Merge branch 'master' into ross/rm-pkg-infos

.openshift-ci/Dockerfile.build_root

@@ -10,4 +10,4 @@
 # - `make update` and commit the results
 # - run `/test pj-rehearse-max` on the openshift/release PR to validate the change
 
-FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.48
+FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.51

.openshift-ci/build/Dockerfile.build-bundle

@@ -1,4 +1,4 @@
-FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.46
+FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.51
 
 COPY . /go/src/github.com/stackrox/scanner
 WORKDIR /go/src/github.com/stackrox/scanner

.openshift-ci/build/Dockerfile.build-db-bundle

@@ -1,4 +1,4 @@
-FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.46
+FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.51
 
 COPY . /go/src/github.com/stackrox/scanner
 WORKDIR /go/src/github.com/stackrox/scanner

.openshift-ci/build/Dockerfile.generate-db-dump

@@ -1,4 +1,4 @@
-FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.46
+FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.51
 
 COPY . /go/src/github.com/stackrox/scanner
 WORKDIR /go/src/github.com/stackrox/scanner

.openshift-ci/build/Dockerfile.generate-genesis-dump

@@ -1,4 +1,4 @@
-FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.46
+FROM quay.io/stackrox-io/apollo-ci:scanner-test-0.3.51
 
 COPY . /go/src/github.com/stackrox/scanner
 WORKDIR /go/src/github.com/stackrox/scanner

.openshift-ci/clusters.py

@@ -7,6 +7,7 @@
 """
 
 import os
+import signal
 import subprocess
 import time
 
@@ -30,13 +31,21 @@ class GKECluster:
     REFRESH_PATH = "scripts/ci/gke.sh"
     TEARDOWN_PATH = "scripts/ci/gke.sh"
 
-    def __init__(self, cluster_id):
+    def __init__(self, cluster_id, num_nodes=3, machine_type="e2-standard-4"):
         self.cluster_id = cluster_id
+        self.num_nodes = num_nodes
+        self.machine_type = machine_type
         self.refresh_token_cmd = None
 
     def provision(self):
         with subprocess.Popen(
-            [GKECluster.PROVISION_PATH, "provision_gke_cluster", self.cluster_id]
+                [
+                    GKECluster.PROVISION_PATH,
+                    "provision_gke_cluster",
+                    self.cluster_id,
+                    str(self.num_nodes),
+                    self.machine_type,
+                ]
         ) as cmd:
 
             try:
@@ -47,6 +56,9 @@ def provision(self):
                 popen_graceful_kill(cmd)
                 raise err
 
+        # OpenShift CI sends a SIGINT when tests are canceled
+        signal.signal(signal.SIGINT, self.sigint_handler)
+
         subprocess.run(
             [GKECluster.WAIT_PATH, "wait_for_cluster"],
             check=True,
@@ -65,10 +77,12 @@ def teardown(self):
             print("Pausing teardown because /tmp/hold-cluster exists")
             time.sleep(60)
 
-        try:
-            popen_graceful_kill(self.refresh_token_cmd)
-        except Exception as err:
-            print(f"Could not terminate the token refresh: {err}")
+        if self.refresh_token_cmd is not None:
+            print("Terminating GKE token refresh")
+            try:
+                popen_graceful_kill(self.refresh_token_cmd)
+            except Exception as err:
+                print(f"Could not terminate the token refresh: {err}")
 
         subprocess.run(
             [GKECluster.TEARDOWN_PATH, "teardown_gke_cluster"],
@@ -77,3 +91,7 @@ def teardown(self):
         )
 
         return self
+
+    def sigint_handler(self, signum, frame):
+        print("Tearing down the cluster due to SIGINT", signum, frame)
+        self.teardown()

BUILD_IMAGE_VERSION

@@ -1 +1 @@
-scanner-build-0.3.48
+scanner-build-0.3.51

cpe/attributes/java/java.go

@@ -35,6 +35,36 @@ var (
 	immutableIndicators = []string{
 		"agent",
 	}
+
+	knownSpringVendors    = []string{"pivotal", "pivotal_software", "vmware"}
+	knownSpringComponents = set.NewFrozenStringSet(
+		"spring_advanced_message_queuing_protocol",
+		"spring_aop",
+		"spring_beans",
+		"spring_boot",
+		"spring_boot_autoconfigure",
+		"spring_boot_jarmode_layertools",
+		"spring_cloud_function",
+		"spring_cloud_function_core",
+		"spring_cloud_gateway",
+		"spring_cloud_netflix",
+		"spring_cloud_openfeign",
+		"spring_context",
+		"spring_core",
+		"spring_data_mongodb",
+		"spring_data_rest",
+		"spring_expression",
+		"spring_jcl",
+		"spring_security",
+		"spring_security_core",
+		"spring_security_crypto",
+		"spring_security_oath",
+		"spring_security_web",
+		"spring_web",
+		"spring_web_flow",
+		"spring_webflux",
+		"spring_webmvc",
+	)
 )
 
 func isMutableName(name string) bool {
@@ -70,7 +100,7 @@ func ignored(c *component.Component) bool {
 	return false
 }
 
-func getPossibleVendors(origins []string) set.StringSet {
+func getPossibleVendors(origins []string, names set.StringSet) set.StringSet {
 	// Try splitting on periods
 	vendorSet := set.NewStringSet()
 	for _, orig := range origins {
@@ -90,6 +120,15 @@ func getPossibleVendors(origins []string) set.StringSet {
 	if vendorSet.Cardinality() == 0 {
 		vendorSet.Add("apache")
 	}
+
+	// Add Spring-specific vendors.
+	for name := range names {
+		if knownSpringComponents.Contains(name) {
+			vendorSet.AddAll(knownSpringVendors...)
+			break
+		}
+	}
+
 	return vendorSet
 }
 
@@ -109,8 +148,8 @@ func GetJavaAttributes(c *component.Component) []*wfn.Attributes {
 		return nil
 	}
 
-	vendorSet := getPossibleVendors(java.Origins)
 	nameSet := common.GenerateNameKeys(c)
+	vendorSet := getPossibleVendors(java.Origins, nameSet)
 	versionSet := common.GenerateVersionKeys(c)
 	for k := range versionSet {
 		versionSet.Add(extensionRegex.ReplaceAllString(k, ""))

e2etests/testcase_test.go

@@ -3513,7 +3513,7 @@ Bug Fix(es) and Enhancement(s):
 						FixedBy: "0:6.0.7-1.el8_6",
 					},
 				},
-				FixedBy: "6.0.9-1.el8_6",
+				FixedBy: "6.0.10-1.el8_6",
 				AddedBy: "sha256:16e1dc59de605089610e3be2c77f3cde5eed99b523a0d7a3e3a2f65fa7c60723",
 			},
 			{
@@ -3552,9 +3552,55 @@ Bug Fix(es) and Enhancement(s):
 						FixedBy: "0:6.0.7-1.el8_6",
 					},
 				},
-				FixedBy: "6.0.9-1.el8_6",
+				FixedBy: "6.0.10-1.el8_6",
 				AddedBy: "sha256:16e1dc59de605089610e3be2c77f3cde5eed99b523a0d7a3e3a2f65fa7c60723",
 			},
 		},
 	},
+	{
+		image:                   "quay.io/rhacs-eng/qa:spring-CVE-2022-22978",
+		registry:                "https://quay.io",
+		username:                os.Getenv("QUAY_RHACS_ENG_RO_USERNAME"),
+		password:                os.Getenv("QUAY_RHACS_ENG_RO_PASSWORD"),
+		source:                  "NVD",
+		onlyCheckSpecifiedVulns: true,
+		namespace:               "rhel:8",
+		expectedFeatures: []apiV1.Feature{
+			{
+				Name:          "spring-security-web",
+				VersionFormat: component.JavaSourceType.String(),
+				Version:       "5.5.5",
+				Location:      "application/app.jar:BOOT-INF/lib/spring-security-web-5.5.5.jar",
+				Vulnerabilities: []apiV1.Vulnerability{
+					{
+						Name:          "CVE-2022-22978",
+						Description:   `In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.
+
+Applications using RegexRequestMatcher with '.' in the regular expression are possibly vulnerable to an authorization bypass.`,
+						Link:          "https://nvd.nist.gov/vuln/detail/CVE-2022-22978",
+						Severity:      "Important",
+						Metadata: map[string]interface{}{
+							"NVD": map[string]interface{}{
+								"CVSSv2": map[string]interface{}{
+									"ExploitabilityScore": 0.0,
+									"ImpactScore":         0.0,
+									"Score":               0.0,
+									"Vectors":             "",
+								},
+								"CVSSv3": map[string]interface{}{
+									"ExploitabilityScore": 3.9,
+									"ImpactScore":         4.2,
+									"Score":               8.2,
+									"Vectors":             "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
+								},
+							},
+						},
+						FixedBy: "5.5.7",
+					},
+				},
+				FixedBy: "5.5.7",
+				AddedBy: "sha256:5b6e3ce9721946e142ba43e488385ee4d323204a6052e0f20352d89ac00cafa2",
+			},
+		},
+	},
 }

pkg/vulnloader/nvdloader/manual.go

@@ -454,6 +454,71 @@ var manuallyEnrichedVulns = map[string]*schema.NVDCVEFeedJSON10DefCVEItem{
 		LastModifiedDate: "2022-03-31T00:00Z",
 		PublishedDate:    "2022-03-31T00:00Z",
 	},
+	"CVE-2022-22978": {
+		CVE: &schema.CVEJSON40{
+			CVEDataMeta: &schema.CVEJSON40CVEDataMeta{
+				ID: "CVE-2022-22978",
+			},
+			DataFormat:  "MITRE",
+			DataType:    "CVE",
+			DataVersion: "4.0",
+			Description: &schema.CVEJSON40Description{
+				DescriptionData: []*schema.CVEJSON40LangString{
+					{
+						Lang:  "en",
+						Value: "In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers.\n\nApplications using RegexRequestMatcher with '.' in the regular expression are possibly vulnerable to an authorization bypass.",
+					},
+				},
+			},
+			References: &schema.CVEJSON40References{
+				ReferenceData: []*schema.CVEJSON40Reference{
+					{
+						Name: "https://tanzu.vmware.com/security/cve-2022-22978",
+					},
+				},
+			},
+		},
+		Configurations: &schema.NVDCVEFeedJSON10DefConfigurations{
+			CVEDataVersion: "4.0",
+			Nodes: []*schema.NVDCVEFeedJSON10DefNode{
+				{
+					CPEMatch: []*schema.NVDCVEFeedJSON10DefCPEMatch{
+						{
+							Cpe23Uri:              `cpe:2.3:a:vmware:spring\-security\-web:*:*:*:*:*:*:*:*`,
+							VersionEndExcluding:   "5.6.4",
+							VersionStartIncluding: "5.6.0",
+						},
+						{
+							Cpe23Uri:            `cpe:2.3:a:vmware:spring\-security\-web:*:*:*:*:*:*:*:*`,
+							VersionEndExcluding: "5.5.7",
+						},
+					},
+					Operator: "OR",
+				},
+			},
+		},
+		Impact: &schema.NVDCVEFeedJSON10DefImpact{
+			BaseMetricV3: &schema.NVDCVEFeedJSON10DefImpactBaseMetricV3{
+				CVSSV3: &schema.CVSSV30{
+					AttackComplexity:      "LOW",
+					AttackVector:          "NETWORK",
+					AvailabilityImpact:    "NONE",
+					BaseScore:             8.2,
+					ConfidentialityImpact: "HIGH",
+					IntegrityImpact:       "LOW",
+					PrivilegesRequired:    "NONE",
+					Scope:                 "UNCHANGED",
+					UserInteraction:       "NONE",
+					VectorString:          "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
+					Version:               "3.1",
+				},
+				ExploitabilityScore: 3.9,
+				ImpactScore:         4.2,
+			},
+		},
+		LastModifiedDate: "2022-05-16T00:00Z",
+		PublishedDate:    "2022-05-16T00:00Z",
+	},
 	"CVE-2017-5638": {
 		CVE: &schema.CVEJSON40{
 			CVEDataMeta: &schema.CVEJSON40CVEDataMeta{

scripts/ci/gate-jobs-config.json

@@ -53,7 +53,7 @@
     "run_with_changed_path": "",
     "changed_path_to_ignore": "",
     "run_on_master": "true",
-    "run_on_tags": "true"
+    "run_on_tags": "false"
   },
   "upload-dumps-for-downstream": {
     "run_with_labels": [],

scripts/ci/gke.sh

@@ -75,7 +75,12 @@ create_cluster() {
     else
         die "Support is missing for this CI environment"
     fi
-    # . from branch names
+
+    if is_in_PR_context; then
+        labels="${labels},pr=$(get_PR_number)"
+    fi
+
+    # remove . from branch names
     tags="${tags//./-}"
     labels="${labels//./-}"
     # lowercase
@@ -222,10 +227,17 @@ refresh_gke_token() {
     local real_kubeconfig="${KUBECONFIG:-${HOME}/.kube/config}"
 
     # refresh token every 15m
+    local pid
     while true; do
-        # sleep & wait so that it will exit on TERM
         sleep 900 &
-        wait $!
+        pid="$!"
+        kill_sleep() {
+            echo "refresh_gke_token() terminated, killing the background sleep ($pid)"
+            kill "$pid"
+        }
+        trap kill_sleep SIGINT SIGTERM
+        wait "$pid"
+
         info "Refreshing the GKE auth token"
         gcloud config config-helper --force-auth-refresh >/dev/null
         echo >/tmp/kubeconfig-new