fix(vuln): skip empty versions (#6542)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
aquasecurity · Apr 24, 2024 · 164b025 · 164b025
1 parent 5dd9bd4
commit 164b025
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 16 deletions.
diff --git a/pkg/detector/library/detect.go b/pkg/detector/library/detect.go
@@ -1,39 +1,47 @@
 package library
 
 import (
+	"context"
+
 	"golang.org/x/xerrors"
 
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
-// Detect scans and returns vulnerabilities of library
-func Detect(libType ftypes.LangType, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
+// Detect scans language-specific packages and returns vulnerabilities.
+func Detect(ctx context.Context, libType ftypes.LangType, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	driver, ok := NewDriver(libType)
 	if !ok {
 		return nil, nil
 	}
 
-	vulns, err := detect(driver, pkgs)
+	vulns, err := detect(ctx, driver, pkgs)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to scan %s vulnerabilities: %w", driver.Type(), err)
 	}
 
 	return vulns, nil
 }
 
-func detect(driver Driver, libs []ftypes.Package) ([]types.DetectedVulnerability, error) {
+func detect(ctx context.Context, driver Driver, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	var vulnerabilities []types.DetectedVulnerability
-	for _, lib := range libs {
-		vulns, err := driver.DetectVulnerabilities(lib.ID, lib.Name, lib.Version)
+	for _, pkg := range pkgs {
+		if pkg.Version == "" {
+			log.DebugContext(ctx, "Skipping vulnerability scan as no version is detected for the package",
+				log.String("name", pkg.Name))
+			continue
+		}
+		vulns, err := driver.DetectVulnerabilities(pkg.ID, pkg.Name, pkg.Version)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", driver.Type(), err)
 		}
 
 		for i := range vulns {
-			vulns[i].Layer = lib.Layer
-			vulns[i].PkgPath = lib.FilePath
-			vulns[i].PkgIdentifier = lib.Identifier
+			vulns[i].Layer = pkg.Layer
+			vulns[i].PkgPath = pkg.FilePath
+			vulns[i].PkgIdentifier = pkg.Identifier
 		}
 		vulnerabilities = append(vulnerabilities, vulns...)
 	}

diff --git a/pkg/scanner/langpkg/scan.go b/pkg/scanner/langpkg/scan.go
@@ -1,6 +1,7 @@
 package langpkg
 
 import (
+	"context"
 	"sort"
 
 	"golang.org/x/xerrors"
@@ -24,7 +25,7 @@ var (
 
 type Scanner interface {
 	Packages(target types.ScanTarget, options types.ScanOptions) types.Results
-	Scan(target types.ScanTarget, options types.ScanOptions) (types.Results, error)
+	Scan(ctx context.Context, target types.ScanTarget, options types.ScanOptions) (types.Results, error)
 }
 
 type scanner struct{}
@@ -50,7 +51,7 @@ func (s *scanner) Packages(target types.ScanTarget, _ types.ScanOptions) types.R
 	return results
 }
 
-func (s *scanner) Scan(target types.ScanTarget, _ types.ScanOptions) (types.Results, error) {
+func (s *scanner) Scan(ctx context.Context, target types.ScanTarget, _ types.ScanOptions) (types.Results, error) {
 	apps := target.Applications
 	log.Info("Number of language-specific files", log.Int("num", len(apps)))
 	if len(apps) == 0 {
@@ -64,16 +65,16 @@ func (s *scanner) Scan(target types.ScanTarget, _ types.ScanOptions) (types.Resu
 			continue
 		}
 
-		logger := log.WithPrefix(string(app.Type))
+		ctx = log.WithContextPrefix(ctx, string(app.Type))
 
 		// Prevent the same log messages from being displayed many times for the same type.
 		if _, ok := printedTypes[app.Type]; !ok {
-			logger.Info("Detecting vulnerabilities...")
+			log.InfoContext(ctx, "Detecting vulnerabilities...")
 			printedTypes[app.Type] = struct{}{}
 		}
 
-		logger.Debug("Scanning packages from the file", log.String("file_path", app.FilePath))
-		vulns, err := library.Detect(app.Type, app.Libraries)
+		log.DebugContext(ctx, "Scanning packages from the file", log.String("file_path", app.FilePath))
+		vulns, err := library.Detect(ctx, app.Type, app.Libraries)
 		if err != nil {
 			return nil, xerrors.Errorf("failed vulnerability detection of libraries: %w", err)
 		} else if len(vulns) == 0 {

diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go
@@ -186,7 +186,7 @@ func (s Scanner) scanVulnerabilities(ctx context.Context, target types.ScanTarge
 	}
 
 	if slices.Contains(options.VulnType, types.VulnTypeLibrary) {
-		vulns, err := s.langPkgScanner.Scan(target, options)
+		vulns, err := s.langPkgScanner.Scan(ctx, target, options)
 		if err != nil {
 			return nil, false, xerrors.Errorf("failed to scan application libraries: %w", err)
 		}