* Skip downloading DB if a remote DB is not updated
* Apply suggestions from code review
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* update github.com/aquasecurity/trivy-db version
* fix lint
* Use UTC datetime
* display DownloadedAt info in debug log
* refactor(db): merge isLatestDB into isNewDB
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* add linter supports
* add only minor version
* use latest version
* Fix println with format issue
* Fix test
* Fix tests
* For slice with unknown length, preallocating the array
* fix code-coverage
* Removed linter rules
* Reverting linter fixes, adding TODO for later
* Ignore linter error for import
* Remove another err var.
* Ignore shadow error
* Fixes
* Fix issue
* Add back goimports local-prefixes
* Update local prefixes
* Removed extra spaces and merge the imports
* more refactoring
* Update photon.go
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
* Implemented ruby comparison version check.
* Added semver package to validate and check version
* Added more tests
* Replaced go-version with semver
* Removing go-version from dependency
* Added check for ruby gem version format
* Updated semver model and patch rewrite process
* Refactoring
* vulnerability: Add CVSS Vectors to JSON output.
Now Trivy will display the CVSS Vectors presented by various
vendors as part of the JSON output. This can be seen as follows:
```
{
"VulnerabilityID": "CVE-2019-9923",
"PkgName": "tar",
"InstalledVersion": "1.30+dfsg-6",
"Layer": {
"Digest": "sha256:90fe46dd819953eb995f9cc9c326130abe9dd0b3993a998e12c01d0218a0b831",
"DiffID": "sha256:e40d297cf5f89a9822af4c2f63caa2f2085d5aa188137506918e603774b083cb"
},
"SeveritySource": "debian",
"Title": "tar: null-pointer dereference in pax_decode_header in sparse.c",
"Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
"Severity": "LOW",
"VendorVectors": {
"nvd": {
"v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"redhat": {
"v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
}
},
"References": [
"http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html",
"http://savannah.gnu.org/bugs/?55369",
"https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241"
]
},
```
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: Update to latest master of trivy-db
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability_test: Fix tests for new struct type
Signed-off-by: Simarpreet Singh <simar@linux.com>
* fix(standalone): add defer to close databases
* test(client/server): launch a server only once
* test(docker_engine): remove the duplicated case
* test(docker_engine): copy a database only once
* test(standalone): copy a database only once
* test(server): fix tests according to updated mock
* chore(mod): update
* chore(ci): add integration tests to GitHub Actions
* chore(ci): bump up Go to 1.14
* chore(ci): remove integration tests from CircleCI
* chore(ci): add name
* chore(ci): add new lines
* wip: Add a failing test to demo severity override
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan.go: Return osFound for use in determining vendor.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* pkg: Fix ScanImage return in case an OSFound
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Include a package-lock.json for happy path
Signed-off-by: Simarpreet Singh <simar@linux.com>
* wip: Add a test to include various reportResult types
Signed-off-by: Simarpreet Singh <simar@linux.com>
* Makefile: Add a target to generate mocks.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Pass reportType as argument for FillInfo.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add other types of vulnerabilities.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Update golden files.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* ospkg: Fix FillInfo for ospkg/server
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Add os.Family type to Response.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability_test.go: Add case where no vendor severity exists.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Fallback to NVD if it exists.
Also add tests for other cases.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Fix a few sites with reportType info and tests.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Remove VendorSeverity from displayed results
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add vulnerability source information.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add VendorSeverity logic for lightDB as well.
This commit also makes FillInfo logic common to both light and full DBs.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* remove some crufty TODOs
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability_test: Add a case for light db for documentation purposes
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: update trivy-db to point to master
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Remove cruft and bring back test cases
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Add pkg Type to mock return
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: reorder err check after err
Signed-off-by: Simarpreet Singh <simar@linux.com>
* client_test: Fix import ordering
Signed-off-by: Simarpreet Singh <simar@linux.com>
* convert.go: Use result.Type
Signed-off-by: Simarpreet Singh <simar@linux.com>
* convert: Use result.Type and simplify ConvertFromRpcResults signature
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Refactor calls to getVendorSeverity
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Remove centos-7-critical.json.golden
There's no critical vulnerability in CentOS 7 anymore.
In addition this test was not adding any value that is already
not covered by existing tests cases.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Include severity source in tests.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Update test db to include VendorSeverity.
Test DB is now a snapshot of full database from trivy-db.
Also update golden files to include SeveritySource.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Make centos7 use RHEL vendor severities
Signed-off-by: Simarpreet Singh <simar@linux.com>
* refactor: wrap errors
* feat(db): add the metadata file
* test(db): re-generate mocks
* fix(app): read metadata from the file in showVersion
* fix: open the database after downloading it
* fix(operation): use UpdateMetadata
* chore(mod): update dependency
* test(integration): fix tests
* fix(conf): rename TRIVY_NONSSL to TRIVY_NON_SSL
* app: Expose Trivy and VulnDB version through --version
Signed-off-by: Simarpreet Singh <simar@linux.com>
* pkg: Use time.Time as value not reference.
Based on: 64db180151
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Use various formatted outputs
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Take value of --cache-dir for cacheDir
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Refactor and test showVersion
Signed-off-by: Simarpreet Singh <simar@linux.com>
* library: lighten names by remove version suffix
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Show types and add parity of table and JSON
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Switch to show using UTC time
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: Update to latest trivy-db master.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Use c.App.Writer for os.Stdout
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Replace table output with docker version style output
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Fix output to show as "Version" for Trivy version.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* app: Move VersionInfo struct out to app.go
Signed-off-by: Simarpreet Singh <simar@linux.com>
* refactor(docker_conf): rename and remove unnecessary options
* feat(rpc): define new API
* fix(cli): change default timeout
* fix(import): fix package names
* refactor(vulnerability): remove old mock
* refactor(utils): remove un-needed functions
* feat(cache): implement cache communicating with a server
* refactor(scan): separate scan function as local scanner
* test(scanner): add tests for ScanImage
* refactor(scan): remove unused options
* test(vulnerability): generate mock
* refactor(server): split a file
* feat(server): implement new RPC server
* feat(client): implement new RPC client
* fix(cache): use new cache interface
* fix(standalone): use new scanner
* fix(client): use new scanner
* fix(server): pass cache
* test(integration): make sure an error is not nil before calling the method
* fix(mod): update dependencies
* test(integration): ensure the image load finishes
* feat(docker): support DOCKER_HOST and DOCKER_CERT_PATH
* chore(mod): update dependencies
* refactor(rpc): remove old client
* feat(server): support old API for backward compatibility
* fix(server): check a schema version of JSON cache
* fix(rpc): add a version to packages
* feat(rpc): add PutImage
* test: rename expectations
* refactor(cache): rename LayerCache to ImageCache
* refactor: rename ImageInfo to ImageReference
* fix(applier): pass image_id to ApplyLayer
* feat(cache): handle image cache
* chore(mod): update dependencies
* refactor(server): pass only config
* feat(cli): add -removed-pkgs option
* refactor(err): wrap errors
* feat(client): retry HTTP request when getting an unavailable error
* fix(integration-test): use a snapshot database for Docker mode (#352)
* fix(integration): add a binary name
The first argument is used for the program name. --skip-update was
ignored.
* fix(integration): use a snapshot database
After a new vulnerability is found, this test fails
* chore(integration): add t.Run
* refactor(client): functionalize common processes
* refactor(client): remove unused const
* chore(mod): update dependencies
* fix(scanner): make scanner take a cache client as the argument
* refactor: sort imports
* refactor(cache): create a struct to clear cache
* fix(cache): use a struct to clear cache
* fix(wire): update constructor to take cache struct
* fix(cache): use the constructor generated by wire
* docs(cli): update the option description
* fix(cache): use the cache struct
* fix(cache): split Reset into ClearDB and ClearImages
* fix(github): return db size
* fix(github_mock): add size
* feat(indicator): add progress bar
* refactor(config): remove global Quiet
* fix(db): take progress bar as an argument
* fix(progress): inject progress bar
Instead of using tomoyamachi's fork we can now use the vanilla upstream
package genuinetools/reg. This package gets better maintenance and is
the same as aquasecurity/fanal uses.
Signed-off-by: Jakub Bielecki <jakub.bielecki@codilime.com>
