Stage/vuls
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(debian,ubuntu): collect running kernel source package (#1935)

Browse Source
This commit is contained in:
MaineK00n
2024-06-06 21:20:16 +09:00
committed by GitHub
parent 5af1a22733
commit e1fab805af
9 changed files with 666 additions and 358 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
scanner/debian.go
View File

@@ -6,6 +6,7 @@ import (
"encoding/binary"
"fmt"
"regexp"
"slices"
"strconv"
"strings"
"time"
@@ -383,7 +384,8 @@ func (o *debian) scanInstalledPackages() (models.Packages, models.Packages, mode
}
func (o *debian) parseInstalledPackages(stdout string) (models.Packages, models.SrcPackages, error) {
installed, srcPacks := models.Packages{}, models.SrcPackages{}
installed, srcPacks := models.Packages{}, []models.SrcPackage{}
runningKernelSrcPacks := []models.SrcPackage{}
// e.g.
// curl,ii ,7.38.0-4+deb8u2,,7.38.0-4+deb8u2
@@ -412,25 +414,76 @@ func (o *debian) parseInstalledPackages(stdout string) (models.Packages, models.
o.log.Debugf("%s package status is '%c', ignoring", name, packageStatus)
continue
}
installed[name] = models.Package{
Name: name,
Version: version,
}
if pack, ok := srcPacks[srcName]; ok {
pack.AddBinaryName(name)
srcPacks[srcName] = pack
} else {
srcPacks[srcName] = models.SrcPackage{
Name: srcName,
Version: srcVersion,
BinaryNames: []string{name},
srcPacks = append(srcPacks, models.SrcPackage{
Name: srcName,
Version: srcVersion,
BinaryNames: []string{name},
})
if models.IsKernelSourcePackage(o.getDistro().Family, srcName) {
switch o.getDistro().Family {
case constant.Debian, constant.Raspbian:
switch name {
case fmt.Sprintf("linux-image-%s", o.Kernel.Release), fmt.Sprintf("linux-headers-%s", o.Kernel.Release):
runningKernelSrcPacks = append(runningKernelSrcPacks, models.SrcPackage{
Name: srcName,
Version: srcVersion,
})
default:
}
case constant.Ubuntu:
switch name {
case fmt.Sprintf("linux-image-%s", o.Kernel.Release), fmt.Sprintf("linux-image-unsigned-%s", o.Kernel.Release), fmt.Sprintf("linux-signed-image-%s", o.Kernel.Release), fmt.Sprintf("linux-image-uc-%s", o.Kernel.Release),
fmt.Sprintf("linux-buildinfo-%s", o.Kernel.Release), fmt.Sprintf("linux-cloud-tools-%s", o.Kernel.Release), fmt.Sprintf("linux-headers-%s", o.Kernel.Release), fmt.Sprintf("linux-lib-rust-%s", o.Kernel.Release), fmt.Sprintf("linux-modules-%s", o.Kernel.Release), fmt.Sprintf("linux-modules-extra-%s", o.Kernel.Release), fmt.Sprintf("linux-modules-ipu6-%s", o.Kernel.Release), fmt.Sprintf("linux-modules-ivsc-%s", o.Kernel.Release), fmt.Sprintf("linux-modules-iwlwifi-%s", o.Kernel.Release), fmt.Sprintf("linux-tools-%s", o.Kernel.Release):
runningKernelSrcPacks = append(runningKernelSrcPacks, models.SrcPackage{
Name: srcName,
Version: srcVersion,
})
default:
if (strings.HasPrefix(name, "linux-modules-nvidia-") || strings.HasPrefix(name, "linux-objects-nvidia-") || strings.HasPrefix(name, "linux-signatures-nvidia-")) && strings.HasSuffix(name, o.Kernel.Release) {
runningKernelSrcPacks = append(runningKernelSrcPacks, models.SrcPackage{
Name: srcName,
Version: srcVersion,
})
}
}
default:
return nil, nil, xerrors.Errorf("unknown distro: %s", o.getDistro().Family)
}
}
}
}
return installed, srcPacks, nil
srcs := models.SrcPackages{}
for _, p := range srcPacks {
if models.IsKernelSourcePackage(o.getDistro().Family, p.Name) && !slices.ContainsFunc(runningKernelSrcPacks, func(e models.SrcPackage) bool {
return p.Name == e.Name && p.Version == e.Version
}) {
continue
}
if pack, ok := srcs[p.Name]; ok {
for _, bn := range pack.BinaryNames {
p.AddBinaryName(bn)
}
}
srcs[p.Name] = p
}
bins := models.Packages{}
for _, sp := range srcs {
for _, bn := range sp.BinaryNames {
bins[bn] = installed[bn]
}
}
return bins, srcs, nil
}
func (o *debian) parseScannedPackagesLine(line string) (name, status, version, srcName, srcVersion string, err error) {

170
scanner/debian_test.go
View File

@@ -1,17 +1,21 @@
package scanner
import (
"cmp"
"os"
"reflect"
"sort"
"testing"
gocmp "github.com/google/go-cmp/cmp"
gocmpopts "github.com/google/go-cmp/cmp/cmpopts"
"github.com/k0kubun/pp"
"github.com/future-architect/vuls/cache"
"github.com/future-architect/vuls/config"
"github.com/future-architect/vuls/constant"
"github.com/future-architect/vuls/logging"
"github.com/future-architect/vuls/models"
"github.com/k0kubun/pp"
)
func TestGetCveIDsFromChangelog(t *testing.T) {
@@ -878,3 +882,167 @@ vlc (3.0.11-0+deb10u1) buster-security; urgency=high
})
}
}
func Test_debian_parseInstalledPackages(t *testing.T) {
tests := []struct {
name string
fields osTypeInterface
args string
wantBin models.Packages
wantSrc models.SrcPackages
wantErr bool
}{
{
name: "debian kernel",
fields: &debian{
base: base{
Distro: config.Distro{Family: constant.Debian},
osPackages: osPackages{
Kernel: models.Kernel{
Release: "6.1.0-18-amd64",
Version: "6.1.76-1",
},
},
},
},
args: `linux-base,ii ,4.9,linux-base,4.9
linux-compiler-gcc-12-x86,ii ,6.1.90-1,linux,6.1.90-1
linux-headers-6.1.0-18-amd64,ii ,6.1.76-1,linux,6.1.76-1
linux-headers-6.1.0-18-common,ii ,6.1.76-1,linux,6.1.76-1
linux-image-6.1.0-18-amd64,ii ,6.1.76-1,linux-signed-amd64,6.1.76+1
linux-image-6.1.0-21-amd64-unsigned,ii ,6.1.90-1,linux,6.1.90-1
linux-image-amd64,ii ,6.1.76-1,linux-signed-amd64,6.1.76+1
linux-kbuild-6.1,ii ,6.1.90-1,linux,6.1.90-1
linux-libc-dev:amd64,ii ,6.1.90-1,linux,6.1.90-1`,
wantBin: models.Packages{
"linux-base": models.Package{
Name: "linux-base",
Version: "4.9",
},
"linux-headers-6.1.0-18-amd64": models.Package{
Name: "linux-headers-6.1.0-18-amd64",
Version: "6.1.76-1",
},
"linux-headers-6.1.0-18-common": models.Package{
Name: "linux-headers-6.1.0-18-common",
Version: "6.1.76-1",
},
"linux-image-6.1.0-18-amd64": models.Package{
Name: "linux-image-6.1.0-18-amd64",
Version: "6.1.76-1",
},
"linux-image-amd64": models.Package{
Name: "linux-image-amd64",
Version: "6.1.76-1",
},
},
wantSrc: models.SrcPackages{
"linux-base": models.SrcPackage{
Name: "linux-base",
Version: "4.9",
BinaryNames: []string{"linux-base"},
},
"linux": models.SrcPackage{
Name: "linux",
Version: "6.1.76-1",
BinaryNames: []string{"linux-headers-6.1.0-18-amd64", "linux-headers-6.1.0-18-common"},
},
"linux-signed-amd64": models.SrcPackage{
Name: "linux-signed-amd64",
Version: "6.1.76+1",
BinaryNames: []string{"linux-image-6.1.0-18-amd64", "linux-image-amd64"},
},
},
},
{
name: "ubuntu kernel",
fields: &debian{
base: base{
Distro: config.Distro{Family: constant.Ubuntu},
osPackages: osPackages{
Kernel: models.Kernel{
Release: "5.15.0-69-generic",
},
},
},
},
args: `linux-base,ii ,4.5ubuntu9,linux-base,4.5ubuntu9
linux-doc,ii ,5.15.0-107.117,linux,5.15.0-107.117
linux-headers-5.15.0-107,ii ,5.15.0-107.117,linux,5.15.0-107.117
linux-headers-5.15.0-107-generic,ii ,5.15.0-107.117,linux,5.15.0-107.117
linux-headers-5.15.0-69,ii ,5.15.0-69.76,linux,5.15.0-69.76
linux-headers-5.15.0-69-generic,ii ,5.15.0-69.76,linux,5.15.0-69.76
linux-headers-generic,ii ,5.15.0.69.67,linux-meta,5.15.0.69.67
linux-headers-virtual,ii ,5.15.0.69.67,linux-meta,5.15.0.69.67
linux-image-5.15.0-107-generic,ii ,5.15.0-107.117,linux-signed,5.15.0-107.117
linux-image-5.15.0-69-generic,ii ,5.15.0-69.76,linux-signed,5.15.0-69.76
linux-image-virtual,ii ,5.15.0.69.67,linux-meta,5.15.0.69.67
linux-libc-dev:amd64,ii ,5.15.0-107.117,linux,5.15.0-107.117
linux-modules-5.15.0-107-generic,ii ,5.15.0-107.117,linux,5.15.0-107.117
linux-modules-5.15.0-69-generic,ii ,5.15.0-69.76,linux,5.15.0-69.76
linux-modules-extra-5.15.0-107-generic,ii ,5.15.0-107.117,linux,5.15.0-107.117
linux-realtime-tools-5.15.0-1032,ii ,5.15.0-1032.35,linux-realtime,5.15.0-1032.35
linux-tools-5.15.0-1032-realtime,ii ,5.15.0-1032.35,linux-realtime,5.15.0-1032.35
linux-tools-common,ii ,5.15.0-107.117,linux,5.15.0-107.117
linux-tools-realtime,ii ,5.15.0.1032.31,linux-meta-realtime,5.15.0.1032.31
linux-virtual,ii ,5.15.0.69.67,linux-meta,5.15.0.69.67
`,
wantBin: models.Packages{
"linux-base": {
Name: "linux-base",
Version: "4.5ubuntu9",
},
"linux-headers-5.15.0-69": {
Name: "linux-headers-5.15.0-69",
Version: "5.15.0-69.76",
},
"linux-headers-5.15.0-69-generic": {
Name: "linux-headers-5.15.0-69-generic",
Version: "5.15.0-69.76",
},
"linux-image-5.15.0-69-generic": {
Name: "linux-image-5.15.0-69-generic",
Version: "5.15.0-69.76",
},
"linux-modules-5.15.0-69-generic": {
Name: "linux-modules-5.15.0-69-generic",
Version: "5.15.0-69.76",
},
},
wantSrc: models.SrcPackages{
"linux-base": {
Name: "linux-base",
Version: "4.5ubuntu9",
BinaryNames: []string{"linux-base"},
},
"linux": {
Name: "linux",
Version: "5.15.0-69.76",
BinaryNames: []string{"linux-headers-5.15.0-69", "linux-headers-5.15.0-69-generic", "linux-modules-5.15.0-69-generic"},
},
"linux-signed": {
Name: "linux-signed",
Version: "5.15.0-69.76",
BinaryNames: []string{"linux-image-5.15.0-69-generic"},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
bin, src, err := tt.fields.parseInstalledPackages(tt.args)
if (err != nil) != tt.wantErr {
t.Errorf("debian.parseInstalledPackages() error = %v, wantErr %v", err, tt.wantErr)
return
}
if diff := gocmp.Diff(bin, tt.wantBin); diff != "" {
t.Errorf("debian.parseInstalledPackages() bin: (-got +want):%s\n", diff)
}
if diff := gocmp.Diff(src, tt.wantSrc, gocmpopts.SortSlices(func(i, j string) bool {
return cmp.Less(i, j)
})); diff != "" {
t.Errorf("debian.parseInstalledPackages() src: (-got +want):%s\n", diff)
}
})
}
}