feat(redhat): added architecture check (aquasecurity#2172)

Co-authored-by: Teppei Fukuda <[email protected]>
project-zot · Jun 2, 2022 · 92c0452 · 92c0452
1 parent 1eb73f3
commit 92c0452
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 4 deletions.
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20220510190819-8ca06716f46e
+	github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07
 	github.com/caarlos0/env/v6 v6.9.3
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.8

diff --git a/go.sum b/go.sum
@@ -195,8 +195,8 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:
 github.com/aquasecurity/table v1.5.1 h1:y05AuHM3p4BGybbGn/XbcTX3RxpyzeTXAXYMcJve4IE=
 github.com/aquasecurity/table v1.5.1/go.mod h1:1MFKrEPJ8NchM917BrVGvsqoXJo1OL1Ja7dF3PgUea4=
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o=
-github.com/aquasecurity/trivy-db v0.0.0-20220510190819-8ca06716f46e h1:NLm5KWGcnkwaUR1GODPePyhNsbuFiT6lgKYcCcW9c10=
-github.com/aquasecurity/trivy-db v0.0.0-20220510190819-8ca06716f46e/go.mod h1:/nULgnDeq/JMPMVwE1dmf4kWlYn++7VrM3O2naj4BHA=
+github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07 h1:EZfv20xfeW4Pj3yOjdzc+PnVvxJYgY7a0E0F3ewRsLI=
+github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07/go.mod h1:/nULgnDeq/JMPMVwE1dmf4kWlYn++7VrM3O2naj4BHA=
 github.com/aquasecurity/trivy-kubernetes v0.3.0 h1:8SQZcwjq4jN8yeC8IH+14gjU84ws0KzqvQsQPSIrNB8=
 github.com/aquasecurity/trivy-kubernetes v0.3.0/go.mod h1:DhD+SMq4HhoOHfXhb5N+ViY3Qms2uS1+7S3Wzpxmaus=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=

diff --git a/integration/testdata/fixtures/db/redhat.yaml b/integration/testdata/fixtures/db/redhat.yaml
@@ -16,6 +16,8 @@
                   - 924
                 Cves:
                   - Severity: 1.0
+                Arches:
+                  - x86_64
     - bucket: openssl
       pairs:
         - key: RHSA-2019:2304

diff --git a/pkg/detector/ospkg/redhat/redhat.go b/pkg/detector/ospkg/redhat/redhat.go
@@ -8,6 +8,7 @@ import (
 
 	version "github.com/knqyf263/go-rpm-version"
 	"golang.org/x/exp/maps"
+	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 	"k8s.io/utils/clock"
 
@@ -144,6 +145,13 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln
 
 	uniqVulns := map[string]types.DetectedVulnerability{}
 	for _, adv := range advisories {
+		// if Arches for advisory is empty or pkg.Arch is "noarch", then any Arches are affected
+		if len(adv.Arches) != 0 && pkg.Arch != "noarch" {
+			if !slices.Contains(adv.Arches, pkg.Arch) {
+				continue
+			}
+		}
+
 		vulnID := adv.VulnerabilityID
 		vuln := types.DetectedVulnerability{
 			VulnerabilityID:  vulnID,

diff --git a/pkg/detector/ospkg/redhat/redhat_test.go b/pkg/detector/ospkg/redhat/redhat_test.go
@@ -151,6 +151,96 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path: package without architecture",
+			fixtures: []string{
+				"testdata/fixtures/redhat.yaml",
+				"testdata/fixtures/cpe.yaml",
+			},
+			args: args{
+				osVer: "7.6",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "kernel-headers",
+						Version:    "3.10.0-1127.19",
+						Release:    "1.el7",
+						Epoch:      0,
+						Arch:       "noarch",
+						SrcName:    "kernel-headers",
+						SrcVersion: "3.10.0-1127.19",
+						SrcRelease: "1.el7",
+						SrcEpoch:   0,
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+						BuildInfo: &ftypes.BuildInfo{
+							ContentSets: []string{"rhel-7-server-rpms"},
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2016-5195",
+					VendorIDs:        []string{"RHSA-2017:0372"},
+					PkgName:          "kernel-headers",
+					InstalledVersion: "3.10.0-1127.19-1.el7",
+					FixedVersion:     "4.5.0-15.2.1.el7",
+					SeveritySource:   vulnerability.RedHat,
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityHigh.String(),
+					},
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+				},
+			},
+		},
+		{
+			name: "happy path: advisories have different arches",
+			fixtures: []string{
+				"testdata/fixtures/redhat.yaml",
+				"testdata/fixtures/cpe.yaml",
+			},
+			args: args{
+				osVer: "7.6",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "kernel-headers",
+						Version:    "3.10.0-326.36",
+						Release:    "3.el7",
+						Epoch:      0,
+						Arch:       "x86_64",
+						SrcName:    "kernel-headers",
+						SrcVersion: "3.10.0-326.36",
+						SrcRelease: "3.el7",
+						SrcEpoch:   0,
+						Layer: ftypes.Layer{
+							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+						},
+						BuildInfo: &ftypes.BuildInfo{
+							ContentSets: []string{"rhel-7-server-rpms"},
+						},
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2016-5195",
+					VendorIDs:        []string{"RHSA-2016:2098"},
+					PkgName:          "kernel-headers",
+					InstalledVersion: "3.10.0-326.36-3.el7",
+					FixedVersion:     "3.10.0-327.36.3.el7",
+					SeveritySource:   vulnerability.RedHat,
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityHigh.String(),
+					},
+					Layer: ftypes.Layer{
+						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
+					},
+				},
+			},
+		},
 		{
 			name: "no build info",
 			fixtures: []string{

diff --git a/pkg/detector/ospkg/redhat/testdata/fixtures/redhat.yaml b/pkg/detector/ospkg/redhat/testdata/fixtures/redhat.yaml
@@ -69,9 +69,38 @@
         - key: CVE-2006-4023
           value:
             Entries:
-              - FixedVersion: """
+              - FixedVersion: ""
                 Affected:
                   - 0
                   - 1
                 Cves:
                   - Severity: 1
+    - bucket: kernel-headers
+      pairs:
+        - key: RHSA-2016:2098
+          value:
+            Entries:
+              - FixedVersion: 0:3.10.0-327.36.3.el7
+                Affected:
+                  - 0
+                  - 1
+                Cves:
+                  - ID: CVE-2016-5195
+                    Severity: 3
+                Arches:
+                  - ppc64
+                  - ppc64le
+                  - s390x
+                  - x86_64
+        - key: RHSA-2017:0372
+          value:
+            Entries:
+              - FixedVersion: 0:4.5.0-15.2.1.el7
+                Affected:
+                  - 0
+                  - 1
+                Cves:
+                  - ID: CVE-2016-5195
+                    Severity: 3
+                Arches:
+                  - aarch64
-Original file line number
+Diff line change
@@ Expand Up / @@ -16,6 +16,8 @@ @@
                       - 924
                     Cves:
                       - Severity: 1.0
+                    Arches:
+                      - x86_64
         - bucket: openssl
           pairs:
             - key: RHSA-2019:2304
@@ Expand Down @@