diff --git a/java/code/src/com/redhat/rhn/common/db/datasource/xml/Package_queries.xml b/java/code/src/com/redhat/rhn/common/db/datasource/xml/Package_queries.xml
index d3a089ff4d85..1ea91a80d7e8 100644
--- a/java/code/src/com/redhat/rhn/common/db/datasource/xml/Package_queries.xml
+++ b/java/code/src/com/redhat/rhn/common/db/datasource/xml/Package_queries.xml
@@ -573,6 +573,38 @@ SELECT PN.name as NAME,
+
+
+ WITH highest_id_packages AS (
+ SELECT p.name_id, p.evr_id, p.package_arch_id, max(p.id) AS id
+ FROM rhnServerPackage sp
+ INNER JOIN rhnServer s ON sp.server_id = s.id
+ INNER JOIN rhnServerChannel sc on sc.server_id = s.id
+ INNER JOIN rhnChannelPackage cp on cp.channel_id = sc.channel_id
+ INNER JOIN rhnpackage p ON sp.evr_id = p.evr_id AND sp.name_id = p.name_id AND sp.package_arch_id = p.package_arch_id AND p.id = cp.package_id
+ WHERE sp.server_id = :sid AND (p.org_id = s.org_id or p.org_id is null)
+ GROUP BY p.name_id, p.evr_id, p.package_arch_id
+ )
+ SELECT p.id AS package_id,
+ pn.id || '|' || pe.id || '|' || pa.id as id_combo,
+ pn.name as name,
+ pa.label as arch,
+ pe.epoch as epoch,
+ pe.version as version,
+ pe.release as release,
+ pe.type AS type
+ FROM rhnPackageName pn
+ INNER JOIN rhnServerPackage sp ON sp.name_id = pn.id
+ INNER JOIN rhnServer s ON sp.server_id = s.id
+ INNER JOIN rhnPackageEvr pe ON sp.evr_id = pe.id
+ LEFT JOIN rhnPackageArch pa ON sp.package_arch_id = pa.id
+ LEFT JOIN highest_id_packages hp ON hp.name_id = sp.name_id AND hp.evr_id = sp.evr_id AND hp.package_arch_id = sp.package_arch_id
+ LEFT JOIN rhnpackage p ON hp.id = p.id
+ WHERE sp.server_id = :sid
+
+
+
+
SELECT PN.id || '|' || SPE.id AS ID_COMBO,
diff --git a/java/code/src/com/redhat/rhn/common/db/datasource/xml/file-list.xml b/java/code/src/com/redhat/rhn/common/db/datasource/xml/file-list.xml
index 5c6379e9dcfc..5038130324de 100644
--- a/java/code/src/com/redhat/rhn/common/db/datasource/xml/file-list.xml
+++ b/java/code/src/com/redhat/rhn/common/db/datasource/xml/file-list.xml
@@ -25,6 +25,7 @@
+
diff --git a/java/code/src/com/redhat/rhn/common/db/datasource/xml/oval_queries.xml b/java/code/src/com/redhat/rhn/common/db/datasource/xml/oval_queries.xml
new file mode 100755
index 000000000000..e275ccbbf381
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/common/db/datasource/xml/oval_queries.xml
@@ -0,0 +1,93 @@
+
+
+
+ call insert_product_vulnerable_packages(:package_name, :fix_version, :product_name, :cve_name)
+
+
+
+
+
+ SELECT vulnerablePkg.name AS vulnerablePkgName, vulnerablePkg.fix_version AS vulnerablePkgFixVersion
+ FROM suseovalvulnerablepackage vulnerablePkg,
+ rhncve cve,
+ suseovalplatform platform,
+ suseovalplatformvulnerablepackage platVulnerablePkg
+ WHERE cve.name = :cve_name
+ AND platform.cpe = :product_cpe
+ AND platVulnerablePkg.cve_id = cve.id
+ AND platVulnerablePkg.platform_id = platform.id
+ AND platVulnerablePkg.vulnerable_pkg_id = vulnerablePkg.id;
+
+
+
+
+
+ SELECT 1
+ FROM suseOVALPlatformVulnerablePackage platVul,
+ rhncve cve
+ WHERE platVul.cve_id = cve.id
+ AND cve.name = :cve_name;
+
+
+
+
+
+ SELECT rhnServer.id AS system_id,
+ rhnServer.name system_name,
+ rhnpackagename.name package_name,
+ rhnpackageevr.type package_type,
+ ovalVulPkg.fix_version patched_version,
+ rhnpackageevr.epoch installed_epoch,
+ rhnpackageevr.version installed_version,
+ rhnpackageevr.release installed_release,
+ rhncve.name cve
+ FROM rhnserver,
+ rhncve,
+ suseovalplatformvulnerablepackage ovalPlatVulPkg,
+ suseovalplatform ovalPlat,
+ suseovalvulnerablepackage ovalVulPkg,
+ rhnserverpackage serverPkg,
+ rhnpackagename,
+ rhnpackageevr
+ WHERE rhnserver.cpe = ovalPlat.cpe
+ AND rhnserver.id = serverPkg.server_id
+ AND rhnpackagename.id = serverPkg.name_id
+ AND rhnpackageevr.id = serverPkg.evr_id
+ AND rhnpackagename.name = ovalVulPkg.name
+ AND ovalPlatVulPkg.cve_id = rhncve.id
+ AND ovalPlatVulPkg.platform_id = ovalPlat.id
+ AND ovalPlatVulPkg.vulnerable_pkg_id = ovalVulPkg.id
+ AND rhncve.name = :cve_name;
+
+
+
+
+
+ SELECT rhnServer.id system_id,
+ rhnServer.name system_name,
+ rhnpackagename.name package_name,
+ rhnpackageevr.type package_type,
+ ovalVulPkg.fix_version patched_version,
+ rhnpackageevr.epoch installed_epoch,
+ rhnpackageevr.version installed_version,
+ rhnpackageevr.release installed_release,
+ rhncve.name cve
+ FROM rhnserver,
+ rhncve,
+ suseovalplatformvulnerablepackage ovalPlatVulPkg,
+ suseovalplatform ovalPlat,
+ suseovalvulnerablepackage ovalVulPkg,
+ rhnserverpackage serverPkg,
+ rhnpackagename,
+ rhnpackageevr
+ WHERE rhnserver.cpe = ovalPlat.cpe
+ AND rhnserver.id = serverPkg.server_id
+ AND rhnpackagename.id = serverPkg.name_id
+ AND rhnpackageevr.id = serverPkg.evr_id
+ AND rhnpackagename.name = ovalVulPkg.name
+ AND ovalPlatVulPkg.cve_id = rhncve.id
+ AND ovalPlatVulPkg.platform_id = ovalPlat.id
+ AND ovalPlatVulPkg.vulnerable_pkg_id = ovalVulPkg.id
+
+
+
diff --git a/java/code/src/com/redhat/rhn/domain/errata/Cve.java b/java/code/src/com/redhat/rhn/domain/errata/Cve.java
index 2d1b75ad6fd2..12834a7d2249 100644
--- a/java/code/src/com/redhat/rhn/domain/errata/Cve.java
+++ b/java/code/src/com/redhat/rhn/domain/errata/Cve.java
@@ -13,6 +13,10 @@
* in this software or its documentation.
*/
package com.redhat.rhn.domain.errata;
+
+import org.apache.commons.lang3.builder.EqualsBuilder;
+import org.apache.commons.lang3.builder.HashCodeBuilder;
+
/**
*
*
@@ -48,4 +52,28 @@ public void setName(String nameIn) {
public String getName() {
return name;
}
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public boolean equals(final Object other) {
+ if (!(other instanceof Cve)) {
+ return false;
+ }
+ Cve castOther = (Cve) other;
+ return new EqualsBuilder()
+ .append(id, castOther.id)
+ .isEquals();
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public int hashCode() {
+ return new HashCodeBuilder()
+ .append(id)
+ .toHashCode();
+ }
}
diff --git a/java/code/src/com/redhat/rhn/domain/rhnpackage/PackageType.java b/java/code/src/com/redhat/rhn/domain/rhnpackage/PackageType.java
index f551c8fbcf72..db0d9439fef9 100644
--- a/java/code/src/com/redhat/rhn/domain/rhnpackage/PackageType.java
+++ b/java/code/src/com/redhat/rhn/domain/rhnpackage/PackageType.java
@@ -14,6 +14,8 @@
*/
package com.redhat.rhn.domain.rhnpackage;
+import java.util.EnumSet;
+
public enum PackageType {
RPM("rpm"),
DEB("deb");
@@ -27,4 +29,10 @@ public enum PackageType {
public String getDbString() {
return dbString;
}
+
+ public static PackageType fromDbString(String dbString) {
+ return EnumSet.allOf(PackageType.class).stream()
+ .filter(packageType -> packageType.dbString.equals(dbString))
+ .findAny().orElseThrow();
+ }
}
diff --git a/java/code/src/com/redhat/rhn/domain/server/Server.java b/java/code/src/com/redhat/rhn/domain/server/Server.java
index 915226c97825..8ceb80467ad9 100644
--- a/java/code/src/com/redhat/rhn/domain/server/Server.java
+++ b/java/code/src/com/redhat/rhn/domain/server/Server.java
@@ -139,6 +139,8 @@ public class Server extends BaseDomainHelper implements Identifiable {
private MaintenanceSchedule maintenanceSchedule;
private Boolean hasConfigFeature;
+ private String cpe;
+
public static final String VALID_CNAMES = "valid_cnames_";
/**
@@ -2459,4 +2461,21 @@ public void setOsFamily(String osFamilyIn) {
this.osFamily = osFamilyIn;
}
+ /**
+ * Getter for CPE (Common Platform Enumeration)
+ *
+ * @return cpe
+ * */
+ public String getCpe() {
+ return cpe;
+ }
+
+ /**
+ * Setter for CPE (Common Platform Enumeration)
+ *
+ * @param cpeIn to set
+ * */
+ public void setCpe(String cpeIn) {
+ this.cpe = cpeIn;
+ }
}
diff --git a/java/code/src/com/redhat/rhn/domain/server/Server_legacyUser.hbm.xml b/java/code/src/com/redhat/rhn/domain/server/Server_legacyUser.hbm.xml
index a906cdfb8801..47f446a06513 100644
--- a/java/code/src/com/redhat/rhn/domain/server/Server_legacyUser.hbm.xml
+++ b/java/code/src/com/redhat/rhn/domain/server/Server_legacyUser.hbm.xml
@@ -15,6 +15,7 @@ PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
+ = 0;
+
+ status = isPackagePatched ? Status.PATCHED : Status.VULNERABLE;
+ }
+
+ public enum Status {
+ PATCHED, VULNERABLE
+ }
+}
diff --git a/java/code/src/com/redhat/rhn/frontend/xmlrpc/audit/CVEAffectedServer.java b/java/code/src/com/redhat/rhn/frontend/xmlrpc/audit/CVEAffectedServer.java
new file mode 100644
index 000000000000..a6b64cf4a754
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/frontend/xmlrpc/audit/CVEAffectedServer.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.redhat.rhn.frontend.xmlrpc.audit;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * A server that is affected by a CVE
+ * */
+public class CVEAffectedServer {
+ private Long id;
+ private String name;
+ private List affectedPackages;
+
+ public CVEAffectedServer(Long id, String name, List affectedPackages) {
+ this.id = id;
+ this.name = name;
+ this.affectedPackages = new ArrayList<>(affectedPackages);
+ }
+
+ public Long getId() {
+ return id;
+ }
+
+ public void setId(Long id) {
+ this.id = id;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public List getAffectedPackages() {
+ return affectedPackages;
+ }
+
+ public void setAffectedPackages(List affectedPackages) {
+ this.affectedPackages = affectedPackages;
+ }
+}
diff --git a/java/code/src/com/redhat/rhn/frontend/xmlrpc/audit/CVEAuditHandler.java b/java/code/src/com/redhat/rhn/frontend/xmlrpc/audit/CVEAuditHandler.java
index 5479fac18803..d6a9f22202d2 100644
--- a/java/code/src/com/redhat/rhn/frontend/xmlrpc/audit/CVEAuditHandler.java
+++ b/java/code/src/com/redhat/rhn/frontend/xmlrpc/audit/CVEAuditHandler.java
@@ -14,22 +14,29 @@
*/
package com.redhat.rhn.frontend.xmlrpc.audit;
+import static java.util.stream.Collectors.groupingBy;
+
import com.redhat.rhn.FaultException;
+import com.redhat.rhn.domain.rhnpackage.PackageType;
import com.redhat.rhn.domain.user.User;
import com.redhat.rhn.frontend.xmlrpc.BaseHandler;
import com.redhat.rhn.frontend.xmlrpc.MethodInvalidParamException;
import com.redhat.rhn.frontend.xmlrpc.UnknownCVEIdentifierFaultException;
+import com.redhat.rhn.manager.audit.CVEAffectedPackageItem;
import com.redhat.rhn.manager.audit.CVEAuditImage;
-import com.redhat.rhn.manager.audit.CVEAuditManager;
+import com.redhat.rhn.manager.audit.CVEAuditManagerOVAL;
import com.redhat.rhn.manager.audit.CVEAuditServer;
import com.redhat.rhn.manager.audit.PatchStatus;
import com.redhat.rhn.manager.audit.UnknownCVEIdentifierException;
import com.suse.manager.api.ReadOnly;
+import com.suse.oval.OVALCachingFactory;
import java.util.Comparator;
import java.util.EnumSet;
import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
/**
* CVESearchHandler
@@ -57,7 +64,7 @@ public class CVEAuditHandler extends BaseHandler {
*/
@ReadOnly
public List listSystemsByPatchStatus(User loggedInUser,
- String cveIdentifier) {
+ String cveIdentifier) {
return listSystemsByPatchStatus(loggedInUser, cveIdentifier, null);
}
@@ -111,7 +118,7 @@ public List listSystemsByPatchStatus(User loggedInUser,
}
try {
- List result = CVEAuditManager.listSystemsByPatchStatus(
+ List result = CVEAuditManagerOVAL.listSystemsByPatchStatus(
loggedInUser, cveIdentifier, patchStatuses);
result.sort(Comparator.comparingInt(s -> s.getPatchStatus().getRank()));
@@ -177,7 +184,8 @@ public List listImagesByPatchStatus(User loggedInUser,
*/
@ReadOnly
public List listImagesByPatchStatus(User loggedInUser,
- String cveIdentifier, List patchStatusLabels) throws FaultException {
+ String cveIdentifier, List patchStatusLabels)
+ throws FaultException {
// Convert list of strings to patch status objects
EnumSet patchStatuses = EnumSet.noneOf(PatchStatus.class);
@@ -196,7 +204,7 @@ public List listImagesByPatchStatus(User loggedInUser,
}
try {
- List result = CVEAuditManager.listImagesByPatchStatus(
+ List result = CVEAuditManagerOVAL.listImagesByPatchStatus(
loggedInUser, cveIdentifier, patchStatuses);
result.sort(Comparator.comparingInt(i -> i.getPatchStatus().getRank()));
@@ -207,4 +215,84 @@ public List listImagesByPatchStatus(User loggedInUser,
throw new UnknownCVEIdentifierFaultException();
}
}
+
+ /**
+ * List visible systems with their corresponding affected packages regarding a given CVE identifier
+ *
+ * @param loggedInUser The current user
+ * @param cveIdentifier the CVE number to search for
+ *
+ * @apidoc.doc List visible systems with their corresponding affected packages regarding a given CVE identifier
+ * @apidoc.param #session_key()
+ * @apidoc.param #param("string", "cveIdentifier")
+ * @apidoc.returntype #return_array_begin() $CVEAffectedServerSerializer #array_end()
+ */
+ @ReadOnly
+ public List listAffectedSystems(User loggedInUser, String cveIdentifier) {
+ List affectedPackageItems =
+ OVALCachingFactory.listSystemsAffectedPackages(cveIdentifier);
+
+ return groupAffectedPackagesBySystemAndCollect(affectedPackageItems);
+ }
+
+
+ /**
+ * List known CVEs along the visible systems affected by the CVE with their corresponding affected packages
+ *
+ * @param loggedInUser The current user
+ *
+ * @apidoc.doc List known CVEs along the visible systems affected by the CVE with their corresponding
+ * affected packages
+ * @apidoc.param #session_key()
+ * @apidoc.returntype #return_array_begin() $CVEAffectedServerSerializer #array_end()
+ */
+ @ReadOnly
+ public Map> listAffectedSystemsByCve(User loggedInUser) {
+ List affectedPackageItems =
+ OVALCachingFactory.listSystemsAffectedPackages();
+
+ Map> affectedPackageItemsByCve =
+ affectedPackageItems.stream().collect(groupingBy(CVEAffectedPackageItem::getCve));
+
+ return affectedPackageItemsByCve.entrySet()
+ .stream().map(entry -> {
+ String cve = entry.getKey();
+ List cveAffectedPackageItems = entry.getValue();
+
+ List affectedServers =
+ groupAffectedPackagesBySystemAndCollect(cveAffectedPackageItems);
+
+ return Map.entry(cve, affectedServers);
+ }).collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
+ }
+
+ private static List groupAffectedPackagesBySystemAndCollect(
+ List affectedPackageItems) {
+ Map> affectedPackageItemsBySystem = affectedPackageItems.stream()
+ .collect(groupingBy(CVEAffectedPackageItem::getSystemId));
+
+ return affectedPackageItemsBySystem.entrySet().stream()
+ .map(entry -> {
+ Long systemId = entry.getKey();
+ List systemAffectedPackageItems = entry.getValue();
+
+ String systemName = systemAffectedPackageItems.get(0).getSystemName();
+
+ List affectedPackages = systemAffectedPackageItems
+ .stream()
+ .map(CVEAuditHandler::toAffectedPackage).collect(Collectors.toList());
+
+ return new CVEAffectedServer(systemId, systemName, affectedPackages);
+
+ }).collect(Collectors.toList());
+ }
+
+ private static CVEAffectedPackage toAffectedPackage(CVEAffectedPackageItem packageItem) {
+ String packageName = packageItem.getPackageName();
+ PackageType packageType = packageItem.getPackageType();
+ String installedVersion = packageItem.getInstalledPackageEvr().toUniversalEvrString();
+ String patchedVersion = packageItem.getPatchedVersion();
+
+ return new CVEAffectedPackage(packageName, installedVersion, patchedVersion, packageType);
+ }
}
diff --git a/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/CVEAffectedPackageSerializer.java b/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/CVEAffectedPackageSerializer.java
new file mode 100644
index 000000000000..afc5fdabe5fd
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/CVEAffectedPackageSerializer.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.redhat.rhn.frontend.xmlrpc.serializer;
+
+import com.redhat.rhn.frontend.xmlrpc.audit.CVEAffectedPackage;
+
+import com.suse.manager.api.ApiResponseSerializer;
+import com.suse.manager.api.SerializationBuilder;
+import com.suse.manager.api.SerializedApiResponse;
+
+public class CVEAffectedPackageSerializer extends ApiResponseSerializer {
+ @Override
+ public SerializedApiResponse serialize(CVEAffectedPackage src) {
+ return new SerializationBuilder()
+ .add("name", src.getPackageName())
+ .add("installed_version", src.getInstalledVersion())
+ .add("patched_version", src.getPatchedVersion())
+ .add("patch_status", src.getStatus().toString())
+ .build();
+ }
+
+ @Override
+ public Class getSupportedClass() {
+ return CVEAffectedPackage.class;
+ }
+}
diff --git a/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/CVEAffectedServerSerializer.java b/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/CVEAffectedServerSerializer.java
new file mode 100644
index 000000000000..14aec54da641
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/CVEAffectedServerSerializer.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.redhat.rhn.frontend.xmlrpc.serializer;
+
+import com.redhat.rhn.frontend.xmlrpc.audit.CVEAffectedServer;
+
+import com.suse.manager.api.ApiResponseSerializer;
+import com.suse.manager.api.SerializationBuilder;
+import com.suse.manager.api.SerializedApiResponse;
+
+public class CVEAffectedServerSerializer extends ApiResponseSerializer {
+ @Override
+ public SerializedApiResponse serialize(CVEAffectedServer src) {
+ return new SerializationBuilder()
+ .add("system_id", src.getId())
+ .add("system_name", src.getName())
+ .add("affected_packages", src.getAffectedPackages())
+ .build();
+ }
+
+ @Override
+ public Class getSupportedClass() {
+ return CVEAffectedServer.class;
+ }
+}
diff --git a/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/SerializerRegistry.java b/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/SerializerRegistry.java
index a29a006de06e..70cd399239e9 100644
--- a/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/SerializerRegistry.java
+++ b/java/code/src/com/redhat/rhn/frontend/xmlrpc/serializer/SerializerRegistry.java
@@ -160,6 +160,8 @@ private SerializerRegistry() {
SERIALIZER_CLASSES.add(SystemEventDtoSerializer.class);
SERIALIZER_CLASSES.add(SystemEventDetailsDtoSerializer.class);
SERIALIZER_CLASSES.add(PaygSshDataSerializer.class);
+ SERIALIZER_CLASSES.add(CVEAffectedPackageSerializer.class);
+ SERIALIZER_CLASSES.add(CVEAffectedServerSerializer.class);
}
/**
diff --git a/java/code/src/com/redhat/rhn/manager/audit/CVEAffectedPackageItem.java b/java/code/src/com/redhat/rhn/manager/audit/CVEAffectedPackageItem.java
new file mode 100644
index 000000000000..cb0857684274
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/manager/audit/CVEAffectedPackageItem.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.redhat.rhn.manager.audit;
+
+import com.redhat.rhn.domain.rhnpackage.PackageEvr;
+import com.redhat.rhn.domain.rhnpackage.PackageType;
+
+public class CVEAffectedPackageItem {
+ private Long systemId;
+ private String systemName;
+ private String packageName;
+ private PackageType packageType;
+ private String patchedVersion;
+ private PackageEvr installedPackageEvr;
+ private String cve;
+
+ /**
+ * Standard constructor
+ * */
+ public CVEAffectedPackageItem(Long systemId, String systemName, String packageName, PackageType packageType, String patchedVersion,
+ String installedEpoch, String installedVersion, String installedRelease, String cveIn) {
+ this.systemId = systemId;
+ this.systemName = systemName;
+ this.packageName = packageName;
+ this.packageType = packageType;
+ this.patchedVersion = patchedVersion;
+ this.installedPackageEvr = new PackageEvr(installedEpoch, installedVersion, installedRelease, packageType);
+ cve = cveIn;
+ }
+
+ public Long getSystemId() {
+ return systemId;
+ }
+
+ public void setSystemId(Long systemId) {
+ this.systemId = systemId;
+ }
+
+ public String getSystemName() {
+ return systemName;
+ }
+
+ public void setSystemName(String systemName) {
+ this.systemName = systemName;
+ }
+
+ public String getPackageName() {
+ return packageName;
+ }
+
+ public void setPackageName(String packageName) {
+ this.packageName = packageName;
+ }
+
+ public PackageType getPackageType() {
+ return packageType;
+ }
+
+ public void setPackageType(PackageType packageType) {
+ this.packageType = packageType;
+ }
+
+ public String getPatchedVersion() {
+ return patchedVersion;
+ }
+
+ public void setPatchedVersion(String patchedVersion) {
+ this.patchedVersion = patchedVersion;
+ }
+
+ public PackageEvr getInstalledPackageEvr() {
+ return installedPackageEvr;
+ }
+
+ public void setInstalledPackageEvr(PackageEvr installedPackageEvr) {
+ this.installedPackageEvr = installedPackageEvr;
+ }
+
+ public String getCve() {
+ return cve;
+ }
+
+ public void setCve(String cveIn) {
+ cve = cveIn;
+ }
+}
diff --git a/java/code/src/com/redhat/rhn/manager/audit/CVEAuditManager.java b/java/code/src/com/redhat/rhn/manager/audit/CVEAuditManager.java
index 43088314f8e8..aa03c2e8fcd1 100644
--- a/java/code/src/com/redhat/rhn/manager/audit/CVEAuditManager.java
+++ b/java/code/src/com/redhat/rhn/manager/audit/CVEAuditManager.java
@@ -87,7 +87,7 @@ public class CVEAuditManager {
new HashMap<>();
/** Magic number signalling a patch present in a product migration channel */
- private static final int SUCCESSOR_PRODUCT_RANK_BOUNDARY = 50_000;
+ public static final int SUCCESSOR_PRODUCT_RANK_BOUNDARY = 50_000;
/** Magic number signalling a patch present in a product predecessor channel */
private static final int PREDECESSOR_PRODUCT_RANK_BOUNDARY = 100_000;
@@ -129,7 +129,7 @@ public static void insertRelevantImageChannels(Map addRelevantMigrationProductChannels(
* @return the channel ID
*/
public static Long getBaseProductChannelId(SUSEProductDto baseProduct,
- ChannelArch arch) {
+ ChannelArch arch) {
Long baseProductID = baseProduct.getId();
if (baseProductID != null) {
EssentialChannelDto channel =
@@ -604,7 +604,7 @@ public static Long getBaseProductChannelId(SUSEProductDto baseProduct,
* - contained in a certain channel
* in order to detect if the system is affected or not by a certain CVE
*/
- private static class CVEPatchStatus {
+ public static class CVEPatchStatus {
private final long systemId;
private final String systemName;
@@ -803,8 +803,15 @@ Otherwise, all values will be null (no EVR present)
}
- private static Stream listSystemsByPatchStatus(User user,
- String cveIdentifier) {
+ /**
+ * List visible systems with their patch status regarding a given CVE identifier.
+ *
+ * @param user the calling user
+ * @param cveIdentifier the CVE identifier to lookup
+ * @return list of system records with patch status
+ */
+ public static Stream listSystemsByPatchStatus(User user,
+ String cveIdentifier) {
SelectMode m = ModeFactory.getMode("cve_audit_queries",
"list_systems_by_patch_status");
@@ -844,7 +851,6 @@ Otherwise, all values will be null (no EVR present)
}
-
/**
* List visible systems with their patch status regarding a given CVE identifier.
*
@@ -937,91 +943,7 @@ private static List listSystemsByPatchStatus(List> systemResultMap : resultsBySystem.entrySet()) {
- CVEAuditSystemBuilder system = new CVEAuditSystemBuilder(systemResultMap.getKey());
- List systemResults = systemResultMap.getValue();
- system.setSystemName(systemResults.get(0).getSystemName());
-
- // The relevant channels assigned to the system
- Set assignedChannels = new HashSet<>();
-
- // Group results for the system further by package names, filtering out 'not-affected' entries
- Map> resultsByPackage =
- systemResults.stream().filter(r -> r.getErrataId().isPresent())
- .filter(r -> r.getChannelRank().orElse(0L) < PREDECESSOR_PRODUCT_RANK_BOUNDARY)
- .collect(Collectors.groupingBy(r -> r.getPackageName().get()));
-
- // When live patching is available, the original kernel packages ('-default' or '-xen') must be ignored.
- // Keep a list of package names to be ignored.
- Set livePatchedPackages = resultsByPackage.keySet().stream()
- .map(p -> Pattern.compile("^(?:kgraft-patch|kernel-livepatch)-.*-([^-]*)$").matcher(p))
- .filter(Matcher::matches).map(m -> "kernel-" + m.group(1)).collect(Collectors.toSet());
-
- AtomicBoolean patchInSuccessorProduct = new AtomicBoolean(false);
- AtomicBoolean patchesInstalled = new AtomicBoolean(false);
- Set successorErratas = new HashSet<>();
-
- // Loop through affected packages one by one
- for (Map.Entry> packageResults : resultsByPackage.entrySet()) {
- if (livePatchedPackages.contains(packageResults.getKey())) {
- // This package is substituted with live patching, ignore it
- continue;
- }
-
- // Get the result row with the top ranked channel containing the package,
- // or empty if the package is already patched
- Optional patchCandidateResult = getPatchCandidateResult(packageResults.getValue());
-
- patchCandidateResult.ifPresentOrElse(result -> {
- // The package is not patched. Keep a list of the missing patch and the top candidate channel
- AuditChannelInfo channel = new AuditChannelInfo(result.getChannelId().get(),
- result.getChannelName(), result.getChannelLabel(), result.getChannelRank().orElse(0L));
- ErrataIdAdvisoryPair errata = new ErrataIdAdvisoryPair(result.getErrataId().get(),
- result.getErrataAdvisory());
- system.addErrata(errata);
- system.addChannel(channel);
-
- if (result.isChannelAssigned()) {
- assignedChannels.add(channel);
- }
- else if (result.getChannelRank().get() >= SUCCESSOR_PRODUCT_RANK_BOUNDARY) {
- patchInSuccessorProduct.set(true);
- successorErratas.add(errata);
- }
- }, () -> {
- patchesInstalled.set(true);
- });
- }
-
- boolean allChannelsForOneErrataAssigned = assignedChannels.containsAll(system.getChannels());
- // Filter out channels that are part of a successor or predecessor product. This is to make sure the
- // current product is chosen as the most suitable candidate if there is a patch available for it or
- // a patch is already installed, even though it might not contain a patch for all the packages e.g.
- // because some versions are to old to be affected.
- if (patchInSuccessorProduct.get()) {
- Set erratasNotInSuccessor = system.getErratas().stream().filter(errata ->
- !successorErratas.contains(errata)).collect(Collectors.toSet());
- Set filteredChannels = system.getChannels().stream().filter(channel ->
- channel.getRank() < SUCCESSOR_PRODUCT_RANK_BOUNDARY).collect(Collectors.toSet());
-
- // If there are no erratas found that are not part of a successor product and there are already
- // patches installed we assume that the system is already patched
- if (erratasNotInSuccessor.isEmpty() && patchesInstalled.get()) {
- system.setChannels(Collections.emptySet());
- system.setErratas(Collections.emptySet());
- }
- else if (!filteredChannels.isEmpty()) {
- allChannelsForOneErrataAssigned = assignedChannels.containsAll(filteredChannels);
- if (allChannelsForOneErrataAssigned) {
- // Don't display the patches and channels that belong to successor products
- system.setChannels(filteredChannels);
- system.setErratas(erratasNotInSuccessor);
- }
- }
- }
-
- system.setPatchStatus(getPatchStatus(system.getErratas().isEmpty(),
- allChannelsForOneErrataAssigned, !resultsByPackage.isEmpty(),
- patchInSuccessorProduct.get()));
+ CVEAuditSystemBuilder system = doAuditSystem(systemResultMap.getKey(), systemResultMap.getValue());
// Check if the patch status is contained in the filter
if (patchStatuses.contains(system.getPatchStatus())) {
@@ -1033,6 +955,104 @@ else if (!filteredChannels.isEmpty()) {
return ret;
}
+ /**
+ * Audit the given system with an id {@code systemId} based on Channels data exclusively.
+ *
+ * @param systemId the id of the system to audit
+ * @param systemResults list produced by {@link CVEAuditManager#listSystemsByPatchStatus(User, String)},
+ * helpful for determining patch status and relevant channels and erratas
+ * @return a record with data about a single system containing that system's patch status regarding a certain
+ * given CVE identifier as well as sets of relevant channels and erratas.
+ */
+ public static CVEAuditSystemBuilder doAuditSystem(Long systemId, List systemResults) {
+ CVEAuditSystemBuilder system = new CVEAuditSystemBuilder(systemId);
+ system.setSystemName(systemResults.get(0).getSystemName());
+
+ // The relevant channels assigned to the system
+ Set assignedChannels = new HashSet<>();
+
+ // Group results for the system further by package names, filtering out 'not-affected' entries
+ Map> resultsByPackage =
+ systemResults.stream().filter(r -> r.getErrataId().isPresent())
+ .filter(r -> r.getChannelRank().orElse(0L) < PREDECESSOR_PRODUCT_RANK_BOUNDARY)
+ .collect(Collectors.groupingBy(r -> r.getPackageName().get()));
+
+ // When live patching is available, the original kernel packages ('-default' or '-xen') must be ignored.
+ // Keep a list of package names to be ignored.
+ Set livePatchedPackages = resultsByPackage.keySet().stream()
+ .map(p -> Pattern.compile("^(?:kgraft-patch|kernel-livepatch)-.*-([^-]*)$").matcher(p))
+ .filter(Matcher::matches).map(m -> "kernel-" + m.group(1)).collect(Collectors.toSet());
+
+ AtomicBoolean patchInSuccessorProduct = new AtomicBoolean(false);
+ AtomicBoolean patchesInstalled = new AtomicBoolean(false);
+ Set successorErratas = new HashSet<>();
+
+ // Loop through affected packages one by one
+ for (Map.Entry> packageResults : resultsByPackage.entrySet()) {
+ if (livePatchedPackages.contains(packageResults.getKey())) {
+ // This package is substituted with live patching, ignore it
+ continue;
+ }
+
+ // Get the result row with the top ranked channel containing the package,
+ // or empty if the package is already patched
+ Optional patchCandidateResult = getPatchCandidateResult(packageResults.getValue());
+
+ patchCandidateResult.ifPresentOrElse(result -> {
+ // The package is not patched. Keep a list of the missing patch and the top candidate channel
+ AuditChannelInfo channel = new AuditChannelInfo(result.getChannelId().get(),
+ result.getChannelName(), result.getChannelLabel(), result.getChannelRank().orElse(0L));
+ ErrataIdAdvisoryPair errata = new ErrataIdAdvisoryPair(result.getErrataId().get(),
+ result.getErrataAdvisory());
+ system.addErrata(errata);
+ system.addChannel(channel);
+
+ if (result.isChannelAssigned()) {
+ assignedChannels.add(channel);
+ }
+ else if (result.getChannelRank().get() >= SUCCESSOR_PRODUCT_RANK_BOUNDARY) {
+ patchInSuccessorProduct.set(true);
+ successorErratas.add(errata);
+ }
+ }, () -> {
+ patchesInstalled.set(true);
+ });
+ }
+
+ boolean allChannelsForOneErrataAssigned = assignedChannels.containsAll(system.getChannels());
+ // Filter out channels that are part of a successor or predecessor product. This is to make sure the
+ // current product is chosen as the most suitable candidate if there is a patch available for it or
+ // a patch is already installed, even though it might not contain a patch for all the packages e.g.
+ // because some versions are to old to be affected.
+ if (patchInSuccessorProduct.get()) {
+ Set erratasNotInSuccessor = system.getErratas().stream().filter(errata ->
+ !successorErratas.contains(errata)).collect(Collectors.toSet());
+ Set filteredChannels = system.getChannels().stream().filter(channel ->
+ channel.getRank() < SUCCESSOR_PRODUCT_RANK_BOUNDARY).collect(Collectors.toSet());
+
+ // If there are no erratas found that are not part of a successor product and there are already
+ // patches installed we assume that the system is already patched
+ if (erratasNotInSuccessor.isEmpty() && patchesInstalled.get()) {
+ system.setChannels(Collections.emptySet());
+ system.setErratas(Collections.emptySet());
+ }
+ else if (!filteredChannels.isEmpty()) {
+ allChannelsForOneErrataAssigned = assignedChannels.containsAll(filteredChannels);
+ if (allChannelsForOneErrataAssigned) {
+ // Don't display the patches and channels that belong to successor products
+ system.setChannels(filteredChannels);
+ system.setErratas(erratasNotInSuccessor);
+ }
+ }
+ }
+
+ system.setPatchStatus(getPatchStatus(system.getErratas().isEmpty(),
+ allChannelsForOneErrataAssigned, !resultsByPackage.isEmpty(),
+ patchInSuccessorProduct.get()));
+
+ return system;
+ }
+
/**
* Finds the best candidate channel among the CVE query results for a single
* package, or none if the package is already fully patched
@@ -1041,7 +1061,7 @@ else if (!filteredChannels.isEmpty()) {
* @return best candidate channel result for a patch on the specified package,
* or empty if the package is already patched
*/
- private static Optional getPatchCandidateResult(List packageResults) {
+ protected static Optional getPatchCandidateResult(List packageResults) {
Comparator evrComparator = Comparator.comparing(r -> r.getPackageEvr().get());
Optional latestInstalled = packageResults.stream()
@@ -1129,7 +1149,7 @@ public static PatchStatus getPatchStatus(
return PatchStatus.PATCHED;
}
else if (allChannelsForOneErrataAssigned) {
- return PatchStatus.AFFECTED_PATCH_APPLICABLE;
+ return PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE;
}
else if (patchInSuccessorProduct) {
return PatchStatus.AFFECTED_PATCH_INAPPLICABLE_SUCCESSOR_PRODUCT;
diff --git a/java/code/src/com/redhat/rhn/manager/audit/CVEAuditManagerOVAL.java b/java/code/src/com/redhat/rhn/manager/audit/CVEAuditManagerOVAL.java
new file mode 100644
index 000000000000..e13e88dd0315
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/manager/audit/CVEAuditManagerOVAL.java
@@ -0,0 +1,311 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.redhat.rhn.manager.audit;
+
+
+import static com.redhat.rhn.manager.audit.CVEAuditManager.SUCCESSOR_PRODUCT_RANK_BOUNDARY;
+
+import com.redhat.rhn.domain.rhnpackage.PackageEvr;
+import com.redhat.rhn.domain.server.Server;
+import com.redhat.rhn.domain.user.User;
+import com.redhat.rhn.manager.rhnpackage.PackageManager;
+
+import com.suse.oval.OVALCachingFactory;
+import com.suse.oval.ShallowSystemPackage;
+import com.suse.oval.vulnerablepkgextractor.VulnerablePackage;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.util.ArrayList;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+/**
+ * This class, same as {@link CVEAuditManager}, provides the functionality of CVE auditing.It bases its evaluation on
+ * OVAL data, in addition to channels data. Therefore, it provides more accurate results.
+ *
+ * We can't get rid of {@link CVEAuditManager} yet because not all supported Linux distributions provide
+ * OVAL vulnerability definitions, thus, we fall back to {@link CVEAuditManager} in that case.
+ *
+ */
+public class CVEAuditManagerOVAL {
+
+ private static final Logger LOG = LogManager.getLogger(CVEAuditManagerOVAL.class);
+
+ private CVEAuditManagerOVAL() {
+
+ }
+
+ /**
+ * List visible systems with their patch status regarding a given CVE identifier.
+ *
+ * @param user the calling user
+ * @param cveIdentifier the CVE identifier to lookup
+ * @param patchStatuses the patch statuses
+ * @return list of system records with patch status
+ * @throws UnknownCVEIdentifierException if the CVE number is not known
+ */
+ public static List listSystemsByPatchStatus(User user, String cveIdentifier,
+ EnumSet patchStatuses)
+ throws UnknownCVEIdentifierException {
+ if (isCVEIdentifierUnknown(cveIdentifier)) {
+ throw new UnknownCVEIdentifierException();
+ }
+
+ List result = new ArrayList<>();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cveIdentifier)
+ .collect(Collectors.toList());
+
+ // Group the results by system
+ Map> resultsBySystem =
+ results.stream().collect(Collectors.groupingBy(CVEAuditManager.CVEPatchStatus::getSystemId));
+
+ Set clients = user.getServers();
+ for (Server clientServer : clients) {
+ CVEAuditSystemBuilder systemAuditResult;
+ // We need this initially to be able to get errata and audit channels information for the OVAL
+ // implementation.
+ // TODO: We could make a custom query that would get us only the data we're interested in instead of relying
+ // on CVEAuditManager#doAuditSystem implementation.
+
+ CVEAuditSystemBuilder auditWithChannelsResult =
+ CVEAuditManager.doAuditSystem(clientServer.getId(), resultsBySystem.get(clientServer.getId()));
+
+ if (doesSupportOVALAuditing(clientServer)) {
+ systemAuditResult = doAuditSystem(cveIdentifier, resultsBySystem.get(clientServer.getId()),
+ clientServer);
+ systemAuditResult.setChannels(auditWithChannelsResult.getChannels());
+ systemAuditResult.setErratas(auditWithChannelsResult.getErratas());
+ }
+ else {
+ systemAuditResult = auditWithChannelsResult;
+ }
+
+ if (patchStatuses.contains(systemAuditResult.getPatchStatus())) {
+ result.add(new CVEAuditServer(
+ systemAuditResult.getId(),
+ systemAuditResult.getSystemName(),
+ systemAuditResult.getPatchStatus(),
+ systemAuditResult.getChannels(),
+ systemAuditResult.getErratas()));
+ }
+ }
+
+ return result;
+ }
+
+ private static boolean isCVEIdentifierUnknown(String cveIdentifier) {
+ return !OVALCachingFactory.canAuditCVE(cveIdentifier);
+ }
+
+ /**
+ * Check if server support OVAL CVE auditing
+ *
+ * @param clientServer the server to check
+ * @return {@code True}
+ * */
+ public static boolean doesSupportOVALAuditing(Server clientServer) {
+ // TODO: check if OVAL is synced and client product is support .e.g. Red Hat, Debian, Ubuntu or SUSE
+ return true;
+ }
+
+ /**
+ * Audit the given {@code clientServer} regarding the given CVE identifier based on OVAL and Channels data.
+ *
+ * @param clientServer the server to audit
+ * @param results list produced by {@link CVEAuditManager#listSystemsByPatchStatus(User, String)},
+ * helpful for determining the availability of a patch for the vulnerability in channels.
+ * @param cveIdentifier the CVE identifier
+ * @return a record with data about a single system containing that system's patch status regarding a certain
+ * given CVE identifier as well as sets of relevant channels and erratas.
+ * */
+ public static CVEAuditSystemBuilder doAuditSystem(String cveIdentifier,
+ List results,
+ Server clientServer) {
+ // It's possible to have 2 or more patches for one package. It's necessary to apply all of them because
+ // they will have the same outcome i.e. patch the package; instead we need to choose only one.
+ // To choose the one, we rank patches based on the channel they come from .e.g.
+ // assigned, successor product, etc. And for each vulnerable package we keep only the highest ranking patch
+ results = keepOnlyPatchCandidates(results);
+
+ CVEAuditSystemBuilder cveAuditServerBuilder = new CVEAuditSystemBuilder(clientServer.getId());
+ cveAuditServerBuilder.setSystemName(clientServer.getName());
+
+ List allInstalledPackages =
+ PackageManager.shallowSystemPackageList(clientServer.getId());
+
+ LOG.error("Vul packages before filtering: {}",
+ OVALCachingFactory.getVulnerablePackagesByProductAndCve(clientServer.getCpe(), cveIdentifier));
+
+ Set clientProductVulnerablePackages =
+ OVALCachingFactory.getVulnerablePackagesByProductAndCve(clientServer.getCpe(), cveIdentifier).stream()
+ .filter(pkg -> isPackageInstalled(pkg, allInstalledPackages))
+ .collect(Collectors.toSet());
+
+ LOG.error("Vul packages: {}", clientProductVulnerablePackages);
+
+ if (clientProductVulnerablePackages.isEmpty()) {
+ cveAuditServerBuilder.setPatchStatus(PatchStatus.NOT_AFFECTED);
+ return cveAuditServerBuilder;
+ }
+
+ Set patchedVulnerablePackages = clientProductVulnerablePackages.stream()
+ .filter(vulnerablePackage -> vulnerablePackage.getFixVersion().isPresent()).collect(
+ Collectors.toSet());
+
+ Set unpatchedVulnerablePackages = clientProductVulnerablePackages.stream()
+ .filter(vulnerablePackage -> vulnerablePackage.getFixVersion().isEmpty()).collect(
+ Collectors.toSet());
+
+ boolean allPackagesUnpatched = unpatchedVulnerablePackages.size() == clientProductVulnerablePackages.size();
+
+ if (allPackagesUnpatched) {
+ cveAuditServerBuilder.setPatchStatus(PatchStatus.AFFECTED_PATCH_UNAVAILABLE);
+ }
+ else {
+ boolean allPackagesPatched = patchedVulnerablePackages.stream().allMatch(patchedPackage ->
+ allInstalledPackages.stream()
+ .filter(installedPackage ->
+ Objects.equals(installedPackage.getName(), patchedPackage.getName()))
+ .anyMatch(installedPackage ->
+ installedPackage.getPackageEVR()
+ .compareTo(PackageEvr.parseRpm(patchedPackage.getFixVersion().get())) >= 0));
+
+ if (allPackagesPatched) {
+ cveAuditServerBuilder.setPatchStatus(PatchStatus.PATCHED);
+ }
+ else {
+ List patchesInAssignedChannels = results.stream()
+ .filter(CVEAuditManager.CVEPatchStatus::isChannelAssigned)
+ .collect(Collectors.toList());
+
+ List patchesInUnassignedChannels = results.stream()
+ .filter(cvePatchStatus -> !cvePatchStatus.isChannelAssigned())
+ .collect(Collectors.toList());
+
+ long numberOfPackagesWithPatchInAssignedChannels =
+ patchedVulnerablePackages.stream().filter(patchedPackage -> patchesInAssignedChannels
+ .stream()
+ .anyMatch(patch ->
+ patch.getPackageName().equals(Optional.of(patchedPackage.getName()))
+ )
+ ).count();
+
+ boolean allPackagesHavePatchInAssignedChannels =
+ numberOfPackagesWithPatchInAssignedChannels == patchedVulnerablePackages.size();
+ boolean somePackagesHavePatchInAssignedChannels = numberOfPackagesWithPatchInAssignedChannels > 0;
+
+ if (allPackagesHavePatchInAssignedChannels) {
+ cveAuditServerBuilder.setPatchStatus(PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE);
+ }
+ else if (somePackagesHavePatchInAssignedChannels) {
+ cveAuditServerBuilder.setPatchStatus(PatchStatus.AFFECTED_PARTIAL_PATCH_APPLICABLE);
+ }
+ else {
+ long numberOfPackagesWithPatchInUnassignedChannels =
+ patchedVulnerablePackages.stream().filter(patchedPackage -> patchesInUnassignedChannels
+ .stream()
+ .anyMatch(patch ->
+ patch.getPackageName().equals(Optional.of(patchedPackage.getName()))
+ )
+ ).count();
+
+ boolean somePackagesHavePatchInUnassignedChannels =
+ numberOfPackagesWithPatchInUnassignedChannels > 0 &&
+ numberOfPackagesWithPatchInUnassignedChannels == patchedVulnerablePackages.size();
+
+ boolean allPackagesHavePatchInUnassignedChannels =
+ numberOfPackagesWithPatchInUnassignedChannels == patchedVulnerablePackages.size();
+
+ if (allPackagesHavePatchInUnassignedChannels) {
+ boolean allPackagesHavePatchInSuccessorChannel = patchesInUnassignedChannels.stream()
+ .allMatch(patch ->
+ patch.getChannelRank().orElse(0L) >= SUCCESSOR_PRODUCT_RANK_BOUNDARY);
+ if (allPackagesHavePatchInSuccessorChannel) {
+ cveAuditServerBuilder
+ .setPatchStatus(PatchStatus.AFFECTED_PATCH_INAPPLICABLE_SUCCESSOR_PRODUCT);
+ }
+ else {
+ cveAuditServerBuilder.setPatchStatus(PatchStatus.AFFECTED_PATCH_INAPPLICABLE);
+ }
+ }
+ else if (somePackagesHavePatchInUnassignedChannels) {
+ //TODO: Not sure how to handle...
+ cveAuditServerBuilder.setPatchStatus(PatchStatus.AFFECTED_PATCH_UNAVAILABLE_IN_UYUNI);
+ }
+ else {
+ cveAuditServerBuilder.setPatchStatus(PatchStatus.AFFECTED_PATCH_UNAVAILABLE_IN_UYUNI);
+ }
+ }
+ }
+ }
+
+ LOG.error("Patch Status: {}", cveAuditServerBuilder.getPatchStatus());
+
+ return cveAuditServerBuilder;
+ }
+
+ private static List keepOnlyPatchCandidates(
+ List results) {
+ List patchCandidates = new ArrayList<>();
+
+ Map> resultsByPackage = results.stream()
+ .filter(result -> result.getPackageName().isPresent())
+ .collect(Collectors.groupingBy(r -> r.getPackageName().get()));
+
+ for (String packageName : resultsByPackage.keySet()) {
+ List packageResults = resultsByPackage.get(packageName);
+ CVEAuditManager.getPatchCandidateResult(packageResults).ifPresent(patchCandidates::add);
+ }
+
+ return patchCandidates;
+ }
+
+ private static boolean isPackageInstalled(VulnerablePackage pkg, List allInstalledPackages) {
+ return allInstalledPackages.stream()
+ .anyMatch(installed -> Objects.equals(installed.getName(), pkg.getName()));
+ }
+
+ /**
+ * List visible images with their patch status regarding a given CVE identifier.
+ *
+ * @param user the calling user
+ * @param cveIdentifier the CVE identifier to lookup
+ * @param patchStatuses the patch statuses
+ * @return list of images records with patch status
+ * @throws UnknownCVEIdentifierException if the CVE number is not known
+ */
+ public static List listImagesByPatchStatus(User user,
+ String cveIdentifier, EnumSet patchStatuses)
+ throws UnknownCVEIdentifierException {
+ // TODO: Audit images with OVAL
+ return CVEAuditManager.listImagesByPatchStatus(user, cveIdentifier, patchStatuses);
+ }
+
+ /**
+ * Populate channels for CVE Audit
+ * */
+ public static void populateCVEChannels() {
+ CVEAuditManager.populateCVEChannels();
+ }
+}
diff --git a/java/code/src/com/redhat/rhn/manager/audit/PatchStatus.java b/java/code/src/com/redhat/rhn/manager/audit/PatchStatus.java
index ac228f5dfbe8..c3d07ae33d4b 100644
--- a/java/code/src/com/redhat/rhn/manager/audit/PatchStatus.java
+++ b/java/code/src/com/redhat/rhn/manager/audit/PatchStatus.java
@@ -21,11 +21,14 @@
public enum PatchStatus {
// Values sorted by seriousness
- AFFECTED_PATCH_INAPPLICABLE("Affected, patch available in unassigned channel", 0),
- AFFECTED_PATCH_APPLICABLE("Affected, patch available in assigned channel", 1),
- NOT_AFFECTED("Not affected", 2),
- PATCHED("Patched", 3),
- AFFECTED_PATCH_INAPPLICABLE_SUCCESSOR_PRODUCT("Affected, patch available in a Product Migration target", 4);
+ AFFECTED_PATCH_UNAVAILABLE("Affected, patch is unavailable anywhere", 0),
+ AFFECTED_PATCH_UNAVAILABLE_IN_UYUNI("Affected, patch is unavailable in any of the synced channels", 1),
+ AFFECTED_PATCH_INAPPLICABLE("Affected, patch available in unassigned channel", 2),
+ AFFECTED_PARTIAL_PATCH_APPLICABLE("Affected, partial patch available in assigned channel", 3),
+ AFFECTED_FULL_PATCH_APPLICABLE("Affected, full patch available in assigned channel", 4),
+ NOT_AFFECTED("Not affected", 5),
+ PATCHED("Patched", 6),
+ AFFECTED_PATCH_INAPPLICABLE_SUCCESSOR_PRODUCT("Affected, patch available in a Product Migration target", 7);
/**
* The lower the more severe
diff --git a/java/code/src/com/redhat/rhn/manager/audit/test/CVEAuditManagerOVALTest.java b/java/code/src/com/redhat/rhn/manager/audit/test/CVEAuditManagerOVALTest.java
new file mode 100644
index 000000000000..a237026a37ff
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/manager/audit/test/CVEAuditManagerOVALTest.java
@@ -0,0 +1,497 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.redhat.rhn.manager.audit.test;
+
+import static com.redhat.rhn.domain.rhnpackage.test.PackageNameTest.createTestPackageName;
+import static com.redhat.rhn.testing.ErrataTestUtils.createLaterTestPackage;
+import static com.redhat.rhn.testing.ErrataTestUtils.createTestChannel;
+import static com.redhat.rhn.testing.ErrataTestUtils.createTestCve;
+import static com.redhat.rhn.testing.ErrataTestUtils.createTestErrata;
+import static com.redhat.rhn.testing.ErrataTestUtils.createTestInstalledPackage;
+import static com.redhat.rhn.testing.ErrataTestUtils.createTestPackage;
+import static com.redhat.rhn.testing.ErrataTestUtils.createTestServer;
+import static com.redhat.rhn.testing.ErrataTestUtils.createTestUser;
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import com.redhat.rhn.common.hibernate.HibernateFactory;
+import com.redhat.rhn.domain.channel.Channel;
+import com.redhat.rhn.domain.errata.Cve;
+import com.redhat.rhn.domain.errata.Errata;
+import com.redhat.rhn.domain.rhnpackage.Package;
+import com.redhat.rhn.domain.server.Server;
+import com.redhat.rhn.domain.user.User;
+import com.redhat.rhn.manager.audit.CVEAuditManager;
+import com.redhat.rhn.manager.audit.CVEAuditManagerOVAL;
+import com.redhat.rhn.manager.audit.CVEAuditSystemBuilder;
+import com.redhat.rhn.manager.audit.PatchStatus;
+import com.redhat.rhn.manager.audit.RankedChannel;
+import com.redhat.rhn.manager.audit.UnknownCVEIdentifierException;
+import com.redhat.rhn.testing.RhnBaseTestCase;
+import com.redhat.rhn.testing.TestUtils;
+
+import com.suse.oval.OVALCachingFactory;
+import com.suse.oval.OVALCleaner;
+import com.suse.oval.OsFamily;
+import com.suse.oval.OvalParser;
+import com.suse.oval.ovaltypes.OvalRootType;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+// TODO: Test that if we get AFFECTED_PATCH_INAPPLICABLE auditServer.Channels and auditServer.Erratas are not null
+public class CVEAuditManagerOVALTest extends RhnBaseTestCase {
+ private static final Logger LOG = LogManager.getLogger(CVEAuditManagerOVALTest.class);
+ private OvalParser ovalParser = new OvalParser();
+
+ @Test
+ void testDoAuditSystemNotAffected() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml"));
+
+ Cve cve = createTestCve("CVE-2022-2991");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user, errata);
+ Set channels = Set.of(channel);
+
+ Server server = createTestServer(user, channels);
+ server.setCpe("cpe:/o:opensuse:leap:15.5"); // Not Leap 15.4
+
+ CVEAuditManager.populateCVEChannels();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.NOT_AFFECTED, systemAuditResult.getPatchStatus());
+ }
+
+ /**
+ * If the system's OS is flagged as vulnerable based on OVAL, it doesn't necessarily mean that the system
+ * is vulnerable. For example, if none of the vulnerable packages are installed on the system,
+ * it means that the system is by definition NOT_AFFECTED.
+ * This test verifies this scenario.
+ * */
+ @Test
+ void testDoAuditSystemNotAffectedWhenOSIsAffected() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml"));
+
+ Cve cve = createTestCve("CVE-2022-2991");
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user, errata);
+ Set channels = Set.of(channel);
+
+ Server server = createTestServer(user, channels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4"); // openSUSE Leap 15.4, same as the affected OS in OVAL
+
+ CVEAuditManager.populateCVEChannels();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.NOT_AFFECTED, systemAuditResult.getPatchStatus());
+ }
+
+ @Test
+ void testDoAuditSystemPatched() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml"));
+
+ Cve cve = createTestCve("CVE-2022-2991");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ User user = createTestUser();
+
+ Channel channel = createTestChannel(user);
+ Set channels = Set.of(channel);
+
+ Server server = createTestServer(user, channels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4");
+
+ Package unpatched = createTestPackage(user, channel, "noarch");
+ unpatched.setPackageName(createTestPackageName("kernel-debug-base"));
+ Package patched = createLaterTestPackage(user, null, channel, unpatched,
+ "0", "4.12.14", "150100.197.137.2");
+
+ createTestInstalledPackage(patched, server);
+
+ CVEAuditManager.populateCVEChannels();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.PATCHED, systemAuditResult.getPatchStatus());
+ }
+
+ @Test
+ void testDoAuditSystemAffectedFullPatchAvailable() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml"));
+
+ Cve cve = createTestCve("CVE-2022-2991");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user, errata);
+ Set channels = Set.of(channel);
+
+ Server server = createTestServer(user, channels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4");
+
+ Package unpatched = createTestPackage(user, channel, "noarch",
+ "kernel-debug-base", "0", "4.12.13", "150100.197.137.2");
+
+ Package patched = createTestPackage(user, errata, channel, "noarch",
+ "kernel-debug-base", "0", "4.12.14", "150100.197.137.2");
+
+ createTestInstalledPackage(unpatched, server);
+
+ CVEAuditManager.populateCVEChannels();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, systemAuditResult.getPatchStatus());
+ }
+
+
+ @Test
+ void testDoAuditSystemAffectedPatchUnavailable() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-2.xml"));
+
+ Cve cve = createTestCve("CVE-2008-2934");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user, errata);
+ Set channels = Set.of(channel);
+
+ Server server = createTestServer(user, channels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4");
+
+ Package affected = createTestPackage(user, channel, "noarch", "MozillaFirefox");
+ createTestPackage(user, channel, "noarch", "MozillaFirefox-devel");
+
+ createTestInstalledPackage(affected, server);
+
+ CVEAuditManager.populateCVEChannels();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.AFFECTED_PATCH_UNAVAILABLE, systemAuditResult.getPatchStatus());
+ }
+
+ @Test
+ void testDoAuditSystemAffectedPartialPatchAvailable() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-3.xml"));
+
+ Cve cve = createTestCve("CVE-2008-2934");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user, errata);
+ Set channels = Set.of(channel);
+
+ Server server = createTestServer(user, channels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4");
+
+ // Only package 'MozillaFirefox' has a patch in the assigned channels
+ createTestPackage(user, errata, channel, "noarch", "MozillaFirefox", "0", "2.4.0",
+ "150400.1.12");
+
+ Package unpatched1 =
+ createTestPackage(user, channel, "noarch", "MozillaFirefox", "0", "2.3.0",
+ "150400.1.12");
+ Package unpatched2 =
+ createTestPackage(user, channel, "noarch", "MozillaFirefox-devel", "0",
+ "2.3.0", "150400.1.12");
+
+ createTestInstalledPackage(unpatched1, server);
+ createTestInstalledPackage(unpatched2, server);
+
+ CVEAuditManager.populateCVEChannels();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.AFFECTED_PARTIAL_PATCH_APPLICABLE, systemAuditResult.getPatchStatus());
+ }
+
+ @Test
+ void testDoAuditSystemAffectedPartialPatchAvailableFalsePositive() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-3.xml"));
+
+ Cve cve = createTestCve("CVE-2008-2934");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user, errata);
+ Set channels = Set.of(channel);
+
+ Server server = createTestServer(user, channels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4");
+
+ createTestPackage(user, errata, channel, "noarch", "MozillaFirefox", "0", "2.4.0", "150400.1.12");
+ Package unpatched = createTestPackage(user, channel, "noarch", "MozillaFirefox", "0", "2.3.0", "150400.1.12");
+
+ // The 'MozillaFirefox-devel' package is identified as vulnerable based on the OVAL data,
+ // but it is not currently installed on the system.
+ // Although 'MozillaFirefox-devel' does not have a patch available in the assigned channels,
+ // the algorithm should return AFFECTED_FULL_PATCH_APPLICABLE instead of AFFECTED_PARTIAL_PATCH_APPLICABLE.
+ // This decision is made because the 'MozillaFirefox' package,
+ // which is installed, has a patch that can be applied.
+ createTestPackage(user, channel, "noarch", "MozillaFirefox-devel");
+
+ createTestInstalledPackage(unpatched, server);
+
+ CVEAuditManager.populateCVEChannels();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, systemAuditResult.getPatchStatus());
+ }
+
+ @Test
+ void testDoAuditSystemAffectedPatchInapplicable() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml"));
+
+ Cve cve = createTestCve("CVE-2022-2991");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user);
+
+ // This channel is not assigned to server
+ Channel otherChannel = createTestChannel(user, errata);
+ Set assignedChannels = Set.of(channel);
+ Server server = createTestServer(user, assignedChannels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4");
+
+ Package unpatched = createTestPackage(user, channel, "noarch",
+ "kernel-debug-base", "0", "4.12.13", "150100.197.137.2");
+
+ // Patch exists in an unassigned channel
+ createTestPackage(user, errata, otherChannel, "noarch",
+ "kernel-debug-base", "0", "4.12.14", "150100.197.137.2");
+
+ createTestInstalledPackage(unpatched, server);
+
+ CVEAuditManager.populateCVEChannels();
+ // We don't have to care about the internals of populateCVEChannels and weather it will assign otherChannel as
+ // a relevant channel to server; we add it ourselves.
+ RankedChannel otherChannelRanked = new RankedChannel(otherChannel.getId(), 0);
+ Map> relevantChannels = new HashMap<>();
+ relevantChannels.put(server, List.of(otherChannelRanked));
+ CVEAuditManager.insertRelevantServerChannels(relevantChannels);
+ HibernateFactory.getSession().flush();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.AFFECTED_PATCH_INAPPLICABLE, systemAuditResult.getPatchStatus());
+ }
+
+ @Test
+ void testDoAuditSystemAffectedPatchInapplicableSuccessorProduct() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml"));
+
+ Cve cve = createTestCve("CVE-2022-2991");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user);
+
+ // This channel is not assigned to server
+ Channel otherChannel = createTestChannel(user, errata);
+ Set assignedChannels = Set.of(channel);
+ Server server = createTestServer(user, assignedChannels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4");
+
+ Package unpatched = createTestPackage(user, channel, "noarch",
+ "kernel-debug-base", "0", "4.12.13", "150100.197.137.2");
+
+ // Patch exists in an unassigned channel
+ createTestPackage(user, errata, otherChannel, "noarch",
+ "kernel-debug-base", "0", "4.12.14", "150100.197.137.2");
+
+ createTestInstalledPackage(unpatched, server);
+
+ CVEAuditManager.populateCVEChannels();
+ // We set the rank to SUCCESSOR_PRODUCT_RANK_BOUNDARY in order to imply that it's a successor product
+ // migration channel
+ RankedChannel otherChannelRanked = new RankedChannel(otherChannel.getId(),
+ CVEAuditManager.SUCCESSOR_PRODUCT_RANK_BOUNDARY);
+ // We don't have to care about the internals of populateCVEChannels and weather it will assign otherChannel as
+ // a relevant channel to server; we add it ourselves.
+ Map> relevantChannels = new HashMap<>();
+ relevantChannels.put(server, List.of(otherChannelRanked));
+ CVEAuditManager.insertRelevantServerChannels(relevantChannels);
+ HibernateFactory.getSession().flush();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.AFFECTED_PATCH_INAPPLICABLE_SUCCESSOR_PRODUCT, systemAuditResult.getPatchStatus());
+ }
+
+ /**
+ * Verify that bnc#833783 is fixed:
+ * Test that irrelevant packages do not alter a system's PATCHED status
+ *
+ * @throws Exception if anything goes wrong
+ */
+ @Test
+ public void testDoAuditSystemPatchedWithIrrelevantErrata() throws Exception {
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml"));
+
+ Cve cve = createTestCve("CVE-2022-2991");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ Set cves = Set.of(cve);
+ User user = createTestUser();
+
+ Errata errata = createTestErrata(user, cves);
+ Channel channel = createTestChannel(user, errata);
+ Set channels = Set.of(channel);
+
+ Server server = createTestServer(user, channels);
+ server.setCpe("cpe:/o:opensuse:leap:15.4");
+
+ Package unpatched = createTestPackage(user, channel, "noarch");
+ unpatched.setPackageName(createTestPackageName("kernel-debug-base"));
+ Package patched = createLaterTestPackage(user, errata, channel, unpatched,
+ "0", "4.12.14", "150100.197.137.2");
+
+ createTestInstalledPackage(patched, server);
+
+ CVEAuditManager.populateCVEChannels();
+
+ List results = CVEAuditManager.listSystemsByPatchStatus(user, cve.getName())
+ .collect(Collectors.toList());
+
+ CVEAuditSystemBuilder systemAuditResult = CVEAuditManagerOVAL.doAuditSystem(cve.getName(), results, server);
+
+ assertEquals(PatchStatus.PATCHED, systemAuditResult.getPatchStatus());
+ }
+
+ @Test
+ public void testListSystemsByPatchStatusUnknownCVE() {
+ String unknownCVE = TestUtils.randomString().substring(0, 13);
+ // Although we add the CVE to rhnCve, the exception should be still thrown because the CVE is not linked to any
+ // OVAL vulnerability in the database .i.e. not present in suseOVALPlatformVulnerablePackage
+ createTestCve(unknownCVE);
+
+ User user = createTestUser();
+
+ assertThrows(UnknownCVEIdentifierException.class,
+ () -> CVEAuditManagerOVAL.listSystemsByPatchStatus(user, unknownCVE,
+ EnumSet.allOf(PatchStatus.class)));
+ }
+
+ @Test
+ public void testListSystemsByPatchStatusKnownCVE() throws IOException, ClassNotFoundException {
+ User user = createTestUser();
+
+ OvalRootType ovalRoot = ovalParser.parse(TestUtils
+ .findTestData("/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml"));
+
+ Cve knownCve = createTestCve("CVE-2022-2991");
+
+ extractAndSaveVulnerablePackages(ovalRoot);
+
+ assertDoesNotThrow(() -> CVEAuditManagerOVAL.listSystemsByPatchStatus(user, knownCve.getName(),
+ EnumSet.allOf(PatchStatus.class)));
+ }
+
+ private static void extractAndSaveVulnerablePackages(OvalRootType rootType) {
+ OVALCleaner.cleanup(rootType, OsFamily.openSUSE_LEAP, "15.4");
+ OVALCachingFactory.savePlatformsVulnerablePackages(rootType);
+
+ HibernateFactory.getSession().flush();
+ }
+}
diff --git a/java/code/src/com/redhat/rhn/manager/audit/test/CVEAuditManagerTest.java b/java/code/src/com/redhat/rhn/manager/audit/test/CVEAuditManagerTest.java
index 7922a281ccea..bc0a36e0dbd6 100644
--- a/java/code/src/com/redhat/rhn/manager/audit/test/CVEAuditManagerTest.java
+++ b/java/code/src/com/redhat/rhn/manager/audit/test/CVEAuditManagerTest.java
@@ -333,11 +333,13 @@ public void testFindAllTargetProducts() throws Exception {
public void testSetPatchStatus() {
assertEquals(PatchStatus.PATCHED, CVEAuditManager.getPatchStatus(true, true, true, false));
assertEquals(PatchStatus.PATCHED, CVEAuditManager.getPatchStatus(true, false, true, false));
- assertEquals(PatchStatus.AFFECTED_PATCH_APPLICABLE, CVEAuditManager.getPatchStatus(false, true, true, false));
+ assertEquals(PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE,
+ CVEAuditManager.getPatchStatus(false, true, true, false));
assertEquals(PatchStatus.AFFECTED_PATCH_INAPPLICABLE,
CVEAuditManager.getPatchStatus(false, false, true, false));
assertEquals(PatchStatus.NOT_AFFECTED, CVEAuditManager.getPatchStatus(false, false, false, false));
- assertEquals(PatchStatus.AFFECTED_PATCH_APPLICABLE, CVEAuditManager.getPatchStatus(false, true, true, true));
+ assertEquals(PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE,
+ CVEAuditManager.getPatchStatus(false, true, true, true));
assertEquals(PatchStatus.AFFECTED_PATCH_INAPPLICABLE_SUCCESSOR_PRODUCT,
CVEAuditManager.getPatchStatus(false, false, true, true));
}
@@ -566,12 +568,12 @@ public void testListSystemsByPatchStatusAffectedPatchApplicable() throws Excepti
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results =
CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
// Everything is filtered except expected
- filter = EnumSet.of(PatchStatus.AFFECTED_PATCH_APPLICABLE);
+ filter = EnumSet.of(PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE);
results = CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
// Only the expected result is filtered
filter = EnumSet.complementOf(filter);
@@ -711,7 +713,7 @@ public void testChannelOrderWithClonedChannels() throws Exception {
// Verify the order of returned channels
CVEAuditSystem result = findSystemRecord(server, results);
- assertEquals(PatchStatus.AFFECTED_PATCH_APPLICABLE, result.getPatchStatus());
+ assertEquals(PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, result.getPatchStatus());
Iterator it = result.getChannels().iterator();
assertEquals((Long) channelClone.getId(), (Long) it.next().getId());
}
@@ -893,7 +895,7 @@ public void testPatchPartlyApplied() throws Exception {
// No filtering
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results = CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
}
/**
@@ -1140,7 +1142,7 @@ public void testLTSS() throws Exception {
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results =
CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server1, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server1, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
assertSystemPatchStatus(server2, PatchStatus.PATCHED, results);
assertSystemPatchStatus(server3, PatchStatus.PATCHED, results);
}
@@ -1268,7 +1270,7 @@ public void testAssignedChannelPreferredOverMigration() throws Exception {
CVEAuditManager.populateCVEChannels();
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results = CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
List channels = new ArrayList<>(results.get(0).getChannels());
assertEquals(1, channels.size());
assertEquals(updateChannelSP2.getId().longValue(), channels.get(0).getId());
@@ -1342,7 +1344,7 @@ public void testIgnoreOldProductsWhenCurrentPatchAvailable() throws Exception {
CVEAuditManager.populateCVEChannels();
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results = CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
}
/**
@@ -1411,7 +1413,7 @@ public void testIgnoreSuccessorProductsWhenCurrentPatchAvailable() throws Except
CVEAuditManager.populateCVEChannels();
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results = CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
// Make sure the errata and channel for the successor product is filtered out
assertEquals(1, results.stream().findFirst().get().getErratas().size());
assertEquals(1, results.stream().findFirst().get().getChannels().size());
@@ -1533,7 +1535,7 @@ public void testSDK() throws Exception {
CVEAuditManager.populateCVEChannels();
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results = CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server1, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server1, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
assertSystemPatchStatus(server2, PatchStatus.PATCHED, results);
}
@@ -1675,7 +1677,7 @@ public void testLivePatchingAffectedPatchApplicable() throws Exception {
CVEAuditManager.populateCVEChannels();
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results = CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
}
/**
@@ -1749,7 +1751,7 @@ public void testLivePatchingAffectedPatchApplicableSles15() throws Exception {
CVEAuditManager.populateCVEChannels();
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results = CVEAuditManager.listSystemsByPatchStatus(user, cveName, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
}
/**
@@ -1900,7 +1902,7 @@ public void testLivePatchingAffectedOnlyKernelPatchApplicable() throws Exception
CVEAuditManager.populateCVEChannels();
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results = CVEAuditManager.listSystemsByPatchStatus(user, cveNameKernelExclusive, filter);
- assertSystemPatchStatus(server, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertSystemPatchStatus(server, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
Iterator it = results.get(0).getChannels().iterator();
assertEquals((Long) baseChannelClone.getId(), (Long) it.next().getId());
@@ -1982,12 +1984,12 @@ public void testListImagesByPatchStatusAffectedPatchApplicable() throws Exceptio
EnumSet filter = EnumSet.allOf(PatchStatus.class);
List results =
CVEAuditManager.listImagesByPatchStatus(user, cveName, filter);
- assertImagePatchStatus(image, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertImagePatchStatus(image, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
// Everything is filtered except expected
- filter = EnumSet.of(PatchStatus.AFFECTED_PATCH_APPLICABLE);
+ filter = EnumSet.of(PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE);
results = CVEAuditManager.listImagesByPatchStatus(user, cveName, filter);
- assertImagePatchStatus(image, PatchStatus.AFFECTED_PATCH_APPLICABLE, results);
+ assertImagePatchStatus(image, PatchStatus.AFFECTED_FULL_PATCH_APPLICABLE, results);
// Only the expected result is filtered
filter = EnumSet.complementOf(filter);
diff --git a/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml b/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml
new file mode 100644
index 000000000000..164766c5d664
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-1.xml
@@ -0,0 +1,85 @@
+
+
+
+
+
+
+ CVE-2022-2991
+
+ openSUSE Leap 15.4
+
+
+ A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results
+ from the lack of proper validation of the length of user-supplied data prior to copying it to a
+ fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges
+ and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability
+ to execute high-privileged code on the target system to exploit this vulnerability.
+
+
+
+
+ Important
+ CVE-2022-2991
+
+
+ cpe:/o:opensuse:leap:15.4
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ openSUSE-release
+
+
+
+ kernel-debug-base
+
+
+
+
+
+
+ 15.4
+
+
+ 0:4.12.14-150100.197.137.2
+
+
+
+
\ No newline at end of file
diff --git a/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-2.xml b/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-2.xml
new file mode 100644
index 000000000000..eb368a912a57
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-2.xml
@@ -0,0 +1,97 @@
+
+
+
+
+
+
+ CVE-2008-2934
+
+ SUSE Linux Enterprise Server 15 SP1-LTSS
+ SUSE Linux Enterprise Server for SAP Applications 15 SP1
+
+
+
+
+ Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file that triggers a free of an uninitialized pointer.
+
+
+
+
+ Moderate
+ CVE-2008-2934
+ SUSE bug 407573
+
+ cpe:/o:suse:sles-ltss:15:sp1
+ cpe:/o:suse:sles_sap:15:sp1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ openSUSE-release
+
+
+
+ MozillaFirefox
+
+
+
+ MozillaFirefox-devel
+
+
+
+
+
+
+ 15.4
+
+
+
+ 0:0-0
+
+
+
+ 0:0-0
+
+
+
+
\ No newline at end of file
diff --git a/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-3.xml b/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-3.xml
new file mode 100644
index 000000000000..484a6528d28a
--- /dev/null
+++ b/java/code/src/com/redhat/rhn/manager/audit/test/oval/oval-def-3.xml
@@ -0,0 +1,96 @@
+
+
+
+
+
+ CVE-2008-2934
+
+ SUSE Linux Enterprise Server 15 SP1-LTSS
+ SUSE Linux Enterprise Server for SAP Applications 15 SP1
+
+
+
+
+ Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file that triggers a free of an uninitialized pointer.
+
+
+
+
+ Moderate
+ CVE-2008-2934
+ SUSE bug 407573
+
+ cpe:/o:suse:sles-ltss:15:sp1
+ cpe:/o:suse:sles_sap:15:sp1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ openSUSE-release
+
+
+
+ MozillaFirefox
+
+
+
+ MozillaFirefox-devel
+
+
+
+
+
+
+ 15.4
+
+
+
+ 0:2.4.0-150400.1.12
+
+
+
+ 0:2.4.0-150400.1.12
+
+
+
+
\ No newline at end of file
diff --git a/java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java b/java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java
index 84c0d5a3d6fb..f71f1fee3ad2 100644
--- a/java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java
+++ b/java/code/src/com/redhat/rhn/manager/rhnpackage/PackageManager.java
@@ -61,6 +61,7 @@
import com.redhat.rhn.manager.system.IncompatibleArchException;
import com.suse.manager.utils.PagedSqlQueryBuilder;
+import com.suse.oval.ShallowSystemPackage;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
@@ -322,6 +323,21 @@ public static DataResult systemPackageList(Long sid, PageContro
return PackageManager.getPackagesPerSystem(sid, "system_package_list", pc);
}
+ /**
+ * Returns list of packages for given server
+ *
+ * @param sid Server Id
+ * @return list of packages for given server
+ */
+ public static DataResult shallowSystemPackageList(Long sid) {
+ SelectMode m = ModeFactory.getMode("Package_queries", "shallow_system_package_list");
+
+ Map params = new HashMap<>();
+ params.put("sid", sid);
+
+ return m.execute(params);
+ }
+
/**
* Returns list of package for given server
* @param sid Server Id
diff --git a/java/code/src/com/redhat/rhn/taskomatic/task/CVEServerChannels.java b/java/code/src/com/redhat/rhn/taskomatic/task/CVEServerChannels.java
index cbb6f394b7cf..402e43db795f 100644
--- a/java/code/src/com/redhat/rhn/taskomatic/task/CVEServerChannels.java
+++ b/java/code/src/com/redhat/rhn/taskomatic/task/CVEServerChannels.java
@@ -14,7 +14,7 @@
*/
package com.redhat.rhn.taskomatic.task;
-import com.redhat.rhn.manager.audit.CVEAuditManager;
+import com.redhat.rhn.manager.audit.CVEAuditManagerOVAL;
import org.quartz.JobExecutionContext;
@@ -44,7 +44,7 @@ public void execute(JobExecutionContext context) {
// Measure time and calculate the total duration
Date start = new Date();
- CVEAuditManager.populateCVEChannels();
+ CVEAuditManagerOVAL.populateCVEChannels();
if (log.isDebugEnabled()) {
long duration = new Date().getTime() - start.getTime();
diff --git a/java/code/src/com/redhat/rhn/testing/ErrataTestUtils.java b/java/code/src/com/redhat/rhn/testing/ErrataTestUtils.java
index 58249c4edfc1..c1b3c91497af 100644
--- a/java/code/src/com/redhat/rhn/testing/ErrataTestUtils.java
+++ b/java/code/src/com/redhat/rhn/testing/ErrataTestUtils.java
@@ -12,8 +12,11 @@
* granted to use or replicate Red Hat trademarks that are incorporated
* in this software or its documentation.
*/
+
package com.redhat.rhn.testing;
+import static com.redhat.rhn.domain.rhnpackage.test.PackageNameTest.createTestPackageName;
+
import com.redhat.rhn.common.db.datasource.ModeFactory;
import com.redhat.rhn.common.db.datasource.WriteMode;
import com.redhat.rhn.common.hibernate.HibernateFactory;
@@ -26,6 +29,7 @@
import com.redhat.rhn.domain.errata.ClonedErrata;
import com.redhat.rhn.domain.errata.Cve;
import com.redhat.rhn.domain.errata.Errata;
+import com.redhat.rhn.domain.errata.ErrataFactory;
import com.redhat.rhn.domain.errata.test.ErrataFactoryTest;
import com.redhat.rhn.domain.rhnpackage.Package;
import com.redhat.rhn.domain.rhnpackage.PackageEvr;
@@ -353,6 +357,78 @@ public static Package createTestPackage(User user, Errata errata, Channel channe
return result;
}
+ /**
+ * Create a {@link Package}.
+ *
+ * @param user the package owner
+ * @param errata an errata that will contain the new package
+ * @param channel the channel in which the new package is to be published
+ * @param arch the package architecture label
+ * @param name the package name
+ * @param epoch the package epoch in EVR
+ * @param version the package version in EVR
+ * @param release the package release in EVR
+ * @return the newly created patch
+ */
+ public static Package createTestPackage(User user, Errata errata, Channel channel, String arch, String name,
+ String epoch, String version, String release) {
+ Package result = createTestPackage(user, errata, channel, arch);
+
+ PackageEvr pevr =
+ PackageEvrFactory.lookupOrCreatePackageEvr(epoch, version, release, result.getPackageType());
+
+ result.setRpmVersion(result.getRpmVersion());
+ result.setDescription(result.getDescription());
+ result.setSummary(result.getSummary());
+ result.setPackageSize(result.getPackageSize());
+ result.setPayloadSize(result.getPayloadSize());
+ result.setBuildHost(result.getBuildHost());
+ result.setVendor(result.getVendor());
+ result.setPayloadFormat(result.getPayloadFormat());
+ result.setCompat(result.getCompat());
+ result.setPath(result.getPath());
+ result.setHeaderSignature(result.getHeaderSignature());
+ result.setCopyright(result.getCopyright());
+ result.setCookie(result.getCookie());
+ result.setPackageName(createTestPackageName(name));
+ result.setPackageEvr(pevr);
+ result.setPackageGroup(result.getPackageGroup());
+
+ TestUtils.saveAndFlush(result);
+
+ return result;
+ }
+
+ /**
+ * Create a {@link Package}.
+ *
+ * @param user the package owner
+ * @param channel the channel in which the new package is to be published
+ * @param arch the package architecture label
+ * @param name the package name
+ * @param epoch the package epoch in EVR
+ * @param version the package version in EVR
+ * @param release the package release in EVR
+ * @return the newly created patch
+ */
+ public static Package createTestPackage(User user, Channel channel, String arch, String name,
+ String epoch, String version, String release) {
+ return createTestPackage(user, null, channel, arch, name, epoch, version, release);
+ }
+
+ /**
+ * Create a {@link Package}.
+ *
+ * @param user the package owner
+ * @param channel the channel in which the new package is to be published
+ * @param arch the package architecture label
+ * @param name the package name
+ * @return the newly created patch
+ */
+ public static Package createTestPackage(User user, Channel channel, String arch, String name) {
+ return createTestPackage(user, null, channel, arch, name, "1", "0", "1");
+ }
+
/**
* Create a {@link Package} which has a greater version number than another.
* @param user the package owner
diff --git a/java/code/src/com/redhat/rhn/testing/TestCaseHelper.java b/java/code/src/com/redhat/rhn/testing/TestCaseHelper.java
index 5508e8623ebf..41052485d432 100644
--- a/java/code/src/com/redhat/rhn/testing/TestCaseHelper.java
+++ b/java/code/src/com/redhat/rhn/testing/TestCaseHelper.java
@@ -35,7 +35,7 @@ public static void tearDownHelper() {
if (HibernateFactory.inTransaction()) {
try {
HibernateFactory.rollbackTransaction();
- //HibernateFactory.commitTransaction();
+ // HibernateFactory.commitTransaction();
}
catch (TransactionException e) {
rollbackException = e;
diff --git a/java/code/src/com/suse/manager/reactor/messaging/RegisterMinionEventMessageAction.java b/java/code/src/com/suse/manager/reactor/messaging/RegisterMinionEventMessageAction.java
index 9f1b8ac14da2..9c34014c73a3 100644
--- a/java/code/src/com/suse/manager/reactor/messaging/RegisterMinionEventMessageAction.java
+++ b/java/code/src/com/suse/manager/reactor/messaging/RegisterMinionEventMessageAction.java
@@ -495,6 +495,7 @@ else if (!minion.getOrg().equals(org)) {
String kernelrelease = grains.getValueAsString("kernelrelease");
String osarch = grains.getValueAsString("osarch");
+ String cpe = grains.getValueAsString("cpe");
minion.setOs(osfullname);
minion.setOsFamily(osfamily);
@@ -507,6 +508,7 @@ else if (!minion.getOrg().equals(org)) {
minion.setModified(minion.getCreated());
minion.setContactMethod(getContactMethod(activationKey, isSaltSSH, minionId));
minion.setHostname(grains.getOptionalAsString(FQDN).orElse(null));
+ minion.setCpe(cpe);
systemInfo.getKernelLiveVersion().ifPresent(minion::setKernelLiveVersion);
diff --git a/java/code/src/com/suse/manager/utils/SaltUtils.java b/java/code/src/com/suse/manager/utils/SaltUtils.java
index 3318c7b1dd95..1c777b0319ab 100644
--- a/java/code/src/com/suse/manager/utils/SaltUtils.java
+++ b/java/code/src/com/suse/manager/utils/SaltUtils.java
@@ -1451,6 +1451,7 @@ else if ("debian".equalsIgnoreCase(grains.getValueAsString("os"))) {
server.setOsFamily(grains.getValueAsString("os_family"));
server.setRunningKernel(grains.getValueAsString("kernelrelease"));
server.setOs(grains.getValueAsString("osfullname"));
+ server.setCpe(grains.getValueAsString("cpe"));
/** Release is set directly from grain information for SUSE systems only.
RH systems require some parsing on the grains to get the correct release
diff --git a/java/code/src/com/suse/manager/webui/controllers/CVEAuditController.java b/java/code/src/com/suse/manager/webui/controllers/CVEAuditController.java
index a3a7d18b7382..0c42fb3d6946 100644
--- a/java/code/src/com/suse/manager/webui/controllers/CVEAuditController.java
+++ b/java/code/src/com/suse/manager/webui/controllers/CVEAuditController.java
@@ -25,7 +25,7 @@
import com.redhat.rhn.common.localization.LocalizationService;
import com.redhat.rhn.domain.user.User;
import com.redhat.rhn.manager.audit.CVEAuditImage;
-import com.redhat.rhn.manager.audit.CVEAuditManager;
+import com.redhat.rhn.manager.audit.CVEAuditManagerOVAL;
import com.redhat.rhn.manager.audit.CVEAuditServer;
import com.redhat.rhn.manager.audit.CVEAuditSystem;
import com.redhat.rhn.manager.audit.PatchStatus;
@@ -141,13 +141,13 @@ public static Object cveAudit(Request req, Response res, User user) {
switch (cveAuditRequest.getTarget()) {
case SERVER:
Set systemSet = RhnSetDecl.SYSTEMS.get(user).getElementValues();
- List cveAuditServers = CVEAuditManager
+ List cveAuditServers = CVEAuditManagerOVAL
.listSystemsByPatchStatus(user, cveAuditRequest.cveIdentifier,
cveAuditRequest.statuses);
cveAuditServers.forEach(serv -> serv.setSelected(systemSet.contains(serv.getId())));
return json(res, ResultJson.success(cveAuditServers));
case IMAGE:
- List cveAuditImages = CVEAuditManager
+ List cveAuditImages = CVEAuditManagerOVAL
.listImagesByPatchStatus(user, cveAuditRequest.cveIdentifier,
cveAuditRequest.statuses);
return json(res, ResultJson.success(cveAuditImages));
@@ -163,13 +163,13 @@ private static List handleRequest(CVEAuditRequest request, User
throws UnknownCVEIdentifierException {
switch (request.getTarget()) {
case SERVER:
- List cveAuditServers = CVEAuditManager
+ List cveAuditServers = CVEAuditManagerOVAL
.listSystemsByPatchStatus(user, request.cveIdentifier,
request.statuses);
return cveAuditServers.stream().map(x -> (CVEAuditSystem)x)
.collect(Collectors.toList());
case IMAGE:
- List cveAuditImages = CVEAuditManager
+ List cveAuditImages = CVEAuditManagerOVAL
.listImagesByPatchStatus(user, request.cveIdentifier,
request.statuses);
return cveAuditImages.stream().map(x -> (CVEAuditSystem)x)
diff --git a/java/code/src/com/suse/oval/OVALCachingFactory.java b/java/code/src/com/suse/oval/OVALCachingFactory.java
new file mode 100644
index 000000000000..206a1746afdf
--- /dev/null
+++ b/java/code/src/com/suse/oval/OVALCachingFactory.java
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval;
+
+import com.redhat.rhn.common.db.datasource.CallableMode;
+import com.redhat.rhn.common.db.datasource.DataResult;
+import com.redhat.rhn.common.db.datasource.ModeFactory;
+import com.redhat.rhn.common.db.datasource.Row;
+import com.redhat.rhn.common.db.datasource.SelectMode;
+import com.redhat.rhn.common.hibernate.HibernateFactory;
+
+import com.redhat.rhn.domain.rhnpackage.PackageType;
+import com.redhat.rhn.manager.audit.CVEAffectedPackageItem;
+import com.suse.oval.manager.OVALLookupHelper;
+import com.suse.oval.ovaltypes.DefinitionType;
+import com.suse.oval.ovaltypes.OvalRootType;
+import com.suse.oval.vulnerablepkgextractor.ProductVulnerablePackages;
+import com.suse.oval.vulnerablepkgextractor.VulnerablePackage;
+import com.suse.oval.vulnerablepkgextractor.VulnerablePackagesExtractor;
+import com.suse.oval.vulnerablepkgextractor.VulnerablePackagesExtractors;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.hibernate.Session;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.StreamSupport;
+
+public class OVALCachingFactory extends HibernateFactory {
+ private static final Logger LOG = LogManager.getLogger(OVALCachingFactory.class);
+ private static OVALCachingFactory instance = new OVALCachingFactory();
+
+ private OVALCachingFactory() {
+ // Left empty on purpose
+ }
+
+ /**
+ * Extracts and save the list of vulnerable packages from {@code rootType}
+ *
+ * @param rootType the OVAL root to extract from
+ * */
+ // TODO: Following the single responsibility principle this method shouldn't have to extract vulnerable packages
+ // itself
+ public static void savePlatformsVulnerablePackages(OvalRootType rootType) {
+ CallableMode mode = ModeFactory.getCallableMode("oval_queries", "add_product_vulnerable_package");
+
+ OVALLookupHelper ovalLookupHelper = new OVALLookupHelper(rootType);
+
+ DataResult> batch = new DataResult<>(new ArrayList<>(1000));
+
+ for (DefinitionType definition : rootType.getDefinitions()) {
+ VulnerablePackagesExtractor vulnerablePackagesExtractor =
+ VulnerablePackagesExtractors.create(definition, rootType.getOsFamily(), ovalLookupHelper);
+
+ List extractionResult = vulnerablePackagesExtractor.extract();
+ for (ProductVulnerablePackages productVulnerablePackages : extractionResult) {
+ for (String cve : productVulnerablePackages.getCves()) {
+ for (VulnerablePackage vulnerablePackage : productVulnerablePackages.getVulnerablePackages()) {
+ Map params = new HashMap<>();
+ params.put("product_name", productVulnerablePackages.getProductCpe());
+ params.put("cve_name", cve);
+ params.put("package_name", vulnerablePackage.getName());
+ params.put("fix_version", vulnerablePackage.getFixVersion().orElse(null));
+
+ batch.add(params);
+
+ if (batch.size() % 1000 == 0) {
+ mode.getQuery().executeBatchUpdates(batch);
+ batch.clear();
+ commitTransaction();
+
+ Session session = getSession();
+ if (!inTransaction()) {
+ session.beginTransaction();
+ }
+ }
+ }
+ }
+ }
+ }
+
+ mode.getQuery().executeBatchUpdates(new DataResult<>(batch));
+
+ LOG.warn("Ending...");
+ }
+
+ /**
+ * Lookup the list of vulnerable packages by the pair of cpe and cve
+ *
+ * @param cve the cve
+ * @param productCpe the product cpe
+ * @return the list of vulnerable packages
+ * */
+ public static List getVulnerablePackagesByProductAndCve(String productCpe, String cve) {
+ SelectMode mode = ModeFactory.getMode("oval_queries", "get_vulnerable_packages");
+
+ Map params = new HashMap<>();
+ params.put("cve_name", cve);
+ params.put("product_cpe", productCpe);
+
+ DataResult result = mode.execute(params);
+
+ return result.stream().map(row -> {
+ VulnerablePackage vulnerablePackage = new VulnerablePackage();
+ vulnerablePackage.setName((String) row.get("vulnerablepkgname"));
+ vulnerablePackage.setFixVersion((String) row.get("vulnerablepkgfixversion"));
+ return vulnerablePackage;
+ }).collect(Collectors.toList());
+ }
+
+ /**
+ * Verify the presence of OVAL data in the database for the given CVE to determine whether an audit of the CVE
+ * can be conducted.
+ *
+ * @param cve the cve to check for
+ * @return {@code True} if we can audit for CVE and {@code False} otherwise
+ * */
+ public static boolean canAuditCVE(String cve) {
+ SelectMode m = ModeFactory.getMode("oval_queries", "can_audit_cve");
+ Map params = new HashMap<>();
+ params.put("cve_name", cve);
+
+ DataResult result = m.execute(params);
+
+ return !result.isEmpty();
+ }
+
+ public static List listSystemsAffectedPackages(String cve) {
+ SelectMode mode = ModeFactory.getMode("oval_queries", "list_systems_affected_packages");
+
+ Map params = new HashMap<>();
+ params.put("cve_name", cve);
+
+ DataResult result = mode.execute(params);
+
+ return result.stream()
+ .map(OVALCachingFactory::createCVEAffectedPackageItemFromRow)
+ .collect(Collectors.toList());
+ }
+
+ public static List listSystemsAffectedPackages() {
+ SelectMode mode = ModeFactory.getMode("oval_queries", "list_systems_affected_packages_all_cves");
+
+ Map params = new HashMap<>();
+
+ DataResult result = mode.execute(params);
+
+ return result.stream()
+ .map(OVALCachingFactory::createCVEAffectedPackageItemFromRow)
+ .collect(Collectors.toList());
+ }
+
+ private static CVEAffectedPackageItem createCVEAffectedPackageItemFromRow(Row row) {
+ return new CVEAffectedPackageItem(
+ (Long) row.get("system_id"),
+ (String) row.get("system_name"),
+ (String) row.get("package_name"),
+ PackageType.fromDbString((String) row.get("package_type")),
+ (String) row.get("patched_version"),
+ (String) row.get("installed_epoch"),
+ (String) row.get("installed_version"),
+ (String) row.get("installed_release"),
+ (String) row.get("cve"));
+ }
+
+ @Override
+ protected Logger getLogger() {
+ return LOG;
+ }
+}
diff --git a/java/code/src/com/suse/oval/OVALCleaner.java b/java/code/src/com/suse/oval/OVALCleaner.java
new file mode 100644
index 000000000000..6104f739fc91
--- /dev/null
+++ b/java/code/src/com/suse/oval/OVALCleaner.java
@@ -0,0 +1,185 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval;
+
+
+import com.suse.oval.ovaltypes.Advisory;
+import com.suse.oval.ovaltypes.AdvisoryCveType;
+import com.suse.oval.ovaltypes.BaseCriteria;
+import com.suse.oval.ovaltypes.CriteriaType;
+import com.suse.oval.ovaltypes.CriterionType;
+import com.suse.oval.ovaltypes.DefinitionClassEnum;
+import com.suse.oval.ovaltypes.DefinitionType;
+import com.suse.oval.ovaltypes.ObjectType;
+import com.suse.oval.ovaltypes.OvalRootType;
+import com.suse.oval.ovaltypes.StateType;
+import com.suse.oval.ovaltypes.TestType;
+
+import org.apache.commons.lang3.NotImplementedException;
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * This class is responsible for cleaning OVAL resources and filling up missing data. It acts as an adapter that takes
+ * OVAL data from multiple sources and make changes to it to have a more predictable format.
+ */
+public class OVALCleaner {
+ private OVALCleaner() {
+ }
+
+ /**
+ * Cleanup the given {@code root} based on {@code osFamily} and {@code osVersion}
+ *
+ * @param root the OVAL root to clean up
+ * @param osFamily the osFamily of the OVAL
+ * @param osVersion the osVersion of the OVAL
+ * */
+ public static void cleanup(OvalRootType root, OsFamily osFamily, String osVersion) {
+ root.setOsFamily(osFamily);
+ root.setOsVersion(osVersion);
+
+ if (osFamily == OsFamily.REDHAT_ENTERPRISE_LINUX) {
+ root.getDefinitions().removeIf(def -> def.getId().contains("unaffected"));
+ }
+
+ if (osFamily == OsFamily.DEBIAN || osFamily == OsFamily.SUSE_LINUX_ENTERPRISE_SERVER ||
+ osFamily == OsFamily.SUSE_LINUX_ENTERPRISE_DESKTOP || osFamily == OsFamily.openSUSE_LEAP) {
+ // For the above OS families, we only need OVAL vulnerability definitions
+ root.getDefinitions().removeIf(def -> def.getDefinitionClass() != DefinitionClassEnum.VULNERABILITY);
+ }
+
+ // Although it's rare, but it's possible to get null criteria trees.
+ root.getDefinitions().removeIf(def -> def.getCriteria() == null);
+
+ root.getDefinitions().forEach(definition -> doCleanupDefinition(definition, osFamily, osVersion));
+ root.getTests().forEach(test -> doCleanupTest(test, osFamily, osVersion));
+ root.getStates().forEach(state -> doCleanupState(state, osFamily, osVersion));
+ root.getObjects().forEach(object -> doCleanupObject(object, osFamily, osVersion));
+ }
+
+ private static void doCleanupDefinition(DefinitionType definition, OsFamily osFamily, String osVersion) {
+ fillCves(definition, osFamily);
+ fillOsFamily(definition, osFamily);
+ fillOsVersion(definition, osVersion);
+
+ if (osFamily == OsFamily.DEBIAN) {
+ convertDebianTestRefs(definition.getCriteria(), osVersion);
+ }
+ }
+
+ private static void fillCves(DefinitionType definition, OsFamily osFamily) {
+ switch (osFamily) {
+ case REDHAT_ENTERPRISE_LINUX:
+ case openSUSE_LEAP:
+ case SUSE_LINUX_ENTERPRISE_SERVER:
+ case SUSE_LINUX_ENTERPRISE_DESKTOP:
+ List cves =
+ definition.getMetadata().getAdvisory().map(Advisory::getCveList)
+ .orElse(Collections.emptyList())
+ .stream().map(AdvisoryCveType::getCve).collect(Collectors.toList());
+ definition.setCves(cves);
+ break;
+ case DEBIAN:
+ definition.setSingleCve(definition.getMetadata().getTitle().split("\\s+")[0]);
+ break;
+ default:
+ throw new NotImplementedException("Cannot extract cve from '" + osFamily + "' OVAL definitions");
+ }
+
+ List cleanCves = definition.getCves().stream().map(OVALCleaner::removeWhitespaceChars)
+ .collect(Collectors.toList());
+
+ definition.setCves(cleanCves);
+ }
+
+ private static String removeWhitespaceChars(String s) {
+ return StringUtils.deleteWhitespace(s);
+ }
+
+ private static void fillOsFamily(DefinitionType definition, OsFamily osFamily) {
+ definition.setOsFamily(osFamily);
+ }
+
+ private static void fillOsVersion(DefinitionType definition, String osVersion) {
+ definition.setOsVersion(osVersion);
+ }
+
+ private static void doCleanupTest(TestType test, OsFamily osFamily, String osVersion) {
+ if (osFamily == OsFamily.DEBIAN) {
+ test.setId(convertDebianId(test.getId(), osVersion));
+ test.setObjectRef(convertDebianId(test.getObjectRef(), osVersion));
+ if (test.getStateRef().isPresent()) {
+ test.setStateRef(convertDebianId(test.getStateRef().get(), osVersion));
+ }
+ }
+ }
+
+ private static void doCleanupState(StateType state, OsFamily osFamily, String osVersion) {
+ if (osFamily == OsFamily.DEBIAN) {
+ state.setId(convertDebianId(state.getId(), osVersion));
+ }
+ }
+
+ private static void doCleanupObject(ObjectType object, OsFamily osFamily, String osVersion) {
+ if (osFamily == OsFamily.DEBIAN) {
+ object.setId(convertDebianId(object.getId(), osVersion));
+ }
+ }
+
+ /**
+ * Debian Ids are not unique among different versions, so it's possible to have OVAL constructs that have the
+ * same id but different content for different versions of Debian.
+ *
+ * To work around this, we insert the codename of the version into the id string
+ */
+ private static void convertDebianTestRefs(BaseCriteria root, String osVersion) {
+ if (root instanceof CriteriaType) {
+ for (BaseCriteria criteria : ((CriteriaType) root).getChildren()) {
+ convertDebianTestRefs(criteria, osVersion);
+ }
+ }
+ else {
+ CriterionType criterionType = (CriterionType) root;
+ criterionType.setTestRef(convertDebianId(criterionType.getTestRef(), osVersion));
+ }
+ }
+
+ /**
+ * Debian Ids are not unique among different versions, so it's possible to have OVAL constructs that have the
+ * same id but different content for different versions of Debian.
+ *
+ * To work around this, we insert the codename of the version into the id string
+ */
+ private static String convertDebianId(String id, String osVersion) {
+ String codename;
+ if ("10.0".equals(osVersion) || "10".equals(osVersion)) {
+ codename = "buster";
+ }
+ else if ("11.0".equals(osVersion) || "11".equals(osVersion)) {
+ codename = "bullseye";
+ }
+ else if ("12.0".equals(osVersion) || "12".equals(osVersion)) {
+ codename = "bookworm";
+ }
+ else {
+ throw new IllegalArgumentException("Invalid debian version: " + osVersion);
+ }
+ return id.replaceAll("debian", "debian-" + codename);
+ }
+}
diff --git a/java/code/src/com/suse/oval/OsFamily.java b/java/code/src/com/suse/oval/OsFamily.java
new file mode 100644
index 000000000000..87ac46c62627
--- /dev/null
+++ b/java/code/src/com/suse/oval/OsFamily.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval;
+
+public enum OsFamily {
+ openSUSE_LEAP("openSUSE Leap", "leap", "opensuse"),
+ SUSE_LINUX_ENTERPRISE_SERVER("SUSE Linux Enterprise Server", "sles", "suse"),
+ SUSE_LINUX_ENTERPRISE_DESKTOP("SUSE Linux Enterprise Desktop", "sled", "suse"),
+ REDHAT_ENTERPRISE_LINUX("Red Hat Enterprise Linux", "enterprise_linux", "redhat"),
+ UBUNTU("Ubuntu", "ubuntu", "canonical"),
+ DEBIAN("Debian", "debian", "debian");
+
+ private final String vendor;
+ private final String fullname;
+ // Should consist of all lower case characters
+ private final String shortname;
+
+ OsFamily(String fullnameIn, String shortnameIn, String vendorIn) {
+ this.fullname = fullnameIn;
+ this.shortname = shortnameIn;
+ this.vendor = vendorIn;
+ }
+ OsFamily(String fullnameIn, String vendorIn) {
+ this(fullnameIn, fullnameIn.toLowerCase(), vendorIn);
+ }
+}
diff --git a/java/code/src/com/suse/oval/OvalParser.java b/java/code/src/com/suse/oval/OvalParser.java
new file mode 100755
index 000000000000..babe3b0b22f7
--- /dev/null
+++ b/java/code/src/com/suse/oval/OvalParser.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval;
+
+import com.suse.oval.exceptions.OvalParserException;
+import com.suse.oval.ovaltypes.OvalRootType;
+
+import java.io.File;
+import java.net.URISyntaxException;
+import java.net.URL;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+
+/**
+ * The Oval Parser is responsible for parsing OVAL(Open Vulnerability and Assessment Language) documents
+ */
+public class OvalParser {
+
+ /**
+ * Parse the given OVAL file
+ *
+ * @param ovalFile the OVAL file to parse
+ * @return the parsed OVAL encapulated in a {@link OvalRootType} object=
+ * */
+ public OvalRootType parse(File ovalFile) throws OvalParserException {
+ try {
+ JAXBContext jaxbContext = JAXBContext.newInstance(OvalRootType.class);
+ Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
+ return (OvalRootType) unmarshaller.unmarshal(ovalFile);
+ }
+ catch (JAXBException e) {
+ throw new OvalParserException("Failed to parse the given OVAL file at: " + ovalFile.getAbsolutePath(), e);
+ }
+ }
+
+ /**
+ * Parse the given OVAL file from a URL
+ *
+ * @param url the URL to get the OVAL file from
+ * @return the parsed OVAL encapsulated in a {@link OvalRootType} object
+ * */
+ public OvalRootType parse(URL url) {
+ try {
+ return parse(new File(url.toURI()));
+ }
+ catch (URISyntaxException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ShallowSystemPackage.java b/java/code/src/com/suse/oval/ShallowSystemPackage.java
new file mode 100644
index 000000000000..f789b4cd418f
--- /dev/null
+++ b/java/code/src/com/suse/oval/ShallowSystemPackage.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval;
+
+import com.redhat.rhn.domain.rhnpackage.PackageEvr;
+import com.redhat.rhn.frontend.dto.IdComboDto;
+
+/**
+ * A more compact version of {@link com.redhat.rhn.frontend.dto.PackageListItem} that contains the minimum amount of
+ * information for package version comparison.
+ * */
+public class ShallowSystemPackage extends IdComboDto {
+ private Long packageId;
+ private Long id;
+ private String name;
+ private String evr;
+ private String arch;
+ private String epoch;
+ private String version;
+ private String release;
+ private String type;
+
+ /**
+ * Default constructor
+ * */
+ public ShallowSystemPackage() {
+ }
+
+ /**
+ * @return Returns the Id.
+ */
+ @Override
+ public Long getId() {
+ return id;
+ }
+
+ /**
+ * @param idIn The Id to set.
+ */
+ public void setId(Long idIn) {
+ id = idIn;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String nameIn) {
+ this.name = nameIn;
+ }
+
+ public String getEvr() {
+ return evr;
+ }
+
+ public void setEvr(String evrIn) {
+ this.evr = evrIn;
+ }
+
+ /**
+ * @return Returns the packageId
+ */
+ public Long getPackageId() {
+ return packageId;
+ }
+
+ /**
+ * @param packageIdIn The packageId to set
+ */
+ public void setPackageId(Long packageIdIn) {
+ packageId = packageIdIn;
+ }
+
+ public String getArch() {
+ return arch;
+ }
+
+ public void setArch(String archIn) {
+ this.arch = archIn;
+ }
+
+ public String getEpoch() {
+ return epoch;
+ }
+
+ public void setEpoch(String epochIn) {
+ this.epoch = epochIn;
+ }
+
+ public String getVersion() {
+ return version;
+ }
+
+ public void setVersion(String versionIn) {
+ this.version = versionIn;
+ }
+
+ public String getRelease() {
+ return release;
+ }
+
+ public void setRelease(String releaseIn) {
+ this.release = releaseIn;
+ }
+
+ public String getType() {
+ return type;
+ }
+
+ public void setType(String typeIn) {
+ this.type = typeIn;
+ }
+
+ public PackageEvr getPackageEVR() {
+ return new PackageEvr(epoch, version, release, type);
+ }
+}
diff --git a/java/code/src/com/suse/oval/cpe/Cpe.java b/java/code/src/com/suse/oval/cpe/Cpe.java
new file mode 100644
index 000000000000..71068621d1c2
--- /dev/null
+++ b/java/code/src/com/suse/oval/cpe/Cpe.java
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.cpe;
+
+import java.util.Objects;
+
+public class Cpe {
+ private static final SimpleCpeParser CPE_PARSER = new SimpleCpeParser();
+ private String vendor;
+ private String product;
+ private String version;
+ private String update;
+
+ /**
+ * Create a CPE with all components set to the empty string ""
+ * */
+ public Cpe() {
+ vendor = "";
+ product = "";
+ version = "";
+ update = "";
+ }
+
+ /**
+ * Gets the vendor value or empty if not set
+ *
+ * @return the vendor value or an empty string if not set
+ * */
+ public String getVendor() {
+ return vendor;
+ }
+
+ void setVendor(String vendorIn) {
+ if (vendorIn != null) {
+ this.vendor = vendorIn;
+ }
+ }
+
+ /**
+ * Gets the product value or empty if not set
+ *
+ * @return the product value or an empty string if not set
+ * */
+ public String getProduct() {
+ return product;
+ }
+
+ void setProduct(String productIn) {
+ if (productIn != null) {
+ this.product = productIn;
+ }
+ }
+
+ /**
+ * Gets the version value or empty if not set
+ *
+ * @return the version value or an empty string if not set
+ * */
+ public String getVersion() {
+ return version;
+ }
+
+ void setVersion(String versionIn) {
+ if (versionIn != null) {
+ this.version = versionIn;
+ }
+ }
+
+ /**
+ * Gets the update value or empty if not set
+ *
+ * @return the update value or an empty string if not set
+ * */
+ public String getUpdate() {
+ return update;
+ }
+
+ void setUpdate(String updateIn) {
+ if (updateIn != null) {
+ this.update = updateIn;
+ }
+ }
+
+ /**
+ * Parse the given Cpe URI string and returns a {@link Cpe} object
+ *
+ * @param cpe the cpe URI to parse
+ * @return a cpe object with all the Cpe information
+ * */
+ public static Cpe parse(String cpe) {
+ return CPE_PARSER.parse(cpe);
+ }
+
+ /**
+ * Converts and returns the Cpe as plain text URI
+ *
+ * @return the cpe as URI
+ * */
+ public String asString() {
+ String cpe = "cpe:/o:" + vendor + ":" + product + ":" + version + ":" + update;
+
+ // Removing trailing colons ':'
+ return cpe.replaceAll(":*$", "");
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ Cpe cpe = (Cpe) o;
+ return Objects.equals(vendor, cpe.vendor) && Objects.equals(product, cpe.product) &&
+ Objects.equals(version, cpe.version) && Objects.equals(update, cpe.update);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(vendor, product, version, update);
+ }
+}
diff --git a/java/code/src/com/suse/oval/cpe/CpeBuilder.java b/java/code/src/com/suse/oval/cpe/CpeBuilder.java
new file mode 100644
index 000000000000..2ff0919d4831
--- /dev/null
+++ b/java/code/src/com/suse/oval/cpe/CpeBuilder.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.cpe;
+
+public final class CpeBuilder {
+ private final Cpe cpe = new Cpe();
+
+ /**
+ * Sets the vendor and returns {@code CpeBuilder} to continue building the {@link Cpe} object
+ *
+ * @param vendor the vendor to set
+ * @return the CpeBuilder to continue building the Cpe object
+ * */
+ public CpeBuilder withVendor(String vendor) {
+ cpe.setVendor(vendor);
+ return this;
+ }
+
+ /**
+ * Sets the product and returns {@code CpeBuilder} to continue building the {@link Cpe} object
+ *
+ * @param product the product to set
+ * @return the CpeBuilder to continue building the Cpe object
+ * */
+ public CpeBuilder withProduct(String product) {
+ cpe.setProduct(product);
+ return this;
+ }
+
+ /**
+ * Sets the version and returns {@code CpeBuilder} to continue building the {@link Cpe} object
+ *
+ * @param version the version to set
+ * @return the CpeBuilder to continue building the Cpe object
+ * */
+ public CpeBuilder withVersion(String version) {
+ cpe.setVersion(version);
+ return this;
+ }
+
+ /**
+ * Sets the update and returns {@code CpeBuilder} to continue building the {@link Cpe} object
+ *
+ * @param update the update value to set
+ * @return the CpeBuilder to continue building the Cpe object
+ * */
+ public CpeBuilder withUpdate(String update) {
+ cpe.setUpdate(update);
+ return this;
+ }
+
+ /**
+ * Builds the {@link Cpe} object
+ *
+ * @return the built cpe
+ * */
+ public Cpe build() {
+ return cpe;
+ }
+}
diff --git a/java/code/src/com/suse/oval/cpe/SimpleCpeParser.java b/java/code/src/com/suse/oval/cpe/SimpleCpeParser.java
new file mode 100644
index 000000000000..c46f25a5bb92
--- /dev/null
+++ b/java/code/src/com/suse/oval/cpe/SimpleCpeParser.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.cpe;
+
+/**
+ * A simple and minimal CPE parser to parse CPE URI bindings included in OVAL files.
+ */
+public class SimpleCpeParser {
+
+
+ /**
+ * CPE Examples:
+ *
+ * CPE: cpe:/o:opensuse:leap:15.4
+ *
+ * PART: o(it's an operating system's CPE)
+ * VENDOR: opensuse(CPE describes a product manufactured by openSUSE)
+ * PRODUCT: leap(The product name is leap)
+ * VERSION: 15.4(The product version is 15.4)
+ *
+ * CPE: cpe:/o:suse:sle_hpc:15:sp4
+ *
+ * PART: o(it's an operating system's CPE)
+ * VENDOR: suse(CPE describes a product manufactured by SUSE)
+ * PRODUCT: sle_hpc(The product name is sle_hpc)
+ * VERSION: 15(The product version is 15)
+ * UPDATE: sp4(The product update is sp4)
+ *
+ * @param cpeURI The raw CPE URI to parse
+ * @return the corresponding {@link Cpe} object of the given {@code cpeURI}
+ */
+ public Cpe parse(String cpeURI) {
+ if (!cpeURI.startsWith("cpe:/o:")) {
+ throw new IllegalArgumentException("CPE is expected to be in URI format and for operating systems");
+ }
+
+ cpeURI = cpeURI.replace("cpe:/o:", "");
+
+ String[] parts = cpeURI.split(":");
+
+ if (parts.length < 3) {
+ throw new IllegalArgumentException("CPE is expected to at least have vendor, product and version");
+ }
+
+ Cpe cpe = new Cpe();
+ cpe.setVendor(parts[0]);
+ cpe.setProduct(parts[1]);
+ cpe.setVersion(parts[2]);
+
+ if (parts.length > 3) {
+ cpe.setUpdate(parts[3]);
+ }
+
+ return cpe;
+ }
+}
diff --git a/java/code/src/com/suse/oval/exceptions/OvalParserException.java b/java/code/src/com/suse/oval/exceptions/OvalParserException.java
new file mode 100755
index 000000000000..679428e80e88
--- /dev/null
+++ b/java/code/src/com/suse/oval/exceptions/OvalParserException.java
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.exceptions;
+
+/**
+ * A runtime exception throne by {@link com.suse.oval.OvalParser} when it encounters errors while parsing an OVAL file
+ * */
+public class OvalParserException extends RuntimeException {
+
+ /**
+ * Constructs a new parser exception with null as its detail message. The cause is not initialized, and may
+ * subsequently be initialized by a call to initCause.
+ * */
+ public OvalParserException() {
+ super();
+ }
+
+ /**
+ * Constructs a new parser exception with the specified detail message.
+ *
+ * @param message the detail message. The detail message is saved for later retrieval by the getMessage() method.
+ * */
+
+ public OvalParserException(String message) {
+ super(message);
+ }
+
+ /**
+ * Constructs a new parser exception with the specified cause.
+ *
+ * @param cause the cause (which is saved for later retrieval by the getCause() method).
+ * */
+ public OvalParserException(Throwable cause) {
+ super(cause);
+ }
+
+ /**
+ * Constructs a new parser exception with the specified detail message and cause.
+ *
+ * @param cause the cause (which is saved for later retrieval by the getCause() method).
+ * @param message the detail message. The detail message is saved for later retrieval by the getMessage() method.
+ * */
+ public OvalParserException(String message, Throwable cause) {
+ super(message, cause);
+ }
+}
diff --git a/java/code/src/com/suse/oval/manager/OVALLookupHelper.java b/java/code/src/com/suse/oval/manager/OVALLookupHelper.java
new file mode 100644
index 000000000000..342baddcc908
--- /dev/null
+++ b/java/code/src/com/suse/oval/manager/OVALLookupHelper.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.manager;
+
+import com.suse.oval.ovaltypes.ObjectType;
+import com.suse.oval.ovaltypes.OvalRootType;
+import com.suse.oval.ovaltypes.StateType;
+import com.suse.oval.ovaltypes.TestType;
+
+import java.util.Optional;
+
+public class OVALLookupHelper {
+ private final OvalStateManager stateManager;
+ private final OvalTestManager testManager;
+ private final OvalObjectManager objectManager;
+
+ /**
+ * Standard constructor
+ *
+ * @param rootType the root to get OVAL resources from
+ * */
+ public OVALLookupHelper(OvalRootType rootType) {
+ this.stateManager = new OvalStateManager(rootType.getStates());
+ this.testManager = new OvalTestManager(rootType.getTests());
+ this.objectManager = new OvalObjectManager(rootType.getObjects());
+ }
+
+ /**
+ * Looks up an OVAL test with an id of {@code testId}
+ *
+ * @param testId the test id to look up
+ * @return the cached {@link TestType} object that correspond to the test id
+ * */
+ public Optional lookupTestById(String testId) {
+ // TODO: testManager#get throws an exception if testId is invalid
+ return Optional.ofNullable(testManager.get(testId));
+ }
+
+ /**
+ * Looks up an OVAL state with an id of {@code stateId}
+ *
+ * @param stateId the object id to look up
+ * @return the cached StateType object that correspond to the state id
+ * */
+ public Optional lookupStateById(String stateId) {
+ return Optional.ofNullable(stateManager.get(stateId));
+ }
+
+ /**
+ * Looks up an OVAL object with an id of {@code objectID}
+ *
+ * @param objectId the object id to look up
+ * @return the cached ObjectType object that correspond to the object id
+ * */
+ public Optional lookupObjectById(String objectId) {
+ return Optional.ofNullable(objectManager.get(objectId));
+ }
+}
diff --git a/java/code/src/com/suse/oval/manager/OvalObjectManager.java b/java/code/src/com/suse/oval/manager/OvalObjectManager.java
new file mode 100755
index 000000000000..d5006711a0ef
--- /dev/null
+++ b/java/code/src/com/suse/oval/manager/OvalObjectManager.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.manager;
+
+import com.suse.oval.ovaltypes.ObjectType;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * A cache for {@link ObjectType} to access OVAL objects quickly
+ */
+public class OvalObjectManager {
+ private final Map objectsMap = new HashMap<>();
+
+ /**
+ * Standard constructor
+ *
+ * @param objects the objects to store and lookup later
+ * */
+ public OvalObjectManager(List objects) {
+ for (ObjectType objectType : objects) {
+ objectsMap.put(objectType.getId(), objectType);
+ }
+ }
+
+ /**
+ * Looks up an OVAL object with an id of {@code objectId}
+ *
+ * @param objectId the object id to look up
+ * @return the cached {@link ObjectType} object that correspond to the object id
+ * */
+ public ObjectType get(String objectId) {
+ ObjectType object = objectsMap.get(objectId);
+ if (object == null) {
+ throw new IllegalArgumentException("The object id is invalid: " + objectId);
+ }
+ return object;
+ }
+ /**
+ * Check if an OVAL object with an id of {@code objectId} exists
+ * */
+ protected boolean exists(String objectId) {
+ return objectsMap.containsKey(objectId);
+ }
+}
diff --git a/java/code/src/com/suse/oval/manager/OvalStateManager.java b/java/code/src/com/suse/oval/manager/OvalStateManager.java
new file mode 100755
index 000000000000..7985dcb155ec
--- /dev/null
+++ b/java/code/src/com/suse/oval/manager/OvalStateManager.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.manager;
+
+import com.suse.oval.ovaltypes.StateType;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * A cache for {@link StateType} to access OVAL states quickly
+ */
+public class OvalStateManager {
+ private final Map statesMap = new HashMap<>();
+
+ /**
+ * Standard constructor
+ *
+ * @param states the states to store and lookup later
+ * */
+ public OvalStateManager(List states) {
+ for (StateType state : states) {
+ statesMap.put(state.getId(), state);
+ }
+ }
+
+ /**
+ * Looks up an OVAL state with an id of {@code stateId} or throws an exception if none is found.
+ *
+ * @param stateId the id of state to lookup
+ * @return the state
+ * */
+ public StateType get(String stateId) {
+ StateType state = statesMap.get(stateId);
+ if (state == null) {
+ throw new IllegalArgumentException("The state id is invalid: " + stateId);
+ }
+ return state;
+ }
+
+ /**
+ * Check if an OVAL state with an id of {@code stateId} exists
+ *
+ * @param stateId the state id to check if exists
+ * @return whether a state with {@code stateId} exist or not
+ * */
+ protected boolean exists(String stateId) {
+ return statesMap.containsKey(stateId);
+ }
+}
diff --git a/java/code/src/com/suse/oval/manager/OvalTestManager.java b/java/code/src/com/suse/oval/manager/OvalTestManager.java
new file mode 100755
index 000000000000..883afad0e9ac
--- /dev/null
+++ b/java/code/src/com/suse/oval/manager/OvalTestManager.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.manager;
+
+
+import com.suse.oval.ovaltypes.TestType;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * A cache for {@link TestType} to access OVAL tests quickly
+ */
+public class OvalTestManager {
+ private final Map testsMap = new HashMap<>();
+
+ /**
+ * Standard constructor
+ *
+ * @param tests the tests to store and lookup later
+ * */
+ public OvalTestManager(List tests) {
+ for (TestType test : tests) {
+ testsMap.put(test.getId(), test);
+ }
+ }
+
+ /**
+ * Looks up an OVAL test with an id of {@code testId} or throws an exception if none is found.
+ *
+ * @param testId the id of test to lookup
+ * @return the test
+ * */
+ public TestType get(String testId) {
+ TestType test = testsMap.get(testId);
+ if (test == null) {
+ throw new IllegalArgumentException("The test id is invalid: " + testId);
+ }
+ return test;
+ }
+
+ /**
+ * Check if an OVAL test with an id of {@code testId} exists
+ *
+ * @param testId the state id to check if exists
+ * @return whether a test with {@code testId} exist or not
+ * */
+ public boolean exists(String testId) {
+ return testsMap.containsKey(testId);
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/Advisory.java b/java/code/src/com/suse/oval/ovaltypes/Advisory.java
new file mode 100644
index 000000000000..2ed4301238ad
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/Advisory.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class Advisory {
+ @XmlElement(name = "affected_cpe_list", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ private AffectedCpeList affectedCpeList;
+
+ @XmlElement(name = "cve", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ private List cveList;
+
+ @XmlElement(name = "affected", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ private AdvisoryAffectedType affected;
+
+ public void setAffectedCpeList(AffectedCpeList affectedCpeListIn) {
+ this.affectedCpeList = affectedCpeListIn;
+ }
+
+ public List getAffectedCpeList() {
+ return Optional.ofNullable(affectedCpeList)
+ .map(AffectedCpeList::getCpeList)
+ .orElse(Collections.emptyList());
+ }
+
+ public List getAffectedComponents() {
+ return Optional.ofNullable(affected).map(AdvisoryAffectedType::getResolution)
+ .map(AdvisoryResolutionType::getAffectedComponents).orElse(Collections.emptyList());
+ }
+
+ public List getCveList() {
+ return Optional.ofNullable(cveList).orElse(Collections.emptyList());
+ }
+
+ public void setCveList(List cveListIn) {
+ this.cveList = cveListIn;
+ }
+
+ public void setAffected(AdvisoryAffectedType affectedIn) {
+ this.affected = affectedIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/AdvisoryAffectedType.java b/java/code/src/com/suse/oval/ovaltypes/AdvisoryAffectedType.java
new file mode 100644
index 000000000000..614dc60236d4
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/AdvisoryAffectedType.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class AdvisoryAffectedType {
+ @XmlElement(name = "resolution", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ private AdvisoryResolutionType resolution;
+
+ /**
+ * Gets the resolution
+ *
+ * @return the resolution
+ * */
+ public AdvisoryResolutionType getResolution() {
+ return resolution;
+ }
+
+ /**
+ * Sets the resolution type
+ *
+ * @param resolutionIn the resolution to set
+ * */
+ public void setResolution(AdvisoryResolutionType resolutionIn) {
+ this.resolution = resolutionIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/AdvisoryCveType.java b/java/code/src/com/suse/oval/ovaltypes/AdvisoryCveType.java
new file mode 100644
index 000000000000..c2eeb45c8760
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/AdvisoryCveType.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.XmlValue;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class AdvisoryCveType {
+ @XmlValue
+ private String cve;
+
+ public String getCve() {
+ return cve;
+ }
+
+ public void setCve(String cveIn) {
+ this.cve = cveIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/AdvisoryResolutionType.java b/java/code/src/com/suse/oval/ovaltypes/AdvisoryResolutionType.java
new file mode 100644
index 000000000000..b1aa806ef4b3
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/AdvisoryResolutionType.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class AdvisoryResolutionType {
+ @XmlElement(name = "component", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ protected List affectedComponents;
+ @XmlAttribute(name = "state", required = true)
+ protected String state;
+
+ public List getAffectedComponents() {
+ return affectedComponents;
+ }
+
+ public void setAffectedComponents(List affectedComponentsIn) {
+ this.affectedComponents = affectedComponentsIn;
+ }
+
+ public String getState() {
+ return state;
+ }
+
+ public void setState(String stateIn) {
+ this.state = stateIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/AffectedCpeList.java b/java/code/src/com/suse/oval/ovaltypes/AffectedCpeList.java
new file mode 100644
index 000000000000..e00656e279b5
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/AffectedCpeList.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class AffectedCpeList {
+ @XmlElement(name = "cpe", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ private List cpeList;
+
+ /**
+ * Gets the list of CPEs
+ *
+ * @return the CPEs or an empty list if none is set
+ * */
+ public List getCpeList() {
+ if (cpeList == null) {
+ return new ArrayList<>();
+ }
+ return cpeList;
+ }
+
+ /**
+ * Sets the CPEs
+ *
+ * @param cpeListIn the CPEs to set
+ * */
+ public void setCpeList(List cpeListIn) {
+ this.cpeList = cpeListIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/ArchType.java b/java/code/src/com/suse/oval/ovaltypes/ArchType.java
new file mode 100755
index 000000000000..8dbc2e840704
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/ArchType.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.XmlValue;
+
+/**
+ * This is the architecture for which the package was built, like : i386, ppc, sparc, noarch.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class ArchType {
+ @XmlValue
+ private String value;
+ @XmlAttribute(name = "operation", required = true)
+ private OperationEnumeration operation;
+
+ public String getValue() {
+ return value;
+ }
+
+ public void setValue(String valueIn) {
+ this.value = valueIn;
+ }
+
+ public OperationEnumeration getOperation() {
+ return operation;
+ }
+
+ public void setOperation(OperationEnumeration operationIn) {
+ this.operation = operationIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/BaseCriteria.java b/java/code/src/com/suse/oval/ovaltypes/BaseCriteria.java
new file mode 100644
index 000000000000..8321c8465024
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/BaseCriteria.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import com.fasterxml.jackson.annotation.JsonSubTypes;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+
+import java.io.Serializable;
+
+@JsonTypeInfo(
+ use = JsonTypeInfo.Id.NAME,
+ property = "type")
+@JsonSubTypes({
+ @JsonSubTypes.Type(value = CriteriaType.class, name = "criteriaType"),
+ @JsonSubTypes.Type(value = CriterionType.class, name = "criterionType")}
+)
+public interface BaseCriteria extends Serializable {
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/CriteriaType.java b/java/code/src/com/suse/oval/ovaltypes/CriteriaType.java
new file mode 100755
index 000000000000..73e8764443b8
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/CriteriaType.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElements;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * The required operator attribute provides the logical operator that binds the different statements inside a criteria
+ * together. The optional negate attribute signifies that the result of the criteria as a whole should be negated
+ * during analysis.
+ *
+ * For example, consider a criteria that evaluates to TRUE if certain software is installed.
+ *
+ * By negating this test, it now evaluates to TRUE if the software is NOT installed. The optional comment attribute
+ * provides a short description of the criteria.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "CriteriaType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class CriteriaType implements BaseCriteria {
+
+ @XmlElements({
+ @XmlElement(name = "criteria",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", type = CriteriaType.class),
+ @XmlElement(name = "criterion",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", type = CriterionType.class)
+ })
+ protected List children;
+ @XmlAttribute(name = "operator")
+ protected LogicOperatorType operator;
+ @XmlAttribute(name = "negate")
+ protected Boolean negate;
+ @XmlAttribute(name = "comment")
+ protected String comment;
+
+ /**
+ * Gets the value of the contained criteria or criterion objects.
+ *
+ * @return the list of criteria or criterion children under this criteria
+ */
+ public List getChildren() {
+ if (children == null) {
+ children = new ArrayList<>();
+ }
+ return this.children;
+ }
+
+ /**
+ * Gets the value of the operator property.
+ *
+ * @return the operator property or {@link LogicOperatorType#AND} if none is specified
+ */
+ public LogicOperatorType getOperator() {
+ if (operator == null) {
+ return LogicOperatorType.AND;
+ }
+ else {
+ return operator;
+ }
+ }
+
+ /**
+ * Sets the value of the operator property.
+ *
+ * @param value the operator property to set
+ */
+ public void setOperator(LogicOperatorType value) {
+ this.operator = value;
+ }
+
+ /**
+ * Gets the value of the negate property.
+ *
+ * @return a boolean that indicates whether to negate result after evaluation or {@code false} if none is specified
+ */
+ public boolean isNegate() {
+ if (negate == null) {
+ return false;
+ }
+ else {
+ return negate;
+ }
+ }
+
+ /**
+ * Sets the value of the negate property.
+ *
+ * @param value a boolean that indicates whether to negate result after evaluation or not
+ */
+ public void setNegate(Boolean value) {
+ this.negate = value;
+ }
+
+ /**
+ * Gets the value of the comment property.
+ *
+ * @return the comment
+ */
+ public String getComment() {
+ return comment;
+ }
+
+ /**
+ * Sets the value of the comment property.
+ *
+ * @param value the comment to set
+ */
+ public void setComment(String value) {
+ this.comment = value;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/CriterionType.java b/java/code/src/com/suse/oval/ovaltypes/CriterionType.java
new file mode 100755
index 000000000000..6065ee42b73f
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/CriterionType.java
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * The required test_ref attribute is the actual id of the test being referenced. The optional negate attribute
+ * signifies that the result of an individual test should be negated during analysis. For example, consider a test
+ * that evaluates to TRUE if a specific patch is installed. By negating this test, it now evaluates to TRUE
+ * if the patch is NOT installed.
+ *
+ * The optional comment attribute provides a short description of the specified test and should mirror the comment
+ * attribute of the actual test.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "CriterionType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class CriterionType implements BaseCriteria {
+
+ @XmlAttribute(name = "test_ref", required = true)
+ protected String testRef;
+ @XmlAttribute(name = "negate")
+ protected Boolean negate;
+ @XmlAttribute(name = "comment")
+ protected String comment;
+
+ /**
+ * Gets the value of the testRef property.
+ * @return testRef
+ */
+ public String getTestRef() {
+ return testRef;
+ }
+
+ /**
+ * Sets the value of the testRef property.
+ * @param value the test id associated with this criterion
+ */
+ public void setTestRef(String value) {
+ this.testRef = value;
+ }
+
+ /**
+ * Gets the value of the negate property.
+ * @return isNegate
+ */
+ public boolean isNegate() {
+ if (negate == null) {
+ return false;
+ }
+ else {
+ return negate;
+ }
+ }
+
+ /**
+ * Sets the value of the negate property.
+ * @param value weather to negate the criterion evaluation or not
+ */
+ public void setNegate(Boolean value) {
+ this.negate = value;
+ }
+
+ /**
+ * Gets the value of the comment property.
+ * @return the comment associated with this criterion
+ */
+ public String getComment() {
+ return comment;
+ }
+
+ /**
+ * Sets the value of the comment property.
+ * @param value the comment to set
+ */
+ public void setComment(String value) {
+ this.comment = value;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/DefinitionClassEnum.java b/java/code/src/com/suse/oval/ovaltypes/DefinitionClassEnum.java
new file mode 100755
index 000000000000..9f0dc24a162a
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/DefinitionClassEnum.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlEnumValue;
+import javax.xml.bind.annotation.XmlType;
+
+
+@XmlType(name = "ClassEnumeration", namespace = "http://oval.mitre.org/XMLSchema/oval-common-5")
+@XmlEnum
+public enum DefinitionClassEnum {
+
+ /**
+ * A patch definition details the machine state of whether a patch executable should be installed.
+ *
+ * A definition of this class will evaluate to true when the specified patch is missing from the system.
+ * Another way of thinking about this is that a patch definition is stating "the patch should be installed if ...".
+ *
+ * Note that word SHOULD is intended to mean more than just CAN the patch executable be installed.
+ * In other words, if a more recent patch is already installed then the specified patch might not need
+ * to be installed.
+ */
+ @XmlEnumValue("patch")
+ PATCH("patch"),
+
+ /**
+ * A vulnerability definition describes the conditions under which a machine is vulnerable.
+ *
+ * A definition of this class will evaluate to true when the system is found to be vulnerable with the stated issue.
+ * Another way of thinking about this is that a vulnerability definition is stating
+ * "the system is vulnerable if ...".
+ */
+ @XmlEnumValue("vulnerability")
+ VULNERABILITY("vulnerability");
+ private final String value;
+
+ DefinitionClassEnum(String v) {
+ value = v;
+ }
+
+ /**
+ * Returns a {@link DefinitionClassEnum} object that correspond to the given definition class string
+ *
+ * @param v the value
+ * @return a {@link DefinitionClassEnum}
+ * */
+ public static DefinitionClassEnum fromValue(String v) {
+ for (DefinitionClassEnum c : DefinitionClassEnum.values()) {
+ if (c.value.equals(v)) {
+ return c;
+ }
+ }
+ throw new IllegalArgumentException(v);
+ }
+
+ /**
+ * Gets the string value
+ *
+ * @return the string value
+ * */
+ public String value() {
+ return value;
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/DefinitionType.java b/java/code/src/com/suse/oval/ovaltypes/DefinitionType.java
new file mode 100755
index 000000000000..79de6daba3ae
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/DefinitionType.java
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import com.suse.oval.OsFamily;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+
+import javax.persistence.Transient;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+
+/**
+ * The required id attribute is the OVAL-ID of the Definition. The form of an OVAL-ID must follow the specific format
+ * described by the oval:DefinitionIDPattern.
+ *
+ * The required version attribute holds the current version of the definition.
+ *
+ * Versions are integers, starting at 1 and incrementing every time a definition is modified. The required class
+ * attribute indicates the specific class to which the definition belongs. The class gives a hint to a user,
+ * so they can know what the definition writer is trying to say. See the definition of oval-def:ClassEnumeration
+ * for more information about the different valid classes.
+ *
+ * The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information
+ * has been kept around for historic purposes.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "definition", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class DefinitionType {
+
+ @XmlElement(name = "metadata", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", required = true)
+ protected MetadataType metadata;
+ @XmlElement(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ protected CriteriaType criteria;
+ @XmlAttribute(name = "id", required = true)
+ protected String id;
+ @XmlAttribute(name = "class", required = true)
+ protected DefinitionClassEnum definitionClass;
+
+ @Transient
+ protected List cves = new ArrayList<>();
+ @Transient
+ protected OsFamily osFamily;
+ @Transient
+ private String osVersion;
+
+ /**
+ * Gets the value of the metadata property.
+ *
+ * @return possible object is
+ * {@link MetadataType }
+ */
+ public MetadataType getMetadata() {
+ return metadata;
+ }
+
+ /**
+ * Sets the value of the metadata property.
+ *
+ * @param value the metadata to set
+ */
+ public void setMetadata(MetadataType value) {
+ this.metadata = value;
+ }
+
+ public CriteriaType getCriteria() {
+ return criteria;
+ }
+
+ public void setCriteria(CriteriaType criteriaIn) {
+ this.criteria = criteriaIn;
+ }
+
+ /**
+ * Gets the value of the id property.
+ * @return the id
+ */
+ public String getId() {
+ return id;
+ }
+
+ /**
+ * Sets the value of the id property.
+ * @param valueIn the id to set
+ */
+ public void setId(String valueIn) {
+ this.id = valueIn;
+ }
+
+ /**
+ * Gets the value of the clazz property.
+ * @return the definition class
+ */
+ public DefinitionClassEnum getDefinitionClass() {
+ return definitionClass;
+ }
+
+ /**
+ * Sets the value of the clazz property.
+ * @param value the definition class to set
+ */
+ public void setDefinitionClass(DefinitionClassEnum value) {
+ this.definitionClass = value;
+ }
+
+ /**
+ * Returns any CVE in the list of associated CVEs. To be called when the caller knows that there is a single CVE
+ * associated with this definition.
+ *
+ * @return the CVE wrapped in an {@code Optional}
+ * */
+ public Optional getSingleCve() {
+ if (cves.isEmpty()) {
+ return Optional.empty();
+ }
+ return cves.stream().findFirst();
+ }
+
+ /**
+ * Clears the list of associated CVEs and add a single CVE.
+ *
+ * @param cve the cve to add
+ * */
+ public void setSingleCve(String cve) {
+ this.cves.clear();
+ this.cves.add(cve);
+ }
+
+ /**
+ * Returns the list of associated CVEs
+ *
+ * @return the list of CVEs
+ * */
+ public List getCves() {
+ return cves;
+ }
+
+ public void setCves(List cvesIn) {
+ this.cves = cvesIn;
+ }
+
+ public OsFamily getOsFamily() {
+ return osFamily;
+ }
+
+ public void setOsFamily(OsFamily osFamilyIn) {
+ this.osFamily = osFamilyIn;
+ }
+
+ public String getOsVersion() {
+ return osVersion;
+ }
+
+ public void setOsVersion(String osVersionIn) {
+ this.osVersion = osVersionIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/DefinitionsType.java b/java/code/src/com/suse/oval/ovaltypes/DefinitionsType.java
new file mode 100755
index 000000000000..4878de5d6d69
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/DefinitionsType.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * The DefinitionsType complex type is a container for one or more definition elements.
+ * Each definition element describes a single OVAL Definition.
+ *
+ * Please refer to the description of the {@link DefinitionType} for more information about an individual definition.
+ *
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "DefinitionsType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class DefinitionsType {
+
+ @XmlElement(name = "definition", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", required = true)
+ protected List definitions;
+
+ /**
+ * Gets the list of definitions
+ *
+ * @return the list of contained OVAL definitions.
+ */
+ public List getDefinitions() {
+ if (definitions == null) {
+ definitions = new ArrayList<>();
+ }
+ return this.definitions;
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/EVRDataTypeEnum.java b/java/code/src/com/suse/oval/ovaltypes/EVRDataTypeEnum.java
new file mode 100755
index 000000000000..53d6c11e59d7
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/EVRDataTypeEnum.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlEnumValue;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlType(namespace = "http://oval.mitre.org/XMLSchema/oval-common-5")
+@XmlEnum
+public enum EVRDataTypeEnum {
+ @XmlEnumValue("debian_evr_string")
+ DEBIAN_EVR,
+ @XmlEnumValue("evr_string")
+ RPM_EVR
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/EVRType.java b/java/code/src/com/suse/oval/ovaltypes/EVRType.java
new file mode 100755
index 000000000000..013e5a6c5c2d
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/EVRType.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.XmlValue;
+
+/**
+ * This represents the epoch, version, and release fields as a single version string.
+ * It has the form "EPOCH:VERSION-RELEASE".
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class EVRType {
+ @XmlValue
+ private String value;
+ @XmlAttribute(name = "datatype")
+ private EVRDataTypeEnum datatype;
+ @XmlAttribute(name = "operation", required = true)
+ private OperationEnumeration operation;
+
+ public String getValue() {
+ return value;
+ }
+
+ public void setValue(String valueIn) {
+ this.value = valueIn;
+ }
+
+ public EVRDataTypeEnum getDatatype() {
+ return datatype;
+ }
+
+ public void setDatatype(EVRDataTypeEnum datatypeIn) {
+ this.datatype = datatypeIn;
+ }
+
+ public OperationEnumeration getOperation() {
+ return operation;
+ }
+
+ public void setOperation(OperationEnumeration operationIn) {
+ this.operation = operationIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/FamilyEnum.java b/java/code/src/com/suse/oval/ovaltypes/FamilyEnum.java
new file mode 100755
index 000000000000..17e7eaec4f07
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/FamilyEnum.java
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlEnumValue;
+import javax.xml.bind.annotation.XmlType;
+
+
+@XmlType(name = "FamilyEnumeration", namespace = "http://oval.mitre.org/XMLSchema/oval-common-5")
+@XmlEnum
+public enum FamilyEnum {
+
+
+ /**
+ * The catos value describes the Cisco CatOS operating system.
+ */
+ @XmlEnumValue("catos")
+ CATOS("catos"),
+
+ /**
+ * The ios value describes the Cisco IOS operating system.
+ */
+ @XmlEnumValue("ios")
+ IOS("ios"),
+
+ /**
+ * The macos value describes the Mac operating system.
+ */
+ @XmlEnumValue("macos")
+ MACOS("macos"),
+
+ /**
+ * The pixos value describes the Cisco PIX operating system.
+ */
+ @XmlEnumValue("pixos")
+ PIXOS("pixos"),
+
+ /**
+ * The undefined value is to be used when the desired family is not available.
+ */
+ @XmlEnumValue("undefined")
+ UNDEFINED("undefined"),
+
+ /**
+ * The unix value describes the UNIX operating system.
+ */
+ @XmlEnumValue("unix")
+ UNIX("unix"),
+
+ /**
+ * The vmware_infrastructure value describes VMWare Infrastructure.
+ */
+ @XmlEnumValue("vmware_infrastructure")
+ VMWARE_INFRASTRUCTURE("vmware_infrastructure"),
+
+ /**
+ * The windows value describes the Microsoft Windows operating system.
+ */
+ @XmlEnumValue("windows")
+ WINDOWS("windows");
+ private final String value;
+
+ FamilyEnum(String v) {
+ value = v;
+ }
+
+ /**
+ * Returns the string value of this OS familty's enum
+ *
+ * @return the string value of OS family
+ * */
+ public String value() {
+ return value;
+ }
+
+ /**
+ * Returns an {@link FamilyEnum} object that correspond to the given OS family string
+ *
+ * @param v the string value
+ * @return an {@link FamilyEnum}
+ * */
+ public static FamilyEnum fromValue(String v) {
+ for (FamilyEnum c: FamilyEnum.values()) {
+ if (c.value.equals(v)) {
+ return c;
+ }
+ }
+ throw new IllegalArgumentException(v);
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/LogicOperatorType.java b/java/code/src/com/suse/oval/ovaltypes/LogicOperatorType.java
new file mode 100755
index 000000000000..72628e308d83
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/LogicOperatorType.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlType(name = "OperatorEnumeration", namespace = "http://oval.mitre.org/XMLSchema/oval-common-5")
+@XmlEnum
+public enum LogicOperatorType {
+
+
+ /**
+ * The AND operator produces a true result if every argument is true. If one or more arguments are false,
+ * the result of the AND is false. If one or more of the arguments are unknown, and if none of the arguments
+ * are false, then the AND operator produces a result of unknown.
+ */
+ AND,
+
+ /**
+ * The ONE operator produces a true result if one and only one argument is true. If there are more than argument
+ * is true (or if there are no true arguments), the result of the ONE is false. If one or more of the arguments
+ * are unknown, then the ONE operator produces a result of unknown.
+ */
+ ONE,
+
+ /**
+ * The OR operator produces a true result if one or more arguments is true. If every argument is false, the result
+ * of the OR is false. If one or more of the arguments are unknown and if none of arguments are true, then the
+ * OR operator produces a result of unknown.
+ */
+ OR,
+
+ /**
+ * XOR is defined to be true if an odd number of its arguments are true, and false otherwise. If any of the
+ * arguments are unknown, then the XOR operator produces a result of unknown.
+ */
+ XOR;
+
+ /**
+ * Gets the string value
+ *
+ * @return the string value
+ * */
+ public String value() {
+ return name();
+ }
+
+ /**
+ * Returns an {@link LogicOperatorType} object that correspond to the given operator string
+ *
+ * @param v the value
+ * @return an {@link LogicOperatorType}
+ * */
+ public static LogicOperatorType fromValue(String v) {
+ return valueOf(v);
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/MetadataType.java b/java/code/src/com/suse/oval/ovaltypes/MetadataType.java
new file mode 100755
index 000000000000..41efdc003ab7
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/MetadataType.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import java.util.Optional;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * Additional metadata is also allowed, although it is not part of the official OVAL Schema.
+ * Individual organizations can place metadata items that they feel are important and these will be skipped during
+ * the validation.
+ *
+ * All OVAL really cares about is that the stated metadata items are there.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "MetadataType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class MetadataType {
+
+ @XmlElement(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", required = true)
+ protected String title;
+ @XmlElement(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", required = true)
+ protected String description;
+ @XmlElement(name = "advisory", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ protected Advisory advisory;
+
+ /**
+ * Gets the value of the title property.
+ *
+ * @return the title
+ */
+ public String getTitle() {
+ return title;
+ }
+
+ /**
+ * Sets the value of the title property.
+ *
+ * @param valueIn the title to set
+ */
+ public void setTitle(String valueIn) {
+ this.title = valueIn;
+ }
+
+ /**
+ * Gets the value of the description property.
+ *
+ * @return the description
+ */
+ public String getDescription() {
+ return description;
+ }
+
+ /**
+ * Sets the value of the description property.
+ *
+ * @param valueIn the description to set
+ */
+ public void setDescription(String valueIn) {
+ this.description = valueIn;
+ }
+
+ public Optional getAdvisory() {
+ return Optional.ofNullable(advisory);
+ }
+
+ public void setAdvisory(Advisory advisoryIn) {
+ this.advisory = advisoryIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/ObjectRefType.java b/java/code/src/com/suse/oval/ovaltypes/ObjectRefType.java
new file mode 100755
index 000000000000..85cd0c91196f
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/ObjectRefType.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * The ObjectRefType defines an object reference to be used by OVAL Tests that are defined in the component schemas.
+ * The required object_ref attribute specifies the id of the OVAL Object being referenced.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ObjectRefType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class ObjectRefType {
+
+ @XmlAttribute(name = "object_ref", required = true)
+ protected String objectRef;
+
+ /**
+ * Gets the value of the objectRef property.
+ *
+ * @return the object id
+ */
+ public String getObjectRef() {
+ return objectRef;
+ }
+
+ /**
+ * Sets the value of the objectRef property.
+ * @param value the object id to set
+ */
+ public void setObjectRef(String value) {
+ this.objectRef = value;
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/ObjectType.java b/java/code/src/com/suse/oval/ovaltypes/ObjectType.java
new file mode 100755
index 000000000000..29be99eada9c
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/ObjectType.java
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import com.suse.oval.ovaltypes.linux.DpkginfoObject;
+import com.suse.oval.ovaltypes.linux.RpminfoObject;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * The required id attribute uniquely identifies each object, and must conform to the format specified by the
+ * ObjectIdPattern simple type. The required version attribute holds the current version of the object element.
+ *
+ * Versions are integers, starting at 1 and incrementing every time an object is modified. The optional comment
+ * attribute provides a short description of the object.
+ *
+ * The optional deprecated attribute signifies that an id is no longer to be used or referenced but the information
+ * has been kept around for historic purposes.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ObjectType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class ObjectType {
+
+ @XmlAttribute(name = "id", required = true)
+ protected String id;
+ @XmlAttribute(name = "comment")
+ protected String comment;
+
+ // These attributes are not specified for the base object type as per the schema; nevertheless,
+ // they have been included since both dpkg and rpm objects have them.
+ @XmlElement(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux")
+ protected String name;
+
+ /**
+ * Gets the value of the id property.
+ *
+ * @return the object id
+ */
+ public String getId() {
+ return id;
+ }
+
+ /**
+ * Sets the value of the id property.
+ *
+ * @param valueIn the object id to set
+ */
+ public void setId(String valueIn) {
+ this.id = valueIn;
+ }
+
+ /**
+ * Gets the value of the comment property.
+ *
+ * @return the comment
+ */
+ public String getComment() {
+ return comment;
+ }
+
+ /**
+ * Sets the value of the comment property.
+ *
+ * @param valueIn the comment value to set
+ */
+ public void setComment(String valueIn) {
+ this.comment = valueIn;
+ }
+
+ /**
+ * Returns the package name.
+ *
+ * @return the package name
+ */
+ public String getPackageName() {
+ return name;
+ }
+
+ public void setPackageName(String nameIn) {
+ this.name = nameIn;
+ }
+
+ public boolean isDpkg() {
+ return this instanceof DpkginfoObject;
+ }
+
+ public boolean isRpm() {
+ return this instanceof RpminfoObject;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/ObjectsType.java b/java/code/src/com/suse/oval/ovaltypes/ObjectsType.java
new file mode 100755
index 000000000000..3de393c5f04e
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/ObjectsType.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import com.suse.oval.ovaltypes.linux.DpkginfoObject;
+import com.suse.oval.ovaltypes.linux.RpminfoObject;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElements;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * The ObjectsType is a container for one or more object child elements.
+ *
+ * Each object element provides details that define a unique set of matching items to be used by an OVAL Test.
+ * Please refer to the description of the object element for more information about an individual object.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ObjectsType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class ObjectsType {
+
+ @XmlElements({
+ @XmlElement(name = "rpminfo_object",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux", type = RpminfoObject.class),
+ @XmlElement(name = "dpkginfo_object",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux", type = DpkginfoObject.class),
+ @XmlElement(name = "object",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", type = ObjectType.class)
+ })
+ protected List objects;
+
+ /**
+ * Gets the list of contained objects.
+ * @return the objects
+ */
+ public List getObjects() {
+ if (objects == null) {
+ objects = new ArrayList<>();
+ }
+ return this.objects;
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/OperationEnumeration.java b/java/code/src/com/suse/oval/ovaltypes/OperationEnumeration.java
new file mode 100755
index 000000000000..6719375df3ed
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/OperationEnumeration.java
@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlEnumValue;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlType(name = "OperationEnumeration", namespace = "http://oval.mitre.org/XMLSchema/oval-common-5")
+@XmlEnum
+public enum OperationEnumeration {
+
+
+ /**
+ * The 'equals' operation returns true if the actual value on the system is equal to the stated entity.
+ * When the specified datatype is a string, this results in a case-sensitive comparison.
+ */
+ @XmlEnumValue("equals")
+ EQUALS("equals"),
+
+ /**
+ * The 'not equal' operation returns true if the actual value on the system is not equal to the stated entity.
+ * When the specified datatype is a string, this results in a case-sensitive comparison.
+ */
+ @XmlEnumValue("not equal")
+ NOT_EQUAL("not equal"),
+
+ /**
+ * The 'case insensitive equals' operation is meant for string data and returns true if the actual value on
+ * the system is equal (using a case insensitive comparison) to the stated entity.
+ */
+ @XmlEnumValue("case insensitive equals")
+ CASE_INSENSITIVE_EQUALS("case insensitive equals"),
+
+ /**
+ * The 'case insensitive not equal' operation is meant for string data and returns true if the actual value on
+ * the system is not equal (using a case insensitive comparison) to the stated entity.
+ */
+ @XmlEnumValue("case insensitive not equal")
+ CASE_INSENSITIVE_NOT_EQUAL("case insensitive not equal"),
+
+ /**
+ * The 'greater than' operation returns true if the actual value on the system is greater than the stated entity.
+ */
+ @XmlEnumValue("greater than")
+ GREATER_THAN("greater than"),
+
+ /**
+ * The 'less than' operation returns true if the actual value on the system is less than the stated entity.
+ */
+ @XmlEnumValue("less than")
+ LESS_THAN("less than"),
+
+ /**
+ * The 'greater than or equal' operation returns true if the actual value on the system is greater than or equal
+ * to the stated entity.
+ */
+ @XmlEnumValue("greater than or equal")
+ GREATER_THAN_OR_EQUAL("greater than or equal"),
+
+ /**
+ * The 'less than or equal' operation returns true if the actual value on the system is less than or
+ * equal to the stated entity.
+ */
+ @XmlEnumValue("less than or equal")
+ LESS_THAN_OR_EQUAL("less than or equal"),
+
+ /**
+ * The 'bitwise and' operation is used to determine if a specific bit is set. It returns true if performing
+ * a BITWISE AND with the binary representation of the stated entity against the binary representation of
+ * the actual value on the system results in a binary value that is equal to the binary representation of the
+ * stated entity.
+ *
+ * For example, assuming a datatype of 'int', if the actual integer value of the setting on your machine is
+ * 6 (same as 0110 in binary), then performing a 'bitwise and' with the stated integer 4 (0100) returns 4 (0100).
+ *
+ * Since the result is the same as the state mask, then the test returns true. If the actual value on your machine
+ * is 1 (0001), then the 'bitwise and' with the stated integer 4 (0100) returns 0 (0000). Since the result is not
+ * the same as the stated mask, then the test fails.
+ */
+ @XmlEnumValue("bitwise and")
+ BITWISE_AND("bitwise and"),
+
+ /**
+ * The 'bitwise or' operation is used to determine if a specific bit is not set. It returns true if performing
+ * a BITWISE OR with the binary representation of the stated entity against the binary representation of the actual
+ * value on the system results in a binary value that is equal to the binary representation of the stated entity.
+ *
+ * For example, assuming a datatype of 'int', if the actual integer value of the setting on your machine
+ * is 6 (same as 0110 in binary), then performing a 'bitwise or' with the stated integer 14 (1110)
+ * returns 14 (1110).
+ *
+ * Since the result is the same as the state mask, then the test returns true. If the actual value on your machine
+ * is 1 (0001), then the 'bitwise or' with the stated integer 14 (1110) returns 15 (1111). Since the result is not
+ * the same as the stated mask, then the test fails.
+ */
+ @XmlEnumValue("bitwise or")
+ BITWISE_OR("bitwise or"),
+
+ /**
+ * The 'pattern match' operation allows an item to be tested against a regular expression.
+ *
+ * When used by an entity in an OVAL Object, the regular expression represents the unique set of matching items
+ * on the system. OVAL supports a common subset of the regular expression character classes, operations, expressions
+ * and other lexical tokens defined within Perl 5's regular expression specification. For more information on
+ * the supported regular expression syntax in OVAL see: http://oval.mitre.org/language/about/re_support_5.6.html
+ */
+ @XmlEnumValue("pattern match")
+ PATTERN_MATCH("pattern match"),
+
+ /**
+ * The 'subset of' operation returns true if the actual set on the system is a subset of the set defined
+ * by the stated entity.
+ */
+ @XmlEnumValue("subset of")
+ SUBSET_OF("subset of"),
+
+ /**
+ * The 'superset of' operation returns true if the actual set on the system is a superset of the set defined
+ * by the stated entity.
+ */
+ @XmlEnumValue("superset of")
+ SUPERSET_OF("superset of");
+ private final String value;
+
+ OperationEnumeration(String v) {
+ value = v;
+ }
+
+ /**
+ * Gets the string value
+ *
+ * @return the string value
+ * */
+ public String value() {
+ return value;
+ }
+
+ /**
+ * Returns an {@link OperationEnumeration} object that correspond to the given operation string
+ *
+ * @param v the value
+ * @return an {@link OperationEnumeration}
+ * */
+ public static OperationEnumeration fromValue(String v) {
+ for (OperationEnumeration c: OperationEnumeration.values()) {
+ if (c.value.equals(v)) {
+ return c;
+ }
+ }
+ throw new IllegalArgumentException(v);
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/OvalRootType.java b/java/code/src/com/suse/oval/ovaltypes/OvalRootType.java
new file mode 100755
index 000000000000..78549984e3e7
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/OvalRootType.java
@@ -0,0 +1,145 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import com.suse.oval.OsFamily;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+
+import javax.persistence.Transient;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "")
+@XmlRootElement(name = "oval_definitions", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class OvalRootType {
+
+ @XmlElement(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ protected DefinitionsType definitions;
+ @XmlElement(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ protected TestsType tests;
+ @XmlElement(name = "objects", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ protected ObjectsType objects;
+ @XmlElement(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+ protected StatesType states;
+ @Transient
+ protected OsFamily osFamily;
+ @Transient
+ protected String osVersion;
+
+ /**
+ * Gets the list of OVAL definitions.
+ *
+ * @return the list of associated OVAL definitions
+ */
+ public List getDefinitions() {
+ if (definitions == null) {
+ return new ArrayList<>();
+ }
+ else {
+ return definitions.getDefinitions();
+ }
+ }
+
+ /**
+ * Sets the list of OVAL definitions.
+ *
+ * @param value the definitions to set
+ */
+ public void setDefinitions(List value) {
+ this.definitions = new DefinitionsType();
+ this.definitions.definitions = new ArrayList<>(value);
+ }
+
+ /**
+ * Gets the list of OVAL tests.
+ *
+ * @return the list of associated OVAL tests
+ */
+ public List getTests() {
+ return Optional.ofNullable(tests).map(TestsType::getTests).orElse(new ArrayList<>());
+ }
+
+ /**
+ * Sets the list of OVAL tests.
+ *
+ * @param value the tests to set
+ */
+ public void setTests(List value) {
+ this.tests = new TestsType();
+ this.tests.tests = new ArrayList<>(value);
+ }
+
+ /**
+ * Gets the list of OVAL objects.
+ *
+ * @return the list of associated OVAL objects
+ */
+ public List getObjects() {
+ return Optional.ofNullable(objects).map(ObjectsType::getObjects).orElse(new ArrayList<>());
+ }
+
+ /**
+ * Sets the list of OVAL objects.
+ *
+ * @param value the objects to set
+ */
+ public void setObjects(List value) {
+ this.objects = new ObjectsType();
+ this.objects.objects = new ArrayList<>(value);
+ }
+
+ /**
+ * Gets the list of OVAL states.
+ *
+ * @return the list of associated OVAL states
+ */
+ public List getStates() {
+ return Optional.ofNullable(states).map(StatesType::getStates).orElse(new ArrayList<>());
+ }
+
+ /**
+ * Sets the list of OVAL states.
+ *
+ * @param value the OVAL states to set
+ */
+ public void setStates(List value) {
+ this.states = new StatesType();
+ this.states.states = new ArrayList<>(value);
+ }
+
+ public OsFamily getOsFamily() {
+ return osFamily;
+ }
+
+ public void setOsFamily(OsFamily osFamilyIn) {
+ this.osFamily = osFamilyIn;
+ }
+
+ public String getOsVersion() {
+ return osVersion;
+ }
+
+ public void setOsVersion(String osVersionIn) {
+ this.osVersion = osVersionIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/StateRefType.java b/java/code/src/com/suse/oval/ovaltypes/StateRefType.java
new file mode 100755
index 000000000000..e5c8a327c101
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/StateRefType.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * The StateRefType defines a state reference to be used by OVAL Tests that are defined in the component schemas.
+ * The required state_ref attribute specifies the id of the OVAL State being referenced.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "StateRefType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class StateRefType {
+
+ @XmlAttribute(name = "state_ref", required = true)
+ protected String stateRef;
+
+ /**
+ * Gets the value of the stateRef property.
+ *
+ * @return the contained state id
+ */
+ public String getStateRef() {
+ return stateRef;
+ }
+
+ /**
+ * Sets the value of the stateRef property.
+ * @param value the state id
+ */
+ public void setStateRef(String value) {
+ this.stateRef = value;
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/StateType.java b/java/code/src/com/suse/oval/ovaltypes/StateType.java
new file mode 100755
index 000000000000..a1d42b9e5754
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/StateType.java
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import java.util.Optional;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * When evaluating a particular state against an object, one should evaluate each individual entity separately.
+ * The individual results are then combined by the operator to produce an overall result.
+ *
+ * This process holds true even when there are multiple instances of the same entity. Evaluate each instance separately,
+ * taking the entity check attribute into account, and then combine everything using the operator.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "StateType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class StateType {
+
+ @XmlAttribute(name = "id", required = true)
+ protected String id;
+ @XmlAttribute(name = "operator")
+ protected LogicOperatorType operator;
+ @XmlAttribute(name = "comment")
+ protected String comment;
+ @XmlElement(name = "evr", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux")
+ protected EVRType packageEVR;
+ @XmlElement(name = "arch", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux")
+ protected ArchType packageArch;
+ @XmlElement(name = "version", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux")
+ protected VersionType packageVersion;
+
+ /**
+ * Gets the value of the id property.
+ *
+ * @return the state id
+ */
+ public String getId() {
+ return id;
+ }
+
+ /**
+ * Sets the value of the id property.
+ *
+ * @param value the state id
+ */
+ public void setId(String value) {
+ this.id = value;
+ }
+
+ /**
+ * Gets the value of the operator property.
+ *
+ * @return the operator
+ */
+ public LogicOperatorType getOperator() {
+ if (operator == null) {
+ return LogicOperatorType.AND;
+ }
+ else {
+ return operator;
+ }
+ }
+
+ /**
+ * Sets the value of the operator property.
+ *
+ * @param value the operator
+ */
+ public void setOperator(LogicOperatorType value) {
+ this.operator = value;
+ }
+
+ /**
+ * Gets the value of the comment property.
+ *
+ * @return the comment associated with this state
+ */
+ public String getComment() {
+ return comment;
+ }
+
+ /**
+ * Sets the value of the comment property.
+ *
+ * @param value the comment value to set
+ */
+ public void setComment(String value) {
+ this.comment = value;
+ }
+
+ public Optional getPackageEVR() {
+ return Optional.ofNullable(packageEVR);
+ }
+
+ public void setPackageEVR(EVRType packageEVRIn) {
+ this.packageEVR = packageEVRIn;
+ }
+
+ public Optional getPackageArch() {
+ return Optional.ofNullable(packageArch);
+ }
+
+ public void setPackageArch(ArchType packageArchIn) {
+ this.packageArch = packageArchIn;
+ }
+
+ public Optional getPackageVersion() {
+ return Optional.ofNullable(packageVersion);
+ }
+
+ public void setPackageVersion(VersionType packageVersionIn) {
+ this.packageVersion = packageVersionIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/StatesType.java b/java/code/src/com/suse/oval/ovaltypes/StatesType.java
new file mode 100755
index 000000000000..031ea7bb5cbe
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/StatesType.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import com.suse.oval.ovaltypes.linux.DpkginfoState;
+import com.suse.oval.ovaltypes.linux.RpminfoState;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElements;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * The StatesType is a container for one or more state child elements.
+ * Each state provides details about specific characteristics that can be used during an evaluation of an object.
+ *
+ * Please refer to the description of the state element for more information about an individual state.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "StatesType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class StatesType {
+
+ @XmlElements({
+ @XmlElement(name = "rpminfo_state",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux", type = RpminfoState.class),
+ @XmlElement(name = "dpkginfo_state",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux", type = DpkginfoState.class),
+ @XmlElement(name = "state",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", type = StateType.class)
+ })
+ protected List states;
+
+ /**
+ * Gets the contained states.
+ * @return the states
+ */
+ public List getStates() {
+ if (states == null) {
+ states = new ArrayList<>();
+ }
+ return this.states;
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/TestType.java b/java/code/src/com/suse/oval/ovaltypes/TestType.java
new file mode 100755
index 000000000000..602a564adea7
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/TestType.java
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import java.util.List;
+import java.util.Optional;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * The optional state_operator attribute provides the logical operator that combines the evaluation results from
+ * each referenced state on a per item basis. Each matching item is compared to each referenced state.
+ *
+ * The result of comparing each state to a single item is combined based on the specified state_operator value to
+ * determine one result for each item. Finally, the results for each item are combined based on the specified
+ * check value.
+ *
+ * Note that if the test does not contain any references to OVAL States, then the state_operator attribute has no
+ * meaning and can be ignored during evaluation.
+ *
+ * Referencing multiple states in one test allows ranges of possible values to be expressed. For example, one state
+ * can check that a value greater than 8 is found and another state can check that a value of less than 16 is found.
+ * In this example the referenced states are combined with a state_operator = 'AND' indicating that the conditions
+ * of all referenced states must be satisfied and that the value must be between 8 AND 16. The valid state_operation
+ * values are explained in the description of the OperatorEnumeration simple type.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "TestType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class TestType {
+
+ @XmlAttribute(name = "id", required = true)
+ protected String id;
+ @XmlAttribute(name = "comment", required = true)
+ protected String comment;
+
+ /**
+ * These attributes are not specified for the base test type as per the schema; nevertheless, it has been included
+ * since both dpkg and rpm test types have it.
+ */
+ @XmlElement(namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux", required = true)
+ protected ObjectRefType object;
+ @XmlElement(name = "state", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux")
+ protected List states;
+
+ /**
+ * Gets the value of the id property.
+ *
+ * @return the test's id
+ */
+ public String getId() {
+ return id;
+ }
+
+ /**
+ * Sets the value of the id property.
+ *
+ * @param valueIn the test id to set
+ */
+ public void setId(String valueIn) {
+ this.id = valueIn;
+ }
+
+ /**
+ * Gets the value of the comment property.
+ *
+ * @return the comment value
+ */
+ public String getComment() {
+ return comment;
+ }
+
+ /**
+ * Sets the value of the comment property.
+ *
+ * @param valueIn the comment value to set
+ */
+ public void setComment(String valueIn) {
+ this.comment = valueIn;
+ }
+
+ /**
+ * Gets the value of the object property.
+ *
+ * @return the id of the object associated with this test
+ */
+ public String getObjectRef() {
+ if (object == null) {
+ throw new IllegalStateException("Objects cannot be null");
+ }
+ return object.objectRef;
+ }
+
+ /**
+ * Sets the value of the object property.
+ * @param valueIn the object id to set
+ */
+ public void setObjectRef(String valueIn) {
+ ObjectRefType refType = new ObjectRefType();
+ refType.setObjectRef(valueIn);
+ this.object = refType;
+ }
+
+ /**
+ * Gets the value of the state property.
+ *
+ * NOTE: Although the OVAL specs says that an OVAL test could have 0 or more states but for the OVAL files that
+ * we are consuming, is always 0 or 1 state hence an {@code Optional} is used.
+ *
+ * @return an {@link Optional} that may or may not contain a state reference
+ */
+ public Optional getStateRef() {
+ if (this.states == null) {
+ return Optional.empty();
+ }
+ else if (this.states.size() == 1) {
+ return Optional.ofNullable(states.get(0).getStateRef());
+ }
+ else {
+ throw new IllegalStateException("Each test is expected to have 0 or 1 state");
+ }
+ }
+
+ public void setStates(List statesIn) {
+ this.states = statesIn;
+ }
+
+ /**
+ * Sets the associated state id
+ *
+ * @param valueIn the state id to set
+ * */
+ public void setStateRef(String valueIn) {
+ states.clear();
+ StateRefType stateRef = new StateRefType();
+ stateRef.setStateRef(valueIn);
+ states.add(stateRef);
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/TestsType.java b/java/code/src/com/suse/oval/ovaltypes/TestsType.java
new file mode 100755
index 000000000000..874b3e49c70c
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/TestsType.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import com.suse.oval.ovaltypes.linux.DpkginfoTest;
+import com.suse.oval.ovaltypes.linux.RpminfoTest;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElements;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * The TestsType complex type is a container for one or more test child elements.
+ *
+ * Each test element describes a single OVAL Test. Please refer to the description of the TestType for more information
+ * about an individual test.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "TestsType", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class TestsType {
+
+ @XmlElements({
+ @XmlElement(name = "rpminfo_test",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux", type = RpminfoTest.class),
+ @XmlElement(name = "dpkginfo_test",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux", type = DpkginfoTest.class),
+ @XmlElement(name = "test",
+ namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5", type = TestType.class)
+ })
+ protected List tests;
+
+ /**
+ * Gets the value of the contained tests.
+ *
+ * @return the list of contained tests
+ */
+ public List getTests() {
+ if (tests == null) {
+ tests = new ArrayList<>();
+ }
+ return this.tests;
+ }
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/VersionType.java b/java/code/src/com/suse/oval/ovaltypes/VersionType.java
new file mode 100755
index 000000000000..41fa03c4b77b
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/VersionType.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.XmlValue;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "", namespace = "http://oval.mitre.org/XMLSchema/oval-definitions-5")
+public class VersionType {
+ @XmlValue
+ private String value;
+ @XmlAttribute(name = "operation", required = true)
+ private OperationEnumeration operation;
+
+ public String getValue() {
+ return value;
+ }
+
+ public void setValue(String valueIn) {
+ this.value = valueIn;
+ }
+
+ public OperationEnumeration getOperation() {
+ return operation;
+ }
+
+ public void setOperation(OperationEnumeration operationIn) {
+ this.operation = operationIn;
+ }
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoObject.java b/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoObject.java
new file mode 100755
index 000000000000..da371e9c1961
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoObject.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes.linux;
+
+import com.suse.oval.ovaltypes.ObjectType;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * A dpkginfo object consists of a single name entity that identifies the package being checked.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "dpkginfo_object")
+public class DpkginfoObject extends ObjectType {
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoState.java b/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoState.java
new file mode 100755
index 000000000000..56b358a4e334
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoState.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes.linux;
+
+
+import com.suse.oval.ovaltypes.StateType;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ *
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "dpkginfo_state")
+public class DpkginfoState extends StateType {
+
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoTest.java b/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoTest.java
new file mode 100755
index 000000000000..2c750cf4fe7a
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/linux/DpkginfoTest.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes.linux;
+
+import com.suse.oval.ovaltypes.TestType;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ *
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "dpkginfo_test")
+public class DpkginfoTest extends TestType {
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoObject.java b/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoObject.java
new file mode 100755
index 000000000000..638c7ce89852
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoObject.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes.linux;
+
+import com.suse.oval.ovaltypes.ObjectType;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * A rpm info object consists of a single name entity that identifies the package being checked.
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "rpminfo_object")
+public class RpminfoObject extends ObjectType {
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoState.java b/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoState.java
new file mode 100755
index 000000000000..2a05f9c3ecb0
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoState.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes.linux;
+
+
+import com.suse.oval.ovaltypes.StateType;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "rpminfo_state")
+public class RpminfoState extends StateType {
+}
diff --git a/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoTest.java b/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoTest.java
new file mode 100755
index 000000000000..fbc9593cd4ba
--- /dev/null
+++ b/java/code/src/com/suse/oval/ovaltypes/linux/RpminfoTest.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.ovaltypes.linux;
+
+import com.suse.oval.ovaltypes.TestType;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ *
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "rpminfo_test")
+public class RpminfoTest extends TestType {
+
+}
diff --git a/java/code/src/com/suse/oval/vulnerablepkgextractor/CriteriaTreeBasedExtractor.java b/java/code/src/com/suse/oval/vulnerablepkgextractor/CriteriaTreeBasedExtractor.java
new file mode 100644
index 000000000000..9a8de93334bc
--- /dev/null
+++ b/java/code/src/com/suse/oval/vulnerablepkgextractor/CriteriaTreeBasedExtractor.java
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.vulnerablepkgextractor;
+
+import com.suse.oval.ovaltypes.BaseCriteria;
+import com.suse.oval.ovaltypes.CriteriaType;
+import com.suse.oval.ovaltypes.CriterionType;
+import com.suse.oval.ovaltypes.DefinitionType;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * An abstract implementation that provides utility methods to extract vulnerable package information from
+ * OVAL criteria trees
+ */
+public abstract class CriteriaTreeBasedExtractor implements VulnerablePackagesExtractor {
+ protected final DefinitionType definition;
+ protected final CriteriaType criteriaRoot;
+
+ protected CriteriaTreeBasedExtractor(DefinitionType definitionIn) {
+ assertDefinitionIsValid(definitionIn);
+
+ this.definition = definitionIn;
+ this.criteriaRoot = definitionIn.getCriteria();
+ }
+
+ protected abstract List extractItem(BaseCriteria criteriaType);
+
+ /**
+ * Tests whether the extractor can extract package vulnerability information from the given criteria node or not
+ */
+ protected abstract boolean test(BaseCriteria criteria);
+
+ /**
+ * Walk the criteria tree and extact product vulnerable packages based on the implementation of
+ * {@code test()} and {@code extractItem()}
+ *
+ * @return a list of ProductVulnerablePackages. It's a list because an OVAL definition could encapsulate
+ * vulnerability information for multiple products. In that case, each item in the returned list gives the list of
+ * vulnerable packages for one product.
+ * */
+ public final List extract() {
+ List matchedCriteriaList = walkCriteriaTree();
+
+ return matchedCriteriaList.stream().map(this::extractItem)
+ .flatMap(Collection::stream)
+ .collect(Collectors.toList());
+ }
+
+ /**
+ * A helper method to recursively collect the children criterions contained at most {@code maxNestingLevel} levels
+ * inside the given {@code criteria} or returns the actual {@code criteria} if it's of type {@link CriterionType}
+ *
+ * @param criteria the criteria to collect criterions from
+ * @param maxNestingLevel the maximum level to reach when recursively collecting criterions
+ * @return the list of criterions inside {@code criteria}
+ * */
+ public List collectCriterions(BaseCriteria criteria, int maxNestingLevel) {
+ List result = new ArrayList<>();
+
+ collectCriterionsHelper(criteria, 0, maxNestingLevel, result);
+
+ return result;
+ }
+
+ /**
+ * A helper method to collect the children criterions contained directly inside the given {@code criteria}
+ * or returns the actual {@code criteria} if it's of type {@link CriterionType}
+ *
+ * @param criteria the criteria to collect criterions from
+ * @return the list of criterions inside {@code criteria}
+ * */
+ public List collectCriterions(BaseCriteria criteria) {
+ return collectCriterions(criteria, 0);
+ }
+
+ private void collectCriterionsHelper(BaseCriteria criteria, int currentLevel, int maxNestingLevel,
+ List criterions) {
+ if (criteria instanceof CriterionType) {
+ criterions.add((CriterionType) criteria);
+ }
+ else {
+ if (currentLevel > maxNestingLevel) {
+ return;
+ }
+ for (BaseCriteria child : ((CriteriaType) (criteria)).getChildren()) {
+ collectCriterionsHelper(child, currentLevel + 1, maxNestingLevel, criterions);
+ }
+ }
+ }
+
+ private List walkCriteriaTree() {
+ List matches = new ArrayList<>();
+
+ walkCriteriaTreeHelper(criteriaRoot, matches);
+
+ return matches;
+ }
+
+ private void walkCriteriaTreeHelper(BaseCriteria criteria, List matches) {
+ if (criteria == null) {
+ return;
+ }
+ else if (test(criteria)) {
+ matches.add(criteria);
+ }
+ if (criteria instanceof CriteriaType) {
+ for (BaseCriteria childCriteria : ((CriteriaType) criteria).getChildren()) {
+ walkCriteriaTreeHelper(childCriteria, matches);
+ }
+ }
+ }
+
+ @Override
+ public void assertDefinitionIsValid(DefinitionType definitionIn) {
+ assert definitionIn != null;
+ assert definitionIn.getCriteria() != null;
+ }
+}
diff --git a/java/code/src/com/suse/oval/vulnerablepkgextractor/DebianVulnerablePackagesExtractor.java b/java/code/src/com/suse/oval/vulnerablepkgextractor/DebianVulnerablePackagesExtractor.java
new file mode 100644
index 000000000000..23c419719693
--- /dev/null
+++ b/java/code/src/com/suse/oval/vulnerablepkgextractor/DebianVulnerablePackagesExtractor.java
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.vulnerablepkgextractor;
+
+import com.suse.oval.OsFamily;
+import com.suse.oval.cpe.Cpe;
+import com.suse.oval.cpe.CpeBuilder;
+import com.suse.oval.ovaltypes.BaseCriteria;
+import com.suse.oval.ovaltypes.CriterionType;
+import com.suse.oval.ovaltypes.DefinitionClassEnum;
+import com.suse.oval.ovaltypes.DefinitionType;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Vulnerable package extractor for OVALs from: Debian OVAL
+ * */
+public class DebianVulnerablePackagesExtractor extends CriteriaTreeBasedExtractor {
+ private static final Logger LOG = LogManager.getLogger(DebianVulnerablePackagesExtractor.class);
+ private static final Pattern DEBIAN_PACKAGE_REGEX = Pattern
+ .compile("(?\\S+) DPKG is earlier than (?.*)");
+
+ /**
+ * Standard constructor
+ *
+ * @param vulnerabilityDefinition the vulnerability definition to extract vulnerable packages from
+ * */
+ public DebianVulnerablePackagesExtractor(DefinitionType vulnerabilityDefinition) {
+ super(vulnerabilityDefinition);
+ }
+
+ @Override
+ protected List extractItem(BaseCriteria criteria) {
+ CriterionType criterionType = (CriterionType) criteria;
+
+ Matcher matcher = DEBIAN_PACKAGE_REGEX.matcher(criterionType.getComment());
+
+ // Although we know the comment matches the regex (see test()), we need to call matches() otherwise
+ // Matcher#group throws an exception
+ matcher.matches();
+
+ if (matcher.groupCount() != 2) {
+ return Collections.emptyList();
+ }
+
+ String packageName = matcher.group("packageName");
+ String evr = matcher.group("evr");
+
+ VulnerablePackage vulnerablePackage = new VulnerablePackage();
+ vulnerablePackage.setName(packageName);
+ if ("0".equals(evr)) {
+ // Affected/unpatched package
+ vulnerablePackage.setFixVersion(null);
+ }
+ else {
+ vulnerablePackage.setFixVersion(evr);
+ }
+
+ ProductVulnerablePackages productVulnerablePackages = new ProductVulnerablePackages();
+ productVulnerablePackages.setProductCpe(deriveCpe().asString());
+ productVulnerablePackages.setVulnerablePackages(List.of(vulnerablePackage));
+ productVulnerablePackages.setSingleCve(definition.getSingleCve().orElseThrow());
+
+ return List.of(productVulnerablePackages);
+ }
+
+ private Cpe deriveCpe() {
+ String osVersion = definition.getOsVersion();
+
+ return new CpeBuilder()
+ .withVendor("debian")
+ .withProduct("debian_linux")
+ .withVersion(osVersion)
+ .build();
+ }
+
+ @Override
+ protected boolean test(BaseCriteria criteria) {
+ if (!(criteria instanceof CriterionType)) {
+ return false;
+ }
+
+ CriterionType criterionType = (CriterionType) criteria;
+ return DEBIAN_PACKAGE_REGEX.asMatchPredicate().test(criterionType.getComment());
+ }
+
+ @Override
+ public void assertDefinitionIsValid(DefinitionType definitionIn) {
+ super.assertDefinitionIsValid(definitionIn);
+
+ assert definitionIn.getOsFamily() == OsFamily.DEBIAN;
+ assert definitionIn.getDefinitionClass() == DefinitionClassEnum.VULNERABILITY;
+ }
+}
diff --git a/java/code/src/com/suse/oval/vulnerablepkgextractor/ProductVulnerablePackages.java b/java/code/src/com/suse/oval/vulnerablepkgextractor/ProductVulnerablePackages.java
new file mode 100644
index 000000000000..682d93e20b5f
--- /dev/null
+++ b/java/code/src/com/suse/oval/vulnerablepkgextractor/ProductVulnerablePackages.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.vulnerablepkgextractor;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * This class encapsulates information about a product, a cve and the packages that made the product
+ * vulnerable to the cve
+ */
+public class ProductVulnerablePackages {
+ private List cves = new ArrayList<>();
+ private String productCpe;
+ private final List vulnerablePackages = new ArrayList<>();
+ private String productUserFriendlyName;
+
+ public String getProductCpe() {
+ return productCpe;
+ }
+
+ public void setProductCpe(String productCpeIn) {
+ this.productCpe = productCpeIn;
+ }
+
+ public List getVulnerablePackages() {
+ return vulnerablePackages;
+ }
+
+ /**
+ * Sets the list of vulnerable packages
+ *
+ * @param vulnerablePackagesIn the list of vulnerable packages
+ * */
+ public void setVulnerablePackages(List vulnerablePackagesIn) {
+ this.vulnerablePackages.clear();
+ this.vulnerablePackages.addAll(vulnerablePackagesIn);
+ }
+
+ public List getCves() {
+ return cves;
+ }
+
+ public void setCves(List cvesIn) {
+ this.cves = cvesIn;
+ }
+
+ /**
+ * Clears the list of relevant CVEs and adds a single CVE
+ *
+ * @param cve the cve to add
+ */
+ public void setSingleCve(String cve) {
+ this.cves.clear();
+ cves.add(cve);
+ }
+
+ public void setProductUserFriendlyName(String product) {
+ this.productUserFriendlyName = product;
+ }
+
+ public String getProductUserFriendlyName() {
+ return productUserFriendlyName;
+ }
+}
diff --git a/java/code/src/com/suse/oval/vulnerablepkgextractor/SUSEVulnerablePackageExtractor.java b/java/code/src/com/suse/oval/vulnerablepkgextractor/SUSEVulnerablePackageExtractor.java
new file mode 100644
index 000000000000..9c138dd752c4
--- /dev/null
+++ b/java/code/src/com/suse/oval/vulnerablepkgextractor/SUSEVulnerablePackageExtractor.java
@@ -0,0 +1,243 @@
+/*
+ * Copyright (c) 2023 SUSE LLC
+ *
+ * This software is licensed to you under the GNU General Public License,
+ * version 2 (GPLv2). There is NO WARRANTY for this software, express or
+ * implied, including the implied warranties of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+ * along with this software; if not, see
+ * http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+ *
+ * Red Hat trademarks are not licensed under GPLv2. No permission is
+ * granted to use or replicate Red Hat trademarks that are incorporated
+ * in this software or its documentation.
+ */
+
+package com.suse.oval.vulnerablepkgextractor;
+
+import com.suse.oval.OsFamily;
+import com.suse.oval.cpe.Cpe;
+import com.suse.oval.cpe.CpeBuilder;
+import com.suse.oval.manager.OVALLookupHelper;
+import com.suse.oval.ovaltypes.BaseCriteria;
+import com.suse.oval.ovaltypes.CriteriaType;
+import com.suse.oval.ovaltypes.CriterionType;
+import com.suse.oval.ovaltypes.DefinitionClassEnum;
+import com.suse.oval.ovaltypes.DefinitionType;
+import com.suse.oval.ovaltypes.EVRType;
+import com.suse.oval.ovaltypes.LogicOperatorType;
+import com.suse.oval.ovaltypes.ObjectType;
+import com.suse.oval.ovaltypes.StateType;
+import com.suse.oval.ovaltypes.TestType;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+
+/**
+ * Vulnerable package extractor for OVALs
+ * from: SUSE OVAL
+ */
+public class SUSEVulnerablePackageExtractor extends CriteriaTreeBasedExtractor {
+ private static final Pattern RELEASE_PACKAGE_REGEX = Pattern.compile(
+ "^\\s*(?[-a-zA-Z_]+)\\s*.*==(?[0-9.]+)\\s*$");
+ private static final Logger LOG = LogManager.getLogger(SUSEVulnerablePackageExtractor.class);
+ private final OVALLookupHelper ovalLookupHelper;
+
+ /**
+ * Standard constructor
+ *
+ * @param vulnerabilityDefinitionIn the vulnerability definition to extract vulnerable packages from
+ * @param ovalLookupHelperIn the oval lookup helper
+ * */
+ public SUSEVulnerablePackageExtractor(DefinitionType vulnerabilityDefinitionIn,
+ OVALLookupHelper ovalLookupHelperIn) {
+ super(vulnerabilityDefinitionIn);
+ Objects.requireNonNull(ovalLookupHelperIn);
+
+ this.ovalLookupHelper = ovalLookupHelperIn;
+ }
+
+ @Override
+ protected List extractItem(BaseCriteria criteria) {
+ CriteriaType criteriaType = (CriteriaType) criteria;
+
+ BaseCriteria productCriteriaRootNode = criteriaType.getChildren().get(0);
+ BaseCriteria packageCriteriaRootNode = criteriaType.getChildren().get(1);
+
+ List productCriterions = collectCriterions(productCriteriaRootNode);
+
+ List