Skip to content

Commit a3574ba

Browse files
s-kenjis-kenji
authored
Check nested components when parsing inspector scan results (#78)
Co-authored-by: Kenji Sugimura <kensugim@amazon.co.jp>
1 parent 15abc66 commit a3574ba

13 files changed

+208
-50
lines changed

entrypoint/entrypoint/pkg_vuln.py

Lines changed: 17 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -177,17 +177,18 @@ def get_affected_packages(v, components) -> AffectedPackages:
177177
if not affected_bom_refs:
178178
return AffectedPackages()
179179

180-
for each_bomref in affected_bom_refs:
181-
for each_component in components:
182-
ref = each_component.get("bom-ref")
180+
flattened_components = flatten_nested_components(components)
181+
for component in flattened_components:
182+
for bom_ref in affected_bom_refs:
183+
ref = component.get("bom-ref")
183184
if not ref:
184185
continue
185-
if ref == each_bomref["ref"]:
186-
purl = each_component.get("purl")
186+
if ref == bom_ref["ref"]:
187+
purl = component.get("purl")
187188
if purl:
188189
purl = urllib.parse.unquote(purl)
189190
affected_package_urls.append(purl)
190-
pkg_path = getPropertyValueFromKey(each_component, "amazon:inspector:sbom_scanner:path")
191+
pkg_path = getPropertyValueFromKey(component, "amazon:inspector:sbom_scanner:path")
191192
if pkg_path:
192193
affected_package_paths.append(pkg_path)
193194

@@ -282,6 +283,16 @@ def get_epss_score(ratings):
282283
return None
283284

284285

286+
def flatten_nested_components(components):
287+
flattened_components = []
288+
for each_component in components:
289+
flattened_components.append(each_component)
290+
if "components" in each_component:
291+
nested_components = flatten_nested_components(each_component["components"])
292+
flattened_components.extend(nested_components)
293+
return flattened_components
294+
295+
285296
def combine_str_list_into_one_str(str_list: list[str]) -> str:
286297
str_element = ";".join(str_list)
287298
if str_element == "":

entrypoint/tests/test_data/scan_results/amazonlinux:latest.json.scan.csv

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,20 @@
11
"#artifact_name:null","artifact_type:null","artifact_hash:null","build_id:null"
22
"#critical_vulnerabilities:null","high_vulnerabilities:null","medium_vulnerabilities:null","low_vulnerabilities:null","other_vulnerabilities:null"
33
"ID","Severity","Source","CVSS","Installed Package","Fixed Package","Path","EPSS","Exploit Available","Exploit Last Seen","CWEs"
4-
"CVE-2023-46218","medium","NVD","6.5","pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2","null","0.00071","true","2024-05-20T13:08:30Z","null"
5-
"CVE-2023-45918","untriaged","NVD","null","pkg:rpm/amazon/ncurses@6.2-4.20200222.amzn2023.0.5?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/ncurses-libs@6.2-4.20200222.amzn2023.0.5?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/ncurses-base@6.2-4.20200222.amzn2023.0.5?arch=noarch&distro=2023&epoch=0","0:6.2-4.20200222.amzn2023.0.6;0:6.2-4.20200222.amzn2023.0.6;0:6.2-4.20200222.amzn2023.0.6","null","0.00043","null","null","null"
6-
"CVE-2021-35939","medium","NVD","6.7","pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-sign-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00075","null","null","CWE-59"
4+
"CVE-2023-46218","medium","NVD","6.5","pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2","null","0.00071","true","2024-05-20T13:08:30Z","null"
5+
"CVE-2023-45918","untriaged","NVD","null","pkg:rpm/amazon/ncurses-base@6.2-4.20200222.amzn2023.0.5?arch=noarch&distro=2023&epoch=0;pkg:rpm/amazon/ncurses-libs@6.2-4.20200222.amzn2023.0.5?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/ncurses@6.2-4.20200222.amzn2023.0.5?arch=x86_64&distro=2023&epoch=0","0:6.2-4.20200222.amzn2023.0.6;0:6.2-4.20200222.amzn2023.0.6;0:6.2-4.20200222.amzn2023.0.6","null","0.00043","null","null","null"
6+
"CVE-2021-35939","medium","NVD","6.7","pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-sign-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00075","null","null","CWE-59"
77
"CVE-2024-2398","untriaged","NVD","null","pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.4;0:8.5.0-1.amzn2023.0.4;0:8.5.0-1.amzn2023.0.4","null","0.00044","null","null","null"
8-
"CVE-2024-2961","untriaged","NVD","null","pkg:rpm/amazon/glibc@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/glibc-common@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/glibc-minimal-langpack@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0","0:2.34-52.amzn2023.0.10;0:2.34-52.amzn2023.0.10;0:2.34-52.amzn2023.0.10","null","0.00044","true","2024-05-20T21:13:25Z","CWE-787"
8+
"CVE-2024-2961","untriaged","NVD","null","pkg:rpm/amazon/glibc-common@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/glibc@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/glibc-minimal-langpack@2.34-52.amzn2023.0.7?arch=x86_64&distro=2023&epoch=0","0:2.34-52.amzn2023.0.10;0:2.34-52.amzn2023.0.10;0:2.34-52.amzn2023.0.10","null","0.00044","true","2024-05-20T21:13:25Z","CWE-787"
99
"CVE-2024-26462","untriaged","NVD","null","pkg:rpm/amazon/krb5-libs@1.21-3.amzn2023.0.3?arch=x86_64&distro=2023&epoch=0","0:1.21-3.amzn2023.0.4","null","0.00043","null","null","null"
1010
"CVE-2024-26461","untriaged","NVD","null","pkg:rpm/amazon/krb5-libs@1.21-3.amzn2023.0.3?arch=x86_64&distro=2023&epoch=0","0:1.21-3.amzn2023.0.4","null","0.00043","null","null","null"
11-
"CVE-2021-35938","medium","NVD","6.7","pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-sign-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00075","null","null","CWE-59"
11+
"CVE-2021-35938","medium","NVD","6.7","pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-sign-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00075","null","null","CWE-59"
1212
"CVE-2024-2004","untriaged","NVD","null","pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.4;0:8.5.0-1.amzn2023.0.4;0:8.5.0-1.amzn2023.0.4","null","0.00044","null","null","null"
13-
"CVE-2024-0853","medium","NVD","5.3","pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.3;0:8.5.0-1.amzn2023.0.3;0:8.5.0-1.amzn2023.0.3","null","0.00058","true","2024-05-18T20:41:40Z","CWE-295"
13+
"CVE-2024-0853","medium","NVD","5.3","pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.3;0:8.5.0-1.amzn2023.0.3;0:8.5.0-1.amzn2023.0.3","null","0.00058","true","2024-05-18T20:41:40Z","CWE-295"
1414
"CVE-2024-28757","untriaged","NVD","null","pkg:rpm/amazon/expat@2.5.0-1.amzn2023.0.3?arch=x86_64&distro=2023&epoch=0","0:2.5.0-1.amzn2023.0.4","null","0.00044","true","2024-05-17T01:55:59Z","null"
1515
"CVE-2023-6597","untriaged","NVD","null","pkg:rpm/amazon/python3-libs@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:3.9.16-1.amzn2023.0.8;0:3.9.16-1.amzn2023.0.8","null","0.00044","null","null","null"
16-
"CVE-2024-28182","untriaged","NVD","null","pkg:rpm/amazon/nghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/libnghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:1.59.0-3.amzn2023.0.1;0:1.59.0-3.amzn2023.0.1","null","0.00044","true","2024-05-20T15:47:49Z","CWE-770"
16+
"CVE-2024-28182","untriaged","NVD","null","pkg:rpm/amazon/libnghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/nghttp2@1.57.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:1.59.0-3.amzn2023.0.1;0:1.59.0-3.amzn2023.0.1","null","0.00044","true","2024-05-20T15:47:49Z","CWE-770"
1717
"CVE-2024-26458","untriaged","NVD","null","pkg:rpm/amazon/krb5-libs@1.21-3.amzn2023.0.3?arch=x86_64&distro=2023&epoch=0","0:1.21-3.amzn2023.0.4","null","0.00043","null","null","null"
18-
"CVE-2021-35937","medium","NVD","6.4","pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-sign-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00086","null","null","CWE-367;CWE-59"
19-
"CVE-2024-0450","untriaged","NVD","null","pkg:rpm/amazon/python3@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-libs@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:3.9.16-1.amzn2023.0.7;0:3.9.16-1.amzn2023.0.7","null","0.00046","null","null","CWE-405"
20-
"ALAS2023-2024-558","low","AMAZON_INSPECTOR","null","pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2","null","null","null","null","null"
18+
"CVE-2021-35937","medium","NVD","6.4","pkg:rpm/amazon/rpm-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-sign-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3-rpm@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/rpm-build-libs@4.16.1.3-12.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6;0:4.16.1.3-29.amzn2023.0.6","null","0.00086","null","null","CWE-367;CWE-59"
19+
"CVE-2024-0450","untriaged","NVD","null","pkg:rpm/amazon/python3-libs@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/python3@3.9.16-1.amzn2023.0.6?arch=x86_64&distro=2023&epoch=0","0:3.9.16-1.amzn2023.0.7;0:3.9.16-1.amzn2023.0.7","null","0.00046","null","null","CWE-405"
20+
"ALAS2023-2024-558","low","AMAZON_INSPECTOR","null","pkg:rpm/amazon/libcurl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0;pkg:rpm/amazon/curl-minimal@8.5.0-1.amzn2023.0.1?arch=x86_64&distro=2023&epoch=0","0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2;0:8.5.0-1.amzn2023.0.2","null","null","null","null","null"

0 commit comments

Comments
 (0)