package rhel
import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strconv"
	"strings"

	"github.com/quay/zlog"

	"github.com/quay/claircore/libvuln/driver"
	"github.com/quay/claircore/rhel/internal/pulp"
)
// DefaultManifest is the URL of the Red Hat OVAL v2 Pulp repository manifest.
//
// It is served over HTTPS; an operator override (FactoryConfig.URL) is not
// forced to be.
//
//doc:url updater
const DefaultManifest = "https://access.redhat.com/security/data/oval/v2/PULP_MANIFEST"
// NewFactory creates a Factory making updaters based on the contents of the
// provided pulp manifest.
//
// The context is currently unused. The manifest string goes through
// url.Parse, which accepts relative and schemeless input, so a manifest that
// is parseable but not fetchable is only reported later, when UpdaterSet
// performs the request. No HTTP client is set here; Configure must supply
// one before UpdaterSet is called.
func NewFactory(_ context.Context, manifest string) (*Factory, error) {
	u, err := url.Parse(manifest)
	if err != nil {
		return nil, err
	}
	return &Factory{url: u}, nil
}
// Factory contains the configuration for fetching and parsing a Pulp manifest.
//
// A Factory is created by NewFactory and completed by Configure; UpdaterSet
// reads every field below.
type Factory struct {
	// url is the manifest location. It is set by NewFactory and replaced by
	// Configure when FactoryConfig.URL is non-empty.
	url *url.URL
	// client performs the manifest fetch. It is only populated by Configure
	// and is dereferenced by UpdaterSet.
	client *http.Client
	// manifestEtag caches the ETag of the last fully processed manifest; it
	// is sent as If-None-Match on the next fetch.
	manifestEtag string
	// ignoreUnpatched is passed through to every Updater created by
	// UpdaterSet.
	ignoreUnpatched bool
}
// FactoryConfig is the configuration accepted by the rhel updaters.
//
// By convention, this should be in a map called "rhel".
type FactoryConfig struct {
	// URL, when non-empty, replaces the manifest URL given to NewFactory.
	// Only url.Parse validates it: the scheme and host are not restricted,
	// so operators pointing at a mirror should keep it on https, since this
	// manifest decides which vulnerability feeds get fetched.
	URL string `json:"url" yaml:"url"`
	// IgnoreUnpatched dictates whether to ingest unpatched advisory data
	// from the RHEL security feeds. It is copied verbatim by Configure, so
	// omitting the key resets it to false.
	IgnoreUnpatched bool `json:"ignore_unpatched" yaml:"ignore_unpatched"`
}
// Compile-time check that *Factory satisfies driver.Configurable.
var _ driver.Configurable = (*Factory)(nil)
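// Configure implements [driver.Configurable].
//
// The incoming config is decoded into a FactoryConfig. A non-empty URL
// replaces the manifest URL chosen in NewFactory and a non-nil client
// replaces the HTTP client; IgnoreUnpatched is always copied, so an omitted
// key resets it to false.
//
// Nothing restricts the scheme of the configured URL; the manifest drives
// which vulnerability feeds are fetched, so operators should keep it on
// https. When the manifest URL actually changes, the cached ETag from the
// previous URL is discarded so that a conditional request is never issued
// against a different resource.
func (f *Factory) Configure(ctx context.Context, cfg driver.ConfigUnmarshaler, c *http.Client) error {
	ctx = zlog.ContextWithValues(ctx, "component", "rhel/Factory.Configure")
	var fc FactoryConfig
	if err := cfg(&fc); err != nil {
		return err
	}
	zlog.Debug(ctx).Msg("loaded incoming config")
	if fc.URL != "" {
		u, err := url.Parse(fc.URL)
		if err != nil {
			return fmt.Errorf("rhel: parsing manifest URL %q: %w", fc.URL, err)
		}
		zlog.Info(ctx).
			Stringer("url", u).
			Msg("configured manifest URL")
		// An ETag is only meaningful for the resource it was issued for.
		if f.url == nil || f.url.String() != u.String() {
			f.manifestEtag = ""
		}
		f.url = u
	}
	if c != nil {
		zlog.Info(ctx).
			Msg("configured HTTP client")
		f.client = c
	}
	f.ignoreUnpatched = fc.IgnoreUnpatched
	return nil
}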
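// UpdaterSet implements [driver.UpdaterSetFactory].
//
// The manifest at f.url is fetched with a conditional GET whenever an ETag
// from a previous, fully processed fetch is cached. A 304, or a 200 that
// still carries the cached ETag, yields a single stub Updater named
// "rhel-all" so callers can record that every rhel updater is current.
// Otherwise the Pulp manifest is parsed and one Updater is created per entry
// whose path contains "RHEL<major>" (see guessFromPath); entries that do not
// match, or whose major version does not parse, are skipped.
//
// The returned Updaters determine the [claircore.Distribution] they're
// associated with based on the path in the Pulp manifest.
//
// Nothing here restricts the scheme or host of f.url or of the manifest
// entries: the manifest and its contents are treated as a trusted feed. A
// Factory that was never given an HTTP client (or a manifest URL) returns an
// error rather than panicking on a nil pointer. The cached ETag is only
// replaced after the whole manifest has been turned into Updaters, so a
// failure part-way forces a full re-fetch next time.
func (f *Factory) UpdaterSet(ctx context.Context) (driver.UpdaterSet, error) {
	s := driver.NewUpdaterSet()
	// NewFactory sets url but not client; a zero or half-configured Factory
	// is reported as a misconfiguration instead of dereferencing nil.
	if f.url == nil {
		return s, errors.New("rhel: no manifest URL configured")
	}
	if f.client == nil {
		return s, errors.New("rhel: no HTTP client configured; call Configure first")
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, f.url.String(), nil)
	if err != nil {
		return s, err
	}
	if f.manifestEtag != "" {
		req.Header.Set("if-none-match", f.manifestEtag)
	}
	res, err := f.client.Do(req)
	if res != nil {
		defer res.Body.Close()
	}
	if err != nil {
		return s, err
	}
	switch res.StatusCode {
	case http.StatusOK:
		if t := f.manifestEtag; t == "" || t != res.Header.Get("etag") {
			break
		}
		// The server ignored If-None-Match but the ETag is unchanged; treat
		// it exactly like a 304.
		fallthrough
	case http.StatusNotModified:
		// Return a stub updater to allow us to record that all rhel
		// updaters are up to date.
		stubUpdater := Updater{name: "rhel-all"}
		s.Add(&stubUpdater)
		return s, nil
	default:
		return s, fmt.Errorf("unexpected response: %v", res.Status)
	}
	// NOTE(review): no size cap on the body is visible here; confirm that
	// pulp.Manifest.Load bounds what it reads, or wrap res.Body in an
	// io.LimitReader.
	var manifest pulp.Manifest
	if err := manifest.Load(res.Body); err != nil {
		return s, fmt.Errorf("rhel: loading pulp manifest: %w", err)
	}
	for _, e := range manifest {
		name := strings.TrimSuffix(strings.ReplaceAll(e.Path, "/", "-"), ".oval.xml.bz2")
		// We need to disregard this OVAL stream because some advisories therein have
		// been released with the CPEs identical to those used in classic RHEL stream.
		// This in turn causes false CVEs to appear in scanned images. Red Hat Product
		// Security is working on fixing this situation and the plan is to remove this
		// exception in the future.
		if name == "RHEL7-rhel-7-alt" {
			continue
		}
		// Entry paths are resolved against the manifest URL with url.Parse
		// semantics, so an absolute URL inside the manifest is honored as-is.
		// Pin the scheme/host here if the manifest source ever stops being
		// fully trusted.
		uri, err := f.url.Parse(e.Path)
		if err != nil {
			return s, err
		}
		// sub (not m) so the manifest variable is not shadowed.
		sub := guessFromPath.FindStringSubmatch(uri.Path)
		if sub == nil {
			continue
		}
		r, err := strconv.Atoi(sub[1])
		if err != nil {
			// Only reachable on overflow, since the capture is all digits.
			zlog.Info(ctx).
				Err(err).
				Str("path", uri.Path).
				Msg("unable to parse pattern into int")
			continue
		}
		up, err := NewUpdater(name, r, uri.String(), f.ignoreUnpatched)
		if err != nil {
			return s, err
		}
		// Add's result is intentionally dropped, as before. NOTE(review):
		// presumably it reports a duplicate name — confirm against
		// driver.UpdaterSet before relying on that.
		_ = s.Add(up)
	}
	f.manifestEtag = res.Header.Get("etag")
	return s, nil
}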
// guessFromPath extracts the RHEL major version from a manifest entry path:
// capture group 1 is the first run of digits that immediately follows "RHEL"
// anywhere in the path (the pattern is unanchored, so only the first match
// counts).
var guessFromPath = regexp.MustCompile(`RHEL([0-9]+)`)