-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(oracle): split version flavors #452
fix(oracle): split version flavors #452
Conversation
Have you considered using ELSA-IDs for keys? It would require a modification on the Trivy side to also display CVE-IDs, but I don't think it would be that bad since the old Trivy only displays ELSA-IDs instead of CVE-IDs. |
I suggested the same before 😄 |
It's a fair point. I totally forgot about it. |
I'm not sure about that.
|
Please let me think about it. I'm now confused about FIPS. This adviosry seems relevant to FIPS according to the description, but the version doesn't contain
Do you have any ideas? |
hm... i couldn't to think explanation for that... ELSA-2022-9221 has
|
Another question. This vulnerability has no ELSA for FIPS. Does it mean FIPS gnutls is not affected? |
This advisory is mixing up normal and fips flavors. |
Take a look - aquasecurity/trivy#1967 (comment)
IIUC you are right (or there is no fix for FIPS gnutls) |
@@ -39,24 +39,36 @@ func TestVulnSrc_Update(t *testing.T) { | |||
Key: []string{"advisory-detail", "CVE-2007-0493", "Oracle Linux 5", "bind-devel"}, | |||
Value: types.Advisory{ | |||
FixedVersion: "30:9.3.3-8.el5", | |||
PatchedVersions: []string{ | |||
"30:9.3.3-8.el5", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can use FixedVersion
for normal flavor. Do we also need to store this version in PatchedVersions
? It helps reduce the size.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hm... after adding arches (#453) this logic will be confusing (because we will only keep normal version for x86_64
arch in FixedVersion
)
But i will check your solution to understand how much space we can save.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, I'm wondering how much using PatchedVersions
helps from the size perspective after migrating to Advisories
in #453.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll write an example. Just a moment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But I used PatchedVersions
in #453 to avoid creating a new Entry
for each flavor.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The PatchedVersions
method needs a more complicated implementation as it needs to aggregate entries, but the data size will be bigger. There is no reason to go with that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great research! So, we would go for FixedVersion, right?
Right!
The PatchedVersions method needs a more complicated implementation as it needs to aggregate entries, but the data size will be bigger. There is no reason to go with that.
agree with you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, so are you going to update this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we don't need to add flavors and arches in one PR.
So I will update this PR, after merging this PR we will add arches.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree. We should add changes step by step.
close this PR in favor #221 |
Description
Oracle Linux uses
normal
,fips
(e.g.3.6.16-4.0.1.el8_fips
) andksplice
(e.g.2:2.28-151.0.1.ksplice2.el8
) version flavors.We need to separate these versions so that we only compare version with same flavors.
See #220 for more details.
PR info
We are currently unable to change the database schema, so this PR is workaround to keep multiple versions for single CVE.
We currently use FixedVersion for OS advisories.
But in this case PatchedVersions was used.
It adds options to save all flavors for single advisory.
To save backward compatibility - we only keep version with
normal
flavor inFixedVersion
.DB sizes:
before:
after
Related PRs