
     1  package mariner
     2  
     3  import (
     4  	version "github.com/knqyf263/go-rpm-version"
     5  	"golang.org/x/xerrors"
     6  
     7  	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
     8  	osver "github.com/devseccon/trivy/pkg/detector/ospkg/version"
     9  	ftypes "github.com/devseccon/trivy/pkg/fanal/types"
    10  	"github.com/devseccon/trivy/pkg/log"
    11  	"github.com/devseccon/trivy/pkg/scanner/utils"
    12  	"github.com/devseccon/trivy/pkg/types"
    13  )
    14  
// Scanner implements the CBL-Mariner scanner.
//
// It is a thin adapter between Trivy's OS-package detector interface and the
// trivy-db CBL-Mariner vulnerability source: Detect looks up advisories per
// source package and compares RPM versions against the advisory's fixed version.
type Scanner struct {
	// vs is the advisory lookup; it is keyed by OS version and source package name.
	vs mariner.VulnSrc
}
    19  
// NewScanner returns a Scanner backed by a freshly constructed trivy-db
// CBL-Mariner vulnerability source.
func NewScanner() *Scanner {
	src := mariner.NewVulnSrc()
	return &Scanner{vs: src}
}
    26  
// Detect reports the known CBL-Mariner vulnerabilities affecting pkgs.
//
// osVer is the detected OS version string; the repository argument is unused
// because CBL-Mariner advisories are not repository-specific. For each package
// the advisory database is queried by *source* package name, and the installed
// source version is compared (RPM semantics) against each advisory's fixed
// version. Advisories without a fixed version are always reported as unpatched.
// Any database lookup failure aborts the whole scan and is returned wrapped.
func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
	log.Logger.Info("Detecting CBL-Mariner vulnerabilities...")

	// osVer arrives as a full build string, e.g. 1.0.20210127; Minor() reduces it
	// to the form the advisory database is keyed by (presumably "1.0").
	osVer = osver.Minor(osVer)

	log.Logger.Debugf("CBL-Mariner: os version: %s", osVer)
	log.Logger.Debugf("CBL-Mariner: the number of packages: %d", len(pkgs))

	var detected []types.DetectedVulnerability
	for _, pkg := range pkgs {
		// The CBL-Mariner OVAL feed names source packages only, so the lookup key
		// is SrcName, not the binary package name.
		advs, err := s.vs.Get(osVer, pkg.SrcName)
		if err != nil {
			return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
		}
		if len(advs) == 0 {
			continue
		}

		// Compare at the source-package level to match the advisory data; the
		// InstalledVersion reported to the user is still the binary package's version.
		installedSrc := version.NewVersion(utils.FormatSrcVersion(pkg))

		for _, adv := range advs {
			fixed := adv.FixedVersion
			if fixed != "" {
				// Patched advisory: report it only when the installed source version
				// is strictly older than the fix. Versions at or beyond the fix are clean.
				fixedVer := version.NewVersion(fixed)
				if !installedSrc.LessThan(fixedVer) {
					continue
				}
				// Report the normalized form of the fixed version.
				fixed = fixedVer.String()
			}
			// An empty fixed version means no fix is available yet: the advisory is
			// reported regardless of the installed version.
			detected = append(detected, types.DetectedVulnerability{
				VulnerabilityID:  adv.VulnerabilityID,
				PkgName:          pkg.Name,
				InstalledVersion: utils.FormatVersion(pkg),
				FixedVersion:     fixed,
				PkgRef:           pkg.Ref,
				Layer:            pkg.Layer,
				DataSource:       adv.DataSource,
			})
		}
	}

	return detected, nil
}
    74  
// IsSupportedVersion reports whether the given CBL-Mariner release is still
// covered by advisory data.
//
// No public EOL schedule exists for CBL-Mariner, so every release is treated
// as supported. Security caveat: this means users never get an "unsupported
// OS" warning for this distribution, even for builds that may no longer
// receive fixes; a clean scan result on an old release should not be read as
// proof that the release is still maintained.
func (s *Scanner) IsSupportedVersion(_ ftypes.OSType, _ string) bool {
	const alwaysSupported = true
	return alwaysSupported
}