feat(rust): add dependency graph from Rust binaries (aquasecurity#2771)

BenjaminHerbert · Aug 30, 2022 · 9d018d4 · 9d018d4
1 parent db67f16
commit 9d018d4
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 10 deletions.
diff --git a/docs/docs/vulnerability/examples/report.md b/docs/docs/vulnerability/examples/report.md
@@ -15,7 +15,10 @@ Modern software development relies on the use of third-party libraries.
 Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph.
 In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree.
 To make this task simpler Trivy can show a dependency origin tree with the `--dependency-tree` flag.
-This flag is only available with the `fs` or `repo` commands and the `--format table` flag.
+This flag is only available with the `--format table` flag.
+
+!!! note
+    Only Node.js (package-lock.json) and Rust Binaries built with [cargo-auditable][cargo-auditable] are supported at the moment.
 
 This tree is the reverse of the npm list command.
 However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.
@@ -60,9 +63,6 @@ Also, **[email protected]** with some vulnerabilities is included through chain
 
 Then, you can try to update **[email protected]** and **[email protected]** to resolve vulnerabilities in **[email protected]** and **[email protected]**.
 
-!!! note
-    Only Node.js (package-lock.json) is supported at the moment.
-
 ## JSON
 
 ```
@@ -273,7 +273,7 @@ The following example shows use of default HTML template when Trivy is installed
 $ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
 ```
 
-
+[cargo-auditable]: https://github.com/rust-secure-code/cargo-auditable/
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
 [asff]: https://github.com/aquasecurity/trivy/blob/main/docs/docs/integrations/aws-security-hub.md

diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.22.0
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220819065825-29e1e04fb7ae
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220824115155-600849a106bd
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46

diff --git a/go.sum b/go.sum
@@ -206,8 +206,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.71.9 h1:eo244v1RQzziClY9xXyVftPibE0fddXbTtkvH52/slU=
 github.com/aquasecurity/defsec v0.71.9/go.mod h1:2jYgkIi3UFbkrbtpnr3Cu49JZ3MGuLMJAhyh63jV1I4=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220819065825-29e1e04fb7ae h1:1WdRZrDTkXHC5deeJhatiP3IUHHqdIo/dZlagTtlU8g=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220819065825-29e1e04fb7ae/go.mod h1:6G1Y5nht5TL9kr1SzmrdE8PrmbNXo9nHx3qFR3qURg0=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220824115155-600849a106bd h1:jgYzIraCXhabEhYOmQRb73/YlyWGaGOktA5ZsZ7+6RE=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220824115155-600849a106bd/go.mod h1:6G1Y5nht5TL9kr1SzmrdE8PrmbNXo9nHx3qFR3qURg0=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20220726154943-99847deb62b0 h1:tihCUjLWkF0b1SAjAKcFltUs3SpsqGrLtI+Frye0D10=

diff --git a/pkg/fanal/analyzer/language/rust/binary/binary_test.go b/pkg/fanal/analyzer/language/rust/binary/binary_test.go
@@ -27,8 +27,13 @@ func Test_rustBinaryLibraryAnalyzer_Analyze(t *testing.T) {
 						Type:     types.RustBinary,
 						FilePath: "testdata/executable_rust",
 						Libraries: []types.Package{
-							{Name: "crate_with_features", Version: "0.1.0"},
-							{Name: "library_crate", Version: "0.1.0", Indirect: true},
+							{
+								ID:        "[email protected]",
+								Name:      "crate_with_features",
+								Version:   "0.1.0",
+								DependsOn: []string{"[email protected]"},
+							},
+							{ID: "[email protected]", Name: "library_crate", Version: "0.1.0", Indirect: true},
 						},
 					},
 				},