Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: enable os vulns to have version range #317

Merged
merged 2 commits into from
May 28, 2024
Merged

feat: enable os vulns to have version range #317

merged 2 commits into from
May 28, 2024

Conversation

willmurphyscode
Copy link
Contributor

The Mariner distro feed will start including version ranges in the OVAL XML. Update models and grype-db transformer to be able to handle this in version 5.

This is the other half of anchore/vunnel#585

@willmurphyscode
feat: enable os vulns to have version range
20c715a 
The Mariner distro feed will start including version ranges in the OVAL
XML. Update models and grype-db transformer to be able to handle this in
version 5.

Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode willmurphyscode marked this pull request as ready for review May 24, 2024 18:11
@willmurphyscode willmurphyscode self-assigned this May 24, 2024
wagoodman
wagoodman reviewed May 28, 2024
View reviewed changes
pkg/process/v5/transformers/os/transform.go Outdated
constraint = common.CleanConstraint(constraint)
if len(constraint) == 0 {
func enforceConstraint(fixedVersion, vulnerableRange, format, vulnerabilityID string) string {
if len(vulnerableRange) > 0 && !strings.HasSuffix(vulnerabilityID, "ALASKERNEL") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks like there is new special casing for ALASKERNEL, but I don't see how that relates to this (maybe I'm missing something)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ALASKERNEL generates it's own version range from a hard-coded lower bound for a given kernel:

grype-db/pkg/process/v5/transformers/os/transform.go

Line 200 in dcc9d3f

if strings.HasPrefix(vulnerabilityID, "ALASKERNEL-") {

this special casing is to avoid skipping that if vunnel ends up emitting a version range.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there an existing test that covers this? if not, can you add a new test for this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These tests cover the behavior:

grype-db/pkg/process/v5/transformers/os/transform_test.go

Lines 780 to 880 in dcc9d3f

{
ID: "ALASKERNEL-5.4-2022-007",
PackageName: "kernel-headers",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: ">= 5.4, < 5.4.144-69.257.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
{
ID: "CVE-2021-3753",
Namespace: "nvd:cpe",
},
{
ID: "CVE-2021-40490",
Namespace: "nvd:cpe",
},
},
Fix: grypeDB.Fix{
Versions: []string{"5.4.144-69.257.amzn2"},
State: grypeDB.FixedState,
},
},
{
ID: "ALASKERNEL-5.4-2022-007",
PackageName: "kernel",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: ">= 5.4, < 5.4.144-69.257.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
{
ID: "CVE-2021-3753",
Namespace: "nvd:cpe",
},
{
ID: "CVE-2021-40490",
Namespace: "nvd:cpe",
},
},
Fix: grypeDB.Fix{
Versions: []string{"5.4.144-69.257.amzn2"},
State: grypeDB.FixedState,
},
},
{
ID: "ALASKERNEL-5.10-2022-005",
PackageName: "kernel-headers",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: ">= 5.10, < 5.10.62-55.141.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
{
ID: "CVE-2021-3753",
Namespace: "nvd:cpe",
},
{
ID: "CVE-2021-40490",
Namespace: "nvd:cpe",
},
},
Fix: grypeDB.Fix{
Versions: []string{"5.10.62-55.141.amzn2"},
State: grypeDB.FixedState,
},
},
{
ID: "ALASKERNEL-5.10-2022-005",
PackageName: "kernel",
PackageQualifiers: []qualifier.Qualifier{rpmmodularity.Qualifier{
Kind: "rpm-modularity",
Module: "",
}},
VersionConstraint: ">= 5.10, < 5.10.62-55.141.amzn2",
VersionFormat: "rpm",
Namespace: "amazon:distro:amazonlinux:2",
RelatedVulnerabilities: []grypeDB.VulnerabilityReference{
{
ID: "CVE-2021-3753",
Namespace: "nvd:cpe",
},
{
ID: "CVE-2021-40490",
Namespace: "nvd:cpe",
},
},
Fix: grypeDB.Fix{
Versions: []string{"5.10.62-55.141.amzn2"},
State: grypeDB.FixedState,
},
},
},

But they pass without the hard-coded prefix check, but that's because there's no vulnerable range on the test fixtures:

grype-db/pkg/process/v5/transformers/os/test-fixtures/amazon-multiple-kernel-advisories.json

Line 33 in dcc9d3f

"Version": "4.14.246-187.474.amzn2"

I think there's also no vulnerable range on the upstream data; it just felt like counting on a coincidence to leave out the ALASKERNEL- prefix check.

Then again, if upstream vunnel starts shipping version ranges on ALASKERNEL- vulnerabilities, why shouldn't grype-db believe vunnel? I think it might make sense to remove the check here.

@willmurphyscode
remove special case on ALASKERNEL
6c8ea34 
If the ALAS provider starts emitting vulnerableRange for ALAS kernel
vulnerabilities, there's no reason grype-db shouldn't respect them.

Signed-off-by: Will Murphy <[email protected]>
@willmurphyscode willmurphyscode merged commit ab9a900 into main May 28, 2024
14 checks passed
@willmurphyscode willmurphyscode deleted the feat-range-in-os-vuln branch May 28, 2024 23:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman approved these changes

Assignees

@willmurphyscode willmurphyscode

Labels
None yet
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@willmurphyscode @wagoodman