Stage/vuls
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #548 and #557 - RHEL's Fast Scan no longer required internet connection and root privilege (#559)

Browse Source
This commit is contained in:
Mai MISHIRO
2017-12-15 19:34:10 +09:00
committed by Kota Kanbe
parent 1214d8c14d
commit 295f6656d9
4 changed files with 53 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
README.ja.md
View File

@@ -917,10 +917,10 @@ configtestサブコマンドは、config.tomlで定義されたサーバ/コン
| Alpine | 3.2 and later | - |
| Ubuntu | 12, 14, 16| - |
| Debian | 7, 8, 9| reboot-notifier|
| CentOS | 6, 7| yum-utils |
| CentOS | 6, 7| - |
| Amazon | All | yum-utils |
| RHEL | 5, 6, 7 | yum-utils |
| Oracle Linux | 5, 6, 7 | yum-utils |
| RHEL | 5, 6, 7 | - |
| Oracle Linux | 5, 6, 7 | - |
| SUSE Enterprise| 11, 12 | - |
| FreeBSD | 10, 11 | - |
| Raspbian | Jessie, Stretch | - |
@@ -944,9 +944,11 @@ Deep Scan Modeでスキャンするためには、下記のパッケージが必
| CentOS | 6, 7| yum-utils, yum-plugin-changelog |
| Amazon | All | yum-utils, yum-plugin-changelog |
| RHEL | 5 | yum-utils, yum-changelog, yum-security |
| RHEL | 6, 7 | yum-utils, yum-plugin-changelog |
| RHEL | 6 | yum-utils, yum-plugin-changelog, yum-plugin-security |
| RHEL | 7 | yum-utils, yum-plugin-changelog |
| Oracle Linux | 5 | yum-utils, yum-changelog, yum-security |
| Oracle Linux | 6, 7 | yum-utils, yum-plugin-changelog |
| Oracle Linux | 6 | yum-utils, yum-plugin-changelog, yum-plugin-security |
| Oracle Linux | 7 | yum-utils, yum-plugin-changelog |
| SUSE Enterprise| 11, 12 | - |
| FreeBSD | 10 | - |
| Raspbian | Wheezy, Jessie | - |

12
README.md
View File

@@ -924,10 +924,10 @@ The configtest subcommand checks whether vuls is able to connect via SSH to serv
| Alpine | 3.2 and later | - |
| Ubuntu | 12, 14, 16| - |
| Debian | 7, 8, 9| reboot-notifier|
| CentOS | 6, 7| yum-utils |
| CentOS | 6, 7| - |
| Amazon | All | yum-utils |
| RHEL | 5, 6, 7 | yum-utils |
| Oracle Linux | 5, 6, 7 | yum-utils |
| RHEL | 5, 6, 7 | - |
| Oracle Linux | 5, 6, 7 | - |
| SUSE Enterprise| 11, 12 | - |
| FreeBSD | 10, 11 | - |
| Raspbian | Jessie, Stretch | - |
@@ -949,9 +949,11 @@ In order to scan with deep scan mode, the following dependencies are required, s
| CentOS | 6, 7| yum-utils, yum-plugin-changelog |
| Amazon | All | yum-utils, yum-plugin-changelog |
| RHEL | 5 | yum-utils, yum-changelog, yum-security |
| RHEL | 6, 7 | yum-utils, yum-plugin-changelog |
| RHEL | 6 | yum-utils, yum-plugin-changelog, yum-plugin-security |
| RHEL | 7 | yum-utils, yum-plugin-changelog |
| Oracle Linux | 5 | yum-utils, yum-changelog, yum-security |
| Oracle Linux | 6, 7 | yum-utils, yum-plugin-changelog |
| Oracle Linux | 6 | yum-utils, yum-plugin-changelog, yum-plugin-security |
| Oracle Linux | 7 | yum-utils, yum-plugin-changelog |
| SUSE Enterprise| 11, 12 | - |
| FreeBSD | 10 | - |
| Raspbian | Wheezy, Jessie | - |

58
scan/redhat.go
View File

@@ -65,7 +65,7 @@ func detectRedhat(c config.ServerInfo) (itsMe bool, red osTypeInterface) {
// Need to discover Oracle Linux first, because it provides an
// /etc/redhat-release that matches the upstream distribution
if r := exec(c, "cat /etc/oracle-release", noSudo); r.isSuccess() {
re := regexp.MustCompile(`(.*) release (\d[\d.]*)`)
re := regexp.MustCompile(`(.*) release (\d[\d\.]*)`)
result := re.FindStringSubmatch(strings.TrimSpace(r.Stdout))
if len(result) != 3 {
util.Log.Warn("Failed to parse Oracle Linux version: %s", r)
@@ -84,7 +84,7 @@ func detectRedhat(c config.ServerInfo) (itsMe bool, red osTypeInterface) {
// $ cat /etc/redhat-release
// CentOS release 6.5 (Final)
if r := exec(c, "cat /etc/redhat-release", noSudo); r.isSuccess() {
re := regexp.MustCompile(`(.*) release (\d[\d.]*)`)
re := regexp.MustCompile(`(.*) release (\d[\d\.]*)`)
result := re.FindStringSubmatch(strings.TrimSpace(r.Stdout))
if len(result) != 3 {
util.Log.Warn("Failed to parse RedHat/CentOS version: %s", r)
@@ -173,13 +173,14 @@ func (o *redhat) checkIfSudoNoPasswd() error {
}
// - Fast scan mode
// No additional dependencies needed
// Amazon ... yum-utils
//
// - Deep scan mode
// CentOS 6, 7 ... yum-utils
// RHEL 5 ... yum-security, yum-changelog
// RHEL 6, 7 ... yum-utils, yum-plugin-changelog
// Amazon ... yum-utils
// CentOS 6,7 ... yum-utils, yum-plugin-changelog
// RHEL 5 (U1-) ... yum-utils, yum-security, yum-changelog
// RHEL 6 ... yum-utils, yum-security, yum-plugin-changelog
// RHEL 7 ... yum-utils, yum-plugin-changelog
// Amazon ... yum-utils
func (o *redhat) checkDependencies() error {
majorVersion, err := o.Distro.MajorVersion()
if err != nil {
@@ -196,16 +197,27 @@ func (o *redhat) checkDependencies() error {
}
}
packNames := []string{"yum-utils"}
if config.Conf.Deep {
packNames := []string{}
if !config.Conf.Deep {
// Fast Scan
switch o.Distro.Family {
case config.Amazon:
packNames = append(packNames, "yum-utils")
}
} else {
// Deep Scan
switch o.Distro.Family {
case config.CentOS, config.Amazon:
packNames = append(packNames, "yum-plugin-changelog")
packNames = append(packNames, "yum-utils", "yum-plugin-changelog")
case config.RedHat, config.Oracle:
if majorVersion < 6 {
packNames = append(packNames, "yum-security", "yum-changelog")
} else {
packNames = append(packNames, "yum-plugin-changelog")
switch majorVersion {
case 5:
packNames = append(packNames, "yum-utils", "yum-security", "yum-changelog")
case 6:
packNames = append(packNames, "yum-utils", "yum-plugin-security", "yum-plugin-changelog")
default:
packNames = append(packNames, "yum-utils", "yum-plugin-changelog")
}
default:
return fmt.Errorf("Not implemented yet: %s", o.Distro)
@@ -238,6 +250,16 @@ func (o *redhat) scanPackages() error {
}
o.Kernel.RebootRequired = rebootRequired
if !config.Conf.Deep {
switch o.Distro.Family {
case config.Amazon:
// nop
default:
o.Packages = installed
return nil
}
}
updatable, err := o.scanUpdatablePackages()
if err != nil {
o.log.Errorf("Failed to scan installed packages: %s", err)
@@ -246,10 +268,6 @@ func (o *redhat) scanPackages() error {
installed.MergeNewVersion(updatable)
o.Packages = installed
if !config.Conf.Deep && o.Distro.Family != config.Amazon {
return nil
}
var unsecures models.VulnInfos
if unsecures, err = o.scanUnsecurePackages(updatable); err != nil {
o.log.Errorf("Failed to scan vulnerable packages: %s", err)
@@ -455,7 +473,7 @@ func (o *redhat) getAvailableChangelogs(packNames []string) (map[string]string,
if config.Conf.SkipBroken {
yumopts += " --skip-broken"
}
cmd := `yum --color=never changelog all %s %s | grep -A 1000000 "==================== Available Packages ===================="`
cmd := `yum --color=never changelog all %s updates %s | grep -A 1000000 "==================== Updated Packages ===================="`
cmd = fmt.Sprintf(cmd, yumopts, strings.Join(packNames, " "))
r := o.exec(util.PrependProxyEnv(cmd), o.sudo())
@@ -475,7 +493,7 @@ func (o *redhat) divideChangelogsIntoEachPackages(stdout string) map[string]stri
packNameVer, contents := "", []string{}
for scanner.Scan() {
line := scanner.Text()
if strings.HasPrefix(line, "==================== Available Packages ====================") {
if strings.HasPrefix(line, "==================== Updated Packages ====================") {
continue
}
if newBlock {

2
scan/redhat_test.go
View File

@@ -1256,7 +1256,7 @@ func TestDivideChangelogsIntoEachPackages(t *testing.T) {
out map[string]string
}{
{
in: `==================== Available Packages ====================
in: `==================== Updated Packages ====================
1:NetworkManager-1.4.0-20.el7_3.x86_64 rhui-rhel-7-server-rhui-rpms
* Mon Apr 24 21:00:00 2017 Beniamino Galvani <bgalvani@redhat.com> - 1:1.4.0-20
- vlan: use parent interface mtu as default (rh#1414186)