feat(vuln): include pkg identifier on detected vulnerabilities #5439
Conversation
Signed-off-by: juan131 <[email protected]>
Thanks for your great contribution! I think we should add Identifier in Package as well as DetectedVulnerability, since it is an attribute of the package. What do you think? It means PURLs should be generated in the analysis part.
trivy/pkg/fanal/types/artifact.go
Lines 64 to 102 in f2a12f5
type Package struct {
	ID              string     `json:",omitempty"`
	Name            string     `json:",omitempty"`
	Version         string     `json:",omitempty"`
	Release         string     `json:",omitempty"`
	Epoch           int        `json:",omitempty"`
	Arch            string     `json:",omitempty"`
	Dev             bool       `json:",omitempty"`
	SrcName         string     `json:",omitempty"`
	SrcVersion      string     `json:",omitempty"`
	SrcRelease      string     `json:",omitempty"`
	SrcEpoch        int        `json:",omitempty"`
	Licenses        []string   `json:",omitempty"`
	Maintainer      string     `json:",omitempty"`
	Modularitylabel string     `json:",omitempty"` // only for Red Hat based distributions
	BuildInfo       *BuildInfo `json:",omitempty"` // only for Red Hat
	Ref             string     `json:",omitempty"` // identifier which can be used to reference the component elsewhere
	Indirect        bool       `json:",omitempty"` // whether this package is a direct dependency of the project or not
	// Dependencies of this package
	// Note: it may have interdependencies, which may lead to infinite loops.
	DependsOn []string `json:",omitempty"`
	Layer     Layer    `json:",omitempty"`
	// Each package's metadata has the file path, while a package from a lock file does not.
	FilePath string `json:",omitempty"`
	// This is required when using SPDX formats. Otherwise, it will be empty.
	Digest digest.Digest `json:",omitempty"`
	// lines from the lock file where the dependency is written
	Locations []Location `json:",omitempty"`
	// Files installed by the package
	InstalledFiles []string `json:",omitempty"`
}
PURL can be generated here for language-specific packages.
trivy/pkg/fanal/analyzer/language/analyze.go
Lines 119 to 130 in 44656f2
pkgs = append(pkgs, types.Package{
	ID:        lib.ID,
	Name:      lib.Name,
	Version:   lib.Version,
	Dev:       lib.Dev,
	FilePath:  libPath,
	Indirect:  lib.Indirect,
	Licenses:  licenses,
	DependsOn: deps[lib.ID],
	Locations: locs,
	Digest:    d,
})
OS packages may need to generate PURLs in each analyzer.
trivy/pkg/fanal/analyzer/pkg/apk/apk.go
Lines 65 to 67 in 5b2b4ea
if !pkg.Empty() {
	pkgs = append(pkgs, pkg)
}
@DmitriyLewen Please let me know if you have any comments.
Agree with you @knqyf263 If the package contains
trivy/pkg/detector/ospkg/alpine/alpine.go
Lines 126 to 136 in a1b4744
Thanks for your comments @DmitriyLewen @knqyf263 ! I'll update the PR moving PkgIdentifier as part of the
Signed-off-by: juan131 <[email protected]>
I need advice on how to update
Signed-off-by: juan131 <[email protected]>
I'm still finding issues with integration tests and recreating golden images (
Signed-off-by: juan131 <[email protected]>
Hello @juan131
About ClientServer tests:
trivy/rpc/common/service.proto
Line 104 in b6fafa0
Looks like your changes don't work in client-server mode.
pkg/fanal/test/integration/testdata/goldens/vuln-image1.2.3.expectedpkgsfromcmds.golden
Thanks for implementing the missing changes @DmitriyLewen ! I think with this the PR is ready, am I right?
This is a big PR and I realized that I'm already confusing myself 😄 I think the PR is ready. But perhaps this code requires refactoring. I want to double check this with a clear head.
…quasecurity#5633) Signed-off-by: juan131 <[email protected]>
Signed-off-by: juan131 <[email protected]>
Thanks @DmitriyLewen !! PR was updated
@juan131 there is conflict.
Conflict solved @DmitriyLewen
I'm slowly starting to work this week and will review this PR shortly.
Signed-off-by: knqyf263 <[email protected]>
90e82dc to 4a4b37e
Thanks! I changed the PURL field from string to the PURL struct, but the rest looks good.
Awesome! Thanks so much @knqyf263 @DmitriyLewen
…ecurity#5439) Signed-off-by: juan131 <[email protected]> Signed-off-by: knqyf263 <[email protected]> Co-authored-by: DmitriyLewen <[email protected]> Co-authored-by: DmitriyLewen <[email protected]> Co-authored-by: Nikita Pivkin <[email protected]> Co-authored-by: knqyf263 <[email protected]>
Description
This PR attempts to ensure we include a package identifier on every detected vulnerability, using a generated pURL when there's no package reference.
It deprecates the Results[].Vulnerabilities[].PkgRef (string) field on scan reports in favor of Results[].Vulnerabilities[].PkgIdentifier, which is now an object following the struct below: ... and it enhances the detector so pkg identifiers are generated when there's no package reference.
Before:
After:
Related issues
Checklist