feat: "override" database #258

wants to merge 8 commits into
base: main
10 changes: 10 additions & 0 deletions override.yaml
@@ -0,0 +1,10 @@
- id: "CVE-2021-45708"
description: "abomonation transmutes &T to and from &[u8] without sufficient constraints"
aliases:
- "GHSA-hfxp-p695-629x"
- "RUSTSEC-2021-0120"
severity: "MEDIUM"
affected:
- "<=0.7.3"
fixed:
- "0.7.4"
5 changes: 5 additions & 0 deletions pkg/app.go
Expand Up @@ -39,6 +39,11 @@ func (ac *AppConfig) NewApp(version string) *cli.App {
Usage: "cache directory path",
Value: utils.CacheDir(),
},
cli.StringFlag{
Name: "override-db",
Usage: "path to yaml file with overridden data",
Value: "override.yaml",
},
cli.DurationFlag{
Name: "update-interval",
Usage: "update interval",
5 changes: 4 additions & 1 deletion pkg/build.go
Expand Up @@ -5,6 +5,7 @@ import (
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/vulndb"
)

Expand All @@ -17,7 +18,9 @@ func build(c *cli.Context) error {
targets := c.StringSlice("only-update")
updateInterval := c.Duration("update-interval")

vdb := vulndb.New(cacheDir, updateInterval)
overriddenData := overridedb.UploadOverriddenDB(c.String("override-db"))

vdb := vulndb.New(cacheDir, updateInterval, overriddenData)
if err := vdb.Build(targets); err != nil {
return xerrors.Errorf("build error: %w", err)
}
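Review bot: `overriddenData` on the line `overriddenData := overridedb.UploadOverriddenDB(c.String("override-db"))` can be nil, because UploadOverriddenDB (in pkg/overridedb/upload.go of this PR) logs and returns nil for both a missing file and a YAML decode error, and build() carries on regardless. A malformed override file therefore silently produces a database without the intended corrections to vulnerability data, and the nil pointer is handed to every vulnsrc Update. Consider returning `(*OverriddenData, error)` from the loader, treating a missing file as "no overrides" and failing the build on decode errors, e.g. `overriddenData, err := overridedb.UploadOverriddenDB(c.String("override-db"))` followed by `if err != nil { return xerrors.Errorf("override db: %w", err) }`. The name reads as a network upload while the function reads a local file; Load would describe it better. build()'s body continues outside the hunk.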
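--- a/pkg/overridedb/types.go
+++ b/pkg/overridedb/types.go
@@ -0,0 +1,34 @@
+package overridedb
+
+type OverriddenData struct {
+aliases map[string]string
+advisories map[string]*OverriddenAdvisory
+}
+
+type OverriddenAdvisory struct {
+Id string `yaml:"id"`
+Description string `yaml:"description"`
+Aliases []string `yaml:"aliases"`
+Severity string `yaml:"severity"`
+AffectedVersions []string `yaml:"affected"`
+FixedVersions []string `yaml:"fixed"`
+
+wasAdded bool
+}
+
+func (a *OverriddenAdvisory) WasAdded() bool {
+return a.wasAdded
+}
+func (a *OverriddenAdvisory) SetAdded() {
+a.wasAdded = true
+}
+
+func (db *OverriddenData) GetOverriddenAdvisory(vulnId string) *OverriddenAdvisory {
+if adv, ok := db.advisories[vulnId]; ok {
+return adv
+}
+if alias, ok := db.aliases[vulnId]; ok {
+return db.advisories[alias]
+}
+return nil
+}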
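Review bot: GetOverriddenAdvisory dereferences `db` without a nil check, yet UploadOverriddenDB in this PR returns nil when the override file is missing or malformed and build.go passes that value straight through to every vulnsrc, so the first source that consults overrides would panic with a nil pointer dereference. Add `if db == nil { return nil }` as the first statement so an absent override file simply means "no overrides". The exported field `Id` and the parameter `vulnId` would be `ID` and `vulnID` under Go's initialism convention, and the receiver name `db` is easy to confuse with the `db` package used elsewhere in the repo; `o` or `d` would be clearer.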
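--- a/pkg/overridedb/upload.go
+++ b/pkg/overridedb/upload.go
@@ -0,0 +1,33 @@
+package overridedb
+
+import (
+"log"
+"os"
+
+"gopkg.in/yaml.v2"
+)
+
+func UploadOverriddenDB(filename string) *OverriddenData {
+f, err := os.Open(filename)
+if err != nil {
+log.Printf("override db: can't open %q: %v", filename, err)
+return nil
+}
+defer f.Close()
+overriddenAdvs := []OverriddenAdvisory{}
+if err := yaml.NewDecoder(f).Decode(&overriddenAdvs); err != nil {
+log.Printf("override db: can't decode data from %q: %v", filename, err)
+return nil
+}
+result := &OverriddenData{
+advisories: map[string]*OverriddenAdvisory{},
+aliases: map[string]string{},
+}
+for _, adv := range overriddenAdvs {
+result.advisories[adv.Id] = &adv
+for _, alias := range adv.Aliases {
+result.aliases[alias] = adv.Id
+}
+}
+return result
+}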
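Review bot: `result.advisories[adv.Id] = &adv` stores the address of the range variable, which before Go 1.22 is a single variable reused on every iteration, so with more than one entry every map value would point at the same struct holding the last advisory's data; whether this bites depends on the `go` directive in go.mod, which is not shown here. Index the slice instead: `for i := range overriddenAdvs {` / `adv := &overriddenAdvs[i]` / `result.advisories[adv.Id] = adv`. Duplicate ids, or an alias that repeats another entry's id or alias, currently overwrite the earlier mapping without any message; logging or rejecting such collisions would make a mistaken override file visible rather than silently dropping a correction.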
7 changes: 5 additions & 2 deletions pkg/vulndb/db.go
Expand Up @@ -10,6 +10,7 @@ import (

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/metadata"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
Expand All @@ -27,6 +28,7 @@ type TrivyDB struct {
cacheDir string
updateInterval time.Duration
clock clock.Clock
overriddenDB *overridedb.OverriddenData
}

type Option func(*TrivyDB)
Expand All @@ -43,7 +45,7 @@ func WithVulnSrcs(srcs map[types.SourceID]vulnsrc.VulnSrc) Option {
}
}

func New(cacheDir string, updateInterval time.Duration, opts ...Option) *TrivyDB {
func New(cacheDir string, updateInterval time.Duration, overriddenDB *overridedb.OverriddenData, opts ...Option) *TrivyDB {
// Initialize map
vulnSrcs := map[types.SourceID]vulnsrc.VulnSrc{}
for _, v := range vulnsrc.All {
Expand All @@ -59,6 +61,7 @@ func New(cacheDir string, updateInterval time.Duration, opts ...Option) *TrivyDB
cacheDir: cacheDir,
updateInterval: updateInterval,
clock: clock.RealClock{},
overriddenDB: overriddenDB,
}

for _, opt := range opts {
Expand All @@ -77,7 +80,7 @@ func (t TrivyDB) Insert(targets []string) error {
}
log.Printf("Updating %s data...\n", target)

if err := src.Update(t.cacheDir); err != nil {
if err := src.Update(t.cacheDir, t.overriddenDB); err != nil {
return xerrors.Errorf("%s update error: %w", target, err)
}
}
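Review bot: The new mandatory `overriddenDB *overridedb.OverriddenData` parameter on New breaks every existing caller and test, even though the file already has a functional-option mechanism (`type Option func(*TrivyDB)` and WithVulnSrcs) built for exactly this kind of optional input. Keeping the old signature and adding `func WithOverriddenDB(o *overridedb.OverriddenData) Option {` / `return func(t *TrivyDB) { t.overriddenDB = o }` / `}` lets build.go opt in while leaving other callers untouched. The `t.overriddenDB` passed to src.Update may be nil when loading failed; whether Update implementations tolerate that is outside this hunk. Both New and Insert continue outside the hunk.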
6 changes: 4 additions & 2 deletions pkg/vulnsrc/alma/alma.go
Expand Up @@ -12,6 +12,7 @@ import (
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
Expand All @@ -33,7 +34,8 @@ var (
)

type VulnSrc struct {
dbc db.Operation
dbc db.Operation
overriddenDb *overridedb.OverriddenData
}

func NewVulnSrc() VulnSrc {
Expand All @@ -46,7 +48,7 @@ func (vs VulnSrc) Name() types.SourceID {
return source.ID
}

func (vs VulnSrc) Update(dir string) error {
func (vs VulnSrc) Update(dir string, db *overridedb.OverriddenData) error {
rootDir := filepath.Join(dir, "vuln-list", almaDir)
errata := map[string][]Erratum{}
err := utils.FileWalk(rootDir, func(r io.Reader, path string) error {
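Review bot: The new parameter `db *overridedb.OverriddenData` on Update shadows the imported `db` package (used for the `dbc db.Operation` field three lines above), so any `db.` package reference inside Update's body now resolves to the pointer instead; the body continues outside the hunk, so whether that breaks compilation cannot be seen here, but the shadowing is confusing either way and a name such as `overrides` would avoid it. The same hunks also add an `overriddenDb` field to VulnSrc that no visible code assigns, so the same data now has two homes, one of them always nil — keep either the parameter or the field (populated by NewVulnSrc or TrivyDB), not both. The identical pattern appears in alpine/alpine.go, amazon/amazon.go, arch-linux/archlinux.go, bundler/bundler.go, composer/composer.go and debian/debian.go. The corresponding change to the vulnsrc.VulnSrc interface is not on this page, so I assume it was updated in the same PR.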
6 changes: 4 additions & 2 deletions pkg/vulnsrc/alpine/alpine.go
Expand Up @@ -11,6 +11,7 @@ import (
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
Expand All @@ -31,7 +32,8 @@ var (
)

type VulnSrc struct {
dbc db.Operation
dbc db.Operation
overriddenDb *overridedb.OverriddenData
}

func NewVulnSrc() VulnSrc {
Expand All @@ -44,7 +46,7 @@ func (vs VulnSrc) Name() types.SourceID {
return source.ID
}

func (vs VulnSrc) Update(dir string) error {
func (vs VulnSrc) Update(dir string, db *overridedb.OverriddenData) error {
rootDir := filepath.Join(dir, "vuln-list", alpineDir)
var advisories []advisory
err := utils.FileWalk(rootDir, func(r io.Reader, path string) error {
8 changes: 5 additions & 3 deletions pkg/vulnsrc/amazon/amazon.go
Expand Up @@ -12,6 +12,7 @@ import (
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
ustrings "github.com/aquasecurity/trivy-db/pkg/utils/strings"
Expand All @@ -34,8 +35,9 @@ var (
)

type VulnSrc struct {
dbc db.Operation
advisories map[string][]ALAS
dbc db.Operation
overriddenDb *overridedb.OverriddenData
advisories map[string][]ALAS
}

// ALAS has detailed data of ALAS
Expand Down Expand Up @@ -74,7 +76,7 @@ func (vs VulnSrc) Name() types.SourceID {
return source.ID
}

func (vs VulnSrc) Update(dir string) error {
func (vs VulnSrc) Update(dir string, db *overridedb.OverriddenData) error {
rootDir := filepath.Join(dir, "vuln-list", amazonDir)

err := utils.FileWalk(rootDir, vs.walkFunc)
6 changes: 4 additions & 2 deletions pkg/vulnsrc/arch-linux/archlinux.go
Expand Up @@ -10,6 +10,7 @@ import (
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
Expand All @@ -29,7 +30,8 @@ var (
)

type VulnSrc struct {
dbc db.Operation
dbc db.Operation
overriddenDb *overridedb.OverriddenData
}

func NewVulnSrc() VulnSrc {
Expand All @@ -42,7 +44,7 @@ func (vs VulnSrc) Name() types.SourceID {
return source.ID
}

func (vs VulnSrc) Update(dir string) error {
func (vs VulnSrc) Update(dir string, db *overridedb.OverriddenData) error {
rootDir := filepath.Join(dir, "vuln-list", archLinuxDir)

var avgs []ArchVulnGroup
6 changes: 4 additions & 2 deletions pkg/vulnsrc/bundler/bundler.go
Expand Up @@ -11,6 +11,7 @@ import (
"gopkg.in/yaml.v2"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/bucket"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
Expand Down Expand Up @@ -55,7 +56,8 @@ type Related struct {
}

type VulnSrc struct {
dbc db.Operation
dbc db.Operation
overriddenDb *overridedb.OverriddenData
}

func NewVulnSrc() VulnSrc {
Expand All @@ -68,7 +70,7 @@ func (vs VulnSrc) Name() types.SourceID {
return source.ID
}

func (vs VulnSrc) Update(dir string) error {
func (vs VulnSrc) Update(dir string, db *overridedb.OverriddenData) error {
repoPath := filepath.Join(dir, bundlerDir)
if err := vs.update(repoPath); err != nil {
return xerrors.Errorf("failed to update bundler vulnerabilities: %w", err)
6 changes: 4 additions & 2 deletions pkg/vulnsrc/composer/composer.go
Expand Up @@ -10,6 +10,7 @@ import (
"gopkg.in/yaml.v2"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/bucket"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
Expand Down Expand Up @@ -45,7 +46,8 @@ type Advisory struct {
}

type VulnSrc struct {
dbc db.Operation
dbc db.Operation
overriddenDb *overridedb.OverriddenData
}

func NewVulnSrc() VulnSrc {
Expand All @@ -58,7 +60,7 @@ func (vs VulnSrc) Name() types.SourceID {
return source.ID
}

func (vs VulnSrc) Update(dir string) (err error) {
func (vs VulnSrc) Update(dir string, db *overridedb.OverriddenData) (err error) {
repoPath := filepath.Join(dir, composerDir)
if err := vs.update(repoPath); err != nil {
return xerrors.Errorf("failed to update compose vulnerabilities: %w", err)
47 changes: 26 additions & 21 deletions pkg/vulnsrc/debian/debian.go
Expand Up @@ -14,6 +14,7 @@ import (
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/overridedb"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
ustrings "github.com/aquasecurity/trivy-db/pkg/utils/strings"
Expand Down Expand Up @@ -60,8 +61,9 @@ func WithCustomPut(put db.CustomPut) Option {
}

type VulnSrc struct {
put db.CustomPut
dbc db.Operation
put db.CustomPut
dbc db.Operation
overriddenDb *overridedb.OverriddenData

// Hold a map of codenames and major versions from distributions.json
// e.g. "buster" => "10"
Expand Down Expand Up @@ -112,7 +114,7 @@ func (vs VulnSrc) Name() types.SourceID {
return source.ID
}

func (vs VulnSrc) Update(dir string) error {
func (vs VulnSrc) Update(dir string, db *overridedb.OverriddenData) error {
if err := vs.parse(dir); err != nil {
return xerrors.Errorf("parse error: %w", err)
}
Expand Down Expand Up @@ -593,28 +595,31 @@ func (vs VulnSrc) parseSources(dir string) error {
// There are 3 cases when the fixed version of each release is not stated in list files.
//
// Case 1
// When the latest version in the release is greater than the fixed version in sid,
// we can assume that the vulnerability was already fixed at the fixed version.
// e.g.
// latest version (buster) : "5.0-4"
// fixed version (sid) : "5.0-2"
// => the vulnerability was fixed at "5.0-2".
//
// When the latest version in the release is greater than the fixed version in sid,
// we can assume that the vulnerability was already fixed at the fixed version.
// e.g.
// latest version (buster) : "5.0-4"
// fixed version (sid) : "5.0-2"
// => the vulnerability was fixed at "5.0-2".
//
// Case 2
// When the latest version in the release less than the fixed version in sid,
// it means the vulnerability has not been fixed yet.
// e.g.
// latest version (buster) : "5.0-4"
// fixed version (sid) : "5.0-5"
// => the vulnerability hasn't been fixed yet.
//
// When the latest version in the release less than the fixed version in sid,
// it means the vulnerability has not been fixed yet.
// e.g.
// latest version (buster) : "5.0-4"
// fixed version (sid) : "5.0-5"
// => the vulnerability hasn't been fixed yet.
//
// Case 3
// When the fixed version in sid is empty,
// it means the vulnerability has not been fixed yet.
// e.g.
// latest version (buster) : "5.0-4"
// fixed version (sid) : ""
// => the vulnerability hasn't been fixed yet.
//
// When the fixed version in sid is empty,
// it means the vulnerability has not been fixed yet.
// e.g.
// latest version (buster) : "5.0-4"
// fixed version (sid) : ""
// => the vulnerability hasn't been fixed yet.
func hasFixedVersion(sidVer, codeVer string) (bool, error) {
// No fixed version even in sid
if sidVer == "" {