package osvscanner
import (
"sort"
"strings"
"github.com/google/osv-scanner/internal/output"
"github.com/google/osv-scanner/internal/sourceanalysis"
"github.com/google/osv-scanner/pkg/grouper"
"github.com/google/osv-scanner/pkg/models"
"github.com/google/osv-scanner/pkg/osv"
"github.com/google/osv-scanner/pkg/reporter"
)
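// buildVulnerabilityResults takes the responses from the OSV API and the deps.dev API
// and converts them into a VulnerabilityResults. As part of this, it groups
// vulnerability information by source location.
//
// Preconditions (not checked here, the caller is expected to keep them aligned):
//   - vulnsResp.Results is indexed in parallel with packages: Results[i] is the
//     OSV answer for packages[i].
//   - licensesResp is indexed the same way; it is only read when license
//     scanning (allowlist or summary) was requested via actions.
//
// A package whose PURL fails to parse is reported through r.Errorf and dropped
// from the results entirely, including any vulnerabilities the OSV API returned
// for it at Results[i]. NOTE(review): this is fail-open for malformed PURLs —
// confirm that trade-off is intended.
//
// TODO: This function is getting long, we should refactor it
func buildVulnerabilityResults(
	r reporter.Reporter,
	packages []scannedPackage,
	vulnsResp *osv.HydratedBatchedResponse,
	licensesResp [][]models.License,
	actions ScannerActions,
) models.VulnerabilityResults {
	// Results is a non-nil empty slice on purpose (presumably so the encoded
	// output is "[]" rather than "null" when nothing is found) — kept as is.
	results := models.VulnerabilityResults{
		Results: []models.PackageSource{},
	}

	// The allowlist does not change per package, so build the lower-cased
	// lookup table once instead of on every loop iteration. Matching is
	// case-insensitive on both sides.
	checkLicenses := len(actions.ScanLicensesAllowlist) > 0
	licenseAllowlist := make(map[string]struct{}, len(actions.ScanLicensesAllowlist))
	for _, license := range actions.ScanLicensesAllowlist {
		licenseAllowlist[strings.ToLower(license)] = struct{}{}
	}

	groupedBySource := map[models.SourceInfo][]models.PackageVulns{}

	for i, rawPkg := range packages {
		// Only vulnerable / license-violating packages are reported unless the
		// caller asked for every scanned package.
		includePackage := actions.ShowAllPackages

		var pkg models.PackageVulns
		if rawPkg.Commit != "" {
			pkg.Package.Commit = rawPkg.Commit
			pkg.Package.Name = rawPkg.Name
		} else if rawPkg.PURL != "" {
			var err error
			pkg.Package, err = models.PURLToPackage(rawPkg.PURL)
			if err != nil {
				r.Errorf("Failed to parse purl: %s, with error: %s", rawPkg.PURL, err)
				continue
			}
		}
		// An explicit name/version/ecosystem overrides whatever was derived
		// from the commit or PURL above.
		if rawPkg.Version != "" && rawPkg.Ecosystem != "" {
			pkg.Package = models.PackageInfo{
				Name:      rawPkg.Name,
				Version:   rawPkg.Version,
				Ecosystem: string(rawPkg.Ecosystem),
			}
		}
		pkg.DepGroups = rawPkg.DepGroups

		if len(vulnsResp.Results[i].Vulns) > 0 {
			includePackage = true
			pkg.Vulnerabilities = vulnsResp.Results[i].Vulns
			// Group vulnerabilities by their ID aliases (grouper) and record the
			// highest severity seen in each group.
			pkg.Groups = grouper.Group(grouper.ConvertVulnerabilityToIDAliases(pkg.Vulnerabilities))
			for gi, group := range pkg.Groups {
				pkg.Groups[gi].MaxSeverity = output.MaxSeverity(group, pkg)
			}
		}

		if checkLicenses {
			pkg.Licenses = licensesResp[i]
			for _, license := range pkg.Licenses {
				if _, allowed := licenseAllowlist[strings.ToLower(string(license))]; !allowed {
					pkg.LicenseViolations = append(pkg.LicenseViolations, license)
				}
			}
			if len(pkg.LicenseViolations) > 0 {
				includePackage = true
			}
		}
		if actions.ScanLicensesSummary {
			pkg.Licenses = licensesResp[i]
		}

		if includePackage {
			groupedBySource[rawPkg.Source] = append(groupedBySource[rawPkg.Source], pkg)
		}
	}

	for source, sourcePkgs := range groupedBySource {
		sourceanalysis.Run(r, source, sourcePkgs, actions.CallAnalysisStates)
		results.Results = append(results.Results, models.PackageSource{
			Source:   source,
			Packages: sourcePkgs,
		})
	}

	// Map iteration order is random, so sort by path then type for stable
	// output. NOTE(review): if two SourceInfo values share Path and Type the
	// relative order is still unspecified — confirm that cannot happen.
	sort.Slice(results.Results, func(i, j int) bool {
		if results.Results[i].Source.Path == results.Results[j].Source.Path {
			return results.Results[i].Source.Type < results.Results[j].Source.Type
		}
		return results.Results[i].Source.Path < results.Results[j].Source.Path
	})

	// Echo the license configuration that produced these results so the
	// consumer can tell which allowlist (if any) the violations were judged by.
	if len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary {
		results.ExperimentalAnalysisConfig.Licenses.Summary = actions.ScanLicensesSummary
		allowlist := make([]models.License, len(actions.ScanLicensesAllowlist))
		for ai, l := range actions.ScanLicensesAllowlist {
			allowlist[ai] = models.License(l)
		}
		results.ExperimentalAnalysisConfig.Licenses.Allowlist = allowlist
	}

	return results
}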