Fix false positive for Oracle Linux (#1227)

* fix(oracle): false-positive(handle arch of pkgs) * fix(oracle): false positive kernel-related CVEs * add a test case for ksplice1 * fix(scan): handle uek kernel for Oracle linux * fix(scan): hanlde uek kernel for reboot required * fix(oracle): false-positive for redis-backend
2021-04-27 20:38:45 +09:00
parent c36e645d9b
commit 2d369d0cfe
13 changed files with 3263 additions and 36 deletions
--- a/oval/redhat.go
+++ b/oval/redhat.go
@@ -92,6 +92,7 @@ var kernelRelatedPackNames = map[string]bool{
 	"kernel-tools":            true,
 	"kernel-tools-libs":       true,
 	"kernel-tools-libs-devel": true,
+	"kernel-uek":              true,
 	"perf":                    true,
 	"python-perf":             true,
 }
--- a/oval/util.go
+++ b/oval/util.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"regexp"
 	"sort"
+	"strings"
 	"time"

 	"github.com/cenkalti/backoff"
@@ -295,6 +296,15 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
 			continue
 		}

+		if ovalPack.Arch != "" && req.arch != ovalPack.Arch {
+			continue
+		}
+
+		// https://github.com/aquasecurity/trivy/pull/745
+		if strings.Contains(req.versionRelease, ".ksplice1.") != strings.Contains(ovalPack.Version, ".ksplice1.") {
+			continue
+		}
+
 		isModularityLabelEmptyOrSame := false
 		if ovalPack.ModularityLabel != "" {
 			for _, mod := range enabledMods {
@@ -312,7 +322,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru

 		if running.Release != "" {
 			switch family {
-			case constant.RedHat, constant.CentOS:
+			case constant.RedHat, constant.CentOS, constant.Oracle:
 				// For kernel related packages, ignore OVAL information with different major versions
 				if _, ok := kernelRelatedPackNames[ovalPack.Name]; ok {
 					if util.Major(ovalPack.Version) != util.Major(running.Release) {
--- a/oval/util_test.go
+++ b/oval/util_test.go
@@ -1153,6 +1153,45 @@ func TestIsOvalDefAffected(t *testing.T) {
 			affected:    false,
 			notFixedYet: false,
 		},
+		// .ksplice1.
+		{
+			in: in{
+				family: constant.Oracle,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:    "nginx",
+							Version: "2:2.17-106.0.1.ksplice1.el7_2.4",
+						},
+					},
+				},
+				req: request{
+					packName:       "nginx",
+					versionRelease: "2:2.17-107",
+				},
+			},
+			affected: false,
+		},
+		// .ksplice1.
+		{
+			in: in{
+				family: constant.Oracle,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:    "nginx",
+							Version: "2:2.17-106.0.1.ksplice1.el7_2.4",
+						},
+					},
+				},
+				req: request{
+					packName:       "nginx",
+					versionRelease: "2:2.17-105.0.1.ksplice1.el7_2.4",
+				},
+			},
+			affected: true,
+			fixedIn:  "2:2.17-106.0.1.ksplice1.el7_2.4",
+		},
 	}
 	for i, tt := range tests {
 		affected, notFixedYet, fixedIn := isOvalDefAffected(tt.in.def, tt.in.req, tt.in.family, tt.in.kernel, tt.in.mods)