Flavio Castelli
5a4d4913c1
Reintroduce image scanning for openSUSE and SLE
Handle scanning of openSUSE and SUSE Linux Enterprise images.
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
6 years ago
Ales Raszka
bd7102d963
Vulnsrc rhel: handle "none" CVE impact
Some RHEL CVEs [1] contain a "none" string in the impact field. This throws a
warning message when fetching vulnerabilities. The new code handles this
case and uses the advisory severity instead.
[1] https://www.redhat.com/security/data/oval/com.redhat.rhsa-20080038.xml
6 years ago
Geoff Baskwill
3503ddb96f
vulnsrc_oracle: one vulnerability per CVE
Get one vulnerability per CVE for Oracle instead of one per ELSA so we
can have NVD metadata added to the vulnerabilities.
Related: #495, #499.
6 years ago
Sida Chen
05cbf328aa
Merge pull request #647 from KeyboardNerd/spkg/cvrf
vulnsrc: Refactor debian and alpine sources
6 years ago
Sida Chen
72674ca871
vulnsrc: Refactor vulnerability sources to use utility functions
6 years ago
Jimmy Zelinskie
0c2e5e73c2
Merge pull request #645 from Katee/include-cvssv3
Switch to NVD JSON feed and include CVSSv3
6 years ago
Kate Murphy
081ae34af1
ext: remove duplicate vectorValuesToLetters definition
6 years ago
Kate Murphy
4f0da12b12
ext: pass through CVSSv3 impact and exploitability score
6 years ago
Jimmy Zelinskie
8efc3e4038
ext: remove unneeded use of init()
6 years ago
Jimmy Zelinskie
699d1143e5
ext: fixup incorrect copyright year
6 years ago
Sida Chen
2236b0a5c9
updater: Add vulnsrc affected feature type
Each vulnerability source has a specific type of feature that it affects.
We assume the following:
* Alpine: Binary Package
* Debian: Source Package
* Ubuntu: Source Package
* Oracle OVAL: Binary Package
* RHEL OVAL: Binary Package
6 years ago
Kate Murphy
b81e4454fb
ext: Parse CVSSv3 data from JSON NVD feed
6 years ago
Kate Murphy
14277a8f5d
ext: Add JSON NVD parsing tests
6 years ago
Kate Murphy
aab46f5658
ext: Parse NVD JSON feed instead of XML
The JSON feed provides some values that are not available in the XML
feed such as CVSSv3.
6 years ago
Sida Chen
f759dd54c0
database: Replace Parent Feature with source metadata
Feature's source feature string is directly stored in the database
instead of having the parent pointer to simplify the database.
6 years ago
Jimmy Zelinskie
2ac088dd0f
Merge pull request #639 from Katee/update-sha1-to-sha256
Use SHA256 instead of SHA1 for fingerprinting
6 years ago
Kate Murphy
8d5a0131c4
ext: Use SHA256 instead of SHA1 for fingerprinting
To make static analysis tools happy.
The current use of SHA1 for fingerprinting is safe. However, there is very
little downside to switching to SHA256.
6 years ago
Sida Chen
2cc61f9fc0
ext/featurefmt/apk: Extract origin package information from database
The "o" field is used to extract the Package Origin from the APK database.
6 years ago
Sida Chen
a057e4a943
ext/featurefmt/rpm: Extract source package from rpm database
Source package is now extracted from the RPM database by using
${SourceRPM} option in the rpm --qf argument.
6 years ago
Sida Chen
4ac046642f
ext/featurefmt/dpkg: Extract source package metadata
The source package metadata is extracted from the source line instead
of forcing the binary package to have source package information.
6 years ago
Sida Chen
1c40e7d016
ext/featurefmt: Refactor featurefmt testing code
1. Featurefmt testing code is moved to featurefmttest package.
2. Featurefmt now can be tested against a csv file, which contains the
expected package information result.
6 years ago
Sida Chen
3c72fa29a6
Merge pull request #620 from KeyboardNerd/feature/detector
Internally version all detected content by extension
6 years ago
Sida Chen
e657d26313
database: move dbutil and testutil to database from pkg
Move dbutil and testutil to database from pkg
Rename all "result"
6 years ago
Sida Chen
53bf19aecf
ext: Lister and Detector returns detector info with detected content
1. Every Lister and Detector is versioned.
2. Detected content is returned in a map with detector info as the key.
6 years ago
Jimmy Zelinskie
0ca9431235
Merge pull request #621 from jzelinskie/gitutil
pkg/gitutil: init
6 years ago
Jimmy Zelinskie
44ae4bc959
Merge pull request #610 from MackJM/wip/master_nvd_httputil
Using httputil for NVD
6 years ago
Jimmy Zelinskie
c2d887f9e9
pkg/gitutil: init
This refactors the code we're using to manage temporary git repositories
into a utility package.
6 years ago
Grégoire Unbekandt
c4ffa0c370
vulnsrc_rhel: cve impact
use the specific CVE's impact field instead of the RHSA's one
6 years ago
Grégoire Unbekandt
a90db713a2
vulnsrc_rhel: add test
Add test for multiple CVEs
6 years ago
Grégoire Unbekandt
8b3338ef56
vulnsrc_rhel: minor changes
delete a useless line
6 years ago
Grégoire Unbekandt
4e4e98f328
vulnsrc_rhel: minor changes
Code reorganisation
6 years ago
Grégoire Unbekandt
ac86a36740
vulnsrc_rhel: rhsa_ID by default
If no CVE is present, create a vulnerability with rhsa ID
6 years ago
Grégoire Unbekandt
4ab98cfe54
vulnsrc_rhel: one vulnerability by CVE
Get one vulnerability by CVE_ID for RHEL instead of one by RHSA_ID so we can have NVD metadata added to the vulnerabilities.
Fixes #495
6 years ago
Jean Michel MacKay
30848d9eb7
Fixed extra newline
6 years ago
Jean Michel MacKay
56b4f23ae2
Move downloadFeed out to a separate function
6 years ago
Jean Michel MacKay
f34f94320a
Embed nvd's downloading and storing of metadata into a function to help with resource management
6 years ago
Jean Michel MacKay
3959f416fa
Fix up error and change close to defer close
6 years ago
Jean Michel MacKay
49cbdd7a7c
Using httputil for NVD
nvd was missed when moving to httputil, this fixes it
6 years ago
Jimmy Zelinskie
06b257cc97
Merge pull request #606 from MackJM/wip/master_httputil
Adding httputil and version packages to master
6 years ago
Jimmy Zelinskie
ce15f73501
*: gofmt -s
6 years ago
Jean Michel MacKay
9df4f5bd70
Adding httputil and version packages
- Debian/RHEL/Oracle vulnsrc now use httputil to download files
- httputil sets the User-Agent of the requests to Clair/<version> (https://github.com/coreos/clair/)
- httputil holds Status2xx() which returns whether the response is an HTTP success (2xx)
- GetClientAddr moved from api/httputil to pkg/httputil
- the version package holds a Version string which is set at build time from the git tag and sha
- the .git directory was removed from .dockerignore so that we can use the git tag to set the version
6 years ago
Jimmy Zelinskie
ce6b00887b
vulnmdsrc: update NVD URLs
This connects us via a domain hosted on AWS which should provide
performance benefits for users running Clair on AWS and alleviate load
from the NIST campus network.
Fixes #575.
6 years ago
Daniel Jiang
9e4a347ecd
Quickfix to the URL for fetching alpine's vuln data.
Fixes #593
Signed-off-by: Daniel Jiang <jiangd@vmware.com>
6 years ago
Jimmy Zelinskie
f32f438a98
Merge branch 'master' into nvdupdates
6 years ago
honglichang(常红立)
0d5f300c5b
fix nvd path
1. stop clair, not del nvd xml
6 years ago
ErikThoreson
df1dd5c149
adding publisher datetime and updating nvd feed download
6 years ago
Jimmy Zelinskie
456af5f48c
vulnsrc/ubuntu: use new git-based ubuntu tracker
6 years ago
Jimmy Zelinskie
c031f8ea0c
vulnsrc/alpine: s/pull/clone
6 years ago
Jimmy Zelinskie
4c2be5285e
vulnsrc/alpine: avoid shadowing vars
6 years ago
Joe Ray
947a8aa00c
featurens: Ensure RHEL is correctly identified
When trying to identify various Red Hat releases, RHEL was not being
picked up as a centos release because the Oracle Linux regex was too
permissive: it would match any release name with '<something> Linux
Server release' in the name. By being more restrictive with the Oracle
regex, RHEL is now properly identified.
I don't know why the Oracle regex used such a permissive matcher for the
name but it still passes all the tests by replacing it with the word
'Oracle'.
Fixes #436
7 years ago