Implement HTTP access to oval-dictionary

2017-06-05 17:37:02 +09:00
parent 997dd6022f
commit 1883da3b2a
8 changed files with 277 additions and 69 deletions
--- a/oval/debian.go
+++ b/oval/debian.go
@@ -15,8 +15,8 @@ import (
 // DebianBase is the base struct of Debian and Ubuntu
 type DebianBase struct{}

-// fillCveInfoFromOvalDB returns scan result after updating CVE info by OVAL
-func (o DebianBase) fillCveInfoFromOvalDB(r *models.ScanResult) error {
+// fillFromOvalDB returns scan result after updating CVE info by OVAL
+func (o DebianBase) fillFromOvalDB(r *models.ScanResult) error {
 	ovalconf.Conf.DBType = config.Conf.OvalDBType
 	ovalconf.Conf.DBPath = config.Conf.OvalDBPath
 	util.Log.Infof("open oval-dictionary db (%s): %s",
@@ -40,7 +40,7 @@ func (o DebianBase) fillCveInfoFromOvalDB(r *models.ScanResult) error {
 				}
 				affected, _ := ver.NewVersion(p.Version)
 				if current.LessThan(affected) {
-					o.fillOvalInfo(r, &def)
+					o.update(r, &def)
 				}
 			}
 		}
@@ -48,7 +48,7 @@ func (o DebianBase) fillCveInfoFromOvalDB(r *models.ScanResult) error {
 	return nil
 }

-func (o DebianBase) fillOvalInfo(r *models.ScanResult, definition *ovalmodels.Definition) {
+func (o DebianBase) update(r *models.ScanResult, definition *ovalmodels.Definition) {
 	ovalContent := *o.convertToModel(definition)
 	ovalContent.Type = models.NewCveContentType(r.Family)
 	vinfo, ok := r.ScannedCves[definition.Debian.CveID]
@@ -103,15 +103,26 @@ type Debian struct {
 }

 // NewDebian creates OVAL client for Debian
-func NewDebian() *Debian {
-	return &Debian{}
+func NewDebian() Debian {
+	return Debian{}
 }

-// FillCveInfoFromOvalDB returns scan result after updating CVE info by OVAL
-func (o Debian) FillCveInfoFromOvalDB(r *models.ScanResult) error {
-	if err := o.fillCveInfoFromOvalDB(r); err != nil {
-		return err
+// FillWithOval returns scan result after updating CVE info by OVAL
+func (o Debian) FillWithOval(r *models.ScanResult) error {
+	if config.Conf.OvalDBURL != "" {
+		defs, err := getDefsByPackNameViaHTTP(r)
+		if err != nil {
+			return err
+		}
+		for _, def := range defs {
+			o.update(r, &def)
+		}
+	} else {
+		if err := o.fillFromOvalDB(r); err != nil {
+			return err
+		}
 	}
+
 	for _, vuln := range r.ScannedCves {
 		if cont, ok := vuln.CveContents[models.Debian]; ok {
 			cont.SourceLink = "https://security-tracker.debian.org/tracker/" + cont.CveID
@@ -127,13 +138,13 @@ type Ubuntu struct {
 }

 // NewUbuntu creates OVAL client for Debian
-func NewUbuntu() *Ubuntu {
-	return &Ubuntu{}
+func NewUbuntu() Ubuntu {
+	return Ubuntu{}
 }

-// FillCveInfoFromOvalDB returns scan result after updating CVE info by OVAL
-func (o Ubuntu) FillCveInfoFromOvalDB(r *models.ScanResult) error {
-	if err := o.fillCveInfoFromOvalDB(r); err != nil {
+// FillWithOval returns scan result after updating CVE info by OVAL
+func (o Ubuntu) FillWithOval(r *models.ScanResult) error {
+	if err := o.fillFromOvalDB(r); err != nil {
 		return err
 	}
 	for _, vuln := range r.ScannedCves {
--- a/oval/oval.go
+++ b/oval/oval.go
@@ -1,13 +1,132 @@
 package oval

 import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/cenkalti/backoff"
+	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/models"
+	"github.com/future-architect/vuls/util"
+	ver "github.com/knqyf263/go-deb-version"
 	ovalmodels "github.com/kotakanbe/goval-dictionary/models"
+	"github.com/parnurzeal/gorequest"
 )

 // Client is the interface of OVAL client.
 type Client interface {
-	FillCveInfoFromOvalDB(r *models.ScanResult) error
+	FillWithOval(r *models.ScanResult) error
+}
+
+type request struct {
+	pack models.Package
+}
+
+type response struct {
+	pack *models.Package
+	defs []ovalmodels.Definition
+}
+
+// getDefsByPackNameViaHTTP fetches OVAL information via HTTP
+func getDefsByPackNameViaHTTP(r *models.ScanResult) (
+	relatedDefs []ovalmodels.Definition, err error) {
+
+	//TODO Health Check
+	reqChan := make(chan request, len(r.Packages))
+	resChan := make(chan response, len(r.Packages))
+	errChan := make(chan error, len(r.Packages))
+	defer close(reqChan)
+	defer close(resChan)
+	defer close(errChan)
+
+	go func() {
+		for _, pack := range r.Packages {
+			reqChan <- request{
+				pack: pack,
+			}
+		}
+	}()
+
+	concurrency := 10
+	tasks := util.GenWorkers(concurrency)
+	for range r.Packages {
+		tasks <- func() {
+			select {
+			case req := <-reqChan:
+				url, err := util.URLPathJoin(
+					config.Conf.OvalDBURL,
+					"packs",
+					r.Family,
+					r.Release,
+					req.pack.Name,
+				)
+				if err != nil {
+					errChan <- err
+				} else {
+					util.Log.Debugf("HTTP Request to %s", url)
+					httpGet(url, &req.pack, resChan, errChan)
+				}
+			}
+		}
+	}
+
+	timeout := time.After(2 * 60 * time.Second)
+	var errs []error
+	for range r.Packages {
+		select {
+		case res := <-resChan:
+			current, _ := ver.NewVersion(fmt.Sprintf("%s-%s",
+				res.pack.Version, res.pack.Release))
+			for _, def := range res.defs {
+				for _, p := range def.AffectedPacks {
+					affected, _ := ver.NewVersion(p.Version)
+					if res.pack.Name != p.Name || !current.LessThan(affected) {
+						continue
+					}
+					relatedDefs = append(relatedDefs, def)
+				}
+			}
+		case err := <-errChan:
+			errs = append(errs, err)
+		case <-timeout:
+			return nil, fmt.Errorf("Timeout Fetching OVAL")
+		}
+	}
+	if len(errs) != 0 {
+		return nil, fmt.Errorf("Failed to fetch OVAL. err: %v", errs)
+	}
+	return
+}
+
+func httpGet(url string, pack *models.Package, resChan chan<- response, errChan chan<- error) {
+	var body string
+	var errs []error
+	var resp *http.Response
+	f := func() (err error) {
+		//  resp, body, errs = gorequest.New().SetDebug(config.Conf.Debug).Get(url).End()
+		resp, body, errs = gorequest.New().Get(url).End()
+		if 0 < len(errs) || resp == nil || resp.StatusCode != 200 {
+			return fmt.Errorf("HTTP GET error: %v, url: %s, resp: %v", errs, url, resp)
+		}
+		return nil
+	}
+	notify := func(err error, t time.Duration) {
+		util.Log.Warnf("Failed to HTTP GET. retrying in %s seconds. err: %s", t, err)
+	}
+	err := backoff.RetryNotify(f, backoff.NewExponentialBackOff(), notify)
+	if err != nil {
+		errChan <- fmt.Errorf("HTTP Error %s", err)
+	}
+	defs := []ovalmodels.Definition{}
+	if err := json.Unmarshal([]byte(body), &defs); err != nil {
+		errChan <- fmt.Errorf("Failed to Unmarshall. body: %s, err: %s", body, err)
+	}
+	resChan <- response{
+		pack: pack,
+		defs: defs,
+	}
 }

 func getPackages(r *models.ScanResult, d *ovalmodels.Definition) (names []string) {
--- a/oval/redhat.go
+++ b/oval/redhat.go
@@ -17,11 +17,22 @@ import (
 // RedHatBase is the base struct for RedHat and CentOS
 type RedHatBase struct{}

-// FillCveInfoFromOvalDB returns scan result after updating CVE info by OVAL
-func (o RedHatBase) FillCveInfoFromOvalDB(r *models.ScanResult) error {
-	if err := o.fillCveInfoFromOvalDB(r); err != nil {
-		return err
+// FillWithOval returns scan result after updating CVE info by OVAL
+func (o RedHatBase) FillWithOval(r *models.ScanResult) error {
+	if config.Conf.OvalDBURL != "" {
+		defs, err := getDefsByPackNameViaHTTP(r)
+		if err != nil {
+			return err
+		}
+		for _, def := range defs {
+			o.update(r, &def)
+		}
+	} else {
+		if err := o.fillFromOvalDB(r); err != nil {
+			return err
+		}
 	}
+
 	for _, vuln := range r.ScannedCves {
 		if cont, ok := vuln.CveContents[models.RedHat]; ok {
 			cont.SourceLink = "https://access.redhat.com/security/cve/" + cont.CveID
@@ -30,8 +41,21 @@ func (o RedHatBase) FillCveInfoFromOvalDB(r *models.ScanResult) error {
 	return nil
 }

-// FillCveInfoFromOvalDB returns scan result after updating CVE info by OVAL
-func (o RedHatBase) fillCveInfoFromOvalDB(r *models.ScanResult) error {
+// fillFromOvalDB returns scan result after updating CVE info by OVAL
+func (o RedHatBase) fillFromOvalDB(r *models.ScanResult) error {
+	defs, err := o.getDefsByPackNameFromOvalDB(r.Release, r.Packages)
+	if err != nil {
+		return err
+	}
+	for _, def := range defs {
+		o.update(r, &def)
+	}
+	return nil
+}
+
+func (o RedHatBase) getDefsByPackNameFromOvalDB(osRelease string,
+	packs models.Packages) (relatedDefs []ovalmodels.Definition, err error) {
+
 	ovalconf.Conf.DBType = config.Conf.OvalDBType
 	ovalconf.Conf.DBPath = config.Conf.OvalDBPath
 	util.Log.Infof("open oval-dictionary db (%s): %s",
@@ -39,28 +63,26 @@ func (o RedHatBase) fillCveInfoFromOvalDB(r *models.ScanResult) error {

 	d := db.NewRedHat()
 	defer d.Close()
-	for _, pack := range r.Packages {
-		definitions, err := d.GetByPackName(r.Release, pack.Name)
+	for _, pack := range packs {
+		definitions, err := d.GetByPackName(osRelease, pack.Name)
 		if err != nil {
-			return fmt.Errorf("Failed to get RedHat OVAL info by package name: %v", err)
+			return nil, fmt.Errorf("Failed to get RedHat OVAL info by package name: %v", err)
 		}
-		for _, definition := range definitions {
+		for _, def := range definitions {
 			current, _ := ver.NewVersion(fmt.Sprintf("%s-%s", pack.Version, pack.Release))
-			for _, p := range definition.AffectedPacks {
-				if pack.Name != p.Name {
+			for _, p := range def.AffectedPacks {
+				affected, _ := ver.NewVersion(p.Version)
+				if pack.Name != p.Name || !current.LessThan(affected) {
 					continue
 				}
-				affected, _ := ver.NewVersion(p.Version)
-				if current.LessThan(affected) {
-					o.fillOvalInfo(r, &definition)
-				}
+				relatedDefs = append(relatedDefs, def)
 			}
 		}
 	}
-	return nil
+	return
 }

-func (o RedHatBase) fillOvalInfo(r *models.ScanResult, definition *ovalmodels.Definition) {
+func (o RedHatBase) update(r *models.ScanResult, definition *ovalmodels.Definition) {
 	for _, cve := range definition.Advisory.Cves {
 		ovalContent := *o.convertToModel(cve.CveID, definition)
 		vinfo, ok := r.ScannedCves[cve.CveID]
@@ -77,7 +99,7 @@ func (o RedHatBase) fillOvalInfo(r *models.ScanResult, definition *ovalmodels.De
 			if _, ok := vinfo.CveContents[models.RedHat]; ok {
 				util.Log.Infof("%s will be updated by OVAL", cve.CveID)
 			} else {
-				util.Log.Infof("%s is also detected by OVAL", cve.CveID)
+				util.Log.Infof("%s also detected by OVAL", cve.CveID)
 				cveContents = models.CveContents{}
 			}