Avoid to use sync.Once inside trivy javadb Updater #1859

Merged (14 commits), Mar 5, 2024

Conversation

shino (Collaborator) commented Mar 4, 2024

Because the detector package may be used in a library-like way in some places.

What did you implement:

Avoid using sync.Once in trivy's Java DB Updater.
Instead, use trivy-java-db's interface functions directly.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Manually.

Preparation: Execute vuls scan with two servers with JAR libs.

% CGO_ENABLED=0 go run cmd/vuls/main.go scan -config ./integration/int-config.toml jar jar-wrong-name-log4j-core
[Mar  4 17:12:01]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Mar  4 17:12:01]  INFO [localhost] Start scanning
[Mar  4 17:12:01]  INFO [localhost] config: ./integration/int-config.toml
[Mar  4 17:12:01]  INFO [localhost] Validating config...
[Mar  4 17:12:01]  INFO [localhost] Detecting Server/Container OS...
[Mar  4 17:12:01]  INFO [localhost] Detecting OS of servers...
[Mar  4 17:12:01]  INFO [localhost] (1/2) Detected: jar-wrong-name-log4j-core: pseudo
[Mar  4 17:12:01]  INFO [localhost] (2/2) Detected: jar: pseudo
[Mar  4 17:12:01]  INFO [localhost] Detecting OS of containers...
[Mar  4 17:12:01]  INFO [localhost] Checking Scan Modes...
[Mar  4 17:12:01]  INFO [localhost] Detecting Platforms...
[Mar  4 17:12:01]  INFO [localhost] (1/2) jar is running on other
[Mar  4 17:12:01]  INFO [localhost] (2/2) jar-wrong-name-log4j-core is running on other
[Mar  4 17:12:01]  INFO [jar-wrong-name-log4j-core] Scanning listen port...
[Mar  4 17:12:01]  INFO [jar-wrong-name-log4j-core] Using Port Scanner: Vuls built-in Scanner
[Mar  4 17:12:01]  INFO [jar-wrong-name-log4j-core] Scanning Language-specific Packages...
[Mar  4 17:12:01]  INFO [jar] Scanning listen port...
[Mar  4 17:12:01]  INFO [jar] Using Port Scanner: Vuls built-in Scanner
[Mar  4 17:12:01]  INFO [jar] Scanning Language-specific Packages...


Scan Summary
================
jar-wrong-name-log4j-core       pseudo  0 installed, 0 updatable        2 libs
jar                             pseudo  0 installed, 0 updatable        1 libs

Three patterns of report testing against the above result were done.

(1) When a fresh Java DB cache exists, no download happens.

% CGO_ENABLED=0 go run cmd/vuls/main.go report -config ./integration/int-config.toml -refresh-cve
[Mar  4 17:12:27]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Mar  4 17:12:27]  INFO [localhost] Validating config...
[Mar  4 17:12:27]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Mar  4 17:12:27]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Mar  4 17:12:27]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Mar  4 17:12:27]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Mar  4 17:12:27]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Mar  4 17:12:27]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Mar  4 17:12:27]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Mar  4 17:12:27]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-03-04T17-12-01+0900
[Mar  4 17:12:27]  INFO [localhost] Updating library db...
[Mar  4 17:12:27]  INFO [localhost] jar-wrong-name-log4j-core: 5 CVEs are detected with Library
[Mar  4 17:12:27]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Mar  4 17:12:27]  INFO [localhost] jar-wrong-name-log4j-core: 0 CVEs are detected with CPE
[Mar  4 17:12:28]  INFO [localhost] jar-wrong-name-log4j-core: 0 PoC are detected
[Mar  4 17:12:28]  INFO [localhost] jar-wrong-name-log4j-core: 0 exploits are detected
[Mar  4 17:12:28]  INFO [localhost] jar-wrong-name-log4j-core: Known Exploited Vulnerabilities are detected for 0 CVEs
[Mar  4 17:12:28]  INFO [localhost] jar-wrong-name-log4j-core: Cyber Threat Intelligences are detected for 0 CVEs
[Mar  4 17:12:28]  INFO [localhost] Updating library db...
[Mar  4 17:12:28]  INFO [localhost] jar: 5 CVEs are detected with Library
[Mar  4 17:12:28]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Mar  4 17:12:28]  INFO [localhost] jar: 0 CVEs are detected with CPE
[Mar  4 17:12:28]  INFO [localhost] jar: 0 PoC are detected
[Mar  4 17:12:28]  INFO [localhost] jar: 0 exploits are detected
[Mar  4 17:12:28]  INFO [localhost] jar: Known Exploited Vulnerabilities are detected for 0 CVEs
[Mar  4 17:12:28]  INFO [localhost] jar: Cyber Threat Intelligences are detected for 0 CVEs
[Mar  4 17:12:28]  INFO [localhost] jar-wrong-name-log4j-core: total 5 CVEs detected
[Mar  4 17:12:28]  INFO [localhost] jar-wrong-name-log4j-core: 0 CVEs filtered by --confidence-over=80
[Mar  4 17:12:28]  INFO [localhost] jar: total 5 CVEs detected
[Mar  4 17:12:28]  INFO [localhost] jar: 0 CVEs filtered by --confidence-over=80
jar-wrong-name-log4j-core (pseudo)
==================================
Total: 5 (Critical:2 High:0 Medium:2 Low:1 ?:0)
5/5 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 2 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |              PACKAGES               |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44228 | 10.0 |  AV:N  | POC |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45046 | 10.0 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44832 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45105 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2020-9488  |  3.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+

jar (pseudo)
============
Total: 5 (Critical:2 High:0 Medium:2 Low:1 ?:0)
5/5 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |              PACKAGES               |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44228 | 10.0 |  AV:N  | POC |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45046 | 10.0 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44832 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45105 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2020-9488  |  3.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+

(2) When there is no Java DB cache, only one download happens, before detecting the first server.

% rm -rf ~/.cache/trivy/java-db/
% CGO_ENABLED=0 go run cmd/vuls/main.go report -config ./integration/int-config.toml -refresh-cve
[Mar  4 17:12:39]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Mar  4 17:12:39]  INFO [localhost] Validating config...
[Mar  4 17:12:39]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Mar  4 17:12:39]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Mar  4 17:12:39]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Mar  4 17:12:39]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Mar  4 17:12:39]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Mar  4 17:12:39]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Mar  4 17:12:39]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Mar  4 17:12:39]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-03-04T17-12-01+0900
[Mar  4 17:12:39]  INFO [localhost] Updating library db...
[Mar  4 17:12:39]  INFO [localhost] Trivy Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
[Mar  4 17:12:39]  INFO [localhost] Downloading Trivy Java DB...
509.35 MiB / 509.35 MiB [---------------------------------------------------------------------------------] 100.00% 3.52 MiB p/s 2m25s
[Mar  4 17:15:16]  INFO [localhost] jar-wrong-name-log4j-core: 5 CVEs are detected with Library
[Mar  4 17:15:16]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Mar  4 17:15:16]  INFO [localhost] jar-wrong-name-log4j-core: 0 CVEs are detected with CPE
[Mar  4 17:15:16]  INFO [localhost] jar-wrong-name-log4j-core: 0 PoC are detected
[Mar  4 17:15:16]  INFO [localhost] jar-wrong-name-log4j-core: 0 exploits are detected
[Mar  4 17:15:16]  INFO [localhost] jar-wrong-name-log4j-core: Known Exploited Vulnerabilities are detected for 0 CVEs
[Mar  4 17:15:16]  INFO [localhost] jar-wrong-name-log4j-core: Cyber Threat Intelligences are detected for 0 CVEs
[Mar  4 17:15:16]  INFO [localhost] Updating library db...
[Mar  4 17:15:16]  INFO [localhost] jar: 5 CVEs are detected with Library
[Mar  4 17:15:16]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Mar  4 17:15:16]  INFO [localhost] jar: 0 CVEs are detected with CPE
[Mar  4 17:15:16]  INFO [localhost] jar: 0 PoC are detected
[Mar  4 17:15:16]  INFO [localhost] jar: 0 exploits are detected
[Mar  4 17:15:16]  INFO [localhost] jar: Known Exploited Vulnerabilities are detected for 0 CVEs
[Mar  4 17:15:16]  INFO [localhost] jar: Cyber Threat Intelligences are detected for 0 CVEs
[Mar  4 17:15:16]  INFO [localhost] jar-wrong-name-log4j-core: total 5 CVEs detected
[Mar  4 17:15:16]  INFO [localhost] jar-wrong-name-log4j-core: 0 CVEs filtered by --confidence-over=80
[Mar  4 17:15:16]  INFO [localhost] jar: total 5 CVEs detected
[Mar  4 17:15:16]  INFO [localhost] jar: 0 CVEs filtered by --confidence-over=80
jar-wrong-name-log4j-core (pseudo)
==================================
Total: 5 (Critical:2 High:0 Medium:2 Low:1 ?:0)
5/5 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 2 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |              PACKAGES               |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44228 | 10.0 |  AV:N  | POC |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45046 | 10.0 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44832 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45105 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2020-9488  |  3.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+

jar (pseudo)
============
Total: 5 (Critical:2 High:0 Medium:2 Low:1 ?:0)
5/5 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |              PACKAGES               |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44228 | 10.0 |  AV:N  | POC |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45046 | 10.0 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44832 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45105 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2020-9488  |  3.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+

(3) When there is no Java DB cache and the 2nd detect is executed a very long time after the first, TWO downloads happen.

To emulate the "long time", the NextUpdate field is faked as:

diff --git a/detector/javadb/javadb.go b/detector/javadb/javadb.go
index 9f14b64..8bae40d 100644
--- a/detector/javadb/javadb.go
+++ b/detector/javadb/javadb.go
@@ -57,6 +57,7 @@ func UpdateJavaDB(trivyOpts config.TrivyOpts, noProgress bool) error {

                // Update DownloadedAt
                meta.DownloadedAt = time.Now().UTC()
+               meta.NextUpdate = time.Now().AddDate(0, 0, -7).UTC()
                if err = metac.Update(meta); err != nil {
                        return xerrors.Errorf("Failed to update Trivy Java DB metadata. erro: %w", err)
                }
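Review bot: the added line `meta.NextUpdate = time.Now().AddDate(0, 0, -7).UTC()` writes an already-expired NextUpdate into the metadata right after a successful download, so every later UpdateJavaDB call in the same run will pull the ~509 MiB DB again; that is exactly the emulation the test above needs, but it must not land in the updater itself, and a test-only knob (or a metadata file edited by the test) would be safer than a code edit that is easy to forget to revert. The two timestamps also come from separate time.Now() calls, so DownloadedAt and NextUpdate can disagree by the clock tick between them; capture one `now` and derive both from it. While this function is being touched, the context line's message `Failed to update Trivy Java DB metadata. erro: %w` has a typo (`erro`).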
% rm -rf ~/.cache/trivy/java-db/
% CGO_ENABLED=0 go run cmd/vuls/main.go report -config ./integration/int-config.toml -refresh-cve
[Mar  4 17:33:20]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Mar  4 17:33:20]  INFO [localhost] Validating config...
[Mar  4 17:33:20]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Mar  4 17:33:20]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Mar  4 17:33:20]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Mar  4 17:33:20]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Mar  4 17:33:20]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Mar  4 17:33:20]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Mar  4 17:33:20]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Mar  4 17:33:20]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2024-03-04T17-12-01+0900
[Mar  4 17:33:20]  INFO [localhost] Updating library db...
[Mar  4 17:33:20]  INFO [localhost] Trivy Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
[Mar  4 17:33:20]  INFO [localhost] Downloading Trivy Java DB...
509.35 MiB / 509.35 MiB [----------------------------------------------------------------------------------] 100.00% 4.26 MiB p/s 2m0s
[Mar  4 17:35:32]  INFO [localhost] jar-wrong-name-log4j-core: 5 CVEs are detected with Library
[Mar  4 17:35:32]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Mar  4 17:35:32]  INFO [localhost] jar-wrong-name-log4j-core: 0 CVEs are detected with CPE
[Mar  4 17:35:32]  INFO [localhost] jar-wrong-name-log4j-core: 0 PoC are detected
[Mar  4 17:35:32]  INFO [localhost] jar-wrong-name-log4j-core: 0 exploits are detected
[Mar  4 17:35:32]  INFO [localhost] jar-wrong-name-log4j-core: Known Exploited Vulnerabilities are detected for 0 CVEs
[Mar  4 17:35:32]  INFO [localhost] jar-wrong-name-log4j-core: Cyber Threat Intelligences are detected for 0 CVEs
[Mar  4 17:35:32]  INFO [localhost] Updating library db...
[Mar  4 17:35:32]  INFO [localhost] Trivy Java DB Repository: ghcr.io/aquasecurity/trivy-java-db:1
[Mar  4 17:35:32]  INFO [localhost] Downloading Trivy Java DB...
509.35 MiB / 509.35 MiB [---------------------------------------------------------------------------------] 100.00% 4.86 MiB p/s 1m45s
[Mar  4 17:37:28]  INFO [localhost] jar: 5 CVEs are detected with Library
[Mar  4 17:37:28]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Mar  4 17:37:28]  INFO [localhost] jar: 0 CVEs are detected with CPE
[Mar  4 17:37:28]  INFO [localhost] jar: 0 PoC are detected
[Mar  4 17:37:28]  INFO [localhost] jar: 0 exploits are detected
[Mar  4 17:37:28]  INFO [localhost] jar: Known Exploited Vulnerabilities are detected for 0 CVEs
[Mar  4 17:37:28]  INFO [localhost] jar: Cyber Threat Intelligences are detected for 0 CVEs
[Mar  4 17:37:28]  INFO [localhost] jar-wrong-name-log4j-core: total 5 CVEs detected
[Mar  4 17:37:28]  INFO [localhost] jar-wrong-name-log4j-core: 0 CVEs filtered by --confidence-over=80
[Mar  4 17:37:28]  INFO [localhost] jar: total 5 CVEs detected
[Mar  4 17:37:28]  INFO [localhost] jar: 0 CVEs filtered by --confidence-over=80
jar-wrong-name-log4j-core (pseudo)
==================================
Total: 5 (Critical:2 High:0 Medium:2 Low:1 ?:0)
5/5 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 2 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |              PACKAGES               |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44228 | 10.0 |  AV:N  | POC |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45046 | 10.0 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44832 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45105 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2020-9488  |  3.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+

jar (pseudo)
============
Total: 5 (Critical:2 High:0 Medium:2 Low:1 ?:0)
5/5 Fixed, 1 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs

+----------------+------+--------+-----+-----------+---------+-------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |              PACKAGES               |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44228 | 10.0 |  AV:N  | POC |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45046 | 10.0 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-44832 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2021-45105 |  6.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+
| CVE-2020-9488  |  3.9 |  AV:N  |     |           |   fixed | org.apache.logging.log4j:log4j-core |
+----------------+------+--------+-----+-----------+---------+-------------------------------------+

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES
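
The three report patterns above, plus the case that motivates the PR (a long-lived, library-like caller that keeps detecting after the cache has gone stale), can be modelled without the real ~509 MiB download. The following is an added example, not vuls's or trivy-java-db's code: `Metadata`, `Store`, `updateInterval` and the two updater types are stand-ins that only mirror the `DownloadedAt` / `NextUpdate` fields the hunk above touches. `OnceUpdater` is the shape the PR removes (freshness check wrapped in `sync.Once`), `MetadataUpdater` is the shape it moves to (check the metadata on every call). `CountDownloads` drives one `Update` per detect call, the way the report command logs "Updating library db..." before each server, and returns how many downloads occurred and whether the DB in use at the end is still inside its NextUpdate window.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// updateInterval is an illustrative refresh period for this example
// (an assumption, not trivy-java-db's real value).
const updateInterval = 72 * time.Hour

// Metadata carries the two fields the PR's hunk manipulates. It is a
// stand-in for this example, not trivy-java-db's own metadata type.
type Metadata struct {
	DownloadedAt time.Time
	NextUpdate   time.Time
}

// Store is an in-memory stand-in for the on-disk Java DB cache directory
// (~/.cache/trivy/java-db/). A nil Meta models "rm -rf" of that cache.
type Store struct {
	Meta      *Metadata
	Downloads int
}

// NeedsUpdate is the decision the updater must make on every call:
// there is no cache at all, or the cached NextUpdate has passed.
func (s *Store) NeedsUpdate(now time.Time) bool {
	return s.Meta == nil || !now.Before(s.Meta.NextUpdate)
}

// Download stands in for pulling the Java DB image and rewriting
// DownloadedAt / NextUpdate afterwards. Both stamps derive from one `now`.
func (s *Store) Download(now time.Time) {
	s.Downloads++
	s.Meta = &Metadata{
		DownloadedAt: now.UTC(),
		NextUpdate:   now.Add(updateInterval).UTC(),
	}
}

// Updater is what runs before each server's detection.
type Updater interface {
	Update(now time.Time)
}

// OnceUpdater is the shape the PR removes: sync.Once binds the freshness
// check to process lifetime, so only the very first call can ever download.
type OnceUpdater struct {
	once  sync.Once
	store *Store
}

func (u *OnceUpdater) Update(now time.Time) {
	u.once.Do(func() {
		if u.store.NeedsUpdate(now) {
			u.store.Download(now)
		}
	})
}

// MetadataUpdater is the shape the PR moves to: every call re-reads the
// metadata and downloads only when it is missing or expired.
type MetadataUpdater struct {
	store *Store
}

func (u *MetadataUpdater) Update(now time.Time) {
	if u.store.NeedsUpdate(now) {
		u.store.Download(now)
	}
}

// CountDownloads runs one Update per detect call and reports the number of
// downloads and whether the DB in use after the last call is still fresh.
func CountDownloads(useOnce bool, initial *Metadata, detectAt []time.Time) (downloads int, freshAtEnd bool) {
	store := &Store{Meta: initial}
	var u Updater = &MetadataUpdater{store: store}
	if useOnce {
		u = &OnceUpdater{store: store}
	}
	for _, t := range detectAt {
		u.Update(t)
	}
	last := detectAt[len(detectAt)-1]
	return store.Downloads, !store.NeedsUpdate(last)
}

func main() {
	t0 := time.Date(2024, 3, 4, 17, 12, 0, 0, time.UTC)
	// Constructed inputs: a cache downloaded an hour ago, two servers detected
	// one second apart, and a second detect a week after the first.
	fresh := &Metadata{DownloadedAt: t0.Add(-time.Hour), NextUpdate: t0.Add(updateInterval - time.Hour)}
	twoServers := []time.Time{t0, t0.Add(time.Second)}
	longGap := []time.Time{t0, t0.Add(7 * 24 * time.Hour)}

	for _, useOnce := range []bool{true, false} {
		name := map[bool]string{true: "sync.Once", false: "metadata"}[useOnce]
		n, _ := CountDownloads(useOnce, fresh, twoServers)
		fmt.Printf("%-9s (1) fresh cache, 2 servers:              %d downloads\n", name, n)
		n, _ = CountDownloads(useOnce, nil, twoServers)
		fmt.Printf("%-9s (2) no cache, 2 servers:                 %d downloads\n", name, n)
		n, ok := CountDownloads(useOnce, nil, longGap)
		fmt.Printf("%-9s (3) no cache, 2nd detect a week later:   %d downloads, fresh at end: %v\n", name, n, ok)
	}
}
```

Patterns (1) and (2) come out the same for both shapes (0 and 1 downloads), which is why the manual test above cannot tell them apart. Pattern (3) is where they diverge: the `sync.Once` shape downloads once and then keeps serving an expired DB (fresh at end: false), while the metadata-driven shape downloads twice and ends fresh, matching the two "Downloading Trivy Java DB..." lines in the log above.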

Because the detector package may be used in a library-like way
@shino shino marked this pull request as ready for review March 4, 2024 08:50
@shino shino requested a review from MaineK00n March 4, 2024 08:50
Review comments on detector/javadb/javadb.go (5 threads, outdated, resolved)
@MaineK00n MaineK00n changed the title from "Avoid to usesync.Once inside trivy javadb Updater" to "Avoid to use sync.Once inside trivy javadb Updater" Mar 4, 2024
shino and others added 13 commits March 5, 2024 09:18
Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> (trailer repeated on 10 of these commits)
@shino shino requested a review from MaineK00n March 5, 2024 01:28
@shino shino merged commit d1f9233 into master Mar 5, 2024
4 checks passed
@shino shino deleted the shino/avoid-once-in-updating-javadb branch March 5, 2024 06:23
2 participants