

fix: check unescaped BomRef when matching PkgIdentifier (aquasecu…
…rity#6025)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
DmitriyLewen and knqyf263 authored Feb 6, 2024
1 parent 458c5d9 commit 6ccc0a5
Showing 3 changed files with 54 additions and 0 deletions.
8 changes: 8 additions & 0 deletions pkg/fanal/types/artifact.go
Expand Up @@ -2,6 +2,7 @@ package types

import (
"encoding/json"
"strings"
"time"

v1 "github.com/google/go-containerregistry/pkg/v1"
Expand Down Expand Up @@ -156,6 +157,13 @@ func (id *PkgIdentifier) Empty() bool {
}

func (id *PkgIdentifier) Match(s string) bool {
// Encode string as PURL
if strings.HasPrefix(s, "pkg:") {
if p, err := packageurl.FromString(s); err == nil {
s = p.String()
}
}

switch {
case id.BOMRef == s:
return true
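Review bot: The canonicalization added at the top of Match is applied only to the incoming `s`, while `case id.BOMRef == s` still compares the stored BOMRef verbatim, so a BOMRef that is itself a PURL string with different percent-encoding or qualifier order (the new test case stores `?distro=...&arch=...` where the VEX ref has `?arch=...&distro=...`) will not match on this case; the rest of the switch is outside the hunk, so it may still succeed via the PURL field, but the BOMRef path named in the commit title stays order- and escape-sensitive. A silently ignored `packageurl.FromString` error also deserves a why-comment, e.g. `// not a parseable PURL: fall back to comparing the raw string`. In this VEX-filtering context a missed match most likely means a `not_affected` statement is not applied, so the failure mode is noise rather than wrongful suppression, but it still defeats the purpose of the fix. I would normalize both sides through one small helper so the comparison is symmetric:

```go
func (id *PkgIdentifier) Match(s string) bool {
	// Canonicalize both sides: anything that looks like a PURL is parsed and
	// re-serialized so percent-encoding and qualifier order cannot break equality.
	normalize := func(v string) string {
		if !strings.HasPrefix(v, "pkg:") {
			return v
		}
		if p, err := packageurl.FromString(v); err == nil {
			return p.String()
		}
		return v // not a parseable PURL: compare the raw string
	}
	s = normalize(s)

	switch {
	case normalize(id.BOMRef) == s:
		return true
	// … unchanged: remaining cases …
```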
21 changes: 21 additions & 0 deletions pkg/vex/testdata/cyclonedx.json
Expand Up @@ -18,6 +18,27 @@
"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.8.0"
}
]
},
{
"id": "CVE-2022-27943",
"source": {
"name": "ubuntu",
"url": "https://git.launchpad.net/ubuntu-cve-tracker"
},
"affects": [
{
"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?arch=amd64&distro=ubuntu-22.04",
"versions": [
{
"version": "12.3.0-1ubuntu1~22.04",
"status": "affected"
}
]
}
],
"analysis": {
"state": "not_affected"
}
}
]
}
25 changes: 25 additions & 0 deletions pkg/vex/vex_test.go
Expand Up @@ -149,6 +149,31 @@ func TestVEX_Filter(t *testing.T) {
},
},
},
{
VulnerabilityID: "CVE-2022-27943",
PkgID: "libstdc++6@12.3.0-1ubuntu1~22.04",
PkgName: "libstdc++6",
InstalledVersion: "12.3.0-1ubuntu1~22.04",
PkgIdentifier: ftypes.PkgIdentifier{
BOMRef: "pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?distro=ubuntu-22.04&arch=amd64",
PURL: &packageurl.PackageURL{
Type: packageurl.TypeDebian,
Namespace: "ubuntu",
Name: "libstdc++6",
Version: "12.3.0-1ubuntu1~22.04",
Qualifiers: []packageurl.Qualifier{
{
Key: "arch",
Value: "amd64",
},
{
Key: "distro",
Value: "ubuntu-22.04",
},
},
},
},
},
},
},
want: []types.DetectedVulnerability{
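Review bot: The new CVE-2022-27943 case populates both `BOMRef` and `PURL`, so it can pass through whichever branch of Match happens to succeed and does not isolate the unescaped-BOMRef matching that the commit title describes; its BOMRef even lists the qualifiers as `distro` then `arch` while the VEX ref in cyclonedx.json lists `arch` then `distro`, so it is plausible the match is currently satisfied by the PURL field rather than by BOMRef. I would add a sibling case that sets only `BOMRef` (leaving `PURL` nil) with the same `%2B%2B`-escaped value, so a regression in the BOMRef path fails the test on its own. The enclosing TestVEX_Filter table starts and ends outside the hunk.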
