From 03800bdff603fbc33c8aa55b89b40d5d373adcfc Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 11 Jul 2023 09:22:56 +0600 Subject: [PATCH 1/9] add arch support --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 168 ++++-- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 70 +++ .../oval/oracle/2022/ELSA-2022-4803.json | 510 ++++++++++++++++++ pkg/vulnsrc/oracle-oval/types.go | 1 + 4 files changed, 704 insertions(+), 45 deletions(-) create mode 100644 pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 860bae0d..5a2f1ef0 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -3,6 +3,8 @@ package oracleoval import ( "encoding/json" "fmt" + "github.com/samber/lo" + "golang.org/x/exp/slices" "io" "log" "path/filepath" @@ -33,10 +35,11 @@ var ( ) type PutInput struct { - VulnID string // CVE-ID or ELSA-ID - Vuln types.VulnerabilityDetail // vulnerability detail such as CVSS and description - Advisories map[AffectedPackage]types.Advisory // pkg => advisory - OVAL OracleOVAL // for extensibility, not used in trivy-db + VulnID string // CVE-ID or ELSA-ID + PlatformName string // Oracle Linux 5/6/7... + Vuln types.VulnerabilityDetail // vulnerability detail such as CVSS and description + Advisories map[string]types.Advisories // pkgName => advisories + OVAL OracleOVAL // for extensibility, not used in trivy-db } type DB interface { @@ -110,6 +113,9 @@ func (vs *VulnSrc) put(ovals []OracleOVAL) error { } func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { + foundPlatformNames := map[string]struct{}{} + // platform => cveID => PutInput + savedInputs := map[string]map[string]PutInput{} for _, oval := range ovals { elsaID := strings.Split(oval.Title, ":")[0] 
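Review bot: The new imports `"github.com/samber/lo"` and `"golang.org/x/exp/slices"` are inserted into the standard-library group between `"fmt"` and `"io"`, where goimports would instead place them in a separate third-party group below the stdlib block. `lo` appears to be pulled in only for the single `lo.FindIndexOf` call in commit, which a short index loop over `adv.Entries` replaces without widening the module's dependency surface; whether `lo` is already a direct dependency of this module is not visible here. If the module targets Go 1.21 or later, the standard-library `slices` package already provides `slices.Contains`, so `golang.org/x/exp/slices` would not be needed either.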
@@ -121,46 +127,106 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { vulnIDs = append(vulnIDs, elsaID) } - advisories := map[AffectedPackage]types.Advisory{} - affectedPkgs := walkOracle(oval.Criteria, "", []AffectedPackage{}) - for _, affectedPkg := range affectedPkgs { - if affectedPkg.Package.Name == "" { - continue - } - - platformName := affectedPkg.PlatformName() - if !ustrings.InSlice(platformName, targetPlatforms) { - continue - } - - if err := vs.PutDataSource(tx, platformName, source); err != nil { - return xerrors.Errorf("failed to put data source: %w", err) - } - - advisories[affectedPkg] = types.Advisory{ - FixedVersion: affectedPkg.Package.FixedVersion, + for _, vulnID := range vulnIDs { + affectedPkgs := walkOracle(oval.Criteria, "", "", []AffectedPackage{}) + for _, affectedPkg := range affectedPkgs { + pkgName := affectedPkg.Package.Name + if pkgName == "" { + continue + } + + platformName := affectedPkg.PlatformName() + if !ustrings.InSlice(platformName, targetPlatforms) { + continue + } + + // save unique platform name + // will save datasources for these platforms later + if _, ok := foundPlatformNames[platformName]; !ok { + foundPlatformNames[platformName] = struct{}{} + } + + input := PutInput{ + Advisories: map[string]types.Advisories{}, + } + savedPlatformVulns := map[string]PutInput{} + if savedVulns, ok := savedInputs[platformName]; ok { + savedPlatformVulns = savedVulns + if in, ok := savedVulns[vulnID]; ok { + input = in + } + } + + entry := types.Advisory{ + FixedVersion: affectedPkg.Package.FixedVersion, + Arches: []string{affectedPkg.Arch}, + VendorIDs: []string{elsaID}, + } + + // if the advisory for this package and CVE have been kept - just add the new architecture + if adv, ok := input.Advisories[pkgName]; ok { + // update `fixedVersion` if `fixedVersion` for `x86_64` was not previously saved + adv.FixedVersion = fixedVersion(adv.FixedVersion, entry.FixedVersion, affectedPkg.Arch) + + old, i, found := 
lo.FindIndexOf(adv.Entries, func(adv types.Advisory) bool { + return adv.FixedVersion == entry.FixedVersion + }) + + // If the advisory with the same fixed version and ELSA-ID is present - just add the new architecture + if found { + if !slices.Contains(old.Arches, affectedPkg.Arch) { + adv.Entries[i].Arches = append(old.Arches, affectedPkg.Arch) + } + if !slices.Contains(old.VendorIDs, elsaID) { + adv.Entries[i].VendorIDs = append(old.VendorIDs, elsaID) + } + input.Advisories[pkgName] = adv + } else if !found { + adv.Entries = append(adv.Entries, entry) + input.Advisories[pkgName] = adv + } + } else { + input.Advisories[pkgName] = types.Advisories{ + // will save `0.0.0` version for non-`x86_64` arch + // to avoid false positives when using old Trivy with new database + FixedVersion: fixedVersion("0.0.0", entry.FixedVersion, affectedPkg.Arch), // For backward compatibility + Entries: []types.Advisory{entry}, + } + } + if len(input.Advisories) == 0 { + continue + } + + var references []string + for _, ref := range oval.References { + references = append(references, ref.URI) + } + + vuln := types.VulnerabilityDetail{ + Description: oval.Description, + References: referencesFromContains(references, []string{elsaID, vulnID}), + Title: oval.Title, + Severity: severityFromThreat(oval.Severity), + } + + input.VulnID = vulnID + input.Vuln = vuln + input.PlatformName = platformName + + savedPlatformVulns[vulnID] = input + savedInputs[platformName] = savedPlatformVulns } } + } - var references []string - for _, ref := range oval.References { - references = append(references, ref.URI) + for platformName := range foundPlatformNames { + if err := vs.PutDataSource(tx, platformName, source); err != nil { + return xerrors.Errorf("failed to put data source: %w", err) } - - for _, vulnID := range vulnIDs { - vuln := types.VulnerabilityDetail{ - Description: oval.Description, - References: referencesFromContains(references, []string{elsaID, vulnID}), - Title: oval.Title, - Severity: 
severityFromThreat(oval.Severity), - } - - err := vs.Put(tx, PutInput{ - VulnID: vulnID, - Vuln: vuln, - Advisories: advisories, - OVAL: oval, - }) + } + for _, pkgs := range savedInputs { + for _, input := range pkgs { + err := vs.Put(tx, input) if err != nil { return xerrors.Errorf("db put error: %w", err) } @@ -180,9 +246,8 @@ func (o *Oracle) Put(tx *bolt.Tx, input PutInput) error { return xerrors.Errorf("failed to save %s: %w", input.VulnID, err) } - for pkg, advisory := range input.Advisories { - platformName := pkg.PlatformName() - if err := o.PutAdvisoryDetail(tx, input.VulnID, pkg.Package.Name, []string{platformName}, advisory); err != nil { + for pkgName, advisory := range input.Advisories { + if err := o.PutAdvisoryDetail(tx, input.VulnID, pkgName, []string{input.PlatformName}, advisory); err != nil { return xerrors.Errorf("failed to save Oracle Linux advisory: %w", err) } } @@ -198,12 +263,15 @@ func (o *Oracle) Get(release string, pkgName string) ([]types.Advisory, error) { return advisories, nil } -func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPackage { +func walkOracle(cri Criteria, osVer, arch string, pkgs []AffectedPackage) []AffectedPackage { for _, c := range cri.Criterions { if strings.HasPrefix(c.Comment, "Oracle Linux ") && strings.HasSuffix(c.Comment, " is installed") { osVer = strings.TrimSuffix(strings.TrimPrefix(c.Comment, "Oracle Linux "), " is installed") } + if strings.HasPrefix(c.Comment, "Oracle Linux arch is ") { + arch = strings.TrimPrefix(c.Comment, "Oracle Linux arch is ") + } ss := strings.Split(c.Comment, " is earlier than ") if len(ss) != 2 { continue @@ -211,6 +279,7 @@ func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPa pkgs = append(pkgs, AffectedPackage{ OSVer: osVer, + Arch: arch, Package: Package{ Name: ss[0], FixedVersion: version.NewVersion(ss[1]).String(), 
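Review bot: `input.OVAL` is never populated in the rebuilt PutInput — the removed `vs.Put(tx, PutInput{..., OVAL: oval})` carried it and the struct still documents the field "for extensibility" — so every Put now receives a zero OracleOVAL; either set `input.OVAL = oval` next to `input.PlatformName = platformName` (accepting that the last OVAL seen wins when several ELSAs share a platform and vulnID) or drop the field and its comment so the contract is honest. `walkOracle(oval.Criteria, "", "", []AffectedPackage{})` does not depend on `vulnID`, so it can be hoisted above `for _, vulnID := range vulnIDs` instead of re-walking the criteria tree once per ID. The guard `if len(input.Advisories) == 0 { continue }` is unreachable because both branches above it assign `input.Advisories[pkgName]`, `} else if !found {` is simply `} else {`, and the closure parameter in `lo.FindIndexOf(adv.Entries, func(adv types.Advisory) bool` shadows the outer `adv`, which is easy to misread. The commit function starts before this hunk and its closing lines fall after it.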
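Review bot: The arch is only picked up when the `Oracle Linux arch is ` criterion is visited before the package criterions that depend on it — earlier in the same `cri.Criterions` slice or in an enclosing criteria handed down through the new `arch` parameter — so a package criterion listed ahead of a sibling arch criterion keeps the inherited value, which may be empty. The fixture added in this patch places the arch criterion at the parent level, so it works there, but the order dependency mirrors the existing osVer handling and deserves a comment such as `// osVer and arch are inherited from enclosing criteria; a criterion that appears before its sibling platform/arch criterion keeps the inherited value`. The text after the prefix is stored verbatim, so any unexpected arch string flows into `Advisory.Arches` unchecked; if consumers depend on a fixed set of names, say so in a comment or validate it here. walkOracle's body continues past this hunk.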
@@ -219,7 +288,7 @@ func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPa } for _, c := range cri.Criterias { - pkgs = walkOracle(c, osVer, pkgs) + pkgs = walkOracle(c, osVer, arch, pkgs) } return pkgs } @@ -249,3 +318,12 @@ func severityFromThreat(sev string) types.Severity { } return types.SeverityUnknown } + +// fixedVersion checks for the arch and only updates version for `x86_64` +// only used for types.Advisories.FixedVersion for backward compatibility +func fixedVersion(prevVersion, newVersion, arch string) string { + if arch == "x86_64" || arch == "noarch" { + return newVersion + } + return prevVersion +} diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 846cb4cd..9c609fbe 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go 
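Review bot: The doc comment on `fixedVersion` says it only updates the version for `x86_64`, but the condition `arch == "x86_64" || arch == "noarch"` also accepts `noarch`, so the comment understates what the function does. Suggest `// fixedVersion returns newVersion when arch is x86_64 or noarch and prevVersion otherwise.` followed by `// It only feeds types.Advisories.FixedVersion, which is kept for clients that predate per-arch entries.` Note also that when both an x86_64 and a noarch criterion for the same package occur in one OVAL, the caller in commit overwrites `adv.FixedVersion` on each match, so whichever is walked last wins; if that is not intended, x86_64 should take precedence explicitly.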
@@ -195,6 +195,76 @@ func TestVulnSrc_Update(t *testing.T) { }, }, }, + { + name: "happy path multi arch", + dir: filepath.Join("testdata", "multi-arch"), + wantValues: []vulnsrctest.WantValues{ + { + Key: []string{"data-source", "Oracle Linux 5"}, + Value: types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"}, + Value: types.Advisory{ + FixedVersion: "30:9.3.3-8.el5", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-devel"}, + Value: types.Advisory{ + FixedVersion: "30:9.3.3-8.el5", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-sdb"}, + Value: types.Advisory{ + FixedVersion: "30:9.3.3-8.el5", + }, + }, + { + Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-sdb"}, + Value: types.Advisory{ + FixedVersion: "30:9.3.3-8.el5", + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2007-0493", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", + Description: "[30:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", + References: []string{ + "http://linux.oracle.com/cve/CVE-2007-0493.html", + "http://linux.oracle.com/errata/ELSA-2007-0057.html", + }, + Severity: types.SeverityMedium, + }, + }, + { + Key: []string{"vulnerability-detail", "CVE-2007-0494", "oracle-oval"}, + Value: types.VulnerabilityDetail{ + Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", + Description: "[30:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 
- CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", + References: []string{ + "http://linux.oracle.com/cve/CVE-2007-0494.html", + "http://linux.oracle.com/errata/ELSA-2007-0057.html", + }, + Severity: types.SeverityMedium, + }, + }, + { + Key: []string{"vulnerability-id", "CVE-2007-0493"}, + Value: map[string]interface{}{}, + }, + { + Key: []string{"vulnerability-id", "CVE-2007-0494"}, + Value: map[string]interface{}{}, + }, + }, + }, { name: "happy path ELSA-ID", dir: filepath.Join("testdata", "elsa-id"), diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json new file mode 100644 index 00000000..892ca3c2 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json 
@@ -0,0 +1,510 @@ +{ + "Title": "ELSA-2022-4803: rsyslog security update (IMPORTANT)", + "Description": "[8.24.0-57.0.4.el7_9.3]\n- Newer gcc complains about implicit declaration of prctl. Added header file to quiesce the compiler\n\n[8.24.0-57.3]\n- Address CVE-2022-24903, Heap-based overflow in TCP syslog server\n resolves: rhbz#2081395", + "Platform": [ + "Oracle Linux 7" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2022-4803.html", + "ID": "ELSA-2022-4803" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2022-24903.html", + "ID": "CVE-2022-24903" + } + ], + "Criteria": { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-gnutls is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-gnutls is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-gssapi is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-gssapi is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-kafka is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-kafka is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmjsonparse is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-mmjsonparse is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + 
"Criterions": [ + { + "Comment": "rsyslog-mysql is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-mysql is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-pgsql is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-pgsql is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-relp is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-relp is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-crypto is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-crypto is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-doc is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-doc is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-elasticsearch is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-elasticsearch is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-libdbi is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-libdbi is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmaudit is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-mmaudit is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmkubernetes is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-mmkubernetes is signed with the Oracle Linux 7 
key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmnormalize is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-mmnormalize is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmsnmptrapd is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-mmsnmptrapd is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-snmp is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-snmp is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-udpspoof is earlier than 0:8.24.0-57.0.4.el7_9.3" + }, + { + "Comment": "rsyslog-udpspoof is signed with the Oracle Linux 7 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is aarch64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-gnutls is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-gnutls is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-gssapi is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-gssapi is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-kafka is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-kafka is signed 
with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmjsonparse is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-mmjsonparse is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mysql is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-mysql is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-pgsql is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-pgsql is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-relp is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-relp is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-crypto is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-crypto is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-doc is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-doc is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-elasticsearch is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-elasticsearch is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-libdbi is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-libdbi is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmaudit is earlier than 
0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-mmaudit is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmkubernetes is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-mmkubernetes is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmnormalize is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-mmnormalize is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-mmsnmptrapd is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-mmsnmptrapd is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-snmp is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-snmp is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "rsyslog-udpspoof is earlier than 0:8.24.0-57.0.1.el7_9.3" + }, + { + "Comment": "rsyslog-udpspoof is signed with the Oracle Linux 7 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 7 is installed" + } + ] + }, + "Severity": "IMPORTANT", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2022-24903.html", + "ID": "CVE-2022-24903" + } + ], + "Issued": { + "Date": "2022-05-31" + } +} \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/types.go b/pkg/vulnsrc/oracle-oval/types.go index c3da7ec9..95a79f08 100644 --- a/pkg/vulnsrc/oracle-oval/types.go +++ b/pkg/vulnsrc/oracle-oval/types.go 
@@ -43,6 +43,7 @@ type Package struct { type AffectedPackage struct { Package Package OSVer string + Arch string } type Date struct { From db17c9d4abf2650dbb0972fe8cd87a19a4234f1b Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 11 Jul 2023 10:39:42 +0600 Subject: [PATCH 2/9] update tests --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 9 +- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 267 ++++++++---- .../oval/oracle/2007/ELSA-2007-0057.json | 26 +- .../oval/oracle/2007/ELSA-2007-0057.json | 6 +- .../oval/oracle/2022/ELSA-2022-4803.json | 408 ------------------ .../oval/oracle/0001/ELSA-0001-0001.json | 55 --- 6 files changed, 220 insertions(+), 551 deletions(-) delete mode 100644 pkg/vulnsrc/oracle-oval/testdata/unknown-platform/vuln-list/oval/oracle/0001/ELSA-0001-0001.json diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 5a2f1ef0..33ed0ca8 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -114,7 +114,7 @@ func (vs *VulnSrc) put(ovals []OracleOVAL) error { func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { foundPlatformNames := map[string]struct{}{} - // platform => cveID => PutInput + // platform => vulnID => PutInput savedInputs := map[string]map[string]PutInput{} for _, oval := range ovals { elsaID := strings.Split(oval.Title, ":")[0] @@ -131,7 +131,12 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { affectedPkgs := walkOracle(oval.Criteria, "", "", []AffectedPackage{}) for _, affectedPkg := range affectedPkgs { pkgName := affectedPkg.Package.Name - if pkgName == "" { + // there are cases when advisory doesn't have arch + // it looks as bug + // because CVE doesn't contain this ELSA + // e.g. https://linux.oracle.com/errata/ELSA-2018-0013.html + // https://linux.oracle.com/cve/CVE-2017-5715.html + if pkgName == "" || affectedPkg.Arch == "" { continue } 
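Review bot: The new `affectedPkg.Arch == ""` condition drops the whole package from the advisory silently, and the comment above it explains the cause in broken English ("it looks as bug"). Because a skipped package means a vulnerable install is never flagged, make the skip observable, e.g. `log.Printf("skipping %s in %s: no arch criterion", pkgName, elsaID)` (`log` is already imported in this file), or at minimum reword the comment to `// Some advisories carry no arch criterion; this looks like an upstream data bug (the CVE page does not list the ELSA, e.g. ELSA-2018-0013 / CVE-2017-5715), so the package is skipped.` If the condition turns out to be common across the dataset, a per-package log line would be noisy and a single summary count after the loop is the better fit. commit's body continues outside this hunk.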
diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 9c609fbe..2e195629 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -37,26 +37,70 @@ func TestVulnSrc_Update(t *testing.T) { }, { Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "30:9.3.3-8.el5", + Entries: []types.Advisory{ + { + FixedVersion: "30:9.3.3-8.el5", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2007-0057", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-devel"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "30:9.3.3-8.el5", + Entries: []types.Advisory{ + { + FixedVersion: "30:9.3.3-8.el5", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2007-0057", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-sdb"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "30:9.3.3-8.el5", + Entries: []types.Advisory{ + { + FixedVersion: "30:9.3.3-8.el5", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2007-0057", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-sdb"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "30:9.3.3-8.el5", + Entries: []types.Advisory{ + { + FixedVersion: "30:9.3.3-8.el5", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2007-0057", + }, + }, + }, }, }, { 
@@ -115,50 +159,138 @@ func TestVulnSrc_Update(t *testing.T) { }, { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-doc"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el6uek", + Entries: []types.Advisory{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2019-4510", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-doc"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el6uek", + Entries: []types.Advisory{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2019-4510", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 6", "kernel-uek-firmware"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el6uek", + Entries: []types.Advisory{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2019-4510", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 6", "kernel-uek-firmware"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el6uek", + Entries: []types.Advisory{ + { + FixedVersion: "4.1.12-124.24.3.el6uek", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2019-4510", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-doc"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el7uek", + Entries: []types.Advisory{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2019-4510", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-doc"}, - Value: types.Advisory{ + Value: 
types.Advisories{ FixedVersion: "4.1.12-124.24.3.el7uek", + Entries: []types.Advisory{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2019-4510", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2018-1094", "Oracle Linux 7", "kernel-uek-firmware"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el7uek", + Entries: []types.Advisory{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2019-4510", + }, + }, + }, }, }, { Key: []string{"advisory-detail", "CVE-2018-19824", "Oracle Linux 7", "kernel-uek-firmware"}, - Value: types.Advisory{ + Value: types.Advisories{ FixedVersion: "4.1.12-124.24.3.el7uek", + Entries: []types.Advisory{ + { + FixedVersion: "4.1.12-124.24.3.el7uek", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2019-4510", + }, + }, + }, }, }, { @@ -200,7 +332,7 @@ func TestVulnSrc_Update(t *testing.T) { dir: filepath.Join("testdata", "multi-arch"), wantValues: []vulnsrctest.WantValues{ { - Key: []string{"data-source", "Oracle Linux 5"}, + Key: []string{"data-source", "Oracle Linux 7"}, Value: types.DataSource{ ID: vulnerability.OracleOVAL, Name: "Oracle Linux OVAL definitions", 
@@ -208,59 +340,45 @@ func TestVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"}, - Value: types.Advisory{ - FixedVersion: "30:9.3.3-8.el5", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-devel"}, - Value: types.Advisory{ - FixedVersion: "30:9.3.3-8.el5", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-sdb"}, - Value: types.Advisory{ - FixedVersion: "30:9.3.3-8.el5", - }, - }, - { - Key: []string{"advisory-detail", "CVE-2007-0494", "Oracle Linux 5", "bind-sdb"}, - Value: types.Advisory{ - FixedVersion: "30:9.3.3-8.el5", - }, - }, - { - Key: []string{"vulnerability-detail", "CVE-2007-0493", "oracle-oval"}, - Value: types.VulnerabilityDetail{ - Title: "ELSA-2007-0057: Moderate: bind security update (MODERATE)", - Description: "[30:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", - References: []string{ - "http://linux.oracle.com/cve/CVE-2007-0493.html", - "http://linux.oracle.com/errata/ELSA-2007-0057.html", + Key: []string{"advisory-detail", "CVE-2022-24903", "Oracle Linux 7", "rsyslog"}, + Value: types.Advisories{ + FixedVersion: "8.24.0-57.0.1.el7_9.3", + Entries: []types.Advisory{ + { + FixedVersion: "8.24.0-57.0.4.el7_9.3", + Arches: []string{ + "aarch64", + }, + VendorIDs: []string{ + "ELSA-2022-4803", + }, + }, + { + FixedVersion: "8.24.0-57.0.1.el7_9.3", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2022-4803", + }, + }, }, - Severity: types.SeverityMedium, }, }, { - Key: []string{"vulnerability-detail", "CVE-2007-0494", "oracle-oval"}, + Key: []string{"vulnerability-detail", "CVE-2022-24903", string(vulnerability.OracleOVAL)}, Value: types.VulnerabilityDetail{ - Title: "ELSA-2007-0057: Moderate: 
bind security update (MODERATE)", - Description: "[30:9.3.3-8]\n - added fix for #224445 - CVE-2007-0493 BIND might crash after\n attempting to read free()-ed memory\n - added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service\n - Resolves: rhbz#224445\n - Resolves: rhbz#225229", + Title: "ELSA-2022-4803: rsyslog security update (IMPORTANT)", + Description: "[8.24.0-57.0.4.el7_9.3]\n- Newer gcc complains about implicit declaration of prctl. Added header file to quiesce the compiler\n\n[8.24.0-57.3]\n- Address CVE-2022-24903, Heap-based overflow in TCP syslog server\n resolves: rhbz#2081395", References: []string{ - "http://linux.oracle.com/cve/CVE-2007-0494.html", - "http://linux.oracle.com/errata/ELSA-2007-0057.html", + "https://linux.oracle.com/cve/CVE-2022-24903.html", + "https://linux.oracle.com/errata/ELSA-2022-4803.html", }, - Severity: types.SeverityMedium, + Severity: types.SeverityHigh, }, }, { - Key: []string{"vulnerability-id", "CVE-2007-0493"}, - Value: map[string]interface{}{}, - }, - { - Key: []string{"vulnerability-id", "CVE-2007-0494"}, + Key: []string{"vulnerability-id", "CVE-2022-24903"}, Value: map[string]interface{}{}, }, }, @@ -279,8 +397,19 @@ func TestVulnSrc_Update(t *testing.T) { }, { Key: []string{"advisory-detail", "ELSA-2007-0057", "Oracle Linux 5", "bind-devel"}, - Value: types.Advisory{ - FixedVersion: "9.3.3-8.el5", + Value: types.Advisories{ + FixedVersion: "30:9.3.3-8.el5", + Entries: []types.Advisory{ + { + FixedVersion: "30:9.3.3-8.el5", + Arches: []string{ + "x86_64", + }, + VendorIDs: []string{ + "ELSA-2007-0057", + }, + }, + }, }, }, { 
@@ -300,28 +429,6 @@ func TestVulnSrc_Update(t *testing.T) { }, }, }, - { - name: "unknown platform", - dir: filepath.Join("testdata", "unknown-platform"), - wantValues: []vulnsrctest.WantValues{ - { - Key: []string{"vulnerability-detail", "CVE-0001-0001", "oracle-oval"}, - Value: types.VulnerabilityDetail{ - Title: "ELSA-0001-0001: Moderate: empty security update (N/A)", - Description: "empty description", - References: []string{ - "http://linux.oracle.com/cve/CVE-0001-0001.html", - "http://linux.oracle.com/errata/ELSA-0001-0001.html", - }, - Severity: types.SeverityUnknown, - }, - }, - { - Key: []string{"vulnerability-id", "CVE-0001-0001"}, - Value: map[string]interface{}{}, - }, - }, - }, { name: "sad path (dir doesn't exist)", dir: filepath.Join("testdata", "badPath"), diff --git a/pkg/vulnsrc/oracle-oval/testdata/elsa-id/vuln-list/oval/oracle/2007/ELSA-2007-0057.json b/pkg/vulnsrc/oracle-oval/testdata/elsa-id/vuln-list/oval/oracle/2007/ELSA-2007-0057.json index 6bc24178..437ab51a 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/elsa-id/vuln-list/oval/oracle/2007/ELSA-2007-0057.json +++ b/pkg/vulnsrc/oracle-oval/testdata/elsa-id/vuln-list/oval/oracle/2007/ELSA-2007-0057.json @@ -24,13 +24,29 @@ "Criterias": [ { "Operator": "AND", - "Criterias": null, - "Criterions": [ + "Criterias": [ { - "Comment": "bind-devel is earlier than 0:9.3.3-8.el5" - }, + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bind-devel is earlier than 30:9.3.3-8.el5" + }, + { + "Comment": "bind-devel is signed with the Oracle Linux 5 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ { - "Comment": "bind-devel is signed with the Oracle Linux 5 key" + "Comment": "Oracle Linux arch is x86_64" } ] } 
diff --git a/pkg/vulnsrc/oracle-oval/testdata/happy/vuln-list/oval/oracle/2007/ELSA-2007-0057.json b/pkg/vulnsrc/oracle-oval/testdata/happy/vuln-list/oval/oracle/2007/ELSA-2007-0057.json index 3270ce52..728d39a5 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/happy/vuln-list/oval/oracle/2007/ELSA-2007-0057.json +++ b/pkg/vulnsrc/oracle-oval/testdata/happy/vuln-list/oval/oracle/2007/ELSA-2007-0057.json @@ -66,7 +66,11 @@ ] } ], - "Criterions": null + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] } ], "Criterions": [ diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json index 892ca3c2..8bcfa5c7 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json +++ b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json 
@@ -39,210 +39,6 @@ "Comment": "rsyslog is signed with the Oracle Linux 7 key" } ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-gnutls is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-gnutls is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-gssapi is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-gssapi is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-kafka is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-kafka is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmjsonparse is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-mmjsonparse is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mysql is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-mysql is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-pgsql is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-pgsql is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-relp is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-relp is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-crypto is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-crypto is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": 
"rsyslog-doc is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-doc is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-elasticsearch is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-elasticsearch is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-libdbi is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-libdbi is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmaudit is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-mmaudit is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmkubernetes is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-mmkubernetes is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmnormalize is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-mmnormalize is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmsnmptrapd is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-mmsnmptrapd is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-snmp is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-snmp is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-udpspoof is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog-udpspoof is signed with the Oracle Linux 7 key" 
- } - ] } ], "Criterions": null 
@@ -271,210 +67,6 @@ "Comment": "rsyslog is signed with the Oracle Linux 7 key" } ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-gnutls is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-gnutls is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-gssapi is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-gssapi is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-kafka is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-kafka is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmjsonparse is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-mmjsonparse is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mysql is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-mysql is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-pgsql is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-pgsql is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-relp is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-relp is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-crypto is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-crypto is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": 
"rsyslog-doc is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-doc is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-elasticsearch is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-elasticsearch is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-libdbi is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-libdbi is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmaudit is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-mmaudit is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmkubernetes is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-mmkubernetes is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmnormalize is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-mmnormalize is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-mmsnmptrapd is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-mmsnmptrapd is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-snmp is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-snmp is signed with the Oracle Linux 7 key" - } - ] - }, - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog-udpspoof is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog-udpspoof is signed with the Oracle Linux 7 key" 
- } - ] } ], "Criterions": null diff --git a/pkg/vulnsrc/oracle-oval/testdata/unknown-platform/vuln-list/oval/oracle/0001/ELSA-0001-0001.json b/pkg/vulnsrc/oracle-oval/testdata/unknown-platform/vuln-list/oval/oracle/0001/ELSA-0001-0001.json deleted file mode 100644 index 27c613e8..00000000 --- a/pkg/vulnsrc/oracle-oval/testdata/unknown-platform/vuln-list/oval/oracle/0001/ELSA-0001-0001.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "Title": "ELSA-0001-0001: Moderate: empty security update (N/A)", - "Description": "empty description", - "Platform": [ - "Oracle Linux 1" - ], - "References": [ - { - "Source": "elsa", - "URI": "http://linux.oracle.com/errata/ELSA-0001-0001.html", - "ID": "ELSA-0001-0001" - }, - { - "Source": "CVE", - "URI": "http://linux.oracle.com/cve/CVE-0001-0001.html", - "ID": "CVE-0001-0001" - } - ], - "Criteria": { - "Operator": "AND", - "Criterias": [ - { - "Operator": "OR", - "Criterias": [ - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "test is earlier than 30:9.3.3-8.el5" - }, - { - "Comment": "test is signed with the Oracle Linux 5 key" - } - ] - } - ], - "Criterions": null - } - ], - "Criterions": [ - { - "Comment": "Oracle Linux 1 is installed" - } - ] - }, - "Severity": "N/A", - "Cves": [ - { - "Impact": "", - "Href": "http://linux.oracle.com/cve/CVE-0001-0001.html", - "ID": "CVE-0001-0001" - } - ] -} From 52820a45597173aa89528144d6c6d89c4a4bed9a Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 11 Jul 2023 15:13:26 +0600 Subject: [PATCH 3/9] update Get function --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 36 +++++++++++++++-- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 39 ++++++++++++------- .../testdata/fixtures/data-source.yaml | 7 ++++ 3 files changed, 65 insertions(+), 17 deletions(-) create mode 100644 pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 33ed0ca8..184d5a62 100644 
--- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -45,7 +45,7 @@ type PutInput struct { type DB interface { db.Operation Put(*bolt.Tx, PutInput) error - Get(release, pkgName string) ([]types.Advisory, error) + Get(release, pkgName, arch string) ([]types.Advisory, error) } type VulnSrc struct { @@ -259,12 +259,40 @@ func (o *Oracle) Put(tx *bolt.Tx, input PutInput) error { return nil } -func (o *Oracle) Get(release string, pkgName string) ([]types.Advisory, error) { +func (o *Oracle) Get(release string, pkgName, arch string) ([]types.Advisory, error) { bucket := fmt.Sprintf(platformFormat, release) - advisories, err := o.GetAdvisories(bucket, pkgName) + rawAdvisories, err := o.ForEachAdvisory([]string{bucket}, pkgName) if err != nil { - return nil, xerrors.Errorf("failed to get Oracle Linux advisories: %w", err) + return nil, xerrors.Errorf("unable to iterate advisories: %w", err) } + var advisories []types.Advisory + for vulnID, v := range rawAdvisories { + var adv types.Advisories + if err = json.Unmarshal(v.Content, &adv); err != nil { + return nil, xerrors.Errorf("failed to unmarshal advisory JSON: %w", err) + } + + // For backward compatibility + // The old trivy-db has no entries, but has fixed versions only. + if len(adv.Entries) == 0 { + advisories = append(advisories, types.Advisory{ + VulnerabilityID: vulnID, + FixedVersion: adv.FixedVersion, + DataSource: &v.Source, + }) + continue + } + + for _, entry := range adv.Entries { + if !slices.Contains(entry.Arches, arch) { + continue + } + entry.VulnerabilityID = vulnID + entry.DataSource = &v.Source + advisories = append(advisories, entry) + } + } + return advisories, nil } diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 2e195629..75d4da98 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go 
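Review bot: In the new Get, both `DataSource: &v.Source` and `entry.DataSource = &v.Source` take the address of the range variable `v`; under pre-1.22 loop semantics (the module's Go version is not visible here) every advisory returned by one call then shares a single pointer whose contents are whatever the last iteration left in `v`, and even with per-iteration variables the pointer keeps the whole `v` value reachable. Copying the field first, `src := v.Source` at the top of the loop body, and returning `&src` in both branches avoids that. A smaller point: an empty `arch` silently drops every new-schema entry, because `slices.Contains(entry.Arches, "")` is never true, while old-schema rows are still returned; a doc comment such as `// Get returns advisories for pkgName on the given Oracle Linux release, limited to entries that list arch; rows without per-arch entries (old schema) are returned regardless of arch.` would make that asymmetry explicit for callers.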
@@ -1,7 +1,12 @@ -package oracleoval +package oracleoval_test import ( + "github.com/aquasecurity/trivy-db/pkg/db" + "github.com/aquasecurity/trivy-db/pkg/dbtest" + oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval" "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "os" "path/filepath" "testing" @@ -442,7 +447,7 @@ func TestVulnSrc_Update(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - vs := NewVulnSrc() + vs := oracleoval.NewVulnSrc() vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{ Dir: tt.dir, WantValues: tt.wantValues, @@ -458,20 +463,27 @@ func TestVulnSrc_Get(t *testing.T) { fixtures []string version string pkgName string + arch string want []types.Advisory - wantErr string + wantErr require.ErrorAssertionFunc }{ { name: "happy path", - fixtures: []string{"testdata/fixtures/happy.yaml"}, + fixtures: []string{"testdata/fixtures/happy.yaml", "testdata/fixtures/data-source.yaml"}, version: "8", pkgName: "bind", want: []types.Advisory{ { VulnerabilityID: "ELSA-2019-1145", FixedVersion: "32:9.11.4-17.P2.el8_0", + DataSource: &types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, }, }, + wantErr: require.NoError, }, { name: "no advisories are returned", 
@@ -479,25 +491,26 @@ func TestVulnSrc_Get(t *testing.T) { version: "8", pkgName: "no-package", want: nil, + wantErr: require.NoError, }, { name: "GetAdvisories returns an error", fixtures: []string{"testdata/fixtures/sad.yaml"}, version: "8", pkgName: "bind", - wantErr: "failed to unmarshal advisory JSON", + wantErr: require.Error, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - vs := NewVulnSrc() - vulnsrctest.TestGet(t, vs, vulnsrctest.TestGetArgs{ - Fixtures: tt.fixtures, - WantValues: tt.want, - Release: tt.version, - PkgName: tt.pkgName, - WantErr: tt.wantErr, - }) + _ = dbtest.InitDB(t, tt.fixtures) + defer db.Close() + + vs := oracleoval.NewVulnSrc() + got, err := vs.Get(tt.version, tt.pkgName, tt.arch) + + tt.wantErr(t, err) + assert.Equal(t, tt.want, got) }) } } diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml new file mode 100644 index 00000000..7eef13b6 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml @@ -0,0 +1,7 @@ +- bucket: data-source + pairs: + - key: Oracle Linux 8 + value: + ID: "oracle-oval" + Name: "Oracle Linux OVAL definitions" + URL: "https://linux.oracle.com/security/oval/" \ No newline at end of file From ff4a8e1644f13973a05d5f4a407cd658f7ad783e Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Wed, 12 Jul 2023 08:51:48 +0600 Subject: [PATCH 4/9] update Get tests --- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 51 ++++++++++++++++++- .../testdata/fixtures/data-source.yaml | 7 +++ .../oracle-oval/testdata/fixtures/happy.yaml | 30 ++++++++++- .../oracle-oval/testdata/fixtures/old.yaml | 7 +++ 4 files changed, 91 insertions(+), 4 deletions(-) create mode 100644 pkg/vulnsrc/oracle-oval/testdata/fixtures/old.yaml diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 75d4da98..14d502dc 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go 
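Review bot: The error case is loosened to `wantErr: require.Error`, so the test no longer pins which failure is produced, and its name "GetAdvisories returns an error" refers to a call the rewritten Get no longer makes (it iterates with ForEachAdvisory). A closure keeps the previous precision without changing the table's type: `wantErr: func(t require.TestingT, err error, _ ...interface{}) { require.ErrorContains(t, err, "failed to unmarshal advisory JSON") },`. Renaming the case to something like "advisory JSON cannot be unmarshalled" would keep it in step with the code. The enclosing TestVulnSrc_Get starts outside the hunk.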
+++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -468,10 +468,57 @@ func TestVulnSrc_Get(t *testing.T) { wantErr require.ErrorAssertionFunc }{ { - name: "happy path", + name: "the same fixed version", fixtures: []string{"testdata/fixtures/happy.yaml", "testdata/fixtures/data-source.yaml"}, version: "8", pkgName: "bind", + arch: "x86_64", + want: []types.Advisory{ + { + VulnerabilityID: "CVE-2018-5743", + FixedVersion: "32:9.11.4-17.P2.el8_0", + Arches: []string{ + "aarch64", + "x86_64", + }, + VendorIDs: []string{"ELSA-2019-1145"}, + DataSource: &types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + }, + wantErr: require.NoError, + }, + { + name: "different fixed versions for different arches", + fixtures: []string{"testdata/fixtures/happy.yaml", "testdata/fixtures/data-source.yaml"}, + version: "7", + pkgName: "rsyslog", + arch: "aarch64", + want: []types.Advisory{ + { + VulnerabilityID: "CVE-2022-24903", + FixedVersion: "8.24.0-57.0.4.el7_9.3", + Arches: []string{ + "aarch64", + }, + VendorIDs: []string{"ELSA-2022-4803"}, + DataSource: &types.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + }, + wantErr: require.NoError, + }, + { + name: "old schema, no entries", + fixtures: []string{"testdata/fixtures/old.yaml", "testdata/fixtures/data-source.yaml"}, + version: "8", + pkgName: "bind", want: []types.Advisory{ { VulnerabilityID: "ELSA-2019-1145", @@ -487,7 +534,7 @@ func TestVulnSrc_Get(t *testing.T) { }, { name: "no advisories are returned", - fixtures: []string{"testdata/fixtures/happy.yaml"}, + fixtures: []string{"testdata/fixtures/old.yaml"}, version: "8", pkgName: "no-package", want: nil, diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml index 7eef13b6..659386ed 100644 
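Review bot: None of the new cases exercises the negative side of the arch filter: "no advisories are returned" now uses old.yaml with a non-existent package, so a new-schema row whose entries list no matching arch (for example `pkgName: "rsyslog"`, `version: "7"`, `arch: "i386"` against happy.yaml, expecting `want: nil`) is never checked. That is the path where `slices.Contains(entry.Arches, arch)` rejects every entry, and it is also the path an empty `arch` takes, so one such case would document the intended result. The "old schema, no entries" case leaves `arch` unset, which is presumably deliberate; a one-line comment on that case saying the old schema ignores arch would stop a reader from reading it as an omission. TestVulnSrc_Get starts outside the hunk.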
--- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/data-source.yaml @@ -1,6 +1,13 @@ - bucket: data-source pairs: - key: Oracle Linux 8 + value: + ID: "oracle-oval" + Name: "Oracle Linux OVAL definitions" + URL: "https://linux.oracle.com/security/oval/" +- bucket: data-source + pairs: + - key: Oracle Linux 7 value: ID: "oracle-oval" Name: "Oracle Linux OVAL definitions" diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml index 05fb8b16..bf1860cf 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml @@ -2,6 +2,32 @@ pairs: - bucket: bind pairs: - - key: ELSA-2019-1145 + - key: CVE-2018-5743 value: - FixedVersion: "32:9.11.4-17.P2.el8_0" + FixedVersion: 32:9.11.4-17.P2.el8_0 + Entries: + - FixedVersion: 32:9.11.4-17.P2.el8_0 + Arches: + - aarch64 + - x86_64 + VendorIds: + - ELSA-2019-1145 +- bucket: Oracle Linux 7 + pairs: + - bucket: rsyslog + pairs: + - key: CVE-2022-24903 + value: + FixedVersion: 8.24.0-57.0.1.el7_9.3 + Entries: + - FixedVersion: 8.24.0-57.0.1.el7_9.3 + Arches: + - x86_64 + VendorIds: + - ELSA-2022-4803 + - FixedVersion: 8.24.0-57.0.4.el7_9.3 + Arches: + - aarch64 + VendorIds: + - ELSA-2022-4803 + diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/old.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/old.yaml new file mode 100644 index 00000000..31f7a7e9 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/old.yaml @@ -0,0 +1,7 @@ +- bucket: Oracle Linux 8 + pairs: + - bucket: bind + pairs: + - key: ELSA-2019-1145 + value: + FixedVersion: 32:9.11.4-17.P2.el8_0 From 1458dd1cc492cc13b4908b6c5e977e73711fe150 Mon Sep 17 00:00:00 2001 
From: DmitriyLewen Date: Tue, 8 Oct 2024 15:31:49 +0600 Subject: [PATCH 5/9] fix: linter errors --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 3 +-- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 8 ++++---- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index c212bba6..045f8c66 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -9,9 +9,8 @@ import ( "slices" "strings" - "github.com/samber/lo" - version "github.com/knqyf263/go-rpm-version" + "github.com/samber/lo" bolt "go.etcd.io/bbolt" "golang.org/x/xerrors" diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 96bad2ef..7007066f 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -5,16 +5,16 @@ import ( "path/filepath" "testing" - "github.com/aquasecurity/trivy-db/pkg/db" - "github.com/aquasecurity/trivy-db/pkg/dbtest" - oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval" - "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/aquasecurity/trivy-db/pkg/db" + "github.com/aquasecurity/trivy-db/pkg/dbtest" "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy-db/pkg/utils" + oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" + "github.com/aquasecurity/trivy-db/pkg/vulnsrctest" ) func TestMain(m *testing.M) { From f3168f161f361a72d369bd4c5553969cf770baf9 Mon Sep 17 00:00:00 2001 
From: DmitriyLewen Date: Wed, 16 Oct 2024 13:54:43 +0600 Subject: [PATCH 6/9] refactor: don't save vendorIDs --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 4 -- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 47 ------------------- .../oracle-oval/testdata/fixtures/happy.yaml | 6 --- 3 files changed, 57 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 045f8c66..6f2f6933 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -165,7 +165,6 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { entry := types.Advisory{ FixedVersion: affectedPkg.Package.FixedVersion, Arches: []string{affectedPkg.Arch}, - VendorIDs: []string{elsaID}, } // if the advisory for this package and CVE have been kept - just add the new architecture @@ -182,9 +181,6 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { if !slices.Contains(old.Arches, affectedPkg.Arch) { adv.Entries[i].Arches = append(old.Arches, affectedPkg.Arch) } - if !slices.Contains(old.VendorIDs, elsaID) { - adv.Entries[i].VendorIDs = append(old.VendorIDs, elsaID) - } input.Advisories[pkgName] = adv } else if !found { adv.Entries = append(adv.Entries, entry) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index 7007066f..a4b25fd3 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -51,9 +51,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2007-0057", - }, }, }, }, @@ -68,9 +65,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2007-0057", - }, }, }, }, @@ -85,9 +79,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2007-0057", - }, }, }, }, 
@@ -102,9 +93,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2007-0057", - }, }, }, }, @@ -173,9 +161,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2019-4510", - }, }, }, }, @@ -190,9 +175,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2019-4510", - }, }, }, }, @@ -207,9 +189,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2019-4510", - }, }, }, }, @@ -224,9 +203,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2019-4510", - }, }, }, }, @@ -241,9 +217,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2019-4510", - }, }, }, }, @@ -258,9 +231,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2019-4510", - }, }, }, }, @@ -275,9 +245,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2019-4510", - }, }, }, }, @@ -292,9 +259,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2019-4510", - }, }, }, }, @@ -355,18 +319,12 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "aarch64", }, - VendorIDs: []string{ - "ELSA-2022-4803", - }, }, { FixedVersion: "8.24.0-57.0.1.el7_9.3", Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2022-4803", - }, }, }, }, @@ -411,9 +369,6 @@ func TestVulnSrc_Update(t *testing.T) { Arches: []string{ "x86_64", }, - VendorIDs: []string{ - "ELSA-2007-0057", - }, }, }, }, @@ -482,7 +437,6 @@ func TestVulnSrc_Get(t *testing.T) { "aarch64", "x86_64", }, - VendorIDs: []string{"ELSA-2019-1145"}, DataSource: &types.DataSource{ ID: vulnerability.OracleOVAL, Name: "Oracle Linux OVAL definitions", 
@@ -505,7 +459,6 @@ func TestVulnSrc_Get(t *testing.T) { Arches: []string{ "aarch64", }, - VendorIDs: []string{"ELSA-2022-4803"}, DataSource: &types.DataSource{ ID: vulnerability.OracleOVAL, Name: "Oracle Linux OVAL definitions", diff --git a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml index bf1860cf..4377c9fc 100644 --- a/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml +++ b/pkg/vulnsrc/oracle-oval/testdata/fixtures/happy.yaml @@ -10,8 +10,6 @@ Arches: - aarch64 - x86_64 - VendorIds: - - ELSA-2019-1145 - bucket: Oracle Linux 7 pairs: - bucket: rsyslog @@ -23,11 +21,7 @@ - FixedVersion: 8.24.0-57.0.1.el7_9.3 Arches: - x86_64 - VendorIds: - - ELSA-2022-4803 - FixedVersion: 8.24.0-57.0.4.el7_9.3 Arches: - aarch64 - VendorIds: - - ELSA-2022-4803 From 41ae6532b25b98e70d6f46735efdfd73b30345be Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Mon, 21 Oct 2024 17:51:38 +0600 Subject: [PATCH 7/9] fix: remove extra versions --- pkg/vulnsrc/oracle-oval/oracle-oval.go | 48 ++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go index 6f2f6933..4c29d300 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go @@ -7,6 +7,7 @@ import ( "log" "path/filepath" "slices" + "sort" "strings" version "github.com/knqyf263/go-rpm-version" @@ -182,7 +183,7 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { adv.Entries[i].Arches = append(old.Arches, affectedPkg.Arch) } input.Advisories[pkgName] = adv - } else if !found { + } else { adv.Entries = append(adv.Entries, entry) input.Advisories[pkgName] = adv } 
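Review bot: Replacing `} else if !found {` with `} else {` is only behaviour-preserving if the branch it pairs with tests nothing but `found`; that `if` starts outside the hunk, so this cannot be confirmed from here. If the preceding condition also checks something else, the unconditional `else` would now append a second entry for a fixed version that already exists in `adv.Entries`. A short comment on the `else`, such as `// no entry with this fixed version yet: start one for this arch`, would record the assumption the simplification relies on.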
@@ -225,8 +226,13 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { return xerrors.Errorf("failed to put data source: %w", err) } } - for _, pkgs := range savedInputs { - for _, input := range pkgs { + inputs := lo.Entries(savedInputs) + sort.Slice(inputs, func(i, j int) bool { + return inputs[i].Key < inputs[j].Key // sort by platform + }) + for _, entry := range inputs { + for _, input := range entry.Value { + input = removeExtraVersions(input) err := vs.Put(tx, input) if err != nil { return xerrors.Errorf("db put error: %w", err) @@ -237,6 +243,42 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error { return nil } +func removeExtraVersions(input PutInput) PutInput { + for pkgName, adv := range input.Advisories { + // arch -> fixedVersion + fixedVersions := map[string]string{} + for _, entry := range adv.Entries { + for _, arch := range entry.Arches { + fixedVersions[arch] = entry.FixedVersion + if arch == "x86_64" { + adv.FixedVersion = entry.FixedVersion + } + } + } + var entries []types.Advisory + for arch, fixedVer := range fixedVersions { + if i := slices.IndexFunc(entries, func(advisory types.Advisory) bool { + return advisory.FixedVersion == fixedVer + }); i != -1 { + entries[i].Arches = append(entries[i].Arches, arch) + slices.Sort(entries[i].Arches) + } else { + entries = append(entries, types.Advisory{ + FixedVersion: fixedVer, + Arches: []string{arch}, + }) + } + } + + sort.Slice(entries, func(i, j int) bool { + return entries[i].Arches[0] < entries[j].Arches[0] + }) + adv.Entries = entries + input.Advisories[pkgName] = adv + } + return input +} + func (o *Oracle) Put(tx *bolt.Tx, input PutInput) error { if err := o.PutVulnerabilityDetail(tx, input.VulnID, source.ID, input.Vuln); err != nil { return xerrors.Errorf("failed to save Oracle Linux OVAL vulnerability: %w", err) From 8b82d5e5dbbed373af0ebf0d4db4d0301424a5ca Mon Sep 17 00:00:00 2001 
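Review bot: removeExtraVersions resolves an arch that appears in several entries with different fixed versions by last-write-wins on `fixedVersions[arch]`, i.e. whichever entry sits last in `adv.Entries`, and nothing in the function or its name says so; the multi-arch expectations in the later test commit appear to depend on exactly this ordering rather than on rpm version comparison. A comment at the top of the loop would pin the contract, e.g. `// An arch listed by several entries keeps the fixed version of the entry that comes last in adv.Entries; adv.FixedVersion mirrors the x86_64 entry for consumers that predate per-arch entries.`, and the repeated `"x86_64"` literal (also used by the fixedVersion helper in commit) would read better as one named constant. In the first hunk, only the outer map is sorted (`// sort by platform`) while `for _, input := range entry.Value` still ranges over a map, so Put order within a platform remains random; if deterministic writes were the goal, sort the inner entries by vulnerability ID as well. The `sort` import is new while `slices` is already imported; `slices.SortFunc` with `cmp.Compare` would avoid it, though that is purely a style preference.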
From: DmitriyLewen Date: Mon, 21 Oct 2024 17:51:44 +0600 Subject: [PATCH 8/9] test: update tests --- pkg/vulnsrc/oracle-oval/oracle-oval_test.go | 25 +- .../oval/oracle/2014/ELSA-2014-1306.json | 286 ++++++++++++++++++ .../oval/oracle/2014/ELSA-2014-3077.json | 112 +++++++ .../oval/oracle/2022/ELSA-2022-4803.json | 102 ------- 4 files changed, 411 insertions(+), 114 deletions(-) create mode 100644 pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2014/ELSA-2014-1306.json create mode 100644 pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2014/ELSA-2014-3077.json delete mode 100644 pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go index a4b25fd3..7c39927c 100644 --- a/pkg/vulnsrc/oracle-oval/oracle-oval_test.go +++ b/pkg/vulnsrc/oracle-oval/oracle-oval_test.go @@ -302,7 +302,7 @@ func TestVulnSrc_Update(t *testing.T) { dir: filepath.Join("testdata", "multi-arch"), wantValues: []vulnsrctest.WantValues{ { - Key: []string{"data-source", "Oracle Linux 7"}, + Key: []string{"data-source", "Oracle Linux 5"}, Value: types.DataSource{ ID: vulnerability.OracleOVAL, Name: "Oracle Linux OVAL definitions", @@ -310,19 +310,20 @@ func TestVulnSrc_Update(t *testing.T) { }, }, { - Key: []string{"advisory-detail", "CVE-2022-24903", "Oracle Linux 7", "rsyslog"}, + Key: []string{"advisory-detail", "CVE-2014-7169", "Oracle Linux 5", "bash"}, Value: types.Advisories{ - FixedVersion: "8.24.0-57.0.1.el7_9.3", + FixedVersion: "3.2-33.el5.1.0.1", Entries: []types.Advisory{ { - FixedVersion: "8.24.0-57.0.4.el7_9.3", + FixedVersion: "3.2-33.el5.1.0.2", Arches: []string{ - "aarch64", + "i386", }, }, { - FixedVersion: "8.24.0-57.0.1.el7_9.3", + FixedVersion: "3.2-33.el5.1.0.1", Arches: []string{ + "ia64", "x86_64", }, }, 
@@ -330,19 +331,19 @@ func TestVulnSrc_Update(t *testing.T) {
 },
 },
 {
- Key: []string{"vulnerability-detail", "CVE-2022-24903", string(vulnerability.OracleOVAL)},
+ Key: []string{"vulnerability-detail", "CVE-2014-7169", string(vulnerability.OracleOVAL)},
 Value: types.VulnerabilityDetail{
- Title: "ELSA-2022-4803: rsyslog security update (IMPORTANT)",
- Description: "[8.24.0-57.0.4.el7_9.3]\n- Newer gcc complains about implicit declaration of prctl. Added header file to quiesce the compiler\n\n[8.24.0-57.3]\n- Address CVE-2022-24903, Heap-based overflow in TCP syslog server\n resolves: rhbz#2081395",
+ Title: "ELSA-2014-1306: bash security update (IMPORTANT)",
+ Description: "[4.2.45-5.4]\n- CVE-2014-7169\n Resolves: #1146324\n\n[4.2.45-5.3]\n- amend patch to match upstream's\n Related: #1146324\n\n[4.2.45-5.2]\n- Fix-up the patch\n Related: #1141647",
 References: []string{
- "https://linux.oracle.com/cve/CVE-2022-24903.html",
- "https://linux.oracle.com/errata/ELSA-2022-4803.html",
+ "https://linux.oracle.com/cve/CVE-2014-7169.html",
+ "https://linux.oracle.com/errata/ELSA-2014-1306.html",
 },
 Severity: types.SeverityHigh,
 },
 },
 {
- Key: []string{"vulnerability-id", "CVE-2022-24903"},
+ Key: []string{"vulnerability-id", "CVE-2014-7169"},
 Value: map[string]interface{}{},
 },
 },
diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2014/ELSA-2014-1306.json b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2014/ELSA-2014-1306.json
new file mode 100644
index 00000000..1041d750
--- /dev/null
+++ b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2014/ELSA-2014-1306.json
@@ -0,0 +1,286 @@ +{ + "Title": "ELSA-2014-1306: bash security update (IMPORTANT)", + "Description": "[4.2.45-5.4]\n- CVE-2014-7169\n Resolves: #1146324\n\n[4.2.45-5.3]\n- amend patch to match upstream's\n Related: #1146324\n\n[4.2.45-5.2]\n- Fix-up the patch\n Related: #1141647", + "Platform": [ + "Oracle Linux 5", + "Oracle Linux 6", + "Oracle Linux 7" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2014-1306.html", + "ID": "ELSA-2014-1306" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2014-7186.html", + "ID": "CVE-2014-7186" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2014-7169.html", + "ID": "CVE-2014-7169" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2014-7187.html", + "ID": "CVE-2014-7187" + } + ], + "Criteria": { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:3.2-33.el5_11.4" + }, + { + "Comment": "bash is signed with the Oracle Linux 5 key" + } + ] + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is ia64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:3.2-33.el5_11.4" + }, + { + "Comment": "bash is signed with the Oracle Linux 5 key" + } + ] + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:3.2-33.el5_11.4" + }, + { + "Comment": "bash is signed with the Oracle Linux 5 key" + } + ] + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is i386" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ 
+ { + "Comment": "Oracle Linux 5 is installed" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:4.1.2-15.el6_5.2" + }, + { + "Comment": "bash is signed with the Oracle Linux 6 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash-doc is earlier than 0:4.1.2-15.el6_5.2" + }, + { + "Comment": "bash-doc is signed with the Oracle Linux 6 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:4.1.2-15.el6_5.2" + }, + { + "Comment": "bash is signed with the Oracle Linux 6 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash-doc is earlier than 0:4.1.2-15.el6_5.2" + }, + { + "Comment": "bash-doc is signed with the Oracle Linux 6 key" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is i686" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 6 is installed" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:4.2.45-5.el7_0.4" + }, + { + "Comment": "bash is signed with the Oracle Linux 7 key" + } + ] + }, + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash-doc is earlier than 0:4.2.45-5.el7_0.4" + }, + { + "Comment": "bash-doc is signed with the Oracle Linux 7 key" + 
} + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 7 is installed" + } + ] + } + ], + "Criterions": null + }, + "Severity": "IMPORTANT", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2014-7186.html", + "ID": "CVE-2014-7186" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2014-7169.html", + "ID": "CVE-2014-7169" + }, + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2014-7187.html", + "ID": "CVE-2014-7187" + } + ], + "Issued": { + "Date": "2014-09-25" + } +} \ No newline at end of file diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2014/ELSA-2014-3077.json b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2014/ELSA-2014-3077.json new file mode 100644 index 00000000..08bc82b9 --- /dev/null +++ b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2014/ELSA-2014-3077.json 
@@ -0,0 +1,112 @@ +{ + "Title": "ELSA-2014-3077: bash security update (CRITICAL)", + "Description": "[3.2-33.1.0.1]\n- Preliminary fix for CVE-2014-7169", + "Platform": [ + "Oracle Linux 5" + ], + "References": [ + { + "Source": "elsa", + "URI": "https://linux.oracle.com/errata/ELSA-2014-3077.html", + "ID": "ELSA-2014-3077" + }, + { + "Source": "CVE", + "URI": "https://linux.oracle.com/cve/CVE-2014-7169.html", + "ID": "CVE-2014-7169" + } + ], + "Criteria": { + "Operator": "AND", + "Criterias": [ + { + "Operator": "OR", + "Criterias": [ + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:3.2-33.el5.1.0.1" + }, + { + "Comment": "bash is signed with the Oracle Linux 5 key" + } + ] + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is ia64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:3.2-33.el5.1.0.1" + }, + { + "Comment": "bash is signed with the Oracle Linux 5 key" + } + ] + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is x86_64" + } + ] + }, + { + "Operator": "AND", + "Criterias": [ + { + "Operator": "AND", + "Criterias": null, + "Criterions": [ + { + "Comment": "bash is earlier than 0:3.2-33.el5.1.0.2" + }, + { + "Comment": "bash is signed with the Oracle Linux 5 key" + } + ] + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux arch is i386" + } + ] + } + ], + "Criterions": null + } + ], + "Criterions": [ + { + "Comment": "Oracle Linux 5 is installed" + } + ] + }, + "Severity": "CRITICAL", + "Cves": [ + { + "Impact": "", + "Href": "https://linux.oracle.com/cve/CVE-2014-7169.html", + "ID": "CVE-2014-7169" + } + ], + "Issued": { + "Date": "2014-09-25" + } +} \ No newline at end of file 
diff --git a/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json b/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json
deleted file mode 100644
index 8bcfa5c7..00000000
--- a/pkg/vulnsrc/oracle-oval/testdata/multi-arch/vuln-list/oval/oracle/2022/ELSA-2022-4803.json
+++ /dev/null
@@ -1,102 +0,0 @@ -{ - "Title": "ELSA-2022-4803: rsyslog security update (IMPORTANT)", - "Description": "[8.24.0-57.0.4.el7_9.3]\n- Newer gcc complains about implicit declaration of prctl. Added header file to quiesce the compiler\n\n[8.24.0-57.3]\n- Address CVE-2022-24903, Heap-based overflow in TCP syslog server\n resolves: rhbz#2081395", - "Platform": [ - "Oracle Linux 7" - ], - "References": [ - { - "Source": "elsa", - "URI": "https://linux.oracle.com/errata/ELSA-2022-4803.html", - "ID": "ELSA-2022-4803" - }, - { - "Source": "CVE", - "URI": "https://linux.oracle.com/cve/CVE-2022-24903.html", - "ID": "CVE-2022-24903" - } - ], - "Criteria": { - "Operator": "AND", - "Criterias": [ - { - "Operator": "OR", - "Criterias": [ - { - "Operator": "AND", - "Criterias": [ - { - "Operator": "OR", - "Criterias": [ - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog is earlier than 0:8.24.0-57.0.4.el7_9.3" - }, - { - "Comment": "rsyslog is signed with the Oracle Linux 7 key" - } - ] - } - ], - "Criterions": null - } - ], - "Criterions": [ - { - "Comment": "Oracle Linux arch is aarch64" - } - ] - }, - { - "Operator": "AND", - "Criterias": [ - { - "Operator": "OR", - "Criterias": [ - { - "Operator": "AND", - "Criterias": null, - "Criterions": [ - { - "Comment": "rsyslog is earlier than 0:8.24.0-57.0.1.el7_9.3" - }, - { - "Comment": "rsyslog is signed with the Oracle Linux 7 key" - } - ] - } - ], - "Criterions": null - } - ], - "Criterions": [ - { - "Comment": "Oracle Linux arch is x86_64" - } - ] - } - ], - "Criterions": null - } - ], - "Criterions": [ - { - "Comment": "Oracle Linux 7 is installed" - } - ] - }, - "Severity": "IMPORTANT", - "Cves": [ - { - "Impact": "", - "Href": "https://linux.oracle.com/cve/CVE-2022-24903.html", - "ID": "CVE-2022-24903" - } - ], - "Issued": { - "Date": "2022-05-31" - } -} \ No newline at end of file From 6af71172d14275c1ae89cbdeb4dbce05847cf822 Mon Sep 17 00:00:00 2001 
From: DmitriyLewen
Date: Wed, 23 Oct 2024 11:51:32 +0600
Subject: [PATCH 9/9] fix: remove 0.0.0 versions
---
 pkg/vulnsrc/oracle-oval/oracle-oval.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/pkg/vulnsrc/oracle-oval/oracle-oval.go b/pkg/vulnsrc/oracle-oval/oracle-oval.go
index 4c29d300..b529ac38 100644
--- a/pkg/vulnsrc/oracle-oval/oracle-oval.go
+++ b/pkg/vulnsrc/oracle-oval/oracle-oval.go
@@ -249,9 +249,11 @@ func removeExtraVersions(input PutInput) PutInput {
 fixedVersions := map[string]string{}
 for _, entry := range adv.Entries {
 for _, arch := range entry.Arches {
- fixedVersions[arch] = entry.FixedVersion
- if arch == "x86_64" {
- adv.FixedVersion = entry.FixedVersion
+ if entry.FixedVersion != "0.0.0" {
+ fixedVersions[arch] = entry.FixedVersion
+ if arch == "x86_64" {
+ adv.FixedVersion = entry.FixedVersion
+ }
 }
 }
 }
@@ -274,6 +276,10 @@ func removeExtraVersions(input PutInput) PutInput {
 return entries[i].Arches[0] < entries[j].Arches[0]
 })
 adv.Entries = entries
+
+ if adv.FixedVersion == "0.0.0" {
+ adv.FixedVersion = ""
+ }
 input.Advisories[pkgName] = adv
 }
 return input
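Review bot: The literal "0.0.0" is now written in both hunks of removeExtraVersions with no explanation of where it comes from; a named constant with a comment, e.g. `const unfixedVersion = "0.0.0" // placeholder version in the OVAL data, treated as "no fix" — TODO confirm origin`, would document it once and keep the two checks in step. With the new filter, a package whose entries are all "0.0.0" ends up with adv.Entries nil and adv.FixedVersion "", which is presumably the intended "no fixed version" shape but is not covered by a test, and if only the x86_64 entry is "0.0.0" the override is skipped and adv.FixedVersion keeps whatever the caller set before this function ran — worth confirming that fallback is wanted. The enclosing function's header and the section between the two hunks lie outside this view.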