quay · crozzy · Feb 2, 2024 · Apr 25, 2024 · May 9, 2024 · May 14, 2024
@@ -0,0 +1,4 @@
+-- The rhel-vex updater will now be responsible for RHEL advisories so we have
+-- to delete the existing rhel vulnerabilities.
+DELETE FROM update_operation WHERE updater ~ 'RHEL[5-9]-*';
+DELETE FROM vuln where updater ~ 'RHEL[5-9]-*';
@@ -108,4 +108,8 @@ var MatcherMigrations = []migrate.Migration{
 		ID: 12,
 		Up: runFile("matcher/12-add-latest_update_operation-index.sql"),
 	},
+	{
+		ID: 13,
+		Up: runFile("matcher/13-delete-rhel-oval.sql"),
+	},
 }
@@ -7,6 +7,7 @@ import (
 
 	"github.com/doug-martin/goqu/v8"
 	_ "github.com/doug-martin/goqu/v8/dialect/postgres"
+	"github.com/doug-martin/goqu/v8/exp"
 
 	"github.com/quay/claircore"
 	"github.com/quay/claircore/datastore"
@@ -70,6 +71,8 @@ func buildGetQuery(record *claircore.IndexRecord, opts *datastore.GetOpts) (stri
 			ex = goqu.Ex{"dist_arch": record.Distribution.Arch}
 		case driver.RepositoryName:
 			ex = goqu.Ex{"repo_name": record.Repository.Name}
+		case driver.HasFixedInVersion:
+			ex = goqu.Ex{"fixed_in_version": goqu.Op{exp.NeqOp.String(): ""}}
 		default:
 			return "", fmt.Errorf("was provided unknown matcher: %v", m)
 		}

@@ -202,6 +202,20 @@ func TestGetQueryBuilderDeterministicArgs(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "FixedInVersion",
+			expectedQuery: preamble + both +
+				`("fixed_in_version" != '')` + epilogue,
+			matchExps: []driver.MatchConstraint{driver.HasFixedInVersion},
+			indexRecord: func() *claircore.IndexRecord {
+				pkgs := test.GenUniquePackages(1)
+				dists := test.GenUniqueDistributions(1)
+				return &claircore.IndexRecord{
+					Package:      pkgs[0],
+					Distribution: dists[0],
+				}
+			},
+		},
 	}
 
 	// This is safe to do because SQL doesn't care about what whitespace is

@@ -15,8 +15,9 @@ require (
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
+	github.com/package-url/packageurl-go v0.1.2
 	github.com/prometheus/client_golang v1.19.0
-	github.com/quay/claircore/toolkit v1.2.0
+	github.com/quay/claircore/toolkit v1.2.1
 	github.com/quay/claircore/updater/driver v1.0.0
 	github.com/quay/goval-parser v0.8.8
 	github.com/quay/zlog v1.1.8

@@ -133,6 +133,8 @@ github.com/mattn/go-sqlite3 v1.10.0 h1:jbhqpg7tQe4SupckyijYiy0mJJ/pRyHvXf7JdWK86
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/package-url/packageurl-go v0.1.2 h1:0H2DQt6DHd/NeRlVwW4EZ4oEI6Bn40XlNPRqegcxuo4=
+github.com/package-url/packageurl-go v0.1.2/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -146,8 +148,8 @@ github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSz
 github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
-github.com/quay/claircore/toolkit v1.2.0 h1:cgMCIJH8Gzl/7p6y4hVAhSEvPvT9iGWHcmpIeO8PbJQ=
-github.com/quay/claircore/toolkit v1.2.0/go.mod h1:m6ZRpxJClVAraNpIYyCsW/ULF/33ye7KkGTyNTMwvDY=
+github.com/quay/claircore/toolkit v1.2.1 h1:6cpa0xGWtFIn7QAsc8zbJohQ7Tm8yOGZMCq/iQkrsqQ=
+github.com/quay/claircore/toolkit v1.2.1/go.mod h1:m6ZRpxJClVAraNpIYyCsW/ULF/33ye7KkGTyNTMwvDY=
 github.com/quay/goval-parser v0.8.8 h1:Uf+f9iF2GIR5GPUY2pGoa9il2+4cdES44ZlM0mWm4cA=
 github.com/quay/goval-parser v0.8.8/go.mod h1:Y0NTNfPYOC7yxsYKzJOrscTWUPq1+QbtHw4XpPXWPMc=
 github.com/quay/zlog v1.1.8 h1:/cKgHpqKu3g7mB9OlvnfbqrbPIssyxeameDBytGPrNs=

@@ -142,7 +142,7 @@ func (mc *Controller) filter(ctx context.Context, interested []*claircore.IndexR
 		if err != nil {
 			return nil, err
 		}
-		filtered[record.Package.ID] = match
+		filtered[record.Package.ID] = append(filtered[record.Package.ID], match...)
 	}
 	return filtered, nil
 }

@@ -41,6 +41,8 @@ const (
 	DistributionPrettyName
 	// should match claircore.Package.Repository.Name => claircore.Vulnerability.Package.Repository.Name
 	RepositoryName
+	// should match claircore.Vulnerability.FixedInVersion != ""
+	HasFixedInVersion
 )
 
 // Matcher is an interface which a Controller uses to query the vulnstore for vulnerabilities.

@@ -53,13 +53,13 @@ var defaultMatchers = []driver.Matcher{
 	&photon.Matcher{},
 	&python.Matcher{},
 	rhcc.Matcher,
-	&rhel.Matcher{},
 	&ruby.Matcher{},
 	&suse.Matcher{},
 	&ubuntu.Matcher{},
 }
 
 func inner(ctx context.Context) error {
+	registry.Register("rhel", &rhel.MatcherFactory{})
 	for _, m := range defaultMatchers {
 		mf := driver.MatcherStatic(m)
 		registry.Register(m.Name(), mf)

@@ -2,15 +2,21 @@
 
 import (
 	"context"
+	"strings"
 
 	version "github.com/knqyf263/go-rpm-version"
 
+	"github.com/quay/zlog"
+
 	"github.com/quay/claircore"
 	"github.com/quay/claircore/libvuln/driver"
+	"github.com/quay/claircore/toolkit/types/cpe"
 )
 
 // Matcher implements driver.Matcher.
-type Matcher struct{}
+type Matcher struct {
+	ignoreUnpatched bool
+}
 
 var _ driver.Matcher = (*Matcher)(nil)
 
@@ -25,15 +31,52 @@
 }
 
 // Query implements driver.Matcher.
-func (*Matcher) Query() []driver.MatchConstraint {
-	return []driver.MatchConstraint{
-		driver.PackageModule,
-		driver.RepositoryName,
+func (m *Matcher) Query() []driver.MatchConstraint {
+	mcs := []driver.MatchConstraint{driver.PackageModule}
+	if m.ignoreUnpatched {
+		mcs = append(mcs, driver.HasFixedInVersion)
 	}
+	return mcs
+}
+
+// isCPESubstringMatch is a hack that accounts for CPEs in the VEX
+// data that are expected to be treated as subset matching CPEs but
+// don't use the correct syntax defined in the spec.
+// E.g. cpe:/a:redhat:openshift:4.13::el8 is expected to match to
+// cpe:/a:redhat:openshift:4.
+// TODO: Remove once RH VEX data updates CPEs with the correct matching
+// syntax.
+func isCPESubstringMatch(recordCPE cpe.WFN, vulnCPE cpe.WFN) bool {
+	return strings.HasPrefix(strings.TrimRight(recordCPE.String(), ":*"), strings.TrimRight(vulnCPE.String(), ":*"))
 }
 
 // Vulnerable implements driver.Matcher.
-func (m *Matcher) Vulnerable(_ context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
+//
+// Vulnerable will interpret the claircore.Vulnerability.Repo.CPE
+// as a CPE match expression, and to be considered vulnerable,
+// the relationship between claircore.IndexRecord.Repository.CPE and
+// the claircore.Vulnerability.Repo.CPE needs to be a CPE Name Comparison
+// Relation of SUBSET(⊂)(source is a subset of, or equal to the target).
+// https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7696.pdf Section 6.2.
+func (m *Matcher) Vulnerable(ctx context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
+	if vuln.Repo == nil || record.Repository == nil || vuln.Repo.Key != repositoryKey {
+		return false, nil
+	}
+	var err error
+	// This conversion has to be done because our current data structure doesn't
+	// support the claircore.Vulnerability.Repo.CPE field.
+	vuln.Repo.CPE, err = cpe.Unbind(vuln.Repo.Name)
+	if err != nil {
+		zlog.Warn(ctx).
+			Str("vulnerability name", vuln.Name).
+			Err(err).
+			Msg("unable to unbind repo CPE")
+		return false, nil
+	}
+	if !cpe.Compare(record.Repository.CPE, vuln.Repo.CPE).IsSubset() && !isCPESubstringMatch(record.Repository.CPE, vuln.Repo.CPE) {
+		return false, nil
+	}
+
 	pkgVer := version.NewVersion(record.Package.Version)
 	var vulnVer version.Version
 	// Assume the vulnerability record we have is for the last known vulnerable

@@ -21,6 +21,7 @@ import (
 	"github.com/quay/claircore/pkg/ctxlock"
 	"github.com/quay/claircore/test/integration"
 	pgtest "github.com/quay/claircore/test/postgres"
+	"github.com/quay/claircore/toolkit/types/cpe"
 )
 
 func TestMain(m *testing.M) {
@@ -118,43 +119,119 @@ func TestVulnerable(t *testing.T) {
 		Package: &claircore.Package{
 			Version: "0.33.0-6.el8",
 		},
+		Repository: &claircore.Repository{
+			CPE:  cpe.MustUnbind("cpe:/o:redhat:enterprise_linux:8::baseos"),
+			Name: "cpe:/o:redhat:enterprise_linux:8::baseos",
+			Key:  "rhel-cpe-repository",
+		},
+	}
+	openshiftRecord := &claircore.IndexRecord{
+		Package: &claircore.Package{
+			Version: "0.33.0-6.el8",
+		},
+		Repository: &claircore.Repository{
+			CPE:  cpe.MustUnbind("cpe:/a:redhat:openshift:4.13::el8"),
+			Name: "cpe:/o:redhat:enterprise_linux:8::baseos",
+			Key:  "rhel-cpe-repository",
+		},
 	}
 	fixedVulnPast := &claircore.Vulnerability{
 		Package: &claircore.Package{
 			Version: "",
 		},
 		FixedInVersion: "0.33.0-5.el8",
+		Repo: &claircore.Repository{
+			Name: "cpe:/o:redhat:enterprise_linux:8::baseos",
+			Key:  "rhel-cpe-repository",
+		},
 	}
 	fixedVulnCurrent := &claircore.Vulnerability{
 		Package: &claircore.Package{
 			Version: "",
 		},
 		FixedInVersion: "0.33.0-6.el8",
+		Repo: &claircore.Repository{
+			Name: "cpe:/o:redhat:enterprise_linux:8::baseos",
+			Key:  "rhel-cpe-repository",
+		},
 	}
 	fixedVulnFuture := &claircore.Vulnerability{
 		Package: &claircore.Package{
 			Version: "",
 		},
 		FixedInVersion: "0.33.0-7.el8",
+		Repo: &claircore.Repository{
+			Name: "cpe:/o:redhat:enterprise_linux:8::baseos",
+			Key:  "rhel-cpe-repository",
+		},
 	}
 	unfixedVuln := &claircore.Vulnerability{
 		Package: &claircore.Package{
 			Version: "",
 		},
 		FixedInVersion: "",
+		Repo: &claircore.Repository{
+			Name: "cpe:/o:redhat:enterprise_linux:8::baseos",
+			Key:  "rhel-cpe-repository",
+		},
+	}
+	unfixedVulnBadCPE := &claircore.Vulnerability{
+		Package: &claircore.Package{
+			Version: "",
+		},
+		FixedInVersion: "",
+		Repo: &claircore.Repository{
+			Name: "cep:o:redhat:enterprise_linux:8::baseos",
+			Key:  "rhel-cpe-repository",
+		},
+	}
+	unfixedVulnRepoIsSubset := &claircore.Vulnerability{
+		Package: &claircore.Package{
+			Version: "",
+		},
+		FixedInVersion: "",
+		Repo: &claircore.Repository{
+			Name: "cpe:/o:redhat:enterprise_linux:8",
+			Key:  "rhel-cpe-repository",
+		},
+	}
+	unfixedVulnRepoNotSubset := &claircore.Vulnerability{
+		Package: &claircore.Package{
+			Version: "",
+		},
+		FixedInVersion: "",
+		Repo: &claircore.Repository{
+			Name: "cpe:/o:redhat:enterprise_linux:8::appstream",
+			Key:  "rhel-cpe-repository",
+		},
+	}
+	unfixedVulnRepoSubstring := &claircore.Vulnerability{
+		Package: &claircore.Package{
+			Version: "",
+		},
+		FixedInVersion: "",
+		Repo: &claircore.Repository{
+			Name: "cpe:/a:redhat:openshift:4",
+			Key:  "rhel-cpe-repository",
+		},
 	}
 
 	testCases := []vulnerableTestCase{
 		{ir: record, v: fixedVulnPast, want: false, name: "vuln fixed in past version"},
 		{ir: record, v: fixedVulnCurrent, want: false, name: "vuln fixed in current version"},
 		{ir: record, v: fixedVulnFuture, want: true, name: "outdated package"},
 		{ir: record, v: unfixedVuln, want: true, name: "unfixed vuln"},
+		{ir: record, v: unfixedVulnBadCPE, want: false, name: "unfixed vuln, invalid CPE"},
+		{ir: record, v: unfixedVulnRepoIsSubset, want: true, name: "unfixed vuln, Repo is a subset"},
+		{ir: record, v: unfixedVulnRepoNotSubset, want: false, name: "unfixed vuln, Repo not a subset"},
+		{ir: openshiftRecord, v: unfixedVulnRepoSubstring, want: true, name: "unfixed vuln, Repo is a substring match"},
 	}
 
 	m := &Matcher{}
-
+	ctx := context.Background()
+	ctx = zlog.Test(ctx, t)
 	for _, tc := range testCases {
-		got, err := m.Vulnerable(nil, tc.ir, tc.v)
+		got, err := m.Vulnerable(ctx, tc.ir, tc.v)
 		if err != nil {
 			t.Error(err)
 		}
@@ -163,3 +240,36 @@ func TestVulnerable(t *testing.T) {
 		}
 	}
 }
+
+func TestIsCPEStringSubsetMatch(t *testing.T) {
+	t.Parallel()
+
+	testcases := []struct {
+		name               string
+		recordCPE, vulnCPE cpe.WFN
+		match              bool
+	}{
+		{
+			name:      "simple_case",
+			recordCPE: cpe.MustUnbind("cpe:/a:redhat:openshift:4.13::el8"),
+			vulnCPE:   cpe.MustUnbind("cpe:/a:redhat:openshift:4"),
+			match:     true,
+		},
+		{
+			name:      "wrong_minor",
+			recordCPE: cpe.MustUnbind("cpe:/a:redhat:openshift:4.13::el8"),
+			vulnCPE:   cpe.MustUnbind("cpe:/a:redhat:openshift:4.1::el8"),
+			match:     false,
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			tt := tc
+			matched := isCPESubstringMatch(tt.recordCPE, tt.vulnCPE)
+			if matched != tt.match {
+				t.Errorf("unexpected matching %s and %s", tt.recordCPE, tt.vulnCPE)
+			}
+		})
+	}
+}