add Library Scan (with image scan) (#829)
* add static container image scan * server has many staticContainers * use go module * for staticContainer * fix typo * fix setErrs error * change name : StaticContainer -> Image * add scan -images-only flag * fix makefile * fix makefile for go module * use rpmcmd instead of rpm * add scrutinizer.yml * change scrutinizer.yml * fix scrutinizer.yml * fix scrutinizer.yml * fix scrutinizer.yml * fix scrutinizer.yml * delete scrutinizer * add report test * add sourcePackages and Arch * fix for sider * fix staticContainer -> image * init scan library * add library scan for servers * fix tui bug * fix lint error * divide WpPackageFixStats and LibraryPackageFixedIns * fix error * Delete libManager_test.go * stop use alpine os if err occurred in container * merge upstream/master * Delete libManager.go * update goval-dictionary * fix go.mod * update Readme * add feature : auto detect lockfiles
This commit is contained in:
Tomoya Amachi
committed by
Kota Kanbe
Kota Kanbe
parent
10942f7c08
commit
abcea1a14d
@@ -28,6 +28,8 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/future-architect/vuls/libmanager"
|
||||
|
||||
"github.com/BurntSushi/toml"
|
||||
"github.com/future-architect/vuls/config"
|
||||
c "github.com/future-architect/vuls/config"
|
||||
@@ -64,6 +66,8 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
|
||||
r.ScannedCves = models.VulnInfos{}
|
||||
}
|
||||
cpeURIs := []string{}
|
||||
|
||||
// runningContainer
|
||||
if len(r.Container.ContainerID) == 0 {
|
||||
cpeURIs = c.Conf.Servers[r.ServerName].CpeNames
|
||||
owaspDCXMLPath := c.Conf.Servers[r.ServerName].OwaspDCXMLPath
|
||||
@@ -161,7 +165,15 @@ func FillCveInfos(dbclient DBClient, rs []models.ScanResult, dir string) ([]mode
|
||||
func FillCveInfo(dbclient DBClient, r *models.ScanResult, cpeURIs []string, integrations ...Integration) error {
|
||||
util.Log.Debugf("need to refresh")
|
||||
|
||||
nCVEs, err := FillWithOval(dbclient.OvalDB, r)
|
||||
nCVEs, err := libmanager.FillLibrary(r)
|
||||
if err != nil {
|
||||
return xerrors.Errorf("Failed to fill with Library dependency: %w", err)
|
||||
}
|
||||
util.Log.Infof("%s: %d CVEs are detected with Library",
|
||||
r.FormatServerName(), nCVEs)
|
||||
|
||||
nCVEs, err = FillWithOval(dbclient.OvalDB, r)
|
||||
|
||||
if err != nil {
|
||||
return xerrors.Errorf("Failed to fill with OVAL: %w", err)
|
||||
}
|
||||
@@ -483,6 +495,20 @@ func fillAlerts(r *models.ScanResult) (enCnt int, jaCnt int) {
|
||||
|
||||
const reUUID = "[\\da-f]{8}-[\\da-f]{4}-[\\da-f]{4}-[\\da-f]{4}-[\\da-f]{12}"
|
||||
|
||||
// Scanning with the -containers-only, -images-only flag at scan time, the UUID of Container Host may not be generated,
|
||||
// so check it. Otherwise create a UUID of the Container Host and set it.
|
||||
func getOrCreateServerUUID(r models.ScanResult, server c.ServerInfo) (serverUUID string) {
|
||||
if id, ok := server.UUIDs[r.ServerName]; !ok {
|
||||
serverUUID = uuid.GenerateUUID()
|
||||
} else {
|
||||
matched, err := regexp.MatchString(reUUID, id)
|
||||
if !matched || err != nil {
|
||||
serverUUID = uuid.GenerateUUID()
|
||||
}
|
||||
}
|
||||
return serverUUID
|
||||
}
|
||||
|
||||
// EnsureUUIDs generate a new UUID of the scan target server if UUID is not assigned yet.
|
||||
// And then set the generated UUID to config.toml and scan results.
|
||||
func EnsureUUIDs(configPath string, results models.ScanResults) error {
|
||||
@@ -503,20 +529,13 @@ func EnsureUUIDs(configPath string, results models.ScanResults) error {
|
||||
name := ""
|
||||
if r.IsContainer() {
|
||||
name = fmt.Sprintf("%s@%s", r.Container.Name, r.ServerName)
|
||||
|
||||
// Scanning with the -containers-only flag at scan time, the UUID of Container Host may not be generated,
|
||||
// so check it. Otherwise create a UUID of the Container Host and set it.
|
||||
serverUUID := ""
|
||||
if id, ok := server.UUIDs[r.ServerName]; !ok {
|
||||
serverUUID = uuid.GenerateUUID()
|
||||
} else {
|
||||
matched, err := regexp.MatchString(reUUID, id)
|
||||
if !matched || err != nil {
|
||||
serverUUID = uuid.GenerateUUID()
|
||||
}
|
||||
if uuid := getOrCreateServerUUID(r, server); uuid != "" {
|
||||
server.UUIDs[r.ServerName] = uuid
|
||||
}
|
||||
if serverUUID != "" {
|
||||
server.UUIDs[r.ServerName] = serverUUID
|
||||
} else if r.IsImage() {
|
||||
name = fmt.Sprintf("%s:%s@%s", r.Image.Name, r.Image.Tag, r.ServerName)
|
||||
if uuid := getOrCreateServerUUID(r, server); uuid != "" {
|
||||
server.UUIDs[r.ServerName] = uuid
|
||||
}
|
||||
} else {
|
||||
name = r.ServerName
|
||||
|
||||
@@ -1 +1,51 @@
|
||||
package report
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/future-architect/vuls/config"
|
||||
|
||||
"github.com/future-architect/vuls/models"
|
||||
)
|
||||
|
||||
const defaultUUID = "11111111-1111-1111-1111-111111111111"
|
||||
|
||||
func TestGetOrCreateServerUUID(t *testing.T) {
|
||||
|
||||
cases := map[string]struct {
|
||||
scanResult models.ScanResult
|
||||
server config.ServerInfo
|
||||
isDefault bool
|
||||
}{
|
||||
"baseServer": {
|
||||
scanResult: models.ScanResult{
|
||||
ServerName: "hoge",
|
||||
},
|
||||
server: config.ServerInfo{
|
||||
UUIDs: map[string]string{
|
||||
"hoge": defaultUUID,
|
||||
},
|
||||
},
|
||||
isDefault: false,
|
||||
},
|
||||
"onlyContainers": {
|
||||
scanResult: models.ScanResult{
|
||||
ServerName: "hoge",
|
||||
},
|
||||
server: config.ServerInfo{
|
||||
UUIDs: map[string]string{
|
||||
"fuga": defaultUUID,
|
||||
},
|
||||
},
|
||||
isDefault: false,
|
||||
},
|
||||
}
|
||||
|
||||
for testcase, v := range cases {
|
||||
uuid := getOrCreateServerUUID(v.scanResult, v.server)
|
||||
if (uuid == defaultUUID) != v.isDefault {
|
||||
t.Errorf("%s : expected isDefault %t got %s", testcase, v.isDefault, uuid)
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -750,18 +750,35 @@ func setChangelogLayout(g *gocui.Gui) error {
|
||||
}
|
||||
|
||||
r := currentScanResult
|
||||
for _, wp := range vinfo.WpPackageFixStats {
|
||||
if p, ok := r.WordPressPackages.Find(wp.Name); ok {
|
||||
if p.Type == models.WPCore {
|
||||
lines = append(lines, fmt.Sprintf("* %s-%s, FixedIn: %s",
|
||||
wp.Name, p.Version, wp.FixedIn))
|
||||
// check wordpress fixedin
|
||||
if r.WordPressPackages != nil {
|
||||
for _, wp := range vinfo.WpPackageFixStats {
|
||||
if p, ok := r.WordPressPackages.Find(wp.Name); ok {
|
||||
if p.Type == models.WPCore {
|
||||
lines = append(lines, fmt.Sprintf("* %s-%s, FixedIn: %s",
|
||||
wp.Name, p.Version, wp.FixedIn))
|
||||
} else {
|
||||
lines = append(lines,
|
||||
fmt.Sprintf("* %s-%s, Update: %s, FixedIn: %s, %s",
|
||||
wp.Name, p.Version, p.Update, wp.FixedIn, p.Status))
|
||||
}
|
||||
} else {
|
||||
lines = append(lines,
|
||||
fmt.Sprintf("* %s-%s, Update: %s, FixedIn: %s, %s",
|
||||
wp.Name, p.Version, p.Update, wp.FixedIn, p.Status))
|
||||
lines = append(lines, fmt.Sprintf("* %s", wp.Name))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// check library fixedin
|
||||
for _, scanner := range r.LibraryScanners {
|
||||
key := scanner.GetLibraryKey()
|
||||
for _, fixedin := range vinfo.LibraryFixedIns {
|
||||
for _, lib := range scanner.Libs {
|
||||
if fixedin.Key == key && lib.Name == fixedin.Name {
|
||||
lines = append(lines, fmt.Sprintf("* %s-%s, FixedIn: %s",
|
||||
lib.Name, lib.Version, fixedin.FixedIn))
|
||||
continue
|
||||
}
|
||||
}
|
||||
} else {
|
||||
lines = append(lines, fmt.Sprintf("* %s", wp.Name))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user