Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
2a00339da1 | ||
|
|
2d959b3af8 | ||
|
|
595e26db41 | ||
|
|
1e457320c5 | ||
|
|
a06e689502 | ||
|
|
ca3f6b1dbf | ||
|
|
f1c78e42a2 | ||
|
|
2f3b8bf3cc | ||
|
|
ab54266f9e | ||
|
|
d79d138440 | ||
|
|
139f3a81b6 | ||
|
|
d1a617cfff |
@@ -88,7 +88,7 @@ NOW=$(shell date --iso-8601=seconds)
|
||||
NOW_JSON_DIR := '${BASE_DIR}/$(NOW)'
|
||||
ONE_SEC_AFTER=$(shell date -d '+1 second' --iso-8601=seconds)
|
||||
ONE_SEC_AFTER_JSON_DIR := '${BASE_DIR}/$(ONE_SEC_AFTER)'
|
||||
LIBS := 'bundler' 'pip' 'pipenv' 'poetry' 'composer' 'npm' 'yarn' 'cargo' 'gomod' 'gosum' 'gobinary' 'jar' 'pom' 'nuget-lock' 'nuget-config' 'nvd_exact' 'nvd_rough' 'nvd_vendor_product' 'nvd_match_no_jvn' 'jvn_vendor_product' 'jvn_vendor_product_nover'
|
||||
LIBS := 'bundler' 'pip' 'pipenv' 'poetry' 'composer' 'npm' 'yarn' 'pnpm' 'cargo' 'gomod' 'gosum' 'gobinary' 'jar' 'pom' 'nuget-lock' 'nuget-config' 'dotnet-deps' 'nvd_exact' 'nvd_rough' 'nvd_vendor_product' 'nvd_match_no_jvn' 'jvn_vendor_product' 'jvn_vendor_product_nover'
|
||||
|
||||
diff:
|
||||
# git clone git@github.com:vulsio/vulsctl.git
|
||||
|
||||
14
config/os.go
14
config/os.go
@@ -41,8 +41,8 @@ func GetEOL(family, release string) (eol EOL, found bool) {
|
||||
case constant.Amazon:
|
||||
eol, found = map[string]EOL{
|
||||
"1": {StandardSupportUntil: time.Date(2023, 6, 30, 23, 59, 59, 0, time.UTC)},
|
||||
"2": {},
|
||||
"2022": {},
|
||||
"2": {StandardSupportUntil: time.Date(2024, 6, 30, 23, 59, 59, 0, time.UTC)},
|
||||
"2022": {StandardSupportUntil: time.Date(2026, 6, 30, 23, 59, 59, 0, time.UTC)},
|
||||
}[getAmazonLinuxVersion(release)]
|
||||
case constant.RedHat:
|
||||
// https://access.redhat.com/support/policy/updates/errata
|
||||
@@ -87,7 +87,7 @@ func GetEOL(family, release string) (eol EOL, found bool) {
|
||||
case constant.Rocky:
|
||||
eol, found = map[string]EOL{
|
||||
"8": {StandardSupportUntil: time.Date(2029, 5, 31, 23, 59, 59, 0, time.UTC)},
|
||||
// "9": {StandardSupportUntil: time.Date(2032, 5, 31, 23, 59, 59, 0, time.UTC)},
|
||||
"9": {StandardSupportUntil: time.Date(2032, 5, 31, 23, 59, 59, 0, time.UTC)},
|
||||
}[major(release)]
|
||||
case constant.Oracle:
|
||||
eol, found = map[string]EOL{
|
||||
@@ -99,13 +99,19 @@ func GetEOL(family, release string) (eol EOL, found bool) {
|
||||
"5": {Ended: true},
|
||||
"6": {
|
||||
StandardSupportUntil: time.Date(2021, 3, 1, 23, 59, 59, 0, time.UTC),
|
||||
ExtendedSupportUntil: time.Date(2024, 3, 1, 23, 59, 59, 0, time.UTC),
|
||||
ExtendedSupportUntil: time.Date(2024, 6, 1, 23, 59, 59, 0, time.UTC),
|
||||
},
|
||||
"7": {
|
||||
StandardSupportUntil: time.Date(2024, 7, 1, 23, 59, 59, 0, time.UTC),
|
||||
ExtendedSupportUntil: time.Date(2026, 6, 1, 23, 59, 59, 0, time.UTC),
|
||||
},
|
||||
"8": {
|
||||
StandardSupportUntil: time.Date(2029, 7, 1, 23, 59, 59, 0, time.UTC),
|
||||
ExtendedSupportUntil: time.Date(2031, 7, 1, 23, 59, 59, 0, time.UTC),
|
||||
},
|
||||
"9": {
|
||||
StandardSupportUntil: time.Date(2032, 6, 1, 23, 59, 59, 0, time.UTC),
|
||||
ExtendedSupportUntil: time.Date(2034, 6, 1, 23, 59, 59, 0, time.UTC),
|
||||
},
|
||||
}[major(release)]
|
||||
case constant.Debian:
|
||||
|
||||
@@ -53,6 +53,14 @@ func TestEOL_IsStandardSupportEnded(t *testing.T) {
|
||||
extEnded: false,
|
||||
found: true,
|
||||
},
|
||||
{
|
||||
name: "amazon linux 2024 not found",
|
||||
fields: fields{family: Amazon, release: "2024 (Amazon Linux)"},
|
||||
now: time.Date(2023, 7, 1, 23, 59, 59, 0, time.UTC),
|
||||
stdEnded: false,
|
||||
extEnded: false,
|
||||
found: false,
|
||||
},
|
||||
//RHEL
|
||||
{
|
||||
name: "RHEL6 eol",
|
||||
@@ -178,14 +186,30 @@ func TestEOL_IsStandardSupportEnded(t *testing.T) {
|
||||
found: true,
|
||||
},
|
||||
{
|
||||
name: "Rocky Linux 9 Not Found",
|
||||
name: "Rocky Linux 9 supported",
|
||||
fields: fields{family: Rocky, release: "9"},
|
||||
now: time.Date(2021, 7, 2, 23, 59, 59, 0, time.UTC),
|
||||
stdEnded: false,
|
||||
extEnded: false,
|
||||
found: true,
|
||||
},
|
||||
{
|
||||
name: "Rocky Linux 10 Not Found",
|
||||
fields: fields{family: Rocky, release: "10"},
|
||||
now: time.Date(2021, 7, 2, 23, 59, 59, 0, time.UTC),
|
||||
stdEnded: false,
|
||||
extEnded: false,
|
||||
found: false,
|
||||
},
|
||||
//Oracle
|
||||
{
|
||||
name: "Oracle Linux 6 eol",
|
||||
fields: fields{family: Oracle, release: "6"},
|
||||
now: time.Date(2021, 1, 6, 23, 59, 59, 0, time.UTC),
|
||||
stdEnded: false,
|
||||
extEnded: false,
|
||||
found: true,
|
||||
},
|
||||
{
|
||||
name: "Oracle Linux 7 supported",
|
||||
fields: fields{family: Oracle, release: "7"},
|
||||
@@ -203,16 +227,16 @@ func TestEOL_IsStandardSupportEnded(t *testing.T) {
|
||||
found: true,
|
||||
},
|
||||
{
|
||||
name: "Oracle Linux 6 eol",
|
||||
fields: fields{family: Oracle, release: "6"},
|
||||
name: "Oracle Linux 9 supported",
|
||||
fields: fields{family: Oracle, release: "9"},
|
||||
now: time.Date(2021, 1, 6, 23, 59, 59, 0, time.UTC),
|
||||
stdEnded: false,
|
||||
extEnded: false,
|
||||
found: true,
|
||||
},
|
||||
{
|
||||
name: "Oracle Linux 9 not found",
|
||||
fields: fields{family: Oracle, release: "9"},
|
||||
name: "Oracle Linux 10 not found",
|
||||
fields: fields{family: Oracle, release: "10"},
|
||||
now: time.Date(2021, 1, 6, 23, 59, 59, 0, time.UTC),
|
||||
stdEnded: false,
|
||||
extEnded: false,
|
||||
|
||||
@@ -4,7 +4,7 @@ import (
|
||||
"sort"
|
||||
"time"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer/os"
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
|
||||
"github.com/future-architect/vuls/models"
|
||||
|
||||
30
cwe/cwe.go
30
cwe/cwe.go
@@ -5,6 +5,7 @@ var CweTopTwentyfives = map[string]map[string]string{
|
||||
"2019": cweTopTwentyfive2019,
|
||||
"2020": cweTopTwentyfive2020,
|
||||
"2021": cweTopTwentyfive2021,
|
||||
"2022": cweTopTwentyfive2022,
|
||||
}
|
||||
|
||||
var cweTopTwentyfive2019 = map[string]string{
|
||||
@@ -91,9 +92,38 @@ var cweTopTwentyfive2021 = map[string]string{
|
||||
"77": "25",
|
||||
}
|
||||
|
||||
var cweTopTwentyfive2022 = map[string]string{
|
||||
"787": "1",
|
||||
"79": "2",
|
||||
"89": "3",
|
||||
"20": "4",
|
||||
"125": "5",
|
||||
"78": "6",
|
||||
"416": "7",
|
||||
"22": "8",
|
||||
"352": "9",
|
||||
"434": "10",
|
||||
"476": "11",
|
||||
"502": "12",
|
||||
"190": "13",
|
||||
"287": "14",
|
||||
"798": "16",
|
||||
"862": "16",
|
||||
"77": "17",
|
||||
"306": "18",
|
||||
"119": "19",
|
||||
"276": "20",
|
||||
"918": "21",
|
||||
"362": "22",
|
||||
"400": "23",
|
||||
"611": "24",
|
||||
"94": "25",
|
||||
}
|
||||
|
||||
// CweTopTwentyfiveURLs has CWE Top25 links
|
||||
var CweTopTwentyfiveURLs = map[string]string{
|
||||
"2019": "https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html",
|
||||
"2020": "https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html",
|
||||
"2021": "https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html",
|
||||
"2022": "https://cwe.mitre.org/top25/archive/2022/2022_cwe_top25.html",
|
||||
}
|
||||
|
||||
@@ -63,7 +63,7 @@ func DetectLibsCves(r *models.ScanResult, cacheDir string, noProgress bool) (err
|
||||
}
|
||||
|
||||
func downloadDB(appVersion, cacheDir string, quiet, skipUpdate bool) error {
|
||||
client := db.NewClient(cacheDir, quiet)
|
||||
client := db.NewClient(cacheDir, quiet, false)
|
||||
ctx := context.Background()
|
||||
needsUpdate, err := client.NeedsUpdate(appVersion, skipUpdate)
|
||||
if err != nil {
|
||||
|
||||
101
go.mod
101
go.mod
@@ -3,15 +3,14 @@ module github.com/future-architect/vuls
|
||||
go 1.18
|
||||
|
||||
require (
|
||||
github.com/Azure/azure-sdk-for-go v63.0.0+incompatible
|
||||
github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
|
||||
github.com/BurntSushi/toml v1.1.0
|
||||
github.com/Ullaakut/nmap/v2 v2.1.2-0.20210406060955-59a52fe80a4f
|
||||
github.com/aquasecurity/fanal v0.0.0-20220426115253-1d75fc0c7219
|
||||
github.com/aquasecurity/go-dep-parser v0.0.0-20220422134844-880747206031
|
||||
github.com/aquasecurity/trivy v0.27.1
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20220327074450-74195d9604b2
|
||||
github.com/aquasecurity/go-dep-parser v0.0.0-20220626060741-179d0b167e5f
|
||||
github.com/aquasecurity/trivy v0.30.4
|
||||
github.com/aquasecurity/trivy-db v0.0.0-20220627104749-930461748b63
|
||||
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
|
||||
github.com/aws/aws-sdk-go v1.43.31
|
||||
github.com/aws/aws-sdk-go v1.44.46
|
||||
github.com/c-robinson/iplib v1.0.3
|
||||
github.com/cenkalti/backoff v2.2.1+incompatible
|
||||
github.com/d4l3k/messagediff v1.2.2-0.20190829033028-7e0a312ae40b
|
||||
@@ -19,14 +18,14 @@ require (
|
||||
github.com/emersion/go-smtp v0.14.0
|
||||
github.com/google/subcommands v1.2.0
|
||||
github.com/gosuri/uitable v0.0.4
|
||||
github.com/hashicorp/go-uuid v1.0.2
|
||||
github.com/hashicorp/go-uuid v1.0.3
|
||||
github.com/hashicorp/go-version v1.6.0
|
||||
github.com/jesseduffield/gocui v0.3.0
|
||||
github.com/k0kubun/pp v3.0.1+incompatible
|
||||
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
|
||||
github.com/knqyf263/go-cpe v0.0.0-20201213041631-54f6ab28673f
|
||||
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
|
||||
github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
|
||||
github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
|
||||
github.com/kotakanbe/go-pingscanner v0.1.0
|
||||
github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96
|
||||
github.com/mitchellh/go-homedir v1.1.0
|
||||
@@ -34,7 +33,7 @@ require (
|
||||
github.com/olekukonko/tablewriter v0.0.5
|
||||
github.com/parnurzeal/gorequest v0.2.16
|
||||
github.com/rifflock/lfshook v0.0.0-20180920164130-b9218ef580f5
|
||||
github.com/sirupsen/logrus v1.8.1
|
||||
github.com/sirupsen/logrus v1.9.0
|
||||
github.com/spf13/cobra v1.5.0
|
||||
github.com/vulsio/go-cti v0.0.2-0.20220613013115-8c7e57a6aa86
|
||||
github.com/vulsio/go-cve-dictionary v0.8.2-0.20211028094424-0a854f8e8f85
|
||||
@@ -42,11 +41,11 @@ require (
|
||||
github.com/vulsio/go-kev v0.1.1-0.20220118062020-5f69b364106f
|
||||
github.com/vulsio/go-msfdb v0.2.1-0.20211028071756-4a9759bd9f14
|
||||
github.com/vulsio/gost v0.4.2-0.20220630181607-2ed593791ec3
|
||||
github.com/vulsio/goval-dictionary v0.7.3
|
||||
github.com/vulsio/goval-dictionary v0.8.0
|
||||
go.etcd.io/bbolt v1.3.6
|
||||
golang.org/x/exp v0.0.0-20220613132600-b0d781184e0d
|
||||
golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
|
||||
golang.org/x/sync v0.0.0-20220513210516-0976fa681c29
|
||||
golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
|
||||
golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f
|
||||
)
|
||||
|
||||
@@ -56,14 +55,17 @@ require (
|
||||
cloud.google.com/go/iam v0.3.0 // indirect
|
||||
cloud.google.com/go/storage v1.14.0 // indirect
|
||||
github.com/Azure/go-autorest v14.2.0+incompatible // indirect
|
||||
github.com/Azure/go-autorest/autorest v0.11.25 // indirect
|
||||
github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
|
||||
github.com/Azure/go-autorest/autorest v0.11.27 // indirect
|
||||
github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect
|
||||
github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
|
||||
github.com/Azure/go-autorest/autorest/to v0.3.0 // indirect
|
||||
github.com/Azure/go-autorest/logger v0.2.1 // indirect
|
||||
github.com/Azure/go-autorest/tracing v0.6.0 // indirect
|
||||
github.com/Microsoft/go-winio v0.5.2 // indirect
|
||||
github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
|
||||
github.com/PuerkitoBio/goquery v1.6.1 // indirect
|
||||
github.com/VividCortex/ewma v1.2.0 // indirect
|
||||
github.com/acomagu/bufpipe v1.0.3 // indirect
|
||||
github.com/andybalholm/cascadia v1.2.0 // indirect
|
||||
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce // indirect
|
||||
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 // indirect
|
||||
@@ -71,17 +73,24 @@ require (
|
||||
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
|
||||
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
|
||||
github.com/briandowns/spinner v1.18.1 // indirect
|
||||
github.com/caarlos0/env/v6 v6.9.1 // indirect
|
||||
github.com/caarlos0/env/v6 v6.9.3 // indirect
|
||||
github.com/cespare/xxhash/v2 v2.1.2 // indirect
|
||||
github.com/cheggaaa/pb/v3 v3.0.8 // indirect
|
||||
github.com/cheggaaa/pb/v3 v3.1.0 // indirect
|
||||
github.com/davecgh/go-spew v1.1.1 // indirect
|
||||
github.com/dgryski/go-minhash v0.0.0-20170608043002-7fe510aff544 // indirect
|
||||
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
|
||||
github.com/docker/cli v20.10.12+incompatible // indirect
|
||||
github.com/docker/distribution v2.7.1+incompatible // indirect
|
||||
github.com/docker/docker v20.10.14+incompatible // indirect
|
||||
github.com/docker/cli v20.10.17+incompatible // indirect
|
||||
github.com/docker/distribution v2.8.1+incompatible // indirect
|
||||
github.com/docker/docker v20.10.17+incompatible // indirect
|
||||
github.com/docker/docker-credential-helpers v0.6.4 // indirect
|
||||
github.com/ekzhu/minhash-lsh v0.0.0-20171225071031-5c06ee8586a1 // indirect
|
||||
github.com/emirpasic/gods v1.12.0 // indirect
|
||||
github.com/fatih/color v1.13.0 // indirect
|
||||
github.com/fsnotify/fsnotify v1.5.4 // indirect
|
||||
github.com/go-enry/go-license-detector/v4 v4.3.0 // indirect
|
||||
github.com/go-git/gcfg v1.5.0 // indirect
|
||||
github.com/go-git/go-billy/v5 v5.3.1 // indirect
|
||||
github.com/go-git/go-git/v5 v5.4.2 // indirect
|
||||
github.com/go-redis/redis/v8 v8.11.5 // indirect
|
||||
github.com/go-sql-driver/mysql v1.6.0 // indirect
|
||||
github.com/go-stack/stack v1.8.1 // indirect
|
||||
@@ -90,15 +99,18 @@ require (
|
||||
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
|
||||
github.com/golang/protobuf v1.5.2 // indirect
|
||||
github.com/google/go-containerregistry v0.8.0 // indirect
|
||||
github.com/google/licenseclassifier/v2 v2.0.0-pre5 // indirect
|
||||
github.com/googleapis/gax-go/v2 v2.4.0 // indirect
|
||||
github.com/gorilla/websocket v1.4.2 // indirect
|
||||
github.com/hashicorp/errwrap v1.1.0 // indirect
|
||||
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
|
||||
github.com/hashicorp/go-getter v1.5.11 // indirect
|
||||
github.com/hashicorp/go-getter v1.6.2 // indirect
|
||||
github.com/hashicorp/go-multierror v1.1.1 // indirect
|
||||
github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
|
||||
github.com/hashicorp/go-safetemp v1.0.0 // indirect
|
||||
github.com/hashicorp/hcl v1.0.0 // indirect
|
||||
github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
|
||||
github.com/imdario/mergo v0.3.13 // indirect
|
||||
github.com/inconshreveable/log15 v0.0.0-20201112154412-8562bdadbbac // indirect
|
||||
github.com/inconshreveable/mousetrap v1.0.0 // indirect
|
||||
github.com/jackc/chunkreader/v2 v2.0.1 // indirect
|
||||
@@ -109,10 +121,13 @@ require (
|
||||
github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
|
||||
github.com/jackc/pgtype v1.11.0 // indirect
|
||||
github.com/jackc/pgx/v4 v4.16.1 // indirect
|
||||
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
|
||||
github.com/jdkato/prose v1.1.0 // indirect
|
||||
github.com/jinzhu/inflection v1.0.0 // indirect
|
||||
github.com/jinzhu/now v1.1.5 // indirect
|
||||
github.com/jmespath/go-jmespath v0.4.0 // indirect
|
||||
github.com/klauspost/compress v1.14.2 // indirect
|
||||
github.com/kevinburke/ssh_config v1.1.0 // indirect
|
||||
github.com/klauspost/compress v1.15.6 // indirect
|
||||
github.com/lib/pq v1.10.5 // indirect
|
||||
github.com/magiconair/properties v1.8.6 // indirect
|
||||
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 // indirect
|
||||
@@ -123,47 +138,59 @@ require (
|
||||
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
|
||||
github.com/mitchellh/go-testing-interface v1.0.0 // indirect
|
||||
github.com/mitchellh/mapstructure v1.5.0 // indirect
|
||||
github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
|
||||
github.com/nsf/termbox-go v1.1.1 // indirect
|
||||
github.com/opencontainers/go-digest v1.0.0 // indirect
|
||||
github.com/opencontainers/image-spec v1.0.2 // indirect
|
||||
github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 // indirect
|
||||
github.com/pelletier/go-toml v1.9.5 // indirect
|
||||
github.com/pelletier/go-toml/v2 v2.0.2 // indirect
|
||||
github.com/pkg/errors v0.9.1 // indirect
|
||||
github.com/pmezard/go-difflib v1.0.0 // indirect
|
||||
github.com/rivo/uniseg v0.2.0 // indirect
|
||||
github.com/rivo/uniseg v0.3.1 // indirect
|
||||
github.com/rogpeppe/go-internal v1.8.1 // indirect
|
||||
github.com/spf13/afero v1.8.2 // indirect
|
||||
github.com/russross/blackfriday/v2 v2.1.0 // indirect
|
||||
github.com/sergi/go-diff v1.2.0 // indirect
|
||||
github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
|
||||
github.com/spf13/afero v1.9.2 // indirect
|
||||
github.com/spf13/cast v1.5.0 // indirect
|
||||
github.com/spf13/jwalterweatherman v1.1.0 // indirect
|
||||
github.com/spf13/pflag v1.0.5 // indirect
|
||||
github.com/spf13/viper v1.12.0 // indirect
|
||||
github.com/stretchr/objx v0.3.0 // indirect
|
||||
github.com/stretchr/testify v1.7.2 // indirect
|
||||
github.com/stretchr/objx v0.4.0 // indirect
|
||||
github.com/stretchr/testify v1.8.0 // indirect
|
||||
github.com/subosito/gotenv v1.4.0 // indirect
|
||||
github.com/ulikunitz/xz v0.5.10 // indirect
|
||||
github.com/xanzy/ssh-agent v0.3.0 // indirect
|
||||
go.opencensus.io v0.23.0 // indirect
|
||||
go.uber.org/atomic v1.7.0 // indirect
|
||||
go.uber.org/goleak v1.1.12 // indirect
|
||||
go.uber.org/multierr v1.6.0 // indirect
|
||||
go.uber.org/multierr v1.7.0 // indirect
|
||||
go.uber.org/zap v1.21.0 // indirect
|
||||
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
|
||||
golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa // indirect
|
||||
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
|
||||
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
|
||||
golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b // indirect
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
|
||||
golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b // indirect
|
||||
golang.org/x/sys v0.0.0-20220731174439-a90be440212d // indirect
|
||||
golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
|
||||
golang.org/x/text v0.3.7 // indirect
|
||||
golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
|
||||
gonum.org/v1/gonum v0.7.0 // indirect
|
||||
google.golang.org/api v0.81.0 // indirect
|
||||
google.golang.org/appengine v1.6.7 // indirect
|
||||
google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect
|
||||
google.golang.org/grpc v1.46.2 // indirect
|
||||
google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f // indirect
|
||||
google.golang.org/grpc v1.47.0 // indirect
|
||||
google.golang.org/protobuf v1.28.0 // indirect
|
||||
gopkg.in/ini.v1 v1.66.6 // indirect
|
||||
gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
|
||||
gopkg.in/warnings.v0 v0.1.2 // indirect
|
||||
gopkg.in/yaml.v2 v2.4.0 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
gorm.io/driver/mysql v1.3.4 // indirect
|
||||
gorm.io/driver/postgres v1.3.7 // indirect
|
||||
gorm.io/driver/sqlite v1.3.4 // indirect
|
||||
gorm.io/gorm v1.23.5 // indirect
|
||||
k8s.io/utils v0.0.0-20201110183641-67b214c5f920 // indirect
|
||||
gorm.io/driver/mysql v1.3.5 // indirect
|
||||
gorm.io/driver/postgres v1.3.8 // indirect
|
||||
gorm.io/driver/sqlite v1.3.6 // indirect
|
||||
gorm.io/gorm v1.23.8 // indirect
|
||||
k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
|
||||
moul.io/http2curl v1.0.0 // indirect
|
||||
)
|
||||
|
||||
// See https://github.com/moby/moby/issues/42939#issuecomment-1114255529
|
||||
replace github.com/docker/docker => github.com/docker/docker v20.10.3-0.20220224222438-c78f6963a1c0+incompatible
|
||||
|
||||
@@ -130,19 +130,23 @@ func (ms Microsoft) DetectCVEs(r *models.ScanResult, _ bool) (nCVEs int, err err
|
||||
|
||||
for cveID, cve := range cves {
|
||||
cveCont, mitigations := ms.ConvertToModel(&cve)
|
||||
advisories := []models.DistroAdvisory{}
|
||||
uniqKB := map[string]struct{}{}
|
||||
for _, p := range cve.Products {
|
||||
for _, kb := range p.KBs {
|
||||
adv := models.DistroAdvisory{
|
||||
AdvisoryID: kb.Article,
|
||||
Description: "Microsoft Knowledge Base",
|
||||
}
|
||||
if _, err := strconv.Atoi(kb.Article); err == nil {
|
||||
adv.AdvisoryID = fmt.Sprintf("KB%s", kb.Article)
|
||||
uniqKB[fmt.Sprintf("KB%s", kb.Article)] = struct{}{}
|
||||
} else {
|
||||
uniqKB[kb.Article] = struct{}{}
|
||||
}
|
||||
advisories = append(advisories, adv)
|
||||
}
|
||||
}
|
||||
advisories := []models.DistroAdvisory{}
|
||||
for kb := range uniqKB {
|
||||
advisories = append(advisories, models.DistroAdvisory{
|
||||
AdvisoryID: kb,
|
||||
Description: "Microsoft Knowledge Base",
|
||||
})
|
||||
}
|
||||
|
||||
r.ScannedCves[cveID] = models.VulnInfo{
|
||||
CveID: cveID,
|
||||
|
||||
Submodule integration updated: d97bf53114...b40375c4df
@@ -1,12 +1,10 @@
|
||||
package models
|
||||
|
||||
import (
|
||||
"path/filepath"
|
||||
|
||||
ftypes "github.com/aquasecurity/fanal/types"
|
||||
"github.com/aquasecurity/trivy-db/pkg/db"
|
||||
trivyDBTypes "github.com/aquasecurity/trivy-db/pkg/types"
|
||||
"github.com/aquasecurity/trivy/pkg/detector/library"
|
||||
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
|
||||
"github.com/aquasecurity/trivy/pkg/types"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
@@ -65,7 +63,7 @@ func (s LibraryScanner) Scan() ([]VulnInfo, error) {
|
||||
}
|
||||
var vulnerabilities = []VulnInfo{}
|
||||
for _, pkg := range s.Libs {
|
||||
tvulns, err := scanner.DetectVulnerabilities(pkg.Name, pkg.Version)
|
||||
tvulns, err := scanner.DetectVulnerabilities("", pkg.Name, pkg.Version)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("failed to detect %s vulnerabilities: %w", scanner.Type(), err)
|
||||
}
|
||||
@@ -131,25 +129,24 @@ func getCveContents(cveID string, vul trivyDBTypes.Vulnerability) (contents map[
|
||||
return contents
|
||||
}
|
||||
|
||||
// LibraryMap is filename and library type
|
||||
var LibraryMap = map[string]string{
|
||||
ftypes.NpmPkgLock: "node",
|
||||
ftypes.YarnLock: "node",
|
||||
ftypes.GemfileLock: "ruby",
|
||||
ftypes.CargoLock: "rust",
|
||||
ftypes.ComposerLock: "php",
|
||||
ftypes.PipRequirements: "python",
|
||||
ftypes.PipfileLock: "python",
|
||||
ftypes.PoetryLock: "python",
|
||||
ftypes.NuGetPkgsLock: ".net",
|
||||
ftypes.NuGetPkgsConfig: ".net",
|
||||
ftypes.GoMod: "gomod",
|
||||
ftypes.GoSum: "gomod",
|
||||
ftypes.MavenPom: "java",
|
||||
"*.jar": "java",
|
||||
"*.war": "java",
|
||||
"*.ear": "java",
|
||||
"*.par": "java",
|
||||
// FindLockFiles is a list of filenames that is the target of findLock
|
||||
var FindLockFiles = []string{
|
||||
// node
|
||||
ftypes.NpmPkgLock, ftypes.YarnLock, ftypes.PnpmLock,
|
||||
// ruby
|
||||
ftypes.GemfileLock,
|
||||
// rust
|
||||
ftypes.CargoLock,
|
||||
// php
|
||||
ftypes.ComposerLock,
|
||||
// python
|
||||
ftypes.PipRequirements, ftypes.PipfileLock, ftypes.PoetryLock,
|
||||
// .net
|
||||
ftypes.NuGetPkgsLock, ftypes.NuGetPkgsConfig, "*.deps.json",
|
||||
// gomod
|
||||
ftypes.GoMod, ftypes.GoSum,
|
||||
// java
|
||||
ftypes.MavenPom, "*.jar", "*.war", "*.ear", "*.par",
|
||||
}
|
||||
|
||||
// GetLibraryKey returns target library key
|
||||
@@ -165,20 +162,14 @@ func (s LibraryScanner) GetLibraryKey() string {
|
||||
return "gomod"
|
||||
case ftypes.Jar, ftypes.Pom:
|
||||
return "java"
|
||||
case ftypes.Npm, ftypes.Yarn, ftypes.NodePkg, ftypes.JavaScript:
|
||||
case ftypes.Npm, ftypes.Yarn, ftypes.Pnpm, ftypes.NodePkg, ftypes.JavaScript:
|
||||
return "node"
|
||||
case ftypes.NuGet:
|
||||
case ftypes.NuGet, ftypes.DotNetCore:
|
||||
return ".net"
|
||||
case ftypes.Pipenv, ftypes.Poetry, ftypes.Pip, ftypes.PythonPkg:
|
||||
return "python"
|
||||
default:
|
||||
filename := filepath.Base(s.LockfilePath)
|
||||
switch filepath.Ext(filename) {
|
||||
case ".jar", ".war", ".ear", ".par":
|
||||
return "java"
|
||||
default:
|
||||
return LibraryMap[filename]
|
||||
}
|
||||
return ""
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
89
oval/util.go
89
oval/util.go
@@ -93,6 +93,7 @@ type request struct {
|
||||
binaryPackNames []string
|
||||
isSrcPack bool
|
||||
modularityLabel string // RHEL 8 or later only
|
||||
repository string // Amazon Linux 2 Only
|
||||
}
|
||||
|
||||
type response struct {
|
||||
@@ -102,6 +103,25 @@ type response struct {
|
||||
|
||||
// getDefsByPackNameViaHTTP fetches OVAL information via HTTP
|
||||
func getDefsByPackNameViaHTTP(r *models.ScanResult, url string) (relatedDefs ovalResult, err error) {
|
||||
ovalFamily, err := GetFamilyInOval(r.Family)
|
||||
if err != nil {
|
||||
return relatedDefs, xerrors.Errorf("Failed to GetFamilyInOval. err: %w", err)
|
||||
}
|
||||
ovalRelease := r.Release
|
||||
switch r.Family {
|
||||
case constant.CentOS:
|
||||
ovalRelease = strings.TrimPrefix(r.Release, "stream")
|
||||
case constant.Amazon:
|
||||
switch strings.Fields(r.Release)[0] {
|
||||
case "2022":
|
||||
ovalRelease = "2022"
|
||||
case "2":
|
||||
ovalRelease = "2"
|
||||
default:
|
||||
ovalRelease = "1"
|
||||
}
|
||||
}
|
||||
|
||||
nReq := len(r.Packages) + len(r.SrcPackages)
|
||||
reqChan := make(chan request, nReq)
|
||||
resChan := make(chan response, nReq)
|
||||
@@ -112,13 +132,18 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult, url string) (relatedDefs ova
|
||||
|
||||
go func() {
|
||||
for _, pack := range r.Packages {
|
||||
reqChan <- request{
|
||||
req := request{
|
||||
packName: pack.Name,
|
||||
versionRelease: pack.FormatVer(),
|
||||
newVersionRelease: pack.FormatVer(),
|
||||
newVersionRelease: pack.FormatNewVer(),
|
||||
isSrcPack: false,
|
||||
arch: pack.Arch,
|
||||
repository: pack.Repository,
|
||||
}
|
||||
if ovalFamily == constant.Amazon && ovalRelease == "2" && req.repository == "" {
|
||||
req.repository = "amzn2-core"
|
||||
}
|
||||
reqChan <- req
|
||||
}
|
||||
for _, pack := range r.SrcPackages {
|
||||
reqChan <- request{
|
||||
@@ -131,14 +156,6 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult, url string) (relatedDefs ova
|
||||
}
|
||||
}()
|
||||
|
||||
ovalFamily, err := GetFamilyInOval(r.Family)
|
||||
if err != nil {
|
||||
return relatedDefs, xerrors.Errorf("Failed to GetFamilyInOval. err: %w", err)
|
||||
}
|
||||
ovalRelease := r.Release
|
||||
if r.Family == constant.CentOS {
|
||||
ovalRelease = strings.TrimPrefix(r.Release, "stream")
|
||||
}
|
||||
concurrency := 10
|
||||
tasks := util.GenWorkers(concurrency)
|
||||
for i := 0; i < nReq; i++ {
|
||||
@@ -168,7 +185,7 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult, url string) (relatedDefs ova
|
||||
select {
|
||||
case res := <-resChan:
|
||||
for _, def := range res.defs {
|
||||
affected, notFixedYet, fixedIn, err := isOvalDefAffected(def, res.request, ovalFamily, r.RunningKernel, r.EnabledDnfModules)
|
||||
affected, notFixedYet, fixedIn, err := isOvalDefAffected(def, res.request, ovalFamily, ovalRelease, r.RunningKernel, r.EnabledDnfModules)
|
||||
if err != nil {
|
||||
errs = append(errs, err)
|
||||
continue
|
||||
@@ -248,15 +265,39 @@ func httpGet(url string, req request, resChan chan<- response, errChan chan<- er
|
||||
}
|
||||
|
||||
func getDefsByPackNameFromOvalDB(r *models.ScanResult, driver ovaldb.DB) (relatedDefs ovalResult, err error) {
|
||||
ovalFamily, err := GetFamilyInOval(r.Family)
|
||||
if err != nil {
|
||||
return relatedDefs, xerrors.Errorf("Failed to GetFamilyInOval. err: %w", err)
|
||||
}
|
||||
ovalRelease := r.Release
|
||||
switch r.Family {
|
||||
case constant.CentOS:
|
||||
ovalRelease = strings.TrimPrefix(r.Release, "stream")
|
||||
case constant.Amazon:
|
||||
switch strings.Fields(r.Release)[0] {
|
||||
case "2022":
|
||||
ovalRelease = "2022"
|
||||
case "2":
|
||||
ovalRelease = "2"
|
||||
default:
|
||||
ovalRelease = "1"
|
||||
}
|
||||
}
|
||||
|
||||
requests := []request{}
|
||||
for _, pack := range r.Packages {
|
||||
requests = append(requests, request{
|
||||
req := request{
|
||||
packName: pack.Name,
|
||||
versionRelease: pack.FormatVer(),
|
||||
newVersionRelease: pack.FormatNewVer(),
|
||||
arch: pack.Arch,
|
||||
repository: pack.Repository,
|
||||
isSrcPack: false,
|
||||
})
|
||||
}
|
||||
if ovalFamily == constant.Amazon && ovalRelease == "2" && req.repository == "" {
|
||||
req.repository = "amzn2-core"
|
||||
}
|
||||
requests = append(requests, req)
|
||||
}
|
||||
for _, pack := range r.SrcPackages {
|
||||
requests = append(requests, request{
|
||||
@@ -267,22 +308,13 @@ func getDefsByPackNameFromOvalDB(r *models.ScanResult, driver ovaldb.DB) (relate
|
||||
isSrcPack: true,
|
||||
})
|
||||
}
|
||||
|
||||
ovalFamily, err := GetFamilyInOval(r.Family)
|
||||
if err != nil {
|
||||
return relatedDefs, xerrors.Errorf("Failed to GetFamilyInOval. err: %w", err)
|
||||
}
|
||||
ovalRelease := r.Release
|
||||
if r.Family == constant.CentOS {
|
||||
ovalRelease = strings.TrimPrefix(r.Release, "stream")
|
||||
}
|
||||
for _, req := range requests {
|
||||
definitions, err := driver.GetByPackName(ovalFamily, ovalRelease, req.packName, req.arch)
|
||||
if err != nil {
|
||||
return relatedDefs, xerrors.Errorf("Failed to get %s OVAL info by package: %#v, err: %w", r.Family, req, err)
|
||||
}
|
||||
for _, def := range definitions {
|
||||
affected, notFixedYet, fixedIn, err := isOvalDefAffected(def, req, ovalFamily, r.RunningKernel, r.EnabledDnfModules)
|
||||
affected, notFixedYet, fixedIn, err := isOvalDefAffected(def, req, ovalFamily, ovalRelease, r.RunningKernel, r.EnabledDnfModules)
|
||||
if err != nil {
|
||||
return relatedDefs, xerrors.Errorf("Failed to exec isOvalAffected. err: %w", err)
|
||||
}
|
||||
@@ -314,7 +346,16 @@ func getDefsByPackNameFromOvalDB(r *models.ScanResult, driver ovaldb.DB) (relate
|
||||
|
||||
var modularVersionPattern = regexp.MustCompile(`.+\.module(?:\+el|_f)\d{1,2}.*`)
|
||||
|
||||
func isOvalDefAffected(def ovalmodels.Definition, req request, family string, running models.Kernel, enabledMods []string) (affected, notFixedYet bool, fixedIn string, err error) {
|
||||
func isOvalDefAffected(def ovalmodels.Definition, req request, family, release string, running models.Kernel, enabledMods []string) (affected, notFixedYet bool, fixedIn string, err error) {
|
||||
if family == constant.Amazon && release == "2" {
|
||||
if def.Advisory.AffectedRepository == "" {
|
||||
def.Advisory.AffectedRepository = "amzn2-core"
|
||||
}
|
||||
if req.repository != def.Advisory.AffectedRepository {
|
||||
return false, false, "", nil
|
||||
}
|
||||
}
|
||||
|
||||
for _, ovalPack := range def.AffectedPacks {
|
||||
if req.packName != ovalPack.Name {
|
||||
continue
|
||||
|
||||
@@ -199,11 +199,12 @@ func TestDefpacksToPackStatuses(t *testing.T) {
|
||||
|
||||
func TestIsOvalDefAffected(t *testing.T) {
|
||||
type in struct {
|
||||
def ovalmodels.Definition
|
||||
req request
|
||||
family string
|
||||
kernel models.Kernel
|
||||
mods []string
|
||||
def ovalmodels.Definition
|
||||
req request
|
||||
family string
|
||||
release string
|
||||
kernel models.Kernel
|
||||
mods []string
|
||||
}
|
||||
var tests = []struct {
|
||||
in in
|
||||
@@ -1856,10 +1857,63 @@ func TestIsOvalDefAffected(t *testing.T) {
|
||||
wantErr: false,
|
||||
fixedIn: "",
|
||||
},
|
||||
// amazon linux 2 repository
|
||||
{
|
||||
in: in{
|
||||
family: constant.Amazon,
|
||||
release: "2",
|
||||
def: ovalmodels.Definition{
|
||||
Advisory: ovalmodels.Advisory{
|
||||
AffectedRepository: "amzn2-core",
|
||||
},
|
||||
AffectedPacks: []ovalmodels.Package{
|
||||
{
|
||||
Name: "nginx",
|
||||
Version: "2.17-106.0.1",
|
||||
Arch: "x86_64",
|
||||
},
|
||||
},
|
||||
},
|
||||
req: request{
|
||||
packName: "nginx",
|
||||
versionRelease: "2.17-105.0.1",
|
||||
arch: "x86_64",
|
||||
repository: "amzn2-core",
|
||||
},
|
||||
},
|
||||
affected: true,
|
||||
fixedIn: "2.17-106.0.1",
|
||||
},
|
||||
{
|
||||
in: in{
|
||||
family: constant.Amazon,
|
||||
release: "2",
|
||||
def: ovalmodels.Definition{
|
||||
Advisory: ovalmodels.Advisory{
|
||||
AffectedRepository: "amzn2-core",
|
||||
},
|
||||
AffectedPacks: []ovalmodels.Package{
|
||||
{
|
||||
Name: "nginx",
|
||||
Version: "2.17-106.0.1",
|
||||
Arch: "x86_64",
|
||||
},
|
||||
},
|
||||
},
|
||||
req: request{
|
||||
packName: "nginx",
|
||||
versionRelease: "2.17-105.0.1",
|
||||
arch: "x86_64",
|
||||
repository: "amzn2extra-nginx",
|
||||
},
|
||||
},
|
||||
affected: false,
|
||||
fixedIn: "",
|
||||
},
|
||||
}
|
||||
|
||||
for i, tt := range tests {
|
||||
affected, notFixedYet, fixedIn, err := isOvalDefAffected(tt.in.def, tt.in.req, tt.in.family, tt.in.kernel, tt.in.mods)
|
||||
affected, notFixedYet, fixedIn, err := isOvalDefAffected(tt.in.def, tt.in.req, tt.in.family, tt.in.release, tt.in.kernel, tt.in.mods)
|
||||
if tt.wantErr != (err != nil) {
|
||||
t.Errorf("[%d] err\nexpected: %t\n actual: %s\n", i, tt.wantErr, err)
|
||||
}
|
||||
|
||||
118
scanner/base.go
118
scanner/base.go
@@ -15,8 +15,8 @@ import (
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/aquasecurity/fanal/analyzer"
|
||||
dio "github.com/aquasecurity/go-dep-parser/pkg/io"
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
|
||||
debver "github.com/knqyf263/go-deb-version"
|
||||
|
||||
"github.com/future-architect/vuls/config"
|
||||
@@ -28,23 +28,25 @@ import (
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
// Import library scanner
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/dotnet/nuget"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/golang/binary"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/golang/mod"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/java/jar"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/java/pom"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/nodejs/npm"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/nodejs/yarn"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/php/composer"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/python/pip"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/python/pipenv"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/python/poetry"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/ruby/bundler"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/rust/cargo"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/deps"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/binary"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/mod"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/pom"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pnpm"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/php/composer"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pip"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pipenv"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/poetry"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/ruby/bundler"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/rust/cargo"
|
||||
|
||||
// _ "github.com/aquasecurity/fanal/analyzer/language/ruby/gemspec"
|
||||
// _ "github.com/aquasecurity/fanal/analyzer/language/nodejs/pkg"
|
||||
// _ "github.com/aquasecurity/fanal/analyzer/language/python/packaging"
|
||||
// _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/ruby/gemspec"
|
||||
// _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pkg"
|
||||
// _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/packaging"
|
||||
|
||||
nmap "github.com/Ullaakut/nmap/v2"
|
||||
)
|
||||
@@ -396,10 +398,24 @@ func (l *base) detectRunningOnAws() (ok bool, instanceID string, err error) {
|
||||
r := l.exec(cmd, noSudo)
|
||||
if r.isSuccess() {
|
||||
id := strings.TrimSpace(r.Stdout)
|
||||
if !l.isAwsInstanceID(id) {
|
||||
return false, "", nil
|
||||
if l.isAwsInstanceID(id) {
|
||||
return true, id, nil
|
||||
}
|
||||
}
|
||||
|
||||
cmd = "curl -X PUT --max-time 1 --noproxy 169.254.169.254 -H \"X-aws-ec2-metadata-token-ttl-seconds: 300\" http://169.254.169.254/latest/api/token"
|
||||
r = l.exec(cmd, noSudo)
|
||||
if r.isSuccess() {
|
||||
token := strings.TrimSpace(r.Stdout)
|
||||
cmd = fmt.Sprintf("curl -H \"X-aws-ec2-metadata-token: %s\" --max-time 1 --noproxy 169.254.169.254 http://169.254.169.254/latest/meta-data/instance-id", token)
|
||||
r = l.exec(cmd, noSudo)
|
||||
if r.isSuccess() {
|
||||
id := strings.TrimSpace(r.Stdout)
|
||||
if !l.isAwsInstanceID(id) {
|
||||
return false, "", nil
|
||||
}
|
||||
return true, id, nil
|
||||
}
|
||||
return true, id, nil
|
||||
}
|
||||
|
||||
switch r.ExitStatus {
|
||||
@@ -587,17 +603,22 @@ func (l *base) scanLibraries() (err error) {
|
||||
libFilemap := map[string]LibFile{}
|
||||
detectFiles := l.ServerInfo.Lockfiles
|
||||
|
||||
priv := noSudo
|
||||
if l.getServerInfo().Mode.IsFastRoot() || l.getServerInfo().Mode.IsDeep() {
|
||||
priv = sudo
|
||||
}
|
||||
|
||||
// auto detect lockfile
|
||||
if l.ServerInfo.FindLock {
|
||||
findopt := ""
|
||||
for filename := range models.LibraryMap {
|
||||
for _, filename := range models.FindLockFiles {
|
||||
findopt += fmt.Sprintf("-name %q -o ", filename)
|
||||
}
|
||||
|
||||
// delete last "-o "
|
||||
// find / -type f -and \( -name "package-lock.json" -o -name "yarn.lock" ... \) 2>&1 | grep -v "find: "
|
||||
cmd := fmt.Sprintf(`find / -type f -and \( ` + findopt[:len(findopt)-3] + ` \) 2>&1 | grep -v "find: "`)
|
||||
r := exec(l.ServerInfo, cmd, noSudo)
|
||||
r := exec(l.ServerInfo, cmd, priv)
|
||||
if r.ExitStatus != 0 && r.ExitStatus != 1 {
|
||||
return xerrors.Errorf("Failed to find lock files")
|
||||
}
|
||||
@@ -632,7 +653,7 @@ func (l *base) scanLibraries() (err error) {
|
||||
}
|
||||
default:
|
||||
cmd := fmt.Sprintf(`stat -c "%%a" %s`, path)
|
||||
r := exec(l.ServerInfo, cmd, noSudo)
|
||||
r := exec(l.ServerInfo, cmd, priv)
|
||||
if !r.isSuccess() {
|
||||
return xerrors.Errorf("Failed to get target file permission: %s, filepath: %s", r, path)
|
||||
}
|
||||
@@ -644,7 +665,7 @@ func (l *base) scanLibraries() (err error) {
|
||||
f.Filemode = os.FileMode(perm)
|
||||
|
||||
cmd = fmt.Sprintf("cat %s", path)
|
||||
r = exec(l.ServerInfo, cmd, noSudo)
|
||||
r = exec(l.ServerInfo, cmd, priv)
|
||||
if !r.isSuccess() {
|
||||
return xerrors.Errorf("Failed to get target file contents: %s, filepath: %s", r, path)
|
||||
}
|
||||
@@ -663,29 +684,66 @@ func (l *base) scanLibraries() (err error) {
|
||||
|
||||
// AnalyzeLibraries : detects libs defined in lockfile
|
||||
func AnalyzeLibraries(ctx context.Context, libFilemap map[string]LibFile, isOffline bool) (libraryScanners []models.LibraryScanner, err error) {
|
||||
// https://github.com/aquasecurity/trivy/blob/84677903a6fa1b707a32d0e8b2bffc23dde52afa/pkg/fanal/analyzer/const.go
|
||||
disabledAnalyzers := []analyzer.Type{
|
||||
// ======
|
||||
// OS
|
||||
// ======
|
||||
analyzer.TypeOSRelease,
|
||||
analyzer.TypeAlpine,
|
||||
analyzer.TypeAlma,
|
||||
analyzer.TypeAmazon,
|
||||
analyzer.TypeCBLMariner,
|
||||
analyzer.TypeDebian,
|
||||
analyzer.TypePhoton,
|
||||
analyzer.TypeCentOS,
|
||||
analyzer.TypeRocky,
|
||||
analyzer.TypeAlma,
|
||||
analyzer.TypeFedora,
|
||||
analyzer.TypeOracle,
|
||||
analyzer.TypeRedHatBase,
|
||||
analyzer.TypeRocky,
|
||||
analyzer.TypeSUSE,
|
||||
analyzer.TypeUbuntu,
|
||||
|
||||
// OS Package
|
||||
analyzer.TypeApk,
|
||||
analyzer.TypeDpkg,
|
||||
analyzer.TypeDpkgLicense,
|
||||
analyzer.TypeRpm,
|
||||
analyzer.TypeRpmqa,
|
||||
|
||||
// OS Package Repository
|
||||
analyzer.TypeApkRepo,
|
||||
|
||||
// ============
|
||||
// Image Config
|
||||
// ============
|
||||
analyzer.TypeApkCommand,
|
||||
|
||||
// =================
|
||||
// Structured Config
|
||||
// =================
|
||||
analyzer.TypeYaml,
|
||||
analyzer.TypeTOML,
|
||||
analyzer.TypeJSON,
|
||||
analyzer.TypeDockerfile,
|
||||
analyzer.TypeHCL,
|
||||
analyzer.TypeTerraform,
|
||||
analyzer.TypeCloudFormation,
|
||||
analyzer.TypeHelm,
|
||||
|
||||
// ========
|
||||
// License
|
||||
// ========
|
||||
analyzer.TypeLicenseFile,
|
||||
|
||||
// ========
|
||||
// Secrets
|
||||
// ========
|
||||
analyzer.TypeSecret,
|
||||
|
||||
// =======
|
||||
// Red Hat
|
||||
// =======
|
||||
analyzer.TypeRedHatContentManifestType,
|
||||
analyzer.TypeRedHatDockerfileType,
|
||||
}
|
||||
anal := analyzer.NewAnalyzerGroup(analyzer.GroupBuiltin, disabledAnalyzers)
|
||||
|
||||
@@ -732,13 +790,13 @@ func (d *DummyFileInfo) Size() int64 { return d.size }
|
||||
// Mode is
|
||||
func (d *DummyFileInfo) Mode() os.FileMode { return d.filemode }
|
||||
|
||||
//ModTime is
|
||||
// ModTime is
|
||||
func (d *DummyFileInfo) ModTime() time.Time { return time.Now() }
|
||||
|
||||
// IsDir is
|
||||
func (d *DummyFileInfo) IsDir() bool { return false }
|
||||
|
||||
//Sys is
|
||||
// Sys is
|
||||
func (d *DummyFileInfo) Sys() interface{} { return nil }
|
||||
|
||||
func (l *base) scanWordPress() error {
|
||||
|
||||
@@ -4,18 +4,21 @@ import (
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/dotnet/nuget"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/golang/binary"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/golang/mod"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/java/jar"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/nodejs/npm"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/nodejs/yarn"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/php/composer"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/python/pip"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/python/pipenv"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/python/poetry"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/ruby/bundler"
|
||||
_ "github.com/aquasecurity/fanal/analyzer/language/rust/cargo"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/deps"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/dotnet/nuget"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/binary"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/golang/mod"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/pom"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pnpm"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/php/composer"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pip"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pipenv"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/poetry"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/ruby/bundler"
|
||||
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/rust/cargo"
|
||||
"github.com/future-architect/vuls/config"
|
||||
"github.com/future-architect/vuls/models"
|
||||
)
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
package scanner
|
||||
|
||||
import (
|
||||
"github.com/aquasecurity/fanal/types"
|
||||
"github.com/aquasecurity/trivy/pkg/fanal/types"
|
||||
"github.com/future-architect/vuls/models"
|
||||
)
|
||||
|
||||
|
||||
@@ -448,13 +448,28 @@ func (o *redhatBase) scanInstalledPackages() (models.Packages, error) {
|
||||
Version: version,
|
||||
}
|
||||
|
||||
r := o.exec(o.rpmQa(), noSudo)
|
||||
var r execResult
|
||||
switch o.getDistro().Family {
|
||||
case constant.Amazon:
|
||||
switch strings.Fields(o.getDistro().Release)[0] {
|
||||
case "2":
|
||||
if o.exec("rpm -q yum-utils", noSudo).isSuccess() {
|
||||
r = o.exec("repoquery --all --pkgnarrow=installed --qf='%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH} %{UI_FROM_REPO}'", o.sudo.repoquery())
|
||||
} else {
|
||||
r = o.exec(o.rpmQa(), noSudo)
|
||||
}
|
||||
default:
|
||||
r = o.exec(o.rpmQa(), noSudo)
|
||||
}
|
||||
default:
|
||||
r = o.exec(o.rpmQa(), noSudo)
|
||||
}
|
||||
if !r.isSuccess() {
|
||||
return nil, xerrors.Errorf("Scan packages failed: %s", r)
|
||||
}
|
||||
installed, _, err := o.parseInstalledPackages(r.Stdout)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return nil, xerrors.Errorf("Failed to parse installed packages. err: %w", err)
|
||||
}
|
||||
return installed, nil
|
||||
}
|
||||
@@ -469,7 +484,29 @@ func (o *redhatBase) parseInstalledPackages(stdout string) (models.Packages, mod
|
||||
if trimmed := strings.TrimSpace(line); trimmed == "" {
|
||||
continue
|
||||
}
|
||||
pack, err := o.parseInstalledPackagesLine(line)
|
||||
|
||||
var (
|
||||
pack *models.Package
|
||||
err error
|
||||
)
|
||||
switch o.getDistro().Family {
|
||||
case constant.Amazon:
|
||||
switch strings.Fields(o.getDistro().Release)[0] {
|
||||
case "2":
|
||||
switch len(strings.Fields(line)) {
|
||||
case 5:
|
||||
pack, err = o.parseInstalledPackagesLine(line)
|
||||
case 6:
|
||||
pack, err = o.parseInstalledPackagesLineFromRepoquery(line)
|
||||
default:
|
||||
return nil, nil, xerrors.Errorf("Failed to parse package line: %s", line)
|
||||
}
|
||||
default:
|
||||
pack, err = o.parseInstalledPackagesLine(line)
|
||||
}
|
||||
default:
|
||||
pack, err = o.parseInstalledPackagesLine(line)
|
||||
}
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
@@ -522,6 +559,34 @@ func (o *redhatBase) parseInstalledPackagesLine(line string) (*models.Package, e
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (o *redhatBase) parseInstalledPackagesLineFromRepoquery(line string) (*models.Package, error) {
|
||||
fields := strings.Fields(line)
|
||||
if len(fields) != 6 {
|
||||
return nil, xerrors.Errorf("Failed to parse package line: %s", line)
|
||||
}
|
||||
|
||||
ver := ""
|
||||
epoch := fields[1]
|
||||
if epoch == "0" || epoch == "(none)" {
|
||||
ver = fields[2]
|
||||
} else {
|
||||
ver = fmt.Sprintf("%s:%s", epoch, fields[2])
|
||||
}
|
||||
|
||||
repo := strings.TrimPrefix(fields[5], "@")
|
||||
if repo == "installed" {
|
||||
repo = "amzn2-core"
|
||||
}
|
||||
|
||||
return &models.Package{
|
||||
Name: fields[0],
|
||||
Version: ver,
|
||||
Release: fields[3],
|
||||
Arch: fields[4],
|
||||
Repository: repo,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (o *redhatBase) parseRpmQfLine(line string) (pkg *models.Package, ignored bool, err error) {
|
||||
for _, suffix := range []string{
|
||||
"Permission denied",
|
||||
|
||||
@@ -17,10 +17,10 @@ import (
|
||||
|
||||
func TestParseInstalledPackagesLinesRedhat(t *testing.T) {
|
||||
r := newRHEL(config.ServerInfo{})
|
||||
r.Distro = config.Distro{Family: constant.RedHat}
|
||||
|
||||
var packagetests = []struct {
|
||||
in string
|
||||
distro config.Distro
|
||||
kernel models.Kernel
|
||||
packages models.Packages
|
||||
}{
|
||||
@@ -30,6 +30,7 @@ Percona-Server-shared-56 1 5.6.19 rel67.0.el6 x84_64
|
||||
kernel 0 2.6.32 696.20.1.el6 x86_64
|
||||
kernel 0 2.6.32 696.20.3.el6 x86_64
|
||||
kernel 0 2.6.32 695.20.3.el6 x86_64`,
|
||||
distro: config.Distro{Family: constant.RedHat},
|
||||
kernel: models.Kernel{},
|
||||
packages: models.Packages{
|
||||
"openssl": models.Package{
|
||||
@@ -58,6 +59,7 @@ kernel 0 2.6.32 695.20.3.el6 x86_64
|
||||
kernel-devel 0 2.6.32 696.20.1.el6 x86_64
|
||||
kernel-devel 0 2.6.32 696.20.3.el6 x86_64
|
||||
kernel-devel 0 2.6.32 695.20.3.el6 x86_64`,
|
||||
distro: config.Distro{Family: constant.RedHat},
|
||||
kernel: models.Kernel{Release: "2.6.32-696.20.3.el6.x86_64"},
|
||||
packages: models.Packages{
|
||||
"openssl": models.Package{
|
||||
@@ -91,6 +93,7 @@ kernel 0 2.6.32 695.20.3.el6 x86_64
|
||||
kernel-devel 0 2.6.32 696.20.1.el6 x86_64
|
||||
kernel-devel 0 2.6.32 696.20.3.el6 x86_64
|
||||
kernel-devel 0 2.6.32 695.20.3.el6 x86_64`,
|
||||
distro: config.Distro{Family: constant.RedHat},
|
||||
kernel: models.Kernel{Release: "2.6.32-695.20.3.el6.x86_64"},
|
||||
packages: models.Packages{
|
||||
"openssl": models.Package{
|
||||
@@ -115,9 +118,65 @@ kernel-devel 0 2.6.32 695.20.3.el6 x86_64`,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
in: `openssl 0 1.0.1e 30.el6.11 x86_64
|
||||
Percona-Server-shared-56 1 5.6.19 rel67.0.el6 x84_64
|
||||
kernel 0 2.6.32 696.20.1.el6 x86_64
|
||||
kernel 0 2.6.32 696.20.3.el6 x86_64
|
||||
kernel 0 2.6.32 695.20.3.el6 x86_64`,
|
||||
distro: config.Distro{Family: constant.Amazon, Release: "2 (Karoo)"},
|
||||
kernel: models.Kernel{},
|
||||
packages: models.Packages{
|
||||
"openssl": models.Package{
|
||||
Name: "openssl",
|
||||
Version: "1.0.1e",
|
||||
Release: "30.el6.11",
|
||||
},
|
||||
"Percona-Server-shared-56": models.Package{
|
||||
Name: "Percona-Server-shared-56",
|
||||
Version: "1:5.6.19",
|
||||
Release: "rel67.0.el6",
|
||||
},
|
||||
"kernel": models.Package{
|
||||
Name: "kernel",
|
||||
Version: "2.6.32",
|
||||
Release: "696.20.3.el6",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
in: `yum-utils 0 1.1.31 46.amzn2.0.1 noarch @amzn2-core
|
||||
zlib 0 1.2.7 19.amzn2.0.1 x86_64 installed
|
||||
java-1.8.0-amazon-corretto 1 1.8.0_192.b12 1.amzn2 x86_64 @amzn2extra-corretto8`,
|
||||
distro: config.Distro{Family: constant.Amazon, Release: "2 (Karoo)"},
|
||||
packages: models.Packages{
|
||||
"yum-utils": models.Package{
|
||||
Name: "yum-utils",
|
||||
Version: "1.1.31",
|
||||
Release: "46.amzn2.0.1",
|
||||
Arch: "noarch",
|
||||
Repository: "amzn2-core",
|
||||
},
|
||||
"zlib": models.Package{
|
||||
Name: "zlib",
|
||||
Version: "1.2.7",
|
||||
Release: "19.amzn2.0.1",
|
||||
Arch: "x86_64",
|
||||
Repository: "amzn2-core",
|
||||
},
|
||||
"java-1.8.0-amazon-corretto": models.Package{
|
||||
Name: "java-1.8.0-amazon-corretto",
|
||||
Version: "1:1.8.0_192.b12",
|
||||
Release: "1.amzn2",
|
||||
Arch: "x86_64",
|
||||
Repository: "amzn2extra-corretto8",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range packagetests {
|
||||
r.Distro = tt.distro
|
||||
r.Kernel = tt.kernel
|
||||
packages, _, err := r.parseInstalledPackages(tt.in)
|
||||
if err != nil {
|
||||
@@ -184,6 +243,72 @@ func TestParseInstalledPackagesLine(t *testing.T) {
|
||||
t.Errorf("release: expected %s, actual %s", tt.pack.Release, p.Release)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestParseInstalledPackagesLineFromRepoquery(t *testing.T) {
|
||||
r := newRHEL(config.ServerInfo{})
|
||||
|
||||
var packagetests = []struct {
|
||||
in string
|
||||
pack models.Package
|
||||
err bool
|
||||
}{
|
||||
{
|
||||
in: "yum-utils 0 1.1.31 46.amzn2.0.1 noarch @amzn2-core",
|
||||
pack: models.Package{
|
||||
Name: "yum-utils",
|
||||
Version: "1.1.31",
|
||||
Release: "46.amzn2.0.1",
|
||||
Arch: "noarch",
|
||||
Repository: "amzn2-core",
|
||||
},
|
||||
},
|
||||
{
|
||||
in: "zlib 0 1.2.7 19.amzn2.0.1 x86_64 installed",
|
||||
pack: models.Package{
|
||||
Name: "zlib",
|
||||
Version: "1.2.7",
|
||||
Release: "19.amzn2.0.1",
|
||||
Arch: "x86_64",
|
||||
Repository: "amzn2-core",
|
||||
},
|
||||
},
|
||||
{
|
||||
in: "java-1.8.0-amazon-corretto 1 1.8.0_192.b12 1.amzn2 x86_64 @amzn2extra-corretto8",
|
||||
pack: models.Package{
|
||||
Name: "java-1.8.0-amazon-corretto",
|
||||
Version: "1:1.8.0_192.b12",
|
||||
Release: "1.amzn2",
|
||||
Arch: "x86_64",
|
||||
Repository: "amzn2extra-corretto8",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for i, tt := range packagetests {
|
||||
p, err := r.parseInstalledPackagesLineFromRepoquery(tt.in)
|
||||
if err == nil && tt.err {
|
||||
t.Errorf("Expected err not occurred: %d", i)
|
||||
}
|
||||
if err != nil && !tt.err {
|
||||
t.Errorf("UnExpected err not occurred: %d", i)
|
||||
}
|
||||
if p.Name != tt.pack.Name {
|
||||
t.Errorf("name: expected %s, actual %s", tt.pack.Name, p.Name)
|
||||
}
|
||||
if p.Version != tt.pack.Version {
|
||||
t.Errorf("version: expected %s, actual %s", tt.pack.Version, p.Version)
|
||||
}
|
||||
if p.Release != tt.pack.Release {
|
||||
t.Errorf("release: expected %s, actual %s", tt.pack.Release, p.Release)
|
||||
}
|
||||
if p.Arch != tt.pack.Arch {
|
||||
t.Errorf("arch: expected %s, actual %s", tt.pack.Arch, p.Arch)
|
||||
}
|
||||
if p.Repository != tt.pack.Repository {
|
||||
t.Errorf("repository: expected %s, actual %s", tt.pack.Repository, p.Repository)
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user