Fixes for Programming Language Vulnerabilities and SBOM Package Maint…

…ainer Details 1. It addresses an issue with programming language vulnerabilities by ensuring that the custom information is sent, which was previously causing a bug on the Aqua side. 2. For the SBOM, it adds the package maintainer details to the results, allowing to show this information.
aquasecurity · Nov 21, 2024 · 867f113 · 867f113
1 parent 01fa177
commit 867f113
Show file tree

Hide file tree

Showing 9 changed files with 563 additions and 113 deletions.
diff --git a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
@@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 			InstalledVersion: pkgVer,
 			FixedVersion:     createFixedVersions(adv),
 			DataSource:       adv.DataSource,
+			Custom:           adv.Custom,
 		}
 		vulns = append(vulns, vuln)
 	}

diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
@@ -182,6 +182,32 @@ func TestDriver_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Custom data for vulnerability",
+			fixtures: []string{
+				"testdata/fixtures/go-custom-data.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.GoBinary,
+			args: args{
+				pkgName: "github.com/docker/docker",
+				pkgVer:  "23.0.14",
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "GHSA-v23v-6jw2-98fq",
+					PkgName:          "github.com/docker/docker",
+					InstalledVersion: "23.0.14",
+					FixedVersion:     "23.0.15, 26.1.5, 27.1.1, 25.0.6",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.GHSA,
+						Name: "GitHub Security Advisory Go",
+						URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
+					},
+					Custom: map[string]any{"Severity": 2.0},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -25,3 +25,8 @@
         ID: "ghsa"
         Name: "GitHub Security Advisory Pip"
         URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+    - key: "go::GitHub Security Advisory Go"
+      value:
+        ID: "ghsa"
+        Name: "GitHub Security Advisory Go"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
diff --git a/pkg/detector/library/testdata/fixtures/go-custom-data.yaml b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
@@ -0,0 +1,18 @@
+- bucket: "go::GitHub Security Advisory Go"
+  pairs:
+    - bucket: github.com/docker/docker
+      pairs:
+        - key: "GHSA-v23v-6jw2-98fq"
+          value:
+            PatchedVersions:
+              - "23.0.15"
+              - "26.1.5"
+              - "27.1.1"
+              - "25.0.6"
+            VulnerableVersions:
+              - ">=19.03.0, <23.0.15"
+              - ">=26.0.0, <26.1.5"
+              - ">=27.0.0, <27.1.1"
+              - ">=24.0.0, <25.0.6"
+            Custom:
+              Severity: 2
diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go
@@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package {
 			DependsOn:  pkg.DependsOn,
 			Digest:     pkg.Digest.String(),
 			Indirect:   pkg.Indirect,
+			Maintainer: pkg.Maintainer,
 		})
 	}
 	return rpcPkgs
@@ -226,6 +227,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
 			DependsOn:  pkg.DependsOn,
 			Digest:     digest.Digest(pkg.Digest),
 			Indirect:   pkg.Indirect,
+			Maintainer: pkg.Maintainer,
 		})
 	}
 	return pkgs

diff --git a/pkg/rpc/convert_test.go b/pkg/rpc/convert_test.go
@@ -183,6 +183,78 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 				},
 			},
 		},
+		{
+			args: args{
+				rpcPkgs: []*common.Package{
+					{
+						Name:       "binary",
+						Version:    "4.2+dfsg",
+						Release:    "0.1+deb7u4",
+						Epoch:      0,
+						Arch:       "amd64",
+						SrcName:    "bash",
+						SrcVersion: "4.2+dfsg",
+						SrcRelease: "0.1+deb7u4",
+						SrcEpoch:   0,
+						Licenses:   []string{"GPL-3.0"},
+						Locations: []*common.Location{
+							{
+								StartLine: 10,
+								EndLine:   20,
+							},
+							{
+								StartLine: 22,
+								EndLine:   32,
+							},
+						},
+						Layer: &common.Layer{
+							Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+							DiffId: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+						},
+						Digest:   "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+						Indirect: false,
+						Identifier: &common.PkgIdentifier{
+							Uid: "63f8bef824b960e3",
+						},
+						Maintainer: "[email protected]",
+					},
+				},
+			},
+			want: []ftypes.Package{
+				{
+					Name:       "binary",
+					Version:    "4.2+dfsg",
+					Release:    "0.1+deb7u4",
+					Epoch:      0,
+					Arch:       "amd64",
+					SrcName:    "bash",
+					SrcVersion: "4.2+dfsg",
+					SrcRelease: "0.1+deb7u4",
+					SrcEpoch:   0,
+					Licenses:   []string{"GPL-3.0"},
+					Locations: []ftypes.Location{
+						{
+							StartLine: 10,
+							EndLine:   20,
+						},
+						{
+							StartLine: 22,
+							EndLine:   32,
+						},
+					},
+					Layer: ftypes.Layer{
+						Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+						DiffID: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+					},
+					Digest:   "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+					Indirect: false,
+					Identifier: ftypes.PkgIdentifier{
+						UID: "63f8bef824b960e3",
+					},
+					Maintainer: "[email protected]",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/rpc/common/service.pb.go b/rpc/common/service.pb.go
diff --git a/rpc/common/service.proto b/rpc/common/service.proto
@@ -54,6 +54,7 @@ message Package {
   string            digest      = 16;
   bool              dev         = 17;
   bool              indirect    = 18;
+  string            maintainer  = 21;
 }
 
 message PkgIdentifier {
@@ -68,11 +69,11 @@ message Location {
 }
 
 message Misconfiguration {
-  string                 file_type  = 1;
-  string                 file_path  = 2;
-  repeated MisconfResult successes  = 3;
-  repeated MisconfResult warnings   = 4;
-  repeated MisconfResult failures   = 5;
+  string                 file_type = 1;
+  string                 file_path = 2;
+  repeated MisconfResult successes = 3;
+  repeated MisconfResult warnings  = 4;
+  repeated MisconfResult failures  = 5;
 
   reserved 6;  // deprecated 'exceptions'
 }