feat(vuln): remove duplicates in Fixed Version (#5596)

Signed-off-by: knqyf263 <[email protected]> Co-authored-by: knqyf263 <[email protected]>
aquasecurity · Dec 4, 2023 · a54d1e9 · a54d1e9
1 parent 99c04c4
commit a54d1e9
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 2 deletions.
diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
@@ -136,7 +137,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 
 func createFixedVersions(advisory dbTypes.Advisory) string {
 	if len(advisory.PatchedVersions) != 0 {
-		return strings.Join(advisory.PatchedVersions, ", ")
+		return joinFixedVersions(advisory.PatchedVersions)
 	}
 
 	var fixedVersions []string
@@ -149,5 +150,9 @@ func createFixedVersions(advisory dbTypes.Advisory) string {
 			}
 		}
 	}
-	return strings.Join(fixedVersions, ", ")
+	return joinFixedVersions(fixedVersions)
+}
+
+func joinFixedVersions(fixedVersions []string) string {
+	return strings.Join(lo.Uniq(fixedVersions), ", ")
 }
diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
@@ -157,6 +157,31 @@ func TestDriver_Detect(t *testing.T) {
 			},
 			wantErr: "failed to unmarshal advisory JSON",
 		},
+		{
+			name: "duplicated version in advisory",
+			fixtures: []string{
+				"testdata/fixtures/pip.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.PythonPkg,
+			args: args{
+				pkgName: "Django",
+				pkgVer:  "4.2.1",
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2023-36053",
+					PkgName:          "Django",
+					InstalledVersion: "4.2.1",
+					FixedVersion:     "4.2.3",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.GHSA,
+						Name: "GitHub Security Advisory Pip",
+						URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip",
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -20,3 +20,8 @@
         ID: "ruby-advisory-db"
         Name: "Ruby Advisory Database"
         URL:  "https://github.com/rubysec/ruby-advisory-db"
+    - key: "pip::GitHub Security Advisory Pip"
+      value:
+        ID: "ghsa"
+        Name: "GitHub Security Advisory Pip"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
diff --git a/pkg/detector/library/testdata/fixtures/pip.yaml b/pkg/detector/library/testdata/fixtures/pip.yaml
@@ -0,0 +1,18 @@
+- bucket: "pip::GitHub Security Advisory Pip"
+  pairs:
+    - bucket: Django
+      pairs:
+        - key: CVE-2023-36053
+          value:
+            PatchedVersions:
+              - 4.2.3
+            VulnerableVersions:
+              - < 4.2.3
+    - bucket: django
+      pairs:
+        - key: CVE-2023-36053
+          value:
+            PatchedVersions:
+              - 4.2.3
+            VulnerableVersions:
+              - < 4.2.3