Merge branch 'main' into lint/gomodguard

aquasecurity · Jun 19, 2024 · b68b7a3 · b68b7a3
2 parents cbfa0c3 + f144e91
commit b68b7a3
Show file tree

Hide file tree

Showing 34 changed files with 931 additions and 16 deletions.
diff --git a/docs/docs/configuration/reporting.md b/docs/docs/configuration/reporting.md
@@ -64,6 +64,7 @@ The following languages are currently supported:
 | PHP      | [composer.lock][composer-lock]             |
 | Java     | [pom.xml][pom-xml]                         |
 |          | [*gradle.lockfile][gradle-lockfile]        |
+|          | [*.sbt.lock][sbt-lockfile]                 |
 | Dart     | [pubspec.lock][pubspec-lock]               |
 
 This tree is the reverse of the dependency graph.
@@ -447,5 +448,6 @@ $ trivy convert --format table --severity CRITICAL result.json
 [composer-lock]: ../coverage/language/php.md#composer
 [pom-xml]: ../coverage/language/java.md#pomxml
 [gradle-lockfile]: ../coverage/language/java.md#gradlelock
+[sbt-lockfile]: ../coverage/language/java.md#sbt
 [pubspec-lock]: ../coverage/language/dart.md#dart
 [cargo-binaries]: ../coverage/language/rust.md#binaries
diff --git a/docs/docs/coverage/language/index.md b/docs/docs/coverage/language/index.md
@@ -38,6 +38,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Java](java.md)      | JAR/WAR/PAR/EAR[^4]                                                                        |     ✅     |     ✅      |       -        |       -        |
 |                      | pom.xml                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | *gradle.lockfile                                                                           |     -     |     -      |       ✅        |       ✅        |
+|                      | *.sbt.lock                                                                                 |     -     |     -      |       ✅        |       ✅        |
 | [Go](golang.md)      | Binaries built by Go                                                                       |     ✅     |     ✅      |       -        |       -        |
 |                      | go.mod                                                                                     |     -     |     -      |       ✅        |       ✅        |
 | [Rust](rust.md)      | Cargo.lock                                                                                 |     ✅     |     ✅      |       ✅        |       ✅        |

diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md
@@ -1,5 +1,5 @@
 # Java
-Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*gradle.lockfile` files.
+Trivy supports four types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml`, `*gradle.lockfile` and `*.sbt.lock` files.
 
 Each artifact supports the following scanners:
 
@@ -8,6 +8,7 @@ Each artifact supports the following scanners:
 | JAR/WAR/PAR/EAR  |  ✓   |       ✓       |    -    |
 | pom.xml          |  ✓   |       ✓       |    ✓    |
 | *gradle.lockfile |  ✓   |       ✓       |    ✓    |
+| *.sbt.lock       |  ✓   |       ✓       |    -    |
 
 The following table provides an outline of the features Trivy offers.
 
@@ -16,6 +17,7 @@ The following table provides an outline of the features Trivy offers.
 | JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
 | pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
 | *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |
+| *.sbt.lock       |          -            |     Exclude      |                  -                   |    ✓     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -94,6 +96,15 @@ Trity also can detect licenses for dependencies.
 
 Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
 
+
+## SBT
+
+`build.sbt.lock` files only contain information about used dependencies. This requires a lockfile generated using the
+[sbt-dependency-lock][sbt-dependency-lock] plugin.
+
+!!!note
+    All necessary files are checked locally. SBT file scanning doesn't require internet access.
+
 [^1]: Uses maven repository to get information about dependencies. Internet access required.
 [^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
 [^3]: `ArtifactID`, `GroupID` and `Version`
@@ -106,4 +117,5 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 [maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html
 [maven-central]: https://repo.maven.apache.org/maven2/
-[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
+[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
+[sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock
diff --git a/integration/repo_test.go b/integration/repo_test.go
@@ -153,6 +153,14 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/gradle.json.golden",
 		},
+		{
+			name: "sbt",
+			args: args{
+				scanner: types.VulnerabilityScanner,
+				input:   "testdata/fixtures/repo/sbt",
+			},
+			golden: "testdata/sbt.json.golden",
+		},
 		{
 			name: "conan",
 			args: args{

diff --git a/integration/testdata/alpine-310.sarif.golden b/integration/testdata/alpine-310.sarif.golden
@@ -184,6 +184,7 @@
         }
       },
       "properties": {
+        "imageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
         "imageName": "testdata/fixtures/images/alpine-310.tar.gz",
         "repoDigests": null,
         "repoTags": null

diff --git a/integration/testdata/fixtures/repo/sbt/build.sbt.lock b/integration/testdata/fixtures/repo/sbt/build.sbt.lock
@@ -0,0 +1,29 @@
+{
+  "lockVersion" : 1,
+  "timestamp" : "2024-06-06T11:03:09.964557Z",
+  "configurations" : [
+    "compile",
+    "optional",
+    "provided",
+    "runtime",
+    "test"
+  ],
+  "dependencies" : [
+    {
+      "org" : "com.fasterxml.jackson.core",
+      "name" : "jackson-databind",
+      "version" : "2.9.1",
+      "artifacts" : [
+        {
+          "name" : "jackson-databind.jar",
+          "hash" : "sha1:716da1830a2043f18882fc036ec26eb32cbe5aff"
+        }
+      ],
+      "configurations" : [
+        "compile",
+        "runtime",
+        "test"
+      ]
+    }
+  ]
+}
diff --git a/integration/testdata/mariner-1.0.json.golden b/integration/testdata/mariner-1.0.json.golden
@@ -42,7 +42,7 @@
           "VulnerabilityID": "CVE-2022-0261",
           "PkgName": "vim",
           "PkgIdentifier": {
-            "PURL": "pkg:cbl-mariner/[email protected]?arch=x86_64",
+            "PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122",
             "UID": "3f08cd76fa5ba73d"
           },
           "InstalledVersion": "8.2.4081-1.cm1",
@@ -79,7 +79,7 @@
           "VulnerabilityID": "CVE-2022-0158",
           "PkgName": "vim",
           "PkgIdentifier": {
-            "PURL": "pkg:cbl-mariner/[email protected]?arch=x86_64",
+            "PURL": "pkg:rpm/cbl-mariner/[email protected]?arch=x86_64\u0026distro=cbl-mariner-1.0.20220122",
             "UID": "3f08cd76fa5ba73d"
           },
           "InstalledVersion": "8.2.4081-1.cm1",

diff --git a/integration/testdata/sbt.json.golden b/integration/testdata/sbt.json.golden
@@ -0,0 +1,149 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/repo/sbt",
+  "ArtifactType": "repository",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "build.sbt.lock",
+      "Class": "lang-pkgs",
+      "Type": "sbt",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2020-9548",
+          "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
+          "PkgName": "com.fasterxml.jackson.core:jackson-databind",
+          "PkgIdentifier": {
+            "PURL": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+            "UID": "9ccd2eb3e03373ff"
+          },
+          "InstalledVersion": "2.9.1",
+          "FixedVersion": "2.9.10.4",
+          "Status": "fixed",
+          "Layer": {},
+          "SeveritySource": "ghsa",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-9548",
+          "DataSource": {
+            "ID": "ghsa",
+            "Name": "GitHub Security Advisory Maven",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
+          },
+          "Title": "jackson-databind: Serialization gadgets in anteros-core",
+          "Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-502"
+          ],
+          "VendorSeverity": {
+            "ghsa": 4,
+            "nvd": 4,
+            "redhat": 3
+          },
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 6.8,
+              "V3Score": 9.8
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V3Score": 8.1
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2020-9548",
+            "https://github.com/FasterXML/jackson-databind/issues/2634",
+            "https://github.com/advisories/GHSA-p43x-xfjf-5jhr",
+            "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E",
+            "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E",
+            "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E",
+            "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E",
+            "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E",
+            "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E",
+            "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E",
+            "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E",
+            "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html",
+            "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062",
+            "https://nvd.nist.gov/vuln/detail/CVE-2020-9548",
+            "https://security.netapp.com/advisory/ntap-20200904-0006/",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2021.html"
+          ],
+          "PublishedDate": "2020-03-02T04:15:00Z",
+          "LastModifiedDate": "2021-12-02T21:23:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2021-20190",
+          "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
+          "PkgName": "com.fasterxml.jackson.core:jackson-databind",
+          "PkgIdentifier": {
+            "PURL": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
+            "UID": "9ccd2eb3e03373ff"
+          },
+          "InstalledVersion": "2.9.1",
+          "FixedVersion": "2.9.10.7",
+          "Status": "fixed",
+          "Layer": {},
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20190",
+          "DataSource": {
+            "ID": "glad",
+            "Name": "GitLab Advisory Database Community",
+            "URL": "https://gitlab.com/gitlab-org/advisories-community"
+          },
+          "Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing",
+          "Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-502"
+          ],
+          "VendorSeverity": {
+            "ghsa": 3,
+            "nvd": 3,
+            "redhat": 3
+          },
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 8.3,
+              "V3Score": 8.1
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V3Score": 8.1
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2021-20190",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=1916633",
+            "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a",
+            "https://github.com/FasterXML/jackson-databind/issues/2854",
+            "https://github.com/advisories/GHSA-5949-rw7g-wx7w",
+            "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E",
+            "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html",
+            "https://nvd.nist.gov/vuln/detail/CVE-2021-20190",
+            "https://security.netapp.com/advisory/ntap-20210219-0008/"
+          ],
+          "PublishedDate": "2021-01-19T17:15:00Z",
+          "LastModifiedDate": "2021-07-20T23:15:00Z"
+        }
+      ]
+    }
+  ]
+}
diff --git a/pkg/dependency/id.go b/pkg/dependency/id.go
@@ -25,7 +25,7 @@ func ID(ltype types.LangType, name, version string) string {
 		if !strings.HasPrefix(version, "v") {
 			version = "v" + version
 		}
-	case types.Jar, types.Pom, types.Gradle:
+	case types.Jar, types.Pom, types.Gradle, types.Sbt:
 		sep = ":"
 	}
 	return name + sep + version

diff --git a/pkg/dependency/id_test.go b/pkg/dependency/id_test.go
@@ -47,6 +47,15 @@ func TestID(t *testing.T) {
 			},
 			want: "test:1.0.0",
 		},
+		{
+			name: "sbt",
+			args: args{
+				ltype:   types.Sbt,
+				name:    "test",
+				version: "1.0.0",
+			},
+			want: "test:1.0.0",
+		},
 		{
 			name: "pip",
 			args: args{

diff --git a/pkg/dependency/parser/java/pom/metadata.go b/pkg/dependency/parser/java/pom/metadata.go
@@ -0,0 +1,17 @@
+package pom
+
+type Metadata struct {
+	GroupId    string     `xml:"groupId"`
+	ArtifactId string     `xml:"artifactId"`
+	Versioning Versioning `xml:"versioning"`
+	Version    string     `xml:"version"`
+}
+
+type Versioning struct {
+	SnapshotVersions []SnapshotVersion `xml:"snapshotVersions>snapshotVersion"`
+}
+
+type SnapshotVersion struct {
+	Extension string `xml:"extension"`
+	Value     string `xml:"value"`
+}