feat(detect/redhat): detect unpatched vulnerabilities with oval, stop using gost (#1907)

* feat(oval/redhat): detect not fixed package * feat(gost/redhat): stop using to detect unpatched vulnerabilities
2024-05-10 17:32:40 +09:00
parent 827f2cb8d8
commit ef2be3d6ea
8 changed files with 380 additions and 328 deletions
--- a/oval/redhat.go
+++ b/oval/redhat.go
@@ -155,8 +155,9 @@ func (o RedHatBase) update(r *models.ScanResult, defpacks defPacks) (nCVEs int)
 			vinfo.CveContents = cveContents
 		}

-		vinfo.DistroAdvisories.AppendIfMissing(
-			o.convertToDistroAdvisory(&defpacks.def))
+		if da := o.convertToDistroAdvisory(&defpacks.def); da != nil {
+			vinfo.DistroAdvisories.AppendIfMissing(da)
+		}

 		// uniq(vinfo.AffectedPackages[].Name + defPacks.binpkgFixstat(map[string(=package name)]fixStat{}))
 		collectBinpkgFixstat := defPacks{
@@ -170,11 +171,13 @@ func (o RedHatBase) update(r *models.ScanResult, defpacks defPacks) (nCVEs int)
 			if stat, ok := collectBinpkgFixstat.binpkgFixstat[pack.Name]; !ok {
 				collectBinpkgFixstat.binpkgFixstat[pack.Name] = fixStat{
 					notFixedYet: pack.NotFixedYet,
+					fixState:    pack.FixState,
 					fixedIn:     pack.FixedIn,
 				}
 			} else if stat.notFixedYet {
 				collectBinpkgFixstat.binpkgFixstat[pack.Name] = fixStat{
 					notFixedYet: true,
+					fixState:    pack.FixState,
 					fixedIn:     pack.FixedIn,
 				}
 			}
@@ -187,20 +190,53 @@ func (o RedHatBase) update(r *models.ScanResult, defpacks defPacks) (nCVEs int)
 }

 func (o RedHatBase) convertToDistroAdvisory(def *ovalmodels.Definition) *models.DistroAdvisory {
-	advisoryID := def.Title
 	switch o.family {
-	case constant.RedHat, constant.CentOS, constant.Alma, constant.Rocky, constant.Oracle:
-		if def.Title != "" {
-			ss := strings.Fields(def.Title)
-			advisoryID = strings.TrimSuffix(ss[0], ":")
+	case constant.RedHat, constant.CentOS, constant.Alma, constant.Rocky:
+		if !strings.HasPrefix(def.Title, "RHSA-") && !strings.HasPrefix(def.Title, "RHBA-") {
+			return nil
 		}
-	}
-	return &models.DistroAdvisory{
-		AdvisoryID:  advisoryID,
-		Severity:    def.Advisory.Severity,
-		Issued:      def.Advisory.Issued,
-		Updated:     def.Advisory.Updated,
-		Description: def.Description,
+		return &models.DistroAdvisory{
+			AdvisoryID:  strings.TrimSuffix(strings.Fields(def.Title)[0], ":"),
+			Severity:    def.Advisory.Severity,
+			Issued:      def.Advisory.Issued,
+			Updated:     def.Advisory.Updated,
+			Description: def.Description,
+		}
+	case constant.Oracle:
+		if !strings.HasPrefix(def.Title, "ELSA-") {
+			return nil
+		}
+		return &models.DistroAdvisory{
+			AdvisoryID:  strings.TrimSuffix(strings.Fields(def.Title)[0], ":"),
+			Severity:    def.Advisory.Severity,
+			Issued:      def.Advisory.Issued,
+			Updated:     def.Advisory.Updated,
+			Description: def.Description,
+		}
+	case constant.Amazon:
+		if !strings.HasPrefix(def.Title, "ALAS") {
+			return nil
+		}
+		return &models.DistroAdvisory{
+			AdvisoryID:  def.Title,
+			Severity:    def.Advisory.Severity,
+			Issued:      def.Advisory.Issued,
+			Updated:     def.Advisory.Updated,
+			Description: def.Description,
+		}
+	case constant.Fedora:
+		if !strings.HasPrefix(def.Title, "FEDORA") {
+			return nil
+		}
+		return &models.DistroAdvisory{
+			AdvisoryID:  def.Title,
+			Severity:    def.Advisory.Severity,
+			Issued:      def.Advisory.Issued,
+			Updated:     def.Advisory.Updated,
+			Description: def.Description,
+		}
+	default:
+		return nil
 	}
 }