fix(mariner): use advisory_id for definition file names #271
Conversation
I'm checking with the Aqua commercial team.
Any ETA for this PR to be merged in Trivy?
@knqyf263 any development based on your check with the Aqua commercial team?
I'll remind them
@knqyf263 any update? This is impacting AKS Image Cleaner in its ability to retire insecure images for which CVEs are found.
I reminded them again, but they seem to be busy. If you're in a hurry, you can update your data as described below.
@DmitriyLewen Can't we save two files named the advisory id instead of CVE-ID, like
hm... I didn't think about this. I see 2 points:
It's no big deal. We already use custom advisory IDs for others.
hm... looks like you are right.
But it doesn't have much impact.
What do you mean?
hm... I missed a word 😞
Got it, you mean they use the last digit. Even |
only cbl-1.0 uses version |
If we go with this approach, what changes do we need in trivy-db compared to the current PR?
we will only need to update names of test files to match the names in
48b9969 to b76577c
func (c Config) saveAdvisoryPerYear(dirName string, vulnID string, def Definition) error { | ||
vulnID := def.Metadata.Reference.RefID |
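Review bot: the signature still declares a `vulnID string` parameter while the body now does `vulnID := def.Metadata.Reference.RefID`; in Go a `:=` on a name already in scope as a parameter does not compile, and if the parameter is kept the caller's value is dead. Drop the parameter from the signature and its call site once the ID is derived from the definition, and return an error when `RefID` is empty rather than letting an empty CVE feed into the year-directory logic.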
I thought about using the advisory_date field.
But this field does not always exist:
➜ cat cbl-mariner-1.0-oval.xml| grep ' <definition class="vulnerability"' | wc -l
2252
➜ cat cbl-mariner-1.0-oval.xml| grep '<advisory_date>' | wc -l
2070
So I'm leaving the logic with the year number from the CVE.
@knqyf263 I updated this PR. Can you take a look?
Even after we merge this PR, will
right.
Thanks for confirming. I'll merge this PR, then.
I left some small comments.
mariner/mariner.go (Outdated)
@@ -154,8 +152,24 @@ func (c Config) update(version, path string) error { | |||
|
|||
return nil | |||
} | |||
func (c Config) saveAdvisoryPerYear(dirName string, def Definition) error { | |||
// Mariner uses `<ID>_<last_number_from_version>` format for `advisory_id`. |
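Review bot: the new doc comment on `saveAdvisoryPerYear` states the `advisory_id` format but not why the file is named by it; add the one-line reason from the PR description (several definitions can share one CVE and would otherwise overwrite each other), and since the separator (`_` versus `-`) is already disputed in this review, cite where the format was observed in the feed instead of asserting it.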
AFAIK, they use hyphens.
// Mariner uses `<ID>_<last_number_from_version>` format for `advisory_id`. | |
// Mariner uses `<ID>-<last_number_from_version>` format for `advisory_id`. |
We should start calling it Azure Linux.
// Mariner uses `<ID>_<last_number_from_version>` format for `advisory_id`. | |
// Azure Linux uses `<ID>_<last_number_from_version>` format for `advisory_id`. |
fixed in 995ea97
mariner/mariner.go (Outdated)
// cf. https://github.com/aquasecurity/vuln-list-update/pull/271#issuecomment-2111678641 | ||
advisoryID := def.Metadata.AdvisoryID | ||
if advisoryID == "" { | ||
advisoryID = def.ID |
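Review bot: the fallback `advisoryID = def.ID` turns the full OVAL identifier (the review notes it looks like `oval:com.microsoft.cbl-mariner:obj:31880001`) into a file name, which embeds colons that are not valid in file names on Windows and gives a different shape from real `advisory_id` values. Take the text after the last `:`, check that it is all digits, and return an error otherwise instead of writing a file under an unexpected name.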
The ID is something like oval:com.microsoft.cbl-mariner:obj:31880001. Shouldn't we extract the last digits, 31880001?
mariner/mariner.go (Outdated)
advisoryID = def.ID | ||
// for `0` versions `_0` suffix is omitted. | ||
if def.Version != "" && def.Version[len(def.Version)-1:] != "0" { | ||
advisoryID = fmt.Sprintf("%s_%s", advisoryID, def.Version[len(def.Version)-1:]) |
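Review bot: `def.Version[len(def.Version)-1:]` slices a single byte, so if the "last number from version" can ever be two digits (a version ending in `10` or `12`) the suffix is silently truncated to `0` or `2`, and the `_0`-omitted rule fires for a `...10` version. Either document in the comment that the suffix is by definition the final digit only, or parse the trailing digit run (for example with `strconv` after trimming the fixed prefix) so the comment and the behaviour agree; the comment on the `0` case should also use the same separator as the suggested `-` form.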
advisoryID = fmt.Sprintf("%s_%s", advisoryID, def.Version[len(def.Version)-1:]) | |
advisoryID = fmt.Sprintf("%s-%s", advisoryID, def.Version[len(def.Version)-1:]) |
fixed in 995ea97
mariner/mariner.go (Outdated)
func (c Config) saveAdvisoryPerYear(dirName string, def Definition) error { | ||
// Mariner uses `<ID>_<last_number_from_version>` format for `advisory_id`. | ||
// But `advisory_id` is not required field. | ||
// Therefore, if `advisory_id` is not exist, we create this field independently. |
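Review bot: the comment says "we create this field independently", but the code only builds a local `advisoryID` for the file name and never sets `def.Metadata.AdvisoryID`; reword to say the file name is derived from the definition id and version when `advisory_id` is absent, or actually populate the field if anything downstream reads it, so the comment matches what is written to disk.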
nit
// Therefore, if `advisory_id` is not exist, we create this field independently. | |
// Therefore, if `advisory_id` does not exist, we create this field independently. |
updated in 995ea97
Triggered the workflow
Description
There are times when CBL-Mariner uses multiple definitions for a single CVE. e.g.:
To avoid overwriting, use the advisory_id field for file names. See #271 (comment)
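As an added illustration (not code from this PR, from vuln-list-update or from Trivy), the Go program below does what the thread settles on: it parses a constructed OVAL sample, counts definitions that lack advisory_date (the check DmitriyLewen ran with grep), keeps the per-year directory derived from the CVE year, and names each file by advisory_id, falling back to the numeric tail of the definition id plus the last digit of version with a "-0" suffix omitted (hyphen as knqyf263 notes). Naming by CVE is kept behind a switch so the overwrite described above shows up as two definitions mapping to one path. The sample XML, the struct shapes, the function names and the derived-id format are assumptions for this example, not the project's schema or code.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed sample in the shape of the CBL-Mariner OVAL feed (element names from the
// thread; schema is assumed). Two definitions share CVE-2023-1111; the second has neither
// advisory_id nor advisory_date.
const sampleOval = `<oval_definitions><definitions>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880001" version="2000000001"><metadata>
<reference ref_id="CVE-2023-1111" source="CVE"/><advisory_date>2023-05-01T00:00:00Z</advisory_date><advisory_id>31880001-1</advisory_id>
</metadata></definition>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880002" version="2000000000"><metadata>
<reference ref_id="CVE-2023-1111" source="CVE"/>
</metadata></definition>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880003" version="2000000002"><metadata>
<reference ref_id="CVE-2022-2222" source="CVE"/><advisory_date>2022-11-20T00:00:00Z</advisory_date><advisory_id>31880003-2</advisory_id>
</metadata></definition>
</definitions></oval_definitions>`

// Definition carries only the fields the file-naming logic needs (assumed shape).
type Definition struct {
	ID       string `xml:"id,attr"`
	Version  string `xml:"version,attr"`
	Metadata struct {
		Reference    struct{ RefID string `xml:"ref_id,attr"` } `xml:"reference"`
		AdvisoryDate string `xml:"advisory_date"`
		AdvisoryID   string `xml:"advisory_id"`
	} `xml:"metadata"`
}

func parseOval(data []byte) ([]Definition, error) {
	var doc struct{ Definitions []Definition `xml:"definitions>definition"` }
	err := xml.Unmarshal(data, &doc)
	return doc.Definitions, err
}

// yearFromCVE picks the per-year directory (CVE-2023-1111 -> "2023"), as the PR keeps doing.
func yearFromCVE(cveID string) (string, error) {
	if parts := strings.Split(cveID, "-"); len(parts) == 3 && parts[0] == "CVE" && len(parts[1]) == 4 {
		return parts[1], nil
	}
	return "", fmt.Errorf("unexpected CVE id %q", cveID)
}

// advisoryFileName prefers advisory_id; when it is absent it rebuilds the same shape from the
// OVAL id and version: <digits after the last ':'>-<last digit of version>, omitting "-0".
func advisoryFileName(def Definition) (string, error) {
	if def.Metadata.AdvisoryID != "" {
		return def.Metadata.AdvisoryID + ".json", nil
	}
	num := def.ID[strings.LastIndex(def.ID, ":")+1:]
	if num == "" || strings.IndexFunc(num, func(r rune) bool { return r < '0' || r > '9' }) >= 0 {
		return "", fmt.Errorf("cannot derive an advisory id from %q", def.ID)
	}
	if v := def.Version; v != "" && v[len(v)-1:] != "0" {
		num += "-" + v[len(v)-1:]
	}
	return num + ".json", nil
}

// planFiles maps each output path to the OVAL ids written there. byAdvisory=false is the
// pre-PR naming by CVE id; a path with more than one id is a silent overwrite.
func planFiles(root string, defs []Definition, byAdvisory bool) (map[string][]string, error) {
	plan := map[string][]string{}
	for _, def := range defs {
		cve := def.Metadata.Reference.RefID
		year, err := yearFromCVE(cve)
		if err != nil {
			return nil, err
		}
		name := cve + ".json"
		if byAdvisory {
			if name, err = advisoryFileName(def); err != nil {
				return nil, err
			}
		}
		p := filepath.Join(root, year, name)
		plan[p] = append(plan[p], def.ID)
	}
	return plan, nil
}

// countMissingAdvisoryDate is the programmatic form of the grep check in the thread.
func countMissingAdvisoryDate(defs []Definition) (n int) {
	for _, d := range defs {
		if d.Metadata.AdvisoryDate == "" {
			n++
		}
	}
	return n
}

func main() {
	defs, err := parseOval([]byte(sampleOval))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d definitions, %d without advisory_date\n", len(defs), countMissingAdvisoryDate(defs))
}
```

Running planFiles with byAdvisory=false puts both CVE-2023-1111 definitions at mariner/2023/CVE-2023-1111.json, which is the overwrite the PR fixes; with byAdvisory=true they land at 31880001-1.json and 31880002.json under the same year directory.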
Related Issues