Commit Graph

37 Commits

Author SHA1 Message Date
Sida Chen
7dd989c0f2 database: Rename affected Type to feature type 2019-02-19 16:48:42 -05:00
Flavio Castelli
5a4d4913c1
Reintroduce image scanning for openSUSE and SLE
Handle scanning of openSUSE and SUSE Linux Enterprise images.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
2019-01-07 18:48:55 +01:00
Ales Raszka
bd7102d963 Vulnsrc rhel: handle "none" CVE impact
Some RHEL CVEs [1] contains "none" string in impact field. This is throwing
warning message when fetching vulnerabilities. The new code handles this
case and it uses advisory severity instead.

[1] https://www.redhat.com/security/data/oval/com.redhat.rhsa-20080038.xml
2019-01-02 14:27:08 +01:00
Geoff Baskwill
3503ddb96f vulnsrc_oracle: one vulnerability per CVE
Get one vulnerability per CVE for Oracle instead of one per ELSA so we
can have NVD metadata added to the vulnerabilities.

Related: #495, #499.
2018-11-02 19:36:43 -04:00
Sida Chen
72674ca871 vulnsrc: Refactor vulnerability sources to use utility functions 2018-10-22 23:00:58 -04:00
Sida Chen
2236b0a5c9 updater: Add vulnsrc affected feature type
Each vulnerability source has a specific type of feature that it affects

We assume the following:
* Alpine: Binary Package
* Debian: Source Package
* Ubuntu: Source Package
* Oracle OVAL: Binary Package
* RHEL OVAL: Binary Package
2018-10-18 15:06:41 -04:00
Kate Murphy
8d5a0131c4
ext: Use SHA256 instead of SHA1 for fingerprinting
To make static analysis tools happy.

The current use of SHA1 for fingerprinting is safe. However, there is very
little downside to switching to SHA256.
2018-10-12 16:09:14 -04:00
Jimmy Zelinskie
0ca9431235
Merge pull request #621 from jzelinskie/gitutil
pkg/gitutil: init
2018-09-26 11:42:35 -04:00
Jimmy Zelinskie
c2d887f9e9 pkg/gitutil: init
This refactors the code we're using to manage temporary git repositories
into a utility package.
2018-09-19 13:50:54 -04:00
Grégoire Unbekandt
c4ffa0c370 vulnsrc_rhel: cve impact
use the specific CVE's impact field instead of the RHSA's one
2018-09-15 00:00:09 +02:00
Grégoire Unbekandt
a90db713a2 vulnsrc_rhel: add test
Add test for multiple CVE
2018-09-14 23:54:33 +02:00
Grégoire Unbekandt
8b3338ef56 vulnsrc_rhel: minor changes
delete a useless line
2018-09-14 23:54:33 +02:00
Grégoire Unbekandt
4e4e98f328 vulnsrc_rhel: minor changes
Code reorganisation
2018-09-14 23:54:33 +02:00
Grégoire Unbekandt
ac86a36740 vulnsrc_rhel: rhsa_ID by default
If no CVE is present, create a vulnerability with rhsa ID
2018-09-14 23:54:33 +02:00
Grégoire Unbekandt
4ab98cfe54 vulnsrc_rhel: one vulnerability by CVE
Get one vulnerability by CVE_ID for RHEL instead of one by RHSA_ID so we can have NVD metadata added to the vulnerabilities.

Fixes #495
2018-09-14 23:54:33 +02:00
Jimmy Zelinskie
06b257cc97
Merge pull request #606 from MackJM/wip/master_httputil
Adding httputil and version packages to master
2018-09-06 11:27:35 -04:00
Jimmy Zelinskie
ce15f73501 *: gofmt -s 2018-09-05 19:20:35 -04:00
Jean Michel MacKay
9df4f5bd70 Adding httputil and version packages
- Debian/RHEL/Oracle vulnsrc now use httputil to download files
- httputil sets the User-Agent to the requests as Clair/<version> (https://github.com/coreos/clair/)
- httputil holds Status2xx() which returns if the response is a http success (2xx)
- GetClientAddr moved from api/httputil to pkg/httputil
- the version packge holds a Version string which is set at build time from the git tag and sha
- the .git directory was removed from .dockerignore so that we can use the git tag to set the version
2018-09-05 14:56:39 -04:00
Daniel Jiang
9e4a347ecd Quickfix to the URL for fetching alpine's vuln data.
Fixes #593

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
2018-08-23 13:39:26 +08:00
Jimmy Zelinskie
456af5f48c vulnsrc/ubuntu: use new git-based ubuntu tracker 2018-07-10 16:46:46 -04:00
Jimmy Zelinskie
c031f8ea0c vulnsrc/alpine: s/pull/clone 2018-07-05 19:11:30 -04:00
Jimmy Zelinskie
4c2be5285e vulnsrc/alpine: avoid shadowing vars 2018-07-05 19:09:45 -04:00
Sida Chen
fb32dcfa58 Clair Logic, Extensions: updated mock tests, extensions, basic logic
Main Clair logic is changed in worker, updater, notifier for better adapting
ancestry schema. Extensions are updated with the new model and feature lister
 and namespace detector drivers are able to specify the specific listers and
detectors used to process layer's content. InRange and GetFixedIn interfaces
are added to Version format for adapting ranged affected features and next
available fixed in in the future. Tests for worker, updater and extensions
are fixed.
2017-08-10 11:24:40 -04:00
alinar
d4a967e6e6 Fixing always revision 0 for ubuntu 2017-06-07 12:37:24 +01:00
Jimmy Zelinskie
0891bbac00 ext/vulnsrc/alpine: use HTTPS 2017-05-11 15:18:37 -04:00
Sida Chen
9306e99368 converted to structured logging by using logrus
changed from capnslog to logrus for logging JSON structured message.

finished issue #383
2017-05-04 13:59:57 -04:00
Jimmy Zelinskie
09cbfe325b ext/vulnsrc/oracle: ensure flag is largest elsa
If the Oracle Linux directory is ever in the wrong order, this should
ensure that the updaterFlag is always set the latest ELSA value.
2017-04-27 18:57:19 -04:00
Jimmy Zelinskie
bcf47f53ee ext/vulnsrc/oracle: fix ELSA version comparison
Previously we naively compared integers. However, not all versions have
the same length.
2017-04-19 15:15:41 -04:00
Jimmy Zelinskie
300fe980ef ext/vulnsrc/ubuntu: add missing version format 2017-03-01 01:12:27 -05:00
Quentin Machu
d606d85afe
ext/vulnsrc/rhel: fix logging namespace 2017-02-22 10:50:42 -08:00
Jimmy Zelinskie
c8622d5f34 vulnsrc/alpine: unify schema and parse v3.5
HEAD of Alpine SecDB now uses one consistent schema for all of their
vulnerabilities, so the logic around parsing different versions can now
be removed. This change also crawls the directory structure to parse all
files due to the addition of community.yaml tracking community Alpine
Linux packages.
2017-02-07 13:31:28 -08:00
Jimmy Zelinskie
9c63a63944 clair: mv updater clair and mv severity to db 2017-01-22 23:20:56 -05:00
Jimmy Zelinskie
c2f4a44068 utils: rm exec.go
This change also adds a dependency check at startup, rather than
runtime.
2017-01-22 23:02:51 -05:00
Jimmy Zelinskie
343e24eb7e clair: remove types package
This removes the `types` package instead moving the contents to the
top-level clair package.
This change also renames the `Priority` type to `Severity` in order to
reduce confusion.
This change also removes the IsValid method and replaces it with a safe
constructor to avoid the creation of invalid values.
Many docstrings were tweaked in the making of this commit.
2017-01-22 23:02:51 -05:00
Jimmy Zelinskie
f9b319089d ext: lock all drivers 2017-01-22 23:02:50 -05:00
Jimmy Zelinskie
78cef02fda pkg: cerrors -> commonerr 2017-01-22 23:02:50 -05:00
Jimmy Zelinskie
4a990372ff refactor: move updaters and notifier into ext 2017-01-22 23:02:50 -05:00