Arch Linux Tracker to collect vulnerabilities

aquasecurity · Jun 3, 2021 · 881f317 · 881f317
1 parent 668f12a
commit 881f317
Show file tree

Hide file tree

Showing 9 changed files with 237 additions and 1 deletion.
diff --git a/arch-linux/archlinux.go b/arch-linux/archlinux.go
@@ -0,0 +1,78 @@
+package arch_linux
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+
+	"github.com/aquasecurity/vuln-list-update/utils"
+	pb "github.com/cheggaaa/pb/v3"
+	"golang.org/x/xerrors"
+)
+
+const (
+	archLinuxDir       = "arch-linux"
+	securityTrackerURL = "https://security.archlinux.org/json"
+)
+
+type ArchLinuxConfig struct {
+	URL         string
+	VulnListDir string
+	Retry       int
+}
+
+func NewArchLinuxConfig() ArchLinuxConfig {
+	return NewArchLinuxWithConfig(securityTrackerURL, filepath.Join(utils.VulnListDir(), archLinuxDir), 5)
+}
+
+func NewArchLinuxWithConfig(url, path string, retryTimes int) ArchLinuxConfig {
+	return ArchLinuxConfig{
+		URL:         url,
+		VulnListDir: path,
+		Retry:       retryTimes,
+	}
+}
+
+func (alc ArchLinuxConfig) Update() error {
+	log.Println("Fetching Arch Linux data...")
+	vulns, err := alc.retrieveArchLinuxCveDetails()
+	if err != nil {
+		return xerrors.Errorf("failed to retrieve Arch Linux CVE details: %w", err)
+	}
+
+	log.Println("Removing old data...")
+	if err = os.RemoveAll(alc.VulnListDir); err != nil {
+		return xerrors.Errorf("failed to remove Arch Linux dir: %w", err)
+	}
+
+	// Save all JSON files
+	log.Println("Saving new data...")
+	bar := pb.StartNew(len(vulns))
+	dir := filepath.Join(alc.VulnListDir)
+	if err := os.MkdirAll(dir, os.ModePerm); err != nil {
+		return xerrors.Errorf("failed to create the directory: %w", err)
+	}
+	for _, cves := range vulns {
+		filePath := filepath.Join(dir, fmt.Sprintf("%s.json", cves.Name))
+		if err = utils.Write(filePath, cves); err != nil {
+			return xerrors.Errorf("failed to write Debian CVE details: %w", err)
+		}
+		bar.Increment()
+	}
+	bar.Finish()
+	return nil
+}
+
+func (alc ArchLinuxConfig) retrieveArchLinuxCveDetails() (vulns ArchLinuxCVE, err error) {
+	cveJSON, err := utils.FetchURL(alc.URL, "", alc.Retry)
+	if err != nil {
+		return vulns, xerrors.Errorf("failed to fetch cve data from Arch Linux. err: %w", err)
+	}
+
+	if err = json.Unmarshal(cveJSON, &vulns); err != nil {
+		return vulns, xerrors.Errorf("error in unmarshal json: %w", err)
+	}
+	return vulns, nil
+}
diff --git a/arch-linux/archlinux_test.go b/arch-linux/archlinux_test.go
@@ -0,0 +1,71 @@
+package arch_linux
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestUpdate(t *testing.T) {
+	testCases := []struct {
+		name                   string
+		inputJSONFile          string
+		expectedOutputJSONFile string
+		expectedError          string
+		ArchLinuxServerUrl     string
+	}{
+		{
+			name:                   "happy path",
+			inputJSONFile:          "testdata/archlinux.json",
+			expectedOutputJSONFile: "testdata/AVG-4.json",
+		},
+		{
+			name:               "sad path, unreachable Arch Linux service",
+			expectedError:      "failed to retrieve Arch Linux CVE details",
+			ArchLinuxServerUrl: "http://foo/bar/baz",
+		},
+		{
+			name:          "sad path, invalid json",
+			inputJSONFile: "testdata/invalid.json",
+			expectedError: "failed to retrieve Arch Linux CVE details",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var ArchLinuxURL string
+			if tc.ArchLinuxServerUrl != "" {
+				ArchLinuxURL = tc.ArchLinuxServerUrl
+			} else {
+				ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+					b, _ := os.ReadFile(tc.inputJSONFile)
+					_, _ = io.WriteString(w, string(b))
+				}))
+				ArchLinuxURL = ts.URL
+				defer ts.Close()
+			}
+
+			dir := t.TempDir()
+
+			c := NewArchLinuxWithConfig(ArchLinuxURL, filepath.Join(dir), 0)
+			err := c.Update()
+			switch {
+			case tc.expectedError != "":
+				require.Error(t, err, tc.name)
+			default:
+				gotJSON, err := os.ReadFile(filepath.Join(dir, "AVG-4.json"))
+				require.NoError(t, err, tc.name)
+
+				wantJSON, _ := os.ReadFile(tc.expectedOutputJSONFile)
+				assert.JSONEq(t, string(wantJSON), string(gotJSON), tc.name)
+			}
+		})
+	}
+}
diff --git a/arch-linux/testdata/AVG-4.json b/arch-linux/testdata/AVG-4.json
@@ -0,0 +1,17 @@
+{
+  "name":"AVG-4",
+  "packages":[
+    "bzip2"
+  ],
+  "status":"Fixed",
+  "severity":"Low",
+  "type":"denial of service",
+  "affected":"1.0.6-5",
+  "fixed":"1.0.6-6",
+  "issues":[
+    "CVE-2016-3189"
+  ],
+  "advisories":[
+    "ASA-201702-19"
+  ]
+}
diff --git a/arch-linux/testdata/archlinux.json b/arch-linux/testdata/archlinux.json
@@ -0,0 +1,38 @@
+[
+  {
+    "name":"AVG-20",
+    "packages":[
+      "curl"
+    ],
+    "status":"Fixed",
+    "severity":"Low",
+    "type":"denial of service",
+    "affected":"7.50.2-1",
+    "fixed":"7.50.3-1",
+    "ticket":null,
+    "issues":[
+      "CVE-2016-7167"
+    ],
+    "advisories":[
+      "ASA-201609-19"
+    ]
+  },
+  {
+    "name":"AVG-4",
+    "packages":[
+      "bzip2"
+    ],
+    "status":"Fixed",
+    "severity":"Low",
+    "type":"denial of service",
+    "affected":"1.0.6-5",
+    "fixed":"1.0.6-6",
+    "ticket":null,
+    "issues":[
+      "CVE-2016-3189"
+    ],
+    "advisories":[
+      "ASA-201702-19"
+    ]
+  }
+]
diff --git a/arch-linux/testdata/invalid.json b/arch-linux/testdata/invalid.json
@@ -0,0 +1 @@
+invalid json
diff --git a/arch-linux/types.go b/arch-linux/types.go
@@ -0,0 +1,13 @@
+package arch_linux
+
+type ArchLinuxCVE []struct {
+	Name       string   `json:"name"`
+	Packages   []string `json:"packages"`
+	Status     string   `json:"status"`
+	Severity   string   `json:"severity"`
+	Type       string   `json:"type"`
+	Affected   string   `json:"affected"`
+	Fixed      string   `json:"fixed"`
+	Issues     []string `json:"issues"`
+	Advisories []string `json:"advisories"`
+}
diff --git a/go.mod b/go.mod
@@ -6,13 +6,13 @@ require (
 	github.com/PuerkitoBio/goquery v1.6.0
 	github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83
 	github.com/cheggaaa/pb v2.0.7+incompatible
+	github.com/cheggaaa/pb/v3 v3.0.8 // indirect
 	github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f // indirect
 	github.com/elazarl/goproxy/ext v0.0.0-20190421051319-9d40249d3c2f // indirect
 	github.com/fatih/color v1.10.0 // indirect
 	github.com/kr/pretty v0.1.0 // indirect
 	github.com/kylelemons/godebug v1.1.0
 	github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed
-	github.com/mattn/go-runewidth v0.0.7 // indirect
 	github.com/parnurzeal/gorequest v0.2.16
 	github.com/pkg/errors v0.8.0 // indirect
 	github.com/shurcooL/githubv4 v0.0.0-20191127044304-8f68eb5628d0

diff --git a/go.sum b/go.sum
@@ -1,12 +1,16 @@
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/PuerkitoBio/goquery v1.6.0 h1:j7taAbelrdcsOlGeMenZxc2AWXD5fieT1/znArdnx94=
 github.com/PuerkitoBio/goquery v1.6.0/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
+github.com/VividCortex/ewma v1.1.1 h1:MnEK4VOv6n0RSY4vtRe3h11qjxL3+t0B8yOL8iMXdcM=
+github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
 github.com/andybalholm/cascadia v1.1.0 h1:BuuO6sSfQNFRu1LppgbD25Hr2vLYW25JvxHs5zzsLTo=
 github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83 h1:ukTLOeMC0aVxbJWVg6hOsVJ0VPIo8w++PbNsze/pqF8=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
 github.com/cheggaaa/pb v2.0.7+incompatible h1:gLKifR1UkZ/kLkda5gC0K6c8g+jU2sINPtBeOiNlMhU=
 github.com/cheggaaa/pb v2.0.7+incompatible/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
+github.com/cheggaaa/pb/v3 v3.0.8 h1:bC8oemdChbke2FHIIGy9mn4DPJ2caZYQnfbRqwmdCoA=
+github.com/cheggaaa/pb/v3 v3.0.8/go.mod h1:UICbiLec/XO6Hw6k+BHEtHeQFzzBH4i2/qk/ow1EJTA=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f h1:8GDPb0tCY8LQ+OJ3dbHb5sA6YZWXFORQYZx5sdsTlMs=
@@ -36,12 +40,17 @@ github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed h1:fCWISZq4YN
 github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed/go.mod h1:SDJ4hurDYyQ9/7nc+eCYtXqdufgK4Cq9TJlwPklqEYA=
 github.com/mattn/go-runewidth v0.0.7 h1:Ei8KR0497xHyKJPAv59M1dkC+rOZCMBJ+t3fZ+twI54=
 github.com/mattn/go-runewidth v0.0.7/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-runewidth v0.0.12 h1:Y41i/hVW3Pgwr8gV+J23B9YEY0zxjptBuCWEaxmAOow=
+github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/parnurzeal/gorequest v0.2.16 h1:T/5x+/4BT+nj+3eSknXmCTnEVGSzFzPGdpqmUVVZXHQ=
 github.com/parnurzeal/gorequest v0.2.16/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
 github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
 github.com/shurcooL/githubv4 v0.0.0-20191127044304-8f68eb5628d0 h1:T9uus1QvcPgeLShS30YOnnzk3r9Vvygp45muhlrufgY=
 github.com/shurcooL/githubv4 v0.0.0-20191127044304-8f68eb5628d0/go.mod h1:hAF0iLZy4td2EX+/8Tw+4nodhlMrwN3HupfaXj3zkGo=
@@ -77,6 +86,8 @@ golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtD
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae h1:/WDfKMnPU+m5M4xB+6x4kaepxRw6jWvR5iDRdvjHgy8=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 h1:F5Gozwx4I1xtr/sr/8CFbb57iKi3297KFs0QDbGN60A=
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=

diff --git a/main.go b/main.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"flag"
 	"fmt"
+	arch_linux "github.com/aquasecurity/vuln-list-update/arch-linux"
 	"log"
 	"os"
 	"strconv"
@@ -178,6 +179,12 @@ func run() error {
 			return xerrors.Errorf("error in CWE update: %w", err)
 		}
 		commitMsg = "CWE Advisories"
+	case "arch-linux":
+		al := arch_linux.NewArchLinuxConfig()
+		if err := al.Update(); err != nil {
+			return xerrors.Errorf("error in CWE update: %w", err)
+		}
+		commitMsg = "Arch Linux Security Tracker"
 	default:
 		return xerrors.New("unknown target")
 	}