From 92c0452b744481471ec7eb9ef5828b0fb419af22 Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Thu, 2 Jun 2022 18:35:42 +0600 Subject: [PATCH] feat(redhat): added architecture check (#2172) Co-authored-by: Teppei Fukuda --- go.mod | 2 +- go.sum | 4 +- integration/testdata/fixtures/db/redhat.yaml | 2 + pkg/detector/ospkg/redhat/redhat.go | 8 ++ pkg/detector/ospkg/redhat/redhat_test.go | 90 +++++++++++++++++++ .../redhat/testdata/fixtures/redhat.yaml | 31 ++++++- 6 files changed, 133 insertions(+), 4 deletions(-) diff --git a/go.mod b/go.mod index a8b58cf2fda7..59859ac074f9 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 - github.com/aquasecurity/trivy-db v0.0.0-20220510190819-8ca06716f46e + github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07 github.com/caarlos0/env/v6 v6.9.3 github.com/cenkalti/backoff v2.2.1+incompatible github.com/cheggaaa/pb/v3 v3.0.8 diff --git a/go.sum b/go.sum index f344ab43ae7c..0336a0aaeb17 100644 --- a/go.sum +++ b/go.sum 
@@ -195,8 +195,8 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1: github.com/aquasecurity/table v1.5.1 h1:y05AuHM3p4BGybbGn/XbcTX3RxpyzeTXAXYMcJve4IE= github.com/aquasecurity/table v1.5.1/go.mod h1:1MFKrEPJ8NchM917BrVGvsqoXJo1OL1Ja7dF3PgUea4= github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbpLo5dxHQCyEhqzizsDSNrNhn/7uRTCZzo4A1o= -github.com/aquasecurity/trivy-db v0.0.0-20220510190819-8ca06716f46e h1:NLm5KWGcnkwaUR1GODPePyhNsbuFiT6lgKYcCcW9c10= -github.com/aquasecurity/trivy-db v0.0.0-20220510190819-8ca06716f46e/go.mod h1:/nULgnDeq/JMPMVwE1dmf4kWlYn++7VrM3O2naj4BHA= +github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07 h1:EZfv20xfeW4Pj3yOjdzc+PnVvxJYgY7a0E0F3ewRsLI= +github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07/go.mod h1:/nULgnDeq/JMPMVwE1dmf4kWlYn++7VrM3O2naj4BHA= github.com/aquasecurity/trivy-kubernetes v0.3.0 h1:8SQZcwjq4jN8yeC8IH+14gjU84ws0KzqvQsQPSIrNB8= github.com/aquasecurity/trivy-kubernetes v0.3.0/go.mod h1:DhD+SMq4HhoOHfXhb5N+ViY3Qms2uS1+7S3Wzpxmaus= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= diff --git a/integration/testdata/fixtures/db/redhat.yaml b/integration/testdata/fixtures/db/redhat.yaml index 3ca5da000d6e..b4787bc1e4c0 100644 --- a/integration/testdata/fixtures/db/redhat.yaml +++ b/integration/testdata/fixtures/db/redhat.yaml @@ -16,6 +16,8 @@ - 924 Cves: - Severity: 1.0 + Arches: + - x86_64 - bucket: openssl pairs: - key: RHSA-2019:2304 diff --git a/pkg/detector/ospkg/redhat/redhat.go b/pkg/detector/ospkg/redhat/redhat.go index 51f9f804e4e9..93c98afa5a3a 100644 --- a/pkg/detector/ospkg/redhat/redhat.go +++ b/pkg/detector/ospkg/redhat/redhat.go @@ -8,6 +8,7 @@ import ( version "github.com/knqyf263/go-rpm-version" "golang.org/x/exp/maps" + "golang.org/x/exp/slices" "golang.org/x/xerrors" "k8s.io/utils/clock" 
@@ -144,6 +145,13 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln uniqVulns := map[string]types.DetectedVulnerability{} for _, adv := range advisories { + // if Arches for advisory is empty or pkg.Arch is "noarch", then any Arches are affected + if len(adv.Arches) != 0 && pkg.Arch != "noarch" { + if !slices.Contains(adv.Arches, pkg.Arch) { + continue + } + } + vulnID := adv.VulnerabilityID vuln := types.DetectedVulnerability{ VulnerabilityID: vulnID, diff --git a/pkg/detector/ospkg/redhat/redhat_test.go b/pkg/detector/ospkg/redhat/redhat_test.go index f39ed26e0826..f0db646099e1 100644 --- a/pkg/detector/ospkg/redhat/redhat_test.go +++ b/pkg/detector/ospkg/redhat/redhat_test.go 
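Review bot: The new guard skips every advisory that carries an Arches list whenever `pkg.Arch` is empty, because `slices.Contains(adv.Arches, "")` is false unless the database lists an empty architecture, so a package whose architecture could not be determined silently loses all arch-scoped findings — a fail-open outcome for a vulnerability scanner. Treating an unknown arch like "noarch" keeps the pre-patch behaviour for such packages: `if len(adv.Arches) != 0 && pkg.Arch != "" && pkg.Arch != "noarch" {`. Whether the analyzers ever leave Arch empty is not visible here, so a test case pinning that input (next to the two added in redhat_test.go) would settle it either way. Conversely a "noarch" package is reported against advisories restricted to any architecture, which may over-report; if that is intended, the comment should say so, e.g. `// noarch packages match every arch-scoped advisory: this may over-report but never drops a finding`. detect's body begins and ends outside this hunk.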
@@ -151,6 +151,96 @@ func TestScanner_Detect(t *testing.T) { }, }, }, + { + name: "happy path: package without architecture", + fixtures: []string{ + "testdata/fixtures/redhat.yaml", + "testdata/fixtures/cpe.yaml", + }, + args: args{ + osVer: "7.6", + pkgs: []ftypes.Package{ + { + Name: "kernel-headers", + Version: "3.10.0-1127.19", + Release: "1.el7", + Epoch: 0, + Arch: "noarch", + SrcName: "kernel-headers", + SrcVersion: "3.10.0-1127.19", + SrcRelease: "1.el7", + SrcEpoch: 0, + Layer: ftypes.Layer{ + DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02", + }, + BuildInfo: &ftypes.BuildInfo{ + ContentSets: []string{"rhel-7-server-rpms"}, + }, + }, + }, + }, + want: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2016-5195", + VendorIDs: []string{"RHSA-2017:0372"}, + PkgName: "kernel-headers", + InstalledVersion: "3.10.0-1127.19-1.el7", + FixedVersion: "4.5.0-15.2.1.el7", + SeveritySource: vulnerability.RedHat, + Vulnerability: dbTypes.Vulnerability{ + Severity: dbTypes.SeverityHigh.String(), + }, + Layer: ftypes.Layer{ + DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02", + }, + }, + }, + }, + { + name: "happy path: advisories have different arches", + fixtures: []string{ + "testdata/fixtures/redhat.yaml", + "testdata/fixtures/cpe.yaml", + }, + args: args{ + osVer: "7.6", + pkgs: []ftypes.Package{ + { + Name: "kernel-headers", + Version: "3.10.0-326.36", + Release: "3.el7", + Epoch: 0, + Arch: "x86_64", + SrcName: "kernel-headers", + SrcVersion: "3.10.0-326.36", + SrcRelease: "3.el7", + SrcEpoch: 0, + Layer: ftypes.Layer{ + DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02", + }, + BuildInfo: &ftypes.BuildInfo{ + ContentSets: []string{"rhel-7-server-rpms"}, + }, + }, + }, + }, + want: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2016-5195", + VendorIDs: []string{"RHSA-2016:2098"}, + PkgName: "kernel-headers", + InstalledVersion: 
"3.10.0-326.36-3.el7", + FixedVersion: "3.10.0-327.36.3.el7", + SeveritySource: vulnerability.RedHat, + Vulnerability: dbTypes.Vulnerability{ + Severity: dbTypes.SeverityHigh.String(), + }, + Layer: ftypes.Layer{ + DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02", + }, + }, + }, + }, { name: "no build info", fixtures: []string{ diff --git a/pkg/detector/ospkg/redhat/testdata/fixtures/redhat.yaml b/pkg/detector/ospkg/redhat/testdata/fixtures/redhat.yaml index df8d9e169c70..313a474fc89c 100644 --- a/pkg/detector/ospkg/redhat/testdata/fixtures/redhat.yaml +++ b/pkg/detector/ospkg/redhat/testdata/fixtures/redhat.yaml @@ -69,9 +69,38 @@ - key: CVE-2006-4023 value: Entries: - - FixedVersion: """ + - FixedVersion: "" Affected: - 0 - 1 Cves: - Severity: 1 + - bucket: kernel-headers + pairs: + - key: RHSA-2016:2098 + value: + Entries: + - FixedVersion: 0:3.10.0-327.36.3.el7 + Affected: + - 0 + - 1 + Cves: + - ID: CVE-2016-5195 + Severity: 3 + Arches: + - ppc64 + - ppc64le + - s390x + - x86_64 + - key: RHSA-2017:0372 + value: + Entries: + - FixedVersion: 0:4.5.0-15.2.1.el7 + Affected: + - 0 + - 1 + Cves: + - ID: CVE-2016-5195 + Severity: 3 + Arches: + - aarch64 \ No newline at end of file