add trivy parser (#981)

* add trivy parser

* fix test

* format

* add title and summary

* add trivy parse command

* add uploader

* set args by env

* add README

* add err check

* fix

* fix

* fix

* fix test

* update trivy

* refactor

* delete require uuid

* delete uuid from trivy parser

Co-authored-by: Kota Kanbe <kotakanbe@gmail.com>

contrib/trivy/README.md

@@ -0,0 +1,35 @@
+# trivy-to-vuls
+
+## Main Features
+
+- convert trivy's results json to vuls's report json
+
+## Installation
+
+```
+git clone https://github.com/future-architect/vuls.git
+make build-trivy-to-vuls
+```
+
+## Command Reference
+
+```
+Parse trivy json to vuls results
+
+Usage:
+  trivy-to-vuls parse [flags]
+
+Flags:
+  -h, --help                          help for parse
+  -s, --stdin                         input from stdin
+  -d, --trivy-json-dir string         trivy json dir (default "./")
+  -f, --trivy-json-file-name string   trivy json file name (default "results.json")
+```
+
+## Usage
+
+- use trivy output
+
+```
+ trivy -q image -f=json python:3.4-alpine | trivy-to-vuls parse --stdin
+```

contrib/trivy/cmd/main.go

@@ -0,0 +1,73 @@
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"github.com/future-architect/vuls/contrib/trivy/parser"
+	"github.com/future-architect/vuls/models"
+	"github.com/spf13/cobra"
+)
+
+var (
+	serverUUID   string
+	stdIn        bool
+	jsonDir      string
+	jsonFileName string
+)
+
+func main() {
+	var err error
+	var cmdTrivyToVuls = &cobra.Command{
+		Use:   "parse",
+		Short: "Parse trivy json to vuls results",
+		Long:  `Parse trivy json to vuls results`,
+		Run: func(cmd *cobra.Command, args []string) {
+			jsonFilePath := filepath.Join(jsonDir, jsonFileName)
+			var trivyJSON []byte
+			if stdIn {
+				reader := bufio.NewReader(os.Stdin)
+				buf := new(bytes.Buffer)
+				if _, err = buf.ReadFrom(reader); err != nil {
+					return
+				}
+				trivyJSON = buf.Bytes()
+			} else {
+				if trivyJSON, err = ioutil.ReadFile(jsonFilePath); err != nil {
+					fmt.Println("Failed to read file", err)
+					return
+				}
+			}
+
+			scanResult := &models.ScanResult{
+				JSONVersion: models.JSONVersion,
+				ScannedCves: models.VulnInfos{},
+			}
+			if scanResult, err = parser.Parse(trivyJSON, scanResult); err != nil {
+				fmt.Println("Failed to execute command", err)
+				return
+			}
+			var resultJSON []byte
+			if resultJSON, err = json.MarshalIndent(scanResult, "", "   "); err != nil {
+				fmt.Println("Failed to create json", err)
+				return
+			}
+			fmt.Println(string(resultJSON))
+			return
+		},
+	}
+	cmdTrivyToVuls.Flags().BoolVarP(&stdIn, "stdin", "s", false, "input from stdin")
+	cmdTrivyToVuls.Flags().StringVarP(&jsonDir, "trivy-json-dir", "d", "./", "trivy json dir")
+	cmdTrivyToVuls.Flags().StringVarP(&jsonFileName, "trivy-json-file-name", "f", "results.json", "trivy json file name")
+
+	var rootCmd = &cobra.Command{Use: "trivy-to-vuls"}
+	rootCmd.AddCommand(cmdTrivyToVuls)
+	if err = rootCmd.Execute(); err != nil {
+		fmt.Println("Failed to execute command", err)
+	}
+}

contrib/trivy/parser/parser.go

@@ -0,0 +1,163 @@
+package parser
+
+import (
+	"encoding/json"
+	"sort"
+	"time"
+
+	"github.com/aquasecurity/fanal/analyzer/os"
+	"github.com/aquasecurity/trivy/pkg/report"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/future-architect/vuls/models"
+)
+
+// Parse :
+func Parse(vulnJSON []byte, scanResult *models.ScanResult) (result *models.ScanResult, err error) {
+	var trivyResults report.Results
+	if err = json.Unmarshal(vulnJSON, &trivyResults); err != nil {
+		return nil, err
+	}
+
+	pkgs := models.Packages{}
+	vulnInfos := models.VulnInfos{}
+	uniqueLibraryScannerPaths := map[string]models.LibraryScanner{}
+	for _, trivyResult := range trivyResults {
+		for _, vuln := range trivyResult.Vulnerabilities {
+			if _, ok := vulnInfos[vuln.VulnerabilityID]; !ok {
+				vulnInfos[vuln.VulnerabilityID] = models.VulnInfo{
+					CveID: vuln.VulnerabilityID,
+					Confidences: models.Confidences{
+						{
+							Score:           100,
+							DetectionMethod: models.TrivyMatchStr,
+						},
+					},
+					AffectedPackages: models.PackageFixStatuses{},
+					CveContents:      models.CveContents{},
+					LibraryFixedIns:  models.LibraryFixedIns{},
+					// VulnType : "",
+				}
+			}
+			vulnInfo := vulnInfos[vuln.VulnerabilityID]
+			var notFixedYet bool
+			fixState := ""
+			if len(vuln.FixedVersion) == 0 {
+				notFixedYet = true
+				fixState = "Affected"
+			}
+			vulnInfo.AffectedPackages = append(vulnInfo.AffectedPackages, models.PackageFixStatus{
+				Name:        vuln.PkgName,
+				NotFixedYet: notFixedYet,
+				FixState:    fixState,
+				FixedIn:     vuln.FixedVersion,
+			})
+
+			var references models.References
+			for _, reference := range vuln.References {
+				references = append(references, models.Reference{
+					Source: "trivy",
+					Link:   reference,
+				})
+			}
+
+			sort.Slice(references, func(i, j int) bool {
+				return references[i].Link < references[j].Link
+			})
+
+			vulnInfo.CveContents = models.CveContents{
+				models.Trivy: models.CveContent{
+					Cvss3Severity: vuln.Severity,
+					References:    references,
+					Title:         vuln.Title,
+					Summary:       vuln.Description,
+				},
+			}
+			// do only if image type is Vuln
+			if IsTrivySupportedOS(trivyResult.Type) {
+				pkgs[vuln.PkgName] = models.Package{
+					Name:    vuln.PkgName,
+					Version: vuln.InstalledVersion,
+				}
+				// overwrite every time if os package
+				scanResult.Family = trivyResult.Type
+				scanResult.ServerName = trivyResult.Target
+				scanResult.Optional = map[string]interface{}{
+					"trivy-target": trivyResult.Target,
+				}
+				scanResult.ScannedAt = time.Now()
+				scanResult.ScannedBy = "trivy"
+				scanResult.ScannedVia = "trivy"
+			} else {
+				// LibraryScanの結果
+				vulnInfo.LibraryFixedIns = append(vulnInfo.LibraryFixedIns, models.LibraryFixedIn{
+					Key:     trivyResult.Type,
+					Name:    vuln.PkgName,
+					FixedIn: vuln.FixedVersion,
+				})
+				libScanner := uniqueLibraryScannerPaths[trivyResult.Target]
+				libScanner.Libs = append(libScanner.Libs, types.Library{
+					Name:    vuln.PkgName,
+					Version: vuln.InstalledVersion,
+				})
+				uniqueLibraryScannerPaths[trivyResult.Target] = libScanner
+			}
+			vulnInfos[vuln.VulnerabilityID] = vulnInfo
+		}
+	}
+	// flatten and unique libraries
+	libraryScanners := make([]models.LibraryScanner, 0, len(uniqueLibraryScannerPaths))
+	for path, v := range uniqueLibraryScannerPaths {
+		uniqueLibrary := map[string]types.Library{}
+		for _, lib := range v.Libs {
+			uniqueLibrary[lib.Name+lib.Version] = lib
+		}
+
+		var libraries []types.Library
+		for _, library := range uniqueLibrary {
+			libraries = append(libraries, library)
+		}
+
+		sort.Slice(libraries, func(i, j int) bool {
+			return libraries[i].Name < libraries[j].Name
+		})
+
+		libscanner := models.LibraryScanner{
+			Path: path,
+			Libs: libraries,
+		}
+		libraryScanners = append(libraryScanners, libscanner)
+	}
+	sort.Slice(libraryScanners, func(i, j int) bool {
+		return libraryScanners[i].Path < libraryScanners[j].Path
+	})
+	scanResult.ScannedCves = vulnInfos
+	scanResult.Packages = pkgs
+	scanResult.LibraryScanners = libraryScanners
+	return scanResult, nil
+}
+
+// IsTrivySupportedOS :
+func IsTrivySupportedOS(family string) bool {
+	supportedFamilies := []string{
+		os.RedHat,
+		os.Debian,
+		os.Ubuntu,
+		os.CentOS,
+		os.Fedora,
+		os.Amazon,
+		os.Oracle,
+		os.Windows,
+		os.OpenSUSE,
+		os.OpenSUSELeap,
+		os.OpenSUSETumbleweed,
+		os.SLES,
+		os.Photon,
+		os.Alpine,
+	}
+	for _, supportedFamily := range supportedFamilies {
+		if family == supportedFamily {
+			return true
+		}
+	}
+	return false
+}