Fix false positive for Oracle Linux (#1227)

* fix(oracle): false-positive(handle arch of pkgs)

* fix(oracle): false positive kernel-related CVEs

* add a test case for ksplice1

* fix(scan): handle uek kernel for Oracle linux

* fix(scan): handle uek kernel for reboot required

* fix(oracle): false-positive for redis-backend
Kota Kanbe
2021-04-27 20:38:45 +09:00
committed by GitHub
parent c36e645d9b
commit 2d369d0cfe
13 changed files with 3263 additions and 36 deletions


@@ -7,6 +7,7 @@ import (
"net/http"
"regexp"
"sort"
"strings"
"time"
"github.com/cenkalti/backoff"
@@ -295,6 +296,15 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
continue
}
if ovalPack.Arch != "" && req.arch != ovalPack.Arch {
continue
}
// https://github.com/aquasecurity/trivy/pull/745
if strings.Contains(req.versionRelease, ".ksplice1.") != strings.Contains(ovalPack.Version, ".ksplice1.") {
continue
}
isModularityLabelEmptyOrSame := false
if ovalPack.ModularityLabel != "" {
for _, mod := range enabledMods {
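Review bot: The new arch guard `if ovalPack.Arch != "" && req.arch != ovalPack.Arch` skips the OVAL package whenever the scanned package's arch is unknown (empty) but the OVAL entry names one, which would turn the false positive this commit fixes into a silent false negative for any scan path that does not populate req.arch; whether that can happen is not visible in this hunk, so if it can, the guard should only compare when both sides are known: `if ovalPack.Arch != "" && req.arch != "" && req.arch != ovalPack.Arch {`. The ksplice check on the next lines is correct but its intent (ksplice live-patch builds carry a separate version stream, so a ksplice package is only compared against ksplice OVAL entries, and vice versa) is only conveyed by the trivy link; a one-line comment such as `// ksplice builds are a separate version stream: compare ksplice with ksplice only` would make the reason readable offline. The enclosing function isOvalDefAffected starts and ends outside this hunk.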
@@ -312,7 +322,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
if running.Release != "" {
switch family {
case constant.RedHat, constant.CentOS:
case constant.RedHat, constant.CentOS, constant.Oracle:
// For kernel related packages, ignore OVAL information with different major versions
if _, ok := kernelRelatedPackNames[ovalPack.Name]; ok {
if util.Major(ovalPack.Version) != util.Major(running.Release) {