
fix: use PkgName and InstalledVersion to support non-OS targets #34

Merged (4 commits) on Oct 30, 2024

Conversation

hutomosaleh (Collaborator) commented Oct 29, 2024

Description

When running a trivy scan for https://gitlab.opencode.de/opencode-analyzer/occmd-public, I receive the following error:

ERROR de.fraunhofer.iem.podmanager.rabbitmq.Consumer - Field 'PkgID' is required for type with serial name 'de.fraunhofer.iem.spha.model.adapter.trivy.TrivyVulnerabilityDto', but it was missing at path: $.Results[0].Vulnerabilities[1]

This happened because the output of the Trivy scan contains Python packages without any PkgID, for example:

    {
      "Target": "Python",
      "Class": "lang-pkgs",
      "Type": "python-pkg",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-22190",
          "PkgName": "GitPython",
          "PkgPath": "home/redacted/.local/lib/python3.11/site-packages/GitPython-3.1.37.dist-info/METADATA",
          "PkgIdentifier": {
            "PURL": "pkg:pypi/GitPython@3.1.37",
            "UID": "5591a0dc57c78b2"
          },
          "InstalledVersion": "3.1.37",
          "FixedVersion": "3.1.41",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:13b0acb9b68e8a74b8e6152932c5bd6c6968e13fa32feba83cc2310346a9b7f9",
            "DiffID": "sha256:feea6321b4864eb2cb16188d1619323db7c8738adaca6982c8005da9fe227961"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-22190",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory pip",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
          },
          "Title": "Untrusted search path under some conditions on Windows allows arbitrary code execution",
          "Description": "GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-426"
          ],
          "VendorSeverity": {
            "ghsa": 3,
            "nvd": 3
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "V3Score": 7.8
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "V3Score": 7.8
            }
          },
          "References": [
            "https://github.com/gitpython-developers/GitPython"
          ],
          "PublishedDate": "2024-01-11T02:15:48.25Z",
          "LastModifiedDate": "2024-01-18T13:48:07.553Z"
        }
      ]
    }

Changes

This PR changes the Trivy Vulnerability Dto to get PkgName and InstalledVersion instead of PkgID, because these fields are always available regardless of scan target types. Tests are updated with this PR too.

github-actions bot commented Oct 29, 2024

JUnit Test Report: 53 ran, 53 passed, 0 skipped, 0 failed

github-actions bot commented Oct 29, 2024

Code Coverage

Overall project: 80.62%
Files changed: 100%
Module coverage: adapter 74.06%
File coverage: adapter/TrivyAdapter.kt 94.2%

@janniclas janniclas self-requested a review October 29, 2024 16:49
@janniclas janniclas added the bug Something isn't working label Oct 29, 2024
janniclas (Contributor) commented Oct 29, 2024

I just checked the official documentation and it seems like PkgIdentifier is also not mandatory, will your change work if it is missing?
See https://aquasecurity.github.io/trivy/v0.56/docs/configuration/reporting/ for the format description
@AnakinRaW did you check this documentation when you implemented the initial version?

@janniclas janniclas added this to the 0.0.3 milestone Oct 29, 2024
hutomosaleh (Collaborator, Author) commented Oct 29, 2024

VulnerabilityID, PkgName, InstalledVersion, and Severity in Vulnerabilities are always filled with values, but other fields might be empty.

Since these values are always there, I'll use PkgName & InstalledVersion instead of PkgIdentifier, which basically contains the same info.
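A Kotlin sketch of the approach laid out in the PR description and in the comment above, added here as an example (it is not the project's TrivyAdapter.kt; the DTO class and property names are assumptions): with kotlinx.serialization only the four fields Trivy always fills are non-nullable without defaults, so a python-pkg result that lacks PkgID or PkgIdentifier decodes instead of raising the "Field 'PkgID' is required" error quoted above.

```kotlin
import kotlinx.serialization.SerialName
import kotlinx.serialization.Serializable
import kotlinx.serialization.decodeFromString
import kotlinx.serialization.json.Json

// Hypothetical DTOs mirroring the fix described in this PR (not the project's own classes).
// Only the four fields Trivy always populates are required; everything else is nullable with
// a default, so a key absent from a lang-pkgs target (PkgID, PkgIdentifier) cannot fail decoding.
@Serializable
data class TrivyPkgIdentifier(
    @SerialName("PURL") val purl: String? = null,
    @SerialName("UID") val uid: String? = null,
)
@Serializable
data class TrivyVulnerabilityDto(
    @SerialName("VulnerabilityID") val vulnerabilityId: String,
    @SerialName("PkgName") val pkgName: String,
    @SerialName("InstalledVersion") val installedVersion: String,
    @SerialName("Severity") val severity: String,
    @SerialName("PkgID") val pkgId: String? = null, // present for OS packages only
    @SerialName("PkgIdentifier") val pkgIdentifier: TrivyPkgIdentifier? = null,
    @SerialName("FixedVersion") val fixedVersion: String? = null,
) {
    // One stable key per package regardless of target type.
    val packageKey: String get() = pkgId ?: "$pkgName@$installedVersion"
}
@Serializable
data class TrivyResultDto(
    @SerialName("Target") val target: String,
    @SerialName("Vulnerabilities") val vulnerabilities: List<TrivyVulnerabilityDto> = emptyList(),
)

@Serializable
data class TrivyReportDto(@SerialName("Results") val results: List<TrivyResultDto> = emptyList())

// ignoreUnknownKeys skips report fields not modelled here (Layer, CVSS, References, ...);
// coerceInputValues turns an explicit JSON null into the property default instead of an error.
private val trivyJson = Json { ignoreUnknownKeys = true; coerceInputValues = true }

fun parseTrivyReport(raw: String): TrivyReportDto = trivyJson.decodeFromString(raw)

fun main() {
    // Constructed excerpt shaped like the python-pkg result quoted in the PR description.
    val sample = """{"Results":[{"Target":"Python","Class":"lang-pkgs","Type":"python-pkg",
        "Vulnerabilities":[{"VulnerabilityID":"CVE-2024-22190","PkgName":"GitPython",
        "InstalledVersion":"3.1.37","FixedVersion":"3.1.41","Severity":"HIGH"}]}]}"""
    parseTrivyReport(sample).results.forEach { r ->
        r.vulnerabilities.forEach { v -> println("${r.target}: ${v.packageKey} (${v.severity})") }
    }
}
```

The same sample with a "PkgID" key added decodes identically, with packageKey taking that value instead of the name@version fallback.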

@hutomosaleh hutomosaleh changed the title fix: use PkgIdentifier and PURL to support non-OS targets fix: use PkgName and InstalledVersion to support non-OS targets Oct 30, 2024
@janniclas janniclas merged commit a64f48a into main Oct 30, 2024
2 checks passed
@janniclas janniclas deleted the fix/handle-missing-pkgid branch October 30, 2024 08:58