From e5bee5cccd5ca3dc4b8abfdc7f91857b54ea46fb Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Thu, 6 Jul 2023 16:45:52 +0600
Subject: [PATCH] check Type when filling pkgs in vulns (#4776)
---
 pkg/scanner/local/scan.go | 2 +-
 pkg/scanner/local/scan_test.go | 95 ++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go
index ec1514143f9..cc093f01a75 100644
--- a/pkg/scanner/local/scan.go
+++ b/pkg/scanner/local/scan.go
@@ -205,7 +205,7 @@ func (s Scanner) fillPkgsInVulns(pkgResults, vulnResults types.Results) types.Re
 }
 for _, result := range pkgResults {
 if r, found := lo.Find(vulnResults, func(r types.Result) bool {
- return r.Class == result.Class && r.Target == result.Target
+ return r.Class == result.Class && r.Target == result.Target && r.Type == result.Type
 }); found {
 r.Packages = result.Packages
 results = append(results, r)
diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go
index ef2c242ca90..a6dbd7e2ad5 100644
--- a/pkg/scanner/local/scan_test.go
+++ b/pkg/scanner/local/scan_test.go
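Review bot: The closure parameter `r` in `lo.Find(vulnResults, func(r types.Result) bool {` shadows the `r` that the same `if` statement binds to the found result, so the now three-field comparison reads as if it tested the result against itself; renaming the parameter keeps the added `r.Type == result.Type` clause unambiguous: `func(v types.Result) bool { return v.Class == result.Class && v.Target == result.Target && v.Type == result.Type }`. The predicate also deserves a why-comment, since Target alone is not a key here: `// A result is identified by (Class, Target, Type); Target can be empty (SBOM input), so Type is needed to keep ecosystems apart.` Without Type in the key, two applications sharing an empty Target and the same Class would presumably both match the first vulnerability result and have one ecosystem's packages attached to the other's findings, which is what the new test case pins. What happens to a package result with no matching vulnerability result is decided outside this hunk; fillPkgsInVulns starts and ends outside it.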
@@ -490,6 +490,101 @@ func TestScanner_Scan(t *testing.T) {
 },
 wantOS: ftypes.OS{},
 },
+ {
+ name: "happy path. Empty filePaths (e.g. Scanned SBOM)",
+ args: args{
+ target: "./result.cdx",
+ layerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+ options: types.ScanOptions{
+ VulnType: []string{types.VulnTypeLibrary},
+ Scanners: types.Scanners{types.VulnerabilityScanner},
+ ListAllPackages: true,
+ },
+ },
+ fixtures: []string{"testdata/fixtures/happy.yaml"},
+ applyLayersExpectation: ApplierApplyLayersExpectation{
+ Args: ApplierApplyLayersArgs{
+ BlobIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+ },
+ Returns: ApplierApplyLayersReturns{
+ Detail: ftypes.ArtifactDetail{
+ Applications: []ftypes.Application{
+ {
+ Type: "bundler",
+ FilePath: "",
+ Libraries: []ftypes.Package{
+ {
+ Name: "rails",
+ Version: "4.0.2",
+ },
+ },
+ },
+ {
+ Type: "composer",
+ FilePath: "",
+ Libraries: []ftypes.Package{
+ {
+ Name: "laravel/framework",
+ Version: "6.0.0",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ wantResults: types.Results{
+ {
+ Target: "",
+ Class: types.ClassLangPkg,
+ Type: ftypes.Bundler,
+ Packages: []ftypes.Package{
+ {
+ Name: "rails",
+ Version: "4.0.2",
+ },
+ },
+ Vulnerabilities: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "CVE-2014-0081",
+ PkgName: "rails",
+ InstalledVersion: "4.0.2",
+ FixedVersion: "4.0.3, 3.2.17",
+ PrimaryURL: "https://avd.aquasec.com/nvd/cve-2014-0081",
+ Vulnerability: dbTypes.Vulnerability{
+ Title: "xss",
+ Description: "xss vulnerability",
+ Severity: "MEDIUM",
+ References: []string{
+ "http://example.com",
+ },
+ LastModifiedDate: lo.ToPtr(time.Date(2020, 2, 1, 1, 1, 0, 0, time.UTC)),
+ PublishedDate: lo.ToPtr(time.Date(2020, 1, 1, 1, 1, 0, 0, time.UTC)),
+ },
+ },
+ },
+ },
+ {
+ Target: "",
+ Class: types.ClassLangPkg,
+ Type: ftypes.Composer,
+ Packages: []ftypes.Package{
+ {
+ Name: "laravel/framework",
+ Version: "6.0.0",
+ },
},
+ Vulnerabilities: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "CVE-2021-21263",
+ PkgName: "laravel/framework",
+ InstalledVersion: "6.0.0",
+ FixedVersion: "8.22.1, 7.30.3, 6.20.12",
+ },
+ },
+ },
+ },
+ },
 {
 name: "happy path with no package",
 args: args{
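Review bot: The new case builds its input Applications with the string literals `Type: "bundler",` and `Type: "composer",` but asserts on the constants `ftypes.Bundler` and `ftypes.Composer` in wantResults; writing `Type: ftypes.Bundler,` and `Type: ftypes.Composer,` on the input side as well keeps the case from silently diverging should the literal and the constant ever differ. The case name only hints at what is being pinned, so a comment above the entry would help the next reader, for example `// Two applications with an empty FilePath share Target and Class; only Type keeps their results apart (#4776).` The second expected result carries a bare DetectedVulnerability with no PrimaryURL or Vulnerability details while the first is fully populated; presumably that mirrors what happy.yaml provides for CVE-2021-21263, which is worth confirming rather than leaving as a partial expectation. The enclosing TestScanner_Scan table starts and ends outside the hunk.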