aquasecurity · knqyf263 · May 7, 2019 · May 7, 2019 · May 7, 2019 · May 7, 2019
diff --git a/README.md b/README.md
@@ -1,10 +1,12 @@
-# trivy
+<img src="imgs/logo.png" width="300">
 
 [![GitHub release](https://img.shields.io/github/release/knqyf263/trivy.svg)](https://github.com/knqyf263/trivy/releases/latest)
 [![CircleCI](https://circleci.com/gh/knqyf263/trivy.svg?style=svg)](https://circleci.com/gh/knqyf263/trivy)
 [![Go Report Card](https://goreportcard.com/badge/github.com/knqyf263/trivy)](https://goreportcard.com/report/github.com/knqyf263/trivy)
 [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/knqyf263/trivy/blob/master/LICENSE)
 
+A Simple and Comprehensive Vulnerability Scanner for Containers
+
 # Abstract
 Scan containers
 

diff --git a/go.mod b/go.mod
@@ -37,3 +37,5 @@ require (
 )
 
 replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55
+
+replace github.com/olekukonko/tablewriter => github.com/knqyf263/tablewriter v0.0.2
diff --git a/go.sum b/go.sum
@@ -128,6 +128,8 @@ github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9D
 github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
+github.com/knqyf263/tablewriter v0.0.2 h1:lGaBruL/oJt8FAlMVy9KU0oQ/6NXAJjvK7wBgZyc+Og=
+github.com/knqyf263/tablewriter v0.0.2/go.mod h1:NDOJQAZxabBL3e13jQVktkvbr6bxXXPon8Lyh7fRPPc=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=

diff --git a/imgs/logo.png b/imgs/logo.png
diff --git a/pkg/scanner/library/bundler/advisory.go b/pkg/scanner/library/bundler/advisory.go
@@ -1,10 +1,16 @@
 package bundler
 
 import (
+	"fmt"
 	"io/ioutil"
 	"os"
 	"path/filepath"
 
+	"github.com/etcd-io/bbolt"
+
+	"github.com/knqyf263/trivy/pkg/db"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+
 	"golang.org/x/xerrors"
 
 	"github.com/knqyf263/trivy/pkg/git"
@@ -28,6 +34,9 @@ type Advisory struct {
 	Osvdb              string
 	Title              string
 	Url                string
+	Description        string
+	CvssV2             float64  `yaml:"cvss_v2"`
+	CvssV3             float64  `yaml:"cvss_v3"`
 	PatchedVersions    []string `yaml:"patched_versions"`
 	UnaffectedVersions []string `yaml:"unaffected_versions"`
 	Related            Related
@@ -42,14 +51,15 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return xerrors.Errorf("error in %s security DB update: %w", s.Type(), err)
 	}
-	s.db, err = walk()
+	s.db, err = s.walk()
 	return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
 	root := filepath.Join(repoPath, "gems")
 
+	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() {
 			return nil
@@ -65,16 +75,48 @@ func walk() (AdvisoryDB, error) {
 			return xerrors.Errorf("failed to unmarshal YAML: %w", err)
 		}
 
+		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.Gem]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.Gem] = append(advisories, advisory)
 
+		// for displaying vulnerability detail
+		var vulnerabilityID string
+		if advisory.Cve != "" {
+			vulnerabilityID = fmt.Sprintf("CVE-%s", advisory.Cve)
+		} else if advisory.Osvdb != "" {
+			vulnerabilityID = fmt.Sprintf("OSVDB-%s", advisory.Osvdb)
+		}
+		vulns = append(vulns, vulnerability.Vulnerability{
+			ID:          vulnerabilityID,
+			CvssScore:   advisory.CvssV2,
+			CvssScoreV3: advisory.CvssV3,
+			References:  append([]string{advisory.Url}, advisory.Related.Url...),
+			Title:       advisory.Title,
+			Description: advisory.Description,
+		})
+
 		return nil
 	})
 	if err != nil {
-		return nil, xerrors.Errorf("error in file wakl: %w", err)
+		return nil, xerrors.Errorf("error in file walk: %w", err)
+	}
+
+	if err = s.saveVulnerabilities(vulns); err != nil {
+		return nil, err
 	}
 	return advisoryDB, nil
 }
+
+func (s *Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+		for _, vuln := range vulns {
+			if err := db.Put(b, vuln.ID, vulnerability.RubySec, vuln); err != nil {
+				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+			}
+		}
+		return nil
+	})
+}
diff --git a/pkg/scanner/library/composer/advisory.go b/pkg/scanner/library/composer/advisory.go
@@ -6,7 +6,13 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/etcd-io/bbolt"
+
+	"github.com/knqyf263/trivy/pkg/db"
+	"golang.org/x/xerrors"
+
 	"github.com/knqyf263/trivy/pkg/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
 	"github.com/knqyf263/trivy/pkg/git"
 	"gopkg.in/yaml.v2"
@@ -38,12 +44,13 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = walk()
+	s.db, err = s.walk()
 	return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
+	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() || !strings.HasPrefix(info.Name(), "CVE-") {
 			return nil
@@ -58,16 +65,39 @@ func walk() (AdvisoryDB, error) {
 		if err != nil {
 			return err
 		}
+
+		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.Reference]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.Reference] = append(advisories, advisory)
 
+		// for displaying vulnerability detail
+		vulns = append(vulns, vulnerability.Vulnerability{
+			ID:         advisory.Cve,
+			References: []string{advisory.Link},
+			Title:      advisory.Title,
+		})
+
 		return nil
 	})
 	if err != nil {
+		return nil, xerrors.Errorf("error in file walk: %w", err)
+	}
+	if err = s.saveVulnerabilities(vulns); err != nil {
 		return nil, err
 	}
 	return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+		for _, vuln := range vulns {
+			if err := db.Put(b, vuln.ID, vulnerability.PhpSecurityAdvisories, vuln); err != nil {
+				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+			}
+		}
+		return nil
+	})
+}
diff --git a/pkg/scanner/library/npm/advisory.go b/pkg/scanner/library/npm/advisory.go
@@ -2,12 +2,19 @@ package npm
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 
+	"github.com/etcd-io/bbolt"
+
+	"github.com/knqyf263/trivy/pkg/db"
+	"golang.org/x/xerrors"
+
 	"github.com/knqyf263/trivy/pkg/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
 	"github.com/knqyf263/trivy/pkg/git"
 )
@@ -29,6 +36,7 @@ type Advisory struct {
 	Cves               []string
 	VulnerableVersions string `json:"vulnerable_versions"`
 	PatchedVersions    string `json:"patched_versions"`
+	Overview           string
 	Recommendation     string
 	References         []string
 	CvssScoreNumber    json.Number `json:"cvss_score"`
@@ -39,12 +47,13 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = walk()
+	s.db, err = s.walk()
 	return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
+	var vulns []vulnerability.Vulnerability
 	err := filepath.Walk(filepath.Join(repoPath, "vuln"), func(path string, info os.FileInfo, err error) error {
 		if info.IsDir() || !strings.HasSuffix(info.Name(), ".json") {
 			return nil
@@ -68,16 +77,46 @@ func walk() (AdvisoryDB, error) {
 			advisory.CvssScore = -1
 		}
 
+		// for detecting vulnerabilities
 		advisories, ok := advisoryDB[advisory.ModuleName]
 		if !ok {
 			advisories = []Advisory{}
 		}
 		advisoryDB[advisory.ModuleName] = append(advisories, advisory)
 
+		// for displaying vulnerability detail
+		vulnerabilityIDs := advisory.Cves
+		if len(vulnerabilityIDs) == 0 {
+			vulnerabilityIDs = []string{fmt.Sprintf("NSWG-ECO-%d", advisory.ID)}
+		}
+		for _, vulnID := range vulnerabilityIDs {
+			vulns = append(vulns, vulnerability.Vulnerability{
+				ID:          vulnID,
+				CvssScore:   advisory.CvssScore,
+				References:  advisory.References,
+				Title:       advisory.Title,
+				Description: advisory.Overview,
+			})
+		}
+
 		return nil
 	})
 	if err != nil {
+		return nil, xerrors.Errorf("error in file walk: %w", err)
+	}
+	if err = s.saveVulnerabilities(vulns); err != nil {
 		return nil, err
 	}
 	return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+		for _, vuln := range vulns {
+			if err := db.Put(b, vuln.ID, vulnerability.NodejsSecurityWg, vuln); err != nil {
+				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+			}
+		}
+		return nil
+	})
+}
diff --git a/pkg/scanner/library/pipenv/advisory.go b/pkg/scanner/library/pipenv/advisory.go
@@ -5,9 +5,14 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/etcd-io/bbolt"
+
+	"github.com/knqyf263/trivy/pkg/db"
+
 	"golang.org/x/xerrors"
 
 	"github.com/knqyf263/trivy/pkg/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
 	"github.com/knqyf263/trivy/pkg/git"
 )
@@ -34,24 +39,54 @@ func (s *Scanner) UpdateDB() (err error) {
 	if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
 		return err
 	}
-	s.db, err = parse()
+	s.db, err = s.parse()
 	if err != nil {
 		return xerrors.Errorf("failed to parse python safety-db: %w", err)
 	}
 	return nil
 }
 
-func parse() (AdvisoryDB, error) {
+func (s *Scanner) parse() (AdvisoryDB, error) {
 	advisoryDB := AdvisoryDB{}
 	f, err := os.Open(filepath.Join(repoPath, "data", "insecure_full.json"))
 	if err != nil {
 		return nil, err
 	}
 	defer f.Close()
 
+	// for detecting vulnerabilities
 	if err = json.NewDecoder(f).Decode(&advisoryDB); err != nil {
 		return nil, err
 	}
 
+	// for displaying vulnerability detail
+	var vulns []vulnerability.Vulnerability
+	for _, advisories := range advisoryDB {
+		for _, advisory := range advisories {
+			vulnerabilityID := advisory.Cve
+			if vulnerabilityID == "" {
+				vulnerabilityID = advisory.ID
+			}
+			vulns = append(vulns, vulnerability.Vulnerability{
+				ID:    vulnerabilityID,
+				Title: advisory.Advisory,
+			})
+		}
+	}
+	if err = s.saveVulnerabilities(vulns); err != nil {
+		return nil, err
+	}
+
 	return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+		for _, vuln := range vulns {
+			if err := db.Put(b, vuln.ID, vulnerability.PythonSafetyDB, vuln); err != nil {
+				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+			}
+		}
+		return nil
+	})
+}
diff --git a/pkg/scanner/library/scan.go b/pkg/scanner/library/scan.go
@@ -96,7 +96,7 @@ func scan(scanner Scanner, pkgs []ptypes.Library) ([]types.Vulnerability, error)
 		return nil, xerrors.Errorf("failed to update %s advisories: %w", scanner.Type(), err)
 	}
 
-	log.Logger.Infof("Detect %s vulnerabilities", scanner.Type())
+	log.Logger.Infof("Detecting %s vulnerabilities...", scanner.Type())
 	var vulnerabilities []types.Vulnerability
 	for _, pkg := range pkgs {
 		v, err := version.NewVersion(pkg.Version)

diff --git a/pkg/scanner/scan.go b/pkg/scanner/scan.go
@@ -25,6 +25,12 @@ import (
 	"github.com/knqyf263/fanal/extractor"
 )
 
+var (
+	sources = []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
+		vulnerability.DebianOVAL, vulnerability.Alpine, vulnerability.RubySec, vulnerability.PhpSecurityAdvisories,
+		vulnerability.NodejsSecurityWg, vulnerability.PythonSafetyDB}
+)
+
 func ScanImage(imageName, filePath string, severities []vulnerability.Severity) (report.Results, error) {
 	var results report.Results
 	var err error
@@ -134,8 +140,7 @@ func getDetail(vulnID string) (vulnerability.Severity, string) {
 }
 
 func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.Severity {
-	for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
-		vulnerability.DebianOVAL, vulnerability.Alpine} {
+	for _, source := range sources {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -154,8 +159,7 @@ func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.S
 }
 
 func getTitle(details map[string]vulnerability.Vulnerability) string {
-	for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
-		vulnerability.DebianOVAL, vulnerability.Alpine} {
+	for _, source := range sources {
 		d, ok := details[source]
 		if !ok {
 			continue
Original file line number	Diff line number	Diff line change
Expand Up		@@ -37,3 +37,5 @@ require (
		)

		replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55

		replace github.com/olekukonko/tablewriter => github.com/knqyf263/tablewriter v0.0.2