Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(vuln): include pkg identifier on detected vulnerabilities #5439

Merged
merged 69 commits into from
Dec 27, 2023
Merged

feat(vuln): include pkg identifier on detected vulnerabilities #5439

merged 69 commits into from
Dec 27, 2023

Conversation

juan131
Copy link
Contributor

@juan131 juan131 commented Oct 24, 2023
edited

Description

This PR attempt to ensure we include a package identifier on every detected vulnerability using a generated pURL when there's no package reference.

It deprecates the Results[].Vulnerabilities[].PkgRef (string) field on scan reports in favor of Results[].Vulnerabilities[].PkgIdentifier which is now an object following the struct below:

// PkgIdentifier represents a software identifiers in one of more of the supported formats.
type PkgIdentifier struct {
	// Software identifier in PURL format
	PURL string `json:",omitempty"`
	// Software identifier in CPE format
	CPE string `json:",omitempty"`
}

... and it enhances the detector so pkg identifiers are generated when there's no package reference.

Before :

$ trivy -q i --scanners vuln library/redis:7.2.1-bookworm -f json | jq .Results[].Vulnerabilities[].PkgRef
null
null
null
(...)

After:

$ trivy -q i --scanners vuln library/redis:7.2.1-bookworm -f json | jq .Results[].Vulnerabilities[].PkgIdentifier
{
  "PURL": "pkg:dpkg/apt@2.6.1"
}
{
  "PURL": "pkg:dpkg/bsdutils@1%3A2.38.1-5%2Bb1"
}
{
  "PURL": "pkg:dpkg/coreutils@9.1-1"
}
(...)

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@juan131
feat: include pkg identifier on detected vulnerabilities
8a92c7c 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
fix: integration tests
23665fe 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
fix: unit tests
b6655d4 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
fix: remove reference to deprecated PkgRef
ab66a74 
Signed-off-by: juan131 <jariza@vmware.com>
knqyf263
knqyf263 reviewed Nov 8, 2023
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your great contribution! I think we should add Identifier in Package as well as DetectedVulnerability since it is an attribute of the package. What do you think? It means PURLs should be generated in the analysis part.

trivy/pkg/fanal/types/artifact.go

Lines 64 to 102 in f2a12f5

type Package struct {
ID string `json:",omitempty"`
Name string `json:",omitempty"`
Version string `json:",omitempty"`
Release string `json:",omitempty"`
Epoch int `json:",omitempty"`
Arch string `json:",omitempty"`
Dev bool `json:",omitempty"`
SrcName string `json:",omitempty"`
SrcVersion string `json:",omitempty"`
SrcRelease string `json:",omitempty"`
SrcEpoch int `json:",omitempty"`
Licenses []string `json:",omitempty"`
Maintainer string `json:",omitempty"`
Modularitylabel string `json:",omitempty"` // only for Red Hat based distributions
BuildInfo *BuildInfo `json:",omitempty"` // only for Red Hat
Ref string `json:",omitempty"` // identifier which can be used to reference the component elsewhere
Indirect bool `json:",omitempty"` // this package is direct dependency of the project or not
// Dependencies of this package
// Note: it may have interdependencies, which may lead to infinite loops.
DependsOn []string `json:",omitempty"`
Layer Layer `json:",omitempty"`
// Each package metadata have the file path, while the package from lock files does not have.
FilePath string `json:",omitempty"`
// This is required when using SPDX formats. Otherwise, it will be empty.
Digest digest.Digest `json:",omitempty"`
// lines from the lock file where the dependency is written
Locations []Location `json:",omitempty"`
// Files installed by the package
InstalledFiles []string `json:",omitempty"`
}

PURL can be generated here for language-specific packages.

trivy/pkg/fanal/analyzer/language/analyze.go

Lines 119 to 130 in 44656f2

pkgs = append(pkgs, types.Package{
ID: lib.ID,
Name: lib.Name,
Version: lib.Version,
Dev: lib.Dev,
FilePath: libPath,
Indirect: lib.Indirect,
Licenses: licenses,
DependsOn: deps[lib.ID],
Locations: locs,
Digest: d,
})

OS packages may need to generate PURLs in each analyzer.

trivy/pkg/fanal/analyzer/pkg/apk/apk.go

Lines 65 to 67 in 5b2b4ea

if !pkg.Empty() {
pkgs = append(pkgs, pkg)
}

@DmitriyLewen Please let me know if you have any comments.

knqyf263
knqyf263 reviewed Nov 8, 2023
View reviewed changes
pkg/types/identifier.go Outdated Show resolved Hide resolved
pkg/types/vulnerability.go Outdated Show resolved Hide resolved
@DmitriyLewen
Copy link
Contributor

Agree with you @knqyf263
purl/cpe is one of the package parameters.

If the package contains PkgIdentifier, we can simply add it to DetectedVulnerability:
e.g. for alpine packages:

trivy/pkg/detector/ospkg/alpine/alpine.go

Lines 126 to 136 in a1b4744

vulns = append(vulns, types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgID: pkg.ID,
PkgName: pkg.Name,
InstalledVersion: utils.FormatVersion(pkg),
FixedVersion: adv.FixedVersion,
Layer: pkg.Layer,
PkgRef: pkg.Ref,
Custom: adv.Custom,
DataSource: adv.DataSource,
})

@juan131
Copy link
Contributor Author

juan131 commented Nov 8, 2023

Thanks for your comments @DmitriyLewen @knqyf263 ! I'll update the PR moving PkgIdentifier as part of the Package identity and generate pURL(s) at analysis.

@juan131 juan131 requested a review from knqyf263 November 9, 2023 12:14
@juan131
fix: rpm unit test
05c806a 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
fix: vm unit test
65ff77e 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
fix: artifact unit test
0c2499c 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
linter: skip gocyclo
a2c00b9 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
Merge branch 'main' into feat/pkg-identifier
77b8f68
@juan131
fix: linter warning
f330577 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
Copy link
Contributor Author

juan131 commented Nov 10, 2023

I need advice on how to update pkg/fanal/test/integration/testdata/goldens data automatically to fix integration tests @knqyf263

@DmitriyLewen
Copy link
Contributor

mage test:updateGolden command should update golden files for integration tests.

@juan131
fix: update golden files
1508092 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
fix: update golden files (ii)
bd3d150 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131 juan131 marked this pull request as ready for review November 10, 2023 10:17
@juan131
Merge branch 'main' into feat/pkg-identifier
5172cd6
@juan131
fix: adapt rpm tests
c03e9f6 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
fix: revert localhost references
861a38d 
Signed-off-by: juan131 <jariza@vmware.com>
@juan131
Copy link
Contributor Author

juan131 commented Nov 15, 2023

I'm still finding issues with integration tests and recreating golden images (mage test:updateGolden threw some unauthorized errors). Could you help me with this @DmitriyLewen ?

juan131 and others added 2 commits November 15, 2023 16:37
@DmitriyLewen
Copy link
Contributor

Hello @juan131
I have fixed containerd tests (you may be using macOS or a non-AMD64 processor. In this case, we are skipping containerd tests -

trivy/pkg/fanal/test/integration/containerd_test.go

Line 1 in b6fafa0

//go:build integration && linux
,

trivy/pkg/fanal/test/integration/containerd_test.go

Line 118 in b6fafa0

if runtime.GOARCH != "amd64" {
)

About ClientServer tests:
you need to update rpc package -

trivy/rpc/common/service.proto

Line 104 in b6fafa0

message Vulnerability {

Looks like your changes don't work in client-server mode.

@juan131
Copy link
Contributor Author

juan131 commented Dec 14, 2023

Thanks for implementing the missing changes @DmitriyLewen ! I think with this the PR is ready, am I right?

@DmitriyLewen
Copy link
Contributor

This is a big PR and i realized that I’m already confusing myself 😄

I think the PR is ready. But perhaps this code requires refactoring.

I want to double check this with a clear head.
I'll do it tomorrow or Monday.

@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Dec 19, 2023
edited

Hello @juan131
PR looks good.

We merged #5764
Can you merge main branch into this PR and update goldenfiles, please?

@juan131
Copy link
Contributor Author

juan131 commented Dec 19, 2023
edited

Thanks @DmitriyLewen !! PR was updated

@DmitriyLewen
Copy link
Contributor

@juan131 there is conflict.
I'm also confused - GitHub marked go.mod and go.sum files as modified - https://github.com/aquasecurity/trivy/pull/5439/files#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R16

@juan131
Copy link
Contributor Author

juan131 commented Dec 19, 2023

Conflict solved @DmitriyLewen

@knqyf263
Copy link
Collaborator

I'm slowly starting to work this week and will review this PR shortly.

@DmitriyLewen DmitriyLewen mentioned this pull request Dec 26, 2023
Merged
5 tasks
@knqyf263
refactor: use the PURL struct
4a4b37e 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
knqyf263
knqyf263 approved these changes Dec 27, 2023
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I changed the PURL field from string to the PURL struct, but the rest looks good.

@knqyf263 knqyf263 added this pull request to the merge queue Dec 27, 2023
Merged via the queue into aquasecurity:main with commit 1f0d629 Dec 27, 2023
12 checks passed
@knqyf263 knqyf263 mentioned this pull request Dec 27, 2023
Merged
6 tasks
@juan131 juan131 deleted the feat/pkg-identifier branch January 2, 2024 08:21
@juan131
Copy link
Contributor Author

juan131 commented Jan 2, 2024

Awesome! Thanks so much @knqyf263 @DmitriyLewen

@knqyf263 knqyf263 mentioned this pull request Jan 24, 2024
Merged
6 tasks
carsongee pushed a commit to datarobot/trivy that referenced this pull request Feb 15, 2024
@juan131 @DmitriyLewen
@nikpivkin @knqyf263 @carsongee
feat(vuln): include pkg identifier on detected vulnerabilities (aquas…
dff68f3 
…ecurity#5439)

Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
@aqua-bot aqua-bot mentioned this pull request May 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

@josedonizetti josedonizetti Awaiting requested review from josedonizetti

@chen-keinan chen-keinan Awaiting requested review from chen-keinan chen-keinan is a code owner

@simar7 simar7 Awaiting requested review from simar7

@DmitriyLewen DmitriyLewen Awaiting requested review from DmitriyLewen DmitriyLewen is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@juan131 @DmitriyLewen @knqyf263 @nikpivkin