feat(ubuntu): Expose Ubuntu fix status. #7020

Closed
Changes from 18 commits
21 commits
1 change: 1 addition & 0 deletions docs/community/contribute/pr.md
Expand Up @@ -52,6 +52,7 @@ Your PR must pass all the integration tests. You can test it as below.

```
$ mage test:integration
$ mage test:vm
```

### Documentation
Expand Down
1 change: 1 addition & 0 deletions docs/docs/configuration/filtering.md
Expand Up @@ -184,6 +184,7 @@ Some statuses are supported in limited distributions.
|:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
| Debian | ✓ | ✓ | | | ✓ | ✓ |
| RHEL | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Ubuntu | ✓ | | | ✓ | ✓ | |
| Other OSes | ✓ | ✓ | | | | |


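Review bot: the Ubuntu row now marks the fourth and fifth status columns as supported, but the header row that names those columns sits outside the hunk, so a reviewer cannot see from this view alone that the marks land on will_not_fix and fix_deferred rather than on neighbouring columns; please include the header in the hunk or confirm the column positions. This table also has to agree with the per-status table in docs/docs/coverage/os/ubuntu.md changed in the same PR, and the two should list exactly the same supported statuses for Ubuntu.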
Expand Down
6 changes: 3 additions & 3 deletions docs/docs/coverage/os/ubuntu.md
Expand Up @@ -44,10 +44,10 @@ Trivy supports the following [vulnerability statuses] for Ubuntu.
| Status | Supported |
| :-----------------: | :-------: |
| Fixed | ✓ |
| Affected | |
| Affected | |
| Under Investigation | |
| Will Not Fix | |
| Fix Deferred | |
| Will Not Fix | |
| Fix Deferred | |
| End of Life | |

## License
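Review bot: the three replaced rows (Affected, Will Not Fix, Fix Deferred) read identically to the rows they replace in this view, so the ✓ marks this PR is presumably adding for will_not_fix and fix_deferred (the statuses the integration golden and the unit test now expect) are not visible here; check that the rendered table actually shows them and that the change is not whitespace only. Whichever statuses end up marked must match the Ubuntu row in docs/docs/configuration/filtering.md.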
Expand Down
2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -414,5 +414,7 @@ require (
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
)

replace github.com/aquasecurity/trivy-db => github.com/skahn007gl/trivy-db v0.0.0-20240723121440-a488d7f107fe

// cf. https://github.com/openvex/discovery/pull/40
replace github.com/openvex/discovery => github.com/knqyf263/discovery v0.1.1-0.20240726113521-97873005fd03
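Review bot: the new replace directive redirects github.com/aquasecurity/trivy-db to a personal fork (github.com/skahn007gl/trivy-db) at a pseudo-version, which must not be merged as-is: every build of trivy would then pull its database schema code from a contributor-controlled repository instead of the upstream module, and the pin is invisible to anyone who only reads the require block. Land the Status field in aquasecurity/trivy-db first, bump the upstream require, and drop this line; until then, give it a `// cf. <upstream PR>` comment like the openvex/discovery replace directly below it so the reason and the removal condition are recorded.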
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -350,8 +350,6 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v0.13.0 h1:na6PTdY4U0uK/fjz3HNRYBxvYSJ8vgTb57a5T8Y5t9w=
github.com/aquasecurity/trivy-checks v0.13.0/go.mod h1:Xec/SMVGV66I7RgUqOX9MEr+YxBqHXDVLTYmpspPi3E=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04 h1:6/T8sFdNVG/AwOGoK6X55h7hF7LYqK8bsuPz8iEz8jM=
github.com/aquasecurity/trivy-db v0.0.0-20240718084044-d23a6ca8ba04/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20240707095038-0300bc49b68b h1:h7gsIzHyrxpQnayOuQI0kX7+8rVcqhV6G5bM3KVFyJU=
Expand Down Expand Up @@ -1281,6 +1279,8 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/skahn007gl/trivy-db v0.0.0-20240723121440-a488d7f107fe h1:x2jymeiRckVLJOsluMeSihdq8uY5R1Pl78xVZkXe4TU=
github.com/skahn007gl/trivy-db v0.0.0-20240723121440-a488d7f107fe/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=
github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
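Review bot: the two github.com/skahn007gl/trivy-db sum lines exist only because of the temporary replace in go.mod and must be removed together with that directive once upstream trivy-db ships the Status field, otherwise a stale fork pin survives in go.sum. Note that the `/go.mod h1:0T6oy2t1Iedt+yi3Ml5cpOYp5FZT4MI1/mx+3p+PIs8=` hash is identical to the removed upstream line, so only the module content hash differs, which is consistent with a fork that changes code but not its go.mod.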
Expand Down
11 changes: 9 additions & 2 deletions integration/testdata/fixtures/db/ubuntu.yaml
Expand Up @@ -6,15 +6,22 @@
value:
FixedVersion: 4.4-5ubuntu1
- key: CVE-2019-18276
value: {}
value:
Status: 5
- bucket: e2fsprogs
pairs:
- key: CVE-2019-5094
value:
FixedVersion: 1.44.1-1ubuntu1.2
- bucket: coreutils
pairs:
- key: CVE-2016-2781
value:
Status: 5
- bucket: ubuntu 22.04
pairs:
- bucket: bash
pairs:
- key: CVE-2022-3715
value: {}
value:
Status: 5
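Review bot: `Status: 5` appears three times as a bare integer with nothing saying which dbTypes status it encodes; the json.golden in this PR expects `will_not_fix` for exactly these entries, so annotate each value the way the unit-test fixture does (`Status: 6 #this is the code for deferred`), for example `Status: 5 # will_not_fix`, so that a renumbering of the status enum is caught by a reader rather than silently producing a different golden output.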
18 changes: 18 additions & 0 deletions integration/testdata/fixtures/db/vulnerability.yaml
Expand Up @@ -1400,6 +1400,24 @@
- "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
PublishedDate: "2020-06-15T17:15:00Z"
LastModifiedDate: "2022-04-28T15:06:00Z"
- key: CVE-2016-2781
value:
Title: ""
Description: "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal’s input buffer."
Severity: UNKNOWN
CVSS:
nvd:
V3Vector: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"
V3Score: 6.5
References:
- "http://seclists.org/oss-sec/2016/q1/452"
- "https://lore.kernel.org/patchwork/patch/793178/"
- "https://www.cve.org/CVERecord?id=CVE-2016-2781"
- "https://nvd.nist.gov/vuln/detail/CVE-2016-2781"
- "https://launchpad.net/bugs/cve/CVE-2016-2781"
- "https://security-tracker.debian.org/tracker/CVE-2016-2781"
PublishedDate: "2024-07-09T17:15:00Z"
LastModifiedDate: "2024-07-09T16:06:00Z"
- key: CVE-2022-40897
value:
Title: "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py"
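Review bot: the new CVE-2016-2781 entry has a LastModifiedDate (2024-07-09T16:06:00Z) that is earlier than its PublishedDate (2024-07-09T17:15:00Z), and the same pair is copied into integration/testdata/ubuntu-1804.json.golden in this PR; fix the ordering here and regenerate the golden rather than hand-editing it. An empty `Title: ""` is also unusual next to a populated Description; if the intent is to test that an empty title is tolerated, say so in a comment.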
Expand Down
41 changes: 40 additions & 1 deletion integration/testdata/ubuntu-1804.json.golden
Expand Up @@ -80,7 +80,7 @@
"UID": "da318bd19a304cc0"
},
"InstalledVersion": "4.4.18-2ubuntu1.2",
"Status": "affected",
"Status": "will_not_fix",
"Layer": {
"Digest": "sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a",
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
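Review bot: this hunk records a user-visible behaviour change, not just a test update: CVE-2019-18276 on bash 4.4.18-2ubuntu1.2 was previously reported as `affected` and is now `will_not_fix`, a status that the status filtering documented in docs/docs/configuration/filtering.md (also touched in this PR) can suppress. The PR description and the docs should state that Ubuntu findings which used to appear as affected may now be reclassified, so users whose policies key on the old status are not surprised by findings dropping out of reports.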
Expand Down Expand Up @@ -134,6 +134,45 @@
"PublishedDate": "2019-11-28T01:15:00Z",
"LastModifiedDate": "2021-05-26T12:15:00Z"
},
{
"VulnerabilityID": "CVE-2016-2781",
"PkgID": "coreutils@8.28-1ubuntu1",
"PkgName": "coreutils",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/coreutils@8.28-1ubuntu1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "87f56d9cd92819fc"
},
"InstalledVersion": "8.28-1ubuntu1",
"Status": "will_not_fix",
"Layer": {
"Digest": "sha256:35c102085707f703de2d9eaad8752d6fe1b8f02b5d2149f1d8357c9cc7fb7d0a",
"DiffID": "sha256:6cebf3abed5fac58d2e792ce8461454e92c245d5312c42118f02e231a73b317f"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-2781",
"DataSource": {
"ID": "ubuntu",
"Name": "Ubuntu CVE Tracker",
"URL": "https://git.launchpad.net/ubuntu-cve-tracker"
},
"Description": "chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal’s input buffer.",
"Severity": "UNKNOWN",
"CVSS": {
"nvd": {
"V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"V3Score": 6.5
}
},
"References": [
"http://seclists.org/oss-sec/2016/q1/452",
"https://lore.kernel.org/patchwork/patch/793178/",
"https://www.cve.org/CVERecord?id=CVE-2016-2781",
"https://nvd.nist.gov/vuln/detail/CVE-2016-2781",
"https://launchpad.net/bugs/cve/CVE-2016-2781",
"https://security-tracker.debian.org/tracker/CVE-2016-2781"
],
"PublishedDate": "2024-07-09T17:15:00Z",
"LastModifiedDate": "2024-07-09T16:06:00Z"
},
{
"VulnerabilityID": "CVE-2019-5094",
"PkgID": "e2fsprogs@1.44.1-1ubuntu1.1",
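Review bot: the added coreutils CVE-2016-2781 finding carries the inverted date pair from the fixture (LastModifiedDate 2024-07-09T16:06:00Z before PublishedDate 2024-07-09T17:15:00Z); correct the fixture and regenerate this file. Otherwise the entry is consistent with the ubuntu.yaml fixture: `Status: 5` surfaces as `will_not_fix`, and the DataSource is the Ubuntu CVE Tracker.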
Expand Down
4 changes: 2 additions & 2 deletions pkg/detector/ospkg/ubuntu/testdata/fixtures/ubuntu.yaml
Expand Up @@ -4,7 +4,7 @@
pairs:
- key: CVE-2019-9243
value:
FixedVersion: ""
Status: 0
- bucket: ubuntu 20.04
pairs:
- bucket: wpa
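Review bot: `Status: 0` replaces `FixedVersion: ""` for CVE-2019-9243 in this first bucket with no comment, unlike the `Status: 6 #this is the code for deferred` in the next hunk; say which constant 0 stands for. Both expectations in ubuntu_test.go (the cases at lines 57 and 108) expect StatusFixDeferred for this CVE, so if either case resolves to this bucket rather than to `ubuntu 20.04` it would presumably fail; confirm which bucket each case hits, or give this entry a status distinct from 0 that a test actually asserts on.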
Expand All @@ -14,7 +14,7 @@
FixedVersion: "2:2.9-1ubuntu4.3"
- key: CVE-2019-9243
value:
FixedVersion: ""
Status: 6 #this is the code for deferred
- key: CVE-2016-4476
value:
FixedVersion: "2.4-0ubuntu10"
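Review bot: `Status: 6 #this is the code for deferred` hard-codes the enum value; a YAML fixture cannot reference dbTypes.StatusFixDeferred, but put the constant name in the comment (`# dbTypes.StatusFixDeferred`) so a reader can grep from the expectation in ubuntu_test.go to this line, and use `# ` with a space like a normal YAML comment.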
1 change: 1 addition & 0 deletions pkg/detector/ospkg/ubuntu/ubuntu.go
Expand Up @@ -103,6 +103,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
PkgName: pkg.Name,
InstalledVersion: utils.FormatVersion(pkg),
FixedVersion: adv.FixedVersion,
Status: adv.Status,
PkgIdentifier: pkg.Identifier,
Layer: pkg.Layer,
Custom: adv.Custom,
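Review bot: `Status: adv.Status,` passes the DB value straight through, including the zero value for advisories whose trivy-db entry carries only a FixedVersion (the integration fixture still has such entries). Whatever produced `affected` in the old ubuntu-1804.json.golden for an entry with no explicit status must keep doing so for those advisories, so that the only status changes in the golden are the ones shown there (affected to will_not_fix for entries that now carry `Status: 5`); the `Status: 0` entry in the unit fixture only covers this if a test case asserts on it.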
Expand Down
2 changes: 2 additions & 0 deletions pkg/detector/ospkg/ubuntu/ubuntu_test.go
Expand Up @@ -57,6 +57,7 @@ func TestScanner_Detect(t *testing.T) {
VulnerabilityID: "CVE-2019-9243",
InstalledVersion: "2.9",
FixedVersion: "",
Status: dbTypes.StatusFixDeferred,
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
Expand Down Expand Up @@ -108,6 +109,7 @@ func TestScanner_Detect(t *testing.T) {
VulnerabilityID: "CVE-2019-9243",
InstalledVersion: "2.9",
FixedVersion: "",
Status: dbTypes.StatusFixDeferred,
Layer: ftypes.Layer{
DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
},
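Review bot: both test cases now assert the same `Status: dbTypes.StatusFixDeferred` for the same CVE-2019-9243 with `FixedVersion: ""`, so the new field is only exercised for one value; add a case that hits a different fixture entry (the `Status: 0` entry for CVE-2019-9243 in the first bucket of testdata/fixtures/ubuntu.yaml, or a fixed entry such as CVE-2016-4476) so that passthrough of other statuses, and the empty-status default, is covered by the unit test rather than only by the integration golden.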
Expand Down