feat: group DSA and its CVEs together (#1262)

For container scanning, we should only display DSA results and hide their related CVEs. - Add DSA's related CVEs to the same group. - Sort the group IDs with the DSA first. (DSA is more important than CVE, and one DSA contains multiple CVEs) - Don't print CVE records when there is a DSA (this reduces noise in container scanning results).
google · Sep 23, 2024 · 75a5eab · 75a5eab
1 parent 56e3a99
commit 75a5eab
Show file tree

Hide file tree

Showing 8 changed files with 127 additions and 173 deletions.
diff --git a/cmd/osv-scanner/__snapshots__/main_test.snap b/cmd/osv-scanner/__snapshots__/main_test.snap
diff --git a/internal/output/identifiers.go → internal/identifiers/identifiers.go b/internal/output/identifiers.go → internal/identifiers/identifiers.go
@@ -1,12 +1,15 @@
-package output
+package identifiers
 
 import (
 	"strings"
 )
 
 func prefixOrder(prefix string) int {
-	if prefix == "CVE" {
-		// Highest precedence
+	if prefix == "DSA" {
+		// Special case: For container scanning, DSA contains multiple CVEs and is more accurate.
+		return 3
+	} else if prefix == "CVE" {
+		// Highest precedence for normal cases
 		return 2
 	} else if prefix == "GHSA" {
 		// Lowest precedence
@@ -26,16 +29,6 @@ func prefixOrderForDescription(prefix string) int {
 	return 2
 }
 
-// idSortFunc sorts IDs ascending by CVE < [ECO-SPECIFIC] < GHSA
-func idSortFunc(a, b string) int {
-	return idSort(a, b, prefixOrder)
-}
-
-// idSortFuncForDescription sorts ID ascending by [ECO-SPECIFIC] < GHSA < CVE
-func idSortFuncForDescription(a, b string) int {
-	return idSort(a, b, prefixOrderForDescription)
-}
-
 func idSort(a, b string, prefixOrd func(string) int) int {
 	prefixAOrd := prefixOrd(strings.Split(a, "-")[0])
 	prefixBOrd := prefixOrd(strings.Split(b, "-")[0])
@@ -48,3 +41,13 @@ func idSort(a, b string, prefixOrd func(string) int) int {
 
 	return strings.Compare(a, b)
 }
+
+// IDSortFunc sorts IDs ascending by CVE < [ECO-SPECIFIC] < GHSA
+func IDSortFunc(a, b string) int {
+	return idSort(a, b, prefixOrder)
+}
+
+// IDSortFuncForDescription sorts ID ascending by [ECO-SPECIFIC] < GHSA < CVE
+func IDSortFuncForDescription(a, b string) int {
+	return idSort(a, b, prefixOrderForDescription)
+}
diff --git a/internal/output/identifiers_test.go → internal/identifiers/identifiers_test.go b/internal/output/identifiers_test.go → internal/identifiers/identifiers_test.go
@@ -1,4 +1,4 @@
-package output
+package identifiers
 
 import (
 	"slices"
@@ -36,7 +36,7 @@ func Test_idSortFunc(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			if got := idSortFunc(tt.args.a, tt.args.b); got != tt.want {
+			if got := IDSortFunc(tt.args.a, tt.args.b); got != tt.want {
 				t.Errorf("idSortFunc() = %v, want %v", got, tt.want)
 			}
 		})
@@ -65,12 +65,19 @@ func Test_idSortFuncUsage(t *testing.T) {
 			},
 			want: "RUSTSEC-2012-1234",
 		},
+		{
+			args: []string{
+				"CVE-2012-1234",
+				"DSA-2012-1234",
+			},
+			want: "DSA-2012-1234",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 
-			if got := slices.MinFunc(tt.args, idSortFunc); got != tt.want {
+			if got := slices.MinFunc(tt.args, IDSortFunc); got != tt.want {
 				t.Errorf("slices.MinFunc = %v, want %v", got, tt.want)
 			}
 		})

diff --git a/internal/output/result.go b/internal/output/result.go
@@ -7,6 +7,7 @@ import (
 	"slices"
 	"strings"
 
+	"github.com/google/osv-scanner/internal/identifiers"
 	"github.com/google/osv-scanner/pkg/models"
 	"golang.org/x/exp/maps"
 )
@@ -159,7 +160,7 @@ func mapIDsToGroupedSARIFFinding(vulns *models.VulnerabilityResults) map[string]
 	}
 
 	for _, gs := range results {
-		slices.SortFunc(gs.AliasedIDList, idSortFunc)
+		slices.SortFunc(gs.AliasedIDList, identifiers.IDSortFunc)
 		gs.AliasedIDList = slices.Compact(gs.AliasedIDList)
 		gs.DisplayID = gs.AliasedIDList[0]
 	}

diff --git a/internal/output/sarif.go b/internal/output/sarif.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 	"text/template"
 
+	"github.com/google/osv-scanner/internal/identifiers"
 	"github.com/google/osv-scanner/internal/url"
 	"github.com/google/osv-scanner/internal/utility/results"
 	"github.com/google/osv-scanner/internal/version"
@@ -191,7 +192,7 @@ func createSARIFHelpText(gv *groupedSARIFFinding) string {
 			Details: strings.ReplaceAll(v.Details, "\n", "\n> "),
 		})
 	}
-	slices.SortFunc(vulnDescriptions, func(a, b VulnDescription) int { return idSortFunc(a.ID, b.ID) })
+	slices.SortFunc(vulnDescriptions, func(a, b VulnDescription) int { return identifiers.IDSortFunc(a.ID, b.ID) })
 
 	helpText := strings.Builder{}
 
@@ -250,7 +251,7 @@ func PrintSARIFReport(vulnResult *models.VulnerabilityResults, outputWriter io.W
 		// or use a random long description.
 		var shortDescription, longDescription string
 		ids := slices.Clone(gv.AliasedIDList)
-		slices.SortFunc(ids, idSortFuncForDescription)
+		slices.SortFunc(ids, identifiers.IDSortFuncForDescription)
 
 		for _, id := range ids {
 			v := gv.AliasedVulns[id]

diff --git a/internal/output/table.go b/internal/output/table.go
@@ -114,6 +114,11 @@ func tableBuilderInner(vulnResult *models.VulnerabilityResults, calledVulns bool
 
 				for _, vuln := range group.IDs {
 					links = append(links, OSVBaseVulnerabilityURL+text.Bold.Sprintf("%s", vuln))
+
+					// For container scanning results, if there is a DSA, then skip printing its sub-CVEs.
+					if strings.Split(vuln, "-")[0] == "DSA" {
+						break
+					}
 				}
 
 				outputRow = append(outputRow, strings.Join(links, "\n"))

diff --git a/pkg/grouper/grouper.go b/pkg/grouper/grouper.go
@@ -6,6 +6,7 @@ import (
 
 	"golang.org/x/exp/maps"
 
+	"github.com/google/osv-scanner/internal/identifiers"
 	"github.com/google/osv-scanner/pkg/models"
 )
 
@@ -56,7 +57,7 @@ func Group(vulns []IDAliases) []models.GroupInfo {
 	result := make([]models.GroupInfo, 0, len(sortedKeys))
 	for _, key := range sortedKeys {
 		// Sort the strings so they are always in the same order
-		sort.Strings(extractedGroups[key])
+		slices.SortFunc(extractedGroups[key], identifiers.IDSortFunc)
 
 		// Add IDs to aliases
 		extractedAliases[key] = append(extractedAliases[key], extractedGroups[key]...)

diff --git a/pkg/grouper/grouper_models.go b/pkg/grouper/grouper_models.go
@@ -1,6 +1,10 @@
 package grouper
 
-import "github.com/google/osv-scanner/pkg/models"
+import (
+	"strings"
+
+	"github.com/google/osv-scanner/pkg/models"
+)
 
 type IDAliases struct {
 	ID      string
@@ -14,6 +18,14 @@ func ConvertVulnerabilityToIDAliases(c []models.Vulnerability) []IDAliases {
 			ID:      v.ID,
 			Aliases: v.Aliases,
 		}
+
+		// For Debian Security Advisory data,
+		// all related CVEs should be bundled together, as they are part of this DSA.
+		// TODO(gongh@): Revisit and provide a universal way to handle all Linux distro advisories.
+		if strings.Split(v.ID, "-")[0] == "DSA" {
+			idAliases.Aliases = append(idAliases.Aliases, v.Related...)
+		}
+
 		output = append(output, idAliases)
 	}