From 5eed7e8542549bde3f184676b567c9d92d086a3f Mon Sep 17 00:00:00 2001 From: Rex P <106129829+another-rex@users.noreply.github.com> Date: Thu, 23 May 2024 13:45:05 +1000 Subject: [PATCH] Fix snapshots and alpine version (#990) This updates busybox to 1.36.1-r27 to resolve all current vulnerabilities, and then updates the snapshots to match. This is a bit odd as 1.36.1-r27 doesn't actually exist on the distro this SBOM is created for (alpine 3.17) , where the highest version is 1.35.0-r30. However, as 3.17 is now out of support, no more fixes are being backported for 1.35.0. The *ideal(?)* behavior would not show the 3.19/3.20 vulnerabilities on 1.36.1 when scanning Alpine 3.17, but because of distro in purls still being undefined, all alpine advisories are returned. When this is eventually implemented, we should revert this PR. --- cmd/osv-scanner/__snapshots__/main_test.snap | 21 +++----- .../fixtures/locks-many/alpine.cdx.xml | 54 +++++++++---------- .../fixtures/sbom-insecure/alpine.cdx.xml | 54 +++++++++---------- 3 files changed, 62 insertions(+), 67 deletions(-) diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 702d56f85e..7fb239f189 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -222,9 +222,8 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package Scanned /fixtures/locks-many/package-lock.json file and found 1 package Scanned /fixtures/locks-many/yarn.lock file and found 1 package Loaded filter from: /fixtures/locks-many/osv-scanner.toml -CVE-2022-48174 has been filtered out because: Test manifest file (alpine.cdx.xml) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Filtered 1 vulnerability from output No issues found --- 
@@ -252,7 +251,6 @@ Scanned /fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ -| https://osv.dev/CVE-2022-48174 | 9.8 | Alpine | busybox | 1.35.0-r29 | fixtures/sbom-insecure/alpine.cdx.xml | | https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r2 | fixtures/sbom-insecure/alpine.cdx.xml | | https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | 
@@ -371,12 +369,11 @@ No issues found [TestRun/one_specific_supported_sbom_with_vulns - 1] Scanned /fixtures/sbom-insecure/alpine.cdx.xml as CycloneDX SBOM and found 15 packages -+--------------------------------+------+-----------+---------+------------+---------------------------------------+ -| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | -+--------------------------------+------+-----------+---------+------------+---------------------------------------+ -| https://osv.dev/CVE-2022-48174 | 9.8 | Alpine | busybox | 1.35.0-r29 | fixtures/sbom-insecure/alpine.cdx.xml | -| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r2 | fixtures/sbom-insecure/alpine.cdx.xml | -+--------------------------------+------+-----------+---------+------------+---------------------------------------+ ++--------------------------------+------+-----------+---------+-----------+---------------------------------------+ +| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | ++--------------------------------+------+-----------+---------+-----------+---------------------------------------+ +| https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r2 | fixtures/sbom-insecure/alpine.cdx.xml | ++--------------------------------+------+-----------+---------+-----------+---------------------------------------+ --- @@ -762,9 +759,8 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package Scanned /fixtures/locks-many/package-lock.json file and found 1 package Scanned /fixtures/locks-many/yarn.lock file and found 1 package Loaded filter from: /fixtures/locks-many/osv-scanner.toml -CVE-2022-48174 has been filtered out because: Test manifest file (alpine.cdx.xml) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Filtered 1 vulnerability from output +------------+-------------------------+ | LICENSE | NO. OF PACKAGE VERSIONS | +------------+-------------------------+ 
@@ -787,9 +783,8 @@ Scanned /fixtures/locks-many/composer.lock file and found 1 package Scanned /fixtures/locks-many/package-lock.json file and found 1 package Scanned /fixtures/locks-many/yarn.lock file and found 1 package Loaded filter from: /fixtures/locks-many/osv-scanner.toml -CVE-2022-48174 has been filtered out because: Test manifest file (alpine.cdx.xml) GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: Test manifest file -Filtered 2 vulnerabilities from output +Filtered 1 vulnerability from output | License | No. of package versions | | --- | ---:| | Apache-2.0 | 1 | diff --git a/cmd/osv-scanner/fixtures/locks-many/alpine.cdx.xml b/cmd/osv-scanner/fixtures/locks-many/alpine.cdx.xml index 6a0e162114..1e8f20cf88 100644 --- a/cmd/osv-scanner/fixtures/locks-many/alpine.cdx.xml +++ b/cmd/osv-scanner/fixtures/locks-many/alpine.cdx.xml @@ -182,18 +182,18 @@ /bin/busybox - + Sören Tempel <soeren+alpine@soeren-tempel.net> busybox - 1.35.0-r29 + 1.36.1-r27 Size optimized toolbox of many common UNIX utilities GPL-2.0-only - cpe:2.3:a:busybox:busybox:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:busybox:busybox:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ @@ -208,24 +208,24 @@ 1dbf7a793afae640ea643a055b6dd4f430ac116b 962560 busybox - cmd:busybox=1.35.0-r29 + cmd:busybox=1.36.1-r27 Q1NN3sp0yr99btRysqty3nQUrWHaY= so:libc.musl-x86_64.so.1 509600 - + Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh - 1.35.0-r29 + 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only - cpe:2.3:a:busybox-binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ 
@@ -235,20 +235,20 @@ apkdb-cataloger ApkMetadata apk - cpe:2.3:a:busybox-binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox_binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox_binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh - cmd:sh=1.35.0-r29 + cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= - busybox=1.35.0-r29 + busybox=1.36.1-r27 1547 @@ -510,18 +510,18 @@ 37687 - + Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client - 1.35.0-r29 + 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only - cpe:2.3:a:ssl-client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ 
@@ -531,17 +531,17 @@ apkdb-cataloger ApkMetadata apk - cpe:2.3:a:ssl-client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl_client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl_client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl:ssl_client:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox - cmd:ssl_client=1.35.0-r29 + cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 @@ -601,4 +601,4 @@ - \ No newline at end of file + diff --git a/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml b/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml index f70df0c6df..1b81355989 100644 --- a/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml +++ b/cmd/osv-scanner/fixtures/sbom-insecure/alpine.cdx.xml @@ -182,18 +182,18 @@ /bin/busybox - + Sören Tempel <soeren+alpine@soeren-tempel.net> busybox - 1.35.0-r29 + 1.36.1-r27 Size optimized toolbox of many common UNIX utilities GPL-2.0-only - cpe:2.3:a:busybox:busybox:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:busybox:busybox:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ 
@@ -208,24 +208,24 @@ 1dbf7a793afae640ea643a055b6dd4f430ac116b 962560 busybox - cmd:busybox=1.35.0-r29 + cmd:busybox=1.36.1-r27 Q1NN3sp0yr99btRysqty3nQUrWHaY= so:libc.musl-x86_64.so.1 509600 - + Sören Tempel <soeren+alpine@soeren-tempel.net> busybox-binsh - 1.35.0-r29 + 1.36.1-r27 busybox ash /bin/sh GPL-2.0-only - cpe:2.3:a:busybox-binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/busybox-binsh@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ @@ -235,20 +235,20 @@ apkdb-cataloger ApkMetadata apk - cpe:2.3:a:busybox-binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox_binsh:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox_binsh:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox:busybox-binsh:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:busybox:busybox_binsh:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 8192 busybox /bin/sh - cmd:sh=1.35.0-r29 + cmd:sh=1.36.1-r27 Q1miWwyhWKXVEiRYLhmArV1TKMs6A= - busybox=1.35.0-r29 + busybox=1.36.1-r27 1547 
@@ -510,18 +510,18 @@ 37687 - + Sören Tempel <soeren+alpine@soeren-tempel.net> ssl_client - 1.35.0-r29 + 1.36.1-r27 EXternal ssl_client for busybox wget GPL-2.0-only - cpe:2.3:a:ssl-client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - pkg:apk/alpine/ssl_client@1.35.0-r29?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 + cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2 https://busybox.net/ @@ -531,17 +531,17 @@ apkdb-cataloger ApkMetadata apk - cpe:2.3:a:ssl-client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl_client:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl_client:ssl_client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl:ssl-client:1.35.0-r29:*:*:*:*:*:*:* - cpe:2.3:a:ssl:ssl_client:1.35.0-r29:*:*:*:*:*:*:* + cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:* + cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:* sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39 /lib/apk/db/installed 1dbf7a793afae640ea643a055b6dd4f430ac116b 28672 busybox - cmd:ssl_client=1.35.0-r29 + cmd:ssl_client=1.36.1-r27 Q1QuqZjeP6XG85I29tOiCWofL8Cj0= so:libc.musl-x86_64.so.1 so:libcrypto.so.3 @@ -601,4 +601,4 @@ - \ No newline at end of file +
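Review bot: the `locks-many` snapshot hunks drop the line `CVE-2022-48174 has been filtered out because: Test manifest file (alpine.cdx.xml)` and change the count to `Filtered 1 vulnerability from output`, but the diffstat shows `fixtures/locks-many/osv-scanner.toml` is not touched; the ignore entry that produced that line is now dead configuration and will silently stop doing anything. Either remove the CVE-2022-48174 entry from the toml in the same change, or leave a comment there explaining that it is kept on purpose for when the fixture version is reverted.

Review bot: in the `one_specific_supported_sbom_with_vulns` snapshot the expected table shrinks to a single Alpine row (`https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r2`), so this case no longer exercises a multi-row table or any busybox match at all. Rather than simply deleting the `CVE-2022-48174` row, keep a second deliberately vulnerable package in `sbom-insecure/alpine.cdx.xml` so the table rendering and the alias-filter path stay covered. More generally, these snapshots encode whatever osv.dev returns on the day they are regenerated (the commit message says the bump is needed "to resolve all current vulnerabilities"); a recorded or mocked query response for the snapshot tests would be a more durable fix than bumping fixture versions each time the advisory set moves.

Review bot: in both `alpine.cdx.xml` fixtures the purls are changed to `pkg:apk/alpine/busybox@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2` (and likewise for `busybox-binsh` and `ssl_client`) while the commit message states that `1.36.1-r27` never shipped for Alpine 3.17; the `distro=alpine-3.17.2` qualifier, the `sha256:7cd52847...` hash of `/lib/apk/db/installed`, the `Q1...` package checksums and the installed sizes are all left as they were, so the SBOM now describes a package that cannot exist in that image. The scanner keys on the purl today, so the tests pass, but the message also says this must be reverted once distro-aware purl handling lands, and nothing in the fixture records that. Add an XML comment beside each of the three components saying the version is synthetic and why, and open a tracking issue for the revert so it is not lost. Since the same edits are applied byte-for-byte to `locks-many/alpine.cdx.xml` and `sbom-insecure/alpine.cdx.xml`, consider noting in that comment that the two files are expected to stay in lockstep.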