fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
Signed-off-by: juan131 <jariza@vmware.com>
Showing
5 changed files
with
179 additions
and
1 deletion.
@@ -0,0 +1,32 @@ | ||
package bitnami | ||
|
||
import ( | ||
version "github.com/bitnami/go-version/pkg/version" | ||
"golang.org/x/xerrors" | ||
|
||
dbTypes "github.com/aquasecurity/trivy-db/pkg/types" | ||
"github.com/aquasecurity/trivy/pkg/detector/library/compare" | ||
) | ||
|
||
// Comparer represents a comparer for Bitnami | ||
type Comparer struct{} | ||
|
||
// IsVulnerable checks if the package version is vulnerable to the advisory. | ||
func (n Comparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool { | ||
return compare.IsVulnerable(ver, advisory, n.matchVersion) | ||
} | ||
|
||
// matchVersion checks if the package version satisfies the given constraint. | ||
func (n Comparer) matchVersion(currentVersion, constraint string) (bool, error) { | ||
v, err := version.Parse(currentVersion) | ||
if err != nil { | ||
return false, xerrors.Errorf("bitnami version error (%s): %s", currentVersion, err) | ||
} | ||
|
||
c, err := version.NewConstraints(constraint) | ||
if err != nil { | ||
return false, xerrors.Errorf("bitnami constraint error (%s): %s", constraint, err) | ||
} | ||
|
||
return c.Check(v), nil | ||
} |
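Review bot: Both `xerrors.Errorf` calls in `matchVersion` format the underlying error with `%s`, which flattens it to text and drops the error chain, so a caller cannot use `errors.Is`/`errors.As` on a parse failure; use `%w` instead, `return false, xerrors.Errorf("bitnami version error (%s): %w", currentVersion, err)`, and likewise for the constraint error. A failure to parse either the version or the constraint returns `false, err`, and what `compare.IsVulnerable` does with that error is outside this hunk — if it treats an error as "not vulnerable", an unparseable constraint in an advisory would silently become a false negative for this ecosystem. Since that is the one place this comparer can fail, the `matchVersion` doc comment should say so, e.g. `// A version or constraint that fails to parse is returned as an error; the caller decides whether that counts as not vulnerable.`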
@@ -0,0 +1,141 @@ | ||
package bitnami_test | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
|
||
"github.com/aquasecurity/trivy-db/pkg/types" | ||
"github.com/aquasecurity/trivy/pkg/detector/library/compare/bitnami" | ||
) | ||
|
||
func TestBitnamiComparer_IsVulnerable(t *testing.T) { | ||
type args struct { | ||
currentVersion string | ||
advisory types.Advisory | ||
} | ||
tests := []struct { | ||
name string | ||
args args | ||
want bool | ||
}{ | ||
{ | ||
name: "not vulnerable", | ||
args: args{ | ||
currentVersion: "1.2.3", | ||
advisory: types.Advisory{ | ||
VulnerableVersions: []string{"<1.2.3"}, | ||
}, | ||
}, | ||
want: false, | ||
}, | ||
{ | ||
name: "vulnerable", | ||
args: args{ | ||
currentVersion: "1.2.3", | ||
advisory: types.Advisory{ | ||
VulnerableVersions: []string{"<=1.2.3"}, | ||
}, | ||
}, | ||
want: true, | ||
}, | ||
{ | ||
name: "patched", | ||
args: args{ | ||
currentVersion: "1.2.3", | ||
advisory: types.Advisory{ | ||
PatchedVersions: []string{">=1.2.3"}, | ||
}, | ||
}, | ||
want: false, | ||
}, | ||
{ | ||
name: "unaffected", | ||
args: args{ | ||
currentVersion: "1.2.3", | ||
advisory: types.Advisory{ | ||
UnaffectedVersions: []string{"=1.2.3"}, | ||
}, | ||
}, | ||
want: false, | ||
}, | ||
{ | ||
name: "vulnerable based on patched & unaffected versions", | ||
args: args{ | ||
currentVersion: "1.2.3", | ||
advisory: types.Advisory{ | ||
UnaffectedVersions: []string{"=1.2.0"}, | ||
PatchedVersions: []string{">=1.2.4"}, | ||
}, | ||
}, | ||
want: true, | ||
}, | ||
{ | ||
name: "patched with revision on current version", | ||
args: args{ | ||
currentVersion: "1.2.3-1", | ||
advisory: types.Advisory{ | ||
PatchedVersions: []string{">=1.2.3"}, | ||
}, | ||
}, | ||
want: false, | ||
}, | ||
{ | ||
name: "vulnerable with revision on current version", | ||
args: args{ | ||
currentVersion: "1.2.3-1", | ||
advisory: types.Advisory{ | ||
PatchedVersions: []string{">=1.2.4"}, | ||
}, | ||
}, | ||
want: true, | ||
}, | ||
{ | ||
name: "patched with revision on patch", | ||
args: args{ | ||
currentVersion: "1.2.4", | ||
advisory: types.Advisory{ | ||
PatchedVersions: []string{">=1.2.3-1"}, | ||
}, | ||
}, | ||
want: false, | ||
}, | ||
{ | ||
name: "vulnerable with revision on patch", | ||
args: args{ | ||
currentVersion: "1.2.3", | ||
advisory: types.Advisory{ | ||
PatchedVersions: []string{">=1.2.3-1"}, | ||
}, | ||
}, | ||
want: true, | ||
}, | ||
{ | ||
name: "patched with revisions on both current and patch", | ||
args: args{ | ||
currentVersion: "1.2.4-2", | ||
advisory: types.Advisory{ | ||
PatchedVersions: []string{">=1.2.3-1"}, | ||
}, | ||
}, | ||
want: false, | ||
}, | ||
{ | ||
name: "vulnerable with revision on both current and patch", | ||
args: args{ | ||
currentVersion: "1.2.3-0", | ||
advisory: types.Advisory{ | ||
PatchedVersions: []string{">=1.2.3-1"}, | ||
}, | ||
}, | ||
want: true, | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
b := bitnami.Comparer{} | ||
got := b.IsVulnerable(tt.args.currentVersion, tt.args.advisory) | ||
assert.Equal(t, tt.want, got) | ||
}) | ||
} | ||
} |
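Review bot: None of the table entries exercises the error path of the comparer — every `currentVersion` and every constraint parses — so the behaviour when `matchVersion` returns an error (malformed version or malformed constraint) is not pinned by this test. Since that outcome decides whether a bad advisory produces a false negative or a false positive, add one entry with an unparseable version against a valid constraint, with `want` set to whatever `compare.IsVulnerable` does on error (that code is outside this commit, so the value below is a placeholder to confirm). A second entry with a malformed constraint string would cover the other branch the same way.

```go
// … unchanged: existing table entries …
{
	name: "unparseable current version",
	args: args{
		currentVersion: "not-a-version", // constructed sample, expected to fail version.Parse
		advisory: types.Advisory{
			VulnerableVersions: []string{"<1.2.3"},
		},
	},
	want: false, // TODO(review): set to compare.IsVulnerable's result when matchVersion errors
},
```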