feat(lib): support of Go (go.sum) scan

GNUmakefile

@@ -89,7 +89,7 @@ NOW=$(shell date --iso-8601=seconds)
 NOW_JSON_DIR := '${BASE_DIR}/$(NOW)'
 ONE_SEC_AFTER=$(shell date -d '+1 second' --iso-8601=seconds)
 ONE_SEC_AFTER_JSON_DIR := '${BASE_DIR}/$(ONE_SEC_AFTER)'
-LIBS := 'gemfile' 'pipfile' 'poetry' 'composer' 'packagelock' 'yarn' 'cargo'
+LIBS := 'gemfile' 'pipfile' 'poetry' 'composer' 'packagelock' 'yarn' 'cargo' 'gomod'
 
 diff:
 	# git clone git@github.com:vulsio/vulsctl.git

go.mod

@@ -6,8 +6,8 @@ require (
 	github.com/Azure/azure-sdk-for-go v50.2.0+incompatible
 	github.com/BurntSushi/toml v0.3.1
 	github.com/Ullaakut/nmap/v2 v2.1.2-0.20210406060955-59a52fe80a4f
-	github.com/aquasecurity/fanal v0.0.0-20210501093021-8aaac3e8dea7
-	github.com/aquasecurity/trivy v0.17.2
+	github.com/aquasecurity/fanal v0.0.0-20210520034323-54c5a82e861f
+	github.com/aquasecurity/trivy v0.18.3
 	github.com/aquasecurity/trivy-db v0.0.0-20210429114658-ae22941a55d0
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/aws/aws-sdk-go v1.36.31
@@ -38,7 +38,6 @@ require (
 	github.com/mattn/go-runewidth v0.0.12 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
 	github.com/nlopes/slack v0.6.0
 	github.com/nsf/termbox-go v0.0.0-20200418040025-38ba6e5628f1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5

integration/int-config.toml

@@ -53,3 +53,8 @@ lockfiles = ["./integration/data/lockfile/yarn.lock"]
 [servers.cargo]
 type = "pseudo"
 lockfiles = ["./integration/data/lockfile/Cargo.lock"]
+
+[servers.gomod]
+type = "pseudo"
+lockfiles = ["./integration/data/lockfile/go.sum"]
+

integration/int-redis-config.toml

@@ -53,3 +53,8 @@ lockfiles = ["./integration/data/lockfile/yarn.lock"]
 [servers.cargo]
 type = "pseudo"
 lockfiles = ["./integration/data/lockfile/Cargo.lock"]
+
+[servers.gomod]
+type = "pseudo"
+lockfiles = ["./integration/data/lockfile/go.sum"]
+

models/library.go

@@ -129,6 +129,7 @@ var LibraryMap = map[string]string{
 	"composer.lock":     "php",
 	"Pipfile.lock":      "python",
 	"poetry.lock":       "python",
+	"go.sum":            "gomod",
 }
 
 // GetLibraryKey returns target library key

models/scanresults.go

@@ -378,57 +378,64 @@ func (r *ScanResult) CheckEOL() {
 // SortForJSONOutput sort list elements in the ScanResult to diff in integration-test
 func (r *ScanResult) SortForJSONOutput() {
 	for k, v := range r.Packages {
-		sort.SliceStable(v.AffectedProcs, func(i, j int) bool {
+		sort.Slice(v.AffectedProcs, func(i, j int) bool {
 			return v.AffectedProcs[i].PID < v.AffectedProcs[j].PID
 		})
-		sort.SliceStable(v.NeedRestartProcs, func(i, j int) bool {
+		sort.Slice(v.NeedRestartProcs, func(i, j int) bool {
 			return v.NeedRestartProcs[i].PID < v.NeedRestartProcs[j].PID
 		})
 		r.Packages[k] = v
 	}
 	for i, v := range r.LibraryScanners {
-		sort.SliceStable(v.Libs, func(i, j int) bool {
-			return v.Libs[i].Name < v.Libs[j].Name
+		sort.Slice(v.Libs, func(i, j int) bool {
+			switch strings.Compare(v.Libs[i].Name, v.Libs[j].Name) {
+			case -1:
+				return true
+			case 1:
+				return false
+			}
+			return v.Libs[i].Version < v.Libs[j].Version
+
 		})
 		r.LibraryScanners[i] = v
 	}
 
 	for k, v := range r.ScannedCves {
-		sort.SliceStable(v.AffectedPackages, func(i, j int) bool {
+		sort.Slice(v.AffectedPackages, func(i, j int) bool {
 			return v.AffectedPackages[i].Name < v.AffectedPackages[j].Name
 		})
-		sort.SliceStable(v.DistroAdvisories, func(i, j int) bool {
+		sort.Slice(v.DistroAdvisories, func(i, j int) bool {
 			return v.DistroAdvisories[i].AdvisoryID < v.DistroAdvisories[j].AdvisoryID
 		})
-		sort.SliceStable(v.Exploits, func(i, j int) bool {
+		sort.Slice(v.Exploits, func(i, j int) bool {
 			return v.Exploits[i].URL < v.Exploits[j].URL
 		})
-		sort.SliceStable(v.Metasploits, func(i, j int) bool {
+		sort.Slice(v.Metasploits, func(i, j int) bool {
 			return v.Metasploits[i].Name < v.Metasploits[j].Name
 		})
-		sort.SliceStable(v.Mitigations, func(i, j int) bool {
+		sort.Slice(v.Mitigations, func(i, j int) bool {
 			return v.Mitigations[i].URL < v.Mitigations[j].URL
 		})
 		for kk, vv := range v.CveContents {
-			sort.SliceStable(vv.References, func(i, j int) bool {
+			sort.Slice(vv.References, func(i, j int) bool {
 				return vv.References[i].Link < vv.References[j].Link
 			})
-			sort.SliceStable(vv.CweIDs, func(i, j int) bool {
+			sort.Slice(vv.CweIDs, func(i, j int) bool {
 				return vv.CweIDs[i] < vv.CweIDs[j]
 			})
 			for kkk, vvv := range vv.References {
 				// sort v.CveContents[].References[].Tags
-				sort.SliceStable(vvv.Tags, func(i, j int) bool {
+				sort.Slice(vvv.Tags, func(i, j int) bool {
 					return vvv.Tags[i] < vvv.Tags[j]
 				})
 				vv.References[kkk] = vvv
 			}
 			v.CveContents[kk] = vv
 		}
-		sort.SliceStable(v.AlertDict.En, func(i, j int) bool {
+		sort.Slice(v.AlertDict.En, func(i, j int) bool {
 			return v.AlertDict.En[i].Title < v.AlertDict.En[j].Title
 		})
-		sort.SliceStable(v.AlertDict.Ja, func(i, j int) bool {
+		sort.Slice(v.AlertDict.Ja, func(i, j int) bool {
 			return v.AlertDict.Ja[i].Title < v.AlertDict.Ja[j].Title
 		})
 		r.ScannedCves[k] = v

scanner/base.go

@@ -29,6 +29,7 @@ import (
 	_ "github.com/aquasecurity/fanal/analyzer/library/bundler"
 	_ "github.com/aquasecurity/fanal/analyzer/library/cargo"
 	_ "github.com/aquasecurity/fanal/analyzer/library/composer"
+	_ "github.com/aquasecurity/fanal/analyzer/library/gomod"
 	_ "github.com/aquasecurity/fanal/analyzer/library/npm"
 	_ "github.com/aquasecurity/fanal/analyzer/library/pipenv"
 	_ "github.com/aquasecurity/fanal/analyzer/library/poetry"