Display advisory information (#2)

* Use fork tablewriter * Display advisory information * Update README
aquasecurity · May 7, 2019 · 1291b9a · 1291b9a
1 parent 4a0b8c5
commit 1291b9a
Show file tree

Hide file tree

Showing 13 changed files with 193 additions and 32 deletions.
diff --git a/README.md b/README.md
@@ -1,10 +1,12 @@
-# trivy
+<img src="imgs/logo.png" width="300">
 
 [![GitHub release](https://img.shields.io/github/release/knqyf263/trivy.svg)](https://github.com/knqyf263/trivy/releases/latest)
 [![CircleCI](https://circleci.com/gh/knqyf263/trivy.svg?style=svg)](https://circleci.com/gh/knqyf263/trivy)
 [![Go Report Card](https://goreportcard.com/badge/github.com/knqyf263/trivy)](https://goreportcard.com/report/github.com/knqyf263/trivy)
 [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/knqyf263/trivy/blob/master/LICENSE)
 
+A Simple and Comprehensive Vulnerability Scanner for Containers
+
 # Abstract
 Scan containers
 

diff --git a/go.mod b/go.mod
@@ -37,3 +37,5 @@ require (
 )
 
 replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55
+
+replace github.com/olekukonko/tablewriter => github.com/knqyf263/tablewriter v0.0.2
diff --git a/go.sum b/go.sum
@@ -128,6 +128,8 @@ github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9D
 github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
+github.com/knqyf263/tablewriter v0.0.2 h1:lGaBruL/oJt8FAlMVy9KU0oQ/6NXAJjvK7wBgZyc+Og=
+github.com/knqyf263/tablewriter v0.0.2/go.mod h1:NDOJQAZxabBL3e13jQVktkvbr6bxXXPon8Lyh7fRPPc=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=

diff --git a/imgs/logo.png b/imgs/logo.png
diff --git a/pkg/scanner/library/bundler/advisory.go b/pkg/scanner/library/bundler/advisory.go
@@ -1,10 +1,16 @@
 package bundler
 
 import (
+ "fmt"
  "io/ioutil"
  "os"
  "path/filepath"
 
+ "github.com/etcd-io/bbolt"
+
+ "github.com/knqyf263/trivy/pkg/db"
+ "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+
  "golang.org/x/xerrors"
 
  "github.com/knqyf263/trivy/pkg/git"
@@ -28,6 +34,9 @@ type Advisory struct {
  Osvdb string
  Title string
  Url string
+ Description string
+ CvssV2 float64 `yaml:"cvss_v2"`
+ CvssV3 float64 `yaml:"cvss_v3"`
  PatchedVersions []string `yaml:"patched_versions"`
  UnaffectedVersions []string `yaml:"unaffected_versions"`
  Related Related
@@ -42,14 +51,15 @@ func (s *Scanner) UpdateDB() (err error) {
  if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
  return xerrors.Errorf("error in %s security DB update: %w", s.Type(), err)
  }
- s.db, err = walk()
+ s.db, err = s.walk()
  return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
  advisoryDB := AdvisoryDB{}
  root := filepath.Join(repoPath, "gems")
 
+ var vulns []vulnerability.Vulnerability
  err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
  if info.IsDir() {
  return nil
@@ -65,16 +75,48 @@ func walk() (AdvisoryDB, error) {
  return xerrors.Errorf("failed to unmarshal YAML: %w", err)
  }
 
+ // for detecting vulnerabilities
  advisories, ok := advisoryDB[advisory.Gem]
  if !ok {
  advisories = []Advisory{}
  }
  advisoryDB[advisory.Gem] = append(advisories, advisory)
 
+ // for displaying vulnerability detail
+ var vulnerabilityID string
+ if advisory.Cve != "" {
+ vulnerabilityID = fmt.Sprintf("CVE-%s", advisory.Cve)
+ } else if advisory.Osvdb != "" {
+ vulnerabilityID = fmt.Sprintf("OSVDB-%s", advisory.Osvdb)
+ }
+ vulns = append(vulns, vulnerability.Vulnerability{
+ ID: vulnerabilityID,
+ CvssScore: advisory.CvssV2,
+ CvssScoreV3: advisory.CvssV3,
+ References: append([]string{advisory.Url}, advisory.Related.Url...),
+ Title: advisory.Title,
+ Description: advisory.Description,
+ })
+
  return nil
  })
  if err != nil {
- return nil, xerrors.Errorf("error in file wakl: %w", err)
+ return nil, xerrors.Errorf("error in file walk: %w", err)
+ }
+
+ if err = s.saveVulnerabilities(vulns); err != nil {
+ return nil, err
  }
  return advisoryDB, nil
 }
+
+func (s *Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+ return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+ for _, vuln := range vulns {
+ if err := db.Put(b, vuln.ID, vulnerability.RubySec, vuln); err != nil {
+ return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+ }
+ }
+ return nil
+ })
+}
diff --git a/pkg/scanner/library/composer/advisory.go b/pkg/scanner/library/composer/advisory.go
@@ -6,7 +6,13 @@ import (
  "path/filepath"
  "strings"
 
+ "github.com/etcd-io/bbolt"
+
+ "github.com/knqyf263/trivy/pkg/db"
+ "golang.org/x/xerrors"
+
  "github.com/knqyf263/trivy/pkg/utils"
+ "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
  "github.com/knqyf263/trivy/pkg/git"
  "gopkg.in/yaml.v2"
@@ -38,12 +44,13 @@ func (s *Scanner) UpdateDB() (err error) {
  if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
  return err
  }
- s.db, err = walk()
+ s.db, err = s.walk()
  return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
  advisoryDB := AdvisoryDB{}
+ var vulns []vulnerability.Vulnerability
  err := filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error {
  if info.IsDir() || !strings.HasPrefix(info.Name(), "CVE-") {
  return nil
@@ -58,16 +65,39 @@ func walk() (AdvisoryDB, error) {
  if err != nil {
  return err
  }
+
+ // for detecting vulnerabilities
  advisories, ok := advisoryDB[advisory.Reference]
  if !ok {
  advisories = []Advisory{}
  }
  advisoryDB[advisory.Reference] = append(advisories, advisory)
 
+ // for displaying vulnerability detail
+ vulns = append(vulns, vulnerability.Vulnerability{
+ ID: advisory.Cve,
+ References: []string{advisory.Link},
+ Title: advisory.Title,
+ })
+
  return nil
  })
  if err != nil {
+ return nil, xerrors.Errorf("error in file walk: %w", err)
+ }
+ if err = s.saveVulnerabilities(vulns); err != nil {
  return nil, err
  }
  return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+ return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+ for _, vuln := range vulns {
+ if err := db.Put(b, vuln.ID, vulnerability.PhpSecurityAdvisories, vuln); err != nil {
+ return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+ }
+ }
+ return nil
+ })
+}
diff --git a/pkg/scanner/library/npm/advisory.go b/pkg/scanner/library/npm/advisory.go
@@ -2,12 +2,19 @@ package npm
 
 import (
  "encoding/json"
+ "fmt"
  "os"
  "path/filepath"
  "strconv"
  "strings"
 
+ "github.com/etcd-io/bbolt"
+
+ "github.com/knqyf263/trivy/pkg/db"
+ "golang.org/x/xerrors"
+
  "github.com/knqyf263/trivy/pkg/utils"
+ "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
  "github.com/knqyf263/trivy/pkg/git"
 )
@@ -29,6 +36,7 @@ type Advisory struct {
  Cves []string
  VulnerableVersions string `json:"vulnerable_versions"`
  PatchedVersions string `json:"patched_versions"`
+ Overview string
  Recommendation string
  References []string
  CvssScoreNumber json.Number `json:"cvss_score"`
@@ -39,12 +47,13 @@ func (s *Scanner) UpdateDB() (err error) {
  if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
  return err
  }
- s.db, err = walk()
+ s.db, err = s.walk()
  return err
 }
 
-func walk() (AdvisoryDB, error) {
+func (s *Scanner) walk() (AdvisoryDB, error) {
  advisoryDB := AdvisoryDB{}
+ var vulns []vulnerability.Vulnerability
  err := filepath.Walk(filepath.Join(repoPath, "vuln"), func(path string, info os.FileInfo, err error) error {
  if info.IsDir() || !strings.HasSuffix(info.Name(), ".json") {
  return nil
@@ -68,16 +77,46 @@ func walk() (AdvisoryDB, error) {
  advisory.CvssScore = -1
  }
 
+ // for detecting vulnerabilities
  advisories, ok := advisoryDB[advisory.ModuleName]
  if !ok {
  advisories = []Advisory{}
  }
  advisoryDB[advisory.ModuleName] = append(advisories, advisory)
 
+ // for displaying vulnerability detail
+ vulnerabilityIDs := advisory.Cves
+ if len(vulnerabilityIDs) == 0 {
+ vulnerabilityIDs = []string{fmt.Sprintf("NSWG-ECO-%d", advisory.ID)}
+ }
+ for _, vulnID := range vulnerabilityIDs {
+ vulns = append(vulns, vulnerability.Vulnerability{
+ ID: vulnID,
+ CvssScore: advisory.CvssScore,
+ References: advisory.References,
+ Title: advisory.Title,
+ Description: advisory.Overview,
+ })
+ }
+
  return nil
  })
  if err != nil {
+ return nil, xerrors.Errorf("error in file walk: %w", err)
+ }
+ if err = s.saveVulnerabilities(vulns); err != nil {
  return nil, err
  }
  return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+ return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+ for _, vuln := range vulns {
+ if err := db.Put(b, vuln.ID, vulnerability.NodejsSecurityWg, vuln); err != nil {
+ return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+ }
+ }
+ return nil
+ })
+}
diff --git a/pkg/scanner/library/pipenv/advisory.go b/pkg/scanner/library/pipenv/advisory.go
@@ -5,9 +5,14 @@ import (
  "os"
  "path/filepath"
 
+ "github.com/etcd-io/bbolt"
+
+ "github.com/knqyf263/trivy/pkg/db"
+
  "golang.org/x/xerrors"
 
  "github.com/knqyf263/trivy/pkg/utils"
+ "github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 
  "github.com/knqyf263/trivy/pkg/git"
 )
@@ -34,24 +39,54 @@ func (s *Scanner) UpdateDB() (err error) {
  if _, err := git.CloneOrPull(dbURL, repoPath); err != nil {
  return err
  }
- s.db, err = parse()
+ s.db, err = s.parse()
  if err != nil {
  return xerrors.Errorf("failed to parse python safety-db: %w", err)
  }
  return nil
 }
 
-func parse() (AdvisoryDB, error) {
+func (s *Scanner) parse() (AdvisoryDB, error) {
  advisoryDB := AdvisoryDB{}
  f, err := os.Open(filepath.Join(repoPath, "data", "insecure_full.json"))
  if err != nil {
  return nil, err
  }
  defer f.Close()
 
+ // for detecting vulnerabilities
  if err = json.NewDecoder(f).Decode(&advisoryDB); err != nil {
  return nil, err
  }
 
+ // for displaying vulnerability detail
+ var vulns []vulnerability.Vulnerability
+ for _, advisories := range advisoryDB {
+ for _, advisory := range advisories {
+ vulnerabilityID := advisory.Cve
+ if vulnerabilityID == "" {
+ vulnerabilityID = advisory.ID
+ }
+ vulns = append(vulns, vulnerability.Vulnerability{
+ ID: vulnerabilityID,
+ Title: advisory.Advisory,
+ })
+ }
+ }
+ if err = s.saveVulnerabilities(vulns); err != nil {
+ return nil, err
+ }
+
  return advisoryDB, nil
 }
+
+func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
+ return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+ for _, vuln := range vulns {
+ if err := db.Put(b, vuln.ID, vulnerability.PythonSafetyDB, vuln); err != nil {
+ return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)
+ }
+ }
+ return nil
+ })
+}
diff --git a/pkg/scanner/library/scan.go b/pkg/scanner/library/scan.go
@@ -96,7 +96,7 @@ func scan(scanner Scanner, pkgs []ptypes.Library) ([]types.Vulnerability, error)
  return nil, xerrors.Errorf("failed to update %s advisories: %w", scanner.Type(), err)
  }
 
- log.Logger.Infof("Detect %s vulnerabilities", scanner.Type())
+ log.Logger.Infof("Detecting %s vulnerabilities...", scanner.Type())
  var vulnerabilities []types.Vulnerability
  for _, pkg := range pkgs {
  v, err := version.NewVersion(pkg.Version)

diff --git a/pkg/scanner/scan.go b/pkg/scanner/scan.go
@@ -25,6 +25,12 @@ import (
  "github.com/knqyf263/fanal/extractor"
 )
 
+var (
+ sources = []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
+ vulnerability.DebianOVAL, vulnerability.Alpine, vulnerability.RubySec, vulnerability.PhpSecurityAdvisories,
+ vulnerability.NodejsSecurityWg, vulnerability.PythonSafetyDB}
+)
+
 func ScanImage(imageName, filePath string, severities []vulnerability.Severity) (report.Results, error) {
  var results report.Results
  var err error
@@ -134,8 +140,7 @@ func getDetail(vulnID string) (vulnerability.Severity, string) {
 }
 
 func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.Severity {
- for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
- vulnerability.DebianOVAL, vulnerability.Alpine} {
+ for _, source := range sources {
  d, ok := details[source]
  if !ok {
  continue
@@ -154,8 +159,7 @@ func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.S
 }
 
 func getTitle(details map[string]vulnerability.Vulnerability) string {
- for _, source := range []string{vulnerability.Nvd, vulnerability.RedHat, vulnerability.Debian,
- vulnerability.DebianOVAL, vulnerability.Alpine} {
+ for _, source := range sources {
  d, ok := details[source]
  if !ok {
  continue