aquasecurity
feat(image): updated json report added package locations fields
Description
This pull request introduces a new feature to include package location indexes in the JSON report.
Changes
- Modified
pkg/scanner/local/server.goto use the location data from the detected vulnerability. - Updated
pkg/report/sarif.goto reuse the calculated location information if available. - Added a new key
LocationunderDetectedVulnerabilityinpkg/types/vulnerability.goto update the extracted location data. - Updated
integration/testdata/*.json.goldento verify Location field in json reports
Usage
$ git clone https://github.com/knqyf263/trivy-ci-test.git
$ cd trivy-ci-test
$ trivy fs --format template --format json -o trivy_report.json --scanners vuln .
Command output before this feature change
{
"SchemaVersion": 2,
"CreatedAt": "2024-03-16T21:54:44.700427+05:30",
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
...
},
"Results": [
{
"Target": "Cargo.lock",
"Class": "lang-pkgs",
"Type": "cargo",
"Packages": [...],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-15542",
"PkgID": "[email protected]",
"PkgName": "ammonia",
"PkgIdentifier": {
"PURL": "pkg:cargo/[email protected]"
},
"InstalledVersion": "1.9.0",
"FixedVersion": "2.1.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15542",
"DataSource": {...},
"Title": "Uncontrolled recursion in ammonia",
"Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
"Severity": "HIGH",
"CweIDs": ["CWE-674],
"VendorSeverity": {...},
"CVSS": {...},
"References": [...],
"PublishedDate": "2019-08-26T18:15:12.467Z",
"LastModifiedDate": "2020-08-24T17:37:01.14Z"
}
]
}
]
}
Command output after introducing this feature
{
"SchemaVersion": 2,
"CreatedAt": "2024-03-16T21:54:44.700427+05:30",
"ArtifactName": ".",
"ArtifactType": "filesystem",
"Metadata": {
...
},
"Results": [
{
"Target": "Cargo.lock",
"Class": "lang-pkgs",
"Type": "cargo",
"Packages": [...],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-15542",
"PkgID": "[email protected]",
"PkgName": "ammonia",
"PkgIdentifier": {
"PURL": "pkg:cargo/[email protected]"
},
"InstalledVersion": "1.9.0",
"FixedVersion": "2.1.0",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15542",
"Locations": [
{
"StartLine": 2,
"EndLine": 13
}
],
"DataSource": {...},
"Title": "Uncontrolled recursion in ammonia",
"Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
"Severity": "HIGH",
"CweIDs": [ "CWE-674"],
"VendorSeverity": {...},
"CVSS": {...},
"References": [...],
"PublishedDate": "2019-08-26T18:15:12.467Z",
"LastModifiedDate": "2020-08-24T17:37:01.14Z"
}
]
}
]
}
Related issues
- Close #4418
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [x] I've added tests that prove my fix is effective or that my feature works.
- [x] I've updated the documentation with the relevant information (if needed).
- [x] I've added usage information (if the PR introduces new options)
- [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).
Hey @DmitriyLewen, needed your opinion on this. After integrating the Location Changes, I noticed that integration_test/client_server.go started failing for the busybox_with_cargo.lock and scan pox.xml test cases. The issue from these test cases is expecting DetectedVulnerability.Location to be nil. However, the output golden files busybox-with-lockfile.json.golden and pom.json.golden are also used in other integration tests where non-nil Location data is expected. To address this, I created two duplicate files that includes Location data. Please let me know if you have a better solution for this.
@parvez0 You need to update rpc package.
Let me know when you're done making changes (to avoid conflicts) and i will update client/server part.
@parvez0 You need to update
rpcpackage. Let me know when you're done making changes (to avoid conflicts) and i will update client/server part.
Hey @DmitriyLewen what do I have to do in rpc package I haven't seen any changes that need to be made there, can you please let me know I'll try to do it as soon as possible
Hm... we don't insert Locations in client/server mode...
I created #6366 for this bug.
After merge #6366 you need to merge main branch into this PR and follow these steps:
- add locations to Vulnerabilities (use 26 number). Use Location struct.
- run
mage fmt. - run
mage:protoc. - add
LocationstoVulnerabiltiesas for Packages ( useConvertToRPCLocationsandConvertFromRPCLocationfunctions) - add Locations in testcase in
convert_test.go. - recheck that you don't need new test golden files in integration tests.
Originally, our policy was to include only minimal data in reports. It may be better to embed Package in DetectedVulnerability than to gradually add more and more attributes.
sounds logical. @parvez0 Do you have the time and opportunity to do this?
We're so sorry. We discussed this offline and found out that embedding packages will get lots of duplicate data if multiple vulnerabilities are found in one package. We need to carefully think about it.
Hey @knqyf263, I had the same question and was just about to reach out to you. Please let me know if you've settled on an approach for this and need my assistance to finalize it. In the meantime, I'll start looking into other issues that I can address.
@parvez0 Thanks for your understanding. I implemented my idea and would collect feedback from other maintainers.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}