Update trivy from 0.35.0 to 0.49.1

GNUmakefile

@@ -3,7 +3,7 @@
 	install \
 	all \
 	vendor \
- 	lint \
+	lint \
 	vet \
 	fmt \
 	fmtcheck \

config/config.go

@@ -76,7 +76,6 @@ type ScanOpts struct {
 type ReportOpts struct {
 	CvssScoreOver       float64 `json:"cvssScoreOver,omitempty"`
 	ConfidenceScoreOver int     `json:"confidenceScoreOver,omitempty"`
-	TrivyCacheDBDir     string  `json:"trivyCacheDBDir,omitempty"`
 	NoProgress          bool    `json:"noProgress,omitempty"`
 	RefreshCve          bool    `json:"refreshCve,omitempty"`
 	IgnoreUnfixed       bool    `json:"ignoreUnfixed,omitempty"`
@@ -85,6 +84,15 @@ type ReportOpts struct {
 	DiffMinus           bool    `json:"diffMinus,omitempty"`
 	Diff                bool    `json:"diff,omitempty"`
 	Lang                string  `json:"lang,omitempty"`
+
+	TrivyOpts
+}
+
+// TrivyOpts is options for trivy DBs
+type TrivyOpts struct {
+	TrivyCacheDBDir       string `json:"trivyCacheDBDir,omitempty"`
+	TrivyJavaDBRepository string `json:"trivyJavaDBRepository,omitempty"`
+	TrivySkipJavaDBUpdate bool   `json:"trivySkipJavaDBUpdate,omitempty"`
 }
 
 // ValidateOnConfigtest validates

contrib/future-vuls/README.md

@@ -6,11 +6,11 @@
   - upload vuls results json to future-vuls
 
 - `future-vuls discover`
- -  Explore hosts within the CIDR range using the ping command
- -  Describe the information including CPE on the found hosts in a toml-formatted file.
- -  Exec snmp2cpe(https://github.com/future-architect/vuls/pull/1625) to active hosts to obtain CPE<br>
-Commands running internally　　`snmp2cpe v2c {IPAddr} public  | snmp2cpe convert`<br>
-   
+ -  Explores hosts within the CIDR range using the ping command
+ -  Describes the information including CPEs on the found hosts in a toml-formatted file
+ -  Executes snmp2cpe(https://github.com/future-architect/vuls/pull/1625) to active hosts to obtain CPE,
+    Commands running internally `snmp2cpe v2c {IPAddr} public  | snmp2cpe convert`
+
 Structure of toml-formatted file
 ```
 [server.{ip}]
@@ -23,12 +23,12 @@ fvuls_sync = false
 
 - `future-vuls add-cpe`
   -  Create pseudo server to Fvuls to obtain uuid and Upload CPE information on the specified(FvulsSync is true and UUID is obtained) hosts to Fvuls
-  -  Fvuls_Sync must be rewritten to true to designate it as the target of the command<br><br>
+  -  Fvuls_Sync must be rewritten to true to designate it as the target of the command
 
 
-1.　`future-vuls discover`
+1. `future-vuls discover`
 
-2.　`future-vuls add-cpe`
+2. `future-vuls add-cpe`
 
 These two commands are used to manage the CPE of network devices, and by executing the commands in the order from the top, you can manage the CPE of each device in Fvuls
 

contrib/trivy/parser/v2/parser.go

@@ -46,15 +46,13 @@ func setScanResultMeta(scanResult *models.ScanResult, report *types.Report) erro
 	scanResult.ServerName = report.ArtifactName
 	if report.ArtifactType == "container_image" {
 		matches := dockerTagPattern.FindStringSubmatch(report.ArtifactName)
-		var imageName, imageTag string
+		// initial values are for without image tag
+		var imageName = report.ArtifactName
+		var imageTag = "latest" // Complement if the tag is omitted
 		if 2 < len(matches) {
 			// including the image tag
 			imageName = matches[1]
 			imageTag = matches[2]
-		} else {
-			// no image tag
-			imageName = report.ArtifactName
-			imageTag = "latest" // Complement if the tag is omitted
 		}
 		scanResult.ServerName = fmt.Sprintf("%s:%s", imageName, imageTag)
 		if scanResult.Optional == nil {
@@ -64,11 +62,10 @@ func setScanResultMeta(scanResult *models.ScanResult, report *types.Report) erro
 		scanResult.Optional["TRIVY_IMAGE_TAG"] = imageTag
 	}
 
+	scanResult.Family = constant.ServerTypePseudo
 	if report.Metadata.OS != nil {
-		scanResult.Family = report.Metadata.OS.Family
+		scanResult.Family = string(report.Metadata.OS.Family)
 		scanResult.Release = report.Metadata.OS.Name
-	} else {
-		scanResult.Family = constant.ServerTypePseudo
 	}
 
 	scanResult.ScannedAt = time.Now()

contrib/trivy/pkg/converter.go

@@ -5,7 +5,7 @@ import (
 	"sort"
 	"time"
 
-	"github.com/aquasecurity/trivy/pkg/fanal/analyzer/os"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 
 	"github.com/future-architect/vuls/models"
@@ -92,7 +92,7 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 				})
 			} else {
 				vulnInfo.LibraryFixedIns = append(vulnInfo.LibraryFixedIns, models.LibraryFixedIn{
-					Key:     trivyResult.Type,
+					Key:     string(trivyResult.Type),
 					Name:    vuln.PkgName,
 					Path:    trivyResult.Target,
 					FixedIn: vuln.FixedVersion,
@@ -190,24 +190,26 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 	return scanResult, nil
 }
 
-func isTrivySupportedOS(family string) bool {
-	supportedFamilies := map[string]struct{}{
-		os.RedHat:             {},
-		os.Debian:             {},
-		os.Ubuntu:             {},
-		os.CentOS:             {},
-		os.Rocky:              {},
-		os.Alma:               {},
-		os.Fedora:             {},
-		os.Amazon:             {},
-		os.Oracle:             {},
-		os.Windows:            {},
-		os.OpenSUSE:           {},
-		os.OpenSUSELeap:       {},
-		os.OpenSUSETumbleweed: {},
-		os.SLES:               {},
-		os.Photon:             {},
-		os.Alpine:             {},
+func isTrivySupportedOS(family ftypes.TargetType) bool {
+	supportedFamilies := map[ftypes.TargetType]struct{}{
+		ftypes.Alma:               {},
+		ftypes.Alpine:             {},
+		ftypes.Amazon:             {},
+		ftypes.CBLMariner:         {},
+		ftypes.CentOS:             {},
+		ftypes.Chainguard:         {},
+		ftypes.Debian:             {},
+		ftypes.Fedora:             {},
+		ftypes.OpenSUSE:           {},
+		ftypes.OpenSUSELeap:       {},
+		ftypes.OpenSUSETumbleweed: {},
+		ftypes.Oracle:             {},
+		ftypes.Photon:             {},
+		ftypes.RedHat:             {},
+		ftypes.Rocky:              {},
+		ftypes.SLES:               {},
+		ftypes.Ubuntu:             {},
+		ftypes.Wolfi:              {},
 	}
 	_, ok := supportedFamilies[family]
 	return ok

detector/detector.go

@@ -46,7 +46,7 @@ func Detect(rs []models.ScanResult, dir string) ([]models.ScanResult, error) {
 			r.ScannedCves = models.VulnInfos{}
 		}
 
-		if err := DetectLibsCves(&r, config.Conf.TrivyCacheDBDir, config.Conf.NoProgress); err != nil {
+		if err := DetectLibsCves(&r, config.Conf.TrivyOpts, config.Conf.LogOpts, config.Conf.NoProgress); err != nil {
 			return nil, xerrors.Errorf("Failed to fill with Library dependency: %w", err)
 		}
 

detector/library.go

@@ -9,40 +9,56 @@ import (
 	trivydb "github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
 	"github.com/aquasecurity/trivy/pkg/db"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/javadb"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"golang.org/x/xerrors"
 
+	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
 )
 
 // DetectLibsCves fills LibraryScanner information
-func DetectLibsCves(r *models.ScanResult, cacheDir string, noProgress bool) (err error) {
+func DetectLibsCves(r *models.ScanResult, trivyOpts config.TrivyOpts, logOpts logging.LogOpts, noProgress bool) (err error) {
 	totalCnt := 0
 	if len(r.LibraryScanners) == 0 {
 		return
 	}
 
 	// initialize trivy's logger and db
-	err = log.InitLogger(false, false)
+	err = log.InitLogger(logOpts.Debug, logOpts.Quiet)
 	if err != nil {
-		return err
+		return xerrors.Errorf("Failed to init trivy logger. err: %w", err)
 	}
 
 	logging.Log.Info("Updating library db...")
-	if err := downloadDB("", cacheDir, noProgress, false); err != nil {
-		return err
+	if err := downloadDB("", trivyOpts, noProgress, false); err != nil {
+		return xerrors.Errorf("Failed to download trivy DB. err: %w", err)
 	}
-
-	if err := trivydb.Init(cacheDir); err != nil {
-		return err
+	if err := trivydb.Init(trivyOpts.TrivyCacheDBDir); err != nil {
+		return xerrors.Errorf("Failed to init trivy DB. err: %w", err)
 	}
 	defer trivydb.Close()
 
+	var javaDBClient *javadb.DB
+	defer javaDBClient.Close()
 	for _, lib := range r.LibraryScanners {
+		if lib.Type == ftypes.Jar {
+			if javaDBClient == nil {
+				javadb.Init(trivyOpts.TrivyCacheDBDir, trivyOpts.TrivyJavaDBRepository, trivyOpts.TrivySkipJavaDBUpdate, noProgress, ftypes.RegistryOptions{})
+
+				javaDBClient, err = javadb.NewClient()
+				if err != nil {
+					return xerrors.Errorf("Failed to download or open trivy Java DB. err: %w", err)
+				}
+			}
+			lib.JavaDBClient = javaDBClient
+		}
+
 		vinfos, err := lib.Scan()
 		if err != nil {
-			return err
+			return xerrors.Errorf("Failed to scan library. err: %w", err)
 		}
 		for _, vinfo := range vinfos {
 			vinfo.Confidences.AppendIfMissing(models.TrivyMatch)
@@ -62,8 +78,8 @@ func DetectLibsCves(r *models.ScanResult, cacheDir string, noProgress bool) (err
 	return nil
 }
 
-func downloadDB(appVersion, cacheDir string, quiet, skipUpdate bool) error {
-	client := db.NewClient(cacheDir, quiet, false)
+func downloadDB(appVersion string, trivyOpts config.TrivyOpts, noProgress, skipUpdate bool) error {
+	client := db.NewClient(trivyOpts.TrivyCacheDBDir, noProgress)
 	ctx := context.Background()
 	needsUpdate, err := client.NeedsUpdate(appVersion, skipUpdate)
 	if err != nil {
@@ -73,14 +89,14 @@ func downloadDB(appVersion, cacheDir string, quiet, skipUpdate bool) error {
 	if needsUpdate {
 		logging.Log.Info("Need to update DB")
 		logging.Log.Info("Downloading DB...")
-		if err := client.Download(ctx, cacheDir); err != nil {
-			return xerrors.Errorf("failed to download vulnerability DB: %w", err)
+		if err := client.Download(ctx, trivyOpts.TrivyCacheDBDir, ftypes.RegistryOptions{}); err != nil {
+			return xerrors.Errorf("Failed to download vulnerability DB. err: %w", err)
 		}
 	}
 
 	// for debug
-	if err := showDBInfo(cacheDir); err != nil {
-		return xerrors.Errorf("failed to show database info: %w", err)
+	if err := showDBInfo(trivyOpts.TrivyCacheDBDir); err != nil {
+		return xerrors.Errorf("Failed to show database info. err: %w", err)
 	}
 	return nil
 }
@@ -89,7 +105,7 @@ func showDBInfo(cacheDir string) error {
 	m := metadata.NewClient(cacheDir)
 	meta, err := m.Get()
 	if err != nil {
-		return xerrors.Errorf("something wrong with DB: %w", err)
+		return xerrors.Errorf("Failed to get DB metadata. err: %w", err)
 	}
 	log.Logger.Debugf("DB Schema: %d, UpdatedAt: %s, NextUpdate: %s, DownloadedAt: %s",
 		meta.Version, meta.UpdatedAt, meta.NextUpdate, meta.DownloadedAt)