rhel: add csaf/vex updater #1165
Changes from all commits
b868619
a273882
dec1f1c
ce1075a
27eae66
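--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,4 @@
+-- The rhel-vex updater will now be responsible for RHEL advisories so we have
+-- to delete the existing rhel vulnerabilities.
+DELETE FROM update_operation WHERE updater ~ 'RHEL[5-9]-*';
+DELETE FROM vuln where updater ~ 'RHEL[5-9]-*';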
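Review bot: The pattern `'RHEL[5-9]-*'` used by both DELETEs is unanchored and `-*` matches zero or more hyphens, so it matches any updater name that merely contains `RHEL5` through `RHEL9` anywhere, not only names of the form `RHEL8-…`; if the intent is the existing RHEL OVAL updater names, anchor it in both statements: `WHERE updater ~ '^RHEL[5-9]-'`. Whether any other updater has a name the looser pattern would catch is not visible here, but an over-broad match silently drops that updater's vulnerabilities and update operations until its next run, which is the kind of gap that is hard to notice. Unless the migration runner already wraps each file in a transaction, it is also worth making the two deletes atomic so a failure after the first does not leave `vuln` rows whose `update_operation` records are gone.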
@@ -2,15 +2,21 @@ | |
|
||
import ( | ||
"context" | ||
"strings" | ||
|
||
version "github.com/knqyf263/go-rpm-version" | ||
|
||
"github.com/quay/zlog" | ||
|
||
"github.com/quay/claircore" | ||
"github.com/quay/claircore/libvuln/driver" | ||
"github.com/quay/claircore/toolkit/types/cpe" | ||
) | ||
|
||
// Matcher implements driver.Matcher. | ||
type Matcher struct{} | ||
type Matcher struct { | ||
ignoreUnpatched bool | ||
} | ||
|
||
var _ driver.Matcher = (*Matcher)(nil) | ||
|
||
|
@@ -25,15 +31,52 @@ | |
} | ||
|
||
// Query implements driver.Matcher. | ||
func (*Matcher) Query() []driver.MatchConstraint { | ||
return []driver.MatchConstraint{ | ||
driver.PackageModule, | ||
driver.RepositoryName, | ||
Why remove the repo check here and place it in
As a result of SECDATA-496 (not linking as it's internal) it was decided that unpatched advisories would not be related to all potential repos but would be related to a subset (using CPE's URI binding matching notation). This means that comparing the repo is more involved than
||
func (m *Matcher) Query() []driver.MatchConstraint { | ||
mcs := []driver.MatchConstraint{driver.PackageModule} | ||
Curious: why do we check the package module? Does every package have a related module? Why not check for distribution name?
We are not deriving any distribution info from the VEX data. The OVAL updater didn't derive distribution from the data either; it parses the name of the file, and this info isn't used for matching.
||
if m.ignoreUnpatched { | ||
mcs = append(mcs, driver.HasFixedInVersion) | ||
} | ||
return mcs | ||
} | ||
|
||
// isCPESubstringMatch is a hack that accounts for CPEs in the VEX | ||
// data that are expected to be treated as subset matching CPEs but | ||
// don't use the correct syntax defined in the spec. | ||
// E.g. cpe:/a:redhat:openshift:4.13::el8 is expected to match to | ||
// cpe:/a:redhat:openshift:4. | ||
// TODO: Remove once RH VEX data updates CPEs with the correct matching | ||
// syntax. | ||
func isCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool { | ||
return strings.HasPrefix(strings.TrimRight(recordCPE.String(), ":*"), strings.TrimRight(vulnCPE.String(), ":*")) | ||
} | ||
|
||
// Vulnerable implements driver.Matcher. | ||
func (m *Matcher) Vulnerable(_ context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) { | ||
// | ||
// Vulnerable will interpret the claircore.Vulnerability.Repo.CPE | ||
// as a CPE match expression, and to be considered vulnerable, | ||
// the relationship between claircore.IndexRecord.Repository.CPE and | ||
// the claircore.Vulnerability.Repo.CPE needs to be a CPE Name Comparison | ||
// Relation of SUBSET(⊂)(source is a subset of, or equal to the target). | ||
// https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7696.pdf Section 6.2. | ||
func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) { | ||
if vuln.Repo == nil || record.Repository == nil || vuln.Repo.Key != repositoryKey { | ||
return false, nil | ||
} | ||
var err error | ||
// This conversion has to be done because our current data structure doesn't | ||
// support the claircore.Vulnerability.Repo.CPE field. | ||
vuln.Repo.CPE, err = cpe.Unbind(vuln.Repo.Name) | ||
if err != nil { | ||
zlog.Warn(ctx). | ||
Str("vulnerability name", vuln.Name). | ||
Err(err). | ||
Msg("unable to unbind repo CPE") | ||
return false, nil | ||
} | ||
if !cpe.Compare(record.Repository.CPE, vuln.Repo.CPE).IsSubset() && !isCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) { | ||
return false, nil | ||
} | ||
|
||
pkgVer := version.NewVersion(record.Package.Version) | ||
var vulnVer version.Version | ||
// Assume the vulnerability record we have is for the last known vulnerable | ||
|
Can we test OpenShift CPEs? Has there been an agreement on whether Prod Sec or Claircore will have to handle OpenShift CPEs?
If the provided pattern doesn't match what it's "meant" to (and there's not a bug in the match implementation), it's a bug in the data.
hard to tell without context: what was this overwriting before? How bad was this?
For context:
Filter()
methodmap[record.Package.ID][]vuln
).Vulnerable()
we iterate through the records and check if it (the record) is vulnerable to any of its potential vulns — that is the `filtered` map we're referring to. So we have a situation where previously the `record.Package.ID` was specific enough because there was only one `record` with that `record.Package.ID`, because we were querying on the `RepoName`. Now there are multiple `record`s with the same `record.Package.ID` but different `record.Repo`s. Hence, the last `record` with a random `Repo` would overwrite any potential legitimate vulnerabilities if the matches weren't appended.