feat(report): add package path (#1274)

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20211004144717-124d5e3ef398
+	github.com/aquasecurity/fanal v0.0.0-20211005172059-69527b46560c
 	github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798

go.sum

@@ -202,8 +202,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/fanal v0.0.0-20211004144717-124d5e3ef398 h1:D2/7fMPN4qG54w2Baw6odXfO/Itojjl9ZWjTwegqj3A=
-github.com/aquasecurity/fanal v0.0.0-20211004144717-124d5e3ef398/go.mod h1:nXdCM1C89phZEkn/sHQ6S5IjcvxdTnXLSKcftmhFodg=
+github.com/aquasecurity/fanal v0.0.0-20211005172059-69527b46560c h1:pBpjKZpfpWdcotMqZ2J6hMI/lDK5pKshdj2o7+xzLkg=
+github.com/aquasecurity/fanal v0.0.0-20211005172059-69527b46560c/go.mod h1:nXdCM1C89phZEkn/sHQ6S5IjcvxdTnXLSKcftmhFodg=
 github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305 h1:xsniAD6IrP+stY8tkytxE2tk8czkzSN3XaUvzoi1hCk=
 github.com/aquasecurity/go-dep-parser v0.0.0-20210919151457-76db061b9305/go.mod h1:Zc7Eo6tFl9l4XcqsWeabD7jHnXRBK/LdgZuu9GTSVLU=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=

integration/testdata/dockerfile-custom-policies.json.golden

@@ -33,10 +33,7 @@
           "Namespace": "user.bar",
           "Query": "data.user.bar.deny",
           "Severity": "UNKNOWN",
-          "Status": "FAIL",
-          "Layer": {
-            "DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
-          }
+          "Status": "FAIL"
         },
         {
           "Type": "N/A",
@@ -46,10 +43,7 @@
           "Namespace": "user.foo",
           "Query": "data.user.foo.deny",
           "Severity": "UNKNOWN",
-          "Status": "FAIL",
-          "Layer": {
-            "DiffID": "sha256:8dc85f0b450296556c427e94db1d76a25fdce31334a4fcedac370f1aa59c86dc"
-          }
+          "Status": "FAIL"
         }
       ]
     }

integration/testdata/dockerfile.json.golden

@@ -40,10 +40,7 @@
             "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
             "https://avd.aquasec.com/appshield/ds002"
           ],
-          "Status": "FAIL",
-          "Layer": {
-            "DiffID": "sha256:2f8334a38883ba260fc9cab989110b8eea18721ee15c319b83fa3eba8d5981ca"
-          }
+          "Status": "FAIL"
         }
       ]
     }

integration/testdata/nodejs.json.golden

@@ -25,9 +25,6 @@
           "PkgName": "jquery",
           "InstalledVersion": "3.3.9",
           "FixedVersion": "3.4.0",
-          "Layer": {
-            "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-          },
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
           "Title": "js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection",
@@ -95,9 +92,6 @@
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
           "FixedVersion": "4.17.12",
-          "Layer": {
-            "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-          },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
           "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
@@ -135,9 +129,6 @@
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
           "FixedVersion": "4.17.11",
-          "Layer": {
-            "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-          },
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-16487",
           "Title": "lodash: Prototype pollution in utilities function",
@@ -173,9 +164,6 @@
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
           "FixedVersion": "4.17.11",
-          "Layer": {
-            "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-          },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1010266",
           "Title": "Moderate severity vulnerability that affects lodash",
@@ -208,9 +196,6 @@
           "PkgName": "lodash",
           "InstalledVersion": "4.17.4",
           "FixedVersion": "4.17.5",
-          "Layer": {
-            "DiffID": "sha256:0b7517474d221ce39e6d69d41dabef6ae965464eef0d7037ba80361160c0d63c"
-          },
           "SeveritySource": "nodejs-security-wg",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2018-3721",
           "Title": "lodash: Prototype pollution in utilities function",

integration/testdata/pip.json.golden

@@ -25,9 +25,6 @@
           "PkgName": "Werkzeug",
           "InstalledVersion": "0.11",
           "FixedVersion": "0.15.3",
-          "Layer": {
-            "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
-          },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
           "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
@@ -65,9 +62,6 @@
           "PkgName": "Werkzeug",
           "InstalledVersion": "0.11",
           "FixedVersion": "0.11.11",
-          "Layer": {
-            "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
-          },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10516",
           "Title": "python-werkzeug: Cross-site scripting in render_full function in debug/tbtools.py",
@@ -103,9 +97,6 @@
           "PkgName": "Werkzeug",
           "InstalledVersion": "0.11",
           "FixedVersion": "0.11.6",
-          "Layer": {
-            "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
-          },
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
           "Title": "Werkzeug before 0.11.6 includes an open redirect vulnerability via a double slash in the URL. See CVE-2020-28724.",
           "Severity": "UNKNOWN"
@@ -115,9 +106,6 @@
           "PkgName": "Werkzeug",
           "InstalledVersion": "0.11",
           "FixedVersion": "0.12",
-          "Layer": {
-            "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
-          },
           "Title": "The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.",
           "Severity": "UNKNOWN"
         },
@@ -126,9 +114,6 @@
           "PkgName": "Werkzeug",
           "InstalledVersion": "0.11",
           "FixedVersion": "0.15.0",
-          "Layer": {
-            "DiffID": "sha256:6393f36bbbee0b53834ba0f9f585194d9e5ab56b555a2910551254fc8a2aec19"
-          },
           "Title": "Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.",
           "Severity": "UNKNOWN"
         }

pkg/detector/library/detect.go

@@ -8,7 +8,7 @@ import (
 )
 
 // Detect scans and returns vulnerabilities of library
-func Detect(libType string, pkgs []ftypes.LibraryInfo) ([]types.DetectedVulnerability, error) {
+func Detect(libType string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	driver, err := NewDriver(libType)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to new driver: %w", err)
@@ -22,10 +22,10 @@ func Detect(libType string, pkgs []ftypes.LibraryInfo) ([]types.DetectedVulnerab
 	return vulns, nil
 }
 
-func detect(driver Driver, libs []ftypes.LibraryInfo) ([]types.DetectedVulnerability, error) {
+func detect(driver Driver, libs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	var vulnerabilities []types.DetectedVulnerability
 	for _, lib := range libs {
-		vulns, err := driver.Detect(lib.Library.Name, lib.Library.Version)
+		vulns, err := driver.Detect(lib.Name, lib.Version)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", driver.Type(), err)
 		}

pkg/rpc/convert.go

@@ -60,18 +60,16 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
 }
 
 // ConvertFromRPCLibraries returns list of Fanal library
-func ConvertFromRPCLibraries(rpcLibs []*common.Library) []ftypes.LibraryInfo {
-	var libs []ftypes.LibraryInfo
+func ConvertFromRPCLibraries(rpcLibs []*common.Library) []ftypes.Package {
+	var pkgs []ftypes.Package
 	for _, l := range rpcLibs {
-		libs = append(libs, ftypes.LibraryInfo{
-			Library: deptypes.Library{
-				Name:    l.Name,
-				Version: l.Version,
-				License: l.License,
-			},
+		pkgs = append(pkgs, ftypes.Package{
+			Name:    l.Name,
+			Version: l.Version,
+			License: l.License,
 		})
 	}
-	return libs
+	return pkgs
 }
 
 // ConvertToRPCLibraries returns list of libraries
@@ -411,9 +409,9 @@ func ConvertToRPCBlobInfo(diffID string, blobInfo ftypes.BlobInfo) *cache.PutBlo
 		var libs []*common.Library
 		for _, lib := range app.Libraries {
 			libs = append(libs, &common.Library{
-				Name:    lib.Library.Name,
-				Version: lib.Library.Version,
-				License: lib.Library.License,
+				Name:    lib.Name,
+				Version: lib.Version,
+				License: lib.License,
 			})
 		}
 		applications = append(applications, &common.Application{

pkg/rpc/convert_test.go

@@ -141,7 +141,7 @@ func TestConvertFromRpcLibraries(t *testing.T) {
 	tests := []struct {
 		name string
 		args args
-		want []ftypes.LibraryInfo
+		want []ftypes.Package
 	}{
 		{
 			name: "happy path",
@@ -151,9 +151,9 @@ func TestConvertFromRpcLibraries(t *testing.T) {
 					{Name: "bar", Version: "4.5.6"},
 				},
 			},
-			want: []ftypes.LibraryInfo{
-				{Library: ptypes.Library{Name: "foo", Version: "1.2.3"}},
-				{Library: ptypes.Library{Name: "bar", Version: "4.5.6"}},
+			want: []ftypes.Package{
+				{Name: "foo", Version: "1.2.3"},
+				{Name: "bar", Version: "4.5.6"},
 			},
 		},
 	}

pkg/rpc/server/server_test.go

@@ -15,7 +15,6 @@ import (
 
 	"github.com/aquasecurity/fanal/cache"
 	ftypes "github.com/aquasecurity/fanal/types"
-	deptypes "github.com/aquasecurity/go-dep-parser/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/utils"
@@ -406,18 +405,14 @@ func TestCacheServer_PutBlob(t *testing.T) {
 							{
 								Type:     "composer",
 								FilePath: "php-app/composer.lock",
-								Libraries: []ftypes.LibraryInfo{
+								Libraries: []ftypes.Package{
 									{
-										Library: deptypes.Library{
-											Name:    "guzzlehttp/guzzle",
-											Version: "6.2.0",
-										},
+										Name:    "guzzlehttp/guzzle",
+										Version: "6.2.0",
 									},
 									{
-										Library: deptypes.Library{
-											Name:    "guzzlehttp/promises",
-											Version: "v1.3.1",
-										},
+										Name:    "guzzlehttp/promises",
+										Version: "v1.3.1",
 									},
 								},
 							},

pkg/scanner/local/scan.go

@@ -216,7 +216,7 @@ func (s Scanner) scanLibrary(apps []ftypes.Application, options types.ScanOption
 			Type:            app.Type,
 		}
 		if options.ListAllPackages {
-			libReport.Packages = s.listAllPkgs(app)
+			libReport.Packages = app.Libraries
 		}
 		results = append(results, libReport)
 	}
@@ -226,23 +226,6 @@ func (s Scanner) scanLibrary(apps []ftypes.Application, options types.ScanOption
 	return results, nil
 }
 
-func (s Scanner) listAllPkgs(app ftypes.Application) []ftypes.Package {
-	var pkgs []ftypes.Package
-	for _, lib := range app.Libraries {
-		pkgs = append(pkgs, ftypes.Package{
-			Name:    lib.Library.Name,
-			Version: lib.Library.Version,
-			License: lib.Library.License,
-			Layer:   lib.Layer,
-		})
-	}
-	sort.Slice(pkgs, func(i, j int) bool {
-		return strings.Compare(pkgs[i].Name, pkgs[j].Name) <= 0
-	})
-
-	return pkgs
-}
-
 func (s Scanner) misconfsToResults(misconfs []ftypes.Misconfiguration, options types.ScanOptions) report.Results {
 	log.Logger.Infof("Detected config files: %d", len(misconfs))
 	var results report.Results