Return the correct Identifier URL for OCS vulnerabilities
Problem statement
Operational Container Scanning (OCS) currently returns the identifier's URL in the form:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=<ADVISORY_ID>
The corresponding code can be found in the trivy-k8s-wrapper analyzer.
This can produce wrong URLs, since cve.mitre.org does not contain all advisories.
Example
For advisory GHSA-m425-mq94-257g the following broken URL is returned:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=GHSA-m425-mq94-257g
Proposed solution
We should use ParseIdentifierID to build the correct URL for each identifier.
Implementation Plan
Trivy-k8s-wrapper
- Update identifiers.go with ParseIdentifiers and related functions from reports/v3
- Update reports_test.go
- Add a unit test for ConvertIdentifiers
- Update converter_test.go base64 expected output
- Release a new version
Gitlab-Agent
- Update converter.go so that the identifier type is not always CVE.
- Use the new trivy-k8s-wrapper version
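As an added illustration (not code from trivy-k8s-wrapper, gitlab-agent or reports/v3): the CVE-only URL builder the issue describes, next to a hypothetical prefix-aware parseIdentifier that sets the type and URL per advisory scheme. The GHSA URL form, the loose ID patterns and the sample CVE value are my assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identifier mirrors the shape of a vulnerability identifier in a security report:
// a type, a display name, the raw value and a URL pointing at the advisory.
type Identifier struct {
	Type  string
	Name  string
	Value string
	URL   string
}

// Loose patterns, assumed for this example; a production parser would follow the
// exact ID grammars of each advisory source.
var (
	cvePattern  = regexp.MustCompile(`^CVE-\d{4}-\d{4,}$`)
	ghsaPattern = regexp.MustCompile(`^GHSA(-[a-z0-9]{4}){3}$`)
)

// buggyIdentifier reproduces the behaviour reported in the issue: every ID is
// treated as a CVE, so a GHSA gets a cve.mitre.org URL that does not resolve.
func buggyIdentifier(id string) Identifier {
	return Identifier{Type: "cve", Name: id, Value: id,
		URL: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=" + id}
}

// parseIdentifier (hypothetical) classifies the ID by its prefix and builds the
// matching advisory URL. Unknown schemes become a generic identifier with an
// empty URL rather than a fabricated one.
func parseIdentifier(id string) Identifier {
	switch {
	case cvePattern.MatchString(id):
		return Identifier{Type: "cve", Name: id, Value: id,
			URL: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=" + id}
	case ghsaPattern.MatchString(id):
		// Assumed GitHub advisory URL form for this example.
		return Identifier{Type: "ghsa", Name: id, Value: id,
			URL: "https://github.com/advisories/" + id}
	default:
		return Identifier{Type: "generic", Name: id, Value: id}
	}
}

func main() {
	for _, id := range []string{"GHSA-m425-mq94-257g", "CVE-2024-12345", "RUSTSEC-2024-0001"} {
		fmt.Printf("buggy: %+v\nfixed: %+v\n", buggyIdentifier(id), parseIdentifier(id))
	}
}
```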
Verification
- Use a vulnerable image that has GHSA-m425-mq94-257g and verify that the identifier URL is correct
- Optional: Make a demo --> https://youtu.be/-n_ZjbhEqu4
Edited by Nick Ilieskou