fix(ubuntu): vulnerability detection for kernel package (#1591)

* fix(ubuntu): vulnerability detection for kernel package * feat(gost/ubuntu): update mod to treat status: deferred as unfixed * feat(ubuntu): support 22.10
2023-02-03 15:56:58 +09:00
parent bfe0db77b4
commit ad2edbb844
10 changed files with 600 additions and 780 deletions
--- a/oval/debian.go
+++ b/oval/debian.go
@@ -4,15 +4,11 @@
 package oval

 import (
-	"fmt"
-	"strings"
-
 	"golang.org/x/xerrors"

 	"github.com/future-architect/vuls/constant"
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
-	"github.com/future-architect/vuls/util"
 	ovaldb "github.com/vulsio/goval-dictionary/db"
 	ovalmodels "github.com/vulsio/goval-dictionary/models"
 )
@@ -219,322 +215,6 @@ func NewUbuntu(driver ovaldb.DB, baseURL string) Ubuntu {
 }

 // FillWithOval returns scan result after updating CVE info by OVAL
-func (o Ubuntu) FillWithOval(r *models.ScanResult) (nCVEs int, err error) {
-	switch util.Major(r.Release) {
-	case "14":
-		kernelNamesInOval := []string{
-			"linux-aws",
-			"linux-azure",
-			"linux-lts-xenial",
-			"linux-meta",
-			"linux-meta-aws",
-			"linux-meta-azure",
-			"linux-meta-lts-xenial",
-			"linux-signed",
-			"linux-signed-azure",
-			"linux-signed-lts-xenial",
-			"linux",
-		}
-		return o.fillWithOval(r, kernelNamesInOval)
-	case "16":
-		kernelNamesInOval := []string{
-			"linux-aws",
-			"linux-aws-hwe",
-			"linux-azure",
-			"linux-euclid",
-			"linux-flo",
-			"linux-gcp",
-			"linux-gke",
-			"linux-goldfish",
-			"linux-hwe",
-			"linux-kvm",
-			"linux-mako",
-			"linux-meta",
-			"linux-meta-aws",
-			"linux-meta-aws-hwe",
-			"linux-meta-azure",
-			"linux-meta-gcp",
-			"linux-meta-hwe",
-			"linux-meta-kvm",
-			"linux-meta-oracle",
-			"linux-meta-raspi2",
-			"linux-meta-snapdragon",
-			"linux-oem",
-			"linux-oracle",
-			"linux-raspi2",
-			"linux-signed",
-			"linux-signed-azure",
-			"linux-signed-gcp",
-			"linux-signed-hwe",
-			"linux-signed-oracle",
-			"linux-snapdragon",
-			"linux",
-		}
-		return o.fillWithOval(r, kernelNamesInOval)
-	case "18":
-		kernelNamesInOval := []string{
-			"linux-aws",
-			"linux-aws-5.0",
-			"linux-azure",
-			"linux-gcp",
-			"linux-gcp-5.3",
-			"linux-gke-4.15",
-			"linux-gke-5.0",
-			"linux-gke-5.3",
-			"linux-hwe",
-			"linux-kvm",
-			"linux-meta",
-			"linux-meta-aws",
-			"linux-meta-aws-5.0",
-			"linux-meta-azure",
-			"linux-meta-gcp",
-			"linux-meta-gcp-5.3",
-			"linux-meta-gke-4.15",
-			"linux-meta-gke-5.0",
-			"linux-meta-gke-5.3",
-			"linux-meta-hwe",
-			"linux-meta-kvm",
-			"linux-meta-oem",
-			"linux-meta-oem-osp1",
-			"linux-meta-oracle",
-			"linux-meta-oracle-5.0",
-			"linux-meta-oracle-5.3",
-			"linux-meta-raspi2",
-			"linux-meta-raspi2-5.3",
-			"linux-meta-snapdragon",
-			"linux-oem",
-			"linux-oem-osp1",
-			"linux-oracle",
-			"linux-oracle-5.0",
-			"linux-oracle-5.3",
-			"linux-raspi2",
-			"linux-raspi2-5.3",
-			"linux-signed",
-			"linux-signed-azure",
-			"linux-signed-gcp",
-			"linux-signed-gcp-5.3",
-			"linux-signed-gke-4.15",
-			"linux-signed-gke-5.0",
-			"linux-signed-gke-5.3",
-			"linux-signed-hwe",
-			"linux-signed-oem",
-			"linux-signed-oem-osp1",
-			"linux-signed-oracle",
-			"linux-signed-oracle-5.0",
-			"linux-signed-oracle-5.3",
-			"linux-snapdragon",
-			"linux",
-		}
-		return o.fillWithOval(r, kernelNamesInOval)
-	case "20":
-		kernelNamesInOval := []string{
-			"linux-aws",
-			"linux-azure",
-			"linux-gcp",
-			"linux-kvm",
-			"linux-meta",
-			"linux-meta-aws",
-			"linux-meta-azure",
-			"linux-meta-gcp",
-			"linux-meta-kvm",
-			"linux-meta-oem-5.6",
-			"linux-meta-oracle",
-			"linux-meta-raspi",
-			"linux-meta-riscv",
-			"linux-oem-5.6",
-			"linux-oracle",
-			"linux-raspi",
-			"linux-raspi2",
-			"linux-riscv",
-			"linux-signed",
-			"linux-signed-azure",
-			"linux-signed-gcp",
-			"linux-signed-oem-5.6",
-			"linux-signed-oracle",
-			"linux",
-		}
-		return o.fillWithOval(r, kernelNamesInOval)
-	case "21":
-		kernelNamesInOval := []string{
-			"linux-aws",
-			"linux-base-sgx",
-			"linux-base",
-			"linux-cloud-tools-common",
-			"linux-cloud-tools-generic",
-			"linux-cloud-tools-lowlatency",
-			"linux-cloud-tools-virtual",
-			"linux-gcp",
-			"linux-generic",
-			"linux-gke",
-			"linux-headers-aws",
-			"linux-headers-gcp",
-			"linux-headers-gke",
-			"linux-headers-oracle",
-			"linux-image-aws",
-			"linux-image-extra-virtual",
-			"linux-image-gcp",
-			"linux-image-generic",
-			"linux-image-gke",
-			"linux-image-lowlatency",
-			"linux-image-oracle",
-			"linux-image-virtual",
-			"linux-lowlatency",
-			"linux-modules-extra-aws",
-			"linux-modules-extra-gcp",
-			"linux-modules-extra-gke",
-			"linux-oracle",
-			"linux-tools-aws",
-			"linux-tools-common",
-			"linux-tools-gcp",
-			"linux-tools-generic",
-			"linux-tools-gke",
-			"linux-tools-host",
-			"linux-tools-lowlatency",
-			"linux-tools-oracle",
-			"linux-tools-virtual",
-			"linux-virtual",
-		}
-		return o.fillWithOval(r, kernelNamesInOval)
-	case "22":
-		kernelNamesInOval := []string{
-			"linux-aws",
-			"linux-azure",
-			"linux-gcp",
-			"linux-generic",
-			"linux-gke",
-			"linux-header-aws",
-			"linux-header-azure",
-			"linux-header-gcp",
-			"linux-header-generic",
-			"linux-header-gke",
-			"linux-header-oracle",
-			"linux-image-aws",
-			"linux-image-azure",
-			"linux-image-gcp",
-			"linux-image-generic",
-			"linux-image-gke",
-			"linux-image-oracle",
-			"linux-oracle",
-			"linux-tools-aws",
-			"linux-tools-azure",
-			"linux-tools-common",
-			"linux-tools-gcp",
-			"linux-tools-generic",
-			"linux-tools-gke",
-			"linux-tools-oracle",
-		}
-		return o.fillWithOval(r, kernelNamesInOval)
-	}
-	return 0, fmt.Errorf("Ubuntu %s is not support for now", r.Release)
-}
-
-func (o Ubuntu) fillWithOval(r *models.ScanResult, kernelNamesInOval []string) (nCVEs int, err error) {
-	linuxImage := "linux-image-" + r.RunningKernel.Release
-	runningKernelVersion := ""
-	kernelPkgInOVAL := ""
-	isOVALKernelPkgAdded := false
-	unusedKernels := []models.Package{}
-	copiedSourcePkgs := models.SrcPackages{}
-
-	if r.Container.ContainerID == "" {
-		if v, ok := r.Packages[linuxImage]; ok {
-			runningKernelVersion = v.Version
-		} else {
-			logging.Log.Warnf("Unable to detect vulns of running kernel because the version of the running kernel is unknown. server: %s",
-				r.ServerName)
-		}
-
-		for _, n := range kernelNamesInOval {
-			if p, ok := r.Packages[n]; ok {
-				kernelPkgInOVAL = p.Name
-				break
-			}
-		}
-
-		// remove unused kernels from packages to prevent detecting vulns of unused kernel
-		for _, n := range kernelNamesInOval {
-			if v, ok := r.Packages[n]; ok {
-				unusedKernels = append(unusedKernels, v)
-				delete(r.Packages, n)
-			}
-		}
-
-		// Remove linux-* in order to detect only vulnerabilities in the running kernel.
-		for n := range r.Packages {
-			if n != kernelPkgInOVAL && strings.HasPrefix(n, "linux-") {
-				unusedKernels = append(unusedKernels, r.Packages[n])
-				delete(r.Packages, n)
-			}
-		}
-		for srcPackName, srcPack := range r.SrcPackages {
-			copiedSourcePkgs[srcPackName] = srcPack
-			targetBinaryNames := []string{}
-			for _, n := range srcPack.BinaryNames {
-				if n == kernelPkgInOVAL || !strings.HasPrefix(n, "linux-") {
-					targetBinaryNames = append(targetBinaryNames, n)
-				}
-			}
-			srcPack.BinaryNames = targetBinaryNames
-			r.SrcPackages[srcPackName] = srcPack
-		}
-
-		if kernelPkgInOVAL == "" {
-			logging.Log.Warnf("The OVAL name of the running kernel image %+v is not found. So vulns of `linux` wll be detected. server: %s",
-				r.RunningKernel, r.ServerName)
-			kernelPkgInOVAL = "linux"
-			isOVALKernelPkgAdded = true
-		}
-
-		if runningKernelVersion != "" {
-			r.Packages[kernelPkgInOVAL] = models.Package{
-				Name:    kernelPkgInOVAL,
-				Version: runningKernelVersion,
-			}
-		}
-	}
-
-	var relatedDefs ovalResult
-	if o.driver == nil {
-		if relatedDefs, err = getDefsByPackNameViaHTTP(r, o.baseURL); err != nil {
-			return 0, xerrors.Errorf("Failed to get Definitions via HTTP. err: %w", err)
-		}
-	} else {
-		if relatedDefs, err = getDefsByPackNameFromOvalDB(r, o.driver); err != nil {
-			return 0, xerrors.Errorf("Failed to get Definitions from DB. err: %w", err)
-		}
-	}
-
-	if isOVALKernelPkgAdded {
-		delete(r.Packages, kernelPkgInOVAL)
-	}
-	for _, p := range unusedKernels {
-		r.Packages[p.Name] = p
-	}
-	r.SrcPackages = copiedSourcePkgs
-
-	for _, defPacks := range relatedDefs.entries {
-		// Remove "linux" added above for searching oval
-		// "linux" is not a real package name (key of affected packages in OVAL)
-		if nfy, ok := defPacks.binpkgFixstat[kernelPkgInOVAL]; isOVALKernelPkgAdded && ok {
-			defPacks.binpkgFixstat[linuxImage] = nfy
-			delete(defPacks.binpkgFixstat, kernelPkgInOVAL)
-			for i, p := range defPacks.def.AffectedPacks {
-				if p.Name == kernelPkgInOVAL {
-					p.Name = linuxImage
-					defPacks.def.AffectedPacks[i] = p
-				}
-			}
-		}
-		o.update(r, defPacks)
-	}
-
-	for _, vuln := range r.ScannedCves {
-		if conts, ok := vuln.CveContents[models.Ubuntu]; ok {
-			for i, cont := range conts {
-				cont.SourceLink = "http://people.ubuntu.com/~ubuntu-security/cve/" + cont.CveID
-				vuln.CveContents[models.Ubuntu][i] = cont
-			}
-		}
-	}
-	return len(relatedDefs.entries), nil
+func (o Ubuntu) FillWithOval(_ *models.ScanResult) (nCVEs int, err error) {
+	return 0, nil
 }