feat: Packagesprops support #5605
Merged: knqyf263 merged 10 commits into aquasecurity:main from yuriShafet:packagesprops_support on Nov 28, 2023.
Commits (10):

9c0752a Adding support for *.packages.props (yuriShafet)
77cf02f Adding documentation for *.packages.props (yuriShafet)
b898bb2 running go mod tidy (yuriShafet)
29a40e8 Fixing linter error (yuriShafet)
2044f2a Moving packages props support into separate packages (yuriShafet)
1e0f03a Better documentation (yuriShafet)
faf83f4 Adding integration test (yuriShafet)
d769af5 Merge branch 'main' into packagesprops_support (yuriShafet)
f7e0c58 refactor (DmitriyLewen)
c60fdf2 refactor: revert lower case for file names (DmitriyLewen)
integration/testdata/fixtures/repo/packagesprops/Directory.Packages.props: 8 additions & 0 deletions
@@ -0,0 +1,8 @@ | ||
<Project> | ||
|
||
<ItemGroup> | ||
|
||
<PackageVersion Include="Newtonsoft.Json" Version="9.0.1" /> | ||
|
||
</ItemGroup> | ||
</Project> |
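Review bot: the fixture pins a single package with a literal Version attribute, so the integration test never sees a Version written as an MSBuild property reference such as `$(NewtonsoftVersion)`, which is a very common shape for Directory.Packages.props files. Adding a second PackageVersion in that form (or a dedicated fixture) would show in the golden report whether the parser resolves the property or emits an unversioned package that no advisory can match.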
Expected report for the packagesprops integration fixture:
@@ -0,0 +1,69 @@ | ||
{ | ||
"SchemaVersion": 2, | ||
"CreatedAt": "2021-08-25T12:20:30.000000005Z", | ||
"ArtifactName": "testdata/fixtures/repo/packagesprops", | ||
"ArtifactType": "repository", | ||
"Metadata": { | ||
"ImageConfig": { | ||
"architecture": "", | ||
"created": "0001-01-01T00:00:00Z", | ||
"os": "", | ||
"rootfs": { | ||
"type": "", | ||
"diff_ids": null | ||
}, | ||
"config": {} | ||
} | ||
}, | ||
"Results": [ | ||
{ | ||
"Target": "Directory.Packages.props", | ||
"Class": "lang-pkgs", | ||
"Type": "packages-props", | ||
"Packages": [ | ||
{ | ||
"ID": "Newtonsoft.Json@9.0.1", | ||
"Name": "Newtonsoft.Json", | ||
"Version": "9.0.1", | ||
"Layer": {} | ||
} | ||
], | ||
"Vulnerabilities": [ | ||
{ | ||
"VulnerabilityID": "GHSA-5crp-9r3c-p9vr", | ||
"PkgID": "Newtonsoft.Json@9.0.1", | ||
"PkgName": "Newtonsoft.Json", | ||
"InstalledVersion": "9.0.1", | ||
"FixedVersion": "13.0.1", | ||
"Status": "fixed", | ||
"Layer": {}, | ||
"SeveritySource": "ghsa", | ||
"PrimaryURL": "https://github.com/advisories/GHSA-5crp-9r3c-p9vr", | ||
"DataSource": { | ||
"ID": "ghsa", | ||
"Name": "GitHub Security Advisory Nuget", | ||
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget" | ||
}, | ||
"Title": "Improper Handling of Exceptional Conditions in Newtonsoft.Json", | ||
"Description": "Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with high nesting level that lead to StackOverFlow exception or high CPU and RAM usage.", | ||
"Severity": "HIGH", | ||
"CweIDs": [ | ||
"CWE-755" | ||
], | ||
"CVSS": { | ||
"ghsa": { | ||
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", | ||
"V3Score": 7.5 | ||
} | ||
}, | ||
"References": [ | ||
"https://alephsecurity.com/2018/10/22/StackOverflowException/", | ||
"https://alephsecurity.com/vulns/aleph-2018004" | ||
], | ||
"PublishedDate": "2022-06-22T15:08:47Z", | ||
"LastModifiedDate": "2022-06-27T18:37:23Z" | ||
} | ||
] | ||
} | ||
] | ||
} |
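Review bot: the golden's "Type": "packages-props" string has to be spelled identically to the types.PackagesProps constant that packagesprops.go passes to language.Analyze, but the file defining that constant (and the analyzer.TypePackagesProps it maps to) is not part of the diff shown here; please confirm it is added in pkg/fanal/types next to the other NuGet types, since a mismatch only surfaces as a golden comparison failure rather than at compile time. Note also that "FixedVersion": "13.0.1" and the Published/LastModified dates tie this golden to the bundled test DB, so a DB fixture refresh will require regenerating it.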
pkg/fanal/analyzer/language/dotnet/packagesprops/packagesprops.go: 49 additions & 0 deletions
@@ -0,0 +1,49 @@ | ||
package packagesprops | ||
|
||
import ( | ||
"context" | ||
"os" | ||
"strings" | ||
|
||
"golang.org/x/xerrors" | ||
|
||
props "github.com/aquasecurity/go-dep-parser/pkg/nuget/packagesprops" | ||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer" | ||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/language" | ||
"github.com/aquasecurity/trivy/pkg/fanal/types" | ||
) | ||
|
||
func init() { | ||
analyzer.RegisterAnalyzer(&packagesPropsAnalyzer{}) | ||
} | ||
|
||
const ( | ||
version = 1 | ||
packagesPropsSuffix = "packages.props" // https://github.com/dotnet/roslyn-tools/blob/b4c5220f5dfc4278847b6d38eff91cc1188f8066/src/RoslynInsertionTool/RoslynInsertionTool/CoreXT.cs#L39-L40 | ||
) | ||
|
||
type packagesPropsAnalyzer struct{} | ||
|
||
func (a packagesPropsAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { | ||
parser := props.NewParser() | ||
res, err := language.Analyze(types.PackagesProps, input.FilePath, input.Content, parser) | ||
if err != nil { | ||
return nil, xerrors.Errorf("*Packages.props dependencies analysis error: %w", err) | ||
} | ||
|
||
return res, nil | ||
} | ||
|
||
func (a packagesPropsAnalyzer) Required(filePath string, _ os.FileInfo) bool { | ||
// There is no information about this in the documentation, | ||
// but NuGet works correctly with lowercase filenames | ||
return strings.HasSuffix(strings.ToLower(filePath), packagesPropsSuffix) | ||
} | ||
|
||
func (a packagesPropsAnalyzer) Type() analyzer.Type { | ||
return analyzer.TypePackagesProps | ||
} | ||
|
||
func (a packagesPropsAnalyzer) Version() int { | ||
return version | ||
} |
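Review bot: Required() applies strings.HasSuffix to the whole lowercased path, so any file whose name merely ends in packages.props (for example MyPackages.props or legacypackages.props) is analyzed, not only Packages.props and Directory.Packages.props. If that is intended, the comment should say so; otherwise compare filepath.Base(filePath) against the two expected names, e.g. `base := strings.ToLower(filepath.Base(filePath))` followed by `return base == "packages.props" || base == "directory.packages.props"`. Separately, the analyzer is registered from init(), so this package must be imported for side effects in the analyzer import list (not visible in this diff) or it will never run.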
pkg/fanal/analyzer/language/dotnet/packagesprops/packagesprops_test.go: 134 additions & 0 deletions
@@ -0,0 +1,134 @@ | ||
package packagesprops | ||
|
||
import ( | ||
"context" | ||
"os" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
|
||
"github.com/aquasecurity/trivy/pkg/fanal/analyzer" | ||
"github.com/aquasecurity/trivy/pkg/fanal/types" | ||
) | ||
|
||
func Test_packagesPropsAnalyzer_Analyze(t *testing.T) { | ||
tests := []struct { | ||
name string | ||
inputFile string | ||
want *analyzer.AnalysisResult | ||
wantErr string | ||
}{ | ||
{ | ||
name: "happy path packages props", | ||
inputFile: "testdata/Packages.props", | ||
want: &analyzer.AnalysisResult{ | ||
Applications: []types.Application{ | ||
{ | ||
Type: types.PackagesProps, | ||
FilePath: "testdata/Packages.props", | ||
Libraries: types.Packages{ | ||
{ | ||
ID: "Package1@22.1.4", | ||
Name: "Package1", | ||
Version: "22.1.4", | ||
}, | ||
{ | ||
ID: "Package2@2.3.0", | ||
Name: "Package2", | ||
Version: "2.3.0", | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
{ | ||
name: "happy path directory packages props", | ||
inputFile: "testdata/Directory.Packages.props", | ||
want: &analyzer.AnalysisResult{ | ||
Applications: []types.Application{ | ||
{ | ||
Type: types.PackagesProps, | ||
FilePath: "testdata/Directory.Packages.props", | ||
Libraries: types.Packages{ | ||
{ | ||
ID: "Package1@4.2.1", | ||
Name: "Package1", | ||
Version: "4.2.1", | ||
}, | ||
{ | ||
ID: "Package2@8.2.0", | ||
Name: "Package2", | ||
Version: "8.2.0", | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
}, | ||
{ | ||
name: "sad path", | ||
inputFile: "testdata/invalid.txt", | ||
wantErr: "*Packages.props dependencies analysis error", | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
f, err := os.Open(tt.inputFile) | ||
require.NoError(t, err) | ||
defer f.Close() | ||
|
||
a := packagesPropsAnalyzer{} | ||
ctx := context.Background() | ||
got, err := a.Analyze(ctx, analyzer.AnalysisInput{ | ||
FilePath: tt.inputFile, | ||
Content: f, | ||
}) | ||
|
||
if tt.wantErr != "" { | ||
assert.ErrorContains(t, err, tt.wantErr) | ||
return | ||
} | ||
|
||
assert.NoError(t, err) | ||
assert.Equal(t, tt.want, got) | ||
}) | ||
} | ||
} | ||
|
||
func Test_packagesPropsAnalyzer_Required(t *testing.T) { | ||
tests := []struct { | ||
name string | ||
filePath string | ||
want bool | ||
}{ | ||
{ | ||
name: "directory packages props", | ||
filePath: "test/Directory.Packages.props", | ||
want: true, | ||
}, | ||
{ | ||
name: "packages props", | ||
filePath: "test/Packages.props", | ||
want: true, | ||
}, | ||
{ | ||
name: "packages props lower case", | ||
filePath: "test/packages.props", | ||
want: true, | ||
}, | ||
{ | ||
name: "zip", | ||
filePath: "test.zip", | ||
want: false, | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
a := packagesPropsAnalyzer{} | ||
got := a.Required(tt.filePath, nil) | ||
assert.Equal(t, tt.want, got) | ||
}) | ||
} | ||
} |
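Review bot: Test_packagesPropsAnalyzer_Required has no negative case that resembles a sibling MSBuild file; test.zip is the only false case. Add Directory.Build.props (want: false) and, if the suffix match in Required() is meant to be exact, test/MyPackages.props (want: false), so the intended matching rule is pinned by the test rather than only by the comment in Required(). Minor: the Analyze happy paths use assert.NoError followed by assert.Equal; using require.NoError there keeps assert.Equal from comparing against a nil result when Analyze fails.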
pkg/fanal/analyzer/language/dotnet/packagesprops/testdata/Directory.Packages.props: 7 additions & 0 deletions
@@ -0,0 +1,7 @@ | ||
<Project> | ||
|
||
<ItemGroup> | ||
<PackageVersion Include="Package1" Version="4.2.1" /> | ||
<PackageVersion Include="Package2" Version="8.2.0" /> | ||
</ItemGroup> | ||
</Project> |
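Review bot: both unit-test fixtures consist solely of an ItemGroup of PackageVersion elements, whereas a Directory.Packages.props generated by the .NET tooling also carries a PropertyGroup with ManagePackageVersionsCentrally set to true. Adding that PropertyGroup here would demonstrate that the parser skips unrelated elements instead of failing on them, at no cost to the expected output.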
pkg/fanal/analyzer/language/dotnet/packagesprops/testdata/Packages.props: 9 additions & 0 deletions
@@ -0,0 +1,9 @@ | ||
<Project> | ||
|
||
<ItemGroup> | ||
|
||
<PackageVersion Include="Package1" Version="22.1.4" /> | ||
<PackageVersion Include="Package2" Version="2.3.0" /> | ||
|
||
</ItemGroup> | ||
</Project> |
pkg/fanal/analyzer/language/dotnet/packagesprops/testdata/invalid.txt: 1 addition & 0 deletions
@@ -0,0 +1 @@ | ||
test |
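Review bot: invalid.txt containing the bare word test exercises only the XML decode failure; a file that is well-formed XML but carries no PackageVersion elements (an unrelated .props file, or a Project with an empty ItemGroup) is not covered, and it is not clear from this diff whether that case yields an error or an empty Application. A second fixture for it would make the sad-path contract explicit in the test rather than implicit in the parser.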
We divide all language files into pre-build and post-build - https://aquasecurity.github.io/trivy/v0.47/docs/coverage/language/#supported-languages
Perhaps we should only scan Packages.props files in fs/repo mode?
It is unlikely that packages.props will appear in the post-build phase, but I expect packages.config would show the same behavior. If we support packages.config in the post-build phase, we should also support packages.props in the post-build phase.
By the way, the same thing could be said about packages.lock.json. I think there will be mostly .dll files in post-build.
Also, if I use my image for development purposes (for example, I pre-build an image with the source code to run unit tests or some static code analysis), it actually makes sense to look for these artifacts.
You are right. Looks like we need to use pre-build for all supported NuGet files. But then NuGet packages will not be scanned in image mode. Okay, let's use the same logic for *Packages.props.
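The thread above settles when Packages.props files are scanned, but the parser itself lives in go-dep-parser and is not on this page. The Go program below is an added, stand-alone example (not code from this PR, go-dep-parser or Trivy) of the two behaviours a practitioner would want to check when evaluating this analyzer: an exact base-name match for Packages.props / Directory.Packages.props instead of a path suffix, and resolution of `$(Property)` references in Version attributes, which real Directory.Packages.props files commonly use and which none of the PR's fixtures contain. The sample XML is constructed for this example; Package1 and Newtonsoft.Json 9.0.1 reuse names from the PR's fixtures, and the NewtonsoftVersion property is hypothetical.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Package is one centrally pinned NuGet package from a (Directory.)Packages.props file.
type Package struct{ Name, Version string }

// msbuildProject mirrors the subset of MSBuild XML read here; other elements are ignored.
type msbuildProject struct {
	PropertyGroups []struct {
		Properties []struct {
			XMLName xml.Name
			Value   string `xml:",chardata"`
		} `xml:",any"`
	} `xml:"PropertyGroup"`
	ItemGroups []struct {
		PackageVersions []struct {
			Include string `xml:"Include,attr"`
			Version string `xml:"Version,attr"`
		} `xml:"PackageVersion"`
	} `xml:"ItemGroup"`
}

var propRef = regexp.MustCompile(`\$\(([A-Za-z0-9_]+)\)`) // $(Name) property reference

// IsPackagesProps matches on the base name only, so MyPackages.props or Directory.Build.props
// are not treated as package version files. Case-insensitive, as the PR's Required() assumes.
func IsPackagesProps(path string) bool {
	base := strings.ToLower(filepath.Base(path))
	return base == "packages.props" || base == "directory.packages.props"
}

// ParsePackagesProps collects every property from every PropertyGroup, resolves $(Name)
// references in Version attributes and returns packages in document order. A Version that
// refers to an undefined property is an error, not a literal "$(...)" no advisory would match.
func ParsePackagesProps(content string) ([]Package, error) {
	var proj msbuildProject
	if err := xml.Unmarshal([]byte(content), &proj); err != nil {
		return nil, fmt.Errorf("packages.props: xml decode: %w", err)
	}
	props := map[string]string{}
	for _, pg := range proj.PropertyGroups {
		for _, p := range pg.Properties {
			props[p.XMLName.Local] = strings.TrimSpace(p.Value)
		}
	}
	var pkgs []Package
	for _, ig := range proj.ItemGroups {
		for _, pv := range ig.PackageVersions {
			if pv.Include == "" {
				continue // Update="..." / Remove="..." items are not pins
			}
			version, err := resolveVersion(pv.Version, props)
			if err != nil {
				return nil, fmt.Errorf("packages.props: package %s: %w", pv.Include, err)
			}
			pkgs = append(pkgs, Package{Name: pv.Include, Version: version})
		}
	}
	return pkgs, nil
}

// resolveVersion expands one level of $(Property) references; nested references are not chased.
func resolveVersion(version string, props map[string]string) (string, error) {
	var missing []string
	out := propRef.ReplaceAllStringFunc(version, func(ref string) string {
		name := propRef.FindStringSubmatch(ref)[1]
		if v, ok := props[name]; ok {
			return v
		}
		missing = append(missing, name)
		return ref
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unresolved MSBuild properties %v in %q", missing, version)
	}
	return strings.TrimSpace(out), nil
}

// sampleDirectoryPackagesProps is constructed for this example (not a Trivy fixture).
const sampleDirectoryPackagesProps = `<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <NewtonsoftVersion>9.0.1</NewtonsoftVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="$(NewtonsoftVersion)" />
    <PackageVersion Include="Package1" Version="4.2.1" />
  </ItemGroup>
</Project>`

func main() { fmt.Println(ParsePackagesProps(sampleDirectoryPackagesProps)) }
```

Running it prints `[{Newtonsoft.Json 9.0.1} {Package1 4.2.1}] <nil>`; feeding it the PR's invalid.txt content ("test") or a Version that points at an undefined property returns an error instead of a package with an unmatchable version.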