Stage/vuls - vuls - Gitea: Git with a cup of tea

Stage/vuls

Author	SHA1	Message	Date
MaineK00n	878c25bf5a	feat(detector, contrib/trivy-to-vuls): collect vendor severity and cvss (#1921 )	2024-05-17 19:11:51 +09:00
MaineK00n	e4728e3881	fix(gost/debian): show all severities that appeared (#1914 )	2024-05-16 18:01:01 +09:00
MaineK00n	61c39637f2	feat(scanner/redhat): each package has modularitylabel (#1381 )	2024-05-16 02:54:02 +09:00
tk007	be7b9114cc	feat(PackageURL):add package URL for library scan result (#1862 ) * add: package url in model.Library * feat(trivy-to-vuls): add purl for library scan result * feat(scanner/library): add purl for lockfile scan result * fix: model.Library test * fix: trivy-to-vuls test data * fix: panic case to generate purl * fix: add blank line * fix: trivy-to-vuls for using Trivy version 0.49.0 or earlier * fix: remove comment * fix: remove print * fix: testcase for Package.Identifier does not exist version * fix: add blank line * fix: expected libs * fix: PackageURL -> PURL * fix: blank line	2024-03-07 16:21:15 +09:00
MaineK00n	bf14b5f61f	fix(detector): library.Scan move to detector (#1864 )	2024-03-06 16:59:06 +09:00
Shunichi Shinohara	d1f9233409	Avoid to use sync.Once inside trivy javadb Updater (#1859 ) * Avoid to use once inside trivy javadb Updater Because detector package may be used as library-like way * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/javadb/javadb.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Avoid else if, unless necessary * go mod tidy * Add package comment --------- Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2024-03-05 15:23:45 +09:00
Shunichi Shinohara	351cf4f712	Update trivy from 0.35.0 to 0.49.1 (#1806 ) * Update trivy 0.35.0->0.48.0 - Specify oras-go 1.2.4 in indirect dependencies docker/docker changes a part of its API at 24.0 - registry: return concrete service type · moby/moby@7b3acdf - `7b3acdff5d (diff-8325eae896b1149bf92c826d07fc29005b1b102000b766ffa5a238d791e0849bR18-R21)` oras-go 1.2.3 uses 23.0.1 and trivy transitively depends on docker/docker 24.y.z. There is a build error between oras-go and docker/dockr. - Update disabled analyzers - Update language scanners, enable all of them * move javadb init to scan.go * Add options for java db init() * Update scanner/base.go * Remove unused codes * Add some lock file names * Typo fix * Remove space character (0x20) * Add java-db options for integration scan * Minor fomartting fix * minor fix * conda is NOT supported by Trivy for library scan * Configure trivy log in report command too * Init trivy in scanner * Use trivy's jar.go and replace client which does almost nothing * mv jar.go * Add sha1 hash to result and add filepath for report phase * Undo added 'vuls scan' options * Update oras-go to 1.2.4 * Move Java DB related config items to report side * Add java db search in detect phase * filter top level jar only * Update trivy to 0.49.1 * go mod tidy * Update to newer interface * Refine lock file list, h/t MaineK00n * Avoid else clauses if possible, h/t MaineK00n * Avoid missing word for find and lang types, h/t MaineK00n * Add missing ecosystems, h/t MaineK00n * Add comments why to use custom jar analyzer, h/t MaineK00n * Misc * Misc * Misc * Include go-dep-parser's pares.go for modification * Move digest field from LibraryScanner to Library * Use inner jars sha1 for each * Add Seek to file head before handling zip file entry * Leave Digest feild empty for entries from pom.xml * Don't import python/pkg (don't look into package.json) * Make privete where private is sufficient * Remove duplicate after Java DB lookup * misc * go mod tidy * Comment out ruby/gemspec * misc * Comment out python/packaging * misc * Use custom jar * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/jar.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Missing changes in name change * Update models/github.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/jar.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Don't import fanal/types at github.go * Rewrite code around java db initialization * Add comment * refactor * Close java db client * rename * Let LibraryScanner have java db client * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * inline variable * misc * Fix typo --------- Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2024-02-28 14:25:58 +09:00
MaineK00n	7e91f5ef7e	fix(contrib/trivy): fix convert for src package (#1842 )	2024-02-02 15:35:05 +09:00
MaineK00n	d1224991a0	feat(models/nvd): group by source (#1805 )	2023-12-08 19:36:26 +09:00
MaineK00n	7e12e9abc4	chore(deps): bump go-cve-dictionary to 0.10.0 (#1803 )	2023-12-07 12:48:14 +09:00
MaineK00n	78b52d6a7f	feat(detector/cve): new support for fortinet data feed (#1736 )	2023-09-25 16:19:10 +09:00
Kota Kanbe	5a6980436a	feat(ubuntu): Support Ubuntu 14.04 and 16.04 ESM (#1682 ) * feat(ubuntu): Support Ubuntu ESM * Sort PackageFixStatuses to resolve the diff in integrationTest * go mod update gost	2023-05-31 09:27:43 +09:00
MaineK00n	947d668452	feat(windows): support Windows (#1581 ) * chore(deps): mod update * fix(scanner): do not attach tty because there is no need to enter ssh password * feat(windows): support Windows	2023-03-28 19:00:33 +09:00
MaineK00n	4e486dae1d	style: fix typo (#1592 ) * style: fix typo * style: add comment	2023-02-22 15:59:47 +09:00
MaineK00n	897fef24a3	feat(detector/exploitdb): mod update and add more urls (#1610 )	2023-02-22 15:58:24 +09:00
MaineK00n	73f0adad95	fix: use GetCveContentTypes instead of NewCveContentType (#1603 )	2023-02-21 11:56:26 +09:00
Sinclair	1927ed344c	fix(report): tidy dependencies for multiple repo on integration with GSA (#1593 ) * initialize dependencyGraphManifests out of loop * remove GitHubSecurityAlert.PackageName * tidy dependency map for multi repo * set repo name into SBOM components & purl for multi repo	2023-02-07 19:47:32 +09:00
kl-sinclair	ca64d7fc31	feat(report): Include dependencies into scan result and cyclondex for supply chain security on Integration with GitHub Security Alerts (#1584 ) * feat(report): Enhance scan result and cyclondex for supply chain security on Integration with GitHub Security Alerts * derive ecosystem/version from dependency graph * fix vars name && fetch manifest info on GSA && arrange ghpkgToPURL structure * fix miscs * typo in error message * fix ecosystem equally to trivy * miscs * refactoring * recursive dependency graph pagination * change var name && update comments * omit map type of ghpkgToPURL in signatures * fix vars name * goimports * make fmt * fix comment Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2023-01-20 15:32:36 +09:00
Kota Kanbe	f6cd4d9223	feat(libscan): support conan.lock C/C++ (#1572 )	2022-12-20 11:22:36 +09:00
Kota Kanbe	03c59866d4	feat(libscan): support gradle.lockfile (#1568 ) * feat(libscan): support gradle.lockfile * add gradle.lockfile to integration test * fix readme * chore: update integration * find *gradle.lockfile Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2022-12-20 08:52:45 +09:00
MaineK00n	ab54266f9e	fix(library): fill libraryFixedIns{}.key in ftypes.Pnpm and ftypes.DotNetCore (#1498 ) * fix(library): fill key in ftypes.Pnpm and ftypes.DotNetCore * chore(library): change the data structure of LibraryMap	2022-07-26 13:53:50 +09:00
dependabot[bot]	139f3a81b6	chore(deps): bump github.com/aquasecurity/trivy from 0.27.1 to 0.30.0 (#1494 ) * chore(deps): bump github.com/aquasecurity/trivy from 0.27.1 to 0.30.0 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.27.1 to 0.30.0. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml) - [Commits](https://github.com/aquasecurity/trivy/compare/v0.27.1...v0.30.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * chore(deps): bump github.com/aquasecurity/trivy from 0.30.0 to 0.30.2 * fix(library): change fanal to trivy/pkg/fanal * chore: update integration Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2022-07-25 16:47:57 +09:00
MaineK00n	48f7597bcf	feat(ms): import gost:MaineK00n/new-windows (#1481 ) * feat(ms): import gost:MaineK00n/new-windows * chore(discover): add CTI section * feat(ms): fill KB with VulnInfo.DistroAdvisories instead of CveContent.Optional * fix(ms): Change bitSize from 32 to 64 * fix(ms): delete KB prefix * chore(ms): change logger * fix(ms): fill in correct AdvisoryID Co-authored-by: Sadayuki Matsuno <sadayuki.matsuno@gmail.com>	2022-07-04 14:26:41 +09:00
MaineK00n	5234306ded	feat(cti): add Cyber Threat Intelligence info (#1442 ) * feat(cti): add Cyber Threat Intelligence info * chore: replace io/ioutil as it is deprecated * chore: remove --format-csv in stdout writer * chore(deps): go get go-cti@v0.0.1 * feat(cti): update cti dict(support MITRE ATT&CK v11.1) * chore(deps): go get go-cti@master	2022-06-15 17:08:12 +09:00
MaineK00n	38b1d622f6	feat(cwe): update CWE dictionary (#1443 )	2022-06-09 06:36:54 +09:00
sadayuki-matsuno	1c1e40058e	feat(library) output library type when err (#1460 )	2022-05-16 09:58:58 +09:00
dependabot[bot]	c7eac4e7fe	chore(deps): bump github.com/aquasecurity/trivy from 0.25.4 to 0.27.0 (#1451 ) * chore(deps): bump github.com/aquasecurity/trivy from 0.25.4 to 0.27.0 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.25.4 to 0.27.0. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml) - [Commits](https://github.com/aquasecurity/trivy/compare/v0.25.4...v0.27.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * fix(library): support go.mod scan Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2022-04-27 12:46:47 +09:00
MaineK00n	a1cc152e81	feat(library): add auto detect library (#1417 )	2022-03-17 18:08:40 +09:00
MaineK00n	787604de6a	fix(suse): fix openSUSE, openSUSE Leap, SLES, SLED scan (#1384 ) * fix(suse): fix openSUSE, openSUSE Leap scan * docs: update README * fix: unknown CveContent.Type * fix: tui reporting * fix: listening port was duplicated in format-full-text * fix .gitignore * fix: add EOL data for SLES12.5 Co-authored-by: Kota Kanbe <kotakanbe@gmail.com>	2022-02-15 17:11:54 +09:00
maito1201	1cfe155a3a	feat(fedora): support fedora (#1367 ) * feat(fedora): support fedora * fix(fedora): fix modular package scan * fix(fedora): check needs-restarting, oval arch, add source link Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2022-02-09 09:30:44 +09:00
Kota Kanbe	77049d6cbb	feat(libscan): support trivy v0.23.0 (#1377 ) * feat(libscan): support trivy v0.23.0 * fix lint err * review	2022-02-01 10:40:16 +09:00
MaineK00n	6bc4850596	fix(detector/ospkg): Skip OVAL/gost search when the number of packages is 0 (#1343 ) * fix(detector/ospkg): Skip OVAL/gost search when the number of packages is 0 * chore: easy refactoring	2021-12-26 07:53:18 +09:00
MaineK00n	0c6a892893	style: fix lint (#1335 )	2021-11-19 15:46:51 +09:00
MaineK00n	89d94ad85a	feat(detector): add known exploited vulnerabilities (#1331 ) * feat(kevuln): add known exploited vulnerabilities * chore: transfer repository owner * feat: show CISA on top of CERT * chore: rename var * chore: rename var * chore: fix review * chore: fix message	2021-11-19 15:06:17 +09:00
Kota Kanbe	8659668177	fix(cpescan): bug in NvdVendorProductMatch (#1320 ) * fix(cpescan): bug in NvdVendorProductMatch * update go mod	2021-10-13 12:55:01 +09:00
Kota Kanbe	aac5ef1438	feat: update-trivy (#1316 ) * feat: update-trivy * add v2 parser * implement v2 * refactor * feat: add show version to future-vuls * add test case for v2 * trivy v0.20.0 * support --list-all-pkgs * fix lint err * add test case for jar * add a test case for gemspec in container * remove v1 parser and change Library struct * Changed the field name in the model struct LibraryScanner * add comment * fix comment * fix comment * chore * add struct tag	2021-10-08 17:22:06 +09:00
Kota Kanbe	c73ed7f32f	chore: update find-lock file type (#1309 )	2021-09-24 16:23:23 +09:00
Kota Kanbe	f047a6fe0c	breaking-change: Update vuls-dictionaries (#1307 ) * chore: udpate dictionaries * update gost * chore: update gost * chore(go-cve-dict): use v0.8.1 * chore: change linter from golint to revive * chore(linter): set revive config * chore: fix commands and update golangci-lint version * fix: lint errs * chore: update gost Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2021-09-21 05:10:29 +09:00
MaineK00n	7f15a86d6a	chore: change repository owner (#1306 )	2021-09-16 11:05:37 +09:00
MaineK00n	591786fde6	feat(oval): support new goval-dictionary model (#1280 ) * feat(oval): support new goval-dictionary model * chore: fix lint err * chore: set len of slice to 0 * fix(oval): avoid contamination of AffectedPackages by writing directly to defPacks * fix(oval): avoid contamination of AffectedPackages by writing directly to defPacks * feat(report): do not add duplicate CveContent * chore: goval-dictionary update * chore: go mod tidy * fix(oval): preload Advisory.Cves for Ubuntu https://github.com/kotakanbe/goval-dictionary/pull/152 Co-authored-by: Kota Kanbe <kotakanbe@gmail.com>	2021-09-13 10:19:59 +09:00
Kota Kanbe	4a72295de7	feat(saas): support for library-only scanning (#1300 )	2021-09-10 15:38:35 +09:00
Kota Kanbe	3e67f04fe4	breaking-change(cpescan): Improve Cpe scan (#1290 ) * chore(cpescan): enable to pass useJvn to detector.DetectCpeURIsCves() * review comment * chore: go mod update go-cve * feat(cpescan): set JvnVendorProductMatch to confidence If detected by JVN * add NvdExactVersionMatch andd NvdRoughVersionMatch * add confidence-over option to report * sort CveContetens * fix integration-test	2021-09-07 16:18:59 +09:00
Kota Kanbe	1003f62212	chore: update go-cve-dictionary (#1292 )	2021-08-26 13:45:40 +09:00
MaineK00n	96c3592db1	breaking-change(go-cve-dict): support new go-cve-dictionary (#1277 ) * feat(model): change CveContents(map[string]CveContent) to map[string][]CveContent * fix(cpescan): use CveIDSource * chore: check Nvd, Jvn data * chore: go-cve-dictionary update * chore: add to cveDetails as is, since CveID is embedded in the response	2021-08-13 18:00:55 +09:00
kazuminn	ff83cadd6e	feat(os) : support Alma Linux (#1261 ) * support Alma Linux * fix miss * feat(os) : support Rocky linux (#1260) * support rocky linux scan * fix miss * lint * fix : like #1266 and error Failed to parse CentOS * pass make test * fix miss * fix pointed out with comment * fix golangci-lint error	2021-08-02 04:36:43 +09:00
Kota Kanbe	f0b3a8b1db	feat(cpescan): Use JVN as a second DB for CPE scan (#1268 ) * feat(cpescan): Use JVN as a second DB for CPE scan * feat(tui): display score of detectionmethod * update go.mod	2021-07-08 12:39:46 +09:00
Norihiro NAKAOKA	0b9ec05181	Support scanning Ubuntu using Gost (#1243 ) * chore: add vuls binary in gitignore * feat(gost): support ubuntu * chore(debian): fix typo * feat(ubuntu): more detail on CveContent * chore: update .gitignore * chore: update gost deps * feat(ubuntu): add test in gost/ubuntu * chore: fix typo * Revert "chore: fix typo" This reverts commit `9f2f1db233`. * docs: update README	2021-07-08 08:31:46 +09:00
Norihiro NAKAOKA	0bf12412d6	fix(rocky): fix Scan in Rocky Linux (#1266 ) * fix(rocky): fix OVAL scan in Rocky Linux * chore: add FreeBSD13 EOL, fix #1245 * chore(rocky): add Rocky Linux EOL tests * feat(rocky): implement with reference to CentOS * feat(raspbian): add Raspbian to Server mode * feat(rocky): support gost scan * fix(rocky): rocky support lessThan * chore: update doc and comment	2021-07-08 05:39:48 +09:00
Norihiro NAKAOKA	b8db2e0b74	feat(report): Change the priority of CVE information in Debian (#1202 ) * fix (bug) : using ScanResults refs #1019 * feat(gost): WIP change priority of CVE Info in Debian * feat(report): change priority of CVE Info in Debian * refactor: move RemoveRaspbianPackFromResult * style: remove comment * fix: lint error * style: change coding style * feat(report): support reporting with gost alone * fix: merge error * refactor(debian): change code to be simple	2021-06-21 15:14:41 +09:00
Kota Kanbe	231c63cf62	fix(libscan): support empty LibraryFixedIn (#1252 )	2021-06-16 13:28:12 +09:00

1 2 3 4 5

216 Commits