Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(oracle-oval): Support multiple ELSAs per CVE #221

Merged
merged 19 commits into from
Nov 20, 2024
Merged

fix(oracle-oval): Support multiple ELSAs per CVE #221

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
aa6ed6d
fix(oracle-oval): Support multiple ELSAs per CVE
bpfoster Jun 3, 2022
1dbc8c6
Ensure advisory datasource is populated
bpfoster Jun 6, 2022
9059075
Fix case of multiple ELSAs for the same flavor package
bpfoster Jun 7, 2022
f4bb50a
PR review feedback
bpfoster Jun 9, 2022
63e4055
Fix ksplice handling
bpfoster Jun 9, 2022
3c13c83
Return advisory from loop rather than breaking
bpfoster Jun 10, 2022
c46983e
Save normal version in FixedVersion for backwards compatibility
bpfoster Jun 22, 2022
57dbc86
Merge remote-tracking branch 'origin/main' into oracle-oval-multi-ver…
bpfoster Aug 29, 2022
7cdb661
Merge branch 'master' into 'oracle-oval-multi-versions-fix'
DmitriyLewen Oct 31, 2024
54b2c0b
refactor: fix issues after rebase + use types.Advisories
DmitriyLewen Nov 2, 2024
377b227
test: fix tests
DmitriyLewen Nov 2, 2024
d6c0edd
refactor:
DmitriyLewen Nov 2, 2024
695da90
fix: update Get function
DmitriyLewen Nov 2, 2024
cd98708
test: update/add tests
DmitriyLewen Nov 2, 2024
ed3cdbf
refactor: split `ksplice1` and `ksplice2`
DmitriyLewen Nov 2, 2024
a135499
Revert "refactor: split `ksplice1` and `ksplice2`"
DmitriyLewen Nov 5, 2024
cb14132
refactor: use `ksplice1`/`fips` if normal flavor doesn't exist
DmitriyLewen Nov 19, 2024
6557f9c
test: fix test
DmitriyLewen Nov 19, 2024
95d6d93
Merge branch 'main' of github.com:aquasecurity/trivy-db into oracle-o…
DmitriyLewen Nov 20, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
153 changes: 130 additions & 23 deletions pkg/vulnsrc/oracle-oval/oracle-oval.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,14 @@ import (
"strings"

version "github.com/knqyf263/go-rpm-version"
"github.com/samber/lo"
bolt "go.etcd.io/bbolt"
"golang.org/x/exp/maps"
"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/utils"
ustrings "github.com/aquasecurity/trivy-db/pkg/utils/strings"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
)

Expand All @@ -34,10 +35,10 @@ var (
)

type PutInput struct {
VulnID string // CVE-ID or ELSA-ID
Vuln types.VulnerabilityDetail // vulnerability detail such as CVSS and description
Advisories map[AffectedPackage]types.Advisory // pkg => advisory
OVAL OracleOVAL // for extensibility, not used in trivy-db
VulnID string // CVE-ID or ELSA-ID
Vuln types.VulnerabilityDetail // vulnerability detail such as CVSS and description
Advisories map[Package]types.Advisories // pkg => advisories
OVALs []OracleOVAL // for extensibility, not used in trivy-db
}

type DB interface {
Expand Down Expand Up @@ -111,6 +112,8 @@ func (vs *VulnSrc) put(ovals []OracleOVAL) error {
}

func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error {
// CVE -> PutInput
putInputs := make(map[string]PutInput)
for _, oval := range ovals {
elsaID := strings.Split(oval.Title, ":")[0]

Expand All @@ -122,14 +125,14 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error {
vulnIDs = append(vulnIDs, elsaID)
}

advisories := map[AffectedPackage]types.Advisory{}
affectedPkgs := walkOracle(oval.Criteria, "", []AffectedPackage{})
advisories := map[Package]types.Advisories{}
affectedPkgs := walkOracle(oval.Criteria, "", "", []AffectedPackage{})
for _, affectedPkg := range affectedPkgs {
if affectedPkg.Package.Name == "" {
continue
}

platformName := affectedPkg.PlatformName()
platformName := affectedPkg.Package.PlatformName()
if !slices.Contains(targetPlatforms, platformName) {
continue
}
Expand All @@ -138,9 +141,18 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error {
return xerrors.Errorf("failed to put data source: %w", err)
}

advisories[affectedPkg] = types.Advisory{
FixedVersion: affectedPkg.Package.FixedVersion,
advs := types.Advisories{
Entries: []types.Advisory{
{
FixedVersion: affectedPkg.FixedVersion,
},
},
}
if savedAdvs, ok := advisories[affectedPkg.Package]; ok {
advs.Entries = append(advs.Entries, savedAdvs.Entries...)
}
advisories[affectedPkg.Package] = advs

}

var references []string
Expand All @@ -156,21 +168,112 @@ func (vs *VulnSrc) commit(tx *bolt.Tx, ovals []OracleOVAL) error {
Severity: severityFromThreat(oval.Severity),
}

err := vs.Put(tx, PutInput{
input := PutInput{
VulnID: vulnID,
Vuln: vuln,
Advisories: advisories,
OVAL: oval,
})
if err != nil {
return xerrors.Errorf("db put error: %w", err)
Advisories: maps.Clone(advisories),
OVALs: []OracleOVAL{oval},
}

if savedInput, ok := putInputs[input.VulnID]; ok {
input.OVALs = append(input.OVALs, savedInput.OVALs...)

for inputPkg, inputAdvs := range input.Advisories {
if savedPkgAdvs, pkgFound := savedInput.Advisories[inputPkg]; pkgFound {
inputAdvs.Entries = append(savedPkgAdvs.Entries, inputAdvs.Entries...)
}
savedInput.Advisories[inputPkg] = inputAdvs
}
input.Advisories = savedInput.Advisories
}
putInputs[input.VulnID] = input
}
}

for _, input := range putInputs {
for pkg, advs := range input.Advisories {
input.Advisories[pkg] = resolveAdvisoriesEntries(advs)
}

err := vs.Put(tx, input)
if err != nil {
return xerrors.Errorf("db put error: %w", err)
}
}

return nil
}

// resolveAdvisoriesEntries removes entries with the same fixedVersion.
// Additionally, it only selects the latest fixedVersion for each flavor.
func resolveAdvisoriesEntries(advisories types.Advisories) types.Advisories {
fixedVersions := lo.Map(advisories.Entries, func(entry types.Advisory, _ int) string {
return entry.FixedVersion
})
fixedVer, resolvedVers := resolveVersions(fixedVersions)
entries := lo.Map(resolvedVers, func(ver string, _ int) types.Advisory {
return types.Advisory{
FixedVersion: ver,
}
})
return types.Advisories{
FixedVersion: fixedVer,
Entries: entries,
}
}

// resolveVersions removes duplicates and returns normal flavor + only one version for each flavor.
func resolveVersions(vers []string) (string, []string) {
vers = lo.Uniq(vers)

fixedVers := make(map[PkgFlavor]string)
for _, ver := range vers {
flavor := PackageFlavor(ver)
if savedVer, ok := fixedVers[flavor]; ok {
v := version.NewVersion(ver)
sv := version.NewVersion(savedVer)
if v.LessThan(sv) {
ver = savedVer
}
}
fixedVers[flavor] = ver
}

versions := lo.Values(fixedVers)
slices.Sort(versions)

fixedVersion := fixedVers[NormalPackageFlavor]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this case.
Should we use fips or ksplice version here?

example - https://linux.oracle.com/errata/ELSA-2016-3515.html

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current DB contains fixed versions for fips or ksplice in this case, right? If so, we should keep it for compatibility.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not entirely correct (which is why this PR was created), but it is only needed for backward compatibility, so let's leave the previous logic
Updated in cb14132


return fixedVersion, versions
}

type PkgFlavor string

const (
NormalPackageFlavor PkgFlavor = "normal"
FipsPackageFlavor PkgFlavor = "fips"
KsplicePackageFlavor PkgFlavor = "ksplice"
)

// PackageFlavor determinants the package "flavor" based on its version string
// - normal
// - FIPS validated
// - ksplice userspace
func PackageFlavor(version string) PkgFlavor {
version = strings.ToLower(version)
if strings.HasSuffix(version, "_fips") {
return FipsPackageFlavor
}

subs := strings.Split(version, ".")
for _, s := range subs {
if strings.HasPrefix(s, "ksplice") {
return KsplicePackageFlavor
}
}
return NormalPackageFlavor
}

func (o *Oracle) Put(tx *bolt.Tx, input PutInput) error {
if err := o.PutVulnerabilityDetail(tx, input.VulnID, source.ID, input.Vuln); err != nil {
return xerrors.Errorf("failed to save Oracle Linux OVAL vulnerability: %w", err)
Expand All @@ -183,7 +286,7 @@ func (o *Oracle) Put(tx *bolt.Tx, input PutInput) error {

for pkg, advisory := range input.Advisories {
platformName := pkg.PlatformName()
if err := o.PutAdvisoryDetail(tx, input.VulnID, pkg.Package.Name, []string{platformName}, advisory); err != nil {
if err := o.PutAdvisoryDetail(tx, input.VulnID, pkg.Name, []string{platformName}, advisory); err != nil {
return xerrors.Errorf("failed to save Oracle Linux advisory: %w", err)
}
}
Expand All @@ -199,7 +302,7 @@ func (o *Oracle) Get(release string, pkgName string) ([]types.Advisory, error) {
return advisories, nil
}

func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPackage {
func walkOracle(cri Criteria, osVer, arch string, pkgs []AffectedPackage) []AffectedPackage {
for _, c := range cri.Criterions {
if strings.HasPrefix(c.Comment, "Oracle Linux ") &&
strings.HasSuffix(c.Comment, " is installed") {
Expand All @@ -211,16 +314,16 @@ func walkOracle(cri Criteria, osVer string, pkgs []AffectedPackage) []AffectedPa
}

pkgs = append(pkgs, AffectedPackage{
OSVer: osVer,
Package: Package{
Name: ss[0],
FixedVersion: version.NewVersion(ss[1]).String(),
Name: ss[0],
OSVer: osVer,
},
FixedVersion: version.NewVersion(ss[1]).String(),
})
}

for _, c := range cri.Criterias {
pkgs = walkOracle(c, osVer, pkgs)
pkgs = walkOracle(c, osVer, arch, pkgs)
}
return pkgs
}
Expand All @@ -234,7 +337,11 @@ func referencesFromContains(sources []string, matches []string) []string {
}
}
}
return ustrings.Unique(references)

references = lo.Uniq(references)
slices.Sort(references)

return references
}

func severityFromThreat(sev string) types.Severity {
Expand Down
Loading
Loading