feat(container-scanning): set unimportant vulns as uncalled #1385

Merged
merged 3 commits into from
Nov 8, 2024
44 changes: 38 additions & 6 deletions cmd/osv-scanner/__snapshots__/main_test.snap
@@ -1682,12 +1682,9 @@ Scanned <rootdir>/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S
Loaded Debian local db from <tempdir>/osv-scanner/Debian/all.zip
Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
Loaded Go local db from <tempdir>/osv-scanner/Go/all.zip
16 unimportant vulnerabilities have been filtered out.
Filtered 16 vulnerabilities from output
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
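Review bot: the two summary lines in this hunk, "16 unimportant vulnerabilities have been filtered out." and "Filtered 16 vulnerabilities from output", cannot both stay accurate once the second hunk of this file prints those same 16 findings under "Uncalled vulnerabilities"; this rendering has lost the +/- markers, so please confirm that whichever line survives does not tell the user that 16 vulnerabilities were dropped from the output when they are still listed further down. A wording along the lines of "16 unimportant vulnerabilities are listed as uncalled" would match what the table now shows.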
@@ -1849,6 +1846,25 @@ Filtered 16 vulnerabilities from output
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| Uncalled vulnerabilities | | | | | |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-18276 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-6829 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2024-34459 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2011-4116 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48522 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2023-31486 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2021-20193 | 3.3 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-7738 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+

---
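Review bot: the "Uncalled vulnerabilities" heading in this hunk now covers findings that never went through call analysis at all (all 16 added rows are Debian packages, flagged here only because the advisory's urgency is "unimportant", which is exactly the mapping the PR title describes); to a reader of the table, "uncalled" implies reachability analysis ran and found no call path. Consider a separate section label (or a short note under the heading) so urgency-based and reachability-based suppression are distinguishable in the text output, since the two call for different remediation decisions.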

@@ -1862,12 +1878,9 @@ Scanned <rootdir>/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S
Loaded Debian local db from <tempdir>/osv-scanner/Debian/all.zip
Loaded OSS-Fuzz local db from <tempdir>/osv-scanner/OSS-Fuzz/all.zip
Loaded Go local db from <tempdir>/osv-scanner/Go/all.zip
16 unimportant vulnerabilities have been filtered out.
Filtered 16 vulnerabilities from output
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
@@ -2029,6 +2042,25 @@ Filtered 16 vulnerabilities from output
| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| Uncalled vulnerabilities | | | | | |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
| https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-18276 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2017-18018 | 4.7 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-6829 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-1000654 | 5.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2020-24977 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2024-34459 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2011-4116 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48522 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2023-31486 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2005-2541 | | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2019-9923 | 7.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2021-20193 | 3.3 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-48303 | 5.5 | Debian | tar | 1.29b-1.1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2018-7738 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
| https://osv.dev/CVE-2022-0563 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+

---

39 changes: 26 additions & 13 deletions internal/output/__snapshots__/machinejson_test.snap
@@ -879,7 +879,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
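Review bot: every experimentalAnalysis entry in this file now carries `"unimportant": false` (each hunk below is the same one-line addition), so the field is serialised unconditionally rather than only when set; that widens the JSON output schema for every consumer even when no Debian data is involved. If that is intended, the JSON output documentation should list the new field and its meaning; if not, an `omitempty` tag on `Unimportant` in pkg/models/results.go would leave existing output byte-for-byte unchanged and these snapshots untouched.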
@@ -927,7 +928,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-2": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
@@ -995,7 +997,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
@@ -1224,7 +1227,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
@@ -1288,7 +1292,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
@@ -2273,7 +2278,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
@@ -2285,7 +2291,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-5": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
@@ -2402,7 +2409,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-3": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
@@ -2574,7 +2582,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
@@ -2586,7 +2595,8 @@
"aliases": null,
"experimentalAnalysis": {
"GHSA-123": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
@@ -2642,7 +2652,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
@@ -2698,7 +2709,8 @@
"aliases": null,
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
@@ -2877,7 +2889,8 @@
],
"experimentalAnalysis": {
"OSV-1": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
9 changes: 6 additions & 3 deletions internal/sourceanalysis/__snapshots__/go_test.snap
@@ -160,7 +160,8 @@
"aliases": null,
"experimentalAnalysis": {
"GO-2021-0053": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
@@ -313,7 +314,8 @@
"aliases": null,
"experimentalAnalysis": {
"GO-2023-1558": {
"called": true
"called": true,
"unimportant": false
}
},
"max_severity": ""
@@ -467,7 +469,8 @@
"aliases": null,
"experimentalAnalysis": {
"GO-2023-1572": {
"called": false
"called": false,
"unimportant": false
}
},
"max_severity": ""
7 changes: 6 additions & 1 deletion pkg/models/results.go
@@ -131,6 +131,10 @@ func (groupInfo *GroupInfo) IsCalled() bool {
if analysis.Called {
return true
}
// TODO(gongh@): For v2, create a separate function `isGroupUnimportant()` to encapsulate this check.
if analysis.Unimportant {
return false
}
}

return false
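Review bot: the `return false` added inside the loop on `analysis.Unimportant` makes IsCalled order-dependent: a group whose ExperimentalAnalysis holds one unimportant entry and one called entry returns true or false depending on which entry the range visits first, and since experimentalAnalysis is serialised as an ID-keyed object it is presumably a Go map, whose iteration order is not stable, so the same scan could flip between runs. Replacing the early return with `continue` (or recording a flag and deciding after the loop) keeps "any called entry wins" regardless of order. The TODO's separate `isGroupUnimportant()` is the right direction for the same reason: reachability and Debian urgency are different signals and folding both into IsCalled hides that from callers.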
@@ -164,7 +168,8 @@ func (v *Vulnerability) FixedVersions() map[Package][]string {
}

type AnalysisInfo struct {
Called bool `json:"called"`
Called bool `json:"called"`
Unimportant bool `json:"unimportant"`
}

// Specific package information
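Review bot: the new `Unimportant` field has no doc comment saying where the value comes from (the added osvscanner_internal_test.snap entry shows it is driven by `"urgency": "unimportant"` in the advisory's ecosystem_specific block) or that its only effect today is on IsCalled; since AnalysisInfo is part of the JSON output, a one-line comment on the field, and on `Called` while the struct is being touched, would tell consumers what the two booleans mean and how they interact.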
59 changes: 59 additions & 0 deletions pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap
@@ -1491,6 +1491,65 @@
"type": "lockfile"
},
"packages": [
{
"package": {
"name": "unixodbc",
"version": "2.3.11-2",
"ecosystem": "Debian:10"
},
"vulnerabilities": [
{
"modified": "2024-03-18T12:38:25Z",
"published": "2024-03-18T11:15:09Z",
"id": "CVE-2024-1013",
"details": "An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.",
"affected": [
{
"package": {
"ecosystem": "Debian:10",
"name": "unixodbc"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"ecosystem_specific": {
"urgency": "unimportant"
}
}
],
"references": [
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260823"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-1013"
},
{
"type": "WEB",
"url": "https://github.com/lurcher/unixODBC/pull/157"
}
]
}
],
"groups": [
{
"ids": [
"CVE-2024-1013"
],
"aliases": null,
"max_severity": ""
}
]
},
{
"package": {
"name": "chromium",
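Review bot: the unixodbc / CVE-2024-1013 entry added in this hunk carries `"urgency": "unimportant"` in ecosystem_specific, but its group (`ids`, `aliases`, `max_severity`) has no experimentalAnalysis block, so nothing in this snapshot asserts `"unimportant": true`; every other snapshot hunk in the PR asserts `false`. A snapshot where the analysis is populated for this package, showing `"unimportant": true` and the group being reported as uncalled, would cover the code path the PR actually introduces and would catch a regression in how the urgency value is read.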