Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Prevent grouped vulnerability entries by including target and package path #2140

Merged
merged 3 commits into from
Jun 17, 2024
Merged

fix: Prevent grouped vulnerability entries by including target and package path #2140

merged 3 commits into from
Jun 17, 2024

Conversation

kersten
Copy link
Contributor

@kersten kersten commented Jun 13, 2024
edited
Loading

Description

This PR addresses an issue in the collectVulnerabilityIdReports method where only one metric was being reported for multiple binaries with the same Vulnerability ID within the same image. The root cause was that the method only considered the VulnerabilityID when determining uniqueness, causing subsequent findings with the same ID to be ignored.

Changes Made:

  • Updated the key used for tracking vulnerabilities in the collectVulnerabilityIdReports method to include additional attributes (Target and PkgPath), ensuring each vulnerability is uniquely identified based on its ID, target, and package path.
  • Modified the vulnList map to use the concatenated string of VulnerabilityID, Target, and PkgPath as the key.
  • Ensured that all occurrences of vulnerabilities in different binaries or paths are correctly reported in the metrics.

This change improves the accuracy of the vulnerability metrics reported, especially for images containing multiple binaries and applications with numerous dependencies, such as Java applications, where a CVE could be present in multiple libraries.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.

@kersten kersten changed the title Prevent grouped vulnerability entries by including target and package path fix: Prevent grouped vulnerability entries by including target and package path Jun 13, 2024
@github-actions github-actions bot added the bug label Jun 13, 2024
@kersten kersten marked this pull request as ready for review June 13, 2024 15:17
chen-keinan
chen-keinan approved these changes Jun 17, 2024
View reviewed changes
Copy link
Collaborator

@chen-keinan chen-keinan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kersten lgtm 🚀 thanks for the contribution

@chen-keinan chen-keinan merged commit ec93a42 into aquasecurity:main Jun 17, 2024
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chen-keinan chen-keinan chen-keinan approved these changes

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Metrics Report Only One Finding for Multiple Binaries with Same Vulnerability ID
2 participants
@kersten @chen-keinan