Skip to content

Commit

Permalink
feat(oracle): add flavors support (#7858)
Browse files Browse the repository at this point in the history
  • Loading branch information
DmitriyLewen authored Nov 20, 2024
1 parent 9988147 commit b9b383e
Show file tree
Hide file tree
Showing 7 changed files with 74 additions and 20 deletions.
13 changes: 13 additions & 0 deletions docs/docs/coverage/os/oracle.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,19 @@ See [here](../../scanner/vulnerability.md#data-sources).
### Fixed Version
Trivy takes fixed versions from [Oracle security advisories][alerts].

#### Flavors
Trivy detects the flavor for version of the found package and finds vulnerabilities only for that flavor.

| Flavor | Format | Example |
|:-------:|:------------------------------------:|------------------------------------------------------|
| normal | version without `fips` and `ksplice` | 3.6.16-4.el8 |
| fips | `*_fips` | 10:3.6.16-4.0.1.el8_fips |
| ksplice | `*.ksplice*.*` | 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 |


For example Trivy finds [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) only for the `normal` and `fips` flavors.
For the `ksplice` flavor, [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) will be skipped.

### Severity
Trivy determines vulnerability severity based on the severity metric provided in [Oracle security advisories][alerts].
For example, the security patch for [CVE-2023-0464][CVE-2023-0464] is provided as [ELSA-2023-2645][ELSA-2023-2645].
Expand Down
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ require (
github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v1.3.0
github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1
github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc
github.com/aws/aws-sdk-go-v2 v1.32.4
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -355,8 +355,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v1.3.0 h1:Z4+wxxApNSJOLcmGPWQ9cS3NGmT/yTaPCTMavIeuVEQ=
github.com/aquasecurity/trivy-checks v1.3.0/go.mod h1:WDo8IKyW4FvA69uKYmamSIy3RosCOiBuA1Kfxuigiy0=
github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1 h1:G0gnacAORRUqz2Tm5MqivSpldY2GZ74ijhJcMsae+sA=
github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1/go.mod h1:PYkSRx4dlgFATEt+okGwibvbxVEtqsOdH+vX/saACYE=
github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 h1:ljinbg7JTQvdnzuRsPYS6btA51SyGYWKCQInxSIwbRw=
github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45/go.mod h1:Lg2avQhFy5qeGA0eMysI/61REVvWpEltverCarGc3l0=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc h1:/mFBYIK9RY+L8s1CIbQbJ5B3v0YmoDSu5eAzavvMa+Y=
Expand Down
8 changes: 6 additions & 2 deletions integration/testdata/fixtures/db/oracle.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,11 @@
pairs:
- key: CVE-2019-3823
value:
FixedVersion: 7.61.1-11.el8
FixedVersion: "7.61.1-11.el8"
Entries:
- FixedVersion: "7.61.1-11.el8"
- key: CVE-2019-5436
value:
FixedVersion: 7.61.1-12.el8
FixedVersion: "7.61.1-12.el8"
Entries:
- FixedVersion: "7.61.1-12.el8"
18 changes: 3 additions & 15 deletions pkg/detector/ospkg/oracle/oracle.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package oracle

import (
"context"
"strings"
"time"

version "github.com/knqyf263/go-rpm-version"
Expand Down Expand Up @@ -43,16 +42,6 @@ func NewScanner() *Scanner {
}
}

func extractKsplice(v string) string {
subs := strings.Split(strings.ToLower(v), ".")
for _, s := range subs {
if strings.HasPrefix(s, "ksplice") {
return s
}
}
return ""
}

// Detect scans and return vulnerability in Oracle scanner
func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
osVer = osver.Major(osVer)
Expand All @@ -69,10 +58,9 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
installed := utils.FormatVersion(pkg)
installedVersion := version.NewVersion(installed)
for _, adv := range advisories {
// when one of them doesn't have ksplice, we'll also skip it
// extract kspliceX and compare it with kspliceY in advisories
// if kspliceX and kspliceY are different, we will skip the advisory
if extractKsplice(adv.FixedVersion) != extractKsplice(pkg.Release) {
// We need to use only advisories from the same flavor as the package flavors.
// See more in https://github.com/aquasecurity/trivy/issues/1967
if oracleoval.PackageFlavor(adv.FixedVersion) != oracleoval.PackageFlavor(pkg.Release) {
continue
}

Expand Down
36 changes: 36 additions & 0 deletions pkg/detector/ospkg/oracle/oracle_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,42 @@ func TestScanner_Detect(t *testing.T) {
},
},
},
{
name: "with fips",
fixtures: []string{
"testdata/fixtures/oracle7.yaml",
"testdata/fixtures/data-source.yaml",
},
args: args{
osVer: "7",
pkgs: []ftypes.Package{
{
Name: "gnutls",
Epoch: 10,
Version: "3.6.15",
Release: "4.0.1.el8_fips",
Arch: "x86_64",
SrcEpoch: 2,
SrcName: "gnutls",
SrcVersion: "3.6.15",
SrcRelease: "4.0.1.el8_fips",
},
},
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2021-20232",
PkgName: "gnutls",
InstalledVersion: "10:3.6.15-4.0.1.el8_fips",
FixedVersion: "10:3.6.16-4.0.1.el8_fips",
DataSource: &dbTypes.DataSource{
ID: vulnerability.OracleOVAL,
Name: "Oracle Linux OVAL definitions",
URL: "https://linux.oracle.com/security/oval/",
},
},
},
},
{
name: "malformed",
fixtures: []string{
Expand Down
13 changes: 13 additions & 0 deletions pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,21 @@
- key: CVE-2020-8177
value:
FixedVersion: "7.29.0-59.0.1.el7_9.1"
Entries:
- FixedVersion: "7.29.0-59.0.1.el7_9.1"
- bucket: glibc
pairs:
- key: CVE-2017-1000364
value:
FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
Entries:
- FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
- bucket: gnutls
pairs:
- key: CVE-2021-20232
value:
FixedVersion: "3.6.16-4.el8"
Entries:
- FixedVersion: "10:3.6.16-4.0.1.el8_fips"
- FixedVersion: "3.6.16-4.el8"

0 comments on commit b9b383e

Please sign in to comment.