package mariner

import (
	version "github.com/knqyf263/go-rpm-version"
	"golang.org/x/xerrors"

	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
	osver "github.com/devseccon/trivy/pkg/detector/ospkg/version"
	ftypes "github.com/devseccon/trivy/pkg/fanal/types"
	"github.com/devseccon/trivy/pkg/log"
	"github.com/devseccon/trivy/pkg/scanner/utils"
	"github.com/devseccon/trivy/pkg/types"
)

// Scanner detects vulnerabilities in CBL-Mariner OS packages by consulting
// the CBL-Mariner vulnerability source shipped with trivy-db.
type Scanner struct {
	vs mariner.VulnSrc
}

// NewScanner returns a Scanner backed by the default CBL-Mariner vulnerability source.
func NewScanner() *Scanner {
	return &Scanner{vs: mariner.NewVulnSrc()}
}

// Detect reports the vulnerabilities affecting pkgs on the given CBL-Mariner release.
//
// osVer (e.g. 1.0.20210127) is normalized with osver.Minor before the advisory
// lookup. Advisories are looked up by source package name, because the CBL-Mariner
// OVAL data contains source package names only, and the fixed version is compared
// against the package's source version (utils.FormatSrcVersion) while the reported
// InstalledVersion is the binary package version (utils.FormatVersion). The
// repository argument is unused. Advisories with no fixed version are always
// reported; the others are reported only when the source version is older than
// the fix. The first advisory lookup error aborts the scan.
func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
	log.Logger.Info("Detecting CBL-Mariner vulnerabilities...")

	// e.g. 1.0.20210127
	osVer = osver.Minor(osVer)

	log.Logger.Debugf("CBL-Mariner: os version: %s", osVer)
	log.Logger.Debugf("CBL-Mariner: the number of packages: %d", len(pkgs))

	var detected []types.DetectedVulnerability
	for _, pkg := range pkgs {
		found, err := s.detectPackage(osVer, pkg)
		if err != nil {
			return nil, err
		}
		// appending nothing keeps detected nil, so an empty result stays nil.
		detected = append(detected, found...)
	}

	return detected, nil
}

// detectPackage fetches the advisories for one package on the given release and
// returns those that apply to the installed source version.
func (s *Scanner) detectPackage(osVer string, pkg ftypes.Package) ([]types.DetectedVulnerability, error) {
	// CBL Mariner OVAL contains source package names only.
	advisories, err := s.vs.Get(osVer, pkg.SrcName)
	if err != nil {
		return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
	}

	installed := version.NewVersion(utils.FormatSrcVersion(pkg))

	var found []types.DetectedVulnerability
	for _, adv := range advisories {
		vuln := types.DetectedVulnerability{
			VulnerabilityID:  adv.VulnerabilityID,
			PkgName:          pkg.Name,
			InstalledVersion: utils.FormatVersion(pkg),
			PkgRef:           pkg.Ref,
			Layer:            pkg.Layer,
			DataSource:       adv.DataSource,
		}

		// No fix published: the package is affected regardless of version.
		if adv.FixedVersion == "" {
			found = append(found, vuln)
			continue
		}

		// Fix published: affected only while the source version predates it.
		fixed := version.NewVersion(adv.FixedVersion)
		if !installed.LessThan(fixed) {
			continue
		}
		vuln.FixedVersion = fixed.String()
		found = append(found, vuln)
	}

	return found, nil
}

// IsSupportedVersion reports whether the given OS version is still supported.
// CBL-Mariner EOL dates are not public at the moment, so every version is
// treated as supported.
func (s *Scanner) IsSupportedVersion(_ ftypes.OSType, _ string) bool {
	return true
}