Skip to content

Commit

Permalink
Fix Trivy analyzer vulnerability matching for Go packages
Browse files Browse the repository at this point in the history
Fixes #4376

Signed-off-by: nscuro <[email protected]>
  • Loading branch information
nscuro committed Nov 20, 2024
1 parent 247c4c3 commit 36b202b
Show file tree
Hide file tree
Showing 2 changed files with 28 additions and 3 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -204,7 +204,11 @@ public void analyze(final List<Component> components) {
var name = component.getPurl().getName();

if (component.getPurl().getNamespace() != null) {
name = component.getPurl().getNamespace() + ":" + name;
if (PackageURL.StandardTypes.GOLANG.equals(component.getPurl().getType())) {
name = component.getPurl().getNamespace() + "/" + name;
} else {
name = component.getPurl().getNamespace() + ":" + name;
}
}

if (!PurlType.UNKNOWN.getAppType().equals(appType)) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -252,7 +252,7 @@ public void testWithPackageWithoutTrivyProperties() {
assertThat(qm.getAllVulnerabilities(component)).isEmpty();
}

/**
/**
* This test documents the case where Trivy is able to correlate a package with vulnerabilities
* when additional properties provided. When including libc6 in an SBOM,
* Trivy adds metadata to the component, which among other things includes alternative package names.
Expand Down Expand Up @@ -346,7 +346,7 @@ public void testWithPackageWithTrivyProperties() {
});
}

/**
/**
* This test documents the case where Trivy generates a sbom and operative system is not entirely on distro qualifier.
* <p>
* Here's an excerpt of the properties included:
Expand Down Expand Up @@ -436,4 +436,25 @@ public void testWithPackageWithTrivyPropertiesWithDistroWithoutOS() {
assertThat(vuln.getReferences()).isNotBlank();
});
}

@Test // https://github.com/DependencyTrack/dependency-track/issues/4376
public void testWithGoPackage() {
final var project = new Project();
project.setName("acme-app");
qm.persist(project);

final var component = new Component();
component.setProject(project);
component.setName("golang/github.com/nats-io/nkeys");
component.setVersion("0.4.4");
component.setClassifier(Classifier.LIBRARY);
component.setPurl("pkg:golang/github.com/nats-io/[email protected]");
qm.persist(component);

final var analysisEvent = new TrivyAnalysisEvent(List.of(component));
new TrivyAnalysisTask().inform(analysisEvent);

assertThat(qm.getAllVulnerabilities(component)).hasSizeGreaterThanOrEqualTo(1);
}

}

0 comments on commit 36b202b

Please sign in to comment.