fix(contrib/trivy): fix convert for src package

Author: MaineK00n

contrib/trivy/parser/v2/parser_test.go

@@ -26,6 +26,10 @@ func TestParse(t *testing.T) {
 			vulnJSON: osAndLibTrivy,
 			expected: osAndLibSR,
 		},
+		"image alma": {
+			vulnJSON: almaTrivy,
+			expected: almaSR,
+		},
 	}
 
 	for testcase, v := range cases {
@@ -257,6 +261,16 @@ var redisSR = &models.ScanResult{
 		},
 	},
 	SrcPackages: models.SrcPackages{
+		"apt": models.SrcPackage{
+			Name:        "apt",
+			Version:     "1.8.2.3",
+			BinaryNames: []string{"apt"},
+		},
+		"adduser": models.SrcPackage{
+			Name:        "adduser",
+			Version:     "3.118",
+			BinaryNames: []string{"adduser"},
+		},
 		"util-linux": models.SrcPackage{
 			Name:        "util-linux",
 			Version:     "2.33.1-0.1",
@@ -525,10 +539,35 @@ var osAndLibTrivy = []byte(`
       "Type": "debian",
       "Packages": [
         {
+          "ID": "[email protected]",
           "Name": "libgnutls30",
-          "Version": "3.6.7-4",
+          "Version": "3.6.7",
+          "Release": "4",
+          "Arch": "amd64",
           "SrcName": "gnutls28",
-          "SrcVersion": "3.6.7-4",
+          "SrcVersion": "3.6.7",
+          "SrcRelease": "4",
+          "Licenses": [
+            "LGPL-3.0",
+            "GPL-3.0",
+            "GFDL-1.3",
+            "CC0",
+            "The MIT License",
+            "LGPLv3+",
+            "GPL-2.0",
+            "Apache-2.0"
+          ],
+          "Maintainer": "Debian GnuTLS Maintainers \[email protected]\u003e",
+          "DependsOn": [
+            "[email protected]",
+            "libgmp10@2:6.1.2+dfsg-4",
+            "[email protected]",
+            "[email protected]",
+            "[email protected]",
+            "[email protected]",
+            "[email protected]",
+            "[email protected]"
+          ],
           "Layer": {
             "Digest": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c",
             "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
@@ -538,15 +577,22 @@ var osAndLibTrivy = []byte(`
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2021-20231",
+          "PkgID": "[email protected]",
           "PkgName": "libgnutls30",
           "InstalledVersion": "3.6.7-4",
           "FixedVersion": "3.6.7-4+deb10u7",
+          "Status": "fixed",
           "Layer": {
             "Digest": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c",
             "DiffID": "sha256:831c5620387fb9efec59fc82a42b948546c6be601e3ab34a87108ecf852aa15f"
           },
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-20231",
+          "DataSource": {
+            "ID": "debian",
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
           "Title": "gnutls: Use after free in client key_share extension",
           "Description": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.",
           "Severity": "CRITICAL",
@@ -712,6 +758,7 @@ var osAndLibSR = &models.ScanResult{
 		"libgnutls30": models.Package{
 			Name:    "libgnutls30",
 			Version: "3.6.7-4",
+			Arch:    "amd64",
 		},
 	},
 	SrcPackages: models.SrcPackages{
@@ -727,6 +774,151 @@ var osAndLibSR = &models.ScanResult{
 	},
 }
 
+var almaTrivy = []byte(`
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2024-02-01T04:48:35.451128019+09:00",
+  "ArtifactName": "almalinux:9",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alma",
+      "Name": "9.1"
+    },
+    "ImageID": "sha256:6fda3265debce36565356d0e5f9f2403c751da40f8a2538d76dfcb934661b427",
+    "DiffIDs": [
+      "sha256:f025ce333a9dc974e0ec5ff9440cc0b7404a3277b5bff4ca3d45bc10313f845b"
+    ],
+    "RepoTags": [
+      "almalinux:9"
+    ],
+    "RepoDigests": [
+      "almalinux@sha256:904f3b03a151a7970255158103578de658ca955045b9cd6b78a9ea7d13a596ef"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0711a01b461394b83799a4125a9a6490052f74a5fafb084c72abcc09b01703d5",
+      "created": "2023-02-22T18:20:30.49146312Z",
+      "docker_version": "20.10.23",
+      "history": [
+        {
+          "created": "2023-02-22T18:20:29Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:97cfcd4d2e9fb628ab2192a2c99ea93dc2b97c852191d6dda024a33def36ff98 in / "
+        },
+        {
+          "created": "2023-02-22T18:20:30Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f025ce333a9dc974e0ec5ff9440cc0b7404a3277b5bff4ca3d45bc10313f845b"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:721f6c57a6da1faf2745fe501a3940bd4597d0936f994b76a9f19fb8035b7372"
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "almalinux:9 (alma 9.1)",
+      "Class": "os-pkgs",
+      "Type": "alma",
+      "Packages": [
+        {
+          "ID": "[email protected]_64",
+          "Name": "acl",
+          "Version": "2.3.1",
+          "Release": "3.el9",
+          "Arch": "x86_64",
+          "SrcName": "acl",
+          "SrcVersion": "2.3.1",
+          "SrcRelease": "3.el9",
+          "Licenses": [
+            "GPLv2+"
+          ],
+          "Maintainer": "AlmaLinux",
+          "DependsOn": [
+            "[email protected]_1.1.x86_64",
+            "[email protected]_64"
+          ],
+          "Layer": {
+            "DiffID": "sha256:f025ce333a9dc974e0ec5ff9440cc0b7404a3277b5bff4ca3d45bc10313f845b"
+          },
+          "Digest": "md5:30ed35fe284aa1ffee4fc8cf082ab6fa",
+          "InstalledFiles": [
+            "/usr/bin/chacl",
+            "/usr/bin/getfacl",
+            "/usr/bin/setfacl",
+            "/usr/lib/.build-id",
+            "/usr/lib/.build-id/5a",
+            "/usr/lib/.build-id/5a/d6848c63ed1dcb59a88e8ed5b3f936b6561d03",
+            "/usr/lib/.build-id/88",
+            "/usr/lib/.build-id/88/95863a5e92751dbb37a43dd2939511a9f3d9b5",
+            "/usr/lib/.build-id/e6",
+            "/usr/lib/.build-id/e6/f27b5253f5ffb6b5398896c720a4cbc108efe8",
+            "/usr/share/licenses/acl",
+            "/usr/share/licenses/acl/COPYING",
+            "/usr/share/licenses/acl/COPYING.LGPL",
+            "/usr/share/locale/de/LC_MESSAGES/acl.mo",
+            "/usr/share/locale/en@boldquot/LC_MESSAGES/acl.mo",
+            "/usr/share/locale/en@quot/LC_MESSAGES/acl.mo",
+            "/usr/share/locale/es/LC_MESSAGES/acl.mo",
+            "/usr/share/locale/fr/LC_MESSAGES/acl.mo",
+            "/usr/share/locale/gl/LC_MESSAGES/acl.mo",
+            "/usr/share/locale/pl/LC_MESSAGES/acl.mo",
+            "/usr/share/locale/sv/LC_MESSAGES/acl.mo",
+            "/usr/share/man/man1/chacl.1.gz",
+            "/usr/share/man/man1/getfacl.1.gz",
+            "/usr/share/man/man1/setfacl.1.gz",
+            "/usr/share/man/man5/acl.5.gz"
+          ]
+        }
+      ]
+    }
+  ]
+}`)
+
+var almaSR = &models.ScanResult{
+	JSONVersion:     4,
+	ServerName:      "almalinux:9",
+	Family:          "alma",
+	Release:         "9.1",
+	ScannedBy:       "trivy",
+	ScannedVia:      "trivy",
+	ScannedCves:     models.VulnInfos{},
+	LibraryScanners: models.LibraryScanners{},
+	Packages: models.Packages{
+		"acl": models.Package{
+			Name:    "acl",
+			Version: "2.3.1",
+			Release: "3.el9",
+			Arch:    "x86_64",
+		},
+	},
+	SrcPackages: models.SrcPackages{
+		"acl": models.SrcPackage{
+			Name:        "acl",
+			Version:     "2.3.1-3.el9",
+			BinaryNames: []string{"acl"},
+		},
+	},
+	Optional: map[string]interface{}{
+		"TRIVY_IMAGE_NAME": "almalinux",
+		"TRIVY_IMAGE_TAG":  "9",
+	},
+}
+
 func TestParseError(t *testing.T) {
 	cases := map[string]struct {
 		vulnJSON []byte

contrib/trivy/pkg/converter.go

@@ -1,6 +1,7 @@
 package pkg
 
 import (
+	"fmt"
 	"sort"
 	"time"
 
@@ -111,22 +112,49 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 		// --list-all-pkgs flg of trivy will output all installed packages, so collect them.
 		if trivyResult.Class == types.ClassOSPkg {
 			for _, p := range trivyResult.Packages {
-				pkgs[p.Name] = models.Package{
-					Name:    p.Name,
-					Version: p.Version,
+				switch trivyResult.Type {
+				case os.Debian, os.Ubuntu:
+					pv := p.Version
+					if p.Release != "" {
+						pv = fmt.Sprintf("%s-%s", pv, p.Release)
+					}
+					if p.Epoch > 0 {
+						pv = fmt.Sprintf("%d:%s", p.Epoch, pv)
+					}
+					pkgs[p.Name] = models.Package{
+						Name:    p.Name,
+						Version: pv,
+						Arch:    p.Arch,
+					}
+				default:
+					pv := p.Version
+					if p.Epoch > 0 {
+						pv = fmt.Sprintf("%d:%s", p.Epoch, pv)
+					}
+					pkgs[p.Name] = models.Package{
+						Name:    p.Name,
+						Version: pv,
+						Release: p.Release,
+						Arch:    p.Arch,
+					}
 				}
-				if p.Name != p.SrcName {
-					if v, ok := srcPkgs[p.SrcName]; !ok {
-						srcPkgs[p.SrcName] = models.SrcPackage{
-							Name:        p.SrcName,
-							Version:     p.SrcVersion,
-							BinaryNames: []string{p.Name},
-						}
-					} else {
-						v.AddBinaryName(p.Name)
-						srcPkgs[p.SrcName] = v
+
+				v, ok := srcPkgs[p.SrcName]
+				if !ok {
+					sv := p.SrcVersion
+					if p.SrcRelease != "" {
+						sv = fmt.Sprintf("%s-%s", sv, p.SrcRelease)
+					}
+					if p.SrcEpoch > 0 {
+						sv = fmt.Sprintf("%d:%s", p.SrcEpoch, sv)
+					}
+					v = models.SrcPackage{
+						Name:    p.SrcName,
+						Version: sv,
 					}
 				}
+				v.AddBinaryName(p.Name)
+				srcPkgs[p.SrcName] = v
 			}
 		} else if trivyResult.Class == types.ClassLangPkg {
 			libScanner := uniqueLibraryScannerPaths[trivyResult.Target]

models/packages.go

@@ -6,6 +6,7 @@ import (
 	"regexp"
 	"strings"
 
+	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 )
 
@@ -234,15 +235,10 @@ type SrcPackage struct {
 
 // AddBinaryName add the name if not exists
 func (s *SrcPackage) AddBinaryName(name string) {
-	found := false
-	for _, n := range s.BinaryNames {
-		if n == name {
-			return
-		}
-	}
-	if !found {
-		s.BinaryNames = append(s.BinaryNames, name)
+	if slices.Contains(s.BinaryNames, name) {
+		return
 	}
+	s.BinaryNames = append(s.BinaryNames, name)
 }
 
 // SrcPackages is Map of SrcPackage