fix(ubuntu): vulnerability detection for kernel package (#1591)

* fix(ubuntu): vulnerability detection for kernel package * feat(gost/ubuntu): update mod to treat status: deferred as unfixed * feat(ubuntu): support 22.10
2023-02-03 15:56:58 +09:00
parent bfe0db77b4
commit ad2edbb844
10 changed files with 600 additions and 780 deletions
--- a/gost/redhat.go
+++ b/gost/redhat.go
@@ -32,7 +32,7 @@ func (red RedHat) DetectCVEs(r *models.ScanResult, ignoreWillNotFix bool) (nCVEs
 		if err != nil {
 			return 0, xerrors.Errorf("Failed to join URLPath. err: %w", err)
 		}
-		responses, err := getAllUnfixedCvesViaHTTP(r, prefix)
+		responses, err := getCvesWithFixStateViaHTTP(r, prefix, "unfixed-cves")
 		if err != nil {
 			return 0, xerrors.Errorf("Failed to get Unfixed CVEs via HTTP. err: %w", err)
 		}
--- a/gost/ubuntu.go
+++ b/gost/ubuntu.go
@@ -5,6 +5,8 @@ package gost

 import (
 	"encoding/json"
+	"fmt"
+	"regexp"
 	"strings"

 	"golang.org/x/xerrors"
@@ -22,19 +24,52 @@ type Ubuntu struct {

 func (ubu Ubuntu) supported(version string) bool {
 	_, ok := map[string]string{
+		"606":  "dapper",
+		"610":  "edgy",
+		"704":  "feisty",
+		"710":  "gutsy",
+		"804":  "hardy",
+		"810":  "intrepid",
+		"904":  "jaunty",
+		"910":  "karmic",
+		"1004": "lucid",
+		"1010": "maverick",
+		"1104": "natty",
+		"1110": "oneiric",
+		"1204": "precise",
+		"1210": "quantal",
+		"1304": "raring",
+		"1310": "saucy",
 		"1404": "trusty",
+		"1410": "utopic",
+		"1504": "vivid",
+		"1510": "wily",
 		"1604": "xenial",
+		"1610": "yakkety",
+		"1704": "zesty",
+		"1710": "artful",
 		"1804": "bionic",
+		"1810": "cosmic",
+		"1904": "disco",
 		"1910": "eoan",
 		"2004": "focal",
 		"2010": "groovy",
 		"2104": "hirsute",
 		"2110": "impish",
 		"2204": "jammy",
+		"2210": "kinetic",
+		// "2304": "lunar",
 	}[version]
 	return ok
 }

+type cveContent struct {
+	cveContent  models.CveContent
+	fixStatuses models.PackageFixStatuses
+}
+
+var kernelSourceNamePattern = regexp.MustCompile(`^linux((-(ti-omap4|armadaxp|mako|manta|flo|goldfish|joule|raspi2?|snapdragon|aws|azure|bluefield|dell300x|gcp|gke(op)?|ibm|intel|lowlatency|kvm|oem|oracle|euclid|lts-xenial|hwe|riscv))?(-(edge|fde|iotg|hwe|osp1))?(-[\d\.]+)?)?$`)
+
 // DetectCVEs fills cve information that has in Gost
 func (ubu Ubuntu) DetectCVEs(r *models.ScanResult, _ bool) (nCVEs int, err error) {
 	ubuReleaseVer := strings.Replace(r.Release, ".", "", 1)
@@ -43,133 +78,225 @@ func (ubu Ubuntu) DetectCVEs(r *models.ScanResult, _ bool) (nCVEs int, err error
 		return 0, nil
 	}

-	linuxImage := "linux-image-" + r.RunningKernel.Release
-	// Add linux and set the version of running kernel to search Gost.
-	if r.Container.ContainerID == "" {
-		newVer := ""
-		if p, ok := r.Packages[linuxImage]; ok {
-			newVer = p.NewVersion
-		}
-		r.Packages["linux"] = models.Package{
-			Name:       "linux",
-			Version:    r.RunningKernel.Version,
-			NewVersion: newVer,
-		}
-	}
-
-	packCvesList := []packCves{}
+	detects := map[string]cveContent{}
 	if ubu.driver == nil {
-		url, err := util.URLPathJoin(ubu.baseURL, "ubuntu", ubuReleaseVer, "pkgs")
+		urlPrefix, err := util.URLPathJoin(ubu.baseURL, "ubuntu", ubuReleaseVer, "pkgs")
 		if err != nil {
 			return 0, xerrors.Errorf("Failed to join URLPath. err: %w", err)
 		}
-		responses, err := getAllUnfixedCvesViaHTTP(r, url)
+		responses, err := getCvesWithFixStateViaHTTP(r, urlPrefix, "fixed-cves")
 		if err != nil {
-			return 0, xerrors.Errorf("Failed to get Unfixed CVEs via HTTP. err: %w", err)
+			return 0, xerrors.Errorf("Failed to get fixed CVEs via HTTP. err: %w", err)
 		}

 		for _, res := range responses {
-			ubuCves := map[string]gostmodels.UbuntuCVE{}
-			if err := json.Unmarshal([]byte(res.json), &ubuCves); err != nil {
+			if !res.request.isSrcPack {
+				continue
+			}
+
+			n := strings.NewReplacer("linux-signed", "linux", "linux-meta", "linux").Replace(res.request.packName)
+
+			if kernelSourceNamePattern.MatchString(n) {
+				isDetect := false
+				for _, bn := range r.SrcPackages[res.request.packName].BinaryNames {
+					if bn == fmt.Sprintf("linux-image-%s", r.RunningKernel.Release) {
+						isDetect = true
+						break
+					}
+				}
+				if !isDetect {
+					continue
+				}
+			}
+
+			fixeds := map[string]gostmodels.UbuntuCVE{}
+			if err := json.Unmarshal([]byte(res.json), &fixeds); err != nil {
 				return 0, xerrors.Errorf("Failed to unmarshal json. err: %w", err)
 			}
-			cves := []models.CveContent{}
-			for _, ubucve := range ubuCves {
-				cves = append(cves, *ubu.ConvertToModel(&ubucve))
+			for _, content := range detect(fixeds, true, models.SrcPackage{Name: res.request.packName, Version: r.SrcPackages[res.request.packName].Version, BinaryNames: r.SrcPackages[res.request.packName].BinaryNames}, fmt.Sprintf("linux-image-%s", r.RunningKernel.Release)) {
+				c, ok := detects[content.cveContent.CveID]
+				if ok {
+					content.fixStatuses = append(content.fixStatuses, c.fixStatuses...)
+				}
+				detects[content.cveContent.CveID] = content
 			}
-			packCvesList = append(packCvesList, packCves{
-				packName:  res.request.packName,
-				isSrcPack: res.request.isSrcPack,
-				cves:      cves,
-			})
-		}
-	} else {
-		for _, pack := range r.Packages {
-			ubuCves, err := ubu.driver.GetUnfixedCvesUbuntu(ubuReleaseVer, pack.Name)
-			if err != nil {
-				return 0, xerrors.Errorf("Failed to get Unfixed CVEs For Package. err: %w", err)
-			}
-			cves := []models.CveContent{}
-			for _, ubucve := range ubuCves {
-				cves = append(cves, *ubu.ConvertToModel(&ubucve))
-			}
-			packCvesList = append(packCvesList, packCves{
-				packName:  pack.Name,
-				isSrcPack: false,
-				cves:      cves,
-			})
 		}

-		// SrcPack
+		responses, err = getCvesWithFixStateViaHTTP(r, urlPrefix, "unfixed-cves")
+		if err != nil {
+			return 0, xerrors.Errorf("Failed to get unfixed CVEs via HTTP. err: %w", err)
+		}
+		for _, res := range responses {
+			if !res.request.isSrcPack {
+				continue
+			}
+
+			n := strings.NewReplacer("linux-signed", "linux", "linux-meta", "linux").Replace(res.request.packName)
+
+			if kernelSourceNamePattern.MatchString(n) {
+				isDetect := false
+				for _, bn := range r.SrcPackages[res.request.packName].BinaryNames {
+					if bn == fmt.Sprintf("linux-image-%s", r.RunningKernel.Release) {
+						isDetect = true
+						break
+					}
+				}
+				if !isDetect {
+					continue
+				}
+			}
+
+			unfixeds := map[string]gostmodels.UbuntuCVE{}
+			if err := json.Unmarshal([]byte(res.json), &unfixeds); err != nil {
+				return 0, xerrors.Errorf("Failed to unmarshal json. err: %w", err)
+			}
+			for _, content := range detect(unfixeds, false, models.SrcPackage{Name: res.request.packName, Version: r.SrcPackages[res.request.packName].Version, BinaryNames: r.SrcPackages[res.request.packName].BinaryNames}, fmt.Sprintf("linux-image-%s", r.RunningKernel.Release)) {
+				c, ok := detects[content.cveContent.CveID]
+				if ok {
+					content.fixStatuses = append(content.fixStatuses, c.fixStatuses...)
+				}
+				detects[content.cveContent.CveID] = content
+			}
+		}
+	} else {
 		for _, pack := range r.SrcPackages {
-			ubuCves, err := ubu.driver.GetUnfixedCvesUbuntu(ubuReleaseVer, pack.Name)
+			n := strings.NewReplacer("linux-signed", "linux", "linux-meta", "linux").Replace(pack.Name)
+
+			if kernelSourceNamePattern.MatchString(n) {
+				isDetect := false
+				for _, bn := range pack.BinaryNames {
+					if bn == fmt.Sprintf("linux-image-%s", r.RunningKernel.Release) {
+						isDetect = true
+						break
+					}
+				}
+				if !isDetect {
+					continue
+				}
+			}
+
+			fixeds, err := ubu.driver.GetFixedCvesUbuntu(ubuReleaseVer, n)
 			if err != nil {
-				return 0, xerrors.Errorf("Failed to get Unfixed CVEs For SrcPackage. err: %w", err)
+				return 0, xerrors.Errorf("Failed to get fixed CVEs for SrcPackage. err: %w", err)
 			}
-			cves := []models.CveContent{}
-			for _, ubucve := range ubuCves {
-				cves = append(cves, *ubu.ConvertToModel(&ubucve))
+			for _, content := range detect(fixeds, true, pack, fmt.Sprintf("linux-image-%s", r.RunningKernel.Release)) {
+				c, ok := detects[content.cveContent.CveID]
+				if ok {
+					content.fixStatuses = append(content.fixStatuses, c.fixStatuses...)
+				}
+				detects[content.cveContent.CveID] = content
+			}
+
+			unfixeds, err := ubu.driver.GetUnfixedCvesUbuntu(ubuReleaseVer, n)
+			if err != nil {
+				return 0, xerrors.Errorf("Failed to get unfixed CVEs for SrcPackage. err: %w", err)
+			}
+			for _, content := range detect(unfixeds, false, pack, fmt.Sprintf("linux-image-%s", r.RunningKernel.Release)) {
+				c, ok := detects[content.cveContent.CveID]
+				if ok {
+					content.fixStatuses = append(content.fixStatuses, c.fixStatuses...)
+				}
+				detects[content.cveContent.CveID] = content
 			}
-			packCvesList = append(packCvesList, packCves{
-				packName:  pack.Name,
-				isSrcPack: true,
-				cves:      cves,
-			})
 		}
 	}

-	delete(r.Packages, "linux")
-
-	for _, p := range packCvesList {
-		for _, cve := range p.cves {
-			v, ok := r.ScannedCves[cve.CveID]
-			if ok {
-				if v.CveContents == nil {
-					v.CveContents = models.NewCveContents(cve)
-				} else {
-					v.CveContents[models.UbuntuAPI] = []models.CveContent{cve}
-				}
+	for _, content := range detects {
+		v, ok := r.ScannedCves[content.cveContent.CveID]
+		if ok {
+			if v.CveContents == nil {
+				v.CveContents = models.NewCveContents(content.cveContent)
 			} else {
-				v = models.VulnInfo{
-					CveID:       cve.CveID,
-					CveContents: models.NewCveContents(cve),
-					Confidences: models.Confidences{models.UbuntuAPIMatch},
-				}
-				nCVEs++
+				v.CveContents[models.UbuntuAPI] = []models.CveContent{content.cveContent}
+				v.Confidences = models.Confidences{models.UbuntuAPIMatch}
 			}
+		} else {
+			v = models.VulnInfo{
+				CveID:       content.cveContent.CveID,
+				CveContents: models.NewCveContents(content.cveContent),
+				Confidences: models.Confidences{models.UbuntuAPIMatch},
+			}
+		}

-			names := []string{}
-			if p.isSrcPack {
-				if srcPack, ok := r.SrcPackages[p.packName]; ok {
-					for _, binName := range srcPack.BinaryNames {
-						if _, ok := r.Packages[binName]; ok {
-							names = append(names, binName)
+		for _, s := range content.fixStatuses {
+			v.AffectedPackages = v.AffectedPackages.Store(s)
+		}
+		r.ScannedCves[content.cveContent.CveID] = v
+	}
+
+	return len(detects), nil
+}
+
+func detect(cves map[string]gostmodels.UbuntuCVE, fixed bool, srcPkg models.SrcPackage, runningKernelBinaryPkgName string) []cveContent {
+	n := strings.NewReplacer("linux-signed", "linux", "linux-meta", "linux").Replace(srcPkg.Name)
+
+	var contents []cveContent
+	for _, cve := range cves {
+		c := cveContent{
+			cveContent: *convertToModel(&cve),
+		}
+
+		if fixed {
+			for _, p := range cve.Patches {
+				for _, rp := range p.ReleasePatches {
+					installedVersion := srcPkg.Version
+					patchedVersion := rp.Note
+
+					// https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/generate-oval#n384
+					if kernelSourceNamePattern.MatchString(n) && strings.HasPrefix(srcPkg.Name, "linux-meta") {
+						// 5.15.0.1026.30~20.04.16 -> 5.15.0.1026
+						ss := strings.Split(installedVersion, ".")
+						if len(ss) >= 4 {
+							installedVersion = strings.Join(ss[:4], ".")
+						}
+
+						// 5.15.0-1026.30~20.04.16 -> 5.15.0.1026
+						lhs, rhs, ok := strings.Cut(patchedVersion, "-")
+						if ok {
+							patchedVersion = fmt.Sprintf("%s.%s", lhs, strings.Split(rhs, ".")[0])
+						}
+					}
+
+					affected, err := isGostDefAffected(installedVersion, patchedVersion)
+					if err != nil {
+						logging.Log.Debugf("Failed to parse versions: %s, Ver: %s, Gost: %s", err, installedVersion, patchedVersion)
+						continue
+					}
+
+					if affected {
+						for _, bn := range srcPkg.BinaryNames {
+							if kernelSourceNamePattern.MatchString(n) && bn != runningKernelBinaryPkgName {
+								continue
+							}
+							c.fixStatuses = append(c.fixStatuses, models.PackageFixStatus{
+								Name:    bn,
+								FixedIn: patchedVersion,
+							})
 						}
 					}
 				}
-			} else {
-				if p.packName == "linux" {
-					names = append(names, linuxImage)
-				} else {
-					names = append(names, p.packName)
-				}
 			}
-
-			for _, name := range names {
-				v.AffectedPackages = v.AffectedPackages.Store(models.PackageFixStatus{
-					Name:        name,
+		} else {
+			for _, bn := range srcPkg.BinaryNames {
+				if kernelSourceNamePattern.MatchString(n) && bn != runningKernelBinaryPkgName {
+					continue
+				}
+				c.fixStatuses = append(c.fixStatuses, models.PackageFixStatus{
+					Name:        bn,
 					FixState:    "open",
 					NotFixedYet: true,
 				})
 			}
-			r.ScannedCves[cve.CveID] = v
+		}
+
+		if len(c.fixStatuses) > 0 {
+			contents = append(contents, c)
 		}
 	}
-	return nCVEs, nil
+	return contents
 }

-// ConvertToModel converts gost model to vuls model
-func (ubu Ubuntu) ConvertToModel(cve *gostmodels.UbuntuCVE) *models.CveContent {
+func convertToModel(cve *gostmodels.UbuntuCVE) *models.CveContent {
 	references := []models.Reference{}
 	for _, r := range cve.References {
 		if strings.Contains(r.Reference, "https://cve.mitre.org/cgi-bin/cvename.cgi?name=") {
--- a/gost/ubuntu_test.go
+++ b/gost/ubuntu_test.go
@@ -127,11 +127,171 @@ func TestUbuntuConvertToModel(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ubu := Ubuntu{}
-			got := ubu.ConvertToModel(&tt.input)
-			if !reflect.DeepEqual(got, &tt.expected) {
+			if got := convertToModel(&tt.input); !reflect.DeepEqual(got, &tt.expected) {
 				t.Errorf("Ubuntu.ConvertToModel() = %#v, want %#v", got, &tt.expected)
 			}
 		})
 	}
 }
+
+func Test_detect(t *testing.T) {
+	type args struct {
+		cves                       map[string]gostmodels.UbuntuCVE
+		fixed                      bool
+		srcPkg                     models.SrcPackage
+		runningKernelBinaryPkgName string
+	}
+	tests := []struct {
+		name string
+		args args
+		want []cveContent
+	}{
+		{
+			name: "fixed",
+			args: args{
+				cves: map[string]gostmodels.UbuntuCVE{
+					"CVE-0000-0000": {
+						Candidate: "CVE-0000-0000",
+						Patches: []gostmodels.UbuntuPatch{
+							{
+								PackageName:    "pkg",
+								ReleasePatches: []gostmodels.UbuntuReleasePatch{{ReleaseName: "jammy", Status: "released", Note: "0.0.0-0"}},
+							},
+						},
+					},
+					"CVE-0000-0001": {
+						Candidate: "CVE-0000-0001",
+						Patches: []gostmodels.UbuntuPatch{
+							{
+								PackageName:    "pkg",
+								ReleasePatches: []gostmodels.UbuntuReleasePatch{{ReleaseName: "jammy", Status: "released", Note: "0.0.0-2"}},
+							},
+						},
+					},
+				},
+				fixed:                      true,
+				srcPkg:                     models.SrcPackage{Name: "pkg", Version: "0.0.0-1", BinaryNames: []string{"pkg"}},
+				runningKernelBinaryPkgName: "",
+			},
+			want: []cveContent{
+				{
+					cveContent: models.CveContent{Type: models.UbuntuAPI, CveID: "CVE-0000-0001", SourceLink: "https://ubuntu.com/security/CVE-0000-0001", References: []models.Reference{}},
+					fixStatuses: models.PackageFixStatuses{{
+						Name:    "pkg",
+						FixedIn: "0.0.0-2",
+					}},
+				},
+			},
+		},
+		{
+			name: "unfixed",
+			args: args{
+				cves: map[string]gostmodels.UbuntuCVE{
+					"CVE-0000-0000": {
+						Candidate: "CVE-0000-0000",
+						Patches: []gostmodels.UbuntuPatch{
+							{
+								PackageName:    "pkg",
+								ReleasePatches: []gostmodels.UbuntuReleasePatch{{ReleaseName: "jammy", Status: "open"}},
+							},
+						},
+					},
+				},
+				fixed:                      false,
+				srcPkg:                     models.SrcPackage{Name: "pkg", Version: "0.0.0-1", BinaryNames: []string{"pkg"}},
+				runningKernelBinaryPkgName: "",
+			},
+			want: []cveContent{
+				{
+					cveContent: models.CveContent{Type: models.UbuntuAPI, CveID: "CVE-0000-0000", SourceLink: "https://ubuntu.com/security/CVE-0000-0000", References: []models.Reference{}},
+					fixStatuses: models.PackageFixStatuses{{
+						Name:        "pkg",
+						FixState:    "open",
+						NotFixedYet: true,
+					}},
+				},
+			},
+		},
+		{
+			name: "linux-signed",
+			args: args{
+				cves: map[string]gostmodels.UbuntuCVE{
+					"CVE-0000-0000": {
+						Candidate: "CVE-0000-0000",
+						Patches: []gostmodels.UbuntuPatch{
+							{
+								PackageName:    "linux",
+								ReleasePatches: []gostmodels.UbuntuReleasePatch{{ReleaseName: "jammy", Status: "released", Note: "0.0.0-0"}},
+							},
+						},
+					},
+					"CVE-0000-0001": {
+						Candidate: "CVE-0000-0001",
+						Patches: []gostmodels.UbuntuPatch{
+							{
+								PackageName:    "linux",
+								ReleasePatches: []gostmodels.UbuntuReleasePatch{{ReleaseName: "jammy", Status: "released", Note: "0.0.0-2"}},
+							},
+						},
+					},
+				},
+				fixed:                      true,
+				srcPkg:                     models.SrcPackage{Name: "linux-signed", Version: "0.0.0-1", BinaryNames: []string{"linux-image-generic", "linux-headers-generic"}},
+				runningKernelBinaryPkgName: "linux-image-generic",
+			},
+			want: []cveContent{
+				{
+					cveContent: models.CveContent{Type: models.UbuntuAPI, CveID: "CVE-0000-0001", SourceLink: "https://ubuntu.com/security/CVE-0000-0001", References: []models.Reference{}},
+					fixStatuses: models.PackageFixStatuses{{
+						Name:    "linux-image-generic",
+						FixedIn: "0.0.0-2",
+					}},
+				},
+			},
+		},
+		{
+			name: "linux-meta",
+			args: args{
+				cves: map[string]gostmodels.UbuntuCVE{
+					"CVE-0000-0000": {
+						Candidate: "CVE-0000-0000",
+						Patches: []gostmodels.UbuntuPatch{
+							{
+								PackageName:    "linux",
+								ReleasePatches: []gostmodels.UbuntuReleasePatch{{ReleaseName: "jammy", Status: "released", Note: "0.0.0-0"}},
+							},
+						},
+					},
+					"CVE-0000-0001": {
+						Candidate: "CVE-0000-0001",
+						Patches: []gostmodels.UbuntuPatch{
+							{
+								PackageName:    "linux",
+								ReleasePatches: []gostmodels.UbuntuReleasePatch{{ReleaseName: "jammy", Status: "released", Note: "0.0.0-2"}},
+							},
+						},
+					},
+				},
+				fixed:                      true,
+				srcPkg:                     models.SrcPackage{Name: "linux-meta", Version: "0.0.0.1", BinaryNames: []string{"linux-image-generic", "linux-headers-generic"}},
+				runningKernelBinaryPkgName: "linux-image-generic",
+			},
+			want: []cveContent{
+				{
+					cveContent: models.CveContent{Type: models.UbuntuAPI, CveID: "CVE-0000-0001", SourceLink: "https://ubuntu.com/security/CVE-0000-0001", References: []models.Reference{}},
+					fixStatuses: models.PackageFixStatuses{{
+						Name:    "linux-image-generic",
+						FixedIn: "0.0.0.2",
+					}},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := detect(tt.args.cves, tt.args.fixed, tt.args.srcPkg, tt.args.runningKernelBinaryPkgName); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("detect() = %#v, want %#v", got, tt.want)
+			}
+		})
+	}
+}
--- a/gost/util.go
+++ b/gost/util.go
@@ -9,11 +9,12 @@ import (
 	"time"

 	"github.com/cenkalti/backoff"
+	"github.com/parnurzeal/gorequest"
+	"golang.org/x/xerrors"
+
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
 	"github.com/future-architect/vuls/util"
-	"github.com/parnurzeal/gorequest"
-	"golang.org/x/xerrors"
 )

 type response struct {
@@ -84,11 +85,6 @@ type request struct {
 	cveID          string
 }

-func getAllUnfixedCvesViaHTTP(r *models.ScanResult, urlPrefix string) (
-	responses []response, err error) {
-	return getCvesWithFixStateViaHTTP(r, urlPrefix, "unfixed-cves")
-}
-
 func getCvesWithFixStateViaHTTP(r *models.ScanResult, urlPrefix, fixState string) (responses []response, err error) {
 	nReq := len(r.Packages) + len(r.SrcPackages)
 	reqChan := make(chan request, nReq)