github.com/devseccon/trivy@v0.47.1-0.20231123133102-bd902a0bd996/pkg/sbom/cyclonedx/marshal_test.go (about) 1 package cyclonedx_test 2 3 import ( 4 "testing" 5 "time" 6 7 cdx "github.com/CycloneDX/cyclonedx-go" 8 v1 "github.com/google/go-containerregistry/pkg/v1" 9 "github.com/samber/lo" 10 "github.com/stretchr/testify/assert" 11 "github.com/stretchr/testify/require" 12 13 dtypes "github.com/aquasecurity/trivy-db/pkg/types" 14 "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" 15 "github.com/devseccon/trivy/pkg/clock" 16 ftypes "github.com/devseccon/trivy/pkg/fanal/types" 17 "github.com/devseccon/trivy/pkg/report" 18 "github.com/devseccon/trivy/pkg/sbom/cyclonedx" 19 "github.com/devseccon/trivy/pkg/types" 20 "github.com/devseccon/trivy/pkg/uuid" 21 ) 22 23 func TestMarshaler_Marshal(t *testing.T) { 24 tests := []struct { 25 name string 26 inputReport types.Report 27 want *cdx.BOM 28 }{ 29 { 30 name: "happy path for container scan", 31 inputReport: types.Report{ 32 SchemaVersion: report.SchemaVersion, 33 ArtifactName: "rails:latest", 34 ArtifactType: ftypes.ArtifactContainerImage, 35 Metadata: types.Metadata{ 36 Size: 1024, 37 OS: &ftypes.OS{ 38 Family: ftypes.CentOS, 39 Name: "8.3.2011", 40 Eosl: true, 41 }, 42 ImageID: "sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6", 43 RepoTags: []string{"rails:latest"}, 44 DiffIDs: []string{"sha256:d871dadfb37b53ef1ca45be04fc527562b91989991a8f545345ae3be0b93f92a"}, 45 RepoDigests: []string{"rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177"}, 46 ImageConfig: v1.ConfigFile{ 47 Architecture: "arm64", 48 }, 49 }, 50 Results: types.Results{ 51 { 52 Target: "rails:latest (centos 8.3.2011)", 53 Class: types.ClassOSPkg, 54 Type: ftypes.CentOS, 55 Packages: []ftypes.Package{ 56 { 57 ID: "binutils@2.30-93.el8", 58 Name: "binutils", 59 Version: "2.30", 60 Release: "93.el8", 61 Epoch: 0, 62 Arch: "aarch64", 63 SrcName: "binutils", 64 SrcVersion: "2.30", 65 SrcRelease: "93.el8", 66 SrcEpoch: 0, 67 Modularitylabel: "", 68 Licenses: []string{"GPLv3+"}, 69 Maintainer: "CentOS", 70 Digest: "md5:7459cec61bb4d1b0ca8107e25e0dd005", 71 }, 72 }, 73 Vulnerabilities: []types.DetectedVulnerability{ 74 { 75 VulnerabilityID: "CVE-2018-20623", 76 PkgID: "binutils@2.30-93.el8", 77 PkgName: "binutils", 78 InstalledVersion: "2.30-93.el8", 79 Layer: ftypes.Layer{ 80 DiffID: "sha256:d871dadfb37b53ef1ca45be04fc527562b91989991a8f545345ae3be0b93f92a", 81 }, 82 SeveritySource: vulnerability.RedHatOVAL, 83 PrimaryURL: "https://avd.aquasec.com/nvd/cve-2018-20623", 84 DataSource: &dtypes.DataSource{ 85 ID: vulnerability.RedHatOVAL, 86 Name: "Red Hat OVAL v2", 87 URL: "https://www.redhat.com/security/data/oval/v2/", 88 }, 89 Vulnerability: dtypes.Vulnerability{ 90 Title: "binutils: Use-after-free in the error function", 91 Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.", 92 Severity: dtypes.SeverityMedium.String(), 93 VendorSeverity: dtypes.VendorSeverity{ 94 vulnerability.NVD: dtypes.SeverityMedium, 95 vulnerability.RedHatOVAL: dtypes.SeverityMedium, 96 }, 97 CweIDs: []string{"CWE-416"}, 98 CVSS: dtypes.VendorCVSS{ 99 vulnerability.NVD: dtypes.CVSS{ 100 V2Vector: "AV:N/AC:M/Au:N/C:N/I:N/A:P", 101 V3Vector: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 102 V2Score: 4.3, 103 V3Score: 5.5, 104 }, 105 vulnerability.RedHatOVAL: dtypes.CVSS{ 106 V3Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", 107 V3Score: 5.3, 108 }, 109 }, 110 PublishedDate: lo.ToPtr(time.Date(2018, 12, 31, 19, 29, 0, 0, time.UTC)), 111 LastModifiedDate: lo.ToPtr(time.Date(2019, 10, 31, 1, 15, 0, 0, time.UTC)), 112 }, 113 }, 114 }, 115 }, 116 { 117 Target: "app/subproject/Gemfile.lock", 118 Class: types.ClassLangPkg, 119 Type: ftypes.Bundler, 120 Packages: []ftypes.Package{ 121 { 122 ID: "actionpack@7.0.0", 123 Name: "actionpack", 124 Version: "7.0.0", 125 Indirect: false, 126 }, 127 { 128 ID: "actioncontroller@7.0.0", 129 Name: "actioncontroller", 130 Version: "7.0.0", 131 Indirect: false, 132 DependsOn: []string{ 133 "actionpack@7.0.0", 134 }, 135 }, 136 }, 137 }, 138 { 139 Target: "app/Gemfile.lock", 140 Class: types.ClassLangPkg, 141 Type: ftypes.Bundler, 142 Packages: []ftypes.Package{ 143 { 144 ID: "actionpack@7.0.0", 145 Name: "actionpack", 146 Version: "7.0.0", 147 }, 148 }, 149 }, 150 { 151 Target: "app/datacollector.deps.json", 152 Class: types.ClassLangPkg, 153 Type: ftypes.DotNetCore, 154 Packages: []ftypes.Package{ 155 { 156 ID: "Newtonsoft.Json@9.0.1", 157 Name: "Newtonsoft.Json", 158 Version: "9.0.1", 159 }, 160 }, 161 }, 162 { 163 Target: "usr/local/bin/tfsec", 164 Class: types.ClassLangPkg, 165 Type: ftypes.GoBinary, 166 Packages: []ftypes.Package{ 167 { 168 Name: "golang.org/x/crypto", 169 Version: "v0.0.0-20210421170649-83a5a9bb288b", 170 }, 171 // dependency has been replaced with local directory 172 { 173 Name: "./api", 174 Version: "(devel)", 175 }, 176 }, 177 }, 178 }, 179 }, 180 want: &cdx.BOM{ 181 XMLNS: "http://cyclonedx.org/schema/bom/1.5", 182 BOMFormat: "CycloneDX", 183 SpecVersion: cdx.SpecVersion1_5, 184 JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json", 185 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", 186 Version: 1, 187 Metadata: &cdx.Metadata{ 188 Timestamp: "2021-08-25T12:20:30+00:00", 189 Tools: &[]cdx.Tool{ 190 { 191 Name: "trivy", 192 Vendor: "aquasecurity", 193 Version: "dev", 194 }, 195 }, 196 Component: &cdx.Component{ 197 Type: cdx.ComponentTypeContainer, 198 BOMRef: "pkg:oci/rails@sha256%3Aa27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?arch=arm64&repository_url=index.docker.io%2Flibrary%2Frails", 199 PackageURL: "pkg:oci/rails@sha256%3Aa27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?arch=arm64&repository_url=index.docker.io%2Flibrary%2Frails", 200 Name: "rails:latest", 201 Properties: &[]cdx.Property{ 202 { 203 Name: "aquasecurity:trivy:DiffID", 204 Value: "sha256:d871dadfb37b53ef1ca45be04fc527562b91989991a8f545345ae3be0b93f92a", 205 }, 206 { 207 Name: "aquasecurity:trivy:ImageID", 208 Value: "sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6", 209 }, 210 { 211 Name: "aquasecurity:trivy:RepoDigest", 212 Value: "rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177", 213 }, 214 { 215 Name: "aquasecurity:trivy:RepoTag", 216 Value: "rails:latest", 217 }, 218 { 219 Name: "aquasecurity:trivy:SchemaVersion", 220 Value: "2", 221 }, 222 { 223 Name: "aquasecurity:trivy:Size", 224 Value: "1024", 225 }, 226 }, 227 }, 228 }, 229 Components: &[]cdx.Component{ 230 { 231 BOMRef: "3ff14136-e09f-4df9-80ea-000000000002", 232 Type: cdx.ComponentTypeOS, 233 Name: "centos", 234 Version: "8.3.2011", 235 Properties: &[]cdx.Property{ 236 { 237 Name: "aquasecurity:trivy:Class", 238 Value: "os-pkgs", 239 }, 240 { 241 Name: "aquasecurity:trivy:Type", 242 Value: "centos", 243 }, 244 }, 245 }, 246 { 247 BOMRef: "3ff14136-e09f-4df9-80ea-000000000003", 248 Type: cdx.ComponentTypeApplication, 249 Name: "app/subproject/Gemfile.lock", 250 Version: "", 251 Properties: &[]cdx.Property{ 252 { 253 Name: "aquasecurity:trivy:Class", 254 Value: "lang-pkgs", 255 }, 256 { 257 Name: "aquasecurity:trivy:Type", 258 Value: "bundler", 259 }, 260 }, 261 }, 262 { 263 BOMRef: "3ff14136-e09f-4df9-80ea-000000000004", 264 Type: cdx.ComponentTypeApplication, 265 Name: "app/Gemfile.lock", 266 Version: "", 267 Properties: &[]cdx.Property{ 268 { 269 Name: "aquasecurity:trivy:Class", 270 Value: "lang-pkgs", 271 }, 272 { 273 Name: "aquasecurity:trivy:Type", 274 Value: "bundler", 275 }, 276 }, 277 }, 278 { 279 BOMRef: "3ff14136-e09f-4df9-80ea-000000000005", 280 Type: cdx.ComponentTypeApplication, 281 Name: "app/datacollector.deps.json", 282 Version: "", 283 Properties: &[]cdx.Property{ 284 { 285 Name: "aquasecurity:trivy:Class", 286 Value: "lang-pkgs", 287 }, 288 { 289 Name: "aquasecurity:trivy:Type", 290 Value: "dotnet-core", 291 }, 292 }, 293 }, 294 { 295 BOMRef: "3ff14136-e09f-4df9-80ea-000000000006", 296 Type: cdx.ComponentTypeApplication, 297 Name: "usr/local/bin/tfsec", 298 Version: "", 299 Properties: &[]cdx.Property{ 300 { 301 Name: "aquasecurity:trivy:Class", 302 Value: "lang-pkgs", 303 }, 304 { 305 Name: "aquasecurity:trivy:Type", 306 Value: "gobinary", 307 }, 308 }, 309 }, 310 { 311 // Use UUID for local Go packages 312 BOMRef: "3ff14136-e09f-4df9-80ea-000000000007", 313 Type: cdx.ComponentTypeLibrary, 314 Name: "./api", 315 Version: "(devel)", 316 Properties: &[]cdx.Property{ 317 { 318 Name: "aquasecurity:trivy:PkgType", 319 Value: "gobinary", 320 }, 321 }, 322 }, 323 { 324 BOMRef: "pkg:gem/actioncontroller@7.0.0", 325 Type: cdx.ComponentTypeLibrary, 326 Name: "actioncontroller", 327 Version: "7.0.0", 328 PackageURL: "pkg:gem/actioncontroller@7.0.0", 329 Properties: &[]cdx.Property{ 330 { 331 Name: "aquasecurity:trivy:PkgID", 332 Value: "actioncontroller@7.0.0", 333 }, 334 { 335 Name: "aquasecurity:trivy:PkgType", 336 Value: "bundler", 337 }, 338 }, 339 }, 340 { 341 BOMRef: "pkg:gem/actionpack@7.0.0", 342 Type: cdx.ComponentTypeLibrary, 343 Name: "actionpack", 344 Version: "7.0.0", 345 PackageURL: "pkg:gem/actionpack@7.0.0", 346 Properties: &[]cdx.Property{ 347 { 348 Name: "aquasecurity:trivy:PkgID", 349 Value: "actionpack@7.0.0", 350 }, 351 { 352 Name: "aquasecurity:trivy:PkgType", 353 Value: "bundler", 354 }, 355 }, 356 }, 357 { 358 BOMRef: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b", 359 Type: cdx.ComponentTypeLibrary, 360 Name: "golang.org/x/crypto", 361 Version: "v0.0.0-20210421170649-83a5a9bb288b", 362 PackageURL: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b", 363 Properties: &[]cdx.Property{ 364 { 365 Name: "aquasecurity:trivy:PkgType", 366 Value: "gobinary", 367 }, 368 }, 369 }, 370 { 371 BOMRef: "pkg:nuget/Newtonsoft.Json@9.0.1", 372 Type: cdx.ComponentTypeLibrary, 373 Name: "Newtonsoft.Json", 374 Version: "9.0.1", 375 PackageURL: "pkg:nuget/Newtonsoft.Json@9.0.1", 376 Properties: &[]cdx.Property{ 377 { 378 Name: "aquasecurity:trivy:PkgID", 379 Value: "Newtonsoft.Json@9.0.1", 380 }, 381 { 382 Name: "aquasecurity:trivy:PkgType", 383 Value: "dotnet-core", 384 }, 385 }, 386 }, 387 { 388 BOMRef: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011", 389 Type: cdx.ComponentTypeLibrary, 390 Name: "binutils", 391 Version: "2.30-93.el8", 392 Licenses: &cdx.Licenses{ 393 cdx.LicenseChoice{ 394 License: &cdx.License{ 395 Name: "GPLv3+", 396 }, 397 }, 398 }, 399 PackageURL: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011", 400 Supplier: &cdx.OrganizationalEntity{ 401 Name: "CentOS", 402 }, 403 Properties: &[]cdx.Property{ 404 { 405 Name: "aquasecurity:trivy:PkgID", 406 Value: "binutils@2.30-93.el8", 407 }, 408 { 409 Name: "aquasecurity:trivy:PkgType", 410 Value: "centos", 411 }, 412 { 413 Name: "aquasecurity:trivy:SrcName", 414 Value: "binutils", 415 }, 416 { 417 Name: "aquasecurity:trivy:SrcRelease", 418 Value: "93.el8", 419 }, 420 { 421 Name: "aquasecurity:trivy:SrcVersion", 422 Value: "2.30", 423 }, 424 }, 425 Hashes: &[]cdx.Hash{ 426 { 427 Algorithm: cdx.HashAlgoMD5, 428 Value: "7459cec61bb4d1b0ca8107e25e0dd005", 429 }, 430 }, 431 }, 432 }, 433 Dependencies: &[]cdx.Dependency{ 434 { 435 Ref: "3ff14136-e09f-4df9-80ea-000000000002", 436 Dependencies: &[]string{ 437 "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011", 438 }, 439 }, 440 { 441 Ref: "3ff14136-e09f-4df9-80ea-000000000003", 442 Dependencies: &[]string{ 443 "pkg:gem/actioncontroller@7.0.0", 444 "pkg:gem/actionpack@7.0.0", 445 }, 446 }, 447 { 448 Ref: "3ff14136-e09f-4df9-80ea-000000000004", 449 Dependencies: &[]string{ 450 "pkg:gem/actionpack@7.0.0", 451 }, 452 }, 453 { 454 Ref: "3ff14136-e09f-4df9-80ea-000000000005", 455 Dependencies: &[]string{ 456 "pkg:nuget/Newtonsoft.Json@9.0.1", 457 }, 458 }, 459 { 460 Ref: "3ff14136-e09f-4df9-80ea-000000000006", 461 Dependencies: &[]string{ 462 "3ff14136-e09f-4df9-80ea-000000000007", 463 "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b", 464 }, 465 }, 466 { 467 Ref: "3ff14136-e09f-4df9-80ea-000000000007", 468 Dependencies: lo.ToPtr([]string{}), 469 }, 470 { 471 Ref: "pkg:gem/actioncontroller@7.0.0", 472 Dependencies: &[]string{ 473 "pkg:gem/actionpack@7.0.0", 474 }, 475 }, 476 { 477 Ref: "pkg:gem/actionpack@7.0.0", 478 Dependencies: lo.ToPtr([]string{}), 479 }, 480 { 481 Ref: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b", 482 Dependencies: lo.ToPtr([]string{}), 483 }, 484 { 485 Ref: "pkg:nuget/Newtonsoft.Json@9.0.1", 486 Dependencies: lo.ToPtr([]string{}), 487 }, 488 { 489 Ref: "pkg:oci/rails@sha256%3Aa27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?arch=arm64&repository_url=index.docker.io%2Flibrary%2Frails", 490 Dependencies: &[]string{ 491 "3ff14136-e09f-4df9-80ea-000000000002", 492 "3ff14136-e09f-4df9-80ea-000000000003", 493 "3ff14136-e09f-4df9-80ea-000000000004", 494 "3ff14136-e09f-4df9-80ea-000000000005", 495 "3ff14136-e09f-4df9-80ea-000000000006", 496 }, 497 }, 498 { 499 Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011", 500 Dependencies: lo.ToPtr([]string{}), 501 }, 502 }, 503 Vulnerabilities: &[]cdx.Vulnerability{ 504 { 505 ID: "CVE-2018-20623", 506 Source: &cdx.Source{ 507 Name: string(vulnerability.RedHatOVAL), 508 URL: "https://www.redhat.com/security/data/oval/v2/", 509 }, 510 Ratings: &[]cdx.VulnerabilityRating{ 511 { 512 Source: &cdx.Source{ 513 Name: string(vulnerability.NVD), 514 URL: "", 515 }, 516 Score: lo.ToPtr(4.3), 517 Severity: cdx.SeverityMedium, 518 Method: cdx.ScoringMethodCVSSv2, 519 Vector: "AV:N/AC:M/Au:N/C:N/I:N/A:P", 520 }, 521 { 522 Source: &cdx.Source{ 523 Name: string(vulnerability.NVD), 524 URL: "", 525 }, 526 Score: lo.ToPtr(5.5), 527 Severity: cdx.SeverityMedium, 528 Method: cdx.ScoringMethodCVSSv3, 529 Vector: "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 530 }, 531 { 532 Source: &cdx.Source{ 533 Name: string(vulnerability.RedHatOVAL), 534 URL: "", 535 }, 536 Score: lo.ToPtr(5.3), 537 Severity: cdx.SeverityMedium, 538 Method: cdx.ScoringMethodCVSSv3, 539 Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", 540 }, 541 }, 542 CWEs: &[]int{ 543 416, 544 }, 545 Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.", 546 Published: "2018-12-31T19:29:00+00:00", 547 Updated: "2019-10-31T01:15:00+00:00", 548 Advisories: &[]cdx.Advisory{ 549 { 550 URL: "https://avd.aquasec.com/nvd/cve-2018-20623", 551 }, 552 }, 553 Affects: &[]cdx.Affects{ 554 { 555 Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011", 556 Range: &[]cdx.AffectedVersions{ 557 { 558 Version: "2.30-93.el8", 559 Status: cdx.VulnerabilityStatusAffected, 560 }, 561 }, 562 }, 563 }, 564 }, 565 }, 566 }, 567 }, 568 { 569 name: "happy path for local container scan", 570 inputReport: types.Report{ 571 SchemaVersion: report.SchemaVersion, 572 ArtifactName: "centos:latest", 573 ArtifactType: ftypes.ArtifactContainerImage, 574 Metadata: types.Metadata{ 575 Size: 1024, 576 OS: &ftypes.OS{ 577 Family: ftypes.CentOS, 578 Name: "8.3.2011", 579 Eosl: true, 580 }, 581 ImageID: "sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6", 582 RepoTags: []string{"centos:latest"}, 583 RepoDigests: []string{}, 584 ImageConfig: v1.ConfigFile{ 585 Architecture: "arm64", 586 }, 587 }, 588 Results: types.Results{ 589 { 590 Target: "centos:latest (centos 8.3.2011)", 591 Class: types.ClassOSPkg, 592 Type: ftypes.CentOS, 593 Packages: []ftypes.Package{ 594 { 595 ID: "acl@2.2.53-1.el8", 596 Name: "acl", 597 Version: "2.2.53", 598 Release: "1.el8", 599 Epoch: 1, 600 Arch: "aarch64", 601 SrcName: "acl", 602 SrcVersion: "2.2.53", 603 SrcRelease: "1.el8", 604 SrcEpoch: 1, 605 Modularitylabel: "", 606 Licenses: []string{"GPLv2+"}, 607 DependsOn: []string{ 608 "glibc@2.28-151.el8", 609 }, 610 Digest: "md5:483792b8b5f9eb8be7dc4407733118d0", 611 }, 612 { 613 ID: "glibc@2.28-151.el8", 614 Name: "glibc", 615 Version: "2.28", 616 Release: "151.el8", 617 Epoch: 0, 618 Arch: "aarch64", 619 SrcName: "glibc", 620 SrcVersion: "2.28", 621 SrcRelease: "151.el8", 622 SrcEpoch: 0, 623 Modularitylabel: "", 624 Licenses: []string{"GPLv2+"}, 625 Digest: "md5:969b3c9231627022f8bf7ac70de807a1", 626 }, 627 }, 628 }, 629 { 630 Target: "Ruby", 631 Class: types.ClassLangPkg, 632 Type: ftypes.GemSpec, 633 Packages: []ftypes.Package{ 634 { 635 ID: "actionpack@7.0.0", 636 Name: "actionpack", 637 Version: "7.0.0", 638 Layer: ftypes.Layer{ 639 DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488", 640 }, 641 FilePath: "tools/project-john/specifications/actionpack.gemspec", 642 }, 643 { 644 ID: "actionpack@7.0.1", 645 Name: "actionpack", 646 Version: "7.0.1", 647 Layer: ftypes.Layer{ 648 DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488", 649 }, 650 FilePath: "tools/project-doe/specifications/actionpack.gemspec", 651 }, 652 }, 653 Vulnerabilities: []types.DetectedVulnerability{ 654 { 655 VulnerabilityID: "CVE-2022-23633", 656 PkgID: "actionpack@7.0.0", 657 PkgName: "actionpack", 658 PkgPath: "tools/project-john/specifications/actionpack.gemspec", 659 InstalledVersion: "7.0.0", 660 FixedVersion: "~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2", 661 SeveritySource: vulnerability.RubySec, 662 PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-23633", 663 DataSource: &dtypes.DataSource{ 664 ID: vulnerability.RubySec, 665 Name: "Ruby Advisory Database", 666 URL: "https://github.com/rubysec/ruby-advisory-db", 667 }, 668 Vulnerability: dtypes.Vulnerability{ 669 Title: "rubygem-actionpack: information leak between requests", 670 Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.", 671 Severity: dtypes.SeverityMedium.String(), 672 VendorSeverity: dtypes.VendorSeverity{ 673 vulnerability.NVD: dtypes.SeverityMedium, 674 vulnerability.RedHat: dtypes.SeverityLow, 675 vulnerability.RubySec: dtypes.SeverityHigh, 676 }, 677 CVSS: dtypes.VendorCVSS{ 678 vulnerability.NVD: dtypes.CVSS{ 679 V2Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C", 680 V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 681 V2Score: 9.7, 682 V3Score: 5.9, 683 }, 684 vulnerability.RedHat: dtypes.CVSS{ 685 V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 686 V3Score: 5.9, 687 }, 688 }, 689 References: []string{ 690 "http://www.openwall.com/lists/oss-security/2022/02/11/5", 691 "https://access.redhat.com/security/cve/CVE-2022-23633", 692 }, 693 PublishedDate: lo.ToPtr(time.Date(2022, 2, 11, 21, 15, 0, 0, time.UTC)), 694 LastModifiedDate: lo.ToPtr(time.Date(2022, 2, 22, 21, 47, 0, 0, time.UTC)), 695 }, 696 }, 697 { 698 VulnerabilityID: "CVE-2022-23633", 699 PkgID: "actionpack@7.0.1", 700 PkgName: "actionpack", 701 PkgPath: "tools/project-doe/specifications/actionpack.gemspec", 702 InstalledVersion: "7.0.1", 703 FixedVersion: "~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2", 704 SeveritySource: vulnerability.RubySec, 705 PrimaryURL: "https://avd.aquasec.com/nvd/cve-2022-23633", 706 DataSource: &dtypes.DataSource{ 707 ID: vulnerability.RubySec, 708 Name: "Ruby Advisory Database", 709 URL: "https://github.com/rubysec/ruby-advisory-db", 710 }, 711 Vulnerability: dtypes.Vulnerability{ 712 Title: "rubygem-actionpack: information leak between requests", 713 Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.", 714 Severity: dtypes.SeverityMedium.String(), 715 VendorSeverity: dtypes.VendorSeverity{ 716 vulnerability.NVD: dtypes.SeverityMedium, 717 vulnerability.RedHat: dtypes.SeverityLow, 718 vulnerability.RubySec: dtypes.SeverityHigh, 719 }, 720 CVSS: dtypes.VendorCVSS{ 721 vulnerability.NVD: dtypes.CVSS{ 722 V2Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C", 723 V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 724 V2Score: 9.7, 725 V3Score: 5.9, 726 }, 727 vulnerability.RedHat: dtypes.CVSS{ 728 V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 729 V3Score: 5.9, 730 }, 731 }, 732 References: []string{ 733 "http://www.openwall.com/lists/oss-security/2022/02/11/5", 734 "https://access.redhat.com/security/cve/CVE-2022-23633", 735 }, 736 PublishedDate: lo.ToPtr(time.Date(2022, 2, 11, 21, 15, 0, 0, time.UTC)), 737 LastModifiedDate: lo.ToPtr(time.Date(2022, 2, 22, 21, 47, 0, 0, time.UTC)), 738 }, 739 }, 740 }, 741 }, 742 }, 743 }, 744 want: &cdx.BOM{ 745 XMLNS: "http://cyclonedx.org/schema/bom/1.5", 746 BOMFormat: "CycloneDX", 747 SpecVersion: cdx.SpecVersion1_5, 748 JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json", 749 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", 750 Version: 1, 751 Metadata: &cdx.Metadata{ 752 Timestamp: "2021-08-25T12:20:30+00:00", 753 Tools: &[]cdx.Tool{ 754 { 755 Name: "trivy", 756 Vendor: "aquasecurity", 757 Version: "dev", 758 }, 759 }, 760 Component: &cdx.Component{ 761 Type: cdx.ComponentTypeContainer, 762 BOMRef: "3ff14136-e09f-4df9-80ea-000000000002", 763 PackageURL: "", 764 Name: "centos:latest", 765 Properties: &[]cdx.Property{ 766 { 767 Name: "aquasecurity:trivy:ImageID", 768 Value: "sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6", 769 }, 770 { 771 Name: "aquasecurity:trivy:RepoTag", 772 Value: "centos:latest", 773 }, 774 { 775 Name: "aquasecurity:trivy:SchemaVersion", 776 Value: "2", 777 }, 778 { 779 Name: "aquasecurity:trivy:Size", 780 Value: "1024", 781 }, 782 }, 783 }, 784 }, 785 Components: &[]cdx.Component{ 786 { 787 BOMRef: "3ff14136-e09f-4df9-80ea-000000000003", 788 Type: cdx.ComponentTypeOS, 789 Name: string(ftypes.CentOS), 790 Version: "8.3.2011", 791 Properties: &[]cdx.Property{ 792 { 793 Name: "aquasecurity:trivy:Class", 794 Value: "os-pkgs", 795 }, 796 { 797 Name: "aquasecurity:trivy:Type", 798 Value: "centos", 799 }, 800 }, 801 }, 802 { 803 BOMRef: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec", 804 Type: cdx.ComponentTypeLibrary, 805 Name: "actionpack", 806 Version: "7.0.0", 807 PackageURL: "pkg:gem/actionpack@7.0.0", 808 Properties: &[]cdx.Property{ 809 { 810 Name: "aquasecurity:trivy:FilePath", 811 Value: "tools/project-john/specifications/actionpack.gemspec", 812 }, 813 { 814 Name: "aquasecurity:trivy:LayerDiffID", 815 Value: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488", 816 }, 817 { 818 Name: "aquasecurity:trivy:PkgID", 819 Value: "actionpack@7.0.0", 820 }, 821 { 822 Name: "aquasecurity:trivy:PkgType", 823 Value: "gemspec", 824 }, 825 }, 826 }, 827 { 828 BOMRef: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec", 829 Type: cdx.ComponentTypeLibrary, 830 Name: "actionpack", 831 Version: "7.0.1", 832 PackageURL: "pkg:gem/actionpack@7.0.1", 833 Properties: &[]cdx.Property{ 834 { 835 Name: "aquasecurity:trivy:FilePath", 836 Value: "tools/project-doe/specifications/actionpack.gemspec", 837 }, 838 { 839 Name: "aquasecurity:trivy:LayerDiffID", 840 Value: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488", 841 }, 842 { 843 Name: "aquasecurity:trivy:PkgID", 844 Value: "actionpack@7.0.1", 845 }, 846 { 847 Name: "aquasecurity:trivy:PkgType", 848 Value: "gemspec", 849 }, 850 }, 851 }, 852 { 853 BOMRef: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", 854 Type: cdx.ComponentTypeLibrary, 855 Name: "acl", 856 Version: "2.2.53-1.el8", 857 Licenses: &cdx.Licenses{ 858 cdx.LicenseChoice{ 859 License: &cdx.License{ 860 Name: "GPLv2+", 861 }, 862 }, 863 }, 864 PackageURL: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", 865 Properties: &[]cdx.Property{ 866 { 867 Name: "aquasecurity:trivy:PkgID", 868 Value: "acl@2.2.53-1.el8", 869 }, 870 { 871 Name: "aquasecurity:trivy:PkgType", 872 Value: "centos", 873 }, 874 { 875 Name: "aquasecurity:trivy:SrcEpoch", 876 Value: "1", 877 }, 878 { 879 Name: "aquasecurity:trivy:SrcName", 880 Value: "acl", 881 }, 882 { 883 Name: "aquasecurity:trivy:SrcRelease", 884 Value: "1.el8", 885 }, 886 { 887 Name: "aquasecurity:trivy:SrcVersion", 888 Value: "2.2.53", 889 }, 890 }, 891 Hashes: &[]cdx.Hash{ 892 { 893 Algorithm: cdx.HashAlgoMD5, 894 Value: "483792b8b5f9eb8be7dc4407733118d0", 895 }, 896 }, 897 }, 898 { 899 BOMRef: "pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011", 900 Type: cdx.ComponentTypeLibrary, 901 Name: "glibc", 902 Version: "2.28-151.el8", 903 Licenses: &cdx.Licenses{ 904 cdx.LicenseChoice{ 905 License: &cdx.License{ 906 Name: "GPLv2+", 907 }, 908 }, 909 }, 910 PackageURL: "pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011", 911 Properties: &[]cdx.Property{ 912 { 913 Name: "aquasecurity:trivy:PkgID", 914 Value: "glibc@2.28-151.el8", 915 }, 916 { 917 Name: "aquasecurity:trivy:PkgType", 918 Value: "centos", 919 }, 920 { 921 Name: "aquasecurity:trivy:SrcName", 922 Value: "glibc", 923 }, 924 { 925 Name: "aquasecurity:trivy:SrcRelease", 926 Value: "151.el8", 927 }, 928 { 929 Name: "aquasecurity:trivy:SrcVersion", 930 Value: "2.28", 931 }, 932 }, 933 Hashes: &[]cdx.Hash{ 934 { 935 Algorithm: cdx.HashAlgoMD5, 936 Value: "969b3c9231627022f8bf7ac70de807a1", 937 }, 938 }, 939 }, 940 }, 941 Dependencies: &[]cdx.Dependency{ 942 { 943 Ref: "3ff14136-e09f-4df9-80ea-000000000002", 944 Dependencies: &[]string{ 945 "3ff14136-e09f-4df9-80ea-000000000003", 946 "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec", 947 "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec", 948 }, 949 }, 950 { 951 Ref: "3ff14136-e09f-4df9-80ea-000000000003", 952 Dependencies: &[]string{ 953 "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", 954 // Trivy is unable to identify the direct OS packages as of today. 955 "pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011", 956 }, 957 }, 958 { 959 Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec", 960 Dependencies: lo.ToPtr([]string{}), 961 }, 962 { 963 Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec", 964 Dependencies: lo.ToPtr([]string{}), 965 }, 966 { 967 Ref: "pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1", 968 Dependencies: &[]string{ 969 "pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011", 970 }, 971 }, 972 { 973 Ref: "pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011", 974 Dependencies: lo.ToPtr([]string{}), 975 }, 976 }, 977 Vulnerabilities: &[]cdx.Vulnerability{ 978 { 979 ID: "CVE-2022-23633", 980 Source: &cdx.Source{ 981 Name: string(vulnerability.RubySec), 982 URL: "https://github.com/rubysec/ruby-advisory-db", 983 }, 984 Recommendation: "Upgrade actionpack to version ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2", 985 Ratings: &[]cdx.VulnerabilityRating{ 986 { 987 Source: &cdx.Source{ 988 Name: string(vulnerability.NVD), 989 }, 990 Score: lo.ToPtr(9.7), 991 Severity: cdx.SeverityHigh, 992 Method: cdx.ScoringMethodCVSSv2, 993 Vector: "AV:N/AC:L/Au:N/C:C/I:P/A:C", 994 }, 995 { 996 Source: &cdx.Source{ 997 Name: string(vulnerability.NVD), 998 }, 999 Score: lo.ToPtr(5.9), 1000 Severity: cdx.SeverityMedium, 1001 Method: cdx.ScoringMethodCVSSv31, 1002 Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 1003 }, 1004 { 1005 Source: &cdx.Source{ 1006 Name: string(vulnerability.RedHat), 1007 }, 1008 Score: lo.ToPtr(5.9), 1009 Severity: cdx.SeverityLow, 1010 Method: cdx.ScoringMethodCVSSv31, 1011 Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 1012 }, 1013 { 1014 Source: &cdx.Source{ 1015 Name: string(vulnerability.RubySec), 1016 }, 1017 Severity: cdx.SeverityHigh, 1018 }, 1019 }, 1020 Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.", 1021 Advisories: &[]cdx.Advisory{ 1022 { 1023 URL: "https://avd.aquasec.com/nvd/cve-2022-23633", 1024 }, 1025 { 1026 URL: "http://www.openwall.com/lists/oss-security/2022/02/11/5", 1027 }, 1028 { 1029 URL: "https://access.redhat.com/security/cve/CVE-2022-23633", 1030 }, 1031 }, 1032 Published: "2022-02-11T21:15:00+00:00", 1033 Updated: "2022-02-22T21:47:00+00:00", 1034 Affects: &[]cdx.Affects{ 1035 { 1036 Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec", 1037 Range: &[]cdx.AffectedVersions{ 1038 { 1039 Version: "7.0.0", 1040 Status: cdx.VulnerabilityStatusAffected, 1041 }, 1042 }, 1043 }, 1044 { 1045 Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec", 1046 Range: &[]cdx.AffectedVersions{ 1047 { 1048 Version: "7.0.1", 1049 Status: cdx.VulnerabilityStatusAffected, 1050 }, 1051 }, 1052 }, 1053 }, 1054 }, 1055 }, 1056 }, 1057 }, 1058 { 1059 name: "happy path for fs scan", 1060 inputReport: types.Report{ 1061 SchemaVersion: report.SchemaVersion, 1062 ArtifactName: "masahiro331/CVE-2021-41098", 1063 ArtifactType: ftypes.ArtifactFilesystem, 1064 Results: types.Results{ 1065 { 1066 Target: "Gemfile.lock", 1067 Class: types.ClassLangPkg, 1068 Type: ftypes.Bundler, 1069 Packages: []ftypes.Package{ 1070 { 1071 Name: "actioncable", 1072 Version: "6.1.4.1", 1073 }, 1074 }, 1075 }, 1076 { 1077 Target: "Java", 1078 Class: types.ClassLangPkg, 1079 Type: ftypes.Jar, 1080 Packages: []ftypes.Package{ 1081 { 1082 Name: "org.springframework:spring-web", 1083 Version: "5.3.22", 1084 FilePath: "spring-web-5.3.22.jar", 1085 }, 1086 }, 1087 }, 1088 }, 1089 }, 1090 want: &cdx.BOM{ 1091 XMLNS: "http://cyclonedx.org/schema/bom/1.5", 1092 BOMFormat: "CycloneDX", 1093 SpecVersion: cdx.SpecVersion1_5, 1094 JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json", 1095 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", 1096 Version: 1, 1097 Metadata: &cdx.Metadata{ 1098 Timestamp: "2021-08-25T12:20:30+00:00", 1099 Tools: &[]cdx.Tool{ 1100 { 1101 Name: "trivy", 1102 Vendor: "aquasecurity", 1103 Version: "dev", 1104 }, 1105 }, 1106 Component: &cdx.Component{ 1107 BOMRef: "3ff14136-e09f-4df9-80ea-000000000002", 1108 Type: cdx.ComponentTypeApplication, 1109 Name: "masahiro331/CVE-2021-41098", 1110 Properties: &[]cdx.Property{ 1111 { 1112 Name: "aquasecurity:trivy:SchemaVersion", 1113 Value: "2", 1114 }, 1115 }, 1116 }, 1117 }, 1118 Components: &[]cdx.Component{ 1119 { 1120 BOMRef: "3ff14136-e09f-4df9-80ea-000000000003", 1121 Type: cdx.ComponentTypeApplication, 1122 Name: "Gemfile.lock", 1123 Properties: &[]cdx.Property{ 1124 { 1125 Name: "aquasecurity:trivy:Class", 1126 Value: "lang-pkgs", 1127 }, 1128 { 1129 Name: "aquasecurity:trivy:Type", 1130 Value: "bundler", 1131 }, 1132 }, 1133 }, 1134 { 1135 BOMRef: "pkg:gem/actioncable@6.1.4.1", 1136 Type: "library", 1137 Name: "actioncable", 1138 Version: "6.1.4.1", 1139 PackageURL: "pkg:gem/actioncable@6.1.4.1", 1140 Properties: &[]cdx.Property{ 1141 { 1142 Name: "aquasecurity:trivy:PkgType", 1143 Value: "bundler", 1144 }, 1145 }, 1146 }, 1147 { 1148 BOMRef: "pkg:maven/org.springframework/spring-web@5.3.22?file_path=spring-web-5.3.22.jar", 1149 Type: "library", 1150 Name: "spring-web", 1151 Group: "org.springframework", 1152 Version: "5.3.22", 1153 PackageURL: "pkg:maven/org.springframework/spring-web@5.3.22", 1154 Properties: &[]cdx.Property{ 1155 { 1156 Name: "aquasecurity:trivy:FilePath", 1157 Value: "spring-web-5.3.22.jar", 1158 }, 1159 { 1160 Name: "aquasecurity:trivy:PkgType", 1161 Value: "jar", 1162 }, 1163 }, 1164 }, 1165 }, 1166 Vulnerabilities: &[]cdx.Vulnerability{}, 1167 Dependencies: &[]cdx.Dependency{ 1168 { 1169 Ref: "3ff14136-e09f-4df9-80ea-000000000002", 1170 Dependencies: &[]string{ 1171 "3ff14136-e09f-4df9-80ea-000000000003", 1172 "pkg:maven/org.springframework/spring-web@5.3.22?file_path=spring-web-5.3.22.jar", 1173 }, 1174 }, 1175 { 1176 Ref: "3ff14136-e09f-4df9-80ea-000000000003", 1177 Dependencies: &[]string{ 1178 "pkg:gem/actioncable@6.1.4.1", 1179 }, 1180 }, 1181 { 1182 Ref: "pkg:gem/actioncable@6.1.4.1", 1183 Dependencies: lo.ToPtr([]string{}), 1184 }, 1185 { 1186 Ref: "pkg:maven/org.springframework/spring-web@5.3.22?file_path=spring-web-5.3.22.jar", 1187 Dependencies: lo.ToPtr([]string{}), 1188 }, 1189 }, 1190 }, 1191 }, 1192 { 1193 name: "happy path. 2 packages for 1 CVE", 1194 inputReport: types.Report{ 1195 SchemaVersion: report.SchemaVersion, 1196 ArtifactName: "CVE-2023-34468", 1197 ArtifactType: ftypes.ArtifactFilesystem, 1198 Results: types.Results{ 1199 { 1200 Target: "Java", 1201 Class: types.ClassLangPkg, 1202 Type: ftypes.Jar, 1203 Packages: []ftypes.Package{ 1204 { 1205 Name: "org.apache.nifi:nifi-dbcp-base", 1206 Version: "1.20.0", 1207 FilePath: "nifi-dbcp-base-1.20.0.jar", 1208 }, 1209 { 1210 Name: "org.apache.nifi:nifi-hikari-dbcp-service", 1211 Version: "1.20.0", 1212 FilePath: "nifi-hikari-dbcp-service-1.20.0.jar", 1213 }, 1214 }, 1215 Vulnerabilities: []types.DetectedVulnerability{ 1216 { 1217 VulnerabilityID: "CVE-2023-34468", 1218 PkgName: "org.apache.nifi:nifi-dbcp-base", 1219 PkgPath: "nifi-dbcp-base-1.20.0.jar", 1220 InstalledVersion: "1.20.0", 1221 FixedVersion: "1.22.0", 1222 SeveritySource: vulnerability.GHSA, 1223 PrimaryURL: "https://avd.aquasec.com/nvd/cve-2023-34468", 1224 DataSource: &dtypes.DataSource{ 1225 ID: vulnerability.GHSA, 1226 Name: "GitHub Security Advisory Maven", 1227 URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", 1228 }, 1229 Vulnerability: dtypes.Vulnerability{ 1230 Title: "Apache NiFi vulnerable to Code Injection", 1231 Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...", 1232 Severity: dtypes.SeverityHigh.String(), 1233 CweIDs: []string{ 1234 "CWE-94", 1235 }, 1236 VendorSeverity: dtypes.VendorSeverity{ 1237 vulnerability.GHSA: dtypes.SeverityHigh, 1238 vulnerability.NVD: dtypes.SeverityHigh, 1239 }, 1240 CVSS: dtypes.VendorCVSS{ 1241 vulnerability.GHSA: dtypes.CVSS{ 1242 V3Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 1243 V3Score: 8.8, 1244 }, 1245 vulnerability.NVD: dtypes.CVSS{ 1246 V3Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 1247 V3Score: 8.8, 1248 }, 1249 }, 1250 References: []string{ 1251 "http://www.openwall.com/lists/oss-security/2023/06/12/3", 1252 "https://github.com/advisories/GHSA-xm2m-2q6h-22jw", 1253 }, 1254 PublishedDate: lo.ToPtr(time.Date(2023, 6, 12, 16, 15, 0, 0, time.UTC)), 1255 LastModifiedDate: lo.ToPtr(time.Date(2023, 6, 21, 02, 20, 0, 0, time.UTC)), 1256 }, 1257 }, 1258 { 1259 VulnerabilityID: "CVE-2023-34468", 1260 PkgName: "org.apache.nifi:nifi-hikari-dbcp-service", 1261 PkgPath: "nifi-hikari-dbcp-service-1.20.0.jar", 1262 InstalledVersion: "1.20.0", 1263 FixedVersion: "1.22.0", 1264 SeveritySource: vulnerability.GHSA, 1265 PrimaryURL: "https://avd.aquasec.com/nvd/cve-2023-34468", 1266 DataSource: &dtypes.DataSource{ 1267 ID: vulnerability.GHSA, 1268 Name: "GitHub Security Advisory Maven", 1269 URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", 1270 }, 1271 Vulnerability: dtypes.Vulnerability{ 1272 Title: "Apache NiFi vulnerable to Code Injection", 1273 Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...", 1274 Severity: dtypes.SeverityHigh.String(), 1275 CweIDs: []string{ 1276 "CWE-94", 1277 }, 1278 VendorSeverity: dtypes.VendorSeverity{ 1279 vulnerability.GHSA: dtypes.SeverityHigh, 1280 vulnerability.NVD: dtypes.SeverityHigh, 1281 }, 1282 CVSS: dtypes.VendorCVSS{ 1283 vulnerability.GHSA: dtypes.CVSS{ 1284 V3Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 1285 V3Score: 8.8, 1286 }, 1287 vulnerability.NVD: dtypes.CVSS{ 1288 V3Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 1289 V3Score: 8.8, 1290 }, 1291 }, 1292 References: []string{ 1293 "http://www.openwall.com/lists/oss-security/2023/06/12/3", 1294 "https://github.com/advisories/GHSA-xm2m-2q6h-22jw", 1295 }, 1296 PublishedDate: lo.ToPtr(time.Date(2023, 6, 12, 16, 15, 0, 0, time.UTC)), 1297 LastModifiedDate: lo.ToPtr(time.Date(2023, 6, 21, 02, 20, 0, 0, time.UTC)), 1298 }, 1299 }, 1300 }, 1301 }, 1302 }, 1303 }, 1304 want: &cdx.BOM{ 1305 XMLNS: "http://cyclonedx.org/schema/bom/1.5", 1306 BOMFormat: "CycloneDX", 1307 SpecVersion: cdx.SpecVersion1_5, 1308 JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json", 1309 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", 1310 Version: 1, 1311 Metadata: &cdx.Metadata{ 1312 Timestamp: "2021-08-25T12:20:30+00:00", 1313 Tools: &[]cdx.Tool{ 1314 { 1315 Name: "trivy", 1316 Vendor: "aquasecurity", 1317 Version: "dev", 1318 }, 1319 }, 1320 Component: &cdx.Component{ 1321 BOMRef: "3ff14136-e09f-4df9-80ea-000000000002", 1322 Type: cdx.ComponentTypeApplication, 1323 Name: "CVE-2023-34468", 1324 Properties: &[]cdx.Property{ 1325 { 1326 Name: "aquasecurity:trivy:SchemaVersion", 1327 Value: "2", 1328 }, 1329 }, 1330 }, 1331 }, 1332 Components: &[]cdx.Component{ 1333 { 1334 BOMRef: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", 1335 Type: "library", 1336 Name: "nifi-dbcp-base", 1337 Group: "org.apache.nifi", 1338 Version: "1.20.0", 1339 PackageURL: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0", 1340 Properties: &[]cdx.Property{ 1341 { 1342 Name: "aquasecurity:trivy:FilePath", 1343 Value: "nifi-dbcp-base-1.20.0.jar", 1344 }, 1345 { 1346 Name: "aquasecurity:trivy:PkgType", 1347 Value: "jar", 1348 }, 1349 }, 1350 }, 1351 { 1352 BOMRef: "pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.20.0?file_path=nifi-hikari-dbcp-service-1.20.0.jar", 1353 Type: "library", 1354 Name: "nifi-hikari-dbcp-service", 1355 Group: "org.apache.nifi", 1356 Version: "1.20.0", 1357 PackageURL: "pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.20.0", 1358 Properties: &[]cdx.Property{ 1359 { 1360 Name: "aquasecurity:trivy:FilePath", 1361 Value: "nifi-hikari-dbcp-service-1.20.0.jar", 1362 }, 1363 { 1364 Name: "aquasecurity:trivy:PkgType", 1365 Value: "jar", 1366 }, 1367 }, 1368 }, 1369 }, 1370 Dependencies: &[]cdx.Dependency{ 1371 { 1372 Ref: "3ff14136-e09f-4df9-80ea-000000000002", 1373 Dependencies: &[]string{ 1374 "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", 1375 "pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.20.0?file_path=nifi-hikari-dbcp-service-1.20.0.jar", 1376 }, 1377 }, 1378 { 1379 Ref: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", 1380 Dependencies: lo.ToPtr([]string{}), 1381 }, 1382 { 1383 Ref: "pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.20.0?file_path=nifi-hikari-dbcp-service-1.20.0.jar", 1384 Dependencies: lo.ToPtr([]string{}), 1385 }, 1386 }, 1387 Vulnerabilities: &[]cdx.Vulnerability{ 1388 { 1389 ID: "CVE-2023-34468", 1390 Source: &cdx.Source{ 1391 Name: string(vulnerability.GHSA), 1392 URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven", 1393 }, 1394 Recommendation: "Upgrade org.apache.nifi:nifi-dbcp-base to version 1.22.0; Upgrade org.apache.nifi:nifi-hikari-dbcp-service to version 1.22.0", 1395 Ratings: &[]cdx.VulnerabilityRating{ 1396 { 1397 Source: &cdx.Source{ 1398 Name: string(vulnerability.GHSA), 1399 }, 1400 Score: lo.ToPtr(8.8), 1401 Severity: cdx.SeverityHigh, 1402 Method: cdx.ScoringMethodCVSSv31, 1403 Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 1404 }, 1405 { 1406 Source: &cdx.Source{ 1407 Name: string(vulnerability.NVD), 1408 }, 1409 Score: lo.ToPtr(8.8), 1410 Severity: cdx.SeverityHigh, 1411 Method: cdx.ScoringMethodCVSSv31, 1412 Vector: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 1413 }, 1414 }, 1415 CWEs: lo.ToPtr([]int{94}), 1416 Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...", 1417 Advisories: &[]cdx.Advisory{ 1418 { 1419 URL: "https://avd.aquasec.com/nvd/cve-2023-34468", 1420 }, 1421 { 1422 URL: "http://www.openwall.com/lists/oss-security/2023/06/12/3", 1423 }, 1424 { 1425 URL: "https://github.com/advisories/GHSA-xm2m-2q6h-22jw", 1426 }, 1427 }, 1428 Published: "2023-06-12T16:15:00+00:00", 1429 Updated: "2023-06-21T02:20:00+00:00", 1430 Affects: &[]cdx.Affects{ 1431 { 1432 Ref: "pkg:maven/org.apache.nifi/nifi-dbcp-base@1.20.0?file_path=nifi-dbcp-base-1.20.0.jar", 1433 Range: &[]cdx.AffectedVersions{ 1434 { 1435 Version: "1.20.0", 1436 Status: cdx.VulnerabilityStatusAffected, 1437 }, 1438 }, 1439 }, 1440 { 1441 Ref: "pkg:maven/org.apache.nifi/nifi-hikari-dbcp-service@1.20.0?file_path=nifi-hikari-dbcp-service-1.20.0.jar", 1442 Range: &[]cdx.AffectedVersions{ 1443 { 1444 Version: "1.20.0", 1445 Status: cdx.VulnerabilityStatusAffected, 1446 }, 1447 }, 1448 }, 1449 }, 1450 }, 1451 }, 1452 }, 1453 }, 1454 { 1455 name: "happy path aggregate results", 1456 inputReport: types.Report{ 1457 SchemaVersion: report.SchemaVersion, 1458 ArtifactName: "test-aggregate", 1459 ArtifactType: ftypes.ArtifactRepository, 1460 Results: types.Results{ 1461 { 1462 Target: "Node.js", 1463 Class: types.ClassLangPkg, 1464 Type: ftypes.NodePkg, 1465 Packages: []ftypes.Package{ 1466 { 1467 ID: "ruby-typeprof@0.20.1", 1468 Name: "ruby-typeprof", 1469 Version: "0.20.1", 1470 Licenses: []string{"MIT"}, 1471 Layer: ftypes.Layer{ 1472 DiffID: "sha256:661c3fd3cc16b34c070f3620ca6b03b6adac150f9a7e5d0e3c707a159990f88e", 1473 }, 1474 FilePath: "usr/local/lib/ruby/gems/3.1.0/gems/typeprof-0.21.1/vscode/package.json", 1475 }, 1476 }, 1477 }, 1478 }, 1479 }, 1480 want: &cdx.BOM{ 1481 XMLNS: "http://cyclonedx.org/schema/bom/1.5", 1482 BOMFormat: "CycloneDX", 1483 SpecVersion: cdx.SpecVersion1_5, 1484 JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json", 1485 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", 1486 Version: 1, 1487 Metadata: &cdx.Metadata{ 1488 Timestamp: "2021-08-25T12:20:30+00:00", 1489 Tools: &[]cdx.Tool{ 1490 { 1491 Name: "trivy", 1492 Vendor: "aquasecurity", 1493 Version: "dev", 1494 }, 1495 }, 1496 Component: &cdx.Component{ 1497 Type: cdx.ComponentTypeApplication, 1498 Name: "test-aggregate", 1499 BOMRef: "3ff14136-e09f-4df9-80ea-000000000002", 1500 Properties: &[]cdx.Property{ 1501 { 1502 Name: "aquasecurity:trivy:SchemaVersion", 1503 Value: "2", 1504 }, 1505 }, 1506 }, 1507 }, 1508 Components: &[]cdx.Component{ 1509 { 1510 BOMRef: "pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json", 1511 Type: "library", 1512 Name: "ruby-typeprof", 1513 Version: "0.20.1", 1514 PackageURL: "pkg:npm/ruby-typeprof@0.20.1", 1515 Licenses: &cdx.Licenses{ 1516 cdx.LicenseChoice{ 1517 License: &cdx.License{ 1518 Name: "MIT", 1519 }, 1520 }, 1521 }, 1522 Properties: &[]cdx.Property{ 1523 { 1524 Name: "aquasecurity:trivy:FilePath", 1525 Value: "usr/local/lib/ruby/gems/3.1.0/gems/typeprof-0.21.1/vscode/package.json", 1526 }, 1527 { 1528 Name: "aquasecurity:trivy:LayerDiffID", 1529 Value: "sha256:661c3fd3cc16b34c070f3620ca6b03b6adac150f9a7e5d0e3c707a159990f88e", 1530 }, 1531 { 1532 Name: "aquasecurity:trivy:PkgID", 1533 Value: "ruby-typeprof@0.20.1", 1534 }, 1535 { 1536 Name: "aquasecurity:trivy:PkgType", 1537 Value: "node-pkg", 1538 }, 1539 }, 1540 }, 1541 }, 1542 Vulnerabilities: &[]cdx.Vulnerability{}, 1543 Dependencies: &[]cdx.Dependency{ 1544 { 1545 Ref: "3ff14136-e09f-4df9-80ea-000000000002", 1546 Dependencies: &[]string{ 1547 "pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json", 1548 }, 1549 }, 1550 { 1551 Ref: "pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json", 1552 Dependencies: lo.ToPtr([]string{}), 1553 }, 1554 }, 1555 }, 1556 }, 1557 { 1558 name: "happy path empty", 1559 inputReport: types.Report{ 1560 SchemaVersion: report.SchemaVersion, 1561 ArtifactName: "empty/path", 1562 ArtifactType: ftypes.ArtifactFilesystem, 1563 Results: types.Results{}, 1564 }, 1565 want: &cdx.BOM{ 1566 XMLNS: "http://cyclonedx.org/schema/bom/1.5", 1567 BOMFormat: "CycloneDX", 1568 SpecVersion: cdx.SpecVersion1_5, 1569 JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json", 1570 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001", 1571 Version: 1, 1572 Metadata: &cdx.Metadata{ 1573 Timestamp: "2021-08-25T12:20:30+00:00", 1574 Tools: &[]cdx.Tool{ 1575 { 1576 Name: "trivy", 1577 Vendor: "aquasecurity", 1578 Version: "dev", 1579 }, 1580 }, 1581 Component: &cdx.Component{ 1582 Type: cdx.ComponentTypeApplication, 1583 Name: "empty/path", 1584 BOMRef: "3ff14136-e09f-4df9-80ea-000000000002", 1585 Properties: &[]cdx.Property{ 1586 { 1587 Name: "aquasecurity:trivy:SchemaVersion", 1588 Value: "2", 1589 }, 1590 }, 1591 }, 1592 }, 1593 Components: lo.ToPtr([]cdx.Component{}), 1594 Vulnerabilities: &[]cdx.Vulnerability{}, 1595 Dependencies: &[]cdx.Dependency{ 1596 { 1597 Ref: "3ff14136-e09f-4df9-80ea-000000000002", 1598 Dependencies: lo.ToPtr([]string{}), 1599 }, 1600 }, 1601 }, 1602 }, 1603 } 1604 1605 for _, tt := range tests { 1606 t.Run(tt.name, func(t *testing.T) { 1607 clock.SetFakeTime(t, time.Date(2021, 8, 25, 12, 20, 30, 5, time.UTC)) 1608 uuid.SetFakeUUID(t, "3ff14136-e09f-4df9-80ea-%012d") 1609 1610 marshaler := cyclonedx.NewMarshaler("dev") 1611 got, err := marshaler.Marshal(tt.inputReport) 1612 require.NoError(t, err) 1613 assert.Equal(t, tt.want, got) 1614 }) 1615 } 1616 }