Add Oracle Linux fetcher to grab and parse OVAL data.
Signed-off-by: Avi Miller <>
This commit is contained in:
@ -30,6 +30,7 @@ import (
_ ""
_ ""
_ ""
_ ""
_ ""
_ ""
_ ""
_ ""
_ ""
_ ""
_ ""
Normal file
Normal file
@ -0,0 +1,355 @@
// Copyright 2015 clair authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
package oracle
import (
cerrors ""
const (
firstOracle5ELSA = 20070057
ovalURI = ""
elsaFilePrefix = ""
updaterFlag = "oracleUpdater"
var (
ignoredCriterions = []string{
" is signed with the Oracle Linux",
elsaRegexp = regexp.MustCompile(`\d+).xml`)
log = capnslog.NewPackageLogger("", "updater/fetchers/oracle")
type oval struct {
Definitions []definition `xml:"definitions>definition"`
type definition struct {
Title string `xml:"metadata>title"`
Description string `xml:"metadata>description"`
References []reference `xml:"metadata>reference"`
Criteria criteria `xml:"criteria"`
Severity string `xml:"metadata>advisory>severity"`
type reference struct {
Source string `xml:"source,attr"`
URI string `xml:"ref_url,attr"`
type criteria struct {
Operator string `xml:"operator,attr"`
Criterias []*criteria `xml:"criteria"`
Criterions []criterion `xml:"criterion"`
type criterion struct {
Comment string `xml:"comment,attr"`
// OracleFetcher implements updater.Fetcher and gets vulnerability updates from
// the Oracle Linux OVAL definitions.
type OracleFetcher struct{}
func init() {
updater.RegisterFetcher("Oracle", &OracleFetcher{})
// FetchUpdate gets vulnerability updates from the Oracle Linux OVAL definitions.
func (f *OracleFetcher) FetchUpdate(datastore database.Datastore) (resp updater.FetcherResponse, err error) {
log.Info("fetching Oracle Linux vulnerabilities")
// Get the first ELSA we have to manage.
flagValue, err := datastore.GetKeyValue(updaterFlag)
if err != nil {
return resp, err
firstELSA, err := strconv.Atoi(flagValue)
if firstELSA == 0 || err != nil {
firstELSA = firstOracle5ELSA
// Fetch the update list.
r, err := http.Get(ovalURI)
if err != nil {
log.Errorf("could not download Oracle's update list: %s", err)
return resp, cerrors.ErrCouldNotDownload
// Get the list of ELSAs that we have to process.
var elsaList []int
scanner := bufio.NewScanner(r.Body)
for scanner.Scan() {
line := scanner.Text()
r := elsaRegexp.FindStringSubmatch(line)
if len(r) == 2 {
elsaNo, _ := strconv.Atoi(r[1])
if elsaNo > firstELSA {
elsaList = append(elsaList, elsaNo)
for _, elsa := range elsaList {
// Download the ELSA's XML file.
r, err := http.Get(ovalURI + elsaFilePrefix + strconv.Itoa(elsa) + ".xml")
if err != nil {
log.Errorf("could not download Oracle's update file: %s", err)
return resp, cerrors.ErrCouldNotDownload
// Parse the XML.
vs, err := parseELSA(r.Body)
if err != nil {
return resp, err
// Collect vulnerabilities.
for _, v := range vs {
resp.Vulnerabilities = append(resp.Vulnerabilities, v)
// Set the flag if we found anything.
if len(elsaList) > 0 {
resp.FlagName = updaterFlag
resp.FlagValue = strconv.Itoa(elsaList[len(elsaList)-1])
} else {
log.Debug("no Oracle Linux update.")
return resp, nil
func parseELSA(ovalReader io.Reader) (vulnerabilities []database.Vulnerability, err error) {
// Decode the XML.
var ov oval
err = xml.NewDecoder(ovalReader).Decode(&ov)
if err != nil {
log.Errorf("could not decode Oracle's XML: %s", err)
err = cerrors.ErrCouldNotParse
// Iterate over the definitions and collect any vulnerabilities that affect
// at least one package.
for _, definition := range ov.Definitions {
pkgs := toFeatureVersions(definition.Criteria)
if len(pkgs) > 0 {
vulnerability := database.Vulnerability{
Name: name(definition),
Link: link(definition),
Severity: priority(definition),
Description: description(definition),
for _, p := range pkgs {
vulnerability.FixedIn = append(vulnerability.FixedIn, p)
vulnerabilities = append(vulnerabilities, vulnerability)
func getCriterions(node criteria) [][]criterion {
// Filter useless criterions.
var criterions []criterion
for _, c := range node.Criterions {
ignored := false
for _, ignoredItem := range ignoredCriterions {
if strings.Contains(c.Comment, ignoredItem) {
ignored = true
if !ignored {
criterions = append(criterions, c)
if node.Operator == "AND" {
return [][]criterion{criterions}
} else if node.Operator == "OR" {
var possibilities [][]criterion
for _, c := range criterions {
possibilities = append(possibilities, []criterion{c})
return possibilities
return [][]criterion{}
func getPossibilities(node criteria) [][]criterion {
if len(node.Criterias) == 0 {
return getCriterions(node)
var possibilitiesToCompose [][][]criterion
for _, criteria := range node.Criterias {
possibilitiesToCompose = append(possibilitiesToCompose, getPossibilities(*criteria))
if len(node.Criterions) > 0 {
possibilitiesToCompose = append(possibilitiesToCompose, getCriterions(node))
var possibilities [][]criterion
if node.Operator == "AND" {
for _, possibility := range possibilitiesToCompose[0] {
possibilities = append(possibilities, possibility)
for _, possibilityGroup := range possibilitiesToCompose[1:] {
var newPossibilities [][]criterion
for _, possibility := range possibilities {
for _, possibilityInGroup := range possibilityGroup {
var p []criterion
p = append(p, possibility...)
p = append(p, possibilityInGroup...)
newPossibilities = append(newPossibilities, p)
possibilities = newPossibilities
} else if node.Operator == "OR" {
for _, possibilityGroup := range possibilitiesToCompose {
for _, possibility := range possibilityGroup {
possibilities = append(possibilities, possibility)
return possibilities
func toFeatureVersions(criteria criteria) []database.FeatureVersion {
// There are duplicates in Oracle .xml files.
// This map is for deduplication.
featureVersionParameters := make(map[string]database.FeatureVersion)
possibilities := getPossibilities(criteria)
for _, criterions := range possibilities {
var (
featureVersion database.FeatureVersion
osVersion int
err error
// Attempt to parse package data from trees of criterions.
for _, c := range criterions {
if strings.Contains(c.Comment, " is installed") {
const prefixLen = len("Oracle Linux ")
osVersion, err = strconv.Atoi(strings.TrimSpace(c.Comment[prefixLen : prefixLen+strings.Index(c.Comment[prefixLen:], " ")]))
if err != nil {
log.Warningf("could not parse Oracle Linux release version from: '%s'.", c.Comment)
} else if strings.Contains(c.Comment, " is earlier than ") {
const prefixLen = len(" is earlier than ")
featureVersion.Feature.Name = strings.TrimSpace(c.Comment[:strings.Index(c.Comment, " is earlier than ")])
featureVersion.Version, err = types.NewVersion(c.Comment[strings.Index(c.Comment, " is earlier than ")+prefixLen:])
if err != nil {
log.Warningf("could not parse package version '%s': %s. skipping", c.Comment[strings.Index(c.Comment, " is earlier than ")+prefixLen:], err.Error())
featureVersion.Feature.Namespace.Name = "oracle" + ":" + strconv.Itoa(osVersion)
if featureVersion.Feature.Namespace.Name != "" && featureVersion.Feature.Name != "" && featureVersion.Version.String() != "" {
featureVersionParameters[featureVersion.Feature.Namespace.Name+":"+featureVersion.Feature.Name] = featureVersion
} else {
log.Warningf("could not determine a valid package from criterions: %v", criterions)
// Convert the map to slice.
var featureVersionParametersArray []database.FeatureVersion
for _, fv := range featureVersionParameters {
featureVersionParametersArray = append(featureVersionParametersArray, fv)
return featureVersionParametersArray
func description(def definition) (desc string) {
// It is much more faster to proceed like this than using a Replacer.
desc = strings.Replace(def.Description, "\n\n\n", " ", -1)
desc = strings.Replace(desc, "\n\n", " ", -1)
desc = strings.Replace(desc, "\n", " ", -1)
func name(def definition) string {
return strings.TrimSpace(def.Title[:strings.Index(def.Title, ": ")])
func link(def definition) (link string) {
for _, reference := range def.References {
if reference.Source == "elsa" {
link = reference.URI
func priority(def definition) types.Priority {
// Parse the priority.
priority := strings.ToLower(def.Severity)
// Normalize the priority.
switch priority {
case "n/a":
return types.Negligible
case "low":
return types.Low
case "moderate":
return types.Medium
case "important":
return types.High
case "critical":
return types.Critical
log.Warningf("could not determine vulnerability priority from: %s.", priority)
return types.Unknown
// Clean deletes any allocated resources.
func (f *OracleFetcher) Clean() {}
Normal file
Normal file
@ -0,0 +1,98 @@
// Copyright 2015 clair authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
package oracle
import (
func TestOracleParser(t *testing.T) {
_, filename, _, _ := runtime.Caller(0)
path := filepath.Join(filepath.Dir(filename))
// Test parsing testdata/fetcher_oracle_test.1.xml
testFile, _ := os.Open(path + "/testdata/fetcher_oracle_test.1.xml")
vulnerabilities, err := parseELSA(testFile)
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
assert.Equal(t, "ELSA-2015-1193", vulnerabilities[0].Name)
assert.Equal(t, "", vulnerabilities[0].Link)
assert.Equal(t, types.Medium, vulnerabilities[0].Severity)
assert.Equal(t, ` [3.1.1-7] Resolves: rhbz#1217104 CVE-2015-0252 `, vulnerabilities[0].Description)
expectedFeatureVersions := []database.FeatureVersion{
Feature: database.Feature{
Namespace: database.Namespace{Name: "oracle:7"},
Name: "xerces-c",
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
Feature: database.Feature{
Namespace: database.Namespace{Name: "oracle:7"},
Name: "xerces-c-devel",
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
Feature: database.Feature{
Namespace: database.Namespace{Name: "oracle:7"},
Name: "xerces-c-doc",
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
for _, expectedFeatureVersion := range expectedFeatureVersions {
assert.Contains(t, vulnerabilities[0].FixedIn, expectedFeatureVersion)
testFile, _ = os.Open(path + "/testdata/fetcher_oracle_test.2.xml")
vulnerabilities, err = parseELSA(testFile)
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
assert.Equal(t, "ELSA-2015-1207", vulnerabilities[0].Name)
assert.Equal(t, "", vulnerabilities[0].Link)
assert.Equal(t, types.Critical, vulnerabilities[0].Severity)
assert.Equal(t, ` [38.1.0-1.0.1.el7_1] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file [38.1.0-1] - Update to 38.1.0 ESR [38.0.1-2] - Fixed rhbz#1222807 by removing preun section `, vulnerabilities[0].Description)
expectedFeatureVersions := []database.FeatureVersion{
Feature: database.Feature{
Namespace: database.Namespace{Name: "oracle:6"},
Name: "firefox",
Version: types.NewVersionUnsafe("38.1.0-1.0.1.el6_6"),
Feature: database.Feature{
Namespace: database.Namespace{Name: "oracle:7"},
Name: "firefox",
Version: types.NewVersionUnsafe("38.1.0-1.0.1.el7_1"),
for _, expectedFeatureVersion := range expectedFeatureVersions {
assert.Contains(t, vulnerabilities[0].FixedIn, expectedFeatureVersion)
Normal file
Normal file
@ -0,0 +1,120 @@
<oval_definitions xmlns="" xmlns:oval="" xmlns:oval-def="" xmlns:unix-def="" xmlns:red-def="" xmlns:xsi="" xsi:schemaLocation=" oval-common-schema.xsd oval-definitions-schema.xsd unix-definitions-schema.xsd linux-definitions-schema.xsd">
<oval:product_name>Oracle Errata System</oval:product_name>
<oval:product_version>Oracle Linux</oval:product_version>
<definition id="" version="501" class="patch">
ELSA-2015-1193: xerces-c security update (MODERATE)
<affected family="unix">
<platform>Oracle Linux 7</platform>
<reference source="elsa" ref_id="ELSA-2015-1193" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-0252" ref_url=""/>
Resolves: rhbz#1217104 CVE-2015-0252
~~~~~~~~~~~~~~~~~~~~ advisory details ~~~~~~~~~~~~~~~~~~~
<rights>Copyright 2015 Oracle, Inc.</rights>
<issued date="2015-06-29"/>
<cve href="">CVE-2015-0252</cve>
<criteria operator="AND">
<criterion test_ref="" comment="Oracle Linux 7 is installed"/>
<criteria operator="OR">
<criteria operator="AND">
<criterion test_ref="" comment="xerces-c is earlier than 0:3.1.1-7.el7_1"/>
<criterion test_ref="" comment="xerces-c is signed with the Oracle Linux 7 key"/>
<criteria operator="AND">
<criterion test_ref="" comment="xerces-c-doc is earlier than 0:3.1.1-7.el7_1"/>
<criterion test_ref="" comment="xerces-c-doc is signed with the Oracle Linux 7 key"/>
<criteria operator="AND">
<criterion test_ref="" comment="xerces-c-devel is earlier than 0:3.1.1-7.el7_1"/>
<criterion test_ref="" comment="xerces-c-devel is signed with the Oracle Linux 7 key"/>
~~~~~~~~~~~~~~~~~~~~~ rpminfo tests ~~~~~~~~~~~~~~~~~~~~~
<rpminfo_test id="" version="501" comment="Oracle Linux 7 is installed" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="xerces-c is earlier than 0:3.1.1-7.el7_1" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="xerces-c is signed with the Oracle Linux 7 key" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="xerces-c-doc is earlier than 0:3.1.1-7.el7_1" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="xerces-c-doc is signed with the Oracle Linux 7 key" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="xerces-c-devel is earlier than 0:3.1.1-7.el7_1" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="xerces-c-devel is signed with the Oracle Linux 7 key" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
~~~~~~~~~~~~~~~~~~~~ rpminfo objects ~~~~~~~~~~~~~~~~~~~~
<rpminfo_object xmlns="" id="" version="501">
<rpminfo_object xmlns="" id="" version="501">
<rpminfo_object xmlns="" id="" version="501">
<rpminfo_object xmlns="" id="" version="501">
~~~~~~~~~~~~~~~~~~~~ rpminfo states ~~~~~~~~~~~~~~~~~~~~~
<rpminfo_state xmlns="" id="" version="501"><signature_keyid operation="equals">72f97b74ec551f03</signature_keyid>
<rpminfo_state xmlns="" id="" version="501"><version operation="pattern match">^7</version>
<rpminfo_state xmlns="" id="" version="501"><evr datatype="evr_string" operation="less than">0:3.1.1-7.el7_1</evr>
Normal file
Normal file
@ -0,0 +1,177 @@
<oval_definitions xmlns="" xmlns:oval="" xmlns:oval-def="" xmlns:unix-def="" xmlns:red-def="" xmlns:xsi="" xsi:schemaLocation=" oval-common-schema.xsd oval-definitions-schema.xsd unix-definitions-schema.xsd linux-definitions-schema.xsd">
<oval:product_name>Oracle Errata System</oval:product_name>
<oval:product_version>Oracle Linux</oval:product_version>
<definition id="" version="501" class="patch">
ELSA-2015-1207: firefox security update (CRITICAL)
<affected family="unix">
<platform>Oracle Linux 5</platform>
<platform>Oracle Linux 6</platform>
<platform>Oracle Linux 7</platform>
<reference source="elsa" ref_id="ELSA-2015-1207" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2722" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2724" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2725" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2727" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2728" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2729" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2731" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2733" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2734" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2735" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2736" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2737" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2738" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2739" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2740" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2741" ref_url=""/>
<reference source="CVE" ref_id="CVE-2015-2743" ref_url=""/>
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file
- Update to 38.1.0 ESR
- Fixed rhbz#1222807 by removing preun section
~~~~~~~~~~~~~~~~~~~~ advisory details ~~~~~~~~~~~~~~~~~~~
<rights>Copyright 2015 Oracle, Inc.</rights>
<issued date="2015-07-03"/>
<cve href="">CVE-2015-2722</cve>
<cve href="">CVE-2015-2724</cve>
<cve href="">CVE-2015-2725</cve>
<cve href="">CVE-2015-2727</cve>
<cve href="">CVE-2015-2728</cve>
<cve href="">CVE-2015-2729</cve>
<cve href="">CVE-2015-2731</cve>
<cve href="">CVE-2015-2733</cve>
<cve href="">CVE-2015-2734</cve>
<cve href="">CVE-2015-2735</cve>
<cve href="">CVE-2015-2736</cve>
<cve href="">CVE-2015-2737</cve>
<cve href="">CVE-2015-2738</cve>
<cve href="">CVE-2015-2739</cve>
<cve href="">CVE-2015-2740</cve>
<cve href="">CVE-2015-2741</cve>
<cve href="">CVE-2015-2743</cve>
<criteria operator="OR">
<criteria operator="AND">
<criterion test_ref="" comment="Oracle Linux 5 is installed"/>
<criteria operator="AND">
<criterion test_ref="" comment="firefox is earlier than 0:38.1.0-1.0.1.el5_11"/>
<criterion test_ref="" comment="firefox is signed with the Oracle Linux 5 key"/>
<criteria operator="AND">
<criterion test_ref="" comment="Oracle Linux 6 is installed"/>
<criteria operator="AND">
<criterion test_ref="" comment="firefox is earlier than 0:38.1.0-1.0.1.el6_6"/>
<criterion test_ref="" comment="firefox is signed with the Oracle Linux 6 key"/>
<criteria operator="AND">
<criterion test_ref="" comment="Oracle Linux 7 is installed"/>
<criteria operator="AND">
<criterion test_ref="" comment="firefox is earlier than 0:38.1.0-1.0.1.el7_1"/>
<criterion test_ref="" comment="firefox is signed with the Oracle Linux 7 key"/>
~~~~~~~~~~~~~~~~~~~~~ rpminfo tests ~~~~~~~~~~~~~~~~~~~~~
<rpminfo_test id="" version="501" comment="Oracle Linux 5 is installed" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="firefox is earlier than 0:38.1.0-1.0.1.el5_11" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="firefox is signed with the Oracle Linux 5 key" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="Oracle Linux 6 is installed" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="firefox is earlier than 0:38.1.0-1.0.1.el6_6" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="firefox is signed with the Oracle Linux 6 key" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="Oracle Linux 7 is installed" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="firefox is earlier than 0:38.1.0-1.0.1.el7_1" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
<rpminfo_test id="" version="501" comment="firefox is signed with the Oracle Linux 7 key" check="at least one" xmlns="">
<object object_ref="" />
<state state_ref="" />
~~~~~~~~~~~~~~~~~~~~ rpminfo objects ~~~~~~~~~~~~~~~~~~~~
<rpminfo_object xmlns="" id="" version="501">
<rpminfo_object xmlns="" id="" version="501">
~~~~~~~~~~~~~~~~~~~~ rpminfo states ~~~~~~~~~~~~~~~~~~~~~
<rpminfo_state xmlns="" id="" version="501"><signature_keyid operation="equals">66ced3de1e5e0159</signature_keyid>
<rpminfo_state xmlns="" id="" version="501"><signature_keyid operation="equals">72f97b74ec551f03</signature_keyid>
<rpminfo_state xmlns="" id="" version="501"><version operation="pattern match">^5</version>
<rpminfo_state xmlns="" id="" version="501"><evr datatype="evr_string" operation="less than">0:38.1.0-1.0.1.el5_11</evr>
<rpminfo_state xmlns="" id="" version="501"><version operation="pattern match">^6</version>
<rpminfo_state xmlns="" id="" version="501"><evr datatype="evr_string" operation="less than">0:38.1.0-1.0.1.el6_6</evr>
<rpminfo_state xmlns="" id="" version="501"><version operation="pattern match">^7</version>
<rpminfo_state xmlns="" id="" version="501"><evr datatype="evr_string" operation="less than">0:38.1.0-1.0.1.el7_1</evr>
Reference in New Issue
Block a user