// Copyright 2018 clair authors // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // Package alpine implements a vulnerability source updater using the // alpine-secdb git repository. package alpine import ( "io" "os" "path/filepath" log "github.com/sirupsen/logrus" "gopkg.in/yaml.v2" "github.com/coreos/clair/database" "github.com/coreos/clair/ext/versionfmt" "github.com/coreos/clair/ext/versionfmt/dpkg" "github.com/coreos/clair/ext/vulnsrc" "github.com/coreos/clair/pkg/fsutil" "github.com/coreos/clair/pkg/gitutil" ) const ( // This Alpine vulnerability database affects origin packages, which has // `origin` field of itself. secdbGitURL = "https://github.com/alpinelinux/alpine-secdb" updaterFlag = "alpine-secdbUpdater" nvdURLPrefix = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=" // affected type indicates if the affected feature hint is for binary or // source package. affectedType = database.AffectBinaryPackage ) func init() { vulnsrc.RegisterUpdater("alpine", &updater{}) } type updater struct { repositoryLocalPath string } func (u *updater) Update(db database.Datastore) (resp vulnsrc.UpdateResponse, err error) { log.WithField("package", "Alpine").Info("start fetching vulnerabilities") // Pull the master branch. var ( commit string existingCommit string foundCommit bool namespaces []string vulns []database.VulnerabilityWithAffected ) if u.repositoryLocalPath, commit, err = gitutil.CloneOrPull(secdbGitURL, u.repositoryLocalPath, updaterFlag); err != nil { return } // Set the updaterFlag to equal the commit processed. resp.FlagName = updaterFlag resp.FlagValue = commit if existingCommit, foundCommit, err = database.FindKeyValueAndRollback(db, updaterFlag); err != nil { return } // Short-circuit if there have been no updates. if foundCommit && commit == existingCommit { log.WithField("package", "alpine").Debug("no update, skip") return } // Get the list of namespaces from the repository. if namespaces, err = fsutil.Readdir(u.repositoryLocalPath, fsutil.DirectoriesOnly); err != nil { return } // Append any changed vulnerabilities to the response. for _, namespace := range namespaces { if vulns, err = parseVulnsFromNamespace(u.repositoryLocalPath, namespace); err != nil { return } resp.Vulnerabilities = append(resp.Vulnerabilities, vulns...) } return } func (u *updater) Clean() { if u.repositoryLocalPath != "" { os.RemoveAll(u.repositoryLocalPath) } } func parseVulnsFromNamespace(repositoryPath, namespace string) (vulns []database.VulnerabilityWithAffected, err error) { nsDir := filepath.Join(repositoryPath, namespace) var dbFilenames []string if dbFilenames, err = fsutil.Readdir(nsDir, fsutil.FilesOnly); err != nil { return } for _, filename := range dbFilenames { var db *secDB if db, err = newSecDB(filepath.Join(nsDir, filename)); err != nil { return } vulns = append(vulns, db.Vulnerabilities()...) } return } type secDB struct { Distro string `yaml:"distroversion"` Packages []struct { Pkg struct { Name string `yaml:"name"` Fixes map[string][]string `yaml:"secfixes"` } `yaml:"pkg"` } `yaml:"packages"` } func newSecDB(filePath string) (file *secDB, err error) { var f io.ReadCloser f, err = os.Open(filePath) if err != nil { return } defer f.Close() file = &secDB{} err = yaml.NewDecoder(f).Decode(file) return } func (file *secDB) Vulnerabilities() (vulns []database.VulnerabilityWithAffected) { if file == nil { return } namespace := database.Namespace{Name: "alpine:" + file.Distro, VersionFormat: dpkg.ParserName} for _, pkg := range file.Packages { for version, cveNames := range pkg.Pkg.Fixes { if err := versionfmt.Valid(dpkg.ParserName, version); err != nil { log.WithError(err).WithFields(log.Fields{ "version": version, "package name": pkg.Pkg.Name, }).Warning("could not parse package version, skipping") continue } for _, cve := range cveNames { vuln := database.VulnerabilityWithAffected{ Vulnerability: database.Vulnerability{ Name: cve, Link: nvdURLPrefix + cve, Severity: database.UnknownSeverity, Namespace: namespace, }, } var fixedInVersion string if version != versionfmt.MaxVersion { fixedInVersion = version } vuln.Affected = []database.AffectedFeature{ { AffectedType: affectedType, FeatureName: pkg.Pkg.Name, AffectedVersion: version, FixedInVersion: fixedInVersion, Namespace: database.Namespace{ Name: "alpine:" + file.Distro, VersionFormat: dpkg.ParserName, }, }, } vulns = append(vulns, vuln) } } } return }