Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(azure): Add Azure Linux support #409

Merged
merged 5 commits into from
Jul 18, 2024
Merged

feat(azure): Add Azure Linux support #409

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0bf9524
feat(azure): Add Azure Linux support
tofay Jun 6, 2024
6a7145f
merge azure and mariner packages
tofay Jul 15, 2024
f8c2bb0
refactor: merge azure and mariner into one file
DmitriyLewen Jul 16, 2024
4df8cff
fix: linter errors
DmitriyLewen Jul 16, 2024
056f543
Merge branch 'main' into azure-linux
tofay Jul 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions pkg/vulnsrc/azure/azure.go
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

azure is a renamed mariner.
So I think we can use one package for them:

➜  trivy-db git:(azure-linux) ✗ ls -hl ./pkg/vulnsrc/azure 
total 36K
-rw-rw-r-- 1 dmitriy dmitriy  690 июл  2 13:12 azure.go
-rw-rw-r-- 1 dmitriy dmitriy 2,4K июл  2 13:12 azure_test.go
-rw-rw-r-- 1 dmitriy dmitriy 6,9K июл  2 13:39 mariner.go
-rw-rw-r-- 1 dmitriy dmitriy 6,1K июн 20 10:12 mariner_test.go
drwxrwxr-x 2 dmitriy dmitriy 4,0K июл  2 13:57 oval
drwxrwxr-x 4 dmitriy dmitriy 4,0K июл  2 13:12 testdata
-rw-rw-r-- 1 dmitriy dmitriy  206 окт 25  2022 types.go

I suggest the following refactoring:

  1. move logic from mariner.go to azure.go
  2. create only NewMarinerVulnSrc() function in mariner.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've done this refactoring. Happy to rebase and git mv the mariner package if it makes reviewing easier.

Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
package azure

import (
"path/filepath"

"golang.org/x/xerrors"

"github.com/aquasecurity/trivy-db/pkg/db"
"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
)

var (
ErrNotSupported = xerrors.New("format not supported")
)

func NewVulnSrc() mariner.VulnSrc {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to add this function to this map

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, done.

return mariner.VulnSrc{
Dbc: db.Config{},
VulnListDir: filepath.Join("azure"),
Source: types.DataSource{
ID: vulnerability.AzureLinux,
Name: "Azure Linux Vulnerability Data",
URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData",
},
PlatformFormat: "Azure Linux %s",
}
}
102 changes: 102 additions & 0 deletions pkg/vulnsrc/azure/azure_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
package azure_test

import (
"path/filepath"
"testing"

"github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure"
"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
)

func TestVulnSrc_Update(t *testing.T) {
tests := []struct {
name string
dir string
wantValues []vulnsrctest.WantValues
wantErr string
noBuckets [][]string
}{
{
name: "happy path",
dir: filepath.Join("testdata", "happy"),
wantValues: []vulnsrctest.WantValues{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about vulnerability-detail?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added this.

{
Key: []string{"data-source", "Azure Linux 3.0"},
Value: types.DataSource{
ID: vulnerability.AzureLinux,
Name: "Azure Linux Vulnerability Data",
URL: "https://github.com/microsoft/AzureLinuxVulnerabilityData",
},
},
{
Key: []string{"advisory-detail", "CVE-2018-1999023", "Azure Linux 3.0", "ceph"},
Value: types.Advisory{
FixedVersion: "0:18.2.1-1.azl3",
},
},
{
Key: []string{"advisory-detail", "CVE-2023-27534", "Azure Linux 3.0", "tensorflow"},
Value: types.Advisory{
FixedVersion: "0:2.16.1-1.azl3",
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
vs := azure.NewVulnSrc()
vulnsrctest.TestUpdate(t, vs, vulnsrctest.TestUpdateArgs{
Dir: tt.dir,
WantValues: tt.wantValues,
WantErr: tt.wantErr,
NoBuckets: tt.noBuckets,
})
})
}
}

func TestVulnSrc_Get(t *testing.T) {
tests := []struct {
name string
release string
pkgName string
fixtures []string
want []types.Advisory
wantErr string
}{
{
name: "happy path",
release: "3.0",
pkgName: "ceph",
fixtures: []string{"testdata/fixtures/happy.yaml"},
want: []types.Advisory{
{
VulnerabilityID: "CVE-2018-1999023",
FixedVersion: "0:18.2.1-1.azl3",
},
},
},
{
name: "unknown package",
release: "3.0",
pkgName: "unknown-package",
fixtures: []string{"testdata/fixtures/happy.yaml"},
want: []types.Advisory(nil),
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
vs := azure.NewVulnSrc()
vulnsrctest.TestGet(t, vs, vulnsrctest.TestGetArgs{
Fixtures: tt.fixtures,
WantValues: tt.want,
Release: tt.release,
PkgName: tt.pkgName,
WantErr: tt.wantErr,
})
})
}
}
7 changes: 7 additions & 0 deletions pkg/vulnsrc/azure/testdata/fixtures/happy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
- bucket: Azure Linux 3.0
pairs:
- bucket: ceph
pairs:
- key: CVE-2018-1999023
value:
FixedVersion: 0:18.2.1-1.azl3
29 changes: 29 additions & 0 deletions pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2018/38656-1.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{
"Class": "vulnerability",
"ID": "oval:com.microsoft.azurelinux:def:38656",
"Version": "1",
"Metadata": {
"Title": "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1",
"Affected": {
"Family": "unix",
"Platform": "Azure Linux"
},
"Reference": {
"RefID": "CVE-2018-1999023",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-1999023",
"Source": "CVE"
},
"Patchable": "true",
"AdvisoryDate": "2024-04-17T22:02:46Z",
"AdvisoryID": "38656-1",
"Severity": "High",
"Description": "CVE-2018-1999023 affecting package ceph for versions less than 18.2.1-1. An upgraded version of the package is available that resolves this issue."
},
"Criteria": {
"Operator": "AND",
"Criterion": {
"Comment": "Package ceph is earlier than 18.2.1-1, affected by CVE-2018-1999023",
"TestRef": "oval:com.microsoft.azurelinux:tst:38656000"
}
}
}
29 changes: 29 additions & 0 deletions pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/definitions/2023/38611-1.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
{
"Class": "vulnerability",
"ID": "oval:com.microsoft.azurelinux:def:38611",
"Version": "1",
"Metadata": {
"Title": "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1",
"Affected": {
"Family": "unix",
"Platform": "Azure Linux"
},
"Reference": {
"RefID": "CVE-2023-27534",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-27534",
"Source": "CVE"
},
"Patchable": "true",
"AdvisoryDate": "2024-04-17T22:02:46Z",
"AdvisoryID": "38611-1",
"Severity": "High",
"Description": "CVE-2023-27534 affecting package tensorflow for versions less than 2.16.1-1. An upgraded version of the package is available that resolves this issue."
},
"Criteria": {
"Operator": "AND",
"Criterion": {
"Comment": "Package tensorflow is earlier than 2.16.1-1, affected by CVE-2023-27534",
"TestRef": "oval:com.microsoft.azurelinux:tst:38611000"
}
}
}
14 changes: 14 additions & 0 deletions pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/objects/objects.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{
"RpminfoObjects": [
{
"ID": "oval:com.microsoft.azurelinux:obj:38656001",
"Version": "1",
"Name": "ceph"
},
{
"ID": "oval:com.microsoft.azurelinux:obj:38611001",
"Version": "1",
"Name": "tensorflow"
}
]
}
22 changes: 22 additions & 0 deletions pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/states/states.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
{
"RpminfoState": [
{
"ID": "oval:com.microsoft.azurelinux:ste:38656002",
"Version": "1",
"Evr": {
"Text": "0:18.2.1-1.azl3",
"Datatype": "evr_string",
"Operation": "less than"
}
},
{
"ID": "oval:com.microsoft.azurelinux:ste:38611002",
"Version": "1",
"Evr": {
"Text": "0:2.16.1-1.azl3",
"Datatype": "evr_string",
"Operation": "less than"
}
}
]
}
28 changes: 28 additions & 0 deletions pkg/vulnsrc/azure/testdata/happy/vuln-list/azure/3.0/tests/tests.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
{
"RpminfoTests": [
{
"Check": "at least one",
"Comment": "Package ceph is earlier than 18.2.1-1, affected by CVE-2018-1999023",
"ID": "oval:com.microsoft.azurelinux:tst:38656000",
"Version": "1",
"Object": {
"ObjectRef": "oval:com.microsoft.azurelinux:obj:38656001"
},
"State": {
"StateRef": "oval:com.microsoft.azurelinux:ste:38656002"
}
},
{
"Check": "at least one",
"Comment": "Package tensorflow is earlier than 2.16.1-1, affected by CVE-2023-27534",
"ID": "oval:com.microsoft.azurelinux:tst:38611000",
"Version": "1",
"Object": {
"ObjectRef": "oval:com.microsoft.azurelinux:obj:38611001"
},
"State": {
"StateRef": "oval:com.microsoft.azurelinux:ste:38611002"
}
}
]
}
43 changes: 22 additions & 21 deletions pkg/vulnsrc/mariner/mariner.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,15 +17,6 @@ import (
)

var (
cblDir = filepath.Join("mariner")
platformFormat = "CBL-Mariner %s"

source = types.DataSource{
ID: vulnerability.CBLMariner,
Name: "CBL-Mariner Vulnerability Data",
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData",
}

ErrNotSupported = xerrors.New("format not supported")
)

Expand All @@ -36,21 +27,31 @@ type resolvedTest struct {
}

type VulnSrc struct {
dbc db.Operation
Dbc db.Operation
VulnListDir string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

VulnListDir is usually vuln-list dir.
Let's use more obvious name

Suggested change
VulnListDir string
MarinerDir string

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I renamed. (I called it vulnListDir as that's the variable used in the redhat and nvd vuln srcs)

Source types.DataSource
PlatformFormat string
}

func NewVulnSrc() VulnSrc {
return VulnSrc{
dbc: db.Config{},
Dbc: db.Config{},
VulnListDir: filepath.Join("mariner"),
Source: types.DataSource{
ID: vulnerability.CBLMariner,
Name: "CBL-Mariner Vulnerability Data",
URL: "https://github.com/microsoft/CBL-MarinerVulnerabilityData",
},
PlatformFormat: "CBL-Mariner %s",
}
}

func (vs VulnSrc) Name() types.SourceID {
return source.ID
return vs.Source.ID
}

func (vs VulnSrc) Update(dir string) error {
rootDir := filepath.Join(dir, "vuln-list", cblDir)
rootDir := filepath.Join(dir, "vuln-list", vs.VulnListDir)
versions, err := os.ReadDir(rootDir)
if err != nil {
return xerrors.Errorf("unable to list directory entries (%s): %w", rootDir, err)
Expand Down Expand Up @@ -185,9 +186,9 @@ func followTestRefs(test oval.RpmInfoTest, objects map[string]string, states map
}

func (vs VulnSrc) save(majorVer string, entries []Entry) error {
err := vs.dbc.BatchUpdate(func(tx *bolt.Tx) error {
platformName := fmt.Sprintf(platformFormat, majorVer)
if err := vs.dbc.PutDataSource(tx, platformName, source); err != nil {
err := vs.Dbc.BatchUpdate(func(tx *bolt.Tx) error {
platformName := fmt.Sprintf(vs.PlatformFormat, majorVer)
if err := vs.Dbc.PutDataSource(tx, platformName, vs.Source); err != nil {
return xerrors.Errorf("failed to put data source: %w", err)
}

Expand Down Expand Up @@ -215,7 +216,7 @@ func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) erro
continue
}

if err := vs.dbc.PutAdvisoryDetail(tx, cveID, entry.PkgName, []string{platformName}, advisory); err != nil {
if err := vs.Dbc.PutAdvisoryDetail(tx, cveID, entry.PkgName, []string{platformName}, advisory); err != nil {
return xerrors.Errorf("failed to save CBL-Mariner advisory detail: %w", err)
}

Expand All @@ -226,20 +227,20 @@ func (vs VulnSrc) commit(tx *bolt.Tx, platformName string, entries []Entry) erro
Description: entry.Metadata.Description,
References: []string{entry.Metadata.Reference.RefURL},
}
if err := vs.dbc.PutVulnerabilityDetail(tx, cveID, source.ID, vuln); err != nil {
if err := vs.Dbc.PutVulnerabilityDetail(tx, cveID, vs.Source.ID, vuln); err != nil {
return xerrors.Errorf("failed to save CBL-Mariner vulnerability detail: %w", err)
}

if err := vs.dbc.PutVulnerabilityID(tx, cveID); err != nil {
if err := vs.Dbc.PutVulnerabilityID(tx, cveID); err != nil {
return xerrors.Errorf("failed to save the vulnerability ID: %w", err)
}
}
return nil
}

func (vs VulnSrc) Get(release, pkgName string) ([]types.Advisory, error) {
bucket := fmt.Sprintf(platformFormat, release)
advisories, err := vs.dbc.GetAdvisories(bucket, pkgName)
bucket := fmt.Sprintf(vs.PlatformFormat, release)
advisories, err := vs.Dbc.GetAdvisories(bucket, pkgName)
if err != nil {
return nil, xerrors.Errorf("failed to get CBL-Marina advisories: %w", err)
}
Expand Down
1 change: 1 addition & 0 deletions pkg/vulnsrc/vulnerability/const.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ const (
Alpine types.SourceID = "alpine"
ArchLinux types.SourceID = "arch-linux"
Alma types.SourceID = "alma"
AzureLinux types.SourceID = "azure"
CBLMariner types.SourceID = "cbl-mariner"
Photon types.SourceID = "photon"
RubySec types.SourceID = "ruby-advisory-db"
Expand Down
2 changes: 1 addition & 1 deletion pkg/vulnsrc/vulnerability/vulnerability.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ const (

var (
sources = []types.SourceID{NVD, RedHat, Debian, Ubuntu, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon,
ArchLinux, Alma, Rocky, CBLMariner, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD, OSV, K8sVulnDB,
ArchLinux, Alma, Rocky, CBLMariner, AzureLinux, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD, OSV, K8sVulnDB,
}
)

Expand Down