Skip to content

Commit

Permalink
fix(sbom): cyclonedx advisory should omit null value (#5041)
Browse files Browse the repository at this point in the history
* return nil for advisories, if len of refs == 0
add marshal test

* add integration test for cyclonedx with vulns

* use existing testcase

* test(pom): add ID for cyclondedx integration golden file

* test(integration): add sorting cyclonedx vulns
  • Loading branch information
DmitriyLewen authored Aug 31, 2023
1 parent f811ed2 commit c04f234
Show file tree
Hide file tree
Showing 5 changed files with 336 additions and 14 deletions.
3 changes: 3 additions & 0 deletions integration/integration_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,9 @@ func readCycloneDX(t *testing.T, filePath string) *cdx.BOM {
return (*(*bom.Components)[i].Properties)[ii].Name < (*(*bom.Components)[i].Properties)[jj].Name
})
}
sort.Slice(*bom.Vulnerabilities, func(i, j int) bool {
return (*bom.Vulnerabilities)[i].ID < (*bom.Vulnerabilities)[j].ID
})
}

return bom
Expand Down
10 changes: 10 additions & 0 deletions integration/repo_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,16 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/conda-cyclonedx.json.golden",
},
{
name: "pom.xml generating CycloneDX SBOM (with vulnerabilities)",
args: args{
command: "fs",
scanner: types.VulnerabilityScanner,
format: "cyclonedx",
input: "testdata/fixtures/repo/pom",
},
golden: "testdata/pom-cyclonedx.json.golden",
},
{
name: "conda generating SPDX SBOM",
args: args{
Expand Down
314 changes: 314 additions & 0 deletions integration/testdata/pom-cyclonedx.json.golden
Original file line number Diff line number Diff line change
@@ -0,0 +1,314 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
"version": 1,
"metadata": {
"timestamp": "2020-09-10T14:20:30+00:00",
"tools": [
{
"vendor": "aquasecurity",
"name": "trivy",
"version": "dev"
}
],
"component": {
"bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
"type": "application",
"name": "testdata/fixtures/repo/pom",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
}
]
}
},
"components": [
{
"bom-ref": "3ff14136-e09f-4df9-80ea-000000000003",
"type": "application",
"name": "pom.xml",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "pom"
}
]
},
{
"bom-ref": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
"type": "library",
"name": "com.example:log4shell",
"version": "1.0-SNAPSHOT",
"purl": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "com.example:log4shell:1.0-SNAPSHOT"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "pom"
}
]
},
{
"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"type": "library",
"name": "com.fasterxml.jackson.core:jackson-databind",
"version": "2.9.1",
"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "com.fasterxml.jackson.core:jackson-databind:2.9.1"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "pom"
}
]
}
],
"dependencies": [
{
"ref": "3ff14136-e09f-4df9-80ea-000000000002",
"dependsOn": [
"3ff14136-e09f-4df9-80ea-000000000003"
]
},
{
"ref": "3ff14136-e09f-4df9-80ea-000000000003",
"dependsOn": [
"pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
]
},
{
"ref": "pkg:maven/com.example/log4shell@1.0-SNAPSHOT",
"dependsOn": [
"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1"
]
},
{
"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"dependsOn": []
}
],
"vulnerabilities": [
{
"id": "CVE-2020-9548",
"source": {
"name": "ghsa",
"url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
},
"ratings": [
{
"source": {
"name": "ghsa"
},
"severity": "critical"
},
{
"source": {
"name": "nvd"
},
"score": 6.8,
"severity": "medium",
"method": "CVSSv2",
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
{
"source": {
"name": "nvd"
},
"score": 9.8,
"severity": "critical",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "redhat"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
502
],
"description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4",
"advisories": [
{
"url": "https://access.redhat.com/security/cve/CVE-2020-9548"
},
{
"url": "https://github.com/FasterXML/jackson-databind/issues/2634"
},
{
"url": "https://github.com/advisories/GHSA-p43x-xfjf-5jhr"
},
{
"url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"
},
{
"url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548"
},
{
"url": "https://security.netapp.com/advisory/ntap-20200904-0006/"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2020-03-02T04:15:00+00:00",
"updated": "2021-12-02T21:23:00+00:00",
"affects": [
{
"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"versions": [
{
"version": "2.9.1",
"status": "affected"
}
]
}
]
},
{
"id": "CVE-2021-20190",
"source": {
"name": "glad",
"url": "https://gitlab.com/gitlab-org/advisories-community"
},
"ratings": [
{
"source": {
"name": "ghsa"
},
"severity": "high"
},
{
"source": {
"name": "nvd"
},
"score": 8.3,
"severity": "high",
"method": "CVSSv2",
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"
},
{
"source": {
"name": "nvd"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "redhat"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
502
],
"description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
"advisories": [
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20190"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633"
},
{
"url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a"
},
{
"url": "https://github.com/FasterXML/jackson-databind/issues/2854"
},
{
"url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w"
},
{
"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210219-0008/"
}
],
"published": "2021-01-19T17:15:00+00:00",
"updated": "2021-07-20T23:15:00+00:00",
"affects": [
{
"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.1",
"versions": [
{
"version": "2.9.1",
"status": "affected"
}
]
}
]
}
]
}
7 changes: 7 additions & 0 deletions pkg/sbom/cyclonedx/core/cyclonedx.go
Original file line number Diff line number Diff line change
Expand Up @@ -341,6 +341,13 @@ func UnmarshalProperties(properties *[]cdx.Property) map[string]string {
}

func cdxAdvisories(refs []string) *[]cdx.Advisory {
// cyclonedx converts link to empty `[]cdx.Advisory` to `null`
// `bom-1.5.schema.json` doesn't support this - `Invalid type. Expected: array, given: null`
// we need to explicitly set `nil` for empty `refs` slice
if len(refs) == 0 {
return nil
}

var advs []cdx.Advisory
for _, ref := range refs {
advs = append(advs, cdx.Advisory{
Expand Down
16 changes: 2 additions & 14 deletions pkg/sbom/cyclonedx/marshal_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -108,10 +108,6 @@ func TestMarshaler_Marshal(t *testing.T) {
V3Score: 5.3,
},
},
References: []string{
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
PublishedDate: lo.ToPtr(time.Date(2018, 12, 31, 19, 29, 0, 0, time.UTC)),
LastModifiedDate: lo.ToPtr(time.Date(2019, 10, 31, 1, 15, 0, 0, time.UTC)),
},
Expand Down Expand Up @@ -525,16 +521,8 @@ func TestMarshaler_Marshal(t *testing.T) {
416,
},
Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
Advisories: &[]cdx.Advisory{
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
},
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
},
Published: "2018-12-31T19:29:00+00:00",
Updated: "2019-10-31T01:15:00+00:00",
Published: "2018-12-31T19:29:00+00:00",
Updated: "2019-10-31T01:15:00+00:00",
Affects: &[]cdx.Affects{
{
Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
Expand Down

0 comments on commit c04f234

Please sign in to comment.