Stage/vuls
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(detect/redhat): detect unpatched vulnerabilities with oval, stop using gost (#1907)

Browse Source 
* feat(oval/redhat): detect not fixed package

* feat(gost/redhat): stop using to detect unpatched vulnerabilities
This commit is contained in:
MaineK00n
2024-05-10 17:32:40 +09:00
committed by GitHub
parent 827f2cb8d8
commit ef2be3d6ea
8 changed files with 380 additions and 328 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
oval/redhat.go
View File

@@ -155,8 +155,9 @@ func (o RedHatBase) update(r *models.ScanResult, defpacks defPacks) (nCVEs int)
vinfo.CveContents = cveContents
}
vinfo.DistroAdvisories.AppendIfMissing(
o.convertToDistroAdvisory(&defpacks.def))
if da := o.convertToDistroAdvisory(&defpacks.def); da != nil {
vinfo.DistroAdvisories.AppendIfMissing(da)
}
// uniq(vinfo.AffectedPackages[].Name + defPacks.binpkgFixstat(map[string(=package name)]fixStat{}))
collectBinpkgFixstat := defPacks{
@@ -170,11 +171,13 @@ func (o RedHatBase) update(r *models.ScanResult, defpacks defPacks) (nCVEs int)
if stat, ok := collectBinpkgFixstat.binpkgFixstat[pack.Name]; !ok {
collectBinpkgFixstat.binpkgFixstat[pack.Name] = fixStat{
notFixedYet: pack.NotFixedYet,
fixState: pack.FixState,
fixedIn: pack.FixedIn,
}
} else if stat.notFixedYet {
collectBinpkgFixstat.binpkgFixstat[pack.Name] = fixStat{
notFixedYet: true,
fixState: pack.FixState,
fixedIn: pack.FixedIn,
}
}
@@ -187,20 +190,53 @@ func (o RedHatBase) update(r *models.ScanResult, defpacks defPacks) (nCVEs int)
}
func (o RedHatBase) convertToDistroAdvisory(def *ovalmodels.Definition) *models.DistroAdvisory {
advisoryID := def.Title
switch o.family {
case constant.RedHat, constant.CentOS, constant.Alma, constant.Rocky, constant.Oracle:
if def.Title != "" {
ss := strings.Fields(def.Title)
advisoryID = strings.TrimSuffix(ss[0], ":")
case constant.RedHat, constant.CentOS, constant.Alma, constant.Rocky:
if !strings.HasPrefix(def.Title, "RHSA-") && !strings.HasPrefix(def.Title, "RHBA-") {
return nil
}
}
return &models.DistroAdvisory{
AdvisoryID: advisoryID,
Severity: def.Advisory.Severity,
Issued: def.Advisory.Issued,
Updated: def.Advisory.Updated,
Description: def.Description,
return &models.DistroAdvisory{
AdvisoryID: strings.TrimSuffix(strings.Fields(def.Title)[0], ":"),
Severity: def.Advisory.Severity,
Issued: def.Advisory.Issued,
Updated: def.Advisory.Updated,
Description: def.Description,
}
case constant.Oracle:
if !strings.HasPrefix(def.Title, "ELSA-") {
return nil
}
return &models.DistroAdvisory{
AdvisoryID: strings.TrimSuffix(strings.Fields(def.Title)[0], ":"),
Severity: def.Advisory.Severity,
Issued: def.Advisory.Issued,
Updated: def.Advisory.Updated,
Description: def.Description,
}
case constant.Amazon:
if !strings.HasPrefix(def.Title, "ALAS") {
return nil
}
return &models.DistroAdvisory{
AdvisoryID: def.Title,
Severity: def.Advisory.Severity,
Issued: def.Advisory.Issued,
Updated: def.Advisory.Updated,
Description: def.Description,
}
case constant.Fedora:
if !strings.HasPrefix(def.Title, "FEDORA") {
return nil
}
return &models.DistroAdvisory{
AdvisoryID: def.Title,
Severity: def.Advisory.Severity,
Issued: def.Advisory.Issued,
Updated: def.Advisory.Updated,
Description: def.Description,
}
default:
return nil
}
}

100
oval/util.go
View File

@@ -18,6 +18,7 @@ import (
debver "github.com/knqyf263/go-deb-version"
rpmver "github.com/knqyf263/go-rpm-version"
"github.com/parnurzeal/gorequest"
"golang.org/x/exp/slices"
"golang.org/x/xerrors"
"github.com/future-architect/vuls/config"
@@ -43,6 +44,7 @@ type defPacks struct {
type fixStat struct {
notFixedYet bool
fixState string
fixedIn string
isSrcPack bool
srcPackName string
@@ -53,6 +55,7 @@ func (e defPacks) toPackStatuses() (ps models.PackageFixStatuses) {
ps = append(ps, models.PackageFixStatus{
Name: name,
NotFixedYet: stat.notFixedYet,
FixState: stat.fixState,
FixedIn: stat.fixedIn,
})
}
@@ -197,7 +200,7 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult, url string) (relatedDefs ova
select {
case res := <-resChan:
for _, def := range res.defs {
affected, notFixedYet, fixedIn, err := isOvalDefAffected(def, res.request, ovalFamily, ovalRelease, r.RunningKernel, r.EnabledDnfModules)
affected, notFixedYet, fixState, fixedIn, err := isOvalDefAffected(def, res.request, ovalFamily, ovalRelease, r.RunningKernel, r.EnabledDnfModules)
if err != nil {
errs = append(errs, err)
continue
@@ -209,16 +212,18 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult, url string) (relatedDefs ova
if res.request.isSrcPack {
for _, n := range res.request.binaryPackNames {
fs := fixStat{
srcPackName: res.request.packName,
isSrcPack: true,
notFixedYet: notFixedYet,
fixState: fixState,
fixedIn: fixedIn,
isSrcPack: true,
srcPackName: res.request.packName,
}
relatedDefs.upsert(def, n, fs)
}
} else {
fs := fixStat{
notFixedYet: notFixedYet,
fixState: fixState,
fixedIn: fixedIn,
}
relatedDefs.upsert(def, res.request.packName, fs)
@@ -338,7 +343,7 @@ func getDefsByPackNameFromOvalDB(r *models.ScanResult, driver ovaldb.DB) (relate
return relatedDefs, xerrors.Errorf("Failed to get %s OVAL info by package: %#v, err: %w", r.Family, req, err)
}
for _, def := range definitions {
affected, notFixedYet, fixedIn, err := isOvalDefAffected(def, req, ovalFamily, ovalRelease, r.RunningKernel, r.EnabledDnfModules)
affected, notFixedYet, fixState, fixedIn, err := isOvalDefAffected(def, req, ovalFamily, ovalRelease, r.RunningKernel, r.EnabledDnfModules)
if err != nil {
return relatedDefs, xerrors.Errorf("Failed to exec isOvalAffected. err: %w", err)
}
@@ -349,9 +354,10 @@ func getDefsByPackNameFromOvalDB(r *models.ScanResult, driver ovaldb.DB) (relate
if req.isSrcPack {
for _, binName := range req.binaryPackNames {
fs := fixStat{
notFixedYet: false,
isSrcPack: true,
notFixedYet: notFixedYet,
fixState: fixState,
fixedIn: fixedIn,
isSrcPack: true,
srcPackName: req.packName,
}
relatedDefs.upsert(def, binName, fs)
@@ -359,6 +365,7 @@ func getDefsByPackNameFromOvalDB(r *models.ScanResult, driver ovaldb.DB) (relate
} else {
fs := fixStat{
notFixedYet: notFixedYet,
fixState: fixState,
fixedIn: fixedIn,
}
relatedDefs.upsert(def, req.packName, fs)
@@ -370,13 +377,13 @@ func getDefsByPackNameFromOvalDB(r *models.ScanResult, driver ovaldb.DB) (relate
var modularVersionPattern = regexp.MustCompile(`.+\.module(?:\+el|_f)\d{1,2}.*`)
func isOvalDefAffected(def ovalmodels.Definition, req request, family, release string, running models.Kernel, enabledMods []string) (affected, notFixedYet bool, fixedIn string, err error) {
func isOvalDefAffected(def ovalmodels.Definition, req request, family, release string, running models.Kernel, enabledMods []string) (affected, notFixedYet bool, fixState, fixedIn string, err error) {
if family == constant.Amazon && release == "2" {
if def.Advisory.AffectedRepository == "" {
def.Advisory.AffectedRepository = "amzn2-core"
}
if req.repository != def.Advisory.AffectedRepository {
return false, false, "", nil
return false, false, "", "", nil
}
}
@@ -403,32 +410,49 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family, release s
}
// There is a modular package and a non-modular package with the same name. (e.g. fedora 35 community-mysql)
if ovalPack.ModularityLabel == "" && modularVersionPattern.MatchString(req.versionRelease) {
continue
} else if ovalPack.ModularityLabel != "" && !modularVersionPattern.MatchString(req.versionRelease) {
continue
}
isModularityLabelEmptyOrSame := false
if ovalPack.ModularityLabel != "" {
var modularityNameStreamLabel string
if ovalPack.ModularityLabel == "" {
if modularVersionPattern.MatchString(req.versionRelease) {
continue
}
} else {
// expect ovalPack.ModularityLabel e.g. RedHat: nginx:1.16, Fedora: mysql:8.0:3520211031142409:f27b74a8
if !modularVersionPattern.MatchString(req.versionRelease) {
continue
}
ss := strings.Split(ovalPack.ModularityLabel, ":")
if len(ss) < 2 {
logging.Log.Warnf("Invalid modularitylabel format in oval package. Maybe it is necessary to fix modularitylabel of goval-dictionary. expected: ${name}:${stream}(:${version}:${context}:${arch}), actual: %s", ovalPack.ModularityLabel)
continue
}
modularityNameStreamLabel := fmt.Sprintf("%s:%s", ss[0], ss[1])
for _, mod := range enabledMods {
if mod == modularityNameStreamLabel {
isModularityLabelEmptyOrSame = true
break
}
modularityNameStreamLabel = fmt.Sprintf("%s:%s", ss[0], ss[1])
if !slices.Contains(enabledMods, modularityNameStreamLabel) {
continue
}
} else {
isModularityLabelEmptyOrSame = true
}
if !isModularityLabelEmptyOrSame {
continue
if ovalPack.NotFixedYet {
switch family {
case constant.RedHat, constant.CentOS, constant.Alma, constant.Rocky:
n := req.packName
if modularityNameStreamLabel != "" {
n = fmt.Sprintf("%s/%s", modularityNameStreamLabel, req.packName)
}
for _, r := range def.Advisory.AffectedResolution {
if slices.ContainsFunc(r.Components, func(c ovalmodels.Component) bool { return c.Component == n }) {
switch r.State {
case "Will not fix", "Under investigation":
return false, true, r.State, ovalPack.Version, nil
default:
return true, true, r.State, ovalPack.Version, nil
}
}
}
return true, true, "", ovalPack.Version, nil
default:
return true, true, "", ovalPack.Version, nil
}
}
if running.Release != "" {
@@ -443,21 +467,16 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family, release s
}
}
if ovalPack.NotFixedYet {
return true, true, ovalPack.Version, nil
}
// Compare between the installed version vs the version in OVAL
less, err := lessThan(family, req.versionRelease, ovalPack)
if err != nil {
logging.Log.Debugf("Failed to parse versions: %s, Ver: %#v, OVAL: %#v, DefID: %s",
err, req.versionRelease, ovalPack, def.DefinitionID)
return false, false, ovalPack.Version, nil
logging.Log.Debugf("Failed to parse versions: %s, Ver: %#v, OVAL: %#v, DefID: %s", err, req.versionRelease, ovalPack, def.DefinitionID)
return false, false, "", ovalPack.Version, nil
}
if less {
if req.isSrcPack {
// Unable to judge whether fixed or not-fixed of src package(Ubuntu, Debian)
return true, false, ovalPack.Version, nil
return true, false, "", ovalPack.Version, nil
}
// If the version of installed is less than in OVAL
@@ -474,7 +493,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family, release s
constant.Raspbian,
constant.Ubuntu:
// Use fixed state in OVAL for these distros.
return true, false, ovalPack.Version, nil
return true, false, "", ovalPack.Version, nil
}
// But CentOS/Alma/Rocky can't judge whether fixed or unfixed.
@@ -485,20 +504,19 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family, release s
// In these mode, the blow field was set empty.
// Vuls can not judge fixed or unfixed.
if req.newVersionRelease == "" {
return true, false, ovalPack.Version, nil
return true, false, "", ovalPack.Version, nil
}
// compare version: newVer vs oval
less, err := lessThan(family, req.newVersionRelease, ovalPack)
if err != nil {
logging.Log.Debugf("Failed to parse versions: %s, NewVer: %#v, OVAL: %#v, DefID: %s",
err, req.newVersionRelease, ovalPack, def.DefinitionID)
return false, false, ovalPack.Version, nil
logging.Log.Debugf("Failed to parse versions: %s, NewVer: %#v, OVAL: %#v, DefID: %s", err, req.newVersionRelease, ovalPack, def.DefinitionID)
return false, false, "", ovalPack.Version, nil
}
return true, less, ovalPack.Version, nil
return true, less, "", ovalPack.Version, nil
}
}
return false, false, "", nil
return false, false, "", "", nil
}
func lessThan(family, newVer string, packInOVAL ovalmodels.Package) (bool, error) {

241
oval/util_test.go
View File

@@ -210,6 +210,7 @@ func TestIsOvalDefAffected(t *testing.T) {
in in
affected bool
notFixedYet bool
fixState string
fixedIn string
wantErr bool
}{
@@ -1910,10 +1911,245 @@ func TestIsOvalDefAffected(t *testing.T) {
affected: false,
fixedIn: "",
},
{
in: in{
family: constant.RedHat,
release: "8",
def: ovalmodels.Definition{
AffectedPacks: []ovalmodels.Package{
{
Name: "kernel",
NotFixedYet: true,
},
},
},
req: request{
packName: "kernel",
versionRelease: "4.18.0-513.5.1.el8_9",
arch: "x86_64",
},
},
affected: true,
notFixedYet: true,
fixState: "",
fixedIn: "",
},
{
in: in{
family: constant.RedHat,
release: "8",
def: ovalmodels.Definition{
Advisory: ovalmodels.Advisory{
AffectedResolution: []ovalmodels.Resolution{
{
State: "Affected",
Components: []ovalmodels.Component{
{
Component: "kernel",
},
},
},
},
},
AffectedPacks: []ovalmodels.Package{
{
Name: "kernel",
NotFixedYet: true,
},
},
},
req: request{
packName: "kernel",
versionRelease: "4.18.0-513.5.1.el8_9",
arch: "x86_64",
},
},
affected: true,
notFixedYet: true,
fixState: "Affected",
fixedIn: "",
},
{
in: in{
family: constant.RedHat,
release: "8",
def: ovalmodels.Definition{
Advisory: ovalmodels.Advisory{
AffectedResolution: []ovalmodels.Resolution{
{
State: "Fix deferred",
Components: []ovalmodels.Component{
{
Component: "kernel",
},
},
},
},
},
AffectedPacks: []ovalmodels.Package{
{
Name: "kernel",
NotFixedYet: true,
},
},
},
req: request{
packName: "kernel",
versionRelease: "4.18.0-513.5.1.el8_9",
arch: "x86_64",
},
},
affected: true,
notFixedYet: true,
fixState: "Fix deferred",
fixedIn: "",
},
{
in: in{
family: constant.RedHat,
release: "8",
def: ovalmodels.Definition{
Advisory: ovalmodels.Advisory{
AffectedResolution: []ovalmodels.Resolution{
{
State: "Out of support scope",
Components: []ovalmodels.Component{
{
Component: "kernel",
},
},
},
},
},
AffectedPacks: []ovalmodels.Package{
{
Name: "kernel",
NotFixedYet: true,
},
},
},
req: request{
packName: "kernel",
versionRelease: "4.18.0-513.5.1.el8_9",
arch: "x86_64",
},
},
affected: true,
notFixedYet: true,
fixState: "Out of support scope",
fixedIn: "",
},
{
in: in{
family: constant.RedHat,
release: "8",
def: ovalmodels.Definition{
Advisory: ovalmodels.Advisory{
AffectedResolution: []ovalmodels.Resolution{
{
State: "Will not fix",
Components: []ovalmodels.Component{
{
Component: "kernel",
},
},
},
},
},
AffectedPacks: []ovalmodels.Package{
{
Name: "kernel",
NotFixedYet: true,
},
},
},
req: request{
packName: "kernel",
versionRelease: "4.18.0-513.5.1.el8_9",
arch: "x86_64",
},
},
affected: false,
notFixedYet: true,
fixState: "Will not fix",
fixedIn: "",
},
{
in: in{
family: constant.RedHat,
release: "8",
def: ovalmodels.Definition{
Advisory: ovalmodels.Advisory{
AffectedResolution: []ovalmodels.Resolution{
{
State: "Under investigation",
Components: []ovalmodels.Component{
{
Component: "kernel",
},
},
},
},
},
AffectedPacks: []ovalmodels.Package{
{
Name: "kernel",
NotFixedYet: true,
},
},
},
req: request{
packName: "kernel",
versionRelease: "4.18.0-513.5.1.el8_9",
arch: "x86_64",
},
},
affected: false,
notFixedYet: true,
fixState: "Under investigation",
fixedIn: "",
},
{
in: in{
family: constant.RedHat,
release: "8",
def: ovalmodels.Definition{
Advisory: ovalmodels.Advisory{
AffectedResolution: []ovalmodels.Resolution{
{
State: "Affected",
Components: []ovalmodels.Component{
{
Component: "nodejs:20/nodejs",
},
},
},
},
},
AffectedPacks: []ovalmodels.Package{
{
Name: "nodejs",
NotFixedYet: true,
ModularityLabel: "nodejs:20",
},
},
},
req: request{
packName: "nodejs",
versionRelease: "1:20.11.1-1.module+el8.9.0+21380+12032667",
arch: "x86_64",
},
mods: []string{"nodejs:20"},
},
affected: true,
notFixedYet: true,
fixState: "Affected",
fixedIn: "",
},
}
for i, tt := range tests {
affected, notFixedYet, fixedIn, err := isOvalDefAffected(tt.in.def, tt.in.req, tt.in.family, tt.in.release, tt.in.kernel, tt.in.mods)
affected, notFixedYet, fixState, fixedIn, err := isOvalDefAffected(tt.in.def, tt.in.req, tt.in.family, tt.in.release, tt.in.kernel, tt.in.mods)
if tt.wantErr != (err != nil) {
t.Errorf("[%d] err\nexpected: %t\n actual: %s\n", i, tt.wantErr, err)
}
@@ -1923,6 +2159,9 @@ func TestIsOvalDefAffected(t *testing.T) {
if tt.notFixedYet != notFixedYet {
t.Errorf("[%d] notfixedyet\nexpected: %v\n actual: %v\n", i, tt.notFixedYet, notFixedYet)
}
if tt.fixState != fixState {
t.Errorf("[%d] fixedState\nexpected: %v\n actual: %v\n", i, tt.fixState, fixState)
}
if tt.fixedIn != fixedIn {
t.Errorf("[%d] fixedIn\nexpected: %v\n actual: %v\n", i, tt.fixedIn, fixedIn)
}