feat(report): support Amazon OVAL scanning (#824)

* feat(report): support Amazon OVAL scanning

* add distroAdvisories

* see goval/master
This commit is contained in:
Kota Kanbe
2019-06-10 23:20:39 +09:00
committed by GitHub
parent 40492ee00a
commit 269095d034
10 changed files with 244 additions and 87 deletions

Gopkg.lock generated

@@ -10,18 +10,18 @@
version = "v0.4.12"
[[projects]]
digest = "1:9f957886552b6e43a479813209d8b834a62ab49724ace6d7dcf2464e01a9beeb"
digest = "1:5d25df7e7ad3abe59af9d38e6a7c28c268e22cefdf453d68bfe8fc5920004a76"
name = "github.com/Azure/azure-sdk-for-go"
packages = [
"storage",
"version",
]
pruneopts = "UT"
revision = "77258e94d84ea36012a72c0e0a1e2faa409c6396"
version = "v29.0.0"
revision = "5cd3deb00b42ed3b9199524cd8f70b8dd8bec2f0"
version = "v30.0.0"
[[projects]]
digest = "1:28d10a9fa2e3e2d57f804c988278c9d23323d16027e9e51b59ed99d87f3c2bb4"
digest = "1:b88fe174accff6609eee9dc7e4ec9f828cbda83e3646111538dbcc7f762f1a56"
name = "github.com/Azure/go-autorest"
packages = [
"autorest",
@@ -32,8 +32,8 @@
"tracing",
]
pruneopts = "UT"
revision = "fe1ebaab71ae2a2ab8a55f62ebe54cffd842acc2"
version = "v12.0.0"
revision = "f29a2eccaa178b367df0405778cd85e0af7b4225"
version = "v12.1.0"
[[projects]]
digest = "1:9f3b30d9f8e0d7040f729b82dcbc8f0dead820a133b3147ce355fc451f32d761"
@@ -60,7 +60,7 @@
version = "v9"
[[projects]]
digest = "1:f98ff8e868ab828f6efeaeee0cbffacc493fcda42d89cbcee14cf467af14b039"
digest = "1:14155313f18932280b025613b2c8f40038757a57482e04a5e1bee7ac5700d4b9"
name = "github.com/aws/aws-sdk-go"
packages = [
"aws",
@@ -90,6 +90,7 @@
"private/protocol",
"private/protocol/eventstream",
"private/protocol/eventstream/eventstreamapi",
"private/protocol/json/jsonutil",
"private/protocol/query",
"private/protocol/query/queryutil",
"private/protocol/rest",
@@ -99,8 +100,8 @@
"service/sts",
]
pruneopts = "UT"
revision = "52cd98f1ed1857be47c069f1b27a5dbebb0c1995"
version = "v1.19.30"
revision = "36f1478b1b241bd8ba1e21424b85eeb1f74f2bb4"
version = "v1.19.46"
[[projects]]
digest = "1:0f98f59e9a2f4070d66f0c9c39561f68fcd1dc837b22a852d28d0003aebd1b1e"
@@ -166,7 +167,7 @@
version = "v1.4.7"
[[projects]]
digest = "1:33082c63746b464db3d1c2c07a1396d860484d97fe857ef9e8668a9b406db09f"
digest = "1:c950e574951c7199fb3d990d0e7a61996f40f8e646ba7cf8a557878d4c737f53"
name = "github.com/go-redis/redis"
packages = [
".",
@@ -178,8 +179,8 @@
"internal/util",
]
pruneopts = "UT"
revision = "d22fde8721cc915a55aeb6b00944a76a92bfeb6e"
version = "v6.15.2"
revision = "75795aa4236dc7341eefac3bbe945e68c99ef9df"
version = "v6.15.3"
[[projects]]
digest = "1:ec6f9bf5e274c833c911923c9193867f3f18788c461f76f05f62bb1510e0ae65"
@@ -317,6 +318,14 @@
pruneopts = "UT"
revision = "bf9dde6d0d2c004a008c27aaee91170c786f6db8"
[[projects]]
digest = "1:89180842090b3c38430d0f311f2a514473bb77a29669d111840cfadd2fac0c7a"
name = "github.com/htcat/htcat"
packages = ["."]
pruneopts = "UT"
revision = "2e876d1aa131bd5e3a427b9bfacc5db7dc5a553d"
version = "v1.0.2"
[[projects]]
digest = "1:e96640e5b9ce93e2d7ee18f48048483080fd23e72e3c38bc17e9c8b77062031a"
name = "github.com/inconshreveable/log15"
@@ -340,11 +349,11 @@
[[projects]]
branch = "master"
digest = "1:fd97437fbb6b7dce04132cf06775bd258cce305c44add58eb55ca86c6c325160"
digest = "1:01ed62f8f4f574d8aff1d88caee113700a2b44c42351943fa73cc1808f736a50"
name = "github.com/jinzhu/inflection"
packages = ["."]
pruneopts = "UT"
revision = "04140366298a54a039076d798123ffa108fff46c"
revision = "f5c5f50e6090ae76a29240b61ae2a90dd810112e"
[[projects]]
digest = "1:bb81097a5b62634f3e9fec1014657855610c82d19b9a40c17612e32651e35dca"
@@ -383,11 +392,11 @@
[[projects]]
branch = "master"
digest = "1:a9955a589c7f6f28bd5a5f69da3f1e2cc857c23c7605c5fa7b605f065ba8f3fe"
digest = "1:4f716bd1685e2e990f23cff371823b6cfd6a24c3a986822da6b8ffa6acf6f256"
name = "github.com/knqyf263/go-deb-version"
packages = ["."]
pruneopts = "UT"
revision = "9865fe14d09b1c729188ac810466dde90f897ee3"
revision = "09fca494f03d83586ddc06a1cb3fa992626e4f79"
[[projects]]
branch = "master"
@@ -440,17 +449,19 @@
version = "v0.1.0"
[[projects]]
digest = "1:8fd95e6bab4d09a0f610bd5c02ef6ec7d0d91da5a72b7cfcbfd67254bcb72b75"
digest = "1:e5d1256691817d7f99ed824229c60d89a50301c82a1520625049c83492e88ab0"
name = "github.com/kotakanbe/goval-dictionary"
packages = [
"config",
"db",
"db/rdb",
"fetcher",
"models",
"util",
]
pruneopts = "UT"
revision = "5070051ecafdf15cbe2490e71ec038de7d25b71e"
version = "v0.1.1"
revision = "199e1232155a76746cc702947e5667547e5f725d"
version = "v0.1.2"
[[projects]]
branch = "master"
@@ -461,15 +472,15 @@
revision = "928f7356cb964637e2489a6ef37eee55181676c5"
[[projects]]
digest = "1:01eb0269028d3c2e21b5b6cd9b1ba81bc4170ab293fcffa84e3aa3a6138a92e8"
digest = "1:9bc108827ac1d8783dea294f1ef07732fa4ca7d6e20518c04888a85828eba4ce"
name = "github.com/labstack/gommon"
packages = [
"color",
"log",
]
pruneopts = "UT"
revision = "7fd9f68ece0bcb1a905fac8f1549f0083f71c51b"
version = "v0.2.8"
revision = "ab0bfd9a5eba33a8c364bf3390d809ed23c31f97"
version = "v0.2.9"
[[projects]]
digest = "1:0e06e487551e2f9e0d6967a15c42223354e37c2e9869b301b14a42e4b51ea3e0"
@@ -501,12 +512,12 @@
version = "v0.0.9"
[[projects]]
digest = "1:e150b5fafbd7607e2d638e4e5cf43aa4100124e5593385147b0a74e2733d8b0d"
digest = "1:9b90c7639a41697f3d4ad12d7d67dfacc9a7a4a6e0bbfae4fc72d0da57c28871"
name = "github.com/mattn/go-isatty"
packages = ["."]
pruneopts = "UT"
revision = "c2a7a6ca930a4cd0bc33a3f298eb71960732a3a7"
version = "v0.0.7"
revision = "1311e847b0cb909da63b5fecfb5370aa66236465"
version = "v0.0.8"
[[projects]]
digest = "1:0356f3312c9bd1cbeda81505b7fd437501d8e778ab66998ef69f00d7f9b3a0d7"
@@ -637,11 +648,11 @@
[[projects]]
branch = "master"
digest = "1:551d79f86d5dbc8154f3b97f37f59ff1f66bf639f7af92c7c382d3141a6203cf"
digest = "1:9ffd8274c90a47cb2bdf4f469722a95027ee0dce146571d86211f08f7d8e2547"
name = "github.com/sirupsen/logrus"
packages = ["."]
pruneopts = "UT"
revision = "f0375eb5b588893ff556c71dee32d98e57a9b777"
revision = "2a22dbedbad1fd454910cd1f44f210ef90c28464"
[[projects]]
digest = "1:bb495ec276ab82d3dd08504bbc0594a65de8c3b22c6f2aaa92d05b73fbf3a82e"
@@ -679,12 +690,12 @@
version = "v1.0.3"
[[projects]]
digest = "1:1b773526998f3dbde3a51a4a5881680c4d237d3600f570d900f97ac93c7ba0a8"
digest = "1:11118bd196646c6515fea3d6c43f66162833c6ae4939bfb229b9956d91c6cf17"
name = "github.com/spf13/viper"
packages = ["."]
pruneopts = "UT"
revision = "9e56dacc08fbbf8c9ee2dbc717553c758ce42bc9"
version = "v1.3.2"
revision = "b5bf975e5823809fb22c7644d008757f78a4259e"
version = "v1.4.0"
[[projects]]
digest = "1:c468422f334a6b46a19448ad59aaffdfc0a36b08fdcc1c749a0b29b6453d7e59"
@@ -739,7 +750,7 @@
[[projects]]
branch = "master"
digest = "1:2c6548bce7a4986c697700d747208f41122d6626216e11c38364d29a313aa220"
digest = "1:616f478cc557408da913c3b2d87b5c8d21ba353262a1bb19ebc51fcf519f020a"
name = "golang.org/x/crypto"
packages = [
"curve25519",
@@ -753,11 +764,11 @@
"ssh/terminal",
]
pruneopts = "UT"
revision = "22d7a77e9e5f409e934ed268692e56707cd169e5"
revision = "f99c8df09eb5bff426315721bfa5f16a99cad32c"
[[projects]]
branch = "master"
digest = "1:95f34339208666d9d0c806c50902ff1b0948c0507f92e19d1b7c380483507784"
digest = "1:2e99dfa3436481d6b77b598aeef796b04d090a572b8150c1927af2a9b1ebb334"
name = "golang.org/x/net"
packages = [
"context",
@@ -771,18 +782,18 @@
"trace",
]
pruneopts = "UT"
revision = "3ec19112720433827bbce8be9342797f5a6aaaf9"
revision = "461777fb6f67e8cb9d70cda16573678d085a74cf"
[[projects]]
branch = "master"
digest = "1:9927d6aceb89d188e21485f42a7a254e67e6fdcf4260aba375fe18e3c300dfb4"
digest = "1:8d1c112fb1679fa097e9a9255a786ee47383fa2549a3da71bcb1334a693ebcfe"
name = "golang.org/x/oauth2"
packages = [
".",
"internal",
]
pruneopts = "UT"
revision = "9f3314589c9a9136388751d9adae6b0ed400978a"
revision = "0f29369cfe4552d0e4bcddc57cc75f4d7e672a33"
[[projects]]
branch = "master"
@@ -794,7 +805,7 @@
[[projects]]
branch = "master"
digest = "1:1a1855ef6bc1338dd3870260716214046cefd69855c5a5a772d44d2791478abc"
digest = "1:8fb335850bdc86a194ee285848bb372c39ec2f3ad2b914e7448122085657dbd8"
name = "golang.org/x/sys"
packages = [
"cpu",
@@ -802,7 +813,7 @@
"windows",
]
pruneopts = "UT"
revision = "3a4b5fb9f71f5874b2374ae059bc0e0bcb52e145"
revision = "1e42afee0f762ed3d76e6dd942e4181855fd1849"
[[projects]]
digest = "1:8d8faad6b12a3a4c819a3f9618cb6ee1fa1cfc33253abeeea8b55336721e3405"
@@ -845,8 +856,8 @@
name = "google.golang.org/api"
packages = ["support/bundler"]
pruneopts = "UT"
revision = "721295fe20d585ce7e948146f82188429d14da33"
version = "v0.5.0"
revision = "aac82e61c0c8fe133c297b4b59316b9f481e1f0a"
version = "v0.6.0"
[[projects]]
digest = "1:7e8b9c5ae49011b12ae8473834ac1a7bb8ac029ba201270c723e4c280c9e4855"
@@ -862,8 +873,8 @@
"urlfetch",
]
pruneopts = "UT"
revision = "4c25cacc810c02874000e4f7071286a8e96b2515"
version = "v1.6.0"
revision = "b2f4a3cf3c67576a2ee09e1fe62656a5086ce880"
version = "v1.6.1"
[[projects]]
branch = "master"
@@ -875,10 +886,10 @@
"protobuf/field_mask",
]
pruneopts = "UT"
revision = "d00d292a067ce1aa0017b40ca75437b42461fa61"
revision = "eb0b1bdb6ae60fcfc41b8d907b50dfb346112301"
[[projects]]
digest = "1:707c3a5d10ed430ea767d73df122d9eb3dfb6312bbacc9f2e39204390686d1d0"
digest = "1:e8800ddadd6bce3bc0c5ffd7bc55dbdddc6e750956c10cc10271cade542fccbe"
name = "google.golang.org/grpc"
packages = [
".",
@@ -915,8 +926,8 @@
"tap",
]
pruneopts = "UT"
revision = "25c4f928eaa6d96443009bd842389fb4fa48664e"
version = "v1.20.1"
revision = "501c41df7f472c740d0674ff27122f3f48c80ce7"
version = "v1.21.1"
[[projects]]
digest = "1:e626376fab8608a972d47e91b3c1bbbddaecaf1d42b82be6dcc52d10a7557893"
@@ -959,12 +970,12 @@
version = "v0.0.9"
[[projects]]
digest = "1:e150b5fafbd7607e2d638e4e5cf43aa4100124e5593385147b0a74e2733d8b0d"
digest = "1:9b90c7639a41697f3d4ad12d7d67dfacc9a7a4a6e0bbfae4fc72d0da57c28871"
name = "gopkg.in/mattn/go-isatty.v0"
packages = ["."]
pruneopts = "UT"
revision = "c2a7a6ca930a4cd0bc33a3f298eb71960732a3a7"
version = "v0.0.7"
revision = "1311e847b0cb909da63b5fecfb5370aa66236465"
version = "v0.0.8"
[[projects]]
digest = "1:0356f3312c9bd1cbeda81505b7fd437501d8e778ab66998ef69f00d7f9b3a0d7"


@@ -45,3 +45,5 @@
[[constraint]]
branch = "master"
name = "golang.org/x/xerrors"


@@ -68,6 +68,9 @@ func (v CveContents) SourceLinks(lang, myFamily, cveID string) (values []CveCont
order := CveContentTypes{Nvd, NvdXML, NewCveContentType(myFamily)}
for _, ctype := range order {
if cont, found := v[ctype]; found {
if cont.SourceLink == "" {
continue
}
values = append(values, CveContentStr{ctype, cont.SourceLink})
}
}
@@ -233,6 +236,8 @@ func NewCveContentType(name string) CveContentType {
return Microsoft
case "wordpress":
return WPVulnDB
case "amazon":
return Amazon
default:
return Unknown
}
@@ -266,6 +271,9 @@ const (
// Oracle is Oracle Linux
Oracle CveContentType = "oracle"
// Amazon is Amazon Linux
Amazon CveContentType = "amazon"
// SUSE is SUSE Linux
SUSE CveContentType = "suse"
@@ -288,9 +296,11 @@ var AllCveContetTypes = CveContentTypes{
NvdXML,
Jvn,
RedHat,
RedHatAPI,
Debian,
Ubuntu,
RedHatAPI,
Amazon,
SUSE,
DebianSecurityTracker,
WPVulnDB,
}


@@ -165,7 +165,7 @@ type VulnInfo struct {
CveID string `json:"cveID,omitempty"`
Confidences Confidences `json:"confidences,omitempty"`
AffectedPackages PackageFixStatuses `json:"affectedPackages,omitempty"`
DistroAdvisories []DistroAdvisory `json:"distroAdvisories,omitempty"` // for Aamazon, RHEL, FreeBSD
DistroAdvisories DistroAdvisories `json:"distroAdvisories,omitempty"` // for Aamazon, RHEL, FreeBSD
CveContents CveContents `json:"cveContents,omitempty"`
Exploits []Exploit `json:"exploits,omitempty"`
AlertDict AlertDict `json:"alertDict,omitempty"`
@@ -349,7 +349,7 @@ func (v VulnInfo) Cvss2Scores(myFamily string) (values []CveContentCvss) {
}
for _, ctype := range order {
if cont, found := v.CveContents[ctype]; found {
if cont.Cvss2Score == 0 && cont.Cvss2Severity == "" {
if cont.Cvss2Score == 0 || cont.Cvss2Severity == "" {
continue
}
// https://nvd.nist.gov/vuln-metrics/cvss
@@ -704,8 +704,14 @@ func (v VulnInfo) VendorLinks(family string) map[string]string {
case config.Amazon:
links["RHEL-CVE"] = "https://access.redhat.com/security/cve/" + v.CveID
for _, advisory := range v.DistroAdvisories {
links[advisory.AdvisoryID] =
fmt.Sprintf("https://alas.aws.amazon.com/%s.html", advisory.AdvisoryID)
if strings.HasPrefix(advisory.AdvisoryID, "ALAS2") {
links[advisory.AdvisoryID] =
fmt.Sprintf("https://alas.aws.amazon.com/AL2/%s.html",
strings.Replace(advisory.AdvisoryID, "ALAS2", "ALAS", -1))
} else {
links[advisory.AdvisoryID] =
fmt.Sprintf("https://alas.aws.amazon.com/%s.html", advisory.AdvisoryID)
}
}
return links
case config.Ubuntu:
@@ -725,6 +731,20 @@ func (v VulnInfo) VendorLinks(family string) map[string]string {
return links
}
// DistroAdvisories is a list of DistroAdvisory
type DistroAdvisories []DistroAdvisory
// AppendIfMissing appends if missing
func (advs *DistroAdvisories) AppendIfMissing(adv *DistroAdvisory) bool {
for _, a := range *advs {
if a.AdvisoryID == adv.AdvisoryID {
return false
}
}
*advs = append(*advs, *adv)
return true
}
// DistroAdvisory has Amazon Linux, RHEL, FreeBSD Security Advisory information.
type DistroAdvisory struct {
AdvisoryID string `json:"advisoryID"`
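Review bot: The ALAS2 branch in VendorLinks rewrites the advisory ID with `strings.Replace(advisory.AdvisoryID, "ALAS2", "ALAS", -1)`, which replaces every occurrence rather than the prefix the branch just tested for; `"ALAS" + strings.TrimPrefix(advisory.AdvisoryID, "ALAS2")` expresses the intent exactly and cannot touch a later match. The advisory ID comes from the OVAL feed and is spliced straight into the URL, so passing it through `url.PathEscape` would keep a malformed ID from producing an unexpected link. AppendIfMissing dereferences `adv` without a nil check and its doc comment only restates the name; `// AppendIfMissing appends adv unless an advisory with the same AdvisoryID is already present; it reports whether adv was added.` would state the contract. VendorLinks starts before and continues beyond the hunk.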


@@ -1034,3 +1034,65 @@ func TestSortByConfiden(t *testing.T) {
}
}
}
func TestDistroAdvisories_AppendIfMissing(t *testing.T) {
type args struct {
adv *DistroAdvisory
}
tests := []struct {
name string
advs DistroAdvisories
args args
want bool
after DistroAdvisories
}{
{
name: "duplicate no append",
advs: DistroAdvisories{
DistroAdvisory{
AdvisoryID: "ALASs-2019-1214",
}},
args: args{
adv: &DistroAdvisory{
AdvisoryID: "ALASs-2019-1214",
},
},
want: false,
after: DistroAdvisories{
DistroAdvisory{
AdvisoryID: "ALASs-2019-1214",
}},
},
{
name: "append",
advs: DistroAdvisories{
DistroAdvisory{
AdvisoryID: "ALASs-2019-1214",
}},
args: args{
adv: &DistroAdvisory{
AdvisoryID: "ALASs-2019-1215",
},
},
want: true,
after: DistroAdvisories{
{
AdvisoryID: "ALASs-2019-1214",
},
{
AdvisoryID: "ALASs-2019-1215",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := tt.advs.AppendIfMissing(tt.args.adv); got != tt.want {
t.Errorf("DistroAdvisories.AppendIfMissing() = %v, want %v", got, tt.want)
}
if !reflect.DeepEqual(tt.advs, tt.after) {
t.Errorf("\nexpected: %v\n actual: %v\n", tt.after, tt.advs)
}
})
}
}
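Review bot: TestDistroAdvisories_AppendIfMissing only exercises a one-element receiver, so the common case of a nil `DistroAdvisories` on a fresh VulnInfo receiving its first advisory is untested; a third case with `advs: nil`, `want: true` and `after: DistroAdvisories{{AdvisoryID: "ALASs-2019-1215"}}` would pin that append through the pointer receiver works from the zero value. The fixture IDs read `ALASs-…` rather than the `ALAS-…`/`ALAS2-…` form the new VendorLinks prefix check keys on; harmless here, but aligning them would let the same fixtures serve a VendorLinks test.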


@@ -95,6 +95,7 @@ func (o DebianBase) convertToModel(def *ovalmodels.Definition) *models.CveConten
Title: def.Title,
Summary: def.Description,
Cvss2Severity: def.Advisory.Severity,
Cvss3Severity: def.Advisory.Severity,
References: refs,
}
}


@@ -133,6 +133,9 @@ func (o RedHatBase) update(r *models.ScanResult, defPacks defPacks) (nCVEs int)
vinfo.CveContents = cveContents
}
vinfo.DistroAdvisories.AppendIfMissing(
o.convertToDistroAdvisory(&defPacks.def))
// uniq(vinfo.PackNames + defPacks.actuallyAffectedPackNames)
for _, pack := range vinfo.AffectedPackages {
if nfy, ok := defPacks.actuallyAffectedPackNames[pack.Name]; !ok {
@@ -148,6 +151,21 @@ func (o RedHatBase) update(r *models.ScanResult, defPacks defPacks) (nCVEs int)
return
}
func (o RedHatBase) convertToDistroAdvisory(def *ovalmodels.Definition) *models.DistroAdvisory {
advisoryID := def.Title
if o.family == config.RedHat || o.family == config.CentOS {
ss := strings.Fields(def.Title)
advisoryID = strings.TrimSuffix(ss[0], ":")
}
return &models.DistroAdvisory{
AdvisoryID: advisoryID,
Severity: def.Advisory.Severity,
Issued: def.Advisory.Issued,
Updated: def.Advisory.Updated,
Description: def.Description,
}
}
func (o RedHatBase) convertToModel(cveID string, def *ovalmodels.Definition) *models.CveContent {
for _, cve := range def.Advisory.Cves {
if cve.CveID != cveID {
@@ -171,10 +189,10 @@ func (o RedHatBase) convertToModel(cveID string, def *ovalmodels.Definition) *mo
}
sev2, sev3 := "", ""
if score2 != 0 {
if score2 == 0 {
sev2 = severity
}
if score3 != 0 {
if score3 == 0 {
sev3 = severity
}
@@ -276,3 +294,20 @@ func NewOracle() Oracle {
},
}
}
// Amazon is the interface for RedhatBase OVAL
type Amazon struct {
// Base
RedHatBase
}
// NewAmazon creates OVAL client for Amazon Linux
func NewAmazon() Amazon {
return Amazon{
RedHatBase{
Base{
family: config.Amazon,
},
},
}
}
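Review bot: convertToDistroAdvisory indexes `ss[0]` after `strings.Fields(def.Title)` without checking that Fields returned anything, so a RedHat/CentOS definition with an empty or whitespace-only title panics the scan; guard it, e.g. `if ss := strings.Fields(def.Title); len(ss) > 0 { advisoryID = strings.TrimSuffix(ss[0], ":") }`. The definition is parsed from the OVAL feed, and one malformed record should not take the scanner down. The doc comment on the new type reads `// Amazon is the interface for RedhatBase OVAL`, which describes RedHatBase rather than the type; `// Amazon is the OVAL client for Amazon Linux, built on RedHatBase.` says what it is. The sev2/sev3 flip to `if score2 == 0` in convertToModel inverts the earlier condition with no explanation in the commit message; a one-line comment stating that the advisory severity is only used as a fallback when no score is present would help the next reader.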


@@ -78,7 +78,8 @@ func (e *ovalResult) upsert(def ovalmodels.Definition, packName string, notFixed
type request struct {
packName string
versionRelease string
NewVersionRelease string
newVersionRelease string
arch string
binaryPackNames []string
isSrcPack bool
}
@@ -105,8 +106,9 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult) (
reqChan <- request{
packName: pack.Name,
versionRelease: pack.FormatVer(),
NewVersionRelease: pack.FormatVer(),
newVersionRelease: pack.FormatVer(),
isSrcPack: false,
arch: pack.Arch,
}
}
for _, pack := range r.SrcPackages {
@@ -115,6 +117,7 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult) (
binaryPackNames: pack.BinaryNames,
versionRelease: pack.Version,
isSrcPack: true,
// arch: pack.Arch,
}
}
}()
@@ -220,7 +223,8 @@ func getDefsByPackNameFromOvalDB(driver db.DB, r *models.ScanResult) (relatedDef
requests = append(requests, request{
packName: pack.Name,
versionRelease: pack.FormatVer(),
NewVersionRelease: pack.FormatNewVer(),
newVersionRelease: pack.FormatNewVer(),
arch: pack.Arch,
isSrcPack: false,
})
}
@@ -234,7 +238,7 @@ func getDefsByPackNameFromOvalDB(driver db.DB, r *models.ScanResult) (relatedDef
}
for _, req := range requests {
definitions, err := driver.GetByPackName(r.Release, req.packName)
definitions, err := driver.GetByPackName(r.Release, req.packName, req.arch)
if err != nil {
return relatedDefs, xerrors.Errorf("Failed to get %s OVAL info by package: %#v, err: %w", r.Family, req, err)
}
@@ -315,15 +319,15 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
// `offline` or `fast` scan mode can't get a updatable version.
// In these mode, the blow field was set empty.
// Vuls can not judge fixed or unfixed.
if req.NewVersionRelease == "" {
if req.newVersionRelease == "" {
return true, false
}
// compare version: newVer vs oval
less, err := lessThan(family, req.NewVersionRelease, ovalPack)
less, err := lessThan(family, req.newVersionRelease, ovalPack)
if err != nil {
util.Log.Debugf("Failed to parse versions: %s, NewVer: %#v, OVAL: %#v, DefID: %s",
err, req.NewVersionRelease, ovalPack, def.DefinitionID)
err, req.newVersionRelease, ovalPack, def.DefinitionID)
return false, false
}
return true, less
@@ -332,9 +336,13 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
return false, false
}
var centosVerPattern = regexp.MustCompile(`\.[es]l(\d+)(?:_\d+)?(?:\.centos)?`)
var esVerPattern = regexp.MustCompile(`\.el(\d+)(?:_\d+)?`)
func lessThan(family, versionRelease string, packB ovalmodels.Package) (bool, error) {
switch family {
case config.Debian, config.Ubuntu:
case config.Debian,
config.Ubuntu:
vera, err := debver.NewVersion(versionRelease)
if err != nil {
return false, err
@@ -344,16 +352,21 @@ func lessThan(family, versionRelease string, packB ovalmodels.Package) (bool, er
return false, err
}
return vera.LessThan(verb), nil
case config.Oracle, config.SUSEEnterpriseServer, config.Alpine:
case config.Oracle,
config.SUSEEnterpriseServer,
config.Alpine,
config.Amazon:
vera := rpmver.NewVersion(versionRelease)
verb := rpmver.NewVersion(packB.Version)
return vera.LessThan(verb), nil
case config.RedHat, config.CentOS: // TODO: Suport config.Scientific
rea := regexp.MustCompile(`\.[es]l(\d+)(?:_\d+)?(?:\.centos)?`)
reb := regexp.MustCompile(`\.el(\d+)(?:_\d+)?`)
vera := rpmver.NewVersion(rea.ReplaceAllString(versionRelease, ".el$1"))
verb := rpmver.NewVersion(reb.ReplaceAllString(packB.Version, ".el$1"))
case config.RedHat,
config.CentOS:
vera := rpmver.NewVersion(centosVerPattern.ReplaceAllString(versionRelease, ".el$1"))
verb := rpmver.NewVersion(esVerPattern.ReplaceAllString(packB.Version, ".el$1"))
return vera.LessThan(verb), nil
default:
util.Log.Errorf("Not implemented yet: %s", family)
}
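Review bot: The source-package request in getDefsByPackNameViaHTTP carries a commented-out `// arch: pack.Arch,` line, which leaves dead code in the struct literal and no explanation of why arch is omitted; either drop the line or replace it with a comment explaining why source packages are looked up without an arch. The omission also matters in getDefsByPackNameFromOvalDB, where `driver.GetByPackName(r.Release, req.packName, req.arch)` now takes an arch argument and, if the source-package branch there likewise leaves it empty, the hunk does not show how the driver treats an empty value. Hoisting the two regexps to centosVerPattern and esVerPattern is the right move; a short comment on each naming the release suffixes it normalises (`.el6_7`, `.sl6`, `.centos`) would save the next reader from decoding the pattern. lessThan continues past the hunk.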


@@ -281,7 +281,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "1.0.0-0",
NewVersionRelease: "1.0.0-2",
newVersionRelease: "1.0.0-2",
},
},
affected: true,
@@ -313,7 +313,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "1.0.0-0",
NewVersionRelease: "1.0.0-3",
newVersionRelease: "1.0.0-3",
},
},
affected: true,
@@ -340,7 +340,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6_7.7",
NewVersionRelease: "",
newVersionRelease: "",
},
},
affected: true,
@@ -367,7 +367,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6_7.6",
NewVersionRelease: "0:1.2.3-45.el6_7.7",
newVersionRelease: "0:1.2.3-45.el6_7.7",
},
},
affected: true,
@@ -446,7 +446,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6_7.6",
NewVersionRelease: "0:1.2.3-45.el6_7.7",
newVersionRelease: "0:1.2.3-45.el6_7.7",
},
},
affected: true,
@@ -473,7 +473,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6_7.6",
NewVersionRelease: "0:1.2.3-45.el6_7.8",
newVersionRelease: "0:1.2.3-45.el6_7.8",
},
},
affected: true,
@@ -499,7 +499,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6_7.6",
NewVersionRelease: "0:1.2.3-45.el6_7.9",
newVersionRelease: "0:1.2.3-45.el6_7.9",
},
},
affected: true,
@@ -578,7 +578,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6.centos.7",
NewVersionRelease: "",
newVersionRelease: "",
},
},
affected: true,
@@ -657,7 +657,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6.centos.6",
NewVersionRelease: "0:1.2.3-45.el6.centos.7",
newVersionRelease: "0:1.2.3-45.el6.centos.7",
},
},
affected: true,
@@ -684,7 +684,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6.centos.6",
NewVersionRelease: "0:1.2.3-45.el6.centos.8",
newVersionRelease: "0:1.2.3-45.el6.centos.8",
},
},
affected: true,
@@ -711,7 +711,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.el6.centos.6",
NewVersionRelease: "0:1.2.3-45.el6.centos.9",
newVersionRelease: "0:1.2.3-45.el6.centos.9",
},
},
affected: true,
@@ -865,7 +865,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.sl6.6",
NewVersionRelease: "0:1.2.3-45.sl6.7",
newVersionRelease: "0:1.2.3-45.sl6.7",
},
},
affected: true,
@@ -891,7 +891,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.sl6.6",
NewVersionRelease: "0:1.2.3-45.sl6.8",
newVersionRelease: "0:1.2.3-45.sl6.8",
},
},
affected: true,
@@ -917,7 +917,7 @@ func TestIsOvalDefAffected(t *testing.T) {
packName: "b",
isSrcPack: false,
versionRelease: "0:1.2.3-45.sl6.6",
NewVersionRelease: "0:1.2.3-45.sl6.9",
newVersionRelease: "0:1.2.3-45.sl6.9",
},
},
affected: true,
@@ -989,7 +989,7 @@ func TestIsOvalDefAffected(t *testing.T) {
req: request{
packName: "kernel",
versionRelease: "3.0.0",
NewVersionRelease: "3.2.0",
newVersionRelease: "3.2.0",
},
kernel: models.Kernel{
Release: "3.0.0",
@@ -1013,7 +1013,7 @@ func TestIsOvalDefAffected(t *testing.T) {
req: request{
packName: "kernel",
versionRelease: "3.0.0",
NewVersionRelease: "3.2.0",
newVersionRelease: "3.2.0",
},
kernel: models.Kernel{
Release: "3.0.0",


@@ -284,7 +284,10 @@ func FillWithOval(driver ovaldb.DB, r *models.ScanResult) (nCVEs int, err error)
case c.Alpine:
ovalClient = oval.NewAlpine()
ovalFamily = c.Alpine
case c.Amazon, c.Raspbian, c.FreeBSD, c.Windows:
case c.Amazon:
ovalClient = oval.NewAmazon()
ovalFamily = c.Amazon
case c.Raspbian, c.FreeBSD, c.Windows:
return 0, nil
case c.ServerTypePseudo:
return 0, nil