feat(db): add support for
vuln-list-aqua
(#478)
1 parent
8c398f1
commit 996f556
Showing
8 changed files
with
236 additions
and
2 deletions.
@@ -0,0 +1,38 @@ | ||
package aqua | ||
|
||
import ( | ||
"path/filepath" | ||
|
||
"github.com/aquasecurity/trivy-db/pkg/types" | ||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/osv" | ||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" | ||
) | ||
|
||
const ( | ||
sourceID = vulnerability.Aqua | ||
) | ||
|
||
var vulnsDir = filepath.Join("vuln-list-aqua", "vulns") | ||
|
||
type VulnSrc struct{} | ||
|
||
func NewVulnSrc() VulnSrc { | ||
return VulnSrc{} | ||
} | ||
|
||
func (VulnSrc) Name() types.SourceID { | ||
return sourceID | ||
} | ||
|
||
func (VulnSrc) Update(root string) error { | ||
dataSources := map[types.Ecosystem]types.DataSource{} | ||
for _, ecosystem := range vulnerability.Ecosystems { | ||
dataSources[ecosystem] = types.DataSource{ | ||
ID: sourceID, | ||
Name: "The Aqua Security Vulnerability Database", | ||
URL: "https://github.com/aquasecurity/vuln-list-aqua", | ||
} | ||
} | ||
|
||
return osv.New(vulnsDir, sourceID, dataSources, nil).Update(root) | ||
} |
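Review bot: The exported identifiers `VulnSrc`, `NewVulnSrc`, `Name` and `Update` are added without doc comments, so the package's contract (which directory under `root` it reads, and that parsing is delegated to the OSV loader) is only recoverable by reading the code. Suggested comments: `// VulnSrc loads advisories published in the vuln-list-aqua repository, which uses the OSV schema.` above the type, and `// Update parses every advisory under <root>/vuln-list-aqua/vulns and stores it under the Aqua data source for each supported ecosystem.` above `Update`. The `Name` and `URL` literals inside the loop are repeated verbatim in the accompanying test file; a pair of constants next to `sourceID` (say `sourceName` and `sourceURL`) would keep them in one place and make the test reference them. The meaning of the final `nil` argument to `osv.New` is not visible in this hunk; a trailing comment naming the parameter it leaves unset would spare the next reader a jump into the osv package.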
@@ -0,0 +1,117 @@ | ||
package aqua_test | ||
|
||
import ( | ||
"path/filepath" | ||
"testing" | ||
|
||
"github.com/aquasecurity/trivy-db/pkg/types" | ||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/aqua" | ||
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" | ||
"github.com/aquasecurity/trivy-db/pkg/vulnsrctest" | ||
) | ||
|
||
func TestVulnSrc_Update(t *testing.T) { | ||
tests := []struct { | ||
name string | ||
dir string | ||
wantValues []vulnsrctest.WantValues | ||
noBuckets [][]string | ||
wantErr string | ||
}{ | ||
{ | ||
name: "happy path", | ||
dir: filepath.Join("testdata", "happy"), | ||
wantValues: []vulnsrctest.WantValues{ | ||
{ | ||
Key: []string{ | ||
"data-source", | ||
"pip::The Aqua Security Vulnerability Database", | ||
}, | ||
Value: types.DataSource{ | ||
ID: vulnerability.Aqua, | ||
Name: "The Aqua Security Vulnerability Database", | ||
URL: "https://github.com/aquasecurity/vuln-list-aqua", | ||
}, | ||
}, | ||
{ | ||
Key: []string{ | ||
"advisory-detail", | ||
"AQUA-2024-0001", | ||
"pip::The Aqua Security Vulnerability Database", | ||
"ultralytics", | ||
}, | ||
Value: types.Advisory{ | ||
PatchedVersions: []string{ | ||
"8.3.43", | ||
"8.3.47", | ||
}, | ||
VulnerableVersions: []string{ | ||
">=8.3.41, <8.3.43", | ||
">=8.3.45, <8.3.47", | ||
}, | ||
}, | ||
}, | ||
{ | ||
Key: []string{ | ||
"vulnerability-detail", | ||
"AQUA-2024-0001", | ||
"aqua", | ||
}, | ||
Value: types.VulnerabilityDetail{ | ||
Title: "Vulnerable app versions contains xmrig cryptominer", | ||
Description: "Affected versions of this package are vulnerable to Malicious Embedded Code. These versions have been compromised to install an xmrig cryptominer when installed from PyPI (e.g. via default pip options, without specifying a git URL).", | ||
References: []string{ | ||
"https://github.com/ultralytics/ultralytics/issues/18027", | ||
"https://github.com/ultralytics/ultralytics/issues/18030", | ||
}, | ||
CvssScoreV3: 9.8, | ||
CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", | ||
}, | ||
}, | ||
{ | ||
Key: []string{ | ||
"vulnerability-id", | ||
"AQUA-2024-0001", | ||
}, | ||
Value: map[string]interface{}{}, | ||
}, | ||
}, | ||
noBuckets: [][]string{ | ||
// We should save only stdlib packages | ||
{ | ||
"advisory-detail", | ||
"CVE-2021-41803", | ||
}, | ||
{ | ||
"vulnerability-detail", | ||
"CVE-2021-41803", | ||
}, | ||
{ | ||
"vulnerability-id", | ||
"CVE-2021-41803", | ||
}, | ||
}, | ||
}, | ||
{ | ||
name: "sad path (dir doesn't exist)", | ||
dir: filepath.Join("testdata", "badPath"), | ||
wantErr: "no such file or directory", | ||
}, | ||
{ | ||
name: "sad path (failed to decode)", | ||
dir: filepath.Join("testdata", "sad"), | ||
wantErr: "JSON decode error", | ||
}, | ||
} | ||
for _, tt := range tests { | ||
t.Run(tt.name, func(t *testing.T) { | ||
vs := aqua.NewVulnSrc() | ||
vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{ | ||
Dir: tt.dir, | ||
WantValues: tt.wantValues, | ||
WantErr: tt.wantErr, | ||
NoBuckets: tt.noBuckets, | ||
}) | ||
}) | ||
} | ||
} |
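Review bot: The `noBuckets` comment on the happy-path case, `// We should save only stdlib packages`, does not describe this source — nothing in the Aqua loader filters by package, and the line reads as copied from another vulnsrc test. The three `CVE-2021-41803` buckets it asserts absent never appear in the fixture `AQUA-2024-0001.json`, so the check passes vacuously; either drop `noBuckets` from this case or replace the comment with one stating what it guards, e.g. `// Advisories not present in the fixture must not be written`. Replacing `map[string]interface{}{}` with `map[string]any{}` would match current Go style. The `wantErr: "no such file or directory"` literal is OS-specific and will not match on Windows; if the other vulnsrc tests use the same string this is at least consistent, but that cannot be confirmed from this page since `vulnsrctest.TestUpdate` is outside it.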
52 changes: 52 additions & 0 deletions
52
pkg/vulnsrc/aqua/testdata/happy/vuln-list-aqua/vulns/AQUA-2024-0001.json
@@ -0,0 +1,52 @@ | ||
{ | ||
"schema_version": "1.6.7", | ||
"id": "AQUA-2024-0001", | ||
"modified": "2024-12-18T12:00:00Z", | ||
"published": "2024-12-18T12:00:00Z", | ||
"summary": "Vulnerable app versions contains xmrig cryptominer", | ||
"details": "Affected versions of this package are vulnerable to Malicious Embedded Code. These versions have been compromised to install an xmrig cryptominer when installed from PyPI (e.g. via default pip options, without specifying a git URL).", | ||
"severity": [ | ||
{ | ||
"type": "CVSS_V3", | ||
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" | ||
} | ||
], | ||
"affected": [ | ||
{ | ||
"package": { | ||
"ecosystem": "PyPI", | ||
"name": "ultralytics", | ||
"purl": "pkg:pypi/ultralytics" | ||
}, | ||
"ranges": [ | ||
{ | ||
"type": "ECOSYSTEM", | ||
"events": [ | ||
{ | ||
"introduced": "8.3.41" | ||
}, | ||
{ | ||
"fixed": "8.3.43" | ||
}, | ||
{ | ||
"introduced": "8.3.45" | ||
}, | ||
{ | ||
"fixed": "8.3.47" | ||
} | ||
] | ||
} | ||
] | ||
} | ||
], | ||
"references": [ | ||
{ | ||
"type": "REPORT", | ||
"url": "https://github.com/ultralytics/ultralytics/issues/18027" | ||
}, | ||
{ | ||
"type": "FIX", | ||
"url": "https://github.com/ultralytics/ultralytics/issues/18030" | ||
} | ||
] | ||
} |
1 change: 1 addition & 0 deletions
1
pkg/vulnsrc/aqua/testdata/sad/vuln-list-aqua/vulns/AQUA-2024-0001.json
@@ -0,0 +1 @@ | ||
{ |