Skip to content

Commit

Permalink
feat(alpine): support unfixed vulnerabilities (#1235)
Browse files Browse the repository at this point in the history
  • Loading branch information
knqyf263 authored Sep 16, 2021
1 parent 3bf3a46 commit 8cd7de2
Show file tree
Hide file tree
Showing 3 changed files with 67 additions and 16 deletions.
56 changes: 43 additions & 13 deletions pkg/detector/ospkg/alpine/alpine.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"k8s.io/utils/clock"

ftypes "github.com/aquasecurity/fanal/types"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
Expand Down Expand Up @@ -100,26 +101,55 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
}

for _, adv := range advisories {
fixedVersion, err := version.NewVersion(adv.FixedVersion)
if err != nil {
log.Logger.Debugf("failed to parse Alpine Linux fixed version: %s", err)
if !s.isVulnerable(installedVersion, adv) {
continue
}
if installedVersion.LessThan(fixedVersion) {
vuln := types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
FixedVersion: adv.FixedVersion,
Layer: pkg.Layer,
}
vulns = append(vulns, vuln)
}
vulns = append(vulns, types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
FixedVersion: adv.FixedVersion,
Layer: pkg.Layer,
})

}
}
return vulns, nil
}

func (s *Scanner) isVulnerable(installedVersion version.Version, adv dbTypes.Advisory) bool {
// This logic is for unfixed vulnerabilities, but Trivy DB doesn't have advisories for unfixed vulnerabilities for now
// because Alpine just provides potentially vulnerable packages. It will cause a lot of false positives.
// This is for Aqua commercial products.
if adv.AffectedVersion != "" {
// AffectedVersion means which version introduced this vulnerability.
affectedVersion, err := version.NewVersion(adv.AffectedVersion)
if err != nil {
log.Logger.Debugf("failed to parse Alpine Linux affected package version: %s", err)
return false
}
if affectedVersion.GreaterThan(installedVersion) {
return false
}
}

// This logic is also for unfixed vulnerabilities.
if adv.FixedVersion == "" {
// It means the unfixed vulnerability
return true
}

// Compare versions for fixed vulnerabilities
fixedVersion, err := version.NewVersion(adv.FixedVersion)
if err != nil {
log.Logger.Debugf("failed to parse Alpine Linux fixed version: %s", err)
return false
}

// It means the fixed vulnerability
return installedVersion.LessThan(fixedVersion)
}

// IsSupportedVersion checks the OSFamily can be scanned using Alpine scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 1 {
Expand Down
20 changes: 17 additions & 3 deletions pkg/detector/ospkg/alpine/alpine_test.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package alpine_test

import (
"sort"
"testing"
"time"

Expand Down Expand Up @@ -29,7 +30,7 @@ func TestScanner_Detect(t *testing.T) {
}{
{
name: "happy path",
fixtures: []string{"testdata/fixtures/alpine310.yaml"},
fixtures: []string{"testdata/fixtures/alpine.yaml"},
args: args{
osVer: "3.10.2",
pkgs: []ftypes.Package{
Expand Down Expand Up @@ -60,11 +61,20 @@ func TestScanner_Detect(t *testing.T) {
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
},
{
PkgName: "ansible",
VulnerabilityID: "CVE-2021-20191",
InstalledVersion: "2.6.4",
FixedVersion: "",
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
},
},
},
{
name: "contain rc",
fixtures: []string{"testdata/fixtures/alpine310.yaml"},
fixtures: []string{"testdata/fixtures/alpine.yaml"},
args: args{
osVer: "3.10",
pkgs: []ftypes.Package{
Expand All @@ -87,7 +97,7 @@ func TestScanner_Detect(t *testing.T) {
},
{
name: "contain pre",
fixtures: []string{"testdata/fixtures/alpine310.yaml"},
fixtures: []string{"testdata/fixtures/alpine.yaml"},
args: args{
osVer: "3.10",
pkgs: []ftypes.Package{
Expand Down Expand Up @@ -143,6 +153,10 @@ func TestScanner_Detect(t *testing.T) {
assert.Contains(t, err.Error(), tt.wantErr)
return
}

sort.Slice(got, func(i, j int) bool {
return got[i].VulnerabilityID < got[j].VulnerabilityID
})
assert.NoError(t, err)
assert.Equal(t, tt.want, got)
})
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,13 @@
- key: CVE-2019-10217
value:
FixedVersion: "2.8.4-r0"
- key: CVE-2020-1740
value:
FixedVersion: ""
AffectedVersion: "2.6.5"
- key: CVE-2021-20191
value:
FixedVersion: ""
- key: CVE-2019-INVALID
value:
FixedVersion: "invalid"
Expand Down

0 comments on commit 8cd7de2

Please sign in to comment.