diff --git a/integration/testdata/pom-cyclonedx.json.golden b/integration/testdata/pom-cyclonedx.json.golden
index 8e1c482e0580..3e87c28beedd 100644
--- a/integration/testdata/pom-cyclonedx.json.golden
+++ b/integration/testdata/pom-cyclonedx.json.golden
@@ -149,6 +149,9 @@
 "description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
 "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4",
 "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2020-9548"
+ },
 {
 "url": "https://access.redhat.com/security/cve/CVE-2020-9548"
 },
@@ -268,6 +271,9 @@
 "description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
 "recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
 "advisories": [
+ {
+ "url": "https://avd.aquasec.com/nvd/cve-2021-20190"
+ },
 {
 "url": "https://access.redhat.com/security/cve/CVE-2021-20190"
 },
diff --git a/pkg/sbom/cyclonedx/core/cyclonedx.go b/pkg/sbom/cyclonedx/core/cyclonedx.go
index 9a2a7a14466f..dad245b5239c 100644
--- a/pkg/sbom/cyclonedx/core/cyclonedx.go
+++ b/pkg/sbom/cyclonedx/core/cyclonedx.go
@@ -155,7 +155,7 @@ func (c *CycloneDX) marshalVulnerability(bomRef string, vuln types.DetectedVulne
 Ratings: cdxRatings(vuln),
 CWEs: cwes(vuln.CweIDs),
 Description: vuln.Description,
- Advisories: cdxAdvisories(vuln.References),
+ Advisories: cdxAdvisories(append([]string{vuln.PrimaryURL}, vuln.References...)),
 }
 if vuln.FixedVersion != "" {
 v.Recommendation = fmt.Sprintf("Upgrade %s to version %s", vuln.PkgName, vuln.FixedVersion)
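Review bot: The new `Advisories:` line prepends `vuln.PrimaryURL` unconditionally, so when it is empty the call hands an empty string to `cdxAdvisories` and silently relies on that helper (changed in the next hunk) to drop it and to dedupe it against `vuln.References`; nothing at the call site says so. I would add `// PrimaryURL goes first; cdxAdvisories drops empty and duplicate entries` above the line so a later change to the helper does not reintroduce a `{"url": ""}` advisory in the SBOM. The fresh `[]string{...}` literal means the append does not alias or mutate `vuln.References`, which is fine as written. marshalVulnerability starts and ends outside the hunk.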
@@ -341,19 +341,18 @@ func UnmarshalProperties(properties *[]cdx.Property) map[string]string {
 }
 func cdxAdvisories(refs []string) *[]cdx.Advisory {
+ refs = lo.Uniq(refs)
+ advs := lo.FilterMap(refs, func(ref string, _ int) (cdx.Advisory, bool) {
+ return cdx.Advisory{URL: ref}, ref != ""
+ })
+
 // cyclonedx converts link to empty `[]cdx.Advisory` to `null`
 // `bom-1.5.schema.json` doesn't support this - `Invalid type. Expected: array, given: null`
 // we need to explicitly set `nil` for empty `refs` slice
- if len(refs) == 0 {
+ if len(advs) == 0 {
 return nil
 }
- var advs []cdx.Advisory
- for _, ref := range refs {
- advs = append(advs, cdx.Advisory{
- URL: ref,
- })
- }
 return &advs
 }
diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go
index de41d837f453..ddc68131ea0c 100644
--- a/pkg/sbom/cyclonedx/marshal_test.go
+++ b/pkg/sbom/cyclonedx/marshal_test.go
@@ -522,6 +522,11 @@ func TestMarshaler_Marshal(t *testing.T) {
 Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
 Published: "2018-12-31T19:29:00+00:00",
 Updated: "2019-10-31T01:15:00+00:00",
+ Advisories: &[]cdx.Advisory{
+ {
+ URL: "https://avd.aquasec.com/nvd/cve-2018-20623",
+ },
+ },
 Affects: &[]cdx.Affects{
 {
 Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
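Review bot: The comment kept above the new `if len(advs) == 0` still says "for empty `refs` slice", but the check is now on the filtered, deduplicated result, so a non-empty `refs` that holds only empty strings also returns nil; I would change it to `// we need to explicitly return nil when nothing remains after filtering (empty refs, or refs holding only "")`. cdxAdvisories now does three things with no doc comment; a one-line comment stating that it deduplicates in first-occurrence order (so a caller-placed primary URL stays first), drops empty strings and returns nil for an empty result would make the contract the new caller depends on explicit. The predicate only rejects `""`; if the bom-1.5 schema validates `advisory.url` as an IRI reference, which I believe it does, a malformed reference string from the database would still produce an SBOM that fails validation, so consider tightening the filter with `url.Parse` or documenting that reference strings are trusted to be well-formed URLs.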
@@ -991,6 +996,9 @@ func TestMarshaler_Marshal(t *testing.T) {
 },
 Description: "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
 Advisories: &[]cdx.Advisory{
+ {
+ URL: "https://avd.aquasec.com/nvd/cve-2022-23633",
+ },
 {
 URL: "http://www.openwall.com/lists/oss-security/2022/02/11/5",
 },
@@ -1384,6 +1392,9 @@ func TestMarshaler_Marshal(t *testing.T) {
 CWEs: lo.ToPtr([]int{94}),
 Description: "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0...",
 Advisories: &[]cdx.Advisory{
+ {
+ URL: "https://avd.aquasec.com/nvd/cve-2023-34468",
+ },
 {
 URL: "http://www.openwall.com/lists/oss-security/2023/06/12/3",
 },
diff --git a/pkg/vulnerability/vulnerability.go b/pkg/vulnerability/vulnerability.go
index 2b29e632e0f6..504d9293e873 100644
--- a/pkg/vulnerability/vulnerability.go
+++ b/pkg/vulnerability/vulnerability.go
@@ -91,6 +91,13 @@ func (c Client) FillInfo(vulns []types.DetectedVulnerability) {
 if vulns[i].SeveritySource != "" {
 severity = vulns[i].Severity
 severitySource = vulns[i].SeveritySource
+
+ // Store package-specific severity in vendor severities
+ if vuln.VendorSeverity == nil {
+ vuln.VendorSeverity = make(dbTypes.VendorSeverity)
+ }
+ s, _ := dbTypes.NewSeverity(severity) // skip error handling because `SeverityUnknown` will be returned in case of error
+ vuln.VendorSeverity[severitySource] = s
 }
 // Add the vulnerability detail
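Review bot: The added `s, _ := dbTypes.NewSeverity(severity)` records `SeverityUnknown` under `vuln.VendorSeverity[severitySource]` whenever the package-level severity string is not recognized, which turns an unparsable input into a vendor rating that downstream consumers (presumably the CycloneDX ratings built from VendorSeverity) will emit as if it were real data. I would only store a successfully parsed value, `if s, err := dbTypes.NewSeverity(severity); err == nil {` / `vuln.VendorSeverity[severitySource] = s` / `}`, and, if this package has a logger, note the rejected string at debug level instead of dropping it silently. The write also overwrites any entry the database already had for that source; if that precedence is intended, say so: `// package-specific severity takes precedence over the vendor-wide one for this source`. `vuln`, `severity` and `severitySource` are declared before the hunk and the enclosing loop in FillInfo continues after it.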
diff --git a/pkg/vulnerability/vulnerability_test.go b/pkg/vulnerability/vulnerability_test.go
index 8caf314ae7fa..11dac691503e 100644
--- a/pkg/vulnerability/vulnerability_test.go
+++ b/pkg/vulnerability/vulnerability_test.go
@@ -218,9 +218,12 @@ func TestClient_FillInfo(t *testing.T) {
 Status: dbTypes.StatusAffected,
 SeveritySource: vulnerability.Debian,
 Vulnerability: dbTypes.Vulnerability{
- Title: "dos",
- Description: "dos vulnerability",
- Severity: dbTypes.SeverityLow.String(),
+ Title: "dos",
+ Description: "dos vulnerability",
+ Severity: dbTypes.SeverityLow.String(),
+ VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
+ vulnerability.Debian: dbTypes.SeverityLow,
+ },
 References: []string{"http://example.com"},
 LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
 PublishedDate: utils.MustTimeParse("2001-01-01T01:01:00Z"),