Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

incorrect regex matching for rhel6 #436

Closed
kbrwn opened this issue Jul 26, 2017 · 5 comments
Closed

incorrect regex matching for rhel6 #436

kbrwn opened this issue Jul 26, 2017 · 5 comments
Labels
kind/bug things are not as they seem

Comments

@kbrwn
Copy link

kbrwn commented Jul 26, 2017

When using rhel6 as the base os /etc/redhat-release is how the os version is identified:

$ docker run -it  registry.access.redhat.com/rhel6/rhel:6.8-127 cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)

This file matches the regex used to identify oracle linux and outputs an invalid os name to the clair database:

clairtest=# select * from namespace;
 id |      name       | version_format 
----+-----------------+----------------
[...]
 25 | enterprise:6    | rpm
(25 rows)

The result is that this image is not checked against the correct CVEs and will show up as passed in the registry.

https://play.golang.org/p/P4K8HDyAFG

https://github.com/coreos/clair/blob/master/ext/featurens/redhatrelease/redhatrelease.go#L54

@Djelibeybi @jzelinskie
@jzelinskie jzelinskie added the kind/bug things are not as they seem label Jul 26, 2017
@strantalis
Copy link

Could this be as simple as changing the order in which the os is evaluated. Basically evaluating rhel first. Not sure if I might be missing something but put together a working example that works and one that doesn't.

Working Example
Not Working Example

@Djelibeybi
Copy link
Contributor

Djelibeybi commented Aug 9, 2017
edited

If you run the same command on Oracle Linux, it returns the same value:

$ docker run -it --rm oraclelinux:6 cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.9 (Santiago)

So, we have to test for Oracle Linux first, using /etc/oracle-release before we test for Red Hat:

$ docker run -it --rm oraclelinux:6 cat /etc/oracle-release
Oracle Linux Server release 6.9

That's why /etc/oracle-release is the first file in the list to check and why we test for Oracle Linux first, because it's designed to look like Red Hat.

@strantalis
Copy link

If its iterating over these values in that order wouldn't it look for /etc/oracle-release first?

func (d detector) RequiredFilenames() []string {
	return []string{"etc/oracle-release", "etc/centos-release", "etc/redhat-release", "etc/system-release"}
}

@Djelibeybi
Copy link
Contributor

I'll leave this up to @jzelinskie to debug.

@joerayme
Copy link
Contributor

joerayme commented Jan 3, 2018

We've just encountered the same issue. I think to fix it we may need to tweak the regexes.

What seems to be happening is it first looks for the Oracle match ((?P<os>[^\s]*) (Linux Server release) (?P<version>[\d]+)) and applies this to the content of /etc/redhat-release which in RHEL is e.g. "Red Hat Enterprise Linux Server release 7.2 (Maipo)". So the regex match will be:

  1. Enterprise
  2. Linux Server release
  3. 7

This results in the namespace being incorrectly identified as 'enterprise' as match 1 is then taken and lowercased on https://github.com/coreos/clair/blob/master/ext/featurens/redhatrelease/redhatrelease.go#L57

Is there a reason the Oracle regex doesn't just say (?P<os>Oracle) (Linux Server release) (?P<version>[\d]+)?

joerayme added a commit to joerayme/clair that referenced this issue Jan 12, 2018
@joerayme
featurens: Ensure RHEL is correctly identified
a32769f 
When trying to identify various RedHat releases, RHEL was not being
picked up as a centos release because the Oracle Linux regex was too
permissive: it would match any release name with '<something> Linux
Server release' in the name. By being more restrictive with the Oracle
regex, RHEL is now properly identified.

I don't know why the Oracle regex used such a permissive matcher for the
name but it still passes all the tests by replacing it with the word
'Oracle'.

Fixes quay#436
joerayme added a commit to joerayme/clair that referenced this issue Jan 12, 2018
@joerayme
featurens: Ensure RHEL is correctly identified
947a8aa 
When trying to identify various RedHat releases, RHEL was not being
picked up as a centos release because the Oracle Linux regex was too
permissive: it would match any release name with '<something> Linux
Server release' in the name. By being more restrictive with the Oracle
regex, RHEL is now properly identified.

I don't know why the Oracle regex used such a permissive matcher for the
name but it still passes all the tests by replacing it with the word
'Oracle'.

Fixes quay#436
@joerayme joerayme mentioned this issue Jan 12, 2018
Merged
joerayme added a commit to joerayme/clair that referenced this issue Jan 15, 2018
@joerayme
featurens: Ensure RHEL is correctly identified
0caae76 
When trying to identify various RedHat releases, RHEL was not being
picked up as a centos release because the Oracle Linux regex was too
permissive: it would match any release name with '<something> Linux
Server release' in the name. By being more restrictive with the Oracle
regex, RHEL is now properly identified.

I don't know why the Oracle regex used such a permissive matcher for the
name but it still passes all the tests by replacing it with the word
'Oracle'.

Fixes quay#436
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug things are not as they seem
Milestone
No milestone
Development

No branches or pull requests
5 participants
@joerayme @Djelibeybi @jzelinskie @kbrwn @strantalis