updater: Refactor and merge fetcher responses
Fixes #17 and lays the groundwork for #19.
This commit is contained in:
parent
867279a5c9
commit
a7b683d4ba
@ -14,10 +14,7 @@
|
|||||||
|
|
||||||
package updater
|
package updater
|
||||||
|
|
||||||
import (
|
import "github.com/coreos/clair/database"
|
||||||
"github.com/coreos/clair/database"
|
|
||||||
"github.com/coreos/clair/utils/types"
|
|
||||||
)
|
|
||||||
|
|
||||||
var fetchers = make(map[string]Fetcher)
|
var fetchers = make(map[string]Fetcher)
|
||||||
|
|
||||||
@ -31,17 +28,8 @@ type FetcherResponse struct {
|
|||||||
FlagName string
|
FlagName string
|
||||||
FlagValue string
|
FlagValue string
|
||||||
Notes []string
|
Notes []string
|
||||||
Vulnerabilities []FetcherVulnerability
|
Vulnerabilities []*database.Vulnerability
|
||||||
}
|
Packages []*database.Package
|
||||||
|
|
||||||
// FetcherVulnerability represents an individual vulnerability processed from
|
|
||||||
// an update.
|
|
||||||
type FetcherVulnerability struct {
|
|
||||||
ID string
|
|
||||||
Link string
|
|
||||||
Description string
|
|
||||||
Priority types.Priority
|
|
||||||
FixedIn []*database.Package
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// RegisterFetcher makes a Fetcher available by the provided name.
|
// RegisterFetcher makes a Fetcher available by the provided name.
|
||||||
|
@ -24,8 +24,8 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/coreos/clair/database"
|
"github.com/coreos/clair/database"
|
||||||
cerrors "github.com/coreos/clair/utils/errors"
|
|
||||||
"github.com/coreos/clair/updater"
|
"github.com/coreos/clair/updater"
|
||||||
|
cerrors "github.com/coreos/clair/utils/errors"
|
||||||
"github.com/coreos/clair/utils/types"
|
"github.com/coreos/clair/utils/types"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -114,7 +114,8 @@ func buildResponse(jsonReader io.Reader, latestKnownHash string) (resp updater.F
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Extract vulnerability data from Debian's JSON schema.
|
// Extract vulnerability data from Debian's JSON schema.
|
||||||
vulnerabilities, unknownReleases := parseDebianJSON(&data)
|
var unknownReleases map[string]struct{}
|
||||||
|
resp.Vulnerabilities, resp.Packages, unknownReleases = parseDebianJSON(&data)
|
||||||
|
|
||||||
// Log unknown releases
|
// Log unknown releases
|
||||||
for k := range unknownReleases {
|
for k := range unknownReleases {
|
||||||
@ -123,16 +124,11 @@ func buildResponse(jsonReader io.Reader, latestKnownHash string) (resp updater.F
|
|||||||
log.Warning(note)
|
log.Warning(note)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Convert the vulnerabilities map to a slice in the response
|
|
||||||
for _, v := range vulnerabilities {
|
|
||||||
resp.Vulnerabilities = append(resp.Vulnerabilities, v)
|
|
||||||
}
|
|
||||||
|
|
||||||
return resp, nil
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseDebianJSON(data *jsonData) (vulnerabilities map[string]updater.FetcherVulnerability, unknownReleases map[string]struct{}) {
|
func parseDebianJSON(data *jsonData) (vulnerabilities []*database.Vulnerability, packages []*database.Package, unknownReleases map[string]struct{}) {
|
||||||
vulnerabilities = make(map[string]updater.FetcherVulnerability)
|
mvulnerabilities := make(map[string]*database.Vulnerability)
|
||||||
unknownReleases = make(map[string]struct{})
|
unknownReleases = make(map[string]struct{})
|
||||||
|
|
||||||
for pkgName, pkgNode := range *data {
|
for pkgName, pkgNode := range *data {
|
||||||
@ -150,9 +146,9 @@ func parseDebianJSON(data *jsonData) (vulnerabilities map[string]updater.Fetcher
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Get or create the vulnerability.
|
// Get or create the vulnerability.
|
||||||
vulnerability, vulnerabilityAlreadyExists := vulnerabilities[vulnName]
|
vulnerability, vulnerabilityAlreadyExists := mvulnerabilities[vulnName]
|
||||||
if !vulnerabilityAlreadyExists {
|
if !vulnerabilityAlreadyExists {
|
||||||
vulnerability = updater.FetcherVulnerability{
|
vulnerability = &database.Vulnerability{
|
||||||
ID: vulnName,
|
ID: vulnName,
|
||||||
Link: strings.Join([]string{cveURLPrefix, "/", vulnName}, ""),
|
Link: strings.Join([]string{cveURLPrefix, "/", vulnName}, ""),
|
||||||
Priority: types.Unknown,
|
Priority: types.Unknown,
|
||||||
@ -191,14 +187,20 @@ func parseDebianJSON(data *jsonData) (vulnerabilities map[string]updater.Fetcher
|
|||||||
Name: pkgName,
|
Name: pkgName,
|
||||||
Version: version,
|
Version: version,
|
||||||
}
|
}
|
||||||
vulnerability.FixedIn = append(vulnerability.FixedIn, pkg)
|
vulnerability.FixedInNodes = append(vulnerability.FixedInNodes, pkg.GetNode())
|
||||||
|
packages = append(packages, pkg)
|
||||||
|
|
||||||
// Store the vulnerability.
|
// Store the vulnerability.
|
||||||
vulnerabilities[vulnName] = vulnerability
|
mvulnerabilities[vulnName] = vulnerability
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Convert the vulnerabilities map to a slice
|
||||||
|
for _, v := range mvulnerabilities {
|
||||||
|
vulnerabilities = append(vulnerabilities, v)
|
||||||
|
}
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -38,39 +38,49 @@ func TestDebianParser(t *testing.T) {
|
|||||||
assert.Equal(t, types.Low, vulnerability.Priority)
|
assert.Equal(t, types.Low, vulnerability.Priority)
|
||||||
assert.Equal(t, "This vulnerability is not very dangerous.", vulnerability.Description)
|
assert.Equal(t, "This vulnerability is not very dangerous.", vulnerability.Description)
|
||||||
|
|
||||||
if assert.Len(t, vulnerability.FixedIn, 2) {
|
expectedPackages := []*database.Package{
|
||||||
assert.Contains(t, vulnerability.FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "debian:8",
|
OS: "debian:8",
|
||||||
Name: "aptdaemon",
|
Name: "aptdaemon",
|
||||||
Version: types.MaxVersion,
|
Version: types.MaxVersion,
|
||||||
})
|
},
|
||||||
assert.Contains(t, vulnerability.FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "debian:unstable",
|
OS: "debian:unstable",
|
||||||
Name: "aptdaemon",
|
Name: "aptdaemon",
|
||||||
Version: types.NewVersionUnsafe("1.1.1+bzr982-1"),
|
Version: types.NewVersionUnsafe("1.1.1+bzr982-1"),
|
||||||
})
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, expectedPackage := range expectedPackages {
|
||||||
|
assert.Contains(t, response.Packages, expectedPackage)
|
||||||
|
assert.Contains(t, vulnerability.FixedInNodes, expectedPackage.GetNode())
|
||||||
}
|
}
|
||||||
} else if vulnerability.ID == "CVE-2003-0779" {
|
} else if vulnerability.ID == "CVE-2003-0779" {
|
||||||
assert.Equal(t, "https://security-tracker.debian.org/tracker/CVE-2003-0779", vulnerability.Link)
|
assert.Equal(t, "https://security-tracker.debian.org/tracker/CVE-2003-0779", vulnerability.Link)
|
||||||
assert.Equal(t, types.High, vulnerability.Priority)
|
assert.Equal(t, types.High, vulnerability.Priority)
|
||||||
assert.Equal(t, "But this one is very dangerous.", vulnerability.Description)
|
assert.Equal(t, "But this one is very dangerous.", vulnerability.Description)
|
||||||
|
|
||||||
if assert.Len(t, vulnerability.FixedIn, 3) {
|
expectedPackages := []*database.Package{
|
||||||
assert.Contains(t, vulnerability.FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "debian:8",
|
OS: "debian:8",
|
||||||
Name: "aptdaemon",
|
Name: "aptdaemon",
|
||||||
Version: types.NewVersionUnsafe("0.7.0"),
|
Version: types.NewVersionUnsafe("0.7.0"),
|
||||||
})
|
},
|
||||||
assert.Contains(t, vulnerability.FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "debian:unstable",
|
OS: "debian:unstable",
|
||||||
Name: "aptdaemon",
|
Name: "aptdaemon",
|
||||||
Version: types.NewVersionUnsafe("0.7.0"),
|
Version: types.NewVersionUnsafe("0.7.0"),
|
||||||
})
|
},
|
||||||
assert.Contains(t, vulnerability.FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "debian:8",
|
OS: "debian:8",
|
||||||
Name: "asterisk",
|
Name: "asterisk",
|
||||||
Version: types.NewVersionUnsafe("0.5.56"),
|
Version: types.NewVersionUnsafe("0.5.56"),
|
||||||
})
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, expectedPackage := range expectedPackages {
|
||||||
|
assert.Contains(t, response.Packages, expectedPackage)
|
||||||
|
assert.Contains(t, vulnerability.FixedInNodes, expectedPackage.GetNode())
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
assert.Fail(t, "Wrong vulnerability name: ", vulnerability.ID)
|
assert.Fail(t, "Wrong vulnerability name: ", vulnerability.ID)
|
||||||
|
@ -24,8 +24,8 @@ import (
|
|||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/coreos/clair/database"
|
"github.com/coreos/clair/database"
|
||||||
cerrors "github.com/coreos/clair/utils/errors"
|
|
||||||
"github.com/coreos/clair/updater"
|
"github.com/coreos/clair/updater"
|
||||||
|
cerrors "github.com/coreos/clair/utils/errors"
|
||||||
"github.com/coreos/clair/utils/types"
|
"github.com/coreos/clair/utils/types"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -128,17 +128,14 @@ func (f *RHELFetcher) FetchUpdate() (resp updater.FetcherResponse, err error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Parse the XML.
|
// Parse the XML.
|
||||||
vs, err := parseRHSA(r.Body)
|
vs, pkgs, err := parseRHSA(r.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return resp, err
|
return resp, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Collect vulnerabilities.
|
// Collect vulnerabilities.
|
||||||
for _, v := range vs {
|
resp.Vulnerabilities = append(resp.Vulnerabilities, vs...)
|
||||||
if len(v.FixedIn) > 0 {
|
resp.Packages = append(resp.Packages, pkgs...)
|
||||||
resp.Vulnerabilities = append(resp.Vulnerabilities, v)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set the flag if we found anything.
|
// Set the flag if we found anything.
|
||||||
@ -152,7 +149,7 @@ func (f *RHELFetcher) FetchUpdate() (resp updater.FetcherResponse, err error) {
|
|||||||
return resp, nil
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseRHSA(ovalReader io.Reader) (vulnerabilities []updater.FetcherVulnerability, err error) {
|
func parseRHSA(ovalReader io.Reader) (vulnerabilities []*database.Vulnerability, packages []*database.Package, err error) {
|
||||||
// Decode the XML.
|
// Decode the XML.
|
||||||
var ov oval
|
var ov oval
|
||||||
err = xml.NewDecoder(ovalReader).Decode(&ov)
|
err = xml.NewDecoder(ovalReader).Decode(&ov)
|
||||||
@ -163,18 +160,21 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []updater.FetcherVulnerabi
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Iterate over the definitions and collect any vulnerabilities that affect
|
// Iterate over the definitions and collect any vulnerabilities that affect
|
||||||
// more than one package.
|
// at least one package.
|
||||||
for _, definition := range ov.Definitions {
|
for _, definition := range ov.Definitions {
|
||||||
packages := toPackages(definition.Criteria)
|
pkgs := toPackages(definition.Criteria)
|
||||||
if len(packages) > 0 {
|
if len(pkgs) > 0 {
|
||||||
vuln := updater.FetcherVulnerability{
|
vulnerability := &database.Vulnerability{
|
||||||
ID: name(definition),
|
ID: name(definition),
|
||||||
Link: link(definition),
|
Link: link(definition),
|
||||||
Priority: priority(definition),
|
Priority: priority(definition),
|
||||||
Description: description(definition),
|
Description: description(definition),
|
||||||
FixedIn: packages,
|
|
||||||
}
|
}
|
||||||
vulnerabilities = append(vulnerabilities, vuln)
|
for _, p := range pkgs {
|
||||||
|
vulnerability.FixedInNodes = append(vulnerability.FixedInNodes, p.GetNode())
|
||||||
|
}
|
||||||
|
vulnerabilities = append(vulnerabilities, vulnerability)
|
||||||
|
packages = append(packages, pkgs...)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -31,52 +31,62 @@ func TestRHELParser(t *testing.T) {
|
|||||||
|
|
||||||
// Test parsing testdata/fetcher_rhel_test.1.xml
|
// Test parsing testdata/fetcher_rhel_test.1.xml
|
||||||
testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.1.xml")
|
testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.1.xml")
|
||||||
vulnerabilities, err := parseRHSA(testFile)
|
vulnerabilities, packages, err := parseRHSA(testFile)
|
||||||
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
|
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
|
||||||
assert.Equal(t, "RHSA-2015:1193", vulnerabilities[0].ID)
|
assert.Equal(t, "RHSA-2015:1193", vulnerabilities[0].ID)
|
||||||
assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1193.html", vulnerabilities[0].Link)
|
assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1193.html", vulnerabilities[0].Link)
|
||||||
assert.Equal(t, types.Medium, vulnerabilities[0].Priority)
|
assert.Equal(t, types.Medium, vulnerabilities[0].Priority)
|
||||||
assert.Equal(t, `Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.`, vulnerabilities[0].Description)
|
assert.Equal(t, `Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.`, vulnerabilities[0].Description)
|
||||||
|
|
||||||
if assert.Len(t, vulnerabilities[0].FixedIn, 3) {
|
expectedPackages := []*database.Package{
|
||||||
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "centos:7",
|
OS: "centos:7",
|
||||||
Name: "xerces-c",
|
Name: "xerces-c",
|
||||||
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
|
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
|
||||||
})
|
},
|
||||||
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "centos:7",
|
OS: "centos:7",
|
||||||
Name: "xerces-c-devel",
|
Name: "xerces-c-devel",
|
||||||
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
|
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
|
||||||
})
|
},
|
||||||
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "centos:7",
|
OS: "centos:7",
|
||||||
Name: "xerces-c-doc",
|
Name: "xerces-c-doc",
|
||||||
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
|
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
|
||||||
})
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for _, expectedPackage := range expectedPackages {
|
||||||
|
assert.Contains(t, packages, expectedPackage)
|
||||||
|
assert.Contains(t, vulnerabilities[0].FixedInNodes, expectedPackage.GetNode())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Test parsing testdata/fetcher_rhel_test.2.xml
|
// Test parsing testdata/fetcher_rhel_test.2.xml
|
||||||
testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml")
|
testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml")
|
||||||
vulnerabilities, err = parseRHSA(testFile)
|
vulnerabilities, packages, err = parseRHSA(testFile)
|
||||||
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
|
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
|
||||||
assert.Equal(t, "RHSA-2015:1207", vulnerabilities[0].ID)
|
assert.Equal(t, "RHSA-2015:1207", vulnerabilities[0].ID)
|
||||||
assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1207.html", vulnerabilities[0].Link)
|
assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1207.html", vulnerabilities[0].Link)
|
||||||
assert.Equal(t, types.Critical, vulnerabilities[0].Priority)
|
assert.Equal(t, types.Critical, vulnerabilities[0].Priority)
|
||||||
assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description)
|
assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description)
|
||||||
|
|
||||||
if assert.Len(t, vulnerabilities[0].FixedIn, 2) {
|
expectedPackages := []*database.Package{
|
||||||
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "centos:6",
|
OS: "centos:6",
|
||||||
Name: "firefox",
|
Name: "firefox",
|
||||||
Version: types.NewVersionUnsafe("38.1.0-1.el6_6"),
|
Version: types.NewVersionUnsafe("38.1.0-1.el6_6"),
|
||||||
})
|
},
|
||||||
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "centos:7",
|
OS: "centos:7",
|
||||||
Name: "firefox",
|
Name: "firefox",
|
||||||
Version: types.NewVersionUnsafe("38.1.0-1.el7_1"),
|
Version: types.NewVersionUnsafe("38.1.0-1.el7_1"),
|
||||||
})
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for _, expectedPackage := range expectedPackages {
|
||||||
|
assert.Contains(t, packages, expectedPackage)
|
||||||
|
assert.Contains(t, vulnerabilities[0].FixedInNodes, expectedPackage.GetNode())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -133,13 +133,14 @@ func (fetcher *UbuntuFetcher) FetchUpdate() (resp updater.FetcherResponse, err e
|
|||||||
}
|
}
|
||||||
defer file.Close()
|
defer file.Close()
|
||||||
|
|
||||||
v, unknownReleases, err := parseUbuntuCVE(file)
|
v, pkgs, unknownReleases, err := parseUbuntuCVE(file)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return resp, err
|
return resp, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(v.FixedIn) > 0 {
|
if len(v.FixedInNodes) > 0 {
|
||||||
resp.Vulnerabilities = append(resp.Vulnerabilities, v)
|
resp.Vulnerabilities = append(resp.Vulnerabilities, v)
|
||||||
|
resp.Packages = append(resp.Packages, pkgs...)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Log any unknown releases.
|
// Log any unknown releases.
|
||||||
@ -255,7 +256,8 @@ func getRevisionNumber(pathToRepo string) (int, error) {
|
|||||||
return revno, nil
|
return revno, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func parseUbuntuCVE(fileContent io.Reader) (vulnerability updater.FetcherVulnerability, unknownReleases map[string]struct{}, err error) {
|
func parseUbuntuCVE(fileContent io.Reader) (vulnerability *database.Vulnerability, packages []*database.Package, unknownReleases map[string]struct{}, err error) {
|
||||||
|
vulnerability = &database.Vulnerability{}
|
||||||
unknownReleases = make(map[string]struct{})
|
unknownReleases = make(map[string]struct{})
|
||||||
readingDescription := false
|
readingDescription := false
|
||||||
scanner := bufio.NewScanner(fileContent)
|
scanner := bufio.NewScanner(fileContent)
|
||||||
@ -351,7 +353,13 @@ func parseUbuntuCVE(fileContent io.Reader) (vulnerability updater.FetcherVulnera
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Create and add the new package.
|
// Create and add the new package.
|
||||||
vulnerability.FixedIn = append(vulnerability.FixedIn, &database.Package{OS: "ubuntu:" + database.UbuntuReleasesMapping[md["release"]], Name: md["package"], Version: version})
|
pkg := &database.Package{
|
||||||
|
OS: "ubuntu:" + database.UbuntuReleasesMapping[md["release"]],
|
||||||
|
Name: md["package"],
|
||||||
|
Version: version,
|
||||||
|
}
|
||||||
|
packages = append(packages, pkg)
|
||||||
|
vulnerability.FixedInNodes = append(vulnerability.FixedInNodes, pkg.GetNode())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -32,7 +32,7 @@ func TestUbuntuParser(t *testing.T) {
|
|||||||
// Test parsing testdata/fetcher_
|
// Test parsing testdata/fetcher_
|
||||||
testData, _ := os.Open(path + "/testdata/fetcher_ubuntu_test.txt")
|
testData, _ := os.Open(path + "/testdata/fetcher_ubuntu_test.txt")
|
||||||
defer testData.Close()
|
defer testData.Close()
|
||||||
vulnerability, unknownReleases, err := parseUbuntuCVE(testData)
|
vulnerability, packages, unknownReleases, err := parseUbuntuCVE(testData)
|
||||||
if assert.Nil(t, err) {
|
if assert.Nil(t, err) {
|
||||||
assert.Equal(t, "CVE-2015-4471", vulnerability.ID)
|
assert.Equal(t, "CVE-2015-4471", vulnerability.ID)
|
||||||
assert.Equal(t, types.Medium, vulnerability.Priority)
|
assert.Equal(t, types.Medium, vulnerability.Priority)
|
||||||
@ -42,22 +42,27 @@ func TestUbuntuParser(t *testing.T) {
|
|||||||
_, hasUnkownRelease := unknownReleases["unknown"]
|
_, hasUnkownRelease := unknownReleases["unknown"]
|
||||||
assert.True(t, hasUnkownRelease)
|
assert.True(t, hasUnkownRelease)
|
||||||
|
|
||||||
if assert.Len(t, vulnerability.FixedIn, 3) {
|
expectedPackages := []*database.Package{
|
||||||
assert.Contains(t, vulnerability.FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "ubuntu:14.04",
|
OS: "ubuntu:14.04",
|
||||||
Name: "libmspack",
|
Name: "libmspack",
|
||||||
Version: types.MaxVersion,
|
Version: types.MaxVersion,
|
||||||
})
|
},
|
||||||
assert.Contains(t, vulnerability.FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "ubuntu:15.04",
|
OS: "ubuntu:15.04",
|
||||||
Name: "libmspack",
|
Name: "libmspack",
|
||||||
Version: types.NewVersionUnsafe("0.4-3"),
|
Version: types.NewVersionUnsafe("0.4-3"),
|
||||||
})
|
},
|
||||||
assert.Contains(t, vulnerability.FixedIn, &database.Package{
|
&database.Package{
|
||||||
OS: "ubuntu:15.10",
|
OS: "ubuntu:15.10",
|
||||||
Name: "libmspack-anotherpkg",
|
Name: "libmspack-anotherpkg",
|
||||||
Version: types.NewVersionUnsafe("0.1"),
|
Version: types.NewVersionUnsafe("0.1"),
|
||||||
})
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, expectedPackage := range expectedPackages {
|
||||||
|
assert.Contains(t, packages, expectedPackage)
|
||||||
|
assert.Contains(t, vulnerability.FixedInNodes, expectedPackage.GetNode())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -17,6 +17,8 @@
|
|||||||
package updater
|
package updater
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"fmt"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"strconv"
|
"strconv"
|
||||||
"time"
|
"time"
|
||||||
@ -30,23 +32,12 @@ import (
|
|||||||
|
|
||||||
const (
|
const (
|
||||||
flagName = "updater"
|
flagName = "updater"
|
||||||
|
notesFlagName = "updater/notes"
|
||||||
refreshLockDuration = time.Minute * 8
|
refreshLockDuration = time.Minute * 8
|
||||||
lockDuration = refreshLockDuration + time.Minute*2
|
lockDuration = refreshLockDuration + time.Minute*2
|
||||||
|
|
||||||
// healthMaxConsecutiveLocalFailures defines the number of times the updater
|
|
||||||
// can fail before we should tag it as unhealthy
|
|
||||||
healthMaxConsecutiveLocalFailures = 5
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var log = capnslog.NewPackageLogger("github.com/coreos/clair", "updater")
|
||||||
log = capnslog.NewPackageLogger("github.com/coreos/clair", "updater")
|
|
||||||
|
|
||||||
healthLatestSuccessfulUpdate time.Time
|
|
||||||
healthLockOwner string
|
|
||||||
healthIdentifier string
|
|
||||||
healthConsecutiveLocalFailures int
|
|
||||||
healthNotes []string
|
|
||||||
)
|
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
health.RegisterHealthchecker("updater", Healthcheck)
|
health.RegisterHealthchecker("updater", Healthcheck)
|
||||||
@ -63,19 +54,17 @@ func Run(interval time.Duration, st *utils.Stopper) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
whoAmI := uuid.New()
|
whoAmI := uuid.New()
|
||||||
healthIdentifier = whoAmI
|
|
||||||
log.Infof("updater service started. lock identifier: %s", whoAmI)
|
log.Infof("updater service started. lock identifier: %s", whoAmI)
|
||||||
|
|
||||||
for {
|
for {
|
||||||
// Set the next update time to (last update time + interval) or now if there
|
// Set the next update time to (last update time + interval) or now if there
|
||||||
// is no last update time stored in database (first update) or if an error
|
// is no last update time stored in database (first update) or if an error
|
||||||
// occurs
|
// occurs
|
||||||
nextUpdate := time.Now().UTC()
|
var nextUpdate time.Time
|
||||||
if lastUpdateTSS, err := database.GetFlagValue(flagName); err == nil && lastUpdateTSS != "" {
|
if lastUpdate := getLastUpdate(); !lastUpdate.IsZero() {
|
||||||
if lastUpdateTS, err := strconv.ParseInt(lastUpdateTSS, 10, 64); err == nil {
|
nextUpdate = lastUpdate.Add(interval)
|
||||||
healthLatestSuccessfulUpdate = time.Unix(lastUpdateTS, 0)
|
} else {
|
||||||
nextUpdate = time.Unix(lastUpdateTS, 0).Add(interval)
|
nextUpdate = time.Now().UTC()
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// If the next update timer is in the past, then try to update.
|
// If the next update timer is in the past, then try to update.
|
||||||
@ -84,8 +73,6 @@ func Run(interval time.Duration, st *utils.Stopper) {
|
|||||||
log.Debug("attempting to obtain update lock")
|
log.Debug("attempting to obtain update lock")
|
||||||
hasLock, hasLockUntil := database.Lock(flagName, lockDuration, whoAmI)
|
hasLock, hasLockUntil := database.Lock(flagName, lockDuration, whoAmI)
|
||||||
if hasLock {
|
if hasLock {
|
||||||
healthLockOwner = healthIdentifier
|
|
||||||
|
|
||||||
// Launch update in a new go routine.
|
// Launch update in a new go routine.
|
||||||
doneC := make(chan bool, 1)
|
doneC := make(chan bool, 1)
|
||||||
go func() {
|
go func() {
|
||||||
@ -105,6 +92,8 @@ func Run(interval time.Duration, st *utils.Stopper) {
|
|||||||
|
|
||||||
// Unlock the update.
|
// Unlock the update.
|
||||||
database.Unlock(flagName, whoAmI)
|
database.Unlock(flagName, whoAmI)
|
||||||
|
|
||||||
|
continue
|
||||||
} else {
|
} else {
|
||||||
lockOwner, lockExpiration, err := database.LockInfo(flagName)
|
lockOwner, lockExpiration, err := database.LockInfo(flagName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -113,7 +102,6 @@ func Run(interval time.Duration, st *utils.Stopper) {
|
|||||||
} else {
|
} else {
|
||||||
log.Debugf("update lock is already taken by %s until %v", lockOwner, lockExpiration)
|
log.Debugf("update lock is already taken by %s until %v", lockOwner, lockExpiration)
|
||||||
nextUpdate = lockExpiration
|
nextUpdate = lockExpiration
|
||||||
healthLockOwner = lockOwner
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -137,8 +125,62 @@ func Run(interval time.Duration, st *utils.Stopper) {
|
|||||||
func Update() {
|
func Update() {
|
||||||
log.Info("updating vulnerabilities")
|
log.Info("updating vulnerabilities")
|
||||||
|
|
||||||
|
// Fetch updates.
|
||||||
|
status, responses := fetch()
|
||||||
|
|
||||||
|
// Merge responses.
|
||||||
|
vulnerabilities, packages, flags, notes, err := mergeAndVerify(responses)
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("an error occured when merging update responses: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
responses = nil
|
||||||
|
|
||||||
|
// TODO(Quentin-M): Complete informations using NVD
|
||||||
|
|
||||||
|
// Insert packages.
|
||||||
|
log.Tracef("beginning insertion of %d packages for update", len(packages))
|
||||||
|
err = database.InsertPackages(packages)
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("an error occured when inserting packages for update: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
packages = nil
|
||||||
|
|
||||||
|
// Insert vulnerabilities.
|
||||||
|
log.Tracef("beginning insertion of %d vulnerabilities for update", len(vulnerabilities))
|
||||||
|
notifications, err := database.InsertVulnerabilities(vulnerabilities)
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("an error occured when inserting vulnerabilities for update: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
vulnerabilities = nil
|
||||||
|
|
||||||
|
// Insert notifications into the database.
|
||||||
|
err = database.InsertNotifications(notifications, database.GetDefaultNotificationWrapper())
|
||||||
|
if err != nil {
|
||||||
|
log.Errorf("an error occured when inserting notifications for update: %s", err)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
notifications = nil
|
||||||
|
|
||||||
|
// Update flags and notes.
|
||||||
|
for flagName, flagValue := range flags {
|
||||||
|
database.UpdateFlag(flagName, flagValue)
|
||||||
|
}
|
||||||
|
database.UpdateFlag(notesFlagName, notes)
|
||||||
|
|
||||||
|
// Update last successful update if every fetchers worked properly.
|
||||||
|
if status {
|
||||||
|
database.UpdateFlag(flagName, strconv.FormatInt(time.Now().UTC().Unix(), 10))
|
||||||
|
}
|
||||||
|
log.Info("update finished")
|
||||||
|
}
|
||||||
|
|
||||||
|
// fetch get data from the registered fetchers, in parallel.
|
||||||
|
func fetch() (status bool, responses []*FetcherResponse) {
|
||||||
// Fetch updates in parallel.
|
// Fetch updates in parallel.
|
||||||
var status = true
|
status = true
|
||||||
var responseC = make(chan *FetcherResponse, 0)
|
var responseC = make(chan *FetcherResponse, 0)
|
||||||
for n, f := range fetchers {
|
for n, f := range fetchers {
|
||||||
go func(name string, fetcher Fetcher) {
|
go func(name string, fetcher Fetcher) {
|
||||||
@ -155,129 +197,122 @@ func Update() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Collect results of updates.
|
// Collect results of updates.
|
||||||
var responses []*FetcherResponse
|
for i := 0; i < len(fetchers); i++ {
|
||||||
var notes []string
|
resp := <-responseC
|
||||||
for i := 0; i < len(fetchers); {
|
if resp != nil {
|
||||||
select {
|
responses = append(responses, resp)
|
||||||
case resp := <-responseC:
|
|
||||||
if resp != nil {
|
|
||||||
responses = append(responses, resp)
|
|
||||||
notes = append(notes, resp.Notes...)
|
|
||||||
}
|
|
||||||
i++
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
close(responseC)
|
close(responseC)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// TODO(Quentin-M): Merge responses together
|
// merge put all the responses together (vulnerabilities, packages, flags, notes), ensure the
|
||||||
// TODO(Quentin-M): Complete informations using NVD
|
// uniqueness of vulnerabilities and packages and verify that every vulnerability's fixedInNodes
|
||||||
|
// have their corresponding package definition.
|
||||||
|
func mergeAndVerify(responses []*FetcherResponse) (svulnerabilities []*database.Vulnerability, spackages []*database.Package, flags map[string]string, snotes string, err error) {
|
||||||
|
vulnerabilities := make(map[string]*database.Vulnerability)
|
||||||
|
packages := make(map[string]*database.Package)
|
||||||
|
flags = make(map[string]string)
|
||||||
|
var notes []string
|
||||||
|
|
||||||
// Store flags out of the response struct.
|
// Merge responses.
|
||||||
flags := make(map[string]string)
|
|
||||||
for _, response := range responses {
|
for _, response := range responses {
|
||||||
|
// Notes
|
||||||
|
notes = append(notes, response.Notes...)
|
||||||
|
// Flags
|
||||||
if response.FlagName != "" && response.FlagValue != "" {
|
if response.FlagName != "" && response.FlagValue != "" {
|
||||||
flags[response.FlagName] = response.FlagValue
|
flags[response.FlagName] = response.FlagValue
|
||||||
}
|
}
|
||||||
}
|
// Packages
|
||||||
|
for _, p := range response.Packages {
|
||||||
// Update health notes.
|
node := p.GetNode()
|
||||||
healthNotes = notes
|
if _, ok := packages[node]; !ok {
|
||||||
|
packages[node] = p
|
||||||
// Build list of packages.
|
}
|
||||||
var packages []*database.Package
|
}
|
||||||
for _, response := range responses {
|
// Vulnerabilities
|
||||||
for _, v := range response.Vulnerabilities {
|
for _, v := range response.Vulnerabilities {
|
||||||
packages = append(packages, v.FixedIn...)
|
if vulnerability, ok := vulnerabilities[v.ID]; !ok {
|
||||||
}
|
vulnerabilities[v.ID] = v
|
||||||
}
|
} else {
|
||||||
|
mergeVulnerability(vulnerability, v)
|
||||||
// Insert packages into the database.
|
|
||||||
log.Tracef("beginning insertion of %d packages for update", len(packages))
|
|
||||||
t := time.Now()
|
|
||||||
err := database.InsertPackages(packages)
|
|
||||||
log.Tracef("inserting %d packages took %v", len(packages), time.Since(t))
|
|
||||||
if err != nil {
|
|
||||||
log.Errorf("an error occured when inserting packages for update: %s", err)
|
|
||||||
updateHealth(false)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
packages = nil
|
|
||||||
|
|
||||||
// Build a list of vulnerabilties.
|
|
||||||
var vulnerabilities []*database.Vulnerability
|
|
||||||
for _, response := range responses {
|
|
||||||
for _, v := range response.Vulnerabilities {
|
|
||||||
var packageNodes []string
|
|
||||||
for _, pkg := range v.FixedIn {
|
|
||||||
packageNodes = append(packageNodes, pkg.Node)
|
|
||||||
}
|
}
|
||||||
vulnerabilities = append(vulnerabilities, &database.Vulnerability{ID: v.ID, Link: v.Link, Priority: v.Priority, Description: v.Description, FixedInNodes: packageNodes})
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
responses = nil
|
|
||||||
|
|
||||||
// Insert vulnerabilities into the database.
|
// Verify that the packages used in the vulnerabilities are specified.
|
||||||
log.Tracef("beginning insertion of %d vulnerabilities for update", len(vulnerabilities))
|
for _, v := range vulnerabilities {
|
||||||
t = time.Now()
|
for _, node := range v.FixedInNodes {
|
||||||
notifications, err := database.InsertVulnerabilities(vulnerabilities)
|
if _, ok := packages[node]; !ok {
|
||||||
log.Tracef("inserting %d vulnerabilities took %v", len(vulnerabilities), time.Since(t))
|
err = fmt.Errorf("vulnerability %s is fixed by an unspecified package", v.ID)
|
||||||
if err != nil {
|
return
|
||||||
log.Errorf("an error occured when inserting vulnerabilities for update: %s", err)
|
}
|
||||||
updateHealth(false)
|
}
|
||||||
return
|
|
||||||
}
|
|
||||||
vulnerabilities = nil
|
|
||||||
|
|
||||||
// Insert notifications into the database.
|
|
||||||
err = database.InsertNotifications(notifications, database.GetDefaultNotificationWrapper())
|
|
||||||
if err != nil {
|
|
||||||
log.Errorf("an error occured when inserting notifications for update: %s", err)
|
|
||||||
updateHealth(false)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
notifications = nil
|
|
||||||
|
|
||||||
// Update flags in the database.
|
|
||||||
for flagName, flagValue := range flags {
|
|
||||||
database.UpdateFlag(flagName, flagValue)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update health depending on the status of the fetchers.
|
// Convert data and return
|
||||||
updateHealth(status)
|
for _, v := range vulnerabilities {
|
||||||
if status {
|
svulnerabilities = append(svulnerabilities, v)
|
||||||
now := time.Now().UTC()
|
|
||||||
database.UpdateFlag(flagName, strconv.FormatInt(now.Unix(), 10))
|
|
||||||
healthLatestSuccessfulUpdate = now
|
|
||||||
}
|
}
|
||||||
log.Info("update finished")
|
for _, p := range packages {
|
||||||
|
spackages = append(spackages, p)
|
||||||
|
}
|
||||||
|
|
||||||
|
bnotes, _ := json.Marshal(notes)
|
||||||
|
snotes = string(bnotes)
|
||||||
|
|
||||||
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
func updateHealth(s bool) {
|
// mergeVulnerability updates the target vulnerability structure using the specified one.
|
||||||
if s == false {
|
func mergeVulnerability(target, source *database.Vulnerability) {
|
||||||
healthConsecutiveLocalFailures++
|
if source.Link != "" {
|
||||||
} else {
|
target.Link = source.Link
|
||||||
healthConsecutiveLocalFailures = 0
|
}
|
||||||
|
if source.Description != "" {
|
||||||
|
target.Description = source.Description
|
||||||
|
}
|
||||||
|
if source.Priority.Compare(target.Priority) > 0 {
|
||||||
|
target.Priority = source.Priority
|
||||||
|
}
|
||||||
|
for _, node := range source.FixedInNodes {
|
||||||
|
if !utils.Contains(node, target.FixedInNodes) {
|
||||||
|
target.FixedInNodes = append(target.FixedInNodes, node)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Healthcheck returns the health of the updater service.
|
// Healthcheck returns the health of the updater service.
|
||||||
func Healthcheck() health.Status {
|
func Healthcheck() health.Status {
|
||||||
|
notes := getNotes()
|
||||||
|
|
||||||
return health.Status{
|
return health.Status{
|
||||||
IsEssential: false,
|
IsEssential: false,
|
||||||
IsHealthy: healthConsecutiveLocalFailures < healthMaxConsecutiveLocalFailures,
|
IsHealthy: len(notes) == 0,
|
||||||
Details: struct {
|
Details: struct {
|
||||||
HealthIdentifier string
|
LatestSuccessfulUpdate time.Time
|
||||||
HealthLockOwner string
|
Notes []string `json:",omitempty"`
|
||||||
LatestSuccessfulUpdate time.Time
|
|
||||||
ConsecutiveLocalFailures int
|
|
||||||
Notes []string `json:",omitempty"`
|
|
||||||
}{
|
}{
|
||||||
HealthIdentifier: healthIdentifier,
|
LatestSuccessfulUpdate: getLastUpdate(),
|
||||||
HealthLockOwner: healthLockOwner,
|
Notes: notes,
|
||||||
LatestSuccessfulUpdate: healthLatestSuccessfulUpdate,
|
|
||||||
ConsecutiveLocalFailures: healthConsecutiveLocalFailures,
|
|
||||||
Notes: healthNotes,
|
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func getLastUpdate() time.Time {
|
||||||
|
if lastUpdateTSS, err := database.GetFlagValue(flagName); err == nil && lastUpdateTSS != "" {
|
||||||
|
if lastUpdateTS, err := strconv.ParseInt(lastUpdateTSS, 10, 64); err == nil {
|
||||||
|
return time.Unix(lastUpdateTS, 0).UTC()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return time.Time{}
|
||||||
|
}
|
||||||
|
|
||||||
|
func getNotes() (notes []string) {
|
||||||
|
if jsonNotes, err := database.GetFlagValue(notesFlagName); err == nil && jsonNotes != "" {
|
||||||
|
json.Unmarshal([]byte(jsonNotes), notes)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user