bump up version

* fix(report): kernel vulns detection in Ubuntu

* fix(ubuntu): remove linux-* to detect only running kernel vulns

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+github: kotakanbe

config/config.go

@@ -17,7 +17,7 @@ import (
 )
 
 // Version of Vuls
-var Version = "0.9.1"
+var Version = "0.9.3"
 
 // Revision of Git
 var Revision string

models/vulninfos.go

@@ -567,6 +567,13 @@ func (v VulnInfo) PatchStatus(packs Packages) string {
 			return "unfixed"
 		}
 
+		// Fast and offline mode can not get the candidate version.
+		// Vuls can be considered as 'fixed' if not-fixed-yet==true and
+		// the fixed-in-version (information in the oval) is not an empty.
+		if p.FixedIn != "" {
+			continue
+		}
+
 		// fast, offline mode doesn't have new version
 		if pack, ok := packs[p.Name]; ok {
 			if pack.NewVersion == "" {

oval/debian.go

@@ -2,6 +2,7 @@ package oval
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/future-architect/vuls/config"
 	"github.com/future-architect/vuls/models"
@@ -189,61 +190,107 @@ func (o Ubuntu) FillWithOval(driver db.DB, r *models.ScanResult) (nCVEs int, err
 	switch major(r.Release) {
 	case "14":
 		kernelNamesInOval := []string{
-			"linux",
 			"linux-aws",
 			"linux-azure",
-			"linux-firmware",
-			"linux-lts-utopic",
-			"linux-lts-vivid",
-			"linux-lts-wily",
 			"linux-lts-xenial",
+			"linux-meta",
+			"linux-meta-aws",
+			"linux-meta-azure",
+			"linux-meta-lts-xenial",
+			"linux-signed",
+			"linux-signed-azure",
+			"linux-signed-lts-xenial",
+			"linux",
 		}
 		return o.fillWithOval(driver, r, kernelNamesInOval)
 	case "16":
 		kernelNamesInOval := []string{
-			"linux-image-aws",
-			"linux-image-aws-hwe",
-			"linux-image-azure",
-			"linux-image-extra-virtual",
-			"linux-image-extra-virtual-lts-utopic",
-			"linux-image-extra-virtual-lts-vivid",
-			"linux-image-extra-virtual-lts-wily",
-			"linux-image-extra-virtual-lts-xenial",
-			"linux-image-gcp",
-			"linux-image-generic-lpae",
-			"linux-image-generic-lpae-hwe-16.04",
-			"linux-image-generic-lpae-lts-utopic",
-			"linux-image-generic-lpae-lts-vivid",
-			"linux-image-generic-lpae-lts-wily",
-			"linux-image-generic-lpae-lts-xenial",
-			"linux-image-generic-lts-utopic",
-			"linux-image-generic-lts-vivid",
-			"linux-image-generic-lts-wily",
-			"linux-image-generic-lts-xenial",
-			"linux-image-gke",
-			"linux-image-hwe-generic-trusty",
-			"linux-image-hwe-virtual-trusty",
-			"linux-image-kvm",
-			"linux-image-lowlatency",
-			"linux-image-lowlatency-lts-utopic",
-			"linux-image-lowlatency-lts-vivid",
-			"linux-image-lowlatency-lts-wily",
+			"linux-aws",
+			"linux-aws-hwe",
+			"linux-azure",
+			"linux-euclid",
+			"linux-flo",
+			"linux-gcp",
+			"linux-gke",
+			"linux-goldfish",
+			"linux-hwe",
+			"linux-kvm",
+			"linux-mako",
+			"linux-meta",
+			"linux-meta-aws",
+			"linux-meta-aws-hwe",
+			"linux-meta-azure",
+			"linux-meta-gcp",
+			"linux-meta-hwe",
+			"linux-meta-kvm",
+			"linux-meta-oracle",
+			"linux-meta-raspi2",
+			"linux-meta-snapdragon",
+			"linux-oem",
+			"linux-oracle",
+			"linux-raspi2",
+			"linux-signed",
+			"linux-signed-azure",
+			"linux-signed-gcp",
+			"linux-signed-hwe",
+			"linux-signed-oracle",
+			"linux-snapdragon",
+			"linux",
 		}
 		return o.fillWithOval(driver, r, kernelNamesInOval)
 	case "18":
 		kernelNamesInOval := []string{
-			"linux-image-aws",
-			"linux-image-azure",
-			"linux-image-extra-virtual",
-			"linux-image-gcp",
-			"linux-image-generic-lpae",
-			"linux-image-kvm",
-			"linux-image-lowlatency",
-			"linux-image-oem",
-			"linux-image-oracle",
-			"linux-image-raspi2",
-			"linux-image-snapdragon",
-			"linux-image-virtual",
+			"linux-aws",
+			"linux-aws-5.0",
+			"linux-azure",
+			"linux-gcp",
+			"linux-gcp-5.3",
+			"linux-gke-4.15",
+			"linux-gke-5.0",
+			"linux-gke-5.3",
+			"linux-hwe",
+			"linux-kvm",
+			"linux-meta",
+			"linux-meta-aws",
+			"linux-meta-aws-5.0",
+			"linux-meta-azure",
+			"linux-meta-gcp",
+			"linux-meta-gcp-5.3",
+			"linux-meta-gke-4.15",
+			"linux-meta-gke-5.0",
+			"linux-meta-gke-5.3",
+			"linux-meta-hwe",
+			"linux-meta-kvm",
+			"linux-meta-oem",
+			"linux-meta-oem-osp1",
+			"linux-meta-oracle",
+			"linux-meta-oracle-5.0",
+			"linux-meta-oracle-5.3",
+			"linux-meta-raspi2",
+			"linux-meta-raspi2-5.3",
+			"linux-meta-snapdragon",
+			"linux-oem",
+			"linux-oem-osp1",
+			"linux-oracle",
+			"linux-oracle-5.0",
+			"linux-oracle-5.3",
+			"linux-raspi2",
+			"linux-raspi2-5.3",
+			"linux-signed",
+			"linux-signed-azure",
+			"linux-signed-gcp",
+			"linux-signed-gcp-5.3",
+			"linux-signed-gke-4.15",
+			"linux-signed-gke-5.0",
+			"linux-signed-gke-5.3",
+			"linux-signed-hwe",
+			"linux-signed-oem",
+			"linux-signed-oem-osp1",
+			"linux-signed-oracle",
+			"linux-signed-oracle-5.0",
+			"linux-signed-oracle-5.3",
+			"linux-snapdragon",
+			"linux",
 		}
 		return o.fillWithOval(driver, r, kernelNamesInOval)
 	}
@@ -251,12 +298,12 @@ func (o Ubuntu) FillWithOval(driver db.DB, r *models.ScanResult) (nCVEs int, err
 }
 
 func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOval []string) (nCVEs int, err error) {
-	// kernel names in OVAL except for linux-image-generic
 	linuxImage := "linux-image-" + r.RunningKernel.Release
 	runningKernelVersion := ""
 	kernelPkgInOVAL := ""
-	isOVALKernelPkgAdded := true
+	isOVALKernelPkgAdded := false
 	unusedKernels := []models.Package{}
+	copiedSourcePkgs := models.SrcPackages{}
 
 	if r.Container.ContainerID == "" {
 		if v, ok := r.Packages[linuxImage]; ok {
@@ -281,17 +328,31 @@ func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOv
 			}
 		}
 
-		if kernelPkgInOVAL == "" {
-			if r.Release == "14" {
-				kernelPkgInOVAL = "linux"
-			} else if _, ok := r.Packages["linux-image-generic"]; !ok {
-				util.Log.Warnf("The OVAL name of the running kernel image %s is not found. So vulns of linux-image-generic wll be detected. server: %s",
-					r.RunningKernel.Version, r.ServerName)
-				kernelPkgInOVAL = "linux-image-generic"
-			} else {
-				isOVALKernelPkgAdded = false
+		// Remove linux-* in order to detect only vulnerabilities in the running kernel.
+		for n := range r.Packages {
+			if n != kernelPkgInOVAL && strings.HasPrefix(n, "linux-") {
+				unusedKernels = append(unusedKernels, r.Packages[n])
+				delete(r.Packages, n)
 			}
 		}
+		for srcPackName, srcPack := range r.SrcPackages {
+			copiedSourcePkgs[srcPackName] = srcPack
+			targetBianryNames := []string{}
+			for _, n := range srcPack.BinaryNames {
+				if n == kernelPkgInOVAL || !strings.HasPrefix(n, "linux-") {
+					targetBianryNames = append(targetBianryNames, n)
+				}
+			}
+			srcPack.BinaryNames = targetBianryNames
+			r.SrcPackages[srcPackName] = srcPack
+		}
+
+		if kernelPkgInOVAL == "" {
+			util.Log.Warnf("The OVAL name of the running kernel image %+v is not found. So vulns of `linux` wll be detected. server: %s",
+				r.RunningKernel, r.ServerName)
+			kernelPkgInOVAL = "linux"
+			isOVALKernelPkgAdded = true
+		}
 
 		if runningKernelVersion != "" {
 			r.Packages[kernelPkgInOVAL] = models.Package{
@@ -318,6 +379,7 @@ func (o Ubuntu) fillWithOval(driver db.DB, r *models.ScanResult, kernelNamesInOv
 	for _, p := range unusedKernels {
 		r.Packages[p.Name] = p
 	}
+	r.SrcPackages = copiedSourcePkgs
 
 	for _, defPacks := range relatedDefs.entries {
 		// Remove "linux" added above for searching oval