From 9b6d84def65727fae45ad81dc649b3ba974c3365 Mon Sep 17 00:00:00 2001
From: kota kanbe
Date: Wed, 26 Jul 2017 16:02:09 +0900
Subject: [PATCH] Fix false positive detection on RHEL, Amazon and Oracle

---
 report/tui.go | 1 +
 scan/redhat.go | 29 +++++++++++++++++++++++------
 scan/redhat_test.go | 38 ++++++++++++++++++++++++++++++++------
 3 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/report/tui.go b/report/tui.go
index 36a3d635..1a5c554f 100644
--- a/report/tui.go
+++ b/report/tui.go
@@ -824,6 +824,7 @@ Summary
 --------------
 {{.Summary }}
+
 Links
 --------------
 {{range $link := .Links -}}
diff --git a/scan/redhat.go b/scan/redhat.go
index f1673a86..944d7b31 100644
--- a/scan/redhat.go
+++ b/scan/redhat.go
@@ -746,7 +746,7 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
 cveIDsSetInThisSection := make(map[string]bool)
 // use this flag to Collect CVE IDs in CVEs field.
- var inDesctiption = false
+ inDesctiption, inCves := false, false
 for _, line := range lines {
 line = strings.TrimSpace(line)
@@ -766,7 +766,7 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
 // reset for next section.
 cveIDsSetInThisSection = make(map[string]bool)
- inDesctiption = false
+ inDesctiption, inCves = false, false
 advisory = models.DistroAdvisory{}
 }
@@ -789,7 +789,7 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
 case Content:
 if found := o.isDescriptionLine(line); found {
- inDesctiption = true
+ inDesctiption, inCves = true, false
 ss := strings.Split(line, " : ")
 advisory.Description += fmt.Sprintf("%s\n", strings.Join(ss[1:len(ss)], " : "))
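Review bot: The comment `// use this flag to Collect CVE IDs in CVEs field.` kept above the new `inDesctiption, inCves := false, false` now sits over two flags and describes neither precisely; I would replace it with `// inDesctiption: inside a multi-line Description field; inCves: inside the CVEs field (only these lines contribute CVE IDs).` Since the declaration is being rewritten anyway, this is also the cheapest moment to fix the pre-existing misspelling `inDesctiption` (the hunks at 766 and 789 touch the other uses visible here), though that is optional. The enclosing parseYumUpdateinfo starts and ends outside this hunk.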
@@ -811,9 +811,22 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
 continue
 }
- cveIDs := o.parseYumUpdateinfoLineToGetCveIDs(line)
- for _, cveID := range cveIDs {
- cveIDsSetInThisSection[cveID] = true
+ if found := o.isCvesHeaderLine(line); found {
+ inCves = true
+ ss := strings.Split(line, "CVEs : ")
+ line = strings.Join(ss[1:len(ss)], " ")
+ cveIDs := o.parseYumUpdateinfoLineToGetCveIDs(line)
+ for _, cveID := range cveIDs {
+ cveIDsSetInThisSection[cveID] = true
+ }
+ continue
+ }
+
+ if inCves {
+ cveIDs := o.parseYumUpdateinfoLineToGetCveIDs(line)
+ for _, cveID := range cveIDs {
+ cveIDsSetInThisSection[cveID] = true
+ }
 }
 advisoryID, found := o.parseYumUpdateinfoToGetAdvisoryID(line)
@@ -855,6 +868,10 @@ func (o *redhat) changeSectionState(state int) (newState int) {
 return newState
 }
+func (o *redhat) isCvesHeaderLine(line string) bool {
+ return strings.Contains(line, "CVEs : ")
+}
+
 var yumCveIDPattern = regexp.MustCompile(`(CVE-\d{4}-\d{4,})`)
 func (o *redhat) parseYumUpdateinfoLineToGetCveIDs(line string) []string {
diff --git a/scan/redhat_test.go b/scan/redhat_test.go
index 8c051aac..2ee03ce1 100644
--- a/scan/redhat_test.go
+++ b/scan/redhat_test.go
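Review bot: `inCves` stays true from the `CVEs : ` header until a Description line (hunk at 789) or the section reset (hunk at 766), so any other field that happens to follow the CVEs block before Description is still scanned for IDs; the redhat_test.go fixtures show continuation lines start with `:` once TrimSpace has run, so a field line that does not can close the block: `if inCves && !strings.HasPrefix(line, ":") { inCves = false }` placed just before the `if inCves {` check. Whether yum ever emits such a field between CVEs and Description I cannot tell from this diff, so treat that as defence in depth against the same class of false positive the commit fixes. Separately, the collect loop is now written twice; the header branch could only set the flag and strip the prefix and then share one `if inCves { … }` loop, provided the header line's `continue` is preserved, and `ss[1:len(ss)]` is simply `ss[1:]`. The enclosing parseYumUpdateinfo starts and ends outside this hunk.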
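Review bot: `isCvesHeaderLine` uses `strings.Contains`, so `CVEs : ` anywhere in a line marks it as the header; the caller has already applied `strings.TrimSpace` (hunk at 746), so `strings.HasPrefix(line, "CVEs : ")` would be the precise test. Be aware that the new RHSA-2017:1574 fixture in redhat_test.go keeps `Bugs : … CVEs : CVE-2017-1000368` on one physical line and only passes because of the substring match, so confirm which layout yum actually emits before tightening this. A doc comment would also help the next reader: `// isCvesHeaderLine reports whether line is the "CVEs :" field line of a yum updateinfo section.`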
@@ -435,11 +435,25 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of
 Type : security
 Status : final
 Issued : 2015-09-03 02:00:00
- Bugs : 1299364 - CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c CVEs : CVE-2015-8704
+ Bugs : 1299364 - CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c
+ CVEs : CVE-2015-8704
 : CVE-2015-8705
 Description : The Berkeley Internet Name Domain (BIND) is an implementation of
+ : CVE-2015-10000
 Severity : Moderate
+===============================================================================
+ Moderate: sudo security update
+===============================================================================
+ Update ID : RHSA-2017:1574
+ Release : 0
+ Type : security
+ Status : final
+ Issued : 2015-09-03 02:00:00
+ Bugs : 1459152 - CVE-2017-1000368 sudo: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367) CVEs : CVE-2017-1000368
+Description : The sudo packages contain the sudo utility which allows system
+ : administrators to provide certain users with the
+ Severity : Moderate
 `
 issued, _ := time.Parse("2006-01-02", "2015-09-03")
 updated, _ := time.Parse("2006-01-02", "2015-09-04")
@@ -481,13 +495,24 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of
 AdvisoryID: "RHSA-2016:0073",
 Severity: "Moderate",
 Issued: issued,
- Description: "The Berkeley Internet Name Domain (BIND) is an implementation of\n",
+ Description: "The Berkeley Internet Name Domain (BIND) is an implementation of\nCVE-2015-10000\n",
 },
 CveIDs: []string{
 "CVE-2015-8704",
 "CVE-2015-8705",
 },
 },
+ {
+ DistroAdvisory: models.DistroAdvisory{
+ AdvisoryID: "RHSA-2017:1574",
+ Severity: "Moderate",
+ Issued: issued,
+ Description: "The sudo packages contain the sudo utility which allows system\nadministrators to provide certain users with the\n",
+ },
+ CveIDs: []string{
+ "CVE-2017-1000368",
+ },
+ },
 },
 },
 }
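Review bot: The regression cases are implicit: `: CVE-2015-10000` inside a Description continuation and `CVE-2017-1000367` inside a Bugs line are the decoys that must not reach CveIDs, but nothing in the test says so and a later tidy-up could drop them; a comment above the table entry such as `// CVE IDs in Bugs/Description lines must not be attributed to the advisory` would protect them. The same hunk splits the BIND entry's merged `Bugs … CVEs :` line into two lines yet adds the sudo entry with Bugs and CVEs merged on one line; if that is a paste artefact rather than real yum output, the fixtures should agree, since the merged form is what exercises the substring match in isCvesHeaderLine. The enclosing test function starts outside the hunk.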
@@ -499,7 +524,7 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of
 if !reflect.DeepEqual(tt.out[i], advisoryCveIDs) {
 e := pp.Sprintf("%v", tt.out[i])
 a := pp.Sprintf("%v", advisoryCveIDs)
- t.Errorf("[%d] Alas is not same. \nexpected: %s\nactual: %s",
+ t.Errorf("[%d] not same. \nexpected: %s\nactual: %s",
 i, e, a)
 }
 }
@@ -512,7 +537,7 @@ func TestParseYumUpdateinfoAmazon(t *testing.T) {
 r.Distro = config.Distro{Family: "redhat"}
 issued, _ := time.Parse("2006-01-02", "2015-12-15")
- updated, _ := time.Parse("2006-01-02", "2015-12-16")
+ // updated, _ := time.Parse("2006-01-02", "2015-12-16")
 var tests = []struct {
 in string
@@ -529,6 +554,8 @@ func TestParseYumUpdateinfoAmazon(t *testing.T) {
 Issued : 2015-12-15 13:30
 CVEs : CVE-2016-1494
 Description : Package updates are available for Amazon Linux AMI that fix the
+ : CVE-20160-1111
+ : hogehoge
 Severity : medium
 ===============================================================================
@@ -553,7 +580,7 @@ Description : Package updates are available for Amazon Linux AMI that fix the
 AdvisoryID: "ALAS-2016-644",
 Severity: "medium",
 Issued: issued,
- Description: "Package updates are available for Amazon Linux AMI that fix the\n",
+ Description: "Package updates are available for Amazon Linux AMI that fix the\nCVE-20160-1111\nhogehoge\n",
 },
 CveIDs: []string{"CVE-2016-1494"},
 },
@@ -562,7 +589,6 @@ Description : Package updates are available for Amazon Linux AMI that fix the
 AdvisoryID: "ALAS-2015-614",
 Severity: "medium",
 Issued: issued,
- Updated: updated,
 Description: "Package updates are available for Amazon Linux AMI that fix the\nfoo bar baz\nhoge fuga hega\n",
 },
 CveIDs: []string{
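Review bot: In the hunk at 512 the `updated` declaration is commented out rather than deleted, and in the hunk at 562 the `Updated: updated` expectation for ALAS-2015-614 is dropped; commented-out code is noise, so delete the line outright, and if the parser no longer fills Updated for Amazon advisories that is a behaviour change not mentioned in the subject and worth a sentence in the commit message. I cannot see from this diff why the expectation changed, so the intent may well be right; the point is only that it is undocumented. TestParseYumUpdateinfoAmazon starts and ends outside these hunks.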