check Type when filling pkgs in vulns (#4776)

aquasecurity · Jul 6, 2023 · e5bee5c · e5bee5c
1 parent 4b9f310
commit e5bee5c
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 1 deletion.
diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go
@@ -205,7 +205,7 @@ func (s Scanner) fillPkgsInVulns(pkgResults, vulnResults types.Results) types.Re
 	}
 	for _, result := range pkgResults {
 		if r, found := lo.Find(vulnResults, func(r types.Result) bool {
-			return r.Class == result.Class && r.Target == result.Target
+			return r.Class == result.Class && r.Target == result.Target && r.Type == result.Type
 		}); found {
 			r.Packages = result.Packages
 			results = append(results, r)

diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go
@@ -490,6 +490,101 @@ func TestScanner_Scan(t *testing.T) {
 			},
 			wantOS: ftypes.OS{},
 		},
+		{
+			name: "happy path. Empty filePaths (e.g. Scanned SBOM)",
+			args: args{
+				target:   "./result.cdx",
+				layerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				options: types.ScanOptions{
+					VulnType:        []string{types.VulnTypeLibrary},
+					Scanners:        types.Scanners{types.VulnerabilityScanner},
+					ListAllPackages: true,
+				},
+			},
+			fixtures: []string{"testdata/fixtures/happy.yaml"},
+			applyLayersExpectation: ApplierApplyLayersExpectation{
+				Args: ApplierApplyLayersArgs{
+					BlobIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				},
+				Returns: ApplierApplyLayersReturns{
+					Detail: ftypes.ArtifactDetail{
+						Applications: []ftypes.Application{
+							{
+								Type:     "bundler",
+								FilePath: "",
+								Libraries: []ftypes.Package{
+									{
+										Name:    "rails",
+										Version: "4.0.2",
+									},
+								},
+							},
+							{
+								Type:     "composer",
+								FilePath: "",
+								Libraries: []ftypes.Package{
+									{
+										Name:    "laravel/framework",
+										Version: "6.0.0",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantResults: types.Results{
+				{
+					Target: "",
+					Class:  types.ClassLangPkg,
+					Type:   ftypes.Bundler,
+					Packages: []ftypes.Package{
+						{
+							Name:    "rails",
+							Version: "4.0.2",
+						},
+					},
+					Vulnerabilities: []types.DetectedVulnerability{
+						{
+							VulnerabilityID:  "CVE-2014-0081",
+							PkgName:          "rails",
+							InstalledVersion: "4.0.2",
+							FixedVersion:     "4.0.3, 3.2.17",
+							PrimaryURL:       "https://avd.aquasec.com/nvd/cve-2014-0081",
+							Vulnerability: dbTypes.Vulnerability{
+								Title:       "xss",
+								Description: "xss vulnerability",
+								Severity:    "MEDIUM",
+								References: []string{
+									"http://example.com",
+								},
+								LastModifiedDate: lo.ToPtr(time.Date(2020, 2, 1, 1, 1, 0, 0, time.UTC)),
+								PublishedDate:    lo.ToPtr(time.Date(2020, 1, 1, 1, 1, 0, 0, time.UTC)),
+							},
+						},
+					},
+				},
+				{
+					Target: "",
+					Class:  types.ClassLangPkg,
+					Type:   ftypes.Composer,
+					Packages: []ftypes.Package{
+						{
+							Name:    "laravel/framework",
+							Version: "6.0.0",
+						},
+					},
+					Vulnerabilities: []types.DetectedVulnerability{
+						{
+							VulnerabilityID:  "CVE-2021-21263",
+							PkgName:          "laravel/framework",
+							InstalledVersion: "6.0.0",
+							FixedVersion:     "8.22.1, 7.30.3, 6.20.12",
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "happy path with no package",
 			args: args{