From 565fd4b82f61420f95f043be47e10eaa5156a933 Mon Sep 17 00:00:00 2001
From: Kenneth Maguire
Date: Wed, 10 Feb 2021 16:47:19 -0700
Subject: [PATCH 1/3] sort fix and check if duplicate
---
 stages/csv-output/scanners/anchore.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/stages/csv-output/scanners/anchore.py b/stages/csv-output/scanners/anchore.py
index a7e6385a..07316808 100644
--- a/stages/csv-output/scanners/anchore.py
+++ b/stages/csv-output/scanners/anchore.py
@@ -23,7 +23,7 @@ def _vulnerability_record(fulltag, justifications, vuln):
 vuln_record["package_path"] = vuln["package_path"]
 vuln_record["package_type"] = vuln["package_type"]
 vuln_record["package_version"] = vuln["package_version"]
- vuln_record["fix"] = vuln["fix"]
+ vuln_record["fix"] = vuln["fix"].sort()
 vuln_record["url"] = vuln["url"]
 vuln_record["inherited"] = vuln.get("inherited_from_base") or "no_data"
 vuln_record["description"] = vuln["extra"]["description"]
@@ -75,12 +75,14 @@ def vulnerability_report(csv_dir, anchore_security_json, justifications):
 """
 with open(anchore_security_json, mode="r", encoding="utf-8") as f:
 json_data = json.load(f)
- cves = [
- _vulnerability_record(
+ cves = []
+ for d in json_data["vulnerabilities"]:
+ cve = _vulnerability_record(
 fulltag=json_data["imageFullTag"], justifications=justifications, vuln=d
 )
- for d in json_data["vulnerabilities"]
- ]
+ if cve not in cves:
+ cves.append(cve)
+
 if cves:
 fieldnames = list(cves[0].keys())
-- GitLab
From 279df35b4abd6343fee80c1e63590009e03d53c2 Mon Sep 17 00:00:00 2001
From: Kenneth Maguire
Date: Wed, 10 Feb 2021 20:08:49 -0700
Subject: [PATCH 2/3] fix version parse and sort
---
 stages/csv-output/scanners/anchore.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/stages/csv-output/scanners/anchore.py b/stages/csv-output/scanners/anchore.py
index 07316808..43b61820 100644
--- a/stages/csv-output/scanners/anchore.py
+++ b/stages/csv-output/scanners/anchore.py
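Review bot: The new `vuln_record["fix"] = vuln["fix"].sort()` line cannot yield a sorted value: `list.sort()` sorts in place and returns None, and the second patch of this series passes `vuln["fix"]` to `re.findall`, which means it is a string, on which `.sort()` raises AttributeError for every record. Patch 2/3 already replaces this line, so the fix is not to change it here but to squash this commit into the next so that no commit in the series leaves `_vulnerability_record` failing on every finding. `_vulnerability_record` starts and ends outside the hunk.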
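Review bot: The duplicate check `if cve not in cves:` compares whole dicts against every record collected so far, so the loop is quadratic in the number of findings, and the reason for it is only recoverable from the commit title; a comment above it would help, e.g. `# the scan output can presumably list the same finding more than once; keep the first occurrence`. If reports are large, a set of `tuple(sorted(cve.items()))` keys kept beside the list makes the check O(1) per record, but only once every value in the record is hashable (the second patch briefly stores a list in `fix`, the third a string). `vulnerability_report` begins and ends outside the hunk.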
@@ -4,6 +4,7 @@ import json
 import logging
 import os
 import pathlib
+import re
 from scanners.helper import write_csv_from_dict_list
@@ -11,8 +12,12 @@ from scanners.helper import write_csv_from_dict_list
 def _vulnerability_record(fulltag, justifications, vuln):
 """
 Create an individual vulnerability record
-
+ sorted_fix and fix_version_re needed for sorting fix string in case of duplicate cves with different sorts for the list of fix versions
 """
+ fix_version_re = "([A-Za-z0-9][-.0-~]*)"
+ sorted_fix = re.findall(fix_version_re, vuln["fix"])
+ sorted_fix.sort()
+
 vuln_record = dict()
 vuln_record["tag"] = fulltag
 vuln_record["cve"] = vuln["vuln"]
@@ -23,7 +28,7 @@ def _vulnerability_record(fulltag, justifications, vuln):
 vuln_record["package_path"] = vuln["package_path"]
 vuln_record["package_type"] = vuln["package_type"]
 vuln_record["package_version"] = vuln["package_version"]
- vuln_record["fix"] = vuln["fix"].sort()
+ vuln_record["fix"] = sorted_fix
 vuln_record["url"] = vuln["url"]
 vuln_record["inherited"] = vuln.get("inherited_from_base") or "no_data"
 vuln_record["description"] = vuln["extra"]["description"]
@@ -83,7 +88,6 @@ def vulnerability_report(csv_dir, anchore_security_json, justifications):
 if cve not in cves:
 cves.append(cve)
-
 if cves:
 fieldnames = list(cves[0].keys())
 else:
-- GitLab
From dc05e3c8df59e09008414d575c19a9048ffd1dc0 Mon Sep 17 00:00:00 2001
From: David Freeman
Date: Thu, 11 Feb 2021 17:57:57 +0000
Subject: [PATCH 3/3] Apply 1 suggestion(s) to 1 file(s)
---
 stages/csv-output/scanners/anchore.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stages/csv-output/scanners/anchore.py b/stages/csv-output/scanners/anchore.py
index 43b61820..a51795fe 100644
--- a/stages/csv-output/scanners/anchore.py
+++ b/stages/csv-output/scanners/anchore.py
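Review bot: The tokenising and sorting added at the top of `_vulnerability_record` is described in the docstring as if it were part of the function's contract, and the pattern is recompiled for every record; the regex belongs in a module constant, with the rationale as a comment at the point of use. I would write `_FIX_VERSION_RE = re.compile(r"([A-Za-z0-9][-.0-~]*)")` at module level and `sorted_fix = sorted(_FIX_VERSION_RE.findall(vuln["fix"]))` here, preceded by a three-line comment saying that the fix string is split into version-like tokens and sorted lexically (not by version) so that two records for the same CVE whose fix versions are listed in a different order compare equal in `vulnerability_report`'s duplicate check, and that comma, whitespace and anything outside printable ASCII are discarded by the pattern. That last property is worth confirming against the intent: the class `[-.0-~]` spans `0` to `~`, so it excludes space and comma (which is what splits the tokens) but also drops non-ASCII characters, and if `vuln["fix"]` can be JSON null rather than a string, `re.findall` raises TypeError. The remainder of `_vulnerability_record` lies outside the hunk.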
@@ -28,7 +28,7 @@ def _vulnerability_record(fulltag, justifications, vuln):
 vuln_record["package_path"] = vuln["package_path"]
 vuln_record["package_type"] = vuln["package_type"]
 vuln_record["package_version"] = vuln["package_version"]
- vuln_record["fix"] = sorted_fix
+ vuln_record["fix"] = ", ".join(sorted_fix)
 vuln_record["url"] = vuln["url"]
 vuln_record["inherited"] = vuln.get("inherited_from_base") or "no_data"
 vuln_record["description"] = vuln["extra"]["description"]
-- GitLab
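Review bot: `", ".join(sorted_fix)` changes what the `fix` column of the CSV contains: the original separators and any characters the tokeniser discarded are gone, lexical order puts e.g. `1.10` before `1.9`, and a fix string from which no token was extracted now becomes `""`. That is fine for the duplicate check this canonical form exists for, but it is a visible format change for consumers of the report, so mark it on the line: `# canonical form for the duplicate check: version tokens in lexical order, ", "-separated`. If the raw value should survive when nothing was extracted, `", ".join(sorted_fix) if sorted_fix else vuln["fix"]` keeps it. `_vulnerability_record` starts and ends outside the hunk.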