fix(scanner/dpkg): Fix false-negative in Debian and Ubuntu (#1646)

* fix(scanner/dpkg): fix dpkg-query and not remove src pkgs * refactor(gost): remove unnecesary field and fix typo * refactor(detector/debian): detect using only SrcPackage
2023-04-20 11:42:53 +09:00
parent a1d3fbf66f
commit d4d33fc81d
11 changed files with 586 additions and 673 deletions
--- a/scanner/debian.go
+++ b/scanner/debian.go
@@ -338,7 +338,7 @@ func (o *debian) rebootRequired() (bool, error) {
 	}
 }

-const dpkgQuery = `dpkg-query -W -f="\${binary:Package},\${db:Status-Abbrev},\${Version},\${Source},\${source:Version}\n"`
+const dpkgQuery = `dpkg-query -W -f="\${binary:Package},\${db:Status-Abbrev},\${Version},\${source:Package},\${source:Version}\n"`

 func (o *debian) scanInstalledPackages() (models.Packages, models.Packages, models.SrcPackages, error) {
 	updatable := models.Packages{}
@@ -417,29 +417,19 @@ func (o *debian) parseInstalledPackages(stdout string) (models.Packages, models.
 				Version: version,
 			}

-			if srcName != "" && srcName != name {
-				if pack, ok := srcPacks[srcName]; ok {
-					pack.AddBinaryName(name)
-					srcPacks[srcName] = pack
-				} else {
-					srcPacks[srcName] = models.SrcPackage{
-						Name:        srcName,
-						Version:     srcVersion,
-						BinaryNames: []string{name},
-					}
+			if pack, ok := srcPacks[srcName]; ok {
+				pack.AddBinaryName(name)
+				srcPacks[srcName] = pack
+			} else {
+				srcPacks[srcName] = models.SrcPackage{
+					Name:        srcName,
+					Version:     srcVersion,
+					BinaryNames: []string{name},
 				}
 			}
 		}
 	}

-	// Remove "linux"
-	// kernel-related packages are showed "linux" as source package name
-	// If "linux" is left, oval detection will cause trouble, so delete.
-	delete(srcPacks, "linux")
-	// Remove duplicate
-	for name := range installed {
-		delete(srcPacks, name)
-	}
 	return installed, srcPacks, nil
 }

@@ -454,8 +444,20 @@ func (o *debian) parseScannedPackagesLine(line string) (name, status, version, s
 		status = strings.TrimSpace(ss[1])
 		version = ss[2]
 		// remove version. ex: tar (1.27.1-2)
+
+		// Source name and version are computed from binary package name and version in dpkg.
+		// Source package name:
+		// https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/pkg-format.c#n338
 		srcName = strings.Split(ss[3], " ")[0]
+		if srcName == "" {
+			srcName = name
+		}
+		// Source package version:
+		// https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/pkg-show.c#n428
 		srcVersion = ss[4]
+		if srcVersion == "" {
+			srcVersion = version
+		}
 		return
 	}

--- a/scanner/scanner.go
+++ b/scanner/scanner.go
@@ -10,7 +10,6 @@ import (
 	"strings"
 	"time"

-	debver "github.com/knqyf263/go-deb-version"
 	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"

@@ -230,16 +229,6 @@ func ViaHTTP(header http.Header, body string, toLocalFile bool) (models.ScanResu
 		}

 		kernelVersion := header.Get("X-Vuls-Kernel-Version")
-		if family == constant.Debian {
-			if kernelVersion == "" {
-				logging.Log.Warn("X-Vuls-Kernel-Version is empty. skip kernel vulnerability detection.")
-			} else {
-				if _, err := debver.NewVersion(kernelVersion); err != nil {
-					logging.Log.Warnf("X-Vuls-Kernel-Version is invalid. skip kernel vulnerability detection. actual kernelVersion: %s, err: %s", kernelVersion, err)
-					kernelVersion = ""
-				}
-			}
-		}

 		distro := config.Distro{
 			Family:  family,