
Check nested components when parsing inspector scan results (#78)
Co-authored-by: Kenji Sugimura <[email protected]>
s-kenji and s-kenji authored Jul 29, 2024
1 parent 15abc66 commit a3574ba
Showing 13 changed files with 208 additions and 50 deletions.
23 changes: 17 additions & 6 deletions entrypoint/entrypoint/pkg_vuln.py
Expand Up @@ -177,17 +177,18 @@ def get_affected_packages(v, components) -> AffectedPackages:
if not affected_bom_refs:
return AffectedPackages()

for each_bomref in affected_bom_refs:
for each_component in components:
ref = each_component.get("bom-ref")
flattened_components = flatten_nested_components(components)
for component in flattened_components:
for bom_ref in affected_bom_refs:
ref = component.get("bom-ref")
if not ref:
continue
if ref == each_bomref["ref"]:
purl = each_component.get("purl")
if ref == bom_ref["ref"]:
purl = component.get("purl")
if purl:
purl = urllib.parse.unquote(purl)
affected_package_urls.append(purl)
pkg_path = getPropertyValueFromKey(each_component, "amazon:inspector:sbom_scanner:path")
pkg_path = getPropertyValueFromKey(component, "amazon:inspector:sbom_scanner:path")
if pkg_path:
affected_package_paths.append(pkg_path)

Expand Down Expand Up @@ -282,6 +283,16 @@ def get_epss_score(ratings):
return None


def flatten_nested_components(components):
flattened_components = []
for each_component in components:
flattened_components.append(each_component)
if "components" in each_component:
nested_components = flatten_nested_components(each_component["components"])
flattened_components.extend(nested_components)
return flattened_components


def combine_str_list_into_one_str(str_list: list[str]) -> str:
str_element = ";".join(str_list)
if str_element == "":
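Review bot: In get_affected_packages, `ref = component.get("bom-ref")` is now evaluated inside the inner `for bom_ref in affected_bom_refs` loop although it does not depend on bom_ref, and every flattened component is compared against every affects entry, so matching is quadratic in SBOM size at the same time flattening makes the component list larger. Building a set of affected refs once and doing a single membership test per component keeps the work linear; it also collapses an affects list that names the same ref twice, which the current code would append twice, so confirm that deduplication is acceptable before merging. Swapping the loop order also changes which side drives the output order — the purl lists in the CSV fixture below appear to have been reordered for that reason — so if callers or downstream diffs rely on stable column ordering, sort the flattened components by bom-ref before matching rather than leaving it to SBOM traversal order. get_affected_packages starts before the hunk, and affected_package_urls and affected_package_paths are still appended independently, a pre-existing alignment caveat this commit does not change.
```python
affected_refs = {entry["ref"] for entry in affected_bom_refs}
for component in flatten_nested_components(components):
    ref = component.get("bom-ref")
    if not ref or ref not in affected_refs:
        continue
    # … unchanged: purl unquote / sbom_scanner:path extraction and appends …
```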
@@ -1,20 +1,20 @@
"#artifact_name:null","artifact_type:null","artifact_hash:null","build_id:null"
"#critical_vulnerabilities:null","high_vulnerabilities:null","medium_vulnerabilities:null","low_vulnerabilities:null","other_vulnerabilities:null"
"ID","Severity","Source","CVSS","Installed Package","Fixed Package","Path","EPSS","Exploit Available","Exploit Last Seen","CWEs"
"CVE-2023-46218","medium","NVD","6.5","pkg:rpm/amazon/curl[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2","null","0.00071","true","2024-05-20T13:08:30Z","null"
"CVE-2023-45918","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/ncurses-base@6.2-4.20200222.amzn2023.0.5?arch=noarch&distro=2023&epoch=0","0:6.2-4.20200222.amzn2023.0.6;0:6.2-4.20200222.amzn2023.0.6;0:6.2-4.20200222.amzn2023.0.6","null","0.00043","null","null","null"
"CVE-2021-35939","medium","NVD","6.7","pkg:rpm/amazon/rpm-build-[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-[email protected]?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00075","null","null","CWE-59"
"CVE-2023-46218","medium","NVD","6.5","pkg:rpm/amazon/libcurl[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2","null","0.00071","true","2024-05-20T13:08:30Z","null"
"CVE-2023-45918","untriaged","NVD","null","pkg:rpm/amazon/ncurses-base@6.2-4.20200222.amzn2023.0.5?arch=noarch&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:6.2-4.20200222.amzn2023.0.6;0:6.2-4.20200222.amzn2023.0.6;0:6.2-4.20200222.amzn2023.0.6","null","0.00043","null","null","null"
"CVE-2021-35939","medium","NVD","6.7","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00075","null","null","CWE-59"
"CVE-2024-2398","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.4;0:8.5.0-1.amzn2023.0.4;0:8.5.0-1.amzn2023.0.4","null","0.00044","null","null","null"
"CVE-2024-2961","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/glibc-common@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:2.34-52.amzn2023.0.10;0:2.34-52.amzn2023.0.10;0:2.34-52.amzn2023.0.10","null","0.00044","true","2024-05-20T21:13:25Z","CWE-787"
"CVE-2024-2961","untriaged","NVD","null","pkg:rpm/amazon/glibc-common@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:2.34-52.amzn2023.0.10;0:2.34-52.amzn2023.0.10;0:2.34-52.amzn2023.0.10","null","0.00044","true","2024-05-20T21:13:25Z","CWE-787"
"CVE-2024-26462","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:1.21-3.amzn2023.0.4","null","0.00043","null","null","null"
"CVE-2024-26461","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:1.21-3.amzn2023.0.4","null","0.00043","null","null","null"
"CVE-2021-35938","medium","NVD","6.7","pkg:rpm/amazon/rpm-build-[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-[email protected]?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00075","null","null","CWE-59"
"CVE-2021-35938","medium","NVD","6.7","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00075","null","null","CWE-59"
"CVE-2024-2004","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.4;0:8.5.0-1.amzn2023.0.4;0:8.5.0-1.amzn2023.0.4","null","0.00044","null","null","null"
"CVE-2024-0853","medium","NVD","5.3","pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/libcurl[email protected]?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.3;0:8.5.0-1.amzn2023.0.3;0:8.5.0-1.amzn2023.0.3","null","0.00058","true","2024-05-18T20:41:40Z","CWE-295"
"CVE-2024-0853","medium","NVD","5.3","pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl[email protected]?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.3;0:8.5.0-1.amzn2023.0.3;0:8.5.0-1.amzn2023.0.3","null","0.00058","true","2024-05-18T20:41:40Z","CWE-295"
"CVE-2024-28757","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:2.5.0-1.amzn2023.0.4","null","0.00044","true","2024-05-17T01:55:59Z","null"
"CVE-2023-6597","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:3.9.16-1.amzn2023.0.8;0:3.9.16-1.amzn2023.0.8","null","0.00044","null","null","null"
"CVE-2024-28182","untriaged","NVD","null","pkg:rpm/amazon/nghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/libnghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:1.59.0-3.amzn2023.0.1;0:1.59.0-3.amzn2023.0.1","null","0.00044","true","2024-05-20T15:47:49Z","CWE-770"
"CVE-2024-28182","untriaged","NVD","null","pkg:rpm/amazon/libnghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/nghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:1.59.0-3.amzn2023.0.1;0:1.59.0-3.amzn2023.0.1","null","0.00044","true","2024-05-20T15:47:49Z","CWE-770"
"CVE-2024-26458","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:1.21-3.amzn2023.0.4","null","0.00043","null","null","null"
"CVE-2021-35937","medium","NVD","6.4","pkg:rpm/amazon/rpm-build-[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-[email protected]?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00086","null","null","CWE-367;CWE-59"
"CVE-2024-0450","untriaged","NVD","null","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-libs@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:3.9.16-1.amzn2023.0.7;0:3.9.16-1.amzn2023.0.7","null","0.00046","null","null","CWE-405"
"ALAS2023-2024-558","low","AMAZON_INSPECTOR","null","pkg:rpm/amazon/curl[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2","null","null","null","null","null"
"CVE-2021-35937","medium","NVD","6.4","pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00086","null","null","CWE-367;CWE-59"
"CVE-2024-0450","untriaged","NVD","null","pkg:rpm/amazon/python3-libs@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/[email protected]?arch=x86_64&distro=2023&epoch=0","0:3.9.16-1.amzn2023.0.7;0:3.9.16-1.amzn2023.0.7","null","0.00046","null","null","CWE-405"
"ALAS2023-2024-558","low","AMAZON_INSPECTOR","null","pkg:rpm/amazon/libcurl[email protected]?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2","null","null","null","null","null"
