-
Notifications
You must be signed in to change notification settings - Fork 2.4k
/
alpine.go
166 lines (145 loc) · 5.07 KB
/
alpine.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
package alpine
import (
"strings"
"time"
version "github.com/knqyf263/go-apk-version"
"golang.org/x/xerrors"
"k8s.io/utils/clock"
ftypes "github.com/aquasecurity/fanal/types"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
"github.com/aquasecurity/trivy/pkg/types"
)
var (
eolDates = map[string]time.Time{
"2.0": time.Date(2012, 4, 1, 23, 59, 59, 0, time.UTC),
"2.1": time.Date(2012, 11, 1, 23, 59, 59, 0, time.UTC),
"2.2": time.Date(2013, 5, 1, 23, 59, 59, 0, time.UTC),
"2.3": time.Date(2013, 11, 1, 23, 59, 59, 0, time.UTC),
"2.4": time.Date(2014, 5, 1, 23, 59, 59, 0, time.UTC),
"2.5": time.Date(2014, 11, 1, 23, 59, 59, 0, time.UTC),
"2.6": time.Date(2015, 5, 1, 23, 59, 59, 0, time.UTC),
"2.7": time.Date(2015, 11, 1, 23, 59, 59, 0, time.UTC),
"3.0": time.Date(2016, 5, 1, 23, 59, 59, 0, time.UTC),
"3.1": time.Date(2016, 11, 1, 23, 59, 59, 0, time.UTC),
"3.2": time.Date(2017, 5, 1, 23, 59, 59, 0, time.UTC),
"3.3": time.Date(2017, 11, 1, 23, 59, 59, 0, time.UTC),
"3.4": time.Date(2018, 5, 1, 23, 59, 59, 0, time.UTC),
"3.5": time.Date(2018, 11, 1, 23, 59, 59, 0, time.UTC),
"3.6": time.Date(2019, 5, 1, 23, 59, 59, 0, time.UTC),
"3.7": time.Date(2019, 11, 1, 23, 59, 59, 0, time.UTC),
"3.8": time.Date(2020, 5, 1, 23, 59, 59, 0, time.UTC),
"3.9": time.Date(2020, 11, 1, 23, 59, 59, 0, time.UTC),
"3.10": time.Date(2021, 5, 1, 23, 59, 59, 0, time.UTC),
"3.11": time.Date(2021, 11, 1, 23, 59, 59, 0, time.UTC),
"3.12": time.Date(2022, 5, 1, 23, 59, 59, 0, time.UTC),
"3.13": time.Date(2022, 11, 1, 23, 59, 59, 0, time.UTC),
"3.14": time.Date(2023, 5, 1, 23, 59, 59, 0, time.UTC),
}
)
type options struct {
clock clock.Clock
}
type option func(*options)
func WithClock(clock clock.Clock) option {
return func(opts *options) {
opts.clock = clock
}
}
// Scanner implements the Alpine scanner
type Scanner struct {
vs alpine.VulnSrc
*options
}
// NewScanner is the factory method for Scanner
func NewScanner(opts ...option) *Scanner {
o := &options{
clock: clock.RealClock{},
}
for _, opt := range opts {
opt(o)
}
return &Scanner{
vs: alpine.NewVulnSrc(),
options: o,
}
}
// Detect vulnerabilities in package using Alpine scanner
func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting Alpine vulnerabilities...")
if strings.Count(osVer, ".") > 1 {
osVer = osVer[:strings.LastIndex(osVer, ".")]
}
log.Logger.Debugf("alpine: os version: %s", osVer)
log.Logger.Debugf("alpine: the number of packages: %d", len(pkgs))
var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
advisories, err := s.vs.Get(osVer, pkg.SrcName)
if err != nil {
return nil, xerrors.Errorf("failed to get alpine advisories: %w", err)
}
installed := utils.FormatSrcVersion(pkg)
installedVersion, err := version.NewVersion(installed)
if err != nil {
log.Logger.Debugf("failed to parse Alpine Linux installed package version: %s", err)
continue
}
for _, adv := range advisories {
if !s.isVulnerable(installedVersion, adv) {
continue
}
vulns = append(vulns, types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
FixedVersion: adv.FixedVersion,
Layer: pkg.Layer,
Custom: adv.Custom,
})
}
}
return vulns, nil
}
func (s *Scanner) isVulnerable(installedVersion version.Version, adv dbTypes.Advisory) bool {
// This logic is for unfixed vulnerabilities, but Trivy DB doesn't have advisories for unfixed vulnerabilities for now
// because Alpine just provides potentially vulnerable packages. It will cause a lot of false positives.
// This is for Aqua commercial products.
if adv.AffectedVersion != "" {
// AffectedVersion means which version introduced this vulnerability.
affectedVersion, err := version.NewVersion(adv.AffectedVersion)
if err != nil {
log.Logger.Debugf("failed to parse Alpine Linux affected package version: %s", err)
return false
}
if affectedVersion.GreaterThan(installedVersion) {
return false
}
}
// This logic is also for unfixed vulnerabilities.
if adv.FixedVersion == "" {
// It means the unfixed vulnerability
return true
}
// Compare versions for fixed vulnerabilities
fixedVersion, err := version.NewVersion(adv.FixedVersion)
if err != nil {
log.Logger.Debugf("failed to parse Alpine Linux fixed version: %s", err)
return false
}
// It means the fixed vulnerability
return installedVersion.LessThan(fixedVersion)
}
// IsSupportedVersion checks the OSFamily can be scanned using Alpine scanner
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 1 {
osVer = osVer[:strings.LastIndex(osVer, ".")]
}
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
}