Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(sbom): cyclonedx advisory should omit null value #5041

Merged
10 changes: 10 additions & 0 deletions integration/repo_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,16 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/conda-cyclonedx.json.golden",
},
{
name: "pom.xml generating CycloneDX SBOM (with vulnerabilities)",
args: args{
command: "fs",
scanner: types.VulnerabilityScanner,
format: "cyclonedx",
input: "testdata/fixtures/repo/pom",
},
golden: "testdata/pom-cyclonedx.json.golden",
},
{
name: "conda generating SPDX SBOM",
args: args{
Expand Down
304 changes: 304 additions & 0 deletions integration/testdata/pom-cyclonedx.json.golden
Original file line number Diff line number Diff line change
@@ -0,0 +1,304 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
"version": 1,
"metadata": {
"timestamp": "2020-09-10T14:20:30+00:00",
"tools": [
{
"vendor": "aquasecurity",
"name": "trivy",
"version": "dev"
}
],
"component": {
"bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
"type": "application",
"name": "testdata/fixtures/repo/pom",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
}
]
}
},
"components": [
{
"bom-ref": "3ff14136-e09f-4df9-80ea-000000000003",
"type": "application",
"name": "pom.xml",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "pom"
}
]
},
{
"bom-ref": "pkg:maven/com.example/[email protected]",
"type": "library",
"name": "com.example:log4shell",
"version": "1.0-SNAPSHOT",
"purl": "pkg:maven/com.example/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "pom"
}
]
},
{
"bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"type": "library",
"name": "com.fasterxml.jackson.core:jackson-databind",
"version": "2.9.1",
"purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "pom"
}
]
}
],
"dependencies": [
{
"ref": "3ff14136-e09f-4df9-80ea-000000000002",
"dependsOn": [
"3ff14136-e09f-4df9-80ea-000000000003"
]
},
{
"ref": "3ff14136-e09f-4df9-80ea-000000000003",
"dependsOn": [
"pkg:maven/com.example/[email protected]",
"pkg:maven/com.fasterxml.jackson.core/[email protected]"
]
},
{
"ref": "pkg:maven/com.example/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"dependsOn": []
}
],
"vulnerabilities": [
{
"id": "CVE-2020-9548",
"source": {
"name": "ghsa",
"url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
},
"ratings": [
{
"source": {
"name": "ghsa"
},
"severity": "critical"
},
{
"source": {
"name": "nvd"
},
"score": 6.8,
"severity": "medium",
"method": "CVSSv2",
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
},
{
"source": {
"name": "nvd"
},
"score": 9.8,
"severity": "critical",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "redhat"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
502
],
"description": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).",
"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4",
"advisories": [
{
"url": "https://access.redhat.com/security/cve/CVE-2020-9548"
},
{
"url": "https://github.com/FasterXML/jackson-databind/issues/2634"
},
{
"url": "https://github.com/advisories/GHSA-p43x-xfjf-5jhr"
},
{
"url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E"
},
{
"url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html"
},
{
"url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548"
},
{
"url": "https://security.netapp.com/advisory/ntap-20200904-0006/"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"published": "2020-03-02T04:15:00+00:00",
"updated": "2021-12-02T21:23:00+00:00",
"affects": [
{
"ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"versions": [
{
"version": "2.9.1",
"status": "affected"
}
]
}
]
},
{
"id": "CVE-2021-20190",
"source": {
"name": "glad",
"url": "https://gitlab.com/gitlab-org/advisories-community"
},
"ratings": [
{
"source": {
"name": "ghsa"
},
"severity": "high"
},
{
"source": {
"name": "nvd"
},
"score": 8.3,
"severity": "high",
"method": "CVSSv2",
"vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"
},
{
"source": {
"name": "nvd"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
{
"source": {
"name": "redhat"
},
"score": 8.1,
"severity": "high",
"method": "CVSSv31",
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"cwes": [
502
],
"description": "A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"recommendation": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.7",
"advisories": [
{
"url": "https://access.redhat.com/security/cve/CVE-2021-20190"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633"
},
{
"url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a"
},
{
"url": "https://github.com/FasterXML/jackson-databind/issues/2854"
},
{
"url": "https://github.com/advisories/GHSA-5949-rw7g-wx7w"
},
{
"url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html"
},
{
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190"
},
{
"url": "https://security.netapp.com/advisory/ntap-20210219-0008/"
}
],
"published": "2021-01-19T17:15:00+00:00",
"updated": "2021-07-20T23:15:00+00:00",
"affects": [
{
"ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
"versions": [
{
"version": "2.9.1",
"status": "affected"
}
]
}
]
}
]
}
7 changes: 7 additions & 0 deletions pkg/sbom/cyclonedx/core/cyclonedx.go
Original file line number Diff line number Diff line change
Expand Up @@ -341,6 +341,13 @@ func UnmarshalProperties(properties *[]cdx.Property) map[string]string {
}

func cdxAdvisories(refs []string) *[]cdx.Advisory {
// cyclonedx converts link to empty `[]cdx.Advisory` to `null`
// `bom-1.5.schema.json` doesn't support this - `Invalid type. Expected: array, given: null`
// we need to explicitly set `nil` for empty `refs` slice
if len(refs) == 0 {
return nil
}

var advs []cdx.Advisory
for _, ref := range refs {
advs = append(advs, cdx.Advisory{
Expand Down
16 changes: 2 additions & 14 deletions pkg/sbom/cyclonedx/marshal_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -108,10 +108,6 @@ func TestMarshaler_Marshal(t *testing.T) {
V3Score: 5.3,
},
},
References: []string{
"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
PublishedDate: lo.ToPtr(time.Date(2018, 12, 31, 19, 29, 0, 0, time.UTC)),
LastModifiedDate: lo.ToPtr(time.Date(2019, 10, 31, 1, 15, 0, 0, time.UTC)),
},
Expand Down Expand Up @@ -525,16 +521,8 @@ func TestMarshaler_Marshal(t *testing.T) {
416,
},
Description: "In GNU Binutils 2.31.1, there is a use-after-free in the error function in elfcomm.c when called from the process_archive function in readelf.c via a crafted ELF file.",
Advisories: &[]cdx.Advisory{
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html",
},
{
URL: "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html",
},
},
Published: "2018-12-31T19:29:00+00:00",
Updated: "2019-10-31T01:15:00+00:00",
Published: "2018-12-31T19:29:00+00:00",
Updated: "2019-10-31T01:15:00+00:00",
Affects: &[]cdx.Affects{
{
Ref: "pkg:rpm/centos/[email protected]?arch=aarch64&distro=centos-8.3.2011",
Expand Down
Loading