
feat(libscan): support conan.lock C/C++ #1572

Merged
merged 1 commit into from
Dec 20, 2022

Conversation

kotakanbe
Member

@kotakanbe kotakanbe commented Dec 20, 2022

What did you implement:

support conan.lock C/C++

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

| file | master | bc8c562 |
|---|---|---|
| conan.json | 0 | 1 |
| amazon_2.json | 392 | 392 |
| bundler.json | 80 | 80 |
| cargo.json | 27 | 27 |
| centos_7.json | 392 | 392 |
| composer.json | 19 | 19 |
| debian_10.json | 1001 | 1001 |
| dotnet-deps.json | 1 | 1 |
| gobinary.json | 3 | 3 |
| gomod.json | 13 | 13 |
| gosum.json | 56 | 56 |
| gradle.json | 68 | 68 |
| jar.json | 4 | 4 |
| jvn_vendor_product.json | 1 | 1 |
| jvn_vendor_product_nover.json | 4 | 4 |
| leap.json | 504 | 504 |
| npm.json | 37 | 37 |
| nuget-config.json | 8 | 8 |
| nuget-lock.json | 8 | 8 |
| nvd_exact.json | 52 | 52 |
| nvd_match_no_jvn.json | 65 | 65 |
| nvd_rough.json | 26 | 26 |
| nvd_vendor_product.json | 101 | 101 |
| oracle.json | 180 | 180 |
| pip.json | 2 | 2 |
| pipenv.json | 15 | 15 |
| pnpm.json | 1 | 1 |
| poetry.json | 10 | 10 |
| pom.json | 4 | 4 |
| rhel_71.json | 1360 | 1360 |
| rhel_8.json | 648 | 648 |
| sles12.json | 339 | 339 |
| sles15.json | 513 | 513 |
| ubuntu_1804.json | 449 | 449 |
| ubuntu_2004.json | 452 | 452 |
| yarn.json | 65 | 65 |

Checklist:

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

@kotakanbe
Member Author

JSON Sample

{
    "jsonVersion": 4,
    "scannedCves": {
        "CVE-2020-14155": {
            "cveID": "CVE-2020-14155",
            "confidences": [
                {
                    "score": 100,
                    "detectionMethod": "TrivyMatch"
                }
            ],
            "cveContents": {
                "trivy": [
                    {
                        "type": "trivy",
                        "cveID": "CVE-2020-14155",
                        "title": "pcre: Integer overflow when parsing callout numeric arguments",
                        "summary": "libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.",
                        "cvss2Score": 0,
                        "cvss2Vector": "",
                        "cvss2Severity": "",
                        "cvss3Score": 0,
                        "cvss3Vector": "",
                        "cvss3Severity": "MEDIUM",
                        "sourceLink": "",
                        "references": [
                            {
                                "link": "http://seclists.org/fulldisclosure/2020/Dec/32",
                                "source": "trivy"
                            },
                            {
                                "link": "http://seclists.org/fulldisclosure/2021/Feb/14",
                                "source": "trivy"
                            },
                            {
                                "link": "https://about.gitlab.com/releases/2020/07/01/security-release-13-1-2-release/",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20838.json",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14155.json",
                                "source": "trivy"
                            },
                            {
                                "link": "https://access.redhat.com/security/cve/CVE-2020-14155",
                                "source": "trivy"
                            },
                            {
                                "link": "https://bugs.gentoo.org/717920",
                                "source": "trivy"
                            },
                            {
                                "link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155",
                                "source": "trivy"
                            },
                            {
                                "link": "https://errata.almalinux.org/8/ALSA-2021-4373.html",
                                "source": "trivy"
                            },
                            {
                                "link": "https://linux.oracle.com/cve/CVE-2020-14155.html",
                                "source": "trivy"
                            },
                            {
                                "link": "https://linux.oracle.com/errata/ELSA-2021-4373.html",
                                "source": "trivy"
                            },
                            {
                                "link": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
                                "source": "trivy"
                            },
                            {
                                "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-14155",
                                "source": "trivy"
                            },
                            {
                                "link": "https://security.netapp.com/advisory/ntap-20221028-0010/",
                                "source": "trivy"
                            },
                            {
                                "link": "https://support.apple.com/kb/HT211931",
                                "source": "trivy"
                            },
                            {
                                "link": "https://support.apple.com/kb/HT212147",
                                "source": "trivy"
                            },
                            {
                                "link": "https://ubuntu.com/security/notices/USN-5425-1",
                                "source": "trivy"
                            },
                            {
                                "link": "https://www.oracle.com/security-alerts/cpuapr2022.html",
                                "source": "trivy"
                            },
                            {
                                "link": "https://www.pcre.org/original/changelog.txt",
                                "source": "trivy"
                            }
                        ],
                        "published": "0001-01-01T00:00:00Z",
                        "lastModified": "0001-01-01T00:00:00Z"
                    }
                ]
            },
            "mitigations": [
                {
                    "cveContentType": "redhat_api",
                    "mitigation": "This flaw can be mitigated by not compiling regular expressions with a callout value greater outside of 0-255 or handling the value passed to the callback within the application code.",
                    "url": "https://access.redhat.com/security/cve/CVE-2020-14155"
                }
            ],
            "ctis": [
                "CAPEC-92"
            ],
            "alertDict": {
                "cisa": null,
                "jpcert": null,
                "uscert": null
            },
            "libraryFixedIns": [
                {
                    "name": "pcre",
                    "fixedIn": "8.45",
                    "path": "/home/kota/go/src/github.com/future-architect/vuls/integration/data/lockfile/conan.lock"
                }
            ]
        }
    },
    "packages": {},
    "libraries": [
        {
            "Libs": [
                {
                    "Name": "bzip2",
                    "Version": "1.0.8",
                    "FilePath": ""
                },
                {
                    "Name": "expat",
                    "Version": "2.4.8",
                    "FilePath": ""
                },
                {
                    "Name": "openssl",
                    "Version": "1.1.1q",
                    "FilePath": ""
                },
                {
                    "Name": "pcre",
                    "Version": "8.43",
                    "FilePath": ""
                },
                {
                    "Name": "poco",
                    "Version": "1.9.4",
                    "FilePath": ""
                },
                {
                    "Name": "sqlite3",
                    "Version": "3.39.2",
                    "FilePath": ""
                },
                {
                    "Name": "zlib",
                    "Version": "1.2.12",
                    "FilePath": ""
                }
            ],
            "path": "/home/kota/go/src/github.com/future-architect/vuls/integration/data/lockfile/conan.lock"
        }
    ]
}
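
The sample report above lists the libraries Vuls pulled out of a conan.lock and, for pcre 8.43, a `libraryFixedIns` entry pointing at 8.45. The following Go program is an added illustration of that pipeline and is not code from the Vuls project or from this PR: it parses a constructed Conan 1.x lockfile (assumed `graph_lock.nodes` layout, each node carrying a `ref` such as `pcre/8.43#<revision>`; the revision values are placeholders), reduces the refs to name/version pairs like the `Libs` array in the report, and matches them against a constructed advisory record with the same CVE, package and fixed-in version as the sample. The version comparison is a simplified stand-in for what Trivy does, written here only to handle the dotted-numeric plus letter-suffix forms seen in the sample (for example openssl `1.1.1q`).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Lib mirrors the Name/Version pair the report lists under "libraries[].Libs".
type Lib struct {
	Name    string
	Version string
}

// conanLock is the subset of a Conan 1.x lockfile read here (assumption:
// the v1 "graph_lock.nodes" layout; Conan 2 lockfiles differ and are not handled).
type conanLock struct {
	GraphLock struct {
		Nodes map[string]struct {
			Ref string `json:"ref"`
		} `json:"nodes"`
	} `json:"graph_lock"`
}

// ParseConanLock extracts name/version pairs from lockfile bytes, sorted by
// name. The root node (the consumer project) usually has no "ref" and is skipped.
func ParseConanLock(data []byte) ([]Lib, error) {
	var lock conanLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	var libs []Lib
	for _, node := range lock.GraphLock.Nodes {
		if node.Ref == "" {
			continue
		}
		// "name/version@user/channel#revision": drop the revision, then user/channel.
		ref := strings.SplitN(node.Ref, "#", 2)[0]
		ref = strings.SplitN(ref, "@", 2)[0]
		parts := strings.SplitN(ref, "/", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("unexpected ref %q", node.Ref)
		}
		libs = append(libs, Lib{Name: parts[0], Version: parts[1]})
	}
	sort.Slice(libs, func(i, j int) bool { return libs[i].Name < libs[j].Name })
	return libs, nil
}

// splitNum separates a leading integer from any trailing suffix ("1q" -> 1, "q").
func splitNum(s string) (int, string) {
	i := 0
	for i < len(s) && s[i] >= '0' && s[i] <= '9' {
		i++
	}
	n, _ := strconv.Atoi(s[:i])
	return n, s[i:]
}

// CompareVersions orders dot-separated versions component by component:
// numerically first, then by any letter suffix. Returns -1, 0 or 1.
// Simplified comparison for this example, not Trivy's implementation.
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y string
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		xn, xs := splitNum(x)
		yn, ys := splitNum(y)
		if xn != yn {
			if xn < yn {
				return -1
			}
			return 1
		}
		if xs != ys {
			if xs < ys {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Advisory is a constructed "fixed in" record; the values match the pcre
// entry in the sample report, nothing here is fetched from a real database.
type Advisory struct {
	CVE, Name, FixedIn string
}

// Finding corresponds to one "libraryFixedIns" entry in the report.
type Finding struct {
	CVE     string
	Lib     Lib
	FixedIn string
}

// MatchAdvisories reports each library whose installed version sorts below
// an advisory's FixedIn for the same package name.
func MatchAdvisories(libs []Lib, advs []Advisory) []Finding {
	var out []Finding
	for _, l := range libs {
		for _, a := range advs {
			if a.Name == l.Name && CompareVersions(l.Version, a.FixedIn) < 0 {
				out = append(out, Finding{CVE: a.CVE, Lib: l, FixedIn: a.FixedIn})
			}
		}
	}
	return out
}

// SampleLock is a constructed Conan 1.x lockfile with the same packages and
// versions as the sample report; "rev0" revisions are placeholders.
const SampleLock = `{
  "graph_lock": {
    "nodes": {
      "0": {"requires": ["1", "2"], "path": "conanfile.txt", "context": "host"},
      "1": {"ref": "poco/1.9.4#rev0", "context": "host"},
      "2": {"ref": "pcre/8.43#rev0", "context": "host"},
      "3": {"ref": "bzip2/1.0.8#rev0", "context": "host"},
      "4": {"ref": "zlib/1.2.12#rev0", "context": "host"},
      "5": {"ref": "expat/2.4.8#rev0", "context": "host"},
      "6": {"ref": "sqlite3/3.39.2#rev0", "context": "host"},
      "7": {"ref": "openssl/1.1.1q#rev0", "context": "host"}
    },
    "revisions_enabled": true
  },
  "version": "0.4"
}`

func main() {
	libs, err := ParseConanLock([]byte(SampleLock))
	if err != nil {
		panic(err)
	}
	advs := []Advisory{{CVE: "CVE-2020-14155", Name: "pcre", FixedIn: "8.45"}}
	for _, f := range MatchAdvisories(libs, advs) {
		fmt.Printf("%s: %s %s (fixedIn %s)\n", f.CVE, f.Lib.Name, f.Lib.Version, f.FixedIn)
	}
}
```

Running it prints a single line for pcre 8.43 against fixed-in 8.45, which is the one `libraryFixedIns` entry the sample report shows; the other six packages produce no finding because the constructed advisory list names only pcre. Note that the `FilePath` field in the report is empty for every library and only the enclosing `path` names the lockfile, so anyone correlating findings back to a source tree should key on the lockfile path rather than the per-library field.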

@kotakanbe kotakanbe merged commit f6cd4d9 into master Dec 20, 2022
@kotakanbe kotakanbe deleted the conan branch December 20, 2022 02:22