,7 +3628,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.3.1" } - ] + ], + "supplier": { + "name": "Steve Langasek " + } }, { "bom-ref": "pkg:deb/debian/libpam-runtime@1.3.1-5?arch=all&distro=debian-10.2", 
@@ -3501,7 +3675,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.3.1" } - ] + ], + "supplier": { + "name": "Steve Langasek " + } }, { "bom-ref": "pkg:deb/debian/libpam0g@1.3.1-5?arch=amd64&distro=debian-10.2", @@ -3545,7 +3722,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.3.1" } - ] + ], + "supplier": { + "name": "Steve Langasek " + } }, { "bom-ref": "pkg:deb/debian/libpcre3@8.39-12?arch=amd64&distro=debian-10.2&epoch=2", @@ -3586,7 +3766,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "8.39" } - ] + ], + "supplier": { + "name": "Matthew Vernon " + } }, { "bom-ref": "pkg:deb/debian/libreadline7@7.0-5?arch=amd64&distro=debian-10.2", @@ -3635,7 +3818,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "7.0" } - ] + ], + "supplier": { + "name": "Matthias Klose " + } }, { "bom-ref": "pkg:deb/debian/libruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64&distro=debian-10.2", @@ -3779,7 +3965,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.5.5" } - ] + ], + "supplier": { + "name": "Debian Ruby Team " + } }, { "bom-ref": "pkg:deb/debian/libseccomp2@2.3.3-4?arch=amd64&distro=debian-10.2", @@ -3823,7 +4012,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.3.3" } - ] + ], + "supplier": { + "name": "Kees Cook " + } }, { "bom-ref": "pkg:deb/debian/libselinux1@2.8-1%2Bb1?arch=amd64&distro=debian-10.2", @@ -3872,7 +4064,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.8" } - ] + ], + "supplier": { + "name": "Debian SELinux maintainers " + } }, { "bom-ref": "pkg:deb/debian/libsemanage-common@2.8-2?arch=all&distro=debian-10.2", @@ -3921,7 +4116,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.8" } - ] + ], + "supplier": { + "name": "Debian SELinux maintainers " + } }, { "bom-ref": "pkg:deb/debian/libsemanage1@2.8-2?arch=amd64&distro=debian-10.2", 
@@ -3970,7 +4168,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.8" } - ] + ], + "supplier": { + "name": "Debian SELinux maintainers " + } }, { "bom-ref": "pkg:deb/debian/libsepol1@2.8-1?arch=amd64&distro=debian-10.2", @@ -4019,7 +4220,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.8" } - ] + ], + "supplier": { + "name": "Debian SELinux maintainers " + } }, { "bom-ref": "pkg:deb/debian/libsmartcols1@2.33.1-0.1?arch=amd64&distro=debian-10.2", @@ -4133,7 +4337,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/libss2@1.44.5-1%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -4170,7 +4377,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.44.5" } - ] + ], + "supplier": { + "name": "Theodore Y. Ts'o " + } }, { "bom-ref": "pkg:deb/debian/libssl1.1@1.1.1d-0%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -4207,7 +4417,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.1.1d" } - ] + ], + "supplier": { + "name": "Debian OpenSSL Team " + } }, { "bom-ref": "pkg:deb/debian/libstdc%2B%2B6@8.3.0-6?arch=amd64&distro=debian-10.2", @@ -4244,7 +4457,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "8.3.0" } - ] + ], + "supplier": { + "name": "Debian GCC Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libsystemd0@241-7~deb10u2?arch=amd64&distro=debian-10.2", @@ -4318,7 +4534,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "241" } - ] + ], + "supplier": { + "name": "Debian systemd Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libtasn1-6@4.13-3?arch=amd64&distro=debian-10.2", @@ -4377,7 +4596,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "4.13" } - ] + ], + "supplier": { + "name": "Debian GnuTLS Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libtinfo6@6.1%2B20181013-2%2Bdeb10u2?arch=amd64&distro=debian-10.2", 
@@ -4414,7 +4636,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "6.1+20181013" } - ] + ], + "supplier": { + "name": "Craig Small " + } }, { "bom-ref": "pkg:deb/debian/libudev1@241-7~deb10u2?arch=amd64&distro=debian-10.2", @@ -4488,7 +4713,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "241" } - ] + ], + "supplier": { + "name": "Debian systemd Maintainers " + } }, { "bom-ref": "pkg:deb/debian/libunistring2@0.9.10-1?arch=amd64&distro=debian-10.2", @@ -4582,7 +4810,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "0.9.10" } - ] + ], + "supplier": { + "name": "J\u00f6rg Frings-F\u00fcrst " + } }, { "bom-ref": "pkg:deb/debian/libuuid1@2.33.1-0.1?arch=amd64&distro=debian-10.2", @@ -4696,7 +4927,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/libyaml-0-2@0.2.1-1?arch=amd64&distro=debian-10.2", @@ -4745,7 +4979,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "0.2.1" } - ] + ], + "supplier": { + "name": "Anders Kaseorg " + } }, { "bom-ref": "pkg:deb/debian/libzstd1@1.3.8%2Bdfsg-3?arch=amd64&distro=debian-10.2", @@ -4809,7 +5046,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.3.8+dfsg" } - ] + ], + "supplier": { + "name": "Debian Med Packaging Team " + } }, { "bom-ref": "pkg:deb/debian/login@4.5-1.1?arch=amd64&distro=debian-10.2&epoch=1", @@ -4857,7 +5097,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "4.5" } - ] + ], + "supplier": { + "name": "Shadow package maintainers " + } }, { "bom-ref": "pkg:deb/debian/mawk@1.3.3-17%2Bb3?arch=amd64&distro=debian-10.2", @@ -4901,7 +5144,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.3.3" } - ] + ], + "supplier": { + "name": "Steve Langasek " + } }, { "bom-ref": "pkg:deb/debian/mount@2.33.1-0.1?arch=amd64&distro=debian-10.2", 
@@ -5015,7 +5261,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/ncurses-base@6.1%2B20181013-2%2Bdeb10u2?arch=all&distro=debian-10.2", @@ -5052,7 +5301,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "6.1+20181013" } - ] + ], + "supplier": { + "name": "Craig Small " + } }, { "bom-ref": "pkg:deb/debian/ncurses-bin@6.1%2B20181013-2%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -5089,7 +5341,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "6.1+20181013" } - ] + ], + "supplier": { + "name": "Craig Small " + } }, { "bom-ref": "pkg:deb/debian/openssl@1.1.1d-0%2Bdeb10u2?arch=amd64&distro=debian-10.2", @@ -5126,7 +5381,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.1.1d" } - ] + ], + "supplier": { + "name": "Debian OpenSSL Team " + } }, { "bom-ref": "pkg:deb/debian/passwd@4.5-1.1?arch=amd64&distro=debian-10.2&epoch=1", @@ -5174,7 +5432,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "4.5" } - ] + ], + "supplier": { + "name": "Shadow package maintainers " + } }, { "bom-ref": "pkg:deb/debian/perl-base@5.28.1-6?arch=amd64&distro=debian-10.2", @@ -5211,7 +5472,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "5.28.1" } - ] + ], + "supplier": { + "name": "Niko Tyni " + } }, { "bom-ref": "pkg:deb/debian/rake@12.3.1-3?arch=all&distro=debian-10.2", @@ -5255,7 +5519,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "12.3.1" } - ] + ], + "supplier": { + "name": "Debian Ruby Extras Maintainers " + } }, { "bom-ref": "pkg:deb/debian/readline-common@7.0-5?arch=all&distro=debian-10.2", @@ -5304,7 +5571,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "7.0" } - ] + ], + "supplier": { + "name": "Matthias Klose " + } }, { "bom-ref": "pkg:deb/debian/ruby-did-you-mean@1.2.1-1?arch=all&distro=debian-10.2", 
@@ -5348,7 +5618,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.2.1" } - ] + ], + "supplier": { + "name": "Debian Ruby Extras Maintainers " + } }, { "bom-ref": "pkg:deb/debian/ruby-minitest@5.11.3-1?arch=all&distro=debian-10.2", @@ -5392,7 +5665,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "5.11.3" } - ] + ], + "supplier": { + "name": "Debian Ruby Extras Maintainers " + } }, { "bom-ref": "pkg:deb/debian/ruby-net-telnet@0.1.1-2?arch=all&distro=debian-10.2", @@ -5436,7 +5712,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "0.1.1" } - ] + ], + "supplier": { + "name": "Debian Ruby Extras Maintainers " + } }, { "bom-ref": "pkg:deb/debian/ruby-power-assert@1.1.1-1?arch=all&distro=debian-10.2", @@ -5485,7 +5764,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.1.1" } - ] + ], + "supplier": { + "name": "Debian Ruby Extras Maintainers " + } }, { "bom-ref": "pkg:deb/debian/ruby-test-unit@3.2.8-1?arch=all&distro=debian-10.2", @@ -5544,7 +5826,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "3.2.8" } - ] + ], + "supplier": { + "name": "Debian Ruby Extras Maintainers " + } }, { "bom-ref": "pkg:deb/debian/ruby-xmlrpc@0.3.0-2?arch=all&distro=debian-10.2", @@ -5588,7 +5873,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "0.3.0" } - ] + ], + "supplier": { + "name": "Debian Ruby Extras Maintainers " + } }, { "bom-ref": "pkg:deb/debian/ruby2.5@2.5.5-3%2Bdeb10u1?arch=amd64&distro=debian-10.2", @@ -5732,7 +6020,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.5.5" } - ] + ], + "supplier": { + "name": "Debian Ruby Team " + } }, { "bom-ref": "pkg:deb/debian/ruby@2.5.1?arch=amd64&distro=debian-10.2&epoch=1", @@ -5781,7 +6072,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.5.1" } - ] + ], + "supplier": { + "name": "Antonio Terceiro " + } }, { "bom-ref": "pkg:deb/debian/rubygems-integration@1.11?arch=all&distro=debian-10.2", 
@@ -5821,7 +6115,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.11" } - ] + ], + "supplier": { + "name": "Debian Ruby Extras Maintainers " + } }, { "bom-ref": "pkg:deb/debian/sed@4.7-1?arch=amd64&distro=debian-10.2", @@ -5865,7 +6162,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "4.7" } - ] + ], + "supplier": { + "name": "Clint Adams " + } }, { "bom-ref": "pkg:deb/debian/sysvinit-utils@2.93-8?arch=amd64&distro=debian-10.2", @@ -5914,7 +6214,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.93" } - ] + ], + "supplier": { + "name": "Debian sysvinit maintainers " + } }, { "bom-ref": "pkg:deb/debian/tar@1.30%2Bdfsg-6?arch=amd64&distro=debian-10.2", @@ -5963,7 +6266,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.30+dfsg" } - ] + ], + "supplier": { + "name": "Bdale Garbee " + } }, { "bom-ref": "pkg:deb/debian/tzdata@2019c-0%2Bdeb10u1?arch=all&distro=debian-10.2", @@ -6000,7 +6306,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2019c" } - ] + ], + "supplier": { + "name": "GNU Libc Maintainers " + } }, { "bom-ref": "pkg:deb/debian/util-linux@2.33.1-0.1?arch=amd64&distro=debian-10.2", @@ -6114,7 +6423,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "2.33.1" } - ] + ], + "supplier": { + "name": "LaMont Jones " + } }, { "bom-ref": "pkg:deb/debian/zlib1g@1.2.11.dfsg-1?arch=amd64&distro=debian-10.2&epoch=1", @@ -6162,7 +6474,10 @@ "name": "aquasecurity:trivy:SrcVersion", "value": "1.2.11.dfsg" } - ] + ], + "supplier": { + "name": "Mark Brown " + } }, { "bom-ref": "pkg:gem/activesupport@6.0.2.1", @@ -9325,4 +9640,4 @@ } ], "vulnerabilities": [] -} +} \ No newline at end of file diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go index 6990d3c7e84d..152096c2caea 100644 --- a/pkg/detector/library/driver.go +++ b/pkg/detector/library/driver.go 
@@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 InstalledVersion: pkgVer,
 FixedVersion: createFixedVersions(adv),
 DataSource: adv.DataSource,
+ Custom: adv.Custom,
 }
 vulns = append(vulns, vuln)
 }
diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
index 10c3ad304f29..cf8af718f783 100644
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
@@ -182,6 +182,32 @@ func TestDriver_Detect(t *testing.T) {
 },
 },
 },
+ {
+ name: "Custom data for vulnerability",
+ fixtures: []string{
+ "testdata/fixtures/go-custom-data.yaml",
+ "testdata/fixtures/data-source.yaml",
+ },
+ libType: ftypes.GoBinary,
+ args: args{
+ pkgName: "github.com/docker/docker",
+ pkgVer: "23.0.14",
+ },
+ want: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "GHSA-v23v-6jw2-98fq",
+ PkgName: "github.com/docker/docker",
+ InstalledVersion: "23.0.14",
+ FixedVersion: "23.0.15, 26.1.5, 27.1.1, 25.0.6",
+ DataSource: &dbTypes.DataSource{
+ ID: vulnerability.GHSA,
+ Name: "GitHub Security Advisory Go",
+ URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
+ },
+ Custom: map[string]any{"Severity": 2.0},
+ },
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
index eeb4a57e9637..087f960d2c58 100644
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -25,3 +25,8 @@
 ID: "ghsa"
 Name: "GitHub Security Advisory Pip"
 URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+ - key: "go::GitHub Security Advisory Go"
+ value:
+ ID: "ghsa"
+ Name: "GitHub Security Advisory Go"
+ URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
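Review bot: `Custom: adv.Custom` copies the advisory's custom map into the DetectedVulnerability with no comment on what that map is for; a one-liner such as `// Custom carries source-specific advisory data (e.g. a vendor severity) through unchanged` would help readers of DetectVulnerabilities, whose body starts and ends outside this hunk. The commit message says this data was previously not reaching the server side; this hunk populates it in the detector, but nothing in the diff shows the RPC conversion in pkg/rpc/convert.go (touched here only for Maintainer) carrying Custom across, so it is worth confirming that path is covered as well. The map is shared with the decoded advisory rather than cloned, so a later mutation of the result would alias the DB-decoded value — presumably fine while both stay read-only, but worth a note if that ever changes.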
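Review bot: The expectation `Custom: map[string]any{"Severity": 2.0}` pins a float64 while the fixture go-custom-data.yaml writes `Severity: 2`, and nothing in the test explains why the integer becomes a float — presumably the fixture value is serialised as a JSON number and decoded into `any` on the way back out, but a reader cannot see that here. A comment on the expectation line, e.g. `// fixture "Severity: 2" round-trips as an untyped JSON number, hence float64`, would save the next person a debugging session; adjust the wording to what the fixture loader actually does. TestDriver_Detect starts and ends outside this hunk.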
diff --git a/pkg/detector/library/testdata/fixtures/go-custom-data.yaml b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
new file mode 100644
index 000000000000..aea7b8c7cd01
--- /dev/null
+++ b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
@@ -0,0 +1,18 @@
+- bucket: "go::GitHub Security Advisory Go"
+ pairs:
+ - bucket: github.com/docker/docker
+ pairs:
+ - key: "GHSA-v23v-6jw2-98fq"
+ value:
+ PatchedVersions:
+ - "23.0.15"
+ - "26.1.5"
+ - "27.1.1"
+ - "25.0.6"
+ VulnerableVersions:
+ - ">=19.03.0, <23.0.15"
+ - ">=26.0.0, <26.1.5"
+ - ">=27.0.0, <27.1.1"
+ - ">=24.0.0, <25.0.6"
+ Custom:
+ Severity: 2
\ No newline at end of file
diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go
index 89097730111b..32ce9fc71124 100644
--- a/pkg/rpc/convert.go
+++ b/pkg/rpc/convert.go
@@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package {
 DependsOn: pkg.DependsOn,
 Digest: pkg.Digest.String(),
 Indirect: pkg.Indirect,
+ Maintainer: pkg.Maintainer,
 })
 }
 return rpcPkgs
@@ -226,6 +227,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
 DependsOn: pkg.DependsOn,
 Digest: digest.Digest(pkg.Digest),
 Indirect: pkg.Indirect,
+ Maintainer: pkg.Maintainer,
 })
 }
 return pkgs
diff --git a/pkg/rpc/convert_test.go b/pkg/rpc/convert_test.go
index 6f90c3b5cc8e..9c60a13c7337 100644
--- a/pkg/rpc/convert_test.go
+++ b/pkg/rpc/convert_test.go
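Review bot: Only one of the two new `Maintainer: pkg.Maintainer` lines is exercised by a test: the diffstat and the convert_test.go hunk show a single case added to TestConvertFromRpcPkgs, so the ConvertToRPCPkgs direction (the first hunk here) has nothing asserting that Maintainer reaches the wire struct, and a dropped field there would go unnoticed. Add a mirrored case to the ConvertToRPCPkgs test with `Maintainer: "alice@example.com"` on the ftypes side and the same value expected on the `common.Package` side. Both functions begin before their hunks; the same gap applies to the second hunk only in that its test now exists and the first's does not.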
@@ -183,6 +183,78 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 },
 },
 },
+ {
+ args: args{
+ rpcPkgs: []*common.Package{
+ {
+ Name: "binary",
+ Version: "4.2+dfsg",
+ Release: "0.1+deb7u4",
+ Epoch: 0,
+ Arch: "amd64",
+ SrcName: "bash",
+ SrcVersion: "4.2+dfsg",
+ SrcRelease: "0.1+deb7u4",
+ SrcEpoch: 0,
+ Licenses: []string{"GPL-3.0"},
+ Locations: []*common.Location{
+ {
+ StartLine: 10,
+ EndLine: 20,
+ },
+ {
+ StartLine: 22,
+ EndLine: 32,
+ },
+ },
+ Layer: &common.Layer{
+ Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+ DiffId: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+ },
+ Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+ Indirect: false,
+ Identifier: &common.PkgIdentifier{
+ Uid: "63f8bef824b960e3",
+ },
+ Maintainer: "alice@example.com",
+ },
+ },
+ },
+ want: []ftypes.Package{
+ {
+ Name: "binary",
+ Version: "4.2+dfsg",
+ Release: "0.1+deb7u4",
+ Epoch: 0,
+ Arch: "amd64",
+ SrcName: "bash",
+ SrcVersion: "4.2+dfsg",
+ SrcRelease: "0.1+deb7u4",
+ SrcEpoch: 0,
+ Licenses: []string{"GPL-3.0"},
+ Locations: []ftypes.Location{
+ {
+ StartLine: 10,
+ EndLine: 20,
+ },
+ {
+ StartLine: 22,
+ EndLine: 32,
+ },
+ },
+ Layer: ftypes.Layer{
+ Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+ DiffID: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+ },
+ Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+ Indirect: false,
+ Identifier: ftypes.PkgIdentifier{
+ UID: "63f8bef824b960e3",
+ },
+ Maintainer: "alice@example.com",
+ },
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/rpc/common/service.pb.go b/rpc/common/service.pb.go
index c8290cc52818..1a769c877f36 100644
--- a/rpc/common/service.pb.go
+++ b/rpc/common/service.pb.go
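Review bot: The new table case starts directly with `args:` and has no `name:` field, so the `t.Run(tt.name, ...)` at the bottom of the hunk runs it as an unnamed subtest, which makes a failure hard to attribute and will collide with any other nameless case; give it `name: "package with maintainer",` as its first field. The case appears to repeat the preceding one with only Maintainer added (inferred from the context lines; the earlier case is outside the hunk), in which case setting Maintainer on the existing case would cover the new field with less to maintain. TestConvertFromRpcPkgs starts and ends outside this hunk.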
@@ -465,6 +465,7 @@ type Package struct { Digest string `protobuf:"bytes,16,opt,name=digest,proto3" json:"digest,omitempty"` Dev bool `protobuf:"varint,17,opt,name=dev,proto3" json:"dev,omitempty"` Indirect bool `protobuf:"varint,18,opt,name=indirect,proto3" json:"indirect,omitempty"` + Maintainer string `protobuf:"bytes,21,opt,name=maintainer,proto3" json:"maintainer,omitempty"` } func (x *Package) Reset() { @@ -632,6 +633,13 @@ func (x *Package) GetIndirect() bool { return false } +func (x *Package) GetMaintainer() string { + if x != nil { + return x.Maintainer + } + return "" +} + type PkgIdentifier struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -2428,7 +2436,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{ 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x31, 0x0a, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, - 0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xc1, 0x04, 0x0a, 0x07, + 0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xe1, 0x04, 0x0a, 0x07, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 
@@ -2464,7 +2472,9 @@ var file_rpc_common_service_proto_rawDesc = []byte{ 0x65, 0x73, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x76, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x64, 0x65, 0x76, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, - 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x22, + 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12, + 0x1e, 0x0a, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x18, 0x15, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x22, 0x4e, 0x0a, 0x0d, 0x50, 0x6b, 0x67, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x75, 0x72, 0x6c, 0x12, 0x17, 0x0a, 0x07, 0x62, 0x6f, 0x6d, 0x5f, 0x72, 0x65, 0x66, 0x18, diff --git a/rpc/common/service.proto b/rpc/common/service.proto index e989738c285b..dd353f004596 100644 --- a/rpc/common/service.proto +++ b/rpc/common/service.proto @@ -54,6 +54,7 @@ message Package { string digest = 16; bool dev = 17; bool indirect = 18; + string maintainer = 21; } message PkgIdentifier {
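Review bot: `string maintainer = 21;` is added with no comment on what the string holds, and it jumps from 18 to 21 with 19 and 20 unexplained; if those numbers are used by fields declared earlier in the message or are reserved, a short comment on the new line saying so would stop the next contributor from reusing them, and if they are simply free the gap should be explained or closed before the field number is published. Suggested wording: `// Package maintainer as recorded in the package metadata; 19-20 are [used elsewhere in this message / reserved — TODO confirm]`. The regenerated service.pb.go hunks above are consistent with field number 21 and need no separate change. The Package message starts before this hunk.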