From 75a5eab8dff2dc88bdbdac095089e5389a814df4 Mon Sep 17 00:00:00 2001 From: Holly Gong <39108850+hogo6002@users.noreply.github.com> Date: Mon, 23 Sep 2024 11:57:55 +1000 Subject: [PATCH] feat: group DSA and its CVEs together (#1262) For container scanning, we should only display DSA results and hide their related CVEs. - Add DSA's related CVEs to the same group. - Sort the group IDs with the DSA first. (DSA is more important than CVE, and one DSA contains multiple CVEs) - Don't print CVE records when there is a DSA (this reduces noise in container scanning results). --- cmd/osv-scanner/__snapshots__/main_test.snap | 228 ++++++------------ .../{output => identifiers}/identifiers.go | 29 ++- .../identifiers_test.go | 13 +- internal/output/result.go | 3 +- internal/output/sarif.go | 5 +- internal/output/table.go | 5 + pkg/grouper/grouper.go | 3 +- pkg/grouper/grouper_models.go | 14 +- 8 files changed, 127 insertions(+), 173 deletions(-) rename internal/{output => identifiers}/identifiers.go (61%) rename internal/{output => identifiers}/identifiers_test.go (80%) diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap index 37c088facdf..61801309001 100755 --- a/cmd/osv-scanner/__snapshots__/main_test.snap +++ b/cmd/osv-scanner/__snapshots__/main_test.snap @@ -547,22 +547,22 @@ Scanned /fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX S | https://osv.dev/CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml | | https://osv.dev/CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | fixtures/sbom-insecure/alpine.cdx.xml | | https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GO-2022-0274 | | | | | | -| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GO-2022-0452 | | | | | | -| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GO-2023-1683 | | | | | | -| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GO-2023-1682 | | | | | | -| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GO-2023-1627 | | | | | | -| https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GO-2024-2491 | | | | | | -| https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GO-2024-3110 | | | | | | -| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/GO-2022-0493 | | | | | | +| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | +| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | +| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | +| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | +| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | +| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | +| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | +| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | | https://osv.dev/DLA-3012-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3008-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -741,8 +741,8 @@ Scanned /fixtures/call-analysis-go-project/go.mod file and found 4 pack +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ | OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ -| https://osv.dev/GHSA-2h6c-j3gf-xp9r | 5.9 | Go | github.com/ipfs/go-bitfield | 1.0.0 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-1558 | | | | | | +| https://osv.dev/GO-2023-1558 | 5.9 | Go | github.com/ipfs/go-bitfield | 1.0.0 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GHSA-2h6c-j3gf-xp9r | | | | | | | https://osv.dev/GO-2023-2375 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GO-2023-2102 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GO-2023-2185 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | @@ -754,16 +754,16 @@ Scanned /fixtures/call-analysis-go-project/go.mod file and found 4 pack +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ | Uncalled vulnerabilities | | | | | | +-------------------------------------+------+-----------+-----------------------------+---------+------------------------------------------+ -| https://osv.dev/GHSA-c3h9-896r-86jm | 8.6 | Go | github.com/gogo/protobuf | 1.3.1 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2021-0053 | | | | | | -| https://osv.dev/GHSA-qgc7-mgm3-q253 | 5.5 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-1572 | | | | | | -| https://osv.dev/GHSA-j3p8-6mrq-6g7h | 6.5 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-1990 | | | | | | -| https://osv.dev/GHSA-x92r-3vfx-4cv3 | 6.5 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2023-1989 | | | | | | -| https://osv.dev/GHSA-9phm-fm57-rhg8 | 8.7 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | -| https://osv.dev/GO-2024-2937 | | | | | | +| https://osv.dev/GO-2021-0053 | 8.6 | Go | github.com/gogo/protobuf | 1.3.1 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GHSA-c3h9-896r-86jm | | | | | | +| https://osv.dev/GO-2023-1572 | 5.5 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GHSA-qgc7-mgm3-q253 | | | | | | +| https://osv.dev/GO-2023-1990 | 6.5 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GHSA-j3p8-6mrq-6g7h | | | | | | +| https://osv.dev/GO-2023-1989 | 6.5 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GHSA-x92r-3vfx-4cv3 | | | | | | +| https://osv.dev/GO-2024-2937 | 8.7 | Go | golang.org/x/image | 0.4.0 | fixtures/call-analysis-go-project/go.mod | +| https://osv.dev/GHSA-9phm-fm57-rhg8 | | | | | | | https://osv.dev/GO-2023-2041 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GO-2023-2043 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | | https://osv.dev/GO-2023-2186 | | Go | stdlib | 1.19 | fixtures/call-analysis-go-project/go.mod | @@ -1377,21 +1377,17 @@ Filtered 16 vulnerabilities from output | https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2020-27350 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2020-3810 | 5.5 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4685-1 | | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4808-1 | | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-1664 | 9.8 | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5147-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2019-5094 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4535-1 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4535-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -1400,8 +1396,7 @@ Filtered 16 vulnerabilities from output | https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-1271 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5122-1 | | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -1440,62 +1435,46 @@ Filtered 16 vulnerabilities from output | https://osv.dev/CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-2309 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-29824 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-40303 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-40304 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-28484 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-29469 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-25062 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3012-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3172-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3405-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3878-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5142-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5271-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5391-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2019-1547 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2019-1551 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2019-1563 | 3.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2020-1967 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2020-1971 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-23840 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-23841 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3449 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3711 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3712 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-4160 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-1292 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-2068 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-2097 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5103-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5139-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5169-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-4304 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-4450 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0215 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0286 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0464 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0465 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0466 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-2650 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-3817 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-5363 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-5678 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-6237 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -1503,25 +1482,12 @@ Filtered 16 vulnerabilities from output | https://osv.dev/CVE-2024-2511 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-4603 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-5535 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2024-6119 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5764-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3008-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3325-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3449-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3530-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4539-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4661-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4807-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4855-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4875-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4963-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5103-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5139-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5169-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5343-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5417-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5532-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5764-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -1559,15 +1525,11 @@ Filtered 16 vulnerabilities from output | https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3995 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3996 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2024-28085 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DLA-3782-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5055-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-1271 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3782-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5123-1 | | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ --- @@ -1590,21 +1552,17 @@ Filtered 16 vulnerabilities from output | https://osv.dev/CVE-2011-3374 | 3.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2020-27350 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2020-3810 | 5.5 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4685-1 | | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4808-1 | | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-1664 | 9.8 | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3022-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5147-1 | | Debian | dpkg | 1.18.25 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2019-5094 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4535-1 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4535-1 | | Debian | e2fsprogs | 1.43.4-2+deb9u2 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-jfvp-7x6p-h2pv | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -1613,8 +1571,7 @@ Filtered 16 vulnerabilities from output | https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-xr7r-f8xq-vfvv | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-1271 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5122-1 | | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -1653,62 +1610,46 @@ Filtered 16 vulnerabilities from output | https://osv.dev/CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-2309 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-29824 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-40303 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-40304 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-28484 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-29469 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-25062 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3012-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3172-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3405-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3878-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5142-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5271-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5391-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2019-1547 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2019-1551 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2019-1563 | 3.7 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2020-1967 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2020-1971 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-23840 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-23841 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3449 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3711 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3712 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-4160 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-1292 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-2068 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-2097 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5103-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5139-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5169-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-4304 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-4450 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0215 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0286 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0464 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0465 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-0466 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-2650 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-3817 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2023-5363 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-5678 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2023-6237 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -1716,25 +1657,12 @@ Filtered 16 vulnerabilities from output | https://osv.dev/CVE-2024-2511 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-4603 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-5535 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2024-6119 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5764-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3008-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3325-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3449-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3530-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4539-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4661-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4807-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4855-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4875-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-4963-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5103-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5139-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5169-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5343-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5417-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5532-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5764-1 | | Debian | openssl | 1.1.0l-1~deb9u5 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | @@ -1772,15 +1700,11 @@ Filtered 16 vulnerabilities from output | https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3995 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2021-3996 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2024-28085 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DLA-3782-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5055-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/DSA-5650-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/CVE-2022-1271 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DLA-3782-1 | | Debian | util-linux | 2.29.2-1+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | | https://osv.dev/CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | -| https://osv.dev/DSA-5123-1 | | Debian | xz-utils | 5.2.2-1.2+deb9u1 | fixtures/sbom-insecure/postgres-stretch.cdx.xml | +-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+ --- diff --git a/internal/output/identifiers.go b/internal/identifiers/identifiers.go similarity index 61% rename from internal/output/identifiers.go rename to internal/identifiers/identifiers.go index 35ad3c33bfc..91e92739cf7 100644 --- a/internal/output/identifiers.go +++ b/internal/identifiers/identifiers.go @@ -1,12 +1,15 @@ -package output +package identifiers import ( "strings" ) func prefixOrder(prefix string) int { - if prefix == "CVE" { - // Highest precedence + if prefix == "DSA" { + // Special case: For container scanning, DSA contains multiple CVEs and is more accurate. + return 3 + } else if prefix == "CVE" { + // Highest precedence for normal cases return 2 } else if prefix == "GHSA" { // Lowest precedence @@ -26,16 +29,6 @@ func prefixOrderForDescription(prefix string) int { return 2 } -// idSortFunc sorts IDs ascending by CVE < [ECO-SPECIFIC] < GHSA -func idSortFunc(a, b string) int { - return idSort(a, b, prefixOrder) -} - -// idSortFuncForDescription sorts ID ascending by [ECO-SPECIFIC] < GHSA < CVE -func idSortFuncForDescription(a, b string) int { - return idSort(a, b, prefixOrderForDescription) -} - func idSort(a, b string, prefixOrd func(string) int) int { prefixAOrd := prefixOrd(strings.Split(a, "-")[0]) prefixBOrd := prefixOrd(strings.Split(b, "-")[0]) @@ -48,3 +41,13 @@ func idSort(a, b string, prefixOrd func(string) int) int { return strings.Compare(a, b) } + +// IDSortFunc sorts IDs ascending by CVE < [ECO-SPECIFIC] < GHSA +func IDSortFunc(a, b string) int { + return idSort(a, b, prefixOrder) +} + +// IDSortFuncForDescription sorts ID ascending by [ECO-SPECIFIC] < GHSA < CVE +func IDSortFuncForDescription(a, b string) int { + return idSort(a, b, prefixOrderForDescription) +} diff --git a/internal/output/identifiers_test.go b/internal/identifiers/identifiers_test.go similarity index 80% rename from internal/output/identifiers_test.go rename to internal/identifiers/identifiers_test.go index 1ebd4ddb0e8..6458d3e019e 100644 --- a/internal/output/identifiers_test.go +++ b/internal/identifiers/identifiers_test.go @@ -1,4 +1,4 @@ -package output +package identifiers import ( "slices" @@ -36,7 +36,7 @@ func Test_idSortFunc(t *testing.T) { t.Run(tt.name, func(t *testing.T) { t.Parallel() - if got := idSortFunc(tt.args.a, tt.args.b); got != tt.want { + if got := IDSortFunc(tt.args.a, tt.args.b); got != tt.want { t.Errorf("idSortFunc() = %v, want %v", got, tt.want) } }) @@ -65,12 +65,19 @@ func Test_idSortFuncUsage(t *testing.T) { }, want: "RUSTSEC-2012-1234", }, + { + args: []string{ + "CVE-2012-1234", + "DSA-2012-1234", + }, + want: "DSA-2012-1234", + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { t.Parallel() - if got := slices.MinFunc(tt.args, idSortFunc); got != tt.want { + if got := slices.MinFunc(tt.args, IDSortFunc); got != tt.want { t.Errorf("slices.MinFunc = %v, want %v", got, tt.want) } }) diff --git a/internal/output/result.go b/internal/output/result.go index 272440b310b..907187d789f 100644 --- a/internal/output/result.go +++ b/internal/output/result.go @@ -7,6 +7,7 @@ import ( "slices" "strings" + "github.com/google/osv-scanner/internal/identifiers" "github.com/google/osv-scanner/pkg/models" "golang.org/x/exp/maps" ) @@ -159,7 +160,7 @@ func mapIDsToGroupedSARIFFinding(vulns *models.VulnerabilityResults) map[string] } for _, gs := range results { - slices.SortFunc(gs.AliasedIDList, idSortFunc) + slices.SortFunc(gs.AliasedIDList, identifiers.IDSortFunc) gs.AliasedIDList = slices.Compact(gs.AliasedIDList) gs.DisplayID = gs.AliasedIDList[0] } diff --git a/internal/output/sarif.go b/internal/output/sarif.go index c3a069f8e57..a533a89b3f4 100644 --- a/internal/output/sarif.go +++ b/internal/output/sarif.go @@ -9,6 +9,7 @@ import ( "strings" "text/template" + "github.com/google/osv-scanner/internal/identifiers" "github.com/google/osv-scanner/internal/url" "github.com/google/osv-scanner/internal/utility/results" "github.com/google/osv-scanner/internal/version" @@ -191,7 +192,7 @@ func createSARIFHelpText(gv *groupedSARIFFinding) string { Details: strings.ReplaceAll(v.Details, "\n", "\n> "), }) } - slices.SortFunc(vulnDescriptions, func(a, b VulnDescription) int { return idSortFunc(a.ID, b.ID) }) + slices.SortFunc(vulnDescriptions, func(a, b VulnDescription) int { return identifiers.IDSortFunc(a.ID, b.ID) }) helpText := strings.Builder{} @@ -250,7 +251,7 @@ func PrintSARIFReport(vulnResult *models.VulnerabilityResults, outputWriter io.W // or use a random long description. var shortDescription, longDescription string ids := slices.Clone(gv.AliasedIDList) - slices.SortFunc(ids, idSortFuncForDescription) + slices.SortFunc(ids, identifiers.IDSortFuncForDescription) for _, id := range ids { v := gv.AliasedVulns[id] diff --git a/internal/output/table.go b/internal/output/table.go index 8b085c9dce7..39734e960a6 100644 --- a/internal/output/table.go +++ b/internal/output/table.go @@ -114,6 +114,11 @@ func tableBuilderInner(vulnResult *models.VulnerabilityResults, calledVulns bool for _, vuln := range group.IDs { links = append(links, OSVBaseVulnerabilityURL+text.Bold.Sprintf("%s", vuln)) + + // For container scanning results, if there is a DSA, then skip printing its sub-CVEs. + if strings.Split(vuln, "-")[0] == "DSA" { + break + } } outputRow = append(outputRow, strings.Join(links, "\n")) diff --git a/pkg/grouper/grouper.go b/pkg/grouper/grouper.go index a385e23ce13..d81159d7856 100644 --- a/pkg/grouper/grouper.go +++ b/pkg/grouper/grouper.go @@ -6,6 +6,7 @@ import ( "golang.org/x/exp/maps" + "github.com/google/osv-scanner/internal/identifiers" "github.com/google/osv-scanner/pkg/models" ) @@ -56,7 +57,7 @@ func Group(vulns []IDAliases) []models.GroupInfo { result := make([]models.GroupInfo, 0, len(sortedKeys)) for _, key := range sortedKeys { // Sort the strings so they are always in the same order - sort.Strings(extractedGroups[key]) + slices.SortFunc(extractedGroups[key], identifiers.IDSortFunc) // Add IDs to aliases extractedAliases[key] = append(extractedAliases[key], extractedGroups[key]...) diff --git a/pkg/grouper/grouper_models.go b/pkg/grouper/grouper_models.go index bbd9fa61f66..b713aafaa16 100644 --- a/pkg/grouper/grouper_models.go +++ b/pkg/grouper/grouper_models.go @@ -1,6 +1,10 @@ package grouper -import "github.com/google/osv-scanner/pkg/models" +import ( + "strings" + + "github.com/google/osv-scanner/pkg/models" +) type IDAliases struct { ID string @@ -14,6 +18,14 @@ func ConvertVulnerabilityToIDAliases(c []models.Vulnerability) []IDAliases { ID: v.ID, Aliases: v.Aliases, } + + // For Debian Security Advisory data, + // all related CVEs should be bundled together, as they are part of this DSA. + // TODO(gongh@): Revisit and provide a universal way to handle all Linux distro advisories. + if strings.Split(v.ID, "-")[0] == "DSA" { + idAliases.Aliases = append(idAliases.Aliases, v.Related...) + } + output = append(output, idAliases) }