Fix false positive for Oracle Linux (#1227)

* fix(oracle): false-positive(handle arch of pkgs)

* fix(oracle): false positive kernel-related CVEs

* add a test case for ksplice1

* fix(scan): handle uek kernel for Oracle linux

* fix(scan): hanlde uek kernel for reboot required

* fix(oracle): false-positive for redis-backend

GNUmakefile

@@ -183,10 +183,14 @@ build-integration:
 	make build
 	mv -f ./vuls ./vuls.${prev}
 
-	git checkout ${branch}
-	git stash apply stash@\{0\}
+	# master
+	git checkout master
+	make build
+	mv -f ./vuls ./vuls.master
 
 	# working tree
+	git checkout ${branch}
+	git stash apply stash@\{0\}
 	make build
 
 	# for integration testing, vuls.new and vuls.old needed.
@@ -196,4 +200,4 @@ build-integration:
 	# or 
 	# $ ln -s ./vuls.${prev} ./vuls.old
 	# $ make int 
-	# $ make int-redis
+	# $ make int-redis

go.mod

@@ -30,9 +30,9 @@ require (
 	github.com/knqyf263/gost v0.1.10
 	github.com/kotakanbe/go-cve-dictionary v0.5.12
 	github.com/kotakanbe/go-pingscanner v0.1.0
-	github.com/kotakanbe/goval-dictionary v0.3.3
+	github.com/kotakanbe/goval-dictionary v0.3.5
 	github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96
-	github.com/lib/pq v1.10.0 // indirect
+	github.com/lib/pq v1.10.1 // indirect
 	github.com/magiconair/properties v1.8.4 // indirect
 	github.com/mattn/go-runewidth v0.0.12 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
@@ -51,12 +51,11 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/takuzoo3868/go-msfdb v0.1.5
 	github.com/vulsio/go-exploitdb v0.1.7
-	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 // indirect
+	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b // indirect
 	golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 // indirect
-	golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c // indirect
+	golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6 // indirect
 	golang.org/x/oauth2 v0.0.0-20210125201302-af13f521f196
-	golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 // indirect
-	golang.org/x/text v0.3.6 // indirect
+	golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	k8s.io/utils v0.0.0-20210111153108-fddb29f9d009

go.sum

@@ -480,8 +480,8 @@ github.com/kotakanbe/go-cve-dictionary v0.5.12 h1:pJZsty83I/kSO5cmU24xWqeBYOrtiT
 github.com/kotakanbe/go-cve-dictionary v0.5.12/go.mod h1:E/CipfNDV31W39MH9QtgkA12JFBMe/3CELxXVvPRphQ=
 github.com/kotakanbe/go-pingscanner v0.1.0 h1:VG4/9l0i8WeToXclj7bIGoAZAu7a07Z3qmQiIfU0gT0=
 github.com/kotakanbe/go-pingscanner v0.1.0/go.mod h1:/761QZzuZFcfN8h/1QuawUA+pKukp3qcNj5mxJCOiAk=
-github.com/kotakanbe/goval-dictionary v0.3.3 h1:b9o1ZPFGmk0WZV0nnk4mWl5vTKINequ+QVW6w9m+8RI=
-github.com/kotakanbe/goval-dictionary v0.3.3/go.mod h1:69e5kFTZEAcT5Lqq8NRlKUjXm0ZNxvT8d3yS/iqFJjs=
+github.com/kotakanbe/goval-dictionary v0.3.5 h1:PcQEOKBrjCLc+dte54b4FlFkIbbKJQ1Sv1ND4YmF+xM=
+github.com/kotakanbe/goval-dictionary v0.3.5/go.mod h1:69e5kFTZEAcT5Lqq8NRlKUjXm0ZNxvT8d3yS/iqFJjs=
 github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96 h1:xNVK0mQJdQjw+QYeaMM4G6fvucWr8rTGGIhlPakx1wU=
 github.com/kotakanbe/logrus-prefixed-formatter v0.0.0-20180123152602-928f7356cb96/go.mod h1:ljq48H1V+0Vh0u7ucA3LjR4AfkAeCpxrf7LaaCk8Vmo=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
@@ -505,8 +505,8 @@ github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lib/pq v1.10.0 h1:Zx5DJFEYQXio93kgXnQ09fXNiUKsqv4OUEu2UtGcB1E=
-github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.1 h1:6VXZrLU0jHBYyAqrSPa+MgPfnSvTPuMgK+k0o5kVFWo=
+github.com/lib/pq v1.10.1/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.4 h1:8KGKTcQQGm0Kv7vEbKFErAoAOFyyacLStRtQSeYtvkY=
@@ -819,8 +819,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
-golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b h1:7mWr3k41Qtv8XlltBkDkl8LoP3mpSgBW8BUoxtEdbXg=
+golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -903,8 +903,8 @@ golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c h1:KHUzaHIpjWVlVVNh65G3hhuj3KB1HnjY6Cq5cTvRQT8=
-golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6 h1:0PC75Fz/kyMGhL0e1QnypqK2kQMqKt9csD1GnMJR+Zk=
+golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -983,9 +983,9 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210113181707-4bcb84eeeb78/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 h1:F5Gozwx4I1xtr/sr/8CFbb57iKi3297KFs0QDbGN60A=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210426230700-d19ff857e887 h1:dXfMednGJh/SUUFjTLsWJz3P+TQt9qnR11GgeI3vWKs=
+golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

gost/gost.go

@@ -29,6 +29,7 @@ type Base struct {
 	DBDriver DBDriver
 }
 
+// CloseDB close a DB connection
 func (b Base) CloseDB() error {
 	if b.DBDriver.DB == nil {
 		return nil

models/scanresults.go

@@ -395,18 +395,30 @@ func (r *ScanResult) SortForJSONOutput() {
 			return v.DistroAdvisories[i].AdvisoryID < v.DistroAdvisories[j].AdvisoryID
 		})
 		sort.SliceStable(v.Exploits, func(i, j int) bool {
-			return v.Exploits[i].ID < v.Exploits[j].ID
+			return v.Exploits[i].URL < v.Exploits[j].URL
 		})
 		sort.SliceStable(v.Metasploits, func(i, j int) bool {
 			return v.Metasploits[i].Name < v.Metasploits[j].Name
 		})
+		sort.SliceStable(v.Mitigations, func(i, j int) bool {
+			return v.Mitigations[i].URL < v.Mitigations[j].URL
+		})
 		for kk, vv := range v.CveContents {
 			sort.SliceStable(vv.References, func(i, j int) bool {
 				return vv.References[i].Link < vv.References[j].Link
 			})
+			sort.SliceStable(vv.CweIDs, func(i, j int) bool {
+				return vv.CweIDs[i] < vv.CweIDs[j]
+			})
+			for kkk, vvv := range vv.References {
+				// sort v.CveContents[].References[].Tags
+				sort.SliceStable(vvv.Tags, func(i, j int) bool {
+					return vvv.Tags[i] < vvv.Tags[j]
+				})
+				vv.References[kkk] = vvv
+			}
 			v.CveContents[kk] = vv
 		}
-
 		sort.SliceStable(v.AlertDict.En, func(i, j int) bool {
 			return v.AlertDict.En[i].Title < v.AlertDict.En[j].Title
 		})

models/scanresults_test.go

@@ -131,8 +131,8 @@ func TestScanResult_Sort(t *testing.T) {
 							{AdvisoryID: "adv-2"},
 						},
 						Exploits: []Exploit{
-							{ID: "a"},
-							{ID: "b"},
+							{URL: "a"},
+							{URL: "b"},
 						},
 						Metasploits: []Metasploit{
 							{Name: "a"},
@@ -190,8 +190,8 @@ func TestScanResult_Sort(t *testing.T) {
 							{AdvisoryID: "adv-2"},
 						},
 						Exploits: []Exploit{
-							{ID: "a"},
-							{ID: "b"},
+							{URL: "a"},
+							{URL: "b"},
 						},
 						Metasploits: []Metasploit{
 							{Name: "a"},
@@ -252,8 +252,8 @@ func TestScanResult_Sort(t *testing.T) {
 							{AdvisoryID: "adv-1"},
 						},
 						Exploits: []Exploit{
-							{ID: "b"},
-							{ID: "a"},
+							{URL: "b"},
+							{URL: "a"},
 						},
 						Metasploits: []Metasploit{
 							{Name: "b"},
@@ -311,8 +311,8 @@ func TestScanResult_Sort(t *testing.T) {
 							{AdvisoryID: "adv-2"},
 						},
 						Exploits: []Exploit{
-							{ID: "a"},
-							{ID: "b"},
+							{URL: "a"},
+							{URL: "b"},
 						},
 						Metasploits: []Metasploit{
 							{Name: "a"},

oval/redhat.go

@@ -92,6 +92,7 @@ var kernelRelatedPackNames = map[string]bool{
 	"kernel-tools":            true,
 	"kernel-tools-libs":       true,
 	"kernel-tools-libs-devel": true,
+	"kernel-uek":              true,
 	"perf":                    true,
 	"python-perf":             true,
 }

oval/util.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"regexp"
 	"sort"
+	"strings"
 	"time"
 
 	"github.com/cenkalti/backoff"
@@ -295,6 +296,15 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
 			continue
 		}
 
+		if ovalPack.Arch != "" && req.arch != ovalPack.Arch {
+			continue
+		}
+
+		// https://github.com/aquasecurity/trivy/pull/745
+		if strings.Contains(req.versionRelease, ".ksplice1.") != strings.Contains(ovalPack.Version, ".ksplice1.") {
+			continue
+		}
+
 		isModularityLabelEmptyOrSame := false
 		if ovalPack.ModularityLabel != "" {
 			for _, mod := range enabledMods {
@@ -312,7 +322,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
 
 		if running.Release != "" {
 			switch family {
-			case constant.RedHat, constant.CentOS:
+			case constant.RedHat, constant.CentOS, constant.Oracle:
 				// For kernel related packages, ignore OVAL information with different major versions
 				if _, ok := kernelRelatedPackNames[ovalPack.Name]; ok {
 					if util.Major(ovalPack.Version) != util.Major(running.Release) {

oval/util_test.go

@@ -1153,6 +1153,45 @@ func TestIsOvalDefAffected(t *testing.T) {
 			affected:    false,
 			notFixedYet: false,
 		},
+		// .ksplice1.
+		{
+			in: in{
+				family: constant.Oracle,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:    "nginx",
+							Version: "2:2.17-106.0.1.ksplice1.el7_2.4",
+						},
+					},
+				},
+				req: request{
+					packName:       "nginx",
+					versionRelease: "2:2.17-107",
+				},
+			},
+			affected: false,
+		},
+		// .ksplice1.
+		{
+			in: in{
+				family: constant.Oracle,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:    "nginx",
+							Version: "2:2.17-106.0.1.ksplice1.el7_2.4",
+						},
+					},
+				},
+				req: request{
+					packName:       "nginx",
+					versionRelease: "2:2.17-105.0.1.ksplice1.el7_2.4",
+				},
+			},
+			affected: true,
+			fixedIn:  "2:2.17-106.0.1.ksplice1.el7_2.4",
+		},
 	}
 	for i, tt := range tests {
 		affected, notFixedYet, fixedIn := isOvalDefAffected(tt.in.def, tt.in.req, tt.in.family, tt.in.kernel, tt.in.mods)

scanner/redhatbase.go

@@ -210,7 +210,8 @@ func (o *redhatBase) scanPackages() (err error) {
 		return xerrors.Errorf("Failed to detect installed dnf modules: %w", err)
 	}
 
-	o.Kernel.RebootRequired, err = o.rebootRequired()
+	fn := func(pkgName string) execResult { return o.exec(fmt.Sprintf("rpm -q --last %s", pkgName), noSudo) }
+	o.Kernel.RebootRequired, err = o.rebootRequired(fn)
 	if err != nil {
 		err = xerrors.Errorf("Failed to detect the kernel reboot required: %w", err)
 		o.log.Warnf("err: %+v", err)
@@ -238,8 +239,13 @@ func (o *redhatBase) scanPackages() (err error) {
 	return nil
 }
 
-func (o *redhatBase) rebootRequired() (bool, error) {
-	r := o.exec("rpm -q --last kernel", noSudo)
+func (o *redhatBase) rebootRequired(fn func(s string) execResult) (bool, error) {
+	pkgName := "kernel"
+	if strings.Contains(o.Kernel.Release, "uek.") {
+		pkgName = "kernel-uek"
+	}
+
+	r := fn(pkgName)
 	scanner := bufio.NewScanner(strings.NewReader(r.Stdout))
 	if !r.isSuccess(0, 1) {
 		return false, xerrors.Errorf("Failed to detect the last installed kernel : %v", r)
@@ -248,7 +254,7 @@ func (o *redhatBase) rebootRequired() (bool, error) {
 		return false, nil
 	}
 	lastInstalledKernelVer := strings.Fields(scanner.Text())[0]
-	running := fmt.Sprintf("kernel-%s", o.Kernel.Release)
+	running := fmt.Sprintf("%s-%s", pkgName, o.Kernel.Release)
 	return running != lastInstalledKernelVer, nil
 }
 

scanner/redhatbase_test.go

@@ -517,3 +517,127 @@ func Test_redhatBase_parseRpmQfLine(t *testing.T) {
 		})
 	}
 }
+
+func Test_redhatBase_rebootRequired(t *testing.T) {
+	type fields struct {
+		base base
+		sudo rootPriv
+	}
+	type args struct {
+		fn func(s string) execResult
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    bool
+		wantErr bool
+	}{
+		{
+			name: "uek kernel no-reboot",
+			fields: fields{
+				base: base{
+					osPackages: osPackages{
+						Kernel: models.Kernel{
+							Release: "5.4.17-2102.200.13.el7uek.x86_64",
+						},
+					},
+				},
+			},
+			args: args{
+				fn: func(s string) execResult {
+					return execResult{
+						Stdout: `kernel-uek-5.4.17-2102.200.13.el7uek.x86_64   Mon 05 Apr 2021 04:52:06 PM UTC
+	kernel-uek-4.14.35-2047.501.2.el7uek.x86_64   Mon 05 Apr 2021 04:49:39 PM UTC
+	kernel-uek-4.14.35-1902.10.2.1.el7uek.x86_64  Wed 29 Jan 2020 05:04:52 PM UTC`,
+					}
+				},
+			},
+			want:    false,
+			wantErr: false,
+		},
+		{
+			name: "uek kernel needs-reboot",
+			fields: fields{
+				base: base{
+					osPackages: osPackages{
+						Kernel: models.Kernel{
+							Release: "4.14.35-2047.501.2.el7uek.x86_64",
+						},
+					},
+				},
+			},
+			args: args{
+				fn: func(s string) execResult {
+					return execResult{
+						Stdout: `kernel-uek-5.4.17-2102.200.13.el7uek.x86_64   Mon 05 Apr 2021 04:52:06 PM UTC
+	kernel-uek-4.14.35-2047.501.2.el7uek.x86_64   Mon 05 Apr 2021 04:49:39 PM UTC
+	kernel-uek-4.14.35-1902.10.2.1.el7uek.x86_64  Wed 29 Jan 2020 05:04:52 PM UTC`,
+					}
+				},
+			},
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name: "kerne needs-reboot",
+			fields: fields{
+				base: base{
+					osPackages: osPackages{
+						Kernel: models.Kernel{
+							Release: "3.10.0-1062.12.1.el7.x86_64",
+						},
+					},
+				},
+			},
+			args: args{
+				fn: func(s string) execResult {
+					return execResult{
+						Stdout: `kernel-3.10.0-1160.24.1.el7.x86_64            Mon 26 Apr 2021 10:13:54 AM UTC
+kernel-3.10.0-1062.12.1.el7.x86_64            Sat 29 Feb 2020 12:09:00 PM UTC`,
+					}
+				},
+			},
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name: "kerne no-reboot",
+			fields: fields{
+				base: base{
+					osPackages: osPackages{
+						Kernel: models.Kernel{
+							Release: "3.10.0-1160.24.1.el7.x86_64",
+						},
+					},
+				},
+			},
+			args: args{
+				fn: func(s string) execResult {
+					return execResult{
+						Stdout: `kernel-3.10.0-1160.24.1.el7.x86_64            Mon 26 Apr 2021 10:13:54 AM UTC
+kernel-3.10.0-1062.12.1.el7.x86_64            Sat 29 Feb 2020 12:09:00 PM UTC`,
+					}
+				},
+			},
+			want:    false,
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			o := &redhatBase{
+				base: tt.fields.base,
+				sudo: tt.fields.sudo,
+			}
+			got, err := o.rebootRequired(tt.args.fn)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("redhatBase.rebootRequired() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("redhatBase.rebootRequired() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

scanner/utils.go

@@ -28,7 +28,7 @@ func isRunningKernel(pack models.Package, family string, kernel models.Kernel) (
 
 	case constant.RedHat, constant.Oracle, constant.CentOS, constant.Amazon:
 		switch pack.Name {
-		case "kernel", "kernel-devel", "kernel-core", "kernel-modules":
+		case "kernel", "kernel-devel", "kernel-core", "kernel-modules", "kernel-uek":
 			ver := fmt.Sprintf("%s-%s.%s", pack.Version, pack.Release, pack.Arch)
 			return true, kernel.Release == ver
 		}