From ffbaa0a508beb9b95c6d04ab06cca5952b1d7ec6 Mon Sep 17 00:00:00 2001
From: Kota Kanbe
Date: Tue, 18 Jul 2017 21:54:11 +0900
Subject: [PATCH] Extract Advisory.Description on RHEL, Amazon, Oracle (#450)

---
 models/vulninfos.go | 9 ++--
 scan/redhat.go | 26 ++++++++---
 scan/redhat_test.go | 103 +++++++++++++++-----------------------------
 3 files changed, 60 insertions(+), 78 deletions(-)

diff --git a/models/vulninfos.go b/models/vulninfos.go
index f0e92b82..df5ecc40 100644
--- a/models/vulninfos.go
+++ b/models/vulninfos.go
@@ -189,10 +189,11 @@ func (v *VulnInfo) NilToEmpty() *VulnInfo {
 
 // DistroAdvisory has Amazon Linux, RHEL, FreeBSD Security Advisory information.
 type DistroAdvisory struct {
- AdvisoryID string
- Severity string
- Issued time.Time
- Updated time.Time
+ AdvisoryID string
+ Severity string
+ Issued time.Time
+ Updated time.Time
+ Description string
 }
 
 // Confidence is a ranking how confident the CVE-ID was deteted correctly
diff --git a/scan/redhat.go b/scan/redhat.go
index c1f12708..f1960ae7 100644
--- a/scan/redhat.go
+++ b/scan/redhat.go
@@ -564,6 +564,13 @@ func (o *redhat) getDiffChangelog(pack models.Package, availableChangelog string
 v = strings.TrimPrefix(v, "-")
 v = strings.TrimPrefix(v, "[")
 v = strings.TrimSuffix(v, "]")
+
+ // On Amazon often end with email address. Go to next line
+ if strings.HasPrefix(v, "<") && strings.HasSuffix(v, ">") {
+ diff = append(diff, line)
+ continue
+ }
+
 version := ver.NewVersion(v)
 if installedVer.Equal(version) || installedVer.GreaterThan(version) {
 found = true
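Review bot: In the getDiffChangelog hunk, the new `<...>` branch appends the line and continues before `ver.NewVersion(v)` runs, so a header whose last token is wrapped in angle brackets never reaches the `installedVer` comparison that sets `found`. If every header of a changelog ends that way, the visible code never sets `found`, and whatever the function does in that case (its body starts and ends outside the hunk) decides which changelog entries, and the CVE IDs mentioned in them, are attributed to the pending update; that path deserves a test built on an Amazon Linux changelog sample. The comment would also read better as `// Amazon Linux changelog headers often end with "<email>" rather than a version; keep the line and move on.`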
@@ -746,15 +753,12 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID // find the new section pattern if horizontalRulePattern.MatchString(line) { - // set previous section's result to return-variable if sectionState == Content { - foundCveIDs := []string{} for cveID := range cveIDsSetInThisSection { foundCveIDs = append(foundCveIDs, cveID) } - result = append(result, distroAdvisoryCveIDs{ DistroAdvisory: advisory, CveIDs: foundCveIDs, @@ -763,6 +767,7 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID // reset for next section. cveIDsSetInThisSection = make(map[string]bool) inDesctiption = false + advisory = models.DistroAdvisory{} } // Go to next section @@ -785,16 +790,24 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID case Content: if found := o.isDescriptionLine(line); found { inDesctiption = true + ss := strings.Split(line, ":") + advisory.Description += fmt.Sprintf("%s ", + strings.TrimSpace(strings.Join(ss[1:len(ss)], ":"))) + continue } // severity - severity, found := o.parseYumUpdateinfoToGetSeverity(line) - if found { + if severity, found := o.parseYumUpdateinfoToGetSeverity(line); found { advisory.Severity = severity + continue } // No need to parse in description except severity if inDesctiption { + if ss := strings.Split(line, ":"); 1 < len(ss) { + advisory.Description += fmt.Sprintf("%s ", + strings.TrimSpace(strings.Join(ss[1:len(ss)], ":"))) + } continue } @@ -806,16 +819,19 @@ func (o *redhat) parseYumUpdateinfo(stdout string) (result []distroAdvisoryCveID advisoryID, found := o.parseYumUpdateinfoToGetAdvisoryID(line) if found { advisory.AdvisoryID = advisoryID + continue } issued, found := o.parseYumUpdateinfoLineToGetIssued(line) if found { advisory.Issued = issued + continue } updated, found := o.parseYumUpdateinfoLineToGetUpdated(line) if found { advisory.Updated = updated + continue } } } 
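Review bot: In the `inDesctiption` branch of the `@@ -785,16 +790,24 @@` hunk, every line containing a colon has its right-hand side appended to `advisory.Description`, whether it is a continuation line (blank label) or a new labelled field; `inDesctiption` is cleared only at the next horizontal rule, so any labelled line other than Severity that follows the description in the same section would be folded into the text. Appending only when the label is blank avoids that: `if ss := strings.SplitN(line, ":", 2); len(ss) == 2 && strings.TrimSpace(ss[0]) == "" {` followed by `advisory.Description += strings.TrimSpace(ss[1]) + " "`. The same `SplitN` form would replace the `strings.Join(ss[1:len(ss)], ":")` round trip on the first description line. The description is repository-supplied free text of unbounded length, so report writers that render it should escape it for their output format. parseYumUpdateinfo starts and ends outside the hunk.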
diff --git a/scan/redhat_test.go b/scan/redhat_test.go index e5414fe7..eda7eb6f 100644 --- a/scan/redhat_test.go +++ b/scan/redhat_test.go @@ -307,9 +307,6 @@ func TestParseYumUpdateinfoOL(t *testing.T) { Issued : 2017-02-15 CVEs : CVE-2017-3135 Description : [32:9.9.4-38.2] - : - Fix CVE-2017-3135 (ISC change 4557) - : - Fix and test caching CNAME before DNAME (ISC - : change 4558) Severity : Moderate =============================================================================== @@ -323,10 +320,6 @@ Description : [32:9.9.4-38.2] CVEs : CVE-2016-8610 : CVE-2017-3731 Description : [1.0.1e-48.4] - : - fix CVE-2017-3731 - DoS via truncated packets - : with RC4-MD5 cipher - : - fix CVE-2016-8610 - DoS of single-threaded - : servers via excessive alerts Severity : Moderate =============================================================================== @@ -339,10 +332,6 @@ Description : [1.0.1e-48.4] Issued : 2017-02-15 CVEs : CVE-2017-6074 Description : kernel-uek - : [4.1.12-61.1.28] - : - dccp: fix freeing skb too early for - : IPV6_RECVPKTINFO (Andrey Konovalov) [Orabug: - : 25598257] {CVE-2017-6074} Severity : Important ` @@ -360,17 +349,19 @@ Description : kernel-uek []distroAdvisoryCveIDs{ { DistroAdvisory: models.DistroAdvisory{ - AdvisoryID: "ELSA-2017-0276", - Severity: "Moderate", - Issued: issued, + AdvisoryID: "ELSA-2017-0276", + Severity: "Moderate", + Issued: issued, + Description: "[32:9.9.4-38.2] ", }, CveIDs: []string{"CVE-2017-3135"}, }, { DistroAdvisory: models.DistroAdvisory{ - AdvisoryID: "ELSA-2017-0286", - Severity: "Moderate", - Issued: issued, + AdvisoryID: "ELSA-2017-0286", + Severity: "Moderate", + Issued: issued, + Description: "[1.0.1e-48.4] ", }, CveIDs: []string{ "CVE-2016-8610", 
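Review bot: The fixture hunks in TestParseYumUpdateinfoOL delete every continuation line of the form ` : ...`, so the expected `Description` values cover only the first description line and the multi-line accumulation added to parseYumUpdateinfo in this commit is never exercised; the RHEL and Amazon fixture hunks further down do the same. Keeping at least one multi-line description per distribution, with the joined text as the expected value, would pin the new branch. The expected strings also bake in the trailing space left by the `"%s "` format (for example `"[32:9.9.4-38.2] "`); applying `strings.TrimSpace` to the description before the advisory is appended to `result` would make that unnecessary.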
@@ -379,9 +370,10 @@ Description : kernel-uek }, { DistroAdvisory: models.DistroAdvisory{ - AdvisoryID: "ELSA-2017-3520", - Severity: "Important", - Issued: issued, + AdvisoryID: "ELSA-2017-3520", + Severity: "Important", + Issued: issued, + Description: "kernel-uek ", }, CveIDs: []string{"CVE-2017-6074"}, }, @@ -418,12 +410,6 @@ func TestParseYumUpdateinfoRHEL(t *testing.T) { Bugs : 1259087 - CVE-2015-5722 bind: malformed DNSSEC key failed assertion denial of service CVEs : CVE-2015-5722 Description : The Berkeley Internet Name Domain (BIND) is an implementation of - : the Domain Name System (DNS) protocols. BIND - : includes a DNS server (named); a resolver library - : (routines for applications to use when interfacing - : with DNS); and tools for verifying that the DNS - : server is operating correctly. - : Severity : Important =============================================================================== @@ -439,12 +425,6 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of CVEs : CVE-2015-8000 : CVE-2015-8001 Description : The Berkeley Internet Name Domain (BIND) is an implementation of - : the Domain Name System (DNS) protocols. BIND - : includes a DNS server (named); a resolver library - : (routines for applications to use when interfacing - : with DNS); and tools for verifying that the DNS - : server is operating correctly. - : Severity : Low =============================================================================== 
@@ -458,12 +438,6 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of Bugs : 1299364 - CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c CVEs : CVE-2015-8704 : CVE-2015-8705 Description : The Berkeley Internet Name Domain (BIND) is an implementation of - : the Domain Name System (DNS) protocols. BIND - : includes a DNS server (named); a resolver library - : (routines for applications to use when interfacing - : with DNS); and tools for verifying that the DNS - : server is operating correctly. - : Severity : Moderate ` @@ -482,18 +456,20 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of []distroAdvisoryCveIDs{ { DistroAdvisory: models.DistroAdvisory{ - AdvisoryID: "RHSA-2015:1705", - Severity: "Important", - Issued: issued, + AdvisoryID: "RHSA-2015:1705", + Severity: "Important", + Issued: issued, + Description: "The Berkeley Internet Name Domain (BIND) is an implementation of ", }, CveIDs: []string{"CVE-2015-5722"}, }, { DistroAdvisory: models.DistroAdvisory{ - AdvisoryID: "RHSA-2015:2655", - Severity: "Low", - Issued: issued, - Updated: updated, + AdvisoryID: "RHSA-2015:2655", + Severity: "Low", + Issued: issued, + Updated: updated, + Description: "The Berkeley Internet Name Domain (BIND) is an implementation of ", }, CveIDs: []string{ "CVE-2015-8000", @@ -502,10 +478,10 @@ Description : The Berkeley Internet Name Domain (BIND) is an implementation of }, { DistroAdvisory: models.DistroAdvisory{ - AdvisoryID: "RHSA-2016:0073", - Severity: "Moderate", - Issued: issued, - Updated: updated, + AdvisoryID: "RHSA-2016:0073", + Severity: "Moderate", + Issued: issued, + Description: "The Berkeley Internet Name Domain (BIND) is an implementation of ", }, CveIDs: []string{ "CVE-2015-8704", 
@@ -553,10 +529,6 @@ func TestParseYumUpdateinfoAmazon(t *testing.T) { Issued : 2015-12-15 13:30 CVEs : CVE-2016-1494 Description : Package updates are available for Amazon Linux AMI that fix the - : following vulnerabilities: CVE-2016-1494: - : 1295869: - : CVE-2016-1494 python-rsa: Signature forgery using - : Bleichenbacher'06 attack Severity : medium =============================================================================== @@ -571,32 +543,25 @@ Description : Package updates are available for Amazon Linux AMI that fix the : CVE-2015-3195 : CVE-2015-3196 Description : Package updates are available for Amazon Linux AMI that fix the - : following vulnerabilities: CVE-2015-3196: - : 1288326: - : CVE-2015-3196 OpenSSL: Race condition handling PSK - : identify hint A race condition flaw, leading to a - : double free, was found in the way OpenSSL handled - : pre-shared keys (PSKs). A remote attacker could - : use this flaw to crash a multi-threaded SSL/TLS - : client. - : Severity : medium`, []distroAdvisoryCveIDs{ { DistroAdvisory: models.DistroAdvisory{ - AdvisoryID: "ALAS-2016-644", - Severity: "medium", - Issued: issued, + AdvisoryID: "ALAS-2016-644", + Severity: "medium", + Issued: issued, + Description: "Package updates are available for Amazon Linux AMI that fix the ", }, CveIDs: []string{"CVE-2016-1494"}, }, { DistroAdvisory: models.DistroAdvisory{ - AdvisoryID: "ALAS-2015-614", - Severity: "medium", - Issued: issued, - Updated: updated, + AdvisoryID: "ALAS-2015-614", + Severity: "medium", + Issued: issued, + Updated: updated, + Description: "Package updates are available for Amazon Linux AMI that fix the ", }, CveIDs: []string{ "CVE-2015-3194",