diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
index 6990d3c7e84d..152096c2caea 100644
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -133,6 +133,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 InstalledVersion: pkgVer,
 FixedVersion: createFixedVersions(adv),
 DataSource: adv.DataSource,
+ Custom: adv.Custom,
 }
 vulns = append(vulns, vuln)
 }
diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
index 10c3ad304f29..5ec4107d71e4 100644
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
@@ -182,6 +182,34 @@ func TestDriver_Detect(t *testing.T) {
 },
 },
 },
+ {
+ name: "Custom data for vulnerability",
+ fixtures: []string{
+ "testdata/fixtures/go-custom-data.yaml",
+ "testdata/fixtures/data-source.yaml",
+ },
+ libType: ftypes.GoBinary,
+ args: args{
+ pkgName: "github.com/docker/docker",
+ pkgVer: "23.0.14",
+ },
+ want: []types.DetectedVulnerability{
+ {
+ VulnerabilityID: "GHSA-v23v-6jw2-98fq",
+ PkgName: "github.com/docker/docker",
+ InstalledVersion: "23.0.14",
+ FixedVersion: "23.0.15, 26.1.5, 27.1.1, 25.0.6",
+ DataSource: &dbTypes.DataSource{
+ ID: vulnerability.GHSA,
+ Name: "GitHub Security Advisory Go",
+ URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
+ },
+ Custom: map[string]interface{}{
+ "Severity": float64(2),
+ },
+ },
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
index eeb4a57e9637..087f960d2c58 100644
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
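Review bot: `Custom: adv.Custom` stores the advisory's map in the returned DetectedVulnerability by reference rather than by copy (the test in this commit shows the type is `map[string]interface{}`), so any later mutation of the result's Custom is visible through the advisory and vice versa; if either side may be modified, take a shallow copy here, e.g. `Custom: maps.Clone(adv.Custom),` (Go 1.21+), otherwise a one-line comment `// Custom is shared with the advisory, not copied` would make the aliasing explicit. This commit also extends the RPC package conversion in pkg/rpc/convert.go for Maintainer but shows no corresponding conversion for Custom on detected vulnerabilities; if those cross the client/server boundary, it is worth verifying Custom survives that path (not visible in this diff). DetectVulnerabilities starts outside the hunk.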
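Review bot: The expected value `"Severity": float64(2)` for a fixture that holds `Severity: 2` is only right because of how the DB layer decodes `Custom` into `map[string]interface{}` (presumably through JSON, where every number becomes float64), and nothing in the test case says so, which invites a later "correction" to `2` that would break the test. A comment above that line, `// numbers in Custom decode to float64 via map[string]interface{}`, would document the expectation. TestDriver_Detect's table and loop continue outside the hunk.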
@@ -25,3 +25,8 @@
 ID: "ghsa"
 Name: "GitHub Security Advisory Pip"
 URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+ - key: "go::GitHub Security Advisory Go"
+ value:
+ ID: "ghsa"
+ Name: "GitHub Security Advisory Go"
+ URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
diff --git a/pkg/detector/library/testdata/fixtures/go-custom-data.yaml b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
new file mode 100644
index 000000000000..aea7b8c7cd01
--- /dev/null
+++ b/pkg/detector/library/testdata/fixtures/go-custom-data.yaml
@@ -0,0 +1,18 @@
+- bucket: "go::GitHub Security Advisory Go"
+ pairs:
+ - bucket: github.com/docker/docker
+ pairs:
+ - key: "GHSA-v23v-6jw2-98fq"
+ value:
+ PatchedVersions:
+ - "23.0.15"
+ - "26.1.5"
+ - "27.1.1"
+ - "25.0.6"
+ VulnerableVersions:
+ - ">=19.03.0, <23.0.15"
+ - ">=26.0.0, <26.1.5"
+ - ">=27.0.0, <27.1.1"
+ - ">=24.0.0, <25.0.6"
+ Custom:
+ Severity: 2
\ No newline at end of file
diff --git a/pkg/rpc/convert.go b/pkg/rpc/convert.go
index 89097730111b..32ce9fc71124 100644
--- a/pkg/rpc/convert.go
+++ b/pkg/rpc/convert.go
@@ -71,6 +71,7 @@ func ConvertToRPCPkgs(pkgs []ftypes.Package) []*common.Package {
 DependsOn: pkg.DependsOn,
 Digest: pkg.Digest.String(),
 Indirect: pkg.Indirect,
+ Maintainer: pkg.Maintainer,
 })
 }
 return rpcPkgs
@@ -226,6 +227,7 @@ func ConvertFromRPCPkgs(rpcPkgs []*common.Package) []ftypes.Package {
 DependsOn: pkg.DependsOn,
 Digest: digest.Digest(pkg.Digest),
 Indirect: pkg.Indirect,
+ Maintainer: pkg.Maintainer,
 })
 }
 return pkgs
diff --git a/pkg/rpc/convert_test.go b/pkg/rpc/convert_test.go
index 6f90c3b5cc8e..9c60a13c7337 100644
--- a/pkg/rpc/convert_test.go
+++ b/pkg/rpc/convert_test.go
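Review bot: `Maintainer: pkg.Maintainer` is added to both conversion directions, but the only test added in this commit (the convert_test.go hunk) exercises ConvertFromRPCPkgs; ConvertToRPCPkgs in the first hunk gets no case asserting the field is carried, so dropping that line again would go unnoticed. A matching entry in the ConvertToRPCPkgs table with `Maintainer: "alice@example.com",` on both the input ftypes.Package and the expected common.Package would close that gap. Both functions start outside their hunks.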
@@ -183,6 +183,78 @@ func TestConvertFromRpcPkgs(t *testing.T) {
 },
 },
 },
+ {
+ args: args{
+ rpcPkgs: []*common.Package{
+ {
+ Name: "binary",
+ Version: "4.2+dfsg",
+ Release: "0.1+deb7u4",
+ Epoch: 0,
+ Arch: "amd64",
+ SrcName: "bash",
+ SrcVersion: "4.2+dfsg",
+ SrcRelease: "0.1+deb7u4",
+ SrcEpoch: 0,
+ Licenses: []string{"GPL-3.0"},
+ Locations: []*common.Location{
+ {
+ StartLine: 10,
+ EndLine: 20,
+ },
+ {
+ StartLine: 22,
+ EndLine: 32,
+ },
+ },
+ Layer: &common.Layer{
+ Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+ DiffId: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+ },
+ Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+ Indirect: false,
+ Identifier: &common.PkgIdentifier{
+ Uid: "63f8bef824b960e3",
+ },
+ Maintainer: "alice@example.com",
+ },
+ },
+ },
+ want: []ftypes.Package{
+ {
+ Name: "binary",
+ Version: "4.2+dfsg",
+ Release: "0.1+deb7u4",
+ Epoch: 0,
+ Arch: "amd64",
+ SrcName: "bash",
+ SrcVersion: "4.2+dfsg",
+ SrcRelease: "0.1+deb7u4",
+ SrcEpoch: 0,
+ Licenses: []string{"GPL-3.0"},
+ Locations: []ftypes.Location{
+ {
+ StartLine: 10,
+ EndLine: 20,
+ },
+ {
+ StartLine: 22,
+ EndLine: 32,
+ },
+ },
+ Layer: ftypes.Layer{
+ Digest: "sha256:8d42b73fc1ddc2e9e66c954966f144665825e69f4ed10c66342ae7c26b38d4e4",
+ DiffID: "sha256:745d171eb8c3d69f788da3a1b053056231ad140b80be71d6869229846a1f3a77",
+ },
+ Digest: "SHA1:901a7b55410321c4d35543506cff2a8613ef5aa2",
+ Indirect: false,
+ Identifier: ftypes.PkgIdentifier{
+ UID: "63f8bef824b960e3",
+ },
+ Maintainer: "alice@example.com",
+ },
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/rpc/common/service.pb.go b/rpc/common/service.pb.go
index c8290cc52818..1a769c877f36 100644
--- a/rpc/common/service.pb.go
+++ b/rpc/common/service.pb.go
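Review bot: The new table entry has no `name:` field — its first line after `{` is `args: args{` — so `t.Run(tt.name, ...)` at the end of the hunk registers it under an auto-generated subtest name (`#NN` style), which makes a failure in this case hard to attribute. Adding `name: "Maintainer is carried over from the RPC package",` as the first field fixes that. Since this case appears to differ from the earlier entries (outside the hunk, so inferred) only by the Maintainer field, a reduced case with just Name and Maintainer would also state the intent more directly, though the full struct is acceptable.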
@@ -465,6 +465,7 @@ type Package struct { Digest string `protobuf:"bytes,16,opt,name=digest,proto3" json:"digest,omitempty"` Dev bool `protobuf:"varint,17,opt,name=dev,proto3" json:"dev,omitempty"` Indirect bool `protobuf:"varint,18,opt,name=indirect,proto3" json:"indirect,omitempty"` + Maintainer string `protobuf:"bytes,21,opt,name=maintainer,proto3" json:"maintainer,omitempty"` } func (x *Package) Reset() { @@ -632,6 +633,13 @@ func (x *Package) GetIndirect() bool { return false } +func (x *Package) GetMaintainer() string { + if x != nil { + return x.Maintainer + } + return "" +} + type PkgIdentifier struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -2428,7 +2436,7 @@ var file_rpc_common_service_proto_rawDesc = []byte{ 0x66, 0x69, 0x6c, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x31, 0x0a, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x74, 0x72, 0x69, 0x76, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, - 0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xc1, 0x04, 0x0a, 0x07, + 0x65, 0x52, 0x08, 0x70, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x73, 0x22, 0xe1, 0x04, 0x0a, 0x07, 0x50, 0x61, 0x63, 0x6b, 0x61, 0x67, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 
@@ -2464,7 +2472,9 @@ var file_rpc_common_service_proto_rawDesc = []byte{ 0x65, 0x73, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x76, 0x18, 0x11, 0x20, 0x01, 0x28, 0x08, 0x52, 0x03, 0x64, 0x65, 0x76, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, - 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x22, + 0x12, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x69, 0x6e, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12, + 0x1e, 0x0a, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x18, 0x15, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x61, 0x69, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x22, 0x4e, 0x0a, 0x0d, 0x50, 0x6b, 0x67, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x75, 0x72, 0x6c, 0x12, 0x17, 0x0a, 0x07, 0x62, 0x6f, 0x6d, 0x5f, 0x72, 0x65, 0x66, 0x18, diff --git a/rpc/common/service.proto b/rpc/common/service.proto index e989738c285b..dd353f004596 100644 --- a/rpc/common/service.proto +++ b/rpc/common/service.proto @@ -54,6 +54,7 @@ message Package { string digest = 16; bool dev = 17; bool indirect = 18; + string maintainer = 21; } message PkgIdentifier {
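Review bot: `string maintainer = 21;` leaves 19 and 20 unassigned in the visible part of `Package`; if those numbers belong to fields declared elsewhere in the message this is fine, but if they were retired they should be declared `reserved 19, 20;` so a future field cannot reuse a number that an older client still decodes with different semantics. The new field also carries no comment; a short one such as `// Maintainer of the package, presumably taken from the package metadata; empty when unknown.` would document the contract for consumers of the RPC type. The `Package` message starts outside the hunk.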