Merge pull request #656 from glb/elsa_CVEID
vulnsrc_oracle: one vulnerability per CVE
This commit is contained in:
commit
504f0f3af3
@ -63,11 +63,19 @@ type definition struct {
|
||||
References []reference `xml:"metadata>reference"`
|
||||
Criteria criteria `xml:"criteria"`
|
||||
Severity string `xml:"metadata>advisory>severity"`
|
||||
CVEs []cve `xml:"metadata>advisory>cve"`
|
||||
}
|
||||
|
||||
type reference struct {
|
||||
Source string `xml:"source,attr"`
|
||||
URI string `xml:"ref_url,attr"`
|
||||
ID string `xml:"ref_id,attr"`
|
||||
}
|
||||
|
||||
type cve struct {
|
||||
Impact string `xml:"impact,attr"`
|
||||
Href string `xml:"href,attr"`
|
||||
ID string `xml:",chardata"`
|
||||
}
|
||||
|
||||
type criteria struct {
|
||||
@ -227,14 +235,31 @@ func parseELSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
|
||||
Vulnerability: database.Vulnerability{
|
||||
Name: name(definition),
|
||||
Link: link(definition),
|
||||
Severity: severity(definition),
|
||||
Severity: severity(definition.Severity),
|
||||
Description: description(definition),
|
||||
},
|
||||
}
|
||||
for _, p := range pkgs {
|
||||
vulnerability.Affected = append(vulnerability.Affected, p)
|
||||
}
|
||||
vulnerabilities = append(vulnerabilities, vulnerability)
|
||||
|
||||
// Only ELSA is present
|
||||
if len(definition.CVEs) == 0 {
|
||||
vulnerabilities = append(vulnerabilities, vulnerability)
|
||||
continue
|
||||
}
|
||||
|
||||
// Create one vulnerability per CVE
|
||||
for _, currentCVE := range definition.CVEs {
|
||||
vulnerability.Name = currentCVE.ID
|
||||
vulnerability.Link = currentCVE.Href
|
||||
if currentCVE.Impact != "" {
|
||||
vulnerability.Severity = severity(currentCVE.Impact)
|
||||
} else {
|
||||
vulnerability.Severity = severity(definition.Severity)
|
||||
}
|
||||
vulnerabilities = append(vulnerabilities, vulnerability)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -396,20 +421,20 @@ func link(def definition) (link string) {
|
||||
return
|
||||
}
|
||||
|
||||
func severity(def definition) database.Severity {
|
||||
switch strings.ToLower(def.Severity) {
|
||||
func severity(sev string) database.Severity {
|
||||
switch strings.ToLower(sev) {
|
||||
case "n/a":
|
||||
return database.NegligibleSeverity
|
||||
case "low":
|
||||
return database.LowSeverity
|
||||
case "moderate":
|
||||
return database.MediumSeverity
|
||||
case "important":
|
||||
case "important", "high": // some ELSAs have "high" instead of "important"
|
||||
return database.HighSeverity
|
||||
case "critical":
|
||||
return database.CriticalSeverity
|
||||
default:
|
||||
log.WithField("severity", def.Severity).Warning("could not determine vulnerability severity")
|
||||
log.WithField("severity", sev).Warning("could not determine vulnerability severity")
|
||||
return database.UnknownSeverity
|
||||
}
|
||||
}
|
||||
|
@ -15,6 +15,7 @@
|
||||
package oracle
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"runtime"
|
||||
@ -25,7 +26,7 @@ import (
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestOracleParser(t *testing.T) {
|
||||
func TestOracleParserOneCve(t *testing.T) {
|
||||
_, filename, _, _ := runtime.Caller(0)
|
||||
path := filepath.Join(filepath.Dir(filename))
|
||||
|
||||
@ -35,8 +36,8 @@ func TestOracleParser(t *testing.T) {
|
||||
|
||||
vulnerabilities, err := parseELSA(testFile)
|
||||
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
|
||||
assert.Equal(t, "ELSA-2015-1193", vulnerabilities[0].Name)
|
||||
assert.Equal(t, "http://linux.oracle.com/errata/ELSA-2015-1193.html", vulnerabilities[0].Link)
|
||||
assert.Equal(t, "CVE-2015-0252", vulnerabilities[0].Name)
|
||||
assert.Equal(t, "http://linux.oracle.com/cve/CVE-2015-0252.html", vulnerabilities[0].Link)
|
||||
assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity)
|
||||
assert.Equal(t, ` [3.1.1-7] Resolves: rhbz#1217104 CVE-2015-0252 `, vulnerabilities[0].Description)
|
||||
|
||||
@ -77,41 +78,30 @@ func TestOracleParser(t *testing.T) {
|
||||
assert.Contains(t, vulnerabilities[0].Affected, expectedFeature)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
testFile2, _ := os.Open(filepath.Join(path, "/testdata/fetcher_oracle_test.2.xml"))
|
||||
defer testFile2.Close()
|
||||
func TestELSAParserMultipleCVE(t *testing.T) {
|
||||
testFile, _ := os.Open("testdata/fetcher_oracle_test.2.xml")
|
||||
defer testFile.Close()
|
||||
|
||||
vulnerabilities, err = parseELSA(testFile2)
|
||||
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
|
||||
assert.Equal(t, "ELSA-2015-1207", vulnerabilities[0].Name)
|
||||
assert.Equal(t, "http://linux.oracle.com/errata/ELSA-2015-1207.html", vulnerabilities[0].Link)
|
||||
assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity)
|
||||
assert.Equal(t, ` [38.1.0-1.0.1.el7_1] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file [38.1.0-1] - Update to 38.1.0 ESR [38.0.1-2] - Fixed rhbz#1222807 by removing preun section `, vulnerabilities[0].Description)
|
||||
expectedFeatures := []database.AffectedFeature{
|
||||
{
|
||||
AffectedType: affectedType,
|
||||
Namespace: database.Namespace{
|
||||
Name: "oracle:6",
|
||||
VersionFormat: rpm.ParserName,
|
||||
},
|
||||
FeatureName: "firefox",
|
||||
FixedInVersion: "0:38.1.0-1.0.1.el6_6",
|
||||
AffectedVersion: "0:38.1.0-1.0.1.el6_6",
|
||||
},
|
||||
{
|
||||
AffectedType: affectedType,
|
||||
Namespace: database.Namespace{
|
||||
Name: "oracle:7",
|
||||
VersionFormat: rpm.ParserName,
|
||||
},
|
||||
FeatureName: "firefox",
|
||||
FixedInVersion: "0:38.1.0-1.0.1.el7_1",
|
||||
AffectedVersion: "0:38.1.0-1.0.1.el7_1",
|
||||
},
|
||||
}
|
||||
vulnerabilities, err := parseELSA(testFile)
|
||||
|
||||
for _, expectedFeature := range expectedFeatures {
|
||||
assert.Contains(t, vulnerabilities[0].Affected, expectedFeature)
|
||||
// Expected
|
||||
expectedCve := []string{"CVE-2015-2722", "CVE-2015-2724", "CVE-2015-2725", "CVE-2015-2727",
|
||||
"CVE-2015-2728", "CVE-2015-2729", "CVE-2015-2731", "CVE-2015-2733", "CVE-2015-2734",
|
||||
"CVE-2015-2735", "CVE-2015-2736", "CVE-2015-2737", "CVE-2015-2738", "CVE-2015-2739",
|
||||
"CVE-2015-2740", "CVE-2015-2741", "CVE-2015-2743"}
|
||||
expectedSeverity := []string{"Negligible", "Low", "Medium", "High",
|
||||
"Critical", "Unknown", "Critical", "Critical", "Critical",
|
||||
"Critical", "Critical", "Critical", "Critical", "Critical",
|
||||
"Critical", "Critical", "Critical"}
|
||||
|
||||
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, len(expectedCve)) {
|
||||
for i, vulnerability := range vulnerabilities {
|
||||
assert.Equal(t, expectedCve[i], vulnerability.Name)
|
||||
assert.Equal(t, fmt.Sprintf("http://linux.oracle.com/cve/%s.html", expectedCve[i]), vulnerability.Link)
|
||||
assert.Equal(t, database.Severity(expectedSeverity[i]), vulnerability.Severity)
|
||||
assert.Equal(t, ` [38.1.0-1.0.1.el7_1] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file [38.1.0-1] - Update to 38.1.0 ESR [38.0.1-2] - Fixed rhbz#1222807 by removing preun section `, vulnerability.Description)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -53,12 +53,12 @@ ELSA-2015-1207: firefox security update (CRITICAL)
|
||||
<severity>CRITICAL</severity>
|
||||
<rights>Copyright 2015 Oracle, Inc.</rights>
|
||||
<issued date="2015-07-03"/>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2722.html">CVE-2015-2722</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2724.html">CVE-2015-2724</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2725.html">CVE-2015-2725</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2727.html">CVE-2015-2727</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2728.html">CVE-2015-2728</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2729.html">CVE-2015-2729</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2722.html" impact="N/A">CVE-2015-2722</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2724.html" impact="LOW">CVE-2015-2724</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2725.html" impact="MODERATE">CVE-2015-2725</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2727.html" impact="IMPORTANT">CVE-2015-2727</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2728.html" impact="CRITICAL">CVE-2015-2728</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2729.html" impact="OTHER">CVE-2015-2729</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2731.html">CVE-2015-2731</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2733.html">CVE-2015-2733</cve>
|
||||
<cve href="http://linux.oracle.com/cve/CVE-2015-2734.html">CVE-2015-2734</cve>
|
||||
|
Loading…
Reference in New Issue
Block a user