feat(azure): add support for azurelinux OVAL (#294)

Co-authored-by: DmitriyLewen <[email protected]>

.github/workflows/update.yml

@@ -84,8 +84,8 @@ jobs:
       run: ./scripts/update.sh rocky "Rocky Linux Security Advisory"
 
     - if: always()
-      name: CBL-Mariner Vulnerability Data
-      run: ./scripts/update.sh mariner "CBL-Mariner Vulnerability Data"
+      name: Azure Linux and CBL-Mariner Vulnerability Data
+      run: ./scripts/update.sh azure "Azure Linux and CBL-Mariner Vulnerability Data"
 
     - if: always()
       name: OSV Database
@@ -101,4 +101,4 @@ jobs:
 
     - if: always()
       name: openEuler CVE
-      run: ./scripts/update.sh openeuler "openEuler CVE Data"
+      run: ./scripts/update.sh openeuler "openEuler CVE Data"

README.md

@@ -20,7 +20,7 @@ https://github.com/aquasecurity/vuln-list/
 $ vuln-list-update -h
 Usage of vuln-list-update:
   -target string
-    	update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner, kevc, wolfi, chainguard, openeuler )
+        update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, mariner, kevc, wolfi, chainguard, k8s, azure, openeuler)
   -target-branch string
     	alternative repository branch (only glad)
   -target-uri string

main.go

@@ -39,7 +39,7 @@ import (
 
 var (
 	target = flag.String("target", "", "update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, "+
-		"debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, mariner, kevc, wolfi, chainguard, k8s, openeuler)")
+		"debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, mariner, kevc, wolfi, chainguard, k8s, azure, openeuler)")
 	vulnListDir  = flag.String("vuln-list-dir", "", "vuln-list dir")
 	targetUri    = flag.String("target-uri", "", "alternative repository URI (only glad)")
 	targetBranch = flag.String("target-branch", "", "alternative repository branch (only glad)")
@@ -152,7 +152,7 @@ func run() error {
 		if err := p.Update(); err != nil {
 			return xerrors.Errorf("OSV update error: %w", err)
 		}
-	case "mariner":
+	case "azure", "mariner":
 		src := mariner.NewConfig()
 		if err := src.Update(); err != nil {
 			return xerrors.Errorf("CBL-Mariner Vulnerability Data update error: %w", err)

mariner/mariner.go

@@ -17,14 +17,19 @@ import (
 )
 
 const (
-	repoURL = "https://github.com/microsoft/AzureLinuxVulnerabilityData/archive/refs/heads/main.tar.gz//AzureLinuxVulnerabilityData-main"
-	cblDir  = "mariner" // CBL-Mariner Vulnerability Data
-	retry   = 3
+	// CBL Mariner was rebranded to Azure Linux for version 3.0. The same repo is used for both CBL Mariner and Azure Linux vulnerability data.
+	repoURL  = "https://github.com/microsoft/AzureLinuxVulnerabilityData/archive/refs/heads/main.tar.gz//AzureLinuxVulnerabilityData-main"
+	cblDir   = "mariner" // CBL-Mariner Vulnerability Data
+	azureDir = "azure"   // Azure Linux Vulnerability Data
+	retry    = 3
 
 	testsDir       = "tests"
 	objectsDir     = "objects"
 	statesDir      = "states"
 	definitionsDir = "definitions"
+
+	azurePrefix   = "azurelinux-"
+	marinerPrefix = "cbl-mariner-"
 )
 
 var (
@@ -59,7 +64,7 @@ func WithRetry(retry int) option {
 func NewConfig(opts ...option) Config {
 	o := &options{
 		url:   repoURL,
-		dir:   filepath.Join(utils.VulnListDir(), cblDir),
+		dir:   utils.VulnListDir(),
 		retry: retry,
 	}
 
@@ -75,12 +80,16 @@ func NewConfig(opts ...option) Config {
 func (c Config) Update() error {
 	ctx := context.Background()
 
-	log.Printf("Remove CBL-Mariner Vulnerability Data directory %sn", c.dir)
-	if err := os.RemoveAll(c.dir); err != nil {
+	log.Printf("Remove CBL-Mariner Vulnerability Data directory %s", c.dir)
+	if err := os.RemoveAll(filepath.Join(c.dir, cblDir)); err != nil {
 		return xerrors.Errorf("failed to remove CBL-Mariner Vulnerability Data directory: %w", err)
 	}
+	log.Printf("Remove Azure Linux Vulnerability Data directory %s", c.dir)
+	if err := os.RemoveAll(filepath.Join(c.dir, azureDir)); err != nil {
+		return xerrors.Errorf("failed to remove Azure Linux Vulnerability Data directory: %w", err)
+	}
 
-	log.Print("Fetching CBL-Mariner Vulnerability Data")
+	log.Print("Fetching Azure Linux and CBL-Mariner Vulnerability Data")
 	tmpDir, err := utils.DownloadToTempDir(ctx, c.url)
 	if err != nil {
 		return xerrors.Errorf("failed to retrieve CBL-Mariner Vulnerability Data: %w", err)
@@ -97,22 +106,22 @@ func (c Config) Update() error {
 			continue
 		}
 
-		if !strings.HasPrefix(entry.Name(), "cbl-mariner-") {
+		if !(strings.HasPrefix(entry.Name(), marinerPrefix) || strings.HasPrefix(entry.Name(), azurePrefix)) {
 			continue
 		}
 		if filepath.Ext(entry.Name()) != ".xml" {
 			continue
 		}
 
-		osVersoin := strings.TrimSuffix(strings.TrimSuffix(strings.TrimPrefix(entry.Name(), "cbl-mariner-"), "-oval.xml"), "-preview")
-		if err := c.update(osVersoin, filepath.Join(tmpDir, entry.Name())); err != nil {
+		osVersion := strings.TrimSuffix(strings.TrimSuffix(strings.TrimPrefix(strings.TrimPrefix(entry.Name(), azurePrefix), marinerPrefix), "-oval.xml"), "-preview")
+		if err := c.update(osVersion, filepath.Join(tmpDir, entry.Name()), strings.HasPrefix(entry.Name(), azurePrefix)); err != nil {
 			return xerrors.Errorf("failed to update oval data: %w", err)
 		}
 	}
 	return nil
 }
 
-func (c Config) update(version, path string) error {
+func (c Config) update(version, path string, isAzureLinux bool) error {
 	f, err := os.Open(path)
 	if err != nil {
 		return xerrors.Errorf("failed to open file: %w", err)
@@ -122,7 +131,10 @@ func (c Config) update(version, path string) error {
 	if err := xml.NewDecoder(f).Decode(&oval); err != nil {
 		return xerrors.Errorf("failed to decode xml: %w", err)
 	}
-	dirPath := filepath.Join(c.dir, version)
+	dirPath := filepath.Join(c.dir, azureDir, version)
+	if !isAzureLinux {
+		dirPath = filepath.Join(c.dir, cblDir, version)
+	}
 
 	// write tests/tests.json file
 	if err := utils.Write(filepath.Join(dirPath, testsDir, "tests.json"), oval.Tests); err != nil {

mariner/mariner_test.go

@@ -54,7 +54,7 @@ func TestUpdate(t *testing.T) {
 				rel, err := filepath.Rel(tmpDir, path)
 				require.NoError(t, err, path)
 
-				goldenPath := filepath.Join("testdata", "golden", "mariner", rel)
+				goldenPath := filepath.Join("testdata", "golden", rel)
 				want, err := os.ReadFile(goldenPath)
 				require.NoError(t, err, goldenPath)
 

mariner/testdata/golden/azure/3.0/definitions/2024/42064-1.json

@@ -0,0 +1,29 @@
+{
+  "Class": "vulnerability",
+  "ID": "oval:com.microsoft.azurelinux:def:42064",
+  "Version": "1",
+  "Metadata": {
+    "Title": "CVE-2024-35176 affecting package rubygem-rexml for versions less than 3.2.8-1",
+    "Affected": {
+      "Family": "unix",
+      "Platform": "Azure Linux"
+    },
+    "Reference": {
+      "RefID": "CVE-2024-35176",
+      "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2024-35176",
+      "Source": "CVE"
+    },
+    "Patchable": "true",
+    "AdvisoryDate": "2024-05-31T18:55:08Z",
+    "AdvisoryID": "42064-1",
+    "Severity": "Medium",
+    "Description": "CVE-2024-35176 affecting package rubygem-rexml for versions less than 3.2.8-1. An upgraded version of the package is available that resolves this issue."
+  },
+  "Criteria": {
+    "Operator": "AND",
+    "Criterion": {
+      "Comment": "Package rubygem-rexml is earlier than 3.2.8-1, affected by CVE-2024-35176",
+      "TestRef": "oval:com.microsoft.azurelinux:tst:42064000"
+    }
+  }
+}

mariner/testdata/golden/azure/3.0/objects/objects.json

@@ -0,0 +1,9 @@
+{
+  "RpminfoObjects": [
+    {
+      "ID": "oval:com.microsoft.azurelinux:obj:42064001",
+      "Version": "1",
+      "Name": "rubygem-rexml"
+    }
+  ]
+}

mariner/testdata/golden/azure/3.0/states/states.json

@@ -0,0 +1,13 @@
+{
+  "RpminfoState": [
+    {
+      "ID": "oval:com.microsoft.azurelinux:ste:42064002",
+      "Version": "1",
+      "Evr": {
+        "Text": "0:3.2.8-1.azl3",
+        "Datatype": "evr_string",
+        "Operation": "less than"
+      }
+    }
+  ]
+}

mariner/testdata/golden/azure/3.0/tests/tests.json

@@ -0,0 +1,16 @@
+{
+  "RpminfoTests": [
+    {
+      "Check": "at least one",
+      "Comment": "Package rubygem-rexml is earlier than 3.2.8-1, affected by CVE-2024-35176",
+      "ID": "oval:com.microsoft.azurelinux:tst:42064000",
+      "Version": "1",
+      "Object": {
+        "ObjectRef": "oval:com.microsoft.azurelinux:obj:42064001"
+      },
+      "State": {
+        "StateRef": "oval:com.microsoft.azurelinux:ste:42064002"
+      }
+    }
+  ]
+}

mariner/testdata/happy/azurelinux-3.0-oval.xml

@@ -0,0 +1,44 @@
+<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 https://oval.mitre.org/language/version5.11/ovaldefinition/complete/oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 https://oval.mitre.org/language/version5.11/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux https://oval.mitre.org/language/version5.11/ovaldefinition/complete/linux-definitions-schema.xsd ">
+  <generator>
+    <oval:product_name>Azure Linux OVAL Definition Generator</oval:product_name>
+    <oval:product_version>17</oval:product_version>
+    <oval:schema_version>5.11</oval:schema_version>
+    <oval:timestamp>2024-06-04T12:04:26.353796366Z</oval:timestamp>
+    <oval:content_version>1717502666</oval:content_version>
+  </generator>
+  <definitions>
+    <definition class="vulnerability" id="oval:com.microsoft.azurelinux:def:42064" version="1">
+      <metadata>
+        <title>CVE-2024-35176 affecting package rubygem-rexml for versions less than 3.2.8-1</title>
+        <affected family="unix">
+          <platform>Azure Linux</platform>
+        </affected>
+        <reference ref_id="CVE-2024-35176" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2024-35176" source="CVE"/>
+        <patchable>true</patchable>
+        <advisory_date>2024-05-31T18:55:08Z</advisory_date>
+        <advisory_id>42064-1</advisory_id>
+        <severity>Medium</severity>
+        <description>CVE-2024-35176 affecting package rubygem-rexml for versions less than 3.2.8-1. An upgraded version of the package is available that resolves this issue.</description>
+      </metadata>
+      <criteria operator="AND">
+        <criterion comment="Package rubygem-rexml is earlier than 3.2.8-1, affected by CVE-2024-35176" test_ref="oval:com.microsoft.azurelinux:tst:42064000"/>
+      </criteria>
+    </definition>
+  </definitions>
+  <tests>
+    <linux-def:rpminfo_test check="at least one" comment="Package rubygem-rexml is earlier than 3.2.8-1, affected by CVE-2024-35176" id="oval:com.microsoft.azurelinux:tst:42064000" version="1">
+      <linux-def:object object_ref="oval:com.microsoft.azurelinux:obj:42064001"/>
+      <linux-def:state state_ref="oval:com.microsoft.azurelinux:ste:42064002"/>
+    </linux-def:rpminfo_test>
+  </tests>
+  <objects>
+    <linux-def:rpminfo_object id="oval:com.microsoft.azurelinux:obj:42064001" version="1">
+      <linux-def:name>rubygem-rexml</linux-def:name>
+    </linux-def:rpminfo_object>
+  </objects>
+  <states>
+    <linux-def:rpminfo_state id="oval:com.microsoft.azurelinux:ste:42064002" version="1">
+      <linux-def:evr datatype="evr_string" operation="less than">0:3.2.8-1.azl3</linux-def:evr>
+    </linux-def:rpminfo_state>
+  </states>
+</oval_definitions>