Merge pull request #15 from CycloneDX/fix-vuln
Fix column names for vulnerability command
mrutkows authored Apr 6, 2023
2 parents 4b15622 + 7e74ee2 commit 3240de6
Showing 4 changed files with 39 additions and 13 deletions.
9 changes: 3 additions & 6 deletions README.md
Expand Up @@ -790,10 +790,7 @@ This command will extract basic vulnerability report data from an SBOM that has

#### Where flag filtering

In addition a `where` filter flag can be supplied to only include results where values match supplied regex. Supported keys for the `where` filter include the following column names in the report (i.e., `id`, `bom-ref`, `created`
`published`, `updated`, `rejected` and `description`).

**Note**: filtering using `source.name` and `source.url` are coming soon
In addition a `where` filter flag can be supplied to only include results where values match supplied regex. Supported keys for the `where` filter include the following column names in the report (i.e., `id`, `bom-ref`, `source-name`, `source-url`, `created`, `published`, `updated`, `rejected` and `description`).

#### Format flag
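Review bot: the new sentence lists the filter keys as `source-name` and `source-url`, while the note it removes (and the CycloneDX field paths) spell them `source.name` and `source.url`; add one clause saying that `where` keys are the report column names as printed in the header, not JSON paths, so a user who types `source.name=NVD` understands why it matches nothing. Since the value is a regex, it is also worth stating that the match is unanchored, which is what the new `source-url=CVE-2022` test relies on.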

Expand All @@ -814,7 +811,7 @@ Currently, all `vulnerability list` command results are sorted by vulnerability
```

```bash
id bom-ref source.url source.name created published updated rejected description
id bom-ref source-name source-url created published updated rejected description
-- ------- ---------- ----------- ------- --------- ------- -------- -----------
CVE-2020-25649 NVD https://nvd.nist.gov/vuln/detail/CVE-2020-25649 2020-12-03T00:00:00.000Z 2020-12-03T00:00:00.000Z 2023-02-02T00:00:00.000Z com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
CVE-2022-42003 NVD https://nvd.nist.gov/vuln/detail/CVE-2022-42003 2022-10-02T00:00:00.000Z 2022-10-02T00:00:00.000Z 2022-10-02T00:00:00.000Z In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
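Review bot: the header row was reordered to `source-name source-url` but the dash row beneath it was left alone, so `----------` (10 dashes) now sits under `source-name` (11 characters) and `-----------` (11 dashes) under `source-url` (10). If the tool derives the dash row from the title lengths this sample no longer matches real output; regenerate the block from the command rather than hand-editing the header line.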
Expand All @@ -828,7 +825,7 @@ CVE-2022-42004 NVD https://nvd.nist.gov/vuln/detail/CVE-2022-4
```

```bash
id bom-ref source.url source.name created published updated rejected description
id bom-ref source-name source-url created published updated rejected description
-- ------- ---------- ----------- ------- --------- ------- -------- -----------
CVE-2020-25649 NVD https://nvd.nist.gov/vuln/detail/CVE-2020-25649 2020-12-03T00:00:00.000Z 2020-12-03T00:00:00.000Z 2023-02-02T00:00:00.000Z com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
```
2 changes: 1 addition & 1 deletion cmd/vulnerability.go
Expand Up @@ -56,8 +56,8 @@ const (
var VULNERABILITY_LIST_TITLES = []string{
VULN_FILTER_KEY_ID,
VULN_FILTER_KEY_BOM_REF,
VULN_FILTER_KEY_SOURCE_URL,
VULN_FILTER_KEY_SOURCE_NAME,
VULN_FILTER_KEY_SOURCE_URL,
VULN_FILTER_KEY_CREATED,
VULN_FILTER_KEY_PUBLISHED,
VULN_FILTER_KEY_UPDATED,
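Review bot: swapping VULN_FILTER_KEY_SOURCE_NAME and VULN_FILTER_KEY_SOURCE_URL in VULNERABILITY_LIST_TITLES only corrects the header if the code that appends row values already emits the name before the URL; nothing in this diff shows that path, and the two new tests check filtering, not column alignment. Add a test that asserts the text header line reads `id bom-ref source-name source-url ...` and a comment on the slice stating that its order must match the row emitter, so the two cannot drift apart again.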
32 changes: 32 additions & 0 deletions cmd/vulnerability_test.go
Expand Up @@ -326,3 +326,35 @@ func TestVulnListTextCdx14WhereClauseDescContains(t *testing.T) {

innerTestVulnList(t, testInfo)
}

func TestVulnListTextCdx14WhereClauseSourceNameNVD(t *testing.T) {
TEST_INPUT_WHERE_CLAUSE := "source-name=NVD"
TEST_OUTPUT_CONTAINS := "NVD"
TEST_OUTPUT_LINES := 5

testInfo := NewVulnTestInfo(
TEST_VULN_CDX_1_3_EXAMPLE_1_BOM_VEX,
FORMAT_TEXT,
TEST_INPUT_WHERE_CLAUSE,
TEST_OUTPUT_CONTAINS,
TEST_OUTPUT_LINES,
nil)

innerTestVulnList(t, testInfo)
}

func TestVulnListTextCdx14WhereClauseSourceUrlCVE2022(t *testing.T) {
TEST_INPUT_WHERE_CLAUSE := "source-url=CVE-2022"
TEST_OUTPUT_CONTAINS := "CVE-2022"
TEST_OUTPUT_LINES := 4

testInfo := NewVulnTestInfo(
TEST_VULN_CDX_1_3_EXAMPLE_1_BOM_VEX,
FORMAT_TEXT,
TEST_INPUT_WHERE_CLAUSE,
TEST_OUTPUT_CONTAINS,
TEST_OUTPUT_LINES,
nil)

innerTestVulnList(t, testInfo)
}
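Review bot: both new tests are named `...Cdx14...` yet load `TEST_VULN_CDX_1_3_EXAMPLE_1_BOM_VEX`, following the existing `TestVulnListTextCdx14WhereClauseDescContains` above; rename them or note the mismatch. More importantly, `TEST_OUTPUT_CONTAINS := "NVD"` is the same string as the where clause, so a filter that ignored an unknown key and returned every row would still pass as long as one row mentions NVD; `TEST_OUTPUT_LINES` is the only real check. Consider a negative case (a `source-name` value matching no row, expecting only header lines) and a case that documents `source-url=CVE-2022` as an unanchored regex match on the URL column.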
9 changes: 3 additions & 6 deletions docs/demo.md
Expand Up @@ -624,10 +624,7 @@ This command will extract basic vulnerability report data from an SBOM that has
#### Where flag filtering
In addition a `where` filter flag can be supplied to only include results where values match supplied regex. Supported keys for the `where` filter include the following column names in the report (i.e., `id`, `bom-ref`, `created`
`published`, `updated`, `rejected` and `description`).
**Note**: filtering using `source.name` and `source.url` are coming soon
In addition a `where` filter flag can be supplied to only include results where values match supplied regex. Supported keys for the `where` filter include the following column names in the report (i.e., `id`, `bom-ref`, `source-name`, `source-url`, `created`, `published`, `updated`, `rejected` and `description`).
#### Format flag
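Review bot: this paragraph is a verbatim copy of the README.md change in the same commit, and both files carried the same stale "coming soon" note before this fix, which shows they already drift. Either generate docs/demo.md from README.md or leave a comment in each pointing at the other, so the next column change is made in both places.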
Expand All @@ -648,7 +645,7 @@ Currently, all `vulnerability list` command results are sorted by vulnerability
```
```bash
id bom-ref source.url source.name created published updated rejected description
id bom-ref source-name source-url created published updated rejected description
-- ------- ---------- ----------- ------- --------- ------- -------- -----------
CVE-2020-25649 NVD https://nvd.nist.gov/vuln/detail/CVE-2020-25649 2020-12-03T00:00:00.000Z 2020-12-03T00:00:00.000Z 2023-02-02T00:00:00.000Z com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
CVE-2022-42003 NVD https://nvd.nist.gov/vuln/detail/CVE-2022-42003 2022-10-02T00:00:00.000Z 2022-10-02T00:00:00.000Z 2022-10-02T00:00:00.000Z In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
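Review bot: same issue as the README.md sample above: the header now reads `source-name source-url` but the dash row still has 10 dashes under `source-name` and 11 under `source-url`, so the sample no longer reflects the tool's output. Regenerate this block from the command instead of editing the header by hand.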
Expand All @@ -662,7 +659,7 @@ CVE-2022-42004 NVD https://nvd.nist.gov/vuln/detail/CVE-2022-4
```
```bash
id bom-ref source.url source.name created published updated rejected description
id bom-ref source-name source-url created published updated rejected description
-- ------- ---------- ----------- ------- --------- ------- -------- -----------
CVE-2020-25649 NVD https://nvd.nist.gov/vuln/detail/CVE-2020-25649 2020-12-03T00:00:00.000Z 2020-12-03T00:00:00.000Z 2023-02-02T00:00:00.000Z com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
```