clair/ext/vulnsrc/alpine/alpine.go

197 lines
5.2 KiB
Go

// Copyright 2018 clair authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package alpine implements a vulnerability source updater using the
// alpine-secdb git repository.
package alpine
import (
"io"
"os"
"path/filepath"
log "github.com/sirupsen/logrus"
"gopkg.in/yaml.v2"
"github.com/coreos/clair/database"
"github.com/coreos/clair/ext/versionfmt"
"github.com/coreos/clair/ext/versionfmt/dpkg"
"github.com/coreos/clair/ext/vulnsrc"
"github.com/coreos/clair/pkg/fsutil"
"github.com/coreos/clair/pkg/gitutil"
)
const (
// This Alpine vulnerability database affects origin packages, which has
// `origin` field of itself.
secdbGitURL = "https://github.com/alpinelinux/alpine-secdb"
updaterFlag = "alpine-secdbUpdater"
nvdURLPrefix = "https://cve.mitre.org/cgi-bin/cvename.cgi?name="
// affected type indicates if the affected feature hint is for binary or
// source package.
affectedType = database.AffectBinaryPackage
)
func init() {
vulnsrc.RegisterUpdater("alpine", &updater{})
}
type updater struct {
repositoryLocalPath string
}
func (u *updater) Update(db database.Datastore) (resp vulnsrc.UpdateResponse, err error) {
log.WithField("package", "Alpine").Info("start fetching vulnerabilities")
// Pull the master branch.
var (
commit string
existingCommit string
foundCommit bool
namespaces []string
vulns []database.VulnerabilityWithAffected
)
if u.repositoryLocalPath, commit, err = gitutil.CloneOrPull(secdbGitURL, u.repositoryLocalPath, updaterFlag); err != nil {
return
}
// Set the updaterFlag to equal the commit processed.
resp.FlagName = updaterFlag
resp.FlagValue = commit
if existingCommit, foundCommit, err = database.FindKeyValueAndRollback(db, updaterFlag); err != nil {
return
}
// Short-circuit if there have been no updates.
if foundCommit && commit == existingCommit {
log.WithField("package", "alpine").Debug("no update, skip")
return
}
// Get the list of namespaces from the repository.
if namespaces, err = fsutil.Readdir(u.repositoryLocalPath, fsutil.DirectoriesOnly); err != nil {
return
}
// Append any changed vulnerabilities to the response.
for _, namespace := range namespaces {
if vulns, err = parseVulnsFromNamespace(u.repositoryLocalPath, namespace); err != nil {
return
}
resp.Vulnerabilities = append(resp.Vulnerabilities, vulns...)
}
return
}
func (u *updater) Clean() {
if u.repositoryLocalPath != "" {
os.RemoveAll(u.repositoryLocalPath)
}
}
func parseVulnsFromNamespace(repositoryPath, namespace string) (vulns []database.VulnerabilityWithAffected, err error) {
nsDir := filepath.Join(repositoryPath, namespace)
var dbFilenames []string
if dbFilenames, err = fsutil.Readdir(nsDir, fsutil.FilesOnly); err != nil {
return
}
for _, filename := range dbFilenames {
var db *secDB
if db, err = newSecDB(filepath.Join(nsDir, filename)); err != nil {
return
}
vulns = append(vulns, db.Vulnerabilities()...)
}
return
}
type secDB struct {
Distro string `yaml:"distroversion"`
Packages []struct {
Pkg struct {
Name string `yaml:"name"`
Fixes map[string][]string `yaml:"secfixes"`
} `yaml:"pkg"`
} `yaml:"packages"`
}
func newSecDB(filePath string) (file *secDB, err error) {
var f io.ReadCloser
f, err = os.Open(filePath)
if err != nil {
return
}
defer f.Close()
file = &secDB{}
err = yaml.NewDecoder(f).Decode(file)
return
}
func (file *secDB) Vulnerabilities() (vulns []database.VulnerabilityWithAffected) {
if file == nil {
return
}
namespace := database.Namespace{Name: "alpine:" + file.Distro, VersionFormat: dpkg.ParserName}
for _, pkg := range file.Packages {
for version, cveNames := range pkg.Pkg.Fixes {
if err := versionfmt.Valid(dpkg.ParserName, version); err != nil {
log.WithError(err).WithFields(log.Fields{
"version": version,
"package name": pkg.Pkg.Name,
}).Warning("could not parse package version, skipping")
continue
}
for _, cve := range cveNames {
vuln := database.VulnerabilityWithAffected{
Vulnerability: database.Vulnerability{
Name: cve,
Link: nvdURLPrefix + cve,
Severity: database.UnknownSeverity,
Namespace: namespace,
},
}
var fixedInVersion string
if version != versionfmt.MaxVersion {
fixedInVersion = version
}
vuln.Affected = []database.AffectedFeature{
{
AffectedType: affectedType,
FeatureName: pkg.Pkg.Name,
AffectedVersion: version,
FixedInVersion: fixedInVersion,
Namespace: database.Namespace{
Name: "alpine:" + file.Distro,
VersionFormat: dpkg.ParserName,
},
},
}
vulns = append(vulns, vuln)
}
}
}
return
}