Fix the parsing logic of FreeBSD pkg-audit (#1334)
* fix scanUnsecurePackages for FreeBSD pkg audit output change
* Add test case TestParseBlock for FreeBSD pkg audit output change
* Fix for no CVE in a block
* fix(scan): parse logic of pkg-audit
* fix
ca761fb218
Co-authored-by: User Kurita <kurita@vuls0.digitiminimi.com>
			
			
		@@ -1,6 +1,8 @@
 | 
			
		||||
package scanner
 | 
			
		||||
 | 
			
		||||
import (
 | 
			
		||||
	"bufio"
 | 
			
		||||
	"fmt"
 | 
			
		||||
	"net"
 | 
			
		||||
	"strings"
 | 
			
		||||
 | 
			
		||||
@@ -207,7 +209,7 @@ func (o *bsd) scanUnsecurePackages() (models.VulnInfos, error) {
 | 
			
		||||
	blocks := o.splitIntoBlocks(r.Stdout)
 | 
			
		||||
	for _, b := range blocks {
 | 
			
		||||
		name, cveIDs, vulnID := o.parseBlock(b)
 | 
			
		||||
		if len(cveIDs) == 0 {
 | 
			
		||||
		if name == "" || len(cveIDs) == 0 {
 | 
			
		||||
			continue
 | 
			
		||||
		}
 | 
			
		||||
		pack, found := o.Packages[name]
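Review bot: The new guard still drops every block that has a package name but no `CVE:` line, and this same commit adds a TestParseBlock case (libxml2-2.9.10, vulnID f5abafc0-…, cveIDs empty) showing that pkg audit produces exactly such blocks. A package that pkg audit reports as vulnerable is therefore silently absent from the scan result whenever the VuXML advisory has no CVE assigned yet, which is common for fresh FreeBSD advisories. If the rest of the loop (outside this hunk) can key a VulnInfo on vulnID, skip only on `if name == "" { continue }` and record the vulnID-only finding; otherwise at least log the skipped package so the omission is visible to the operator. The enclosing scanUnsecurePackages continues past this hunk, so I cannot tell how vulnID is consumed there.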
 | 
			
		||||
@@ -331,20 +333,21 @@ type pkgAuditResult struct {
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
func (o *bsd) splitIntoBlocks(stdout string) (blocks []string) {
 | 
			
		||||
	lines := strings.Split(stdout, "\n")
 | 
			
		||||
	block := []string{}
 | 
			
		||||
	for _, l := range lines {
 | 
			
		||||
		if len(strings.TrimSpace(l)) == 0 {
 | 
			
		||||
			if 0 < len(block) {
 | 
			
		||||
				blocks = append(blocks, strings.Join(block, "\n"))
 | 
			
		||||
				block = []string{}
 | 
			
		||||
			}
 | 
			
		||||
	scanner := bufio.NewScanner(strings.NewReader(stdout))
 | 
			
		||||
	for scanner.Scan() {
 | 
			
		||||
		line := strings.TrimSpace(scanner.Text())
 | 
			
		||||
		if strings.HasSuffix(line, " is vulnerable:") {
 | 
			
		||||
			blocks = append(blocks, line)
 | 
			
		||||
			continue
 | 
			
		||||
		}
 | 
			
		||||
		block = append(block, strings.TrimSpace(l))
 | 
			
		||||
	}
 | 
			
		||||
	if 0 < len(block) {
 | 
			
		||||
		blocks = append(blocks, strings.Join(block, "\n"))
 | 
			
		||||
 | 
			
		||||
		if len(blocks) == 0 {
 | 
			
		||||
			continue
 | 
			
		||||
		}
 | 
			
		||||
 | 
			
		||||
		last := blocks[len(blocks)-1]
 | 
			
		||||
		last = fmt.Sprintf("%s\n%s", last, line)
 | 
			
		||||
		blocks[len(blocks)-1] = last
 | 
			
		||||
	}
 | 
			
		||||
	return
 | 
			
		||||
}
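Review bot: scanner.Err() is never checked after the loop, so a single line longer than bufio.Scanner's default 64 KiB token limit stops scanning with ErrTooLong and every advisory after it is silently dropped from the result with no error surfaced. pkg audit lines are short in practice, but a scanner that truncates findings without saying so is the wrong failure mode for a vulnerability scanner. Since stdout is already fully in memory, iterating `for _, raw := range strings.Split(stdout, "\n") {` with `line := strings.TrimSpace(raw)` has no size limit and needs no bufio at all; if the scanner stays, call scanner.Buffer with a larger cap and log scanner.Err(). A comment would also help, e.g. `// blank lines and the trailing "N problem(s)" summary are folded into the preceding package block`, since that is why the expected test values end with a newline.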
 | 
			
		||||
 
 | 
			
		||||
@@ -107,20 +107,46 @@ func TestSplitIntoBlocks(t *testing.T) {
 | 
			
		||||
		expected []string
 | 
			
		||||
	}{
 | 
			
		||||
		{
 | 
			
		||||
			`
 | 
			
		||||
block1
 | 
			
		||||
			`vulnxml file up-to-date
 | 
			
		||||
bind95-9.6.3.2.ESV.R10_2 is vulnerable:
 | 
			
		||||
bind -- denial of service vulnerability
 | 
			
		||||
CVE: CVE-2014-8680
 | 
			
		||||
CVE: CVE-2014-8500
 | 
			
		||||
WWW: https://vuxml.FreeBSD.org/freebsd/ab3e98d9-8175-11e4-907d-d050992ecde8.html
 | 
			
		||||
 | 
			
		||||
block2
 | 
			
		||||
block2
 | 
			
		||||
block2
 | 
			
		||||
go-1.17.1,1 is vulnerable:
 | 
			
		||||
  go -- multiple vulnerabilities
 | 
			
		||||
  CVE: CVE-2021-41772
 | 
			
		||||
  CVE: CVE-2021-41771
 | 
			
		||||
  WWW: https://vuxml.FreeBSD.org/freebsd/930def19-3e05-11ec-9ba8-002324b2fba8.html
 | 
			
		||||
 | 
			
		||||
block3
 | 
			
		||||
block3`,
 | 
			
		||||
  go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data
 | 
			
		||||
  CVE: CVE-2021-38297
 | 
			
		||||
  WWW: https://vuxml.FreeBSD.org/freebsd/4fce9635-28c0-11ec-9ba8-002324b2fba8.html
 | 
			
		||||
 | 
			
		||||
  Packages that depend on go: 
 | 
			
		||||
 | 
			
		||||
2 problem(s) in 1 installed package(s) found.`,
 | 
			
		||||
			[]string{
 | 
			
		||||
				`block1`,
 | 
			
		||||
				"block2\nblock2\nblock2",
 | 
			
		||||
				"block3\nblock3",
 | 
			
		||||
			},
 | 
			
		||||
				`bind95-9.6.3.2.ESV.R10_2 is vulnerable:
 | 
			
		||||
bind -- denial of service vulnerability
 | 
			
		||||
CVE: CVE-2014-8680
 | 
			
		||||
CVE: CVE-2014-8500
 | 
			
		||||
WWW: https://vuxml.FreeBSD.org/freebsd/ab3e98d9-8175-11e4-907d-d050992ecde8.html
 | 
			
		||||
`,
 | 
			
		||||
				`go-1.17.1,1 is vulnerable:
 | 
			
		||||
go -- multiple vulnerabilities
 | 
			
		||||
CVE: CVE-2021-41772
 | 
			
		||||
CVE: CVE-2021-41771
 | 
			
		||||
WWW: https://vuxml.FreeBSD.org/freebsd/930def19-3e05-11ec-9ba8-002324b2fba8.html
 | 
			
		||||
 | 
			
		||||
go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data
 | 
			
		||||
CVE: CVE-2021-38297
 | 
			
		||||
WWW: https://vuxml.FreeBSD.org/freebsd/4fce9635-28c0-11ec-9ba8-002324b2fba8.html
 | 
			
		||||
 | 
			
		||||
Packages that depend on go:
 | 
			
		||||
 | 
			
		||||
2 problem(s) in 1 installed package(s) found.`},
 | 
			
		||||
		},
 | 
			
		||||
	}
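Review bot: The table now has a single input, so the no-findings path of splitIntoBlocks is untested: output consisting only of `vulnxml file up-to-date` and `0 problem(s) in 0 installed package(s) found.` must yield no blocks, which is what the `len(blocks) == 0` branch exists for. Adding a case with that input and `expected: nil` (the named return stays nil, and reflect.DeepEqual distinguishes nil from `[]string{}`) pins it. The trailing `\n` at the end of the first expected block is an artefact of the blank separator line being folded into the block; a one-line comment on that literal would save the next reader from treating it as a typo.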
 | 
			
		||||
 | 
			
		||||
@@ -128,9 +154,10 @@ block3`,
 | 
			
		||||
	for _, tt := range tests {
 | 
			
		||||
		actual := d.splitIntoBlocks(tt.in)
 | 
			
		||||
		if !reflect.DeepEqual(tt.expected, actual) {
 | 
			
		||||
			e := pp.Sprintf("%v", tt.expected)
 | 
			
		||||
			a := pp.Sprintf("%v", actual)
 | 
			
		||||
			t.Errorf("expected %s, actual %s", e, a)
 | 
			
		||||
			pp.ColoringEnabled = false
 | 
			
		||||
			t.Errorf("expected %s\n, actual %s",
 | 
			
		||||
				pp.Sprintf("%s", tt.expected),
 | 
			
		||||
				pp.Sprintf("%s", actual))
 | 
			
		||||
		}
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
@@ -179,6 +206,39 @@ WWW: https://vuxml.FreeBSD.org/freebsd/ab3e98d9-8175-11e4-907d-d050992ecde8.html
 | 
			
		||||
			cveIDs: []string{},
 | 
			
		||||
			vulnID: "",
 | 
			
		||||
		},
 | 
			
		||||
		{
 | 
			
		||||
			in: `vulnxml file up-to-date
 | 
			
		||||
libxml2-2.9.10 is vulnerable:
 | 
			
		||||
libxml -- multiple vulnerabilities
 | 
			
		||||
WWW: https://vuxml.FreeBSD.org/freebsd/f5abafc0-fcf6-11ea-8758-e0d55e2a8bf9.html`,
 | 
			
		||||
			name:   "libxml2",
 | 
			
		||||
			cveIDs: []string{},
 | 
			
		||||
			vulnID: "f5abafc0-fcf6-11ea-8758-e0d55e2a8bf9",
 | 
			
		||||
		},
 | 
			
		||||
		{
 | 
			
		||||
			in: `go-1.17.1,1 is vulnerable:
 | 
			
		||||
go -- multiple vulnerabilities
 | 
			
		||||
CVE: CVE-2021-41772
 | 
			
		||||
CVE: CVE-2021-41771
 | 
			
		||||
WWW: https://vuxml.FreeBSD.org/freebsd/930def19-3e05-11ec-9ba8-002324b2fba8.html`,
 | 
			
		||||
			name:   "go",
 | 
			
		||||
			cveIDs: []string{"CVE-2021-41772", "CVE-2021-41771"},
 | 
			
		||||
			vulnID: "930def19-3e05-11ec-9ba8-002324b2fba8",
 | 
			
		||||
		},
 | 
			
		||||
		{
 | 
			
		||||
			in: `go-1.17.1,1 is vulnerable:
 | 
			
		||||
go -- multiple vulnerabilities
 | 
			
		||||
CVE: CVE-2021-41772
 | 
			
		||||
CVE: CVE-2021-41771
 | 
			
		||||
WWW: https://vuxml.FreeBSD.org/freebsd/930def19-3e05-11ec-9ba8-002324b2fba8.html
 | 
			
		||||
 | 
			
		||||
go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data
 | 
			
		||||
CVE: CVE-2021-38297
 | 
			
		||||
WWW: https://vuxml.FreeBSD.org/freebsd/4fce9635-28c0-11ec-9ba8-002324b2fba8.html`,
 | 
			
		||||
			name:   "go",
 | 
			
		||||
			cveIDs: []string{"CVE-2021-41772", "CVE-2021-41771", "CVE-2021-38297"},
 | 
			
		||||
			vulnID: "4fce9635-28c0-11ec-9ba8-002324b2fba8",
 | 
			
		||||
		},
 | 
			
		||||
	}
 | 
			
		||||
 | 
			
		||||
	d := newBsd(config.ServerInfo{})
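Review bot: The last new case (the go block carrying two advisories) pins lossy behaviour: cveIDs collects all three CVEs, but vulnID keeps only the final WWW id 4fce9635-…, so the 930def19-… advisory can no longer be attributed to CVE-2021-41772/41771 by whoever consumes vulnID. This follows from splitIntoBlocks grouping every advisory for one package into a single block; parseBlock is outside this hunk, so I cannot see whether it could return all ids instead. At minimum annotate the case, e.g. `// vulnID is the LAST WWW id in the block; earlier advisory ids are dropped`, and consider returning a slice of VuXML ids so nothing is lost.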
 | 
			
		||||
 
 | 
			
		||||