feat(db): add support for vuln-list-aqua (#478)

aquasecurity · Dec 19, 2024 · 996f556 · 996f556
1 parent 8c398f1
commit 996f556
Show file tree

Hide file tree

Showing 8 changed files with 236 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -104,3 +104,5 @@ db-fetch-vuln-list:
 	wget -qO - https://github.com/$(REPO_OWNER)/vuln-list-debian/archive/main.tar.gz | tar xz -C $(CACHE_DIR)/vuln-list-debian --strip-components=1
 	mkdir -p $(CACHE_DIR)/vuln-list-nvd
 	wget -qO - https://github.com/$(REPO_OWNER)/vuln-list-nvd/archive/main.tar.gz | tar xz -C $(CACHE_DIR)/vuln-list-nvd --strip-components=1
+	mkdir -p $(CACHE_DIR)/vuln-list-aqua
+	wget -qO - https://github.com/$(REPO_OWNER)/vuln-list-aqua/archive/main.tar.gz | tar xz -C $(CACHE_DIR)/vuln-list-aqua --strip-components=1
diff --git a/pkg/vulnsrc/aqua/aqua.go b/pkg/vulnsrc/aqua/aqua.go
@@ -0,0 +1,38 @@
+package aqua
+
+import (
+	"path/filepath"
+
+	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/osv"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
+)
+
+const (
+	sourceID = vulnerability.Aqua
+)
+
+var vulnsDir = filepath.Join("vuln-list-aqua", "vulns")
+
+type VulnSrc struct{}
+
+func NewVulnSrc() VulnSrc {
+	return VulnSrc{}
+}
+
+func (VulnSrc) Name() types.SourceID {
+	return sourceID
+}
+
+func (VulnSrc) Update(root string) error {
+	dataSources := map[types.Ecosystem]types.DataSource{}
+	for _, ecosystem := range vulnerability.Ecosystems {
+		dataSources[ecosystem] = types.DataSource{
+			ID:   sourceID,
+			Name: "The Aqua Security Vulnerability Database",
+			URL:  "https://github.com/aquasecurity/vuln-list-aqua",
+		}
+	}
+
+	return osv.New(vulnsDir, sourceID, dataSources, nil).Update(root)
+}
diff --git a/pkg/vulnsrc/aqua/aqua_test.go b/pkg/vulnsrc/aqua/aqua_test.go
@@ -0,0 +1,117 @@
+package aqua_test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/aqua"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
+)
+
+func TestVulnSrc_Update(t *testing.T) {
+	tests := []struct {
+		name       string
+		dir        string
+		wantValues []vulnsrctest.WantValues
+		noBuckets  [][]string
+		wantErr    string
+	}{
+		{
+			name: "happy path",
+			dir:  filepath.Join("testdata", "happy"),
+			wantValues: []vulnsrctest.WantValues{
+				{
+					Key: []string{
+						"data-source",
+						"pip::The Aqua Security Vulnerability Database",
+					},
+					Value: types.DataSource{
+						ID:   vulnerability.Aqua,
+						Name: "The Aqua Security Vulnerability Database",
+						URL:  "https://github.com/aquasecurity/vuln-list-aqua",
+					},
+				},
+				{
+					Key: []string{
+						"advisory-detail",
+						"AQUA-2024-0001",
+						"pip::The Aqua Security Vulnerability Database",
+						"ultralytics",
+					},
+					Value: types.Advisory{
+						PatchedVersions: []string{
+							"8.3.43",
+							"8.3.47",
+						},
+						VulnerableVersions: []string{
+							">=8.3.41, <8.3.43",
+							">=8.3.45, <8.3.47",
+						},
+					},
+				},
+				{
+					Key: []string{
+						"vulnerability-detail",
+						"AQUA-2024-0001",
+						"aqua",
+					},
+					Value: types.VulnerabilityDetail{
+						Title:       "Vulnerable app versions contains xmrig cryptominer",
+						Description: "Affected versions of this package are vulnerable to Malicious Embedded Code. These versions have been compromised to install an xmrig cryptominer when installed from PyPI (e.g. via default pip options, without specifying a git URL).",
+						References: []string{
+							"https://github.com/ultralytics/ultralytics/issues/18027",
+							"https://github.com/ultralytics/ultralytics/issues/18030",
+						},
+						CvssScoreV3:  9.8,
+						CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+					},
+				},
+				{
+					Key: []string{
+						"vulnerability-id",
+						"AQUA-2024-0001",
+					},
+					Value: map[string]interface{}{},
+				},
+			},
+			noBuckets: [][]string{
+				// We should save only stdlib packages
+				{
+					"advisory-detail",
+					"CVE-2021-41803",
+				},
+				{
+					"vulnerability-detail",
+					"CVE-2021-41803",
+				},
+				{
+					"vulnerability-id",
+					"CVE-2021-41803",
+				},
+			},
+		},
+		{
+			name:    "sad path (dir doesn't exist)",
+			dir:     filepath.Join("testdata", "badPath"),
+			wantErr: "no such file or directory",
+		},
+		{
+			name:    "sad path (failed to decode)",
+			dir:     filepath.Join("testdata", "sad"),
+			wantErr: "JSON decode error",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			vs := aqua.NewVulnSrc()
+			vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{
+				Dir:        tt.dir,
+				WantValues: tt.wantValues,
+				WantErr:    tt.wantErr,
+				NoBuckets:  tt.noBuckets,
+			})
+		})
+	}
+}
diff --git a/pkg/vulnsrc/aqua/testdata/happy/vuln-list-aqua/vulns/AQUA-2024-0001.json b/pkg/vulnsrc/aqua/testdata/happy/vuln-list-aqua/vulns/AQUA-2024-0001.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.6.7",
+  "id": "AQUA-2024-0001",
+  "modified": "2024-12-18T12:00:00Z",
+  "published": "2024-12-18T12:00:00Z",
+  "summary": "Vulnerable app versions contains xmrig cryptominer",
+  "details": "Affected versions of this package are vulnerable to Malicious Embedded Code. These versions have been compromised to install an xmrig cryptominer when installed from PyPI (e.g. via default pip options, without specifying a git URL).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "ultralytics",
+        "purl": "pkg:pypi/ultralytics"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.3.41"
+            },
+            {
+              "fixed": "8.3.43"
+            },
+            {
+              "introduced": "8.3.45"
+            },
+            {
+              "fixed": "8.3.47"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "REPORT",
+      "url": "https://github.com/ultralytics/ultralytics/issues/18027"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/ultralytics/ultralytics/issues/18030"
+    }
+  ]
+}
diff --git a/pkg/vulnsrc/aqua/testdata/sad/vuln-list-aqua/vulns/AQUA-2024-0001.json b/pkg/vulnsrc/aqua/testdata/sad/vuln-list-aqua/vulns/AQUA-2024-0001.json
@@ -0,0 +1 @@
+{
diff --git a/pkg/vulnsrc/vulnerability/const.go b/pkg/vulnsrc/vulnerability/const.go
@@ -32,6 +32,7 @@ const (
 	BitnamiVulndb         types.SourceID = "bitnami"
 	K8sVulnDB             types.SourceID = "k8s"
 	GoVulnDB              types.SourceID = "govulndb"
+	Aqua                  types.SourceID = "aqua"
 
 	// Ecosystem
 	Unknown    types.Ecosystem = "unknown"
@@ -51,3 +52,21 @@ const (
 	Bitnami    types.Ecosystem = "bitnami"
 	Kubernetes types.Ecosystem = "k8s"
 )
+
+var Ecosystems = []types.Ecosystem{
+	Npm,
+	Composer,
+	Pip,
+	RubyGems,
+	Cargo,
+	NuGet,
+	Maven,
+	Go,
+	Conan,
+	Erlang,
+	Pub,
+	Swift,
+	Cocoapods,
+	Bitnami,
+	Kubernetes,
+}
diff --git a/pkg/vulnsrc/vulnerability/vulnerability.go b/pkg/vulnsrc/vulnerability/vulnerability.go
@@ -14,8 +14,10 @@ const (
 )
 
 var (
-	sources = []types.SourceID{NVD, RedHat, Debian, Ubuntu, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon,
-		ArchLinux, Alma, Rocky, CBLMariner, AzureLinux, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD, OSV, K8sVulnDB,
+	sources = []types.SourceID{
+		NVD, RedHat, Debian, Ubuntu, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon,
+		ArchLinux, Alma, Rocky, CBLMariner, AzureLinux, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD,
+		Aqua, OSV, K8sVulnDB,
 	}
 )
 

diff --git a/pkg/vulnsrc/vulnsrc.go b/pkg/vulnsrc/vulnsrc.go
@@ -5,6 +5,7 @@ import (
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alma"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/alpine"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/amazon"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/aqua"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/bitnami"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/bundler"
@@ -66,5 +67,7 @@ var (
 		ghsa.NewVulnSrc(),
 		glad.NewVulnSrc(),
 		govulndb.NewVulnSrc(), // For Go stdlib packages
+
+		aqua.NewVulnSrc(),
 	}
 )