From 1c3daa23b9e6fb76a9b0b283d3b2a5e1037b50b6 Mon Sep 17 00:00:00 2001
From: Quentin Machu
Date: Fri, 18 Nov 2016 18:05:20 +0100
Subject: [PATCH 1/3] updater: minimize vulns' lock duration in the NVD metadata fetcher
---
 updater/metadata_fetchers/nvd/nvd.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/updater/metadata_fetchers/nvd/nvd.go b/updater/metadata_fetchers/nvd/nvd.go
index 7f918963..5ccf0cf6 100644
--- a/updater/metadata_fetchers/nvd/nvd.go
+++ b/updater/metadata_fetchers/nvd/nvd.go
@@ -105,7 +105,6 @@ func (fetcher *NVDMetadataFetcher) AddMetadata(vulnerability *updater.Vulnerabil
 if nvdMetadata, ok := fetcher.metadata[vulnerability.Name]; ok {
 vulnerability.Lock.Lock()
- defer vulnerability.Lock.Unlock()
 // Create Metadata map if necessary.
 if vulnerability.Metadata == nil {
@@ -113,6 +112,8 @@ func (fetcher *NVDMetadataFetcher) AddMetadata(vulnerability *updater.Vulnerabil
 }
 vulnerability.Metadata[metadataKey] = nvdMetadata
+
+ vulnerability.Lock.Unlock()
 }
 return nil
From 96398465dea9f86b569cacc7d3677db2f09a763b Mon Sep 17 00:00:00 2001
From: Quentin Machu
Date: Fri, 18 Nov 2016 18:08:22 +0100
Subject: [PATCH 2/3] updater: Set vulns' Severity from NVD metadata fetcher if unknown
If a Vulnerability that goes through the NVD metadata fetcher has an empty or Unknown Severity, then use the CVSS score to set one. This will help to get a more consistent database when a vulnerability source does not provide this information.
---
 updater/metadata_fetchers/nvd/nvd.go | 30 ++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/updater/metadata_fetchers/nvd/nvd.go b/updater/metadata_fetchers/nvd/nvd.go
index 5ccf0cf6..fadf719c 100644
--- a/updater/metadata_fetchers/nvd/nvd.go
+++ b/updater/metadata_fetchers/nvd/nvd.go
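Review bot: Dropping `defer vulnerability.Lock.Unlock()` in favour of the explicit `vulnerability.Lock.Unlock()` added in the second hunk (`@@ -113,6 +112,8 @@`) means a panic anywhere between Lock() and the new Unlock() leaves that vulnerability locked for every later caller, whereas the deferred form released it unconditionally. The duration gained is one statement: the `}` closing the locked block is immediately followed by `return nil`, so the deferred unlock would have fired right after it anyway. If the goal is to keep the critical section from widening in later edits, an immediately-invoked closure keeps the defer semantics while bounding the section, `func() { vulnerability.Lock.Lock(); defer vulnerability.Lock.Unlock(); /* map init and assignment */ }()`. Failing that, a comment at the new Unlock() such as `// Nothing between Lock() and Unlock() may return or panic; no defer is used here.` records the invariant the next change must respect. AddMetadata's body begins before the first hunk.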
@@ -18,6 +18,7 @@ import (
 "github.com/coreos/clair/database"
 "github.com/coreos/clair/updater"
 cerrors "github.com/coreos/clair/utils/errors"
+ "github.com/coreos/clair/utils/types"
 "github.com/coreos/pkg/capnslog"
 )
@@ -106,13 +107,17 @@ func (fetcher *NVDMetadataFetcher) AddMetadata(vulnerability *updater.Vulnerabil
 if nvdMetadata, ok := fetcher.metadata[vulnerability.Name]; ok {
 vulnerability.Lock.Lock()
- // Create Metadata map if necessary.
+ // Create Metadata map if necessary and assign the NVD metadata.
 if vulnerability.Metadata == nil {
 vulnerability.Metadata = make(map[string]interface{})
 }
-
 vulnerability.Metadata[metadataKey] = nvdMetadata
+ // Set the Severity using the CVSSv2 Score if none is set yet.
+ if vulnerability.Severity == "" || vulnerability.Severity == types.Unknown {
+ vulnerability.Severity = scoreToPriority(nvdMetadata.CVSSv2.Score)
+ }
+
 vulnerability.Lock.Unlock()
 }
@@ -225,3 +230,24 @@ func getHashFromMetaURL(metaURL string) (string, error) {
 return "", errors.New("invalid .meta file format")
 }
+
+// scoreToPriority converts the CVSS Score (0.0 - 10.0) into user-friendy
+// types.Priority following the qualitative rating scale available in the
+// CVSS v3.0 specification (https://www.first.org/cvss/specification-document),
+// Table 14. The Negligible level is set for CVSS scores between [0, 1),
+// replacing the specified None level, originally used for a score of 0.
+func scoreToPriority(score float64) types.Priority {
+ switch {
+ case score < 1.0:
+ return types.Negligible
+ case score < 3.9:
+ return types.Low
+ case score < 6.9:
+ return types.Medium
+ case score < 8.9:
+ return types.High
+ case score <= 10:
+ return types.Critical
+ }
+ return types.Unknown
+}
From 1faf27ba185bbad2e12558accb65b6460d5ee682 Mon Sep 17 00:00:00 2001
From: Quentin Machu
Date: Fri, 18 Nov 2016 18:14:57 +0100
Subject: [PATCH 3/3] utils: Fix OVAL's log statements
---
 utils/oval/oval.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
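Review bot: The new assignment `vulnerability.Severity = scoreToPriority(nvdMetadata.CVSSv2.Score)` never checks that the NVD entry actually carried a CVSSv2 score; if the fetcher leaves `Score` at its float64 zero value for entries NVD has not analysed yet, a vulnerability whose own source gave no severity is silently promoted from Unknown to Negligible (scoreToPriority maps [0, 1) to `types.Negligible`), which hides the fact that nobody has rated it and would let an unrated issue drop below a "minimum severity" filter. Gate the block on the presence of CVSSv2 data — whichever field of the CVSSv2 struct signals it, if one exists (a non-empty vector string would be the natural choice), or at minimum `nvdMetadata.CVSSv2.Score > 0` — and otherwise leave Severity as it was. The new comment `// Set the Severity using the CVSSv2 Score if none is set yet.` should also say that the v3.0 qualitative scale is being applied to a v2 base score, since the two versions define different bands and the reader will otherwise assume a v2 rating. AddMetadata starts and ends outside this hunk.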
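Review bot: The bucket boundaries in `scoreToPriority` are one tenth off against the CVSS v3.0 qualitative scale the doc comment cites (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0): `case score < 3.9` sends a score of exactly 3.9 to Medium, `case score < 6.9` sends 6.9 to High, and `case score < 8.9` sends 8.9 to Critical, each one band too severe. The cases should read `case score < 4.0:`, `case score < 7.0:` and `case score < 9.0:`. Negative inputs currently land in the first case and come back as Negligible rather than Unknown, while NaN already falls through to `types.Unknown` because every comparison is false; the doc comment should state the behaviour for out-of-range input either way. Minor: "user-friendy" in the doc comment should be "user-friendly", and since the only call site in this patch passes `nvdMetadata.CVSSv2.Score`, the comment should note that the v3.0 scale is deliberately applied to v2 scores.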
diff --git a/utils/oval/oval.go b/utils/oval/oval.go
index e27c6eff..f7775b92 100644
--- a/utils/oval/oval.go
+++ b/utils/oval/oval.go
@@ -166,7 +166,7 @@ var (
 // FetchUpdate gets vulnerability updates from the OVAL definitions.
 func (f *OvalFetcher) FetchUpdate(datastore database.Datastore) (resp updater.FetcherResponse, err error) {
- log.Info("fetching %s vulnerabilities", f.OsInfo.DistName())
+ log.Infof("fetching %s vulnerabilities", f.OsInfo.DistName())
 r, err := http.Get(f.OsInfo.OvalURI())
 if err != nil {
@@ -247,8 +247,7 @@ func (f *OvalFetcher) ToFeatureVersions(possibilities [][]criterion) []database.
 }
 if osVersion == "" {
- log.Warning("No OS version found for criterions")
- log.Warning(criterions)
+ log.Warningf("No OS version found for criterions: %#v", criterions)
 continue
 }