Commit Graph

806 Commits

Author SHA1 Message Date
Flavio Castelli
5a4d4913c1
Reintroduce image scanning for openSUSE and SLE
Handle scanning of openSUSE and SUSE Linux Enterprise images.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
2019-01-07 18:48:55 +01:00
Jimmy Zelinskie
5cd6a8cc92
Merge pull request #681 from Allda/rhel_severity
Vulnsrc rhel: handle "none" CVE impact
2019-01-02 15:58:23 -05:00
Ales Raszka
bd7102d963 Vulnsrc rhel: handle "none" CVE impact
Some RHEL CVEs [1] contains "none" string in impact field. This is throwing
warning message when fetching vulnerabilities. The new code handles this
case and it uses advisory severity instead.

[1] https://www.redhat.com/security/data/oval/com.redhat.rhsa-20080038.xml
2019-01-02 14:27:08 +01:00
Jimmy Zelinskie
3947073b9e
Merge pull request #667 from travelaudience/helm-tolerations
HELM: add tolerations
2018-12-19 13:49:22 -05:00
Jeff Knurek
81430ffbb2 HELM: also add option for nodeSelector 2018-12-10 11:42:48 +01:00
Jeff Knurek
6a94d8ccd2 HELM: add option for tolerations 2018-12-10 11:42:16 +01:00
Jimmy Zelinskie
504f0f3af3
Merge pull request #656 from glb/elsa_CVEID
vulnsrc_oracle: one vulnerability per CVE
2018-11-07 16:07:46 -05:00
Geoff Baskwill
3503ddb96f vulnsrc_oracle: one vulnerability per CVE
Get one vulnerability per CVE for Oracle instead of one per ELSA so we
can have NVD metadata added to the vulnerabilities.

Related: #495, #499.
2018-11-02 19:36:43 -04:00
Jimmy Zelinskie
93e7a4cfa8
Merge pull request #650 from Katee/add-ubuntu-cosmic
Add database mapping for Ubuntu Cosmic (18.10)
2018-10-31 11:05:47 -04:00
Jimmy Zelinskie
4c08c8f959
Merge pull request #653 from brosander/helm-dep
Pinning helm postgres dep to the working 1.0.0
2018-10-31 11:05:28 -04:00
Bryan Rosander
00db964497
Pinning helm postgres dep to the working 1.0.0 2018-10-31 10:56:17 -04:00
Kate Murphy
6c682da3e1
database: add mapping for Ubuntu Cosmic (18.10) 2018-10-29 13:42:44 -04:00
Jimmy Zelinskie
c123c95590
Merge pull request #648 from HaraldNordgren/go_versions
Bump Go versions and use '.x' to always get latest patch versions
2018-10-28 12:01:47 -04:00
Harald Nordgren
be24096183 Bump Go versions and use '.x' to always get latest patch versions 2018-10-28 13:44:21 +01:00
Sida Chen
05cbf328aa
Merge pull request #647 from KeyboardNerd/spkg/cvrf
vulnsrc: Refactor debian and alpine sources
2018-10-23 09:30:01 -04:00
Sida Chen
4106322107 vendor: Update gopkg.in/yaml.v2 package
* Update gopkg.in/yaml.v2 package and glide setting
* Update other packages
2018-10-22 23:00:58 -04:00
Sida Chen
72674ca871 vulnsrc: Refactor vulnerability sources to use utility functions 2018-10-22 23:00:58 -04:00
Sida Chen
a3f7387ff1 database: Add FindKeyValue function wrapper 2018-10-22 23:00:57 -04:00
Sida Chen
c3904c9696 pkg: Add fsutil to contian file system utility functions 2018-10-22 23:00:57 -04:00
Sida Chen
1ee1b95afc
Merge pull request #644 from KeyboardNerd/bug/git
gitutil: Fix git pull on non-git repository directory
2018-10-22 14:45:30 -04:00
Jimmy Zelinskie
0c2e5e73c2
Merge pull request #645 from Katee/include-cvssv3
Switch to NVD JSON feed and include CVSSv3
2018-10-22 13:03:42 -04:00
Kate Murphy
081ae34af1
ext: remove duplicate vectorValuesToLetters definition 2018-10-19 15:00:00 -04:00
Kate Murphy
4f0da12b12
ext: pass through CVSSv3 impact and exploitability score 2018-10-19 10:44:23 -04:00
Jimmy Zelinskie
8efc3e4038 ext: remove unneeded use of init() 2018-10-18 18:48:07 -04:00
Jimmy Zelinskie
699d1143e5 ext: fixup incorrect copyright year 2018-10-18 18:47:37 -04:00
Sida Chen
335cb65917
Merge pull request #646 from KeyboardNerd/spkg/model 2018-10-18 16:44:48 -04:00
Sida Chen
2236b0a5c9 updater: Add vulnsrc affected feature type
Each vulnerability source has a specific type of feature that it affects

We assume the following:
* Alpine: Binary Package
* Debian: Source Package
* Ubuntu: Source Package
* Oracle OVAL: Binary Package
* RHEL OVAL: Binary Package
2018-10-18 15:06:41 -04:00
Sida Chen
00fadfc3e3 database: Add affected feature type
Affected feature type is for determining either the source feature or
the binary feature that an vulnerability affects.
2018-10-18 15:06:41 -04:00
Sida Chen
11b67e612c gitutil: Fix git pull on non-git repository directory
* Add conditional check: if the git repo directory is newly created, we
clone.
* Add tests

Fixes #641
2018-10-17 10:43:52 -04:00
Kate Murphy
b81e4454fb
ext: Parse CVSSv3 data from JSON NVD feed 2018-10-16 19:08:17 -04:00
Kate Murphy
14277a8f5d
ext: Add JSON NVD parsing tests 2018-10-16 18:53:32 -04:00
Kate Murphy
aab46f5658
ext: Parse NVD JSON feed instead of XML
The JSON feed provides some values that are not available in the XML
feed such as CVSSv3.
2018-10-16 18:53:32 -04:00
Sida Chen
17539bda60
Merge pull request #640 from KeyboardNerd/sourcePackage
database: Replace Parent Feature with source metadata
2018-10-15 16:49:50 -04:00
Sida Chen
f759dd54c0 database: Replace Parent Feature with source metadata
Feature's source feature string is directly stored in the database
instead of having the parent pointer to simplify the database.
2018-10-15 16:26:24 -04:00
Jimmy Zelinskie
2ac088dd0f
Merge pull request #639 from Katee/update-sha1-to-sha256
Use SHA256 instead of SHA1 for fingerprinting
2018-10-15 11:43:56 -04:00
Sida Chen
fe614f2b01
Merge pull request #638 from KeyboardNerd/featureTree
Parse Source package from package information databases
2018-10-15 10:11:55 -04:00
Kate Murphy
8d5a0131c4
ext: Use SHA256 instead of SHA1 for fingerprinting
To make static analysis tools happy.

The current use of SHA1 for fingerprinting is safe. However, there is very
little downside to switching to SHA256.
2018-10-12 16:09:14 -04:00
Sida Chen
2cc61f9fc0 ext/featurefmt/apk: Extract origin package information from database
"o" field is used to extract the Package Origin from the APK database.
2018-10-11 18:02:58 -04:00
Sida Chen
a057e4a943 ext/featurefmt/rpm: Extract source package from rpm database
Source package is now extracted from the RPM database by using
${SourceRPM} option in the rpm --qf argument.
2018-10-11 18:02:58 -04:00
Sida Chen
4ac046642f ext/featurefmt/dpkg: Extract source package metadata
The source package metadata is extracted from the source line instead
of forcing the binary package to have source package information.
2018-10-11 18:02:58 -04:00
Sida Chen
1c40e7d016 ext/featurefmt: Refactor featurefmt testing code
1. Featurefmt testing code is moved to featurefmttest package.
2. Featurefmt now can be tested against a csv file, which contains the
expected package information result.
2018-10-11 18:02:58 -04:00
Sida Chen
3fe894c5ad database: Add parent feature pointer to Feature struct
Feature now has a pointer to parent feature. If a vulnerability affects
a parent feature, this child feature will be affected.
2018-10-09 19:52:10 -04:00
Jimmy Zelinskie
ddaf19b3a6
Merge pull request #633 from coreos/roadmap-1
*: update roadmap
2018-10-08 16:13:46 -04:00
Sida Chen
3c72fa29a6
Merge pull request #620 from KeyboardNerd/feature/detector
Internally version all detected content by extension
2018-10-08 15:16:04 -04:00
Jimmy Zelinskie
74efdf6b51
*: update roadmap
Fixes #626.
2018-10-08 15:10:27 -04:00
Sida Chen
69c0c84348 api: Rename detector type to DType
Rename detector type to DType because all reserved key words should be
avoided used as type name or variable name.
2018-10-08 14:34:19 -04:00
Sida Chen
a3e9b5b55d database: rename utility functions with commit/rollback
All database utility functions are renamed to explicitly say if it will
commit changes or rollback changes on success.
2018-10-08 13:12:18 -04:00
Sida Chen
e657d26313 database: move dbutil and testutil to database from pkg
Move dbutil and testutil to database from pkg
Rename all "result"
2018-10-08 12:10:35 -04:00
Sida Chen
0c1b80b2ed pgsql: Implement database queries for detector relationship
* Refactor layer and ancestry
* Add tests
* Fix bugs introduced when the queries were moved
2018-10-08 11:27:15 -04:00
Sida Chen
028324014b clair: Implement worker detector support
The worker is changed to accommodate the new database model and API.
Worker is refactored to move the database query helper functions to pkg.
2018-10-08 10:42:40 -04:00