From 4ab98cfe54bedcce7880cc03b1c52d5a91811860 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Unbekandt?= Date: Fri, 15 Dec 2017 17:17:15 +0100 Subject: [PATCH] vulnsrc_rhel: one vulnerability by CVE Get one vulnerability by CVE_ID for RHEL instead of one by RHSA_ID so we can have NVD metadata added to the vulnerabilities. Fixes #495 --- ext/vulnsrc/rhel/rhel.go | 28 ++++++++++------------------ ext/vulnsrc/rhel/rhel_test.go | 10 +++++----- 2 files changed, 15 insertions(+), 23 deletions(-) diff --git a/ext/vulnsrc/rhel/rhel.go b/ext/vulnsrc/rhel/rhel.go index 481beabf..b5da99be 100644 --- a/ext/vulnsrc/rhel/rhel.go +++ b/ext/vulnsrc/rhel/rhel.go @@ -70,6 +70,7 @@ type definition struct { type reference struct { Source string `xml:"source,attr"` URI string `xml:"ref_url,attr"` + ID string `xml:"ref_id,attr"` } type criteria struct { @@ -198,8 +199,6 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi if len(pkgs) > 0 { vulnerability := database.VulnerabilityWithAffected{ Vulnerability: database.Vulnerability{ - Name: name(definition), - Link: link(definition), Severity: severity(definition), Description: description(definition), }, @@ -207,7 +206,15 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi for _, p := range pkgs { vulnerability.Affected = append(vulnerability.Affected, p) } - vulnerabilities = append(vulnerabilities, vulnerability) + + // One vulnerability by CVE + for _, reference := range definition.References { + if reference.Source == "CVE" { + vulnerability.Name = reference.ID + vulnerability.Link = reference.URI + vulnerabilities = append(vulnerabilities, vulnerability) + } + } } } @@ -358,21 +365,6 @@ func description(def definition) (desc string) { return } -func name(def definition) string { - return strings.TrimSpace(def.Title[:strings.Index(def.Title, ": ")]) -} - -func link(def definition) (link string) { - for _, reference := range def.References { - if reference.Source == "RHSA" { - link = reference.URI - break - } - } - - return -} - func severity(def definition) database.Severity { switch strings.TrimSpace(def.Title[strings.LastIndex(def.Title, "(")+1 : len(def.Title)-1]) { case "Low": diff --git a/ext/vulnsrc/rhel/rhel_test.go b/ext/vulnsrc/rhel/rhel_test.go index e91ec502..86136a78 100644 --- a/ext/vulnsrc/rhel/rhel_test.go +++ b/ext/vulnsrc/rhel/rhel_test.go @@ -33,8 +33,8 @@ func TestRHELParser(t *testing.T) { testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.1.xml") vulnerabilities, err := parseRHSA(testFile) if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) { - assert.Equal(t, "RHSA-2015:1193", vulnerabilities[0].Name) - assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1193.html", vulnerabilities[0].Link) + assert.Equal(t, "CVE-2015-0252", vulnerabilities[0].Name) + assert.Equal(t, "https://access.redhat.com/security/cve/CVE-2015-0252", vulnerabilities[0].Link) assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity) assert.Equal(t, `Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.`, vulnerabilities[0].Description) @@ -76,9 +76,9 @@ func TestRHELParser(t *testing.T) { // Test parsing testdata/fetcher_rhel_test.2.xml testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml") vulnerabilities, err = parseRHSA(testFile) - if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) { - assert.Equal(t, "RHSA-2015:1207", vulnerabilities[0].Name) - assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1207.html", vulnerabilities[0].Link) + if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 17) { + assert.Equal(t, "CVE-2015-2722", vulnerabilities[0].Name) + assert.Equal(t, "https://access.redhat.com/security/cve/CVE-2015-2722", vulnerabilities[0].Link) assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity) assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description)