
Red Hat Container Catalog uses CVE name instead of advisory link in vulnerability name field #627

Closed
jasinner opened this issue Jun 6, 2022 · 3 comments


jasinner commented Jun 6, 2022

Change the way Vulnerabilities are created by the Red Hat Container Catalog updater so that they match the way the OVAL parser saves Vulnerabilities. Specifically:

  • name field should include the advisory ID
  • links field should include the advisory link, and the relevant RH CVE database link

Use a Vulnerability entry created by rhel/parser.go as an example if in doubt.

We need to do this so that it's easier to tell Vulnerabilities created by the rhcc matcher apart from unpatched vulnerabilities created by the rhel parser.


jasinner commented Jun 6, 2022

Here's an example of a patched vulnerability from the rhel parser:

```json
{
  "id": "1324977",
  "updater": "RHEL8-rhel-8-including-unpatched",
  "name": "RHSA-2022:2201: rsync security update (Important)",
  "description": "The rsync utility enables the users to copy and synchronize files locally or across a network. Synchronization with rsync is fast because rsync only sends the differences in files over the network instead of sending whole files. The rsync utility is also used as a mirroring tool.\n\nSecurity Fix(es):\n\n* zlib: A flaw found in zlib when compressing (not decompressing) certain inputs (CVE-2018-25032)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "issued": "2022-05-11T00:00:00Z",
  "links": "https://access.redhat.com/errata/RHSA-2022:2201 https://access.redhat.com/security/cve/CVE-2018-25032",
  "severity": "Important",
  "normalized_severity": "High",
  "package": {
    "id": "",
    "name": "rsync",
    "version": "",
    "kind": "binary",
    "arch": "aarch64|ppc64le|s390x|x86_64"
  },
  "distribution": {
    "id": "",
    "did": "rhel",
    "name": "Red Hat Enterprise Linux Server",
    "version": "8",
    "version_code_name": "",
    "version_id": "8",
    "arch": "",
    "cpe": "cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*",
    "pretty_name": "Red Hat Enterprise Linux Server 8"
  },
  "repository": {
    "name": "cpe:/o:redhat:enterprise_linux:8::baseos",
    "key": "rhel-cpe-repository"
  },
  "fixed_in_version": "0:3.1.3-14.el8_6.2",
  "arch_op": "pattern match"
}
```


jasinner commented Jun 6, 2022

An example from the existing RHCC updater:

```json
{
  "id": "5554",
  "updater": "rhel-container-updater",
  "name": "CVE-2021-3762",
  "description": "A directory traversal vulnerability was found in the ClairCore engine of Clair. An attacker can exploit this by supplying a crafted container image which, when scanned by Clair, allows for arbitrary file write on the filesystem, potentially allowing for remote code execution.",
  "issued": "2021-09-28T00:00:00Z",
  "links": "https://access.redhat.com/errata/RHSA-2021:3665",
  "severity": "important",
  "normalized_severity": "High",
  "package": {
    "id": "",
    "name": "quay/clair-rhel8",
    "version": "",
    "kind": "binary"
  },
  "distribution": {
    "id": "",
    "did": "",
    "name": "",
    "version": "",
    "version_code_name": "",
    "version_id": "",
    "arch": "",
    "cpe": "",
    "pretty_name": ""
  },
  "repository": {
    "name": "Red Hat Container Catalog",
    "uri": "https://catalog.redhat.com/software/containers/explore"
  },
  "fixed_in_version": "v3.5.7-8"
}
```

Some things of note:

  • name: the rhel parser includes the advisory ID and the title, which is not available in cvemap
  • links: links are space separated and include the CVE database URL https://access.redhat.com/security/cve/`cve-id`
  • description in rhel comes from RHSA, whereas we don't have that data available in cvemap
  • severity field has the first character uppercase in rhel parser, it's all lowercase in rhcc
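The record shape the issue asks for, as an added example that is not claircore's own code: a small Go program that builds an RHCC-style record with the advisory ID in `name`, the advisory page and the Red Hat CVE page space-separated in `links`, and the severity capitalised the way the OVAL parser does it, and a check that tells such records apart from CVE-named unpatched entries. `Vulnerability` and `cvemapEntry` are local stand-ins (the real claircore and cvemap types are not shown on the page), the advisory ID pattern and the severity normalisation table are assumptions, and the sample input is constructed from the RHCC example above.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Vulnerability is a local stand-in for the subset of claircore's
// Vulnerability fields this issue talks about; it is not the claircore type.
type Vulnerability struct {
	Updater            string
	Name               string
	Links              string
	Severity           string
	NormalizedSeverity string
	Package            string
	FixedInVersion     string
}

// cvemapEntry is a constructed stand-in for what the RHCC updater knows about
// a fixed container image: the CVE, the advisory that fixed it and a lowercase
// severity string. The real cvemap record shape is not shown on the page.
type cvemapEntry struct {
	CVE          string
	Advisory     string
	Severity     string
	Package      string
	FixedVersion string
}

const (
	errataBase = "https://access.redhat.com/errata/"
	cveBase    = "https://access.redhat.com/security/cve/"
)

// advisoryID matches a Red Hat advisory ID (RHSA/RHBA/RHEA-YYYY:NNNN) at the
// start of a string. The pattern is an assumption about the ID format.
var advisoryID = regexp.MustCompile(`^RH[SBE]A-\d{4}:\d+`)

// newRHCCVulnerability builds a record the way the issue asks: advisory ID in
// Name, advisory page and CVE page in Links (space separated), severity with
// its first letter upper-cased to match the OVAL parser's output.
func newRHCCVulnerability(e cvemapEntry) (Vulnerability, error) {
	// Reject anything that is not a whole advisory ID, including a CVE ID
	// passed in the advisory field, which is the mistake the issue fixes.
	if m := advisoryID.FindString(e.Advisory); m == "" || m != e.Advisory {
		return Vulnerability{}, fmt.Errorf("advisory %q is not a Red Hat advisory ID", e.Advisory)
	}
	if !strings.HasPrefix(e.CVE, "CVE-") {
		return Vulnerability{}, errors.New("missing CVE ID for the CVE database link")
	}
	return Vulnerability{
		Updater:            "rhel-container-updater",
		Name:               e.Advisory,
		Links:              errataBase + e.Advisory + " " + cveBase + e.CVE,
		Severity:           titleCase(e.Severity),
		NormalizedSeverity: normalizeSeverity(e.Severity),
		Package:            e.Package,
		FixedInVersion:     e.FixedVersion,
	}, nil
}

// titleCase upper-cases the first byte ("important" -> "Important").
func titleCase(s string) string {
	if s == "" {
		return s
	}
	return strings.ToUpper(s[:1]) + strings.ToLower(s[1:])
}

// normalizeSeverity maps Red Hat severity words onto the normalized scale; the
// table is an assumption beyond the single Important -> High pair on the page.
func normalizeSeverity(s string) string {
	switch strings.ToLower(s) {
	case "critical":
		return "Critical"
	case "important":
		return "High"
	case "moderate":
		return "Medium"
	case "low":
		return "Low"
	}
	return "Unknown"
}

// isPatched reports whether a record names a fixed vulnerability (advisory ID
// first) rather than an unpatched OVAL entry, which is named after the CVE.
func isPatched(v Vulnerability) bool {
	return advisoryID.MatchString(v.Name)
}

// links splits the space-separated Links field back into individual URLs.
func links(v Vulnerability) []string {
	return strings.Fields(v.Links)
}

func main() {
	// Constructed from the RHCC example in the issue.
	v, err := newRHCCVulnerability(cvemapEntry{
		CVE: "CVE-2021-3762", Advisory: "RHSA-2021:3665", Severity: "important",
		Package: "quay/clair-rhel8", FixedVersion: "v3.5.7-8",
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s patched=%t links=%q\n", v.Name, isPatched(v), links(v))
}
```

Matching on the advisory prefix rather than on the whole name is deliberate: the OVAL parser's name carries a title after the ID ("RHSA-2022:2201: rsync security update (Important)"), so an exact-match check would classify those records as unpatched.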

jasinner added a commit to jasinner/claircore that referenced this issue Jun 6, 2022
The updater in rhcc matcher was using CVE Name as the vulnerability name
which more closely aligns with vulnerabilities coming from unpatched
OVAL definitions. This change switches rhcc matcher to use the advisory
name in the vulnerability name field.

See-Also: quay#627
hdonnay pushed a commit to jasinner/claircore that referenced this issue Jun 7, 2022

hdonnay commented Jun 9, 2022

This is merged.

@hdonnay hdonnay closed this as completed Jun 9, 2022