From 36b202b469e8d57b5b0223dca85261c12d14c13a Mon Sep 17 00:00:00 2001
From: nscuro
Date: Wed, 20 Nov 2024 13:13:00 +0100
Subject: [PATCH] Fix Trivy analyzer vulnerability matching for Go packages
Fixes #4376
Signed-off-by: nscuro
---
.../tasks/scanners/TrivyAnalysisTask.java | 6 ++++-
.../TrivyAnalysisTaskIntegrationTest.java | 25 +++++++++++++++++--
2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
index 51f7587c96..734ceaeb7c 100644
--- a/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
+++ b/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
@@ -204,7 +204,11 @@ public void analyze(final List components) {
 var name = component.getPurl().getName();
 if (component.getPurl().getNamespace() != null) {
- name = component.getPurl().getNamespace() + ":" + name;
+ if (PackageURL.StandardTypes.GOLANG.equals(component.getPurl().getType())) {
+ name = component.getPurl().getNamespace() + "/" + name;
+ } else {
+ name = component.getPurl().getNamespace() + ":" + name;
+ }
 }
 if (!PurlType.UNKNOWN.getAppType().equals(appType)) {
diff --git a/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java
index 160c709931..b1132afe36 100644
--- a/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java
+++ b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java
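Review bot: The separator choice in the new branch would read better as a single expression than as a nested if/else that repeats `component.getPurl()` four times: `final var separator = PackageURL.StandardTypes.GOLANG.equals(component.getPurl().getType()) ? "/" : ":";` followed by `name = component.getPurl().getNamespace() + separator + name;`. The joined name is presumably what the Trivy lookup keys on, and an unexpected separator fails silently as zero findings rather than as an error — the false-negative this commit closes — so the Go special case deserves a why-comment, e.g. `// Trivy only matches Go modules when namespace and name are joined with "/" (#4376); every other ecosystem uses "namespace:name".` The enclosing analyze method starts and ends outside the hunk, so whether any other ecosystem handled in this loop also needs a non-":" join cannot be judged from here.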
@@ -252,7 +252,7 @@ public void testWithPackageWithoutTrivyProperties() {
 assertThat(qm.getAllVulnerabilities(component)).isEmpty();
 }
- /**
+ /**
 * This test documents the case where Trivy is able to correlate a package with vulnerabilities
 * when additional properties provided. When including libc6 in an SBOM,
 * Trivy adds metadata to the component, which among other things includes alternative package names.
@@ -346,7 +346,7 @@ public void testWithPackageWithTrivyProperties() {
 });
 }
- /**
+ /**
 * This test documents the case where Trivy generates a sbom and operative system is not entirely on distro qualifier.
 *

 * Here's an excerpt of the properties included:
@@ -436,4 +436,25 @@ public void testWithPackageWithTrivyPropertiesWithDistroWithoutOS() {
 assertThat(vuln.getReferences()).isNotBlank();
 });
 }
+
+ @Test // https://github.com/DependencyTrack/dependency-track/issues/4376
+ public void testWithGoPackage() {
+ final var project = new Project();
+ project.setName("acme-app");
+ qm.persist(project);
+
+ final var component = new Component();
+ component.setProject(project);
+ component.setName("golang/github.com/nats-io/nkeys");
+ component.setVersion("0.4.4");
+ component.setClassifier(Classifier.LIBRARY);
+ component.setPurl("pkg:golang/github.com/nats-io/nkeys@0.4.4");
+ qm.persist(component);
+
+ final var analysisEvent = new TrivyAnalysisEvent(List.of(component));
+ new TrivyAnalysisTask().inform(analysisEvent);
+
+ assertThat(qm.getAllVulnerabilities(component)).hasSizeGreaterThanOrEqualTo(1);
+ }
+
 }
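Review bot: The sibling tests in this class each carry a Javadoc stating the scenario they document, while testWithGoPackage only links the issue in a trailing comment on the @Test line; a short Javadoc above it would keep the file consistent, e.g. `/** Documents that a Go module is only correlated with vulnerabilities when its PURL namespace and name are joined with "/" rather than ":"; see #4376. */`. The assertion `hasSizeGreaterThanOrEqualTo(1)` pins only that some finding comes back, which is a reasonable minimum for a regression test that, judging from the class name, runs against a live Trivy instance; if the findings for this package ever age out of Trivy's database the test will fail for reasons unrelated to the matching fix, which is worth stating in that Javadoc.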