From 2b346089d0de5f4166d61a1af6a698dab918b314 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 26 May 2025 16:34:56 +0600 Subject: [PATCH 1/3] fix(alpine): handle cases with only non-CVE-ID in vulnerability IDs --- pkg/vulnsrc/alpine/alpine.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/vulnsrc/alpine/alpine.go b/pkg/vulnsrc/alpine/alpine.go index 32a45ecb3..ec7afec32 100644 --- a/pkg/vulnsrc/alpine/alpine.go +++ b/pkg/vulnsrc/alpine/alpine.go @@ -100,7 +100,10 @@ func (vs VulnSrc) saveSecFixes(tx *bolt.Tx, platform, pkgName string, secfixes m ids := strings.Fields(vulnID) for _, cveID := range ids { cveID = strings.ReplaceAll(cveID, "CVE_", "CVE-") - if !strings.HasPrefix(cveID, "CVE-") { + // Possible cases when vulnID contains only one non-CVE-ID + // e.g. only GHSA-ID + // cf. https://github.com/aquasecurity/vuln-list/blob/a830a1cc031f51a29a1a6f1c28d8366bbb5e7b64/alpine/3.21/community/vaultwarden.json#L9-L13 + if !strings.HasPrefix(cveID, "CVE-") && len(ids) > 1 { continue } if err := vs.dbc.PutAdvisoryDetail(tx, cveID, pkgName, []string{platform}, advisory); err != nil { From dd6c1e5eb2cdae96ddc815cf83dadf0b193eeb8f Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 26 May 2025 16:35:15 +0600 Subject: [PATCH 2/3] test(alpine): add tests cases --- pkg/vulnsrc/alpine/alpine_test.go | 60 +++++++++++++++++++ .../happy/vuln-list/alpine/ansible.json | 5 +- 2 files changed, 64 insertions(+), 1 deletion(-) diff --git a/pkg/vulnsrc/alpine/alpine_test.go b/pkg/vulnsrc/alpine/alpine_test.go index 211a2db11..9f75a6d3b 100644 --- a/pkg/vulnsrc/alpine/alpine_test.go +++ b/pkg/vulnsrc/alpine/alpine_test.go @@ -41,12 +41,72 @@ func TestVulnSrc_Update(t *testing.T) { FixedVersion: "2.9.3-r0", }, }, + { + Key: []string{"advisory-detail", "CVE-2024-22195", "alpine 3.12", "ansible"}, + Value: types.Advisory{ + FixedVersion: "2.9.3-r0", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2017-2616", "alpine 3.12", "ansible"}, + Value: types.Advisory{ + FixedVersion: "2.9.3-r0", + }, + }, + { + Key: []string{"advisory-detail", "GHSA-f7r5-w49x-gxm3", "alpine 3.12", "ansible"}, + Value: types.Advisory{ + FixedVersion: "2.9.3-r0", + }, + }, { Key: []string{"advisory-detail", "CVE-2020-1737", "alpine 3.12", "ansible"}, Value: types.Advisory{ FixedVersion: "2.9.6-r0", }, }, + { + Key: []string{ + "vulnerability-id", + "CVE-2019-14904", + }, + Value: map[string]interface{}{}, + }, + { + Key: []string{ + "vulnerability-id", + "CVE-2019-14905", + }, + Value: map[string]interface{}{}, + }, + { + Key: []string{ + "vulnerability-id", + "CVE-2024-22195", + }, + Value: map[string]interface{}{}, + }, + { + Key: []string{ + "vulnerability-id", + "CVE-2017-2616", + }, + Value: map[string]interface{}{}, + }, + { + Key: []string{ + "vulnerability-id", + "GHSA-f7r5-w49x-gxm3", + }, + Value: map[string]interface{}{}, + }, + { + Key: []string{ + "vulnerability-id", + "CVE-2020-1737", + }, + Value: map[string]interface{}{}, + }, }, }, { diff --git a/pkg/vulnsrc/alpine/testdata/happy/vuln-list/alpine/ansible.json b/pkg/vulnsrc/alpine/testdata/happy/vuln-list/alpine/ansible.json index 69c704c58..7bd87e952 100644 --- a/pkg/vulnsrc/alpine/testdata/happy/vuln-list/alpine/ansible.json +++ b/pkg/vulnsrc/alpine/testdata/happy/vuln-list/alpine/ansible.json @@ -3,7 +3,10 @@ "secfixes": { "2.9.3-r0": [ "CVE-2019-14904", - "CVE-2019-14905" + "CVE-2019-14905", + "CVE-2024-22195 GHSA-h5c8-rqwp-cp95", + "CVE-2017-2616 (+ regression fix)", + "GHSA-f7r5-w49x-gxm3" ], "2.9.6-r0": [ "CVE-2020-1737" From 83c3e1923ae8a0884f7982d28fbdd28e421c83b3 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 28 May 2025 13:21:11 +0600 Subject: [PATCH 3/3] refactor(alpine): use stricter parsing for vuln-ids --- pkg/vulnsrc/alpine/alpine.go | 37 ++++++++++++------- pkg/vulnsrc/alpine/alpine_test.go | 13 +++++++ .../happy/vuln-list/alpine/ansible.json | 3 +- 3 files changed, 38 insertions(+), 15 deletions(-) diff --git a/pkg/vulnsrc/alpine/alpine.go b/pkg/vulnsrc/alpine/alpine.go index ec7afec32..ccdd1c193 100644 --- a/pkg/vulnsrc/alpine/alpine.go +++ b/pkg/vulnsrc/alpine/alpine.go @@ -97,23 +97,32 @@ func (vs VulnSrc) saveSecFixes(tx *bolt.Tx, platform, pkgName string, secfixes m for _, vulnID := range vulnIDs { // See https://gitlab.alpinelinux.org/alpine/infra/docker/secdb/-/issues/3 // e.g. CVE-2017-2616 (+ regression fix) + // e.g. GHSA-h6cc-rc6q-23j4 (+regression fix) ids := strings.Fields(vulnID) - for _, cveID := range ids { - cveID = strings.ReplaceAll(cveID, "CVE_", "CVE-") - // Possible cases when vulnID contains only one non-CVE-ID - // e.g. only GHSA-ID - // cf. https://github.com/aquasecurity/vuln-list/blob/a830a1cc031f51a29a1a6f1c28d8366bbb5e7b64/alpine/3.21/community/vaultwarden.json#L9-L13 - if !strings.HasPrefix(cveID, "CVE-") && len(ids) > 1 { - continue - } - if err := vs.dbc.PutAdvisoryDetail(tx, cveID, pkgName, []string{platform}, advisory); err != nil { - return oops.Wrapf(err, "failed to save advisory") + // Find CVE-ID first, if not found, use GHSA-ID + var selectedID string + for _, id := range ids { + id = strings.ReplaceAll(id, "CVE_", "CVE-") + if strings.HasPrefix(id, "CVE-") { + selectedID = id + break // CVE-ID found, prioritize it + } else if strings.HasPrefix(id, "GHSA-") { + selectedID = id // Use GHSA-ID if no CVE-ID found yet } + } - // for optimization - if err := vs.dbc.PutVulnerabilityID(tx, cveID); err != nil { - return oops.Wrapf(err, "failed to save the vulnerability ID") - } + if selectedID == "" { + // No valid vulnerability ID found + continue + } + + if err := vs.dbc.PutAdvisoryDetail(tx, selectedID, pkgName, []string{platform}, advisory); err != nil { + return oops.Wrapf(err, "failed to save advisory") + } + + // for optimization + if err := vs.dbc.PutVulnerabilityID(tx, selectedID); err != nil { + return oops.Wrapf(err, "failed to save the vulnerability ID") } } } diff --git a/pkg/vulnsrc/alpine/alpine_test.go b/pkg/vulnsrc/alpine/alpine_test.go index 9f75a6d3b..58b5ab595 100644 --- a/pkg/vulnsrc/alpine/alpine_test.go +++ b/pkg/vulnsrc/alpine/alpine_test.go @@ -59,6 +59,12 @@ func TestVulnSrc_Update(t *testing.T) { FixedVersion: "2.9.3-r0", }, }, + { + Key: []string{"advisory-detail", "GHSA-h6cc-rc6q-23j4", "alpine 3.12", "ansible"}, + Value: types.Advisory{ + FixedVersion: "2.9.3-r0", + }, + }, { Key: []string{"advisory-detail", "CVE-2020-1737", "alpine 3.12", "ansible"}, Value: types.Advisory{ @@ -100,6 +106,13 @@ func TestVulnSrc_Update(t *testing.T) { }, Value: map[string]interface{}{}, }, + { + Key: []string{ + "vulnerability-id", + "GHSA-h6cc-rc6q-23j4", + }, + Value: map[string]interface{}{}, + }, { Key: []string{ "vulnerability-id", diff --git a/pkg/vulnsrc/alpine/testdata/happy/vuln-list/alpine/ansible.json b/pkg/vulnsrc/alpine/testdata/happy/vuln-list/alpine/ansible.json index 7bd87e952..83be130fc 100644 --- a/pkg/vulnsrc/alpine/testdata/happy/vuln-list/alpine/ansible.json +++ b/pkg/vulnsrc/alpine/testdata/happy/vuln-list/alpine/ansible.json @@ -6,7 +6,8 @@ "CVE-2019-14905", "CVE-2024-22195 GHSA-h5c8-rqwp-cp95", "CVE-2017-2616 (+ regression fix)", - "GHSA-f7r5-w49x-gxm3" + "GHSA-f7r5-w49x-gxm3", + "GHSA-h6cc-rc6q-23j4 (+regression fix)" ], "2.9.6-r0": [ "CVE-2020-1737"