From 90f1d8d78aa20b47fafab2c8ecb07247f075ef45 Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Mon, 9 Dec 2024 17:43:40 +0600 Subject: [PATCH] fix(oracle): add architectures support for advisories (#4809) --- go.mod | 2 +- go.sum | 4 +- integration/testdata/fixtures/db/oracle.yaml | 6 +++ pkg/detector/ospkg/oracle/oracle.go | 2 +- pkg/detector/ospkg/oracle/oracle_test.go | 54 +++++++++++++++++++ .../oracle/testdata/fixtures/oracle7.yaml | 23 +++++++- 6 files changed, 86 insertions(+), 5 deletions(-) diff --git a/go.mod b/go.mod index 58fc755ee97c..47aca47b414e 100644 --- a/go.mod +++ b/go.mod @@ -24,7 +24,7 @@ require ( github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8 github.com/aquasecurity/tml v0.6.1 github.com/aquasecurity/trivy-checks v1.4.0 - github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 + github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc github.com/aws/aws-sdk-go-v2 v1.32.5 diff --git a/go.sum b/go.sum index e7ab291a3ac8..a3381756644d 100644 --- a/go.sum +++ b/go.sum @@ -355,8 +355,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY= github.com/aquasecurity/trivy-checks v1.4.0 h1:XFGPuA8C4f31GO9g7xOkubHq4W87y9iXrWnulsIoZFs= github.com/aquasecurity/trivy-checks v1.4.0/go.mod h1:TSUbI3wBy9jgQl5lRUCR+B5pNiOxp6M26Jep8VCL/eM= -github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 h1:ljinbg7JTQvdnzuRsPYS6btA51SyGYWKCQInxSIwbRw= -github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45/go.mod h1:Lg2avQhFy5qeGA0eMysI/61REVvWpEltverCarGc3l0= +github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e h1:O5j5SeCNBrXApgBTOobO06q4LMxJxIhcSGE7H6Y154E= +github.com/aquasecurity/trivy-db v0.0.0-20241209111357-8c398f13db0e/go.mod h1:gS8VhlNxhraiq60BBnJw9kGtjeMspQ9E8pX24jCL4jg= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI= github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8= github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc h1:/mFBYIK9RY+L8s1CIbQbJ5B3v0YmoDSu5eAzavvMa+Y= diff --git a/integration/testdata/fixtures/db/oracle.yaml b/integration/testdata/fixtures/db/oracle.yaml index 8418edcfd6cb..88745d05b23d 100644 --- a/integration/testdata/fixtures/db/oracle.yaml +++ b/integration/testdata/fixtures/db/oracle.yaml @@ -7,8 +7,14 @@ FixedVersion: "7.61.1-11.el8" Entries: - FixedVersion: "7.61.1-11.el8" + Arches: + - x86_64 + - aarch64 - key: CVE-2019-5436 value: FixedVersion: "7.61.1-12.el8" Entries: - FixedVersion: "7.61.1-12.el8" + Arches: + - x86_64 + - aarch64 diff --git a/pkg/detector/ospkg/oracle/oracle.go b/pkg/detector/ospkg/oracle/oracle.go index 3dbc8c90677f..2d3dd0237211 100644 --- a/pkg/detector/ospkg/oracle/oracle.go +++ b/pkg/detector/ospkg/oracle/oracle.go @@ -50,7 +50,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository var vulns []types.DetectedVulnerability for _, pkg := range pkgs { - advisories, err := s.vs.Get(osVer, pkg.Name) + advisories, err := s.vs.Get(osVer, pkg.Name, pkg.Arch) if err != nil { return nil, xerrors.Errorf("failed to get Oracle Linux advisory: %w", err) } diff --git a/pkg/detector/ospkg/oracle/oracle_test.go b/pkg/detector/ospkg/oracle/oracle_test.go index 834bc06d9406..860c75eba937 100644 --- a/pkg/detector/ospkg/oracle/oracle_test.go +++ b/pkg/detector/ospkg/oracle/oracle_test.go @@ -139,6 +139,60 @@ func TestScanner_Detect(t *testing.T) { }, }, }, + { + name: "different fixed versions for different arches", + fixtures: []string{ + "testdata/fixtures/oracle7.yaml", + "testdata/fixtures/data-source.yaml", + }, + args: args{ + osVer: "7", + pkgs: []ftypes.Package{ + { + Name: "rsyslog", + Version: "8.24.0", + Release: "57.0.0.el7", + Arch: "x86_64", + SrcName: "rsyslog", + SrcVersion: "8.24.0", + SrcRelease: "57.0.0.el7", + }, + { + Name: "rsyslog", + Version: "8.24.0", + Release: "57.0.0.el7", + Arch: "aarch64", + SrcName: "rsyslog", + SrcVersion: "8.24.0", + SrcRelease: "57.0.0.el7", + }, + }, + }, + want: []types.DetectedVulnerability{ + { + VulnerabilityID: "CVE-2022-24903", + PkgName: "rsyslog", + InstalledVersion: "8.24.0-57.0.0.el7", + FixedVersion: "8.24.0-57.0.1.el7_9.3", + DataSource: &dbTypes.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + { + VulnerabilityID: "CVE-2022-24903", + PkgName: "rsyslog", + InstalledVersion: "8.24.0-57.0.0.el7", + FixedVersion: "8.24.0-57.0.4.el7_9.3", + DataSource: &dbTypes.DataSource{ + ID: vulnerability.OracleOVAL, + Name: "Oracle Linux OVAL definitions", + URL: "https://linux.oracle.com/security/oval/", + }, + }, + }, + }, { name: "without ksplice", fixtures: []string{ diff --git a/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml b/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml index 7dce7818c32e..2b5e1e4e3c39 100644 --- a/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml +++ b/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml @@ -7,6 +7,9 @@ FixedVersion: "7.29.0-59.0.1.el7_9.1" Entries: - FixedVersion: "7.29.0-59.0.1.el7_9.1" + Arches: + - x86_64 + - aarch64 - bucket: glibc pairs: - key: CVE-2017-1000364 @@ -14,6 +17,9 @@ FixedVersion: "2:2.17-157.ksplice1.el7_3.4" Entries: - FixedVersion: "2:2.17-157.ksplice1.el7_3.4" + Arches: + - x86_64 + - aarch64 - bucket: gnutls pairs: - key: CVE-2021-20232 @@ -21,5 +27,20 @@ FixedVersion: "3.6.16-4.el8" Entries: - FixedVersion: "10:3.6.16-4.0.1.el8_fips" + Arches: + - x86_64 - FixedVersion: "3.6.16-4.el8" - + Arches: + - x86_64 + - bucket: rsyslog + pairs: + - key: CVE-2022-24903 + value: + FixedVersion: "8.24.0-57.0.1.el7_9.3" + Entries: + - FixedVersion: "8.24.0-57.0.1.el7_9.3" + Arches: + - x86_64 + - FixedVersion: "8.24.0-57.0.4.el7_9.3" + Arches: + - aarch64