fix(debian,ubuntu): collect running kernel source package (#1935)

future-architect · Jun 6, 2024 · e1fab80 · e1fab80
1 parent 5af1a22
commit e1fab80
Show file tree

Hide file tree

Showing 9 changed files with 666 additions and 358 deletions.
diff --git a/gost/debian.go b/gost/debian.go
@@ -7,14 +7,14 @@ import (
  "cmp"
  "encoding/json"
  "fmt"
- "strconv"
  "strings"
 
  debver "github.com/knqyf263/go-deb-version"
  "golang.org/x/exp/maps"
  "golang.org/x/exp/slices"
  "golang.org/x/xerrors"
 
+ "github.com/future-architect/vuls/constant"
  "github.com/future-architect/vuls/logging"
  "github.com/future-architect/vuls/models"
  "github.com/future-architect/vuls/util"
@@ -88,20 +88,16 @@ func (deb Debian) detectCVEsWithFixState(r *models.ScanResult, fixed bool) ([]st
  continue
  }
 
- n := strings.NewReplacer("linux-signed", "linux", "linux-latest", "linux", "-amd64", "", "-arm64", "", "-i386", "").Replace(res.request.packName)
-
- if deb.isKernelSourcePackage(n) {
- isRunning := false
- for _, bn := range r.SrcPackages[res.request.packName].BinaryNames {
- if bn == fmt.Sprintf("linux-image-%s", r.RunningKernel.Release) {
- isRunning = true
- break
- }
- }
- // To detect vulnerabilities in running kernels only, skip if the kernel is not running.
- if !isRunning {
- continue
+ // To detect vulnerabilities in running kernels only, skip if the kernel is not running.
+ if models.IsKernelSourcePackage(constant.Debian, res.request.packName) && !slices.ContainsFunc(r.SrcPackages[res.request.packName].BinaryNames, func(bn string) bool {
+ switch bn {
+ case fmt.Sprintf("linux-image-%s", r.RunningKernel.Release), fmt.Sprintf("linux-headers-%s", r.RunningKernel.Release):
+ return true
+ default:
+ return false
  }
+ }) {
+ continue
  }
 
  cs := map[string]gostmodels.DebianCVE{}
@@ -128,26 +124,27 @@ func (deb Debian) detectCVEsWithFixState(r *models.ScanResult, fixed bool) ([]st
  }
  } else {
  for _, p := range r.SrcPackages {
- n := strings.NewReplacer("linux-signed", "linux", "linux-latest", "linux", "-amd64", "", "-arm64", "", "-i386", "").Replace(p.Name)
-
- if deb.isKernelSourcePackage(n) {
- isRunning := false
- for _, bn := range p.BinaryNames {
- if bn == fmt.Sprintf("linux-image-%s", r.RunningKernel.Release) {
- isRunning = true
- break
- }
- }
- // To detect vulnerabilities in running kernels only, skip if the kernel is not running.
- if !isRunning {
- continue
+ // To detect vulnerabilities in running kernels only, skip if the kernel is not running.
+ if models.IsKernelSourcePackage(constant.Debian, p.Name) && !slices.ContainsFunc(p.BinaryNames, func(bn string) bool {
+ switch bn {
+ case fmt.Sprintf("linux-image-%s", r.RunningKernel.Release), fmt.Sprintf("linux-headers-%s", r.RunningKernel.Release):
+ return true
+ default:
+ return false
  }
+ }) {
+ continue
  }
 
  var f func(string, string) (map[string]gostmodels.DebianCVE, error) = deb.driver.GetFixedCvesDebian
  if !fixed {
  f = deb.driver.GetUnfixedCvesDebian
  }
+
+ n := p.Name
+ if models.IsKernelSourcePackage(constant.Debian, p.Name) {
+ n = models.RenameKernelSourcePackageName(constant.Debian, p.Name)
+ }
  cs, err := f(major(r.Release), n)
  if err != nil {
  return nil, xerrors.Errorf("Failed to get CVEs. release: %s, src package: %s, err: %w", major(r.Release), p.Name, err)
@@ -198,29 +195,7 @@ func (deb Debian) detectCVEsWithFixState(r *models.ScanResult, fixed bool) ([]st
  return maps.Keys(detects), nil
 }
 
-func (deb Debian) isKernelSourcePackage(pkgname string) bool {
- switch ss := strings.Split(pkgname, "-"); len(ss) {
- case 1:
- return pkgname == "linux"
- case 2:
- if ss[0] != "linux" {
- return false
- }
- switch ss[1] {
- case "grsec":
- return true
- default:
- _, err := strconv.ParseFloat(ss[1], 64)
- return err == nil
- }
- default:
- return false
- }
-}
-
 func (deb Debian) detect(cves map[string]gostmodels.DebianCVE, srcPkg models.SrcPackage, runningKernel models.Kernel) []cveContent {
- n := strings.NewReplacer("linux-signed", "linux", "linux-latest", "linux", "-amd64", "", "-arm64", "", "-i386", "").Replace(srcPkg.Name)
-
  var contents []cveContent
  for _, cve := range cves {
  c := cveContent{
@@ -232,9 +207,6 @@ func (deb Debian) detect(cves map[string]gostmodels.DebianCVE, srcPkg models.Src
  switch r.Status {
  case "open", "undetermined":
  for _, bn := range srcPkg.BinaryNames {
- if deb.isKernelSourcePackage(n) && bn != fmt.Sprintf("linux-image-%s", runningKernel.Release) {
- continue
- }
  c.fixStatuses = append(c.fixStatuses, models.PackageFixStatus{
  Name: bn,
  FixState: r.Status,
@@ -245,7 +217,7 @@ func (deb Debian) detect(cves map[string]gostmodels.DebianCVE, srcPkg models.Src
  installedVersion := srcPkg.Version
  patchedVersion := r.FixedVersion
 
- if deb.isKernelSourcePackage(n) {
+ if models.IsKernelSourcePackage(constant.Debian, srcPkg.Name) {
  installedVersion = runningKernel.Version
  }
 
@@ -257,9 +229,6 @@ func (deb Debian) detect(cves map[string]gostmodels.DebianCVE, srcPkg models.Src
 
  if affected {
  for _, bn := range srcPkg.BinaryNames {
- if deb.isKernelSourcePackage(n) && bn != fmt.Sprintf("linux-image-%s", runningKernel.Release) {
- continue
- }
  c.fixStatuses = append(c.fixStatuses, models.PackageFixStatus{
  Name: bn,
  FixedIn: patchedVersion,

diff --git a/gost/debian_test.go b/gost/debian_test.go
@@ -395,41 +395,6 @@ func TestDebian_detect(t *testing.T) {
  }
 }
 
-func TestDebian_isKernelSourcePackage(t *testing.T) {
- tests := []struct {
- pkgname string
- want bool
- }{
- {
- pkgname: "linux",
- want: true,
- },
- {
- pkgname: "apt",
- want: false,
- },
- {
- pkgname: "linux-5.10",
- want: true,
- },
- {
- pkgname: "linux-grsec",
- want: true,
- },
- {
- pkgname: "linux-base",
- want: false,
- },
- }
- for _, tt := range tests {
- t.Run(tt.pkgname, func(t *testing.T) {
- if got := (Debian{}).isKernelSourcePackage(tt.pkgname); got != tt.want {
- t.Errorf("Debian.isKernelSourcePackage() = %v, want %v", got, tt.want)
- }
- })
- }
-}
-
 func TestDebian_CompareSeverity(t *testing.T) {
  type args struct {
  a string