

feat(vuln): support dependency graph for dpkg and apk (#3093)
Co-authored-by: Masahiro331 <m_fujimura@r.recruit.co.jp>
knqyf263 and masahiro331 committed Oct 31, 2022
1 parent 7cc83cc commit 9468056
Showing 34 changed files with 1,744 additions and 483 deletions.
2 changes: 1 addition & 1 deletion docs/docs/vulnerability/examples/report.md
Expand Up @@ -18,7 +18,7 @@ To make this task simpler Trivy can show a dependency origin tree with the `--de
This flag is only available with the `--format table` flag.

!!! note
Only Node.js (package-lock.json) and Rust Binaries built with [cargo-auditable][cargo-auditable] are supported at the moment.
Only OS packages, Node.js (package-lock.json) and Rust Binaries built with [cargo-auditable][cargo-auditable] are supported at the moment.

This tree is the reverse of the npm list command.
However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
4 changes: 4 additions & 0 deletions integration/testdata/alpine-310-registry.json.golden
Expand Up @@ -61,6 +61,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
Expand Down Expand Up @@ -120,6 +121,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
Expand Down Expand Up @@ -189,6 +191,7 @@
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
Expand Down Expand Up @@ -248,6 +251,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
43 changes: 43 additions & 0 deletions integration/testdata/alpine-310.gsbom.golden
Expand Up @@ -19,6 +19,10 @@
"alpine-baselayout": {
"package_url": "pkg:apk/alpine-baselayout@3.1.2-r0",
"relationship": "direct",
"dependencies": [
"busybox@1.30.1-r2",
"musl@1.1.22-r3"
],
"scope": "runtime"
},
"alpine-keys": {
Expand All @@ -29,11 +33,20 @@
"apk-tools": {
"package_url": "pkg:apk/apk-tools@2.10.4-r2",
"relationship": "direct",
"dependencies": [
"libcrypto1.1@1.1.1c-r0",
"libssl1.1@1.1.1c-r0",
"musl@1.1.22-r3",
"zlib@1.2.11-r1"
],
"scope": "runtime"
},
"busybox": {
"package_url": "pkg:apk/busybox@1.30.1-r2",
"relationship": "direct",
"dependencies": [
"musl@1.1.22-r3"
],
"scope": "runtime"
},
"ca-certificates-cacert": {
Expand All @@ -44,21 +57,37 @@
"libc-utils": {
"package_url": "pkg:apk/libc-utils@0.7.1-r0",
"relationship": "direct",
"dependencies": [
"musl-utils@1.1.22-r3"
],
"scope": "runtime"
},
"libcrypto1.1": {
"package_url": "pkg:apk/libcrypto1.1@1.1.1c-r0",
"relationship": "direct",
"dependencies": [
"musl@1.1.22-r3"
],
"scope": "runtime"
},
"libssl1.1": {
"package_url": "pkg:apk/libssl1.1@1.1.1c-r0",
"relationship": "direct",
"dependencies": [
"libcrypto1.1@1.1.1c-r0",
"musl@1.1.22-r3"
],
"scope": "runtime"
},
"libtls-standalone": {
"package_url": "pkg:apk/libtls-standalone@2.9.1-r0",
"relationship": "direct",
"dependencies": [
"ca-certificates-cacert@20190108-r0",
"libcrypto1.1@1.1.1c-r0",
"libssl1.1@1.1.1c-r0",
"musl@1.1.22-r3"
],
"scope": "runtime"
},
"musl": {
Expand All @@ -69,21 +98,35 @@
"musl-utils": {
"package_url": "pkg:apk/musl-utils@1.1.22-r3",
"relationship": "direct",
"dependencies": [
"musl@1.1.22-r3",
"scanelf@1.2.3-r0"
],
"scope": "runtime"
},
"scanelf": {
"package_url": "pkg:apk/scanelf@1.2.3-r0",
"relationship": "direct",
"dependencies": [
"musl@1.1.22-r3"
],
"scope": "runtime"
},
"ssl_client": {
"package_url": "pkg:apk/ssl_client@1.30.1-r2",
"relationship": "direct",
"dependencies": [
"libtls-standalone@2.9.1-r0",
"musl@1.1.22-r3"
],
"scope": "runtime"
},
"zlib": {
"package_url": "pkg:apk/zlib@1.2.11-r1",
"relationship": "direct",
"dependencies": [
"musl@1.1.22-r3"
],
"scope": "runtime"
}
}
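Review bot: Every package in this GitHub dependency-snapshot golden keeps `"relationship": "direct"` even where it also appears only as an entry in another package's new `dependencies` list — `libcrypto1.1` is listed under `apk-tools`, `libssl1.1` and `libtls-standalone`, and `musl` is a dependency of nearly everything, yet each visible entry is still `direct`. Now that the apk graph is available, the snapshot format's `indirect` value would let a consumer tell a library pulled in by another package from one installed on its own, which is the distinction the dependency-tree work is meant to surface. If all installed OS packages are deliberately reported as direct (there is no manifest to separate a top-level install from a transitive one), that is defensible, but it deserves a comment in the GitHub SBOM writer such as `// OS packages have no manifest, so every installed package is reported as "direct"; the dependencies list carries the graph`. The writer is not in this chunk, so this may already be handled there.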
4 changes: 4 additions & 0 deletions integration/testdata/alpine-310.json.golden
Expand Up @@ -55,6 +55,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
Expand Down Expand Up @@ -114,6 +115,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libcrypto1.1@1.1.1c-r0",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
Expand Down Expand Up @@ -183,6 +185,7 @@
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r0",
Expand Down Expand Up @@ -242,6 +245,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.1c-r0",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1c-r0",
"FixedVersion": "1.1.1d-r2",
2 changes: 2 additions & 0 deletions integration/testdata/alpine-39-high-critical.json.golden
Expand Up @@ -55,6 +55,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14697",
"PkgID": "musl@1.1.20-r4",
"PkgName": "musl",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
Expand Down Expand Up @@ -92,6 +93,7 @@
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgID": "musl-utils@1.1.20-r4",
"PkgName": "musl-utils",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
2 changes: 2 additions & 0 deletions integration/testdata/alpine-39-ignore-cveids.json.golden
Expand Up @@ -55,6 +55,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
Expand Down Expand Up @@ -124,6 +125,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
6 changes: 6 additions & 0 deletions integration/testdata/alpine-39.json.golden
Expand Up @@ -55,6 +55,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
Expand Down Expand Up @@ -114,6 +115,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libcrypto1.1@1.1.1b-r1",
"PkgName": "libcrypto1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
Expand Down Expand Up @@ -183,6 +185,7 @@
},
{
"VulnerabilityID": "CVE-2019-1549",
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r0",
Expand Down Expand Up @@ -242,6 +245,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.1b-r1",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.1b-r1",
"FixedVersion": "1.1.1d-r2",
Expand Down Expand Up @@ -311,6 +315,7 @@
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgID": "musl@1.1.20-r4",
"PkgName": "musl",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
Expand Down Expand Up @@ -348,6 +353,7 @@
},
{
"VulnerabilityID": "CVE-2019-14697",
"PkgID": "musl-utils@1.1.20-r4",
"PkgName": "musl-utils",
"InstalledVersion": "1.1.20-r4",
"FixedVersion": "1.1.20-r5",
1 change: 1 addition & 0 deletions integration/testdata/alpine-distroless.json.golden
Expand Up @@ -50,6 +50,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-24765",
"PkgID": "git@2.35.1-r2",
"PkgName": "git",
"InstalledVersion": "2.35.1-r2",
"FixedVersion": "2.35.2-r0",
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@
"VendorIDs": [
"DSA-4613-1"
],
"PkgID": "libidn2-0@2.0.5-1",
"PkgName": "libidn2-0",
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
2 changes: 2 additions & 0 deletions integration/testdata/debian-buster.json.golden
Expand Up @@ -54,6 +54,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@5.0-4",
"PkgName": "bash",
"InstalledVersion": "5.0-4",
"Layer": {
Expand Down Expand Up @@ -106,6 +107,7 @@
"VendorIDs": [
"DSA-4613-1"
],
"PkgID": "libidn2-0@2.0.5-1",
"PkgName": "libidn2-0",
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",
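Review bot: The new `PkgID` for dpkg packages is `name@version` with no architecture component, e.g. `"PkgID": "libidn2-0@2.0.5-1"` and `"PkgID": "bash@5.0-4"` in this golden. On multi-arch Debian/Ubuntu images the same name and version can be installed twice (`libc6:amd64` and `libc6:i386`), so if this identifier is the key the dependency graph and `--dependency-tree` use to join edges, the two installs would collide and one package's edges would be attributed to the other. If the ID is meant to be unique per installed package, consider including the arch for dpkg, e.g. `libidn2-0:amd64@2.0.5-1`, or document that multi-arch duplicates are merged. The status-file parser that builds the ID is not in this chunk, so this may already be handled there.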
5 changes: 5 additions & 0 deletions integration/testdata/debian-stretch.json.golden
Expand Up @@ -55,6 +55,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-18276",
"PkgID": "bash@4.4-5",
"PkgName": "bash",
"InstalledVersion": "4.4-5",
"Layer": {
Expand Down Expand Up @@ -107,6 +108,7 @@
"VendorIDs": [
"DSA-4535-1"
],
"PkgID": "e2fslibs@1.43.4-2",
"PkgName": "e2fslibs",
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
Expand Down Expand Up @@ -166,6 +168,7 @@
"VendorIDs": [
"DSA-4535-1"
],
"PkgID": "e2fsprogs@1.43.4-2",
"PkgName": "e2fsprogs",
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
Expand Down Expand Up @@ -225,6 +228,7 @@
"VendorIDs": [
"DSA-4535-1"
],
"PkgID": "libcomerr2@1.43.4-2",
"PkgName": "libcomerr2",
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
Expand Down Expand Up @@ -284,6 +288,7 @@
"VendorIDs": [
"DSA-4535-1"
],
"PkgID": "libss2@1.43.4-2",
"PkgName": "libss2",
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
4 changes: 4 additions & 0 deletions integration/testdata/distroless-base.json.golden
Expand Up @@ -53,6 +53,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1",
"Layer": {
Expand Down Expand Up @@ -124,6 +125,7 @@
"VendorIDs": [
"DSA-4539-1"
],
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
Expand Down Expand Up @@ -201,6 +203,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"InstalledVersion": "1.1.0k-1~deb9u1",
"Layer": {
Expand Down Expand Up @@ -272,6 +275,7 @@
"VendorIDs": [
"DSA-4539-1"
],
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
4 changes: 4 additions & 0 deletions integration/testdata/distroless-python27.json.golden
Expand Up @@ -70,6 +70,7 @@
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1",
"Layer": {
Expand Down Expand Up @@ -141,6 +142,7 @@
"VendorIDs": [
"DSA-4539-1"
],
"PkgID": "libssl1.1@1.1.0k-1~deb9u1",
"PkgName": "libssl1.1",
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
Expand Down Expand Up @@ -218,6 +220,7 @@
},
{
"VulnerabilityID": "CVE-2019-1551",
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"InstalledVersion": "1.1.0k-1~deb9u1",
"Layer": {
Expand Down Expand Up @@ -289,6 +292,7 @@
"VendorIDs": [
"DSA-4539-1"
],
"PkgID": "openssl@1.1.0k-1~deb9u1",
"PkgName": "openssl",
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
