From 7e2977814b368c76e7f9533ca3b7c26c8d23234a Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 24 Jul 2023 16:16:01 +0600 Subject: [PATCH 01/19] add new analyzer --- pkg/fanal/analyzer/all/import.go | 1 + pkg/fanal/analyzer/const.go | 4 +- .../language/php/installed/installed.go | 49 +++++++ .../language/php/installed/installed_test.go | 122 ++++++++++++++++ .../installed/testdata/happy/installed.json | 131 ++++++++++++++++++ .../php/installed/testdata/sad/installed.json | 1 + pkg/fanal/types/const.go | 5 +- 7 files changed, 310 insertions(+), 3 deletions(-) create mode 100644 pkg/fanal/analyzer/language/php/installed/installed.go create mode 100644 pkg/fanal/analyzer/language/php/installed/installed_test.go create mode 100644 pkg/fanal/analyzer/language/php/installed/testdata/happy/installed.json create mode 100644 pkg/fanal/analyzer/language/php/installed/testdata/sad/installed.json diff --git a/pkg/fanal/analyzer/all/import.go b/pkg/fanal/analyzer/all/import.go index 16e24195da3b..571f34231e74 100644 --- a/pkg/fanal/analyzer/all/import.go +++ b/pkg/fanal/analyzer/all/import.go @@ -23,6 +23,7 @@ import ( _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pnpm" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/php/composer" + _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/php/installed" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/packaging" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pip" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pipenv" diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go index 0eac3c37babb..9e04665427c0 100644 --- a/pkg/fanal/analyzer/const.go +++ b/pkg/fanal/analyzer/const.go 
@@ -47,7 +47,8 @@ const ( TypeCargo Type = "cargo" // PHP - TypeComposer Type = "composer" + TypeComposer Type = "composer" + TypeComposerInstalled Type = "composer-installed" // Java TypeJar Type = "jar" @@ -211,6 +212,7 @@ var ( TypeGoBinary, TypeJar, TypeRustBinary, + TypeComposerInstalled, } // TypeConfigFiles has all config file analyzers diff --git a/pkg/fanal/analyzer/language/php/installed/installed.go b/pkg/fanal/analyzer/language/php/installed/installed.go new file mode 100644 index 000000000000..187c0a5e223d --- /dev/null +++ b/pkg/fanal/analyzer/language/php/installed/installed.go @@ -0,0 +1,49 @@ +package installed + +import ( + "context" + "os" + "path/filepath" + "strings" + + "golang.org/x/xerrors" + + "github.com/aquasecurity/go-dep-parser/pkg/php/composer" + "github.com/aquasecurity/trivy/pkg/fanal/analyzer" + "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language" + "github.com/aquasecurity/trivy/pkg/fanal/types" +) + +func init() { + analyzer.RegisterAnalyzer(&composerInstalledAnalyzer{}) +} + +const ( + version = 1 +) + +// composerInstalledAnalyzer analyzes 'installed.json' +type composerInstalledAnalyzer struct{} + +func (a composerInstalledAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { + p := composer.NewParser() + res, err := language.Analyze(types.Composer, input.FilePath, input.Content, p) + if err != nil { + return nil, xerrors.Errorf("%s parse error: %w", input.FilePath, err) + } + return res, nil +} + +func (a composerInstalledAnalyzer) Required(filePath string, _ os.FileInfo) bool { + // installed.json has `path_to_app/vendor/composer/installed.json` file path + dir, fileName := filepath.Split(filePath) + return strings.HasSuffix(dir, "vendor/composer/") && fileName == types.ComposerInstalled +} + +func (a composerInstalledAnalyzer) Type() analyzer.Type { + return analyzer.TypeComposerInstalled +} + +func (a composerInstalledAnalyzer) Version() int { + return version +} 
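Review bot: Analyze in the new installed.go labels its result `types.Composer`, the same application type the composer.lock analyzer produces, even though the analyzer registers itself as `TypeComposerInstalled`. A `composer install` leaves both composer.lock and vendor/composer/installed.json in the tree, so in a filesystem scan where both analyzers run the same packages would presumably be reported twice under one type with nothing to tell the two sources apart; a distinct application type for this file, pinned by the unit test, would let the detector and the report keep them separate. Required also compares the directory returned by `filepath.Split` against the slash-separated suffix `vendor/composer/`, and since `filepath.Split` uses the OS separator the check may never match on Windows inputs — `filepath.ToSlash(dir)` before the suffix test would make it portable.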
diff --git a/pkg/fanal/analyzer/language/php/installed/installed_test.go b/pkg/fanal/analyzer/language/php/installed/installed_test.go new file mode 100644 index 000000000000..71c4352c2ce3 --- /dev/null +++ b/pkg/fanal/analyzer/language/php/installed/installed_test.go 
@@ -0,0 +1,122 @@ +package installed + +import ( + "github.com/aquasecurity/trivy/pkg/fanal/analyzer" + "github.com/aquasecurity/trivy/pkg/fanal/types" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "os" + "testing" +) + +func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { + tests := []struct { + name string + inputFile string + want *analyzer.AnalysisResult + wantErr string + }{ + { + name: "happy path", + inputFile: "testdata/happy/installed.json", + want: &analyzer.AnalysisResult{ + Applications: []types.Application{ + { + Type: types.Composer, + FilePath: "testdata/happy/installed.json", + Libraries: []types.Package{ + { + ID: "pear/log@1.13.3", + Name: "pear/log", + Version: "1.13.3", + Indirect: false, + Licenses: []string{"MIT"}, + Locations: []types.Location{ + { + StartLine: 3, + EndLine: 65, + }, + }, + DependsOn: []string{"pear/pear_exception@v1.0.2"}, + }, + { + ID: "pear/pear_exception@v1.0.2", + Name: "pear/pear_exception", + Version: "v1.0.2", + Indirect: false, + Licenses: []string{"BSD-2-Clause"}, + Locations: []types.Location{ + { + StartLine: 66, + EndLine: 127, + }, + }, + }, + }, + }, + }, + }, + }, + { + name: "broken installed.lock", + inputFile: "testdata/sad/installed.json", + wantErr: "decode error", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + f, err := os.Open(tt.inputFile) + require.NoError(t, err) + defer func() { + err = f.Close() + assert.NoError(t, err) + }() + + a := composerInstalledAnalyzer{} + got, err := a.Analyze(nil, analyzer.AnalysisInput{ + FilePath: tt.inputFile, + Content: f, + }) + + if tt.wantErr != "" { + assert.ErrorContains(t, err, tt.wantErr) + return + } + + assert.NoError(t, err) + assert.Equal(t, tt.want, got) + }) + } +} + +func Test_composerInstalledAnalyzer_Required(t *testing.T) { + tests := []struct { + name string + filePath string + want bool + }{ + { + name: "happy path", + filePath: "app/vendor/composer/installed.json", + want: 
true, + }, + { + name: "without `vendor/composer` dir", + filePath: "installed.json", + want: false, + }, + { + name: "sad path", + filePath: "composer.json", + want: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + a := composerInstalledAnalyzer{} + got := a.Required(tt.filePath, nil) + assert.Equal(t, tt.want, got) + }) + } +} diff --git a/pkg/fanal/analyzer/language/php/installed/testdata/happy/installed.json b/pkg/fanal/analyzer/language/php/installed/testdata/happy/installed.json new file mode 100644 index 000000000000..e44e60d9050a --- /dev/null +++ b/pkg/fanal/analyzer/language/php/installed/testdata/happy/installed.json 
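Review bot: The test calls `a.Analyze(nil, analyzer.AnalysisInput{...})` with a nil context; Analyze ignores its context today, but any future implementation that touches it (`ctx.Done()`, `ctx.Err()`) will panic on a nil interface, so `context.Background()` is the conventional value here. The import block of installed_test.go also mixes `os` and `testing` in with the testify and trivy imports instead of the stdlib / third-party grouping that installed.go in the same commit uses, so it is not in goimports order. The case name "broken installed.lock" refers to a file that does not exist in the fixture set — the sad-path file is installed.json.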
@@ -0,0 +1,131 @@ +{ + "packages": [ + { + "name": "pear/log", + "version": "1.13.3", + "version_normalized": "1.13.3.0", + "source": { + "type": "git", + "url": "https://github.com/pear/Log.git", + "reference": "21af0be11669194d72d88b5ee9d5f176dc75d9a3" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/pear/Log/zipball/21af0be11669194d72d88b5ee9d5f176dc75d9a3", + "reference": "21af0be11669194d72d88b5ee9d5f176dc75d9a3", + "shasum": "" + }, + "require": { + "pear/pear_exception": "1.0.1 || 1.0.2", + "php": ">5.2" + }, + "require-dev": { + "phpunit/phpunit": "*" + }, + "suggest": { + "pear/db": "Install optionally via your project's composer.json" + }, + "time": "2021-05-04T23:51:30+00:00", + "type": "library", + "installation-source": "dist", + "autoload": { + "psr-0": { + "Log": "./" + }, + "exclude-from-classmap": [ + "/examples/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "include-path": [ + "" + ], + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jon Parise", + "email": "jon@php.net", + "homepage": "http://www.indelible.org", + "role": "Developer" + } + ], + "description": "PEAR Logging Framework", + "homepage": "http://pear.github.io/Log/", + "keywords": [ + "log", + "logging" + ], + "support": { + "issues": "https://github.com/pear/Log/issues", + "source": "https://github.com/pear/Log" + }, + "install-path": "../pear/log" + }, + { + "name": "pear/pear_exception", + "version": "v1.0.2", + "version_normalized": "1.0.2.0", + "source": { + "type": "git", + "url": "https://github.com/pear/PEAR_Exception.git", + "reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/pear/PEAR_Exception/zipball/b14fbe2ddb0b9f94f5b24cf08783d599f776fff0", + "reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "<9" + }, + "time": 
"2021-03-21T15:43:46+00:00", + "type": "class", + "extra": { + "branch-alias": { + "dev-master": "1.0.x-dev" + } + }, + "installation-source": "dist", + "autoload": { + "classmap": [ + "PEAR/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "include-path": [ + "." + ], + "license": [ + "BSD-2-Clause" + ], + "authors": [ + { + "name": "Helgi Thormar", + "email": "dufuz@php.net" + }, + { + "name": "Greg Beaver", + "email": "cellog@php.net" + } + ], + "description": "The PEAR Exception base class.", + "homepage": "https://github.com/pear/PEAR_Exception", + "keywords": [ + "exception" + ], + "support": { + "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception", + "source": "https://github.com/pear/PEAR_Exception" + }, + "install-path": "../pear/pear_exception" + } + ], + "dev": true, + "dev-package-names": [] +} diff --git a/pkg/fanal/analyzer/language/php/installed/testdata/sad/installed.json b/pkg/fanal/analyzer/language/php/installed/testdata/sad/installed.json new file mode 100644 index 000000000000..81750b96f9d8 --- /dev/null +++ b/pkg/fanal/analyzer/language/php/installed/testdata/sad/installed.json @@ -0,0 +1 @@ +{ \ No newline at end of file diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go index aea49b4d0fb4..b011bd97575b 100644 --- a/pkg/fanal/types/const.go +++ b/pkg/fanal/types/const.go @@ -64,8 +64,9 @@ const ( YarnLock = "yarn.lock" PnpmLock = "pnpm-lock.yaml" - ComposerLock = "composer.lock" - ComposerJson = "composer.json" + ComposerLock = "composer.lock" + ComposerJson = "composer.json" + ComposerInstalled = "installed.json" PyProject = "pyproject.toml" PipRequirements = "requirements.txt" From bf9ac0955beeac47960a6c420af375e0afbd3d06 Mon Sep 17 00:00:00 2001 
From: DmitriyLewen Date: Wed, 26 Jul 2023 06:55:06 +0600 Subject: [PATCH 02/19] add composer-installed to driver --- pkg/detector/library/driver.go | 2 +- pkg/fanal/types/const.go | 59 +++++++++++++++++----------------- 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go index 1b0c57e40de7..c09a3c808a1a 100644 --- a/pkg/detector/library/driver.go +++ b/pkg/detector/library/driver.go @@ -31,7 +31,7 @@ func NewDriver(libType string) (Driver, bool) { case ftypes.RustBinary, ftypes.Cargo: ecosystem = vulnerability.Cargo comparer = compare.GenericComparer{} - case ftypes.Composer: + case ftypes.Composer, ftypes.ComposerInstalled: ecosystem = vulnerability.Composer comparer = compare.GenericComparer{} case ftypes.GoBinary, ftypes.GoModule: diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go index b011bd97575b..640c0b14cb31 100644 --- a/pkg/fanal/types/const.go +++ b/pkg/fanal/types/const.go 
@@ -7,32 +7,33 @@ const ( const ( // Programming language dependencies - Bundler = "bundler" - GemSpec = "gemspec" - Cargo = "cargo" - Composer = "composer" - Npm = "npm" - NuGet = "nuget" - DotNetCore = "dotnet-core" - Pip = "pip" - Pipenv = "pipenv" - Poetry = "poetry" - CondaPkg = "conda-pkg" - PythonPkg = "python-pkg" - NodePkg = "node-pkg" - Yarn = "yarn" - Pnpm = "pnpm" - Jar = "jar" - Pom = "pom" - Gradle = "gradle" - GoBinary = "gobinary" - GoModule = "gomod" - JavaScript = "javascript" - RustBinary = "rustbinary" - Conan = "conan" - Cocoapods = "cocoapods" - Pub = "pub" - Hex = "hex" + Bundler = "bundler" + GemSpec = "gemspec" + Cargo = "cargo" + Composer = "composer" + ComposerInstalled = "composer-installed" + Npm = "npm" + NuGet = "nuget" + DotNetCore = "dotnet-core" + Pip = "pip" + Pipenv = "pipenv" + Poetry = "poetry" + CondaPkg = "conda-pkg" + PythonPkg = "python-pkg" + NodePkg = "node-pkg" + Yarn = "yarn" + Pnpm = "pnpm" + Jar = "jar" + Pom = "pom" + Gradle = "gradle" + GoBinary = "gobinary" + GoModule = "gomod" + JavaScript = "javascript" + RustBinary = "rustbinary" + Conan = "conan" + Cocoapods = "cocoapods" + Pub = "pub" + Hex = "hex" // Config files YAML = "yaml" @@ -64,9 +65,9 @@ const ( YarnLock = "yarn.lock" PnpmLock = "pnpm-lock.yaml" - ComposerLock = "composer.lock" - ComposerJson = "composer.json" - ComposerInstalled = "installed.json" + ComposerLock = "composer.lock" + ComposerJson = "composer.json" + ComposerInstalledJson = "installed.json" PyProject = "pyproject.toml" PipRequirements = "requirements.txt" From 717eaf9d0fe5e47fbca94d5fa32c2755dda8f3bf Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 26 Jul 2023 06:55:17 +0600 Subject: [PATCH 03/19] use AnalyzePackage --- .../language/php/installed/installed.go | 14 +--- .../language/php/installed/installed_test.go | 65 ++++++++++++++++--- 2 files changed, 57 insertions(+), 22 deletions(-) 
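Review bot: Renaming the file-name constant from `ComposerInstalled` to `ComposerInstalledJson` while introducing a new `ComposerInstalled = "composer-installed"` ecosystem constant silently changes the meaning of `types.ComposerInstalled` for its existing caller: installed.go's Required (outside this hunk, added in the previous patch) still compares the file name against `types.ComposerInstalled`, so this commit compiles but compares against "composer-installed", never matches a real file, and leaves the analyzer dead until the next patch. Either update Required in the same commit or give the ecosystem constant a name that does not collide with one already in use, so every commit in the series builds and works on its own; both constants are untyped strings, so the compiler will not catch the mix-up. The gofmt re-alignment also buries the one meaningful line in ~30 lines of whitespace churn, which is worth a mention in the commit message.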
diff --git a/pkg/fanal/analyzer/language/php/installed/installed.go b/pkg/fanal/analyzer/language/php/installed/installed.go index 187c0a5e223d..49b65a285b62 100644 --- a/pkg/fanal/analyzer/language/php/installed/installed.go +++ b/pkg/fanal/analyzer/language/php/installed/installed.go @@ -4,9 +4,6 @@ import ( "context" "os" "path/filepath" - "strings" - - "golang.org/x/xerrors" "github.com/aquasecurity/go-dep-parser/pkg/php/composer" "github.com/aquasecurity/trivy/pkg/fanal/analyzer" @@ -26,18 +23,11 @@ const ( type composerInstalledAnalyzer struct{} func (a composerInstalledAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { - p := composer.NewParser() - res, err := language.Analyze(types.Composer, input.FilePath, input.Content, p) - if err != nil { - return nil, xerrors.Errorf("%s parse error: %w", input.FilePath, err) - } - return res, nil + return language.AnalyzePackage(types.ComposerInstalled, input.FilePath, input.Content, composer.NewParser(), input.Options.FileChecksum) } func (a composerInstalledAnalyzer) Required(filePath string, _ os.FileInfo) bool { - // installed.json has `path_to_app/vendor/composer/installed.json` file path - dir, fileName := filepath.Split(filePath) - return strings.HasSuffix(dir, "vendor/composer/") && fileName == types.ComposerInstalled + return filepath.Base(filePath) == types.ComposerInstalledJson } func (a composerInstalledAnalyzer) Type() analyzer.Type { diff --git a/pkg/fanal/analyzer/language/php/installed/installed_test.go b/pkg/fanal/analyzer/language/php/installed/installed_test.go index 71c4352c2ce3..873b85a41590 100644 --- a/pkg/fanal/analyzer/language/php/installed/installed_test.go +++ b/pkg/fanal/analyzer/language/php/installed/installed_test.go 
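Review bot: The new Required matches any file named installed.json anywhere in the scanned tree (`filepath.Base(filePath) == types.ComposerInstalledJson`), dropping the `vendor/composer/` directory check the previous version and the docs in this series rely on. Other tooling also writes files with that name, and every such file will now be handed to the composer.lock parser, which at best yields the "decode error" the sad-path test expects and at worst mis-attributes an unrelated manifest as Composer packages — in filesystem scans and in every image layer alike. If the looser match is deliberate (copies installed outside the default path), keep at least the parent directory, re-adding the `strings` import this hunk removes: `dir := filepath.ToSlash(filepath.Dir(filePath))` and `return strings.HasSuffix(dir, "vendor/composer") && filepath.Base(filePath) == types.ComposerInstalledJson`, and restore the removed "without vendor/composer dir" test case as the regression guard.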
@@ -11,10 +11,11 @@ import ( func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { tests := []struct { - name string - inputFile string - want *analyzer.AnalysisResult - wantErr string + name string + inputFile string + includeChecksum bool + want *analyzer.AnalysisResult + wantErr string }{ { name: "happy path", @@ -22,7 +23,7 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { want: &analyzer.AnalysisResult{ Applications: []types.Application{ { - Type: types.Composer, + Type: types.ComposerInstalled, FilePath: "testdata/happy/installed.json", Libraries: []types.Package{ { @@ -31,6 +32,7 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { Version: "1.13.3", Indirect: false, Licenses: []string{"MIT"}, + FilePath: "testdata/happy/installed.json", Locations: []types.Location{ { StartLine: 3, 
@@ -45,6 +47,53 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { Version: "v1.0.2", Indirect: false, Licenses: []string{"BSD-2-Clause"}, + FilePath: "testdata/happy/installed.json", + Locations: []types.Location{ + { + StartLine: 66, + EndLine: 127, + }, + }, + }, + }, + }, + }, + }, + }, + { + name: "happy path with digest", + inputFile: "testdata/happy/installed.json", + includeChecksum: true, + want: &analyzer.AnalysisResult{ + Applications: []types.Application{ + { + Type: types.ComposerInstalled, + FilePath: "testdata/happy/installed.json", + Libraries: []types.Package{ + { + ID: "pear/log@1.13.3", + Name: "pear/log", + Version: "1.13.3", + Indirect: false, + Licenses: []string{"MIT"}, + FilePath: "testdata/happy/installed.json", + Digest: "sha1:2d78baf5784998fcaebf94928bc74d41d83f58b3", + Locations: []types.Location{ + { + StartLine: 3, + EndLine: 65, + }, + }, + DependsOn: []string{"pear/pear_exception@v1.0.2"}, + }, + { + ID: "pear/pear_exception@v1.0.2", + Name: "pear/pear_exception", + Version: "v1.0.2", + Indirect: false, + Licenses: []string{"BSD-2-Clause"}, + FilePath: "testdata/happy/installed.json", + Digest: "sha1:2d78baf5784998fcaebf94928bc74d41d83f58b3", Locations: []types.Location{ { StartLine: 66, @@ -77,6 +126,7 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { got, err := a.Analyze(nil, analyzer.AnalysisInput{ FilePath: tt.inputFile, Content: f, + Options: analyzer.AnalysisOptions{FileChecksum: tt.includeChecksum}, }) if tt.wantErr != "" { @@ -101,11 +151,6 @@ func Test_composerInstalledAnalyzer_Required(t *testing.T) { filePath: "app/vendor/composer/installed.json", want: true, }, - { - name: "without `vendor/composer` dir", - filePath: "installed.json", - want: false, - }, { name: "sad path", filePath: "composer.json", From ce26e25c705ec7a4d7e451d140bf2a56933fbcc8 Mon Sep 17 00:00:00 2001 
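Review bot: In the new "happy path with digest" case both packages carry the identical `Digest: "sha1:2d78baf5784998fcaebf94928bc74d41d83f58b3"`, which shows that the checksum produced through `AnalyzePackage` is the digest of the manifest file, not of the package it is attached to. That is meaningful for single-artifact analyzers such as jar or wheel files, but for a multi-package installed.json every entry gets the same value and a consumer cannot use it to identify or verify a package. Either leave `FileChecksum` unused for this analyzer or add a comment to the test case stating that the digest is per-file, e.g. `// Digest is the sha1 of installed.json itself, so every package in the file shares it.`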
From: DmitriyLewen Date: Wed, 26 Jul 2023 06:55:24 +0600 Subject: [PATCH 04/19] add integration test --- integration/fs_test.go | 10 + .../testdata/composer.installed.json.golden | 110 +++++++++ .../fs/composer-installed/installed.json | 222 ++++++++++++++++++ 3 files changed, 342 insertions(+) create mode 100644 integration/testdata/composer.installed.json.golden create mode 100644 integration/testdata/fixtures/fs/composer-installed/installed.json diff --git a/integration/fs_test.go b/integration/fs_test.go index 61a1cf49ac85..eeaa434e38d5 100644 --- a/integration/fs_test.go +++ b/integration/fs_test.go @@ -207,6 +207,16 @@ func TestFilesystem(t *testing.T) { }, golden: "testdata/composer.lock.json.golden", }, + { + name: "installed.json", + args: args{ + command: "rootfs", + scanner: types.VulnerabilityScanner, + listAllPkgs: true, + input: "testdata/fixtures/fs/composer-installed", + }, + golden: "testdata/composer.installed.json.golden", + }, { name: "dockerfile", args: args{ diff --git a/integration/testdata/composer.installed.json.golden b/integration/testdata/composer.installed.json.golden new file mode 100644 index 000000000000..906bbc7f7b7b --- /dev/null +++ b/integration/testdata/composer.installed.json.golden 
@@ -0,0 +1,110 @@ +{ + "SchemaVersion": 2, + "ArtifactName": "testdata/fixtures/fs/composer-installed", + "ArtifactType": "filesystem", + "Metadata": { + "ImageConfig": { + "architecture": "", + "created": "0001-01-01T00:00:00Z", + "os": "", + "rootfs": { + "type": "", + "diff_ids": null + }, + "config": {} + } + }, + "Results": [ + { + "Target": "installed.json", + "Class": "lang-pkgs", + "Type": "composer-installed", + "Packages": [ + { + "ID": "guzzlehttp/psr7@1.8.3", + "Name": "guzzlehttp/psr7", + "Version": "1.8.3", + "Licenses": [ + "MIT" + ], + "DependsOn": [ + "psr/http-message@1.1", + "ralouphie/getallheaders@3.0.3" + ], + "Layer": {}, + "Locations": [ + { + "StartLine": 3, + "EndLine": 115 + } + ] + }, + { + "ID": "psr/http-message@1.1", + "Name": "psr/http-message", + "Version": "1.1", + "Licenses": [ + "MIT" + ], + "Layer": {}, + "Locations": [ + { + "StartLine": 116, + "EndLine": 171 + } + ] + }, + { + "ID": "ralouphie/getallheaders@3.0.3", + "Name": "ralouphie/getallheaders", + "Version": "3.0.3", + "Licenses": [ + "MIT" + ], + "Layer": {}, + "Locations": [ + { + "StartLine": 172, + "EndLine": 218 + } + ] + } + ], + "Vulnerabilities": [ + { + "VulnerabilityID": "CVE-2022-24775", + "PkgID": "guzzlehttp/psr7@1.8.3", + "PkgName": "guzzlehttp/psr7", + "InstalledVersion": "1.8.3", + "FixedVersion": "1.8.4", + "Layer": {}, + "SeveritySource": "ghsa", + "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24775", + "DataSource": { + "ID": "ghsa", + "Name": "GitHub Security Advisory Composer", + "URL": "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer" + }, + "Title": "Improper Input Validation in guzzlehttp/psr7", + "Description": "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. 
\n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n", + "Severity": "HIGH", + "CweIDs": [ + "CWE-20" + ], + "CVSS": { + "ghsa": { + "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "V3Score": 7.5 + } + }, + "References": [ + "https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24775" + ], + "PublishedDate": "2022-03-25T19:26:33Z", + "LastModifiedDate": "2022-06-14T20:02:29Z" + } + ] + } + ] +} diff --git a/integration/testdata/fixtures/fs/composer-installed/installed.json b/integration/testdata/fixtures/fs/composer-installed/installed.json new file mode 100644 index 000000000000..532876cd7ff5 --- /dev/null +++ b/integration/testdata/fixtures/fs/composer-installed/installed.json 
@@ -0,0 +1,222 @@ +{ + "packages": [ + { + "name": "guzzlehttp/psr7", + "version": "1.8.3", + "version_normalized": "1.8.3.0", + "source": { + "type": "git", + "url": "https://github.com/guzzle/psr7.git", + "reference": "1afdd860a2566ed3c2b0b4a3de6e23434a79ec85" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/guzzle/psr7/zipball/1afdd860a2566ed3c2b0b4a3de6e23434a79ec85", + "reference": "1afdd860a2566ed3c2b0b4a3de6e23434a79ec85", + "shasum": "" + }, + "require": { + "php": ">=5.4.0", + "psr/http-message": "~1.0", + "ralouphie/getallheaders": "^2.0.5 || ^3.0.0" + }, + "provide": { + "psr/http-message-implementation": "1.0" + }, + "require-dev": { + "ext-zlib": "*", + "phpunit/phpunit": "~4.8.36 || ^5.7.27 || ^6.5.14 || ^7.5.20 || ^8.5.8 || ^9.3.10" + }, + "suggest": { + "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses" + }, + "time": "2021-10-05T13:56:00+00:00", + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.7-dev" + } + }, + "installation-source": "dist", + "autoload": { + "files": [ + "src/functions_include.php" + ], + "psr-4": { + "GuzzleHttp\\Psr7\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Graham Campbell", + "email": "hello@gjcampbell.co.uk", + "homepage": "https://github.com/GrahamCampbell" + }, + { + "name": "Michael Dowling", + "email": "mtdowling@gmail.com", + "homepage": "https://github.com/mtdowling" + }, + { + "name": "George Mponos", + "email": "gmponos@gmail.com", + "homepage": "https://github.com/gmponos" + }, + { + "name": "Tobias Nyholm", + "email": "tobias.nyholm@gmail.com", + "homepage": "https://github.com/Nyholm" + }, + { + "name": "Márk Sági-Kazár", + "email": "mark.sagikazar@gmail.com", + "homepage": "https://github.com/sagikazarmark" + }, + { + "name": "Tobias Schultze", + "email": "webmaster@tubo-world.de", + "homepage": "https://github.com/Tobion" + } + ], + "description": "PSR-7 message 
implementation that also provides common utility methods", + "keywords": [ + "http", + "message", + "psr-7", + "request", + "response", + "stream", + "uri", + "url" + ], + "support": { + "issues": "https://github.com/guzzle/psr7/issues", + "source": "https://github.com/guzzle/psr7/tree/1.8.3" + }, + "funding": [ + { + "url": "https://github.com/GrahamCampbell", + "type": "github" + }, + { + "url": "https://github.com/Nyholm", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/guzzlehttp/psr7", + "type": "tidelift" + } + ], + "install-path": "../guzzlehttp/psr7" + }, + { + "name": "psr/http-message", + "version": "1.1", + "version_normalized": "1.1.0.0", + "source": { + "type": "git", + "url": "https://github.com/php-fig/http-message.git", + "reference": "cb6ce4845ce34a8ad9e68117c10ee90a29919eba" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/php-fig/http-message/zipball/cb6ce4845ce34a8ad9e68117c10ee90a29919eba", + "reference": "cb6ce4845ce34a8ad9e68117c10ee90a29919eba", + "shasum": "" + }, + "require": { + "php": "^7.2 || ^8.0" + }, + "time": "2023-04-04T09:50:52+00:00", + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.1.x-dev" + } + }, + "installation-source": "dist", + "autoload": { + "psr-4": { + "Psr\\Http\\Message\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "PHP-FIG", + "homepage": "http://www.php-fig.org/" + } + ], + "description": "Common interface for HTTP messages", + "homepage": "https://github.com/php-fig/http-message", + "keywords": [ + "http", + "http-message", + "psr", + "psr-7", + "request", + "response" + ], + "support": { + "source": "https://github.com/php-fig/http-message/tree/1.1" + }, + "install-path": "../psr/http-message" + }, + { + "name": "ralouphie/getallheaders", + "version": "3.0.3", + "version_normalized": "3.0.3.0", + "source": { + "type": "git", + "url": 
"https://github.com/ralouphie/getallheaders.git", + "reference": "120b605dfeb996808c31b6477290a714d356e822" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/ralouphie/getallheaders/zipball/120b605dfeb996808c31b6477290a714d356e822", + "reference": "120b605dfeb996808c31b6477290a714d356e822", + "shasum": "" + }, + "require": { + "php": ">=5.6" + }, + "require-dev": { + "php-coveralls/php-coveralls": "^2.1", + "phpunit/phpunit": "^5 || ^6.5" + }, + "time": "2019-03-08T08:55:37+00:00", + "type": "library", + "installation-source": "dist", + "autoload": { + "files": [ + "src/getallheaders.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Ralph Khattar", + "email": "ralph.khattar@gmail.com" + } + ], + "description": "A polyfill for getallheaders.", + "support": { + "issues": "https://github.com/ralouphie/getallheaders/issues", + "source": "https://github.com/ralouphie/getallheaders/tree/develop" + }, + "install-path": "../ralouphie/getallheaders" + } + ], + "dev": true, + "dev-package-names": [] +} From 8ed7fc467c406a68854848ca9b55fb6347850ceb Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 26 Jul 2023 07:05:31 +0600 Subject: [PATCH 05/19] fix test --- integration/testdata/composer.installed.json.golden | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/integration/testdata/composer.installed.json.golden b/integration/testdata/composer.installed.json.golden index 906bbc7f7b7b..3341627a068e 100644 --- a/integration/testdata/composer.installed.json.golden +++ b/integration/testdata/composer.installed.json.golden @@ -32,6 +32,7 @@ "ralouphie/getallheaders@3.0.3" ], "Layer": {}, + "FilePath": "installed.json", "Locations": [ { "StartLine": 3, @@ -47,6 +48,7 @@ "MIT" ], "Layer": {}, + "FilePath": "installed.json", "Locations": [ { "StartLine": 116, @@ -62,6 +64,7 @@ "MIT" ], "Layer": {}, + "FilePath": "installed.json", "Locations": [ { "StartLine": 172, 
@@ -75,6 +78,7 @@ "VulnerabilityID": "CVE-2022-24775", "PkgID": "guzzlehttp/psr7@1.8.3", "PkgName": "guzzlehttp/psr7", + "PkgPath": "installed.json", "InstalledVersion": "1.8.3", "FixedVersion": "1.8.4", "Layer": {}, From a63ad684a2a94e1c87e0df0ee0abe3bd68e81267 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 26 Jul 2023 07:05:38 +0600 Subject: [PATCH 06/19] update docs --- docs/docs/scanner/vulnerability/language/index.md | 1 + docs/docs/scanner/vulnerability/language/php.md | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/docs/scanner/vulnerability/language/index.md b/docs/docs/scanner/vulnerability/language/index.md index 7190bc2b01f1..bf86c409fc92 100644 --- a/docs/docs/scanner/vulnerability/language/index.md +++ b/docs/docs/scanner/vulnerability/language/index.md @@ -14,6 +14,7 @@ | | egg package[^1] | ✅ | ✅ | - | - | excluded | - | | | wheel package[^2] | ✅ | ✅ | - | - | excluded | - | | [PHP](php.md) | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded | ✅ | +| | installed.json | ✅ | ✅ | - | - | excluded | ✅ | | [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ | [excluded](./nodejs.md#npm) | ✅ | | | yarn.lock | - | - | ✅ | ✅ | [excluded](./nodejs.md#yarn) | ✅ | | | pnpm-lock.yaml | - | - | ✅ | ✅ | excluded | - | diff --git a/docs/docs/scanner/vulnerability/language/php.md b/docs/docs/scanner/vulnerability/language/php.md index 129e91b4c233..ddd5754999fc 100644 --- a/docs/docs/scanner/vulnerability/language/php.md +++ b/docs/docs/scanner/vulnerability/language/php.md 
@@ -4,15 +4,19 @@ Trivy supports [Composer][composer], which is a tool for dependency management i The following table provides an outline of the features Trivy offers. -| Package Manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License | -|-----------------|---------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:| -| Composer | composer.lock | ✅ | Excluded | ✅ | ✅ | ✅ | +| Package Manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License | +|-----------------|----------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:| +| Composer | composer.lock | ✅ | Excluded | ✅ | ✅ | ✅ | +| Composer | installed.json | ✅ | Excluded | - | ✅ | ✅ | -## Composer +## composer.lock In order to detect dependencies, Trivy searches for `composer.lock`. Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project. Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`. If you want to see the dependency tree, please ensure that `composer.json` is present. +## installed.json +Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`. + [composer]: https://getcomposer.org/ \ No newline at end of file From e7eeb0dd9d24043774fde8252ff53da78c6d5452 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 26 Jul 2023 07:37:33 +0600 Subject: [PATCH 07/19] refactor --- .../testdata/composer.installed.json.golden | 4 -- .../language/php/installed/installed.go | 2 +- .../language/php/installed/installed_test.go | 60 ++----------------- 3 files changed, 6 insertions(+), 60 deletions(-) 
diff --git a/integration/testdata/composer.installed.json.golden b/integration/testdata/composer.installed.json.golden index 3341627a068e..906bbc7f7b7b 100644 --- a/integration/testdata/composer.installed.json.golden +++ b/integration/testdata/composer.installed.json.golden @@ -32,7 +32,6 @@ "ralouphie/getallheaders@3.0.3" ], "Layer": {}, - "FilePath": "installed.json", "Locations": [ { "StartLine": 3, @@ -48,7 +47,6 @@ "MIT" ], "Layer": {}, - "FilePath": "installed.json", "Locations": [ { "StartLine": 116, @@ -64,7 +62,6 @@ "MIT" ], "Layer": {}, - "FilePath": "installed.json", "Locations": [ { "StartLine": 172, @@ -78,7 +75,6 @@ "VulnerabilityID": "CVE-2022-24775", "PkgID": "guzzlehttp/psr7@1.8.3", "PkgName": "guzzlehttp/psr7", - "PkgPath": "installed.json", "InstalledVersion": "1.8.3", "FixedVersion": "1.8.4", "Layer": {}, diff --git a/pkg/fanal/analyzer/language/php/installed/installed.go b/pkg/fanal/analyzer/language/php/installed/installed.go index 49b65a285b62..3e1c1633442e 100644 --- a/pkg/fanal/analyzer/language/php/installed/installed.go +++ b/pkg/fanal/analyzer/language/php/installed/installed.go @@ -23,7 +23,7 @@ const ( type composerInstalledAnalyzer struct{} func (a composerInstalledAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) { - return language.AnalyzePackage(types.ComposerInstalled, input.FilePath, input.Content, composer.NewParser(), input.Options.FileChecksum) + return language.Analyze(types.ComposerInstalled, input.FilePath, input.Content, composer.NewParser()) } func (a composerInstalledAnalyzer) Required(filePath string, _ os.FileInfo) bool { diff --git a/pkg/fanal/analyzer/language/php/installed/installed_test.go b/pkg/fanal/analyzer/language/php/installed/installed_test.go index 873b85a41590..ef5d38c74a26 100644 --- a/pkg/fanal/analyzer/language/php/installed/installed_test.go +++ b/pkg/fanal/analyzer/language/php/installed/installed_test.go 
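Review bot: Reusing the composer.lock parser on installed.json leaves dev-dependency handling unstated in the analyzer: Composer 2 writes dev packages into the same `packages` array and marks them only through `dev-package-names` (both fixtures in this series carry `"dev": true, "dev-package-names": []`), a key a composer.lock parser has no reason to read, so installed dev packages would presumably be reported as regular dependencies, contrary to the "Dev dependencies: Excluded" entry the docs in this series give installed.json. Either filter `packages` by `dev-package-names` before handing them on, or correct the docs and add a fixture with a non-empty `dev-package-names` that pins whichever behaviour is intended. The type comment just above the hunk would also benefit from stating the supported layout, since if I recall correctly Composer 1 wrote installed.json as a bare top-level array, which this parser would reject with the same decode error as the sad-path fixture: `// composerInstalledAnalyzer analyzes 'installed.json' in the Composer 2 layout ({"packages": [...]}); Composer 1 files (a bare array) are not parsed.`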
@@ -11,11 +11,10 @@ import ( func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { tests := []struct { - name string - inputFile string - includeChecksum bool - want *analyzer.AnalysisResult - wantErr string + name string + inputFile string + want *analyzer.AnalysisResult + wantErr string }{ { name: "happy path", @@ -32,7 +31,6 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { Version: "1.13.3", Indirect: false, Licenses: []string{"MIT"}, - FilePath: "testdata/happy/installed.json", Locations: []types.Location{ { StartLine: 3, @@ -47,7 +45,6 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { Version: "v1.0.2", Indirect: false, Licenses: []string{"BSD-2-Clause"}, - FilePath: "testdata/happy/installed.json", Locations: []types.Location{ { StartLine: 66, 
@@ -61,53 +58,7 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { }, }, { - name: "happy path with digest", - inputFile: "testdata/happy/installed.json", - includeChecksum: true, - want: &analyzer.AnalysisResult{ - Applications: []types.Application{ - { - Type: types.ComposerInstalled, - FilePath: "testdata/happy/installed.json", - Libraries: []types.Package{ - { - ID: "pear/log@1.13.3", - Name: "pear/log", - Version: "1.13.3", - Indirect: false, - Licenses: []string{"MIT"}, - FilePath: "testdata/happy/installed.json", - Digest: "sha1:2d78baf5784998fcaebf94928bc74d41d83f58b3", - Locations: []types.Location{ - { - StartLine: 3, - EndLine: 65, - }, - }, - DependsOn: []string{"pear/pear_exception@v1.0.2"}, - }, - { - ID: "pear/pear_exception@v1.0.2", - Name: "pear/pear_exception", - Version: "v1.0.2", - Indirect: false, - Licenses: []string{"BSD-2-Clause"}, - FilePath: "testdata/happy/installed.json", - Digest: "sha1:2d78baf5784998fcaebf94928bc74d41d83f58b3", - Locations: []types.Location{ - { - StartLine: 66, - EndLine: 127, - }, - }, - }, - }, - }, - }, - }, - }, - { - name: "broken installed.lock", + name: "sad path", inputFile: "testdata/sad/installed.json", wantErr: "decode error", }, @@ -126,7 +77,6 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { got, err := a.Analyze(nil, analyzer.AnalysisInput{ FilePath: tt.inputFile, Content: f, - Options: analyzer.AnalysisOptions{FileChecksum: tt.includeChecksum}, }) if tt.wantErr != "" { From d62765a6b1b41b7cae1393c0af02f508be7fd89e Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 27 Jul 2023 10:33:58 +0600 Subject: [PATCH 08/19] scan composer.lock only in fs and repo modes --- docs/docs/scanner/vulnerability/language/index.md | 2 +- pkg/fanal/analyzer/const.go | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/docs/scanner/vulnerability/language/index.md b/docs/docs/scanner/vulnerability/language/index.md index bf86c409fc92..83eaafc7de5d 100644 
--- a/docs/docs/scanner/vulnerability/language/index.md +++ b/docs/docs/scanner/vulnerability/language/index.md @@ -13,7 +13,7 @@ | | requirements.txt | - | - | ✅ | ✅ | included | - | | | egg package[^1] | ✅ | ✅ | - | - | excluded | - | | | wheel package[^2] | ✅ | ✅ | - | - | excluded | - | -| [PHP](php.md) | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded | ✅ | +| [PHP](php.md) | composer.lock | - | - | ✅ | ✅ | excluded | ✅ | | | installed.json | ✅ | ✅ | - | - | excluded | ✅ | | [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ | [excluded](./nodejs.md#npm) | ✅ | | | yarn.lock | - | - | ✅ | ✅ | [excluded](./nodejs.md#yarn) | ✅ | diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go index 9e04665427c0..144e1697fca8 100644 --- a/pkg/fanal/analyzer/const.go +++ b/pkg/fanal/analyzer/const.go @@ -201,6 +201,7 @@ var ( TypeCocoaPods, TypePubSpecLock, TypeMixLock, + TypeComposer, } // TypeIndividualPkgs has all analyzers for individual packages From 46084c312319fe519a843bd26d2f43d62282f6ed Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 27 Jul 2023 11:35:36 +0600 Subject: [PATCH 09/19] update test installed golden file --- integration/testdata/composer.installed.json.golden | 1 + 1 file changed, 1 insertion(+) diff --git a/integration/testdata/composer.installed.json.golden b/integration/testdata/composer.installed.json.golden index 906bbc7f7b7b..2e698aa0483c 100644 --- a/integration/testdata/composer.installed.json.golden +++ b/integration/testdata/composer.installed.json.golden @@ -77,6 +77,7 @@ "PkgName": "guzzlehttp/psr7", "InstalledVersion": "1.8.3", "FixedVersion": "1.8.4", + "Status": "fixed", "Layer": {}, "SeveritySource": "ghsa", "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24775", From a7a7b764f612854e39241c5627c9177a335d35f9 Mon Sep 17 00:00:00 2001 
From: DmitriyLewen Date: Wed, 23 Aug 2023 11:41:54 +0600 Subject: [PATCH 10/19] docs: update language overview page after merge main branch --- docs/docs/coverage/language/index.md | 5 +++-- docs/docs/scanner/vulnerability/language/index.md | 0 2 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 docs/docs/scanner/vulnerability/language/index.md diff --git a/docs/docs/coverage/language/index.md b/docs/docs/coverage/language/index.md index ef45c8d25b1e..c82b15d690ed 100644 --- a/docs/docs/coverage/language/index.md +++ b/docs/docs/coverage/language/index.md @@ -17,7 +17,7 @@ If the target is a pre-build project, like a code repository, Trivy will analyze On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on. | Language | File | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] | -| -------------------- | ------------------------------------------------------------------------------------------ | :-------: | :--------: | :------------: | :------------: | +|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:| | [Ruby](ruby.md) | Gemfile.lock | - | - | ✅ | ✅ | | | gemspec | ✅ | ✅ | - | - | | [Python](python.md) | Pipfile.lock | - | - | ✅ | ✅ | @@ -26,7 +26,8 @@ On the other hand, when the target is a post-build artifact, like a container im | | egg package[^1] | ✅ | ✅ | - | - | | | wheel package[^2] | ✅ | ✅ | - | - | | | conda package[^3] | ✅ | ✅ | - | - | -| [PHP](php.md) | composer.lock | ✅ | ✅ | ✅ | ✅ | +| [PHP](php.md) | composer.lock | - | - | ✅ | ✅ | +| | installed.json | ✅ | ✅ | - | - | | [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ | | | yarn.lock | - | - | ✅ | ✅ | | | pnpm-lock.yaml | - | - | ✅ | ✅ | 
diff --git a/docs/docs/scanner/vulnerability/language/index.md b/docs/docs/scanner/vulnerability/language/index.md deleted file mode 100644 index e69de29bb2d1..000000000000 From 7d4aeeadd8012f87595d94219cd4197aef18de7d Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 29 Aug 2023 16:26:44 +0600 Subject: [PATCH 11/19] move integration test fixture from fs to repo --- integration/repo_test.go | 2 +- integration/testdata/composer.installed.json.golden | 2 +- .../fixtures/{fs => repo}/composer-installed/installed.json | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename integration/testdata/fixtures/{fs => repo}/composer-installed/installed.json (100%) diff --git a/integration/repo_test.go b/integration/repo_test.go index 091b5e7aacb9..c0c7bbd104cd 100644 --- a/integration/repo_test.go +++ b/integration/repo_test.go @@ -226,7 +226,7 @@ func TestRepository(t *testing.T) { command: "rootfs", scanner: types.VulnerabilityScanner, listAllPkgs: true, - input: "testdata/fixtures/fs/composer-installed", + input: "testdata/fixtures/repo/composer-installed", }, golden: "testdata/composer.installed.json.golden", }, diff --git a/integration/testdata/composer.installed.json.golden b/integration/testdata/composer.installed.json.golden index 2e698aa0483c..58b522ce6a1e 100644 --- a/integration/testdata/composer.installed.json.golden +++ b/integration/testdata/composer.installed.json.golden @@ -1,6 +1,6 @@ { "SchemaVersion": 2, - "ArtifactName": "testdata/fixtures/fs/composer-installed", + "ArtifactName": "testdata/fixtures/repo/composer-installed", "ArtifactType": "filesystem", "Metadata": { "ImageConfig": { diff --git a/integration/testdata/fixtures/fs/composer-installed/installed.json b/integration/testdata/fixtures/repo/composer-installed/installed.json similarity index 100% rename from integration/testdata/fixtures/fs/composer-installed/installed.json rename to integration/testdata/fixtures/repo/composer-installed/installed.json 
From db74b905b28f8e4c19fd535d93ebdee6b42e9b51 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 30 Oct 2023 09:54:54 +0600 Subject: [PATCH 12/19] fix: add missed `ComposerInstalled` const --- pkg/fanal/types/const.go | 57 ++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 28 deletions(-) diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go index b9d4888f8887..bb292ff700bd 100644 --- a/pkg/fanal/types/const.go +++ b/pkg/fanal/types/const.go 
@@ -43,34 +43,35 @@ const ( // Programming language dependencies const ( - Bundler LangType = "bundler" - GemSpec LangType = "gemspec" - Cargo LangType = "cargo" - Composer LangType = "composer" - Npm LangType = "npm" - NuGet LangType = "nuget" - DotNetCore LangType = "dotnet-core" - Pip LangType = "pip" - Pipenv LangType = "pipenv" - Poetry LangType = "poetry" - CondaPkg LangType = "conda-pkg" - PythonPkg LangType = "python-pkg" - NodePkg LangType = "node-pkg" - Yarn LangType = "yarn" - Pnpm LangType = "pnpm" - Jar LangType = "jar" - Pom LangType = "pom" - Gradle LangType = "gradle" - GoBinary LangType = "gobinary" - GoModule LangType = "gomod" - JavaScript LangType = "javascript" - RustBinary LangType = "rustbinary" - Conan LangType = "conan" - Cocoapods LangType = "cocoapods" - Swift LangType = "swift" - Pub LangType = "pub" - Hex LangType = "hex" - Bitnami LangType = "bitnami" + Bundler LangType = "bundler" + GemSpec LangType = "gemspec" + Cargo LangType = "cargo" + Composer LangType = "composer" + ComposerInstalled LangType = "composer-installed" + Npm LangType = "npm" + NuGet LangType = "nuget" + DotNetCore LangType = "dotnet-core" + Pip LangType = "pip" + Pipenv LangType = "pipenv" + Poetry LangType = "poetry" + CondaPkg LangType = "conda-pkg" + PythonPkg LangType = "python-pkg" + NodePkg LangType = "node-pkg" + Yarn LangType = "yarn" + Pnpm LangType = "pnpm" + Jar LangType = "jar" + Pom LangType = "pom" + Gradle LangType = "gradle" + GoBinary LangType = "gobinary" + GoModule LangType = "gomod" + JavaScript LangType = "javascript" + RustBinary LangType = "rustbinary" + Conan LangType = "conan" + Cocoapods LangType = "cocoapods" + Swift LangType = "swift" + Pub LangType = "pub" + Hex LangType = "hex" + Bitnami LangType = "bitnami" K8sUpstream LangType = "kubernetes" EKS LangType = "eks" // Amazon Elastic Kubernetes Service From 21e3707ccbd836a8073d35f9933d1a8ab020ff0e Mon Sep 17 00:00:00 2001 
From: DmitriyLewen Date: Mon, 30 Oct 2023 09:59:59 +0600 Subject: [PATCH 13/19] update purl --- pkg/purl/purl.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/purl/purl.go b/pkg/purl/purl.go index a7bbbbfef6b3..01ba2b6fa377 100644 --- a/pkg/purl/purl.go +++ b/pkg/purl/purl.go @@ -428,6 +428,8 @@ func purlType(t ftypes.TargetType) string { return packageurl.TypeHex case ftypes.Conan: return packageurl.TypeConan + case ftypes.Composer, ftypes.ComposerInstalled: + return packageurl.TypeComposer case ftypes.Pub: return TypeDart // TODO: replace with packageurl.TypeDart once they add it. case ftypes.RustBinary, ftypes.Cargo: From d9a108a0f4038af5815928620f646b6e40107efe Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 26 Mar 2024 11:25:03 +0600 Subject: [PATCH 14/19] fix import --- pkg/fanal/analyzer/language/php/installed/installed.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/fanal/analyzer/language/php/installed/installed.go b/pkg/fanal/analyzer/language/php/installed/installed.go index 3e1c1633442e..261e7e5d50e3 100644 --- a/pkg/fanal/analyzer/language/php/installed/installed.go +++ b/pkg/fanal/analyzer/language/php/installed/installed.go @@ -5,7 +5,7 @@ import ( "os" "path/filepath" - "github.com/aquasecurity/go-dep-parser/pkg/php/composer" + "github.com/aquasecurity/trivy/pkg/dependency/parser/php/composer" "github.com/aquasecurity/trivy/pkg/fanal/analyzer" "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language" "github.com/aquasecurity/trivy/pkg/fanal/types" From c2650afba0e9381a03e9a0c4d776bceea620d335 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 26 Mar 2024 11:25:14 +0600 Subject: [PATCH 15/19] test(integration): update golden file --- .../testdata/composer.installed.json.golden | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/integration/testdata/composer.installed.json.golden b/integration/testdata/composer.installed.json.golden index 58b522ce6a1e..f5b4547dcfd7 100644 
--- a/integration/testdata/composer.installed.json.golden +++ b/integration/testdata/composer.installed.json.golden @@ -1,5 +1,6 @@ { "SchemaVersion": 2, + "CreatedAt": "2021-08-25T12:20:30.000000005Z", "ArtifactName": "testdata/fixtures/repo/composer-installed", "ArtifactType": "filesystem", "Metadata": { @@ -23,6 +24,9 @@ { "ID": "guzzlehttp/psr7@1.8.3", "Name": "guzzlehttp/psr7", + "Identifier": { + "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3" + }, "Version": "1.8.3", "Licenses": [ "MIT" @@ -42,6 +46,9 @@ { "ID": "psr/http-message@1.1", "Name": "psr/http-message", + "Identifier": { + "PURL": "pkg:composer/psr/http-message@1.1" + }, "Version": "1.1", "Licenses": [ "MIT" @@ -57,6 +64,9 @@ { "ID": "ralouphie/getallheaders@3.0.3", "Name": "ralouphie/getallheaders", + "Identifier": { + "PURL": "pkg:composer/ralouphie/getallheaders@3.0.3" + }, "Version": "3.0.3", "Licenses": [ "MIT" @@ -75,6 +85,9 @@ "VulnerabilityID": "CVE-2022-24775", "PkgID": "guzzlehttp/psr7@1.8.3", "PkgName": "guzzlehttp/psr7", + "PkgIdentifier": { + "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3" + }, "InstalledVersion": "1.8.3", "FixedVersion": "1.8.4", "Status": "fixed", @@ -92,6 +105,9 @@ "CweIDs": [ "CWE-20" ], + "VendorSeverity": { + "ghsa": 3 + }, "CVSS": { "ghsa": { "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", From fc5c30629c13e70c433cad1b763baa7e90214cf7 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 24 Jun 2024 16:02:57 +0600 Subject: [PATCH 16/19] fix: add required changes after rebase --- .../scanner/vulnerability/language/index.md | 0 pkg/fanal/types/const.go | 66 +++++++++---------- pkg/purl/purl.go | 2 + 3 files changed, 35 insertions(+), 33 deletions(-) delete mode 100644 docs/docs/scanner/vulnerability/language/index.md diff --git a/docs/docs/scanner/vulnerability/language/index.md b/docs/docs/scanner/vulnerability/language/index.md deleted file mode 100644 index e69de29bb2d1..000000000000 
diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go
index c668d2bf9a40..f83e5433c01c 100644
--- a/pkg/fanal/types/const.go
+++ b/pkg/fanal/types/const.go
@@ -14,7 +14,7 @@ type (
 ConfigType = TargetType
 )
- const (
+const (
 ArtifactJSONSchemaVersion = 1
 BlobJSONSchemaVersion = 2
 )
@@ -43,39 +43,39 @@ const ( // Programming language dependencies const ( - Bundler LangType = "bundler" - GemSpec LangType = "gemspec" - Cargo LangType = "cargo" - Composer LangType = "composer" + Bundler LangType = "bundler" + GemSpec LangType = "gemspec" + Cargo LangType = "cargo" + Composer LangType = "composer" ComposerInstalled LangType = "composer-installed" - Npm LangType = "npm" - NuGet LangType = "nuget" - DotNetCore LangType = "dotnet-core" - PackagesProps LangType = "packages-props" - Pip LangType = "pip" - Pipenv LangType = "pipenv" - Poetry LangType = "poetry" - CondaPkg LangType = "conda-pkg" - CondaEnv LangType = "conda-environment" - PythonPkg LangType = "python-pkg" - NodePkg LangType = "node-pkg" - Yarn LangType = "yarn" - Pnpm LangType = "pnpm" - Jar LangType = "jar" - Pom LangType = "pom" - Gradle LangType = "gradle" - Sbt LangType = "sbt" - GoBinary LangType = "gobinary" - GoModule LangType = "gomod" - JavaScript LangType = "javascript" - RustBinary LangType = "rustbinary" - Conan LangType = "conan" - Cocoapods LangType = "cocoapods" - Swift LangType = "swift" - Pub LangType = "pub" - Hex LangType = "hex" - Bitnami LangType = "bitnami" - Julia LangType = "julia" + Npm LangType = "npm" + NuGet LangType = "nuget" + DotNetCore LangType = "dotnet-core" + PackagesProps LangType = "packages-props" + Pip LangType = "pip" + Pipenv LangType = "pipenv" + Poetry LangType = "poetry" + CondaPkg LangType = "conda-pkg" + CondaEnv LangType = "conda-environment" + PythonPkg LangType = "python-pkg" + NodePkg LangType = "node-pkg" + Yarn LangType = "yarn" + Pnpm LangType = "pnpm" + Jar LangType = "jar" + Pom LangType = "pom" + Gradle LangType = "gradle" + Sbt LangType = "sbt" + GoBinary LangType = "gobinary" + GoModule LangType = "gomod" + JavaScript LangType = "javascript" + RustBinary LangType = "rustbinary" + Conan LangType = "conan" + Cocoapods LangType = "cocoapods" + Swift LangType = "swift" + Pub LangType = "pub" + Hex LangType = "hex" + Bitnami LangType = 
"bitnami" + Julia LangType = "julia" K8sUpstream LangType = "kubernetes" EKS LangType = "eks" // Amazon Elastic Kubernetes Service diff --git a/pkg/purl/purl.go b/pkg/purl/purl.go index 1ccf39c8530a..c9692504b29b 100644 --- a/pkg/purl/purl.go +++ b/pkg/purl/purl.go @@ -448,6 +448,8 @@ func purlType(t ftypes.TargetType) string { return packageurl.TypeGem case ftypes.NuGet, ftypes.DotNetCore, ftypes.PackagesProps: return packageurl.TypeNuget + case ftypes.Composer, ftypes.ComposerInstalled: + return packageurl.TypeComposer case ftypes.CondaPkg, ftypes.CondaEnv: return packageurl.TypeConda case ftypes.PythonPkg, ftypes.Pip, ftypes.Pipenv, ftypes.Poetry: From c84e523e16db53dc6653fc51061011ebdf5eb93d Mon Sep 17 00:00:00 2001 
From: DmitriyLewen Date: Mon, 24 Jun 2024 16:33:06 +0600 Subject: [PATCH 17/19] refactor: use `composer` pkg + rename to `vendor` --- integration/repo_test.go | 4 +- ...son.golden => composer.vendor.json.golden} | 16 ++- .../installed.json | 0 pkg/detector/library/driver.go | 2 +- pkg/fanal/analyzer/all/import.go | 1 - pkg/fanal/analyzer/const.go | 6 +- .../language/php/composer/composer.go | 4 +- .../language/php/composer/composer_test.go | 8 +- .../{ => composer}/happy/composer.json | 0 .../{ => composer}/happy/composer.lock | 0 .../no-composer-json/composer.lock | 0 .../testdata/{ => composer}/sad/composer.lock | 0 .../wrong-composer-json/composer.json | 0 .../wrong-composer-json/composer.lock | 0 .../analyzer/language/php/composer/vendor.go | 39 ++++++ .../vendor_test.go} | 36 ++--- .../language/php/installed/installed.go | 39 ------ .../installed/testdata/happy/installed.json | 131 ------------------ .../php/installed/testdata/sad/installed.json | 1 - pkg/fanal/types/const.go | 66 ++++----- pkg/purl/purl.go | 2 +- 21 files changed, 114 insertions(+), 241 deletions(-) rename integration/testdata/{composer.installed.json.golden => composer.vendor.json.golden} (88%) rename integration/testdata/fixtures/repo/{composer-installed => composer-vendor}/installed.json (100%) rename pkg/fanal/analyzer/language/php/composer/testdata/{ => composer}/happy/composer.json (100%) rename pkg/fanal/analyzer/language/php/composer/testdata/{ => composer}/happy/composer.lock (100%) rename pkg/fanal/analyzer/language/php/composer/testdata/{ => composer}/no-composer-json/composer.lock (100%) rename pkg/fanal/analyzer/language/php/composer/testdata/{ => composer}/sad/composer.lock (100%) rename pkg/fanal/analyzer/language/php/composer/testdata/{ => composer}/wrong-composer-json/composer.json (100%) rename pkg/fanal/analyzer/language/php/composer/testdata/{ => composer}/wrong-composer-json/composer.lock (100%) create mode 100644 pkg/fanal/analyzer/language/php/composer/vendor.go rename 
pkg/fanal/analyzer/language/php/{installed/installed_test.go => composer/vendor_test.go} (70%) delete mode 100644 pkg/fanal/analyzer/language/php/installed/installed.go delete mode 100644 pkg/fanal/analyzer/language/php/installed/testdata/happy/installed.json delete mode 100644 pkg/fanal/analyzer/language/php/installed/testdata/sad/installed.json diff --git a/integration/repo_test.go b/integration/repo_test.go index bd850b22f1e4..e07b48b950b7 100644 --- a/integration/repo_test.go +++ b/integration/repo_test.go @@ -256,9 +256,9 @@ func TestRepository(t *testing.T) { command: "rootfs", scanner: types.VulnerabilityScanner, listAllPkgs: true, - input: "testdata/fixtures/repo/composer-installed", + input: "testdata/fixtures/repo/composer-vendor", }, - golden: "testdata/composer.installed.json.golden", + golden: "testdata/composer.vendor.json.golden", }, { name: "dockerfile", diff --git a/integration/testdata/composer.installed.json.golden b/integration/testdata/composer.vendor.json.golden similarity index 88% rename from integration/testdata/composer.installed.json.golden rename to integration/testdata/composer.vendor.json.golden index f5b4547dcfd7..ebb1f65a0824 100644 --- a/integration/testdata/composer.installed.json.golden +++ b/integration/testdata/composer.vendor.json.golden @@ -1,7 +1,7 @@ { "SchemaVersion": 2, "CreatedAt": "2021-08-25T12:20:30.000000005Z", - "ArtifactName": "testdata/fixtures/repo/composer-installed", + "ArtifactName": "testdata/fixtures/repo/composer-vendor", "ArtifactType": "filesystem", "Metadata": { "ImageConfig": { @@ -19,13 +19,14 @@ { "Target": "installed.json", "Class": "lang-pkgs", - "Type": "composer-installed", + "Type": "composer-vendor", "Packages": [ { "ID": "guzzlehttp/psr7@1.8.3", "Name": "guzzlehttp/psr7", "Identifier": { - "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3" + "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3", + "UID": "25fca97fe23aa7b1" }, "Version": "1.8.3", "Licenses": [ 
@@ -47,7 +48,8 @@ "ID": "psr/http-message@1.1", "Name": "psr/http-message", "Identifier": { - "PURL": "pkg:composer/psr/http-message@1.1" + "PURL": "pkg:composer/psr/http-message@1.1", + "UID": "299d8ff4461e894" }, "Version": "1.1", "Licenses": [ @@ -65,7 +67,8 @@ "ID": "ralouphie/getallheaders@3.0.3", "Name": "ralouphie/getallheaders", "Identifier": { - "PURL": "pkg:composer/ralouphie/getallheaders@3.0.3" + "PURL": "pkg:composer/ralouphie/getallheaders@3.0.3", + "UID": "c383e94d979a209c" }, "Version": "3.0.3", "Licenses": [ @@ -86,7 +89,8 @@ "PkgID": "guzzlehttp/psr7@1.8.3", "PkgName": "guzzlehttp/psr7", "PkgIdentifier": { - "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3" + "PURL": "pkg:composer/guzzlehttp/psr7@1.8.3", + "UID": "25fca97fe23aa7b1" }, "InstalledVersion": "1.8.3", "FixedVersion": "1.8.4", diff --git a/integration/testdata/fixtures/repo/composer-installed/installed.json b/integration/testdata/fixtures/repo/composer-vendor/installed.json similarity index 100% rename from integration/testdata/fixtures/repo/composer-installed/installed.json rename to integration/testdata/fixtures/repo/composer-vendor/installed.json diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go index c5cc832dddaa..6990d3c7e84d 100644 --- a/pkg/detector/library/driver.go +++ b/pkg/detector/library/driver.go @@ -33,7 +33,7 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) { case ftypes.RustBinary, ftypes.Cargo: ecosystem = vulnerability.Cargo comparer = compare.GenericComparer{} - case ftypes.Composer, ftypes.ComposerInstalled: + case ftypes.Composer, ftypes.ComposerVendor: ecosystem = vulnerability.Composer comparer = compare.GenericComparer{} case ftypes.GoBinary, ftypes.GoModule: diff --git a/pkg/fanal/analyzer/all/import.go b/pkg/fanal/analyzer/all/import.go index 133deeec79eb..1849bcebf682 100644 --- a/pkg/fanal/analyzer/all/import.go +++ b/pkg/fanal/analyzer/all/import.go 
@@ -27,7 +27,6 @@ import ( _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pnpm" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/yarn" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/php/composer" - _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/php/installed" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/packaging" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pip" _ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/python/pipenv" diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go index 9f2e8e3bf12a..6e9d0332eb61 100644 --- a/pkg/fanal/analyzer/const.go +++ b/pkg/fanal/analyzer/const.go @@ -49,8 +49,8 @@ const ( TypeCargo Type = "cargo" // PHP - TypeComposer Type = "composer" - TypeComposerInstalled Type = "composer-installed" + TypeComposer Type = "composer" + TypeComposerVendor Type = "composer-vendor" // Java TypeJar Type = "jar" @@ -231,7 +231,7 @@ var ( TypeGoBinary, TypeJar, TypeRustBinary, - TypeComposerInstalled, + TypeComposerVendor, } // TypeConfigFiles has all config file analyzers diff --git a/pkg/fanal/analyzer/language/php/composer/composer.go b/pkg/fanal/analyzer/language/php/composer/composer.go index 1c0e14a1881a..15d2a2e8ec27 100644 --- a/pkg/fanal/analyzer/language/php/composer/composer.go +++ b/pkg/fanal/analyzer/language/php/composer/composer.go @@ -26,7 +26,7 @@ func init() { analyzer.RegisterPostAnalyzer(analyzer.TypeComposer, newComposerAnalyzer) } -const version = 1 +const composerAnalyzerVersion = 1 var requiredFiles = []string{ types.ComposerLock, @@ -96,7 +96,7 @@ func (a composerAnalyzer) Type() analyzer.Type { } func (a composerAnalyzer) Version() int { - return version + return composerAnalyzerVersion } func (a composerAnalyzer) parseComposerLock(path string, r io.Reader) (*types.Application, error) { 
diff --git a/pkg/fanal/analyzer/language/php/composer/composer_test.go b/pkg/fanal/analyzer/language/php/composer/composer_test.go index ea963d94dcf2..67ed0a0daa6e 100644 --- a/pkg/fanal/analyzer/language/php/composer/composer_test.go +++ b/pkg/fanal/analyzer/language/php/composer/composer_test.go @@ -20,7 +20,7 @@ func Test_composerAnalyzer_PostAnalyze(t *testing.T) { }{ { name: "happy path", - dir: "testdata/happy", + dir: "testdata/composer/happy", want: &analyzer.AnalysisResult{ Applications: []types.Application{ { @@ -63,7 +63,7 @@ func Test_composerAnalyzer_PostAnalyze(t *testing.T) { }, { name: "no composer.json", - dir: "testdata/no-composer-json", + dir: "testdata/composer/no-composer-json", want: &analyzer.AnalysisResult{ Applications: []types.Application{ { @@ -106,7 +106,7 @@ func Test_composerAnalyzer_PostAnalyze(t *testing.T) { }, { name: "wrong composer.json", - dir: "testdata/wrong-composer-json", + dir: "testdata/composer/wrong-composer-json", want: &analyzer.AnalysisResult{ Applications: []types.Application{ { @@ -149,7 +149,7 @@ func Test_composerAnalyzer_PostAnalyze(t *testing.T) { }, { name: "broken composer.lock", - dir: "testdata/sad", + dir: "testdata/composer/sad", want: &analyzer.AnalysisResult{}, }, } diff --git a/pkg/fanal/analyzer/language/php/composer/testdata/happy/composer.json b/pkg/fanal/analyzer/language/php/composer/testdata/composer/happy/composer.json similarity index 100% rename from pkg/fanal/analyzer/language/php/composer/testdata/happy/composer.json rename to pkg/fanal/analyzer/language/php/composer/testdata/composer/happy/composer.json diff --git a/pkg/fanal/analyzer/language/php/composer/testdata/happy/composer.lock b/pkg/fanal/analyzer/language/php/composer/testdata/composer/happy/composer.lock similarity index 100% rename from pkg/fanal/analyzer/language/php/composer/testdata/happy/composer.lock rename to pkg/fanal/analyzer/language/php/composer/testdata/composer/happy/composer.lock 
diff --git a/pkg/fanal/analyzer/language/php/composer/testdata/no-composer-json/composer.lock b/pkg/fanal/analyzer/language/php/composer/testdata/composer/no-composer-json/composer.lock similarity index 100% rename from pkg/fanal/analyzer/language/php/composer/testdata/no-composer-json/composer.lock rename to pkg/fanal/analyzer/language/php/composer/testdata/composer/no-composer-json/composer.lock diff --git a/pkg/fanal/analyzer/language/php/composer/testdata/sad/composer.lock b/pkg/fanal/analyzer/language/php/composer/testdata/composer/sad/composer.lock similarity index 100% rename from pkg/fanal/analyzer/language/php/composer/testdata/sad/composer.lock rename to pkg/fanal/analyzer/language/php/composer/testdata/composer/sad/composer.lock diff --git a/pkg/fanal/analyzer/language/php/composer/testdata/wrong-composer-json/composer.json b/pkg/fanal/analyzer/language/php/composer/testdata/composer/wrong-composer-json/composer.json similarity index 100% rename from pkg/fanal/analyzer/language/php/composer/testdata/wrong-composer-json/composer.json rename to pkg/fanal/analyzer/language/php/composer/testdata/composer/wrong-composer-json/composer.json diff --git a/pkg/fanal/analyzer/language/php/composer/testdata/wrong-composer-json/composer.lock b/pkg/fanal/analyzer/language/php/composer/testdata/composer/wrong-composer-json/composer.lock similarity index 100% rename from pkg/fanal/analyzer/language/php/composer/testdata/wrong-composer-json/composer.lock rename to pkg/fanal/analyzer/language/php/composer/testdata/composer/wrong-composer-json/composer.lock diff --git a/pkg/fanal/analyzer/language/php/composer/vendor.go b/pkg/fanal/analyzer/language/php/composer/vendor.go new file mode 100644 index 000000000000..423de2b7a352 --- /dev/null +++ b/pkg/fanal/analyzer/language/php/composer/vendor.go 
@@ -0,0 +1,39 @@
+package composer
+
+import (
+ "context"
+ "os"
+ "path/filepath"
+
+ "github.com/aquasecurity/trivy/pkg/dependency/parser/php/composer"
+ "github.com/aquasecurity/trivy/pkg/fanal/analyzer"
+ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language"
+ "github.com/aquasecurity/trivy/pkg/fanal/types"
+)
+
+func init() {
+ analyzer.RegisterAnalyzer(&composerVendorAnalyzer{})
+}
+
+const (
+ composerInstalledAnalyzerVersion = 1
+)
+
+// composerVendorAnalyzer analyzes 'installed.json'
+type composerVendorAnalyzer struct{}
+
+func (a composerVendorAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
+ return language.Analyze(types.ComposerVendor, input.FilePath, input.Content, composer.NewParser())
+}
+
+func (a composerVendorAnalyzer) Required(filePath string, _ os.FileInfo) bool {
+ return filepath.Base(filePath) == types.ComposerInstalledJson
+}
+
+func (a composerVendorAnalyzer) Type() analyzer.Type {
+ return analyzer.TypeComposerVendor
+}
+
+func (a composerVendorAnalyzer) Version() int {
+ return composerInstalledAnalyzerVersion
+}
diff --git a/pkg/fanal/analyzer/language/php/installed/installed_test.go b/pkg/fanal/analyzer/language/php/composer/vendor_test.go
similarity index 70%
rename from pkg/fanal/analyzer/language/php/installed/installed_test.go
rename to pkg/fanal/analyzer/language/php/composer/vendor_test.go
index a088612d2ba3..d0a13a8b8f98 100644
--- a/pkg/fanal/analyzer/language/php/installed/installed_test.go
+++ b/pkg/fanal/analyzer/language/php/composer/vendor_test.go
@@ -1,4 +1,4 @@
-package installed
+package composer
 import (
 "os"
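Review bot: `Required` in vendor.go selects any file whose base name is installed.json, wherever it sits in the scanned tree, so an unrelated installed.json is handed to the Composer parser and, judging by the "decode error" sad-path test, surfaces as a parse error rather than being skipped; the first version of this analyzer only matched `vendor/composer/installed.json`, which is also the location the docs hunk describes. If the wider match is intentional, a comment on `Required` saying why would document the contract; otherwise a parent-directory check such as `return filepath.Base(filepath.Dir(filePath)) == "composer" && filepath.Base(filePath) == types.ComposerInstalledJson` narrows it without a new import (assuming analyzer paths use forward slashes here, as the original suffix check did). The version constant is still named `composerInstalledAnalyzerVersion` although the type is `composerVendorAnalyzer` and the sibling composer.go uses `composerAnalyzerVersion`; `composerVendorAnalyzerVersion` keeps the two files consistent. The type comment could also state the expected source of the file, e.g. `// composerVendorAnalyzer analyzes installed.json written by Composer under vendor/composer/`.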
@@ -19,19 +19,20 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { }{ { name: "happy path", - inputFile: "testdata/happy/installed.json", + inputFile: "testdata/composer-vendor/happy/installed.json", want: &analyzer.AnalysisResult{ Applications: []types.Application{ { - Type: types.ComposerInstalled, - FilePath: "testdata/happy/installed.json", + Type: types.ComposerVendor, + FilePath: "testdata/composer-vendor/happy/installed.json", Packages: []types.Package{ { - ID: "pear/log@1.13.3", - Name: "pear/log", - Version: "1.13.3", - Indirect: false, - Licenses: []string{"MIT"}, + ID: "pear/log@1.13.3", + Name: "pear/log", + Version: "1.13.3", + Indirect: false, + Relationship: types.RelationshipUnknown, + Licenses: []string{"MIT"}, Locations: []types.Location{ { StartLine: 3, @@ -41,11 +42,12 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { DependsOn: []string{"pear/pear_exception@v1.0.2"}, }, { - ID: "pear/pear_exception@v1.0.2", - Name: "pear/pear_exception", - Version: "v1.0.2", - Indirect: false, - Licenses: []string{"BSD-2-Clause"}, + ID: "pear/pear_exception@v1.0.2", + Name: "pear/pear_exception", + Version: "v1.0.2", + Indirect: false, + Relationship: types.RelationshipUnknown, + Licenses: []string{"BSD-2-Clause"}, Locations: []types.Location{ { StartLine: 66, @@ -60,7 +62,7 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { }, { name: "sad path", - inputFile: "testdata/sad/installed.json", + inputFile: "testdata/composer-vendor/sad/installed.json", wantErr: "decode error", }, } @@ -74,7 +76,7 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { require.NoError(t, err) }() - a := composerInstalledAnalyzer{} + a := composerVendorAnalyzer{} got, err := a.Analyze(nil, analyzer.AnalysisInput{ FilePath: tt.inputFile, Content: f, 
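Review bot: The test functions keep the old analyzer name after the rename: the hunk headers here and in the `@@ -110,7 +112,7 @@` hunk that follows still read `Test_composerInstalledAnalyzer_Analyze` and `Test_composerInstalledAnalyzer_Required`, while the value under test is now `composerVendorAnalyzer{}`. Renaming them to `Test_composerVendorAnalyzer_Analyze` and `Test_composerVendorAnalyzer_Required` keeps `go test -run` filters and failure output pointing at the right type. Both functions start outside the visible hunks.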
@@ -110,7 +112,7 @@ func Test_composerInstalledAnalyzer_Required(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- a := composerInstalledAnalyzer{}
+ a := composerVendorAnalyzer{}
 got := a.Required(tt.filePath, nil)
 require.Equal(t, tt.want, got)
 })
diff --git a/pkg/fanal/analyzer/language/php/installed/installed.go b/pkg/fanal/analyzer/language/php/installed/installed.go
deleted file mode 100644
index 261e7e5d50e3..000000000000
--- a/pkg/fanal/analyzer/language/php/installed/installed.go
+++ /dev/null
@@ -1,39 +0,0 @@
-package installed
-
-import (
- "context"
- "os"
- "path/filepath"
-
- "github.com/aquasecurity/trivy/pkg/dependency/parser/php/composer"
- "github.com/aquasecurity/trivy/pkg/fanal/analyzer"
- "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language"
- "github.com/aquasecurity/trivy/pkg/fanal/types"
-)
-
-func init() {
- analyzer.RegisterAnalyzer(&composerInstalledAnalyzer{})
-}
-
-const (
- version = 1
-)
-
-// composerInstalledAnalyzer analyzes 'installed.json'
-type composerInstalledAnalyzer struct{}
-
-func (a composerInstalledAnalyzer) Analyze(_ context.Context, input analyzer.AnalysisInput) (*analyzer.AnalysisResult, error) {
- return language.Analyze(types.ComposerInstalled, input.FilePath, input.Content, composer.NewParser())
-}
-
-func (a composerInstalledAnalyzer) Required(filePath string, _ os.FileInfo) bool {
- return filepath.Base(filePath) == types.ComposerInstalledJson
-}
-
-func (a composerInstalledAnalyzer) Type() analyzer.Type {
- return analyzer.TypeComposerInstalled
-}
-
-func (a composerInstalledAnalyzer) Version() int {
- return version
-}
diff --git a/pkg/fanal/analyzer/language/php/installed/testdata/happy/installed.json b/pkg/fanal/analyzer/language/php/installed/testdata/happy/installed.json
deleted file mode 100644
index e44e60d9050a..000000000000
--- a/pkg/fanal/analyzer/language/php/installed/testdata/happy/installed.json
+++ /dev/null
@@ -1,131 +0,0 @@ -{ - "packages": [ - { - "name": "pear/log", - "version": "1.13.3", - "version_normalized": "1.13.3.0", - "source": { - "type": "git", - "url": "https://github.com/pear/Log.git", - "reference": "21af0be11669194d72d88b5ee9d5f176dc75d9a3" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/pear/Log/zipball/21af0be11669194d72d88b5ee9d5f176dc75d9a3", - "reference": "21af0be11669194d72d88b5ee9d5f176dc75d9a3", - "shasum": "" - }, - "require": { - "pear/pear_exception": "1.0.1 || 1.0.2", - "php": ">5.2" - }, - "require-dev": { - "phpunit/phpunit": "*" - }, - "suggest": { - "pear/db": "Install optionally via your project's composer.json" - }, - "time": "2021-05-04T23:51:30+00:00", - "type": "library", - "installation-source": "dist", - "autoload": { - "psr-0": { - "Log": "./" - }, - "exclude-from-classmap": [ - "/examples/" - ] - }, - "notification-url": "https://packagist.org/downloads/", - "include-path": [ - "" - ], - "license": [ - "MIT" - ], - "authors": [ - { - "name": "Jon Parise", - "email": "jon@php.net", - "homepage": "http://www.indelible.org", - "role": "Developer" - } - ], - "description": "PEAR Logging Framework", - "homepage": "http://pear.github.io/Log/", - "keywords": [ - "log", - "logging" - ], - "support": { - "issues": "https://github.com/pear/Log/issues", - "source": "https://github.com/pear/Log" - }, - "install-path": "../pear/log" - }, - { - "name": "pear/pear_exception", - "version": "v1.0.2", - "version_normalized": "1.0.2.0", - "source": { - "type": "git", - "url": "https://github.com/pear/PEAR_Exception.git", - "reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/pear/PEAR_Exception/zipball/b14fbe2ddb0b9f94f5b24cf08783d599f776fff0", - "reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0", - "shasum": "" - }, - "require": { - "php": ">=5.2.0" - }, - "require-dev": { - "phpunit/phpunit": "<9" - }, - "time": 
"2021-03-21T15:43:46+00:00", - "type": "class", - "extra": { - "branch-alias": { - "dev-master": "1.0.x-dev" - } - }, - "installation-source": "dist", - "autoload": { - "classmap": [ - "PEAR/" - ] - }, - "notification-url": "https://packagist.org/downloads/", - "include-path": [ - "." - ], - "license": [ - "BSD-2-Clause" - ], - "authors": [ - { - "name": "Helgi Thormar", - "email": "dufuz@php.net" - }, - { - "name": "Greg Beaver", - "email": "cellog@php.net" - } - ], - "description": "The PEAR Exception base class.", - "homepage": "https://github.com/pear/PEAR_Exception", - "keywords": [ - "exception" - ], - "support": { - "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception", - "source": "https://github.com/pear/PEAR_Exception" - }, - "install-path": "../pear/pear_exception" - } - ], - "dev": true, - "dev-package-names": [] -} diff --git a/pkg/fanal/analyzer/language/php/installed/testdata/sad/installed.json b/pkg/fanal/analyzer/language/php/installed/testdata/sad/installed.json deleted file mode 100644 index 81750b96f9d8..000000000000 --- a/pkg/fanal/analyzer/language/php/installed/testdata/sad/installed.json +++ /dev/null @@ -1 +0,0 @@ -{ \ No newline at end of file diff --git a/pkg/fanal/types/const.go b/pkg/fanal/types/const.go index f83e5433c01c..7253404c0be1 100644 --- a/pkg/fanal/types/const.go +++ b/pkg/fanal/types/const.go 
@@ -43,39 +43,39 @@ const ( // Programming language dependencies const ( - Bundler LangType = "bundler" - GemSpec LangType = "gemspec" - Cargo LangType = "cargo" - Composer LangType = "composer" - ComposerInstalled LangType = "composer-installed" - Npm LangType = "npm" - NuGet LangType = "nuget" - DotNetCore LangType = "dotnet-core" - PackagesProps LangType = "packages-props" - Pip LangType = "pip" - Pipenv LangType = "pipenv" - Poetry LangType = "poetry" - CondaPkg LangType = "conda-pkg" - CondaEnv LangType = "conda-environment" - PythonPkg LangType = "python-pkg" - NodePkg LangType = "node-pkg" - Yarn LangType = "yarn" - Pnpm LangType = "pnpm" - Jar LangType = "jar" - Pom LangType = "pom" - Gradle LangType = "gradle" - Sbt LangType = "sbt" - GoBinary LangType = "gobinary" - GoModule LangType = "gomod" - JavaScript LangType = "javascript" - RustBinary LangType = "rustbinary" - Conan LangType = "conan" - Cocoapods LangType = "cocoapods" - Swift LangType = "swift" - Pub LangType = "pub" - Hex LangType = "hex" - Bitnami LangType = "bitnami" - Julia LangType = "julia" + Bundler LangType = "bundler" + GemSpec LangType = "gemspec" + Cargo LangType = "cargo" + Composer LangType = "composer" + ComposerVendor LangType = "composer-vendor" + Npm LangType = "npm" + NuGet LangType = "nuget" + DotNetCore LangType = "dotnet-core" + PackagesProps LangType = "packages-props" + Pip LangType = "pip" + Pipenv LangType = "pipenv" + Poetry LangType = "poetry" + CondaPkg LangType = "conda-pkg" + CondaEnv LangType = "conda-environment" + PythonPkg LangType = "python-pkg" + NodePkg LangType = "node-pkg" + Yarn LangType = "yarn" + Pnpm LangType = "pnpm" + Jar LangType = "jar" + Pom LangType = "pom" + Gradle LangType = "gradle" + Sbt LangType = "sbt" + GoBinary LangType = "gobinary" + GoModule LangType = "gomod" + JavaScript LangType = "javascript" + RustBinary LangType = "rustbinary" + Conan LangType = "conan" + Cocoapods LangType = "cocoapods" + Swift LangType = "swift" + Pub LangType = 
"pub" + Hex LangType = "hex" + Bitnami LangType = "bitnami" + Julia LangType = "julia" K8sUpstream LangType = "kubernetes" EKS LangType = "eks" // Amazon Elastic Kubernetes Service diff --git a/pkg/purl/purl.go b/pkg/purl/purl.go index c9692504b29b..12b27e6290e6 100644 --- a/pkg/purl/purl.go +++ b/pkg/purl/purl.go @@ -448,7 +448,7 @@ func purlType(t ftypes.TargetType) string { return packageurl.TypeGem case ftypes.NuGet, ftypes.DotNetCore, ftypes.PackagesProps: return packageurl.TypeNuget - case ftypes.Composer, ftypes.ComposerInstalled: + case ftypes.Composer, ftypes.ComposerVendor: return packageurl.TypeComposer case ftypes.CondaPkg, ftypes.CondaEnv: return packageurl.TypeConda From 39a34dbfe7c1ad3d2654af39df054e8b0c73440a Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 24 Jun 2024 17:02:19 +0600 Subject: [PATCH 18/19] test: add missed test files --- docs/docs/coverage/language/php.md | 2 +- .../composer-vendor/happy/installed.json | 131 ++++++++++++++++++ .../composer-vendor/sad/installed.json | 1 + .../language/php/composer/vendor_test.go | 4 +- 4 files changed, 135 insertions(+), 3 deletions(-) create mode 100644 pkg/fanal/analyzer/language/php/composer/testdata/composer-vendor/happy/installed.json create mode 100644 pkg/fanal/analyzer/language/php/composer/testdata/composer-vendor/sad/installed.json diff --git a/docs/docs/coverage/language/php.md b/docs/docs/coverage/language/php.md index 1c806ec1de4d..9fe38bf4990d 100644 --- a/docs/docs/coverage/language/php.md +++ b/docs/docs/coverage/language/php.md 
@@ -14,7 +14,7 @@ The following table provides an outline of the features Trivy offers. | Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | |-----------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:| | Composer | composer.lock | ✓ | Excluded | ✓ | ✓ | -| Composer | installed.json | ✅ | Excluded | - | ✓ | +| Composer | installed.json | ✓ | Excluded | - | ✓ | ## composer.lock In order to detect dependencies, Trivy searches for `composer.lock`. diff --git a/pkg/fanal/analyzer/language/php/composer/testdata/composer-vendor/happy/installed.json b/pkg/fanal/analyzer/language/php/composer/testdata/composer-vendor/happy/installed.json new file mode 100644 index 000000000000..e44e60d9050a --- /dev/null +++ b/pkg/fanal/analyzer/language/php/composer/testdata/composer-vendor/happy/installed.json 
@@ -0,0 +1,131 @@ +{ + "packages": [ + { + "name": "pear/log", + "version": "1.13.3", + "version_normalized": "1.13.3.0", + "source": { + "type": "git", + "url": "https://github.com/pear/Log.git", + "reference": "21af0be11669194d72d88b5ee9d5f176dc75d9a3" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/pear/Log/zipball/21af0be11669194d72d88b5ee9d5f176dc75d9a3", + "reference": "21af0be11669194d72d88b5ee9d5f176dc75d9a3", + "shasum": "" + }, + "require": { + "pear/pear_exception": "1.0.1 || 1.0.2", + "php": ">5.2" + }, + "require-dev": { + "phpunit/phpunit": "*" + }, + "suggest": { + "pear/db": "Install optionally via your project's composer.json" + }, + "time": "2021-05-04T23:51:30+00:00", + "type": "library", + "installation-source": "dist", + "autoload": { + "psr-0": { + "Log": "./" + }, + "exclude-from-classmap": [ + "/examples/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "include-path": [ + "" + ], + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jon Parise", + "email": "jon@php.net", + "homepage": "http://www.indelible.org", + "role": "Developer" + } + ], + "description": "PEAR Logging Framework", + "homepage": "http://pear.github.io/Log/", + "keywords": [ + "log", + "logging" + ], + "support": { + "issues": "https://github.com/pear/Log/issues", + "source": "https://github.com/pear/Log" + }, + "install-path": "../pear/log" + }, + { + "name": "pear/pear_exception", + "version": "v1.0.2", + "version_normalized": "1.0.2.0", + "source": { + "type": "git", + "url": "https://github.com/pear/PEAR_Exception.git", + "reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/pear/PEAR_Exception/zipball/b14fbe2ddb0b9f94f5b24cf08783d599f776fff0", + "reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "<9" + }, + "time": 
"2021-03-21T15:43:46+00:00", + "type": "class", + "extra": { + "branch-alias": { + "dev-master": "1.0.x-dev" + } + }, + "installation-source": "dist", + "autoload": { + "classmap": [ + "PEAR/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "include-path": [ + "." + ], + "license": [ + "BSD-2-Clause" + ], + "authors": [ + { + "name": "Helgi Thormar", + "email": "dufuz@php.net" + }, + { + "name": "Greg Beaver", + "email": "cellog@php.net" + } + ], + "description": "The PEAR Exception base class.", + "homepage": "https://github.com/pear/PEAR_Exception", + "keywords": [ + "exception" + ], + "support": { + "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception", + "source": "https://github.com/pear/PEAR_Exception" + }, + "install-path": "../pear/pear_exception" + } + ], + "dev": true, + "dev-package-names": [] +} diff --git a/pkg/fanal/analyzer/language/php/composer/testdata/composer-vendor/sad/installed.json b/pkg/fanal/analyzer/language/php/composer/testdata/composer-vendor/sad/installed.json new file mode 100644 index 000000000000..81750b96f9d8 --- /dev/null +++ b/pkg/fanal/analyzer/language/php/composer/testdata/composer-vendor/sad/installed.json @@ -0,0 +1 @@ +{ \ No newline at end of file diff --git a/pkg/fanal/analyzer/language/php/composer/vendor_test.go b/pkg/fanal/analyzer/language/php/composer/vendor_test.go index d0a13a8b8f98..887c5d404039 100644 --- a/pkg/fanal/analyzer/language/php/composer/vendor_test.go +++ b/pkg/fanal/analyzer/language/php/composer/vendor_test.go @@ -10,7 +10,7 @@ import ( "github.com/aquasecurity/trivy/pkg/fanal/types" ) -func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { +func Test_composerVendorAnalyzer_Analyze(t *testing.T) { tests := []struct { name string inputFile string 
@@ -93,7 +93,7 @@ func Test_composerInstalledAnalyzer_Analyze(t *testing.T) { } } -func Test_composerInstalledAnalyzer_Required(t *testing.T) { +func Test_composerVendorAnalyzer_Required(t *testing.T) { tests := []struct { name string filePath string From 4418adec0a8704102f01b02aeb7da5a2d992c350 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 24 Jun 2024 17:24:49 +0600 Subject: [PATCH 19/19] test: update image_test.go --- pkg/fanal/artifact/image/image_test.go | 110 ++++++++++++------------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/pkg/fanal/artifact/image/image_test.go b/pkg/fanal/artifact/image/image_test.go index 6ce36846868a..cd7fea2df1e2 100644 --- a/pkg/fanal/artifact/image/image_test.go +++ b/pkg/fanal/artifact/image/image_test.go @@ -352,17 +352,17 @@ func TestArtifact_Inspect(t *testing.T) { missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0"}, + BlobIDs: []string{"sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638"}, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingArtifact: true, - MissingBlobIDs: []string{"sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0"}, + MissingBlobIDs: []string{"sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638"}, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0", + BlobID: "sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
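Review bot: The commit message says only "update image_test.go" and does not explain why every expected blob ID in TestArtifact_Inspect changed, starting with the `BlobIDs`/`BlobID` values in the `@@ -352` hunk and repeated in the later hunks of the same file. From the surrounding commits this looks like a consequence of renaming the analyzer type (composer-installed to composer-vendor) feeding into the cache key, but that is inferred rather than visible here. A sentence in the description such as `Blob IDs change because the renamed composer-vendor analyzer is part of the cache key` would let a reader confirm the new hashes are expected rather than accidental. If the key really does change, existing artifact caches will miss on upgrade, which is worth stating for operators.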
@@ -429,7 +429,7 @@ func TestArtifact_Inspect(t *testing.T) { Name: "../../test/testdata/alpine-311.tar.gz", Type: artifact.TypeContainerImage, ID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0"}, + BlobIDs: []string{"sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638"}, ImageMetadata: artifact.ImageMetadata{ ID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72", DiffIDs: []string{ 
@@ -488,25 +488,25 @@ func TestArtifact_Inspect(t *testing.T) { Args: cache.ArtifactCacheMissingBlobsArgs{ ArtifactID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", BlobIDs: []string{ - "sha256:dd0a4f4754bf4590327be34f4266f63c92184352afadb72e4c9b162f76224000", - "sha256:f9e6a3065bb47f810916e90249076950a4b70785a27d3bcb90406d0ab342fa67", - "sha256:b6be0de11c6090f71dea119f43dd360335643420058e317baffb089f0dff4001", - "sha256:37c561c19b169f5f9832f4b0060bf74ebc8d1c9e01662ad4fa21c394da159440", + "sha256:a3eb0f92862bc742ea1e7ee875dd5623568ee17213ae7d29f05960eb1135fa6d", + "sha256:05b96a707dab6e1fcd9543f0df6a0e4cdf5c7e26272d7f6bc7ed2e1cf23afa9f", + "sha256:677cd3a664e4923227de2c2571c40b9956d99e4775b2e11ce8aa207842123119", + "sha256:e870ba0421bc71c046819f809c8369e98f59a2cde34961fdd429a2102da33c0c", }, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingBlobIDs: []string{ - "sha256:dd0a4f4754bf4590327be34f4266f63c92184352afadb72e4c9b162f76224000", - "sha256:f9e6a3065bb47f810916e90249076950a4b70785a27d3bcb90406d0ab342fa67", - "sha256:b6be0de11c6090f71dea119f43dd360335643420058e317baffb089f0dff4001", - "sha256:37c561c19b169f5f9832f4b0060bf74ebc8d1c9e01662ad4fa21c394da159440", + "sha256:a3eb0f92862bc742ea1e7ee875dd5623568ee17213ae7d29f05960eb1135fa6d", + "sha256:05b96a707dab6e1fcd9543f0df6a0e4cdf5c7e26272d7f6bc7ed2e1cf23afa9f", + "sha256:677cd3a664e4923227de2c2571c40b9956d99e4775b2e11ce8aa207842123119", + "sha256:e870ba0421bc71c046819f809c8369e98f59a2cde34961fdd429a2102da33c0c", }, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:dd0a4f4754bf4590327be34f4266f63c92184352afadb72e4c9b162f76224000", + BlobID: "sha256:a3eb0f92862bc742ea1e7ee875dd5623568ee17213ae7d29f05960eb1135fa6d", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
@@ -594,7 +594,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:f9e6a3065bb47f810916e90249076950a4b70785a27d3bcb90406d0ab342fa67", + BlobID: "sha256:05b96a707dab6e1fcd9543f0df6a0e4cdf5c7e26272d7f6bc7ed2e1cf23afa9f", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -690,7 +690,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:b6be0de11c6090f71dea119f43dd360335643420058e317baffb089f0dff4001", + BlobID: "sha256:677cd3a664e4923227de2c2571c40b9956d99e4775b2e11ce8aa207842123119", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -898,7 +898,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:37c561c19b169f5f9832f4b0060bf74ebc8d1c9e01662ad4fa21c394da159440", + BlobID: "sha256:e870ba0421bc71c046819f809c8369e98f59a2cde34961fdd429a2102da33c0c", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
@@ -1761,10 +1761,10 @@ func TestArtifact_Inspect(t *testing.T) { Type: artifact.TypeContainerImage, ID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", BlobIDs: []string{ - "sha256:dd0a4f4754bf4590327be34f4266f63c92184352afadb72e4c9b162f76224000", - "sha256:f9e6a3065bb47f810916e90249076950a4b70785a27d3bcb90406d0ab342fa67", - "sha256:b6be0de11c6090f71dea119f43dd360335643420058e317baffb089f0dff4001", - "sha256:37c561c19b169f5f9832f4b0060bf74ebc8d1c9e01662ad4fa21c394da159440", + "sha256:a3eb0f92862bc742ea1e7ee875dd5623568ee17213ae7d29f05960eb1135fa6d", + "sha256:05b96a707dab6e1fcd9543f0df6a0e4cdf5c7e26272d7f6bc7ed2e1cf23afa9f", + "sha256:677cd3a664e4923227de2c2571c40b9956d99e4775b2e11ce8aa207842123119", + "sha256:e870ba0421bc71c046819f809c8369e98f59a2cde34961fdd429a2102da33c0c", }, ImageMetadata: artifact.ImageMetadata{ ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4", 
@@ -1858,25 +1858,25 @@ func TestArtifact_Inspect(t *testing.T) { Args: cache.ArtifactCacheMissingBlobsArgs{ ArtifactID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", BlobIDs: []string{ - "sha256:e1187118cdbe8893fc2fd4b345f813d195ee6aaeb4820d4576694199f8c10350", - "sha256:12c266a627dc4014c3ee96936058ba98209056f4ffe0081bb5fca7ff91592cdb", - "sha256:47adac0e28b12338e99dedbd7e8b0ef1f7aaa28e646f637ab2db8908b80704c8", - "sha256:dd1082b33b17401fdc31bcbf60eaaecb9ce29e23956c50db6f34b2cc6cfa13c8", + "sha256:f46989447d5a1357f6b2427b86ca2af827dd380dbd7fbf392d2abf9a5d457323", + "sha256:487a6fb0914825c8fb9f3a0662a608039bd5a8b6488d76b9de2eb1a684e908e1", + "sha256:a23b05a9c95939a0d30d6b4f6c25393473252bde47b2daa03258c27461367509", + "sha256:47226d3c41a3ffd99dacdbcd2b197a7394ee8948270710ee035181427f88dfab", }, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingBlobIDs: []string{ - "sha256:e1187118cdbe8893fc2fd4b345f813d195ee6aaeb4820d4576694199f8c10350", - "sha256:12c266a627dc4014c3ee96936058ba98209056f4ffe0081bb5fca7ff91592cdb", - "sha256:47adac0e28b12338e99dedbd7e8b0ef1f7aaa28e646f637ab2db8908b80704c8", - "sha256:dd1082b33b17401fdc31bcbf60eaaecb9ce29e23956c50db6f34b2cc6cfa13c8", + "sha256:f46989447d5a1357f6b2427b86ca2af827dd380dbd7fbf392d2abf9a5d457323", + "sha256:487a6fb0914825c8fb9f3a0662a608039bd5a8b6488d76b9de2eb1a684e908e1", + "sha256:a23b05a9c95939a0d30d6b4f6c25393473252bde47b2daa03258c27461367509", + "sha256:47226d3c41a3ffd99dacdbcd2b197a7394ee8948270710ee035181427f88dfab", }, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:e1187118cdbe8893fc2fd4b345f813d195ee6aaeb4820d4576694199f8c10350", + BlobID: "sha256:f46989447d5a1357f6b2427b86ca2af827dd380dbd7fbf392d2abf9a5d457323", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
@@ -1887,7 +1887,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:12c266a627dc4014c3ee96936058ba98209056f4ffe0081bb5fca7ff91592cdb", + BlobID: "sha256:487a6fb0914825c8fb9f3a0662a608039bd5a8b6488d76b9de2eb1a684e908e1", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -1898,7 +1898,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:47adac0e28b12338e99dedbd7e8b0ef1f7aaa28e646f637ab2db8908b80704c8", + BlobID: "sha256:a23b05a9c95939a0d30d6b4f6c25393473252bde47b2daa03258c27461367509", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", @@ -1910,7 +1910,7 @@ func TestArtifact_Inspect(t *testing.T) { }, { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:dd1082b33b17401fdc31bcbf60eaaecb9ce29e23956c50db6f34b2cc6cfa13c8", + BlobID: "sha256:47226d3c41a3ffd99dacdbcd2b197a7394ee8948270710ee035181427f88dfab", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
@@ -1926,10 +1926,10 @@ func TestArtifact_Inspect(t *testing.T) { Type: artifact.TypeContainerImage, ID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", BlobIDs: []string{ - "sha256:e1187118cdbe8893fc2fd4b345f813d195ee6aaeb4820d4576694199f8c10350", - "sha256:12c266a627dc4014c3ee96936058ba98209056f4ffe0081bb5fca7ff91592cdb", - "sha256:47adac0e28b12338e99dedbd7e8b0ef1f7aaa28e646f637ab2db8908b80704c8", - "sha256:dd1082b33b17401fdc31bcbf60eaaecb9ce29e23956c50db6f34b2cc6cfa13c8", + "sha256:f46989447d5a1357f6b2427b86ca2af827dd380dbd7fbf392d2abf9a5d457323", + "sha256:487a6fb0914825c8fb9f3a0662a608039bd5a8b6488d76b9de2eb1a684e908e1", + "sha256:a23b05a9c95939a0d30d6b4f6c25393473252bde47b2daa03258c27461367509", + "sha256:47226d3c41a3ffd99dacdbcd2b197a7394ee8948270710ee035181427f88dfab", }, ImageMetadata: artifact.ImageMetadata{ ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4", @@ -2012,7 +2012,7 @@ func TestArtifact_Inspect(t *testing.T) { missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0"}, + BlobIDs: []string{"sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638"}, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ Err: xerrors.New("MissingBlobs failed"), 
@@ -2026,16 +2026,16 @@ func TestArtifact_Inspect(t *testing.T) { missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0"}, + BlobIDs: []string{"sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638"}, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ - MissingBlobIDs: []string{"sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0"}, + MissingBlobIDs: []string{"sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638"}, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0", + BlobID: "sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "", 
@@ -2095,18 +2095,18 @@ func TestArtifact_Inspect(t *testing.T) { Args: cache.ArtifactCacheMissingBlobsArgs{ ArtifactID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650", BlobIDs: []string{ - "sha256:dd0a4f4754bf4590327be34f4266f63c92184352afadb72e4c9b162f76224000", - "sha256:f9e6a3065bb47f810916e90249076950a4b70785a27d3bcb90406d0ab342fa67", - "sha256:b6be0de11c6090f71dea119f43dd360335643420058e317baffb089f0dff4001", - "sha256:37c561c19b169f5f9832f4b0060bf74ebc8d1c9e01662ad4fa21c394da159440", + "sha256:a3eb0f92862bc742ea1e7ee875dd5623568ee17213ae7d29f05960eb1135fa6d", + "sha256:05b96a707dab6e1fcd9543f0df6a0e4cdf5c7e26272d7f6bc7ed2e1cf23afa9f", + "sha256:677cd3a664e4923227de2c2571c40b9956d99e4775b2e11ce8aa207842123119", + "sha256:e870ba0421bc71c046819f809c8369e98f59a2cde34961fdd429a2102da33c0c", }, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingBlobIDs: []string{ - "sha256:dd0a4f4754bf4590327be34f4266f63c92184352afadb72e4c9b162f76224000", - "sha256:f9e6a3065bb47f810916e90249076950a4b70785a27d3bcb90406d0ab342fa67", - "sha256:b6be0de11c6090f71dea119f43dd360335643420058e317baffb089f0dff4001", - "sha256:37c561c19b169f5f9832f4b0060bf74ebc8d1c9e01662ad4fa21c394da159440", + "sha256:a3eb0f92862bc742ea1e7ee875dd5623568ee17213ae7d29f05960eb1135fa6d", + "sha256:05b96a707dab6e1fcd9543f0df6a0e4cdf5c7e26272d7f6bc7ed2e1cf23afa9f", + "sha256:677cd3a664e4923227de2c2571c40b9956d99e4775b2e11ce8aa207842123119", + "sha256:e870ba0421bc71c046819f809c8369e98f59a2cde34961fdd429a2102da33c0c", }, }, }, @@ -2114,7 +2114,7 @@ func TestArtifact_Inspect(t *testing.T) { { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:dd0a4f4754bf4590327be34f4266f63c92184352afadb72e4c9b162f76224000", + BlobID: "sha256:a3eb0f92862bc742ea1e7ee875dd5623568ee17213ae7d29f05960eb1135fa6d", BlobInfoAnything: true, }, 
@@ -2125,7 +2125,7 @@ func TestArtifact_Inspect(t *testing.T) { { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:f9e6a3065bb47f810916e90249076950a4b70785a27d3bcb90406d0ab342fa67", + BlobID: "sha256:05b96a707dab6e1fcd9543f0df6a0e4cdf5c7e26272d7f6bc7ed2e1cf23afa9f", BlobInfoAnything: true, }, @@ -2136,7 +2136,7 @@ func TestArtifact_Inspect(t *testing.T) { { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:b6be0de11c6090f71dea119f43dd360335643420058e317baffb089f0dff4001", + BlobID: "sha256:677cd3a664e4923227de2c2571c40b9956d99e4775b2e11ce8aa207842123119", BlobInfoAnything: true, }, @@ -2147,7 +2147,7 @@ func TestArtifact_Inspect(t *testing.T) { { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:37c561c19b169f5f9832f4b0060bf74ebc8d1c9e01662ad4fa21c394da159440", + BlobID: "sha256:e870ba0421bc71c046819f809c8369e98f59a2cde34961fdd429a2102da33c0c", BlobInfoAnything: true, }, @@ -2164,17 +2164,17 @@ func TestArtifact_Inspect(t *testing.T) { missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{ Args: cache.ArtifactCacheMissingBlobsArgs{ ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313", - BlobIDs: []string{"sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0"}, + BlobIDs: []string{"sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638"}, }, Returns: cache.ArtifactCacheMissingBlobsReturns{ MissingArtifact: true, - MissingBlobIDs: []string{"sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0"}, + MissingBlobIDs: []string{"sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638"}, }, }, putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{ { Args: cache.ArtifactCachePutBlobArgs{ - BlobID: "sha256:1fd280c63e1416a2261e76454caa19a5b77c6bddedd48309c9687c4fe72b34c0", + BlobID: "sha256:d4e6142cda465c55c8adf5b6c3148f3417a2c5582a76f933836738206e01b638", BlobInfo: types.BlobInfo{ SchemaVersion: types.BlobJSONSchemaVersion, Digest: "",