update trivy, and unsupport image scanning feature (#971)

* update trivy, fanal. unsupport image scanning * Update models/library.go Co-authored-by: Teppei Fukuda <teppei@elab.ic.i.u-tokyo.ac.jp> * add -no-progress flag to report/tui cmd * Display trivy vuln info to tui/report * add detection method to vulninfo detected by trivy * fix(uuid): change uuid lib to go-uuid #929 (#969) * update trivy, fanal. unsupport image scanning * Update models/library.go Co-authored-by: Teppei Fukuda <teppei@elab.ic.i.u-tokyo.ac.jp> * add -no-progress flag to report/tui cmd * Display trivy vuln info to tui/report * add detection method to vulninfo detected by trivy * unique ref links in TUI * download trivy DB only when lock file is specified in config.toml Co-authored-by: Teppei Fukuda <teppei@elab.ic.i.u-tokyo.ac.jp>
2020-05-08 15:24:39 +09:00
parent 9dd025437b
commit ebe5f858c8
22 changed files with 475 additions and 677 deletions
--- a/report/report.go
+++ b/report/report.go
@@ -504,7 +504,7 @@ func fillCweDict(r *models.ScanResult) {

 const reUUID = "[\\da-f]{8}-[\\da-f]{4}-[\\da-f]{4}-[\\da-f]{4}-[\\da-f]{12}"

-// Scanning with the -containers-only, -images-only flag at scan time, the UUID of Container Host may not be generated,
+// Scanning with the -containers-only flag at scan time, the UUID of Container Host may not be generated,
 // so check it. Otherwise create a UUID of the Container Host and set it.
 func getOrCreateServerUUID(r models.ScanResult, server c.ServerInfo) (serverUUID string, err error) {
 	if id, ok := server.UUIDs[r.ServerName]; !ok {
@@ -549,15 +549,6 @@ func EnsureUUIDs(configPath string, results models.ScanResults) (err error) {
 			if serverUUID != "" {
 				server.UUIDs[r.ServerName] = serverUUID
 			}
-		} else if r.IsImage() {
-			name = fmt.Sprintf("%s%s@%s", r.Image.Tag, r.Image.Digest, r.ServerName)
-			serverUUID, err := getOrCreateServerUUID(r, server)
-			if err != nil {
-				return err
-			}
-			if serverUUID != "" {
-				server.UUIDs[r.ServerName] = serverUUID
-			}
 		} else {
 			name = r.ServerName
 		}
--- a/report/tui.go
+++ b/report/tui.go
@@ -622,6 +622,7 @@ func summaryLines(r models.ScanResult) string {
 		pkgNames = append(pkgNames, vinfo.CpeURIs...)
 		pkgNames = append(pkgNames, vinfo.GitHubSecurityAlerts.Names()...)
 		pkgNames = append(pkgNames, vinfo.WpPackageFixStats.Names()...)
+		pkgNames = append(pkgNames, vinfo.LibraryFixedIns.Names()...)

 		exploits := ""
 		if 0 < len(vinfo.Exploits) {
@@ -752,17 +753,11 @@ func setChangelogLayout(g *gocui.Gui) error {
 			}
 		}

-		// check library fixedin
-		for _, scanner := range r.LibraryScanners {
-			key := scanner.GetLibraryKey()
-			for _, fixedin := range vinfo.LibraryFixedIns {
-				for _, lib := range scanner.Libs {
-					if fixedin.Key == key && lib.Name == fixedin.Name {
-						lines = append(lines, fmt.Sprintf("* %s-%s, FixedIn: %s",
-							lib.Name, lib.Version, fixedin.FixedIn))
-						continue
-					}
-				}
+		for _, l := range vinfo.LibraryFixedIns {
+			libs := r.LibraryScanners.Find(l.Name)
+			for path, lib := range libs {
+				lines = append(lines, fmt.Sprintf("%s-%s, FixedIn: %s (%s)",
+					lib.Name, lib.Version, l.FixedIn, path))
 			}
 		}

@@ -876,15 +871,24 @@ func detailLines() (string, error) {
 		links = append(links, url)
 	}

-	refs := []models.Reference{}
+	refsMap := map[string]models.Reference{}
 	for _, rr := range vinfo.CveContents.References(r.Family) {
 		for _, ref := range rr.Value {
 			if ref.Source == "" {
 				ref.Source = "-"
 			}
-			refs = append(refs, ref)
+			refsMap[ref.Link] = ref
 		}
 	}
+	if cont, found := vinfo.CveContents[models.Trivy]; found {
+		for _, ref := range cont.References {
+			refsMap[ref.Link] = ref
+		}
+	}
+	refs := []models.Reference{}
+	for _, v := range refsMap {
+		refs = append(refs, v)
+	}

 	summary := vinfo.Summaries(r.Lang, r.Family)[0]
 	mitigation := vinfo.Mitigations(r.Family)[0]
--- a/report/util.go
+++ b/report/util.go
@@ -291,6 +291,15 @@ No CVE-IDs are found in updatable packages.
 			}
 		}

+		for _, l := range vuln.LibraryFixedIns {
+			libs := r.LibraryScanners.Find(l.Name)
+			for path, lib := range libs {
+				data = append(data, []string{l.Key,
+					fmt.Sprintf("%s-%s, FixedIn: %s (%s)",
+						lib.Name, lib.Version, l.FixedIn, path)})
+			}
+		}
+
 		for _, confidence := range vuln.Confidences {
 			data = append(data, []string{"Confidence", confidence.String()})
 		}