Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sbom): check Type when filling pkgs in vulns #4776

Merged
merged 1 commit into from
Jul 6, 2023
Merged

fix(sbom): check Type when filling pkgs in vulns #4776

merged 1 commit into from
Jul 6, 2023

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Jul 5, 2023
edited
Loading

Description

If cyclonedx file doesn't have Components.Property.Filepath field and has 2(or more) language packages - Trivy skips 1 language package.
See #3492
This happens because pkgs have same Filepath(Target):

trivy/pkg/scanner/local/scan.go

Lines 201 to 217 in 8e7fb7c

func (s Scanner) fillPkgsInVulns(pkgResults, vulnResults types.Results) types.Results {
var results types.Results
if len(pkgResults) == 0 { // '--list-all-pkgs' == false or packages not found
return vulnResults
}
for _, result := range pkgResults {
if r, found := lo.Find(vulnResults, func(r types.Result) bool {
return r.Class == result.Class && r.Target == result.Target
}); found {
r.Packages = result.Packages
results = append(results, r)
} else { // when package result has no vulnerabilities we still need to add it to result(for 'list-all-pkgs')
results = append(results, result)
}
}
return results
}

We need to compare pkg.Types to avoid these cases.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263
Copy link
Collaborator

knqyf263 commented Jul 5, 2023

I think Target should not be empty and that is what we should fix.

We should fill the target here somehow. But I don't want to make a list of all package types here.

trivy/pkg/scanner/langpkg/scan.go

Lines 41 to 45 in 45d5edb

target := app.FilePath
if t, ok := PkgTargets[app.Type]; ok && target == "" {
// When the file path is empty, we will overwrite it with the pre-defined value.
target = t
}

Any ideas?

@DmitriyLewen
Copy link
Contributor Author

DmitriyLewen commented Jul 5, 2023
edited
Loading

We can use bom filepath + prefix/suffix.
I mean use purl like logic.
e.g. golang:path/to/sbom/file or path/to/sbom/file:golang

@knqyf263
Copy link
Collaborator

knqyf263 commented Jul 6, 2023

We should think about the target, but I don't think comparing type has any side effects. We can add this change anyway.
@DmitriyLewen Any leftovers? Or ready for review?

@DmitriyLewen DmitriyLewen marked this pull request as ready for review July 6, 2023 09:31
@DmitriyLewen
Copy link
Contributor Author

@DmitriyLewen Any leftovers? Or ready for review?

@knqyf263 you can review this PR.

@knqyf263 knqyf263 added this pull request to the merge queue Jul 6, 2023
Merged via the queue into aquasecurity:main with commit e5bee5c Jul 6, 2023
13 checks passed
@DmitriyLewen DmitriyLewen deleted the fix/sbom-skips-vulns branch July 7, 2023 03:22
AnaisUrlichs pushed a commit to AnaisUrlichs/trivy that referenced this pull request Aug 10, 2023
@DmitriyLewen @AnaisUrlichs
check Type when filling pkgs in vulns (aquasecurity#4776)
6c27b65
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Duplicate entries in the affects field of vulnerabilities when outputting CycloneDX
2 participants
@DmitriyLewen @knqyf263