Merge pull request #7509 from HoussemNasri/oval-downloader

[GSOC23] - B - Enable the downloading and synchronization of OVAL data

java/code/src/com/redhat/rhn/common/conf/ConfigDefaults.java

@@ -235,6 +235,8 @@ public class ConfigDefaults {
 
     public static final String MESSAGE_QUEUE_THREAD_POOL_SIZE = "java.message_queue_thread_pool_size";
 
+    public static final String CVE_AUDIT_ENABLE_OVAL_METADATA = "java.cve_audit.enable_oval_metadata";
+
     /**
      * Token lifetime in seconds
      */
@@ -1188,4 +1190,13 @@ public int getRebootDelay() {
 
         return rebootDelay;
     }
+
+    /**
+     * Check if the usage of OVAL metadata is permitted in scanning systems for CVE vulnerabilities.
+     *
+     * @return {@code true} if OVAL usage is permitted and {@code false} otherwise.
+     * */
+    public boolean isOvalEnabledForCveAudit() {
+        return Config.get().getBoolean(CVE_AUDIT_ENABLE_OVAL_METADATA, false);
+    }
 }

java/code/src/com/redhat/rhn/common/db/datasource/xml/oval_queries.xml

@@ -29,4 +29,27 @@
               AND cve.name = :cve_name;
         </query>
     </mode>
+
+    <mode name="check_oval_availability">
+        <query params="cpe">
+            SELECT 1 FROM suseOVALPlatform plat WHERE starts_with(:cpe, plat.cpe);
+        </query>
+    </mode>
+
+    <mode name="check_errata_availability">
+        <query params="server_id">
+            SELECT 1
+            FROM suseCVEServerChannel,
+                 rhnChannelErrata
+            WHERE suseCVEServerChannel.channel_id = rhnChannelErrata.channel_id
+              AND server_id = :server_id
+        </query>
+    </mode>
+
+    <write-mode name="clear_oval_metadata_by_platform">
+        <query params="cpe">
+            DELETE FROM suseOVALPlatformVulnerablePackage pvp WHERE pvp.platform_id = (SELECT id FROM suseOVALPlatform plat WHERE plat.cpe = :cpe);
+            DELETE FROM suseOVALPlatform plat where plat.cpe = :cpe;
+        </query>
+    </write-mode>
 </datasource_modes>

java/code/src/com/redhat/rhn/domain/server/Server.java

@@ -2431,6 +2431,13 @@ public boolean doesOsSupportPtf() {
         return ServerConstants.SLES.equals(getOs());
     }
 
+    boolean isSLES() {
+        return ServerConstants.SLES.equalsIgnoreCase(getOs());
+    }
+    boolean isSLED() {
+        return ServerConstants.SLED.equalsIgnoreCase(getOs());
+    }
+
     /**
      * Return <code>true</code> if OS supports Confidential Computing Attestation
      *
@@ -2476,6 +2483,10 @@ boolean isSLES15() {
         return ServerConstants.SLES.equals(getOs()) && getRelease().startsWith("15");
     }
 
+    boolean isLeap() {
+       return ServerConstants.LEAP.equalsIgnoreCase(getOs());
+    }
+
     boolean isLeap15() {
         return ServerConstants.LEAP.equalsIgnoreCase(getOs()) && getRelease().startsWith("15");
     }
@@ -2494,6 +2505,10 @@ boolean isopenSUSEMicroOS() {
         return ServerConstants.OPENSUSEMICROOS.equals(getOs());
     }
 
+    boolean isUbuntu() {
+        return ServerConstants.UBUNTU.equalsIgnoreCase(getOs());
+    }
+
     boolean isUbuntu1804() {
         return ServerConstants.UBUNTU.equals(getOs()) && getRelease().equals("18.04");
     }
@@ -2506,6 +2521,10 @@ boolean isUbuntu2204() {
         return ServerConstants.UBUNTU.equals(getOs()) && getRelease().equals("22.04");
     }
 
+    boolean isDebian() {
+        return ServerConstants.DEBIAN.equalsIgnoreCase(getOs());
+    }
+
     boolean isDebian12() {
         return ServerConstants.DEBIAN.equals(getOs()) && getRelease().equals("12");
     }
@@ -2518,6 +2537,10 @@ boolean isDebian10() {
         return ServerConstants.DEBIAN.equals(getOs()) && getRelease().equals("10");
     }
 
+    boolean isRHEL() {
+        return ServerConstants.RHEL.equals(getOs());
+    }
+
     /**
      * This is supposed to cover all RedHat flavors (incl. RHEL, RES and CentOS Linux)
      */

java/code/src/com/redhat/rhn/domain/server/ServerConstants.java

@@ -38,6 +38,8 @@ public class ServerConstants {
     public static final String ALMA = "AlmaLinux";
     public static final String AMAZON = "Amazon Linux";
     public static final String ROCKY = "Rocky";
+    public static final String SLED = "SLED";
+    public static final String RHEL = "Red Hat Enterprise Linux";
 
     private ServerConstants() {
 

java/code/src/com/redhat/rhn/domain/server/ServerFactory.java

@@ -42,6 +42,7 @@
 import com.redhat.rhn.frontend.dto.SystemOverview;
 import com.redhat.rhn.frontend.xmlrpc.ChannelSubscriptionException;
 import com.redhat.rhn.frontend.xmlrpc.ServerNotInGroupException;
+import com.redhat.rhn.manager.audit.OsReleasePair;
 import com.redhat.rhn.manager.entitlement.EntitlementManager;
 import com.redhat.rhn.manager.rhnset.RhnSetDecl;
 import com.redhat.rhn.manager.system.SystemManager;
@@ -66,6 +67,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -249,6 +251,19 @@ public static Optional<Server> lookupProxyServer(String name) {
         }
     }
 
+    /**
+     * List the <b>unique</b> set of pairs of os and release versions used by servers
+     *
+     * @return the set of unique pairs of os and release version used by servers
+     * */
+    public static Set<OsReleasePair> listAllServersOsAndRelease() {
+        List<Object[]> result = SINGLETON.listObjectsByNamedQuery("Server.listAllServersOsAndRelease",
+                Collections.emptyMap());
+
+        return result.stream().map(row -> new OsReleasePair((String) row[0], (String) row[1]))
+                .collect(Collectors.toSet());
+    }
+
     /**
      * Return a map from Salt minion IDs to System IDs.
      * Map entries are limited to systems that are visible by the specified user.

java/code/src/com/redhat/rhn/domain/server/Server_legacyUser.hbm.xml

@@ -361,6 +361,12 @@ PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
                                WHERE USP.user_id = :user_id AND USP.server_id = s.id)
         ]]>
     </sql-query>
+
+    <sql-query name="Server.listAllServersOsAndRelease">
+        <![CDATA[
+            SELECT DISTINCT s.os, s.release FROM rhnServer s
+        ]]>
+    </sql-query>
 
     <sql-query name="Server.findSimpleMinionsByServerIds">
         <![CDATA[

java/code/src/com/redhat/rhn/frontend/strings/java/StringResource_en_US.xml

@@ -8791,6 +8791,9 @@ Alternatively, you will want to download <strong>Incremental Channel Conte
       <trans-unit id="task.status.cve-server-channels" xml:space="preserve">
         <source>CVE Server Channels</source>
       </trans-unit>
+      <trans-unit id="task.status.oval-data-sync" xml:space="preserve">
+        <source>Sync OVAL Data</source>
+      </trans-unit>
       <trans-unit id="task.status.mgr-sync-refresh" xml:space="preserve">
         <source>Refresh mgr-sync data</source>
       </trans-unit>
@@ -8833,6 +8836,9 @@ Alternatively, you will want to download &lt;strong&gt;Incremental Channel Conte
       <trans-unit id="bunch.jsp.description.cve-server-channels-bunch" xml:space="preserve">
         <source>Generates data required for performing CVE audit queries</source>
       </trans-unit>
+      <trans-unit id="bunch.jsp.description.oval-data-sync-bunch" xml:space="preserve">
+        <source>Generate OVAL data required to increase the accuracy of CVE audit queries</source>
+      </trans-unit>
       <trans-unit id="bunch.jsp.description.mgr-sync-refresh-bunch" xml:space="preserve">
         <source>Refreshes data about channels, products and subscriptions</source>
       </trans-unit>

java/code/src/com/redhat/rhn/frontend/xmlrpc/audit/CVEAuditHandler.java

@@ -20,7 +20,7 @@
 import com.redhat.rhn.frontend.xmlrpc.MethodInvalidParamException;
 import com.redhat.rhn.frontend.xmlrpc.UnknownCVEIdentifierFaultException;
 import com.redhat.rhn.manager.audit.CVEAuditImage;
-import com.redhat.rhn.manager.audit.CVEAuditManager;
+import com.redhat.rhn.manager.audit.CVEAuditManagerOVAL;
 import com.redhat.rhn.manager.audit.CVEAuditServer;
 import com.redhat.rhn.manager.audit.PatchStatus;
 import com.redhat.rhn.manager.audit.UnknownCVEIdentifierException;
@@ -117,8 +117,7 @@ public List<CVEAuditServer> listSystemsByPatchStatus(User loggedInUser,
         }
 
         try {
-            // TODO: Use CVEAuditManagerOVAL once it's ready
-            List<CVEAuditServer> result = CVEAuditManager.listSystemsByPatchStatus(
+            List<CVEAuditServer> result = CVEAuditManagerOVAL.listSystemsByPatchStatus(
                     loggedInUser, cveIdentifier, patchStatuses);
 
             result.sort(Comparator.comparingInt(s -> s.getPatchStatus().getRank()));
@@ -210,8 +209,7 @@ public List<CVEAuditImage> listImagesByPatchStatus(User loggedInUser,
         }
 
         try {
-            // TODO: Use CVEAuditManagerOVAL once it's ready
-            List<CVEAuditImage> result = CVEAuditManager.listImagesByPatchStatus(
+            List<CVEAuditImage> result = CVEAuditManagerOVAL.listImagesByPatchStatus(
                     loggedInUser, cveIdentifier, patchStatuses);
 
             result.sort(Comparator.comparingInt(i -> i.getPatchStatus().getRank()));

java/code/src/com/redhat/rhn/manager/audit/CVEAuditImage.java

@@ -94,5 +94,9 @@ public Set<ErrataIdAdvisoryPair> getErratas() {
         return erratas;
     }
 
+    @Override
+    public Set<ScanDataSource> getScanDataSources() {
+        return Set.of();
+    }
 
 }

java/code/src/com/redhat/rhn/manager/audit/CVEAuditManager.java

@@ -877,7 +877,8 @@ public static List<CVEAuditServer> listSystemsByPatchStatus(User user,
                         system.getSystemName(),
                         system.getPatchStatus(),
                         system.getChannels(),
-                        system.getErratas()
+                        system.getErratas(),
+                        Set.of(ScanDataSource.CHANNELS)
                 )).collect(Collectors.toList());
     }