From b9b383eb2714e88357af75900c856db2900b83ec Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:25:30 +0600 Subject: [PATCH] feat(oracle): add `flavors` support (#7858) --- docs/docs/coverage/os/oracle.md | 13 +++++++ go.mod | 2 +- go.sum | 4 +-- integration/testdata/fixtures/db/oracle.yaml | 8 +++-- pkg/detector/ospkg/oracle/oracle.go | 18 ++-------- pkg/detector/ospkg/oracle/oracle_test.go | 36 +++++++++++++++++++ .../oracle/testdata/fixtures/oracle7.yaml | 13 +++++++ 7 files changed, 74 insertions(+), 20 deletions(-) diff --git a/docs/docs/coverage/os/oracle.md b/docs/docs/coverage/os/oracle.md index 3799918b9a31..46ab22bc5238 100644 --- a/docs/docs/coverage/os/oracle.md +++ b/docs/docs/coverage/os/oracle.md @@ -28,6 +28,19 @@ See [here](../../scanner/vulnerability.md#data-sources). ### Fixed Version Trivy takes fixed versions from [Oracle security advisories][alerts]. +#### Flavors +Trivy detects the flavor for version of the found package and finds vulnerabilities only for that flavor. + +| Flavor | Format | Example | +|:-------:|:------------------------------------:|------------------------------------------------------| +| normal | version without `fips` and `ksplice` | 3.6.16-4.el8 | +| fips | `*_fips` | 10:3.6.16-4.0.1.el8_fips | +| ksplice | `*.ksplice*.*` | 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 | + + +For example Trivy finds [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) only for the `normal` and `fips` flavors. +For the `ksplice` flavor, [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) will be skipped. + ### Severity Trivy determines vulnerability severity based on the severity metric provided in [Oracle security advisories][alerts]. For example, the security patch for [CVE-2023-0464][CVE-2023-0464] is provided as [ELSA-2023-2645][ELSA-2023-2645]. diff --git a/go.mod b/go.mod index 4ae28be383e8..403a94099e1a 100644 --- a/go.mod +++ b/go.mod @@ -24,7 +24,7 @@ require ( github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 github.com/aquasecurity/tml v0.6.1 github.com/aquasecurity/trivy-checks v1.3.0 - github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1 + github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc github.com/aws/aws-sdk-go-v2 v1.32.4 diff --git a/go.sum b/go.sum index 1f448b0c1524..d0eb2f97691d 100644 --- a/go.sum +++ b/go.sum @@ -355,8 +355,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= github.com/aquasecurity/trivy-checks v1.3.0 h1:Z4+wxxApNSJOLcmGPWQ9cS3NGmT/yTaPCTMavIeuVEQ= github.com/aquasecurity/trivy-checks v1.3.0/go.mod h1:WDo8IKyW4FvA69uKYmamSIy3RosCOiBuA1Kfxuigiy0= -github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1 h1:G0gnacAORRUqz2Tm5MqivSpldY2GZ74ijhJcMsae+sA= -github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1/go.mod h1:PYkSRx4dlgFATEt+okGwibvbxVEtqsOdH+vX/saACYE= +github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 h1:ljinbg7JTQvdnzuRsPYS6btA51SyGYWKCQInxSIwbRw= +github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45/go.mod h1:Lg2avQhFy5qeGA0eMysI/61REVvWpEltverCarGc3l0= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc h1:/mFBYIK9RY+L8s1CIbQbJ5B3v0YmoDSu5eAzavvMa+Y= diff --git a/integration/testdata/fixtures/db/oracle.yaml b/integration/testdata/fixtures/db/oracle.yaml index 7cc73092d651..8418edcfd6cb 100644 --- a/integration/testdata/fixtures/db/oracle.yaml +++ b/integration/testdata/fixtures/db/oracle.yaml @@ -4,7 +4,11 @@ pairs: - key: CVE-2019-3823 value: - FixedVersion: 7.61.1-11.el8 + FixedVersion: "7.61.1-11.el8" + Entries: + - FixedVersion: "7.61.1-11.el8" - key: CVE-2019-5436 value: - FixedVersion: 7.61.1-12.el8 + FixedVersion: "7.61.1-12.el8" + Entries: + - FixedVersion: "7.61.1-12.el8" diff --git a/pkg/detector/ospkg/oracle/oracle.go b/pkg/detector/ospkg/oracle/oracle.go index dd66c11a3cf1..3dbc8c90677f 100644 --- a/pkg/detector/ospkg/oracle/oracle.go +++ b/pkg/detector/ospkg/oracle/oracle.go @@ -2,7 +2,6 @@ package oracle import ( "context" - "strings" "time" version "github.com/knqyf263/go-rpm-version" @@ -43,16 +42,6 @@ func NewScanner() *Scanner { } } -func extractKsplice(v string) string { - subs := strings.Split(strings.ToLower(v), ".") - for _, s := range subs { - if strings.HasPrefix(s, "ksplice") { - return s - } - } - return "" -} - // Detect scans and return vulnerability in Oracle scanner func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) { osVer = osver.Major(osVer) @@ -69,10 +58,9 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository installed := utils.FormatVersion(pkg) installedVersion := version.NewVersion(installed) for _, adv := range advisories { - // when one of them doesn't have ksplice, we'll also skip it - // extract kspliceX and compare it with kspliceY in advisories - // if kspliceX and kspliceY are different, we will skip the advisory - if extractKsplice(adv.FixedVersion) != extractKsplice(pkg.Release) { + // We need to use only advisories from the same flavor as the package flavors. + // See more in https://github.com/aquasecurity/trivy/issues/1967 + if oracleoval.PackageFlavor(adv.FixedVersion) != oracleoval.PackageFlavor(pkg.Release) { continue } diff --git a/pkg/detector/ospkg/oracle/oracle_test.go b/pkg/detector/ospkg/oracle/oracle_test.go index 6fdc73a90e6a..834bc06d9406 100644 --- a/pkg/detector/ospkg/oracle/oracle_test.go +++ b/pkg/detector/ospkg/oracle/oracle_test.go @@ -221,6 +221,42 @@ func TestScanner_Detect(t *testing.T) { }, }, }, + { + name: "with fips", + fixtures: []string{ + "testdata/fixtures/oracle7.yaml", + "testdata/fixtures/data-source.yaml", + }, + args: args{ + osVer: "7", + pkgs: []ftypes.Package{ + { + Name: "gnutls", + Epoch: 10, + Version: "3.6.15", + Release: "4.0.1.el8_fips", + Arch: "x86_64", + SrcEpoch: 2, + SrcName: "gnutls", + SrcVersion: "3.6.15", + SrcRelease: "4.0.1.el8_fips", + }, + }, + }, + want: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2021-20232", + PkgName: "gnutls", + InstalledVersion: "10:3.6.15-4.0.1.el8_fips", + FixedVersion: "10:3.6.16-4.0.1.el8_fips", + DataSource: &dbTypes.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + }, + }, { name: "malformed", fixtures: []string{ diff --git a/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml b/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml index 47c9931d8f1c..7dce7818c32e 100644 --- a/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml +++ b/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml @@ -5,8 +5,21 @@ - key: CVE-2020-8177 value: FixedVersion: "7.29.0-59.0.1.el7_9.1" + Entries: + - FixedVersion: "7.29.0-59.0.1.el7_9.1" - bucket: glibc pairs: - key: CVE-2017-1000364 value: FixedVersion: "2:2.17-157.ksplice1.el7_3.4" + Entries: + - FixedVersion: "2:2.17-157.ksplice1.el7_3.4" + - bucket: gnutls + pairs: + - key: CVE-2021-20232 + value: + FixedVersion: "3.6.16-4.el8" + Entries: + - FixedVersion: "10:3.6.16-4.0.1.el8_fips" + - FixedVersion: "3.6.16-4.el8" +