Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve ruby comparison version check. #552

Merged
merged 8 commits into from
Jul 19, 2020
Merged

improve ruby comparison version check. #552

merged 8 commits into from
Jul 19, 2020

Conversation

rahul2393
Copy link
Contributor

Issue

  • Improved version checking and added tests

@rahul2393 rahul2393 mentioned this pull request Jul 5, 2020
Closed
knqyf263
knqyf263 reviewed Jul 9, 2020
View reviewed changes
pkg/scanner/utils/utils.go Outdated Show resolved Hide resolved
pkg/scanner/utils/utils_test.go Outdated Show resolved Hide resolved
pkg/scanner/utils/utils_test.go Outdated Show resolved Hide resolved
pkg/scanner/utils/utils_test.go Show resolved Hide resolved
pkg/scanner/utils/utils_test.go Outdated Show resolved Hide resolved
pkg/scanner/utils/utils.go Outdated Show resolved Hide resolved
@knqyf263
Copy link
Collaborator

It looks like Gem has a version with 3 dot such as 1.6.7.1 and this library can't handle such a version. As you can see, it detects CVE-2015-5312 in nokogiri, but 1.10.9-java seems newer than 1.6.7.1.

$ ./trivy image --vuln-type library logstash:7.8.0
2020-07-15T09:05:38.332+0300    INFO    Detecting bundler vulnerabilities...
2020-07-15T09:05:38.334+0300    ERROR   NewConstrainterrorimproper constraint: >= 1.6.6.0
2020-07-15T09:05:38.334+0300    ERROR   NewConstrainterrorimproper constraint:  < 1.6.7.1
2020-07-15T09:05:38.334+0300    ERROR   NewConstrainterrorimproper constraint:  < 1.6.7.2
2020-07-15T09:05:38.335+0300    ERROR   NewConstrainterrorimproper constraint: ~> 1.6.6.4
2020-07-15T09:05:38.335+0300    ERROR   NewConstrainterrorimproper constraint: >= 1.6.7.1
2020-07-15T09:05:38.335+0300    ERROR   NewConstrainterrorimproper constraint: >= 1.6.7.2

usr/share/logstash/Gemfile.lock
===============================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 2, CRITICAL: 0)

+----------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| json     | CVE-2020-10663   | MEDIUM   | 1.8.6-java        | >= 2.3.0      | rubygem-json: Unsafe Object    |
|          |                  |          |                   |               | Creation Vulnerability in JSON |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| nokogiri | CVE-2015-5312    | HIGH     | 1.10.9-java       | >= 1.6.7.1    | libxml2: CPU exhaustion when   |
|          |                  |          |                   |               | processing specially crafted   |
|          |                  |          |                   |               | XML input                      |
+          +------------------+----------+                   +---------------+--------------------------------+
|          | CVE-2015-7499    | MEDIUM   |                   | >= 1.6.7.2    | libxml2: Heap-based buffer     |
|          |                  |          |                   |               | overflow in xmlGROW            |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| puma     | CVE-2020-11076   | HIGH     | 4.3.3-java        | 4.3.4, 3.12.5 | rubygem-puma: HTTP             |
|          |                  |          |                   |               | Smuggling via an invalid       |
|          |                  |          |                   |               | Transfer-Encoding Header       |
+          +------------------+----------+                   +---------------+--------------------------------+
|          | CVE-2020-11077   | MEDIUM   |                   | 4.3.5, 3.12.6 | rubygem-puma: HTTP Smuggling   |
|          |                  |          |                   |               | through a proxy via            |
|          |                  |          |                   |               | Transfer-Encoding Header       |
+----------+------------------+          +-------------------+---------------+--------------------------------+
| rack     | CVE-2020-8184    |          | 2.2.2             | 2.2.3, 2.1.4  | rubygem-rack: percent-encoded  |
|          |                  |          |                   |               | cookies can be used to         |
|          |                  |          |                   |               | overwrite existing prefixed    |
|          |                  |          |                   |               | cookie names...                |
+----------+------------------+----------+-------------------+---------------+--------------------------------+

@rahul2393
Copy link
Contributor Author

rahul2393 commented Jul 15, 2020
edited

@knqyf263 Added logic to replace all occurrences of dots with "-" in patch version since it seems like Ruby having 3 dots is language-specific, all other languages put the dash in patch versioning. After it the code working fine for Ruby gems too, check tests
https://github.com/aquasecurity/trivy/pull/552/files#diff-7dcd81704618427d55b195b1e68cffc1R72-R76

@rahul2393
Copy link
Contributor Author

Screenshot 2020-07-15 at 4 24 18 PM

knqyf263
knqyf263 reviewed Jul 16, 2020
View reviewed changes
go.mod Outdated
@@ -3,6 +3,7 @@ module github.com/aquasecurity/trivy
go 1.13

require (
github.com/Masterminds/semver v1.5.0
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found this version was old. You have to import semver as follows.

import "github.com/Masterminds/semver/v3"

pkg/scanner/utils/utils.go Outdated
for _, p := range rangeVersions {
c, err := version.NewConstraint(replacer.Replace(p))
func MatchVersions(currentVersion *semver.Version, rangeVersions []string) bool {
for i := range rangeVersions {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there is no reason to overwrite rangeVersions and it sometimes introduces a bug, so for _, v := range rangeVersions { looks enough in this case.

pkg/scanner/utils/utils.go Outdated
Comment on lines 21 to 24
part := strings.Split(constraintParts[j], ".")
if len(part) > 3 {
constraintParts[j] = strings.Join(part[:2], ".") + "." + strings.Join(part[2:], "-")
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you define this process as another function?

pkg/scanner/utils/utils.go Outdated
for j := range constraintParts {
part := strings.Split(constraintParts[j], ".")
if len(part) > 3 {
constraintParts[j] = strings.Join(part[:2], ".") + "." + strings.Join(part[2:], "-")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it doesn't work with a patch version including a dot such as `1.2.3-beta.1.
https://github.com/Masterminds/semver#working-with-prerelease-versions

It might work even if we replace valid dots, but I think we should keep the version in its original form as much as possible to avoid an unexpected bug.

The best way I think of at the moment is

1.2.3-beta -> 1.2.3-beta
1.2.3-beta.1 -> 1.2.3-beta.1
1.2.3.4 -> 1.2.3-4
1.2.3.4.5 -> 1.2.3-4.5
1.2.3.4-5 -> 1.2.3-4-5

Let me know your thought.

Copy link
Contributor Author

@rahul2393 rahul2393 Jul 16, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated, as suggested, I think you are right, let's see if we get any other issues later
@knqyf263

knqyf263
knqyf263 reviewed Jul 19, 2020
View reviewed changes
pkg/scanner/utils/utils.go Outdated
for _, m := range msgs {
// re-validate after removing the patch version
if strings.HasSuffix(m.Error(), "is a prerelease version and the constraint is only looking for release versions") {
if v2, err := semver.NewVersion(fmt.Sprintf("%v.%v.%v", currentVersion.Major(), currentVersion.Minor(), currentVersion.Patch())); err == nil {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: it is wide, so what if we split the line?

Suggested change
if v2, err := semver.NewVersion(fmt.Sprintf("%v.%v.%v", currentVersion.Major(), currentVersion.Minor(), currentVersion.Patch())); err == nil {
v2, err := semver.NewVersion(fmt.Sprintf("%v.%v.%v",
currentVersion.Major(), currentVersion.Minor(), currentVersion.Patch()))
if err == nil {

pkg/scanner/utils/utils.go Outdated
// re-validate after removing the patch version
if strings.HasSuffix(m.Error(), "is a prerelease version and the constraint is only looking for release versions") {
if v2, err := semver.NewVersion(fmt.Sprintf("%v.%v.%v", currentVersion.Major(), currentVersion.Minor(), currentVersion.Patch())); err == nil {
valid, msgs = c.Validate(v2)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This msgs will not be used, right? Or, does it affect the loop variable at line 37? If it is not used, we should make it easy to understand.

Suggested change
valid, msgs = c.Validate(v2)
valid, _ = c.Validate(v2)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@knqyf263 Done

@knqyf263 knqyf263 merged commit 6eebed3 into aquasecurity:master Jul 19, 2020
@knqyf263 knqyf263 mentioned this pull request Aug 24, 2020
Merged
liamg pushed a commit that referenced this pull request Jun 7, 2022
@rahul2393
improve ruby comparison version check. (#552)
89207c5 
* Implemented ruby comparison version check.

* Added semver package to validate and check version

* Added more tests

* Replaced go-version with semver

* Removing go-version from dependency

* Added check for ruby gem version format

* Updated semver model and patch rewrite process

* Refactoring
liamg pushed a commit that referenced this pull request Jun 20, 2022
@DmitriyLewen @knqyf263
feat(mariner): added support for CBL-Mariner Distroless v2.0 (#552)
a54e3bf 
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rahul2393 @knqyf263