rhel: add csaf/vex updater #1165
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1165 +/- ##
==========================================
+ Coverage 55.25% 55.35% +0.10%
==========================================
Files 278 282 +4
Lines 17199 17834 +635
==========================================
+ Hits 9503 9872 +369
- Misses 6738 6928 +190
- Partials 958 1034 +76 ☔ View full report in Codecov by Sentry. |
crozzy
force-pushed
the
csaf-vex
branch
7 times, most recently
from
a834c67
to
0c787f2
Compare
crozzy
force-pushed
the
csaf-vex
branch
7 times, most recently
from
758d6a4
to
fbfbf82
Compare
crozzy
force-pushed
the
csaf-vex
branch
4 times, most recently
from
89006e1
to
4deb036
Compare
crozzy
force-pushed
the
csaf-vex
branch
5 times, most recently
from
12e41cb
to
052599d
Compare
hdonnay
reviewed
Feb 5, 2024
hdonnay
reviewed
Feb 5, 2024
hdonnay
reviewed
Feb 5, 2024
crozzy
force-pushed
the
csaf-vex
branch
2 times, most recently
from
7d90161
to
a5d8a67
Compare
crozzy
force-pushed
the
csaf-vex
branch
6 times, most recently
from
272c600
to
7b20cac
Compare
hdonnay
reviewed
Jul 30, 2024
rhel/matcher.go
Outdated
| // as a CPE match expression, and to be considered vulnerable, | ||
| // the relationship between claircore.IndexRecord.Repository.CPE and | ||
| // the claircore.Vulnerability.Repo.CPE needs to be a CPE Name Comparison | ||
| // Relation of SUBSET(⊂)(source is a subset of, or equal to the target). |
There was a problem hiding this comment.
Should be ⊇ (or the spec SUPERSET) -- "Source is a superset or equal to the target"
crozzy
force-pushed
the
csaf-vex
branch
5 times, most recently
from
d43b87e
to
ea4747f
Compare
RTann
reviewed
Aug 6, 2024
rhel/vex/fetcher.go
Outdated
Comment on lines
154
to
156
| // Here we are construct new-line-delimited JSON by first compacting the | ||
| // JSON from the file, writing a newline to the bc buf and appending the | ||
| // compacted JSON, and finally writing all those bytes to the snappy.Writer. |
There was a problem hiding this comment.
Suggested change
| // Here we are construct new-line-delimited JSON by first compacting the | |
| // JSON from the file, writing a newline to the bc buf and appending the | |
| // compacted JSON, and finally writing all those bytes to the snappy.Writer. | |
| // Here we construct new-line-delimited JSON by first compacting the | |
| // JSON from the file, writing a newline to the bc buf and appending the | |
| // compacted JSON, and finally writing all those bytes to the snappy.Writer. |
Also I think the ordering here is incorrect. First the compacted JSON is written, then the newline
rhel/vex/parser.go
Outdated
| // DeltaParse implements [driver.DeltaUpdater]. | ||
| func (u *Updater) DeltaParse(ctx context.Context, contents io.ReadCloser) ([]*claircore.Vulnerability, []string, error) { | ||
| ctx = zlog.ContextWithValues(ctx, "component", "rhel/vex/Updater.DeltaParse") | ||
| // This map is needed for deduplication purposes, the compressed CSAF data maybe include |
There was a problem hiding this comment.
Suggested change
| // This map is needed for deduplication purposes, the compressed CSAF data maybe include | |
| // This map is needed for deduplication purposes, the compressed CSAF data may include |
Replace the Red Hat OVALv2 update source with the Red Hat CSAF/VEX data. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Start matching repository CPEs based on the CPE subset relation. This change interprets VEX CPEs identifying Red Hat repositories as CPE matching expressions and looks for a subset relation with the record's repositoty CPE. This change also introduces a fallback to deal with CPEs in the VEX data that are expected to describe a subset relationship but don't use the correct matching syntax, in these cases matching is done with a crude string prefix match. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Previously the IgnoreUnpatched config key was a part of the RHEL updater and would dictate whether or not the updater would ingest unpatched vulnerabilities. This change moves that key to the RHEL matcher and dictates whether the matcher should check for a fixed_in_version when querying potential vulnerabilities. This makes the config option more usable at the expense of DB size. Signed-off-by: crozzy <joseph.crosland@gmail.com>
Given that the rhel-vex data will be responsible for Red Hat vulnerabilities we no longer want the existing OVAL updater to be a default (or even selectable). This patch also removes existing RHEL OVAL data from the matcher DB. Signed-off-by: crozzy <joseph.crosland@gmail.com>
|
@RTann I can't reply in-line to this comment
Yes, we can move it, if you're going earlier you shouldn't need to change anything, if you're going later and you want earlier vulns to not be available for matching anymore you can iterate the version ( |
RTann
approved these changes
Aug 17, 2024
Comment on lines
+63
to
+66
| links := []string{} | ||
| for _, r := range v.References { | ||
| links = append(links, r.URL) | ||
| } |
There was a problem hiding this comment.
I'm referring to this "self" under vulnerabilities.references:
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-3727"
},
{
"category": "external",
"summary": "RHBZ#2274767",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2274767"
},
not sure if it's guaranteed to be first, but it's definitely the one users will care about most. Though, that can just be the client's problem to fetch it, if that's the one they want (for example StackRox can just search for the link prefixed with https://access.redhat.com/security/cve/CVE-
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TODO