arno/clair
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updater: Refactor and merge fetcher responses

Browse Source 
Fixes #17 and lays the groundwork for #19.
This commit is contained in:
Quentin Machu 2015-12-01 14:58:17 -05:00
parent 867279a5c9
commit a7b683d4ba
8 changed files with 257 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
updater/fetchers.go
View File

@ -14,10 +14,7 @@
package updater package updater
import ( import "github.com/coreos/clair/database"
"github.com/coreos/clair/database"
"github.com/coreos/clair/utils/types"
)
var fetchers = make(map[string]Fetcher) var fetchers = make(map[string]Fetcher)
@ -31,17 +28,8 @@ type FetcherResponse struct {
FlagName string FlagName string
FlagValue string FlagValue string
Notes []string Notes []string
Vulnerabilities []FetcherVulnerability Vulnerabilities []*database.Vulnerability
} Packages []*database.Package
// FetcherVulnerability represents an individual vulnerability processed from
// an update.
type FetcherVulnerability struct {
ID string
Link string
Description string
Priority types.Priority
FixedIn []*database.Package
} }
// RegisterFetcher makes a Fetcher available by the provided name. // RegisterFetcher makes a Fetcher available by the provided name.

28
updater/fetchers/debian.go
View File

@ -24,8 +24,8 @@ import (
"strings" "strings"
"github.com/coreos/clair/database" "github.com/coreos/clair/database"
cerrors "github.com/coreos/clair/utils/errors"
"github.com/coreos/clair/updater" "github.com/coreos/clair/updater"
cerrors "github.com/coreos/clair/utils/errors"
"github.com/coreos/clair/utils/types" "github.com/coreos/clair/utils/types"
) )
@ -114,7 +114,8 @@ func buildResponse(jsonReader io.Reader, latestKnownHash string) (resp updater.F
} }
// Extract vulnerability data from Debian's JSON schema. // Extract vulnerability data from Debian's JSON schema.
vulnerabilities, unknownReleases := parseDebianJSON(&data) var unknownReleases map[string]struct{}
resp.Vulnerabilities, resp.Packages, unknownReleases = parseDebianJSON(&data)
// Log unknown releases // Log unknown releases
for k := range unknownReleases { for k := range unknownReleases {
@ -123,16 +124,11 @@ func buildResponse(jsonReader io.Reader, latestKnownHash string) (resp updater.F
log.Warning(note) log.Warning(note)
} }
// Convert the vulnerabilities map to a slice in the response
for _, v := range vulnerabilities {
resp.Vulnerabilities = append(resp.Vulnerabilities, v)
}
return resp, nil return resp, nil
} }
func parseDebianJSON(data *jsonData) (vulnerabilities map[string]updater.FetcherVulnerability, unknownReleases map[string]struct{}) { func parseDebianJSON(data *jsonData) (vulnerabilities []*database.Vulnerability, packages []*database.Package, unknownReleases map[string]struct{}) {
vulnerabilities = make(map[string]updater.FetcherVulnerability) mvulnerabilities := make(map[string]*database.Vulnerability)
unknownReleases = make(map[string]struct{}) unknownReleases = make(map[string]struct{})
for pkgName, pkgNode := range *data { for pkgName, pkgNode := range *data {
@ -150,9 +146,9 @@ func parseDebianJSON(data *jsonData) (vulnerabilities map[string]updater.Fetcher
} }
// Get or create the vulnerability. // Get or create the vulnerability.
vulnerability, vulnerabilityAlreadyExists := vulnerabilities[vulnName] vulnerability, vulnerabilityAlreadyExists := mvulnerabilities[vulnName]
if !vulnerabilityAlreadyExists { if !vulnerabilityAlreadyExists {
vulnerability = updater.FetcherVulnerability{ vulnerability = &database.Vulnerability{
ID: vulnName, ID: vulnName,
Link: strings.Join([]string{cveURLPrefix, "/", vulnName}, ""), Link: strings.Join([]string{cveURLPrefix, "/", vulnName}, ""),
Priority: types.Unknown, Priority: types.Unknown,
@ -191,14 +187,20 @@ func parseDebianJSON(data *jsonData) (vulnerabilities map[string]updater.Fetcher
Name: pkgName, Name: pkgName,
Version: version, Version: version,
} }
vulnerability.FixedIn = append(vulnerability.FixedIn, pkg) vulnerability.FixedInNodes = append(vulnerability.FixedInNodes, pkg.GetNode())
packages = append(packages, pkg)
// Store the vulnerability. // Store the vulnerability.
vulnerabilities[vulnName] = vulnerability mvulnerabilities[vulnName] = vulnerability
} }
} }
} }
// Convert the vulnerabilities map to a slice
for _, v := range mvulnerabilities {
vulnerabilities = append(vulnerabilities, v)
}
return return
} }

34
updater/fetchers/debian_test.go
View File

@ -38,39 +38,49 @@ func TestDebianParser(t *testing.T) {
assert.Equal(t, types.Low, vulnerability.Priority) assert.Equal(t, types.Low, vulnerability.Priority)
assert.Equal(t, "This vulnerability is not very dangerous.", vulnerability.Description) assert.Equal(t, "This vulnerability is not very dangerous.", vulnerability.Description)
if assert.Len(t, vulnerability.FixedIn, 2) { expectedPackages := []*database.Package{
assert.Contains(t, vulnerability.FixedIn, &database.Package{ &database.Package{
OS: "debian:8", OS: "debian:8",
Name: "aptdaemon", Name: "aptdaemon",
Version: types.MaxVersion, Version: types.MaxVersion,
}) },
assert.Contains(t, vulnerability.FixedIn, &database.Package{ &database.Package{
OS: "debian:unstable", OS: "debian:unstable",
Name: "aptdaemon", Name: "aptdaemon",
Version: types.NewVersionUnsafe("1.1.1+bzr982-1"), Version: types.NewVersionUnsafe("1.1.1+bzr982-1"),
}) },
}
for _, expectedPackage := range expectedPackages {
assert.Contains(t, response.Packages, expectedPackage)
assert.Contains(t, vulnerability.FixedInNodes, expectedPackage.GetNode())
} }
} else if vulnerability.ID == "CVE-2003-0779" { } else if vulnerability.ID == "CVE-2003-0779" {
assert.Equal(t, "https://security-tracker.debian.org/tracker/CVE-2003-0779", vulnerability.Link) assert.Equal(t, "https://security-tracker.debian.org/tracker/CVE-2003-0779", vulnerability.Link)
assert.Equal(t, types.High, vulnerability.Priority) assert.Equal(t, types.High, vulnerability.Priority)
assert.Equal(t, "But this one is very dangerous.", vulnerability.Description) assert.Equal(t, "But this one is very dangerous.", vulnerability.Description)
if assert.Len(t, vulnerability.FixedIn, 3) { expectedPackages := []*database.Package{
assert.Contains(t, vulnerability.FixedIn, &database.Package{ &database.Package{
OS: "debian:8", OS: "debian:8",
Name: "aptdaemon", Name: "aptdaemon",
Version: types.NewVersionUnsafe("0.7.0"), Version: types.NewVersionUnsafe("0.7.0"),
}) },
assert.Contains(t, vulnerability.FixedIn, &database.Package{ &database.Package{
OS: "debian:unstable", OS: "debian:unstable",
Name: "aptdaemon", Name: "aptdaemon",
Version: types.NewVersionUnsafe("0.7.0"), Version: types.NewVersionUnsafe("0.7.0"),
}) },
assert.Contains(t, vulnerability.FixedIn, &database.Package{ &database.Package{
OS: "debian:8", OS: "debian:8",
Name: "asterisk", Name: "asterisk",
Version: types.NewVersionUnsafe("0.5.56"), Version: types.NewVersionUnsafe("0.5.56"),
}) },
}
for _, expectedPackage := range expectedPackages {
assert.Contains(t, response.Packages, expectedPackage)
assert.Contains(t, vulnerability.FixedInNodes, expectedPackage.GetNode())
} }
} else { } else {
assert.Fail(t, "Wrong vulnerability name: ", vulnerability.ID) assert.Fail(t, "Wrong vulnerability name: ", vulnerability.ID)

28
updater/fetchers/rhel.go
View File

@ -24,8 +24,8 @@ import (
"strings" "strings"
"github.com/coreos/clair/database" "github.com/coreos/clair/database"
cerrors "github.com/coreos/clair/utils/errors"
"github.com/coreos/clair/updater" "github.com/coreos/clair/updater"
cerrors "github.com/coreos/clair/utils/errors"
"github.com/coreos/clair/utils/types" "github.com/coreos/clair/utils/types"
) )
@ -128,17 +128,14 @@ func (f *RHELFetcher) FetchUpdate() (resp updater.FetcherResponse, err error) {
} }
// Parse the XML. // Parse the XML.
vs, err := parseRHSA(r.Body) vs, pkgs, err := parseRHSA(r.Body)
if err != nil { if err != nil {
return resp, err return resp, err
} }
// Collect vulnerabilities. // Collect vulnerabilities.
for _, v := range vs { resp.Vulnerabilities = append(resp.Vulnerabilities, vs...)
if len(v.FixedIn) > 0 { resp.Packages = append(resp.Packages, pkgs...)
resp.Vulnerabilities = append(resp.Vulnerabilities, v)
}
}
} }
// Set the flag if we found anything. // Set the flag if we found anything.
@ -152,7 +149,7 @@ func (f *RHELFetcher) FetchUpdate() (resp updater.FetcherResponse, err error) {
return resp, nil return resp, nil
} }
func parseRHSA(ovalReader io.Reader) (vulnerabilities []updater.FetcherVulnerability, err error) { func parseRHSA(ovalReader io.Reader) (vulnerabilities []*database.Vulnerability, packages []*database.Package, err error) {
// Decode the XML. // Decode the XML.
var ov oval var ov oval
err = xml.NewDecoder(ovalReader).Decode(&ov) err = xml.NewDecoder(ovalReader).Decode(&ov)
@ -163,18 +160,21 @@ func parseRHSA(ovalReader io.Reader) (vulnerabilities []updater.FetcherVulnerabi
} }
// Iterate over the definitions and collect any vulnerabilities that affect // Iterate over the definitions and collect any vulnerabilities that affect
// more than one package. // at least one package.
for _, definition := range ov.Definitions { for _, definition := range ov.Definitions {
packages := toPackages(definition.Criteria) pkgs := toPackages(definition.Criteria)
if len(packages) > 0 { if len(pkgs) > 0 {
vuln := updater.FetcherVulnerability{ vulnerability := &database.Vulnerability{
ID: name(definition), ID: name(definition),
Link: link(definition), Link: link(definition),
Priority: priority(definition), Priority: priority(definition),
Description: description(definition), Description: description(definition),
FixedIn: packages,
} }
vulnerabilities = append(vulnerabilities, vuln) for _, p := range pkgs {
vulnerability.FixedInNodes = append(vulnerability.FixedInNodes, p.GetNode())
}
vulnerabilities = append(vulnerabilities, vulnerability)
packages = append(packages, pkgs...)
} }
} }

38
updater/fetchers/rhel_test.go
View File

@ -31,52 +31,62 @@ func TestRHELParser(t *testing.T) {
// Test parsing testdata/fetcher_rhel_test.1.xml // Test parsing testdata/fetcher_rhel_test.1.xml
testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.1.xml") testFile, _ := os.Open(path + "/testdata/fetcher_rhel_test.1.xml")
vulnerabilities, err := parseRHSA(testFile) vulnerabilities, packages, err := parseRHSA(testFile)
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) { if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
assert.Equal(t, "RHSA-2015:1193", vulnerabilities[0].ID) assert.Equal(t, "RHSA-2015:1193", vulnerabilities[0].ID)
assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1193.html", vulnerabilities[0].Link) assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1193.html", vulnerabilities[0].Link)
assert.Equal(t, types.Medium, vulnerabilities[0].Priority) assert.Equal(t, types.Medium, vulnerabilities[0].Priority)
assert.Equal(t, `Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.`, vulnerabilities[0].Description) assert.Equal(t, `Xerces-C is a validating XML parser written in a portable subset of C++. A flaw was found in the way the Xerces-C XML parser processed certain XML documents. A remote attacker could provide specially crafted XML input that, when parsed by an application using Xerces-C, would cause that application to crash.`, vulnerabilities[0].Description)
if assert.Len(t, vulnerabilities[0].FixedIn, 3) { expectedPackages := []*database.Package{
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{ &database.Package{
OS: "centos:7", OS: "centos:7",
Name: "xerces-c", Name: "xerces-c",
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"), Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
}) },
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{ &database.Package{
OS: "centos:7", OS: "centos:7",
Name: "xerces-c-devel", Name: "xerces-c-devel",
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"), Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
}) },
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{ &database.Package{
OS: "centos:7", OS: "centos:7",
Name: "xerces-c-doc", Name: "xerces-c-doc",
Version: types.NewVersionUnsafe("3.1.1-7.el7_1"), Version: types.NewVersionUnsafe("3.1.1-7.el7_1"),
}) },
} }
for _, expectedPackage := range expectedPackages {
assert.Contains(t, packages, expectedPackage)
assert.Contains(t, vulnerabilities[0].FixedInNodes, expectedPackage.GetNode())
}
} }
// Test parsing testdata/fetcher_rhel_test.2.xml // Test parsing testdata/fetcher_rhel_test.2.xml
testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml") testFile, _ = os.Open(path + "/testdata/fetcher_rhel_test.2.xml")
vulnerabilities, err = parseRHSA(testFile) vulnerabilities, packages, err = parseRHSA(testFile)
if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) { if assert.Nil(t, err) && assert.Len(t, vulnerabilities, 1) {
assert.Equal(t, "RHSA-2015:1207", vulnerabilities[0].ID) assert.Equal(t, "RHSA-2015:1207", vulnerabilities[0].ID)
assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1207.html", vulnerabilities[0].Link) assert.Equal(t, "https://rhn.redhat.com/errata/RHSA-2015-1207.html", vulnerabilities[0].Link)
assert.Equal(t, types.Critical, vulnerabilities[0].Priority) assert.Equal(t, types.Critical, vulnerabilities[0].Priority)
assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description) assert.Equal(t, `Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.`, vulnerabilities[0].Description)
if assert.Len(t, vulnerabilities[0].FixedIn, 2) { expectedPackages := []*database.Package{
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{ &database.Package{
OS: "centos:6", OS: "centos:6",
Name: "firefox", Name: "firefox",
Version: types.NewVersionUnsafe("38.1.0-1.el6_6"), Version: types.NewVersionUnsafe("38.1.0-1.el6_6"),
}) },
assert.Contains(t, vulnerabilities[0].FixedIn, &database.Package{ &database.Package{
OS: "centos:7", OS: "centos:7",
Name: "firefox", Name: "firefox",
Version: types.NewVersionUnsafe("38.1.0-1.el7_1"), Version: types.NewVersionUnsafe("38.1.0-1.el7_1"),
}) },
} }
for _, expectedPackage := range expectedPackages {
assert.Contains(t, packages, expectedPackage)
assert.Contains(t, vulnerabilities[0].FixedInNodes, expectedPackage.GetNode())
}
} }
} }

16
updater/fetchers/ubuntu.go
View File

@ -133,13 +133,14 @@ func (fetcher *UbuntuFetcher) FetchUpdate() (resp updater.FetcherResponse, err e
} }
defer file.Close() defer file.Close()
v, unknownReleases, err := parseUbuntuCVE(file) v, pkgs, unknownReleases, err := parseUbuntuCVE(file)
if err != nil { if err != nil {
return resp, err return resp, err
} }
if len(v.FixedIn) > 0 { if len(v.FixedInNodes) > 0 {
resp.Vulnerabilities = append(resp.Vulnerabilities, v) resp.Vulnerabilities = append(resp.Vulnerabilities, v)
resp.Packages = append(resp.Packages, pkgs...)
} }
// Log any unknown releases. // Log any unknown releases.
@ -255,7 +256,8 @@ func getRevisionNumber(pathToRepo string) (int, error) {
return revno, nil return revno, nil
} }
func parseUbuntuCVE(fileContent io.Reader) (vulnerability updater.FetcherVulnerability, unknownReleases map[string]struct{}, err error) { func parseUbuntuCVE(fileContent io.Reader) (vulnerability *database.Vulnerability, packages []*database.Package, unknownReleases map[string]struct{}, err error) {
vulnerability = &database.Vulnerability{}
unknownReleases = make(map[string]struct{}) unknownReleases = make(map[string]struct{})
readingDescription := false readingDescription := false
scanner := bufio.NewScanner(fileContent) scanner := bufio.NewScanner(fileContent)
@ -351,7 +353,13 @@ func parseUbuntuCVE(fileContent io.Reader) (vulnerability updater.FetcherVulnera
} }
// Create and add the new package. // Create and add the new package.
vulnerability.FixedIn = append(vulnerability.FixedIn, &database.Package{OS: "ubuntu:" + database.UbuntuReleasesMapping[md["release"]], Name: md["package"], Version: version}) pkg := &database.Package{
OS: "ubuntu:" + database.UbuntuReleasesMapping[md["release"]],
Name: md["package"],
Version: version,
}
packages = append(packages, pkg)
vulnerability.FixedInNodes = append(vulnerability.FixedInNodes, pkg.GetNode())
} }
} }
} }

21
updater/fetchers/ubuntu_test.go
View File

@ -32,7 +32,7 @@ func TestUbuntuParser(t *testing.T) {
// Test parsing testdata/fetcher_ // Test parsing testdata/fetcher_
testData, _ := os.Open(path + "/testdata/fetcher_ubuntu_test.txt") testData, _ := os.Open(path + "/testdata/fetcher_ubuntu_test.txt")
defer testData.Close() defer testData.Close()
vulnerability, unknownReleases, err := parseUbuntuCVE(testData) vulnerability, packages, unknownReleases, err := parseUbuntuCVE(testData)
if assert.Nil(t, err) { if assert.Nil(t, err) {
assert.Equal(t, "CVE-2015-4471", vulnerability.ID) assert.Equal(t, "CVE-2015-4471", vulnerability.ID)
assert.Equal(t, types.Medium, vulnerability.Priority) assert.Equal(t, types.Medium, vulnerability.Priority)
@ -42,22 +42,27 @@ func TestUbuntuParser(t *testing.T) {
_, hasUnkownRelease := unknownReleases["unknown"] _, hasUnkownRelease := unknownReleases["unknown"]
assert.True(t, hasUnkownRelease) assert.True(t, hasUnkownRelease)
if assert.Len(t, vulnerability.FixedIn, 3) { expectedPackages := []*database.Package{
assert.Contains(t, vulnerability.FixedIn, &database.Package{ &database.Package{
OS: "ubuntu:14.04", OS: "ubuntu:14.04",
Name: "libmspack", Name: "libmspack",
Version: types.MaxVersion, Version: types.MaxVersion,
}) },
assert.Contains(t, vulnerability.FixedIn, &database.Package{ &database.Package{
OS: "ubuntu:15.04", OS: "ubuntu:15.04",
Name: "libmspack", Name: "libmspack",
Version: types.NewVersionUnsafe("0.4-3"), Version: types.NewVersionUnsafe("0.4-3"),
}) },
assert.Contains(t, vulnerability.FixedIn, &database.Package{ &database.Package{
OS: "ubuntu:15.10", OS: "ubuntu:15.10",
Name: "libmspack-anotherpkg", Name: "libmspack-anotherpkg",
Version: types.NewVersionUnsafe("0.1"), Version: types.NewVersionUnsafe("0.1"),
}) },
}
for _, expectedPackage := range expectedPackages {
assert.Contains(t, packages, expectedPackage)
assert.Contains(t, vulnerability.FixedInNodes, expectedPackage.GetNode())
} }
} }
} }

273
updater/updater.go
View File

@ -17,6 +17,8 @@
package updater package updater
import ( import (
"encoding/json"
"fmt"
"math/rand" "math/rand"
"strconv" "strconv"
"time" "time"
@ -30,23 +32,12 @@ import (
const ( const (
flagName = "updater" flagName = "updater"
notesFlagName = "updater/notes"
refreshLockDuration = time.Minute * 8 refreshLockDuration = time.Minute * 8
lockDuration = refreshLockDuration + time.Minute*2 lockDuration = refreshLockDuration + time.Minute*2
// healthMaxConsecutiveLocalFailures defines the number of times the updater
// can fail before we should tag it as unhealthy
healthMaxConsecutiveLocalFailures = 5
) )
var ( var log = capnslog.NewPackageLogger("github.com/coreos/clair", "updater")
log = capnslog.NewPackageLogger("github.com/coreos/clair", "updater")
healthLatestSuccessfulUpdate time.Time
healthLockOwner string
healthIdentifier string
healthConsecutiveLocalFailures int
healthNotes []string
)
func init() { func init() {
health.RegisterHealthchecker("updater", Healthcheck) health.RegisterHealthchecker("updater", Healthcheck)
@ -63,19 +54,17 @@ func Run(interval time.Duration, st *utils.Stopper) {
} }
whoAmI := uuid.New() whoAmI := uuid.New()
healthIdentifier = whoAmI
log.Infof("updater service started. lock identifier: %s", whoAmI) log.Infof("updater service started. lock identifier: %s", whoAmI)
for { for {
// Set the next update time to (last update time + interval) or now if there // Set the next update time to (last update time + interval) or now if there
// is no last update time stored in database (first update) or if an error // is no last update time stored in database (first update) or if an error
// occurs // occurs
nextUpdate := time.Now().UTC() var nextUpdate time.Time
if lastUpdateTSS, err := database.GetFlagValue(flagName); err == nil && lastUpdateTSS != "" { if lastUpdate := getLastUpdate(); !lastUpdate.IsZero() {
if lastUpdateTS, err := strconv.ParseInt(lastUpdateTSS, 10, 64); err == nil { nextUpdate = lastUpdate.Add(interval)
healthLatestSuccessfulUpdate = time.Unix(lastUpdateTS, 0) } else {
nextUpdate = time.Unix(lastUpdateTS, 0).Add(interval) nextUpdate = time.Now().UTC()
}
} }
// If the next update timer is in the past, then try to update. // If the next update timer is in the past, then try to update.
@ -84,8 +73,6 @@ func Run(interval time.Duration, st *utils.Stopper) {
log.Debug("attempting to obtain update lock") log.Debug("attempting to obtain update lock")
hasLock, hasLockUntil := database.Lock(flagName, lockDuration, whoAmI) hasLock, hasLockUntil := database.Lock(flagName, lockDuration, whoAmI)
if hasLock { if hasLock {
healthLockOwner = healthIdentifier
// Launch update in a new go routine. // Launch update in a new go routine.
doneC := make(chan bool, 1) doneC := make(chan bool, 1)
go func() { go func() {
@ -105,6 +92,8 @@ func Run(interval time.Duration, st *utils.Stopper) {
// Unlock the update. // Unlock the update.
database.Unlock(flagName, whoAmI) database.Unlock(flagName, whoAmI)
continue
} else { } else {
lockOwner, lockExpiration, err := database.LockInfo(flagName) lockOwner, lockExpiration, err := database.LockInfo(flagName)
if err != nil { if err != nil {
@ -113,7 +102,6 @@ func Run(interval time.Duration, st *utils.Stopper) {
} else { } else {
log.Debugf("update lock is already taken by %s until %v", lockOwner, lockExpiration) log.Debugf("update lock is already taken by %s until %v", lockOwner, lockExpiration)
nextUpdate = lockExpiration nextUpdate = lockExpiration
healthLockOwner = lockOwner
} }
} }
} }
@ -137,8 +125,62 @@ func Run(interval time.Duration, st *utils.Stopper) {
func Update() { func Update() {
log.Info("updating vulnerabilities") log.Info("updating vulnerabilities")
// Fetch updates.
status, responses := fetch()
// Merge responses.
vulnerabilities, packages, flags, notes, err := mergeAndVerify(responses)
if err != nil {
log.Errorf("an error occured when merging update responses: %s", err)
return
}
responses = nil
// TODO(Quentin-M): Complete informations using NVD
// Insert packages.
log.Tracef("beginning insertion of %d packages for update", len(packages))
err = database.InsertPackages(packages)
if err != nil {
log.Errorf("an error occured when inserting packages for update: %s", err)
return
}
packages = nil
// Insert vulnerabilities.
log.Tracef("beginning insertion of %d vulnerabilities for update", len(vulnerabilities))
notifications, err := database.InsertVulnerabilities(vulnerabilities)
if err != nil {
log.Errorf("an error occured when inserting vulnerabilities for update: %s", err)
return
}
vulnerabilities = nil
// Insert notifications into the database.
err = database.InsertNotifications(notifications, database.GetDefaultNotificationWrapper())
if err != nil {
log.Errorf("an error occured when inserting notifications for update: %s", err)
return
}
notifications = nil
// Update flags and notes.
for flagName, flagValue := range flags {
database.UpdateFlag(flagName, flagValue)
}
database.UpdateFlag(notesFlagName, notes)
// Update last successful update if every fetchers worked properly.
if status {
database.UpdateFlag(flagName, strconv.FormatInt(time.Now().UTC().Unix(), 10))
}
log.Info("update finished")
}
// fetch get data from the registered fetchers, in parallel.
func fetch() (status bool, responses []*FetcherResponse) {
// Fetch updates in parallel. // Fetch updates in parallel.
var status = true status = true
var responseC = make(chan *FetcherResponse, 0) var responseC = make(chan *FetcherResponse, 0)
for n, f := range fetchers { for n, f := range fetchers {
go func(name string, fetcher Fetcher) { go func(name string, fetcher Fetcher) {
@ -155,129 +197,122 @@ func Update() {
} }
// Collect results of updates. // Collect results of updates.
var responses []*FetcherResponse for i := 0; i < len(fetchers); i++ {
var notes []string resp := <-responseC
for i := 0; i < len(fetchers); { if resp != nil {
select { responses = append(responses, resp)
case resp := <-responseC:
if resp != nil {
responses = append(responses, resp)
notes = append(notes, resp.Notes...)
}
i++
} }
} }
close(responseC) close(responseC)
return
}
// TODO(Quentin-M): Merge responses together // merge put all the responses together (vulnerabilities, packages, flags, notes), ensure the
// TODO(Quentin-M): Complete informations using NVD // uniqueness of vulnerabilities and packages and verify that every vulnerability's fixedInNodes
// have their corresponding package definition.
func mergeAndVerify(responses []*FetcherResponse) (svulnerabilities []*database.Vulnerability, spackages []*database.Package, flags map[string]string, snotes string, err error) {
vulnerabilities := make(map[string]*database.Vulnerability)
packages := make(map[string]*database.Package)
flags = make(map[string]string)
var notes []string
// Store flags out of the response struct. // Merge responses.
flags := make(map[string]string)
for _, response := range responses { for _, response := range responses {
// Notes
notes = append(notes, response.Notes...)
// Flags
if response.FlagName != "" && response.FlagValue != "" { if response.FlagName != "" && response.FlagValue != "" {
flags[response.FlagName] = response.FlagValue flags[response.FlagName] = response.FlagValue
} }
} // Packages
for _, p := range response.Packages {
// Update health notes. node := p.GetNode()
healthNotes = notes if _, ok := packages[node]; !ok {
packages[node] = p
// Build list of packages. }
var packages []*database.Package }
for _, response := range responses { // Vulnerabilities
for _, v := range response.Vulnerabilities { for _, v := range response.Vulnerabilities {
packages = append(packages, v.FixedIn...) if vulnerability, ok := vulnerabilities[v.ID]; !ok {
} vulnerabilities[v.ID] = v
} } else {
mergeVulnerability(vulnerability, v)
// Insert packages into the database.
log.Tracef("beginning insertion of %d packages for update", len(packages))
t := time.Now()
err := database.InsertPackages(packages)
log.Tracef("inserting %d packages took %v", len(packages), time.Since(t))
if err != nil {
log.Errorf("an error occured when inserting packages for update: %s", err)
updateHealth(false)
return
}
packages = nil
// Build a list of vulnerabilties.
var vulnerabilities []*database.Vulnerability
for _, response := range responses {
for _, v := range response.Vulnerabilities {
var packageNodes []string
for _, pkg := range v.FixedIn {
packageNodes = append(packageNodes, pkg.Node)
} }
vulnerabilities = append(vulnerabilities, &database.Vulnerability{ID: v.ID, Link: v.Link, Priority: v.Priority, Description: v.Description, FixedInNodes: packageNodes})
} }
} }
responses = nil
// Insert vulnerabilities into the database. // Verify that the packages used in the vulnerabilities are specified.
log.Tracef("beginning insertion of %d vulnerabilities for update", len(vulnerabilities)) for _, v := range vulnerabilities {
t = time.Now() for _, node := range v.FixedInNodes {
notifications, err := database.InsertVulnerabilities(vulnerabilities) if _, ok := packages[node]; !ok {
log.Tracef("inserting %d vulnerabilities took %v", len(vulnerabilities), time.Since(t)) err = fmt.Errorf("vulnerability %s is fixed by an unspecified package", v.ID)
if err != nil { return
log.Errorf("an error occured when inserting vulnerabilities for update: %s", err) }
updateHealth(false) }
return
}
vulnerabilities = nil
// Insert notifications into the database.
err = database.InsertNotifications(notifications, database.GetDefaultNotificationWrapper())
if err != nil {
log.Errorf("an error occured when inserting notifications for update: %s", err)
updateHealth(false)
return
}
notifications = nil
// Update flags in the database.
for flagName, flagValue := range flags {
database.UpdateFlag(flagName, flagValue)
} }
// Update health depending on the status of the fetchers. // Convert data and return
updateHealth(status) for _, v := range vulnerabilities {
if status { svulnerabilities = append(svulnerabilities, v)
now := time.Now().UTC()
database.UpdateFlag(flagName, strconv.FormatInt(now.Unix(), 10))
healthLatestSuccessfulUpdate = now
} }
log.Info("update finished") for _, p := range packages {
spackages = append(spackages, p)
}
bnotes, _ := json.Marshal(notes)
snotes = string(bnotes)
return
} }
func updateHealth(s bool) { // mergeVulnerability updates the target vulnerability structure using the specified one.
if s == false { func mergeVulnerability(target, source *database.Vulnerability) {
healthConsecutiveLocalFailures++ if source.Link != "" {
} else { target.Link = source.Link
healthConsecutiveLocalFailures = 0 }
if source.Description != "" {
target.Description = source.Description
}
if source.Priority.Compare(target.Priority) > 0 {
target.Priority = source.Priority
}
for _, node := range source.FixedInNodes {
if !utils.Contains(node, target.FixedInNodes) {
target.FixedInNodes = append(target.FixedInNodes, node)
}
} }
} }
// Healthcheck returns the health of the updater service. // Healthcheck returns the health of the updater service.
func Healthcheck() health.Status { func Healthcheck() health.Status {
notes := getNotes()
return health.Status{ return health.Status{
IsEssential: false, IsEssential: false,
IsHealthy: healthConsecutiveLocalFailures < healthMaxConsecutiveLocalFailures, IsHealthy: len(notes) == 0,
Details: struct { Details: struct {
HealthIdentifier string LatestSuccessfulUpdate time.Time
HealthLockOwner string Notes []string `json:",omitempty"`
LatestSuccessfulUpdate time.Time
ConsecutiveLocalFailures int
Notes []string `json:",omitempty"`
}{ }{
HealthIdentifier: healthIdentifier, LatestSuccessfulUpdate: getLastUpdate(),
HealthLockOwner: healthLockOwner, Notes: notes,
LatestSuccessfulUpdate: healthLatestSuccessfulUpdate,
ConsecutiveLocalFailures: healthConsecutiveLocalFailures,
Notes: healthNotes,
}, },
} }
} }
func getLastUpdate() time.Time {
if lastUpdateTSS, err := database.GetFlagValue(flagName); err == nil && lastUpdateTSS != "" {
if lastUpdateTS, err := strconv.ParseInt(lastUpdateTSS, 10, 64); err == nil {
return time.Unix(lastUpdateTS, 0).UTC()
}
}
return time.Time{}
}
func getNotes() (notes []string) {
if jsonNotes, err := database.GetFlagValue(notesFlagName); err == nil && jsonNotes != "" {
json.Unmarshal([]byte(jsonNotes), notes)
}
return
}