From 2a577a7bae37e5731dceaea8740683573b6b70a5 Mon Sep 17 00:00:00 2001
From: guoguangwu
Date: Mon, 15 Jul 2024 21:05:42 +0800
Subject: [PATCH 01/16] fix: close file when failed to open gzip (#7164)
Signed-off-by: guoguangwu
---
 pkg/fanal/image/docker.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/fanal/image/docker.go b/pkg/fanal/image/docker.go
index 54096099761f..ea1549b0f910 100644
--- a/pkg/fanal/image/docker.go
+++ b/pkg/fanal/image/docker.go
@@ -35,6 +35,7 @@ func fileOpener(fileName string) func() (io.ReadCloser, error) {
 if utils.IsGzip(br) {
 r, err = gzip.NewReader(br)
 if err != nil {
+ _ = f.Close()
 return nil, xerrors.Errorf("failed to open gzip: %w", err)
 }
 }
From d1ec89d1db4b039f0e31076ccd1ca969fb15628e Mon Sep 17 00:00:00 2001
From: Adam Bloom
Date: Mon, 15 Jul 2024 20:05:34 -0700
Subject: [PATCH 02/16] feat(misconf): enabled China configuration for ACRs (#7156)
---
 pkg/fanal/image/registry/azure/azure.go | 33 ++++++++++++++------
 pkg/fanal/image/registry/azure/azure_test.go | 4 +++
 2 files changed, 28 insertions(+), 9 deletions(-)
diff --git a/pkg/fanal/image/registry/azure/azure.go b/pkg/fanal/image/registry/azure/azure.go
index fe348eaac9f5..3203829f3d3d 100644
--- a/pkg/fanal/image/registry/azure/azure.go
+++ b/pkg/fanal/image/registry/azure/azure.go
@@ -8,6 +8,8 @@ import (
 "strings"
 "github.com/Azure/azure-sdk-for-go/profiles/preview/preview/containerregistry/runtime/containerregistry"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore"
+ "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud"
 "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 "golang.org/x/xerrors" 
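Review bot: The added `_ = f.Close()` releases the file on the gzip failure path, but the discarded Close error deserves a one-line justification so a later cleanup does not turn it into a second error return; e.g. `_ = f.Close() // f is not handed to the caller on this path; the gzip error is the one to report`. fileOpener starts and ends outside this hunk, so it is worth confirming that every other error return between opening f and the successful return (whatever produces br, for instance) also closes f, since the commit only covers the gzip branch.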
@@ -17,28 +19,41 @@ import (
 type Registry struct {
 domain string
+ scope string
+ cloud cloud.Configuration
 }
 const (
- azureURL = ".azurecr.io"
- scope = "https://management.azure.com/.default"
- scheme = "https"
+ azureURL = ".azurecr.io"
+ chinaAzureURL = ".azurecr.cn"
+ scope = "https://management.azure.com/.default"
+ chinaScope = "https://management.chinacloudapi.cn/.default"
+ scheme = "https"
 )
 func (r *Registry) CheckOptions(domain string, _ types.RegistryOptions) error {
- if !strings.HasSuffix(domain, azureURL) {
- return xerrors.Errorf("Azure registry: %w", types.InvalidURLPattern)
+ if strings.HasSuffix(domain, azureURL) {
+ r.domain = domain
+ r.scope = scope
+ r.cloud = cloud.AzurePublic
+ return nil
+ } else if strings.HasSuffix(domain, chinaAzureURL) {
+ r.domain = domain
+ r.scope = chinaScope
+ r.cloud = cloud.AzureChina
+ return nil
 }
- r.domain = domain
- return nil
+
+ return xerrors.Errorf("Azure registry: %w", types.InvalidURLPattern)
 }
 func (r *Registry) GetCredential(ctx context.Context) (string, string, error) {
- cred, err := azidentity.NewDefaultAzureCredential(nil)
+ opts := azcore.ClientOptions{Cloud: r.cloud}
+ cred, err := azidentity.NewDefaultAzureCredential(&azidentity.DefaultAzureCredentialOptions{ClientOptions: opts})
 if err != nil {
 return "", "", xerrors.Errorf("unable to generate acr credential error: %w", err)
 }
- aadToken, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{scope}})
+ aadToken, err := cred.GetToken(ctx, policy.TokenRequestOptions{Scopes: []string{r.scope}})
 if err != nil {
 return "", "", xerrors.Errorf("unable to get an access token: %w", err)
 }
diff --git a/pkg/fanal/image/registry/azure/azure_test.go b/pkg/fanal/image/registry/azure/azure_test.go
index c8c48574b61b..0fb4839e8fee 100644
--- a/pkg/fanal/image/registry/azure/azure_test.go
+++ b/pkg/fanal/image/registry/azure/azure_test.go 
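Review bot: GetCredential now reads r.scope and r.cloud, so a Registry on which CheckOptions has not succeeded requests a token with `Scopes: []string{""}` and a zero cloud.Configuration, where the old code always used the fixed scope constant; if any caller can reach GetCredential without a prior successful CheckOptions (not visible here), an explicit guard such as `if r.scope == "" { return "", "", xerrors.New("azure registry: CheckOptions must succeed before GetCredential") }` turns a confusing token-endpoint error into a clear one. On style, CheckOptions uses `else if` after a `return nil` and assigns r.domain in both branches; a bare switch keeps the happy path flat and sets the domain once, as below.
```go
func (r *Registry) CheckOptions(domain string, _ types.RegistryOptions) error {
	switch {
	case strings.HasSuffix(domain, azureURL):
		r.scope, r.cloud = scope, cloud.AzurePublic
	case strings.HasSuffix(domain, chinaAzureURL):
		r.scope, r.cloud = chinaScope, cloud.AzureChina
	default:
		return xerrors.Errorf("Azure registry: %w", types.InvalidURLPattern)
	}
	r.domain = domain
	return nil
}
```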
@@ -20,6 +20,10 @@ func TestRegistry_CheckOptions(t *testing.T) {
 name: "happy path",
 domain: "test.azurecr.io",
 },
+ {
+ name: "china happy path",
+ domain: "test.azurecr.cn",
+ },
 {
 name: "invalidURL",
 domain: "not-azurecr.io",
From 7066f5e674e469d09b81a4e3381c19cdd240ae81 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 16 Jul 2024 07:15:08 +0400
Subject: [PATCH 03/16] chore(deps): bump the aws group with 6 updates (#7166)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 26 +++++++++++++-------------
 go.sum | 52 ++++++++++++++++++++++++++--------------------------
 2 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/go.mod b/go.mod
index 6ff9ddf6e50a..98dab8d4fff2 100644
--- a/go.mod
+++ b/go.mod
@@ -29,13 +29,13 @@ require (
 github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b
- github.com/aws/aws-sdk-go-v2 v1.30.1
- github.com/aws/aws-sdk-go-v2/config v1.27.24
- github.com/aws/aws-sdk-go-v2/credentials v1.17.24
- github.com/aws/aws-sdk-go-v2/service/ec2 v1.168.0
- github.com/aws/aws-sdk-go-v2/service/ecr v1.30.1
- github.com/aws/aws-sdk-go-v2/service/s3 v1.58.0
- github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 // indirect
+ github.com/aws/aws-sdk-go-v2 v1.30.3
+ github.com/aws/aws-sdk-go-v2/config v1.27.26
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.26
+ github.com/aws/aws-sdk-go-v2/service/ec2 v1.170.0
+ github.com/aws/aws-sdk-go-v2/service/ecr v1.30.3
+ github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2
+ github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
 github.com/aws/smithy-go v1.20.3
 github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c
 github.com/bmatcuk/doublestar/v4 v4.6.1 
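Review bot: The new table entry only asserts that `test.azurecr.cn` is accepted, while the behaviour this patch introduces is the selection of chinaScope and cloud.AzureChina on the receiver; unless the assertion section of TestRegistry_CheckOptions (outside this hunk) already inspects the Registry, adding wantScope/wantCloud columns to the table and comparing them with r.scope and r.cloud after CheckOptions would pin the regional mapping rather than just the suffix check. A third case for a domain that matches neither suffix already exists below, so only the positive mapping is untested.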
@@ -169,15 +169,15 @@ require (
 github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/aws/aws-sdk-go v1.54.6 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.22.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
 github.com/briandowns/spinner v1.23.0 // indirect
diff --git a/go.sum b/go.sum
index 8dabdd85f5e4..114f8585b370 100644
--- a/go.sum
+++ b/go.sum 
@@ -789,38 +789,38 @@ github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g= github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= -github.com/aws/aws-sdk-go-v2 v1.30.1 h1:4y/5Dvfrhd1MxRDD77SrfsDaj8kUkkljU7XE83NPV+o= -github.com/aws/aws-sdk-go-v2 v1.30.1/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc= -github.com/aws/aws-sdk-go-v2/config v1.27.24 h1:NM9XicZ5o1CBU/MZaHwFtimRpWx9ohAUAqkG6AqSqPo= -github.com/aws/aws-sdk-go-v2/config v1.27.24/go.mod h1:aXzi6QJTuQRVVusAO8/NxpdTeTyr/wRcybdDtfUwJSs= -github.com/aws/aws-sdk-go-v2/credentials v1.17.24 h1:YclAsrnb1/GTQNt2nzv+756Iw4mF8AOzcDfweWwwm/M= -github.com/aws/aws-sdk-go-v2/credentials v1.17.24/go.mod h1:Hld7tmnAkoBQdTMNYZGzztzKRdA4fCdn9L83LOoigac= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 h1:Aznqksmd6Rfv2HQN9cpqIV/lQRMaIpJkLLaJ1ZI76no= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9/go.mod h1:WQr3MY7AxGNxaqAtsDWn+fBxmd4XvLkzeqQ8P1VM0/w= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 h1:5SAoZ4jYpGH4721ZNoS1znQrhOfZinOhc4XuTXx/nVc= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13/go.mod h1:+rdA6ZLpaSeM7tSg/B0IEDinCIBJGmW8rKDFkYpP04g= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 h1:WIijqeaAO7TYFLbhsZmi2rgLEAtWOC1LhxCAVTJlSKw= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13/go.mod h1:i+kbfa76PQbWw/ULoWnp51EYVWH4ENln76fLQE3lXT8= +github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY= +github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc= +github.com/aws/aws-sdk-go-v2/config v1.27.26 h1:T1kAefbKuNum/AbShMsZEro6eRkeOT8YILfE9wyjAYQ= +github.com/aws/aws-sdk-go-v2/config v1.27.26/go.mod h1:ivWHkAWFrw/nxty5Fku7soTIVdqZaZ7dw+tc5iGW3GA= 
+github.com/aws/aws-sdk-go-v2/credentials v1.17.26 h1:tsm8g/nJxi8+/7XyJJcP2dLrnK/5rkFp6+i2nhmz5fk= +github.com/aws/aws-sdk-go-v2/credentials v1.17.26/go.mod h1:3vAM49zkIa3q8WT6o9Ve5Z0vdByDMwmdScO0zvThTgI= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 h1:KreluoV8FZDEtI6Co2xuNk/UqI9iwMrOx/87PBNIKqw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11/go.mod h1:SeSUYBLsMYFoRvHE0Tjvn7kbxaUhl75CJi1sbfhMxkU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 h1:SoNJ4RlFEQEbtDcCEt+QG56MY4fm4W8rYirAmq+/DdU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15/go.mod h1:U9ke74k1n2bf+RIgoX1SXFed1HLs51OgUSs+Ph0KJP8= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 h1:C6WHdGnTDIYETAm5iErQUiVNsclNx9qbJVPIt03B6bI= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15/go.mod h1:ZQLZqhcu+JhSrA9/NXRm8SkDvsycE+JkV3WGY41e+IM= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7 h1:CRzzXjmgx9p362yO39D6hbZULdMI23gaKqSxijJCXHM= github.com/aws/aws-sdk-go-v2/service/ebs v1.21.7/go.mod h1:wnsHqpi3RgDwklS5SPHUgjcUUpontGPKJ+GJYOdV7pY= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.168.0 h1:xOPq0agGC1WMZvFpSZCKEjDVAQnLPZJZGvjuPVF2t9M= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.168.0/go.mod h1:CtLD6CPq9z9dyMxV+H6/M5d9+/ea3dO80um029GXqV0= -github.com/aws/aws-sdk-go-v2/service/ecr v1.30.1 h1:zV3FlyuyPzfyFOXKu6mJW9JBGzdtOgpdlj3va+naOD8= -github.com/aws/aws-sdk-go-v2/service/ecr v1.30.1/go.mod h1:l0zC7cSb2vAH1fr8+BRlolWT9cwlKpbRC8PjW6tyyIU= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.170.0 h1:zPwhEYn3Y83mnnr9QG+i6NTiAbVbcJe6RpCSJKHIQNE= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.170.0/go.mod h1:9KdiRVKTZyPRTlbX3i41FxTV+5OatZ7xOJCN4lleX7g= +github.com/aws/aws-sdk-go-v2/service/ecr v1.30.3 h1:+v2hv29pWaVDASIScHuUhDC93nqJGVlGf6cujrJMHZE= 
+github.com/aws/aws-sdk-go-v2/service/ecr v1.30.3/go.mod h1:RhaP7Wil0+uuuhiE4FzOOEFZwkmFAk1ZflXzK+O3ptU= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 h1:I9zMeF107l0rJrpnHpjEiiTSCKYAIw8mALiXcPsGBiA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15/go.mod h1:9xWJ3Q/S6Ojusz1UIkfycgD1mGirJfLLKqq3LPT7WN8= -github.com/aws/aws-sdk-go-v2/service/s3 v1.58.0 h1:4rhV0Hn+bf8IAIUphRX1moBcEvKJipCPmswMCl6Q5mw= -github.com/aws/aws-sdk-go-v2/service/s3 v1.58.0/go.mod h1:hdV0NTYd0RwV4FvNKhKUNbPLZoq9CTr/lke+3I7aCAI= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 h1:p1GahKIjyMDZtiKoIn0/jAj/TkMzfzndDv5+zi2Mhgc= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.1/go.mod h1:/vWdhoIoYA5hYoPZ6fm7Sv4d8701PiG5VKe8/pPJL60= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2 h1:ORnrOK0C4WmYV/uYt3koHEWBLYsRDwk2Np+eEoyV4Z0= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.2/go.mod h1:xyFHA4zGxgYkdD73VeezHt3vSKEG9EmFnGwoKlP00u4= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 h1:+woJ607dllHJQtsnJLi52ycuqHMwlW+Wqm2Ppsfp4nQ= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.1/go.mod h1:jiNR3JqT15Dm+QWq2SRgh0x0bCNSRP2L25+CqPNpJlQ= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 h1:HGErhhrxZlQ044RiM+WdoZxp0p+EGM62y3L6pwA4olE= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17/go.mod h1:RkZEx4l0EHYDJpWppMJ3nD9wZJAa8/0lq9aVC+r2UII= +github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2 h1:sZXIzO38GZOU+O0C+INqbH7C2yALwfMWpd64tONS/NE= +github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2/go.mod h1:Lcxzg5rojyVPU/0eFwLtcyTaek/6Mtic5B1gJo7e/zE= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.3 h1:Fv1vD2L65Jnp5QRsdiM64JvUM4Xe+E0JyVsRQKv6IeA= +github.com/aws/aws-sdk-go-v2/service/sso 
v1.22.3/go.mod h1:ooyCOXjvJEsUw7x+ZDHeISPMhtwI3ZCB7ggFMcFfWLU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 h1:yiwVzJW2ZxZTurVbYWA7QOrAaCYQR72t0wrSBfoesUE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4/go.mod h1:0oxfLkpz3rQ/CHlx5hB7H69YUpFiI1tql6Q6Ne+1bCw=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 h1:ZsDKRLXGWHk8WdtyYMoGNO7bTudrvuKpDKgMVRlepGE=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.3/go.mod h1:zwySh8fpFyXp9yOr/KVzxOl8SRqgf/IDw5aUt9UKFcQ=
 github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE=
 github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
From c8a7abd3b508975fcf10c254d13d1a2cd42da657 Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Tue, 16 Jul 2024 12:20:13 +0700
Subject: [PATCH 04/16] fix: add missing platform and type to spec (#7149)
Signed-off-by: nikpivkin
---
 pkg/iac/types/compliance.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/pkg/iac/types/compliance.go b/pkg/iac/types/compliance.go
index 42636fffe544..5bb0fa346975 100644
--- a/pkg/iac/types/compliance.go
+++ b/pkg/iac/types/compliance.go
@@ -21,7 +21,9 @@ type Spec struct {
 Title string `yaml:"title"`
 Description string `yaml:"description"`
 Version string `yaml:"version"`
- RelatedResources []string `yaml:"relatedResources"`
+ Platform string `yaml:"platform"`
+ Type string `yaml:"type"`
+ RelatedResources []string `yaml:"relatedResources,omitempty"`
 Controls []Control `yaml:"controls"`
 } 
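Review bot: Platform and Type are new exported fields of Spec with neither a doc comment nor `omitempty`, so every marshalled spec now carries `platform: ""` and `type: ""` when they are unset, while RelatedResources in the same hunk gains `omitempty`; if the two fields are meant to be mandatory, a comment saying so is needed (and the place they are validated is not visible here), otherwise `omitempty` keeps them consistent with the list fields. A comment such as `// Platform and Type identify what the compliance spec applies to.` is the minimum; state that they are required only if something actually enforces it. The following compliance.go hunk (Control) only adds `omitempty` and needs nothing further.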
@@ -30,8 +32,8 @@ type Control struct {
 ID string `yaml:"id"`
 Name string `yaml:"name"`
 Description string `yaml:"description,omitempty"`
- Checks []SpecCheck `yaml:"checks"`
- Commands []Command `yaml:"commands"`
+ Checks []SpecCheck `yaml:"checks,omitempty"`
+ Commands []Command `yaml:"commands,omitempty"`
 Severity Severity `yaml:"severity"`
 DefaultStatus ControlStatus `yaml:"defaultStatus,omitempty"`
 }
From b76a7250912cfc028cfef743f0f98cd81b39f8aa Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Tue, 16 Jul 2024 13:44:10 +0600
Subject: [PATCH 05/16] chore(deps): bump goreleaser from `v2.0.0` to `v2.1.0` (#7162)
---
 .github/workflows/reusable-release.yaml | 2 +-
 .github/workflows/test.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml
index e308aba0a2db..0f7064ee18e1 100644
--- a/.github/workflows/reusable-release.yaml
+++ b/.github/workflows/reusable-release.yaml
@@ -91,7 +91,7 @@ jobs:
 - name: GoReleaser
 uses: goreleaser/goreleaser-action@v6
 with:
- version: v2.0.0
+ version: v2.1.0
 args: release -f=${{ inputs.goreleaser_config}} ${{ inputs.goreleaser_options}}
 env:
 GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 441d37e735ab..2ff471be1c7d 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -178,5 +178,5 @@ jobs:
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v6
 with:
- version: v2.0.0
+ version: v2.1.0
 args: build --snapshot --clean --timeout 90m ${{ steps.goreleaser_id.outputs.id }}
From 5bc662be9a8f072599f90abfd3b400c8ab055ed6 Mon Sep 17 00:00:00 2001 
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Mon, 22 Jul 2024 08:44:44 +0500
Subject: [PATCH 06/16] fix(dotnet): don't include non-runtime libraries into report for `*.deps.json` files (#7039)
---
 docs/docs/coverage/language/dotnet.md | 3 +
 integration/testdata/dotnet.json.golden | 6 +-
 pkg/dependency/id.go | 3 +-
 .../parser/dotnet/core_deps/parse.go | 68 ++++++++--
 .../parser/dotnet/core_deps/parse_test.go | 68 ++++++++--
 ...{ExampleApp1.deps.json => happy.deps.json} | 0
 ...nvalidJson.deps.json => invalid.deps.json} | 0
 ...aries.deps.json => no-libraries.deps.json} | 0
 .../testdata/without-runtime.deps.json | 116 ++++++++++++++++++
 .../language/dotnet/deps/deps_test.go | 1 +
 10 files changed, 244 insertions(+), 21 deletions(-)
 rename pkg/dependency/parser/dotnet/core_deps/testdata/{ExampleApp1.deps.json => happy.deps.json} (100%)
 rename pkg/dependency/parser/dotnet/core_deps/testdata/{InvalidJson.deps.json => invalid.deps.json} (100%)
 rename pkg/dependency/parser/dotnet/core_deps/testdata/{NoLibraries.deps.json => no-libraries.deps.json} (100%)
 create mode 100644 pkg/dependency/parser/dotnet/core_deps/testdata/without-runtime.deps.json
diff --git a/docs/docs/coverage/language/dotnet.md b/docs/docs/coverage/language/dotnet.md
index 0a05454365e9..311e5c010b2d 100644
--- a/docs/docs/coverage/language/dotnet.md
+++ b/docs/docs/coverage/language/dotnet.md
@@ -21,6 +21,9 @@ The following table provides an outline of the features Trivy offers.
 ## *.deps.json
 Trivy parses `*.deps.json` files. Trivy currently excludes dev dependencies from the report.
+!!! note
+ Trivy only includes runtime dependencies in the report.
+
 ## packages.config
 Trivy only finds dependency names and versions from `packages.config` files. To build dependency graph, it is better to use `packages.lock.json` files.
diff --git a/integration/testdata/dotnet.json.golden b/integration/testdata/dotnet.json.golden
index 778b1270fcf2..4c76a08fc300 100644 
--- a/integration/testdata/dotnet.json.golden
+++ b/integration/testdata/dotnet.json.golden
@@ -22,10 +22,11 @@
 "Type": "dotnet-core",
 "Packages": [
 {
+ "ID": "Newtonsoft.Json/9.0.1",
 "Name": "Newtonsoft.Json",
 "Identifier": {
 "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
- "UID": "19955f480b8a6340"
+ "UID": "e678401f5d07418a"
 },
 "Version": "9.0.1",
 "Layer": {},
@@ -40,10 +41,11 @@
 "Vulnerabilities": [
 {
 "VulnerabilityID": "GHSA-5crp-9r3c-p9vr",
+ "PkgID": "Newtonsoft.Json/9.0.1",
 "PkgName": "Newtonsoft.Json",
 "PkgIdentifier": {
 "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1",
- "UID": "19955f480b8a6340"
+ "UID": "e678401f5d07418a"
 },
 "InstalledVersion": "9.0.1",
 "FixedVersion": "13.0.1",
diff --git a/pkg/dependency/id.go b/pkg/dependency/id.go
index 577ed5d0ac41..77dd85bed3e0 100644
--- a/pkg/dependency/id.go
+++ b/pkg/dependency/id.go
@@ -20,7 +20,8 @@ func ID(ltype types.LangType, name, version string) string {
 sep := "@"
 switch ltype {
- case types.Conan:
+ // cf. https://github.com/dotnet/sdk/blob/529132850841a6bcfce96799262ce688e3851875/documentation/specs/runtime-configuration-file.md#targets-section-depsjson
+ case types.Conan, types.DotNetCore:
 sep = "/"
 case types.GoModule, types.GoBinary:
 // Return a module ID according the Go way.
diff --git a/pkg/dependency/parser/dotnet/core_deps/parse.go b/pkg/dependency/parser/dotnet/core_deps/parse.go
index 4314e9af9b3d..7fc8d3df5d5e 100644
--- a/pkg/dependency/parser/dotnet/core_deps/parse.go
+++ b/pkg/dependency/parser/dotnet/core_deps/parse.go 
@@ -2,23 +2,51 @@ package core_deps
 import (
 "io"
+ "sort"
 "strings"
+ "sync"
 "github.com/liamg/jfather"
+ "github.com/samber/lo"
 "golang.org/x/xerrors"
+ "github.com/aquasecurity/trivy/pkg/dependency"
 ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 "github.com/aquasecurity/trivy/pkg/log"
 xio "github.com/aquasecurity/trivy/pkg/x/io"
 )
+type dotNetDependencies struct {
+ Libraries map[string]dotNetLibrary `json:"libraries"`
+ RuntimeTarget RuntimeTarget `json:"runtimeTarget"`
+ Targets map[string]map[string]TargetLib `json:"targets"`
+}
+
+type dotNetLibrary struct {
+ Type string `json:"type"`
+ StartLine int
+ EndLine int
+}
+
+type RuntimeTarget struct {
+ Name string `json:"name"`
+}
+
+type TargetLib struct {
+ Runtime any `json:"runtime"`
+ RuntimeTargets any `json:"runtimeTargets"`
+ Native any `json:"native"`
+}
+
 type Parser struct {
 logger *log.Logger
+ once sync.Once
 }
 func NewParser() *Parser {
 return &Parser{
 logger: log.WithPrefix("dotnet"),
+ once: sync.Once{},
 }
 }
@@ -29,11 +57,11 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 if err != nil {
 return nil, nil, xerrors.Errorf("read error: %w", err)
 }
- if err := jfather.Unmarshal(input, &depsFile); err != nil {
+ if err = jfather.Unmarshal(input, &depsFile); err != nil {
 return nil, nil, xerrors.Errorf("failed to decode .deps.json file: %w", err)
 }
- var pkgs []ftypes.Package
+ var pkgs ftypes.Packages
 for nameVer, lib := range depsFile.Libraries {
 if !strings.EqualFold(lib.Type, "package") {
 continue 
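Review bot: `once: sync.Once{}` in NewParser is redundant, since the zero value of sync.Once is ready to use and the composite literal already leaves the field zeroed; dropping that line avoids suggesting that the Once needs initialisation. RuntimeTarget and TargetLib are newly exported from the package without doc comments, while the sibling decode targets dotNetDependencies and dotNetLibrary stay unexported; either unexport them too or add e.g. `// TargetLib is one entry of a target in a .deps.json file; the parser only inspects whether its sections are present.` Adding a sync.Once to Parser also means the struct must not be copied; NewParser returns a pointer, so that holds as long as callers keep it that way.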
@@ -46,7 +74,20 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 continue
 }
+ // Take target libraries for RuntimeTarget
+ if targetLibs, ok := depsFile.Targets[depsFile.RuntimeTarget.Name]; !ok {
+ // If the target is not found, take all dependencies
+ p.once.Do(func() {
+ p.logger.Debug("Unable to find `Target` for Runtime Target Name. All dependencies from `libraries` section will be included in the report", log.String("Runtime Target Name", depsFile.RuntimeTarget.Name))
+ })
+ } else if !p.isRuntimeLibrary(targetLibs, nameVer) {
+ // Skip non-runtime libraries
+ // cf. https://github.com/aquasecurity/trivy/pull/7039#discussion_r1674566823
+ continue
+ }
+
 pkgs = append(pkgs, ftypes.Package{
+ ID: dependency.ID(ftypes.DotNetCore, split[0], split[1]),
 Name: split[0],
 Version: split[1],
 Locations: []ftypes.Location{ 
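Review bot: Both debug messages go through the single `p.once` — the "Unable to find `Target`" one here and the "Library not found in `Target` section" one in isRuntimeLibrary in the next hunk — so once either has fired on a Parser the other can never be emitted for that Parser's lifetime, and if one Parser instance parses many files (likely if NewParser is called once per analyzer, which is not visible here) the runtime target name of later files is never reported either. If the intent is one message per situation, give each its own field, `targetOnce, libOnce sync.Once`; if the intent is one message per file, a local bool in Parse is simpler than sync.Once. The lookup `depsFile.Targets[depsFile.RuntimeTarget.Name]` is also evaluated once per library inside the loop; hoisting it above the `for` keeps the per-library body to the isRuntimeLibrary decision. Parse starts and ends outside this hunk.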
@@ -58,17 +99,24 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 })
 }
+ sort.Sort(pkgs)
 return pkgs, nil, nil
 }
-type dotNetDependencies struct {
- Libraries map[string]dotNetLibrary `json:"libraries"`
-}
-
-type dotNetLibrary struct {
- Type string `json:"type"`
- StartLine int
- EndLine int
+// isRuntimeLibrary returns true if library contains `runtime`, `runtimeTarget` or `native` sections, or if the library is missing from `targetLibs`.
+// See https://github.com/aquasecurity/trivy/discussions/4282#discussioncomment-8830365 for more details.
+func (p *Parser) isRuntimeLibrary(targetLibs map[string]TargetLib, library string) bool {
+ lib, ok := targetLibs[library]
+ // Selected target doesn't contain library
+ // Mark these libraries as runtime to avoid mistaken omission
+ if !ok {
+ p.once.Do(func() {
+ p.logger.Debug("Unable to determine that this is runtime library. Library not found in `Target` section.", log.String("Library", library))
+ })
+ return true
+ }
+ // Check that `runtime`, `runtimeTarget` and `native` sections are not empty
+ return !lo.IsEmpty(lib)
 }
 // UnmarshalJSONWithMetadata needed to detect start and end lines of deps
diff --git a/pkg/dependency/parser/dotnet/core_deps/parse_test.go b/pkg/dependency/parser/dotnet/core_deps/parse_test.go
index a495fe0d61fe..82bf0e0a1d47 100644
--- a/pkg/dependency/parser/dotnet/core_deps/parse_test.go
+++ b/pkg/dependency/parser/dotnet/core_deps/parse_test.go
@@ -2,7 +2,6 @@ package core_deps
 import (
 "os"
- "path"
 "sort"
 "testing" 
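Review bot: The doc comment on isRuntimeLibrary, and the inline comment above the return, name a `runtimeTarget` section, but the TargetLib struct tag (earlier hunk) and the new testdata use `runtimeTargets`, so both comments should read `runtime`, `runtimeTargets` or `native`. `!lo.IsEmpty(lib)` is true as soon as any of the three `any` fields holds a non-nil value; whether an explicitly empty object such as `"runtime": {}` decodes to a non-nil value with jfather is not visible here, so "sections are not empty" overstates what is tested — "at least one of the sections is present" is the accurate wording. Since `sort.Sort(pkgs)` now fixes the output order, Parse's doc comment (outside this hunk, if it has one) should mention that the result is sorted.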
@@ -13,29 +12,82 @@ import (
 )
 func TestParse(t *testing.T) {
- vectors := []struct {
+ tests := []struct {
+ name string
 file string // Test input file
 want []ftypes.Package
 wantErr string
 }{
 {
- file: "testdata/ExampleApp1.deps.json",
+ name: "happy path",
+ file: "testdata/happy.deps.json",
 want: []ftypes.Package{
- {Name: "Newtonsoft.Json", Version: "13.0.1", Locations: []ftypes.Location{{StartLine: 33, EndLine: 39}}},
+ {
+ ID: "Newtonsoft.Json/13.0.1",
+ Name: "Newtonsoft.Json",
+ Version: "13.0.1",
+ Locations: []ftypes.Location{
+ {
+ StartLine: 33,
+ EndLine: 39,
+ },
+ },
+ },
 },
 },
 {
- file: "testdata/NoLibraries.deps.json",
+ name: "happy path with skipped libs",
+ file: "testdata/without-runtime.deps.json",
+ want: []ftypes.Package{
+ {
+ ID: "JsonDiffPatch/2.0.61",
+ Name: "JsonDiffPatch",
+ Version: "2.0.61",
+ Locations: []ftypes.Location{
+ {
+ StartLine: 66,
+ EndLine: 72,
+ },
+ },
+ },
+ {
+ ID: "Libuv/1.9.1",
+ Name: "Libuv",
+ Version: "1.9.1",
+ Locations: []ftypes.Location{
+ {
+ StartLine: 73,
+ EndLine: 79,
+ },
+ },
+ },
+ {
+ ID: "System.Collections.Immutable/1.3.0",
+ Name: "System.Collections.Immutable",
+ Version: "1.3.0",
+ Locations: []ftypes.Location{
+ {
+ StartLine: 101,
+ EndLine: 107,
+ },
+ },
+ },
+ },
+ },
+ {
+ name: "happy path without libs",
+ file: "testdata/no-libraries.deps.json",
 want: nil,
 },
 {
- file: "testdata/InvalidJson.deps.json",
+ name: "sad path",
+ file: "testdata/invalid.deps.json",
 wantErr: "failed to decode .deps.json file: EOF",
 },
 }
- for _, tt := range vectors {
- t.Run(path.Base(tt.file), func(t *testing.T) {
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
 f, err := os.Open(tt.file)
 require.NoError(t, err) 
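Review bot: The new `without-runtime.deps.json` case covers the "target found, library has no runtime sections" branch, but the two new branches that keep a package — `runtimeTarget.name` absent from `targets` (all libraries kept, with the debug log) and a library listed in `libraries` but missing from the selected target — have no table entry, so a regression in either would still pass; unless `happy.deps.json` (not visible here) exercises one of them, two small fixtures, or one that combines both, would close the gap. The assertion part of TestParse continues outside this hunk.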
diff --git a/pkg/dependency/parser/dotnet/core_deps/testdata/ExampleApp1.deps.json b/pkg/dependency/parser/dotnet/core_deps/testdata/happy.deps.json
similarity index 100%
rename from pkg/dependency/parser/dotnet/core_deps/testdata/ExampleApp1.deps.json
rename to pkg/dependency/parser/dotnet/core_deps/testdata/happy.deps.json
diff --git a/pkg/dependency/parser/dotnet/core_deps/testdata/InvalidJson.deps.json b/pkg/dependency/parser/dotnet/core_deps/testdata/invalid.deps.json
similarity index 100%
rename from pkg/dependency/parser/dotnet/core_deps/testdata/InvalidJson.deps.json
rename to pkg/dependency/parser/dotnet/core_deps/testdata/invalid.deps.json
diff --git a/pkg/dependency/parser/dotnet/core_deps/testdata/NoLibraries.deps.json b/pkg/dependency/parser/dotnet/core_deps/testdata/no-libraries.deps.json
similarity index 100%
rename from pkg/dependency/parser/dotnet/core_deps/testdata/NoLibraries.deps.json
rename to pkg/dependency/parser/dotnet/core_deps/testdata/no-libraries.deps.json
diff --git a/pkg/dependency/parser/dotnet/core_deps/testdata/without-runtime.deps.json b/pkg/dependency/parser/dotnet/core_deps/testdata/without-runtime.deps.json
new file mode 100644
index 000000000000..ba882c61cb5f
--- /dev/null
+++ b/pkg/dependency/parser/dotnet/core_deps/testdata/without-runtime.deps.json 
@@ -0,0 +1,116 @@ +{ + "runtimeTarget": { + "name": ".NETCoreApp,Version=v6.0", + "signature": "" + }, + "compilationOptions": {}, + "targets": { + ".NETCoreApp,Version=v6.0": { + "hello2/1.0.0": { + "dependencies": { + "JsonDiffPatch": "2.0.61" + }, + "runtime": { + "hello2.dll": {} + } + }, + "JsonDiffPatch/2.0.61": { + "dependencies": { + "Microsoft.NETCore.App": "1.1.2" + }, + "runtime": { + "lib/netcoreapp1.1/JsonDiffPatch.dll": { + "assemblyVersion": "1.0.0.0", + "fileVersion": "1.0.0.0" + } + } + }, + "Libuv/1.9.1": { + "dependencies": { + "Microsoft.NETCore.Platforms": "1.1.0" + }, + "runtimeTargets": { + "runtimes/debian-x64/native/libuv.so": { + "rid": "debian-x64", + "assetType": "native", + "fileVersion": "0.0.0.0" + }, + "runtimes/fedora-x64/native/libuv.so": { + "rid": "fedora-x64", + "assetType": "native", + "fileVersion": "0.0.0.0" + } + } + }, + "Microsoft.NETCore.App/1.1.2": { + "dependencies": { + "Libuv": "1.9.1", + "System.Collections.Immutable": "1.3.0" + } + }, + "Microsoft.NETCore.Platforms/1.1.0": {}, + "NETStandard.Library/1.6.0": { + "dependencies": { + "System.Net.Http": "4.1.0" + } + }, + "System.Net.Http/4.1.0": {} + } + }, + "libraries": { + "hello2/1.0.0": { + "type": "project", + "serviceable": false, + "sha512": "" + }, + "JsonDiffPatch/2.0.61": { + "type": "package", + "serviceable": true, + "sha512": "sha512-nZ4QtcU3jR+CBT69qcJBvCcWi5uKgPRrrvSMm4V8Z76ljJ/MFo1P55qXk/nQY0q0WC4v94m5qH4SDhovFfci+Q==", + "path": "jsondiffpatch/2.0.61", + "hashPath": "jsondiffpatch.2.0.61.nupkg.sha512" + }, + "Libuv/1.9.1": { + "type": "package", + "serviceable": true, + "sha512": "sha512-uqX2Frwf9PW8MaY7PRNY6HM5BpW1D8oj1EdqzrmbEFD5nH63Yat3aEjN/tws6Tw6Fk7LwmLBvtUh32tTeTaHiA==", + "path": "libuv/1.9.1", + "hashPath": "libuv.1.9.1.nupkg.sha512" + }, + "Microsoft.NETCore.App/1.1.2": { + "type": "package", + "serviceable": true, + "sha512": "sha512-fcN0Ob6rjY7Zu0770cA5l9wRJvj7+ltJPPdryUidejkkhao+y2AYrtezBTlP9nCSFXLmYR9BtaknORT17x8reA==", + "path": 
"microsoft.netcore.app/1.1.2", + "hashPath": "microsoft.netcore.app.1.1.2.nupkg.sha512" + }, + "Microsoft.NETCore.Platforms/1.1.0": { + "type": "package", + "serviceable": true, + "sha512": "sha512-kz0PEW2lhqygehI/d6XsPCQzD7ff7gUJaVGPVETX611eadGsA3A877GdSlU0LRVMCTH/+P3o2iDTak+S08V2+A==", + "path": "microsoft.netcore.platforms/1.1.0", + "hashPath": "microsoft.netcore.platforms.1.1.0.nupkg.sha512" + }, + "NETStandard.Library/1.6.0": { + "type": "package", + "serviceable": true, + "sha512": "sha512-ypsCvIdCZ4IoYASJHt6tF2fMo7N30NLgV1EbmC+snO490OMl9FvVxmumw14rhReWU3j3g7BYudG6YCrchwHJlA==", + "path": "netstandard.library/1.6.0", + "hashPath": "netstandard.library.1.6.0.nupkg.sha512" + }, + "System.Collections.Immutable/1.3.0": { + "type": "package", + "serviceable": true, + "sha512": "sha512-zukBRPUuNxwy9m4TGWLxKAnoiMc9+B+8VXeXVyPiBPvOd7yLgAlZ1DlsRWJjMx4VsvhhF2+6q6kO2GRbPja6hA==", + "path": "system.collections.immutable/1.3.0", + "hashPath": "system.collections.immutable.1.3.0.nupkg.sha512" + }, + "System.Net.Http/4.1.0": { + "type": "package", + "serviceable": true, + "sha512": "sha512-ULq9g3SOPVuupt+Y3U+A37coXzdNisB1neFCSKzBwo182u0RDddKJF8I5+HfyXqK6OhJPgeoAwWXrbiUXuRDsg==", + "path": "system.net.http/4.1.0", + "hashPath": "system.net.http.4.1.0.nupkg.sha512" + } + } +} \ No newline at end of file diff --git a/pkg/fanal/analyzer/language/dotnet/deps/deps_test.go b/pkg/fanal/analyzer/language/dotnet/deps/deps_test.go index c91d4467320e..d6a86c78084e 100644 --- a/pkg/fanal/analyzer/language/dotnet/deps/deps_test.go +++ b/pkg/fanal/analyzer/language/dotnet/deps/deps_test.go @@ -29,6 +29,7 @@ func Test_depsLibraryAnalyzer_Analyze(t *testing.T) { FilePath: "testdata/datacollector.deps.json", Packages: types.Packages{ { + ID: "Newtonsoft.Json/9.0.1", Name: "Newtonsoft.Json", Version: "9.0.1", Locations: []types.Location{ From 5f78ea4aee9631e08a12492be91a9fd4ef8b384e Mon Sep 17 00:00:00 2001 
From: Nikita Pivkin
Date: Mon, 22 Jul 2024 13:57:28 +0700
Subject: [PATCH 07/16] refactor(fs): remove unused field for CompositeFS (#7195)
Signed-off-by: nikpivkin
---
 pkg/fanal/analyzer/analyzer.go | 2 +-
 pkg/fanal/analyzer/analyzer_test.go | 2 +-
 pkg/fanal/analyzer/fs.go | 4 +---
 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/pkg/fanal/analyzer/analyzer.go b/pkg/fanal/analyzer/analyzer.go
index 119a589190a2..d2d07ffcc733 100644
--- a/pkg/fanal/analyzer/analyzer.go
+++ b/pkg/fanal/analyzer/analyzer.go
@@ -504,7 +504,7 @@ func (ag AnalyzerGroup) PostAnalyze(ctx context.Context, compositeFS *CompositeF
 // PostAnalyzerFS returns a composite filesystem that contains multiple filesystems for each post-analyzer
 func (ag AnalyzerGroup) PostAnalyzerFS() (*CompositeFS, error) {
- return NewCompositeFS(ag)
+ return NewCompositeFS()
 }
 func (ag AnalyzerGroup) filePatternMatch(analyzerType Type, filePath string) bool {
diff --git a/pkg/fanal/analyzer/analyzer_test.go b/pkg/fanal/analyzer/analyzer_test.go
index 671c1050837f..313fccda7e94 100644
--- a/pkg/fanal/analyzer/analyzer_test.go
+++ b/pkg/fanal/analyzer/analyzer_test.go
@@ -614,7 +614,7 @@ func TestAnalyzerGroup_PostAnalyze(t *testing.T) {
 require.NoError(t, err)
 // Create a virtual filesystem
- composite, err := analyzer.NewCompositeFS(analyzer.AnalyzerGroup{})
+ composite, err := analyzer.NewCompositeFS()
 require.NoError(t, err)
 mfs := mapfs.New()
diff --git a/pkg/fanal/analyzer/fs.go b/pkg/fanal/analyzer/fs.go
index 28880b6b0339..4fec721e3cf6 100644
--- a/pkg/fanal/analyzer/fs.go
+++ b/pkg/fanal/analyzer/fs.go 
@@ -15,19 +15,17 @@ import (

 // CompositeFS contains multiple filesystems for post-analyzers
 type CompositeFS struct {
- group AnalyzerGroup
 dir string
 files *sync.Map[Type, *mapfs.FS]
 }

-func NewCompositeFS(group AnalyzerGroup) (*CompositeFS, error) {
+func NewCompositeFS() (*CompositeFS, error) {
 tmpDir, err := os.MkdirTemp("", "analyzer-fs-*")
 if err != nil {
 return nil, xerrors.Errorf("unable to create temporary directory: %w", err)
 }

 return &CompositeFS{
- group: group,
 dir: tmpDir,
 files: new(sync.Map[Type, *mapfs.FS]),
 }, nil
From 5f780450ff19156079172e625dd850c3b03a7280 Mon Sep 17 00:00:00 2001
From: oliverrr <32515201+this-oliver@users.noreply.github.com>
Date: Mon, 22 Jul 2024 08:57:50 +0200
Subject: [PATCH 08/16] docs: updates config file (#7188)

---
 docs/docs/references/configuration/config-file.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md
index f3c0006bfe07..d90ae7b26384 100644
--- a/docs/docs/references/configuration/config-file.md
+++ b/docs/docs/references/configuration/config-file.md
@@ -352,9 +352,9 @@ rego:
 # Default is false
 trace: false

- # Same as '--skip-policy-update'
+ # Same as '--skip-check-update'
 # Default is false
- skip-policy-update: false
+ skip-check-update: false

 # Same as '--config-policy'
 # Default is empty
From 5cbc452a09822d1bf300ead88f0d613d4cf0349a Mon Sep 17 00:00:00 2001
From: Tom Fay Date: Mon, 22 Jul 2024 07:58:53 +0100 Subject: [PATCH 09/16] feat(mariner): Add support for Azure Linux (#7186) Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Co-authored-by: DmitriyLewen --- docs/community/contribute/pr.md | 2 +- .../coverage/os/{cbl-mariner.md => azure.md} | 23 ++++--- docs/docs/coverage/os/index.md | 38 +++++------ docs/docs/scanner/vulnerability.md | 34 +++++----- go.mod | 2 +- go.sum | 4 +- integration/testdata/mariner-1.0.json.golden | 8 +-- mkdocs.yml | 2 +- .../{mariner/mariner.go => azure/azure.go} | 22 ++++-- .../mariner_test.go => azure/azure_test.go} | 60 +++++++++++++++-- .../testdata/fixtures/azure.yaml} | 8 +++ .../azure/testdata/fixtures/data-source.yaml | 21 ++++++ .../testdata/fixtures/invalid.yaml | 0 pkg/detector/ospkg/detect.go | 5 +- .../testdata/fixtures/data-source.yaml | 14 ---- pkg/fanal/analyzer/all/import.go | 1 - pkg/fanal/analyzer/const.go | 1 + pkg/fanal/analyzer/os/mariner/mariner.go | 67 ------------------- pkg/fanal/analyzer/os/mariner/mariner_test.go | 60 ----------------- .../os/mariner/testdata/1.0/mariner-release | 2 - .../os/mariner/testdata/sad/mariner-release | 1 - pkg/fanal/analyzer/os/release/release.go | 4 ++ pkg/fanal/analyzer/os/release/release_test.go | 30 +++++++++ .../os/release/testdata/azurelinux-3.0 | 9 +++ .../analyzer/os/release/testdata/mariner-1.0 | 9 +++ .../analyzer/os/release/testdata/mariner-2.0 | 9 +++ pkg/fanal/types/const.go | 1 + pkg/purl/purl.go | 2 +- 28 files changed, 224 insertions(+), 215 deletions(-) rename docs/docs/coverage/os/{cbl-mariner.md => azure.md} (70%) rename pkg/detector/ospkg/{mariner/mariner.go => azure/azure.go} (81%) rename pkg/detector/ospkg/{mariner/mariner_test.go => azure/azure_test.go} (69%) rename pkg/detector/ospkg/{mariner/testdata/fixtures/mariner.yaml => azure/testdata/fixtures/azure.yaml} (68%) create mode 100644 pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml rename pkg/detector/ospkg/{mariner => 
azure}/testdata/fixtures/invalid.yaml (100%) delete mode 100644 pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml delete mode 100644 pkg/fanal/analyzer/os/mariner/mariner.go delete mode 100644 pkg/fanal/analyzer/os/mariner/mariner_test.go delete mode 100644 pkg/fanal/analyzer/os/mariner/testdata/1.0/mariner-release delete mode 100644 pkg/fanal/analyzer/os/mariner/testdata/sad/mariner-release create mode 100644 pkg/fanal/analyzer/os/release/testdata/azurelinux-3.0 create mode 100644 pkg/fanal/analyzer/os/release/testdata/mariner-1.0 create mode 100644 pkg/fanal/analyzer/os/release/testdata/mariner-2.0 diff --git a/docs/community/contribute/pr.md b/docs/community/contribute/pr.md index 584f502b9fb9..e60b3d987c08 100644 --- a/docs/community/contribute/pr.md +++ b/docs/community/contribute/pr.md @@ -121,7 +121,7 @@ os: - redhat - alma - rocky -- mariner +- azure - oracle - debian - ubuntu diff --git a/docs/docs/coverage/os/cbl-mariner.md b/docs/docs/coverage/os/azure.md similarity index 70% rename from docs/docs/coverage/os/cbl-mariner.md rename to docs/docs/coverage/os/azure.md index 0ca42bbb9993..9b4151a0be3c 100644 --- a/docs/docs/coverage/os/cbl-mariner.md +++ b/docs/docs/coverage/os/azure.md @@ -1,4 +1,7 @@ -# CBL-Mariner +# Azure Linux (CBL-Mariner) + +*CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.* + Trivy supports the following scanners for OS packages. | Version | SBOM | Vulnerability | License | @@ -7,6 +10,8 @@ Trivy supports the following scanners for OS packages. | 1.0 (Distroless) | ✔ | ✔ | | | 2.0 | ✔ | ✔ | ✔ | | 2.0 (Distroless) | ✔ | ✔ | | +| 3.0 | ✔ | ✔ | ✔ | +| 3.0 (Distroless) | ✔ | ✔ | | The following table provides an outline of the targets Trivy supports. 
@@ -15,6 +20,7 @@ The following table provides an outline of the targets Trivy supports. | ------- | :-------------: | :-------------: | :----------: | | 1.0 | ✔ | ✔ | amd64, arm64 | | 2.0 | ✔ | ✔ | amd64, arm64 | +| 3.0 | ✔ | ✔ | amd64, arm64 | The table below outlines the features offered by Trivy. @@ -24,22 +30,22 @@ The table below outlines the features offered by Trivy. | [Dependency graph][dependency-graph] | ✓ | ## SBOM -Trivy detects packages that have been installed through package managers such as `dnf` and `yum`. +Trivy detects packages that have been installed through package managers such as `tdnf`, `dnf` and `yum`. ## Vulnerability -CBL-Mariner offers its own security advisories, and these are utilized when scanning CBL-Mariner for vulnerabilities. +Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities. ### Data Source See [here](../../scanner/vulnerability.md#data-sources). ### Fixed Version -Trivy takes fixed versions from [CBL-Mariner OVAL][oval]. +Trivy takes fixed versions from [Azure Linux OVAL][oval]. ### Severity -Trivy calculates the severity of an issue based on the severity provided in [CBL-Mariner OVAL][oval]. +Trivy calculates the severity of an issue based on the severity provided in [Azure Linux OVAL][oval]. ### Status -Trivy supports the following [vulnerability statuses] for CBL-Mariner. +Trivy supports the following [vulnerability statuses] for Azure Linux. | Status | Supported | | :-----------------: | :-------: | 
@@ -55,12 +61,11 @@ Trivy supports the following [vulnerability statuses] for CBL-Mariner. Trivy identifies licenses by examining the metadata of RPM packages. !!! note - License detection is not supported for CBL-Mariner Distroless. + License detection is not supported for Azure Linux Distroless images. [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies -[cbl-mariner]: https://github.com/microsoft/CBL-Mariner -[oval]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/ +[oval]: https://github.com/microsoft/AzureLinuxVulnerabilityData/ [vulnerability statuses]: ../../configuration/filtering.md#by-status diff --git a/docs/docs/coverage/os/index.md b/docs/docs/coverage/os/index.md index 49982b1b2d69..a28e113f07c9 100644 --- a/docs/docs/coverage/os/index.md +++ b/docs/docs/coverage/os/index.md 
@@ -9,25 +9,25 @@ Trivy supports operating systems for ## Supported OS -| OS | Supported Versions | Package Managers | -|--------------------------------------|-------------------------------------|------------------| -| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk | -| [Wolfi Linux](wolfi.md) | (n/a) | apk | -| [Chainguard](chainguard.md) | (n/a) | apk | -| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm | -| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm | -| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm | -| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm | -| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm | -| [CBL-Mariner](cbl-mariner.md) | 1.0, 2.0 | dnf/yum/rpm | -| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm | -| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm | -| [openSUSE Tumbleweed](suse.md) | (n/a) | zypper/rpm | -| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm | -| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm | -| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg | -| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg | -| [OSs with installed Conda](conda.md) | - | conda | +| OS | Supported Versions | Package Managers | +|---------------------------------------|-------------------------------------|------------------| +| [Alpine Linux](alpine.md) | 2.2 - 2.7, 3.0 - 3.20, edge | apk | +| [Wolfi Linux](wolfi.md) | (n/a) | apk | +| [Chainguard](chainguard.md) | (n/a) | apk | +| [Red Hat Enterprise Linux](rhel.md) | 6, 7, 8 | dnf/yum/rpm | +| [CentOS](centos.md)[^1] | 6, 7, 8 | dnf/yum/rpm | +| [AlmaLinux](alma.md) | 8, 9 | dnf/yum/rpm | +| [Rocky Linux](rocky.md) | 8, 9 | dnf/yum/rpm | +| [Oracle Linux](oracle.md) | 5, 6, 7, 8 | dnf/yum/rpm | +| [Azure Linux (CBL-Mariner)](azure.md) | 1.0, 2.0, 3.0 | tdnf/dnf/yum/rpm | +| [Amazon Linux](amazon.md) | 1, 2, 2023 | dnf/yum/rpm | +| [openSUSE Leap](suse.md) | 42, 15 | zypper/rpm | +| [openSUSE Tumbleweed](suse.md) 
| (n/a) | zypper/rpm | +| [SUSE Enterprise Linux](suse.md) | 11, 12, 15 | zypper/rpm | +| [Photon OS](photon.md) | 1.0, 2.0, 3.0, 4.0 | tndf/yum/rpm | +| [Debian GNU/Linux](debian.md) | 7, 8, 9, 10, 11, 12 | apt/dpkg | +| [Ubuntu](ubuntu.md) | All versions supported by Canonical | apt/dpkg | +| [OSs with installed Conda](conda.md) | - | conda | ## Supported container images diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md index ef233b4db4da..ba612ee06b28 100644 --- a/docs/docs/scanner/vulnerability.md +++ b/docs/docs/scanner/vulnerability.md 
@@ -19,22 +19,22 @@ See [here](../coverage/os/index.md#supported-os) for the supported OSes. ### Data Sources -| OS | Source | -| ------------- | ------------------------------------------------------------ | -| Arch Linux | [Vulnerable Issues][arch] | -| Alpine Linux | [secdb][alpine] | -| Wolfi Linux | [secdb][wolfi] | -| Chainguard | [secdb][chainguard] | -| Amazon Linux | [Amazon Linux Security Center][amazon] | -| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] | -| Ubuntu | [Ubuntu CVE Tracker][ubuntu] | -| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] | -| AlmaLinux | [AlmaLinux Product Errata][alma] | -| Rocky Linux | [Rocky Linux UpdateInfo][rocky] | -| Oracle Linux | [OVAL][oracle] | -| CBL-Mariner | [OVAL][mariner] | -| OpenSUSE/SLES | [CVRF][suse] | -| Photon OS | [Photon Security Advisory][photon] | +| OS | Source | +|---------------------------|--------------------------------------------------------------| +| Arch Linux | [Vulnerable Issues][arch] | +| Alpine Linux | [secdb][alpine] | +| Wolfi Linux | [secdb][wolfi] | +| Chainguard | [secdb][chainguard] | +| Amazon Linux | [Amazon Linux Security Center][amazon] | +| Debian | [Security Bug Tracker][debian-tracker] / [OVAL][debian-oval] | +| Ubuntu | [Ubuntu CVE Tracker][ubuntu] | +| RHEL/CentOS | [OVAL][rhel-oval] / [Security Data][rhel-api] | +| AlmaLinux | [AlmaLinux Product Errata][alma] | +| Rocky Linux | [Rocky Linux UpdateInfo][rocky] | +| Oracle Linux | [OVAL][oracle] | +| Azure Linux (CBL-Mariner) | [OVAL][azure] | +| OpenSUSE/SLES | [CVRF][suse] | +| Photon OS | [Photon Security Advisory][photon] | #### Data Source Selection Trivy **only** consumes security advisories from the sources listed in the above table. 
@@ -288,7 +288,7 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2) [oracle]: https://linux.oracle.com/security/oval/ [suse]: http://ftp.suse.com/pub/projects/security/cvrf/ [photon]: https://packages.vmware.com/photon/photon_cve_metadata/ -[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/ +[azure]: https://github.com/microsoft/AzureLinuxVulnerabilityData/ [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip diff --git a/go.mod b/go.mod index 98dab8d4fff2..b01cd7c01e22 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/aquasecurity/testdocker v0.0.0-20240613070307-2c3868d658ac github.com/aquasecurity/tml v0.6.1 github.com/aquasecurity/trivy-checks v0.13.0 - github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab + github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b github.com/aws/aws-sdk-go-v2 v1.30.3 diff --git a/go.sum b/go.sum index 114f8585b370..0770f06bb8f2 100644 --- a/go.sum +++ b/go.sum 
@@ -771,8 +771,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w= github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E= -github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab h1:EmpLGFgRJOstPWDpL4KW+Xap4zRYxyctXDTj5luMQdE= -github.com/aquasecurity/trivy-db v0.0.0-20240701103400-8e907467e9ab/go.mod h1:f+wSW9D5txv8S+tw4D4WNOibaUJYwvNnQuQlGQ8gO6c= +github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM= +github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7+8rVcqhV6G5bM3KVFyJU= diff --git a/integration/testdata/mariner-1.0.json.golden b/integration/testdata/mariner-1.0.json.golden index 7325bf74f6e6..8805f104c60c 100644 --- a/integration/testdata/mariner-1.0.json.golden +++ b/integration/testdata/mariner-1.0.json.golden @@ -6,7 +6,7 @@ "Metadata": { "OS": { "Family": "cbl-mariner", - "Name": "1.0.20220122" + "Name": "1.0" }, "ImageID": "sha256:8cdcbf18341ed8afa5322e7b0077f8ef3f46896882c921df5f97c51b369f6767", "DiffIDs": [ @@ -34,7 +34,7 @@ }, "Results": [ { - "Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)", + "Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0)", "Class": "os-pkgs", "Type": "cbl-mariner", "Vulnerabilities": [ 
@@ -42,7 +42,7 @@ "VulnerabilityID": "CVE-2022-0261", "PkgName": "vim", "PkgIdentifier": { - "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122", + "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0", "UID": "3f08cd76fa5ba73d" }, "InstalledVersion": "8.2.4081-1.cm1", @@ -79,7 +79,7 @@ "VulnerabilityID": "CVE-2022-0158", "PkgName": "vim", "PkgIdentifier": { - "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122", + "PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0", "UID": "3f08cd76fa5ba73d" }, "InstalledVersion": "8.2.4081-1.cm1", diff --git a/mkdocs.yml b/mkdocs.yml index 2222a30220fb..deddf4a896e4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -75,7 +75,7 @@ nav: - AlmaLinux: docs/coverage/os/alma.md - Alpine Linux: docs/coverage/os/alpine.md - Amazon Linux: docs/coverage/os/amazon.md - - CBL-Mariner: docs/coverage/os/cbl-mariner.md + - Azure Linux (CBL-Mariner): docs/coverage/os/azure.md - CentOS: docs/coverage/os/centos.md - Chainguard: docs/coverage/os/chainguard.md - Conda: docs/coverage/os/conda.md diff --git a/pkg/detector/ospkg/mariner/mariner.go b/pkg/detector/ospkg/azure/azure.go similarity index 81% rename from pkg/detector/ospkg/mariner/mariner.go rename to pkg/detector/ospkg/azure/azure.go index ae9d80157381..98f235353a2d 100644 --- a/pkg/detector/ospkg/mariner/mariner.go +++ b/pkg/detector/ospkg/azure/azure.go @@ -1,4 +1,4 @@ -package mariner +package azure import ( "context" @@ -6,7 +6,7 @@ import ( version "github.com/knqyf263/go-rpm-version" "golang.org/x/xerrors" - "github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner" + "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure" osver "github.com/aquasecurity/trivy/pkg/detector/ospkg/version" ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/aquasecurity/trivy/pkg/log" 
@@ -16,16 +16,24 @@ import (

 // Scanner implements the CBL-Mariner scanner
 type Scanner struct {
- vs mariner.VulnSrc
+ vs azure.VulnSrc
 }

 // NewScanner is the factory method for Scanner
-func NewScanner() *Scanner {
+func newScanner(distribution azure.Distribution) *Scanner {
 return &Scanner{
- vs: mariner.NewVulnSrc(),
+ vs: azure.NewVulnSrc(distribution),
 }
 }

+func NewAzureScanner() *Scanner {
+ return newScanner(azure.Azure)
+}
+
+func NewMarinerScanner() *Scanner {
+ return newScanner(azure.Mariner)
+}
+
 // Detect vulnerabilities in package using CBL-Mariner scanner
 func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 // e.g. 1.0.20210127
@@ -36,10 +44,10 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository

 var vulns []types.DetectedVulnerability
 for _, pkg := range pkgs {
- // CBL Mariner OVAL contains source package names only.
+ // Azure Linux OVAL contains source package names only.
 advisories, err := s.vs.Get(osVer, pkg.SrcName)
 if err != nil {
- return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
+ return nil, xerrors.Errorf("failed to get Azure Linux advisories: %w", err)
 }

 sourceVersion := version.NewVersion(utils.FormatSrcVersion(pkg))
diff --git a/pkg/detector/ospkg/mariner/mariner_test.go b/pkg/detector/ospkg/azure/azure_test.go
similarity index 69%
rename from pkg/detector/ospkg/mariner/mariner_test.go
rename to pkg/detector/ospkg/azure/azure_test.go
index 6e1ee9a37583..cc9f0a92d2af 100644
--- a/pkg/detector/ospkg/mariner/mariner_test.go
+++ b/pkg/detector/ospkg/azure/azure_test.go
@@ -1,4 +1,4 @@
-package mariner_test
+package azure_test

 import (
 "testing"
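Review bot: The comment `// NewScanner is the factory method for Scanner` now sits above `newScanner(distribution azure.Distribution)`, so it documents a name that no longer exists, and the two new exported constructors `NewAzureScanner` and `NewMarinerScanner` carry no doc comment at all. I would change the stale line to `// newScanner builds a Scanner backed by the advisory source of the given distribution.` and add `// NewAzureScanner returns a Scanner for Azure Linux, the 3.0 rebrand of CBL-Mariner.` and `// NewMarinerScanner returns a Scanner for CBL-Mariner 1.0 and 2.0.` above their declarations. The type comment `// Scanner implements the CBL-Mariner scanner` and `// Detect vulnerabilities in package using CBL-Mariner scanner` are likewise left saying CBL-Mariner only, while the second hunk in this file renames the error text to Azure Linux; the body of Detect continues outside the hunk.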
@@ -8,15 +8,17 @@ import ( "github.com/aquasecurity/trivy-db/pkg/db" dbTypes "github.com/aquasecurity/trivy-db/pkg/types" + azurevs "github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" "github.com/aquasecurity/trivy/internal/dbtest" - "github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner" + "github.com/aquasecurity/trivy/pkg/detector/ospkg/azure" ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/aquasecurity/trivy/pkg/types" ) func TestScanner_Detect(t *testing.T) { type args struct { + dist azurevs.Distribution osVer string pkgs []ftypes.Package } @@ -30,10 +32,11 @@ func TestScanner_Detect(t *testing.T) { { name: "happy path 1.0 SrcName and Name are different", fixtures: []string{ - "testdata/fixtures/mariner.yaml", + "testdata/fixtures/azure.yaml", "testdata/fixtures/data-source.yaml", }, args: args{ + dist: azurevs.Mariner, osVer: "1.0", pkgs: []ftypes.Package{ { @@ -69,10 +72,11 @@ func TestScanner_Detect(t *testing.T) { { name: "happy path 2.0", fixtures: []string{ - "testdata/fixtures/mariner.yaml", + "testdata/fixtures/azure.yaml", "testdata/fixtures/data-source.yaml", }, args: args{ + dist: azurevs.Mariner, osVer: "2.0", pkgs: []ftypes.Package{ { 
@@ -104,6 +108,46 @@ func TestScanner_Detect(t *testing.T) { }, }, }, + { + name: "happy path 3.0", + fixtures: []string{ + "testdata/fixtures/azure.yaml", + "testdata/fixtures/data-source.yaml", + }, + args: args{ + dist: azurevs.Azure, + osVer: "3.0", + pkgs: []ftypes.Package{ + { + Name: "php", + Epoch: 0, + Version: "8.3.6", + Release: "1.azl3", + Arch: "aarch64", + SrcName: "php", + SrcEpoch: 0, + SrcVersion: "8.3.6", + SrcRelease: "1.azl3", + Licenses: []string{"Php"}, + Layer: ftypes.Layer{}, + }, + }, + }, + want: []types.DetectedVulnerability{ + { + PkgName: "php", + VulnerabilityID: "CVE-2024-2408", + InstalledVersion: "8.3.6-1.azl3", + FixedVersion: "8.3.8-1.azl3", + Layer: ftypes.Layer{}, + DataSource: &dbTypes.DataSource{ + ID: vulnerability.AzureLinux, + Name: "Azure Linux Vulnerability Data", + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData", + }, + }, + }, + }, { name: "broken advisory", fixtures: []string{ @@ -111,6 +155,7 @@ func TestScanner_Detect(t *testing.T) { "testdata/fixtures/data-source.yaml", }, args: args{ + dist: azurevs.Mariner, osVer: "1.0", pkgs: []ftypes.Package{ { @@ -128,7 +173,7 @@ func TestScanner_Detect(t *testing.T) { }, }, }, - wantErr: "failed to get CBL-Mariner advisories", + wantErr: "failed to get Azure Linux advisories", }, } for _, tt := range tests { @@ -136,7 +181,10 @@ func TestScanner_Detect(t *testing.T) { _ = dbtest.InitDB(t, tt.fixtures) defer db.Close() - s := mariner.NewScanner() + s := azure.NewAzureScanner() + if tt.args.dist == azurevs.Mariner { + s = azure.NewMarinerScanner() + } got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs) if tt.wantErr != "" { require.Error(t, err) 
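Review bot: The scanner selection in the last hunk of azure_test.go (`@@ -136,7 +181,10 @@`) defaults to `azure.NewAzureScanner()` and only switches to the Mariner scanner when `tt.args.dist == azurevs.Mariner`, so a table entry that omits `dist` is silently run against the Azure scanner instead of failing; whether the zero value of `azurevs.Distribution` is Azure is not visible here. A switch over `tt.args.dist` with a default that fails the test makes the mapping total and self-documenting, and reads more naturally than assign-then-override. The enclosing `t.Run` closure continues outside the hunk.
```go
// … unchanged: dbtest.InitDB and defer db.Close() …
var s *azure.Scanner
switch tt.args.dist {
case azurevs.Azure:
	s = azure.NewAzureScanner()
case azurevs.Mariner:
	s = azure.NewMarinerScanner()
default:
	t.Fatalf("unexpected distribution: %v", tt.args.dist)
}
got, err := s.Detect(nil, tt.args.osVer, nil, tt.args.pkgs)
```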
diff --git a/pkg/detector/ospkg/mariner/testdata/fixtures/mariner.yaml b/pkg/detector/ospkg/azure/testdata/fixtures/azure.yaml similarity index 68% rename from pkg/detector/ospkg/mariner/testdata/fixtures/mariner.yaml rename to pkg/detector/ospkg/azure/testdata/fixtures/azure.yaml index 7f044d1a8b1a..f9829e17ad41 100644 --- a/pkg/detector/ospkg/mariner/testdata/fixtures/mariner.yaml +++ b/pkg/detector/ospkg/azure/testdata/fixtures/azure.yaml @@ -14,3 +14,11 @@ - bucket: vim pairs: - key: CVE-2022-0261 + +- bucket: Azure Linux 3.0 + pairs: + - bucket: php + pairs: + - key: CVE-2024-2408 + value: + FixedVersion: 8.3.8-1.azl3 diff --git a/pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml new file mode 100644 index 000000000000..7c9f386f157d --- /dev/null +++ b/pkg/detector/ospkg/azure/testdata/fixtures/data-source.yaml @@ -0,0 +1,21 @@ +- bucket: data-source + pairs: + - key: CBL-Mariner 1.0 + value: + ID: "cbl-mariner" + Name: "CBL-Mariner Vulnerability Data" + URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData" +- bucket: data-source + pairs: + - key: CBL-Mariner 2.0 + value: + ID: "cbl-mariner" + Name: "CBL-Mariner Vulnerability Data" + URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData" +- bucket: data-source + pairs: + - key: Azure Linux 3.0 + value: + ID: "azure" + Name: "Azure Linux Vulnerability Data" + URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData" diff --git a/pkg/detector/ospkg/mariner/testdata/fixtures/invalid.yaml b/pkg/detector/ospkg/azure/testdata/fixtures/invalid.yaml similarity index 100% rename from pkg/detector/ospkg/mariner/testdata/fixtures/invalid.yaml rename to pkg/detector/ospkg/azure/testdata/fixtures/invalid.yaml diff --git a/pkg/detector/ospkg/detect.go b/pkg/detector/ospkg/detect.go index e05b590107ca..0f4a1df2a9d3 100644 --- a/pkg/detector/ospkg/detect.go +++ b/pkg/detector/ospkg/detect.go 
@@ -10,9 +10,9 @@ import ( "github.com/aquasecurity/trivy/pkg/detector/ospkg/alma" "github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine" "github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon" + "github.com/aquasecurity/trivy/pkg/detector/ospkg/azure" "github.com/aquasecurity/trivy/pkg/detector/ospkg/chainguard" "github.com/aquasecurity/trivy/pkg/detector/ospkg/debian" - "github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner" "github.com/aquasecurity/trivy/pkg/detector/ospkg/oracle" "github.com/aquasecurity/trivy/pkg/detector/ospkg/photon" "github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat" @@ -33,7 +33,8 @@ var ( ftypes.Alpine: alpine.NewScanner(), ftypes.Alma: alma.NewScanner(), ftypes.Amazon: amazon.NewScanner(), - ftypes.CBLMariner: mariner.NewScanner(), + ftypes.Azure: azure.NewAzureScanner(), + ftypes.CBLMariner: azure.NewMarinerScanner(), ftypes.Debian: debian.NewScanner(), ftypes.Ubuntu: ubuntu.NewScanner(), ftypes.RedHat: redhat.NewScanner(), diff --git a/pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml deleted file mode 100644 index 57ce67b2ecd8..000000000000 --- a/pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml +++ /dev/null @@ -1,14 +0,0 @@ -- bucket: data-source - pairs: - - key: CBL-Mariner 1.0 - value: - ID: "cbl-mariner" - Name: "CBL-Mariner Vulnerability Data" - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData" -- bucket: data-source - pairs: - - key: CBL-Mariner 2.0 - value: - ID: "cbl-mariner" - Name: "CBL-Mariner Vulnerability Data" - URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData" diff --git a/pkg/fanal/analyzer/all/import.go b/pkg/fanal/analyzer/all/import.go index 1849bcebf682..5345073fd3cf 100644 --- a/pkg/fanal/analyzer/all/import.go +++ b/pkg/fanal/analyzer/all/import.go 
@@ -41,7 +41,6 @@ import (
 _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/alpine"
 _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/amazonlinux"
 _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/debian"
- _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner"
 _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/redhatbase"
 _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/release"
 _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/ubuntu"
diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go
index 6e9d0332eb61..681f8b9987cc 100644
--- a/pkg/fanal/analyzer/const.go
+++ b/pkg/fanal/analyzer/const.go
@@ -13,6 +13,7 @@ const (
 TypeOSRelease Type = "os-release"
 TypeAlpine Type = "alpine"
 TypeAmazon Type = "amazon"
+ TypeAzure Type = "azurelinux"
 TypeCBLMariner Type = "cbl-mariner"
 TypeDebian Type = "debian"
 TypePhoton Type = "photon"
diff --git a/pkg/fanal/analyzer/os/mariner/mariner.go b/pkg/fanal/analyzer/os/mariner/mariner.go
deleted file mode 100644
index f24a8b1886b3..000000000000
--- a/pkg/fanal/analyzer/os/mariner/mariner.go
+++ /dev/null
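Review bot: The new constant `TypeAzure Type = "azurelinux"` in const.go names the analyzer type after the cloud while its value, the os-release `ID=azurelinux` it corresponds to, and the `azurelinux-3.0` fixture all say "Azure Linux"; `TypeAzureLinux Type = "azurelinux"` would keep name and value aligned and avoid suggesting this type has anything to do with the Azure registry support elsewhere in the tree. If `types.Azure` in `pkg/fanal/types/const.go` (listed in the diffstat but not shown) uses the same short spelling, the same remark applies there. The data-source fixture in this series additionally uses `ID: "azure"`, so three spellings now coexist for one distribution; a short comment on the constant, `// TypeAzure matches os-release ID=azurelinux (Azure Linux 3.0+); CBL-Mariner 1.0/2.0 stay TypeCBLMariner.`, would at least make the mapping explicit.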
@@ -1,67 +0,0 @@ -package mariner - -import ( - "bufio" - "context" - "io" - "os" - "path/filepath" - "strings" - - "golang.org/x/xerrors" - - "github.com/aquasecurity/trivy/pkg/fanal/analyzer" - fos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os" - "github.com/aquasecurity/trivy/pkg/fanal/types" -) - -func init() { - analyzer.RegisterAnalyzer(&marinerOSAnalyzer{}) -} - -const ( - version = 1 - requiredFile = "etc/mariner-release" -) - -type marinerOSAnalyzer struct{} - -func (a marinerOSAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { - foundOS, err := a.parseRelease(input.Content) - if err != nil { - return nil, xerrors.Errorf("release parse error: %w", err) - } - return &analyzer.AnalysisResult{ - OS: foundOS, - }, nil -} - -func (a marinerOSAnalyzer) parseRelease(r io.Reader) (types.OS, error) { - scanner := bufio.NewScanner(r) - for scanner.Scan() { - line := scanner.Text() - fields := strings.Fields(line) - if len(fields) != 2 { - continue - } - if strings.EqualFold(fields[0], "cbl-mariner") { - return types.OS{ - Family: types.CBLMariner, - Name: fields[1], - }, nil - } - } - return types.OS{}, xerrors.Errorf("cbl-mariner: %w", fos.AnalyzeOSError) -} - -func (a marinerOSAnalyzer) Required(filePath string, _ os.FileInfo) bool { - return filepath.ToSlash(filePath) == requiredFile -} - -func (a marinerOSAnalyzer) Type() analyzer.Type { - return analyzer.TypeCBLMariner -} - -func (a marinerOSAnalyzer) Version() int { - return version -} diff --git a/pkg/fanal/analyzer/os/mariner/mariner_test.go b/pkg/fanal/analyzer/os/mariner/mariner_test.go deleted file mode 100644 index e13730a021cb..000000000000 --- a/pkg/fanal/analyzer/os/mariner/mariner_test.go +++ /dev/null 
@@ -1,60 +0,0 @@
-package mariner
-
-import (
- "context"
- "os"
- "testing"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-
- "github.com/aquasecurity/trivy/pkg/fanal/analyzer"
- "github.com/aquasecurity/trivy/pkg/fanal/types"
-)
-
-func Test_marinerOSAnalyzer_Analyze(t *testing.T) {
- tests := []struct {
- name string
- inputFile string
- want *analyzer.AnalysisResult
- wantErr string
- }{
- {
- name: "happy path with CBL Mariner 1.0",
- inputFile: "testdata/1.0/mariner-release",
- want: &analyzer.AnalysisResult{
- OS: types.OS{
- Family: types.CBLMariner,
- Name: "1.0.20220122",
- },
- },
- },
- {
- name: "sad path",
- inputFile: "testdata/sad/mariner-release",
- wantErr: "cbl-mariner: unable to analyze OS information",
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- a := marinerOSAnalyzer{}
- f, err := os.Open(tt.inputFile)
- require.NoError(t, err)
- defer f.Close()
-
- ctx := context.Background()
- got, err := a.Analyze(ctx, analyzer.AnalysisInput{
- FilePath: "etc/mariner-release",
- Content: f,
- })
- if tt.wantErr != "" {
- require.Error(t, err)
- assert.Contains(t, err.Error(), tt.wantErr)
- return
- }
-
- require.NoError(t, err)
- assert.Equal(t, tt.want, got)
- })
- }
-}
diff --git a/pkg/fanal/analyzer/os/mariner/testdata/1.0/mariner-release b/pkg/fanal/analyzer/os/mariner/testdata/1.0/mariner-release
deleted file mode 100644
index 1a8769674acf..000000000000
--- a/pkg/fanal/analyzer/os/mariner/testdata/1.0/mariner-release
+++ /dev/null
@@ -1,2 +0,0 @@
-CBL-Mariner 1.0.20220122
-MARINER_BUILD_NUMBER=7da4f23
diff --git a/pkg/fanal/analyzer/os/mariner/testdata/sad/mariner-release b/pkg/fanal/analyzer/os/mariner/testdata/sad/mariner-release
deleted file mode 100644
index 4fda2bc57d30..000000000000
--- a/pkg/fanal/analyzer/os/mariner/testdata/sad/mariner-release
+++ /dev/null
@@ -1 +0,0 @@
-MARINER_BUILD_NUMBER=7da4f23
diff --git a/pkg/fanal/analyzer/os/release/release.go b/pkg/fanal/analyzer/os/release/release.go
index 229c13c932aa..8da24644d5f7 100644
--- a/pkg/fanal/analyzer/os/release/release.go
+++ b/pkg/fanal/analyzer/os/release/release.go
@@ -61,6 +61,10 @@ func (a osReleaseAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInp
 family = types.Wolfi
 case "chainguard":
 family = types.Chainguard
+ case "azurelinux":
+ family = types.Azure
+ case "mariner":
+ family = types.CBLMariner
 }

 if family != "" && versionID != "" {
diff --git a/pkg/fanal/analyzer/os/release/release_test.go b/pkg/fanal/analyzer/os/release/release_test.go
index 862f39f4cf17..3b534ad7b14d 100644
--- a/pkg/fanal/analyzer/os/release/release_test.go
+++ b/pkg/fanal/analyzer/os/release/release_test.go
@@ -90,6 +90,36 @@ func Test_osReleaseAnalyzer_Analyze(t *testing.T) {
 },
 },
 },
+ {
+ name: "Azure Linux",
+ inputFile: "testdata/azurelinux-3.0",
+ want: &analyzer.AnalysisResult{
+ OS: types.OS{
+ Family: types.Azure,
+ Name: "3.0",
+ },
+ },
+ },
+ {
+ name: "Mariner 2.0",
+ inputFile: "testdata/mariner-2.0",
+ want: &analyzer.AnalysisResult{
+ OS: types.OS{
+ Family: types.CBLMariner,
+ Name: "2.0",
+ },
+ },
+ },
+ {
+ name: "Mariner 1.0",
+ inputFile: "testdata/mariner-1.0",
+ want: &analyzer.AnalysisResult{
+ OS: types.OS{
+ Family: types.CBLMariner,
+ Name: "1.0",
+ },
+ },
+ },
 {
 name: "Unknown OS",
 inputFile: "testdata/unknown",
diff --git a/pkg/fanal/analyzer/os/release/testdata/azurelinux-3.0 b/pkg/fanal/analyzer/os/release/testdata/azurelinux-3.0
new file mode 100644
index 000000000000..a033cb09377e
--- /dev/null
+++ b/pkg/fanal/analyzer/os/release/testdata/azurelinux-3.0
@@ -0,0 +1,9 @@
+NAME="Microsoft Azure Linux"
+VERSION="3.0.20240624"
+ID=azurelinux
+VERSION_ID="3.0"
+PRETTY_NAME="Microsoft Azure Linux 3.0"
+ANSI_COLOR="1;34"
+HOME_URL="https://aka.ms/azurelinux"
+BUG_REPORT_URL="https://aka.ms/azurelinux"
+SUPPORT_URL="https://aka.ms/azurelinux"
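Review bot: The new `case "mariner":` arm changes what ends up in `OS.Name` for CBL-Mariner: the deleted `etc/mariner-release` analyzer reported the full build string (its removed test expected `1.0.20220122`), whereas this path takes `versionID` and the new `testdata/mariner-1.0` case expects `1.0`. If anything downstream keys advisories on the full build version this is a silent precision loss, so it deserves a sentence in the commit message or a comment on the arm such as `// mariner: Name is VERSION_ID (major.minor), not the full build string the old etc/mariner-release analyzer returned`. Whether the switched value is normalised before these string comparisons is decided outside the hunk, so I cannot tell from here how a non-canonical ID would be handled. The enclosing `Analyze` starts before the hunk.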
diff --git a/pkg/fanal/analyzer/os/release/testdata/mariner-1.0 b/pkg/fanal/analyzer/os/release/testdata/mariner-1.0
new file mode 100644
index 000000000000..aef312e77294
--- /dev/null
+++ b/pkg/fanal/analyzer/os/release/testdata/mariner-1.0
@@ -0,0 +1,9 @@
+NAME="Common Base Linux Mariner"
+VERSION="1.0.20230713"
+ID=mariner
+VERSION_ID="1.0"
+PRETTY_NAME="CBL-Mariner/Linux"
+ANSI_COLOR="1;34"
+HOME_URL="https://aka.ms/cbl-mariner"
+BUG_REPORT_URL="https://aka.ms/cbl-mariner"
+SUPPORT_URL="https://aka.ms/cbl-mariner"
diff --git a/pkg/fanal/analyzer/os/release/testdata/mariner-2.0 b/pkg/fanal/analyzer/os/release/testdata/mariner-2.0
new file mode 100644
index 000000000000..c8a70bc4464c
--- /dev/null
+++ b/pkg/fanal/analyzer/os/release/testdata/mariner-2.0
@@ -0,0 +1,9 @@
+NAME="Common Base Linux Mariner"
+VERSION="2.0.20240123"
+ID=mariner
+VERSION_ID="2.0"
+PRETTY_NAME="CBL-Mariner/Linux"
+ANSI_COLOR="1;34"
+HOME_URL="https://aka.ms/cbl-mariner"
+BUG_REPORT_URL="https://aka.ms/cbl-mariner"
+SUPPORT_URL="https://aka.ms/cbl-mariner"
diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go
index 7253404c0be1..c257154e24ea 100644
--- a/pkg/fanal/types/const.go
+++ b/pkg/fanal/types/const.go
@@ -24,6 +24,7 @@ const (
 Alma OSType = "alma"
 Alpine OSType = "alpine"
 Amazon OSType = "amazon"
+ Azure OSType = "azurelinux"
 CBLMariner OSType = "cbl-mariner"
 CentOS OSType = "centos"
 Chainguard OSType = "chainguard"
diff --git a/pkg/purl/purl.go b/pkg/purl/purl.go
index 12b27e6290e6..ba19d40c26a9 100644
--- a/pkg/purl/purl.go
+++ b/pkg/purl/purl.go
@@ -477,7 +477,7 @@ func purlType(t ftypes.TargetType) string {
 case ftypes.RedHat, ftypes.CentOS, ftypes.Rocky, ftypes.Alma, ftypes.Amazon, ftypes.Fedora, ftypes.Oracle, ftypes.OpenSUSE, ftypes.OpenSUSELeap, ftypes.OpenSUSETumbleweed, ftypes.SLES, ftypes.Photon,
- ftypes.CBLMariner:
+ ftypes.Azure, ftypes.CBLMariner:
 return packageurl.TypeRPM
 case TypeOCI:
 return packageurl.TypeOCI
From 9d5201808da89607ae43570bdf1f335b482a6b79 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Mon, 22 Jul 2024 14:01:45 +0700 Subject: [PATCH 10/16] fix(server): pass license categories to options (#7203) Signed-off-by: nikpivkin --- pkg/rpc/server/server.go | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/pkg/rpc/server/server.go b/pkg/rpc/server/server.go
index 25b43b2afd92..b0e58f87c0e9 100644
--- a/pkg/rpc/server/server.go
+++ b/pkg/rpc/server/server.go
@@ -9,6 +9,7 @@ import (
 "google.golang.org/protobuf/types/known/emptypb"

 "github.com/aquasecurity/trivy/pkg/cache"
+ ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 "github.com/aquasecurity/trivy/pkg/log"
 "github.com/aquasecurity/trivy/pkg/rpc"
 "github.com/aquasecurity/trivy/pkg/scanner"
@@ -46,10 +47,17 @@ func (s *ScanServer) Scan(ctx context.Context, in *rpcScanner.ScanRequest) (*rpc
 scanners := lo.Map(in.Options.Scanners, func(s string, index int) types.Scanner {
 return types.Scanner(s)
 })
+
+ licenseCategories := lo.MapEntries(in.Options.LicenseCategories,
+ func(k string, v *rpcScanner.Licenses) (ftypes.LicenseCategory, []string) {
+ return ftypes.LicenseCategory(k), v.Names
+ })
+
 options := types.ScanOptions{
- PkgTypes: in.Options.PkgTypes,
- Scanners: scanners,
- IncludeDevDeps: in.Options.IncludeDevDeps,
+ PkgTypes: in.Options.PkgTypes,
+ Scanners: scanners,
+ IncludeDevDeps: in.Options.IncludeDevDeps,
+ LicenseCategories: licenseCategories,
 }
 results, os, err := s.localScanner.Scan(ctx, in.Target, in.ArtifactId, in.BlobIds, options)
 if err != nil {
From 92695630c04398a5e8b763a7da14160de9e41a5d Mon Sep 17 00:00:00 2001 From: Teppei Fukuda Date: Mon, 22 Jul 2024 11:31:26 +0400 Subject: [PATCH 11/16] chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201) Signed-off-by: knqyf263 --- .vex/oci.openvex.json | 39 +++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 14 deletions(-)
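Review bot: `v.Names` inside the added `lo.MapEntries` callback dereferences the map value without a nil check; the values of `in.Options.LicenseCategories` are `*rpcScanner.Licenses` pointers coming straight from the client request, so an entry whose value is unset would cause a nil-pointer panic in the `Scan` handler on attacker-controllable input. Assuming `rpcScanner.Licenses` is the protoc-generated message, its getter is nil-safe, so `return ftypes.LicenseCategory(k), v.GetNames()` removes the panic without changing the happy path. The dereference of `in.Options` itself has the same shape but predates this change. `Scan` begins before the hunk.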
diff --git a/.vex/oci.openvex.json b/.vex/oci.openvex.json
index 6a58df8cdf41..b689d43afac1 100644
--- a/.vex/oci.openvex.json
+++ b/.vex/oci.openvex.json
@@ -14,21 +14,24 @@
 "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 },
 {
 "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 },
 {
 "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 }
 ],
@@ -45,22 +48,24 @@
 "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 },
 {
 "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
 "subcomponents": [
- {
- "@id": "pkg:apk/alpine/busybox"
- }
+ {"@id": "pkg:apk/alpine/busybox"},
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 },
 {
 "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 }
 ],
@@ -77,21 +82,24 @@
 "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 },
 {
 "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 },
 {
 "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 }
 ],
@@ -108,21 +116,24 @@
 "@id": "pkg:oci/trivy?repository_url=index.docker.io%2Faquasec%2Ftrivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 },
 {
 "@id": "pkg:oci/trivy?repository_url=public.ecr.aws%2Faquasecurity%2Ftrivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 },
 {
 "@id": "pkg:oci/trivy?repository_url=ghcr.io/aquasecurity/trivy",
 "subcomponents": [
 {"@id": "pkg:apk/alpine/busybox"},
- {"@id": "pkg:apk/alpine/busybox-binsh"}
+ {"@id": "pkg:apk/alpine/busybox-binsh"},
+ {"@id": "pkg:apk/alpine/ssl_client"}
 ]
 }
 ],
From 92b13be668bd20f8e9dac2f0cb8e5a2708b9b3b5 Mon Sep 17 00:00:00 2001
From: afdesk Date: Tue, 23 Jul 2024 16:59:39 +0600 Subject: [PATCH 12/16] fix(secret): trim excessively long lines (#7192) --- pkg/fanal/secret/scanner.go | 14 ++++++-- pkg/fanal/secret/scanner_test.go | 46 +++++++++++++++++++++---- pkg/fanal/secret/testdata/obfuscated.js | 1 + 3 files changed, 51 insertions(+), 10 deletions(-) create mode 100644 pkg/fanal/secret/testdata/obfuscated.js
diff --git a/pkg/fanal/secret/scanner.go b/pkg/fanal/secret/scanner.go
index cc022bb82db4..c006a38b63a1 100644
--- a/pkg/fanal/secret/scanner.go
+++ b/pkg/fanal/secret/scanner.go
@@ -476,7 +476,10 @@ func toFinding(rule Rule, loc Location, content []byte) types.SecretFinding {
 }
 }

-const secretHighlightRadius = 2 // number of lines above + below each secret to include in code output
+const (
+ secretHighlightRadius = 2 // number of lines above + below each secret to include in code output
+ maxLineLength = 100 // all lines longer will be cut off
+)

 func findLocation(start, end int, content []byte) (int, int, types.Code, string) {
 startLineNum := bytes.Count(content[:start], lineSep)
@@ -511,9 +514,16 @@ func findLocation(start, end int, content []byte) (int, int, types.Code, string)
 rawLines := lines[codeStart:codeEnd]
 var foundFirst bool
 for i, rawLine := range rawLines {
- strRawLine := string(rawLine)
 realLine := codeStart + i
 inCause := realLine >= startLineNum && realLine <= endLineNum
+
+ var strRawLine string
+ if len(rawLine) > maxLineLength {
+ strRawLine = lo.Ternary(inCause, matchLine, string(rawLine[:maxLineLength]))
+ } else {
+ strRawLine = string(rawLine)
+ }
+
 code.Lines = append(code.Lines, types.Line{
 Number: codeStart + i + 1,
 Content: strRawLine,
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index 04f1f08fc1b2..e5b8f68f943d 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
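Review bot: The truncation added to `findLocation` slices bytes, so `rawLine[:maxLineLength]` can stop inside a multi-byte UTF-8 sequence and emit an invalid string into the report for non-cause lines; backing the cut off to a rune boundary keeps the output well-formed, e.g. `cut := maxLineLength` / `for cut > 0 && !utf8.RuneStart(rawLine[cut]) { cut-- }` / `string(rawLine[:cut])` (needs `unicode/utf8`). Separately, the new `maxLineLength` comment says "all lines longer will be cut off", but the in-cause branch substitutes `matchLine` unchanged, and the updated expectations in scanner_test.go show cause lines far longer than 100 characters, so either bound `matchLine` the same way or reword the comment to `// non-cause lines longer than this are truncated; cause lines show matchLine instead`. `findLocation` starts before the hunk and `matchLine` is assigned outside it, so I cannot see how long it can get.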
@@ -353,8 +353,8 @@ func TestSecretScanner(t *testing.T) { Lines: []types.Line{ { Number: 1, - Content: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa GITHUB_PAT=**************************************** bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", - Highlighted: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa GITHUB_PAT=**************************************** bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", + Content: "aaaaaaaaaaaaaaaaaa GITHUB_PAT=**************************************** bbbbbbbbbbbbbbbbbbb", + Highlighted: "aaaaaaaaaaaaaaaaaa GITHUB_PAT=**************************************** bbbbbbbbbbbbbbbbbbb", IsCause: true, FirstCause: true, LastCause: true, @@ -462,8 +462,8 @@ func TestSecretScanner(t *testing.T) { Lines: []types.Line{ { Number: 1, - Content: "{\"key\": \"-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE KEY-----\\n\"}", - Highlighted: "{\"key\": \"-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE KEY-----\\n\"}", + Content: "----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE", + Highlighted: "----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE", IsCause: true, FirstCause: true, LastCause: true, 
@@ -483,8 +483,8 @@ func TestSecretScanner(t *testing.T) { Lines: []types.Line{ { Number: 1, - Content: "-----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----", - Highlighted: "-----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----", + Content: "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE", + Highlighted: "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE", IsCause: true, FirstCause: true, LastCause: true, 
@@ -504,8 +504,8 @@ func TestSecretScanner(t *testing.T) { Lines: []types.Line{ { Number: 1, - Content: "-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----", - Highlighted: "-----BEGIN RSA PRIVATE 
KEY-----**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----", + Content: "----BEGIN RSA PRIVATE 
KEY-----**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", + Highlighted: "----BEGIN RSA PRIVATE 
KEY-----**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE", IsCause: true, FirstCause: true, LastCause: true, 
@@ -667,6 +667,27 @@ func TestSecretScanner(t *testing.T) {
 },
 },
 }
+ wantFindingTokenInsideJs := types.SecretFinding{
+ RuleID: "stripe-publishable-token",
+ Category: "Stripe",
+ Title: "Stripe Publishable Key",
+ Severity: "LOW",
+ StartLine: 1,
+ EndLine: 1,
+ Match: "){case a.ez.PRODUCTION:return\"********************************\";case a.ez.TEST:cas",
+ Code: types.Code{
+ Lines: []types.Line{
+ {
+ Number: 1,
+ Content: "){case a.ez.PRODUCTION:return\"********************************\";case a.ez.TEST:cas",
+ Highlighted: "){case a.ez.PRODUCTION:return\"********************************\";case a.ez.TEST:cas",
+ IsCause: true,
+ FirstCause: true,
+ LastCause: true,
+ },
+ },
+ },
+ }

 tests := []struct {
 name string
@@ -982,6 +1003,15 @@ func TestSecretScanner(t *testing.T) {
 Findings: []types.SecretFinding{wantMultiLine},
 },
 },
+ {
+ name: "long obfuscated js code with secrets",
+ configPath: filepath.Join("testdata", "skip-test.yaml"),
+ inputFilePath: filepath.Join("testdata", "obfuscated.js"),
+ want: types.Secret{
+ FilePath: filepath.Join("testdata", "obfuscated.js"),
+ Findings: []types.SecretFinding{wantFindingTokenInsideJs},
+ },
+ },
 }

 for _, tt := range tests {
diff --git a/pkg/fanal/secret/testdata/obfuscated.js b/pkg/fanal/secret/testdata/obfuscated.js
new file mode 100644
index 000000000000..f3e1c53be227
--- /dev/null
+++ b/pkg/fanal/secret/testdata/obfuscated.js
@@ -0,0 +1 @@ +"use strict";(self.webpackChunkmattermost_webapp=self.webpackChunkmattermost_webapp||[]).push([[8055],{59713:(e,t,n)=>{n.d(t,{$d:()=>b,DF:()=>G,Du:()=>B,GA:()=>F,Is:()=>M,JJ:()=>J,K6:()=>re,KB:()=>f,KO:()=>x,Md:()=>ae,NB:()=>ce,O$:()=>E,OT:()=>ee,QQ:()=>oe,SP:()=>K,Sm:()=>se,T8:()=>Y,UV:()=>pe,W3:()=>C,X$:()=>X,_9:()=>de,a6:()=>Q,d1:()=>ne,d5:()=>$,dA:()=>te,gY:()=>ie,go:()=>T,h5:()=>z,iB:,n(61418);var a=n(17554),s=n(98644),i=n(80139),r=n(23712);function o(e){return{type:r.MF.NEEDS_LOGGED_IN_LIMIT_REACHED_CHECK,data:e}}function l(e).func,onInputChange:s().func,onInputBlur:s().func,buttonFooter:s().element},M.defaultProps={className:""};const T=M},30736:(e,t,n)=>{n.d(t,{Z:()=>u});var a=n(23615),s=n.n(a),i=(n(48410),n(84390)),r=n.n(i),o=n(72060),l=n(80623),c=n(83398);const d=[{code:"AL",name:"Alabama"},{code:"AK",name:"Alaska"},{code:"AZ",name:"Arizona"},{code:"AR",name:"Arkansas"},{code:"CA",name:"California"},{code:"CO",name:"Colorado"},{code:"CT",name:"Connecticut"},{code:"DE",name:"Delaware"},{code:"DC",name:"District of Columbia"},{code:"FL",name:"Florida"},{code:"GA",name:"Georgia"},{code:"HI",name:"Hawaii"},{code:"ID",name:"Idaho"},{code:"IL",name:"Illinois"},{code:"IN",name:"Indiana"},{code:"IA",name:"Iowa"},{code:"KS",name:"Kansas"},{code:"KY",name:"Kentucky"},{code:"LA",name:"Louisiana"},{code:"ME",name:"Maine"},{code:"MD",name:"Maryland"},{code:"MA",name:"Massachusetts"},{code:"MI",name:"Michigan"},{code:"MN",name:"Minnesota"},{code:"MS",name:"Mississippi"},{code:"MO",name:"Missouri"},{code:"MT",name:"Montana"},{code:"NE",name:"Nebraska"},{code:"NV",name:"Nevada"},{code:"NH",name:"New Hampshire"},{code:"NJ",name:"New Jersey"},{code:"NM",name:"New Mexico"},{code:"NY",name:"New York"},{code:"NC",name:"North Carolina"},{code:"ND",name:"North Dakota"},{code:"OH",name:"Ohio"},{code:"OK",name:"Oklahoma"},{code:"OR",name:"Oregon"},{code:"PA",name:"Pennsylvania"},{code:"PR",name:"Puerto Rico"},{code:"RI",name:"Rhode Island"},{code:"SC",name:"South 
Carolina"},{code:"SD",name:"South Dakota"},{code:"TN",name:"Tennessee"},{code:"TX",name:"Texas"},{code:"UT",name:"Utah"},{code:"VT",name:"Vermont"},{code:"VA",name:"Virginia"},{code:"WA",name:"Washington"},{code:"WV",name:"West Virginia"},{code:"WI",name:"Wisconsin"},{code:"WY",name:"Wyoming"}],m=[{code:"AB",name:"Alberta"},{code:"BC",name:"British Columbia"},{code:"MB",name:"Manitoba"},{code:"NB",name:"New Brunswick"},{code:"NL",name:"Newfoundland and Labrador"},{code:"NT",name:"Northwest Territories"},{code:"NS",name:"Nova Scotia"},{code:"NU",name:"Nunavut"},{code:"ON",name:"Ontario"},{code:"PE",name:"Prince Edward Island"},{code:"QC",name:"Quebec"},{code:"SK",name:"Saskatchewan"},{code:"YT",name:"Yukon Territory"}];function u(e){const{formatMessage:t}=(0,o.useIntl)(),n=t=>{e.onChange(t.value)};let a=[];if("US"===e.country?a=d:"CA"===e.country&&(a=m),a.length>0){const s={};return e.testId&&(s.testId=e.testId),r().createElement(l.Z,Object.assign({},s,{onChange:n,value:e.state?{value:e.state,label:e.state}:void 0,options:a.map((e=>({value:e.code,label:e.name}))),legend:t({id:"admin.billing.subscription.stateprovince",defaultMessage:"State/Province"}),placeholder:t({id:"admin.billing.subscription.stateprovince",defaultMessage:"State/Province"}),name:"country_dropdown"}))}return r().createElement(c.Z,{name:"state",type:"text",value:e.state,onChange:t=>{e.onChange(t.target.value)},onBlur:e.onBlur,placeholder:t({id:"admin.billing.subscription.stateprovince",defaultMessage:"State/Province"}),required:!0})}u.propTypes={country:s().string.isRequired,state:s().string.isRequired,testId:s().string,onChange:s().func.isRequired,onBlur:s().func}},35154:(e,t,n)=>{n.d(t,{li:()=>r,tt:()=>l,wW:()=>o}),n(61418);var a=n(2507);function s(e){return e}function i(e){return async(e,t,n)=>({setupIntent:{id:"testid",status:"succeeded"}})}const 
r=e=>e?i:s,o="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,600,600i&display=swap",l=e=>{switch(e.entities.general.config.ServiceEnvironment){case a.ez.PRODUCTION:return"pk_live_xXX1xXXXx1xXxXxxx11x1XXX";case a.ez.TEST:case a.ez.DEV:return""}return""}},21500:(e,t,n)=>{n.r(t),n.d(t,{default:()=>h});var a=n(23615),s=n.n(a),i=(n(61418),n(14078),n(48410),n(92189),n(66726)),r=n.n(i),o=n(84390),l=n.n(o),c=n(47407),d=n(83765),m=n(26337),u=n(41894);function p(e,t,n){return(t=function(e){var t=function(e,t){if("object"!=typeof e||null===e)return e;var n=e[Symbol.toPrimitive];if(void 0!==n){var a=n.call(e,"string");if("object"!=typeof a)return a;throw new TypeError("@@toPrimitive must return a primitive value.")}return String(e)}(e);return"symbol"==typeof t?t:String(t)}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}class h extends l().PureComponent{constructor(e){super(e),p(this,"parentNode",null),p(this,"pdfCanvasRef",{}),p(this,"downloadFile",(e=>{const t=this.props.fileInfo.link||(0,c.gN)(this.props.fileInfo.id);e.preventDefault(),window.location.href=t})),p(this,"isInViewport",(e=>{var t,n,a,s;const i=e.getBoundingClientRect(),r=null!==(t=null===(n=this.container.current)||void 0===n?void 0:n.scrollTop)&&void 0!==t?t:0,o=r+(null!==(a=null===(s=this.parentNode)||void 0===s?void 0:s.clientHeight)&&void 0!==a?a:0);return i.top>=r&&i.top<=o||i.bottom>=r&&i.bottom<=o||i.top<=r&&i.bottom>=o})),p(this,"renderPDFPage",(async e=>{const t=this.pdfCanvasRef["pdfCanvasRef-".concat(e)].current;if(!t)return;if(e>=3&&!this.isInViewport(t))return;if(this.pdfPagesRendered[e])return;const n=await this.loadPage(this.state.pdf,e),a=t.getContext("2d"),s=n.getViewport({scale:this.props.scale});t.height=s.height,t.width=s.width;const i={canvasContext:a,viewport:s};await n.render(i).promise,this.pdfPagesRendered[e]=!0})),p(this,"getPdfDocument",(async()=>{try{const e=await 
Promise.all([n.e(7803),n.e(9707)]).then(n.t.bind(n,47803,23)),t=await n.e(5456).then(n.t.bind(n,65456,23));e.GlobalWorkerOptions.workerSrc=t;const a=await e.getDocument({url:this.props.fileUrl,cMapUrl:(0,u.fO)()+"/static/cmaps/",cMapPacked:!0}).promise;this.onDocumentLoad(a)}catch(e){this.onDocumentLoadError(e)}})),p(this,"onDocumentLoad",(e=>{this.setState({pdf:e,numPages:e.numPages});for(let t=0;t{console.log("Unable to load PDF preview: "+e),this.setState({loading:!1,success:!1})})),p(this,"loadPage",(async(e,t)=>{if(this.state.pdfPagesLoaded[t])return this.state.pdfPages[t];const n=await e.getPage(t+1),a=Object.assign({},this.state.pdfPages);a[t]=n;) \ No newline at end of file From 051ac3901fee8136f54c6fc9b1a541240a44e8aa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 10:48:26 +0400 Subject: [PATCH 13/16] chore(deps): bump the docker group across 1 directory with 2 updates (#7208) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: DmitriyLewen --- go.mod | 18 +++---- go.sum | 38 ++++++++------- pkg/fanal/analyzer/buildinfo/dockerfile.go | 55 +++++++++++++++------- 3 files changed, 69 insertions(+), 42 deletions(-) diff --git a/go.mod b/go.mod index b01cd7c01e22..798ea8fa96d6 100644 --- a/go.mod +++ b/go.mod @@ -43,7 +43,7 @@ require ( github.com/cheggaaa/pb/v3 v3.1.5 github.com/containerd/containerd v1.7.19 github.com/csaf-poc/csaf_distribution/v3 v3.0.0 - github.com/docker/docker v27.0.3+incompatible + github.com/docker/docker v27.1.0+incompatible github.com/docker/go-connections v0.5.0 github.com/fatih/color v1.17.0 github.com/go-git/go-git/v5 v5.12.0 
@@ -74,7 +74,6 @@ require (
 github.com/liamg/iamgo v0.0.9
 github.com/liamg/jfather v0.0.7
 github.com/liamg/memoryfs v1.6.0
- github.com/magefile/mage v1.15.0
 github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
 github.com/masahiro331/go-ebs-file v0.0.0-20240112135404-d5fbb1d46323
 github.com/masahiro331/go-ext4-filesystem v0.0.0-20231208112839-4339555a0cd4
@@ -86,7 +85,7 @@ require (
 github.com/mitchellh/go-homedir v1.1.0
 github.com/mitchellh/hashstructure/v2 v2.0.2
 github.com/mitchellh/mapstructure v1.5.0
- github.com/moby/buildkit v0.14.1
+ github.com/moby/buildkit v0.15.0
 github.com/open-policy-agent/opa v0.66.0
 github.com/opencontainers/go-digest v1.0.0
 github.com/opencontainers/image-spec v1.1.0
@@ -133,6 +132,8 @@ require (
 sigs.k8s.io/yaml v1.4.0
 )

+require github.com/magefile/mage v1.14.0
+
 require (
 cloud.google.com/go v0.112.1 // indirect
 cloud.google.com/go/compute/metadata v0.3.0 // indirect
@@ -201,9 +202,9 @@ require (
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 github.com/distribution/reference v0.6.0 // indirect
 github.com/dlclark/regexp2 v1.4.0 // indirect
- github.com/docker/cli v26.1.4+incompatible // indirect
+ github.com/docker/cli v27.0.3+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
- github.com/docker/docker-credential-helpers v0.8.0 // indirect
+ github.com/docker/docker-credential-helpers v0.8.2 // indirect
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 github.com/docker/go-metrics v0.0.1 // indirect
 github.com/docker/go-units v0.5.0 // indirect
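Review bot: The `@@ -74,7 +74,6 @@` and `@@ -133,6 +132,8 @@` hunks drop `github.com/magefile/mage v1.15.0` from the main require block and re-add it as a standalone `require github.com/magefile/mage v1.14.0`, which is a downgrade that neither the commit title (two updates in the docker group) nor the description mentions. This looks like a `go mod tidy` artefact rather than an intended pin; if v1.14.0 is what the build should use, fold it back into the main block and say so in the description, otherwise restore v1.15.0 so the dependency set matches what was reviewed. The go.sum lines for mage are not in view, so whether its checksums were updated consistently cannot be confirmed here.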
@@ -268,7 +269,7 @@ require (
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
- github.com/klauspost/compress v1.17.7 // indirect
+ github.com/klauspost/compress v1.17.9 // indirect
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
github.com/lib/pq v1.10.9 // indirect
@@ -301,7 +302,7 @@ require (
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
github.com/ncruces/go-strftime v0.1.9 // indirect
github.com/oklog/ulid v1.3.1 // indirect
- github.com/opencontainers/runtime-spec v1.1.0 // indirect
+ github.com/opencontainers/runtime-spec v1.2.0 // indirect
github.com/opencontainers/selinux v1.11.0 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.2.2 // indirect
@@ -314,7 +315,7 @@ require (
github.com/prometheus/client_golang v1.19.1 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.48.0 // indirect
- github.com/prometheus/procfs v0.12.0 // indirect
+ github.com/prometheus/procfs v0.15.1 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/rivo/uniseg v0.2.0 // indirect
@@ -336,6 +337,7 @@ require (
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/tklauser/go-sysconf v0.3.13 // indirect
github.com/tklauser/numcpus v0.7.0 // indirect
+ github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
github.com/ulikunitz/xz v0.5.11 // indirect
github.com/vbatts/tar-split v0.11.5 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
diff --git a/go.sum b/go.sum
index 0770f06bb8f2..9f2aaaed05ed 100644
--- a/go.sum
+++ b/go.sum
@@ -1064,8 +1064,8 @@ github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E
github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E=
github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8=
-github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v27.0.3+incompatible h1:usGs0/BoBW8MWxGeEtqPMkzOY56jZ6kYlSN5BLDioCQ=
+github.com/docker/cli v27.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY=
github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
@@ -1074,11 +1074,11 @@ github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBi
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v24.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE=
-github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.1.0+incompatible h1:rEHVQc4GZ0MIQKifQPHSFGV/dVgaZafgRf8fCPtDYBs=
+github.com/docker/docker v27.1.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
-github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
-github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
+github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
+github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
@@ -1385,8 +1385,8 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe
github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd h1:gbpYu9NMq8jhDVbvlGkMFWCjLFlqqEZjEmObmhUy6Vo=
-github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
+github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
@@ -1554,8 +1554,8 @@ github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHU
github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
-github.com/klauspost/compress v1.17.7 h1:ehO88t2UGzQK66LMdE8tibEd1ErmzZjNEqWkjLAKQQg=
-github.com/klauspost/compress v1.17.7/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
+github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg=
@@ -1611,8 +1611,8 @@ github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6w
github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
-github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
-github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
+github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
@@ -1693,8 +1693,8 @@ github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQ
github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.14.1 h1:2epLCZTkn4CikdImtsLtIa++7DzCimrrZCT1sway+oI=
-github.com/moby/buildkit v0.14.1/go.mod h1:1XssG7cAqv5Bz1xcGMxJL123iCv5TYN4Z/qf647gfuk=
+github.com/moby/buildkit v0.15.0 h1:vnZLThPr9JU6SvItctKoa6NfgPZ8oUApg/TCOaa/SVs=
+github.com/moby/buildkit v0.15.0/go.mod h1:oN9S+8I7wF26vrqn9NuAF6dFSyGTfXvtiu9o1NlnnH4=
github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
@@ -1787,8 +1787,8 @@ github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/
github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
-github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
+github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE=
github.com/opencontainers/selinux v1.8.0/go.mod h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo=
@@ -1873,8 +1873,8 @@ github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+Gx
github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=
github.com/quasilyte/go-ruleguard/dsl v0.3.22/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
@@ -2029,6 +2029,8 @@ github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr
github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY=
github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 h1:7I5c2Ig/5FgqkYOh/N87NzoyI9U15qUPXhDD8uCupv8=
+github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
github.com/twitchtv/twirp v8.1.3+incompatible h1:+F4TdErPgSUbMZMwp13Q/KgDVuI7HJXP61mNV3/7iuU=
github.com/twitchtv/twirp v8.1.3+incompatible/go.mod h1:RRJoFSAmTEh2weEqWtpPE3vFK5YBhA6bqp2l1kfCC5A=
github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
diff --git a/pkg/fanal/analyzer/buildinfo/dockerfile.go b/pkg/fanal/analyzer/buildinfo/dockerfile.go
index f17e5987b1b8..10ae20b4a4c9 100644
--- a/pkg/fanal/analyzer/buildinfo/dockerfile.go
+++ b/pkg/fanal/analyzer/buildinfo/dockerfile.go
@@ -9,6 +9,7 @@ import (
"github.com/moby/buildkit/frontend/dockerfile/instructions"
"github.com/moby/buildkit/frontend/dockerfile/parser"
"github.com/moby/buildkit/frontend/dockerfile/shell"
+ "github.com/samber/lo"
"golang.org/x/xerrors"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -25,7 +26,7 @@ const dockerfileAnalyzerVersion = 1
type dockerfileAnalyzer struct{}
func (a dockerfileAnalyzer) Analyze(_ context.Context, target analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
- // ported from https://github.com/moby/buildkit/blob/b33357bcd2e3319b0323037c900c13b45a228df1/frontend/dockerfile/dockerfile2llb/convert.go#L73
+ // ported from https://github.com/moby/buildkit/blob/e83d79a51fb49aeb921d8a2348ae14a58701c98c/frontend/dockerfile/dockerfile2llb/convert.go#L88-L89
dockerfile, err := parser.Parse(target.Content)
if err != nil {
return nil, xerrors.Errorf("dockerfile parse error: %w", err)
@@ -44,28 +45,27 @@ func (a dockerfileAnalyzer) Analyze(_ context.Context, target analyzer.AnalysisI
}
shlex := shell.NewLex(dockerfile.EscapeToken)
- env := metaArgsToMap(args)
-
+ envs := metaArgsToEnvGetter(args)
var component, arch string
for _, st := range stages {
for _, cmd := range st.Commands {
switch c := cmd.(type) {
case *instructions.EnvCommand:
- for _, kvp := range c.Env {
- env[kvp.Key] = kvp.Value
- }
+ envs.addKeyValuePairsToEnvGetter(c.Env)
case *instructions.LabelCommand:
for _, kvp := range c.Labels {
- key, err := shlex.ProcessWordWithMap(kvp.Key, env)
+ workResult, err := shlex.ProcessWordWithMatches(kvp.Key, envs)
if err != nil {
return nil, xerrors.Errorf("unable to evaluate the label '%s': %w", kvp.Key, err)
}
- key = strings.ToLower(key)
+ key := strings.ToLower(workResult.Result)
if key == "com.redhat.component" || key == "bzcomponent" {
- component, err = shlex.ProcessWordWithMap(kvp.Value, env)
+ workResult, err = shlex.ProcessWordWithMatches(kvp.Value, envs)
+ component = workResult.Result
} else if key == "architecture" {
- arch, err = shlex.ProcessWordWithMap(kvp.Value, env)
+ workResult, err = shlex.ProcessWordWithMatches(kvp.Value, envs)
+ arch = workResult.Result
}
if err != nil {
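Review bot: In both value branches the result is consumed before the error is checked — `workResult, err = shlex.ProcessWordWithMatches(kvp.Value, envs)` is immediately followed by `component = workResult.Result` (and likewise `arch = workResult.Result`), with the shared `if err != nil` only coming afterwards. It is harmless only because the function returns on error right after; the conventional shape is to check `err` inside each branch before assigning, or to assign from `workResult.Result` after the shared check. ProcessWordWithMatches also reports which variables were referenced but had no value (if the buildkit version in use exposes an unmatched set on its result), and the hunk drops that information silently, so a label that references an undeclared ARG resolves to an empty string with no trace; if that is intended, a comment such as `// unmatched variables are ignored; labels referencing undefined ARGs resolve to ""` would make it explicit. Analyze begins before this hunk and continues after it.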
@@ -117,15 +117,38 @@ func parseVersion(nvr string) string {
return version
}
-// https://github.com/moby/buildkit/blob/b33357bcd2e3319b0323037c900c13b45a228df1/frontend/dockerfile/dockerfile2llb/convert.go#L474-L482
-func metaArgsToMap(metaArgs []instructions.KeyValuePairOptional) map[string]string {
- m := make(map[string]string)
+type envGetter struct {
+ m map[string]string
+}
- for _, arg := range metaArgs {
- m[arg.Key] = arg.ValueString()
+func (e *envGetter) addKeyValuePairsToEnvGetter(kvp instructions.KeyValuePairs) {
+ if e.m == nil {
+ e.m = make(map[string]string)
}
- return m
+ for _, kv := range kvp {
+ e.m[kv.Key] = kv.Value
+ }
+}
+
+func metaArgsToEnvGetter(metaArgs []instructions.KeyValuePairOptional) *envGetter {
+ env := &envGetter{
+ m: make(map[string]string),
+ }
+
+ for _, kv := range metaArgs {
+ env.m[kv.Key] = kv.ValueString()
+ }
+ return env
+}
+
+func (e *envGetter) Get(key string) (string, bool) {
+ v, ok := e.m[key]
+ return v, ok
+}
+
+func (e *envGetter) Keys() []string {
+ return lo.Keys(e.m)
}
func setKVValue(kvpo instructions.KeyValuePairOptional, values map[string]string) instructions.KeyValuePairOptional {
From 0e286f074f5bc584b05132f5b4652858da35df17 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Thu, 25 Jul 2024 10:22:20 +0500
Subject: [PATCH 14/16] ci: use free runner for all tests except `build tests` (#7215)
---
.github/workflows/bypass-test.yaml | 4 ++--
.github/workflows/test.yaml | 14 +++++++-------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/bypass-test.yaml b/.github/workflows/bypass-test.yaml
index eafff9769a1d..3a3102e3e574 100644
--- a/.github/workflows/bypass-test.yaml
+++ b/.github/workflows/bypass-test.yaml
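Review bot: The new `envGetter` type and its `Get` and `Keys` methods carry no doc comment, and the link to the buildkit source that the removed `metaArgsToMap` had is gone, so a reader can no longer tell that this type exists to satisfy buildkit's `shell.EnvGetter` interface for `ProcessWordWithMatches`. A comment such as `// envGetter implements shell.EnvGetter over meta ARGs and ENV instructions so label values can be expanded.` on the type, plus restoring the convert.go reference above `metaArgsToEnvGetter`, would cover that. `addKeyValuePairsToEnvGetter` repeats the receiver in its name; `addKeyValuePairs` reads better at the call site as `envs.addKeyValuePairs(c.Env)`. `Keys()` returns `lo.Keys(e.m)`, whose order is map-iteration order and therefore not stable; if the caller only uses it for membership that is fine, but a one-line comment saying so would stop anyone relying on ordering later.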
@@ -22,12 +22,12 @@ jobs:
runs-on: ${{ matrix.operating-system }}
strategy:
matrix:
- operating-system: [ubuntu-latest-m, windows-latest, macos-latest]
+ operating-system: [ubuntu-latest, windows-latest, macos-latest]
steps:
- run: 'echo "No test required"'
integration:
name: Integration Test
- runs-on: ubuntu-latest-m
+ runs-on: ubuntu-latest
steps:
- run: 'echo "No test required"'
\ No newline at end of file
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 2ff471be1c7d..70a21462b29a 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -16,7 +16,7 @@ jobs:
runs-on: ${{ matrix.operating-system }}
strategy:
matrix:
- operating-system: [ubuntu-latest-m, windows-latest, macos-latest]
+ operating-system: [ubuntu-latest, windows-latest, macos-latest]
steps:
- uses: actions/checkout@v4.1.6
@@ -31,7 +31,7 @@ jobs:
echo "Run 'go mod tidy' and push it"
exit 1
fi
- if: matrix.operating-system == 'ubuntu-latest-m'
+ if: matrix.operating-system == 'ubuntu-latest'
- name: Lint
id: lint
@@ -39,7 +39,7 @@ jobs:
with:
version: v1.59
args: --verbose --out-format=line-number
- if: matrix.operating-system == 'ubuntu-latest-m'
+ if: matrix.operating-system == 'ubuntu-latest'
- name: Check if linter failed
run: |
@@ -60,14 +60,14 @@ jobs:
echo "Run 'mage docs:generate' and push it"
exit 1
fi
- if: matrix.operating-system == 'ubuntu-latest-m'
+ if: matrix.operating-system == 'ubuntu-latest'
- name: Run unit tests
run: mage test:unit
integration:
name: Integration Test
- runs-on: ubuntu-latest-m
+ runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
@@ -87,7 +87,7 @@ jobs:
k8s-integration:
name: K8s Integration Test
- runs-on: ubuntu-latest-m
+ runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4.1.6
@@ -129,7 +129,7 @@ jobs:
vm-test:
name: VM Integration Test
- runs-on: ubuntu-latest-m
+ runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4.1.6
From efb1f6938321eec3529ef4fea6608261f6771ae0 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Thu, 25 Jul 2024 12:49:20 +0500
Subject: [PATCH 15/16] feat(sbom): add vulnerability support for SPDX formats (#7213)
---
pkg/flag/options.go | 9 +--
pkg/sbom/spdx/marshal.go | 18 ++++++
pkg/sbom/spdx/marshal_test.go | 106 ++++++++++++++++++++++++++++++++++
3 files changed, 126 insertions(+), 7 deletions(-)
diff --git a/pkg/flag/options.go b/pkg/flag/options.go
index 33190fb76fbe..b485b74ef677 100644
--- a/pkg/flag/options.go
+++ b/pkg/flag/options.go
@@ -410,15 +410,10 @@ func (o *Options) enableSBOM() {
o.Scanners.Enable(types.SBOMScanner)
}
- if o.Format == types.FormatSPDX || o.Format == types.FormatSPDXJSON {
- log.Info(`"--format spdx" and "--format spdx-json" disable security scanning`)
- o.Scanners = types.Scanners{types.SBOMScanner}
- }
-
- if o.Format == types.FormatCycloneDX {
+ if o.Format == types.FormatCycloneDX || o.Format == types.FormatSPDX || o.Format == types.FormatSPDXJSON {
// Vulnerability scanning is disabled by default for CycloneDX.
if !viper.IsSet(ScannersFlag.ConfigName) {
- log.Info(`"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.`)
+ log.Info(fmt.Sprintf(`"--format %[1]s" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "%[1]s" report.`, o.Format))
o.Scanners = nil
}
o.Scanners.Enable(types.SBOMScanner)
diff --git a/pkg/sbom/spdx/marshal.go b/pkg/sbom/spdx/marshal.go
index 1c4a84d60109..35bd0448aa5d 100644
--- a/pkg/sbom/spdx/marshal.go
+++ b/pkg/sbom/spdx/marshal.go
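Review bot: The comment `// Vulnerability scanning is disabled by default for CycloneDX.` in the options.go hunk is now stale: the condition it sits under also covers `types.FormatSPDX` and `types.FormatSPDXJSON`, so it should read `// Vulnerability scanning is disabled by default for SBOM formats (CycloneDX, SPDX, SPDX-JSON) unless --scanners is set explicitly.` The behavioural change worth documenting is that SPDX output previously forced `o.Scanners = types.Scanners{types.SBOMScanner}` unconditionally, whereas it now honours an explicit `--scanners` setting the way CycloneDX already did; a sentence in the flag documentation stating that would help users who relied on the old forced behaviour. The hunk introduces a `fmt.Sprintf` call with no accompanying import hunk, so `fmt` is presumably already imported in options.go. enableSBOM begins before the hunk and continues after it.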
@@ -147,6 +147,15 @@ func (m *Marshaler) Marshal(ctx context.Context, bom *core.BOM) (*spdx.Document,
if err != nil {
return nil, xerrors.Errorf("spdx package error: %w", err)
}
+
+ // Add advisories for package
+ // cf. https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k1-including-security-information-in-a-spdx-document
+ if vulns, ok := bom.Vulnerabilities()[c.ID()]; ok {
+ for _, v := range vulns {
+ spdxPackage.PackageExternalReferences = append(spdxPackage.PackageExternalReferences, m.advisoryExternalReference(v.PrimaryURL))
+ }
+ }
+
packages = append(packages, &spdxPackage)
packageIDs[c.ID()] = spdxPackage.PackageSPDXIdentifier
@@ -184,6 +193,7 @@ func (m *Marshaler) Marshal(ctx context.Context, bom *core.BOM) (*spdx.Document,
relationShips = append(relationShips, m.spdxRelationShip(refA, refB, m.spdxRelationshipType(rel.Type)))
}
}
+ sortPackages(packages)
sortRelationships(relationShips)
sortFiles(files)
@@ -268,6 +278,14 @@ func (m *Marshaler) purlExternalReference(packageURL string) *spdx.PackageExtern
}
}
+func (m *Marshaler) advisoryExternalReference(primaryURL string) *spdx.PackageExternalReference {
+ return &spdx.PackageExternalReference{
+ Category: common.CategorySecurity,
+ RefType: common.TypeSecurityAdvisory,
+ Locator: primaryURL,
+ }
+}
+
func (m *Marshaler) spdxPackage(c *core.Component, pkgDownloadLocation string) (spdx.Package, error) {
pkgID, err := calcPkgID(m.hasher, c)
if err != nil {
diff --git a/pkg/sbom/spdx/marshal_test.go b/pkg/sbom/spdx/marshal_test.go
index 122e529c14d5..4ed35b7fc08c 100644
--- a/pkg/sbom/spdx/marshal_test.go
+++ b/pkg/sbom/spdx/marshal_test.go
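Review bot: The advisory loop appends an external reference for every vulnerability using `v.PrimaryURL` as the locator without checking that it is non-empty, so a vulnerability with no primary URL would produce a SECURITY/advisory ExternalRef with an empty locator, and the reference locator is a required field in the SPDX 2.3 ExternalRef. A guard before the append, `if v.PrimaryURL == "" { continue }`, keeps the document valid; whether PrimaryURL can actually be empty depends on the vulnerability data source and is not visible here. A short doc comment on `advisoryExternalReference`, e.g. `// advisoryExternalReference builds a SECURITY/advisory ExternalRef whose locator is the advisory URL (not the CVE id), per SPDX 2.3 K.1.`, would also save the next reader a trip to the spec. Marshal begins before the first hunk and spdxPackage continues after the last one.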
@@ -821,6 +821,112 @@ func TestMarshaler_Marshal(t *testing.T) {
},
},
},
+ {
+ name: "happy path with vulnerability",
+ inputReport: types.Report{
+ SchemaVersion: report.SchemaVersion,
+ ArtifactName: "log4j-core-2.17.0.jar",
+ ArtifactType: artifact.TypeFilesystem,
+ Results: types.Results{
+ {
+ Target: "Java",
+ Class: types.ClassLangPkg,
+ Type: ftypes.Jar,
+ Packages: []ftypes.Package{
+ {
+ Name: "org.apache.logging.log4j:log4j-core",
+ Version: "2.17.0",
+ Identifier: ftypes.PkgIdentifier{
+ PURL: &packageurl.PackageURL{
+ Type: packageurl.TypeMaven,
+ Namespace: "org.apache.logging.log4j",
+ Name: "log4j-core",
+ Version: "2.17.0",
+ },
+ },
+ },
+ },
+ Vulnerabilities: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "CVE-2021-44832",
+ PkgName: "org.apache.logging.log4j:log4j-core",
+ InstalledVersion: "2.17.0",
+ FixedVersion: "2.3.2, 2.12.4, 2.17.1",
+ PrimaryURL: "https://avd.aquasec.com/nvd/cve-2021-44832",
+ },
+ },
+ },
+ },
+ },
+ wantSBOM: &spdx.Document{
+ SPDXVersion: spdx.Version,
+ DataLicense: spdx.DataLicense,
+ SPDXIdentifier: "DOCUMENT",
+ DocumentName: "log4j-core-2.17.0.jar",
+ DocumentNamespace: "http://aquasecurity.github.io/trivy/filesystem/log4j-core-2.17.0.jar-3ff14136-e09f-4df9-80ea-000000000003",
+ CreationInfo: &spdx.CreationInfo{
+ Creators: []common.Creator{
+ {
+ Creator: "aquasecurity",
+ CreatorType: "Organization",
+ },
+ {
+ Creator: "trivy-0.38.1",
+ CreatorType: "Tool",
+ },
+ },
+ Created: "2021-08-25T12:20:30Z",
+ },
+ Packages: []*spdx.Package{
+ {
+ PackageSPDXIdentifier: spdx.ElementID("Package-4ee6f197f4811213"),
+ PackageDownloadLocation: "NONE",
+ PackageName: "org.apache.logging.log4j:log4j-core",
+ PackageVersion: "2.17.0",
+ PackageLicenseConcluded: "NONE",
+ PackageLicenseDeclared: "NONE",
+ PackageExternalReferences: []*spdx.PackageExternalReference{
+ {
+ Category: tspdx.CategoryPackageManager,
+ RefType: tspdx.RefTypePurl,
+ Locator: "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0",
+ },
+ {
Category: "SECURITY",
+ RefType: "advisory",
+ Locator: "https://avd.aquasec.com/nvd/cve-2021-44832",
+ },
+ },
+ PrimaryPackagePurpose: tspdx.PackagePurposeLibrary,
+ PackageSupplier: &spdx.Supplier{Supplier: tspdx.PackageSupplierNoAssertion},
+ PackageAttributionTexts: []string{
+ "PkgType: jar",
+ },
+ },
+ {
+ PackageSPDXIdentifier: spdx.ElementID("Filesystem-121e7e7a43f02ab"),
+ PackageDownloadLocation: "NONE",
+ PackageName: "log4j-core-2.17.0.jar",
+ PackageAttributionTexts: []string{
+ "SchemaVersion: 2",
+ },
+ PrimaryPackagePurpose: tspdx.PackagePurposeSource,
+ },
+ },
+ Relationships: []*spdx.Relationship{
+ {
+ RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"},
+ RefB: spdx.DocElementID{ElementRefID: "Filesystem-121e7e7a43f02ab"},
+ Relationship: "DESCRIBES",
+ },
+ {
+ RefA: spdx.DocElementID{ElementRefID: "Filesystem-121e7e7a43f02ab"},
+ RefB: spdx.DocElementID{ElementRefID: "Package-4ee6f197f4811213"},
+ Relationship: "CONTAINS",
+ },
+ },
+ },
+ },
{
name: "happy path aggregate results",
inputReport: types.Report{
From 8c87194f0a6b194bc5d340c8a65bd99a3132d973 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Thu, 25 Jul 2024 12:49:55 +0500
Subject: [PATCH 16/16] fix(secret): update length of `hugging-face-access-token` (#7216)
---
pkg/fanal/secret/builtin-rules.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index 6d0c0eacfdcd..cada98d6681a 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -165,7 +165,7 @@ var builtinRules = []Rule{
Category: CategoryHuggingFace,
Severity: "CRITICAL",
Title: "Hugging Face Access Token",
- Regex: MustCompile(`hf_[A-Za-z0-9]{39}`),
+ Regex: MustCompile(`hf_[A-Za-z0-9]{34,40}`),
Keywords: []string{"hf_"},
},
{
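Review bot: The widened quantifier in `Regex: MustCompile(`hf_[A-Za-z0-9]{34,40}`)` is still unanchored on both sides, so an `hf_` followed by more than 40 alphanumerics matches on its first 40 characters and an `hf_` sitting inside a longer identifier also matches; the old `{39}` had the same property, but the variable length makes the reported match boundary less predictable. If the intent is to match a whole token, RE2-compatible word boundaries, `\bhf_[A-Za-z0-9]{34,40}\b`, would restrict the rule to complete tokens; if partial matches are deliberately accepted to survive truncated or concatenated values, a short comment on the rule saying so would stop the next reader from tightening it. A test covering both a 34- and a 40-character token would pin the new range. `builtinRules` begins before this hunk and continues after it.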