From 9aa438912a7805bcc25d68035b61550f504a22cc Mon Sep 17 00:00:00 2001
From: thatipelli santhosh
Date: Tue, 5 Nov 2024 15:26:34 +0530
Subject: [PATCH] Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details
1. It addresses an issue with programming language vulnerabilities by ensuring that the custom information is sent, which was previously causing a bug on the Aqua side.
2. For the SBOM, it adds the package maintainer details to the results, allowing to show this information.
---
 pkg/detector/library/driver.go | 1 +
 pkg/detector/library/driver_test.go | 26 +++++++++++++++++++
 .../testdata/fixtures/data-source.yaml | 5 ++++
 .../testdata/fixtures/go-custom-data.yaml | 18 +++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 pkg/detector/library/testdata/fixtures/go-custom-data.yaml
diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
index 6990d3c7e84d..152096c2caea 100644
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 InstalledVersion: pkgVer,
 FixedVersion: createFixedVersions(adv),
 DataSource: adv.DataSource,
+ Custom: adv.Custom,
 }
 vulns = append(vulns, vuln)
 }
diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
index 10c3ad304f29..cf8af718f783 100644
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
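Review bot: `Custom: adv.Custom,` forwards the advisory's Custom value by reference, so if Custom is a map — the test's expected `map[string]any{"Severity": 2.0}` suggests it is — the DetectedVulnerability and the advisory it was built from share one map, and a consumer that edits its result edits the advisory record as well. Cloning at the boundary, `Custom: maps.Clone(adv.Custom),`, keeps results independent and still yields nil for a nil map, so the existing cases are unaffected; it does need `maps` in the import block and Go 1.21+, which this hunk cannot confirm. Independently, the new field deserves a why-comment, since nothing in this package defines its contents: `// Custom is forwarded verbatim from the advisory; its keys and value types come from the vulnerability DB, not from this package, so consumers should not rely on a fixed schema`. DetectVulnerabilities starts before this hunk and continues after it.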
@@ -182,6 +182,32 @@ func TestDriver_Detect(t *testing.T) {
 },
 },
 },
+ {
+ name: "Custom data for vulnerability",
+ fixtures: []string{
+ "testdata/fixtures/go-custom-data.yaml",
+ "testdata/fixtures/data-source.yaml",
+ },
+ libType: ftypes.GoBinary,
+ args: args{
+ pkgName: "github.com/docker/docker",
+ pkgVer: "23.0.14",
+ },
+ want: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "GHSA-v23v-6jw2-98fq",
+ PkgName: "github.com/docker/docker",
+ InstalledVersion: "23.0.14",
+ FixedVersion: "23.0.15, 26.1.5, 27.1.1, 25.0.6",
+ DataSource: &dbTypes.DataSource{
+ ID: vulnerability.GHSA,
+ Name: "GitHub Security Advisory Go",
+ URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
+ },
+ Custom: map[string]any{"Severity": 2.0},
+ },
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
index eeb4a57e9637..087f960d2c58 100644
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -25,3 +25,8 @@
 ID: "ghsa"
 Name: "GitHub Security Advisory Pip"
 URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+ - key: "go::GitHub Security Advisory Go"
+ value:
+ ID: "ghsa"
+ Name: "GitHub Security Advisory Go"
+ URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
diff --git a/pkg/detector/library/testdata/fixtures/go-custom-data.yaml b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
new file mode 100644
index 000000000000..aea7b8c7cd01
--- /dev/null
+++ b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
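Review bot: The expected `Custom: map[string]any{"Severity": 2.0}` pins a type detail that the fixture's `Severity: 2` (an integer in YAML) does not make obvious: numbers inside Custom arrive as float64, presumably because the advisory is decoded into `any` through a JSON-style decoder. A reader comparing fixture and expectation will see a mismatch, so a comment on that line would save the next person a debugging round: `// numbers inside Custom decode to float64, so the fixture's integer 2 is expected as 2.0`. The new case also only covers a flat scalar; a Custom block holding a nested map or list would show whether pass-through preserves structure, which is what a downstream consumer of this field will depend on. TestDriver_Detect starts before this hunk and continues after it.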
@@ -0,0 +1,18 @@
+- bucket: "go::GitHub Security Advisory Go"
+ pairs:
+ - bucket: github.com/docker/docker
+ pairs:
+ - key: "GHSA-v23v-6jw2-98fq"
+ value:
+ PatchedVersions:
+ - "23.0.15"
+ - "26.1.5"
+ - "27.1.1"
+ - "25.0.6"
+ VulnerableVersions:
+ - ">=19.03.0, <23.0.15"
+ - ">=26.0.0, <26.1.5"
+ - ">=27.0.0, <27.1.1"
+ - ">=24.0.0, <25.0.6"
+ Custom:
+ Severity: 2
\ No newline at end of file
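Review bot: The file ends without a trailing newline (`\ No newline at end of file`), which will make every later edit to the last line show up as a two-line change; add the newline. Since `Custom: Severity: 2` is the only thing this fixture exists for, a one-line header would tell the next maintainer why it is not merged into an existing Go fixture: `# Advisory carrying a Custom block; TestDriver_Detect uses it to check Custom is passed through to DetectedVulnerability`. The VulnerableVersions ranges are also listed out of order (the 24.x–25.0.x range after 27.x), and the PatchedVersions list follows the same order, which is why the test expects "23.0.15, 26.1.5, 27.1.1, 25.0.6"; sorting both ascending would make it easier to verify that 23.0.15 and later 23.x releases are left uncovered on purpose.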