

Include fixed version in reports
If the package has a fixed version in the results, then include it in
the issue details.
am0s committed Feb 23, 2022
1 parent 1d2075a commit 992cc62
Showing 3 changed files with 31 additions and 1 deletion.
15 changes: 15 additions & 0 deletions tests/test_generate_report.py
Expand Up @@ -27,6 +27,9 @@ def test_generate_report1_fastapi():
"""\
# Vulnerabilities found for poetry package `fastapi-0.63.0` in `poetry.lock`
## Fixed in version
**0.65.2**
## `CVE-2021-32677` - Skill-sdk version 1.0.6 updates its dependency "FastAPI" to v0.65.2 to include a security fix.
FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. FastAPI versions lower than 0.65.2 that used cookies for authentication in path operations that received JSON payloads sent by browsers were vulnerable to a Cross-Site Request Forgery (CSRF) attack. In versions lower than 0.65.2, FastAPI would try to read the request payload as JSON even if the content-type header sent was not set to application/json or a compatible JSON media type (e.g. application/geo+json). A request with a content type of text/plain containing JSON data would be accepted and the JSON data would be extracted. Requests with content type text/plain are exempt from CORS preflights, for being considered Simple requests. The browser will execute them right away including cookies, and the text content could be a JSON string that would be parsed and accepted by the FastAPI application. This is fixed in FastAPI 0.65.2. The request data is now parsed as JSON only if the content-type header is application/json or another JSON compatible media type like application/geo+json. It's best to upgrade to the latest FastAPI, but if updating is not possible then a middleware or a dependency that checks the content-type header and aborts the request if it is not application/json or another JSON compatible content type can act as a mitigating workaround.
Expand Down Expand Up @@ -67,6 +70,9 @@ def test_generate_report1_numpy():
"""\
# Vulnerabilities found for poetry package `numpy-1.21.5` in `poetry.lock`
## Fixed in version
**1.22.0**
## `CVE-2021-41496` - numpy: buffer overflow in the array_from_pyobj() in fortranobject.c
** DISPUTED ** Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values. NOTE: The vendor does not agree this is a vulnerability; the negative dimensions can only be created by an already privileged user (or internally).
Expand Down Expand Up @@ -99,6 +105,9 @@ def test_generate_report1_pillow():
issue.body,
"""# Vulnerabilities found for poetry package `pillow-8.2.0` in `poetry.lock`
## Fixed in version
**8.3.0**
## `CVE-2021-34552` - python-pillow: Buffer overflow in image convert function
Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c.
Expand Down Expand Up @@ -205,6 +214,9 @@ def test_generate_report2_fastapi():
"""\
# Vulnerabilities found for poetry package `urllib3-1.26.4` in `poetry.lock`
## Fixed in version
**1.26.5**
## `CVE-2021-33503` - python-urllib3: ReDoS in the parsing of authority part of URL
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Expand Down Expand Up @@ -248,6 +260,9 @@ def test_generate_report3_libexpat1():
"""\
# Vulnerabilities found for debian package `libexpat1-2.2.6-2+deb10u1` in `python:latest (debian 10.11)`
## Fixed in version
**2.2.6-2+deb10u2**
## `CVE-2022-22822` - expat: Integer overflow in addBinding in xmlparse.c
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
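Review bot: Every expected body in these five hunks carries a `## Fixed in version` section, so the branch in generate_issues that omits the section when package_fixed_version is None (the truthiness check on report.package_fixed_version) is never exercised; the same gap applies to tests/test_parse_report.py, where every report checked has a fixed version. A fixture containing a vulnerability with no available fix would pin both sides, e.g. `assert report.package_fixed_version is None` in the parse tests and an expected body without the `## Fixed in version` header here. The enclosing test functions start and end outside the hunks.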
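--- a/tests/test_parse_report.py
+++ b/tests/test_parse_report.py
@@ -38,6 +38,7 @@ def test_parse_report1():
 report = reports["fastapi-0.63.0"]
 assert report.package_name == "fastapi"
 assert report.package_version == "0.63.0"
+assert report.package_fixed_version == "0.65.2"
 assert report.package_type == "poetry"
 assert report.target == "poetry.lock"
 assert len(report.vulnerabilities) == 1
@@ -52,6 +53,7 @@ def test_parse_report1():
 report = reports["numpy-1.21.5"]
 assert report.package_name == "numpy"
 assert report.package_version == "1.21.5"
+assert report.package_fixed_version == "1.22.0"
 assert report.package_type == "poetry"
 assert report.target == "poetry.lock"
 assert len(report.vulnerabilities) == 1
@@ -66,6 +68,7 @@ def test_parse_report1():
 report = reports["pillow-8.2.0"]
 assert report.package_name == "pillow"
 assert report.package_version == "8.2.0"
+assert report.package_fixed_version == "8.3.0"
 assert report.package_type == "poetry"
 assert report.target == "poetry.lock"
 assert len(report.vulnerabilities) == 4
@@ -87,6 +90,7 @@ def test_parse_report2():
 report = reports["urllib3-1.26.4"]
 assert report.package_name == "urllib3"
 assert report.package_version == "1.26.4"
+assert report.package_fixed_version == "1.26.5"
 assert report.package_type == "poetry"
 assert report.target == "poetry.lock"
 assert len(report.vulnerabilities) == 1
@@ -109,6 +113,7 @@ def test_parse_report3():
 assert report.package_name == "libexpat1"
 assert report.package_version == "2.2.6-2+deb10u1"
 assert report.package_type == "debian"
+assert report.package_fixed_version == "2.2.6-2+deb10u2"
 assert report.target == "python:latest (debian 10.11)"
 assert len(report.vulnerabilities) == 10
 assert report.vulnerabilities[0]["VulnerabilityID"] == "CVE-2022-22822"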
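Review bot: In test_parse_report3 the new assertion is placed after the package_type check, while the other four hunks put it directly after the package_version check; keeping the same order (`assert report.package_fixed_version == "2.2.6-2+deb10u2"` immediately after the package_version assert) makes the five blocks read identically and easier to compare. The enclosing test functions start and end outside the hunks.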
12 changes: 11 additions & 1 deletion trivy_report/report_generator.py
@@ -1,6 +1,6 @@
import collections
from dataclasses import dataclass
from typing import Iterator, List, OrderedDict, TypedDict
from typing import Iterator, List, Optional, OrderedDict, TypedDict

# Types for dictionaries found in JSON data

Expand Down Expand Up @@ -52,6 +52,8 @@ class Report:
package_name: str
# Version for package
package_version: str
# Version of package the vulnerability was fixed
package_fixed_version: Optional[str]
# Type of package, e.g. 'poetry' or 'debian'
package_type: str
# The file or image that contains the vulnerability, e.g. 'poetry.lock'
Expand Down Expand Up @@ -103,6 +105,7 @@ def parse_results(data: ReportDict, existing_issues: List[str]) -> Iterator[Repo
for vulnerability in vulnerabilities:
package_name = vulnerability["PkgName"]
package_version = vulnerability["InstalledVersion"]
package_fixed_version = vulnerability["FixedVersion"]
package = f"{package_name}-{package_version}"
report_id = f"{package}"
has_issue = False
Expand All @@ -126,6 +129,7 @@ def parse_results(data: ReportDict, existing_issues: List[str]) -> Iterator[Repo
package=package,
package_name=package_name,
package_version=package_version,
package_fixed_version=package_fixed_version,
package_type=package_type,
target=result["Target"],
vulnerabilities=[vulnerability],
Expand All @@ -146,6 +150,12 @@ def generate_issues(reports: Iterator[Report]) -> Iterator[Issue]:
issue_body = f"""\
# Vulnerabilities found for {report.package_type} package `{report.package}` in `{report.target}`
"""
if report.package_fixed_version:
issue_body += f"""\
## Fixed in version
**{report.package_fixed_version}**
"""
for vulnerability_idx, vulnerability in enumerate(
report.vulnerabilities, start=1
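Review bot: `package_fixed_version = vulnerability["FixedVersion"]` raises KeyError when the key is absent, yet the new Report field is declared Optional[str] and generate_issues guards on its truthiness, which says a missing value is expected; Trivy's JSON output leaves out FixedVersion for vulnerabilities with no available fix, so parse_results would abort on the first such result before any issue is generated. Use `package_fixed_version = vulnerability.get("FixedVersion") or None` so an absent or empty value maps to None and the guard in generate_issues behaves as intended. The vulnerability TypedDict (outside this hunk) presumably needs the key declared as optional as well. Note also that the fixed version is taken from the first vulnerability seen for a package while the report appears to aggregate several per package (the vulnerabilities list), so if later vulnerabilities carry a different fix version the `## Fixed in version` section may understate it; a comment on the field such as `# Fix version of the first vulnerability seen for this package; later ones may differ` would make that limit explicit. parse_results and generate_issues both start and end outside the hunks.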

