From 139239828040a7bf45506daba3d36111c4dbad44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Unbekandt?= <gregoire.unbekandt@orange.com>
Date: Fri, 15 Dec 2017 17:17:15 +0100
Subject: [PATCH 1/4] vulnsrc_rhel: one vulnerability by CVE

Get one vulnerability by CVE_ID for RHEL instead of one by RHSA_ID so we can have NVD metadata added to the vulnerabilities.

Fixes #495
---
 ext/vulnsrc/rhel/rhel.go      | 28 ++++++++++------------------
 ext/vulnsrc/rhel/rhel_test.go | 10 +++++-----
 2 files changed, 15 insertions(+), 23 deletions(-)

diff --git a/ext/vulnsrc/rhel/rhel.go b/ext/vulnsrc/rhel/rhel.go
index f4cbce8f..ae22c834 100644
--- a/ext/vulnsrc/rhel/rhel.go
+++ b/ext/vulnsrc/rhel/rhel.go
@@ -70,6 +70,7 @@ type definition struct {
 type reference struct {
 	Source string `xml:"source,attr"`
 	URI    string `xml:"ref_url,attr"`
+	ID     string `xml:"ref_id,attr"`
 }
 
 type criteria struct {
@@ -186,8 +187,6 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 		if len(pkgs) > 0 {
 			vulnerability := database.VulnerabilityWithAffected{
 				Vulnerability: database.Vulnerability{
-					Name:        name(definition),
-					Link:        link(definition),
 					Severity:    severity(definition),
 					Description: description(definition),
 				},
@@ -195,7 +194,15 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 			for _, p := range pkgs {
 				vulnerability.Affected = append(vulnerability.Affected, p)
 			}
-			vulnerabilities = append(vulnerabilities, vulnerability)
+
+			// One vulnerability by CVE
+			for _, reference := range definition.References {
+				if reference.Source == "CVE" {
+					vulnerability.Name = reference.ID
+					vulnerability.Link = reference.URI
+					vulnerabilities = append(vulnerabilities, vulnerability)
+				}
+			}
 		}
 	}
 
@@ -346,21 +353,6 @@ func description(def definition) (desc string) {
 	return
 }
 
-func name(def definition) string {
-	return strings.TrimSpace(def.Title[:strings.Index(def.Title, ": ")])
-}
-
-func link(def definition) (link string) {
-	for _, reference := range def.References {
-		if reference.Source == "RHSA" {
-			link = reference.URI
-			break
-		}
-	}
-
-	return
-}
-
 func severity(def definition) database.Severity {
 	switch strings.TrimSpace(def.Title[strings.LastIndex(def.Title, "(")+1 : len(def.Title)-1]) {
 	case "Low":
diff --git a/ext/vulnsrc/rhel/rhel_test.go b/ext/vulnsrc/rhel/rhel_test.go
index e91ec502..86136a78 100644
--- a/ext/vulnsrc/rhel/rhel_test.go
+++ b/ext/vulnsrc/rhel/rhel_test.go
@@ -33,8 +33,8 @@ func TestRHELParser(t *testing.T) {
 	testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.1.xml")
 	vulnerabilities, err := parseRHSA(testFile)
 	if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
-		assert.Equal(t, "RHSA-2015:1193", vulnerabilities[0].Name)
-		assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1193.html", vulnerabilities[0].Link)
+		assert.Equal(t, "CVE-2015-0252", vulnerabilities[0].Name)
+		assert.Equal(t, "https://access.redhat.com/security/cve/CVE-2015-0252", vulnerabilities[0].Link)
 		assert.Equal(t, database.MediumSeverity, vulnerabilities[0].Severity)
 		assert.Equal(t, `Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.`, vulnerabilities[0].Description)
 
@@ -76,9 +76,9 @@ func TestRHELParser(t *testing.T) {
 	// Test parsing testdata/fetcher_rhel_test.2.xml
 	testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml")
 	vulnerabilities, err = parseRHSA(testFile)
-	if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
-		assert.Equal(t, "RHSA-2015:1207", vulnerabilities[0].Name)
-		assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1207.html", vulnerabilities[0].Link)
+	if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 17) {
+		assert.Equal(t, "CVE-2015-2722", vulnerabilities[0].Name)
+		assert.Equal(t, "https://access.redhat.com/security/cve/CVE-2015-2722", vulnerabilities[0].Link)
 		assert.Equal(t, database.CriticalSeverity, vulnerabilities[0].Severity)
 		assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description)
 

From 6d1efc8552d0603faa32cec15dd0ae3f0004e4dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Unbekandt?= <gregoire.unbekandt@orange.com>
Date: Thu, 21 Dec 2017 10:55:55 +0100
Subject: [PATCH 2/4] vulnsrc_rhel: rhsa_ID by default

If no CVE is present, create a vulnerability with rhsa ID
---
 ext/vulnsrc/rhel/rhel.go | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/ext/vulnsrc/rhel/rhel.go b/ext/vulnsrc/rhel/rhel.go
index ae22c834..afd8a26d 100644
--- a/ext/vulnsrc/rhel/rhel.go
+++ b/ext/vulnsrc/rhel/rhel.go
@@ -185,6 +185,8 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 	for _, definition := range ov.Definitions {
 		pkgs := toFeatures(definition.Criteria)
 		if len(pkgs) > 0 {
+
+			// Init vulnerability
 			vulnerability := database.VulnerabilityWithAffected{
 				Vulnerability: database.Vulnerability{
 					Severity:    severity(definition),
@@ -195,11 +197,15 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 				vulnerability.Affected = append(vulnerability.Affected, p)
 			}
 
-			// One vulnerability by CVE
-			for _, reference := range definition.References {
-				if reference.Source == "CVE" {
-					vulnerability.Name = reference.ID
-					vulnerability.Link = reference.URI
+			// Only RHSA is present
+			if len(definition.References) == 1 {
+				vulnerability.Name = rhsaName(definition)
+				vulnerability.Link = definition.References[0].URI
+				vulnerabilities = append(vulnerabilities, vulnerability)
+			} else {
+				for _, reference := range definition.References[1:] {
+					vulnerability.Name = name(reference)
+					vulnerability.Link = link(reference)
 					vulnerabilities = append(vulnerabilities, vulnerability)
 				}
 			}
@@ -368,3 +374,15 @@ func severity(def definition) database.Severity {
 		return database.UnknownSeverity
 	}
 }
+
+func name(ref reference) string {
+	return ref.ID
+}
+
+func link(ref reference) string {
+	return ref.URI
+}
+
+func rhsaName(def definition) string {
+	return strings.TrimSpace(def.Title[:strings.Index(def.Title, ": ")])
+}

From 19b648e9b32baea8e901db950feb44965e703776 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Unbekandt?= <gregoire.unbekandt@orange.com>
Date: Fri, 22 Dec 2017 10:48:22 +0100
Subject: [PATCH 3/4] vulnsrc_rhel: minor changes

Code reorganisation
---
 ext/vulnsrc/rhel/rhel.go | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/ext/vulnsrc/rhel/rhel.go b/ext/vulnsrc/rhel/rhel.go
index afd8a26d..4d4d7e77 100644
--- a/ext/vulnsrc/rhel/rhel.go
+++ b/ext/vulnsrc/rhel/rhel.go
@@ -189,6 +189,8 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 			// Init vulnerability
 			vulnerability := database.VulnerabilityWithAffected{
 				Vulnerability: database.Vulnerability{
+					Name:        rhsaName(definition),
+					Link:        rhsaLink(definition),
 					Severity:    severity(definition),
 					Description: description(definition),
 				},
@@ -199,13 +201,12 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 
 			// Only RHSA is present
 			if len(definition.References) == 1 {
-				vulnerability.Name = rhsaName(definition)
 				vulnerability.Link = definition.References[0].URI
 				vulnerabilities = append(vulnerabilities, vulnerability)
 			} else {
 				for _, reference := range definition.References[1:] {
-					vulnerability.Name = name(reference)
-					vulnerability.Link = link(reference)
+					vulnerability.Name = reference.ID
+					vulnerability.Link = reference.URI
 					vulnerabilities = append(vulnerabilities, vulnerability)
 				}
 			}
@@ -375,14 +376,13 @@ func severity(def definition) database.Severity {
 	}
 }
 
-func name(ref reference) string {
-	return ref.ID
-}
-
-func link(ref reference) string {
-	return ref.URI
-}
-
 func rhsaName(def definition) string {
 	return strings.TrimSpace(def.Title[:strings.Index(def.Title, ": ")])
 }
+
+func rhsaLink(def definition) (link string) {
+	if len(def.References) > 0 {
+		link = def.References[0].URI
+	}
+	return
+}

From 8160d0ef437d36879e261422dc5f0f1f18a61e68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9goire=20Unbekandt?= <gregoire.unbekandt@orange.com>
Date: Fri, 22 Dec 2017 11:23:58 +0100
Subject: [PATCH 4/4] vulnsrc_rhel: minor changes

delete a useless line
---
 ext/vulnsrc/rhel/rhel.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ext/vulnsrc/rhel/rhel.go b/ext/vulnsrc/rhel/rhel.go
index 4d4d7e77..1966ff17 100644
--- a/ext/vulnsrc/rhel/rhel.go
+++ b/ext/vulnsrc/rhel/rhel.go
@@ -201,7 +201,6 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []database.VulnerabilityWi
 
 			// Only RHSA is present
 			if len(definition.References) == 1 {
-				vulnerability.Link = definition.References[0].URI
 				vulnerabilities = append(vulnerabilities, vulnerability)
 			} else {
 				for _, reference := range definition.References[1:] {