Merge branch 'main' of github.com:DmitriyLewen/trivy into fix/cyclone…
…dx-advisory-is-null
DmitriyLewen committed Aug 31, 2023
2 parents c4a09f0 + f811ed2 commit 5ba3b4a
Showing 6 changed files with 71 additions and 37 deletions.
10 changes: 10 additions & 0 deletions .github/workflows/test.yaml
Expand Up @@ -156,6 +156,16 @@ jobs:
env:
DOCKER_CLI_EXPERIMENTAL: "enabled"
steps:
- name: Maximize build space
uses: easimon/maximize-build-space@v7
with:
root-reserve-mb: 35840 # The Go cache (`~/.cache/go-build` and `~/go/pkg`) requires a lot of storage space.
remove-android: 'true'
remove-docker-images: 'true'
remove-dotnet: 'true'
remove-haskell: 'true'
if: matrix.operating-system == 'ubuntu-latest'

- name: Checkout
uses: actions/[email protected]

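Review bot: The new `easimon/maximize-build-space@v7` step is pinned to a mutable major-version tag, so whatever that tag is moved to in the future runs inside this job on every CI run; the checkout reference on the following step is garbled in this rendering, so I cannot tell whether the file already pins the other actions more tightly. Pin the action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: easimon/maximize-build-space@<full-commit-sha> # v7`, so that Dependabot-style bumps remain reviewable diffs. The surrounding `steps:` list continues outside the hunk.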
14 changes: 7 additions & 7 deletions go.mod
Expand Up @@ -25,7 +25,7 @@ require (
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230828123538-ef13fef6ce5b
github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230830063136-fe986af3f10f
github.com/aws/aws-sdk-go v1.44.273
github.com/aws/aws-sdk-go-v2 v1.20.0
github.com/aws/aws-sdk-go-v2/config v1.18.25
Expand Down Expand Up @@ -103,7 +103,7 @@ require (
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
google.golang.org/protobuf v1.31.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.28.0
k8s.io/api v0.28.1
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
modernc.org/sqlite v1.23.1
)
Expand Down Expand Up @@ -375,14 +375,14 @@ require (
gopkg.in/yaml.v2 v2.4.0 // indirect
helm.sh/helm/v3 v3.12.3 // indirect
k8s.io/apiextensions-apiserver v0.27.3 // indirect
k8s.io/apimachinery v0.28.0 // indirect
k8s.io/apimachinery v0.28.1 // indirect
k8s.io/apiserver v0.27.3 // indirect
k8s.io/cli-runtime v0.28.0 // indirect
k8s.io/client-go v0.28.0 // indirect
k8s.io/component-base v0.28.0 // indirect
k8s.io/cli-runtime v0.28.1 // indirect
k8s.io/client-go v0.28.1 // indirect
k8s.io/component-base v0.28.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
k8s.io/kubectl v0.28.0 // indirect
k8s.io/kubectl v0.28.1 // indirect
lukechampine.com/uint128 v1.2.0 // indirect
modernc.org/cc/v3 v3.40.0 // indirect
modernc.org/ccgo/v3 v3.16.13 // indirect
28 changes: 14 additions & 14 deletions go.sum
Expand Up @@ -348,8 +348,8 @@ github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321 h1:oAXkM8x6j
github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321/go.mod h1:WJ5Qnk5ZNGWvks07GOZe2IOsuXrPfSC5c8hYGOGfrsU=
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230828123538-ef13fef6ce5b h1:0COfg0HtJm6uKJn/mMBQUgrVmrIxcktlDPR35LracKI=
github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230828123538-ef13fef6ce5b/go.mod h1:pO5L4zYpy9h0IelEPBypvjJuTabRgZC8f7v+6xXvRMw=
github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230830063136-fe986af3f10f h1:KOB3oGBjP+usI88PzDehhJ0AUWoKUCs7wBspcxBAF00=
github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230830063136-fe986af3f10f/go.mod h1:e1RaMcs2R/C+eP1Pi7JyhDB7Qn1PNRg5rTVwuJL7AiE=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
Expand Down Expand Up @@ -2516,32 +2516,32 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8=
k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM=
k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY=
k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108=
k8s.io/api v0.28.1/go.mod h1:uBYwID+66wiL28Kn2tBjBYQdEU0Xk0z5qF8bIBqk/Dg=
k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4=
k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84=
k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc=
k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA=
k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
k8s.io/apimachinery v0.28.1 h1:EJD40og3GizBSV3mkIoXQBsws32okPOy+MkRyzh6nPY=
k8s.io/apimachinery v0.28.1/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM=
k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q=
k8s.io/apiserver v0.27.3 h1:AxLvq9JYtveYWK+D/Dz/uoPCfz8JC9asR5z7+I/bbQ4=
k8s.io/apiserver v0.27.3/go.mod h1:Y61+EaBMVWUBJtxD5//cZ48cHZbQD+yIyV/4iEBhhNA=
k8s.io/cli-runtime v0.28.0 h1:Tcz1nnccXZDNIzoH6EwjCs+7ezkUGhorzCweEvlVOFg=
k8s.io/cli-runtime v0.28.0/go.mod h1:U+ySmOKBm/JUCmebhmecXeTwNN1RzI7DW4+OM8Oryas=
k8s.io/cli-runtime v0.28.1 h1:7Njc4eD5kaO4tYdSYVJJEs54koYD/vT6gxOq8dEVf9g=
k8s.io/cli-runtime v0.28.1/go.mod h1:yIThSWkAVLqeRs74CMkq6lNFW42GyJmvMtcNn01SZho=
k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k=
k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0=
k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM=
k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc=
k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8=
k8s.io/client-go v0.28.1/go.mod h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE=
k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI=
k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM=
k8s.io/component-base v0.28.0 h1:HQKy1enJrOeJlTlN4a6dU09wtmXaUvThC0irImfqyxI=
k8s.io/component-base v0.28.0/go.mod h1:Yyf3+ZypLfMydVzuLBqJ5V7Kx6WwDr/5cN+dFjw1FNk=
k8s.io/component-base v0.28.1 h1:LA4AujMlK2mr0tZbQDZkjWbdhTV5bRyEyAFe0TJxlWg=
k8s.io/component-base v0.28.1/go.mod h1:jI11OyhbX21Qtbav7JkhehyBsIRfnO8oEgoAR12ArIU=
k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM=
k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
Expand All @@ -2554,8 +2554,8 @@ k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
k8s.io/kubectl v0.28.0 h1:qhfju0OaU+JGeBlToPeeIg2UJUWP++QwTkpio6nlPKg=
k8s.io/kubectl v0.28.0/go.mod h1:1We+E5nSX3/TVoSQ6y5Bzld5OhTBHZHlKEYl7g/NaTk=
k8s.io/kubectl v0.28.1 h1:jAq4yKEqQL+fwkWcEsUWxhJ7uIRcOYQraJxx4SyAMTY=
k8s.io/kubectl v0.28.1/go.mod h1:a0nk/lMMeKBulp0lMTJAKbkjZg1ykqfLfz/d6dnv1ak=
k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
4 changes: 2 additions & 2 deletions integration/k8s_test.go
Expand Up @@ -97,7 +97,7 @@ func TestK8s(t *testing.T) {
err = json.NewDecoder(f).Decode(&got)
require.NoError(t, err)

assert.Equal(t, got.Metadata.Component.Name, "kind-kind-test")
assert.Equal(t, got.Metadata.Component.Name, "k8s.io/kubernetes")
assert.Equal(t, got.Metadata.Component.Type, cdx.ComponentType("platform"))

// Has components
Expand All @@ -109,4 +109,4 @@ func TestK8s(t *testing.T) {
}))

})
}
}
26 changes: 18 additions & 8 deletions pkg/k8s/scanner/scanner.go
Expand Up @@ -31,7 +31,7 @@ import (
)

const (
k8sCoreComponentNamespace = core.Namespace + "k8s:component" + ":"
k8sCoreComponentNamespace = core.Namespace + "resource:"
k8sComponentType = "Type"
k8sComponentName = "Name"
k8sComponentNode = "node"
Expand Down Expand Up @@ -71,7 +71,7 @@ func (s *Scanner) Scan(ctx context.Context, artifactsData []*artifacts.Artifact)
}()

if s.opts.Format == types.FormatCycloneDX {
rootComponent, err := clusterInfoToReportResources(artifactsData, s.cluster)
rootComponent, err := clusterInfoToReportResources(artifactsData)
if err != nil {
return report.Report{}, err
}
Expand Down Expand Up @@ -197,12 +197,14 @@ const (
oci = "oci"
kubelet = "k8s.io/kubelet"
pod = "PodInfo"
clusterInfo = "ClusterInfo"
nodeInfo = "NodeInfo"
nodeCoreComponents = "node-core-components"
)

func clusterInfoToReportResources(allArtifact []*artifacts.Artifact, clusterName string) (*core.Component, error) {
func clusterInfoToReportResources(allArtifact []*artifacts.Artifact) (*core.Component, error) {
coreComponents := make([]*core.Component, 0)
var cInfo *core.Component
for _, artifact := range allArtifact {
switch artifact.Kind {
case pod:
Expand Down Expand Up @@ -242,6 +244,7 @@ func clusterInfoToReportResources(allArtifact []*artifacts.Artifact, clusterName
}
rootComponent := &core.Component{
Name: comp.Name,
Version: comp.Version,
Type: cdx.ComponentTypeApplication,
Properties: toProperties(comp.Properties, k8sCoreComponentNamespace),
Components: imageComponents,
Expand All @@ -254,13 +257,22 @@ func clusterInfoToReportResources(allArtifact []*artifacts.Artifact, clusterName
return nil, err
}
coreComponents = append(coreComponents, nodeComponent(nf))
case clusterInfo:
var cf bom.ClusterInfo
err := ms.Decode(artifact.RawResource, &cf)
if err != nil {
return nil, err
}
cInfo = &core.Component{Name: cf.Name, Version: cf.Version, Properties: toProperties(cf.Properties, k8sCoreComponentNamespace)}
default:
return nil, fmt.Errorf("resource kind %s is not supported", artifact.Kind)
}
}
rootComponent := &core.Component{
Name: clusterName,
Name: cInfo.Name,
Version: cInfo.Version,
Type: cdx.ComponentTypePlatform,
Properties: cInfo.Properties,
Components: coreComponents,
}
return rootComponent, nil
Expand Down Expand Up @@ -336,26 +348,24 @@ func nodeComponent(nf bom.NodeInfo) *core.Component {
},
Components: []*core.Component{
{
Type: cdx.ComponentTypeLibrary,
Type: cdx.ComponentTypeApplication,
Name: kubelet,
Version: kubeletVersion,
Properties: []core.Property{
{Name: k8sComponentType, Value: k8sComponentNode, Namespace: k8sCoreComponentNamespace},
{Name: k8sComponentName, Value: kubelet, Namespace: k8sCoreComponentNamespace},
{Name: cyc.PropertyPkgType, Value: golang},
},
PackageURL: &purl.PackageURL{
PackageURL: *packageurl.NewPackageURL(golang, "", kubelet, kubeletVersion, packageurl.Qualifiers{}, ""),
},
},
{
Type: cdx.ComponentTypeLibrary,
Type: cdx.ComponentTypeApplication,
Name: runtimeName,
Version: runtimeVersion,
Properties: []core.Property{
{Name: k8sComponentType, Value: k8sComponentNode, Namespace: k8sCoreComponentNamespace},
{Name: k8sComponentName, Value: runtimeName, Namespace: k8sCoreComponentNamespace},
{Name: cyc.PropertyPkgType, Value: golang},
},
PackageURL: &purl.PackageURL{
PackageURL: *packageurl.NewPackageURL(golang, "", runtimeName, runtimeVersion, packageurl.Qualifiers{}, ""),
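Review bot: `cInfo` is dereferenced at `Name: cInfo.Name` after the loop but is only assigned in the new `case clusterInfo:` branch, so an artifact list that contains no ClusterInfo resource — the situation the removed `clusterName` parameter used to cover unconditionally — now panics with a nil pointer dereference instead of returning an error. Add a guard before `rootComponent` is built, e.g. `if cInfo == nil { return nil, fmt.Errorf("ClusterInfo resource not found in artifacts") }`, or a deliberate fallback if a report without cluster metadata is still acceptable. The decoded `cf.Name` is also copied straight into the root component, so an empty or unexpected name from the raw resource ends up as the SBOM root name; presumably trivy-kubernetes always sets it, but that is worth confirming. The closing brace of clusterInfoToReportResources is outside the hunk.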
26 changes: 20 additions & 6 deletions pkg/k8s/scanner/scanner_test.go
Expand Up @@ -31,6 +31,18 @@ func TestK8sClusterInfoReport(t *testing.T) {
name: "test cluster info with resources",
clusterName: "test-cluster",
artifacts: []*artifacts.Artifact{
{
Namespace: "kube-system",
Kind: "ClusterInfo",
Name: "k8s.io/kubernetes",
RawResource: map[string]interface{}{
"Properties": map[string]string{
"Name": "kube-cluster",
},
"Name": "kube-apiserver-kind-control-plane",
"Version": "1.21.1",
},
},
{
Namespace: "kube-system",
Kind: "PodInfo",
Expand Down Expand Up @@ -72,8 +84,12 @@ func TestK8sClusterInfoReport(t *testing.T) {
},
},
want: &core.Component{
Type: cdx.ComponentTypePlatform,
Name: "test-cluster",
Type: cdx.ComponentTypePlatform,
Name: "kube-apiserver-kind-control-plane",
Version: "1.21.1",
Properties: []core.Property{
{Name: "Name", Value: "kube-cluster", Namespace: k8sCoreComponentNamespace},
},
Components: []*core.Component{
{
Type: cdx.ComponentTypeApplication,
Expand Down Expand Up @@ -140,13 +156,12 @@ func TestK8sClusterInfoReport(t *testing.T) {
},
Components: []*core.Component{
{
Type: cdx.ComponentTypeLibrary,
Type: cdx.ComponentTypeApplication,
Name: "k8s.io/kubelet",
Version: "1.21.1",
Properties: []core.Property{
{Name: k8sComponentType, Value: "node", Namespace: k8sCoreComponentNamespace},
{Name: k8sComponentName, Value: "k8s.io/kubelet", Namespace: k8sCoreComponentNamespace},
{Name: "PkgType", Value: "golang", Namespace: ""},
},
PackageURL: &purl.PackageURL{
PackageURL: packageurl.PackageURL{
Expand All @@ -158,13 +173,12 @@ func TestK8sClusterInfoReport(t *testing.T) {
},
},
{
Type: cdx.ComponentTypeLibrary,
Type: cdx.ComponentTypeApplication,
Name: "github.com/containerd/containerd",
Version: "1.5.2",
Properties: []core.Property{
{Name: k8sComponentType, Value: "node", Namespace: k8sCoreComponentNamespace},
{Name: k8sComponentName, Value: "github.com/containerd/containerd", Namespace: k8sCoreComponentNamespace},
{Name: "PkgType", Value: "golang", Namespace: ""},
},
PackageURL: &purl.PackageURL{
PackageURL: packageurl.PackageURL{
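Review bot: The added table entry only exercises the path where a `ClusterInfo` artifact is present, while the scanner's new code dereferences `cInfo` unconditionally after the loop; a case with only PodInfo/NodeInfo artifacts, expecting an error (or whatever fallback the scanner settles on), would pin that behaviour instead of leaving it to a runtime panic. The `clusterName: "test-cluster"` field is still populated even though clusterInfoToReportResources no longer takes a cluster name; if nothing else in the table reads it, drop the field so the fixture does not suggest the value influences the result. The table struct definition and the loop that runs these cases are outside the hunk.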
