vulnsrc_rhel: one vulnerability by CVE

[yebinama]

Get one vulnerability by CVE_ID for RHEL instead of one by RHSA_ID so we can have NVD metadata added to the vulnerabilities.

Fixes #495

[jzelinskie]

Let's put this logic in the name function.

Also, let's try to do this and if there isn't a Source reference, we can failover to the RHSA value.

The same logic can be applied to links in the link function.

[yebinama]

I think that the name function was convenient when there was only one vulnerability to deal with.

This for loop creates one vulnerability for each CVE referenced by the RHSA (ie: (len(references) - 1) vulnerabilities).

Maybe I could iterate on definition.References on line 188 and call name and link with the reference instead of the definition?

Something like:

for _, definition := range ov.Definitions {
	pkgs := toFeatures(definition.Criteria)
	if len(pkgs) > 0 {
		var affected []database.AffectedFeature
		for _, p := range pkgs {
			affected = append(affected, p)
		}

		for _, reference := range definition.References {
			if reference.Source == "CVE" {
				vulnerability := database.VulnerabilityWithAffected{
					Vulnerability: database.Vulnerability{
						Severity:    severity(definition),
						Description: description(definition),
						Name:        name(reference),
						Link:           link(reference),
					},
					Affected: affected,
				}
				vulnerabilities = append(vulnerabilities, vulnerability)
			}
		}
	}
}

And then failover to a unique vulnerability with RHSA ID if there are no CVE at all.

[jzelinskie]

That sounds reasonable.

[jzelinskie]

Maybe we could leave this code the same, but rename the functions rhsaName(def) and rhsaLink(def).

[yebinama]

I agree on that, we can default to RHSA name and link.

[jzelinskie]

I don't see the reasoning behind removing this line and moving it anywhere else.

[yebinama]

I have to move this line because of the new behavior.
I'll try to explain with an example.

These are the references for an RHSA:

>   <reference source="RHSA" ref_id="RHSA-2015:1207-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1207.html"/>
>   <reference source="CVE" ref_id="CVE-2015-2722" ref_url="https://access.redhat.com/security/cve/CVE-2015-2722"/>
>   <reference source="CVE" ref_id="CVE-2015-2724" ref_url="https://access.redhat.com/security/cve/CVE-2015-2724"/>
>   <reference source="CVE" ref_id="CVE-2015-2725" ref_url="https://access.redhat.com/security/cve/CVE-2015-2725"/>

The actual behavior is to create only one vulnerability and name it "RHSA-2015:1207" which references these 3 CVE.
If we want to name the vulnerabilities with the CVE ID, we now have to create the 3 following vulnerabilities:

• CVE-2015-2722
• CVE-2015-2724
• CVE-2015-2725

That's why I iterate over definition.References and append a new vulnerability for each loop.

[jzelinskie]

If we default to rhsaName and rhsaLink, we could make this code a little more simple by making it along the lines of

// Prefer the CVE name and link if available.
if len(definition.References) > 1 {
  for _, ref := range definition.References {
    if ref.Source == "CVE" {
      vulnerability.Name = ref.ID
      vulnerability.Link = ref.URI
    }
  }
}

[yebinama]

Let's take the same example as above:

>   <reference source="RHSA" ref_id="RHSA-2015:1207-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1207.html"/>
>   <reference source="CVE" ref_id="CVE-2015-2722" ref_url="https://access.redhat.com/security/cve/CVE-2015-2722"/>
>   <reference source="CVE" ref_id="CVE-2015-2724" ref_url="https://access.redhat.com/security/cve/CVE-2015-2724"/>
>   <reference source="CVE" ref_id="CVE-2015-2725" ref_url="https://access.redhat.com/security/cve/CVE-2015-2725"/>

If we do that we will only create one vulnerability (CVE-2015-2725) and lose the data for the 2 others CVE.

[yebinama]

We don't have to test if (ref.Source == "CVE") since all the references starting from the index 1 are CVE.
We create one vulnerability for each CVE.
As append copies the vulnerability, we can reuse the same object for each loop and only change the name and the link.

[yebinama]

The RHSA is always the first reference.

[yebinama]

Only one reference, it's the RHSA. We append the default vulnerability.

[yebinama]

Let's take 3 examples to cover all cases and explain the behavior

Example1:

>   <reference source="RHSA" ref_id="RHSA-2015:1207-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1207.html"/>

We will only create one vulnerability:

• RHSA-2015-1207

Example2:

>   <reference source="RHSA" ref_id="RHSA-2015:1207-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1207.html"/>
>   <reference source="CVE" ref_id="CVE-2015-2722" ref_url="https://access.redhat.com/security/cve/CVE-2015-2722"/>

We'll create one vulnerability:

• CVE-2015-2722

Example3:

>   <reference source="RHSA" ref_id="RHSA-2015:1207-00" ref_url="https://rhn.redhat.com/errata/RHSA-2015-1207.html"/>
>   <reference source="CVE" ref_id="CVE-2015-2722" ref_url="https://access.redhat.com/security/cve/CVE-2015-2722"/>
>   <reference source="CVE" ref_id="CVE-2015-2724" ref_url="https://access.redhat.com/security/cve/CVE-2015-2724"/>
>   <reference source="CVE" ref_id="CVE-2015-2725" ref_url="https://access.redhat.com/security/cve/CVE-2015-2725"/>

We'll create 3 vulnerabilities:

• CVE-2015-2722
• CVE-2015-2724
• CVE-2015-2725

[jzelinskie]

This change looks good. Can you add a test for the Example 3 case? Thanks a bunch. I'm sorry for the delay and any confusion.

[yebinama]

Sure, I'll add a new test to cover all the cases.

[yebinama]

I've slightly changed the behavior.
The RHSA's severity is determined by the highest CVE's severity.
Now that we create one vulnerability by CVE, we can't use the RHSA's severity for CVE affected by a lower impact.
If no severity is defined, we use the default one (RHSA), else we use the specific one.

[jzelinskie]

Sorry about the delay. If you can rebase this change, I will merge it immediately.

[yebinama]

Done :)

[jzelinskie]

LGTM! Thank you for your patience. I'm really glad to get this merged.