feat(ubuntu): Expose Ubuntu fix status.

docs/docs/configuration/filtering.md

@@ -184,6 +184,7 @@ Some statuses are supported in limited distributions.
 |:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
 |   Debian   |   ✓   |    ✓     |                     |              |      ✓       |      ✓      |
 |    RHEL    |   ✓   |    ✓     |          ✓          |      ✓       |      ✓       |      ✓      |
+|   Ubuntu   |   ✓   |          |                     |      ✓       |      ✓       |             |
 | Other OSes |   ✓   |    ✓     |                     |              |              |             |
 
 

docs/docs/coverage/os/ubuntu.md

@@ -44,10 +44,10 @@ Trivy supports the following [vulnerability statuses] for Ubuntu.
 |       Status        | Supported |
 | :-----------------: | :-------: |
 |        Fixed        |     ✓     |
-|      Affected       |     ✓     |
+|      Affected       |           |
 | Under Investigation |           |
-|    Will Not Fix     |           |
-|    Fix Deferred     |           |
+|    Will Not Fix     |     ✓     |
+|    Fix Deferred     |     ✓     |
 |     End of Life     |           |
 
 ## License

go.mod

@@ -393,3 +393,5 @@ require (
 	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 )
+
+replace github.com/aquasecurity/trivy-db => github.com/skahn007gl/trivy-db v0.0.0-20240723121440-a488d7f107fe

go.sum

@@ -771,8 +771,6 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w=
 github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E=
-github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
-github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7+8rVcqhV6G5bM3KVFyJU=
@@ -1941,6 +1939,8 @@ github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/sirupsen/logrus v1.9.1/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/skahn007gl/trivy-db v0.0.0-20240723121440-a488d7f107fe h1:x2jymeiRckVLJOsluMeSihdq8uY5R1Pl78xVZkXe4TU=
+github.com/skahn007gl/trivy-db v0.0.0-20240723121440-a488d7f107fe/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
 github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
 github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=

integration/testdata/fixtures/db/ubuntu.yaml

@@ -6,15 +6,22 @@
           value:
             FixedVersion: 4.4-5ubuntu1
         - key: CVE-2019-18276
-          value: {}
+          value:
+            Status: 2
     - bucket: e2fsprogs
       pairs:
         - key: CVE-2019-5094
           value:
             FixedVersion: 1.44.1-1ubuntu1.2
+    - bucket: coreutils
+      pairs:
+        - key: CVE-2016-2781
+          value: 
+            Status: 2
 - bucket: ubuntu 22.04
   pairs:
     - bucket: bash
       pairs:
         - key: CVE-2022-3715
-          value: {}
+          value: 
+            Status: 2

integration/testdata/fixtures/db/vulnerability.yaml

@@ -1399,4 +1399,22 @@
         - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155"
         - "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
       PublishedDate: "2020-06-15T17:15:00Z"
-      LastModifiedDate: "2022-04-28T15:06:00Z"
+      LastModifiedDate: "2022-04-28T15:06:00Z"
+  - key: CVE-2016-2781
+    value:
+      Title: ""
+      Description: "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal’s input buffer."
+      Severity: UNKNOWN
+      CVSS:
+        nvd:
+          V3Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"
+          V3Score: 6.5
+      References:
+        - "http://seclists.org/oss-sec/2016/q1/452"
+        - "https://lore.kernel.org/patchwork/patch/793178/"
+        - "https://www.cve.org/CVERecord?id=CVE-2016-2781"
+        - "https://nvd.nist.gov/vuln/detail/CVE-2016-2781"
+        - "https://launchpad.net/bugs/cve/CVE-2016-2781"
+        - "https://security-tracker.debian.org/tracker/CVE-2016-2781"
+      PublishedDate: "2024-07-09T17:15:00Z"
+      LastModifiedDate: "2024-07-09T16:06:00Z"

integration/testdata/ubuntu-1804.json.golden

@@ -134,6 +134,50 @@
           "PublishedDate": "2019-11-28T01:15:00Z",
           "LastModifiedDate": "2021-05-26T12:15:00Z"
         },
+        {
+          "VulnerabilityID": "CVE-2016-2781",
+          "PkgID": "coreutils@8.28-1ubuntu1",
+          "PkgName": "coreutils",
+          "PkgIdentifier": {
+            "PURL": "pkg:deb/ubuntu/coreutils@8.28-1ubuntu1?arch=amd64\u0026distro=ubuntu-18.04",
+            "UID": "87f56d9cd92819fc"
+          },
+          "InstalledVersion": "8.28-1ubuntu1",
+          "FixedVersion": "",
+          "Status": "affected",
+          "Layer": {
+            "Digest": "",
+            "DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
+          },
+          "SeveritySource": "",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-2781",
+          "DataSource": {
+            "ID": "ubuntu",
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
+          "Title": "",
+          "Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal’s input buffer.",
+          "Severity": "UNKNOWN",
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "",
+              "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
+              "V2Score": 0,
+              "V3Score": 6.5
+            }
+          },
+          "References": [
+            "http://seclists.org/oss-sec/2016/q1/452",
+            "https://lore.kernel.org/patchwork/patch/793178/",
+            "https://www.cve.org/CVERecord?id=CVE-2016-2781",
+            "https://nvd.nist.gov/vuln/detail/CVE-2016-2781",
+            "https://launchpad.net/bugs/cve/CVE-2016-2781",
+            "https://security-tracker.debian.org/tracker/CVE-2016-2781"
+          ],
+          "PublishedDate": "2024-07-09T17:15:00Z",
+          "LastModifiedDate": "2024-07-09T16:06:00Z"
+        },
         {
           "VulnerabilityID": "CVE-2019-5094",
           "PkgID": "e2fsprogs@1.44.1-1ubuntu1.1",
@@ -421,4 +465,4 @@
       ]
     }
   ]
-}
+}

pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml

@@ -4,7 +4,7 @@
       pairs:
         - key: CVE-2019-9243
           value:
-            FixedVersion: ""
+            Status: 0
 - bucket: ubuntu 20.04
   pairs:
     - bucket: wpa
@@ -14,7 +14,7 @@
             FixedVersion: "2:2.9-1ubuntu4.3"
         - key: CVE-2019-9243
           value:
-            FixedVersion: ""
+            Status: 6 #this is the code for deferred
         - key: CVE-2016-4476
           value:
             FixedVersion: "2.4-0ubuntu10"

pkg/detector/ospkg/ubuntu/ubuntu.go

@@ -103,6 +103,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 				PkgName:          pkg.Name,
 				InstalledVersion: utils.FormatVersion(pkg),
 				FixedVersion:     adv.FixedVersion,
+				Status:           adv.Status,
 				PkgIdentifier:    pkg.Identifier,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,

pkg/detector/ospkg/ubuntu/ubuntu_test.go

@@ -57,6 +57,7 @@ func TestScanner_Detect(t *testing.T) {
 					VulnerabilityID:  "CVE-2019-9243",
 					InstalledVersion: "2.9",
 					FixedVersion:     "",
+					Status:           dbTypes.StatusFixDeferred,
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
@@ -108,6 +109,7 @@ func TestScanner_Detect(t *testing.T) {
 					VulnerabilityID:  "CVE-2019-9243",
 					InstalledVersion: "2.9",
 					FixedVersion:     "",
+					Status:           dbTypes.StatusFixDeferred,
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},