436 lines
12 KiB
Go
436 lines
12 KiB
Go
//go:build !scanner
|
|
// +build !scanner
|
|
|
|
package gost
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"strconv"
|
|
"strings"
|
|
|
|
debver "github.com/knqyf263/go-deb-version"
|
|
"golang.org/x/exp/maps"
|
|
"golang.org/x/xerrors"
|
|
|
|
"github.com/future-architect/vuls/logging"
|
|
"github.com/future-architect/vuls/models"
|
|
"github.com/future-architect/vuls/util"
|
|
gostmodels "github.com/vulsio/gost/models"
|
|
)
|
|
|
|
// Ubuntu is Gost client for Ubuntu
|
|
type Ubuntu struct {
|
|
Base
|
|
}
|
|
|
|
func (ubu Ubuntu) supported(version string) bool {
|
|
_, ok := map[string]string{
|
|
"606": "dapper",
|
|
"610": "edgy",
|
|
"704": "feisty",
|
|
"710": "gutsy",
|
|
"804": "hardy",
|
|
"810": "intrepid",
|
|
"904": "jaunty",
|
|
"910": "karmic",
|
|
"1004": "lucid",
|
|
"1010": "maverick",
|
|
"1104": "natty",
|
|
"1110": "oneiric",
|
|
"1204": "precise",
|
|
"1210": "quantal",
|
|
"1304": "raring",
|
|
"1310": "saucy",
|
|
"1404": "trusty",
|
|
"1410": "utopic",
|
|
"1504": "vivid",
|
|
"1510": "wily",
|
|
"1604": "xenial",
|
|
"1610": "yakkety",
|
|
"1704": "zesty",
|
|
"1710": "artful",
|
|
"1804": "bionic",
|
|
"1810": "cosmic",
|
|
"1904": "disco",
|
|
"1910": "eoan",
|
|
"2004": "focal",
|
|
"2010": "groovy",
|
|
"2104": "hirsute",
|
|
"2110": "impish",
|
|
"2204": "jammy",
|
|
"2210": "kinetic",
|
|
"2304": "lunar",
|
|
"2310": "mantic",
|
|
"2404": "noble",
|
|
}[version]
|
|
return ok
|
|
}
|
|
|
|
type cveContent struct {
|
|
cveContent models.CveContent
|
|
fixStatuses models.PackageFixStatuses
|
|
}
|
|
|
|
// DetectCVEs fills cve information that has in Gost
|
|
func (ubu Ubuntu) DetectCVEs(r *models.ScanResult, _ bool) (nCVEs int, err error) {
|
|
if !ubu.supported(strings.Replace(r.Release, ".", "", 1)) {
|
|
logging.Log.Warnf("Ubuntu %s is not supported yet", r.Release)
|
|
return 0, nil
|
|
}
|
|
|
|
if r.Container.ContainerID == "" {
|
|
if r.RunningKernel.Release == "" {
|
|
logging.Log.Warnf("Since the exact kernel release is not available, the vulnerability in the kernel package is not detected.")
|
|
}
|
|
}
|
|
|
|
fixedCVEs, err := ubu.detectCVEsWithFixState(r, true)
|
|
if err != nil {
|
|
return 0, xerrors.Errorf("Failed to detect fixed CVEs. err: %w", err)
|
|
}
|
|
|
|
unfixedCVEs, err := ubu.detectCVEsWithFixState(r, false)
|
|
if err != nil {
|
|
return 0, xerrors.Errorf("Failed to detect unfixed CVEs. err: %w", err)
|
|
}
|
|
|
|
return len(unique(append(fixedCVEs, unfixedCVEs...))), nil
|
|
}
|
|
|
|
func (ubu Ubuntu) detectCVEsWithFixState(r *models.ScanResult, fixed bool) ([]string, error) {
|
|
detects := map[string]cveContent{}
|
|
if ubu.driver == nil {
|
|
urlPrefix, err := util.URLPathJoin(ubu.baseURL, "ubuntu", strings.Replace(r.Release, ".", "", 1), "pkgs")
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("Failed to join URLPath. err: %w", err)
|
|
}
|
|
s := "fixed-cves"
|
|
if !fixed {
|
|
s = "unfixed-cves"
|
|
}
|
|
responses, err := getCvesWithFixStateViaHTTP(r, urlPrefix, s)
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("Failed to get fixed CVEs via HTTP. err: %w", err)
|
|
}
|
|
|
|
for _, res := range responses {
|
|
if !res.request.isSrcPack {
|
|
continue
|
|
}
|
|
|
|
n := strings.NewReplacer("linux-signed", "linux", "linux-meta", "linux").Replace(res.request.packName)
|
|
|
|
if ubu.isKernelSourcePackage(n) {
|
|
isRunning := false
|
|
for _, bn := range r.SrcPackages[res.request.packName].BinaryNames {
|
|
if bn == fmt.Sprintf("linux-image-%s", r.RunningKernel.Release) {
|
|
isRunning = true
|
|
break
|
|
}
|
|
}
|
|
// To detect vulnerabilities in running kernels only, skip if the kernel is not running.
|
|
if !isRunning {
|
|
continue
|
|
}
|
|
}
|
|
|
|
cs := map[string]gostmodels.UbuntuCVE{}
|
|
if err := json.Unmarshal([]byte(res.json), &cs); err != nil {
|
|
return nil, xerrors.Errorf("Failed to unmarshal json. err: %w", err)
|
|
}
|
|
for _, content := range ubu.detect(cs, fixed, models.SrcPackage{Name: res.request.packName, Version: r.SrcPackages[res.request.packName].Version, BinaryNames: r.SrcPackages[res.request.packName].BinaryNames}, fmt.Sprintf("linux-image-%s", r.RunningKernel.Release)) {
|
|
c, ok := detects[content.cveContent.CveID]
|
|
if ok {
|
|
content.fixStatuses = append(content.fixStatuses, c.fixStatuses...)
|
|
}
|
|
detects[content.cveContent.CveID] = content
|
|
}
|
|
}
|
|
} else {
|
|
for _, p := range r.SrcPackages {
|
|
n := strings.NewReplacer("linux-signed", "linux", "linux-meta", "linux").Replace(p.Name)
|
|
|
|
if ubu.isKernelSourcePackage(n) {
|
|
isRunning := false
|
|
for _, bn := range p.BinaryNames {
|
|
if bn == fmt.Sprintf("linux-image-%s", r.RunningKernel.Release) {
|
|
isRunning = true
|
|
break
|
|
}
|
|
}
|
|
// To detect vulnerabilities in running kernels only, skip if the kernel is not running.
|
|
if !isRunning {
|
|
continue
|
|
}
|
|
}
|
|
|
|
var f func(string, string) (map[string]gostmodels.UbuntuCVE, error) = ubu.driver.GetFixedCvesUbuntu
|
|
if !fixed {
|
|
f = ubu.driver.GetUnfixedCvesUbuntu
|
|
}
|
|
cs, err := f(strings.Replace(r.Release, ".", "", 1), n)
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("Failed to get CVEs. release: %s, src package: %s, err: %w", major(r.Release), p.Name, err)
|
|
}
|
|
for _, content := range ubu.detect(cs, fixed, p, fmt.Sprintf("linux-image-%s", r.RunningKernel.Release)) {
|
|
c, ok := detects[content.cveContent.CveID]
|
|
if ok {
|
|
content.fixStatuses = append(content.fixStatuses, c.fixStatuses...)
|
|
}
|
|
detects[content.cveContent.CveID] = content
|
|
}
|
|
}
|
|
}
|
|
|
|
for _, content := range detects {
|
|
v, ok := r.ScannedCves[content.cveContent.CveID]
|
|
if ok {
|
|
if v.CveContents == nil {
|
|
v.CveContents = models.NewCveContents(content.cveContent)
|
|
} else {
|
|
v.CveContents[models.UbuntuAPI] = []models.CveContent{content.cveContent}
|
|
}
|
|
v.Confidences.AppendIfMissing(models.UbuntuAPIMatch)
|
|
} else {
|
|
v = models.VulnInfo{
|
|
CveID: content.cveContent.CveID,
|
|
CveContents: models.NewCveContents(content.cveContent),
|
|
Confidences: models.Confidences{models.UbuntuAPIMatch},
|
|
}
|
|
}
|
|
|
|
for _, s := range content.fixStatuses {
|
|
v.AffectedPackages = v.AffectedPackages.Store(s)
|
|
}
|
|
r.ScannedCves[content.cveContent.CveID] = v
|
|
}
|
|
|
|
return maps.Keys(detects), nil
|
|
}
|
|
|
|
func (ubu Ubuntu) detect(cves map[string]gostmodels.UbuntuCVE, fixed bool, srcPkg models.SrcPackage, runningKernelBinaryPkgName string) []cveContent {
|
|
n := strings.NewReplacer("linux-signed", "linux", "linux-meta", "linux").Replace(srcPkg.Name)
|
|
|
|
var contents []cveContent
|
|
for _, cve := range cves {
|
|
c := cveContent{
|
|
cveContent: *(Ubuntu{}).ConvertToModel(&cve),
|
|
}
|
|
|
|
if fixed {
|
|
for _, p := range cve.Patches {
|
|
for _, rp := range p.ReleasePatches {
|
|
installedVersion := srcPkg.Version
|
|
patchedVersion := rp.Note
|
|
|
|
// https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/generate-oval#n384
|
|
if ubu.isKernelSourcePackage(n) && strings.HasPrefix(srcPkg.Name, "linux-meta") {
|
|
// 5.15.0.1026.30~20.04.16 -> 5.15.0.1026
|
|
ss := strings.Split(installedVersion, ".")
|
|
if len(ss) >= 4 {
|
|
installedVersion = strings.Join(ss[:4], ".")
|
|
}
|
|
|
|
// 5.15.0-1026.30~20.04.16 -> 5.15.0.1026
|
|
lhs, rhs, ok := strings.Cut(patchedVersion, "-")
|
|
if ok {
|
|
patchedVersion = fmt.Sprintf("%s.%s", lhs, strings.Split(rhs, ".")[0])
|
|
}
|
|
}
|
|
|
|
affected, err := ubu.isGostDefAffected(installedVersion, patchedVersion)
|
|
if err != nil {
|
|
logging.Log.Debugf("Failed to parse versions: %s, Ver: %s, Gost: %s", err, installedVersion, patchedVersion)
|
|
continue
|
|
}
|
|
|
|
if affected {
|
|
for _, bn := range srcPkg.BinaryNames {
|
|
if ubu.isKernelSourcePackage(n) && bn != runningKernelBinaryPkgName {
|
|
continue
|
|
}
|
|
c.fixStatuses = append(c.fixStatuses, models.PackageFixStatus{
|
|
Name: bn,
|
|
FixedIn: patchedVersion,
|
|
})
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
for _, bn := range srcPkg.BinaryNames {
|
|
if ubu.isKernelSourcePackage(n) && bn != runningKernelBinaryPkgName {
|
|
continue
|
|
}
|
|
c.fixStatuses = append(c.fixStatuses, models.PackageFixStatus{
|
|
Name: bn,
|
|
FixState: "open",
|
|
NotFixedYet: true,
|
|
})
|
|
}
|
|
}
|
|
|
|
if len(c.fixStatuses) > 0 {
|
|
c.fixStatuses.Sort()
|
|
contents = append(contents, c)
|
|
}
|
|
}
|
|
return contents
|
|
}
|
|
|
|
func (ubu Ubuntu) isGostDefAffected(versionRelease, gostVersion string) (affected bool, err error) {
|
|
vera, err := debver.NewVersion(versionRelease)
|
|
if err != nil {
|
|
return false, xerrors.Errorf("Failed to parse version. version: %s, err: %w", versionRelease, err)
|
|
}
|
|
verb, err := debver.NewVersion(gostVersion)
|
|
if err != nil {
|
|
return false, xerrors.Errorf("Failed to parse version. version: %s, err: %w", gostVersion, err)
|
|
}
|
|
return vera.LessThan(verb), nil
|
|
}
|
|
|
|
// ConvertToModel converts gost model to vuls model
|
|
func (ubu Ubuntu) ConvertToModel(cve *gostmodels.UbuntuCVE) *models.CveContent {
|
|
references := []models.Reference{}
|
|
for _, r := range cve.References {
|
|
if strings.Contains(r.Reference, "https://cve.mitre.org/cgi-bin/cvename.cgi?name=") {
|
|
references = append(references, models.Reference{Source: "CVE", Link: r.Reference})
|
|
} else {
|
|
references = append(references, models.Reference{Link: r.Reference})
|
|
}
|
|
}
|
|
|
|
for _, b := range cve.Bugs {
|
|
references = append(references, models.Reference{Source: "Bug", Link: b.Bug})
|
|
}
|
|
|
|
for _, u := range cve.Upstreams {
|
|
for _, upstreamLink := range u.UpstreamLinks {
|
|
references = append(references, models.Reference{Source: "UPSTREAM", Link: upstreamLink.Link})
|
|
}
|
|
}
|
|
|
|
return &models.CveContent{
|
|
Type: models.UbuntuAPI,
|
|
CveID: cve.Candidate,
|
|
Summary: cve.Description,
|
|
Cvss2Severity: cve.Priority,
|
|
Cvss3Severity: cve.Priority,
|
|
SourceLink: fmt.Sprintf("https://ubuntu.com/security/%s", cve.Candidate),
|
|
References: references,
|
|
Published: cve.PublicDate,
|
|
}
|
|
}
|
|
|
|
// https://git.launchpad.net/ubuntu-cve-tracker/tree/scripts/cve_lib.py#n931
|
|
func (ubu Ubuntu) isKernelSourcePackage(pkgname string) bool {
|
|
switch ss := strings.Split(pkgname, "-"); len(ss) {
|
|
case 1:
|
|
return pkgname == "linux"
|
|
case 2:
|
|
if ss[0] != "linux" {
|
|
return false
|
|
}
|
|
switch ss[1] {
|
|
case "armadaxp", "mako", "manta", "flo", "goldfish", "joule", "raspi", "raspi2", "snapdragon", "aws", "azure", "bluefield", "dell300x", "gcp", "gke", "gkeop", "ibm", "lowlatency", "kvm", "oem", "oracle", "euclid", "hwe", "riscv":
|
|
return true
|
|
default:
|
|
_, err := strconv.ParseFloat(ss[1], 64)
|
|
return err == nil
|
|
}
|
|
case 3:
|
|
if ss[0] != "linux" {
|
|
return false
|
|
}
|
|
switch ss[1] {
|
|
case "ti":
|
|
return ss[2] == "omap4"
|
|
case "raspi", "raspi2", "gke", "gkeop", "ibm", "oracle", "riscv":
|
|
_, err := strconv.ParseFloat(ss[2], 64)
|
|
return err == nil
|
|
case "aws":
|
|
switch ss[2] {
|
|
case "hwe", "edge":
|
|
return true
|
|
default:
|
|
_, err := strconv.ParseFloat(ss[2], 64)
|
|
return err == nil
|
|
}
|
|
case "azure":
|
|
switch ss[2] {
|
|
case "fde", "edge":
|
|
return true
|
|
default:
|
|
_, err := strconv.ParseFloat(ss[2], 64)
|
|
return err == nil
|
|
}
|
|
case "gcp":
|
|
switch ss[2] {
|
|
case "edge":
|
|
return true
|
|
default:
|
|
_, err := strconv.ParseFloat(ss[2], 64)
|
|
return err == nil
|
|
}
|
|
case "intel":
|
|
switch ss[2] {
|
|
case "iotg":
|
|
return true
|
|
default:
|
|
_, err := strconv.ParseFloat(ss[2], 64)
|
|
return err == nil
|
|
}
|
|
case "oem":
|
|
switch ss[2] {
|
|
case "osp1":
|
|
return true
|
|
default:
|
|
_, err := strconv.ParseFloat(ss[2], 64)
|
|
return err == nil
|
|
}
|
|
case "lts":
|
|
return ss[2] == "xenial"
|
|
case "hwe":
|
|
switch ss[2] {
|
|
case "edge":
|
|
return true
|
|
default:
|
|
_, err := strconv.ParseFloat(ss[2], 64)
|
|
return err == nil
|
|
}
|
|
default:
|
|
return false
|
|
}
|
|
case 4:
|
|
if ss[0] != "linux" {
|
|
return false
|
|
}
|
|
switch ss[1] {
|
|
case "azure":
|
|
if ss[2] != "fde" {
|
|
return false
|
|
}
|
|
_, err := strconv.ParseFloat(ss[3], 64)
|
|
return err == nil
|
|
case "intel":
|
|
if ss[2] != "iotg" {
|
|
return false
|
|
}
|
|
_, err := strconv.ParseFloat(ss[3], 64)
|
|
return err == nil
|
|
case "lowlatency":
|
|
if ss[2] != "hwe" {
|
|
return false
|
|
}
|
|
_, err := strconv.ParseFloat(ss[3], 64)
|
|
return err == nil
|
|
default:
|
|
return false
|
|
}
|
|
default:
|
|
return false
|
|
}
|
|
}
|