Skip to content

Commit

Permalink
fix(sbom): add missed primaryURL and source severity for CycloneDX (
Browse files Browse the repository at this point in the history
#5399)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
  • Loading branch information
DmitriyLewen and knqyf263 authored Oct 19, 2023
1 parent e5317c7 commit 6040d9f
Show file tree
Hide file tree
Showing 5 changed files with 37 additions and 11 deletions.
6 changes: 6 additions & 0 deletions integration/testdata/pom-cyclonedx.json.golden
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,9 @@
"description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4",
"advisories": [
{
"url": "https://avd.aquasec.com/nvd/cve-2020-9548"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2020-9548"
},
Expand Down Expand Up @@ -268,6 +271,9 @@
"description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
"advisories": [
{
"url": "https://avd.aquasec.com/nvd/cve-2021-20190"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20190"
},
Expand Down
15 changes: 7 additions & 8 deletions pkg/sbom/cyclonedx/core/cyclonedx.go
Original file line number Diff line number Diff line change
Expand Up @@ -155,7 +155,7 @@ func (c *CycloneDX) marshalVulnerability(bomRef string, vuln types.DetectedVulne
Ratings: cdxRatings(vuln),
CWEs: cwes(vuln.CweIDs),
Description: vuln.Description,
Advisories: cdxAdvisories(vuln.References),
Advisories: cdxAdvisories(append([]string{vuln.PrimaryURL}, vuln.References...)),
}
if vuln.FixedVersion != "" {
v.Recommendation = fmt.Sprintf("Upgrade %s to version %s", vuln.PkgName, vuln.FixedVersion)
Expand Down Expand Up @@ -341,19 +341,18 @@ func UnmarshalProperties(properties *[]cdx.Property) map[string]string {
}

func cdxAdvisories(refs []string) *[]cdx.Advisory {
refs = lo.Uniq(refs)
advs := lo.FilterMap(refs, func(ref string, _ int) (cdx.Advisory, bool) {
return cdx.Advisory{URL: ref}, ref != ""
})

// cyclonedx converts link to empty `[]cdx.Advisory` to `null`
// `bom-1.5.schema.json` doesn't support this - `Invalid type. Expected: array, given: null`
// we need to explicitly set `nil` for empty `refs` slice
if len(refs) == 0 {
if len(advs) == 0 {
return nil
}

var advs []cdx.Advisory
for _, ref := range refs {
advs = append(advs, cdx.Advisory{
URL: ref,
})
}
return &advs
}

Expand Down
11 changes: 11 additions & 0 deletions pkg/sbom/cyclonedx/marshal_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -522,6 +522,11 @@ func TestMarshaler_Marshal(t *testing.T) {
Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
Published: "2018-12-31T19:29:00+00:00",
Updated: "2019-10-31T01:15:00+00:00",
Advisories: &[]cdx.Advisory{
{
URL: "https://avd.aquasec.com/nvd/cve-2018-20623",
},
},
Affects: &[]cdx.Affects{
{
Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
Expand Down Expand Up @@ -991,6 +996,9 @@ func TestMarshaler_Marshal(t *testing.T) {
},
Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
Advisories: &[]cdx.Advisory{
{
URL: "https://avd.aquasec.com/nvd/cve-2022-23633",
},
{
URL: "http://www.openwall.com/lists/oss-security/2022/02/11/5",
},
Expand Down Expand Up @@ -1384,6 +1392,9 @@ func TestMarshaler_Marshal(t *testing.T) {
CWEs: lo.ToPtr([]int{94}),
Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...",
Advisories: &[]cdx.Advisory{
{
URL: "https://avd.aquasec.com/nvd/cve-2023-34468",
},
{
URL: "http://www.openwall.com/lists/oss-security/2023/06/12/3",
},
Expand Down
7 changes: 7 additions & 0 deletions pkg/vulnerability/vulnerability.go
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,13 @@ func (c Client) FillInfo(vulns []types.DetectedVulnerability) {
if vulns[i].SeveritySource != "" {
severity = vulns[i].Severity
severitySource = vulns[i].SeveritySource

// Store package-specific severity in vendor severities
if vuln.VendorSeverity == nil {
vuln.VendorSeverity = make(dbTypes.VendorSeverity)
}
s, _ := dbTypes.NewSeverity(severity) // skip error handling because `SeverityUnknown` will be returned in case of error
vuln.VendorSeverity[severitySource] = s
}

// Add the vulnerability detail
Expand Down
9 changes: 6 additions & 3 deletions pkg/vulnerability/vulnerability_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -218,9 +218,12 @@ func TestClient_FillInfo(t *testing.T) {
Status: dbTypes.StatusAffected,
SeveritySource: vulnerability.Debian,
Vulnerability: dbTypes.Vulnerability{
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
Title: "dos",
Description: "dos vulnerability",
Severity: dbTypes.SeverityLow.String(),
VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
vulnerability.Debian: dbTypes.SeverityLow,
},
References: []string{"http://example.com"},
LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"),
Expand Down

0 comments on commit 6040d9f

Please sign in to comment.