Merge a980a44 into a22b567

kubescape · Mar 24, 2023 · 0c1fd40 · 0c1fd40
2 parents a22b567 + a980a44
commit 0c1fd40
Show file tree

Hide file tree

Showing 7 changed files with 214 additions and 295 deletions.
diff --git a/adapters/v1/grype_test.go b/adapters/v1/grype_test.go
@@ -3,6 +3,7 @@ package v1
 import (
 	"context"
 	"encoding/json"
+	"net/http"
 	"testing"
 	"time"
 
@@ -16,10 +17,12 @@ import (
 
 func Test_grypeAdapter_DBVersion(t *testing.T) {
 	ctx := context.TODO()
+	go http.ListenAndServe(":8000", http.FileServer(http.Dir("testdata")))
 	g := NewGrypeAdapter()
+	g.dbConfig.ListingURL = "http://localhost:8000/listing.json"
 	g.Ready(ctx) // need to call ready to load the DB
 	version := g.DBVersion(ctx)
-	assert.Assert(t, version != "")
+	assert.Assert(t, version == "sha256:9be2df3d7d657bfb40ddcc68c9d00520ee7f5a34c7a26333f90cf89cefd5668a")
 }
 
 func fileToSBOM(path string) *v1beta1.Document {
@@ -45,13 +48,15 @@ func Test_grypeAdapter_ScanSBOM(t *testing.T) {
 			format: string(fileContent("testdata/alpine-cve.format.json")),
 		},
 	}
+	go http.ListenAndServe(":8000", http.FileServer(http.Dir("testdata")))
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx := context.TODO()
 			ctx = context.WithValue(ctx, domain.TimestampKey{}, time.Now().Unix())
 			ctx = context.WithValue(ctx, domain.ScanIDKey{}, uuid.New().String())
 			ctx = context.WithValue(ctx, domain.WorkloadKey{}, domain.ScanCommand{})
 			g := NewGrypeAdapter()
+			g.dbConfig.ListingURL = "http://localhost:8000/listing.json"
 			g.Ready(ctx) // need to call ready to load the DB
 			got, err := g.ScanSBOM(ctx, tt.sbom)
 			if (err != nil) != tt.wantErr {

diff --git a/adapters/v1/testdata/alpine-cve.format.json b/adapters/v1/testdata/alpine-cve.format.json
@@ -2,152 +2,129 @@
   "matches": [
     {
       "vulnerability": {
-        "id": "CVE-2022-28391",
-        "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-28391",
-        "namespace": "nvd:cpe",
-        "severity": "High",
+        "id": "CVE-2023-0464",
+        "dataSource": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464",
+        "namespace": "alpine:distro:alpine:3.17",
+        "severity": "Unknown",
         "urls": [
-          "https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch",
-          "https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch",
-          "https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661"
-        ],
-        "description": "BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.",
-        "cvss": [
-          {
-            "version": "2.0",
-            "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
-            "metrics": {
-              "baseScore": 6.8,
-              "exploitabilityScore": 8.6,
-              "impactScore": 6.4
-            },
-            "vendorMetadata": {}
-          },
-          {
-            "version": "3.1",
-            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
-            "metrics": {
-              "baseScore": 8.8,
-              "exploitabilityScore": 2.8,
-              "impactScore": 5.9
-            },
-            "vendorMetadata": {}
-          }
+          "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464"
         ],
+        "cvss": null,
         "fix": {
-          "versions": [],
-          "state": "unknown"
+          "versions": [
+            "3.0.8-r1"
+          ],
+          "state": "fixed"
         },
         "advisories": null
       },
       "relatedVulnerabilities": null,
       "matchDetails": [
         {
-          "type": "cpe-match",
-          "matcher": "stock-matcher",
+          "type": "exact-indirect-match",
+          "matcher": "apk-matcher",
           "searchedBy": {
-            "namespace": "nvd:cpe",
-            "cpes": [
-              "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*"
-            ]
+            "distro": {
+              "type": "alpine",
+              "version": "3.17.2"
+            },
+            "namespace": "alpine:distro:alpine:3.17",
+            "package": {
+              "name": "openssl",
+              "version": "3.0.8-r0"
+            }
           },
           "found": {
-            "vulnerabilityID": "CVE-2022-28391",
-            "versionConstraint": "<= 1.35.0 (unknown)",
-            "cpes": [
-              "cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*"
-            ]
+            "versionConstraint": "< 3.0.8-r1 (apk)",
+            "vulnerabilityID": "CVE-2023-0464"
           }
         }
       ],
       "artifact": {
-        "name": "busybox",
-        "version": "1.35.0",
-        "type": "",
+        "name": "libcrypto3",
+        "version": "3.0.8-r0",
+        "type": "apk",
         "locations": null,
         "language": "",
-        "licenses": [],
+        "licenses": [
+          "Apache-2.0"
+        ],
         "cpes": [
-          "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*",
-          "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*"
+          "cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*",
+          "cpe:2.3:a:libcrypto3:libcrypto:3.0.8-r0:*:*:*:*:*:*:*",
+          "cpe:2.3:a:libcrypto:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*",
+          "cpe:2.3:a:libcrypto:libcrypto:3.0.8-r0:*:*:*:*:*:*:*"
+        ],
+        "purl": "pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2",
+        "upstreams": [
+          {
+            "name": "openssl"
+          }
         ],
-        "purl": "pkg:/",
-        "upstreams": null,
         "metadata": null
       }
     },
     {
       "vulnerability": {
-        "id": "CVE-2022-30065",
-        "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-30065",
-        "namespace": "nvd:cpe",
-        "severity": "High",
+        "id": "CVE-2023-0464",
+        "dataSource": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464",
+        "namespace": "alpine:distro:alpine:3.17",
+        "severity": "Unknown",
         "urls": [
-          "https://bugs.busybox.net/show_bug.cgi?id=14781",
-          "https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf"
-        ],
-        "description": "A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.",
-        "cvss": [
-          {
-            "version": "2.0",
-            "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
-            "metrics": {
-              "baseScore": 6.8,
-              "exploitabilityScore": 8.6,
-              "impactScore": 6.4
-            },
-            "vendorMetadata": {}
-          },
-          {
-            "version": "3.1",
-            "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
-            "metrics": {
-              "baseScore": 7.8,
-              "exploitabilityScore": 1.8,
-              "impactScore": 5.9
-            },
-            "vendorMetadata": {}
-          }
+          "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0464"
         ],
+        "cvss": null,
         "fix": {
-          "versions": [],
-          "state": "unknown"
+          "versions": [
+            "3.0.8-r1"
+          ],
+          "state": "fixed"
         },
         "advisories": null
       },
       "relatedVulnerabilities": null,
       "matchDetails": [
         {
-          "type": "cpe-match",
-          "matcher": "stock-matcher",
+          "type": "exact-indirect-match",
+          "matcher": "apk-matcher",
           "searchedBy": {
-            "namespace": "nvd:cpe",
-            "cpes": [
-              "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*"
-            ]
+            "distro": {
+              "type": "alpine",
+              "version": "3.17.2"
+            },
+            "namespace": "alpine:distro:alpine:3.17",
+            "package": {
+              "name": "openssl",
+              "version": "3.0.8-r0"
+            }
           },
           "found": {
-            "vulnerabilityID": "CVE-2022-30065",
-            "versionConstraint": "= 1.35.0 (unknown)",
-            "cpes": [
-              "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*"
-            ]
+            "versionConstraint": "< 3.0.8-r1 (apk)",
+            "vulnerabilityID": "CVE-2023-0464"
           }
         }
       ],
       "artifact": {
-        "name": "busybox",
-        "version": "1.35.0",
-        "type": "",
+        "name": "libssl3",
+        "version": "3.0.8-r0",
+        "type": "apk",
         "locations": null,
         "language": "",
-        "licenses": [],
+        "licenses": [
+          "Apache-2.0"
+        ],
         "cpes": [
-          "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*",
-          "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*"
+          "cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:*",
+          "cpe:2.3:a:libssl3:libssl:3.0.8-r0:*:*:*:*:*:*:*",
+          "cpe:2.3:a:libssl:libssl3:3.0.8-r0:*:*:*:*:*:*:*",
+          "cpe:2.3:a:libssl:libssl:3.0.8-r0:*:*:*:*:*:*:*"
+        ],
+        "purl": "pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2",
+        "upstreams": [
+          {
+            "name": "openssl"
+          }
         ],
-        "purl": "pkg:/",
-        "upstreams": null,
         "metadata": null
       }
     }
@@ -188,4 +165,4 @@
       "error": null
     }
   }
-}
+}