
fix(redhat): add rejected vulnerability check for rhsa-xxx #236

Open. Wants to merge 2 commits into main.

Conversation

DmitriyLewen (Contributor) commented Aug 2, 2022

Description

RHSA-xxx advisories aren't checked for rejected status when optimizing, because NVD only contains CVE-xxx.
Added a check for RHSAs.

Related issues

@@ -342,6 +342,15 @@ func parseDefinitions(advisories []redhatOVAL, tests map[string]rpmInfoTest, uni

var cveEntries []CveEntry
for _, cve := range advisory.Metadata.Advisory.Cves {
// get details from NVD
details, err := vs.dbc.GetVulnerabilityDetail(cve.CveID)
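Review bot: the rejected check built on `details, err := vs.dbc.GetVulnerabilityDetail(cve.CveID)` reads whatever other sources have already written for that CVE at the time Red Hat OVAL is parsed, so its outcome changes with source load order and only holds if NVD was inserted first. Record the advisory's related CVE IDs on the entry here instead, and evaluate rejected status in a later pass when the full `map[types.SourceID]types.VulnerabilityDetail` for each CVE is available regardless of order.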
knqyf263 (Collaborator) commented Aug 3, 2022

VulnSrc should be order-agnostic. Your change depends on the order. NVD must be inserted before Red Hat OVAL. I'd suggest adding CveIDs here.
https://github.com/aquasecurity/trivy-db/blob/2bd1364579ec652f8f595c4a61595fd9575e8496/pkg/types/types.go

And check the rejected status of the related CVE-IDs as well here.

```go
import (
	"strings"

	"github.com/aquasecurity/trivy-db/pkg/types"
)

// getRejectedStatus reports whether any of the configured sources describes the
// vulnerability as rejected. `sources` and `rejectVulnerability` are package-level
// values in the vulnerability package: the ordered list of sources to consult and
// the marker string matched against the description.
func getRejectedStatus(details map[types.SourceID]types.VulnerabilityDetail) bool {
	for _, source := range sources {
		d, ok := details[source]
		if !ok {
			continue // this source has no record of the vulnerability
		}
		if strings.Contains(d.Description, rejectVulnerability) {
			return true
		}
	}
	return false
}
```
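An order-agnostic version of the rejected check sketched in the review above, as an added example in Go that is not trivy-db's own code: it assumes minimal stand-in types for `types.SourceID` and `types.VulnerabilityDetail`, an `RHSAAdvisory` that carries its related CVE IDs, and the `** REJECT **` marker NVD places on rejected descriptions. The detail map is consulted after all sources are loaded, so it no longer matters whether NVD or Red Hat OVAL was inserted first.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for trivy-db's types.SourceID and types.VulnerabilityDetail (assumed shape).
type SourceID string
type VulnerabilityDetail struct{ Description string }
const rejectMarker = "** REJECT **"         // prefix NVD puts on a rejected CVE's description
var sources = []SourceID{"nvd", "redhat"} // detail sources consulted for the rejected check

// RHSAAdvisory records its related CVE IDs, as suggested in the review above.
type RHSAAdvisory struct {
	ID     string
	CveIDs []string
}

// isRejected reports whether any consulted source marks the CVE as rejected;
// a CVE unknown to every source is not treated as rejected.
func isRejected(details map[SourceID]VulnerabilityDetail) bool {
	for _, src := range sources {
		if d, ok := details[src]; ok && strings.Contains(d.Description, rejectMarker) {
			return true
		}
	}
	return false
}

// FilterRejected returns the advisory's non-rejected CVE IDs and whether the
// whole advisory should be dropped (every related CVE rejected). It reads a
// detail map built after all sources are loaded, so it is order-agnostic.
func FilterRejected(adv RHSAAdvisory, all map[string]map[SourceID]VulnerabilityDetail) ([]string, bool) {
	var kept []string
	for _, id := range adv.CveIDs {
		if !isRejected(all[id]) {
			kept = append(kept, id)
		}
	}
	return kept, len(kept) == 0
}

func main() {
	// Constructed sample; CVE-2021-20095 is the rejected CVE from the linked issue.
	all := map[string]map[SourceID]VulnerabilityDetail{
		"CVE-2021-20095": {"nvd": {Description: "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."}},
		"CVE-2022-0001":  {"redhat": {Description: "constructed: a flaw was found in foo"}},
	}
	fmt.Println(FilterRejected(RHSAAdvisory{ID: "RHSA-2022:0001", CveIDs: []string{"CVE-2021-20095", "CVE-2022-0001"}}, all))
}
```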

knqyf263 (Collaborator) left a comment

This PR is too complicated. We should consider how to simplify it.

@@ -1,65 +1,65 @@
package redhatoval
package types
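Review bot: the hunk header `@@ -1,65 +1,65 @@` together with `package redhatoval` becoming `package types` moves the whole file to a new package, which changes the import path for every existing consumer of these types, and nothing in the diff says why. State the motivation (the import cycle between redhatoval and db discussed below) in the PR description or commit message, and consider moving only the types the db package needs rather than the entire file.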
Collaborator

Could you tell me the reason why we want to move this package?

Contributor Author

We need to decode the Advisory structure here:

```go
// Keep only the CVEs that are not in the rejected list, rewriting each entry's
// Cves slice in place. `rejectedCve` is the list of rejected CVE IDs passed in
// by the caller; ustrings.InSlice is the project's slice-membership helper.
for i, entry := range advisory.Entries {
	var cves []redhatovaltypes.CveEntry
	for _, cve := range entry.Cves {
		// Include in the database only non-rejected CVEs
		if !ustrings.InSlice(cve.ID, rejectedCve) {
			cves = append(cves, cve)
		}
	}
	advisory.Entries[i].Cves = cves
}
```

This is necessary to remove rejected CVEs from CveEntry.
But we can't import the redhatoval package from the db package, because we would get an import cycle (redhatoval imports db for the PutAdvisoryDetail func).

Comment on lines +83 to +105
// SaveRhsaAdvisoryDetails Extract 'RHSA' advisories from 'advisory-detail'-'Red Hat' bucket and copy them in each
func (dbc Config) SaveRhsaAdvisoryDetails(tx *bolt.Tx, vulnID string, rejectedCve []string) error {
root := tx.Bucket([]byte(advisoryDetailBucket))
if root == nil {
return nil
}

cveBucket := root.Bucket([]byte(vulnID))
if cveBucket == nil {
return nil
}

redHatBucket := cveBucket.Bucket([]byte("Red Hat"))
if redHatBucket == nil {
return nil
}

if err := dbc.saveRhsaAdvisories(tx, redHatBucket, []string{"Red Hat"}, vulnID, rejectedCve); err != nil {
return xerrors.Errorf("walk advisories error: %w", err)
}

return nil
}
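Review bot: `SaveRhsaAdvisoryDetails` returns nil in three places where a bucket is missing (`root == nil`, `cveBucket == nil`, `redHatBucket == nil`), so a caller cannot distinguish "nothing to do" from a vulnID that was never stored, and a missing `advisoryDetailBucket` at the root indicates an uninitialised or corrupt database rather than a normal case; treat at least that first case as an error. The doc comment on the function is also cut off ("copy them in each"), and the `walk advisories error` message should include the vulnID so a failure can be traced back to the advisory that caused it.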
Collaborator

What is this function for...?

Contributor Author

This function finds all Red Hat buckets, decodes them, removes rejected CVEs and saves them to the db as SaveAdvisoryDetails does.

Successfully merging this pull request may close these issues.

Trivy warns "failed to get the vulnerability" about a rejected CVE, CVE-2021-20095
2 participants