fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
santhosh1729 authored Nov 21, 2024
1 parent 45d3b40 commit 461a68a
Showing 9 changed files with 563 additions and 113 deletions.
527 changes: 421 additions & 106 deletions integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden


1 change: 1 addition & 0 deletions pkg/detector/library/driver.go
Expand Up @@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
InstalledVersion: pkgVer,
FixedVersion: createFixedVersions(adv),
DataSource: adv.DataSource,
Custom: adv.Custom,
}
vulns = append(vulns, vuln)
}
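Review bot: `Custom: adv.Custom` on the new line hands the advisory's map to the DetectedVulnerability by reference, so the value types inside it are whatever the DB decoder produced, not the fixture's literal types — go-custom-data.yaml declares `Severity: 2` while the new case in driver_test.go asserts `map[string]any{"Severity": 2.0}`. Consumers that read keys out of Custom (the SBOM writer this commit targets, presumably) should therefore not assume integer values, and because the map is shared rather than cloned they must not mutate it in place. A comment on the assignment would spare the next reader the hunt: `// Custom is the advisory's map as decoded from the DB, shared not copied; numeric values may arrive as float64.` DetectVulnerabilities starts and ends outside the hunk.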
26 changes: 26 additions & 0 deletions pkg/detector/library/driver_test.go
Expand Up @@ -182,6 +182,32 @@ func TestDriver_Detect(t *testing.T) {
},
},
},
{
name: "Custom data for vulnerability",
fixtures: []string{
"testdata/fixtures/go-custom-data.yaml",
"testdata/fixtures/data-source.yaml",
},
libType: ftypes.GoBinary,
args: args{
pkgName: "github.com/docker/docker",
pkgVer: "23.0.14",
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "GHSA-v23v-6jw2-98fq",
PkgName: "github.com/docker/docker",
InstalledVersion: "23.0.14",
FixedVersion: "23.0.15, 26.1.5, 27.1.1, 25.0.6",
DataSource: &dbTypes.DataSource{
ID: vulnerability.GHSA,
Name: "GitHub Security Advisory Go",
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
},
Custom: map[string]any{"Severity": 2.0},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
5 changes: 5 additions & 0 deletions pkg/detector/library/testdata/fixtures/data-source.yaml
Expand Up @@ -25,3 +25,8 @@
ID: "ghsa"
Name: "GitHub Security Advisory Pip"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
- key: "go::GitHub Security Advisory Go"
value:
ID: "ghsa"
Name: "GitHub Security Advisory Go"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
18 changes: 18 additions & 0 deletions pkg/detector/library/testdata/fixtures/go-custom-data.yaml
@@ -0,0 +1,18 @@
- bucket: "go::GitHub Security Advisory Go"
pairs:
- bucket: github.com/docker/docker
pairs:
- key: "GHSA-v23v-6jw2-98fq"
value:
PatchedVersions:
- "23.0.15"
- "26.1.5"
- "27.1.1"
- "25.0.6"
VulnerableVersions:
- ">=19.03.0, <23.0.15"
- ">=26.0.0, <26.1.5"
- ">=27.0.0, <27.1.1"
- ">=24.0.0, <25.0.6"
Custom:
Severity: 2
2 changes: 2 additions & 0 deletions pkg/rpc/convert.go
Expand Up @@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package {
DependsOn: pkg.DependsOn,
Digest: pkg.Digest.String(),
Indirect: pkg.Indirect,
Maintainer: pkg.Maintainer,
})
}
return rpcPkgs
Expand Down Expand Up @@ -226,6 +227,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
DependsOn: pkg.DependsOn,
Digest: digest.Digest(pkg.Digest),
Indirect: pkg.Indirect,
Maintainer: pkg.Maintainer,
})
}
return pkgs
72 changes: 72 additions & 0 deletions pkg/rpc/convert_test.go
Expand Up @@ -183,6 +183,78 @@ func TestConvertFromRpcPkgs(t *testing.T) {
},
},
},
{
args: args{
rpcPkgs: []*common.Package{
{
Name: "binary",
Version: "4.2+dfsg",
Release: "0.1+deb7u4",
Epoch: 0,
Arch: "amd64",
SrcName: "bash",
SrcVersion: "4.2+dfsg",
SrcRelease: "0.1+deb7u4",
SrcEpoch: 0,
Licenses: []string{"GPL-3.0"},
Locations: []*common.Location{
{
StartLine: 10,
EndLine: 20,
},
{
StartLine: 22,
EndLine: 32,
},
},
Layer: &common.Layer{
Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
DiffId: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
},
Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
Indirect: false,
Identifier: &common.PkgIdentifier{
Uid: "63f8bef824b960e3",
},
Maintainer: "[email protected]",
},
},
},
want: []ftypes.Package{
{
Name: "binary",
Version: "4.2+dfsg",
Release: "0.1+deb7u4",
Epoch: 0,
Arch: "amd64",
SrcName: "bash",
SrcVersion: "4.2+dfsg",
SrcRelease: "0.1+deb7u4",
SrcEpoch: 0,
Licenses: []string{"GPL-3.0"},
Locations: []ftypes.Location{
{
StartLine: 10,
EndLine: 20,
},
{
StartLine: 22,
EndLine: 32,
},
},
Layer: ftypes.Layer{
Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
DiffID: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
},
Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
Indirect: false,
Identifier: ftypes.PkgIdentifier{
UID: "63f8bef824b960e3",
},
Maintainer: "[email protected]",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
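Review bot: The new table entry starting at `args: args{` has no `name:` field even though the loop runs `t.Run(tt.name, …)`, so it executes as an unnamed subtest and a failure in it will be hard to attribute; `name: "package with maintainer",` as the first field would fix that. As far as this diff shows, the only coverage added is for ConvertFromRPCPkgs, while the matching `Maintainer: pkg.Maintainer` line in ConvertToRPCPkgs (convert.go, first hunk) has no assertion, so a regression in the to-RPC direction would still pass; a `Maintainer` value in the ConvertToRPCPkgs test table (outside this diff) would close that gap. TestConvertFromRpcPkgs starts and ends outside the hunk.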
14 changes: 12 additions & 2 deletions rpc/common/service.pb.go


11 changes: 6 additions & 5 deletions rpc/common/service.proto
Expand Up @@ -54,6 +54,7 @@ message Package {
string digest = 16;
bool dev = 17;
bool indirect = 18;
string maintainer = 21;
}

message PkgIdentifier {
Expand All @@ -68,11 +69,11 @@ message Location {
}

message Misconfiguration {
string file_type = 1;
string file_path = 2;
repeated MisconfResult successes = 3;
repeated MisconfResult warnings = 4;
repeated MisconfResult failures = 5;
string file_type = 1;
string file_path = 2;
repeated MisconfResult successes = 3;
repeated MisconfResult warnings = 4;
repeated MisconfResult failures = 5;

reserved 6; // deprecated 'exceptions'
}
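Review bot: `string maintainer = 21;` jumps from 18 to 21 with neither a `reserved 19, 20;` statement nor a comment; if those numbers are not assigned further down in `Package` (the message body continues past the hunk), the gap invites a later contributor to reuse 19 or 20, which older clients would silently decode into the wrong field. Either declare `reserved 19, 20;` next to the new field or add a one-line comment saying why they are skipped. The re-indentation of `Misconfiguration` in the second hunk is whitespace only.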
