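--- a/pkg/process/v5/transformers/os/test-fixtures/mariner-range.json
+++ b/pkg/process/v5/transformers/os/test-fixtures/mariner-range.json
@@ -0,0 +1,27 @@
+[
+{
+"Vulnerability": {
+"Name": "CVE-2023-29404",
+"NamespaceName": "mariner:2.0",
+"Description": "CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+"Severity": "Critical",
+"Link": "https://nvd.nist.gov/vuln/detail/CVE-2023-29404",
+"CVSS": [],
+"FixedIn": [
+{
+"Name": "golang",
+"NamespaceName": "mariner:2.0",
+"VersionFormat": "rpm",
+"Version": "0:1.20.7-1.cm2",
+"Module": "",
+"VendorAdvisory": {
+"NoAdvisory": false,
+"AdvisorySummary": []
+},
+"VulnerableRange": "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2"
+}
+],
+"Metadata": {}
+}
+}
+]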
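--- a/pkg/process/v5/transformers/os/transform.go
+++ b/pkg/process/v5/transformers/os/transform.go
@@ -84,7 +84,7 @@ func Transform(vulnerability unmarshal.OSVulnerability) ([]data.Entry, error) {
 allVulns = append(allVulns, grypeDB.Vulnerability{
 ID: vulnerability.Vulnerability.Name,
 PackageQualifiers: buildPackageQualifiers(fixedInEntry),
-VersionConstraint: enforceConstraint(fixedInEntry.Version, fixedInEntry.VersionFormat, vulnerability.Vulnerability.Name),
+VersionConstraint: enforceConstraint(fixedInEntry.Version, fixedInEntry.VulnerableRange, fixedInEntry.VersionFormat, vulnerability.Vulnerability.Name),
 VersionFormat: fixedInEntry.VersionFormat,
 PackageName: grypeNamespace.Resolver().Normalize(fixedInEntry.Name),
 Namespace: entryNamespace,
@@ -215,16 +215,19 @@ func deriveConstraintFromFix(fixVersion, vulnerabilityID string) string {
 return constraint
 }
 
-func enforceConstraint(constraint, format, vulnerabilityID string) string {
-constraint = common.CleanConstraint(constraint)
-if len(constraint) == 0 {
+func enforceConstraint(fixedVersion, vulnerableRange, format, vulnerabilityID string) string {
+if len(vulnerableRange) > 0 {
+return vulnerableRange
+}
+fixedVersion = common.CleanConstraint(fixedVersion)
+if len(fixedVersion) == 0 {
 return ""
 }
 switch strings.ToLower(format) {
 case "semver":
-return common.EnforceSemVerConstraint(constraint)
+return common.EnforceSemVerConstraint(fixedVersion)
 default:
 // the passed constraint is a fixed version
-return deriveConstraintFromFix(constraint, vulnerabilityID)
+return deriveConstraintFromFix(fixedVersion, vulnerabilityID)
 }
 }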
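Review bot: The early return added at the top of enforceConstraint hands vulnerableRange back verbatim, while the fixedVersion path below it is still normalized through common.CleanConstraint and, for the semver format, common.EnforceSemVerConstraint; a range with stray whitespace or in a syntax the constraint parser rejects would be stored as-is and only fail at match time, which for a vulnerability database means a silent false negative for that package. Putting both inputs through the same normalization keeps them on one footing: `if r := common.CleanConstraint(vulnerableRange); len(r) > 0 {` / `return r` / `}` — what CleanConstraint actually strips is not visible in this hunk, so confirm it is safe on a multi-clause range such as the fixture's `> 0:1.19.0.cm2, < 0:1.20.7-1.cm2`. The function also has no doc comment; a line such as `// enforceConstraint returns the version constraint for a FixedIn entry, preferring an explicit vulnerableRange over one derived from fixedVersion.` would record the new precedence. Note that fixedVersion is ignored entirely when vulnerableRange is set, so an entry carrying both, with a range that does not end at the fixed version, is accepted without any consistency check.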
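--- a/pkg/process/v5/transformers/os/transform_test.go
+++ b/pkg/process/v5/transformers/os/transform_test.go
@@ -626,6 +626,45 @@ func TestParseVulnerabilitiesEntry(t *testing.T) {
 Description: "A flaw was found in PostgreSQL, where some PostgreSQL extensions did not use the search_path safely in their installation script. This flaw allows an attacker with sufficient privileges to trick an administrator into executing a specially crafted script during the extension's installation or update. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.",
 },
 },
+{
+name: "mariner entry with version range",
+numEntries: 1,
+fixture: "test-fixtures/mariner-range.json",
+vulns: []grypeDB.Vulnerability{
+{
+ID: "CVE-2023-29404",
+PackageName: "golang",
+Namespace: "mariner:distro:mariner:2.0",
+PackageQualifiers: []qualifier.Qualifier{
+rpmmodularity.Qualifier{
+Kind: "rpm-modularity",
+Module: "",
+},
+},
+VersionConstraint: "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2",
+VersionFormat: "rpm",
+RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
+{
+ID: "CVE-2023-29404",
+Namespace: "nvd:cpe",
+},
+},
+Fix: grypeDB.Fix{
+Versions: []string{"0:1.20.7-1.cm2"},
+State: grypeDB.FixedState,
+},
+},
+},
+metadata: grypeDB.VulnerabilityMetadata{
+ID: "CVE-2023-29404",
+Namespace: "mariner:distro:mariner:2.0",
+DataSource: "https://nvd.nist.gov/vuln/detail/CVE-2023-29404",
+RecordSource: "vulnerabilities:mariner:2.0",
+Severity: "Critical",
+URLs: []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-29404"},
+Description: "CVE-2023-29404 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+},
+},
 }
 
 for _, test := range tests {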
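Review bot: The new case pins only the configuration where Version and VulnerableRange are both populated and agree, so the precedence that enforceConstraint now applies is not actually exercised: a fixture with VulnerableRange set and Version empty, and one where the range and the fixed version disagree, would show which value wins in VersionConstraint and in Fix.Versions. A direct table test of enforceConstraint with constructed inputs such as `("1.2.3", "", "rpm", "CVE-PLACEHOLDER")` and `("1.2.3", "< 1.2.3", "rpm", "CVE-PLACEHOLDER")` would cover the `len(vulnerableRange) > 0` branch without another JSON fixture. TestParseVulnerabilitiesEntry begins before this hunk, and the loop that runs these cases continues past it.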
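--- a/pkg/provider/unmarshal/os_vulnerability.go
+++ b/pkg/provider/unmarshal/os_vulnerability.go
@@ -21,8 +21,9 @@ type OSFixedIn struct {
 } `json:"AdvisorySummary"`
 NoAdvisory bool `json:"NoAdvisory"`
 } `json:"VendorAdvisory"`
-Version string `json:"Version"`
-VersionFormat string `json:"VersionFormat"`
+Version string `json:"Version"`
+VersionFormat string `json:"VersionFormat"`
+VulnerableRange string `json:"VulnerableRange"`
 }
 
 type OSFixedIns []OSFixedIn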
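Review bot: VulnerableRange is added without a comment saying what it carries or how it relates to Version, even though transform.go in this same change makes it take precedence over Version whenever it is non-empty. A field comment such as `// VulnerableRange is an optional, pre-formatted version constraint (e.g. "> 0:1.19.0.cm2, < 0:1.20.7-1.cm2" for rpm); when set it is used in place of a constraint derived from Version.` would tell feed maintainers that the string is consumed as written and must already be in the constraint syntax for VersionFormat. The OSFixedIn struct begins above this hunk.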