From fb8c5ead3c6489e46ac3c626dbe8ac393d1077bd Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 21 Jan 2025 13:24:28 +0600
Subject: [PATCH 1/3] refactor: add AllSourceIDs

---
 pkg/vulnsrc/vulnerability/const.go         | 35 +++++++++++++++++++++-
 pkg/vulnsrc/vulnerability/vulnerability.go | 20 ++++---------
 2 files changed, 40 insertions(+), 15 deletions(-)

diff --git a/pkg/vulnsrc/vulnerability/const.go b/pkg/vulnsrc/vulnerability/const.go
index cd9616c4..db5f77c5 100644
--- a/pkg/vulnsrc/vulnerability/const.go
+++ b/pkg/vulnsrc/vulnerability/const.go
@@ -1,6 +1,8 @@
 package vulnerability
 
-import "github.com/aquasecurity/trivy-db/pkg/types"
+import (
+	"github.com/aquasecurity/trivy-db/pkg/types"
+)
 
 const (
 	// Data source
@@ -70,3 +72,34 @@ var Ecosystems = []types.Ecosystem{
 	Bitnami,
 	Kubernetes,
 }
+
+// AllSourceIDs is list of all supported sourceID
+var AllSourceIDs = []types.SourceID{
+	NVD,
+	RedHat,
+	RedHatOVAL,
+	Debian,
+	Ubuntu,
+	Alpine,
+	Amazon,
+	OracleOVAL,
+	SuseCVRF,
+	Photon,
+	ArchLinux,
+	Alma,
+	Rocky,
+	CBLMariner,
+	AzureLinux,
+	RubySec,
+	PhpSecurityAdvisories,
+	NodejsSecurityWg,
+	GHSA,
+	GLAD,
+	Aqua,
+	OSV,
+	K8sVulnDB,
+	Wolfi,
+	Chainguard,
+	BitnamiVulndb,
+	GoVulnDB,
+}
diff --git a/pkg/vulnsrc/vulnerability/vulnerability.go b/pkg/vulnsrc/vulnerability/vulnerability.go
index ce5c0bbf..3cc3a51d 100644
--- a/pkg/vulnsrc/vulnerability/vulnerability.go
+++ b/pkg/vulnsrc/vulnerability/vulnerability.go
@@ -13,14 +13,6 @@ const (
 	rejectVulnerability = "** REJECT **"
 )
 
-var (
-	sources = []types.SourceID{
-		NVD, RedHat, Debian, Ubuntu, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon,
-		ArchLinux, Alma, Rocky, CBLMariner, AzureLinux, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD,
-		Aqua, OSV, K8sVulnDB,
-	}
-)
-
 type Vulnerability struct {
 	dbc db.Operation
 }
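Review bot: The commit is labelled a refactor, but the new AllSourceIDs list is not a drop-in for the removed `sources` slice in vulnerability.go: it adds RedHatOVAL (placed second, directly after RedHat), Wolfi, Chainguard, BitnamiVulndb and GoVulnDB, so every lookup that ranges over it — getSeverity, getTitle, getDescription, getCweIDs, getReferences and getRejectedStatus in the later hunks — can now return data from sources that were previously ignored, and a RedHatOVAL severity now takes precedence over Debian and everything below it. That is a visible change to which severity a consumer of the database sees, so it deserves a mention in the commit message and a test pinning the precedence (for example, details carrying only RedHatOVAL and Debian severities should yield RedHatOVAL's). getReferences also inherits the five new sources with only the Amazon exclusion kept; whether those sources carry reference lists that are relevant to the record is not visible here and is worth confirming. Since the slice is exported and mutable, the doc comment should state that the order is significant, e.g. `// AllSourceIDs lists supported source IDs; the order is the precedence used when merging vulnerability details.`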
@@ -98,7 +90,7 @@ func getVendorSeverity(details map[types.SourceID]types.VulnerabilityDetail) typ
 }
 
 func getSeverity(details map[types.SourceID]types.VulnerabilityDetail) types.Severity {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		switch d, ok := details[source]; {
 		case !ok:
 			continue
@@ -120,7 +112,7 @@ func getSeverity(details map[types.SourceID]types.VulnerabilityDetail) types.Sev
 }
 
 func getTitle(details map[types.SourceID]types.VulnerabilityDetail) string {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -133,7 +125,7 @@ func getTitle(details map[types.SourceID]types.VulnerabilityDetail) string {
 }
 
 func getDescription(details map[types.SourceID]types.VulnerabilityDetail) string {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -146,7 +138,7 @@ func getDescription(details map[types.SourceID]types.VulnerabilityDetail) string
 }
 
 func getCweIDs(details map[types.SourceID]types.VulnerabilityDetail) []string {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -160,7 +152,7 @@ func getCweIDs(details map[types.SourceID]types.VulnerabilityDetail) []string {
 func getReferences(details map[types.SourceID]types.VulnerabilityDetail) []string {
 	references := map[string]struct{}{}
 
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		// Amazon contains unrelated references
 		if source == Amazon {
 			continue
@@ -188,7 +180,7 @@ func getReferences(details map[types.SourceID]types.VulnerabilityDetail) []strin
 }
 
 func getRejectedStatus(details map[types.SourceID]types.VulnerabilityDetail) bool {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		d, ok := details[source]
 		if !ok {
 			continue

From 1ed8c20e5147335f2bcd2e8bdad6b70668c26cb4 Mon Sep 17 00:00:00 2001
From: DmitriyLewen
Date: Tue, 21 Jan 2025 14:51:50 +0600
Subject: [PATCH 2/3] chore: add comment

---
 pkg/vulnsrc/vulnerability/const.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/vulnsrc/vulnerability/const.go b/pkg/vulnsrc/vulnerability/const.go
index db5f77c5..d471cbbb 100644
--- a/pkg/vulnsrc/vulnerability/const.go
+++ b/pkg/vulnsrc/vulnerability/const.go
@@ -73,7 +73,9 @@ var Ecosystems = []types.Ecosystem{
 	Kubernetes,
 }
 
-// AllSourceIDs is list of all supported sourceID
+// AllSourceIDs is a list of all supported sourceIDs.
+// This order affects the choice of `Severity`, `Title`, `Description` and `CweIDs`.
+// e.g. if `NVD` has no severity - we will keep the severity of `RedHat` (if it exists), etc.
 var AllSourceIDs = []types.SourceID{
 	NVD,
 	RedHat,

From b8f9e6de4815387de3810cdbb0f814da38b40991 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Fri, 24 Jan 2025 12:40:30 +0600
Subject: [PATCH 3/3] chore: update comment

Co-authored-by: Teppei Fukuda
---
 pkg/vulnsrc/vulnerability/const.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/pkg/vulnsrc/vulnerability/const.go b/pkg/vulnsrc/vulnerability/const.go
index d471cbbb..c9591219 100644
--- a/pkg/vulnsrc/vulnerability/const.go
+++ b/pkg/vulnsrc/vulnerability/const.go
@@ -73,9 +73,11 @@ var Ecosystems = []types.Ecosystem{
 	Kubernetes,
 }
 
-// AllSourceIDs is a list of all supported sourceIDs.
-// This order affects the choice of `Severity`, `Title`, `Description` and `CweIDs`.
-// e.g. if `NVD` has no severity - we will keep the severity of `RedHat` (if it exists), etc.
+// AllSourceIDs lists all supported vulnerability source IDs in order of precedence.
+// When searching for vulnerability details (Severity, Title, Description, and CWE-IDs),
+// the sources are checked in this order until valid data is found.
+// For example, if severity data is missing in NVD, it will check Red Hat next,
+// continuing through the list until it finds a valid severity value.
 var AllSourceIDs = []types.SourceID{
 	NVD,
 	RedHat,
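Review bot: The new comment names Severity, Title, Description and CWE-IDs as the fields governed by this precedence, but the vulnerability.go hunks in the first patch also range over AllSourceIDs in getReferences (which merges references from every listed source except Amazon) and getRejectedStatus, so the comment understates what the order and membership of the list affect. Suggest adding after the last comment line `// The list also determines which sources contribute References and the rejected status, so adding or reordering entries changes the merged vulnerability record.` Because the slice is exported and mutable, a line such as `// Callers must not modify this slice.` would also make the contract explicit.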