Limit "whole-only" config families to "growing" and "every nvt"

CHANGELOG.md

@@ -24,6 +24,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Expect report format scripts to exit with code 0 [#1383](https://github.com/greenbone/gvmd/pull/1383)
 - Send entire families to ospd-openvas using VT_GROUP [#1384](https://github.com/greenbone/gvmd/pull/1384)
 - The internal list of current Local Security Checks for the 'Closed CVEs' feature was updated [#1381](https://github.com/greenbone/gvmd/pull/1381)
+- Limit "whole-only" config families to "growing" and "every nvt" [#1386](https://github.com/greenbone/gvmd/pull/1386)
 
 ### Fixed
 - Use GMP version with leading zero for feed dirs [#1287](https://github.com/greenbone/gvmd/pull/1287)

src/gmp.c

@@ -18358,6 +18358,13 @@ handle_modify_config (gmp_parser_t *gmp_parser, GError **error)
             log_event_fail ("config", "Scan Config",
                             modify_config_data->config_id, "modified");
             goto modify_config_leave;
+          case 3:
+            SEND_TO_CLIENT_OR_FAIL
+             (XML_ERROR_SYNTAX ("modify_config",
+                                "Attempt to modify NVT in whole-only family"));
+            log_event_fail ("config", "Scan Config",
+                            modify_config_data->config_id, "modified");
+            goto modify_config_leave;
           case -1:
             SEND_TO_CLIENT_OR_FAIL
              (XML_ERROR_SYNTAX ("modify_config",
@@ -18408,6 +18415,14 @@ handle_modify_config (gmp_parser_t *gmp_parser, GError **error)
             log_event_fail ("config", "Scan Config",
                             modify_config_data->config_id, "modified");
             goto modify_config_leave;
+          case 3:
+            SEND_TO_CLIENT_OR_FAIL
+             (XML_ERROR_SYNTAX ("modify_config",
+                                "Whole-only families must include entire"
+                                " family and be growing"));
+            log_event_fail ("config", "Scan Config",
+                            modify_config_data->config_id, "modified");
+            goto modify_config_leave;
           case -1:
             SEND_TO_CLIENT_OR_FAIL
              (XML_ERROR_SYNTAX ("modify_config",

src/manage.c

@@ -2567,7 +2567,7 @@ launch_osp_openvas_task (task_t task, target_t target, const char *scan_id,
           gchar *filter;
           osp_vt_group_t *vt_group;
 
-          filter = g_strdup_printf ("filter=%s", family);
+          filter = g_strdup_printf ("family=%s", family);
           vt_group = osp_vt_group_new (filter);
           g_free (filter);
 

src/manage.h

@@ -1099,6 +1099,20 @@ user_has_super (const char *, user_t);
   " 'Ubuntu Local Security Checks',"               \
   " 'Windows : Microsoft Bulletins'"
 
+/**
+ * @brief Whole only families.
+ */
+#define FAMILIES_WHOLE_ONLY                        \
+  { "CentOS Local Security Checks",                \
+    "Debian Local Security Checks",                \
+    "Fedora Local Security Checks",                \
+    "Huawei EulerOS Local Security Checks",        \
+    "Oracle Linux Local Security Checks",          \
+    "Red Hat Local Security Checks",               \
+    "SuSE Local Security Checks",                  \
+    "Ubuntu Local Security Checks",                \
+    NULL }
+
 gboolean
 find_result_with_permission (const char*, result_t*, const char *);
 

src/manage_sql_configs.c

@@ -894,7 +894,8 @@ nvt_selector_has (const char* quoted_selector, const char* family_or_nvt,
  * @param[in]  growing_families      The rest of the growing families.
  * @param[in]  grow_families         1 if families should grow, else 0.
  *
- * @return 0 success, 1 config in use, 2 failed to find config, -1 error.
+ * @return 0 success, 1 config in use, 2 failed to find config, 3 whole-only
+ *         families must be growing and include entire family, -1 error.
  */
 int
 manage_set_config_families (const gchar *config_id,
@@ -903,12 +904,22 @@ manage_set_config_families (const gchar *config_id,
                             GPtrArray* growing_families,
                             int grow_families)
 {
+  static const gchar *wholes[] = FAMILIES_WHOLE_ONLY;
   config_t config;
   iterator_t families;
   gchar *quoted_selector;
   int constraining;
   char *selector;
 
+  /* Ensure that whole-only families include all NVTs and are growing. */
+
+  for (const gchar **whole = wholes; *whole; whole++)
+    if (member (growing_all_families, *whole)
+        || member (static_all_families, *whole))
+      return 3;
+
+  /* Check the args. */
+
   sql_begin_immediate ();
 
   if (find_config_with_permission (config_id, &config, "modify_config"))
@@ -4206,6 +4217,24 @@ manage_set_config (const gchar *config_id, const char*name, const char *comment,
   return 0;
 }
 
+/**
+ * @brief Check whether a family is "whole-only".
+ *
+ * @param[in]  family         Family name.
+ *
+ * @return 1 if whole-only, else 0.
+ */
+int
+family_whole_only (const gchar *family)
+{
+  static const gchar *wholes[] = FAMILIES_WHOLE_ONLY;
+
+  for (const gchar **whole = wholes; *whole; whole++)
+    if (strcmp (*whole, family) == 0)
+      return 1;
+  return 0;
+}
+
 /**
  * @brief Get whether a config selects every NVT in a given family.
  *
@@ -4245,7 +4274,8 @@ config_family_entire_and_growing (config_t config, const char* family)
  * @param[in]  family         Family name.
  * @param[in]  selected_nvts  NVT's.
  *
- * @return 0 success, 1 config in use, 2 failed to find config, -1 error.
+ * @return 0 success, 1 config in use, 2 failed to find config, 3 whole-only
+ *         family, -1 error.
  */
 int
 manage_set_config_nvts (const gchar *config_id, const char* family,
@@ -4256,6 +4286,9 @@ manage_set_config_nvts (const gchar *config_id, const char* family,
   gchar *quoted_family, *quoted_selector;
   int new_nvt_count = 0, old_nvt_count;
 
+  if (family_whole_only (family))
+    return 3;
+
   sql_begin_immediate ();
 
   if (find_config_with_permission (config_id, &config, "modify_config"))
@@ -4963,3 +4996,51 @@ check_db_configs ()
                  __func__);
     }
 }
+
+/**
+ * @brief Check whole-only families.
+ *
+ * Called after NVT sync.
+ */
+void
+check_whole_only_in_configs ()
+{
+  static const gchar *wholes[] = FAMILIES_WHOLE_ONLY;
+
+  for (const gchar **whole = wholes; *whole; whole++)
+    {
+      gchar *quoted_family;
+
+      quoted_family = sql_quote (*whole);
+
+      /* Delete any excluding NVT selectors. */
+
+      sql ("DELETE FROM nvt_selectors"
+           " WHERE type = " G_STRINGIFY (NVT_SELECTOR_TYPE_NVT)
+           " AND exclude = 1"
+           " AND EXISTS (SELECT * FROM nvts"
+           "             WHERE oid = family_or_nvt"
+           "             AND family = '%s');",
+           quoted_family);
+
+      /* Convert any including NVT selectors to family selectors. */
+
+      sql ("WITH sels AS (DELETE FROM nvt_selectors"
+           "                     WHERE type = " G_STRINGIFY (NVT_SELECTOR_TYPE_NVT)
+           "              AND EXISTS (SELECT * FROM nvts"
+           "                          WHERE oid = family_or_nvt"
+           "                          AND family = '%s')"
+           "              RETURNING name),"
+           "     names AS (SELECT distinct * FROM sels)"
+           " INSERT INTO nvt_selectors"
+           " (name, exclude, type, family_or_nvt, family)"
+           " SELECT names.name, 0, " G_STRINGIFY (NVT_SELECTOR_TYPE_FAMILY) ","
+           "        '%s', '%s'"
+           " FROM names;",
+           quoted_family,
+           quoted_family,
+           quoted_family);
+
+      g_free (quoted_family);
+    }
+}

src/manage_sql_configs.h

@@ -100,4 +100,7 @@ update_config (config_t, const gchar *, const gchar *, const gchar *,
 void
 check_db_configs ();
 
+void
+check_whole_only_in_configs ();
+
 #endif /* not _GVMD_MANAGE_SQL_CONFIGS_H */

src/manage_sql_nvts.c

@@ -40,6 +40,7 @@
 #include "manage_sql_nvts.h"
 #include "manage_preferences.h"
 #include "manage_sql.h"
+#include "manage_sql_configs.h"
 #include "sql.h"
 #include "utils.h"
 
@@ -1958,6 +1959,8 @@ update_nvt_cache_osp (const gchar *update_socket, gchar *db_feed_version,
   check_preference_names (0, old_nvts_last_modified);
   check_preference_names (1, old_nvts_last_modified);
 
+  check_whole_only_in_configs ();
+
   return 0;
 }