vulnsrc_oracle: one vulnerability per CVE

Get one vulnerability per CVE for Oracle instead of one per ELSA so we can have NVD metadata added to the vulnerabilities. Related: #495, #499.
2018-11-02 19:28:54 -04:00 · 2018-11-02 19:28:54 -04:00 · 3503ddb96f
commit 3503ddb96f
parent 93e7a4cfa8
3 changed files with 66 additions and 51 deletions
--- a/ext/vulnsrc/oracle/oracle.go
+++ b/ext/vulnsrc/oracle/oracle.go
@ -63,11 +63,19 @@ type definition struct {
 	References  []reference `xml:"metadata>reference"`
 	Criteria    criteria    `xml:"criteria"`
 	Severity    string      `xml:"metadata>advisory>severity"`
 	CVEs        []cve       `xml:"metadata>advisory>cve"`
 }
 type reference struct {
 	Source string `xml:"source,attr"`
 	URI    string `xml:"ref_url,attr"`
 	ID     string `xml:"ref_id,attr"`
 }
 type cve struct {
 	Impact string `xml:"impact,attr"`
 	Href   string `xml:"href,attr"`
 	ID     string `xml:",chardata"`
 }
 type criteria struct {
@ -227,14 +235,31 @@ func parseELSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 				Vulnerability: database.Vulnerability{
 					Name:        name(definition),
 					Link:        link(definition),
-					Severity:    severity(definition),
+					Severity:    severity(definition.Severity),
 					Description: description(definition),
 				},
 			}
 			for _, p := range pkgs {
 				vulnerability.Affected = append(vulnerability.Affected, p)
 			}
-			vulnerabilities = append(vulnerabilities, vulnerability)
+
 			// Only ELSA is present
 			if len(definition.CVEs) == 0 {
 				vulnerabilities = append(vulnerabilities, vulnerability)
 				continue
 			}
 			// Create one vulnerability per CVE
 			for _, currentCVE := range definition.CVEs {
 				vulnerability.Name = currentCVE.ID
 				vulnerability.Link = currentCVE.Href
 				if currentCVE.Impact != "" {
 					vulnerability.Severity = severity(currentCVE.Impact)
 				} else {
 					vulnerability.Severity = severity(definition.Severity)
 				}
 				vulnerabilities = append(vulnerabilities, vulnerability)
 			}
 		}
 	}
@ -396,20 +421,20 @@ func link(def definition) (link string) {
 	return
 }
-func severity(def definition) database.Severity {
+func severity(sev string) database.Severity {
-	switch strings.ToLower(def.Severity) {
+	switch strings.ToLower(sev) {
 	case "n/a":
 		return database.NegligibleSeverity
 	case "low":
 		return database.LowSeverity
 	case "moderate":
 		return database.MediumSeverity
-	case "important":
+	case "important", "high": // some ELSAs have "high" instead of "important"
 		return database.HighSeverity
 	case "critical":
 		return database.CriticalSeverity
 	default:
-		log.WithField("severity", def.Severity).Warning("could not determine vulnerability severity")
+		log.WithField("severity", sev).Warning("could not determine vulnerability severity")
 		return database.UnknownSeverity
 	}
 }
--- a/ext/vulnsrc/oracle/oracle_test.go
+++ b/ext/vulnsrc/oracle/oracle_test.go
@ -15,6 +15,7 @@
 package oracle
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"runtime"
@ -25,7 +26,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
-func TestOracleParser(t *testing.T) {
+func TestOracleParserOneCve(t *testing.T) {
 	_, filename, _, _ := runtime.Caller(0)
 	path := filepath.Join(filepath.Dir(filename))
@ -35,8 +36,8 @@ func TestOracleParser(t *testing.T) {
 	vulnerabilities, err := parseELSA(testFile)
 	if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
-		assert.Equal(t, "ELSA-2015-1193", vulnerabilities[0].Name)
+		assert.Equal(t, "CVE-2015-0252", vulnerabilities[0].Name)
-		assert.Equal(t, "http://linux.oracle.com/errata/ELSA-2015-1193.html", vulnerabilities[0].Link)
+		assert.Equal(t, "http://linux.oracle.com/cve/CVE-2015-0252.html", vulnerabilities[0].Link)
 		assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity)
 		assert.Equal(t, ` [3.1.1-7] Resolves: rhbz#1217104 CVE-2015-0252 `, vulnerabilities[0].Description)
@ -77,41 +78,30 @@ func TestOracleParser(t *testing.T) {
 			assert.Contains(t, vulnerabilities[0].Affected, expectedFeature)
 		}
 	}
 }
-	testFile2, _ := os.Open(filepath.Join(path, "/testdata/fetcher_oracle_test.2.xml"))
+func TestELSAParserMultipleCVE(t *testing.T) {
-	defer testFile2.Close()
+	testFile, _ := os.Open("testdata/fetcher_oracle_test.2.xml")
 	defer testFile.Close()
-	vulnerabilities, err = parseELSA(testFile2)
+	vulnerabilities, err := parseELSA(testFile)
 	if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
 		assert.Equal(t, "ELSA-2015-1207", vulnerabilities[0].Name)
 		assert.Equal(t, "http://linux.oracle.com/errata/ELSA-2015-1207.html", vulnerabilities[0].Link)
 		assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity)
 		assert.Equal(t, ` [38.1.0-1.0.1.el7_1] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file [38.1.0-1] - Update to 38.1.0 ESR [38.0.1-2] - Fixed rhbz#1222807 by removing preun section `, vulnerabilities[0].Description)
 		expectedFeatures := []database.AffectedFeature{
 			{
 				AffectedType: affectedType,
 				Namespace: database.Namespace{
 					Name:          "oracle:6",
 					VersionFormat: rpm.ParserName,
 				},
 				FeatureName:     "firefox",
 				FixedInVersion:  "0:38.1.0-1.0.1.el6_6",
 				AffectedVersion: "0:38.1.0-1.0.1.el6_6",
 			},
 			{
 				AffectedType: affectedType,
 				Namespace: database.Namespace{
 					Name:          "oracle:7",
 					VersionFormat: rpm.ParserName,
 				},
 				FeatureName:     "firefox",
 				FixedInVersion:  "0:38.1.0-1.0.1.el7_1",
 				AffectedVersion: "0:38.1.0-1.0.1.el7_1",
 			},
 		}
-		for _, expectedFeature := range expectedFeatures {
+	// Expected
-			assert.Contains(t, vulnerabilities[0].Affected, expectedFeature)
+	expectedCve := []string{"CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727",
 		"CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734",
 		"CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739",
 		"CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743"}
 	expectedSeverity := []string{"Negligible", "Low", "Medium", "High",
 		"Critical", "Unknown", "Critical", "Critical", "Critical",
 		"Critical", "Critical", "Critical", "Critical", "Critical",
 		"Critical", "Critical", "Critical"}
 	if assert.Nil(t, err) && assert.Len(t, vulnerabilities, len(expectedCve)) {
 		for i, vulnerability := range vulnerabilities {
 			assert.Equal(t, expectedCve[i], vulnerability.Name)
 			assert.Equal(t, fmt.Sprintf("http://linux.oracle.com/cve/%s.html", expectedCve[i]), vulnerability.Link)
 			assert.Equal(t, database.Severity(expectedSeverity[i]), vulnerability.Severity)
 			assert.Equal(t, ` [38.1.0-1.0.1.el7_1] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file [38.1.0-1] - Update to 38.1.0 ESR [38.0.1-2] - Fixed rhbz#1222807 by removing preun section `, vulnerability.Description)
 		}
 	}
 }
--- a/ext/vulnsrc/oracle/testdata/fetcher_oracle_test.2.xml
+++ b/ext/vulnsrc/oracle/testdata/fetcher_oracle_test.2.xml
@ -47,18 +47,18 @@ ELSA-2015-1207:  firefox security update (CRITICAL)
 - Fixed rhbz#1222807 by removing preun section
 </description>
 <!--
- ~~~~~~~~~~~~~~~~~~~~   advisory details   ~~~~~~~~~~~~~~~~~~~ 
+ ~~~~~~~~~~~~~~~~~~~~   advisory details   ~~~~~~~~~~~~~~~~~~~
 -->
 <advisory>
 <severity>CRITICAL</severity>
 <rights>Copyright 2015 Oracle, Inc.</rights>
 <issued date="2015-07-03"/>
-<cve href="http://linux.oracle.com/cve/CVE-2015-2722.html">CVE-2015-2722</cve>
+<cve href="http://linux.oracle.com/cve/CVE-2015-2722.html" impact="N/A">CVE-2015-2722</cve>
-<cve href="http://linux.oracle.com/cve/CVE-2015-2724.html">CVE-2015-2724</cve>
+<cve href="http://linux.oracle.com/cve/CVE-2015-2724.html" impact="LOW">CVE-2015-2724</cve>
-<cve href="http://linux.oracle.com/cve/CVE-2015-2725.html">CVE-2015-2725</cve>
+<cve href="http://linux.oracle.com/cve/CVE-2015-2725.html" impact="MODERATE">CVE-2015-2725</cve>
-<cve href="http://linux.oracle.com/cve/CVE-2015-2727.html">CVE-2015-2727</cve>
+<cve href="http://linux.oracle.com/cve/CVE-2015-2727.html" impact="IMPORTANT">CVE-2015-2727</cve>
-<cve href="http://linux.oracle.com/cve/CVE-2015-2728.html">CVE-2015-2728</cve>
+<cve href="http://linux.oracle.com/cve/CVE-2015-2728.html" impact="CRITICAL">CVE-2015-2728</cve>
-<cve href="http://linux.oracle.com/cve/CVE-2015-2729.html">CVE-2015-2729</cve>
+<cve href="http://linux.oracle.com/cve/CVE-2015-2729.html" impact="OTHER">CVE-2015-2729</cve>
 <cve href="http://linux.oracle.com/cve/CVE-2015-2731.html">CVE-2015-2731</cve>
 <cve href="http://linux.oracle.com/cve/CVE-2015-2733.html">CVE-2015-2733</cve>
 <cve href="http://linux.oracle.com/cve/CVE-2015-2734.html">CVE-2015-2734</cve>
@ -99,7 +99,7 @@ ELSA-2015-1207:  firefox security update (CRITICAL)
 </definition>
 </definitions>
 <!--
- ~~~~~~~~~~~~~~~~~~~~~   rpminfo tests   ~~~~~~~~~~~~~~~~~~~~~ 
+ ~~~~~~~~~~~~~~~~~~~~~   rpminfo tests   ~~~~~~~~~~~~~~~~~~~~~
 -->
 <tests>
 <rpminfo_test id="oval:com.oracle.elsa:tst:20151207001"  version="501" comment="Oracle Linux 5 is installed" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
@ -141,7 +141,7 @@ ELSA-2015-1207:  firefox security update (CRITICAL)
 </tests>
 <!--
- ~~~~~~~~~~~~~~~~~~~~   rpminfo objects   ~~~~~~~~~~~~~~~~~~~~ 
+ ~~~~~~~~~~~~~~~~~~~~   rpminfo objects   ~~~~~~~~~~~~~~~~~~~~
 -->
 <objects>
 <rpminfo_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:com.oracle.elsa:obj:20151207002" version="501">
@ -154,7 +154,7 @@ ELSA-2015-1207:  firefox security update (CRITICAL)
 </objects>
 <states>
 <!--
- ~~~~~~~~~~~~~~~~~~~~   rpminfo states   ~~~~~~~~~~~~~~~~~~~~~ 
+ ~~~~~~~~~~~~~~~~~~~~   rpminfo states   ~~~~~~~~~~~~~~~~~~~~~
 -->
 <rpminfo_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" id="oval:com.oracle.elsa:ste:20151207001" version="501"><signature_keyid operation="equals">66ced3de1e5e0159</signature_keyid>
 </rpminfo_state>