
feat(dart): add graph support #5374

Merged (11 commits, Oct 20, 2023)

Conversation

@DmitriyLewen DmitriyLewen commented Oct 13, 2023

Description

The cache dir contains a pubspec.yaml for each dependency.
We can parse these files and use them to build the dependency graph.

Example of work:

➜ PUB_CACHE=/Users/work/work/temp/5366/app/cache ./trivy -d fs --dependency-tree ./pubspec.lock   
...
2023-10-16T13:24:43.488+0600	INFO	Number of language-specific files: 1
2023-10-16T13:24:43.488+0600	INFO	Detecting pub vulnerabilities...
2023-10-16T13:24:43.488+0600	DEBUG	Detecting library vulnerabilities, type: pub, path: pubspec.lock

pubspec.lock (pub)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ dio     │ CVE-2021-31402 │ HIGH     │ fixed  │ 4.0.6             │ 5.0.0         │ dio vulnerable to CRLF injection with HTTP method string │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-31402               │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
pubspec.lock
└── dio@4.0.6, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
    └── retrofit@2.0.0

TODO for another PR:

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Oct 13, 2023
@DmitriyLewen DmitriyLewen marked this pull request as ready for review October 16, 2023 08:49
docs/docs/configuration/reporting.md (outdated, resolved)
pkg/fanal/analyzer/language/dart/pub/pubspec.go (outdated, resolved), comment on these lines:

    }

    deps := make(map[string][]string)
    if err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
Collaborator

Can't we use fsutils.WalkDir?

Contributor Author

This is the same case as with go.mod licenses -

    err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, err error) error {

An example:
The user uses the default cache path (~/.pub_cache).
But he scans the project dir (e.g. ~/project1).
In this case we don't add pubspec.yaml files from ~/.pub_cache to the FS for PostAnalyze.
=> we can't read these files from input.FS.
Correct me if I missed something.

Perhaps we can use os.DirFS("/") (fsutils.WalkDir(os.DirFS("/"), ".", required, func(path string, d fs.DirEntry, r io.Reader) error)). But I am not sure that it makes sense.

Collaborator

Doesn't os.DirFS(dir) work?

Contributor Author

After my suggestion about os.DirFS I didn't think of the obvious solution 😄.
Thank you!
I used fsutils.WalkDir in 3abdc47
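As an added example that is not part of this PR or of Trivy's own code, the following Go program does what the thread above discusses: it walks a pub cache through an fs.FS (an in-memory fstest.MapFS stands in for os.DirFS(pubCacheDir) so it runs offline), reads every cached pubspec.yaml, and builds the reversed dependency graph that Trivy prints as "Dependency Origin Tree (Reversed)". The names parsePubspec, buildReverseGraph, sampleCache and sampleLock are hypothetical, the dependency lists in sampleCache are constructed, and the small line-based YAML reader is a stand-in for a real YAML library. It goes one step beyond the thread: a pub cache keeps every version of a package ever fetched, so a cached pubspec.yaml is only used when both its name and its version match what pubspec.lock resolved, otherwise a second cached version would add phantom edges.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"sort"
	"strings"
	"testing/fstest"
)

// pubspec holds the only fields this example needs from a cached pubspec.yaml.
type pubspec struct {
	Name, Version string
	Deps          []string
}

// parsePubspec reads "name:", "version:" and the direct keys under "dependencies:".
// Deliberately minimal: it assumes the two-space indentation pub writes and
// ignores nested mappings (git/path dependencies), which a YAML library would handle.
func parsePubspec(data string) pubspec {
	var p pubspec
	inDeps := false
	for _, raw := range strings.Split(data, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		if indent == 0 {
			key, val, _ := strings.Cut(line, ":")
			val = strings.TrimSpace(val)
			inDeps = key == "dependencies"
			switch key {
			case "name":
				p.Name = val
			case "version":
				p.Version = val
			}
			continue
		}
		if inDeps && indent == 2 {
			key, _, _ := strings.Cut(line, ":")
			p.Deps = append(p.Deps, strings.TrimSpace(key))
		}
	}
	return p
}

// buildReverseGraph walks cacheFS (e.g. os.DirFS(pubCacheDir)) for pubspec.yaml files
// and returns dependency -> sorted dependents, i.e. the reversed tree. installed maps
// package name -> version taken from pubspec.lock; cached packages whose name or
// version is not in that map are skipped.
func buildReverseGraph(cacheFS fs.FS, installed map[string]string) (map[string][]string, error) {
	parents := make(map[string][]string)
	walk := func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || path.Base(p) != "pubspec.yaml" {
			return nil
		}
		data, err := fs.ReadFile(cacheFS, p)
		if err != nil {
			return err
		}
		ps := parsePubspec(string(data))
		if ver, ok := installed[ps.Name]; !ok || ver != ps.Version {
			return nil // not installed, or a cached version pubspec.lock did not resolve
		}
		for _, dep := range ps.Deps {
			if _, ok := installed[dep]; ok {
				parents[dep] = append(parents[dep], ps.Name)
			}
		}
		return nil
	}
	if err := fs.WalkDir(cacheFS, ".", walk); err != nil {
		return nil, err
	}
	for k := range parents {
		sort.Strings(parents[k])
	}
	return parents, nil
}

// sampleCache is a constructed in-memory stand-in for $PUB_CACHE. Package names mirror
// the PR's example; the dependency lists are made up for illustration.
var sampleCache = fstest.MapFS{
	"hosted/pub.dev/retrofit-2.0.0/pubspec.yaml": &fstest.MapFile{Data: []byte(
		"name: retrofit\nversion: 2.0.0\ndependencies:\n  dio: ^4.0.0\n  meta: ^1.3.0\n")},
	"hosted/pub.dev/dio-4.0.6/pubspec.yaml": &fstest.MapFile{Data: []byte(
		"name: dio\nversion: 4.0.6\ndependencies:\n  http_parser: ^4.0.0\n")},
	// A second cached dio version: must be ignored because pubspec.lock pins 4.0.6.
	"hosted/pub.dev/dio-5.0.0/pubspec.yaml": &fstest.MapFile{Data: []byte(
		"name: dio\nversion: 5.0.0\ndependencies:\n  http_parser: ^4.0.0\n  meta: ^1.3.0\n")},
	"hosted/pub.dev/http_parser-4.0.2/pubspec.yaml": &fstest.MapFile{Data: []byte(
		"name: http_parser\nversion: 4.0.2\ndependencies:\n  string_scanner: ^1.0.0\n")},
}

// sampleLock is the name -> version map one would derive from pubspec.lock (constructed).
var sampleLock = map[string]string{"retrofit": "2.0.0", "dio": "4.0.6", "http_parser": "4.0.2"}

func main() {
	parents, err := buildReverseGraph(sampleCache, sampleLock)
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(parents))
	for k := range parents {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	fmt.Println("Dependency Origin Tree (Reversed)")
	for _, k := range keys {
		fmt.Printf("%s@%s\n", k, sampleLock[k])
		for _, parent := range parents[k] {
			fmt.Printf("└── %s@%s\n", parent, sampleLock[parent])
		}
	}
}
```

Running it prints dio@4.0.6 with retrofit@2.0.0 beneath it and http_parser@4.0.2 with dio@4.0.6 beneath it; the cached dio-5.0.0 contributes nothing because its version does not match the lock file. Replacing sampleCache with os.DirFS(os.Getenv("PUB_CACHE")) walks a real cache the same way, which is the point of the thread: an fs.FS rooted at the cache dir, not the scanned project's input.FS, is what the post-analyzer needs.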

DmitriyLewen and others added 7 commits October 19, 2023 12:11
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 knqyf263 added this pull request to the merge queue Oct 20, 2023
Merged via the queue into aquasecurity:main with commit 1a15a3a Oct 20, 2023
16 checks passed
@DmitriyLewen DmitriyLewen deleted the feat/dart-pub-graph branch October 20, 2023 10:22
Successfully merging this pull request may close these issues.

feat(dart): add dependency tree support
2 participants