diff --git a/src/vunnel/providers/sles/parser.py b/src/vunnel/providers/sles/parser.py
index 20aed8ea..9b08fff9 100644
--- a/src/vunnel/providers/sles/parser.py
+++ b/src/vunnel/providers/sles/parser.py
@@ -323,7 +323,12 @@ def _transform_oval_vulnerabilities(cls, major_version: str, parsed_dict: dict)
if release_version not in version_release_feed:
version_release_feed[release_version] = defaultdict(Vulnerability)
- version_release_feed[release_version][release_name] = feed_obj
+ if release_name not in version_release_feed[release_version]:
+ version_release_feed[release_version][release_name] = feed_obj
+ else:
+ old_feed_obj = version_release_feed[release_version][release_name]
+ feed_obj.FixedIn.extend(old_feed_obj.FixedIn)
+ version_release_feed[release_version][release_name] = feed_obj
# resolve multiple normalized entries per version
results.extend(cls._release_resolver(version_release_feed, vulnerability_obj.name))
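Review bot: The `else` branch concatenates the two FixedIn lists with no deduplication, so if the same package name/version appears in both feed objects for one release the emitted vulnerability lists it twice, and every field of `old_feed_obj` other than FixedIn (Description, Severity, CVSS, Link) is silently dropped in favour of the later `feed_obj` without any check that the two agree. A dedupe keyed on the FixedIn identity fields (Name, Version, Module) before the extend, plus a comment stating why two entries for one release name are expected here — presumably the same CVE reaching one release through several product CPEs, as in the added krb5 fixture, worth confirming — would make the merge intent reviewable; note the extend also places the newer object's entries ahead of the previously stored ones, which appears to be what the new snapshot ordering reflects. The duplicated `version_release_feed[release_version][release_name] = feed_obj` assignment can collapse to `existing = version_release_feed[release_version].get(release_name)` / `if existing is not None: feed_obj.FixedIn.extend(existing.FixedIn)` / `version_release_feed[release_version][release_name] = feed_obj`, since `.get()` does not trigger the defaultdict factory. `_transform_oval_vulnerabilities` starts and ends outside the hunk.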
diff --git a/tests/unit/providers/sles/test-fixtures/snapshots/sles:15/cve-2010-1323.json b/tests/unit/providers/sles/test-fixtures/snapshots/sles:15/cve-2010-1323.json
new file mode 100644
index 00000000..b677c6df
--- /dev/null
+++ b/tests/unit/providers/sles/test-fixtures/snapshots/sles:15/cve-2010-1323.json
@@ -0,0 +1,125 @@
+{
+ "identifier": "sles:15/cve-2010-1323",
+ "item": {
+ "Vulnerability": {
+ "CVSS": [
+ {
+ "base_metrics": {
+ "base_score": 3.7,
+ "base_severity": "Low",
+ "exploitability_score": 2.2,
+ "impact_score": 1.4
+ },
+ "status": "N/A",
+ "vector_string": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
+ "version": "3.0"
+ }
+ ],
+ "Description": "MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checks\n ums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain\n checksums that (1) are unkeyed or (2) use RC4 keys.",
+ "FixedIn": [
+ {
+ "Module": "",
+ "Name": "krb5-plugin-kdb-ldap",
+ "NamespaceName": "sles:15",
+ "VendorAdvisory": {
+ "AdvisorySummary": [],
+ "NoAdvisory": false
+ },
+ "Version": "0:1.15.2-4.25",
+ "VersionFormat": "rpm",
+ "VulnerableRange": null
+ },
+ {
+ "Module": "",
+ "Name": "krb5-server",
+ "NamespaceName": "sles:15",
+ "VendorAdvisory": {
+ "AdvisorySummary": [],
+ "NoAdvisory": false
+ },
+ "Version": "0:1.15.2-4.25",
+ "VersionFormat": "rpm",
+ "VulnerableRange": null
+ },
+ {
+ "Module": "",
+ "Name": "krb5",
+ "NamespaceName": "sles:15",
+ "VendorAdvisory": {
+ "AdvisorySummary": [],
+ "NoAdvisory": false
+ },
+ "Version": "0:1.15.2-4.25",
+ "VersionFormat": "rpm",
+ "VulnerableRange": null
+ },
+ {
+ "Module": "",
+ "Name": "krb5-32bit",
+ "NamespaceName": "sles:15",
+ "VendorAdvisory": {
+ "AdvisorySummary": [],
+ "NoAdvisory": false
+ },
+ "Version": "0:1.15.2-4.25",
+ "VersionFormat": "rpm",
+ "VulnerableRange": null
+ },
+ {
+ "Module": "",
+ "Name": "krb5-client",
+ "NamespaceName": "sles:15",
+ "VendorAdvisory": {
+ "AdvisorySummary": [],
+ "NoAdvisory": false
+ },
+ "Version": "0:1.15.2-4.25",
+ "VersionFormat": "rpm",
+ "VulnerableRange": null
+ },
+ {
+ "Module": "",
+ "Name": "krb5-devel",
+ "NamespaceName": "sles:15",
+ "VendorAdvisory": {
+ "AdvisorySummary": [],
+ "NoAdvisory": false
+ },
+ "Version": "0:1.15.2-4.25",
+ "VersionFormat": "rpm",
+ "VulnerableRange": null
+ },
+ {
+ "Module": "",
+ "Name": "krb5-plugin-preauth-otp",
+ "NamespaceName": "sles:15",
+ "VendorAdvisory": {
+ "AdvisorySummary": [],
+ "NoAdvisory": false
+ },
+ "Version": "0:1.15.2-4.25",
+ "VersionFormat": "rpm",
+ "VulnerableRange": null
+ },
+ {
+ "Module": "",
+ "Name": "krb5-plugin-preauth-pkinit",
+ "NamespaceName": "sles:15",
+ "VendorAdvisory": {
+ "AdvisorySummary": [],
+ "NoAdvisory": false
+ },
+ "Version": "0:1.15.2-4.25",
+ "VersionFormat": "rpm",
+ "VulnerableRange": null
+ }
+ ],
+ "Link": "https://www.suse.com/security/cve/CVE-2010-1323",
+ "Metadata": {},
+ "Name": "CVE-2010-1323",
+ "NamespaceName": "sles:15",
+ "Severity": "Medium"
+ }
+ },
+ "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json"
+}
diff --git a/tests/unit/providers/sles/test-fixtures/suse_truncated.xml b/tests/unit/providers/sles/test-fixtures/suse_truncated.xml
index b1886563..60a0323d 100644
--- a/tests/unit/providers/sles/test-fixtures/suse_truncated.xml
+++ b/tests/unit/providers/sles/test-fixtures/suse_truncated.xml
@@ -227,6 +227,77 @@
+
+
+ CVE-2010-1323
+
+ SUSE Linux Enterprise Desktop 15
+ SUSE Linux Enterprise High Performance Computing 15
+ SUSE Linux Enterprise Module for Basesystem 15
+ SUSE Linux Enterprise Module for Server Applications 15
+ SUSE Linux Enterprise Server 15
+ SUSE Linux Enterprise Server for SAP Applications 15
+
+
+
+
+
+
+
MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checks
+ ums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain
+ checksums that (1) are unkeyed or (2) use RC4 keys.
+
+ Moderate
+ CVE-2010-1323 at SUSE
+ CVE-2010-1323
+ at NVD
+ SUSE bug 650650
+
+ cpe:/o:suse:sle-module-basesystem:15
+ cpe:/o:suse:sle-module-server-applications:15
+ cpe:/o:suse:sle_hpc:15
+ cpe:/o:suse:sled:15
+ cpe:/o:suse:sles:15
+ cpe:/o:suse:sles_sap:15
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -253,6 +324,62 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -264,6 +391,48 @@
kernel-default
+
+ SLE_HPC-release
+
+
+ sles-release
+
+
+ SLES_SAP-release
+
+
+ sled-release
+
+
+ sle-module-basesystem-release
+
+
+ sle-module-server-applications-release
+
+
+ krb5
+
+
+ krb5-32bit
+
+
+ krb5-client
+
+
+ krb5-devel
+
+
+ krb5-plugin-preauth-otp
+
+
+ krb5-plugin-preauth-pkinit
+
+
+ krb5-plugin-kdb-ldap
+
+
+ krb5-server
+
@@ -280,5 +449,8 @@
(aarch64|ppc64le|s390x|x86_64)
0:4.12.14-197.89.2
+
+ 0:1.15.2-4.25
+
diff --git a/tests/unit/providers/sles/test_sles.py b/tests/unit/providers/sles/test_sles.py
index 4f3193a5..4e2a8f48 100644
--- a/tests/unit/providers/sles/test_sles.py
+++ b/tests/unit/providers/sles/test_sles.py
@@ -5,8 +5,8 @@
import defusedxml.ElementTree as ET
import pytest
-from vunnel import result, workspace
-from vunnel.providers.sles import Config, Provider, parser
+from vunnel import result
+from vunnel.providers.sles import Config, Provider
from vunnel.providers.sles.parser import (
PARSER_CONFIG,
Parser,
@@ -21,7 +21,7 @@
VersionParser,
iter_parse_vulnerability_file,
)
-from vunnel.utils.vulnerability import CVSS, CVSSBaseMetrics, FixedIn, Vulnerability
+from vunnel.utils.vulnerability import CVSS, CVSSBaseMetrics, FixedIn, Vulnerability, VendorAdvisory
class TestSLESVulnerabilityParser:
@@ -154,6 +154,98 @@ def parsed_vulnerabilities(self):
],
Metadata={},
),
+ Vulnerability(
+ Name="CVE-2010-1323",
+ NamespaceName="sles:15",
+ Description="MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checks\n ums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain\n checksums that (1) are unkeyed or (2) use RC4 keys.",
+ Severity="Medium",
+ Link="https://www.suse.com/security/cve/CVE-2010-1323",
+ CVSS=[
+ CVSS(
+ version="3.0",
+ vector_string="CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
+ base_metrics=CVSSBaseMetrics(
+ base_score=3.7, exploitability_score=2.2, impact_score=1.4, base_severity="Low"
+ ),
+ status="N/A",
+ )
+ ],
+ FixedIn=[
+ FixedIn(
+ Name="krb5-plugin-kdb-ldap",
+ NamespaceName="sles:15",
+ VersionFormat="rpm",
+ Version="0:1.15.2-4.25",
+ Module="",
+ VendorAdvisory=VendorAdvisory(NoAdvisory=False, AdvisorySummary=[]),
+ VulnerableRange=None,
+ ),
+ FixedIn(
+ Name="krb5-server",
+ NamespaceName="sles:15",
+ VersionFormat="rpm",
+ Version="0:1.15.2-4.25",
+ Module="",
+ VendorAdvisory=VendorAdvisory(NoAdvisory=False, AdvisorySummary=[]),
+ VulnerableRange=None,
+ ),
+ FixedIn(
+ Name="krb5",
+ NamespaceName="sles:15",
+ VersionFormat="rpm",
+ Version="0:1.15.2-4.25",
+ Module="",
+ VendorAdvisory=VendorAdvisory(NoAdvisory=False, AdvisorySummary=[]),
+ VulnerableRange=None,
+ ),
+ FixedIn(
+ Name="krb5-32bit",
+ NamespaceName="sles:15",
+ VersionFormat="rpm",
+ Version="0:1.15.2-4.25",
+ Module="",
+ VendorAdvisory=VendorAdvisory(NoAdvisory=False, AdvisorySummary=[]),
+ VulnerableRange=None,
+ ),
+ FixedIn(
+ Name="krb5-client",
+ NamespaceName="sles:15",
+ VersionFormat="rpm",
+ Version="0:1.15.2-4.25",
+ Module="",
+ VendorAdvisory=VendorAdvisory(NoAdvisory=False, AdvisorySummary=[]),
+ VulnerableRange=None,
+ ),
+ FixedIn(
+ Name="krb5-devel",
+ NamespaceName="sles:15",
+ VersionFormat="rpm",
+ Version="0:1.15.2-4.25",
+ Module="",
+ VendorAdvisory=VendorAdvisory(NoAdvisory=False, AdvisorySummary=[]),
+ VulnerableRange=None,
+ ),
+ FixedIn(
+ Name="krb5-plugin-preauth-otp",
+ NamespaceName="sles:15",
+ VersionFormat="rpm",
+ Version="0:1.15.2-4.25",
+ Module="",
+ VendorAdvisory=VendorAdvisory(NoAdvisory=False, AdvisorySummary=[]),
+ VulnerableRange=None,
+ ),
+ FixedIn(
+ Name="krb5-plugin-preauth-pkinit",
+ NamespaceName="sles:15",
+ VersionFormat="rpm",
+ Version="0:1.15.2-4.25",
+ Module="",
+ VendorAdvisory=VendorAdvisory(NoAdvisory=False, AdvisorySummary=[]),
+ VulnerableRange=None,
+ ),
+ ],
+ Metadata={},
+ ),
Vulnerability(
Name="CVE-2021-29154",
NamespaceName="sles:15.1",
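Review bot: The expected FixedIn list pins a specific order (krb5-plugin-kdb-ldap and krb5-server ahead of krb5 and the remaining packages), which looks like the order produced by the parser's `feed_obj.FixedIn.extend(old_feed_obj.FixedIn)` — newer entries first, then the previously stored ones — rather than the order of the source XML; if the equality used by the test is order-sensitive, this couples the fixture to a merge detail, so a short comment above the entry explaining the ordering, or sorting FixedIn by Name on both sides of the comparison, would make the intent explicit. There is also no case asserting that a package present in both merged objects is emitted only once, which is the regression the merge most plausibly introduces. The `parsed_vulnerabilities` fixture starts and ends outside the hunk.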
@@ -298,7 +390,7 @@ def mock_download(self, *args, **kwargs):
p.update(None)
- assert 2 == workspace.num_result_entries()
+ assert 3 == workspace.num_result_entries()
assert workspace.result_schemas_valid(require_entries=True)