2017-01-04 02:44:32 +00:00
|
|
|
// Copyright 2017 clair authors
|
2015-11-13 19:11:28 +00:00
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
2017-01-04 02:44:32 +00:00
|
|
|
// Package rhel implements a vulnerability source updater using the
|
|
|
|
// Red Hat Linux OVAL Database.
|
2016-01-13 21:41:00 +00:00
|
|
|
package rhel
|
2015-11-13 19:11:28 +00:00
|
|
|
|
|
|
|
import (
|
2016-12-19 22:03:39 +00:00
|
|
|
"bufio"
|
|
|
|
"encoding/xml"
|
2017-05-04 17:21:25 +00:00
|
|
|
"fmt"
|
2016-12-19 22:03:39 +00:00
|
|
|
"io"
|
|
|
|
"net/http"
|
2015-11-13 19:11:28 +00:00
|
|
|
"regexp"
|
|
|
|
"strconv"
|
|
|
|
"strings"
|
|
|
|
|
2017-05-04 17:21:25 +00:00
|
|
|
log "github.com/sirupsen/logrus"
|
2016-12-28 01:45:11 +00:00
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
"github.com/coreos/clair/database"
|
2016-12-28 01:45:11 +00:00
|
|
|
"github.com/coreos/clair/ext/versionfmt"
|
2017-01-03 21:00:20 +00:00
|
|
|
"github.com/coreos/clair/ext/versionfmt/rpm"
|
2017-01-04 02:44:32 +00:00
|
|
|
"github.com/coreos/clair/ext/vulnsrc"
|
2017-01-13 07:08:52 +00:00
|
|
|
"github.com/coreos/clair/pkg/commonerr"
|
2015-11-13 19:11:28 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// Before this RHSA, it deals only with RHEL <= 4.
|
|
|
|
firstRHEL5RHSA = 20070044
|
|
|
|
firstConsideredRHEL = 5
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
ovalURI = "https://www.redhat.com/security/data/oval/"
|
|
|
|
rhsaFilePrefix = "com.redhat.rhsa-"
|
|
|
|
updaterFlag = "rhelUpdater"
|
2015-11-13 19:11:28 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2016-12-19 22:03:39 +00:00
|
|
|
ignoredCriterions = []string{
|
|
|
|
" is signed with Red Hat ",
|
|
|
|
" Client is installed",
|
|
|
|
" Workstation is installed",
|
|
|
|
" ComputeNode is installed",
|
|
|
|
}
|
|
|
|
|
2015-11-13 19:11:28 +00:00
|
|
|
rhsaRegexp = regexp.MustCompile(`com.redhat.rhsa-(\d+).xml`)
|
|
|
|
)
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
type oval struct {
|
|
|
|
Definitions []definition `xml:"definitions>definition"`
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
type definition struct {
|
|
|
|
Title string `xml:"metadata>title"`
|
|
|
|
Description string `xml:"metadata>description"`
|
|
|
|
References []reference `xml:"metadata>reference"`
|
|
|
|
Criteria criteria `xml:"criteria"`
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
type reference struct {
|
|
|
|
Source string `xml:"source,attr"`
|
|
|
|
URI string `xml:"ref_url,attr"`
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
type criteria struct {
|
|
|
|
Operator string `xml:"operator,attr"`
|
|
|
|
Criterias []*criteria `xml:"criteria"`
|
|
|
|
Criterions []criterion `xml:"criterion"`
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
type criterion struct {
|
|
|
|
Comment string `xml:"comment,attr"`
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2017-01-04 02:44:32 +00:00
|
|
|
type updater struct{}
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
func init() {
|
2017-01-04 02:44:32 +00:00
|
|
|
vulnsrc.RegisterUpdater("rhel", &updater{})
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2017-01-04 02:44:32 +00:00
|
|
|
func (u *updater) Update(datastore database.Datastore) (resp vulnsrc.UpdateResponse, err error) {
|
2017-05-04 17:21:25 +00:00
|
|
|
log.WithField("package", "RHEL").Info("Start fetching vulnerabilities")
|
2017-07-26 23:22:29 +00:00
|
|
|
|
|
|
|
tx, err := datastore.Begin()
|
|
|
|
if err != nil {
|
|
|
|
return resp, err
|
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
// Get the first RHSA we have to manage.
|
2017-07-26 23:22:29 +00:00
|
|
|
flagValue, ok, err := tx.FindKeyValue(updaterFlag)
|
2016-12-19 22:03:39 +00:00
|
|
|
if err != nil {
|
|
|
|
return resp, err
|
|
|
|
}
|
2017-07-26 23:22:29 +00:00
|
|
|
|
|
|
|
if err := tx.Rollback(); err != nil {
|
|
|
|
return resp, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if !ok {
|
|
|
|
flagValue = ""
|
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
firstRHSA, err := strconv.Atoi(flagValue)
|
|
|
|
if firstRHSA == 0 || err != nil {
|
|
|
|
firstRHSA = firstRHEL5RHSA
|
|
|
|
}
|
|
|
|
|
|
|
|
// Fetch the update list.
|
|
|
|
r, err := http.Get(ovalURI)
|
|
|
|
if err != nil {
|
2017-05-04 17:21:25 +00:00
|
|
|
log.WithError(err).Error("could not download RHEL's update list")
|
2017-01-13 07:08:52 +00:00
|
|
|
return resp, commonerr.ErrCouldNotDownload
|
2016-12-19 22:03:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Get the list of RHSAs that we have to process.
|
|
|
|
var rhsaList []int
|
|
|
|
scanner := bufio.NewScanner(r.Body)
|
|
|
|
for scanner.Scan() {
|
|
|
|
line := scanner.Text()
|
|
|
|
r := rhsaRegexp.FindStringSubmatch(line)
|
|
|
|
if len(r) == 2 {
|
|
|
|
rhsaNo, _ := strconv.Atoi(r[1])
|
|
|
|
if rhsaNo > firstRHSA {
|
|
|
|
rhsaList = append(rhsaList, rhsaNo)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, rhsa := range rhsaList {
|
|
|
|
// Download the RHSA's XML file.
|
|
|
|
r, err := http.Get(ovalURI + rhsaFilePrefix + strconv.Itoa(rhsa) + ".xml")
|
|
|
|
if err != nil {
|
2017-05-04 17:21:25 +00:00
|
|
|
log.WithError(err).Error("could not download RHEL's update list")
|
2017-01-13 07:08:52 +00:00
|
|
|
return resp, commonerr.ErrCouldNotDownload
|
2016-12-19 22:03:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Parse the XML.
|
|
|
|
vs, err := parseRHSA(r.Body)
|
|
|
|
if err != nil {
|
|
|
|
return resp, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Collect vulnerabilities.
|
|
|
|
for _, v := range vs {
|
|
|
|
resp.Vulnerabilities = append(resp.Vulnerabilities, v)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set the flag if we found anything.
|
|
|
|
if len(rhsaList) > 0 {
|
|
|
|
resp.FlagName = updaterFlag
|
|
|
|
resp.FlagValue = strconv.Itoa(rhsaList[len(rhsaList)-1])
|
|
|
|
} else {
|
2017-05-04 17:21:25 +00:00
|
|
|
log.WithField("package", "Red Hat").Debug("no update")
|
2016-12-19 22:03:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return resp, nil
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2017-01-04 02:44:32 +00:00
|
|
|
func (u *updater) Clean() {}
|
|
|
|
|
2017-07-26 23:22:29 +00:00
|
|
|
func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWithAffected, err error) {
|
2016-12-19 22:03:39 +00:00
|
|
|
// Decode the XML.
|
|
|
|
var ov oval
|
|
|
|
err = xml.NewDecoder(ovalReader).Decode(&ov)
|
|
|
|
if err != nil {
|
2017-05-04 17:21:25 +00:00
|
|
|
log.WithError(err).Error("could not decode RHEL's XML")
|
2017-01-13 07:08:52 +00:00
|
|
|
err = commonerr.ErrCouldNotParse
|
2016-12-19 22:03:39 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Iterate over the definitions and collect any vulnerabilities that affect
|
|
|
|
// at least one package.
|
|
|
|
for _, definition := range ov.Definitions {
|
2017-07-26 23:22:29 +00:00
|
|
|
pkgs := toFeatures(definition.Criteria)
|
2016-12-19 22:03:39 +00:00
|
|
|
if len(pkgs) > 0 {
|
2017-07-26 23:22:29 +00:00
|
|
|
vulnerability := database.VulnerabilityWithAffected{
|
|
|
|
Vulnerability: database.Vulnerability{
|
|
|
|
Name: name(definition),
|
|
|
|
Link: link(definition),
|
|
|
|
Severity: severity(definition),
|
|
|
|
Description: description(definition),
|
|
|
|
},
|
2016-12-19 22:03:39 +00:00
|
|
|
}
|
|
|
|
for _, p := range pkgs {
|
2017-07-26 23:22:29 +00:00
|
|
|
vulnerability.Affected = append(vulnerability.Affected, p)
|
2016-12-19 22:03:39 +00:00
|
|
|
}
|
|
|
|
vulnerabilities = append(vulnerabilities, vulnerability)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
func getCriterions(node criteria) [][]criterion {
|
|
|
|
// Filter useless criterions.
|
|
|
|
var criterions []criterion
|
|
|
|
for _, c := range node.Criterions {
|
|
|
|
ignored := false
|
|
|
|
|
|
|
|
for _, ignoredItem := range ignoredCriterions {
|
|
|
|
if strings.Contains(c.Comment, ignoredItem) {
|
|
|
|
ignored = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !ignored {
|
|
|
|
criterions = append(criterions, c)
|
|
|
|
}
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
if node.Operator == "AND" {
|
|
|
|
return [][]criterion{criterions}
|
|
|
|
} else if node.Operator == "OR" {
|
|
|
|
var possibilities [][]criterion
|
|
|
|
for _, c := range criterions {
|
|
|
|
possibilities = append(possibilities, []criterion{c})
|
|
|
|
}
|
|
|
|
return possibilities
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
return [][]criterion{}
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
func getPossibilities(node criteria) [][]criterion {
|
|
|
|
if len(node.Criterias) == 0 {
|
|
|
|
return getCriterions(node)
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
var possibilitiesToCompose [][][]criterion
|
|
|
|
for _, criteria := range node.Criterias {
|
|
|
|
possibilitiesToCompose = append(possibilitiesToCompose, getPossibilities(*criteria))
|
|
|
|
}
|
|
|
|
if len(node.Criterions) > 0 {
|
|
|
|
possibilitiesToCompose = append(possibilitiesToCompose, getCriterions(node))
|
|
|
|
}
|
|
|
|
|
|
|
|
var possibilities [][]criterion
|
|
|
|
if node.Operator == "AND" {
|
|
|
|
for _, possibility := range possibilitiesToCompose[0] {
|
|
|
|
possibilities = append(possibilities, possibility)
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, possibilityGroup := range possibilitiesToCompose[1:] {
|
|
|
|
var newPossibilities [][]criterion
|
|
|
|
|
|
|
|
for _, possibility := range possibilities {
|
|
|
|
for _, possibilityInGroup := range possibilityGroup {
|
|
|
|
var p []criterion
|
|
|
|
p = append(p, possibility...)
|
|
|
|
p = append(p, possibilityInGroup...)
|
|
|
|
newPossibilities = append(newPossibilities, p)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
possibilities = newPossibilities
|
|
|
|
}
|
|
|
|
} else if node.Operator == "OR" {
|
|
|
|
for _, possibilityGroup := range possibilitiesToCompose {
|
|
|
|
for _, possibility := range possibilityGroup {
|
|
|
|
possibilities = append(possibilities, possibility)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return possibilities
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2017-07-26 23:22:29 +00:00
|
|
|
func toFeatures(criteria criteria) []database.AffectedFeature {
|
2016-12-19 22:03:39 +00:00
|
|
|
// There are duplicates in Red Hat .xml files.
|
|
|
|
// This map is for deduplication.
|
2017-07-26 23:22:29 +00:00
|
|
|
featureVersionParameters := make(map[string]database.AffectedFeature)
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
possibilities := getPossibilities(criteria)
|
|
|
|
for _, criterions := range possibilities {
|
|
|
|
var (
|
2017-07-26 23:22:29 +00:00
|
|
|
featureVersion database.AffectedFeature
|
2016-12-19 22:03:39 +00:00
|
|
|
osVersion int
|
|
|
|
err error
|
|
|
|
)
|
|
|
|
|
|
|
|
// Attempt to parse package data from trees of criterions.
|
|
|
|
for _, c := range criterions {
|
|
|
|
if strings.Contains(c.Comment, " is installed") {
|
|
|
|
const prefixLen = len("Red Hat Enterprise Linux ")
|
|
|
|
osVersion, err = strconv.Atoi(strings.TrimSpace(c.Comment[prefixLen : prefixLen+strings.Index(c.Comment[prefixLen:], " ")]))
|
|
|
|
if err != nil {
|
2017-05-04 17:21:25 +00:00
|
|
|
log.WithField("criterion comment", c.Comment).Warning("could not parse Red Hat release version from criterion comment")
|
2016-12-19 22:03:39 +00:00
|
|
|
}
|
|
|
|
} else if strings.Contains(c.Comment, " is earlier than ") {
|
|
|
|
const prefixLen = len(" is earlier than ")
|
2017-07-26 23:22:29 +00:00
|
|
|
featureVersion.FeatureName = strings.TrimSpace(c.Comment[:strings.Index(c.Comment, " is earlier than ")])
|
2016-12-28 01:45:11 +00:00
|
|
|
version := c.Comment[strings.Index(c.Comment, " is earlier than ")+prefixLen:]
|
2017-01-03 21:00:20 +00:00
|
|
|
err := versionfmt.Valid(rpm.ParserName, version)
|
2016-12-19 22:03:39 +00:00
|
|
|
if err != nil {
|
2017-05-04 17:21:25 +00:00
|
|
|
log.WithError(err).WithField("version", version).Warning("could not parse package version. skipping")
|
2016-12-28 01:45:11 +00:00
|
|
|
} else {
|
2017-07-26 23:22:29 +00:00
|
|
|
featureVersion.AffectedVersion = version
|
|
|
|
if version != versionfmt.MaxVersion {
|
|
|
|
featureVersion.FixedInVersion = version
|
|
|
|
}
|
|
|
|
featureVersion.Namespace.VersionFormat = rpm.ParserName
|
2016-12-19 22:03:39 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if osVersion >= firstConsideredRHEL {
|
|
|
|
// TODO(vbatts) this is where features need multiple labels ('centos' and 'rhel')
|
2017-07-26 23:22:29 +00:00
|
|
|
featureVersion.Namespace.Name = "centos" + ":" + strconv.Itoa(osVersion)
|
2016-12-19 22:03:39 +00:00
|
|
|
} else {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2017-07-26 23:22:29 +00:00
|
|
|
if featureVersion.Namespace.Name != "" && featureVersion.FeatureName != "" && featureVersion.AffectedVersion != "" && featureVersion.FixedInVersion != "" {
|
|
|
|
featureVersionParameters[featureVersion.Namespace.Name+":"+featureVersion.FeatureName] = featureVersion
|
2016-12-19 22:03:39 +00:00
|
|
|
} else {
|
2017-05-04 17:21:25 +00:00
|
|
|
log.WithField("criterions", fmt.Sprintf("%v", criterions)).Warning("could not determine a valid package from criterions")
|
2016-12-19 22:03:39 +00:00
|
|
|
}
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
// Convert the map to slice.
|
2017-07-26 23:22:29 +00:00
|
|
|
var featureVersionParametersArray []database.AffectedFeature
|
2016-12-19 22:03:39 +00:00
|
|
|
for _, fv := range featureVersionParameters {
|
|
|
|
featureVersionParametersArray = append(featureVersionParametersArray, fv)
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
return featureVersionParametersArray
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
func description(def definition) (desc string) {
|
|
|
|
// It is much more faster to proceed like this than using a Replacer.
|
|
|
|
desc = strings.Replace(def.Description, "\n\n\n", " ", -1)
|
|
|
|
desc = strings.Replace(desc, "\n\n", " ", -1)
|
|
|
|
desc = strings.Replace(desc, "\n", " ", -1)
|
|
|
|
return
|
|
|
|
}
|
2015-11-13 19:11:28 +00:00
|
|
|
|
2016-12-19 22:03:39 +00:00
|
|
|
func name(def definition) string {
|
|
|
|
return strings.TrimSpace(def.Title[:strings.Index(def.Title, ": ")])
|
|
|
|
}
|
|
|
|
|
|
|
|
func link(def definition) (link string) {
|
|
|
|
for _, reference := range def.References {
|
|
|
|
if reference.Source == "RHSA" {
|
|
|
|
link = reference.URI
|
|
|
|
break
|
|
|
|
}
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
2016-12-19 22:03:39 +00:00
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2017-01-19 18:42:37 +00:00
|
|
|
func severity(def definition) database.Severity {
|
2017-01-15 15:52:13 +00:00
|
|
|
switch strings.TrimSpace(def.Title[strings.LastIndex(def.Title, "(")+1 : len(def.Title)-1]) {
|
2016-12-19 22:03:39 +00:00
|
|
|
case "Low":
|
2017-01-19 18:42:37 +00:00
|
|
|
return database.LowSeverity
|
2016-12-19 22:03:39 +00:00
|
|
|
case "Moderate":
|
2017-01-19 18:42:37 +00:00
|
|
|
return database.MediumSeverity
|
2016-12-19 22:03:39 +00:00
|
|
|
case "Important":
|
2017-01-19 18:42:37 +00:00
|
|
|
return database.HighSeverity
|
2016-12-19 22:03:39 +00:00
|
|
|
case "Critical":
|
2017-01-19 18:42:37 +00:00
|
|
|
return database.CriticalSeverity
|
2016-12-19 22:03:39 +00:00
|
|
|
default:
|
2017-01-15 15:52:13 +00:00
|
|
|
log.Warning("could not determine vulnerability severity from: %s.", def.Title)
|
2017-01-19 18:42:37 +00:00
|
|
|
return database.UnknownSeverity
|
2015-11-13 19:11:28 +00:00
|
|
|
}
|
|
|
|
}
|