
feat(libscan): support gradle.lockfile #1568

Merged
merged 5 commits into from
Dec 19, 2022

Conversation


@kotakanbe kotakanbe commented Dec 16, 2022

What did you implement:

Support gradle.lockfile

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

| file | master | febe7b5 |
|---|---|---|
| vuls/integration/results/2022-12-16T15:05:50+09:00/gradle.json | 0 | 68 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/amazon_2.json | 392 | 392 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/bundler.json | 80 | 80 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/cargo.json | 27 | 27 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/centos_7.json | 392 | 392 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/composer.json | 19 | 19 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/debian_10.json | 1001 | 1001 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/dotnet-deps.json | 1 | 1 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/gobinary.json | 3 | 3 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/gomod.json | 13 | 13 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/gosum.json | 56 | 56 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/jar.json | 4 | 4 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/jvn_vendor_product.json | 1 | 1 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/jvn_vendor_product_nover.json | 4 | 4 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/leap.json | 504 | 504 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/npm.json | 37 | 37 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/nuget-config.json | 8 | 8 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/nuget-lock.json | 8 | 8 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/nvd_exact.json | 52 | 52 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/nvd_match_no_jvn.json | 65 | 65 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/nvd_rough.json | 26 | 26 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/nvd_vendor_product.json | 101 | 101 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/oracle.json | 180 | 180 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/pip.json | 2 | 2 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/pipenv.json | 15 | 15 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/pnpm.json | 1 | 1 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/poetry.json | 10 | 10 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/pom.json | 4 | 4 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/rhel_71.json | 1360 | 1360 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/rhel_8.json | 648 | 648 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/sles12.json | 339 | 339 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/sles15.json | 513 | 513 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/ubuntu_1804.json | 449 | 449 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/ubuntu_2004.json | 452 | 452 |
| vuls/integration/results/2022-12-16T15:05:50+09:00/yarn.json | 65 | 65 |

Checklist:

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

@kotakanbe kotakanbe marked this pull request as ready for review December 16, 2022 06:53
@MaineK00n MaineK00n left a comment


LGTM

models/library.go (review comment, outdated, resolved)
@kotakanbe kotakanbe merged commit 03c5986 into master Dec 19, 2022
@kotakanbe kotakanbe deleted the support-gradle branch December 19, 2022 23:52
@kotakanbe
Member Author

JSON sample

{
    "scannedCves": {
        "CVE-2017-17485": {
            "cveID": "CVE-2017-17485",
            "confidences": [
                {
                    "score": 100,
                    "detectionMethod": "TrivyMatch"
                }
            ],
            "cveContents": {
                "nvd": [
                    {
                        "type": "nvd",
                        "cveID": "CVE-2017-17485",
                        "title": "",
                        "summary": "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.",
                        "cvss2Score": 7.5,
                        "cvss2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                        "cvss2Severity": "HIGH",
                        "cvss3Score": 9.8,
                        "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "cvss3Severity": "CRITICAL",
                        "sourceLink": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485",
                        "references": [
                            {
                                "link": "http://www.securityfocus.com/archive/1/541652/100/0/threaded",
                                "source": "BUGTRAQ",
                                "tags": [
                                    "Third Party Advisory",
                                    "VDB Entry"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0116",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0342",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0478",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0479",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0480",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0481",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1447",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1448",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1449",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1450",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1451",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:2930",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:1782",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:1797",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:2858",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:3149",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:3892",
                                "source": "REDHAT",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://github.com/FasterXML/jackson-databind/issues/1855",
                                "source": "CONFIRM",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://github.com/irsl/jackson-rce-via-spel/",
                                "source": "MISC",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://security.netapp.com/advisory/ntap-20180201-0003/",
                                "source": "CONFIRM",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us",
                                "source": "CONFIRM",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://www.debian.org/security/2018/dsa-4114",
                                "source": "DEBIAN",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            },
                            {
                                "link": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                                "source": "MISC",
                                "tags": [
                                    "Third Party Advisory"
                                ]
                            }
                        ],
                        "cweIDs": [
                            "CWE-502"
                        ],
                        "published": "2018-01-10T18:29:00Z",
                        "lastModified": "2021-01-19T15:51:00Z"
                    }
                ],
                "trivy": [
                    {
                        "type": "trivy",
                        "cveID": "CVE-2017-17485",
                        "title": "jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)",
                        "summary": "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.",
                        "cvss2Score": 0,
                        "cvss2Vector": "",
                        "cvss2Severity": "",
                        "cvss3Score": 0,
                        "cvss3Vector": "",
                        "cvss3Severity": "CRITICAL",
                        "sourceLink": "",
                        "references": [
                            {
                                "link": "http://www.securityfocus.com/archive/1/541652/100/0/threaded",
                                "source": "trivy"
                            },
                            {
                                "link": "http://www.securityfocus.com/archive/1/archive/1/541652/100/0/threaded",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0116",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0342",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0478",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0479",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0480",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:0481",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1447",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1448",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1449",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1450",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:1451",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2018:2930",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:1782",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:1797",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:2858",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:3149",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/errata/RHSA-2019:3892",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/security/cve/CVE-2017-17485",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/solutions/3442891",
                                "source": "trivy"
                            },
                            {
                                "link": "https://github.com/FasterXML/jackson-databind/issues/1855",
                                "source": "trivy"
                            },
                            {
                                "link": "https://github.com/advisories/GHSA-rfx6-vp9g-rh7v",
                                "source": "trivy"
                            },
                            {
                                "link": "https://github.com/irsl/jackson-rce-via-spel/",
                                "source": "trivy"
                            },
                            {
                                "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485",
                                "source": "trivy"
                            },
                            {
                                "link": "https://security.netapp.com/advisory/ntap-20180201-0003/",
                                "source": "trivy"
                            },
                            {
                                "link": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us",
                                "source": "trivy"
                            },
                            {
                                "link": "https://www.debian.org/security/2018/dsa-4114",
                                "source": "trivy"
                            },
                            {
                                "link": "https://www.oracle.com/security-alerts/cpuoct2020.html",
                                "source": "trivy"
                            }
                        ],
                        "published": "0001-01-01T00:00:00Z",
                        "lastModified": "0001-01-01T00:00:00Z"
                    }
                ]
            },
            "exploits": [
                {
                    "exploitType": "GitHub",
                    "id": "GitHub-1536834d873fbef1e6195b41a0463a41",
                    "url": "https://github.com/Al1ex/CVE-2017-17485",
                    "description": "CVE-2017-17485:Jackson-databind RCE"
                },
                {
                    "exploitType": "InTheWild",
                    "id": "InTheWild-52d8d9ebcfb23c1580cbd0abf39e006f",
                    "url": "https://github.com/Al1ex/CVE-2017-17485",
                    "description": "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath."
                }
            ],
            "ctis": [
                "CAPEC-586"
            ],
            "alertDict": {
                "cisa": null,
                "jpcert": null,
                "uscert": null
            },
            "libraryFixedIns": [
                {
                    "key": "java",
                    "name": "com.fasterxml.jackson.core:jackson-databind",
                    "fixedIn": "2.8.11, 2.9.4",
                    "path": "/home/kota/go/src/github.com/future-architect/vuls/integration/data/lockfile/gradle.lockfile"
                }
            ]
        }
    },
    "packages": {},
    "libraries": [
        {
            "Libs": [
                {
                    "Name": "com.fasterxml.jackson.core:jackson-databind",
                    "Version": "2.9.1",
                    "FilePath": ""
                }
            ],
            "path": "/home/kota/go/src/github.com/future-architect/vuls/integration/data/lockfile/gradle.lockfile"
        }
    }
}
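The sample above reports the lockfile's dependency `com.fasterxml.jackson.core:jackson-databind` at version `2.9.1` under `libraries` and a `fixedIn` list of `2.8.11, 2.9.4` for the matched CVE. As an added example, not code from this PR or from the vuls project, the Go program below parses Gradle's single-file lock format into that `Name`/`Version` shape and then checks the installed version against such a `fixedIn` list. The lockfile content is constructed, the function names `ParseGradleLockfile` and `IsBelowFix` are this example's own, and the branch rule in `IsBelowFix` (prefer the fix on the same major.minor branch, otherwise the first listed fix, assuming the list is ascending) is an assumption of the example, not how the scanner matches.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Library mirrors an entry in the scan result's "libraries" section.
type Library struct {
	Name    string // "group:artifact"
	Version string
}

// SampleLockfile is a constructed Gradle single-file lock, not the
// integration data file: "#" comments, one group:artifact:version=configs
// line per dependency, and "empty=" for configurations resolving nothing.
const SampleLockfile = `# This is a Gradle generated file for dependency locking.
com.fasterxml.jackson.core:jackson-annotations:2.9.0=compileClasspath,runtimeClasspath
com.fasterxml.jackson.core:jackson-core:2.9.1=compileClasspath,runtimeClasspath
com.fasterxml.jackson.core:jackson-databind:2.9.1=compileClasspath,runtimeClasspath
empty=annotationProcessor
`

// ParseGradleLockfile extracts the locked dependencies. Malformed lines are
// errors rather than skipped, so a truncated file cannot yield a quietly incomplete inventory.
func ParseGradleLockfile(content string) ([]Library, error) {
	var libs []Library
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		// skip blanks, comments and the "empty=<configs>" marker line
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "empty=") {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("line %d: missing '=' in %q", n, line)
		}
		parts := strings.Split(kv[0], ":")
		if len(parts) != 3 {
			return nil, fmt.Errorf("line %d: want group:artifact:version, got %q", n, kv[0])
		}
		libs = append(libs, Library{Name: parts[0] + ":" + parts[1], Version: parts[2]})
	}
	return libs, sc.Err()
}

// parseVersion turns "2.9.1" into [2 9 1]; parsing stops at the first non-numeric segment.
func parseVersion(v string) []int {
	var out []int
	for _, s := range strings.Split(v, ".") {
		n, err := strconv.Atoi(s)
		if err != nil {
			break
		}
		out = append(out, n)
	}
	return out
}

// compareVersions returns -1, 0 or 1 for a<b, a==b, a>b; missing segments count as 0.
func compareVersions(a, b string) int {
	av, bv := parseVersion(a), parseVersion(b)
	for i := 0; i < len(av) || i < len(bv); i++ {
		x, y := 0, 0
		if i < len(av) {
			x = av[i]
		}
		if i < len(bv) {
			y = bv[i]
		}
		if x < y {
			return -1
		} else if x > y {
			return 1
		}
	}
	return 0
}

// IsBelowFix reports whether installed is older than the fix that applies to it, given a
// fixedIn list such as "2.8.11, 2.9.4". Branch rule (this example's assumption, not the
// scanner's matching): prefer the same major.minor branch, else the first (lowest) fix.
func IsBelowFix(installed, fixedIn string) bool {
	fixes := strings.Split(fixedIn, ",")
	for i := range fixes {
		fixes[i] = strings.TrimSpace(fixes[i])
	}
	inst := parseVersion(installed)
	for _, f := range fixes {
		if fv := parseVersion(f); len(inst) > 1 && len(fv) > 1 && inst[0] == fv[0] && inst[1] == fv[1] {
			return compareVersions(installed, f) < 0
		}
	}
	return compareVersions(installed, fixes[0]) < 0
}
```

Run against `SampleLockfile`, `ParseGradleLockfile` yields three libraries, and `IsBelowFix("2.9.1", "2.8.11, 2.9.4")` is true because 2.9.1 sits below the 2.9.x fix, which is the situation the JSON sample reports. A lockfile line without `=` or without a version segment is returned as an error so that a damaged lockfile is noticed rather than silently scanned as fewer dependencies.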
