feat(pacman): check if version is valid

aquasecurity · Jan 16, 2022 · bcd44cd · bcd44cd
1 parent 4603b6b
commit bcd44cd
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/analyzer/pkg/pacman/pacman.go b/analyzer/pkg/pacman/pacman.go
@@ -3,11 +3,14 @@ package pacman
 import (
 	"bufio"
 	"bytes"
+	"log"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 
+	pacmanVersion "github.com/MaineK00n/go-pacman-version"
+
 	"github.com/aquasecurity/fanal/analyzer"
 	"github.com/aquasecurity/fanal/types"
 	"golang.org/x/xerrors"
@@ -60,8 +63,12 @@ func (a pacmanAnalyzer) parsePacmanPkgDesc(scanner *bufio.Scanner) (types.Packag
 			}
 		} else if strings.HasPrefix(line, "%VERSION%") {
 			if scanner.Scan() {
-				var version string
-				splitted := strings.SplitN(scanner.Text(), ":", 2)
+				version := scanner.Text()
+				if !pacmanVersion.Valid(version) {
+					log.Printf("Invalid Version Found : OS %s, Package %s, Version %s", "arch", pkg.Name, version)
+					continue
+				}
+				splitted := strings.SplitN(version, ":", 2)
 				if len(splitted) == 1 {
 					pkg.Epoch = 0
 					version = splitted[0]

diff --git a/go.mod b/go.mod
@@ -5,6 +5,7 @@ go 1.16
 require (
 	github.com/BurntSushi/toml v0.4.1
 	github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0
+	github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184
 	github.com/alicebob/miniredis/v2 v2.17.0
 	github.com/aquasecurity/cfsec v0.2.2
 	github.com/aquasecurity/defsec v0.0.37

diff --git a/go.sum b/go.sum
@@ -125,6 +125,8 @@ github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 h1:wykTgKwhVr2t2qs+xI020s6W5dt614QqCHV+7W9dg64=
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
 github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
+github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184 h1:enu2psM1AcUsNx36T+X13lcy2kmFFV4kwCMmL7i4yiQ=
+github.com/MaineK00n/go-pacman-version v0.0.0-20210916231937-19e87b7d7184/go.mod h1:iMNOZ59Aouwx++SN7zGEi8yB9JTd+ZwYufdnC02mjd4=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=