Stage/vuls
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Extract Advisory.Description on RHEL, Amazon, Oracle (#450)

Browse Source
This commit is contained in:
Kota Kanbe
2017-07-18 21:54:11 +09:00
committed by kota kanbe
parent a9ebac3818
commit ffbaa0a508
3 changed files with 60 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
models/vulninfos.go
View File

@@ -189,10 +189,11 @@ func (v *VulnInfo) NilToEmpty() *VulnInfo {
// DistroAdvisory has Amazon Linux, RHEL, FreeBSD Security Advisory information.
type DistroAdvisory struct {
AdvisoryID string
Severity string
Issued time.Time
Updated time.Time
AdvisoryID string
Severity string
Issued time.Time
Updated time.Time
Description string
}
// Confidence is a ranking how confident the CVE-ID was deteted correctly

26
scan/redhat.go
View File

@@ -564,6 +564,13 @@ func (o *redhat) getDiffChangelog(pack models.Package, availableChangelog string
v = strings.TrimPrefix(v, "-")
v = strings.TrimPrefix(v, "[")
v = strings.TrimSuffix(v, "]")
// On Amazon often end with email address. <aaa@aaa.com> Go to next line
if strings.HasPrefix(v, "<") && strings.HasSuffix(v, ">") {
diff = append(diff, line)
continue
}
version := ver.NewVersion(v)
if installedVer.Equal(version) || installedVer.GreaterThan(version) {
found = true
@@ -746,15 +753,12 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
// find the new section pattern
if horizontalRulePattern.MatchString(line) {
// set previous section's result to return-variable
if sectionState == Content {
foundCveIDs := []string{}
for cveID := range cveIDsSetInThisSection {
foundCveIDs = append(foundCveIDs, cveID)
}
result = append(result, distroAdvisoryCveIDs{
DistroAdvisory: advisory,
CveIDs: foundCveIDs,
@@ -763,6 +767,7 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
// reset for next section.
cveIDsSetInThisSection = make(map[string]bool)
inDesctiption = false
advisory = models.DistroAdvisory{}
}
// Go to next section
@@ -785,16 +790,24 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
case Content:
if found := o.isDescriptionLine(line); found {
inDesctiption = true
ss := strings.Split(line, ":")
advisory.Description += fmt.Sprintf("%s ",
strings.TrimSpace(strings.Join(ss[1:len(ss)], ":")))
continue
}
// severity
severity, found := o.parseYumUpdateinfoToGetSeverity(line)
if found {
if severity, found := o.parseYumUpdateinfoToGetSeverity(line); found {
advisory.Severity = severity
continue
}
// No need to parse in description except severity
if inDesctiption {
if ss := strings.Split(line, ":"); 1 < len(ss) {
advisory.Description += fmt.Sprintf("%s ",
strings.TrimSpace(strings.Join(ss[1:len(ss)], ":")))
}
continue
}
@@ -806,16 +819,19 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID
advisoryID, found := o.parseYumUpdateinfoToGetAdvisoryID(line)
if found {
advisory.AdvisoryID = advisoryID
continue
}
issued, found := o.parseYumUpdateinfoLineToGetIssued(line)
if found {
advisory.Issued = issued
continue
}
updated, found := o.parseYumUpdateinfoLineToGetUpdated(line)
if found {
advisory.Updated = updated
continue
}
}
}

103
scan/redhat_test.go
View File

@@ -307,9 +307,6 @@ func TestParseYumUpdateinfoOL(t *testing.T) {
Issued : 2017-02-15
CVEs : CVE-2017-3135
Description : [32:9.9.4-38.2]
: - Fix CVE-2017-3135 (ISC change 4557)
: - Fix and test caching CNAME before DNAME (ISC
: change 4558)
Severity : Moderate
===============================================================================
@@ -323,10 +320,6 @@ Description : [32:9.9.4-38.2]
CVEs : CVE-2016-8610
: CVE-2017-3731
Description : [1.0.1e-48.4]
: - fix CVE-2017-3731 - DoS via truncated packets
: with RC4-MD5 cipher
: - fix CVE-2016-8610 - DoS of single-threaded
: servers via excessive alerts
Severity : Moderate
===============================================================================
@@ -339,10 +332,6 @@ Description : [1.0.1e-48.4]
Issued : 2017-02-15
CVEs : CVE-2017-6074
Description : kernel-uek
: [4.1.12-61.1.28]
: - dccp: fix freeing skb too early for
: IPV6_RECVPKTINFO (Andrey Konovalov) [Orabug:
: 25598257] {CVE-2017-6074}
Severity : Important
`
@@ -360,17 +349,19 @@ Description : kernel-uek
[]distroAdvisoryCveIDs{
{
DistroAdvisory: models.DistroAdvisory{
AdvisoryID: "ELSA-2017-0276",
Severity: "Moderate",
Issued: issued,
AdvisoryID: "ELSA-2017-0276",
Severity: "Moderate",
Issued: issued,
Description: "[32:9.9.4-38.2] ",
},
CveIDs: []string{"CVE-2017-3135"},
},
{
DistroAdvisory: models.DistroAdvisory{
AdvisoryID: "ELSA-2017-0286",
Severity: "Moderate",
Issued: issued,
AdvisoryID: "ELSA-2017-0286",
Severity: "Moderate",
Issued: issued,
Description: "[1.0.1e-48.4] ",
},
CveIDs: []string{
"CVE-2016-8610",
@@ -379,9 +370,10 @@ Description : kernel-uek
},
{
DistroAdvisory: models.DistroAdvisory{
AdvisoryID: "ELSA-2017-3520",
Severity: "Important",
Issued: issued,
AdvisoryID: "ELSA-2017-3520",
Severity: "Important",
Issued: issued,
Description: "kernel-uek ",
},
CveIDs: []string{"CVE-2017-6074"},
},
@@ -418,12 +410,6 @@ func TestParseYumUpdateinfoRHEL(t *testing.T) {
Bugs : 1259087 - CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service
CVEs : CVE-2015-5722
Description : The Berkeley Internet Name Domain (BIND) is an implementation of
: the Domain Name System (DNS) protocols. BIND
: includes a DNS server (named); a resolver library
: (routines for applications to use when interfacing
: with DNS); and tools for verifying that the DNS
: server is operating correctly.
:
Severity : Important
===============================================================================
@@ -439,12 +425,6 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of
CVEs : CVE-2015-8000
: CVE-2015-8001
Description : The Berkeley Internet Name Domain (BIND) is an implementation of
: the Domain Name System (DNS) protocols. BIND
: includes a DNS server (named); a resolver library
: (routines for applications to use when interfacing
: with DNS); and tools for verifying that the DNS
: server is operating correctly.
:
Severity : Low
===============================================================================
@@ -458,12 +438,6 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of
Bugs : 1299364 - CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c CVEs : CVE-2015-8704
: CVE-2015-8705
Description : The Berkeley Internet Name Domain (BIND) is an implementation of
: the Domain Name System (DNS) protocols. BIND
: includes a DNS server (named); a resolver library
: (routines for applications to use when interfacing
: with DNS); and tools for verifying that the DNS
: server is operating correctly.
:
Severity : Moderate
`
@@ -482,18 +456,20 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of
[]distroAdvisoryCveIDs{
{
DistroAdvisory: models.DistroAdvisory{
AdvisoryID: "RHSA-2015:1705",
Severity: "Important",
Issued: issued,
AdvisoryID: "RHSA-2015:1705",
Severity: "Important",
Issued: issued,
Description: "The Berkeley Internet Name Domain (BIND) is an implementation of ",
},
CveIDs: []string{"CVE-2015-5722"},
},
{
DistroAdvisory: models.DistroAdvisory{
AdvisoryID: "RHSA-2015:2655",
Severity: "Low",
Issued: issued,
Updated: updated,
AdvisoryID: "RHSA-2015:2655",
Severity: "Low",
Issued: issued,
Updated: updated,
Description: "The Berkeley Internet Name Domain (BIND) is an implementation of ",
},
CveIDs: []string{
"CVE-2015-8000",
@@ -502,10 +478,10 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of
},
{
DistroAdvisory: models.DistroAdvisory{
AdvisoryID: "RHSA-2016:0073",
Severity: "Moderate",
Issued: issued,
Updated: updated,
AdvisoryID: "RHSA-2016:0073",
Severity: "Moderate",
Issued: issued,
Description: "The Berkeley Internet Name Domain (BIND) is an implementation of ",
},
CveIDs: []string{
"CVE-2015-8704",
@@ -553,10 +529,6 @@ func TestParseYumUpdateinfoAmazon(t *testing.T) {
Issued : 2015-12-15 13:30
CVEs : CVE-2016-1494
Description : Package updates are available for Amazon Linux AMI that fix the
: following vulnerabilities: CVE-2016-1494:
: 1295869:
: CVE-2016-1494 python-rsa: Signature forgery using
: Bleichenbacher'06 attack
Severity : medium
===============================================================================
@@ -571,32 +543,25 @@ Description : Package updates are available for Amazon Linux AMI that fix the
: CVE-2015-3195
: CVE-2015-3196
Description : Package updates are available for Amazon Linux AMI that fix the
: following vulnerabilities: CVE-2015-3196:
: 1288326:
: CVE-2015-3196 OpenSSL: Race condition handling PSK
: identify hint A race condition flaw, leading to a
: double free, was found in the way OpenSSL handled
: pre-shared keys (PSKs). A remote attacker could
: use this flaw to crash a multi-threaded SSL/TLS
: client.
:
Severity : medium`,
[]distroAdvisoryCveIDs{
{
DistroAdvisory: models.DistroAdvisory{
AdvisoryID: "ALAS-2016-644",
Severity: "medium",
Issued: issued,
AdvisoryID: "ALAS-2016-644",
Severity: "medium",
Issued: issued,
Description: "Package updates are available for Amazon Linux AMI that fix the ",
},
CveIDs: []string{"CVE-2016-1494"},
},
{
DistroAdvisory: models.DistroAdvisory{
AdvisoryID: "ALAS-2015-614",
Severity: "medium",
Issued: issued,
Updated: updated,
AdvisoryID: "ALAS-2015-614",
Severity: "medium",
Issued: issued,
Updated: updated,
Description: "Package updates are available for Amazon Linux AMI that fix the ",
},
CveIDs: []string{
"CVE-2015-3194",