fix(mariner): use advisory_id for definition file names

mariner/mariner.go

@@ -17,7 +17,7 @@ import (
 )
 
 const (
-	repoURL = "https://github.com/microsoft/CBL-MarinerVulnerabilityData/archive/refs/heads/main.tar.gz//CBL-MarinerVulnerabilityData-main"
+	repoURL = "https://github.com/microsoft/AzureLinuxVulnerabilityData/archive/refs/heads/main.tar.gz//AzureLinuxVulnerabilityData-main"
 	cblDir  = "mariner" // CBL-Mariner Vulnerability Data
 	retry   = 3
 
@@ -142,9 +142,7 @@ func (c Config) update(version, path string) error {
 	// write definitions
 	bar := pb.StartNew(len(oval.Definitions.Definition))
 	for _, def := range oval.Definitions.Definition {
-		vulnID := def.Metadata.Reference.RefID
-
-		if err := c.saveAdvisoryPerYear(filepath.Join(dirPath, definitionsDir), vulnID, def); err != nil {
+		if err := c.saveAdvisoryPerYear(filepath.Join(dirPath, definitionsDir), def); err != nil {
 			return xerrors.Errorf("failed to save advisory per year: %w", err)
 		}
 
@@ -154,8 +152,12 @@ func (c Config) update(version, path string) error {
 
 	return nil
 }
+func (c Config) saveAdvisoryPerYear(dirName string, def Definition) error {
+	// Use advisory_id for file name to avoid overwriting files when there are 2 definitions for same CVE
+	// cf. https://github.com/aquasecurity/trivy-db/issues/379
+	fileName := fmt.Sprintf("%s.json", AdvisoryID(def))
 
-func (c Config) saveAdvisoryPerYear(dirName string, vulnID string, def Definition) error {
+	vulnID := def.Metadata.Reference.RefID
 	if !strings.HasPrefix(vulnID, "CVE") {
 		log.Printf("discovered non-CVE-ID: %s", vulnID)
 		return ErrNonCVEID
@@ -168,8 +170,31 @@ func (c Config) saveAdvisoryPerYear(dirName string, vulnID string, def Definitio
 	}
 
 	yearDir := filepath.Join(dirName, s[1])
-	if err := utils.Write(filepath.Join(yearDir, fmt.Sprintf("%s.json", vulnID)), def); err != nil {
+	if err := utils.Write(filepath.Join(yearDir, fileName), def); err != nil {
 		return xerrors.Errorf("unable to write a JSON file: %w", err)
 	}
 	return nil
 }
+
+// AdvisoryID returns advisoryID for Definition.
+// If `advisory_id` field does not exist, create this field yourself using the Azure Linux format.
+//
+// Azure Linux uses `<number_after_last_colon_from_id>-<last_number_from_version>` format for `advisory_id`.
+// cf. https://github.com/aquasecurity/vuln-list-update/pull/271#issuecomment-2111678641
+// e.g.
+//   - `id="oval:com.microsoft.cbl-mariner:def:27423" version="2000000001"` => `27423-1`
+//   - `id="oval:com.microsoft.cbl-mariner:def:11073" version="2000000000"` => `11073`
+//   - `id="oval:com.microsoft.cbl-mariner:def:6343" version="1"` => `6343-1`
+//   - `id="oval:com.microsoft.cbl-mariner:def:6356" version="0"` => `6356`
+func AdvisoryID(def Definition) string {
+	id := def.Metadata.AdvisoryID
+	if id == "" {
+		ss := strings.Split(def.ID, ":")
+		id = ss[len(ss)-1]
+		// for `0` versions `-0` suffix is omitted.
+		if def.Version != "" && def.Version[len(def.Version)-1:] != "0" {
+			id = fmt.Sprintf("%s-%s", id, def.Version[len(def.Version)-1:])
+		}
+	}
+	return id
+}

mariner/mariner_test.go

@@ -66,3 +66,69 @@ func TestUpdate(t *testing.T) {
 		})
 	}
 }
+
+func TestAdvisoryID(t *testing.T) {
+	tests := []struct {
+		name string
+		def  mariner.Definition
+		want string
+	}{
+		{
+			name: "advisory_id without version",
+			def: mariner.Definition{
+				Metadata: mariner.Metadata{
+					AdvisoryID: "1111",
+				},
+			},
+			want: "1111",
+		},
+		{
+			name: "advisory_id with version",
+			def: mariner.Definition{
+				Metadata: mariner.Metadata{
+					AdvisoryID: "1111-2",
+				},
+			},
+			want: "1111-2",
+		},
+		{
+			name: "build advisoryID converting long version to 1",
+			def: mariner.Definition{
+				ID:      "oval:com.microsoft.cbl-mariner:def:27423",
+				Version: "2000000001",
+			},
+			want: "27423-1",
+		},
+		{
+			name: "build advisoryID converting long version to 0",
+			def: mariner.Definition{
+				ID:      "oval:com.microsoft.cbl-mariner:def:27423",
+				Version: "2000000000",
+			},
+			want: "27423",
+		},
+		{
+			name: "build advisoryID with short 1 version",
+			def: mariner.Definition{
+				ID:      "oval:com.microsoft.cbl-mariner:def:27423",
+				Version: "1",
+			},
+			want: "27423-1",
+		},
+		{
+			name: "build advisoryID with short 0 version",
+			def: mariner.Definition{
+				ID:      "oval:com.microsoft.cbl-mariner:def:27423",
+				Version: "0",
+			},
+			want: "27423",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := mariner.AdvisoryID(tt.def)
+			require.Equal(t, tt.want, got)
+		})
+	}
+}

mariner/testdata/golden/mariner/2.0/definitions/2014/CVE-2014-8139.json → mariner/testdata/golden/mariner/2.0/definitions/2014/6933.json

@@ -25,4 +25,4 @@
       "TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374850000269"
     }
   }
-}
+}

mariner/testdata/golden/mariner/2.0/definitions/2023/31872-1.json

@@ -0,0 +1,28 @@
+{
+  "Class": "vulnerability",
+  "ID": "oval:com.microsoft.cbl-mariner:def:31872",
+  "Version": "1",
+  "Metadata": {
+    "Title": "CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38",
+    "Affected": {
+      "Family": "unix",
+      "Platform": "CBL-Mariner"
+    },
+    "Reference": {
+      "RefID": "CVE-2023-5678",
+      "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678",
+      "Source": "CVE"
+    },
+    "Patchable": "true",
+    "AdvisoryID": "31872-1",
+    "Severity": "Medium",
+    "Description": "CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38. A patched version of the package is available."
+  },
+  "Criteria": {
+    "Operator": "AND",
+    "Criterion": {
+      "Comment": "Package edk2 is earlier than 20230301gitf80f052277c8-38, affected by CVE-2023-5678",
+      "TestRef": "oval:com.microsoft.cbl-mariner:tst:31872000"
+    }
+  }
+}

mariner/testdata/golden/mariner/2.0/definitions/2023/31880-1.json

@@ -0,0 +1,28 @@
+{
+  "Class": "vulnerability",
+  "ID": "oval:com.microsoft.cbl-mariner:def:31880",
+  "Version": "1",
+  "Metadata": {
+    "Title": "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28",
+    "Affected": {
+      "Family": "unix",
+      "Platform": "CBL-Mariner"
+    },
+    "Reference": {
+      "RefID": "CVE-2023-5678",
+      "RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-5678",
+      "Source": "CVE"
+    },
+    "Patchable": "true",
+    "AdvisoryID": "31880-1",
+    "Severity": "Medium",
+    "Description": "CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28. A patched version of the package is available."
+  },
+  "Criteria": {
+    "Operator": "AND",
+    "Criterion": {
+      "Comment": "Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678",
+      "TestRef": "oval:com.microsoft.cbl-mariner:tst:31880000"
+    }
+  }
+}

mariner/testdata/golden/mariner/2.0/objects/objects.json

@@ -14,6 +14,16 @@
       "ID": "oval:com.microsoft.cbl-mariner:obj:1643374850000669",
       "Version": "1643374850",
       "Name": "mysql"
+    },
+    {
+      "ID": "oval:com.microsoft.cbl-mariner:obj:31880001",
+      "Version": "0",
+      "Name": "openssl"
+    },
+    {
+      "ID": "oval:com.microsoft.cbl-mariner:obj:31872001",
+      "Version": "0",
+      "Name": "edk2"
     }
   ]
 }

mariner/testdata/golden/mariner/2.0/states/states.json

@@ -26,6 +26,24 @@
         "Datatype": "evr_string",
         "Operation": "less than or equal"
       }
+    },
+    {
+      "ID": "oval:com.microsoft.cbl-mariner:ste:31880002",
+      "Version": "0",
+      "Evr": {
+        "Text": "0:1.1.1k-28.cm2",
+        "Datatype": "evr_string",
+        "Operation": "less than"
+      }
+    },
+    {
+      "ID": "oval:com.microsoft.cbl-mariner:ste:31872002",
+      "Version": "0",
+      "Evr": {
+        "Text": "0:20230301gitf80f052277c8-38.cm2",
+        "Datatype": "evr_string",
+        "Operation": "less than"
+      }
     }
   ]
 }

mariner/testdata/golden/mariner/2.0/tests/tests.json

@@ -35,6 +35,30 @@
       "State": {
         "StateRef": "oval:com.microsoft.cbl-mariner:ste:1643374850000670"
       }
+    },
+    {
+      "Check": "at least one",
+      "Comment": "Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678",
+      "ID": "oval:com.microsoft.cbl-mariner:tst:31880000",
+      "Version": "0",
+      "Object": {
+        "ObjectRef": "oval:com.microsoft.cbl-mariner:obj:31880001"
+      },
+      "State": {
+        "StateRef": "oval:com.microsoft.cbl-mariner:ste:31880002"
+      }
+    },
+    {
+      "Check": "at least one",
+      "Comment": "Package edk2 is earlier than 20230301gitf80f052277c8-38, affected by CVE-2023-5678",
+      "ID": "oval:com.microsoft.cbl-mariner:tst:31872000",
+      "Version": "0",
+      "Object": {
+        "ObjectRef": "oval:com.microsoft.cbl-mariner:obj:31872001"
+      },
+      "State": {
+        "StateRef": "oval:com.microsoft.cbl-mariner:ste:31872002"
+      }
     }
   ]
 }

mariner/testdata/happy/cbl-mariner-2.0-preview-oval.xml

@@ -55,6 +55,38 @@
         <criterion comment="Package mysql is installed with version 8.0.24 or earlier" test_ref="oval:com.microsoft.cbl-mariner:tst:1643374850000854"/>
       </criteria>
     </definition>
+    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31880" version="1">
+      <metadata>
+        <title>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28</title>
+        <affected family="unix">
+          <platform>CBL-Mariner</platform>
+        </affected>
+        <reference ref_id="CVE-2023-5678" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-5678" source="CVE"/>
+        <patchable>true</patchable>
+        <advisory_id>31880-1</advisory_id>
+        <severity>Medium</severity>
+        <description>CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28. A patched version of the package is available.</description>
+      </metadata>
+      <criteria operator="AND">
+        <criterion comment="Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678" test_ref="oval:com.microsoft.cbl-mariner:tst:31880000"/>
+      </criteria>
+    </definition>
+    <definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:31872" version="1">
+      <metadata>
+        <title>CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38</title>
+        <affected family="unix">
+          <platform>CBL-Mariner</platform>
+        </affected>
+        <reference ref_id="CVE-2023-5678" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2023-5678" source="CVE"/>
+        <patchable>true</patchable>
+        <advisory_id>31872-1</advisory_id>
+        <severity>Medium</severity>
+        <description>CVE-2023-5678 affecting package edk2 for versions less than 20230301gitf80f052277c8-38. A patched version of the package is available.</description>
+      </metadata>
+      <criteria operator="AND">
+        <criterion comment="Package edk2 is earlier than 20230301gitf80f052277c8-38, affected by CVE-2023-5678" test_ref="oval:com.microsoft.cbl-mariner:tst:31872000"/>
+      </criteria>
+    </definition>
   </definitions>
   <tests>
     <linux-def:rpminfo_test check="at least one" comment="Package unzip is installed with version 6.0 or earlier" id="oval:com.microsoft.cbl-mariner:tst:1643374850000269" version="1643374850">
@@ -69,6 +101,14 @@
       <linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:1643374850000669"/>
       <linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:1643374850000670"/>
     </linux-def:rpminfo_test>
+    <linux-def:rpminfo_test check="at least one" comment="Package openssl is earlier than 1.1.1k-28, affected by CVE-2023-5678" id="oval:com.microsoft.cbl-mariner:tst:31880000" version="0">
+      <linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:31880001"/>
+      <linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:31880002"/>
+    </linux-def:rpminfo_test>
+    <linux-def:rpminfo_test check="at least one" comment="Package edk2 is earlier than 20230301gitf80f052277c8-38, affected by CVE-2023-5678" id="oval:com.microsoft.cbl-mariner:tst:31872000" version="0">
+      <linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:31872001"/>
+      <linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:31872002"/>
+    </linux-def:rpminfo_test>
   </tests>
   <objects>
     <linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:1643374850000123" version="1643374850">
@@ -80,6 +120,12 @@
     <linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:1643374850000669" version="1643374850">
       <linux-def:name>mysql</linux-def:name>
     </linux-def:rpminfo_object>
+    <linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:31880001" version="0">
+      <linux-def:name>openssl</linux-def:name>
+    </linux-def:rpminfo_object>
+    <linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:31872001" version="0">
+      <linux-def:name>edk2</linux-def:name>
+    </linux-def:rpminfo_object>
   </objects>
   <states>
     <linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:1643374850000031" version="1643374850">
@@ -91,5 +137,11 @@
     <linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:1643374850000670" version="1643374850">
       <linux-def:evr datatype="evr_string" operation="less than or equal">0:8.0.24-1.cm1</linux-def:evr>
     </linux-def:rpminfo_state>
+    <linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:31880002" version="0">
+      <linux-def:evr datatype="evr_string" operation="less than">0:1.1.1k-28.cm2</linux-def:evr>
+    </linux-def:rpminfo_state>
+    <linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:31872002" version="0">
+      <linux-def:evr datatype="evr_string" operation="less than">0:20230301gitf80f052277c8-38.cm2</linux-def:evr>
+    </linux-def:rpminfo_state>
   </states>
 </oval_definitions>