
fix(sbom): cyclonedx advisory should omit null value #5041

3 changes: 3 additions & 0 deletions integration/integration_test.go
Expand Up @@ -151,6 +151,9 @@ func readCycloneDX(t *testing.T, filePath string) *cdx.BOM {
return (*(*bom.Components)[i].Properties)[ii].Name < (*(*bom.Components)[i].Properties)[jj].Name
})
}
sort.Slice(*bom.Vulnerabilities, func(i, j int) bool {
return (*bom.Vulnerabilities)[i].ID < (*bom.Vulnerabilities)[j].ID
})
}

return bom
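Review bot: `sort.Slice(*bom.Vulnerabilities, ...)` dereferences `bom.Vulnerabilities` with no nil check visible in the hunk; a CycloneDX document that carries no `vulnerabilities` key decodes to a nil pointer there, and the helper would then panic instead of reporting a test failure. Wrap the sort in `if bom.Vulnerabilities != nil {` … `}`, mirroring whatever guard the surrounding code applies to `bom.Components` (its handling is only partly visible here). That keeps readCycloneDX usable for SBOM-only goldens as well as the new vulnerability one. readCycloneDX begins before this hunk.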
10 changes: 10 additions & 0 deletions integration/repo_test.go
Expand Up @@ -327,6 +327,16 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/conda-cyclonedx.json.golden",
},
{
name: "pom.xml generating CycloneDX SBOM (with vulnerabilities)",
args: args{
command: "fs",
scanner: types.VulnerabilityScanner,
format: "cyclonedx",
input: "testdata/fixtures/repo/pom",
},
golden: "testdata/pom-cyclonedx.json.golden",
},
{
name: "conda generating SPDX SBOM",
args: args{
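--- /dev/null
+++ b/integration/testdata/pom-cyclonedx.json.golden
@@ -0,0 +1,314 @@
+{
+"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+"bomFormat": "CycloneDX",
+"specVersion": "1.5",
+"serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
+"version": 1,
+"metadata": {
+"timestamp": "2020-09-10T14:20:30+00:00",
+"tools": [
+{
+"vendor": "aquasecurity",
+"name": "trivy",
+"version": "dev"
+}
+],
+"component": {
+"bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
+"type": "application",
+"name": "testdata/fixtures/repo/pom",
+"properties": [
+{
+"name": "aquasecurity:trivy:SchemaVersion",
+"value": "2"
+}
+]
+}
+},
+"components": [
+{
+"bom-ref": "3ff14136-e09f-4df9-80ea-000000000003",
+"type": "application",
+"name": "pom.xml",
+"properties": [
+{
+"name": "aquasecurity:trivy:Class",
+"value": "lang-pkgs"
+},
+{
+"name": "aquasecurity:trivy:Type",
+"value": "pom"
+}
+]
+},
+{
+"bom-ref": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
+"type": "library",
+"name": "com.example:log4shell",
+"version": "1.0-SNAPSHOT",
+"purl": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
+"properties": [
+{
+"name": "aquasecurity:trivy:PkgID",
+"value": "com.example:log4shell:1.0-SNAPSHOT"
+},
+{
+"name": "aquasecurity:trivy:PkgType",
+"value": "pom"
+}
+]
+},
+{
+"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
+"type": "library",
+"name": "com.fasterxml.jackson.core:jackson-databind",
+"version": "2.9.1",
+"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
+"properties": [
+{
+"name": "aquasecurity:trivy:PkgID",
+"value": "com.fasterxml.jackson.core:jackson-databind:2.9.1"
+},
+{
+"name": "aquasecurity:trivy:PkgType",
+"value": "pom"
+}
+]
+}
+],
+"dependencies": [
+{
+"ref": "3ff14136-e09f-4df9-80ea-000000000002",
+"dependsOn": [
+"3ff14136-e09f-4df9-80ea-000000000003"
+]
+},
+{
+"ref": "3ff14136-e09f-4df9-80ea-000000000003",
+"dependsOn": [
+"pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
+"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
+]
+},
+{
+"ref": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
+"dependsOn": [
+"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
+]
+},
+{
+"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
+"dependsOn": []
+}
+],
+"vulnerabilities": [
+{
+"id": "CVE-2020-9548",
+"source": {
+"name": "ghsa",
+"url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
+},
+"ratings": [
+{
+"source": {
+"name": "ghsa"
+},
+"severity": "critical"
+},
+{
+"source": {
+"name": "nvd"
+},
+"score": 6.8,
+"severity": "medium",
+"method": "CVSSv2",
+"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
+},
+{
+"source": {
+"name": "nvd"
+},
+"score": 9.8,
+"severity": "critical",
+"method": "CVSSv31",
+"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+},
+{
+"source": {
+"name": "redhat"
+},
+"score": 8.1,
+"severity": "high",
+"method": "CVSSv31",
+"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+}
+],
+"cwes": [
+502
+],
+"description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
+"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4",
+"advisories": [
+{
+"url": "https://access.redhat.com/security/cve/CVE-2020-9548"
+},
+{
+"url": "https://github.com/FasterXML/jackson-databind/issues/2634"
+},
+{
+"url": "https://github.com/advisories/GHSA-p43x-xfjf-5jhr"
+},
+{
+"url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"
+},
+{
+"url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"
+},
+{
+"url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"
+},
+{
+"url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"
+},
+{
+"url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"
+},
+{
+"url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"
+},
+{
+"url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"
+},
+{
+"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
+},
+{
+"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"
+},
+{
+"url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
+},
+{
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548"
+},
+{
+"url": "https://security.netapp.com/advisory/ntap-20200904-0006/"
+},
+{
+"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
+},
+{
+"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
+},
+{
+"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
+},
+{
+"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
+}
+],
+"published": "2020-03-02T04:15:00+00:00",
+"updated": "2021-12-02T21:23:00+00:00",
+"affects": [
+{
+"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
+"versions": [
+{
+"version": "2.9.1",
+"status": "affected"
+}
+]
+}
+]
+},
+{
+"id": "CVE-2021-20190",
+"source": {
+"name": "glad",
+"url": "https://gitlab.com/gitlab-org/advisories-community"
+},
+"ratings": [
+{
+"source": {
+"name": "ghsa"
+},
+"severity": "high"
+},
+{
+"source": {
+"name": "nvd"
+},
+"score": 8.3,
+"severity": "high",
+"method": "CVSSv2",
+"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"
+},
+{
+"source": {
+"name": "nvd"
+},
+"score": 8.1,
+"severity": "high",
+"method": "CVSSv31",
+"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+},
+{
+"source": {
+"name": "redhat"
+},
+"score": 8.1,
+"severity": "high",
+"method": "CVSSv31",
+"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+}
+],
+"cwes": [
+502
+],
+"description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
+"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
+"advisories": [
+{
+"url": "https://access.redhat.com/security/cve/CVE-2021-20190"
+},
+{
+"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633"
+},
+{
+"url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a"
+},
+{
+"url": "https://github.com/FasterXML/jackson-databind/issues/2854"
+},
+{
+"url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w"
+},
+{
+"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"
+},
+{
+"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
+},
+{
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190"
+},
+{
+"url": "https://security.netapp.com/advisory/ntap-20210219-0008/"
+}
+],
+"published": "2021-01-19T17:15:00+00:00",
+"updated": "2021-07-20T23:15:00+00:00",
+"affects": [
+{
+"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
+"versions": [
+{
+"version": "2.9.1",
+"status": "affected"
+}
+]
+}
+]
+}
+]
+}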
7 changes: 7 additions & 0 deletions pkg/sbom/cyclonedx/core/cyclonedx.go
Expand Up @@ -341,6 +341,13 @@ func UnmarshalProperties(properties *[]cdx.Property) map[string]string {
}

func cdxAdvisories(refs []string) *[]cdx.Advisory {
// cyclonedx converts link to empty `[]cdx.Advisory` to `null`
// `bom-1.5.schema.json` doesn't support this - `Invalid type. Expected: array, given: null`
// we need to explicitly set `nil` for empty `refs` slice
if len(refs) == 0 {
return nil
}

var advs []cdx.Advisory
for _, ref := range refs {
advs = append(advs, cdx.Advisory{
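Review bot: The three-line comment added at the top of cdxAdvisories is hard to parse ("converts link to empty … to `null`", "explicitly set `nil`"); what the guard does is return a nil pointer so the caller's field is left out of the document rather than emitted as `"advisories": null`, which bom-1.5.schema.json rejects with "Invalid type. Expected: array, given: null". Suggest replacing it with `// A pointer to an empty slice marshals as "advisories": null, which bom-1.5.schema.json rejects` / `// ("Invalid type. Expected: array, given: null"); return nil so the field is omitted instead.` Whether the receiving field actually carries omitempty is not visible here and is worth confirming against the cdx.Vulnerability definition. The same nil-versus-empty distinction presumably applies to the other pointer-to-slice fields this package builds (ratings, cwes, affects), so they are worth checking against the schema too. cdxAdvisories continues past the end of this hunk.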
16 changes: 2 additions & 14 deletions pkg/sbom/cyclonedx/marshal_test.go
Expand Up @@ -108,10 +108,6 @@ func TestMarshaler_Marshal(t *testing.T) {
V3Score: 5.3,
},
},
References: []string{
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
PublishedDate: lo.ToPtr(time.Date(2018, 12, 31, 19, 29, 0, 0, time.UTC)),
LastModifiedDate: lo.ToPtr(time.Date(2019, 10, 31, 1, 15, 0, 0, time.UTC)),
},
Expand Down Expand Up @@ -525,16 +521,8 @@ func TestMarshaler_Marshal(t *testing.T) {
416,
},
Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
Advisories: &[]cdx.Advisory{
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
},
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
},
Published: "2018-12-31T19:29:00+00:00",
Updated: "2019-10-31T01:15:00+00:00",
Published: "2018-12-31T19:29:00+00:00",
Updated: "2019-10-31T01:15:00+00:00",
Affects: &[]cdx.Affects{
{
Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
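Review bot: Removing `References` from the only vulnerability fixture in TestMarshaler_Marshal (first hunk, around old line 108) leaves the unit test exercising just the empty-advisories path; as far as these hunks show, the path that builds `cdx.Advisory` entries is now covered only by the new integration golden. Keep both cases under unit test: either retain a second vulnerability fixture that still carries references, or add a small table test beside cdxAdvisories asserting that an empty input returns nil and that a one-element input yields one `cdx.Advisory` whose `URL` matches. The re-indentation of `Published`/`Updated` in the second hunk is gofmt fallout and fine as is. TestMarshaler_Marshal starts and ends outside these hunks.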