-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reintroduce image scanning for openSUSE and SLE #506
Conversation
Thank you so much for reworking all of these changes! I'm really sorry for the slow response. We don't really have an e2e test framework, and the API changed this release. You can do manual testing by simply using cURL against the API server. It handles both gRPC and JSON over REST. I'd also like to see some changes to the documentation to include the licensing information for the data in the openSUSE database. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This mostly looks good since it's a lot of copypasta from the the RHEL vulnsrc. Ideally after this is merged, we can refactor some of the OVAL parsing into a library decoupled from the particular distribution.
ext/vulnsrc/suse/suse.go
Outdated
|
||
log "github.com/sirupsen/logrus" | ||
|
||
"fmt" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be grouped in the first section of imports
ext/vulnsrc/suse/suse.go
Outdated
up.UpdaterFlag = "openSUSEUpdater" | ||
up.FileRegexp = regexp.MustCompile(`opensuse.leap.(\d+\.*\d*).xml`) | ||
default: | ||
panic("Unrecognized flavor") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
panic("tried to create an updater for an unrecognized flavor of suse")
ext/vulnsrc/suse/suse.go
Outdated
if err != nil { | ||
return resp, err | ||
} | ||
log.WithField("flagvalue", flagValue) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This probably needs to be something like Debug level if it stays at all.
ext/vulnsrc/suse/suse.go
Outdated
|
||
// this contains the modification time of the most recent | ||
// file expressed as unix time (int64) | ||
latestOval, _ := strconv.ParseInt(flagValue, 10, 64) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why ignore this error?
ext/vulnsrc/suse/suse.go
Outdated
log.Fields{ | ||
"ovalFile": ovalFile, | ||
"updater": u.Name, | ||
}).Debug("file to check") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
log.WithFields(log.Fields{
"ovalFile": ovalFile,
"updater": u.Name,
}).Debug("file to check")
ext/vulnsrc/suse/suse.go
Outdated
} | ||
|
||
// timestamp format 2017-10-23T04:07:14 | ||
layout := "2006-1-2T15:04:05" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pull this out into a constant timeFormatOVAL
ext/vulnsrc/suse/suse.go
Outdated
Vulnerability: database.Vulnerability{ | ||
Name: name(definition), | ||
Link: link(definition), | ||
//TODO: handle that once openSUSE/SLE OVAL files have severity info |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pull this out into a function severity(definition)
that doesn't do anything but return UnknownSeverity, and has this comment.
ext/vulnsrc/suse/suse.go
Outdated
// Attempt to parse package data from trees of criterions. | ||
for _, c := range criterions { | ||
if match := suseInstalledCommentRegexp.FindStringSubmatch(c.Comment); match != nil { | ||
if len(match) != 4 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's easier to read this conditional if you keep it if (positive case) else negative case
.
if len(match) == 4 {
osVerison = ...
} else {
log.WithField().Warning()
}
ext/vulnsrc/suse/suse.go
Outdated
re := regexp.MustCompile(`-\d+\.`) | ||
|
||
matches := re.FindStringSubmatchIndex(fullname) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
get rid of this new line
ext/vulnsrc/suse/suse_test.go
Outdated
"libfreerdp2-2.0.0~git.1463131968.4e66df7-11.69 is installed": []string{"libfreerdp2", "2.0.0~git.1463131968.4e66df7-11.69"}, | ||
"ruby2.1-rubygem-sle2docker-0.2.3-5.1 is installed": []string{"ruby2.1-rubygem-sle2docker", "0.2.3-5.1"}, | ||
"xen-libs-4.4.1_06-2.2 is installed": []string{"xen-libs", "4.4.1_06-2.2"}, | ||
"runc-0.1.1+gitr2816_02f8fa7 is installed": []string{"runc", "0.1.1+gitr2816_02f8fa7"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add some tests for the failure scenario
@jzelinskie sorry for the late response... I've implemented all the changes you requested. Once you are fine with the changes I'll rebase this branch against master and squash all the commits into a single one. ❤️ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
couple of tiny nitpicks, but feel free to rebase now
ext/vulnsrc/suse/suse.go
Outdated
// Fetch the update list. | ||
r, err := http.Get(ovalURI) | ||
if err != nil { | ||
log.Fatal(err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This shouldn't be fatal.
ext/vulnsrc/suse/suse.go
Outdated
// Collect vulnerabilities. | ||
for _, v := range vs { | ||
resp.Vulnerabilities = append(resp.Vulnerabilities, v) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This for-loop can be done in one line:
resp.Vulnerabilities = append(resp.Vulnerabilities, vs...)
ext/vulnsrc/suse/suse.go
Outdated
} | ||
for _, p := range pkgs { | ||
vulnerability.Affected = append(vulnerability.Affected, p) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This for-loop can be done in one line:
vulnerability.Affected = append(vulnerability.Affected, pkgs...)
ext/vulnsrc/suse/suse.go
Outdated
} | ||
|
||
if suseOpenSUSEInstalledCommentRegexp.FindStringSubmatch(c.Comment) == nil && strings.HasSuffix(c.Comment, " is installed") { | ||
name, version, err := splitPackageNameAndVersion(c.Comment[:len(c.Comment)-13]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In order to make it obvious where 13
is coming from: len(c.Comment)-len(" is installed")
@jzelinskie I've update the code with the changes you proposed. Take a look at the changes I made and gimme the final green light for the rebase. |
I don't want this to hang any longer. Rebase away! |
bcf33b3
to
fd554e6
Compare
@jzelinskie done! |
fd554e6
to
47c6299
Compare
I did another forced push to address the style check errors reported by |
Hi Guys, any forecast when this feature will be available? |
Sorry for the silence around the holidays. This code all looks fine. I think all this PR needs is to add OpenSUSE to the documentation in a few places. Most importantly here: https://github.com/coreos/clair/blob/master/Documentation/drivers-and-data-sources.md#data-sources-for-the-built-in-drivers |
Handle scanning of openSUSE and SUSE Linux Enterprise images. Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Expand the documentation about the available data sources to mention openSUSE and SLE. Signed-off-by: Flavio Castelli <fcastelli@suse.com>
47c6299
to
1105102
Compare
@jzelinskie I did a rebase against master and then added a new commit which extends the documentation. Thanks for pointing that out. AFAIK this is the only place of the documentation that needs to be extended. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yay! Let's get this ball rolling!
As promised inside of #503... handle scanning of openSUSE and SUSE Linux Enterprise images.
The unit tests are passing but I wasn't able to test the code against real images because neither clair-scanner nor reg work against
master
's new API. Suggestions about how to test the changes are welcome 😃