Grype Template: Can't evaluate field RelatedVulnerabilities in type models.Vulnerability #1449

Closed
0mm1n opened this issue Aug 21, 2023 · 2 comments
Labels
bug Something isn't working

Comments


0mm1n commented Aug 21, 2023

What happened:
I'm trying to write a template that uses the grype example csv template but with 2 extra columns of CVSSv3, CVSSv2.

To get the values out, I'm first looking at .Vulnerability.Cvss.Metrics.BaseScore when it exists for the vulnerability; if not, I use the Vulnerability.RelatedVulnerabilities, but I'm given an error:

1 error occurred:
  * unable to write result: unable to encode result: unable to execute supplied template: template: test.template:18:28: executing "test.template" at <.Vulnerability.RelatedVulnerabilities>: can't evaluate field RelatedVulnerabilities in type models.Vulnerability

What you expected to happen:
Output to look like:
CVE-2020-36518: V3: 7.5 V2: 5

How to reproduce it (as minimally and precisely as possible):
test.template:

{{- range .Matches}}
  {{ $v2Score := "" }}
  {{ $v3Score := "" }}
  {{- $vulnID := .Vulnerability.ID}}
  {{- if (gt (len .Vulnerability.Cvss) 0) }}
    {{- range .Vulnerability.Cvss }}
      {{- if and (eq .type "Primary") (ge (float64 .Version) 3.0) }}
        {{ $v3Score = .Metrics.BaseScore }}
      {{- end}}

      {{- if and (eq .type "Primary") (lt (float64 .Version) 3.0) }}
        {{ $v2Score = .Metrics.BaseScore }}
      {{- end}}
    {{- end }}
    {{$vulnID}}: V3: {{$v3Score}} V2: {{$v2Score}}

  {{else}}
    {{- range .Vulnerability.RelatedVulnerabilities}}
      {{- range .cvss}}
        {{- if and (eq .type "Primary") (ge (float64 .Version) 3.0) }}
          {{ $v3Score = .Metrics.BaseScore }}
        {{- end}}

        {{- if and (eq .type "Primary") (lt (float64 .Version) 3.0) }}
          {{ $v2Score = .Metrics.BaseScore }}
        {{- end}}
      {{- end}}
      {{$vulnID}}: V3: {{$v3Score}} V2: {{$v2Score}}
    {{- end}}
  {{- end }}
{{- end}}

grype --output template --template test.template --scope all-layers alpine:3.14.10

Anything else we need to know?:
It's very difficult to get a CVSS score for a vulnerability for reporting purposes.

Environment:

  • Output of grype version:
Application:          grype
Version:              0.65.2
Syft Version:         v0.87.1
BuildDate:            2023-08-17T20:03:30Z
GitCommit:            51223cd0b1069c7c7bbc27af1deec3e96ad3e07d
GitDescription:       v0.65.2
Platform:             linux/amd64
GoVersion:            go1.19.12
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar):
    "Ubuntu 22.04.3 LTS"
0mm1n added the bug label Aug 21, 2023
Author

0mm1n commented Aug 21, 2023

Never mind, I'm dumb.

Here's the working template to pull out the CVSSv3/CVSS2 and store as variables $v2Score and $v3Score for use:

{{- range .Matches}}
  {{ $v2Score := "" }}
  {{ $v3Score := "" }}
  {{- $vulnID := .Vulnerability.ID}}
  {{- if (gt (len .Vulnerability.Cvss) 0) }}
    {{- range .Vulnerability.Cvss }}
      {{- if and (eq .Type "Primary") (ge (float64 .Version) 3.0) }}
        {{ $v3Score = .Metrics.BaseScore }}
      {{- end}}

      {{- if and (eq .Type "Primary") (lt (float64 .Version) 3.0) }}
        {{ $v2Score = .Metrics.BaseScore }}
      {{- end}}
    {{- end }}
    {{$vulnID}}: V3: {{$v3Score}} V2: {{$v2Score}}
  
  {{else}}
    {{- range .RelatedVulnerabilities}}
      {{- range .Cvss}}
        {{- if and (eq .Type "Primary") (ge (float64 .Version) 3.0) }}
          {{ $v3Score = .Metrics.BaseScore }}
        {{- end}}

        {{- if and (eq .Type "Primary") (lt (float64 .Version) 3.0) }}
          {{ $v2Score = .Metrics.BaseScore }}
        {{- end}}
      {{- end}}
      {{$vulnID}}: V3: {{$v3Score}} V2: {{$v2Score}}
    {{- end}}
  {{- end }}
{{- end}}

I was ranging over .Vulnerability.RelatedVulnerabilities when it should have been {{- range .RelatedVulnerabilities}}.

0mm1n closed this as completed Aug 21, 2023
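Added example, not part of the thread or of grype's code: a minimal Go `text/template` reproduction of the error above and of the corrected path. The struct types are simplified stand-ins assumed from the fields the templates in this thread reference, and the sample match is constructed; it also shows that the lowercase `.cvss` used in the first template fails the same way, which is why the working template uses `.Cvss` and `.Type`.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Simplified stand-ins (assumption: not grype's real models package).
type Metrics struct{ BaseScore float64 }
type Cvss struct {
	Type, Version string
	Metrics       Metrics
}
type Vulnerability struct {
	ID   string
	Cvss []Cvss
}
type Match struct {
	Vulnerability          Vulnerability
	RelatedVulnerabilities []Vulnerability // sibling of Vulnerability, not a child
}

// Constructed sample: the match itself has no CVSS, its related record does.
var sample = struct{ Matches []Match }{[]Match{{
	Vulnerability: Vulnerability{ID: "CVE-0000-0001"},
	RelatedVulnerabilities: []Vulnerability{{ID: "CVE-0000-0001", Cvss: []Cvss{
		{Type: "Primary", Version: "3.1", Metrics: Metrics{BaseScore: 7.5}},
		{Type: "Primary", Version: "2.0", Metrics: Metrics{BaseScore: 5}},
	}}},
}}}

const wrongPath = `{{range .Matches}}{{range .Vulnerability.RelatedVulnerabilities}}{{.ID}}{{end}}{{end}}`
const wrongCase = `{{range .Matches}}{{range .RelatedVulnerabilities}}{{range .cvss}}{{end}}{{end}}{{end}}`
const rightPath = `{{range .Matches}}{{$id := .Vulnerability.ID}}{{range .RelatedVulnerabilities}}{{range .Cvss}}{{$id}} v{{.Version}}={{.Metrics.BaseScore}};{{end}}{{end}}{{end}}`

// render executes one template against the sample; field errors surface only at execution time.
func render(text string) (string, error) {
	var out strings.Builder
	err := template.Must(template.New("test.template").Parse(text)).Execute(&out, sample)
	return out.String(), err
}

func main() {
	for _, t := range []string{wrongPath, wrongCase, rightPath} {
		out, err := render(t)
		fmt.Printf("out=%q err=%v\n", out, err)
	}
}
```

All three templates parse cleanly; the field lookups fail only when a match actually reaches that branch, so a template like this needs to be exercised against an image whose matches lack their own CVSS entries.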
Contributor

kzantow commented Aug 21, 2023

Thanks for following up, @0mm1n!

kzantow closed this as not planned Aug 21, 2023