trivy
fix(cyclonedx): fix work when there are same pkgs from different dirs
Description
Fixes cases where the same package is found in different directories:
➜ tree dir
dir
├── dir1
│   └── jackson-databind-2.13.4.jar
└── dir2
    └── jackson-databind-2.13.4.jar
- return all found packages: before:
"components": [
  {
    "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?file_path=dir1%2Fjackson-databind-2.13.4.jar",
    "type": "library",
    "group": "com.fasterxml.jackson.core",
    "name": "jackson-databind",
    "version": "2.13.4",
    "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
    "properties": [
      {
        "name": "aquasecurity:trivy:FilePath",
        "value": "dir1/jackson-databind-2.13.4.jar"
      },
      {
        "name": "aquasecurity:trivy:PkgType",
        "value": "jar"
      }
    ]
  }
],
after:
"components": [
  {
    "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?file_path=dir1%2Fjackson-databind-2.13.4.jar",
    "type": "library",
    "group": "com.fasterxml.jackson.core",
    "name": "jackson-databind",
    "version": "2.13.4",
    "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
    "properties": [
      {
        "name": "aquasecurity:trivy:FilePath",
        "value": "dir1/jackson-databind-2.13.4.jar"
      },
      {
        "name": "aquasecurity:trivy:PkgType",
        "value": "jar"
      }
    ]
  },
  {
    "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?file_path=dir2%2Fjackson-databind-2.13.4.jar",
    "type": "library",
    "group": "com.fasterxml.jackson.core",
    "name": "jackson-databind",
    "version": "2.13.4",
    "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
    "properties": [
      {
        "name": "aquasecurity:trivy:FilePath",
        "value": "dir2/jackson-databind-2.13.4.jar"
      },
      {
        "name": "aquasecurity:trivy:PkgType",
        "value": "jar"
      }
    ]
  }
],
- show correct refs for vulnerabilities.affects. before (dir2 and dir2):
"affects": [
  {
    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?file_path=dir2%2Fjackson-databind-2.13.4.jar",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?file_path=dir2%2Fjackson-databind-2.13.4.jar",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  }
]
after (dir1 + dir2):
"affects": [
  {
    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?file_path=dir1%2Fjackson-databind-2.13.4.jar",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?file_path=dir2%2Fjackson-databind-2.13.4.jar",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  }
]
Related issues
- Close #5796
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [x] I've added tests that prove my fix is effective or that my feature works.
- [x] I've updated the documentation with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
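The before/after output above boils down to two properties of the CycloneDX document: components must be keyed on the full bom-ref (purl plus the file_path qualifier), not on the bare purl, or one directory copy silently disappears; and every vulnerabilities[].affects[].ref must resolve to a component bom-ref that actually exists. The following Go program is an added example and is not Trivy's code: it reproduces the pre-fix collapse by purl beside the fixed behaviour, builds the affects list from the kept components, and checks the SBOM for dangling refs. The Package type, the helper names and the vulnerability id are hypothetical; the two jar paths are constructed from the PR description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
)

// Component is the subset of a CycloneDX component that this check needs.
type Component struct {
	BOMRef  string `json:"bom-ref"`
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// Affect is one entry of vulnerabilities[].affects.
type Affect struct {
	Ref string `json:"ref"`
}

// Vulnerability is the subset of a CycloneDX vulnerability that this check needs.
type Vulnerability struct {
	ID      string   `json:"id"`
	Affects []Affect `json:"affects"`
}

// BOM is the subset of a CycloneDX document that this check needs.
type BOM struct {
	Components      []Component     `json:"components"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Package is a hypothetical stand-in for one package found by a scanner
// (not Trivy's own type).
type Package struct {
	Name, Version, PURL, FilePath string
}

// BOMRef appends a URL-encoded file_path qualifier to the purl, so two copies of
// the same artifact in different directories get distinct references.
func BOMRef(p Package) string {
	if p.FilePath == "" {
		return p.PURL
	}
	q := url.Values{}
	q.Set("file_path", p.FilePath)
	return p.PURL + "?" + q.Encode()
}

// componentsKeyedBy collapses packages on keyFn, keeping the first occurrence.
func componentsKeyedBy(pkgs []Package, keyFn func(Package) string) []Component {
	seen := map[string]bool{}
	var out []Component
	for _, p := range pkgs {
		k := keyFn(p)
		if seen[k] {
			continue
		}
		seen[k] = true
		out = append(out, Component{BOMRef: BOMRef(p), Type: "library", Name: p.Name, Version: p.Version, PURL: p.PURL})
	}
	return out
}

// ComponentsBefore reproduces the pre-fix behaviour: keyed on the bare purl,
// the second jar is dropped.
func ComponentsBefore(pkgs []Package) []Component {
	return componentsKeyedBy(pkgs, func(p Package) string { return p.PURL })
}

// ComponentsAfter keys on the bom-ref, so every directory copy is listed.
func ComponentsAfter(pkgs []Package) []Component {
	return componentsKeyedBy(pkgs, BOMRef)
}

// AffectsFor emits one affects entry per component whose purl is vulnerable.
func AffectsFor(comps []Component, vulnPURL string) []Affect {
	var out []Affect
	for _, c := range comps {
		if c.PURL == vulnPURL {
			out = append(out, Affect{Ref: c.BOMRef})
		}
	}
	return out
}

// UnresolvedRefs returns every affects ref that points at no component bom-ref,
// the consistency check a consumer should run before trusting the SBOM.
func UnresolvedRefs(b BOM) []string {
	refs := map[string]bool{}
	for _, c := range b.Components {
		refs[c.BOMRef] = true
	}
	var bad []string
	for _, v := range b.Vulnerabilities {
		for _, a := range v.Affects {
			if !refs[a.Ref] {
				bad = append(bad, a.Ref)
			}
		}
	}
	sort.Strings(bad)
	return bad
}

// SamplePackages is the constructed input: the same jar under dir1 and dir2.
func SamplePackages() []Package {
	purl := "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"
	return []Package{
		{Name: "jackson-databind", Version: "2.13.4", PURL: purl, FilePath: "dir1/jackson-databind-2.13.4.jar"},
		{Name: "jackson-databind", Version: "2.13.4", PURL: purl, FilePath: "dir2/jackson-databind-2.13.4.jar"},
	}
}

func main() {
	pkgs := SamplePackages()
	comps := ComponentsAfter(pkgs)
	// "VULN-PLACEHOLDER" is a hypothetical id, not a claim about this version.
	bom := BOM{Components: comps, Vulnerabilities: []Vulnerability{{ID: "VULN-PLACEHOLDER", Affects: AffectsFor(comps, pkgs[0].PURL)}}}
	out, _ := json.MarshalIndent(bom, "", "  ")
	fmt.Println(string(out))
	fmt.Println("before:", len(ComponentsBefore(pkgs)), "component(s); after:", len(comps))
	fmt.Println("unresolved refs:", UnresolvedRefs(bom))
}
```

Running it prints a two-component BOM whose affects refs carry file_path=dir1... and file_path=dir2..., the 1-versus-2 component count, and an empty unresolved list; dropping a component while keeping its affects entry makes UnresolvedRefs report the dangling ref.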
This PR is stale because it has been labeled with inactivity.
This should be reviewed...
#6240 fixed this problem.