fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)

Signed-off-by: juan131 <jariza@vmware.com>
juan131 authored Dec 17, 2023
1 parent df49ea4 commit abf227e
Showing 5 changed files with 179 additions and 1 deletion.
2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -116,6 +116,8 @@ require (
modernc.org/sqlite v1.23.1
)

require github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c

require (
cloud.google.com/go v0.110.7 // indirect
cloud.google.com/go/compute v1.23.0 // indirect
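Review bot: The new `require github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c` pins an untagged commit of a v0 module, so the version-comparison API this fix now relies on carries no stability promise and tag-following update tooling will not surface newer commits. The go.sum entries pin the content, so this is a maintenance rather than an integrity concern. Consider asking upstream for a tagged release, or recording why a pseudo-version is used in a `// TODO(bitnami): switch to a tagged release once one exists` comment beside the require line.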
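--- a/go.sum
+++ b/go.sum
@@ -516,6 +516,8 @@ github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1U
 github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
+github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c h1:C4UZIaS+HAw+X6jGUsoP2ZbM99PuqhCttjomg1yhNAI=
+github.com/bitnami/go-version v0.0.0-20231130084017-bb00604d650c/go.mod h1:9iglf1GG4oNRJ39bZ5AZrjgAFD2RwQbXw6Qf7Cs47wo=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=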
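--- /dev/null
+++ b/pkg/detector/library/compare/bitnami/compare.go
@@ -0,0 +1,32 @@
+package bitnami
+
+import (
+version "github.com/bitnami/go-version/pkg/version"
+"golang.org/x/xerrors"
+
+dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+"github.com/aquasecurity/trivy/pkg/detector/library/compare"
+)
+
+// Comparer represents a comparer for Bitnami
+type Comparer struct{}
+
+// IsVulnerable checks if the package version is vulnerable to the advisory.
+func (n Comparer) IsVulnerable(ver string, advisory dbTypes.Advisory) bool {
+return compare.IsVulnerable(ver, advisory, n.matchVersion)
+}
+
+// matchVersion checks if the package version satisfies the given constraint.
+func (n Comparer) matchVersion(currentVersion, constraint string) (bool, error) {
+v, err := version.Parse(currentVersion)
+if err != nil {
+return false, xerrors.Errorf("bitnami version error (%s): %s", currentVersion, err)
+}
+
+c, err := version.NewConstraints(constraint)
+if err != nil {
+return false, xerrors.Errorf("bitnami constraint error (%s): %s", constraint, err)
+}
+
+return c.Check(v), nil
+}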
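Review bot: matchVersion returns an error when either the package version or the advisory constraint fails to parse, and the two `xerrors.Errorf(... %s ..., err)` calls format the cause into the message instead of wrapping it, so compare.IsVulnerable (outside this hunk) cannot inspect the underlying error with errors.Is/As. Wrapping is a one-character change per line: `return false, xerrors.Errorf("bitnami version error (%s): %w", currentVersion, err)` and `return false, xerrors.Errorf("bitnami constraint error (%s): %w", constraint, err)`. How such an error maps to the bool that IsVulnerable returns is decided by compare.IsVulnerable, not here; if, as the bool-only signature suggests, a parse failure ends up reported as "not vulnerable", an advisory whose constraint go-version rejects is silently dropped for that package, which is worth stating on the Comparer doc comment, e.g. `// Comparer compares Bitnami package versions (which may carry a "-N" revision suffix); versions or constraints that go-version cannot parse are reported via error to compare.IsVulnerable rather than treated as a match.` The receiver name `n` looks inherited from another comparer; `c` would read more naturally for a Comparer.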
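--- /dev/null
+++ b/pkg/detector/library/compare/bitnami/compare_test.go
@@ -0,0 +1,141 @@
+package bitnami_test
+
+import (
+"testing"
+
+"github.com/stretchr/testify/assert"
+
+"github.com/aquasecurity/trivy-db/pkg/types"
+"github.com/aquasecurity/trivy/pkg/detector/library/compare/bitnami"
+)
+
+func TestBitnamiComparer_IsVulnerable(t *testing.T) {
+type args struct {
+currentVersion string
+advisory types.Advisory
+}
+tests := []struct {
+name string
+args args
+want bool
+}{
+{
+name: "not vulnerable",
+args: args{
+currentVersion: "1.2.3",
+advisory: types.Advisory{
+VulnerableVersions: []string{"<1.2.3"},
+},
+},
+want: false,
+},
+{
+name: "vulnerable",
+args: args{
+currentVersion: "1.2.3",
+advisory: types.Advisory{
+VulnerableVersions: []string{"<=1.2.3"},
+},
+},
+want: true,
+},
+{
+name: "patched",
+args: args{
+currentVersion: "1.2.3",
+advisory: types.Advisory{
+PatchedVersions: []string{">=1.2.3"},
+},
+},
+want: false,
+},
+{
+name: "unaffected",
+args: args{
+currentVersion: "1.2.3",
+advisory: types.Advisory{
+UnaffectedVersions: []string{"=1.2.3"},
+},
+},
+want: false,
+},
+{
+name: "vulnerable based on patched & unaffected versions",
+args: args{
+currentVersion: "1.2.3",
+advisory: types.Advisory{
+UnaffectedVersions: []string{"=1.2.0"},
+PatchedVersions: []string{">=1.2.4"},
+},
+},
+want: true,
+},
+{
+name: "patched with revision on current version",
+args: args{
+currentVersion: "1.2.3-1",
+advisory: types.Advisory{
+PatchedVersions: []string{">=1.2.3"},
+},
+},
+want: false,
+},
+{
+name: "vulnerable with revision on current version",
+args: args{
+currentVersion: "1.2.3-1",
+advisory: types.Advisory{
+PatchedVersions: []string{">=1.2.4"},
+},
+},
+want: true,
+},
+{
+name: "patched with revision on patch",
+args: args{
+currentVersion: "1.2.4",
+advisory: types.Advisory{
+PatchedVersions: []string{">=1.2.3-1"},
+},
+},
+want: false,
+},
+{
+name: "vulnerable with revision on patch",
+args: args{
+currentVersion: "1.2.3",
+advisory: types.Advisory{
+PatchedVersions: []string{">=1.2.3-1"},
+},
+},
+want: true,
+},
+{
+name: "patched with revisions on both current and patch",
+args: args{
+currentVersion: "1.2.4-2",
+advisory: types.Advisory{
+PatchedVersions: []string{">=1.2.3-1"},
+},
+},
+want: false,
+},
+{
+name: "vulnerable with revision on both current and patch",
+args: args{
+currentVersion: "1.2.3-0",
+advisory: types.Advisory{
+PatchedVersions: []string{">=1.2.3-1"},
+},
+},
+want: true,
+},
+}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+b := bitnami.Comparer{}
+got := b.IsVulnerable(tt.args.currentVersion, tt.args.advisory)
+assert.Equal(t, tt.want, got)
+})
+}
+}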
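Review bot: The table exercises revision suffixes well but has no case for a version or constraint that go-version cannot parse, which is exactly the branch in matchVersion where the detector can silently stop reporting a finding; whatever compare.IsVulnerable does with that error should be pinned here so a future change cannot flip it unnoticed, e.g. `{name: "unparsable version", args: args{currentVersion: "not-a-version", advisory: types.Advisory{VulnerableVersions: []string{"<1.2.3"}}}, want: false}` and a sibling with an unparsable constraint, with `want` set to the documented behaviour. Every constraint in the table is also a single operator; if Bitnami advisories in trivy-db carry compound ranges (I cannot tell from this diff), one case like `VulnerableVersions: []string{">=1.2.0, <1.2.3"}` would show that NewConstraints accepts the syntax the database actually emits. Finally, a `v`-prefixed input such as `"v1.2.3"` is worth one case either way, since whether Parse tolerates the prefix determines whether such packages are scanned at all.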
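--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -11,6 +11,7 @@ import (
 dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 "github.com/aquasecurity/trivy/pkg/detector/library/compare"
+"github.com/aquasecurity/trivy/pkg/detector/library/compare/bitnami"
 "github.com/aquasecurity/trivy/pkg/detector/library/compare/maven"
 "github.com/aquasecurity/trivy/pkg/detector/library/compare/npm"
 "github.com/aquasecurity/trivy/pkg/detector/library/compare/pep440"
@@ -76,7 +77,7 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
 return Driver{}, false
 case ftypes.Bitnami:
 ecosystem = vulnerability.Bitnami
-comparer = compare.GenericComparer{}
+comparer = bitnami.Comparer{}
 case ftypes.K8sUpstream:
 ecosystem = vulnerability.Kubernetes
 comparer = compare.GenericComparer{}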
