Skip to content

Commit

Permalink
fix(cyclonedx): trim non-URL info for advisory.url (#6952)
Browse files Browse the repository at this point in the history
  • Loading branch information
DmitriyLewen authored Jun 19, 2024
1 parent 38b35dd commit 417212e
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 2 deletions.
16 changes: 16 additions & 0 deletions pkg/sbom/cyclonedx/marshal.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package cyclonedx
import (
"context"
"fmt"
"net/url"
"slices"
"sort"
"strconv"
Expand Down Expand Up @@ -332,6 +333,10 @@ func (*Marshaler) affects(ref, version string) cdx.Affects {
func (*Marshaler) advisories(refs []string) *[]cdx.Advisory {
refs = lo.Uniq(refs)
advs := lo.FilterMap(refs, func(ref string, _ int) (cdx.Advisory, bool) {
// There are cases when `ref` contains extra info
// But we need to use only URL.
// cf. https://github.com/aquasecurity/trivy/issues/6801
ref = trimNonUrlInfo(ref)
return cdx.Advisory{URL: ref}, ref != ""
})

Expand All @@ -345,6 +350,17 @@ func (*Marshaler) advisories(refs []string) *[]cdx.Advisory {
return &advs
}

// trimNonUrlInfo returns first valid URL.
func trimNonUrlInfo(ref string) string {
ss := strings.Split(ref, " ")
for _, s := range ss {
if u, err := url.Parse(s); err == nil && u.Scheme != "" && u.Host != "" {
return s
}
}
return ""
}

func (m *Marshaler) marshalVulnerability(bomRef string, vuln core.Vulnerability) *cdx.Vulnerability {
v := &cdx.Vulnerability{
ID: vuln.ID,
Expand Down
4 changes: 2 additions & 2 deletions pkg/sbom/cyclonedx/marshal_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -847,8 +847,8 @@ func TestMarshaler_MarshalReport(t *testing.T) {
},
},
References: []string{
"http://www.openwall.com/lists/oss-security/2022/02/11/5",
"https://access.redhat.com/security/cve/CVE-2022-23633",
" extraPrefix http://www.openwall.com/lists/oss-security/2022/02/11/5",
"https://access.redhat.com/security/cve/CVE-2022-23633 (extra suffix)",
},
PublishedDate: lo.ToPtr(time.Date(2022, 2, 11, 21, 15, 0, 0, time.UTC)),
LastModifiedDate: lo.ToPtr(time.Date(2022, 2, 22, 21, 47, 0, 0, time.UTC)),
Expand Down

0 comments on commit 417212e

Please sign in to comment.