vulnsrc_rhel: one vulnerability by CVE

Get one vulnerability by CVE_ID for RHEL instead of one by RHSA_ID so we can have NVD metadata added to the vulnerabilities.

Fixes #495
This commit is contained in:
Grégoire Unbekandt 2017-12-15 17:17:15 +01:00 committed by Grégoire Unbekandt
parent f98ff58afd
commit 4ab98cfe54
2 changed files with 15 additions and 23 deletions

View File

@ -70,6 +70,7 @@ type definition struct {
type reference struct { type reference struct {
Source string `xml:"source,attr"` Source string `xml:"source,attr"`
URI string `xml:"ref_url,attr"` URI string `xml:"ref_url,attr"`
ID string `xml:"ref_id,attr"`
} }
type criteria struct { type criteria struct {
@ -198,8 +199,6 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
if len(pkgs) > 0 { if len(pkgs) > 0 {
vulnerability := database.VulnerabilityWithAffected{ vulnerability := database.VulnerabilityWithAffected{
Vulnerability: database.Vulnerability{ Vulnerability: database.Vulnerability{
Name: name(definition),
Link: link(definition),
Severity: severity(definition), Severity: severity(definition),
Description: description(definition), Description: description(definition),
}, },
@ -207,9 +206,17 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
for _, p := range pkgs { for _, p := range pkgs {
vulnerability.Affected = append(vulnerability.Affected, p) vulnerability.Affected = append(vulnerability.Affected, p)
} }
// One vulnerability by CVE
for _, reference := range definition.References {
if reference.Source == "CVE" {
vulnerability.Name = reference.ID
vulnerability.Link = reference.URI
vulnerabilities = append(vulnerabilities, vulnerability) vulnerabilities = append(vulnerabilities, vulnerability)
} }
} }
}
}
return return
} }
@ -358,21 +365,6 @@ func description(def definition) (desc string) {
return return
} }
func name(def definition) string {
return strings.TrimSpace(def.Title[:strings.Index(def.Title, ": ")])
}
func link(def definition) (link string) {
for _, reference := range def.References {
if reference.Source == "RHSA" {
link = reference.URI
break
}
}
return
}
func severity(def definition) database.Severity { func severity(def definition) database.Severity {
switch strings.TrimSpace(def.Title[strings.LastIndex(def.Title, "(")+1 : len(def.Title)-1]) { switch strings.TrimSpace(def.Title[strings.LastIndex(def.Title, "(")+1 : len(def.Title)-1]) {
case "Low": case "Low":

View File

@ -33,8 +33,8 @@ func TestRHELParser(t *testing.T) {
testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.1.xml") testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.1.xml")
vulnerabilities, err := parseRHSA(testFile) vulnerabilities, err := parseRHSA(testFile)
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) { if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
assert.Equal(t, "RHSA-2015:1193", vulnerabilities[0].Name) assert.Equal(t, "CVE-2015-0252", vulnerabilities[0].Name)
assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1193.html", vulnerabilities[0].Link) assert.Equal(t, "https://access.redhat.com/security/cve/CVE-2015-0252", vulnerabilities[0].Link)
assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity) assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity)
assert.Equal(t, `Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.`, vulnerabilities[0].Description) assert.Equal(t, `Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.`, vulnerabilities[0].Description)
@ -76,9 +76,9 @@ func TestRHELParser(t *testing.T) {
// Test parsing testdata/fetcher_rhel_test.2.xml // Test parsing testdata/fetcher_rhel_test.2.xml
testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml") testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml")
vulnerabilities, err = parseRHSA(testFile) vulnerabilities, err = parseRHSA(testFile)
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) { if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 17) {
assert.Equal(t, "RHSA-2015:1207", vulnerabilities[0].Name) assert.Equal(t, "CVE-2015-2722", vulnerabilities[0].Name)
assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1207.html", vulnerabilities[0].Link) assert.Equal(t, "https://access.redhat.com/security/cve/CVE-2015-2722", vulnerabilities[0].Link)
assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity) assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity)
assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description) assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description)