Add Oracle Linux support (#386)

Adding support for Oracle Linux
2017-03-16 19:07:43 +11:00
parent 6342cf79f5
commit 986762ca85
5 changed files with 188 additions and 43 deletions
--- a/scan/redhat.go
+++ b/scan/redhat.go
@@ -54,6 +54,23 @@ func detectRedhat(c config.ServerInfo) (itsMe bool, red osTypeInterface) {
 		return true, red
 	}

+	if r := exec(c, "ls /etc/oracle-release", noSudo); r.isSuccess() {
+		// Need to discover Oracle Linux first, because it provides an
+		// /etc/redhat-release that matches the upstream distribution
+		if r := exec(c, "cat /etc/oracle-release", noSudo); r.isSuccess() {
+			re := regexp.MustCompile(`(.*) release (\d[\d.]*)`)
+			result := re.FindStringSubmatch(strings.TrimSpace(r.Stdout))
+			if len(result) != 3 {
+				util.Log.Warn("Failed to parse Oracle Linux version: %s", r)
+				return true, red
+			}
+
+			release := result[2]
+			red.setDistro("oraclelinux", release)
+			return true, red
+		}
+	}
+
 	if r := exec(c, "ls /etc/redhat-release", noSudo); r.isSuccess() {
 		// https://www.rackaid.com/blog/how-to-determine-centos-or-red-hat-version/
 		// e.g.
@@ -115,7 +132,7 @@ func (o *redhat) checkIfSudoNoPasswd() error {
 			{"yum --changelog --assumeno update yum", []int{0, 1}},
 		}

-	case "rhel":
+	case "rhel", "oraclelinux":
 		majorVersion, err := o.Distro.MajorVersion()
 		if err != nil {
 			return fmt.Errorf("Not implemented yet: %s, err: %s", o.Distro, err)
@@ -187,7 +204,7 @@ func (o *redhat) checkDependencies() error {
 	switch o.Distro.Family {
 	case "centos":
 		packName = "yum-plugin-changelog"
-	case "rhel":
+	case "rhel", "oraclelinux":
 		if majorVersion < 6 {
 			packName = "yum-security"
 		} else {
@@ -265,7 +282,7 @@ func (o *redhat) parseScannedPackagesLine(line string) (models.PackageInfo, erro

 func (o *redhat) scanVulnInfos() ([]models.VulnInfo, error) {
 	if o.Distro.Family != "centos" {
-		// Amazon, RHEL has yum updateinfo as default
+		// Amazon, RHEL, Oracle Linux has yum updateinfo as default
 		// yum updateinfo can collenct vendor advisory information.
 		return o.scanUnsecurePackagesUsingYumPluginSecurity()
 	}
@@ -608,7 +625,7 @@ type distroAdvisoryCveIDs struct {
 }

 // Scaning unsecure packages using yum-plugin-security.
-// Amazon, RHEL
+// Amazon, RHEL, Oracle Linux
 func (o *redhat) scanUnsecurePackagesUsingYumPluginSecurity() (models.VulnInfos, error) {
 	if o.Distro.Family == "centos" {
 		// CentOS has no security channel.
@@ -623,13 +640,13 @@ func (o *redhat) scanUnsecurePackagesUsingYumPluginSecurity() (models.VulnInfos,
 		return nil, fmt.Errorf("Failed to SSH: %s", r)
 	}

-	// get advisoryID(RHSA, ALAS) - package name,version
+	// get advisoryID(RHSA, ALAS, ELSA) - package name,version
 	major, err := (o.Distro.MajorVersion())
 	if err != nil {
 		return nil, fmt.Errorf("Not implemented yet: %s, err: %s", o.Distro, err)
 	}

-	if o.Distro.Family == "rhel" && major == 5 {
+	if (o.Distro.Family == "rhel" || o.Distro.Family == "oraclelinux") && major == 5 {
 		cmd = "yum --color=never list-security --security"
 	} else {
 		cmd = "yum --color=never --security updateinfo list updates"
@@ -671,8 +688,8 @@ func (o *redhat) scanUnsecurePackagesUsingYumPluginSecurity() (models.VulnInfos,
 		dict[advIDPackNames.AdvisoryID] = packInfoList
 	}

-	// get advisoryID(RHSA, ALAS) - CVE IDs
-	if o.Distro.Family == "rhel" && major == 5 {
+	// get advisoryID(RHSA, ALAS, ELSA) - CVE IDs
+	if (o.Distro.Family == "rhel" || o.Distro.Family == "oraclelinux") && major == 5 {
 		cmd = "yum --color=never info-security"
 	} else {
 		cmd = "yum --color=never --security updateinfo updates"
@@ -772,7 +789,7 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
 				// So use yum check-update && parse changelog
 				return result, fmt.Errorf(
 					"yum updateinfo is not suppported on  CentOS")
-			case "rhel", "amazon":
+			case "rhel", "amazon", "oraclelinux":
 				// nop
 			}

@@ -933,14 +950,15 @@ func (o *redhat) extractPackNameVerRel(nameVerRel string) (name, ver, rel string
 	return
 }

-// parseYumUpdateinfoListAvailable collect AdvisorID(RHSA, ALAS), packages
+// parseYumUpdateinfoListAvailable collect AdvisorID(RHSA, ALAS, ELSA), packages
 func (o *redhat) parseYumUpdateinfoListAvailable(stdout string) (advisoryIDPacksList, error) {
 	result := []advisoryIDPacks{}
 	lines := strings.Split(stdout, "\n")
 	for _, line := range lines {

 		if !(strings.HasPrefix(line, "RHSA") ||
-			strings.HasPrefix(line, "ALAS")) {
+			strings.HasPrefix(line, "ALAS") ||
+			strings.HasPrefix(line, "ELSA")) {
 			continue
 		}

--- a/scan/redhat_test.go
+++ b/scan/redhat_test.go
@@ -344,6 +344,111 @@ func TestParseYumUpdateinfoToGetSeverity(t *testing.T) {
 	}
 }

+func TestParseYumUpdateinfoOL(t *testing.T) {
+	stdout := `===============================================================================
+   bind security update
+===============================================================================
+  Update ID : ELSA-2017-0276
+    Release : Oracle Linux 7
+       Type : security
+     Status : final
+     Issued : 2017-02-15
+       CVEs : CVE-2017-3135
+Description : [32:9.9.4-38.2]
+            : - Fix CVE-2017-3135 (ISC change 4557)
+            : - Fix and test caching CNAME before DNAME (ISC
+            :   change 4558)
+   Severity : Moderate
+   
+===============================================================================
+   openssl security update
+===============================================================================
+  Update ID : ELSA-2017-0286
+    Release : Oracle Linux 7
+       Type : security
+     Status : final
+     Issued : 2017-02-15
+       CVEs : CVE-2016-8610
+	    : CVE-2017-3731
+Description : [1.0.1e-48.4]
+            : - fix CVE-2017-3731 - DoS via truncated packets
+            :   with RC4-MD5 cipher
+            : - fix CVE-2016-8610 - DoS of single-threaded
+            :   servers via excessive alerts
+   Severity : Moderate
+   
+===============================================================================
+   Unbreakable Enterprise kernel security update
+===============================================================================
+  Update ID : ELSA-2017-3520
+    Release : Oracle Linux 7
+       Type : security
+     Status : final
+     Issued : 2017-02-15
+       CVEs : CVE-2017-6074
+Description : kernel-uek
+            : [4.1.12-61.1.28]
+            : - dccp: fix freeing skb too early for
+            :   IPV6_RECVPKTINFO (Andrey Konovalov)  [Orabug:
+            :   25598257]  {CVE-2017-6074}
+   Severity : Important
+
+	`
+	issued, _ := time.Parse("2006-01-02", "2017-02-15")
+
+	r := newRedhat(config.ServerInfo{})
+	r.Distro = config.Distro{Family: "oraclelinux"}
+
+	var tests = []struct {
+		in  string
+		out []distroAdvisoryCveIDs
+	}{
+		{
+			stdout,
+			[]distroAdvisoryCveIDs{
+				{
+					DistroAdvisory: models.DistroAdvisory{
+						AdvisoryID: "ELSA-2017-0276",
+						Severity:   "Moderate",
+						Issued:     issued,
+					},
+					CveIDs: []string{"CVE-2017-3135"},
+				},
+				{
+					DistroAdvisory: models.DistroAdvisory{
+						AdvisoryID: "ELSA-2017-0286",
+						Severity:   "Moderate",
+						Issued:     issued,
+					},
+					CveIDs: []string{
+						"CVE-2016-8610",
+						"CVE-2017-3731",
+					},
+				},
+				{
+					DistroAdvisory: models.DistroAdvisory{
+						AdvisoryID: "ELSA-2017-3520",
+						Severity:   "Important",
+						Issued:     issued,
+					},
+					CveIDs: []string{"CVE-2017-6074"},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		actual, _ := r.parseYumUpdateinfo(tt.in)
+		for i, advisoryCveIDs := range actual {
+			if !reflect.DeepEqual(tt.out[i], advisoryCveIDs) {
+				e := pp.Sprintf("%v", tt.out[i])
+				a := pp.Sprintf("%v", advisoryCveIDs)
+				t.Errorf("[%d] Alas is not same. \nexpected: %s\nactual: %s",
+					i, e, a)
+			}
+		}
+	}
+}
+
 func TestParseYumUpdateinfoRHEL(t *testing.T) {

 	stdout := `===============================================================================