fix(vm): update ext4-filesystem parser for parse multi block extents (#…

…4616) * chore(deps): update ext4-filesystem parser for parse multi block extents * test(vm): update integration-vm test fixtures * test(vm): add gzip decompresser for sparse file * test(vm): add mage command update golden file for vm integration test * chore(magefile): [WIP] change test repository * Revert "chore(magefile): [WIP] change test repository" This reverts commit c015c88. * fix(test): update fixtures and golden file * fix(test): revert fixVersion and PkgID
aquasecurity · Jun 18, 2023 · 4d9b444 · 4d9b444
1 parent c29197a
commit 4d9b444
Show file tree

Hide file tree

Showing 10 changed files with 131 additions and 165 deletions.
diff --git a/go.mod b/go.mod
@@ -62,7 +62,7 @@ require (
 	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
 	github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3
-	github.com/masahiro331/go-ext4-filesystem v0.0.0-20221225060520-c150f5eacfe1
+	github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70

diff --git a/go.sum b/go.sum
@@ -1256,8 +1256,8 @@ github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac h1:QyRucnGOLHJ
 github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac/go.mod h1:J7Vb0sf0JzOhT0uHTeCqO6dqP/ELVcQvQ6yQ/56ZRGw=
 github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3 h1:CCX8exCYIPHrMKba1KDhM37PxC3/amBUZXH8yoJOAMQ=
 github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3/go.mod h1:5NOkqebMwu8UiOTSjwqam1Ykdr7fci52TVE2xDQnIiM=
-github.com/masahiro331/go-ext4-filesystem v0.0.0-20221225060520-c150f5eacfe1 h1:GBZZSY8xEoAf76ZOlxqKi/OMufpZnTxpTf7ectT1eNM=
-github.com/masahiro331/go-ext4-filesystem v0.0.0-20221225060520-c150f5eacfe1/go.mod h1:X08d9nmB+eg7Gj2XWAOkiG8lbMFbgGXPsDKEvkFwyF8=
+github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1 h1:jQ0px48V+wp35FSimlg9e/bB8XSrBz0SxPLbnYCq6/4=
+github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1/go.mod h1:3XMMY1M486mWGTD13WPItg6FsgflQR72ZMAkd+gsyoQ=
 github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 h1:AevUBW4cc99rAF8q8vmddIP8qd/0J5s/UyltGbp66dg=
 github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08/go.mod h1:JOkBRrE1HvgTyjk6diFtNGgr8XJMtIfiBzkL5krqzVk=
 github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd h1:Y30EzvuoVp97b0unb/GOFXzBUKRXZXUN2e0wYmvC+ic=

diff --git a/integration/testdata/amazonlinux2-gp2-x86-vm.json.golden b/integration/testdata/amazonlinux2-gp2-x86-vm.json.golden
@@ -25,40 +25,41 @@
       "Type": "amazon",
       "Vulnerabilities": [
         {
-          "VulnerabilityID": "CVE-2022-21233",
-          "PkgID": "microcode_ctl@2.1-47.amzn2.0.12.x86_64",
-          "PkgName": "microcode_ctl",
-          "InstalledVersion": "2:2.1-47.amzn2.0.12",
-          "FixedVersion": "2:2.1-47.amzn2.0.13",
+          "VulnerabilityID": "CVE-2022-38177",
+          "PkgID": "bind-export-libs@9.11.4-26.P2.amzn2.5.2.x86_64",
+          "PkgName": "bind-export-libs",
+          "InstalledVersion": "32:9.11.4-26.P2.amzn2.5.2",
+          "FixedVersion": "99:9.11.4-26.P2.amzn2.13",
           "Layer": {},
           "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-21233",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38177",
           "DataSource": {
             "ID": "amazon",
             "Name": "Amazon Linux Security Center",
             "URL": "https://alas.aws.amazon.com/"
           },
-          "Title": "hw: cpu: Intel: Stale Data Read from legacy xAPIC vulnerability",
-          "Description": "Improper isolation of shared resources in some Intel(R) Processors may allow",
+          "Title": "bind: memory leak in ECDSA DNSSEC verification code",
+          "Description": "By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.",
           "Severity": "MEDIUM",
           "CVSS": {
             "nvd": {
-              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
+              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
+              "V3Score": 7.5
             },
             "redhat": {
               "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
-              "V3Score": 6
+              "V3Score": 7.5
             }
           },
           "References": [
-            "https://access.redhat.com/security/cve/CVE-2022-21233",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21233",
-            "https://security.netapp.com/advisory/ntap-20220923-0002/",
-            "https://ubuntu.com/security/notices/USN-5612-1"
+            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
+            "https://access.redhat.com/errata/RHSA-2022:6763",
+            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38177.json",
+            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38178.json",
+            "https://access.redhat.com/security/cve/CVE-2022-38177"
           ],
-          "PublishedDate": "2022-08-18T20:15:00Z",
-          "LastModifiedDate": "2022-09-23T15:15:00Z"
+          "PublishedDate": "2022-09-21T11:15:00Z",
+          "LastModifiedDate": "2022-09-21T11:15:00Z"
         }
       ]
     }

diff --git a/integration/testdata/fixtures/db/amazon.yaml b/integration/testdata/fixtures/db/amazon.yaml
@@ -18,8 +18,8 @@
         - key: CVE-2019-5481
           value:
             FixedVersion: 7.61.1-12.amzn2.0.1
-    - bucket: microcode_ctl
+    - bucket: bind-export-libs
       pairs:
-        - key: CVE-2022-21233
+        - key: CVE-2022-38177
           value:
-            FixedVersion: 2:2.1-47.amzn2.0.13
+            FixedVersion: 99:9.11.4-26.P2.amzn2.13
diff --git a/integration/testdata/fixtures/db/ubuntu.yaml b/integration/testdata/fixtures/db/ubuntu.yaml
@@ -14,8 +14,7 @@
             FixedVersion: 1.44.1-1ubuntu1.2
 - bucket: ubuntu 22.04
   pairs:
-    - bucket: bind9
+    - bucket: bash
       pairs:
-        - key: CVE-2022-2795
-          value:
-            FixedVersion: 1:9.18.1-1ubuntu1.2
+        - key: CVE-2022-3715
+          value: {}
diff --git a/integration/testdata/fixtures/db/vulnerability.yaml b/integration/testdata/fixtures/db/vulnerability.yaml
@@ -1,55 +1,51 @@
 - bucket: vulnerability
   pairs:
-  - key: CVE-2022-21233
+  - key: CVE-2022-38177
     value:
-      Title: "hw: cpu: Intel: Stale Data Read from legacy xAPIC vulnerability"
-      Description: "Improper isolation of shared resources in some Intel(R) Processors may allow"
-      Severity: MEDIUM
+      Title: "bind: memory leak in ECDSA DNSSEC verification code"
+      Description: "By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources."
+      Severity: HIGH
       CVSS:
         nvd:
-          V3Score: 5.5
-          V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+          V3Score: 7.5
+          V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
         redhat:
-          V3Score: 6.0
+          V3Score: 7.5
           V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
-      LastModifiedDate: "2022-09-23T15:15:00Z"
-      PublishedDate: "2022-08-18T20:15:00Z"
+      LastModifiedDate: "2022-09-21T11:15:00Z"
+      PublishedDate: "2022-09-21T11:15:00Z"
       References:
-        - "https://access.redhat.com/security/cve/CVE-2022-21233"
-        - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21233"
-        - "https://security.netapp.com/advisory/ntap-20220923-0002/"
-        - "https://ubuntu.com/security/notices/USN-5612-1"
+        - "http://www.openwall.com/lists/oss-security/2022/09/21/3"
+        - "https://access.redhat.com/errata/RHSA-2022:6763"
+        - "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38177.json"
+        - "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38178.json"
+        - "https://access.redhat.com/security/cve/CVE-2022-38177"
       VendorSeverity:
         arch-linux: 2
         nvd: 2
         redhat: 2
         ubuntu: 2
-  - key: CVE-2022-2795
+  - key: CVE-2022-3715
     value:
-      Title: "bind: processing large delegations may severely degrade resolver performance"
-      Severity: HIGH
-      Description: By flooding the target resolver with queries exploiting this flaw an attacker
+      Title: a heap-buffer-overflow in valid_parameter_transform
+      Severity: LOW
+      Description: A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.
       CVSS:
         nvd:
-          V3Score: 7.5
-          V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+          V3Score: 7.8
+          V3Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
         redhat:
-          V3Score: 5.3
-          V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+          V3Score: 6.6
+          V3Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
       CweIDs:
-        - CWE-400
-      LastModifiedDate: 2022-10-06T20:15:00Z
-      PublishedDate: 2022-09-21T11:15:00Z
+        - CWE-787
+      LastModifiedDate: 2023-02-24T18:38:00Z
+      PublishedDate: 2023-01-05T15:15:00Z
       References:
-        - http://www.openwall.com/lists/oss-security/2022/09/21/3
-        - https://access.redhat.com/security/cve/CVE-2022-2795
-        - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795
-        - https://kb.isc.org/docs/cve-2022-2795
-        - https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html
-        - https://nvd.nist.gov/vuln/detail/CVE-2022-2795
-        - https://ubuntu.com/security/notices/USN-5626-1
-        - https://ubuntu.com/security/notices/USN-5626-2
-        - https://www.debian.org/security/2022/dsa-5235
+        - https://access.redhat.com/errata/RHSA-2023:0340
+        - https://access.redhat.com/security/cve/CVE-2022-3715
+        - https://bugzilla.redhat.com/2126720
+        - https://bugzilla.redhat.com/show_bug.cgi?id=2126720
       VendorSeverity:
         cbl-mariner: 3.0
         nvd: 3.0

diff --git a/integration/testdata/ubuntu-gp2-x86-vm.json.golden b/integration/testdata/ubuntu-gp2-x86-vm.json.golden
@@ -25,121 +25,37 @@
       "Type": "ubuntu",
       "Vulnerabilities": [
         {
-          "VulnerabilityID": "CVE-2022-2795",
-          "PkgID": "bind9-dnsutils@1:9.18.1-1ubuntu1.1",
-          "PkgName": "bind9-dnsutils",
-          "InstalledVersion": "1:9.18.1-1ubuntu1.1",
-          "FixedVersion": "1:9.18.1-1ubuntu1.2",
+          "VulnerabilityID": "CVE-2022-3715",
+          "PkgID": "bash@5.1-6ubuntu1",
+          "PkgName": "bash",
+          "InstalledVersion": "5.1-6ubuntu1",
           "Layer": {},
           "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2795",
-          "Title": "bind: processing large delegations may severely degrade resolver performance",
-          "Description": "By flooding the target resolver with queries exploiting this flaw an attacker",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3715",
+          "Title": "a heap-buffer-overflow in valid_parameter_transform",
+          "Description": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.",
           "Severity": "HIGH",
           "CweIDs": [
-            "CWE-400"
+            "CWE-787"
           ],
           "CVSS": {
             "nvd": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V3Score": 7.5
+              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+              "V3Score": 7.8
             },
             "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-              "V3Score": 5.3
+              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
+              "V3Score": 6.6
             }
           },
           "References": [
-            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
-            "https://access.redhat.com/security/cve/CVE-2022-2795",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795",
-            "https://kb.isc.org/docs/cve-2022-2795",
-            "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html",
-            "https://nvd.nist.gov/vuln/detail/CVE-2022-2795",
-            "https://ubuntu.com/security/notices/USN-5626-1",
-            "https://ubuntu.com/security/notices/USN-5626-2",
-            "https://www.debian.org/security/2022/dsa-5235"
+            "https://access.redhat.com/errata/RHSA-2023:0340",
+            "https://access.redhat.com/security/cve/CVE-2022-3715",
+            "https://bugzilla.redhat.com/2126720",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2126720"
           ],
-          "PublishedDate": "2022-09-21T11:15:00Z",
-          "LastModifiedDate": "2022-10-06T20:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2022-2795",
-          "PkgID": "bind9-host@1:9.18.1-1ubuntu1.1",
-          "PkgName": "bind9-host",
-          "InstalledVersion": "1:9.18.1-1ubuntu1.1",
-          "FixedVersion": "1:9.18.1-1ubuntu1.2",
-          "Layer": {},
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2795",
-          "Title": "bind: processing large delegations may severely degrade resolver performance",
-          "Description": "By flooding the target resolver with queries exploiting this flaw an attacker",
-          "Severity": "HIGH",
-          "CweIDs": [
-            "CWE-400"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V3Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
-            "https://access.redhat.com/security/cve/CVE-2022-2795",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795",
-            "https://kb.isc.org/docs/cve-2022-2795",
-            "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html",
-            "https://nvd.nist.gov/vuln/detail/CVE-2022-2795",
-            "https://ubuntu.com/security/notices/USN-5626-1",
-            "https://ubuntu.com/security/notices/USN-5626-2",
-            "https://www.debian.org/security/2022/dsa-5235"
-          ],
-          "PublishedDate": "2022-09-21T11:15:00Z",
-          "LastModifiedDate": "2022-10-06T20:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2022-2795",
-          "PkgID": "bind9-libs@1:9.18.1-1ubuntu1.1",
-          "PkgName": "bind9-libs",
-          "InstalledVersion": "1:9.18.1-1ubuntu1.1",
-          "FixedVersion": "1:9.18.1-1ubuntu1.2",
-          "Layer": {},
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2795",
-          "Title": "bind: processing large delegations may severely degrade resolver performance",
-          "Description": "By flooding the target resolver with queries exploiting this flaw an attacker",
-          "Severity": "HIGH",
-          "CweIDs": [
-            "CWE-400"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V3Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
-            "https://access.redhat.com/security/cve/CVE-2022-2795",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795",
-            "https://kb.isc.org/docs/cve-2022-2795",
-            "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html",
-            "https://nvd.nist.gov/vuln/detail/CVE-2022-2795",
-            "https://ubuntu.com/security/notices/USN-5626-1",
-            "https://ubuntu.com/security/notices/USN-5626-2",
-            "https://www.debian.org/security/2022/dsa-5235"
-          ],
-          "PublishedDate": "2022-09-21T11:15:00Z",
-          "LastModifiedDate": "2022-10-06T20:15:00Z"
+          "PublishedDate": "2023-01-05T15:15:00Z",
+          "LastModifiedDate": "2023-02-24T18:38:00Z"
         }
       ]
     }

diff --git a/integration/vm_test.go b/integration/vm_test.go
@@ -91,7 +91,7 @@ func TestVM(t *testing.T) {
 			// Set up the output file
 			outputFile := filepath.Join(tmpDir, "output.json")
 			if *update {
-				outputFile = tt.golden
+				outputFile = filepath.Join(currentDir, tt.golden)
 			}
 
 			// Get the absolute path of the golden file
@@ -100,7 +100,7 @@ func TestVM(t *testing.T) {
 
 			// Decompress the gzipped image file
 			imagePath := filepath.Join(tmpDir, imageFile)
-			testutil.DecompressGzip(t, tt.args.input, imagePath)
+			testutil.DecompressSparseGzip(t, tt.args.input, imagePath)
 
 			// Change the current working directory so that targets in the result could be the same as golden files.
 			err = os.Chdir(tmpDir)