Merge branch 'main' of github.com:aquasecurity/trivy-db into oracle-o…

…val-multi-versions-fix
aquasecurity · Nov 20, 2024 · 95d6d93 · 95d6d93
2 parents 6557f9c + 6242a39
commit 95d6d93
Show file tree

Hide file tree

Showing 24 changed files with 354 additions and 119 deletions.
diff --git a/go.mod b/go.mod
@@ -16,10 +16,10 @@ require (
 	github.com/pandatix/go-cvss v0.6.2
 	github.com/samber/lo v1.47.0
 	github.com/stretchr/testify v1.9.0
-	github.com/urfave/cli v1.22.15
+	github.com/urfave/cli v1.22.16
 	go.etcd.io/bbolt v1.3.11
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
-	golang.org/x/text v0.18.0
+	golang.org/x/text v0.19.0
 	golang.org/x/tools v0.24.0
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	gopkg.in/cheggaaa/pb.v1 v1.0.28
@@ -28,7 +28,7 @@ require (
 )
 
 require (
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/goccy/go-yaml v1.8.1 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect

diff --git a/go.sum b/go.sum
@@ -1,5 +1,5 @@
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
@@ -14,8 +14,8 @@ github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:
 github.com/briandowns/spinner v1.23.0 h1:alDF2guRWqa/FOZZYWjlMIx2L6H0wyewPxo/CH4Pt2A=
 github.com/briandowns/spinner v1.23.0/go.mod h1:rPG4gmXeN3wQV/TsAY4w8lPdIM6RX3yqeBQJSrbXjuE=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
+github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -84,8 +84,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
-github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
+github.com/urfave/cli v1.22.16 h1:MH0k6uJxdwdeWQTwhSO42Pwr4YLrNLwBtg1MRgTqPdQ=
+github.com/urfave/cli v1.22.16/go.mod h1:EeJR6BKodywf4zciqrdw6hpCPk68JO9z5LazXZMn5Po=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
@@ -116,8 +116,8 @@ golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24=
 golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ=

diff --git a/pkg/db/db.go b/pkg/db/db.go
@@ -85,12 +85,12 @@ func Init(dbDir string, opts ...Option) (err error) {
 			if err = os.Remove(dbPath); err != nil {
 				return
 			}
-			db, err = bolt.Open(dbPath, 0600, dbOptions.boltOptions)
+			db, err = bolt.Open(dbPath, 0644, dbOptions.boltOptions)
 		}
 		debug.SetPanicOnFault(false)
 	}()
 
-	db, err = bolt.Open(dbPath, 0600, dbOptions.boltOptions)
+	db, err = bolt.Open(dbPath, 0644, dbOptions.boltOptions)
 	if err != nil {
 		return xerrors.Errorf("failed to open db: %w", err)
 	}

diff --git a/pkg/vulnsrc/azure/azure.go b/pkg/vulnsrc/azure/azure.go
@@ -131,25 +131,32 @@ func resolveDefinitions(defs []oval.Definition, tests map[string]resolvedTest) [
 	var entries []Entry
 
 	for _, def := range defs {
-		test, ok := tests[def.Criteria.Criterion.TestRef]
-		if !ok {
-			continue
-		}
-		entry := Entry{
-			PkgName:  test.Name,
-			Version:  test.Version,
-			Operator: test.Operator,
-			Metadata: def.Metadata,
+		// `Criterion` may contain a multiple testRefs
+		// e.g. `earlier than 1.20.7-1` and `greater than 0.0.0`
+		// cf. https://github.com/aquasecurity/vuln-list-update/pull/313
+		for _, criterion := range def.Criteria.Criterion {
+			// `tests` contains only supported operators
+			test, ok := tests[criterion.TestRef]
+			if !ok {
+				continue
+			}
+			entry := Entry{
+				PkgName:  test.Name,
+				Version:  test.Version,
+				Operator: test.Operator,
+				Metadata: def.Metadata,
+			}
+
+			entries = append(entries, entry)
 		}
-
-		entries = append(entries, entry)
 	}
 	return entries
 }
 
 const (
 	lte operator = "less than or equal"
 	lt  operator = "less than"
+	gt  operator = "greater than"
 )
 
 func resolveTests(dir string) (map[string]resolvedTest, error) {
@@ -179,7 +186,10 @@ func resolveTests(dir string) (map[string]resolvedTest, error) {
 		if err != nil {
 			return nil, xerrors.Errorf("unable to follow test refs: %w", err)
 		}
-		tests[test.ID] = t
+
+		if t.Name != "" {
+			tests[test.ID] = t
+		}
 	}
 
 	return tests, nil
@@ -212,6 +222,11 @@ func followTestRefs(test oval.RpmInfoTest, objects map[string]string, states map
 		return resolvedTest{}, xerrors.Errorf("state data type (%s): %w", state.Evr.Datatype, ErrNotSupported)
 	}
 
+	// We don't currently support `greater than` operator
+	if state.Evr.Operation == string(gt) {
+		return resolvedTest{}, nil
+	}
+
 	if state.Evr.Operation != string(lte) && state.Evr.Operation != string(lt) {
 		return resolvedTest{}, xerrors.Errorf("state operation (%s): %w", state.Evr.Operation, ErrNotSupported)
 	}

diff --git a/pkg/vulnsrc/azure/azure_test.go b/pkg/vulnsrc/azure/azure_test.go
@@ -57,6 +57,17 @@ func TestVulnSrc_Update(t *testing.T) {
 						FixedVersion: "0:2.16.1-1.azl3",
 					},
 				},
+				{
+					Key: []string{
+						"advisory-detail",
+						"CVE-2023-29409",
+						"Azure Linux 3.0",
+						"golang",
+					},
+					Value: types.Advisory{
+						FixedVersion: "0:1.20.7-1.azl3",
+					},
+				},
 				{
 					Key: []string{
 						"vulnerability-detail",
@@ -83,6 +94,19 @@ func TestVulnSrc_Update(t *testing.T) {
 						References:  []string{"https://nvd.nist.gov/vuln/detail/CVE-2018-1999023"},
 					},
 				},
+				{
+					Key: []string{
+						"vulnerability-detail",
+						"CVE-2023-29409",
+						"azure",
+					},
+					Value: types.VulnerabilityDetail{
+						Severity:    types.SeverityMedium,
+						Title:       "CVE-2023-29409 affecting package golang for versions less than 1.20.7-1",
+						Description: "CVE-2023-29409 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available.",
+						References:  []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-29409"},
+					},
+				},
 				{
 					Key: []string{
 						"vulnerability-id",
@@ -97,6 +121,13 @@ func TestVulnSrc_Update(t *testing.T) {
 					},
 					Value: map[string]interface{}{},
 				},
+				{
+					Key: []string{
+						"vulnerability-id",
+						"CVE-2023-29409",
+					},
+					Value: map[string]interface{}{},
+				},
 			},
 		},
 		{
@@ -272,6 +303,12 @@ func TestVulnSrc_Update(t *testing.T) {
 			dir:     filepath.Join("testdata", "sad", "empty-stateref-tests"),
 			wantErr: "unable to follow test refs: invalid test, no state ref",
 		},
+		{
+			name:    "sad path Criterion is not array",
+			dist:    azure.Mariner,
+			dir:     filepath.Join("testdata", "sad", "criterion-is-not-array"),
+			wantErr: "cannot unmarshal object into Go struct field Criteria.Criteria.Criterion of type []oval.Criterion",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/pkg/vulnsrc/azure/oval/types.go b/pkg/vulnsrc/azure/oval/types.go
@@ -11,7 +11,7 @@ type Definition struct {
 
 type Criteria struct {
 	Operator  string
-	Criterion Criterion
+	Criterion []Criterion
 }
 
 type Criterion struct {

diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2018/38656-1.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2018/38656-1.json
@@ -21,9 +21,11 @@
   },
   "Criteria": {
     "Operator": "AND",
-    "Criterion": {
-      "Comment": "Package ceph is earlier than 18.2.1-1, affected by CVE-2018-1999023",
-      "TestRef": "oval:com.microsoft.azurelinux:tst:38656000"
-    }
+    "Criterion": [
+      {
+        "Comment": "Package ceph is earlier than 18.2.1-1, affected by CVE-2018-1999023",
+        "TestRef": "oval:com.microsoft.azurelinux:tst:38656000"
+      }
+    ]
   }
 }
diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/38611-1.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/38611-1.json
@@ -21,9 +21,11 @@
   },
   "Criteria": {
     "Operator": "AND",
-    "Criterion": {
-      "Comment": "Package tensorflow is earlier than 2.16.1-1, affected by CVE-2023-27534",
-      "TestRef": "oval:com.microsoft.azurelinux:tst:38611000"
-    }
+    "Criterion": [
+      {
+        "Comment": "Package tensorflow is earlier than 2.16.1-1, affected by CVE-2023-27534",
+        "TestRef": "oval:com.microsoft.azurelinux:tst:38611000"
+      }
+    ]
   }
 }
diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/52881-2.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/52881-2.json
@@ -0,0 +1,34 @@
+{
+  "Class": "vulnerability",
+  "ID": "oval:com.microsoft.azurelinux:def:52881",
+  "Version": "2",
+  "Metadata": {
+    "Title": "CVE-2023-29409 affecting package golang for versions less than 1.20.7-1",
+    "Affected": {
+      "Family": "unix",
+      "Platform": "Azure Linux"
+    },
+    "Reference": {
+      "RefID": "CVE-2023-29409",
+      "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409",
+      "Source": "CVE"
+    },
+    "Patchable": "true",
+    "AdvisoryID": "52881-2",
+    "Severity": "Medium",
+    "Description": "CVE-2023-29409 affecting package golang for versions less than 1.20.7-1. A patched version of the package is available."
+  },
+  "Criteria": {
+    "Operator": "AND",
+    "Criterion": [
+      {
+        "Comment": "Package golang is earlier than 1.20.7-1, affected by CVE-2023-29409",
+        "TestRef": "oval:com.microsoft.azurelinux:tst:52881000"
+      },
+      {
+        "Comment": "Package golang is greater than 0.0.0, affected by CVE-2023-29409",
+        "TestRef": "oval:com.microsoft.azurelinux:tst:52881003"
+      }
+    ]
+  }
+}
diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/objects/objects.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/objects/objects.json
@@ -9,6 +9,16 @@
       "ID": "oval:com.microsoft.azurelinux:obj:38611001",
       "Version": "1",
       "Name": "tensorflow"
+    },
+    {
+      "ID": "oval:com.microsoft.azurelinux:obj:52881004",
+      "Version": "1",
+      "Name": "golang"
+    },
+    {
+      "ID": "oval:com.microsoft.azurelinux:obj:52881001",
+      "Version": "1",
+      "Name": "golang"
     }
   ]
 }
diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/states/states.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/states/states.json
@@ -17,6 +17,24 @@
         "Datatype": "evr_string",
         "Operation": "less than"
       }
+    },
+    {
+      "ID": "oval:com.microsoft.azurelinux:ste:52881005",
+      "Version": "1",
+      "Evr": {
+        "Text": "0:0.0.0.azl3",
+        "Datatype": "evr_string",
+        "Operation": "greater than"
+      }
+    },
+    {
+      "ID": "oval:com.microsoft.azurelinux:ste:52881002",
+      "Version": "1",
+      "Evr": {
+        "Text": "0:1.20.7-1.azl3",
+        "Datatype": "evr_string",
+        "Operation": "less than"
+      }
     }
   ]
 }
diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/tests/tests.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/tests/tests.json
@@ -23,6 +23,30 @@
       "State": {
         "StateRef": "oval:com.microsoft.azurelinux:ste:38611002"
       }
+    },
+    {
+      "Check": "at least one",
+      "Comment": "Package golang is greater than 0.0.0, affected by CVE-2023-29409",
+      "ID": "oval:com.microsoft.azurelinux:tst:52881003",
+      "Version": "1",
+      "Object": {
+        "ObjectRef": "oval:com.microsoft.azurelinux:obj:52881004"
+      },
+      "State": {
+        "StateRef": "oval:com.microsoft.azurelinux:ste:52881005"
+      }
+    },
+    {
+      "Check": "at least one",
+      "Comment": "Package golang is earlier than 1.20.7-1, affected by CVE-2023-29409",
+      "ID": "oval:com.microsoft.azurelinux:tst:52881000",
+      "Version": "1",
+      "Object": {
+        "ObjectRef": "oval:com.microsoft.azurelinux:obj:52881001"
+      },
+      "State": {
+        "StateRef": "oval:com.microsoft.azurelinux:ste:52881002"
+      }
     }
   ]
 }
diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/definitions/2008/3173.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/1.0/definitions/2008/3173.json
@@ -21,9 +21,11 @@
   },
   "Criteria": {
     "Operator": "AND",
-    "Criterion": {
-      "Comment": "Package clamav is earlier than 0.103.2-1, affected by CVE-2008-3914",
-      "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374849000003"
-    }
+    "Criterion": [
+      {
+        "Comment": "Package clamav is earlier than 0.103.2-1, affected by CVE-2008-3914",
+        "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374849000003"
+      }
+    ]
   }
 }
diff --git a/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/definitions/2021/7412.json b/pkg/vulnsrc/azure/testdata/happy/vuln-list/mariner/2.0/definitions/2021/7412.json
@@ -20,9 +20,11 @@
   },
   "Criteria": {
     "Operator": "AND",
-    "Criterion": {
-      "Comment": "Package wireshark is installed with version 3.4.4 or earlier",
-      "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374850000435"
-    }
+    "Criterion": [
+      {
+        "Comment": "Package wireshark is installed with version 3.4.4 or earlier",
+        "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374850000435"
+      }
+    ]
   }
 }