Fix false positive for Oracle Linux (#1227)

* fix(oracle): false-positive(handle arch of pkgs) * fix(oracle): false positive kernel-related CVEs * add a test case for ksplice1 * fix(scan): handle uek kernel for Oracle linux * fix(scan): hanlde uek kernel for reboot required * fix(oracle): false-positive for redis-backend
2021-04-27 20:38:45 +09:00
parent c36e645d9b
commit 2d369d0cfe
13 changed files with 3263 additions and 36 deletions
--- a/scanner/redhatbase.go
+++ b/scanner/redhatbase.go
@@ -210,7 +210,8 @@ func (o *redhatBase) scanPackages() (err error) {
 		return xerrors.Errorf("Failed to detect installed dnf modules: %w", err)
 	}

-	o.Kernel.RebootRequired, err = o.rebootRequired()
+	fn := func(pkgName string) execResult { return o.exec(fmt.Sprintf("rpm -q --last %s", pkgName), noSudo) }
+	o.Kernel.RebootRequired, err = o.rebootRequired(fn)
 	if err != nil {
 		err = xerrors.Errorf("Failed to detect the kernel reboot required: %w", err)
 		o.log.Warnf("err: %+v", err)
@@ -238,8 +239,13 @@ func (o *redhatBase) scanPackages() (err error) {
 	return nil
 }

-func (o *redhatBase) rebootRequired() (bool, error) {
-	r := o.exec("rpm -q --last kernel", noSudo)
+func (o *redhatBase) rebootRequired(fn func(s string) execResult) (bool, error) {
+	pkgName := "kernel"
+	if strings.Contains(o.Kernel.Release, "uek.") {
+		pkgName = "kernel-uek"
+	}
+
+	r := fn(pkgName)
 	scanner := bufio.NewScanner(strings.NewReader(r.Stdout))
 	if !r.isSuccess(0, 1) {
 		return false, xerrors.Errorf("Failed to detect the last installed kernel : %v", r)
@@ -248,7 +254,7 @@ func (o *redhatBase) rebootRequired() (bool, error) {
 		return false, nil
 	}
 	lastInstalledKernelVer := strings.Fields(scanner.Text())[0]
-	running := fmt.Sprintf("kernel-%s", o.Kernel.Release)
+	running := fmt.Sprintf("%s-%s", pkgName, o.Kernel.Release)
 	return running != lastInstalledKernelVer, nil
 }

--- a/scanner/redhatbase_test.go
+++ b/scanner/redhatbase_test.go
@@ -517,3 +517,127 @@ func Test_redhatBase_parseRpmQfLine(t *testing.T) {
 		})
 	}
 }
+
+func Test_redhatBase_rebootRequired(t *testing.T) {
+	type fields struct {
+		base base
+		sudo rootPriv
+	}
+	type args struct {
+		fn func(s string) execResult
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		want    bool
+		wantErr bool
+	}{
+		{
+			name: "uek kernel no-reboot",
+			fields: fields{
+				base: base{
+					osPackages: osPackages{
+						Kernel: models.Kernel{
+							Release: "5.4.17-2102.200.13.el7uek.x86_64",
+						},
+					},
+				},
+			},
+			args: args{
+				fn: func(s string) execResult {
+					return execResult{
+						Stdout: `kernel-uek-5.4.17-2102.200.13.el7uek.x86_64   Mon 05 Apr 2021 04:52:06 PM UTC
+	kernel-uek-4.14.35-2047.501.2.el7uek.x86_64   Mon 05 Apr 2021 04:49:39 PM UTC
+	kernel-uek-4.14.35-1902.10.2.1.el7uek.x86_64  Wed 29 Jan 2020 05:04:52 PM UTC`,
+					}
+				},
+			},
+			want:    false,
+			wantErr: false,
+		},
+		{
+			name: "uek kernel needs-reboot",
+			fields: fields{
+				base: base{
+					osPackages: osPackages{
+						Kernel: models.Kernel{
+							Release: "4.14.35-2047.501.2.el7uek.x86_64",
+						},
+					},
+				},
+			},
+			args: args{
+				fn: func(s string) execResult {
+					return execResult{
+						Stdout: `kernel-uek-5.4.17-2102.200.13.el7uek.x86_64   Mon 05 Apr 2021 04:52:06 PM UTC
+	kernel-uek-4.14.35-2047.501.2.el7uek.x86_64   Mon 05 Apr 2021 04:49:39 PM UTC
+	kernel-uek-4.14.35-1902.10.2.1.el7uek.x86_64  Wed 29 Jan 2020 05:04:52 PM UTC`,
+					}
+				},
+			},
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name: "kerne needs-reboot",
+			fields: fields{
+				base: base{
+					osPackages: osPackages{
+						Kernel: models.Kernel{
+							Release: "3.10.0-1062.12.1.el7.x86_64",
+						},
+					},
+				},
+			},
+			args: args{
+				fn: func(s string) execResult {
+					return execResult{
+						Stdout: `kernel-3.10.0-1160.24.1.el7.x86_64            Mon 26 Apr 2021 10:13:54 AM UTC
+kernel-3.10.0-1062.12.1.el7.x86_64            Sat 29 Feb 2020 12:09:00 PM UTC`,
+					}
+				},
+			},
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name: "kerne no-reboot",
+			fields: fields{
+				base: base{
+					osPackages: osPackages{
+						Kernel: models.Kernel{
+							Release: "3.10.0-1160.24.1.el7.x86_64",
+						},
+					},
+				},
+			},
+			args: args{
+				fn: func(s string) execResult {
+					return execResult{
+						Stdout: `kernel-3.10.0-1160.24.1.el7.x86_64            Mon 26 Apr 2021 10:13:54 AM UTC
+kernel-3.10.0-1062.12.1.el7.x86_64            Sat 29 Feb 2020 12:09:00 PM UTC`,
+					}
+				},
+			},
+			want:    false,
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			o := &redhatBase{
+				base: tt.fields.base,
+				sudo: tt.fields.sudo,
+			}
+			got, err := o.rebootRequired(tt.args.fn)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("redhatBase.rebootRequired() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("redhatBase.rebootRequired() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/scanner/utils.go
+++ b/scanner/utils.go
@@ -28,7 +28,7 @@ func isRunningKernel(pack models.Package, family string, kernel models.Kernel) (

 	case constant.RedHat, constant.Oracle, constant.CentOS, constant.Amazon:
 		switch pack.Name {
-		case "kernel", "kernel-devel", "kernel-core", "kernel-modules":
+		case "kernel", "kernel-devel", "kernel-core", "kernel-modules", "kernel-uek":
 			ver := fmt.Sprintf("%s-%s.%s", pack.Version, pack.Release, pack.Arch)
 			return true, kernel.Release == ver
 		}