From 40c86c054fe0a13a074a58f450ba03b385ee1c9d Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Sat, 16 Mar 2024 21:51:24 +0530 Subject: [PATCH 01/12] feat(image): updated json report added package locations fields --- pkg/report/sarif.go | 22 ++-- pkg/report/sarif_test.go | 170 ++++++++++++++++++++++++++++++ pkg/scanner/local/scan.go | 24 +++++ pkg/scanner/local/scan_test.go | 183 +++++++++++++++++++++++++++++++++ pkg/types/vulnerability.go | 1 + 5 files changed, 394 insertions(+), 6 deletions(-) diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go index 2f9dd589151..c217f526ec1 100644 --- a/pkg/report/sarif.go +++ b/pkg/report/sarif.go @@ -165,7 +165,7 @@ func (sw *SarifWriter) Write(ctx context.Context, report types.Report) error { resourceClass: res.Class, artifactLocation: path, locationMessage: fmt.Sprintf("%v: %v@%v", path, vuln.PkgName, vuln.InstalledVersion), - locations: sw.getLocations(vuln.PkgName, vuln.InstalledVersion, path, res.Packages), + locations: sw.getLocations(vuln.PkgName, vuln.InstalledVersion, path, res.Packages, vuln.Locations), resultIndex: getRuleIndex(vuln.VulnerabilityID, ruleIndexes), shortDescription: html.EscapeString(vuln.Title), fullDescription: html.EscapeString(fullDescription), 
@@ -346,10 +346,20 @@ func clearURI(s string) string { return strings.ReplaceAll(strings.ReplaceAll(s, "\\", "/"), "git::https:/", "") } -func (sw *SarifWriter) getLocations(name, version, path string, pkgs []ftypes.Package) []location { +func (sw *SarifWriter) getLocations(name, version, path string, pkgs []ftypes.Package, vulnLocations []ftypes.Location) []location { id := fmt.Sprintf("%s@%s@%s", path, name, version) - locs, ok := sw.locationCache[id] - if !ok { + if locs, ok := sw.locationCache[id]; ok { + return locs + } + var locs []location + if len(vulnLocations) != 0 { + for _, loc := range vulnLocations { + locs = append(locs, location{ + startLine: loc.StartLine, + endLine: loc.EndLine, + }) + } + } else { for _, pkg := range pkgs { if name == pkg.Name && version == pkg.Version { for _, l := range pkg.Locations { @@ -359,11 +369,11 @@ func (sw *SarifWriter) getLocations(name, version, path string, pkgs []ftypes.Pa } locs = append(locs, loc) } - sw.locationCache[id] = locs - return locs + break } } } + sw.locationCache[id] = locs return locs } diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go index fe46514002b..1105844ac2a 100644 --- a/pkg/report/sarif_test.go +++ b/pkg/report/sarif_test.go 
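Review bot: The cache key in getLocations is still `path@name@version`, but the cached value now depends on `vulnLocations`, so a later call with the same key gets whatever the first caller's vulnerability carried. If one target can list the same package name and version at two positions (not visible from this hunk), the second SARIF result would be annotated with the first entry's lines and a code-scanning alert would point at the wrong place. Converting `vulnLocations` ahead of the cache lookup and returning without storing it keeps the cache for the `pkgs` fallback only. The function body spans this hunk and the following `@@ -359,11 +369,11 @@` hunk; the fallback loop there builds `loc` in lines that are not shown, so confirm it produces the same `location` values as the new conversion.

```go
func (sw *SarifWriter) getLocations(name, version, path string, pkgs []ftypes.Package, vulnLocations []ftypes.Location) []location {
	// Locations carried by the vulnerability are specific to it; convert them
	// directly instead of sharing them through the path@name@version cache.
	if len(vulnLocations) != 0 {
		locs := make([]location, 0, len(vulnLocations))
		for _, loc := range vulnLocations {
			locs = append(locs, location{
				startLine: loc.StartLine,
				endLine:   loc.EndLine,
			})
		}
		return locs
	}

	id := fmt.Sprintf("%s@%s@%s", path, name, version)
	if locs, ok := sw.locationCache[id]; ok {
		return locs
	}
	// … unchanged: lookup in pkgs, cache store and return …
}
```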
@@ -662,6 +662,176 @@ func TestReportWriter_Sarif(t *testing.T) { }, }, }, + { + name: "report with vulnerabilities and package locations", + input: types.Report{ + ArtifactName: "debian:9", + ArtifactType: ftypes.ArtifactContainerImage, + Metadata: types.Metadata{ + RepoTags: []string{ + "debian:9", + }, + RepoDigests: []string{ + "debian@sha256:a8cc1744bbdd5266678e3e8b3e6387e45c053218438897e86876f2eb104e5534", + }, + }, + Results: types.Results{ + { + Target: "library/test", + Class: types.ClassOSPkg, + Packages: []ftypes.Package{ + { + Name: "foo", + Version: "1.2.3", + Locations: []ftypes.Location{ + { + StartLine: 5, + EndLine: 10, + }, + { + StartLine: 15, + EndLine: 20, + }, + }, + }, + }, + Vulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2020-0001", + PkgName: "foo", + InstalledVersion: "1.2.3", + FixedVersion: "3.4.5", + PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-0001", + SeveritySource: "redhat", + Vulnerability: dbTypes.Vulnerability{ + Title: "foobar", + Description: "baz", + Severity: "HIGH", + VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{ + vulnerability.NVD: dbTypes.SeverityCritical, + vulnerability.RedHat: dbTypes.SeverityHigh, + }, + CVSS: map[dbTypes.SourceID]dbTypes.CVSS{ + vulnerability.NVD: { + V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + V3Score: 9.8, + }, + vulnerability.RedHat: { + V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + V3Score: 7.5, + }, + }, + }, + Locations: []ftypes.Location{ + { + StartLine: 15, + EndLine: 20, + }, + { + StartLine: 30, + EndLine: 35, + }, + }, + }, + }, + }, + }, + }, + want: &sarif.Report{ + Version: "2.1.0", + Schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + Runs: []*sarif.Run{ + { + Tool: sarif.Tool{ + Driver: &sarif.ToolComponent{ + FullName: lo.ToPtr("Trivy Vulnerability Scanner"), + Name: "Trivy", + Version: lo.ToPtr(""), + InformationURI: 
lo.ToPtr("https://github.com/aquasecurity/trivy"), + Rules: []*sarif.ReportingDescriptor{ + { + ID: "CVE-2020-0001", + Name: lo.ToPtr("OsPackageVulnerability"), + ShortDescription: &sarif.MultiformatMessageString{Text: lo.ToPtr("foobar")}, + FullDescription: &sarif.MultiformatMessageString{Text: lo.ToPtr("baz")}, + DefaultConfiguration: &sarif.ReportingConfiguration{ + Level: "error", + }, + HelpURI: lo.ToPtr("https://avd.aquasec.com/nvd/cve-2020-0001"), + Properties: map[string]interface{}{ + "tags": []interface{}{ + "vulnerability", + "security", + "HIGH", + }, + "precision": "very-high", + "security-severity": "7.5", + }, + Help: &sarif.MultiformatMessageString{ + Text: lo.ToPtr("Vulnerability CVE-2020-0001\nSeverity: HIGH\nPackage: foo\nFixed Version: 3.4.5\nLink: [CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)\nbaz"), + Markdown: lo.ToPtr("**Vulnerability CVE-2020-0001**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|foo|3.4.5|[CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)|\n\nbaz"), + }, + }, + }, + }, + }, + Results: []*sarif.Result{ + { + RuleID: lo.ToPtr("CVE-2020-0001"), + RuleIndex: lo.ToPtr[uint](0), + Level: lo.ToPtr("error"), + Message: sarif.Message{Text: lo.ToPtr("Package: foo\nInstalled Version: 1.2.3\nVulnerability CVE-2020-0001\nSeverity: HIGH\nFixed Version: 3.4.5\nLink: [CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)")}, + Locations: []*sarif.Location{ + { + Message: &sarif.Message{Text: lo.ToPtr("library/test: foo@1.2.3")}, + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: &sarif.ArtifactLocation{ + URI: lo.ToPtr("library/test"), + URIBaseId: lo.ToPtr("ROOTPATH"), + }, + Region: &sarif.Region{ + StartLine: lo.ToPtr(15), + EndLine: lo.ToPtr(20), + StartColumn: lo.ToPtr(1), + EndColumn: lo.ToPtr(1), + }, + }, + }, + { + Message: &sarif.Message{Text: lo.ToPtr("library/test: foo@1.2.3")}, + PhysicalLocation: &sarif.PhysicalLocation{ + ArtifactLocation: 
&sarif.ArtifactLocation{ + URI: lo.ToPtr("library/test"), + URIBaseId: lo.ToPtr("ROOTPATH"), + }, + Region: &sarif.Region{ + StartLine: lo.ToPtr(30), + EndLine: lo.ToPtr(35), + StartColumn: lo.ToPtr(1), + EndColumn: lo.ToPtr(1), + }, + }, + }, + }, + }, + }, + ColumnKind: "utf16CodeUnits", + OriginalUriBaseIDs: map[string]*sarif.ArtifactLocation{ + "ROOTPATH": { + URI: lo.ToPtr("file:///"), + }, + }, + PropertyBag: sarif.PropertyBag{ + Properties: map[string]interface{}{ + "imageName": "debian:9", + "repoDigests": []interface{}{"debian@sha256:a8cc1744bbdd5266678e3e8b3e6387e45c053218438897e86876f2eb104e5534"}, + "repoTags": []interface{}{"debian:9"}, + }, + }, + }, + }, + }, + }, } for _, tt := range tests { diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go index 2f64a3b7693..3a936e6a9e8 100644 --- a/pkg/scanner/local/scan.go +++ b/pkg/scanner/local/scan.go @@ -161,6 +161,9 @@ func (s Scanner) ScanTarget(ctx context.Context, target types.ScanTarget, option s.vulnClient.FillInfo(results[i].Vulnerabilities) } + // Fill package location information + fillPackageLocation(results) + // Post scanning results, err = post.Scan(ctx, results) if err != nil { 
@@ -486,3 +489,24 @@ func mergeSecrets(targetName string, detail ftypes.ArtifactDetail) []ftypes.Secr secret.FilePath = targetName // Set the target name to the file path as container image config is not a real file. return append(detail.Secrets, *secret) } + +// fillPackageLocation extracts location information from the packages list and populates it into the vulnerability. +func fillPackageLocation(resultSet []types.Result) { + locationMap := make(map[string][]ftypes.Location) + for _, res := range resultSet { + for i, vuln := range res.Vulnerabilities { + id := fmt.Sprintf("%s@%s@%s", vuln.PkgPath, vuln.PkgName, vuln.InstalledVersion) + locations, ok := locationMap[id] + if !ok { + for _, pkg := range res.Packages { + if pkg.Name == vuln.PkgName && pkg.Version == vuln.InstalledVersion { + locations = pkg.Locations + locationMap[id] = locations + break + } + } + } + res.Vulnerabilities[i].Locations = locations + } + } +} diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go index 3b173957cc2..d5df211a600 100644 --- a/pkg/scanner/local/scan_test.go +++ b/pkg/scanner/local/scan_test.go 
@@ -1358,6 +1358,189 @@ func TestScanner_Scan(t *testing.T) { Eosl: false, }, }, + { + name: "happy path with list all packages and fill location information", + args: args{ + target: "alpine:latest", + layerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"}, + options: types.ScanOptions{ + VulnType: []string{ + types.VulnTypeOS, + types.VulnTypeLibrary, + }, + Scanners: types.Scanners{types.VulnerabilityScanner}, + ListAllPackages: true, + }, + }, + fixtures: []string{"testdata/fixtures/happy.yaml"}, + applyLayersExpectation: ApplierApplyLayersExpectation{ + Args: ApplierApplyLayersArgs{ + BlobIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"}, + }, + Returns: ApplierApplyLayersReturns{ + Detail: ftypes.ArtifactDetail{ + OS: ftypes.OS{ + Family: "alpine", + Name: "3.11", + }, + Packages: []ftypes.Package{ + { + Name: "musl", + Version: "1.2.3", + SrcName: "musl", + SrcVersion: "1.2.3", + Layer: ftypes.Layer{ + DiffID: "sha256:ebf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", + }, + Locations: []ftypes.Location{ + { + StartLine: 23, + EndLine: 31, + }, + }, + }, + { + Name: "ausl", + Version: "1.2.3", + SrcName: "ausl", + SrcVersion: "1.2.3", + Layer: ftypes.Layer{ + DiffID: "sha256:bbf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", + }, + Locations: []ftypes.Location{ + { + StartLine: 54, + EndLine: 60, + }, + }, + }, + }, + Applications: []ftypes.Application{ + { + Type: "bundler", + FilePath: "/app/Gemfile.lock", + Libraries: []ftypes.Package{ + { + Name: "rails", + Version: "4.0.2", + Layer: ftypes.Layer{ + DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", + }, + }, + }, + }, + }, + }, + }, + }, + wantResults: types.Results{ + { + Target: "alpine:latest (alpine 3.11)", + Class: types.ClassOSPkg, + Type: ftypes.Alpine, + Packages: []ftypes.Package{ + { + Name: "ausl", + Version: "1.2.3", + SrcName: "ausl", + SrcVersion: 
"1.2.3", + Layer: ftypes.Layer{ + DiffID: "sha256:bbf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", + }, + Locations: []ftypes.Location{ + { + StartLine: 54, + EndLine: 60, + }, + }, + }, + { + Name: "musl", + Version: "1.2.3", + SrcName: "musl", + SrcVersion: "1.2.3", + Layer: ftypes.Layer{ + DiffID: "sha256:ebf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", + }, + Locations: []ftypes.Location{ + { + StartLine: 23, + EndLine: 31, + }, + }, + }, + }, + // For backward compatibility, will be removed + Vulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2020-9999", + PkgName: "musl", + InstalledVersion: "1.2.3", + FixedVersion: "1.2.4", + Status: dbTypes.StatusFixed, + Layer: ftypes.Layer{ + DiffID: "sha256:ebf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", + }, + PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-9999", + Vulnerability: dbTypes.Vulnerability{ + Title: "dos", + Description: "dos vulnerability", + Severity: "HIGH", + }, + Locations: []ftypes.Location{ + { + StartLine: 23, + EndLine: 31, + }, + }, + }, + }, + }, + { + Target: "/app/Gemfile.lock", + Class: types.ClassLangPkg, + Type: ftypes.Bundler, + Packages: []ftypes.Package{ + { + Name: "rails", + Version: "4.0.2", + Layer: ftypes.Layer{ + DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", + }, + }, + }, + // For backward compatibility, will be removed + Vulnerabilities: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2014-0081", + PkgName: "rails", + InstalledVersion: "4.0.2", + FixedVersion: "4.0.3, 3.2.17", + Status: dbTypes.StatusFixed, + Layer: ftypes.Layer{ + DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", + }, + PrimaryURL: "https://avd.aquasec.com/nvd/cve-2014-0081", + Vulnerability: dbTypes.Vulnerability{ + Title: "xss", + Description: "xss vulnerability", + Severity: "MEDIUM", + References: []string{ + "http://example.com", + }, + 
LastModifiedDate: lo.ToPtr(time.Date(2020, 2, 1, 1, 1, 0, 0, time.UTC)), + PublishedDate: lo.ToPtr(time.Date(2020, 1, 1, 1, 1, 0, 0, time.UTC)), + }, + }, + }, + }, + }, + wantOS: ftypes.OS{ + Family: "alpine", + Name: "3.11", + Eosl: true, + }, + }, } for _, tt := range tests { diff --git a/pkg/types/vulnerability.go b/pkg/types/vulnerability.go index 693b212d077..0305dc343bc 100644 --- a/pkg/types/vulnerability.go +++ b/pkg/types/vulnerability.go @@ -19,6 +19,7 @@ type DetectedVulnerability struct { Layer ftypes.Layer `json:",omitempty"` SeveritySource types.SourceID `json:",omitempty"` PrimaryURL string `json:",omitempty"` + Locations []ftypes.Location `json:",omitempty"` // DataSource holds where the advisory comes from DataSource *types.DataSource `json:",omitempty"` From 87416cb60cf832473700219d397f5080bd904433 Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Sun, 17 Mar 2024 05:56:03 +0530 Subject: [PATCH 02/12] test(integration): updated integration test golden output to verify location in json report --- integration/testdata/composer.lock.json.golden | 6 ++++++ integration/testdata/conan.json.golden | 6 ++++++ integration/testdata/dotnet.json.golden | 6 ++++++ integration/testdata/mix.lock.json.golden | 6 ++++++ integration/testdata/npm-with-dev.json.golden | 6 ++++++ integration/testdata/npm.json.golden | 6 ++++++ integration/testdata/nuget.json.golden | 6 ++++++ integration/testdata/pipenv.json.golden | 12 ++++++++++++ integration/testdata/swift.json.golden | 6 ++++++ integration/testdata/yarn.json.golden | 6 ++++++ 10 files changed, 66 insertions(+) diff --git a/integration/testdata/composer.lock.json.golden b/integration/testdata/composer.lock.json.golden index b2a341f96e3..d3bce9b2bd2 100644 --- a/integration/testdata/composer.lock.json.golden +++ b/integration/testdata/composer.lock.json.golden 
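Review bot: The new `Locations` field on DetectedVulnerability has no comment, although it becomes part of the JSON report (the golden files later in the series gain a `Locations` array) and downstream consumers need to know which file the line numbers refer to. I would add `// Locations holds the line ranges where the affected package is declared in the scanned file (copied from the package's Locations)` above the field; confirm the wording against ftypes.Location. The struct continues outside the hunk.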
@@ -72,6 +72,12 @@ "PkgIdentifier": { "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3" }, + "Locations": [ + { + "StartLine": 130, + "EndLine": 245 + } + ], "InstalledVersion": "1.8.3", "FixedVersion": "1.8.4", "Status": "fixed", diff --git a/integration/testdata/conan.json.golden b/integration/testdata/conan.json.golden index 4de31b4c3a8..024da7fad96 100644 --- a/integration/testdata/conan.json.golden +++ b/integration/testdata/conan.json.golden @@ -159,6 +159,12 @@ "PkgIdentifier": { "PURL": "pkg:conan/pcre@8.43" }, + "Locations": [ + { + "StartLine": 26, + "EndLine": 36 + } + ], "InstalledVersion": "8.43", "FixedVersion": "8.45", "Status": "fixed", diff --git a/integration/testdata/dotnet.json.golden b/integration/testdata/dotnet.json.golden index 264b28d7534..a8f783b0287 100644 --- a/integration/testdata/dotnet.json.golden +++ b/integration/testdata/dotnet.json.golden @@ -43,6 +43,12 @@ "PkgIdentifier": { "PURL": "pkg:nuget/Newtonsoft.Json@9.0.1" }, + "Locations": [ + { + "StartLine": 8, + "EndLine": 14 + } + ], "InstalledVersion": "9.0.1", "FixedVersion": "13.0.1", "Status": "fixed", diff --git a/integration/testdata/mix.lock.json.golden b/integration/testdata/mix.lock.json.golden index 54445fbf9cf..1ab97c6450a 100644 --- a/integration/testdata/mix.lock.json.golden +++ b/integration/testdata/mix.lock.json.golden @@ -180,6 +180,12 @@ "PkgIdentifier": { "PURL": "pkg:hex/phoenix@1.6.13" }, + "Locations": [ + { + "StartLine": 4, + "EndLine": 4 + } + ], "InstalledVersion": "1.6.13", "FixedVersion": "1.6.14", "Status": "fixed", diff --git a/integration/testdata/npm-with-dev.json.golden b/integration/testdata/npm-with-dev.json.golden index fb1ecb09120..bfc31c7bd41 100644 --- a/integration/testdata/npm-with-dev.json.golden +++ b/integration/testdata/npm-with-dev.json.golden 
@@ -269,6 +269,12 @@ "PkgIdentifier": { "PURL": "pkg:npm/jquery@3.3.9" }, + "Locations": [ + { + "StartLine": 11, + "EndLine": 15 + } + ], "InstalledVersion": "3.3.9", "FixedVersion": "3.4.0", "Status": "fixed", diff --git a/integration/testdata/npm.json.golden b/integration/testdata/npm.json.golden index a576da82c72..127af5d7d08 100644 --- a/integration/testdata/npm.json.golden +++ b/integration/testdata/npm.json.golden @@ -250,6 +250,12 @@ "PkgIdentifier": { "PURL": "pkg:npm/jquery@3.3.9" }, + "Locations": [ + { + "StartLine": 11, + "EndLine": 15 + } + ], "InstalledVersion": "3.3.9", "FixedVersion": "3.4.0", "Status": "fixed", diff --git a/integration/testdata/nuget.json.golden b/integration/testdata/nuget.json.golden index 6c5a2f19b9a..888d8c8f3ae 100644 --- a/integration/testdata/nuget.json.golden +++ b/integration/testdata/nuget.json.golden @@ -65,6 +65,12 @@ "PkgIdentifier": { "PURL": "pkg:nuget/Newtonsoft.Json@12.0.3" }, + "Locations": [ + { + "StartLine": 5, + "EndLine": 10 + } + ], "InstalledVersion": "12.0.3", "FixedVersion": "13.0.1", "Status": "fixed", diff --git a/integration/testdata/pipenv.json.golden b/integration/testdata/pipenv.json.golden index e5076aa4571..8e9b426a590 100644 --- a/integration/testdata/pipenv.json.golden +++ b/integration/testdata/pipenv.json.golden @@ -43,6 +43,12 @@ "PkgIdentifier": { "PURL": "pkg:pypi/werkzeug@0.11.1" }, + "Locations": [ + { + "StartLine": 19, + "EndLine": 26 + } + ], "InstalledVersion": "0.11.1", "FixedVersion": "0.15.3", "Status": "fixed", @@ -99,6 +105,12 @@ "PkgIdentifier": { "PURL": "pkg:pypi/werkzeug@0.11.1" }, + "Locations": [ + { + "StartLine": 19, + "EndLine": 26 + } + ], "InstalledVersion": "0.11.1", "FixedVersion": "0.11.6", "Status": "fixed", diff --git a/integration/testdata/swift.json.golden b/integration/testdata/swift.json.golden index 0a9d1ebffb2..8d587f2c59f 100644 --- a/integration/testdata/swift.json.golden +++ b/integration/testdata/swift.json.golden 
@@ -60,6 +60,12 @@ "PkgIdentifier": { "PURL": "pkg:swift/github.com/apple/swift-nio@2.41.0" }, + "Locations": [ + { + "StartLine": 13, + "EndLine": 21 + } + ], "InstalledVersion": "2.41.0", "FixedVersion": "2.29.1, 2.39.1, 2.42.0", "Status": "fixed", diff --git a/integration/testdata/yarn.json.golden b/integration/testdata/yarn.json.golden index 452dcd0172a..b71d87a2dd1 100644 --- a/integration/testdata/yarn.json.golden +++ b/integration/testdata/yarn.json.golden @@ -49,6 +49,12 @@ "PkgIdentifier": { "PURL": "pkg:npm/jquery@3.2.1" }, + "Locations": [ + { + "StartLine": 10, + "EndLine": 13 + } + ], "InstalledVersion": "3.2.1", "FixedVersion": "3.4.0", "Status": "fixed", From 85cf901ac1db54d8be4d0aa5f1742edb58d928d8 Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Tue, 19 Mar 2024 08:12:00 +0530 Subject: [PATCH 03/12] updated detector library to populate Locations data removed redundant code changes and updated test cases --- integration/testdata/gradle.json.golden | 12 ++++++++++++ integration/testdata/pom.json.golden | 12 ++++++++++++ pkg/detector/library/detect.go | 1 + pkg/report/sarif_test.go | 8 ++++---- pkg/scanner/local/scan.go | 24 ------------------------ 5 files changed, 29 insertions(+), 28 deletions(-) diff --git a/integration/testdata/gradle.json.golden b/integration/testdata/gradle.json.golden index 86822d526e3..af388b253ce 100644 --- a/integration/testdata/gradle.json.golden +++ b/integration/testdata/gradle.json.golden @@ -28,6 +28,12 @@ "PkgIdentifier": { "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" }, + "Locations": [ + { + "StartLine": 4, + "EndLine": 4 + } + ], "InstalledVersion": "2.9.1", "FixedVersion": "2.9.10.4", "Status": "fixed", @@ -93,6 +99,12 @@ "PkgIdentifier": { "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" }, + "Locations": [ + { + "StartLine": 4, + "EndLine": 4 + } + ], "InstalledVersion": "2.9.1", "FixedVersion": "2.9.10.7", "Status": "fixed", 
diff --git a/integration/testdata/pom.json.golden b/integration/testdata/pom.json.golden index 244817f1e4c..705a178af69 100644 --- a/integration/testdata/pom.json.golden +++ b/integration/testdata/pom.json.golden @@ -28,6 +28,12 @@ "PkgIdentifier": { "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" }, + "Locations": [ + { + "StartLine": 41, + "EndLine": 45 + } + ], "InstalledVersion": "2.9.1", "FixedVersion": "2.9.10.4", "Status": "fixed", @@ -93,6 +99,12 @@ "PkgIdentifier": { "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" }, + "Locations": [ + { + "StartLine": 41, + "EndLine": 45 + } + ], "InstalledVersion": "2.9.1", "FixedVersion": "2.9.10.7", "Status": "fixed", diff --git a/pkg/detector/library/detect.go b/pkg/detector/library/detect.go index e85db70769b..a71cab8f833 100644 --- a/pkg/detector/library/detect.go +++ b/pkg/detector/library/detect.go @@ -42,6 +42,7 @@ func detect(ctx context.Context, driver Driver, pkgs []ftypes.Package) ([]types. vulns[i].Layer = pkg.Layer vulns[i].PkgPath = pkg.FilePath vulns[i].PkgIdentifier = pkg.Identifier + vulns[i].Locations = pkg.Locations } vulnerabilities = append(vulnerabilities, vulns...) } diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go index 1105844ac2a..9d51dac112b 100644 --- a/pkg/report/sarif_test.go +++ b/pkg/report/sarif_test.go @@ -684,14 +684,14 @@ func TestReportWriter_Sarif(t *testing.T) { Name: "foo", Version: "1.2.3", Locations: []ftypes.Location{ - { - StartLine: 5, - EndLine: 10, - }, { StartLine: 15, EndLine: 20, }, + { + StartLine: 30, + EndLine: 35, + }, }, }, }, diff --git a/pkg/scanner/local/scan.go b/pkg/scanner/local/scan.go index 3a936e6a9e8..2f64a3b7693 100644 --- a/pkg/scanner/local/scan.go +++ b/pkg/scanner/local/scan.go 
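Review bot: `vulns[i].Locations = pkg.Locations` in detect gives every vulnerability of a package the same backing array as the package entry, so an in-place edit of one report item's locations would also show up in the others. Nothing in this hunk mutates the slice, so this is a defensive point. Either copy it, `vulns[i].Locations = append([]ftypes.Location(nil), pkg.Locations...)`, or add a comment stating that the slice is shared with the package and must be treated as read-only. The surrounding loop and the rest of detect lie outside the hunk.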
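Review bot: After this edit to the sarif_test.go fixture the package's `Locations` are identical to the vulnerability's (`15-20` and `30-35`), so the case "report with vulnerabilities and package locations" passes whether getLocations reads `vuln.Locations` or falls back to `res.Packages`. Keeping one range that differs on the package side, as the removed `StartLine: 5, EndLine: 10` entry did, would keep the precedence between the two sources under test. The test table continues outside the hunk.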
@@ -161,9 +161,6 @@ func (s Scanner) ScanTarget(ctx context.Context, target types.ScanTarget, option s.vulnClient.FillInfo(results[i].Vulnerabilities) } - // Fill package location information - fillPackageLocation(results) - // Post scanning results, err = post.Scan(ctx, results) if err != nil { @@ -489,24 +486,3 @@ func mergeSecrets(targetName string, detail ftypes.ArtifactDetail) []ftypes.Secr secret.FilePath = targetName // Set the target name to the file path as container image config is not a real file. return append(detail.Secrets, *secret) } - -// fillPackageLocation extracts location information from the packages list and populates it into the vulnerability. -func fillPackageLocation(resultSet []types.Result) { - locationMap := make(map[string][]ftypes.Location) - for _, res := range resultSet { - for i, vuln := range res.Vulnerabilities { - id := fmt.Sprintf("%s@%s@%s", vuln.PkgPath, vuln.PkgName, vuln.InstalledVersion) - locations, ok := locationMap[id] - if !ok { - for _, pkg := range res.Packages { - if pkg.Name == vuln.PkgName && pkg.Version == vuln.InstalledVersion { - locations = pkg.Locations - locationMap[id] = locations - break - } - } - } - res.Vulnerabilities[i].Locations = locations - } - } -} From 1338fee8bba90e271ae999b9767fba2473a935d7 Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Tue, 19 Mar 2024 11:28:13 +0530 Subject: [PATCH 04/12] updated report golden for busybox-with-lockfile.json.golden --- .../busybox-with-lockfile.json.golden | 12 ++ pkg/scanner/local/scan_test.go | 183 ------------------ 2 files changed, 12 insertions(+), 183 deletions(-) diff --git a/integration/testdata/busybox-with-lockfile.json.golden b/integration/testdata/busybox-with-lockfile.json.golden index 520afe2de92..0e85c1cc3f1 100644 --- a/integration/testdata/busybox-with-lockfile.json.golden +++ b/integration/testdata/busybox-with-lockfile.json.golden 
@@ -60,6 +60,12 @@ "PkgIdentifier": { "PURL": "pkg:cargo/ammonia@1.9.0" }, + "Locations": [ + { + "StartLine": 2, + "EndLine": 13 + } + ], "InstalledVersion": "1.9.0", "FixedVersion": "\u003e= 2.1.0", "Status": "fixed", @@ -105,6 +111,12 @@ "PkgIdentifier": { "PURL": "pkg:cargo/ammonia@1.9.0" }, + "Locations": [ + { + "StartLine": 2, + "EndLine": 13 + } + ], "InstalledVersion": "1.9.0", "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0", "Status": "fixed", diff --git a/pkg/scanner/local/scan_test.go b/pkg/scanner/local/scan_test.go index d5df211a600..3b173957cc2 100644 --- a/pkg/scanner/local/scan_test.go +++ b/pkg/scanner/local/scan_test.go 
@@ -1358,189 +1358,6 @@ func TestScanner_Scan(t *testing.T) { Eosl: false, }, }, - { - name: "happy path with list all packages and fill location information", - args: args{ - target: "alpine:latest", - layerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"}, - options: types.ScanOptions{ - VulnType: []string{ - types.VulnTypeOS, - types.VulnTypeLibrary, - }, - Scanners: types.Scanners{types.VulnerabilityScanner}, - ListAllPackages: true, - }, - }, - fixtures: []string{"testdata/fixtures/happy.yaml"}, - applyLayersExpectation: ApplierApplyLayersExpectation{ - Args: ApplierApplyLayersArgs{ - BlobIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"}, - }, - Returns: ApplierApplyLayersReturns{ - Detail: ftypes.ArtifactDetail{ - OS: ftypes.OS{ - Family: "alpine", - Name: "3.11", - }, - Packages: []ftypes.Package{ - { - Name: "musl", - Version: "1.2.3", - SrcName: "musl", - SrcVersion: "1.2.3", - Layer: ftypes.Layer{ - DiffID: "sha256:ebf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", - }, - Locations: []ftypes.Location{ - { - StartLine: 23, - EndLine: 31, - }, - }, - }, - { - Name: "ausl", - Version: "1.2.3", - SrcName: "ausl", - SrcVersion: "1.2.3", - Layer: ftypes.Layer{ - DiffID: "sha256:bbf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", - }, - Locations: []ftypes.Location{ - { - StartLine: 54, - EndLine: 60, - }, - }, - }, - }, - Applications: []ftypes.Application{ - { - Type: "bundler", - FilePath: "/app/Gemfile.lock", - Libraries: []ftypes.Package{ - { - Name: "rails", - Version: "4.0.2", - Layer: ftypes.Layer{ - DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", - }, - }, - }, - }, - }, - }, - }, - }, - wantResults: types.Results{ - { - Target: "alpine:latest (alpine 3.11)", - Class: types.ClassOSPkg, - Type: ftypes.Alpine, - Packages: []ftypes.Package{ - { - Name: "ausl", - Version: "1.2.3", - SrcName: "ausl", - SrcVersion: 
"1.2.3", - Layer: ftypes.Layer{ - DiffID: "sha256:bbf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", - }, - Locations: []ftypes.Location{ - { - StartLine: 54, - EndLine: 60, - }, - }, - }, - { - Name: "musl", - Version: "1.2.3", - SrcName: "musl", - SrcVersion: "1.2.3", - Layer: ftypes.Layer{ - DiffID: "sha256:ebf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", - }, - Locations: []ftypes.Location{ - { - StartLine: 23, - EndLine: 31, - }, - }, - }, - }, - // For backward compatibility, will be removed - Vulnerabilities: []types.DetectedVulnerability{ - { - VulnerabilityID: "CVE-2020-9999", - PkgName: "musl", - InstalledVersion: "1.2.3", - FixedVersion: "1.2.4", - Status: dbTypes.StatusFixed, - Layer: ftypes.Layer{ - DiffID: "sha256:ebf12965380b39889c99a9c02e82ba465f887b45975b6e389d42e9e6a3857888", - }, - PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-9999", - Vulnerability: dbTypes.Vulnerability{ - Title: "dos", - Description: "dos vulnerability", - Severity: "HIGH", - }, - Locations: []ftypes.Location{ - { - StartLine: 23, - EndLine: 31, - }, - }, - }, - }, - }, - { - Target: "/app/Gemfile.lock", - Class: types.ClassLangPkg, - Type: ftypes.Bundler, - Packages: []ftypes.Package{ - { - Name: "rails", - Version: "4.0.2", - Layer: ftypes.Layer{ - DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", - }, - }, - }, - // For backward compatibility, will be removed - Vulnerabilities: []types.DetectedVulnerability{ - { - VulnerabilityID: "CVE-2014-0081", - PkgName: "rails", - InstalledVersion: "4.0.2", - FixedVersion: "4.0.3, 3.2.17", - Status: dbTypes.StatusFixed, - Layer: ftypes.Layer{ - DiffID: "sha256:0ea33a93585cf1917ba522b2304634c3073654062d5282c1346322967790ef33", - }, - PrimaryURL: "https://avd.aquasec.com/nvd/cve-2014-0081", - Vulnerability: dbTypes.Vulnerability{ - Title: "xss", - Description: "xss vulnerability", - Severity: "MEDIUM", - References: []string{ - "http://example.com", - }, - 
LastModifiedDate: lo.ToPtr(time.Date(2020, 2, 1, 1, 1, 0, 0, time.UTC)), - PublishedDate: lo.ToPtr(time.Date(2020, 1, 1, 1, 1, 0, 0, time.UTC)), - }, - }, - }, - }, - }, - wantOS: ftypes.OS{ - Family: "alpine", - Name: "3.11", - Eosl: true, - }, - }, } for _, tt := range tests { From 0c559253360df86e0f642e8634a78e238c59e0a3 Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Wed, 20 Mar 2024 08:33:26 +0530 Subject: [PATCH 05/12] fixed integration test failures and rewrote sarif test case with location data --- integration/repo_test.go | 5 +- integration/standalone_tar_test.go | 5 +- ...ith-lockfile-and-location-data.json.golden | 162 ++++++++++++++++++ .../busybox-with-lockfile.json.golden | 12 -- .../pom-with-location-data.json.golden | 159 +++++++++++++++++ integration/testdata/pom.json.golden | 12 -- pkg/report/sarif_test.go | 129 ++++++-------- 7 files changed, 378 insertions(+), 106 deletions(-) create mode 100644 integration/testdata/busybox-with-lockfile-and-location-data.json.golden create mode 100644 integration/testdata/pom-with-location-data.json.golden diff --git a/integration/repo_test.go b/integration/repo_test.go index ba11aa9ccb0..471256d6515 100644 --- a/integration/repo_test.go +++ b/integration/repo_test.go @@ -4,11 +4,12 @@ package integration import ( "fmt" - "github.com/stretchr/testify/assert" "os" "strings" "testing" + "github.com/stretchr/testify/assert" + ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/aquasecurity/trivy/pkg/types" ) @@ -143,7 +144,7 @@ func TestRepository(t *testing.T) { scanner: types.VulnerabilityScanner, input: "testdata/fixtures/repo/pom", }, - golden: "testdata/pom.json.golden", + golden: "testdata/pom-with-location-data.json.golden", }, { name: "gradle", diff --git a/integration/standalone_tar_test.go b/integration/standalone_tar_test.go index 67cd869ebf1..a7bfbfc84f8 100644 --- a/integration/standalone_tar_test.go +++ b/integration/standalone_tar_test.go 
@@ -3,12 +3,13 @@ package integration import ( - "github.com/aquasecurity/trivy/pkg/types" "os" "path/filepath" "strings" "testing" + "github.com/aquasecurity/trivy/pkg/types" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -344,7 +345,7 @@ func TestTar(t *testing.T) { Format: types.FormatJSON, Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz", }, - golden: "testdata/busybox-with-lockfile.json.golden", + golden: "testdata/busybox-with-lockfile-and-location-data.json.golden", }, { name: "fluentd with RubyGems", diff --git a/integration/testdata/busybox-with-lockfile-and-location-data.json.golden b/integration/testdata/busybox-with-lockfile-and-location-data.json.golden new file mode 100644 index 00000000000..0e85c1cc3f1 --- /dev/null +++ b/integration/testdata/busybox-with-lockfile-and-location-data.json.golden 
@@ -0,0 +1,162 @@ +{ + "SchemaVersion": 2, + "CreatedAt": "2021-08-25T12:20:30.000000005Z", + "ArtifactName": "testdata/fixtures/images/busybox-with-lockfile.tar.gz", + "ArtifactType": "container_image", + "Metadata": { + "ImageID": "sha256:88702f6b6133bf06cc46af48437d0c0fc661239155548757c65916504a0e5eee", + "DiffIDs": [ + "sha256:797ac4999b67d8c38a596919efa5b7b6a4a8fd5814cb8564efa482c5d8403e6d", + "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" + ], + "ImageConfig": { + "architecture": "amd64", + "created": "2022-06-07T04:24:40.230164Z", + "docker_version": "20.10.14", + "history": [ + { + "created": "2022-03-11T20:19:46.778911455Z", + "created_by": "/bin/sh -c #(nop) ADD file:39f6523fbc03f554a59461a34850d68c31cd5822e5a6fddf2d0ea198ed9a11c4 in / " + }, + { + "created": "2022-03-11T20:19:46.866228701Z", + "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]", + "empty_layer": true + }, + { + "created": "2022-06-07T04:24:40.230164Z", + "created_by": "/bin/sh -c #(nop) COPY file:343df0159abcc51b06b4e56bfd4c06d2003b88947ed93b0cec6214ae5985669e in . 
" + } + ], + "os": "linux", + "rootfs": { + "type": "layers", + "diff_ids": [ + "sha256:797ac4999b67d8c38a596919efa5b7b6a4a8fd5814cb8564efa482c5d8403e6d", + "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" + ] + }, + "config": { + "Cmd": [ + "sh" + ], + "Env": [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ], + "Image": "sha256:2fb6fc2d97e10c79983aa10e013824cc7fc8bae50630e32159821197dda95fe3" + } + } + }, + "Results": [ + { + "Target": "Cargo.lock", + "Class": "lang-pkgs", + "Type": "cargo", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2019-15542", + "PkgID": "ammonia@1.9.0", + "PkgName": "ammonia", + "PkgIdentifier": { + "PURL": "pkg:cargo/ammonia@1.9.0" + }, + "Locations": [ + { + "StartLine": 2, + "EndLine": 13 + } + ], + "InstalledVersion": "1.9.0", + "FixedVersion": "\u003e= 2.1.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:fd2e3bc9bccc9c677572a542d020998389de94f127ca2c252ae627fc7c241cee", + "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15542", + "DataSource": { + "Name": "RustSec Advisory Database", + "URL": "https://github.com/RustSec/advisory-db" + }, + "Title": "Uncontrolled recursion leads to abort in HTML serialization", + "Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. 
There is uncontrolled recursion during HTML DOM tree serialization.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-674" + ], + "VendorSeverity": { + "nvd": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", + "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "V2Score": 5, + "V3Score": 7.5 + } + }, + "References": [ + "https://crates.io/crates/ammonia", + "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210", + "https://rustsec.org/advisories/RUSTSEC-2019-0001.html" + ], + "PublishedDate": "2019-08-26T18:15:00Z", + "LastModifiedDate": "2020-08-24T17:37:00Z" + }, + { + "VulnerabilityID": "CVE-2021-38193", + "PkgID": "ammonia@1.9.0", + "PkgName": "ammonia", + "PkgIdentifier": { + "PURL": "pkg:cargo/ammonia@1.9.0" + }, + "Locations": [ + { + "StartLine": 2, + "EndLine": 13 + } + ], + "InstalledVersion": "1.9.0", + "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0", + "Status": "fixed", + "Layer": { + "Digest": "sha256:fd2e3bc9bccc9c677572a542d020998389de94f127ca2c252ae627fc7c241cee", + "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" + }, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-38193", + "DataSource": { + "Name": "RustSec Advisory Database", + "URL": "https://github.com/RustSec/advisory-db" + }, + "Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS", + "Description": "An issue was discovered in the ammonia crate before 3.1.0 for Rust. 
XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.", + "Severity": "MEDIUM", + "CweIDs": [ + "CWE-79" + ], + "VendorSeverity": { + "nvd": 2 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "V2Score": 4.3, + "V3Score": 6.1 + } + }, + "References": [ + "https://crates.io/crates/ammonia", + "https://github.com/rust-ammonia/ammonia/pull/142", + "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/ammonia/RUSTSEC-2021-0074.md", + "https://rustsec.org/advisories/RUSTSEC-2021-0074.html" + ], + "PublishedDate": "2021-08-08T06:15:00Z", + "LastModifiedDate": "2021-08-16T16:37:00Z" + } + ] + } + ] +} diff --git a/integration/testdata/busybox-with-lockfile.json.golden b/integration/testdata/busybox-with-lockfile.json.golden index 0e85c1cc3f1..520afe2de92 100644 --- a/integration/testdata/busybox-with-lockfile.json.golden +++ b/integration/testdata/busybox-with-lockfile.json.golden @@ -60,12 +60,6 @@ "PkgIdentifier": { "PURL": "pkg:cargo/ammonia@1.9.0" }, - "Locations": [ - { - "StartLine": 2, - "EndLine": 13 - } - ], "InstalledVersion": "1.9.0", "FixedVersion": "\u003e= 2.1.0", "Status": "fixed", @@ -111,12 +105,6 @@ "PkgIdentifier": { "PURL": "pkg:cargo/ammonia@1.9.0" }, - "Locations": [ - { - "StartLine": 2, - "EndLine": 13 - } - ], "InstalledVersion": "1.9.0", "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0", "Status": "fixed", diff --git a/integration/testdata/pom-with-location-data.json.golden b/integration/testdata/pom-with-location-data.json.golden new file mode 100644 index 00000000000..705a178af69 --- /dev/null +++ b/integration/testdata/pom-with-location-data.json.golden 
@@ -0,0 +1,159 @@ +{ + "SchemaVersion": 2, + "CreatedAt": "2021-08-25T12:20:30.000000005Z", + "ArtifactName": "testdata/fixtures/repo/pom", + "ArtifactType": "repository", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": "pom.xml", + "Class": "lang-pkgs", + "Type": "pom", + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2020-9548", + "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1", + "PkgName": "com.fasterxml.jackson.core:jackson-databind", + "PkgIdentifier": { + "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" + }, + "Locations": [ + { + "StartLine": 41, + "EndLine": 45 + } + ], + "InstalledVersion": "2.9.1", + "FixedVersion": "2.9.10.4", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-9548", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Maven", + "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven" + }, + "Title": "jackson-databind: Serialization gadgets in anteros-core", + "Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", + "Severity": "CRITICAL", + "CweIDs": [ + "CWE-502" + ], + "VendorSeverity": { + "ghsa": 4, + "nvd": 4, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 6.8, + "V3Score": 9.8 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2020-9548", + "https://github.com/FasterXML/jackson-databind/issues/2634", + 
"https://github.com/advisories/GHSA-p43x-xfjf-5jhr", + "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E", + "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E", + "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E", + "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html", + "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", + "https://nvd.nist.gov/vuln/detail/CVE-2020-9548", + "https://security.netapp.com/advisory/ntap-20200904-0006/", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" + ], + "PublishedDate": "2020-03-02T04:15:00Z", + "LastModifiedDate": "2021-12-02T21:23:00Z" + }, + { + "VulnerabilityID": "CVE-2021-20190", + "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1", + "PkgName": "com.fasterxml.jackson.core:jackson-databind", + "PkgIdentifier": { + "PURL": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" + }, + "Locations": [ + { + "StartLine": 41, + "EndLine": 45 + } + ], + "InstalledVersion": "2.9.1", + "FixedVersion": "2.9.10.7", + "Status": "fixed", + "Layer": {}, + "SeveritySource": "nvd", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20190", + "DataSource": { + "ID": "glad", + "Name": "GitLab Advisory Database Community", + "URL": "https://gitlab.com/gitlab-org/advisories-community" + }, + "Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing", + "Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", + "Severity": "HIGH", + "CweIDs": [ + "CWE-502" + ], + "VendorSeverity": { + "ghsa": 3, + "nvd": 3, + "redhat": 3 + }, + "CVSS": { + "nvd": { + "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C", + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V2Score": 8.3, + "V3Score": 8.1 + }, + "redhat": { + "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "V3Score": 8.1 + } + }, + "References": [ + "https://access.redhat.com/security/cve/CVE-2021-20190", + "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", + "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", + "https://github.com/FasterXML/jackson-databind/issues/2854", + "https://github.com/advisories/GHSA-5949-rw7g-wx7w", + "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html", + "https://nvd.nist.gov/vuln/detail/CVE-2021-20190", + "https://security.netapp.com/advisory/ntap-20210219-0008/" + ], + "PublishedDate": "2021-01-19T17:15:00Z", + "LastModifiedDate": 
"2021-07-20T23:15:00Z" + } + ] + } + ] +} diff --git a/integration/testdata/pom.json.golden b/integration/testdata/pom.json.golden index 705a178af69..244817f1e4c 100644 --- a/integration/testdata/pom.json.golden +++ b/integration/testdata/pom.json.golden @@ -28,12 +28,6 @@ "PkgIdentifier": { "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" }, - "Locations": [ - { - "StartLine": 41, - "EndLine": 45 - } - ], "InstalledVersion": "2.9.1", "FixedVersion": "2.9.10.4", "Status": "fixed", @@ -99,12 +93,6 @@ "PkgIdentifier": { "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" }, - "Locations": [ - { - "StartLine": 41, - "EndLine": 45 - } - ], "InstalledVersion": "2.9.1", "FixedVersion": "2.9.10.7", "Status": "fixed", diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go index 9d51dac112b..55833c3ce94 100644 --- a/pkg/report/sarif_test.go +++ b/pkg/report/sarif_test.go 
@@ -665,71 +665,63 @@ func TestReportWriter_Sarif(t *testing.T) { { name: "report with vulnerabilities and package locations", input: types.Report{ - ArtifactName: "debian:9", - ArtifactType: ftypes.ArtifactContainerImage, - Metadata: types.Metadata{ - RepoTags: []string{ - "debian:9", - }, - RepoDigests: []string{ - "debian@sha256:a8cc1744bbdd5266678e3e8b3e6387e45c053218438897e86876f2eb104e5534", - }, - }, + ArtifactName: "testdata/fixtures/repo/yarn", + ArtifactType: ftypes.ArtifactRepository, Results: types.Results{ { - Target: "library/test", - Class: types.ClassOSPkg, + Target: "yarn.lock", + Class: types.ClassLangPkg, Packages: []ftypes.Package{ { - Name: "foo", - Version: "1.2.3", + ID: "jquery@3.2.1", + Name: "jquery", + Version: "3.2.1", Locations: []ftypes.Location{ { - StartLine: 15, - EndLine: 20, - }, - { - StartLine: 30, - EndLine: 35, + StartLine: 10, + EndLine: 13, }, }, }, }, Vulnerabilities: []types.DetectedVulnerability{ { - VulnerabilityID: "CVE-2020-0001", - PkgName: "foo", - InstalledVersion: "1.2.3", - FixedVersion: "3.4.5", - PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-0001", - SeveritySource: "redhat", + VulnerabilityID: "CVE-2019-11358", + PkgID: "jquery@3.2.1", + PkgName: "jquery", + InstalledVersion: "3.2.1", + FixedVersion: "3.4.0", + PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-11358", + SeveritySource: "ghsa", Vulnerability: dbTypes.Vulnerability{ - Title: "foobar", - Description: "baz", - Severity: "HIGH", + Title: "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection", + Description: "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. 
If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.", + Severity: "MEDIUM", VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{ - vulnerability.NVD: dbTypes.SeverityCritical, - vulnerability.RedHat: dbTypes.SeverityHigh, + vulnerability.NVD: dbTypes.SeverityMedium, + vulnerability.RedHat: dbTypes.SeverityMedium, + vulnerability.GHSA: dbTypes.SeverityMedium, + vulnerability.Alma: dbTypes.SeverityMedium, + vulnerability.NodejsSecurityWg: dbTypes.SeverityMedium, + vulnerability.RubySec: dbTypes.SeverityMedium, }, CVSS: map[dbTypes.SourceID]dbTypes.CVSS{ vulnerability.NVD: { - V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - V3Score: 9.8, + V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + V3Score: 6.1, + V2Vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N", + V2Score: 4.3, }, vulnerability.RedHat: { - V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - V3Score: 7.5, + V3Vector: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", + V3Score: 5.6, }, }, }, Locations: []ftypes.Location{ { - StartLine: 15, - EndLine: 20, - }, - { - StartLine: 30, - EndLine: 35, + StartLine: 10, + EndLine: 13, }, }, }, 
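Review bot: The rewritten case "report with vulnerabilities and package locations" gives the package entry and the vulnerability entry the same `Locations` range (`StartLine: 10`, `EndLine: 13`), so the expected region cannot show which of the two sources the writer read. At this point in the series getLocations prefers the vulnerability's locations and falls back to the package's, so the case passes whichever branch runs. Dropping `Locations` from the `ftypes.Package` entry, or giving it a different range, would make a regression in that selection fail the test. The case also goes from two locations to one, which leaves multi-location output unchecked in this entry. The table entry continues in the following hunks.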
@@ -750,26 +742,26 @@ func TestReportWriter_Sarif(t *testing.T) { InformationURI: lo.ToPtr("https://github.com/aquasecurity/trivy"), Rules: []*sarif.ReportingDescriptor{ { - ID: "CVE-2020-0001", - Name: lo.ToPtr("OsPackageVulnerability"), - ShortDescription: &sarif.MultiformatMessageString{Text: lo.ToPtr("foobar")}, - FullDescription: &sarif.MultiformatMessageString{Text: lo.ToPtr("baz")}, + ID: "CVE-2019-11358", + Name: lo.ToPtr("LanguageSpecificPackageVulnerability"), + ShortDescription: &sarif.MultiformatMessageString{Text: lo.ToPtr("jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection")}, + FullDescription: &sarif.MultiformatMessageString{Text: lo.ToPtr("jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.")}, DefaultConfiguration: &sarif.ReportingConfiguration{ - Level: "error", + Level: "warning", }, - HelpURI: lo.ToPtr("https://avd.aquasec.com/nvd/cve-2020-0001"), + HelpURI: lo.ToPtr("https://avd.aquasec.com/nvd/cve-2019-11358"), Properties: map[string]interface{}{ "tags": []interface{}{ "vulnerability", "security", - "HIGH", + "MEDIUM", }, "precision": "very-high", - "security-severity": "7.5", + "security-severity": "5.5", }, Help: &sarif.MultiformatMessageString{ - Text: lo.ToPtr("Vulnerability CVE-2020-0001\nSeverity: HIGH\nPackage: foo\nFixed Version: 3.4.5\nLink: [CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)\nbaz"), - Markdown: lo.ToPtr("**Vulnerability CVE-2020-0001**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|foo|3.4.5|[CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)|\n\nbaz"), + Text: lo.ToPtr("Vulnerability CVE-2019-11358\nSeverity: MEDIUM\nPackage: jquery\nFixed Version: 3.4.0\nLink: 
[CVE-2019-11358](https://avd.aquasec.com/nvd/cve-2019-11358)\njQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype."), + Markdown: lo.ToPtr("**Vulnerability CVE-2019-11358**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|jquery|3.4.0|[CVE-2019-11358](https://avd.aquasec.com/nvd/cve-2019-11358)|\n\njQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype."), }, }, }, 
@@ -777,36 +769,21 @@ func TestReportWriter_Sarif(t *testing.T) { }, Results: []*sarif.Result{ { - RuleID: lo.ToPtr("CVE-2020-0001"), + RuleID: lo.ToPtr("CVE-2019-11358"), RuleIndex: lo.ToPtr[uint](0), - Level: lo.ToPtr("error"), - Message: sarif.Message{Text: lo.ToPtr("Package: foo\nInstalled Version: 1.2.3\nVulnerability CVE-2020-0001\nSeverity: HIGH\nFixed Version: 3.4.5\nLink: [CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)")}, + Level: lo.ToPtr("warning"), + Message: sarif.Message{Text: lo.ToPtr("Package: jquery\nInstalled Version: 3.2.1\nVulnerability CVE-2019-11358\nSeverity: MEDIUM\nFixed Version: 3.4.0\nLink: [CVE-2019-11358](https://avd.aquasec.com/nvd/cve-2019-11358)")}, Locations: []*sarif.Location{ { - Message: &sarif.Message{Text: lo.ToPtr("library/test: foo@1.2.3")}, - PhysicalLocation: &sarif.PhysicalLocation{ - ArtifactLocation: &sarif.ArtifactLocation{ - URI: lo.ToPtr("library/test"), - URIBaseId: lo.ToPtr("ROOTPATH"), - }, - Region: &sarif.Region{ - StartLine: lo.ToPtr(15), - EndLine: lo.ToPtr(20), - StartColumn: lo.ToPtr(1), - EndColumn: lo.ToPtr(1), - }, - }, - }, - { - Message: &sarif.Message{Text: lo.ToPtr("library/test: foo@1.2.3")}, + Message: &sarif.Message{Text: lo.ToPtr("yarn.lock: jquery@3.2.1")}, PhysicalLocation: &sarif.PhysicalLocation{ ArtifactLocation: &sarif.ArtifactLocation{ - URI: lo.ToPtr("library/test"), + URI: lo.ToPtr("yarn.lock"), URIBaseId: lo.ToPtr("ROOTPATH"), }, Region: &sarif.Region{ - StartLine: lo.ToPtr(30), - EndLine: lo.ToPtr(35), + StartLine: lo.ToPtr(10), + EndLine: lo.ToPtr(13), StartColumn: lo.ToPtr(1), EndColumn: lo.ToPtr(1), }, @@ -822,11 +799,7 @@ func TestReportWriter_Sarif(t *testing.T) { }, }, PropertyBag: sarif.PropertyBag{ - Properties: map[string]interface{}{ - "imageName": "debian:9", - "repoDigests": []interface{}{"debian@sha256:a8cc1744bbdd5266678e3e8b3e6387e45c053218438897e86876f2eb104e5534"}, - "repoTags": []interface{}{"debian:9"}, - }, + Properties: nil, }, }, }, 
From 595039eb30f7466cbec86f30648aa89e74d950c5 Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Wed, 20 Mar 2024 11:15:11 +0530 Subject: [PATCH 06/12] updated sarif.go to use vulnerabity location --- pkg/report/sarif.go | 34 +++++++--------------------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go index c217f526ec1..e4defe0602a 100644 --- a/pkg/report/sarif.go +++ b/pkg/report/sarif.go @@ -165,7 +165,7 @@ func (sw *SarifWriter) Write(ctx context.Context, report types.Report) error { resourceClass: res.Class, artifactLocation: path, locationMessage: fmt.Sprintf("%v: %v@%v", path, vuln.PkgName, vuln.InstalledVersion), - locations: sw.getLocations(vuln.PkgName, vuln.InstalledVersion, path, res.Packages, vuln.Locations), + locations: sw.getLocations(vuln.Locations), resultIndex: getRuleIndex(vuln.VulnerabilityID, ruleIndexes), shortDescription: html.EscapeString(vuln.Title), fullDescription: html.EscapeString(fullDescription), 
@@ -346,34 +346,14 @@ func clearURI(s string) string { return strings.ReplaceAll(strings.ReplaceAll(s, "\\", "/"), "git::https:/", "") } -func (sw *SarifWriter) getLocations(name, version, path string, pkgs []ftypes.Package, vulnLocations []ftypes.Location) []location { - id := fmt.Sprintf("%s@%s@%s", path, name, version) - if locs, ok := sw.locationCache[id]; ok { - return locs - } +func (sw *SarifWriter) getLocations(vulnLocations []ftypes.Location) []location { var locs []location - if len(vulnLocations) != 0 { - for _, loc := range vulnLocations { - locs = append(locs, location{ - startLine: loc.StartLine, - endLine: loc.EndLine, - }) - } - } else { - for _, pkg := range pkgs { - if name == pkg.Name && version == pkg.Version { - for _, l := range pkg.Locations { - loc := location{ - startLine: l.StartLine, - endLine: l.EndLine, - } - locs = append(locs, loc) - } - break - } - } + for _, loc := range vulnLocations { + locs = append(locs, location{ + startLine: loc.StartLine, + endLine: loc.EndLine, + }) } - sw.locationCache[id] = locs return locs } From 925ab6c34788dc988b9f90d03f9825964cc01da8 Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Wed, 20 Mar 2024 11:23:39 +0530 Subject: [PATCH 07/12] updated sarif.go to use vulnerabity location --- pkg/report/sarif_test.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go index 55833c3ce94..0e0f35b8597 100644 --- a/pkg/report/sarif_test.go +++ b/pkg/report/sarif_test.go @@ -64,6 +64,16 @@ func TestReportWriter_Sarif(t *testing.T) { FixedVersion: "3.4.5", PrimaryURL: "https://avd.aquasec.com/nvd/cve-2020-0001", SeveritySource: "redhat", + Locations: []ftypes.Location{ + { + StartLine: 5, + EndLine: 10, + }, + { + StartLine: 15, + EndLine: 20, + }, + }, Vulnerability: dbTypes.Vulnerability{ Title: "foobar", Description: "baz", From 8dc5a918af5880843147ae601d08a969aa648583 Mon Sep 17 00:00:00 2001 
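Review bot: getLocations no longer falls back to the matching package's `Locations` when `vulnLocations` is empty, so a result whose `DetectedVulnerability.Locations` was never filled now gets an empty location list from this function, where it previously got the package's line ranges. If every producer of detected vulnerabilities is expected to set the field, state that contract in a doc comment such as `// getLocations converts the line ranges recorded on a vulnerability into SARIF locations; it returns nil when none were recorded.` The method also no longer reads `sw`, so it could become a plain function, `func getLocations(vulnLocations []ftypes.Location) []location`. The `locationCache` field looks unused after this change if nothing outside the hunk touches it. The matching call site is the `locations:` line in the Write hunk of the same patch.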
From: Syed Parvez Date: Thu, 21 Mar 2024 06:07:39 +0530 Subject: [PATCH 08/12] fixed integration test failures for dockerclient --- integration/docker_engine_test.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/integration/docker_engine_test.go b/integration/docker_engine_test.go index 35122b51c90..719e1b8f319 100644 --- a/integration/docker_engine_test.go +++ b/integration/docker_engine_test.go @@ -5,12 +5,13 @@ package integration import ( "context" - "github.com/aquasecurity/trivy/pkg/types" "io" "os" "strings" "testing" + "github.com/aquasecurity/trivy/pkg/types" + api "github.com/docker/docker/api/types" "github.com/docker/docker/client" "github.com/stretchr/testify/assert" @@ -208,7 +209,7 @@ func TestDockerEngine(t *testing.T) { name: "busybox with Cargo.lock", imageTag: "ghcr.io/aquasecurity/trivy-test-images:busybox-with-lockfile", input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz", - golden: "testdata/busybox-with-lockfile.json.golden", + golden: "testdata/busybox-with-lockfile-and-location-data.json.golden", }, { name: "sad path, invalid image", From 5fc788f08ca1e65e041a601e815b0756401ba568 Mon Sep 17 00:00:00 2001 
From: Syed Parvez Date: Fri, 22 Mar 2024 07:25:57 +0530 Subject: [PATCH 09/12] update rpc/client_server with location data and fix testcases --- integration/docker_engine_test.go | 2 +- integration/repo_test.go | 2 +- integration/standalone_tar_test.go | 2 +- ...ith-lockfile-and-location-data.json.golden | 162 ------------------ .../busybox-with-lockfile.json.golden | 12 ++ .../pom-with-location-data.json.golden | 159 ----------------- integration/testdata/pom.json.golden | 12 ++ integration/testdata/test-repo.json.golden | 8 + pkg/rpc/convert.go | 26 +++ pkg/rpc/convert_test.go | 70 ++++++++ rpc/common/service.proto | 1 + 11 files changed, 132 insertions(+), 324 deletions(-) delete mode 100644 integration/testdata/busybox-with-lockfile-and-location-data.json.golden delete mode 100644 integration/testdata/pom-with-location-data.json.golden diff --git a/integration/docker_engine_test.go b/integration/docker_engine_test.go index 719e1b8f319..b511efd684c 100644 --- a/integration/docker_engine_test.go +++ b/integration/docker_engine_test.go @@ -209,7 +209,7 @@ func TestDockerEngine(t *testing.T) { name: "busybox with Cargo.lock", imageTag: "ghcr.io/aquasecurity/trivy-test-images:busybox-with-lockfile", input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz", - golden: "testdata/busybox-with-lockfile-and-location-data.json.golden", + golden: "testdata/busybox-with-lockfile.json.golden", }, { name: "sad path, invalid image", diff --git a/integration/repo_test.go b/integration/repo_test.go index 471256d6515..e7a9cd72978 100644 --- a/integration/repo_test.go +++ b/integration/repo_test.go @@ -144,7 +144,7 @@ func TestRepository(t *testing.T) { scanner: types.VulnerabilityScanner, input: "testdata/fixtures/repo/pom", }, - golden: "testdata/pom-with-location-data.json.golden", + golden: "testdata/pom.json.golden", }, { name: "gradle", diff --git a/integration/standalone_tar_test.go b/integration/standalone_tar_test.go index a7bfbfc84f8..0d16990bda9 100644 
--- a/integration/standalone_tar_test.go +++ b/integration/standalone_tar_test.go @@ -345,7 +345,7 @@ func TestTar(t *testing.T) { Format: types.FormatJSON, Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz", }, - golden: "testdata/busybox-with-lockfile-and-location-data.json.golden", + golden: "testdata/busybox-with-lockfile.json.golden", }, { name: "fluentd with RubyGems", diff --git a/integration/testdata/busybox-with-lockfile-and-location-data.json.golden b/integration/testdata/busybox-with-lockfile-and-location-data.json.golden deleted file mode 100644 index 0e85c1cc3f1..00000000000 --- a/integration/testdata/busybox-with-lockfile-and-location-data.json.golden +++ /dev/null 
@@ -1,162 +0,0 @@ -{ - "SchemaVersion": 2, - "CreatedAt": "2021-08-25T12:20:30.000000005Z", - "ArtifactName": "testdata/fixtures/images/busybox-with-lockfile.tar.gz", - "ArtifactType": "container_image", - "Metadata": { - "ImageID": "sha256:88702f6b6133bf06cc46af48437d0c0fc661239155548757c65916504a0e5eee", - "DiffIDs": [ - "sha256:797ac4999b67d8c38a596919efa5b7b6a4a8fd5814cb8564efa482c5d8403e6d", - "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" - ], - "ImageConfig": { - "architecture": "amd64", - "created": "2022-06-07T04:24:40.230164Z", - "docker_version": "20.10.14", - "history": [ - { - "created": "2022-03-11T20:19:46.778911455Z", - "created_by": "/bin/sh -c #(nop) ADD file:39f6523fbc03f554a59461a34850d68c31cd5822e5a6fddf2d0ea198ed9a11c4 in / " - }, - { - "created": "2022-03-11T20:19:46.866228701Z", - "created_by": "/bin/sh -c #(nop) CMD [\"sh\"]", - "empty_layer": true - }, - { - "created": "2022-06-07T04:24:40.230164Z", - "created_by": "/bin/sh -c #(nop) COPY file:343df0159abcc51b06b4e56bfd4c06d2003b88947ed93b0cec6214ae5985669e in . 
" - } - ], - "os": "linux", - "rootfs": { - "type": "layers", - "diff_ids": [ - "sha256:797ac4999b67d8c38a596919efa5b7b6a4a8fd5814cb8564efa482c5d8403e6d", - "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" - ] - }, - "config": { - "Cmd": [ - "sh" - ], - "Env": [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" - ], - "Image": "sha256:2fb6fc2d97e10c79983aa10e013824cc7fc8bae50630e32159821197dda95fe3" - } - } - }, - "Results": [ - { - "Target": "Cargo.lock", - "Class": "lang-pkgs", - "Type": "cargo", - "Vulnerabilities": [ - { - "VulnerabilityID": "CVE-2019-15542", - "PkgID": "ammonia@1.9.0", - "PkgName": "ammonia", - "PkgIdentifier": { - "PURL": "pkg:cargo/ammonia@1.9.0" - }, - "Locations": [ - { - "StartLine": 2, - "EndLine": 13 - } - ], - "InstalledVersion": "1.9.0", - "FixedVersion": "\u003e= 2.1.0", - "Status": "fixed", - "Layer": { - "Digest": "sha256:fd2e3bc9bccc9c677572a542d020998389de94f127ca2c252ae627fc7c241cee", - "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15542", - "DataSource": { - "Name": "RustSec Advisory Database", - "URL": "https://github.com/RustSec/advisory-db" - }, - "Title": "Uncontrolled recursion leads to abort in HTML serialization", - "Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. 
There is uncontrolled recursion during HTML DOM tree serialization.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-674" - ], - "VendorSeverity": { - "nvd": 3 - }, - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", - "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "V2Score": 5, - "V3Score": 7.5 - } - }, - "References": [ - "https://crates.io/crates/ammonia", - "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210", - "https://rustsec.org/advisories/RUSTSEC-2019-0001.html" - ], - "PublishedDate": "2019-08-26T18:15:00Z", - "LastModifiedDate": "2020-08-24T17:37:00Z" - }, - { - "VulnerabilityID": "CVE-2021-38193", - "PkgID": "ammonia@1.9.0", - "PkgName": "ammonia", - "PkgIdentifier": { - "PURL": "pkg:cargo/ammonia@1.9.0" - }, - "Locations": [ - { - "StartLine": 2, - "EndLine": 13 - } - ], - "InstalledVersion": "1.9.0", - "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0", - "Status": "fixed", - "Layer": { - "Digest": "sha256:fd2e3bc9bccc9c677572a542d020998389de94f127ca2c252ae627fc7c241cee", - "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f" - }, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-38193", - "DataSource": { - "Name": "RustSec Advisory Database", - "URL": "https://github.com/RustSec/advisory-db" - }, - "Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS", - "Description": "An issue was discovered in the ammonia crate before 3.1.0 for Rust. 
XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.", - "Severity": "MEDIUM", - "CweIDs": [ - "CWE-79" - ], - "VendorSeverity": { - "nvd": 2 - }, - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "V2Score": 4.3, - "V3Score": 6.1 - } - }, - "References": [ - "https://crates.io/crates/ammonia", - "https://github.com/rust-ammonia/ammonia/pull/142", - "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/ammonia/RUSTSEC-2021-0074.md", - "https://rustsec.org/advisories/RUSTSEC-2021-0074.html" - ], - "PublishedDate": "2021-08-08T06:15:00Z", - "LastModifiedDate": "2021-08-16T16:37:00Z" - } - ] - } - ] -} diff --git a/integration/testdata/busybox-with-lockfile.json.golden b/integration/testdata/busybox-with-lockfile.json.golden index 520afe2de92..0e85c1cc3f1 100644 --- a/integration/testdata/busybox-with-lockfile.json.golden +++ b/integration/testdata/busybox-with-lockfile.json.golden @@ -60,6 +60,12 @@ "PkgIdentifier": { "PURL": "pkg:cargo/ammonia@1.9.0" }, + "Locations": [ + { + "StartLine": 2, + "EndLine": 13 + } + ], "InstalledVersion": "1.9.0", "FixedVersion": "\u003e= 2.1.0", "Status": "fixed", @@ -105,6 +111,12 @@ "PkgIdentifier": { "PURL": "pkg:cargo/ammonia@1.9.0" }, + "Locations": [ + { + "StartLine": 2, + "EndLine": 13 + } + ], "InstalledVersion": "1.9.0", "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0", "Status": "fixed", diff --git a/integration/testdata/pom-with-location-data.json.golden b/integration/testdata/pom-with-location-data.json.golden deleted file mode 100644 index 705a178af69..00000000000 --- a/integration/testdata/pom-with-location-data.json.golden +++ /dev/null 
@@ -1,159 +0,0 @@ -{ - "SchemaVersion": 2, - "CreatedAt": "2021-08-25T12:20:30.000000005Z", - "ArtifactName": "testdata/fixtures/repo/pom", - "ArtifactType": "repository", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, - "Results": [ - { - "Target": "pom.xml", - "Class": "lang-pkgs", - "Type": "pom", - "Vulnerabilities": [ - { - "VulnerabilityID": "CVE-2020-9548", - "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1", - "PkgName": "com.fasterxml.jackson.core:jackson-databind", - "PkgIdentifier": { - "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" - }, - "Locations": [ - { - "StartLine": 41, - "EndLine": 45 - } - ], - "InstalledVersion": "2.9.1", - "FixedVersion": "2.9.10.4", - "Status": "fixed", - "Layer": {}, - "SeveritySource": "ghsa", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-9548", - "DataSource": { - "ID": "ghsa", - "Name": "GitHub Security Advisory Maven", - "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven" - }, - "Title": "jackson-databind: Serialization gadgets in anteros-core", - "Description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", - "Severity": "CRITICAL", - "CweIDs": [ - "CWE-502" - ], - "VendorSeverity": { - "ghsa": 4, - "nvd": 4, - "redhat": 3 - }, - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", - "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 6.8, - "V3Score": 9.8 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 8.1 - } - }, - "References": [ - "https://access.redhat.com/security/cve/CVE-2020-9548", - "https://github.com/FasterXML/jackson-databind/issues/2634", - 
"https://github.com/advisories/GHSA-p43x-xfjf-5jhr", - "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html", - "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062", - "https://nvd.nist.gov/vuln/detail/CVE-2020-9548", - "https://security.netapp.com/advisory/ntap-20200904-0006/", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "PublishedDate": "2020-03-02T04:15:00Z", - "LastModifiedDate": "2021-12-02T21:23:00Z" - }, - { - "VulnerabilityID": "CVE-2021-20190", - "PkgID": "com.fasterxml.jackson.core:jackson-databind:2.9.1", - "PkgName": "com.fasterxml.jackson.core:jackson-databind", - "PkgIdentifier": { - "PURL": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" - }, - "Locations": [ - { - "StartLine": 41, - "EndLine": 45 - } - ], - "InstalledVersion": "2.9.1", - "FixedVersion": "2.9.10.7", - "Status": "fixed", - "Layer": {}, - "SeveritySource": "nvd", - "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20190", - "DataSource": { - "ID": "glad", - "Name": "GitLab Advisory Database Community", - "URL": "https://gitlab.com/gitlab-org/advisories-community" - }, - "Title": "jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing", - "Description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", - "Severity": "HIGH", - "CweIDs": [ - "CWE-502" - ], - "VendorSeverity": { - "ghsa": 3, - "nvd": 3, - "redhat": 3 - }, - "CVSS": { - "nvd": { - "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C", - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V2Score": 8.3, - "V3Score": 8.1 - }, - "redhat": { - "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "V3Score": 8.1 - } - }, - "References": [ - "https://access.redhat.com/security/cve/CVE-2021-20190", - "https://bugzilla.redhat.com/show_bug.cgi?id=1916633", - "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a", - "https://github.com/FasterXML/jackson-databind/issues/2854", - "https://github.com/advisories/GHSA-5949-rw7g-wx7w", - "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-20190", - "https://security.netapp.com/advisory/ntap-20210219-0008/" - ], - "PublishedDate": "2021-01-19T17:15:00Z", - "LastModifiedDate": 
"2021-07-20T23:15:00Z" - } - ] - } - ] -} diff --git a/integration/testdata/pom.json.golden b/integration/testdata/pom.json.golden index 244817f1e4c..705a178af69 100644 --- a/integration/testdata/pom.json.golden +++ b/integration/testdata/pom.json.golden @@ -28,6 +28,12 @@ "PkgIdentifier": { "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" }, + "Locations": [ + { + "StartLine": 41, + "EndLine": 45 + } + ], "InstalledVersion": "2.9.1", "FixedVersion": "2.9.10.4", "Status": "fixed", @@ -93,6 +99,12 @@ "PkgIdentifier": { "PURL": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1" }, + "Locations": [ + { + "StartLine": 41, + "EndLine": 45 + } + ], "InstalledVersion": "2.9.1", "FixedVersion": "2.9.10.7", "Status": "fixed", diff --git a/integration/testdata/test-repo.json.golden b/integration/testdata/test-repo.json.golden index e1ebd91418f..7a3e9cef7cd 100644 --- a/integration/testdata/test-repo.json.golden +++ b/integration/testdata/test-repo.json.golden @@ -28,6 +28,10 @@ "PkgIdentifier": { "PURL": "pkg:cargo/ammonia@1.9.0" }, + "Locations": [{ + "StartLine": 2, + "EndLine": 13 + }], "InstalledVersion": "1.9.0", "FixedVersion": "\u003e= 2.1.0", "Status": "fixed", @@ -70,6 +74,10 @@ "PkgIdentifier": { "PURL": "pkg:cargo/ammonia@1.9.0" }, + "Locations": [{ + "StartLine": 2, + "EndLine": 13 + }], "InstalledVersion": "1.9.0", "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0", "Status": "fixed", diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go index 5e21e4e1ce4..625c5cb4d9e 100644 --- a/pkg/rpc/convert.go +++ b/pkg/rpc/convert.go @@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package { DependsOn: pkg.DependsOn, Digest: pkg.Digest.String(), Indirect: pkg.Indirect, + Locations: ConvertToRPCLocations(pkg.Locations), }) } return rpcPkgs 
@@ -225,6 +226,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
 DependsOn: pkg.DependsOn,
 Digest: digest.Digest(pkg.Digest),
 Indirect: pkg.Indirect,
+ Locations: ConvertFromRPCLocations(pkg.Locations),
 })
 }
 return pkgs
@@ -325,6 +327,7 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
 CustomAdvisoryData: customAdvisoryData,
 CustomVulnData: customVulnData,
 DataSource: ConvertToRPCDataSource(vuln.DataSource),
+ Locations: ConvertToRPCLocations(vuln.Locations),
 })
 }
 return rpcVulns
@@ -612,6 +615,7 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
 PrimaryURL: vuln.PrimaryUrl,
 Custom: vuln.CustomAdvisoryData.AsInterface(),
 DataSource: ConvertFromRPCDataSource(vuln.DataSource),
+ Locations: ConvertFromRPCLocations(vuln.Locations),
 })
 }
 return vulns
@@ -1007,3 +1011,25 @@ func ConvertFromDeleteBlobsRequest(deleteBlobsRequest *cache.DeleteBlobsRequest)
 }
 return deleteBlobsRequest.GetBlobIds()
 }
+
+func ConvertFromRPCLocations(rpcPkgLocations *common.Locations) []ftypes.Location {
+ var parsedLocations []ftypes.Location
+ for _, loc := range rpcPkgLocations.GetLocation() {
+ parsedLocations = append(parsedLocations, ftypes.Location{
+ StartLine: int(loc.GetStartLine()),
+ EndLine: int(loc.GetEndLine()),
+ })
+ }
+ return parsedLocations
+}
+
+func ConvertToRPCLocations(pkgLocations []ftypes.Location) *common.Locations {
+ var rpcLocations []*common.Location
+ for _, loc := range pkgLocations {
+ rpcLocations = append(rpcLocations, &common.Location{
+ StartLine: int32(loc.StartLine),
+ EndLine: int32(loc.EndLine),
+ })
+ }
+ return &common.Locations{Location: rpcLocations}
+}
diff --git a/pkg/rpc/convert_test.go b/pkg/rpc/convert_test.go
index a74f8eecb99..2506dcd97c2 100644
--- a/pkg/rpc/convert_test.go
+++ b/pkg/rpc/convert_test.go
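Review bot: `ConvertFromRPCLocations` in the `@@ -1007` hunk copies `StartLine` and `EndLine` straight from the RPC message with no range check, and `ConvertToRPCLocations` narrows `int` to `int32` with a plain conversion, which wraps silently for an out-of-range value. These numbers cross the RPC boundary and, going by the sarif.go change earlier in this series, are emitted as report line ranges, so I would drop an inverted or non-positive range where it is decoded: `if loc.GetStartLine() < 1 || loc.GetEndLine() < loc.GetStartLine() { continue }` as the first statement of the loop (assuming 0 is not a meaningful line here). `ConvertToRPCLocations` also returns a non-nil `&common.Locations{}` even for an empty input, so every package and vulnerability without locations gets an empty message set; `if len(pkgLocations) == 0 { return nil }` avoids that. Both functions are exported without a doc comment; a line such as `// ConvertFromRPCLocations converts RPC locations to ftypes.Location values.` on each would match Go convention.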
@@ -53,6 +53,12 @@ func TestConvertToRpcPkgs(t *testing.T) {
 Digest: "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc",
 DiffID: "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7",
 },
+ Locations: []ftypes.Location{
+ {
+ StartLine: 10,
+ EndLine: 12,
+ },
+ },
 Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
 Indirect: true,
 },
@@ -84,6 +90,14 @@ func TestConvertToRpcPkgs(t *testing.T) {
 Digest: "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc",
 DiffId: "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7",
 },
+ Locations: &common.Locations{
+ Location: []*common.Location{
+ {
+ StartLine: 10,
+ EndLine: 12,
+ },
+ },
+ },
 Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
 Indirect: true,
 },
@@ -135,6 +149,14 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 Digest: "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc",
 DiffId: "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7",
 },
+ Locations: &common.Locations{
+ Location: []*common.Location{
+ {
+ StartLine: 10,
+ EndLine: 12,
+ },
+ },
+ },
 Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
 Indirect: true,
 },
@@ -168,6 +190,12 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 },
 Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
 Indirect: true,
+ Locations: []ftypes.Location{
+ {
+ StartLine: 10,
+ EndLine: 12,
+ },
+ },
 },
 },
 },
@@ -220,6 +248,12 @@ func TestConvertToRpcVulns(t *testing.T) {
 PublishedDate: &fixedPublishedDate,
 LastModifiedDate: &fixedLastModifiedDate,
 },
+ Locations: []ftypes.Location{
+ {
+ StartLine: 15,
+ EndLine: 20,
+ },
+ },
 Layer: ftypes.Layer{
 Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 DiffID: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
@@ -257,6 +291,14 @@ func TestConvertToRpcVulns(t *testing.T) {
 Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 },
+ Locations: &common.Locations{
+ Location: []*common.Location{
+ {
+ StartLine: 15,
+ EndLine: 20,
+ },
+ },
+ },
 PrimaryUrl: "https://avd.aquasec.com/nvd/CVE-2019-0001",
 PublishedDate: timestamppb.New(fixedPublishedDate),
 LastModifiedDate: timestamppb.New(fixedLastModifiedDate),
@@ -286,6 +328,12 @@ func TestConvertToRpcVulns(t *testing.T) {
 Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 DiffID: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 },
+ Locations: []ftypes.Location{
+ {
+ StartLine: 15,
+ EndLine: 20,
+ },
+ },
 DataSource: &dbTypes.DataSource{
 Name: "GitHub Security Advisory Maven",
 URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
@@ -309,6 +357,14 @@ func TestConvertToRpcVulns(t *testing.T) {
 Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 },
+ Locations: &common.Locations{
+ Location: []*common.Location{
+ {
+ StartLine: 15,
+ EndLine: 20,
+ },
+ },
+ },
 DataSource: &common.DataSource{
 Name: "GitHub Security Advisory Maven",
 Url: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
@@ -374,6 +430,14 @@ func TestConvertFromRPCResults(t *testing.T) {
 Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 },
+ Locations: &common.Locations{
+ Location: []*common.Location{
+ {
+ StartLine: 15,
+ EndLine: 20,
+ },
+ },
+ },
 PrimaryUrl: "https://avd.aquasec.com/nvd/CVE-2019-0001",
 PublishedDate: timestamppb.New(fixedPublishedDate),
 LastModifiedDate: timestamppb.New(fixedLastModifiedDate),
@@ -425,6 +489,12 @@ func TestConvertFromRPCResults(t *testing.T) { PublishedDate: &fixedPublishedDate, LastModifiedDate: &fixedLastModifiedDate, }, + Locations: []ftypes.Location{ + { + StartLine: 15, + EndLine: 20, + }, + }, DataSource: &dbTypes.DataSource{ Name: "GitHub Security Advisory Maven", URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", diff --git a/rpc/common/service.proto b/rpc/common/service.proto index d5c1472b4ae..9d68cd055d7 100644 --- a/rpc/common/service.proto +++ b/rpc/common/service.proto @@ -138,6 +138,7 @@ message Vulnerability { string pkg_path = 22; string pkg_id = 23; int32 status = 24; + repeated Location locations = 26; } message DataSource { From 52b84ac05c6a7a8daf17c74f2e0da360df5b3c21 Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Sat, 23 Mar 2024 17:44:55 +0530 Subject: [PATCH 10/12] updated server_test.go --- pkg/rpc/server/server_test.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/pkg/rpc/server/server_test.go b/pkg/rpc/server/server_test.go index 3022ff2cdf0..c966c625122 100644 --- a/pkg/rpc/server/server_test.go +++ b/pkg/rpc/server/server_test.go @@ -81,6 +81,12 @@ func TestScanServer_Scan(t *testing.T) { LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"), PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"), }, + Locations: []ftypes.Location{ + { + StartLine: 33, + EndLine: 38, + }, + }, PrimaryURL: "https://avd.aquasec.com/nvd/cve-2019-0001", DataSource: &dbTypes.DataSource{ Name: "DOS vulnerabilities", @@ -127,6 +133,14 @@ func TestScanServer_Scan(t *testing.T) { LastModifiedDate: ×tamp.Timestamp{ Seconds: 1577840460, }, + Locations: &common.Locations{ + Location: []*common.Location{ + { + StartLine: 33, + EndLine: 38, + }, + }, + }, PublishedDate: ×tamp.Timestamp{ Seconds: 978310860, }, From 318a010051e7d82cfb32a89cae2526f551e685fd Mon Sep 17 00:00:00 2001 
From: Syed Parvez Date: Mon, 25 Mar 2024 06:57:43 +0530 Subject: [PATCH 11/12] fixed integration test --- pkg/rpc/convert.go | 17 +- pkg/rpc/server/server_test.go | 10 +- rpc/common/service.pb.go | 365 ++++++++++++++++++---------------- 3 files changed, 195 insertions(+), 197 deletions(-) diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go index 625c5cb4d9e..852bd877280 100644 --- a/pkg/rpc/convert.go +++ b/pkg/rpc/convert.go @@ -71,7 +71,6 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package { DependsOn: pkg.DependsOn, Digest: pkg.Digest.String(), Indirect: pkg.Indirect, - Locations: ConvertToRPCLocations(pkg.Locations), }) } return rpcPkgs @@ -226,7 +225,6 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package { DependsOn: pkg.DependsOn, Digest: digest.Digest(pkg.Digest), Indirect: pkg.Indirect, - Locations: ConvertFromRPCLocations(pkg.Locations), }) } return pkgs @@ -1012,9 +1010,9 @@ func ConvertFromDeleteBlobsRequest(deleteBlobsRequest *cache.DeleteBlobsRequest) return deleteBlobsRequest.GetBlobIds() } -func ConvertFromRPCLocations(rpcPkgLocations *common.Locations) []ftypes.Location { +func ConvertFromRPCLocations(rpcPkgLocations []*common.Location) []ftypes.Location { var parsedLocations []ftypes.Location - for _, loc := range rpcPkgLocations.GetLocation() { + for _, loc := range rpcPkgLocations { parsedLocations = append(parsedLocations, ftypes.Location{ StartLine: int(loc.GetStartLine()), EndLine: int(loc.GetEndLine()), @@ -1022,14 +1020,3 @@ func ConvertFromRPCLocations(rpcPkgLocations *common.Locations) []ftypes.Locatio } return parsedLocations } - -func ConvertToRPCLocations(pkgLocations []ftypes.Location) *common.Locations { - var rpcLocations []*common.Location - for _, loc := range pkgLocations { - rpcLocations = append(rpcLocations, &common.Location{ - StartLine: int32(loc.StartLine), - EndLine: int32(loc.EndLine), - }) - } - return &common.Locations{Location: rpcLocations} -} 
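Review bot: `ConvertToRPCVulns` still appears to call `ConvertToRPCLocations(vuln.Locations)` (the call was added by the earlier convert.go patch in this series and no hunk here touches it), while the `@@ -1022` hunk removes that function; unless another definition exists outside this diff, pkg/rpc will not compile after this commit. With `Vulnerability.Locations` now a `[]*common.Location`, the encoder needs a counterpart to the new decoder signature in the `@@ -1012` hunk, for example `func ConvertToRPCLocations(locs []ftypes.Location) []*common.Location`, rather than no function at all. The two `Locations:` lines removed at `@@ -71` and `@@ -225` were only introduced by that earlier patch, so squashing this fix into it would keep every commit in the series buildable and bisectable. The body of `ConvertFromRPCLocations` is only partly inside the `@@ -1012` hunk, so the rest of it should be checked against the new slice parameter as well.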
diff --git a/pkg/rpc/server/server_test.go b/pkg/rpc/server/server_test.go index c966c625122..602c3f11aca 100644 --- a/pkg/rpc/server/server_test.go +++ b/pkg/rpc/server/server_test.go @@ -133,12 +133,10 @@ func TestScanServer_Scan(t *testing.T) { LastModifiedDate: ×tamp.Timestamp{ Seconds: 1577840460, }, - Locations: &common.Locations{ - Location: []*common.Location{ - { - StartLine: 33, - EndLine: 38, - }, + Locations: []*common.Location{ + { + StartLine: 33, + EndLine: 38, }, }, PublishedDate: ×tamp.Timestamp{ diff --git a/rpc/common/service.pb.go b/rpc/common/service.pb.go index 0174ab2c7f5..736f32be6fc 100644 --- a/rpc/common/service.pb.go +++ b/rpc/common/service.pb.go @@ -1191,6 +1191,7 @@ type Vulnerability struct { PkgPath string `protobuf:"bytes,22,opt,name=pkg_path,json=pkgPath,proto3" json:"pkg_path,omitempty"` PkgId string `protobuf:"bytes,23,opt,name=pkg_id,json=pkgId,proto3" json:"pkg_id,omitempty"` Status int32 `protobuf:"varint,24,opt,name=status,proto3" json:"status,omitempty"` + Locations []*Location `protobuf:"bytes,26,rep,name=locations,proto3" json:"locations,omitempty"` } func (x *Vulnerability) Reset() { @@ -1393,6 +1394,13 @@ func (x *Vulnerability) GetStatus() int32 { return 0 } +func (x *Vulnerability) GetLocations() []*Location { + if x != nil { + return x.Locations + } + return nil +} + type DataSource struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -2547,7 +2555,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{ 0x64, 0x61, 0x74, 0x61, 0x12, 0x15, 0x0a, 0x06, 0x61, 0x76, 0x64, 0x5f, 0x69, 0x64, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x61, 0x76, 0x64, 0x49, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x71, 0x75, 0x65, 0x72, 0x79, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x71, 0x75, 0x65, 0x72, - 0x79, 0x22, 0xff, 0x09, 0x0a, 0x0d, 0x56, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, + 0x79, 0x22, 0xb5, 0x0a, 0x0a, 0x0d, 0x56, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x29, 0x0a, 0x10, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x75, 0x6c, 0x6e, 0x65, 0x72, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x49, 0x64, 0x12, 0x19, 
@@ -2616,163 +2624,167 @@ var file_rpc_common_service_proto_rawDesc = []byte{ 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6b, 0x67, 0x50, 0x61, 0x74, 0x68, 0x12, 0x15, 0x0a, 0x06, 0x70, 0x6b, 0x67, 0x5f, 0x69, 0x64, 0x18, 0x17, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x70, 0x6b, 0x67, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x18, 0x20, - 0x01, 0x28, 0x05, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x1a, 0x4b, 0x0a, 0x09, 0x43, - 0x76, 0x73, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x28, 0x0a, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, - 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x56, 0x53, 0x53, 0x52, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x59, 0x0a, 0x13, 0x56, 0x65, 0x6e, 0x64, - 0x6f, 0x72, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, - 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, - 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x16, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, - 0x02, 0x38, 0x01, 0x22, 0x42, 0x0a, 0x0a, 0x44, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, - 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, - 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x57, 0x0a, 0x05, 0x4c, 0x61, 0x79, 0x65, 0x72, - 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 
0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x17, 0x0a, 0x07, 0x64, 0x69, 0x66, 0x66, - 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x66, 0x66, 0x49, - 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x62, 0x79, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x42, 0x79, - 0x22, 0xc3, 0x01, 0x0a, 0x0d, 0x43, 0x61, 0x75, 0x73, 0x65, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x1a, - 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x08, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x74, 0x61, 0x72, 0x74, 0x5f, 0x6c, 0x69, - 0x6e, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x4c, - 0x69, 0x6e, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x07, 0x65, 0x6e, 0x64, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x26, - 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, - 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x6f, 0x64, 0x65, - 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x22, 0x76, 0x0a, 0x04, 0x43, 0x56, 0x53, 0x53, 0x12, 0x1b, - 0x0a, 0x09, 0x76, 0x32, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x08, 0x76, 0x32, 0x56, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, - 0x33, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, - 
0x76, 0x33, 0x56, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x32, 0x5f, 0x73, - 0x63, 0x6f, 0x72, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x32, 0x53, 0x63, - 0x6f, 0x72, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x33, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x33, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x22, 0x98, - 0x01, 0x0a, 0x0e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, - 0x65, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, - 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, - 0x74, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x2a, 0x0a, - 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0xf3, 0x01, 0x0a, 0x04, 0x4c, 0x69, - 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x05, 0x52, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, - 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e, - 0x74, 0x65, 0x6e, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x73, 0x5f, 0x63, 0x61, 0x75, 0x73, 0x65, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x69, 0x73, 0x43, 0x61, 0x75, 0x73, 0x65, 0x12, - 0x1e, 0x0a, 0x0a, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 
0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, - 0x1c, 0x0a, 0x09, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61, 0x74, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, - 0x28, 0x08, 0x52, 0x09, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x20, 0x0a, - 0x0b, 0x68, 0x69, 0x67, 0x68, 0x6c, 0x69, 0x67, 0x68, 0x74, 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0b, 0x68, 0x69, 0x67, 0x68, 0x6c, 0x69, 0x67, 0x68, 0x74, 0x65, 0x64, 0x12, - 0x1f, 0x0a, 0x0b, 0x66, 0x69, 0x72, 0x73, 0x74, 0x5f, 0x63, 0x61, 0x75, 0x73, 0x65, 0x18, 0x07, - 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x66, 0x69, 0x72, 0x73, 0x74, 0x43, 0x61, 0x75, 0x73, 0x65, - 0x12, 0x1d, 0x0a, 0x0a, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x63, 0x61, 0x75, 0x73, 0x65, 0x18, 0x08, - 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x6c, 0x61, 0x73, 0x74, 0x43, 0x61, 0x75, 0x73, 0x65, 0x22, - 0x30, 0x0a, 0x04, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x28, 0x0a, 0x05, 0x6c, 0x69, 0x6e, 0x65, 0x73, - 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, - 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x6e, 0x65, 0x52, 0x05, 0x6c, 0x69, 0x6e, 0x65, - 0x73, 0x22, 0x9f, 0x02, 0x0a, 0x0d, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, - 0x69, 0x6e, 0x67, 0x12, 0x17, 0x0a, 0x07, 0x72, 0x75, 0x6c, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x75, 0x6c, 0x65, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, - 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, - 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65, 0x76, 0x65, - 0x72, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, - 0x72, 0x69, 0x74, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x69, 0x74, 0x6c, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x74, - 0x61, 0x72, 0x74, 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x05, 0x20, 0x01, 
0x28, 0x05, 0x52, 0x09, + 0x01, 0x28, 0x05, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x34, 0x0a, 0x09, 0x6c, + 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x1a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, + 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x1a, 0x4b, 0x0a, 0x09, 0x43, 0x76, 0x73, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, + 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, + 0x12, 0x28, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, + 0x56, 0x53, 0x53, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x59, + 0x0a, 0x13, 0x56, 0x65, 0x6e, 0x64, 0x6f, 0x72, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, + 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x52, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x42, 0x0a, 0x0a, 0x44, 0x61, 0x74, + 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, + 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x22, 0x57, 0x0a, + 0x05, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, + 0x18, 0x01, 
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x17, + 0x0a, 0x07, 0x64, 0x69, 0x66, 0x66, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x06, 0x64, 0x69, 0x66, 0x66, 0x49, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, + 0x65, 0x64, 0x5f, 0x62, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x63, 0x72, 0x65, + 0x61, 0x74, 0x65, 0x64, 0x42, 0x79, 0x22, 0xc3, 0x01, 0x0a, 0x0d, 0x43, 0x61, 0x75, 0x73, 0x65, + 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x72, 0x65, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, + 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x74, + 0x61, 0x72, 0x74, 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x65, 0x6e, 0x64, - 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x05, 0x52, 0x07, 0x65, 0x6e, 0x64, - 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x07, 0x20, 0x01, + 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x07, 0x65, 0x6e, 0x64, + 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x43, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, - 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6d, 0x61, 0x74, - 0x63, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 
0x65, 0x72, 0x18, 0x0a, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x4a, 0x04, 0x08, - 0x09, 0x10, 0x0a, 0x22, 0x5d, 0x0a, 0x06, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x1a, 0x0a, - 0x08, 0x66, 0x69, 0x6c, 0x65, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x08, 0x66, 0x69, 0x6c, 0x65, 0x70, 0x61, 0x74, 0x68, 0x12, 0x37, 0x0a, 0x08, 0x66, 0x69, 0x6e, - 0x64, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x74, 0x72, - 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, - 0x74, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x08, 0x66, 0x69, 0x6e, 0x64, 0x69, 0x6e, - 0x67, 0x73, 0x22, 0x85, 0x02, 0x0a, 0x0f, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x4c, - 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, - 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, - 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, - 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x3e, 0x0a, 0x08, 0x63, 0x61, - 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x74, - 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, - 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x2e, 0x45, 0x6e, 0x75, 0x6d, - 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6b, - 0x67, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6b, - 0x67, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, - 0x74, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 
0x61, - 0x74, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, - 0x65, 0x6e, 0x63, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x02, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, - 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x18, 0x07, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x22, 0xed, 0x01, 0x0a, 0x0b, 0x4c, - 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x41, 0x0a, 0x0c, 0x6c, 0x69, - 0x63, 0x65, 0x6e, 0x73, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x1e, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, 0x2e, 0x45, 0x6e, 0x75, 0x6d, - 0x52, 0x0b, 0x6c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, - 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6b, - 0x67, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x70, 0x6b, - 0x67, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x38, 0x0a, 0x08, 0x66, 0x69, 0x6e, 0x67, 0x69, 0x6e, 0x67, - 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x46, 0x69, - 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x08, 0x66, 0x69, 0x6e, 0x67, 0x69, 0x6e, 0x67, 0x73, 0x12, - 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, - 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, - 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x4c, - 0x69, 0x63, 0x65, 0x6e, 0x73, 
0x65, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x3e, 0x0a, - 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, - 0x22, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, - 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x2e, 0x45, - 0x6e, 0x75, 0x6d, 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x12, 0x12, 0x0a, - 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x02, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, - 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x22, 0x95, 0x01, 0x0a, 0x0f, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, - 0x65, 0x43, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x22, 0x81, 0x01, 0x0a, 0x04, 0x45, 0x6e, - 0x75, 0x6d, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, - 0x44, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x4f, 0x52, 0x42, 0x49, 0x44, 0x44, 0x45, 0x4e, - 0x10, 0x01, 0x12, 0x0e, 0x0a, 0x0a, 0x52, 0x45, 0x53, 0x54, 0x52, 0x49, 0x43, 0x54, 0x45, 0x44, - 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x52, 0x45, 0x43, 0x49, 0x50, 0x52, 0x4f, 0x43, 0x41, 0x4c, - 0x10, 0x03, 0x12, 0x0a, 0x0a, 0x06, 0x4e, 0x4f, 0x54, 0x49, 0x43, 0x45, 0x10, 0x04, 0x12, 0x0e, - 0x0a, 0x0a, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x05, 0x12, 0x10, - 0x0a, 0x0c, 0x55, 0x4e, 0x45, 0x4e, 0x43, 0x55, 0x4d, 0x42, 0x45, 0x52, 0x45, 0x44, 0x10, 0x06, - 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x07, 0x22, 0x4e, 0x0a, - 0x0b, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, 0x65, 0x22, 0x3f, 0x0a, 0x04, - 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 
0x50, 0x45, 0x43, 0x49, 0x46, - 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x50, 0x4b, 0x47, 0x10, 0x01, 0x12, - 0x0a, 0x0a, 0x06, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, 0x02, 0x12, 0x10, 0x0a, 0x0c, 0x4c, - 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45, 0x5f, 0x46, 0x49, 0x4c, 0x45, 0x10, 0x03, 0x2a, 0x44, 0x0a, - 0x08, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, - 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, - 0x0a, 0x0a, 0x06, 0x4d, 0x45, 0x44, 0x49, 0x55, 0x4d, 0x10, 0x02, 0x12, 0x08, 0x0a, 0x04, 0x48, - 0x49, 0x47, 0x48, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x43, 0x52, 0x49, 0x54, 0x49, 0x43, 0x41, - 0x4c, 0x10, 0x04, 0x42, 0x31, 0x5a, 0x2f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, - 0x6d, 0x2f, 0x61, 0x71, 0x75, 0x61, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, - 0x72, 0x69, 0x76, 0x79, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3b, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6e, 0x2e, 0x43, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x22, 0x76, 0x0a, 0x04, + 0x43, 0x56, 0x53, 0x53, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x32, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f, + 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x32, 0x56, 0x65, 0x63, 0x74, 0x6f, + 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x33, 0x5f, 0x76, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x33, 0x56, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x19, + 0x0a, 0x08, 0x76, 0x32, 0x5f, 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x01, + 0x52, 0x07, 0x76, 0x32, 0x53, 0x63, 0x6f, 0x72, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x76, 0x33, 0x5f, + 0x73, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x01, 0x52, 0x07, 0x76, 0x33, 0x53, + 0x63, 0x6f, 0x72, 0x65, 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x52, + 0x65, 0x73, 0x6f, 
0x75, 0x72, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, + 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, + 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65, + 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, + 0x79, 0x65, 0x72, 0x12, 0x2a, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2e, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, + 0xf3, 0x01, 0x0a, 0x04, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x6e, 0x75, 0x6d, 0x62, + 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, + 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x69, 0x73, + 0x5f, 0x63, 0x61, 0x75, 0x73, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x69, 0x73, + 0x43, 0x61, 0x75, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x6e, 0x6e, 0x6f, 0x74, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61, 0x74, + 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x74, 0x72, 0x75, 0x6e, 0x63, 0x61, + 0x74, 0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x68, 0x69, 0x67, 0x68, 0x6c, 0x69, 0x67, 0x68, 0x74, + 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x68, 0x69, 0x67, 0x68, 0x6c, 0x69, + 0x67, 0x68, 0x74, 0x65, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 
0x66, 0x69, 0x72, 0x73, 0x74, 0x5f, 0x63, + 0x61, 0x75, 0x73, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x66, 0x69, 0x72, 0x73, + 0x74, 0x43, 0x61, 0x75, 0x73, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x63, + 0x61, 0x75, 0x73, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x6c, 0x61, 0x73, 0x74, + 0x43, 0x61, 0x75, 0x73, 0x65, 0x22, 0x30, 0x0a, 0x04, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x28, 0x0a, + 0x05, 0x6c, 0x69, 0x6e, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, + 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x6e, 0x65, + 0x52, 0x05, 0x6c, 0x69, 0x6e, 0x65, 0x73, 0x22, 0x9f, 0x02, 0x0a, 0x0d, 0x53, 0x65, 0x63, 0x72, + 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x12, 0x17, 0x0a, 0x07, 0x72, 0x75, 0x6c, + 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x75, 0x6c, 0x65, + 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x12, 0x1a, + 0x0a, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x69, + 0x74, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x69, 0x74, 0x6c, 0x65, + 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x74, 0x61, 0x72, 0x74, 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x05, + 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x73, 0x74, 0x61, 0x72, 0x74, 0x4c, 0x69, 0x6e, 0x65, 0x12, + 0x19, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x5f, 0x6c, 0x69, 0x6e, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, + 0x05, 0x52, 0x07, 0x65, 0x6e, 0x64, 0x4c, 0x69, 0x6e, 0x65, 0x12, 0x26, 0x0a, 0x04, 0x63, 0x6f, + 0x64, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x43, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x63, 
0x6f, + 0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x08, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65, + 0x72, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, + 0x79, 0x65, 0x72, 0x4a, 0x04, 0x08, 0x09, 0x10, 0x0a, 0x22, 0x5d, 0x0a, 0x06, 0x53, 0x65, 0x63, + 0x72, 0x65, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x70, 0x61, 0x74, 0x68, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x70, 0x61, 0x74, 0x68, 0x12, + 0x37, 0x0a, 0x08, 0x66, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x1b, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x08, + 0x66, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x85, 0x02, 0x0a, 0x0f, 0x44, 0x65, 0x74, + 0x65, 0x63, 0x74, 0x65, 0x64, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x12, 0x32, 0x0a, 0x08, + 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x16, + 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x65, + 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x52, 0x08, 0x73, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, + 0x12, 0x3e, 0x0a, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, + 0x79, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, + 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6b, 0x67, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x70, 
0x6b, 0x67, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, + 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, + 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1e, 0x0a, 0x0a, + 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x02, + 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, + 0x6c, 0x69, 0x6e, 0x6b, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6c, 0x69, 0x6e, 0x6b, + 0x22, 0xed, 0x01, 0x0a, 0x0b, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x46, 0x69, 0x6c, 0x65, + 0x12, 0x41, 0x0a, 0x0c, 0x6c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x5f, 0x74, 0x79, 0x70, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1e, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x54, 0x79, 0x70, + 0x65, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x0b, 0x6c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x54, + 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x66, 0x69, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, + 0x12, 0x19, 0x0a, 0x08, 0x70, 0x6b, 0x67, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x07, 0x70, 0x6b, 0x67, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x38, 0x0a, 0x08, 0x66, + 0x69, 0x6e, 0x67, 0x69, 0x6e, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, + 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, + 0x65, 0x6e, 0x73, 0x65, 0x46, 0x69, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x52, 0x08, 0x66, 0x69, 0x6e, + 0x67, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x29, 0x0a, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, 0x18, 0x05, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x74, 0x72, 0x69, 0x76, 
0x79, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x61, 0x79, 0x65, 0x72, 0x52, 0x05, 0x6c, 0x61, 0x79, 0x65, 0x72, + 0x22, 0x98, 0x01, 0x0a, 0x0e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x46, 0x69, 0x6e, 0x64, + 0x69, 0x6e, 0x67, 0x12, 0x3e, 0x0a, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, + 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65, + 0x67, 0x6f, 0x72, 0x79, 0x2e, 0x45, 0x6e, 0x75, 0x6d, 0x52, 0x08, 0x63, 0x61, 0x74, 0x65, 0x67, + 0x6f, 0x72, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, + 0x64, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x02, 0x52, 0x0a, 0x63, 0x6f, 0x6e, + 0x66, 0x69, 0x64, 0x65, 0x6e, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x18, + 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6c, 0x69, 0x6e, 0x6b, 0x22, 0x95, 0x01, 0x0a, 0x0f, + 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x43, 0x61, 0x74, 0x65, 0x67, 0x6f, 0x72, 0x79, 0x22, + 0x81, 0x01, 0x0a, 0x04, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, + 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x46, 0x4f, 0x52, + 0x42, 0x49, 0x44, 0x44, 0x45, 0x4e, 0x10, 0x01, 0x12, 0x0e, 0x0a, 0x0a, 0x52, 0x45, 0x53, 0x54, + 0x52, 0x49, 0x43, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x52, 0x45, 0x43, 0x49, + 0x50, 0x52, 0x4f, 0x43, 0x41, 0x4c, 0x10, 0x03, 0x12, 0x0a, 0x0a, 0x06, 0x4e, 0x4f, 0x54, 0x49, + 0x43, 0x45, 0x10, 0x04, 0x12, 0x0e, 0x0a, 0x0a, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53, 0x53, 0x49, + 0x56, 0x45, 0x10, 0x05, 0x12, 0x10, 0x0a, 0x0c, 0x55, 0x4e, 0x45, 0x4e, 0x43, 0x55, 0x4d, 0x42, + 0x45, 0x52, 0x45, 0x44, 0x10, 0x06, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, + 0x4e, 
0x10, 0x07, 0x22, 0x4e, 0x0a, 0x0b, 0x4c, 0x69, 0x63, 0x65, 0x6e, 0x73, 0x65, 0x54, 0x79, + 0x70, 0x65, 0x22, 0x3f, 0x0a, 0x04, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, + 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x44, + 0x50, 0x4b, 0x47, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x45, 0x41, 0x44, 0x45, 0x52, 0x10, + 0x02, 0x12, 0x10, 0x0a, 0x0c, 0x4c, 0x49, 0x43, 0x45, 0x4e, 0x53, 0x45, 0x5f, 0x46, 0x49, 0x4c, + 0x45, 0x10, 0x03, 0x2a, 0x44, 0x0a, 0x08, 0x53, 0x65, 0x76, 0x65, 0x72, 0x69, 0x74, 0x79, 0x12, + 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, + 0x4c, 0x4f, 0x57, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x45, 0x44, 0x49, 0x55, 0x4d, 0x10, + 0x02, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x49, 0x47, 0x48, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x43, + 0x52, 0x49, 0x54, 0x49, 0x43, 0x41, 0x4c, 0x10, 0x04, 0x42, 0x31, 0x5a, 0x2f, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x61, 0x71, 0x75, 0x61, 0x73, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2f, 0x72, 0x70, 0x63, 0x2f, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -2849,26 +2861,27 @@ var file_rpc_common_service_proto_depIdxs = []int32{ 32, // 21: trivy.common.Vulnerability.custom_vuln_data:type_name -> google.protobuf.Value 15, // 22: trivy.common.Vulnerability.data_source:type_name -> trivy.common.DataSource 30, // 23: trivy.common.Vulnerability.vendor_severity:type_name -> trivy.common.Vulnerability.VendorSeverityEntry - 21, // 24: trivy.common.CauseMetadata.code:type_name -> trivy.common.Code - 16, // 25: trivy.common.CustomResource.layer:type_name -> trivy.common.Layer - 32, // 26: trivy.common.CustomResource.data:type_name -> google.protobuf.Value - 20, // 27: trivy.common.Code.lines:type_name -> trivy.common.Line - 21, // 28: trivy.common.SecretFinding.code:type_name -> trivy.common.Code - 16, // 29: trivy.common.SecretFinding.layer:type_name -> trivy.common.Layer - 22, // 30: trivy.common.Secret.findings:type_name -> trivy.common.SecretFinding - 0, // 31: trivy.common.DetectedLicense.severity:type_name -> trivy.common.Severity - 1, // 32: trivy.common.DetectedLicense.category:type_name -> trivy.common.LicenseCategory.Enum - 2, // 33: trivy.common.LicenseFile.license_type:type_name -> trivy.common.LicenseType.Enum - 26, // 34: trivy.common.LicenseFile.fingings:type_name -> trivy.common.LicenseFinding - 16, // 35: trivy.common.LicenseFile.layer:type_name -> trivy.common.Layer - 1, // 36: trivy.common.LicenseFinding.category:type_name -> trivy.common.LicenseCategory.Enum - 18, // 37: trivy.common.Vulnerability.CvssEntry.value:type_name -> trivy.common.CVSS - 0, // 38: trivy.common.Vulnerability.VendorSeverityEntry.value:type_name -> trivy.common.Severity - 39, // [39:39] is the sub-list for method output_type - 39, // [39:39] is the sub-list for method input_type - 39, // [39:39] is the sub-list for extension type_name - 39, // [39:39] is the sub-list for extension extendee - 0, // [0:39] is the sub-list for field type_name + 9, // 24: trivy.common.Vulnerability.locations:type_name -> trivy.common.Location + 21, // 
25: trivy.common.CauseMetadata.code:type_name -> trivy.common.Code + 16, // 26: trivy.common.CustomResource.layer:type_name -> trivy.common.Layer + 32, // 27: trivy.common.CustomResource.data:type_name -> google.protobuf.Value + 20, // 28: trivy.common.Code.lines:type_name -> trivy.common.Line + 21, // 29: trivy.common.SecretFinding.code:type_name -> trivy.common.Code + 16, // 30: trivy.common.SecretFinding.layer:type_name -> trivy.common.Layer + 22, // 31: trivy.common.Secret.findings:type_name -> trivy.common.SecretFinding + 0, // 32: trivy.common.DetectedLicense.severity:type_name -> trivy.common.Severity + 1, // 33: trivy.common.DetectedLicense.category:type_name -> trivy.common.LicenseCategory.Enum + 2, // 34: trivy.common.LicenseFile.license_type:type_name -> trivy.common.LicenseType.Enum + 26, // 35: trivy.common.LicenseFile.fingings:type_name -> trivy.common.LicenseFinding + 16, // 36: trivy.common.LicenseFile.layer:type_name -> trivy.common.Layer + 1, // 37: trivy.common.LicenseFinding.category:type_name -> trivy.common.LicenseCategory.Enum + 18, // 38: trivy.common.Vulnerability.CvssEntry.value:type_name -> trivy.common.CVSS + 0, // 39: trivy.common.Vulnerability.VendorSeverityEntry.value:type_name -> trivy.common.Severity + 40, // [40:40] is the sub-list for method output_type + 40, // [40:40] is the sub-list for method input_type + 40, // [40:40] is the sub-list for extension type_name + 40, // [40:40] is the sub-list for extension extendee + 0, // [0:40] is the sub-list for field type_name } func init() { file_rpc_common_service_proto_init() } From bac7a6ca55853a67430d135f0f2fd54001607747 Mon Sep 17 00:00:00 2001 From: Syed Parvez Date: Mon, 25 Mar 2024 07:20:48 +0530 Subject: [PATCH 12/12] nit: fixed lint errors --- pkg/rpc/convert_test.go | 58 +++++++++-------------------------------- 1 file changed, 12 insertions(+), 46 deletions(-) diff --git a/pkg/rpc/convert_test.go b/pkg/rpc/convert_test.go index 2506dcd97c2..ec305d7fc58 100644 
--- a/pkg/rpc/convert_test.go
+++ b/pkg/rpc/convert_test.go
@@ -53,12 +53,6 @@ func TestConvertToRpcPkgs(t *testing.T) {
 Digest: "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc",
 DiffID: "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7",
 },
- Locations: []ftypes.Location{
- {
- StartLine: 10,
- EndLine: 12,
- },
- },
 Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
 Indirect: true,
 },
@@ -90,14 +84,6 @@ func TestConvertToRpcPkgs(t *testing.T) {
 Digest: "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc",
 DiffId: "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7",
 },
- Locations: &common.Locations{
- Location: []*common.Location{
- {
- StartLine: 10,
- EndLine: 12,
- },
- },
- },
 Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
 Indirect: true,
 },
@@ -149,14 +135,6 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 Digest: "sha256:6a428f9f83b0a29f1fdd2ccccca19a9bab805a925b8eddf432a5a3d3da04afbc",
 DiffId: "sha256:39982b2a789afc156fff00c707d0ff1c6ab4af8f1666a8df4787714059ce24e7",
 },
- Locations: &common.Locations{
- Location: []*common.Location{
- {
- StartLine: 10,
- EndLine: 12,
- },
- },
- },
 Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
 Indirect: true,
 },
@@ -190,12 +168,6 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 },
 Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
 Indirect: true,
- Locations: []ftypes.Location{
- {
- StartLine: 10,
- EndLine: 12,
- },
- },
 },
 },
 },
@@ -291,12 +263,10 @@ func TestConvertToRpcVulns(t *testing.T) {
 Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 },
- Locations: &common.Locations{
- Location: []*common.Location{
- {
- StartLine: 15,
- EndLine: 20,
- },
+ Locations: []*common.Location{
+ {
+ StartLine: 15,
+ EndLine: 20,
 },
 },
 PrimaryUrl: "https://avd.aquasec.com/nvd/CVE-2019-0001",
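Review bot: The first four hunks (`@@ -53`, `@@ -90`, `@@ -149`, `@@ -190`) delete the `Locations` fixtures from both the input and the expected value of TestConvertToRpcPkgs and TestConvertFromRpcPkgs, so in the cases visible here no package conversion test carries a location any more. That is a coverage change under a commit titled "nit: fixed lint errors", and a regression that drops package line ranges on the RPC path would then go unnoticed. If `ftypes.Package` still carries locations across RPC (not visible from these hunks), keep one populated fixture, for example `Locations: []ftypes.Location{{StartLine: 10, EndLine: 12}},` with its RPC counterpart on the other side. If the field was moved to `Vulnerability` on purpose, say so in the commit description. The test function bodies start and end outside these hunks.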
@@ -357,12 +327,10 @@ func TestConvertToRpcVulns(t *testing.T) {
 Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 },
- Locations: &common.Locations{
- Location: []*common.Location{
- {
- StartLine: 15,
- EndLine: 20,
- },
+ Locations: []*common.Location{
+ {
+ StartLine: 15,
+ EndLine: 20,
 },
 },
 DataSource: &common.DataSource{
@@ -430,12 +398,10 @@ func TestConvertFromRPCResults(t *testing.T) {
 Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 },
- Locations: &common.Locations{
- Location: []*common.Location{
- {
- StartLine: 15,
- EndLine: 20,
- },
+ Locations: []*common.Location{
+ {
+ StartLine: 15,
+ EndLine: 20,
 },
 },
 PrimaryUrl: "https://avd.aquasec.com/nvd/CVE-2019-0001",