Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Maximum severity rating for each Group object in JSON output #805

Merged
merged 5 commits into from
Mar 4, 2024
Merged

Maximum severity rating for each Group object in JSON output #805

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
fa63dd3
setting maximum severity in group
AppleGamer22 Feb 14, 2024
ccbf99e
actually setting maximum severity in group
AppleGamer22 Feb 14, 2024
1bbce46
renamed output variable to results in buildVulnerabilityResults, prev…
AppleGamer22 Feb 14, 2024
9ed601a
replace MaxSeverity function call with reference to already-generated…
AppleGamer22 Feb 14, 2024
02af4a6
added max_severity keys to json test cases
AppleGamer22 Feb 14, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 14 additions & 7 deletions internal/ci/__snapshots__/vulnerability_result_diff_test.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,8 @@
"ids": [
"GO-2021-0053"
],
"aliases": null
"aliases": null,
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -243,7 +244,8 @@
"aliases": [
"CVE-2021-3121",
"GHSA-c3h9-896r-86jm"
]
],
"max_severity": "8.6"
}
]
}
Expand Down Expand Up @@ -378,7 +380,8 @@
"aliases": [
"CVE-2021-3121",
"GHSA-c3h9-896r-86jm"
]
],
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -537,7 +540,8 @@
"aliases": [
"CVE-2021-3121",
"GHSA-c3h9-896r-86jm"
]
],
"max_severity": "8.6"
}
]
}
Expand Down Expand Up @@ -745,7 +749,8 @@
"GHSA-m5pq-gvj9-9vr8",
"RUSTSEC-2022-0013"
],
"aliases": null
"aliases": null,
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -880,7 +885,8 @@
"aliases": [
"CVE-2021-3121",
"GHSA-c3h9-896r-86jm"
]
],
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -1088,7 +1094,8 @@
"GHSA-m5pq-gvj9-9vr8",
"RUSTSEC-2022-0013"
],
"aliases": null
"aliases": null,
"max_severity": ""
}
]
}
Expand Down
4 changes: 4 additions & 0 deletions internal/ci/vulnerability_result_diff.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package ci
import (
"slices"

"github.com/google/osv-scanner/internal/output"
"github.com/google/osv-scanner/pkg/grouper"
"github.com/google/osv-scanner/pkg/models"
)
Expand Down Expand Up @@ -55,6 +56,9 @@ func DiffVulnerabilityResults(oldRes, newRes models.VulnerabilityResults) models
}
// Rebuild the groups lost in the previous step
groups := grouper.Group(grouper.ConvertVulnerabilityToIDAliases(resultPV.Vulnerabilities))
for i, group := range groups {
groups[i].MaxSeverity = output.MaxSeverity(group, *resultPV)
}
resultPV.Groups = groups
}
if len(resultPS.Packages) == 0 {
Expand Down
2 changes: 1 addition & 1 deletion internal/output/githubannotation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ func createSourceRemediationTable(source models.PackageSource, groupFixedVersion
remediationTable.AppendRow(table.Row{
pv.Package.Name,
strings.Join(vulnIDs, "\n"),
MaxSeverity(group, pv),
group.MaxSeverity,
pv.Package.Version,
strings.Join(fixedVersions, "\n")})
}
Expand Down
2 changes: 1 addition & 1 deletion internal/output/table.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ func tableBuilderInner(vulnResult *models.VulnerabilityResults, addStyling bool,
}

outputRow = append(outputRow, strings.Join(links, "\n"))
outputRow = append(outputRow, MaxSeverity(group, pkg))
outputRow = append(outputRow, group.MaxSeverity)

if pkg.Package.Ecosystem == "" && pkg.Package.Commit != "" {
pkgCommitStr := results.PkgToString(pkg.Package)
Expand Down
18 changes: 12 additions & 6 deletions internal/sourceanalysis/__snapshots__/go_test.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,7 +162,8 @@
"GO-2021-0053": {
"called": false
}
}
},
"max_severity": ""
}
]
},
Expand Down Expand Up @@ -314,7 +315,8 @@
"GO-2023-1558": {
"called": true
}
}
},
"max_severity": ""
}
]
},
Expand Down Expand Up @@ -467,7 +469,8 @@
"GO-2023-1572": {
"called": false
}
}
},
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -621,7 +624,8 @@
"GHSA-c3h9-896r-86jm",
"GO-2021-0053"
],
"aliases": null
"aliases": null,
"max_severity": ""
}
]
},
Expand Down Expand Up @@ -757,7 +761,8 @@
"GHSA-2h6c-j3gf-xp9r",
"GO-2023-1558"
],
"aliases": null
"aliases": null,
"max_severity": ""
}
]
},
Expand Down Expand Up @@ -892,7 +897,8 @@
"GHSA-qgc7-mgm3-q253",
"GO-2023-1572"
],
"aliases": null
"aliases": null,
"max_severity": ""
}
]
}
Expand Down
1 change: 1 addition & 0 deletions pkg/models/results.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,7 @@ type GroupInfo struct {
Aliases []string `json:"aliases"`
// Map of Vulnerability IDs to AnalysisInfo
ExperimentalAnalysis map[string]AnalysisInfo `json:"experimentalAnalysis,omitempty"`
MaxSeverity string `json:"max_severity"`
}

// IsCalled returns true if any analysis performed determines that the vulnerability is being called
Expand Down
36 changes: 24 additions & 12 deletions pkg/osvscanner/__snapshots__/osvscanner_internal_test.snap
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,8 @@
"aliases": [
"GHSA-mc8h-8q98-g5hr",
"RUSTSEC-2023-0018"
]
],
"max_severity": ""
}
]
},
Expand Down Expand Up @@ -414,7 +415,8 @@
"aliases": [
"GHSA-wcg3-cvx6-7396",
"RUSTSEC-2020-0071"
]
],
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -889,15 +891,17 @@
"aliases": [
"GHSA-fxg5-wq6x-vr4w",
"GO-2023-1495"
]
],
"max_severity": ""
},
{
"ids": [
"GO-2022-1144"
],
"aliases": [
"GO-2022-1144"
]
],
"max_severity": ""
},
{
"ids": [
Expand All @@ -907,7 +911,8 @@
"aliases": [
"GHSA-vvpx-j8f3-3w6h",
"GO-2023-1571"
]
],
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -1051,15 +1056,17 @@
],
"aliases": [
"GHSA-mrrw-grhq-86gf"
]
],
"max_severity": ""
},
{
"ids": [
"RUSTSEC-2023-0015"
],
"aliases": [
"RUSTSEC-2023-0015"
]
],
"max_severity": ""
}
]
},
Expand Down Expand Up @@ -1209,7 +1216,8 @@
"aliases": [
"GHSA-mc8h-8q98-g5hr",
"RUSTSEC-2023-0018"
]
],
"max_severity": ""
}
]
},
Expand Down Expand Up @@ -1457,7 +1465,8 @@
"aliases": [
"GHSA-wcg3-cvx6-7396",
"RUSTSEC-2020-0071"
]
],
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -1682,7 +1691,8 @@
"aliases": [
"GHSA-vvpx-j8f3-3w6h",
"GO-2023-1571"
]
],
"max_severity": ""
}
]
}
Expand Down Expand Up @@ -1767,7 +1777,8 @@
],
"aliases": [
"GHSA-mrrw-grhq-86gf"
]
],
"max_severity": ""
}
]
},
Expand Down Expand Up @@ -2015,7 +2026,8 @@
"aliases": [
"GHSA-wcg3-cvx6-7396",
"RUSTSEC-2020-0071"
]
],
"max_severity": ""
}
]
}
Expand Down
22 changes: 13 additions & 9 deletions pkg/osvscanner/vulnerability_result.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"sort"
"strings"

"github.com/google/osv-scanner/internal/output"
"github.com/google/osv-scanner/internal/sourceanalysis"
"github.com/google/osv-scanner/pkg/grouper"
"github.com/google/osv-scanner/pkg/models"
Expand All @@ -22,7 +23,7 @@ func buildVulnerabilityResults(
licensesResp [][]models.License,
actions ScannerActions,
) models.VulnerabilityResults {
output := models.VulnerabilityResults{
results := models.VulnerabilityResults{
Results: []models.PackageSource{},
}
groupedBySource := map[models.SourceInfo][]models.PackageVulns{}
Expand Down Expand Up @@ -57,6 +58,9 @@ func buildVulnerabilityResults(
includePackage = true
pkg.Vulnerabilities = vulnsResp.Results[i].Vulns
pkg.Groups = grouper.Group(grouper.ConvertVulnerabilityToIDAliases(pkg.Vulnerabilities))
for i, group := range pkg.Groups {
pkg.Groups[i].MaxSeverity = output.MaxSeverity(group, pkg)
}
}
if len(actions.ScanLicensesAllowlist) > 0 {
pkg.Licenses = licensesResp[i]
Expand All @@ -83,28 +87,28 @@ func buildVulnerabilityResults(

for source, packages := range groupedBySource {
sourceanalysis.Run(r, source, packages, actions.CallAnalysisStates)
output.Results = append(output.Results, models.PackageSource{
results.Results = append(results.Results, models.PackageSource{
Source: source,
Packages: packages,
})
}

sort.Slice(output.Results, func(i, j int) bool {
if output.Results[i].Source.Path == output.Results[j].Source.Path {
return output.Results[i].Source.Type < output.Results[j].Source.Type
sort.Slice(results.Results, func(i, j int) bool {
if results.Results[i].Source.Path == results.Results[j].Source.Path {
return results.Results[i].Source.Type < results.Results[j].Source.Type
}

return output.Results[i].Source.Path < output.Results[j].Source.Path
return results.Results[i].Source.Path < results.Results[j].Source.Path
})

if len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary {
output.ExperimentalAnalysisConfig.Licenses.Summary = actions.ScanLicensesSummary
results.ExperimentalAnalysisConfig.Licenses.Summary = actions.ScanLicensesSummary
allowlist := make([]models.License, len(actions.ScanLicensesAllowlist))
for i, l := range actions.ScanLicensesAllowlist {
allowlist[i] = models.License(l)
}
output.ExperimentalAnalysisConfig.Licenses.Allowlist = allowlist
results.ExperimentalAnalysisConfig.Licenses.Allowlist = allowlist
}

return output
return results
}
Loading