-
Notifications
You must be signed in to change notification settings - Fork 2.4k
/
Copy pathartifact.go
281 lines (234 loc) · 7.95 KB
/
artifact.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
package types
import (
"time"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/samber/lo"
aos "github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
)
type OS struct {
Family string
Name string
Eosl bool `json:"EOSL,omitempty"`
// This field is used for enhanced security maintenance programs such as Ubuntu ESM, Debian Extended LTS.
Extended bool `json:"extended,omitempty"`
}
func (o *OS) Detected() bool {
return o.Family != ""
}
// Merge merges OS version and enhanced security maintenance programs
func (o *OS) Merge(new OS) {
if lo.IsEmpty(new) {
return
}
switch {
// OLE also has /etc/redhat-release and it detects OLE as RHEL by mistake.
// In that case, OS must be overwritten with the content of /etc/oracle-release.
// There is the same problem between Debian and Ubuntu.
case o.Family == aos.RedHat, o.Family == aos.Debian:
*o = new
default:
if o.Family == "" {
o.Family = new.Family
}
if o.Name == "" {
o.Name = new.Name
}
// Ubuntu has ESM program: https://ubuntu.com/security/esm
// OS version and esm status are stored in different files.
// We have to merge OS version after parsing these files.
if o.Extended || new.Extended {
o.Extended = true
}
}
}
type Repository struct {
Family string `json:",omitempty"`
Release string `json:",omitempty"`
}
type Layer struct {
Digest string `json:",omitempty"`
DiffID string `json:",omitempty"`
CreatedBy string `json:",omitempty"`
}
type Package struct {
ID string `json:",omitempty"`
Name string `json:",omitempty"`
Version string `json:",omitempty"`
Release string `json:",omitempty"`
Epoch int `json:",omitempty"`
Arch string `json:",omitempty"`
SrcName string `json:",omitempty"`
SrcVersion string `json:",omitempty"`
SrcRelease string `json:",omitempty"`
SrcEpoch int `json:",omitempty"`
Licenses []string `json:",omitempty"`
Maintainer string `json:",omitempty"`
Modularitylabel string `json:",omitempty"` // only for Red Hat based distributions
BuildInfo *BuildInfo `json:",omitempty"` // only for Red Hat
Ref string `json:",omitempty"` // identifier which can be used to reference the component elsewhere
Indirect bool `json:",omitempty"` // this package is direct dependency of the project or not
// Dependencies of this package
// Note: it may have interdependencies, which may lead to infinite loops.
DependsOn []string `json:",omitempty"`
Layer Layer `json:",omitempty"`
// Each package metadata have the file path, while the package from lock files does not have.
FilePath string `json:",omitempty"`
// lines from the lock file where the dependency is written
Locations []Location `json:",omitempty"`
}
type Location struct {
StartLine int `json:",omitempty"`
EndLine int `json:",omitempty"`
}
// BuildInfo represents information under /root/buildinfo in RHEL
type BuildInfo struct {
ContentSets []string `json:",omitempty"`
Nvr string `json:",omitempty"`
Arch string `json:",omitempty"`
}
func (pkg *Package) Empty() bool {
return pkg.Name == "" || pkg.Version == ""
}
type Packages []Package
func (pkgs Packages) Len() int {
return len(pkgs)
}
func (pkgs Packages) Swap(i, j int) {
pkgs[i], pkgs[j] = pkgs[j], pkgs[i]
}
func (pkgs Packages) Less(i, j int) bool {
switch {
case pkgs[i].Name != pkgs[j].Name:
return pkgs[i].Name < pkgs[j].Name
case pkgs[i].Version != pkgs[j].Version:
return pkgs[i].Version < pkgs[j].Version
}
return pkgs[i].FilePath < pkgs[j].FilePath
}
type SrcPackage struct {
Name string `json:"name"`
Version string `json:"version"`
BinaryNames []string `json:"binaryNames"`
}
type PackageInfo struct {
FilePath string
Packages Packages
}
type Application struct {
// e.g. bundler and pipenv
Type string
// Lock files have the file path here, while each package metadata do not have
FilePath string `json:",omitempty"`
// Libraries is a list of lang-specific packages
Libraries []Package
}
type File struct {
Type string
Path string
Content []byte
}
// ArtifactType represents a type of artifact
type ArtifactType string
const (
ArtifactContainerImage ArtifactType = "container_image"
ArtifactFilesystem ArtifactType = "filesystem"
ArtifactRemoteRepository ArtifactType = "repository"
ArtifactCycloneDX ArtifactType = "cyclonedx"
ArtifactSPDX ArtifactType = "spdx"
ArtifactAWSAccount ArtifactType = "aws_account"
ArtifactVM ArtifactType = "vm"
)
// ArtifactReference represents a reference of container image, local filesystem and repository
type ArtifactReference struct {
Name string // image name, tar file name, directory or repository name
Type ArtifactType
ID string
BlobIDs []string
ImageMetadata ImageMetadata
// SBOM
CycloneDX *CycloneDX
}
type ImageMetadata struct {
ID string // image ID
DiffIDs []string // uncompressed layer IDs
RepoTags []string
RepoDigests []string
ConfigFile v1.ConfigFile
}
// ArtifactInfo is stored in cache
type ArtifactInfo struct {
SchemaVersion int
Architecture string
Created time.Time
DockerVersion string
OS string
// HistoryPackages are packages extracted from RUN instructions
HistoryPackages []Package `json:",omitempty"`
}
// BlobInfo is stored in cache
type BlobInfo struct {
SchemaVersion int
// Layer information
Digest string `json:",omitempty"`
DiffID string `json:",omitempty"`
CreatedBy string `json:",omitempty"`
OpaqueDirs []string `json:",omitempty"`
WhiteoutFiles []string `json:",omitempty"`
// Analysis result
OS OS `json:",omitempty"`
Repository *Repository `json:",omitempty"`
PackageInfos []PackageInfo `json:",omitempty"`
Applications []Application `json:",omitempty"`
Misconfigurations []Misconfiguration `json:",omitempty"`
Secrets []Secret `json:",omitempty"`
Licenses []LicenseFile `json:",omitempty"`
// Red Hat distributions have build info per layer.
// This information will be embedded into packages when applying layers.
// ref. https://redhat-connect.gitbook.io/partner-guide-for-adopting-red-hat-oval-v2/determining-common-platform-enumeration-cpe
BuildInfo *BuildInfo `json:",omitempty"`
// CustomResources hold analysis results from custom analyzers.
// It is for extensibility and not used in OSS.
CustomResources []CustomResource `json:",omitempty"`
}
// ArtifactDetail is generated by applying blobs
type ArtifactDetail struct {
OS OS `json:",omitempty"`
Repository *Repository `json:",omitempty"`
Packages Packages `json:",omitempty"`
Applications []Application `json:",omitempty"`
Misconfigurations []Misconfiguration `json:",omitempty"`
Secrets []Secret `json:",omitempty"`
Licenses []LicenseFile `json:",omitempty"`
// HistoryPackages are packages extracted from RUN instructions
HistoryPackages []Package `json:",omitempty"`
// CustomResources hold analysis results from custom analyzers.
// It is for extensibility and not used in OSS.
CustomResources []CustomResource `json:",omitempty"`
}
// ToBlobInfo is used to store a merged layer in cache.
func (a *ArtifactDetail) ToBlobInfo() BlobInfo {
return BlobInfo{
SchemaVersion: BlobJSONSchemaVersion,
OS: a.OS,
Repository: a.Repository,
PackageInfos: []PackageInfo{
{
FilePath: "merged", // Set a dummy file path
Packages: a.Packages,
},
},
Applications: a.Applications,
Misconfigurations: a.Misconfigurations,
Secrets: a.Secrets,
Licenses: a.Licenses,
CustomResources: a.CustomResources,
}
}
// CustomResource holds the analysis result from a custom analyzer.
// It is for extensibility and not used in OSS.
type CustomResource struct {
Type string
FilePath string
Layer Layer
Data interface{}
}