Stage/vuls - vuls - Gitea: Git with a cup of tea

Stage/vuls

Author	SHA1	Message	Date
dependabot[bot]	d4f7550d66	chore(deps): bump github.com/aquasecurity/trivy from 0.52.2 to 0.53.0 (#1984 ) * chore(deps): bump github.com/aquasecurity/trivy from 0.52.2 to 0.53.0 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.52.2 to 0.53.0. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md) - [Commits](https://github.com/aquasecurity/trivy/compare/v0.52.2...v0.53.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * chore(deps): fixed for trivy update * fix windows --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Shunichi Shinohara <shino.shun@gmail.com>	2024-07-05 09:08:36 +09:00
MaineK00n	d8173cdd42	feat(cve/mitre): support go-cve-dictionary:mitre (#1978 ) * feat(cve/mitre): support go-cve-dictionary:mitre * chore: adopt reviewer comment * refactor(models): refactor CveContents method	2024-06-29 16:35:06 +09:00
dependabot[bot]	9107d1b1bc	chore(deps): bump github.com/aquasecurity/trivy from 0.51.1 to 0.51.2 (#1928 ) * --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * chore(deps): go mod tidy * chore(deps): follow type name change --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Shunichi Shinohara <shino.shun@gmail.com>	2024-05-23 05:13:59 +09:00
MaineK00n	878c25bf5a	feat(detector, contrib/trivy-to-vuls): collect vendor severity and cvss (#1921 )	2024-05-17 19:11:51 +09:00
dependabot[bot]	f1c384812a	chore(deps): bump github.com/aquasecurity/trivy from 0.50.1 to 0.51.1 (#1912 ) Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.50.1 to 0.51.1. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml) - [Commits](https://github.com/aquasecurity/trivy/compare/v0.50.1...v0.51.1) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-05-15 22:37:12 +09:00
Shunichi Shinohara	8f4025120d	(fix) Exclude dev dependencies from npm's package-lock.json and Fix Java DB download endpoint (#1893 ) * (fix) Exclude dev dependencies from npm's package-lock.json * chore(integration) update * choir(integration) add lib scan names to makefile * fix(javadb) add schema version only once	2024-04-17 17:23:57 +09:00
deferdeter	cfbe47bd99	chore: fix some typos in comments (#1897 ) Signed-off-by: deferdeter <deferdeter@outlook.com>	2024-04-16 19:14:00 +09:00
dependabot[bot]	5d5dcd5f41	chore(deps): bump github.com/aquasecurity/trivy from 0.49.1 to 0.50.1 (#1885 ) * chore(deps): bump github.com/aquasecurity/trivy from 0.49.1 to 0.50.1 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.49.1 to 0.50.1. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml) - [Commits](https://github.com/aquasecurity/trivy/compare/v0.49.1...v0.50.1) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * refactor(cmd/report): use trivy default for trivy-java-db-repository default value --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2024-03-28 13:09:49 +09:00
future-ryunosuketanai	50580f6e98	feat(wpscan): support enterprise feature (#1875 ) * supported the enterprise version of wpscan * remove omitempty * fix struct pointer * Update detector/wordpress.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * add exploitdb to wpscan ref * unexport WpCveInfos, WpCveInfo, and References * unexport some wpscan struct and fix poc, exploit assign * change OffensiveSecurityType to wpscan * Update detector/wordpress.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> --------- Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2024-03-22 16:17:16 +09:00
Shunichi Shinohara	99cf9dbccd	feat(detector/library): update JAR-like files' Name/Version in library list (#1874 ) * Update JAR-like files in library list * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go --------- Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2024-03-19 15:17:37 +09:00
MaineK00n	bf14b5f61f	fix(detector): library.Scan move to detector (#1864 )	2024-03-06 16:59:06 +09:00
Shunichi Shinohara	d1f9233409	Avoid to use sync.Once inside trivy javadb Updater (#1859 ) * Avoid to use once inside trivy javadb Updater Because detector package may be used as library-like way * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Avoid else if, unless necessary * go mod tidy * Add package comment --------- Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2024-03-05 15:23:45 +09:00
Shunichi Shinohara	351cf4f712	Update trivy from 0.35.0 to 0.49.1 (#1806 ) * Update trivy 0.35.0->0.48.0 - Specify oras-go 1.2.4 in indirect dependencies docker/docker changes a part of its API at 24.0 - registry: return concrete service type · moby/moby@7b3acdf - `7b3acdff5d (diff-8325eae896b1149bf92c826d07fc29005b1b102000b766ffa5a238d791e0849bR18-R21)` oras-go 1.2.3 uses 23.0.1 and trivy transitively depends on docker/docker 24.y.z. There is a build error between oras-go and docker/dockr. - Update disabled analyzers - Update language scanners, enable all of them * move javadb init to scan.go * Add options for java db init() * Update scanner/base.go * Remove unused codes * Add some lock file names * Typo fix * Remove space character (0x20) * Add java-db options for integration scan * Minor fomartting fix * minor fix * conda is NOT supported by Trivy for library scan * Configure trivy log in report command too * Init trivy in scanner * Use trivy's jar.go and replace client which does almost nothing * mv jar.go * Add sha1 hash to result and add filepath for report phase * Undo added 'vuls scan' options * Update oras-go to 1.2.4 * Move Java DB related config items to report side * Add java db search in detect phase * filter top level jar only * Update trivy to 0.49.1 * go mod tidy * Update to newer interface * Refine lock file list, h/t MaineK00n * Avoid else clauses if possible, h/t MaineK00n * Avoid missing word for find and lang types, h/t MaineK00n * Add missing ecosystems, h/t MaineK00n * Add comments why to use custom jar analyzer, h/t MaineK00n * Misc * Misc * Misc * Include go-dep-parser's pares.go for modification * Move digest field from LibraryScanner to Library * Use inner jars sha1 for each * Add Seek to file head before handling zip file entry * Leave Digest feild empty for entries from pom.xml * Don't import python/pkg (don't look into package.json) * Make privete where private is sufficient * Remove duplicate after Java DB lookup * misc * go mod tidy * Comment out ruby/gemspec * misc * Comment out python/packaging * misc * Use custom jar * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/jar.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Missing changes in name change * Update models/github.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/jar.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Don't import fanal/types at github.go * Rewrite code around java db initialization * Add comment * refactor * Close java db client * rename * Let LibraryScanner have java db client * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * inline variable * misc * Fix typo --------- Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2024-02-28 14:25:58 +09:00
MaineK00n	7e12e9abc4	chore(deps): bump go-cve-dictionary to 0.10.0 (#1803 )	2023-12-07 12:48:14 +09:00
MaineK00n	1832b4ee3a	feat(macos): support macOS (#1712 )	2023-09-25 16:51:09 +09:00
MaineK00n	78b52d6a7f	feat(detector/cve): new support for fortinet data feed (#1736 )	2023-09-25 16:19:10 +09:00
Sinclair	6271ec522e	fix(detector/github): Enhance the dependency graph API call on the big repository (#1681 ) * fix: Reduce the number of data to be fetched per page, when retrying after a timeout failure on Dependency Graph API * check rate limit on dependency graph API * comment	2023-05-26 14:39:02 +09:00
Sinclair	5c79720f56	fix(detector/github): Dependency graph API touches fewer data per page than before (#1654 ) * fix: Github dependency graph API touches fewer data per page than before * fix: logging on Github API access failure * fix: the previous errors persist upon retrying dependency graph	2023-05-15 19:41:04 +09:00
MaineK00n	7475b27f6a	chore(deps): update dictionary tools, Vuls is now CGO free (#1667 ) * chore(deps): update dictionary tools, Vuls is now CGO free * chore(integration): update commit	2023-05-11 00:28:51 +09:00
Sinclair	b91a7b75e2	fix(detector/github): Github dependency graph API request will be retried on error (#1650 ) * fix: Github dependency graph API request will be retried on error * fix: github dependency graph: error handling * github dependency graph: fix retry max	2023-04-24 12:46:29 +09:00
MaineK00n	d4d33fc81d	fix(scanner/dpkg): Fix false-negative in Debian and Ubuntu (#1646 ) * fix(scanner/dpkg): fix dpkg-query and not remove src pkgs * refactor(gost): remove unnecesary field and fix typo * refactor(detector/debian): detect using only SrcPackage	2023-04-20 11:42:53 +09:00
Sinclair	2cdfbe3bb4	fix: dependency graph using small query at once to avoid timeout (#1642 )	2023-04-14 14:46:31 +09:00
MaineK00n	947d668452	feat(windows): support Windows (#1581 ) * chore(deps): mod update * fix(scanner): do not attach tty because there is no need to enter ssh password * feat(windows): support Windows	2023-03-28 19:00:33 +09:00
sadayuki-matsuno	984debe929	fix(detector/github) change timeout 10s to 10m (#1616 )	2023-03-01 16:58:11 +09:00
MaineK00n	4e486dae1d	style: fix typo (#1592 ) * style: fix typo * style: add comment	2023-02-22 15:59:47 +09:00
MaineK00n	897fef24a3	feat(detector/exploitdb): mod update and add more urls (#1610 )	2023-02-22 15:58:24 +09:00
MaineK00n	73f0adad95	fix: use GetCveContentTypes instead of NewCveContentType (#1603 )	2023-02-21 11:56:26 +09:00
Sinclair	1927ed344c	fix(report): tidy dependencies for multiple repo on integration with GSA (#1593 ) * initialize dependencyGraphManifests out of loop * remove GitHubSecurityAlert.PackageName * tidy dependency map for multi repo * set repo name into SBOM components & purl for multi repo	2023-02-07 19:47:32 +09:00
MaineK00n	ad2edbb844	fix(ubuntu): vulnerability detection for kernel package (#1591 ) * fix(ubuntu): vulnerability detection for kernel package * feat(gost/ubuntu): update mod to treat status: deferred as unfixed * feat(ubuntu): support 22.10	2023-02-03 15:56:58 +09:00
kl-sinclair	ca64d7fc31	feat(report): Include dependencies into scan result and cyclondex for supply chain security on Integration with GitHub Security Alerts (#1584 ) * feat(report): Enhance scan result and cyclondex for supply chain security on Integration with GitHub Security Alerts * derive ecosystem/version from dependency graph * fix vars name && fetch manifest info on GSA && arrange ghpkgToPURL structure * fix miscs * typo in error message * fix ecosystem equally to trivy * miscs * refactoring * recursive dependency graph pagination * change var name && update comments * omit map type of ghpkgToPURL in signatures * fix vars name * goimports * make fmt * fix comment Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2023-01-20 15:32:36 +09:00
Kota Kanbe	03c59866d4	feat(libscan): support gradle.lockfile (#1568 ) * feat(libscan): support gradle.lockfile * add gradle.lockfile to integration test * fix readme * chore: update integration * find *gradle.lockfile Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2022-12-20 08:52:45 +09:00
Satoru Nihei	379fc8a1a1	fix: fix query (#1534 )	2022-09-28 20:51:20 +09:00
MaineK00n	947fbbb29e	fix(ms): always sets isPkgCvesDetactable to true (#1492 )	2022-09-07 12:05:16 +09:00
dependabot[bot]	139f3a81b6	chore(deps): bump github.com/aquasecurity/trivy from 0.27.1 to 0.30.0 (#1494 ) * chore(deps): bump github.com/aquasecurity/trivy from 0.27.1 to 0.30.0 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.27.1 to 0.30.0. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml) - [Commits](https://github.com/aquasecurity/trivy/compare/v0.27.1...v0.30.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * chore(deps): bump github.com/aquasecurity/trivy from 0.30.0 to 0.30.2 * fix(library): change fanal to trivy/pkg/fanal * chore: update integration Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2022-07-25 16:47:57 +09:00
MaineK00n	5234306ded	feat(cti): add Cyber Threat Intelligence info (#1442 ) * feat(cti): add Cyber Threat Intelligence info * chore: replace io/ioutil as it is deprecated * chore: remove --format-csv in stdout writer * chore(deps): go get go-cti@v0.0.1 * feat(cti): update cti dict(support MITRE ATT&CK v11.1) * chore(deps): go get go-cti@master	2022-06-15 17:08:12 +09:00
MaineK00n	38b1d622f6	feat(cwe): update CWE dictionary (#1443 )	2022-06-09 06:36:54 +09:00
Satoru Nihei	2158fc6cb1	fix: judge by scannedVia (#1456 )	2022-05-06 09:38:38 +09:00
Satoru Nihei	fd18df1dd4	feat: parse OS version from result of trivy-scan (#1444 ) * chore(deps): bump github.com/aquasecurity/trivy from 0.24.2 to 0.25.4 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.24.2 to 0.25.4. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml) - [Commits](https://github.com/aquasecurity/trivy/compare/v0.24.2...v0.25.4) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * test: add testcase * feat: parse metadata * refactor: change detect logic * refactor: change parsing logic * refactor: refactor check logic before detect * fix: impl without reuseScannedCves * feat: complement :latest tag * Update contrib/trivy/parser/v2/parser.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2022-04-27 10:28:20 +09:00
MaineK00n	8775b5efdf	chore: fix lint error (#1438 ) * chore: fix lint: revive error * chore: golanci-lint uses go 1.18 * chore: refactor tasks in GNUmakefile * chore: add trivy binary in fvuls image	2022-04-15 18:12:13 +09:00
MaineK00n	7d8a24ee1a	refactor(detector): standardize db.NewDB to db.CloseDB (#1380 ) * feat(subcmds/report,server): read environment variables when configPath is "" * refactor: standardize db.NewDB to db.CloseDB * chore: clean up import * chore: error wrap * chore: update goval-dictionary * fix(oval): return Pseudo instead of nil for client * chore: fix comment * fix: lint error	2022-02-19 09:20:45 +09:00
Kota Kanbe	77049d6cbb	feat(libscan): support trivy v0.23.0 (#1377 ) * feat(libscan): support trivy v0.23.0 * fix lint err * review	2022-02-01 10:40:16 +09:00
MaineK00n	6bc4850596	fix(detector/ospkg): Skip OVAL/gost search when the number of packages is 0 (#1343 ) * fix(detector/ospkg): Skip OVAL/gost search when the number of packages is 0 * chore: easy refactoring	2021-12-26 07:53:18 +09:00
MaineK00n	89d94ad85a	feat(detector): add known exploited vulnerabilities (#1331 ) * feat(kevuln): add known exploited vulnerabilities * chore: transfer repository owner * feat: show CISA on top of CERT * chore: rename var * chore: rename var * chore: fix review * chore: fix message	2021-11-19 15:06:17 +09:00
sadayuki-matsuno	ffdb78962f	update dictionaries (#1326 )	2021-10-29 11:24:49 +09:00
Kota Kanbe	6bceddeeda	chore: update goval-dictionary (#1323 ) * chore: update goval-dictionary * fix errs	2021-10-20 11:10:33 +09:00
Kota Kanbe	2dcbff8cd5	chore: sponsor (#1321 ) * fix readme * chore: fix lint	2021-10-17 16:41:51 +09:00
Kota Kanbe	8659668177	fix(cpescan): bug in NvdVendorProductMatch (#1320 ) * fix(cpescan): bug in NvdVendorProductMatch * update go mod	2021-10-13 12:55:01 +09:00
Kota Kanbe	aac5ef1438	feat: update-trivy (#1316 ) * feat: update-trivy * add v2 parser * implement v2 * refactor * feat: add show version to future-vuls * add test case for v2 * trivy v0.20.0 * support --list-all-pkgs * fix lint err * add test case for jar * add a test case for gemspec in container * remove v1 parser and change Library struct * Changed the field name in the model struct LibraryScanner * add comment * fix comment * fix comment * chore * add struct tag	2021-10-08 17:22:06 +09:00
sadayuki-matsuno	d780a73297	add log json option (#1317 )	2021-10-07 16:00:01 +09:00
Kota Kanbe	77808a2c05	feat(go-cve): add error handling (#1313 )	2021-09-30 12:42:43 +09:00

1 2

82 Commits