future-architect · shino · Mar 7, 2024 · Mar 5, 2024 · Mar 5, 2024 · Mar 5, 2024
diff --git a/contrib/trivy/parser/v2/parser_test.go b/contrib/trivy/parser/v2/parser_test.go
@@ -136,6 +136,9 @@ var redisTrivy = []byte(`
       "Packages": [
         {
           "Name": "adduser",
+          "Identifier": {
+            "PURL": "pkg:deb/debian/[email protected]?arch=all\u0026distro=debian-10.10"
+          },
           "Version": "3.118",
           "SrcName": "adduser",
           "SrcVersion": "3.118",
@@ -145,6 +148,9 @@ var redisTrivy = []byte(`
         },
         {
           "Name": "apt",
+          "Identifier": {
+            "PURL": "pkg:deb/debian/[email protected]?arch=amd64\u0026distro=debian-10.10"
+          },
           "Version": "1.8.2.3",
           "SrcName": "apt",
           "SrcVersion": "1.8.2.3",
@@ -154,6 +160,9 @@ var redisTrivy = []byte(`
         },
         {
           "Name": "bsdutils",
+          "Identifier": {
+            "PURL": "pkg:deb/debian/[email protected]?arch=amd64\u0026distro=debian-10.10\u0026epoch=1"
+          },
           "Version": "1:2.33.1-0.1",
           "SrcName": "util-linux",
           "SrcVersion": "2.33.1-0.1",
@@ -163,6 +172,9 @@ var redisTrivy = []byte(`
         },
         {
           "Name": "pkgA",
+          "Identifier": {
+            "PURL": "pkg:deb/debian/[email protected]?arch=amd64\u0026distro=debian-10.10\u0026epoch=1"
+          },
           "Version": "1:2.33.1-0.1",
           "SrcName": "util-linux",
           "SrcVersion": "2.33.1-0.1",
@@ -308,16 +320,25 @@ var strutsTrivy = []byte(`
       "Packages": [
         {
           "Name": "oro:oro",
+          "Identifier": {
+            "PURL": "pkg:maven/oro/[email protected]"
+          },
           "Version": "2.0.7",
           "Layer": {}
         },
         {
           "Name": "struts:struts",
+          "Identifier": {
+            "PURL": "pkg:maven/struts/[email protected]"
+          },
           "Version": "1.2.7",
           "Layer": {}
         },
         {
           "Name": "commons-beanutils:commons-beanutils",
+          "Identifier": {
+            "PURL": "pkg:maven/commons-beanutils/[email protected]"
+          },
           "Version": "1.7.0",
           "Layer": {}
         }
@@ -459,16 +480,19 @@ var strutsSR = &models.ScanResult{
 			LockfilePath: "Java",
 			Libs: []models.Library{
 				{
-					Name:    "commons-beanutils:commons-beanutils",
-					Version: "1.7.0",
+					Name:       "commons-beanutils:commons-beanutils",
+					PackageURL: "pkg:maven/commons-beanutils/[email protected]",
+					Version:    "1.7.0",
 				},
 				{
-					Name:    "oro:oro",
-					Version: "2.0.7",
+					Name:       "oro:oro",
+					PackageURL: "pkg:maven/oro/[email protected]",
+					Version:    "2.0.7",
 				},
 				{
-					Name:    "struts:struts",
-					Version: "1.2.7",
+					Name:       "struts:struts",
+					PackageURL: "pkg:maven/struts/[email protected]",
+					Version:    "1.2.7",
 				},
 			},
 		},
@@ -540,6 +564,9 @@ var osAndLibTrivy = []byte(`
       "Packages": [
         {
           "Name": "libgnutls30",
+          "Identifier": {
+            "PURL": "pkg:deb/debian/[email protected]?arch=amd64\u0026distro=debian-10.2"
+          },
           "Version": "3.6.7-4",
           "SrcName": "gnutls28",
           "SrcVersion": "3.6.7-4",
@@ -594,6 +621,9 @@ var osAndLibTrivy = []byte(`
       "Packages": [
         {
           "Name": "activesupport",
+          "Identifier": {
+            "PURL": "pkg:gem/[email protected]"
+          },
           "Version": "6.0.2.1",
           "License": "MIT",
           "Layer": {
@@ -715,9 +745,10 @@ var osAndLibSR = &models.ScanResult{
 			LockfilePath: "Ruby",
 			Libs: []models.Library{
 				{
-					Name:     "activesupport",
-					Version:  "6.0.2.1",
-					FilePath: "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
+					Name:       "activesupport",
+					Version:    "6.0.2.1",
+					PackageURL: "pkg:gem/[email protected]",
+					FilePath:   "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
 				},
 			},
 		},
@@ -1010,9 +1041,10 @@ var osAndLib2SR = &models.ScanResult{
 			LockfilePath: "Ruby",
 			Libs: []models.Library{
 				{
-					Name:     "activesupport",
-					Version:  "6.0.2.1",
-					FilePath: "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
+					Name:       "activesupport",
+					Version:    "6.0.2.1",
+					PackageURL: "",
+					FilePath:   "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
 				},
 			},
 		},

diff --git a/contrib/trivy/pkg/converter.go b/contrib/trivy/pkg/converter.go
@@ -17,7 +17,6 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 		JSONVersion: models.JSONVersion,
 		ScannedCves: models.VulnInfos{},
 	}
-
 	pkgs := models.Packages{}
 	srcPkgs := models.SrcPackages{}
 	vulnInfos := models.VulnInfos{}
@@ -147,9 +146,10 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 			libScanner.Type = trivyResult.Type
 			for _, p := range trivyResult.Packages {
 				libScanner.Libs = append(libScanner.Libs, models.Library{
-					Name:     p.Name,
-					Version:  p.Version,
-					FilePath: p.FilePath,
+					Name:       p.Name,
+					Version:    p.Version,
+					PackageURL: getPURL(p),
+					FilePath:   p.FilePath,
 				})
 			}
 			uniqueLibraryScannerPaths[trivyResult.Target] = libScanner
@@ -214,3 +214,10 @@ func isTrivySupportedOS(family ftypes.TargetType) bool {
 	_, ok := supportedFamilies[family]
 	return ok
 }
+
+func getPURL(p ftypes.Package) string {
+	if p.Identifier.PURL == nil {
+		return ""
+	}
+	return p.Identifier.PURL.String()
+}
diff --git a/models/library.go b/models/library.go
@@ -56,8 +56,9 @@ type LibraryScanner struct {
 
 // Library holds the attribute of a package library
 type Library struct {
-	Name    string
-	Version string
+	Name       string
+	Version    string
+	PackageURL string
 
 	// The Path to the library in the container image. Empty string when Lockfile scan.
 	// This field is used to convert the result JSON of a `trivy image` using trivy-to-vuls.

diff --git a/models/library_test.go b/models/library_test.go
@@ -23,17 +23,19 @@ func TestLibraryScanners_Find(t *testing.T) {
 					LockfilePath: "/pathA",
 					Libs: []Library{
 						{
-							Name:    "libA",
-							Version: "1.0.0",
+							Name:       "libA",
+							Version:    "1.0.0",
+							PackageURL: "scheme/type/namespace/[email protected]?qualifiers#subpath",
 						},
 					},
 				},
 			},
 			args: args{"/pathA", "libA"},
 			want: map[string]Library{
 				"/pathA": {
-					Name:    "libA",
-					Version: "1.0.0",
+					Name:       "libA",
+					Version:    "1.0.0",
+					PackageURL: "scheme/type/namespace/[email protected]?qualifiers#subpath",
 				},
 			},
 		},
@@ -44,26 +46,29 @@ func TestLibraryScanners_Find(t *testing.T) {
 					LockfilePath: "/pathA",
 					Libs: []Library{
 						{
-							Name:    "libA",
-							Version: "1.0.0",
+							Name:       "libA",
+							Version:    "1.0.0",
+							PackageURL: "scheme/type/namespace/[email protected]?qualifiers#subpath",
 						},
 					},
 				},
 				{
 					LockfilePath: "/pathB",
 					Libs: []Library{
 						{
-							Name:    "libA",
-							Version: "1.0.5",
+							Name:       "libA",
+							Version:    "1.0.5",
+							PackageURL: "scheme/type/namespace/[email protected]?qualifiers#subpath",
 						},
 					},
 				},
 			},
 			args: args{"/pathA", "libA"},
 			want: map[string]Library{
 				"/pathA": {
-					Name:    "libA",
-					Version: "1.0.0",
+					Name:       "libA",
+					Version:    "1.0.0",
+					PackageURL: "scheme/type/namespace/[email protected]?qualifiers#subpath",
 				},
 			},
 		},
@@ -74,8 +79,9 @@ func TestLibraryScanners_Find(t *testing.T) {
 					LockfilePath: "/pathA",
 					Libs: []Library{
 						{
-							Name:    "libA",
-							Version: "1.0.0",
+							Name:       "libA",
+							Version:    "1.0.0",
+							PackageURL: "scheme/type/namespace/[email protected]?qualifiers#subpath",
 						},
 					},
 				},

diff --git a/scanner/library.go b/scanner/library.go
@@ -1,20 +1,25 @@
 package scanner
 
 import (
-	"github.com/aquasecurity/trivy/pkg/fanal/types"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+	"github.com/aquasecurity/trivy/pkg/purl"
+	"github.com/aquasecurity/trivy/pkg/types"
+
+	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
 )
 
-func convertLibWithScanner(apps []types.Application) ([]models.LibraryScanner, error) {
-	scanners := []models.LibraryScanner{}
+func convertLibWithScanner(apps []ftypes.Application) ([]models.LibraryScanner, error) {
+	scanners := make([]models.LibraryScanner, 0, len(apps))
 	for _, app := range apps {
-		libs := []models.Library{}
+		libs := make([]models.Library, 0, len(app.Libraries))
 		for _, lib := range app.Libraries {
 			libs = append(libs, models.Library{
-				Name:     lib.Name,
-				Version:  lib.Version,
-				FilePath: lib.FilePath,
-				Digest:   string(lib.Digest),
+				Name:       lib.Name,
+				Version:    lib.Version,
+				PackageURL: newPURL(app.Type, types.Metadata{}, lib),
+				FilePath:   lib.FilePath,
+				Digest:     string(lib.Digest),
 			})
 		}
 		scanners = append(scanners, models.LibraryScanner{
@@ -25,3 +30,15 @@ func convertLibWithScanner(apps []types.Application) ([]models.LibraryScanner, e
 	}
 	return scanners, nil
 }
+
+func newPURL(pkgType ftypes.TargetType, metadata types.Metadata, pkg ftypes.Package) string {
+	p, err := purl.New(pkgType, metadata, pkg)
+	if err != nil {
+		logging.Log.Errorf("Failed to create PackageURL: %+v", err)
+		return ""
+	}
+	if p == nil {
+		return ""
+	}
+	return p.Unwrap().ToString()
+}