* Update trivy 0.35.0->0.48.0
- Specify oras-go 1.2.4 in indirect dependencies
  docker/docker changes a part of its API at 24.0
  - registry: return concrete service type · moby/moby@7b3acdf
    - 7b3acdff5d (diff-8325eae896b1149bf92c826d07fc29005b1b102000b766ffa5a238d791e0849bR18-R21)
  oras-go 1.2.3 uses 23.0.1 and trivy transitively depends on docker/docker 24.y.z.
  There is a build error between oras-go and docker/docker.
- Update disabled analyzers
- Update language scanners, enable all of them
* move javadb init to scan.go
* Add options for java db init()
* Update scanner/base.go
* Remove unused codes
* Add some lock file names
* Typo fix
* Remove space character (0x20)
* Add java-db options for integration scan
* Minor fomartting fix
* minor fix
* conda is NOT supported by Trivy for library scan
* Configure trivy log in report command too
* Init trivy in scanner
* Use trivy's jar.go and replace client which does almost nothing
* mv jar.go
* Add sha1 hash to result and add filepath for report phase
* Undo added 'vuls scan' options
* Update oras-go to 1.2.4
* Move Java DB related config items to report side
* Add java db search in detect phase
* filter top level jar only
* Update trivy to 0.49.1
* go mod tidy
* Update to newer interface
* Refine lock file list, h/t MaineK00n
* Avoid else clauses if possible, h/t MaineK00n
* Avoid missing word for find and lang types, h/t MaineK00n
* Add missing ecosystems, h/t MaineK00n
* Add comments why to use custom jar analyzer, h/t MaineK00n
* Misc
* Misc
* Misc
* Include go-dep-parser's pares.go for modification
* Move digest field from LibraryScanner to Library
* Use inner jars sha1 for each
* Add Seek to file head before handling zip file entry
* Leave Digest feild empty for entries from pom.xml
* Don't import python/pkg (don't look into package.json)
* Make privete where private is sufficient
* Remove duplicate after Java DB lookup
* misc
* go mod tidy
* Comment out ruby/gemspec
* misc
* Comment out python/packaging
* misc
* Use custom jar
* Update scanner/trivy/jar/parse.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/trivy/jar/parse.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/trivy/jar/parse.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/trivy/jar/parse.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/trivy/jar/parse.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/trivy/jar/jar.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update detector/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update models/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/base.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/trivy/jar/parse.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/trivy/jar/parse.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Missing changes in name change
* Update models/github.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update models/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update models/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update models/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/base.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/base.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update scanner/trivy/jar/jar.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Don't import fanal/types at github.go
* Rewrite code around java db initialization
* Add comment
* refactor
* Close java db client
* rename
* Let LibraryScanner have java db client
* Update detector/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update detector/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update detector/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* Update detector/library.go
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
* inline variable
* misc
* Fix typo
---------
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>
		
	
		
			
				
	
	
		
package models
import (
	"fmt"
	"strings"
)
// DependencyGraphManifests is the set of manifest (lock) files reported by the
// GitHub dependency graph for a repository, keyed by each manifest's BlobPath.
type DependencyGraphManifests map[string]DependencyGraphManifest
// DependencyGraphManifest is one manifest (lock) file reported by the GitHub
// dependency graph, together with the dependencies it declares.
type DependencyGraphManifest struct {
	BlobPath     string       `json:"blobPath"`
	Filename     string       `json:"filename"`
	Repository   string       `json:"repository"`
	Dependencies []Dependency `json:"dependencies"`
}

// RepoURLFilename joins Repository and Filename with a single "/".
// It must keep the same format as GitHubSecurityAlert.RepoURLManifestPath()
// so the two values can be matched against each other.
func (m DependencyGraphManifest) RepoURLFilename() string {
	return fmt.Sprintf("%s/%s", m.Repository, m.Filename)
}

// manifestEcosystemRule maps a set of manifest filename suffixes to the
// ecosystem (package manager) name used by trivy.
type manifestEcosystemRule struct {
	suffixes  []string
	ecosystem string
}

// manifestEcosystemRules is consulted in order by Ecosystem(); the first
// suffix that matches wins. The order is significant: the specific YAML lock
// files (pnpm-lock.yaml, pubspec.yaml) must precede the generic .yml/.yaml
// fallback for GitHub Actions workflows.
var manifestEcosystemRules = []manifestEcosystemRule{
	// Rust
	{suffixes: []string{"Cargo.lock", "Cargo.toml"}, ecosystem: "cargo"},
	// PHP
	{suffixes: []string{"composer.lock", "composer.json"}, ecosystem: "composer"},
	// .NET languages (C#, F#, VB), C++
	{suffixes: []string{".csproj", ".vbproj", ".nuspec", ".vcxproj", ".fsproj", "packages.config"}, ecosystem: "nuget"},
	// Go
	{suffixes: []string{"go.sum", "go.mod"}, ecosystem: "gomod"},
	// Java, Scala
	{suffixes: []string{"pom.xml"}, ecosystem: "pom"},
	// JavaScript
	{suffixes: []string{"package-lock.json", "package.json"}, ecosystem: "npm"},
	{suffixes: []string{"yarn.lock"}, ecosystem: "yarn"},
	{suffixes: []string{"pnpm-lock.yaml"}, ecosystem: "pnpm"},
	// Python
	{suffixes: []string{"requirements.txt", "requirements-dev.txt", "setup.py"}, ecosystem: "pip"},
	{suffixes: []string{"Pipfile.lock", "Pipfile"}, ecosystem: "pipenv"},
	{suffixes: []string{"poetry.lock", "pyproject.toml"}, ecosystem: "poetry"},
	// Ruby
	{suffixes: []string{"Gemfile.lock", "Gemfile"}, ecosystem: "bundler"},
	{suffixes: []string{".gemspec"}, ecosystem: "gemspec"},
	// Dart
	{suffixes: []string{"pubspec.lock", "pubspec.yaml"}, ecosystem: "pub"},
	// Swift
	{suffixes: []string{"Package.resolved"}, ecosystem: "swift"},
	// GitHub Actions workflows
	{suffixes: []string{".yml", ".yaml"}, ecosystem: "actions"},
}

// Ecosystem classifies the manifest (lock) file by the suffix of Filename and
// returns the ecosystem (package manager) name in trivy's vocabulary, or
// "unknown" when no rule matches. Matching is a plain suffix test, so a
// Filename may carry a leading directory path. The recognised files follow
// https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems
func (m DependencyGraphManifest) Ecosystem() string {
	for _, rule := range manifestEcosystemRules {
		for _, suffix := range rule.suffixes {
			if strings.HasSuffix(m.Filename, suffix) {
				return rule.ecosystem
			}
		}
	}
	return "unknown"
}

// Dependency is one package entry of a dependency graph manifest.
type Dependency struct {
	PackageName    string `json:"packageName"`
	PackageManager string `json:"packageManager"`
	Repository     string `json:"repository"`
	Requirements   string `json:"requirements"`
}

// Version returns the exact version when Requirements pins one in the form
// "= <version>" (a single "=" token, one space, then a version without
// spaces). For any other requirement string, e.g. a version range, it
// returns "".
func (d Dependency) Version() string {
	const exactPrefix = "= "
	if !strings.HasPrefix(d.Requirements, exactPrefix) {
		return ""
	}
	version := d.Requirements[len(exactPrefix):]
	if strings.Contains(version, " ") {
		// more than one token after "=": not a single pinned version
		return ""
	}
	return version
}