-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(redhat): add rejected vulnerability check for rhsa-xxx #236
base: main
Are you sure you want to change the base?
Conversation
@@ -342,6 +342,15 @@ func parseDefinitions(advisories []redhatOVAL, tests map[string]rpmInfoTest, uni | |||
|
|||
var cveEntries []CveEntry | |||
for _, cve := range advisory.Metadata.Advisory.Cves { | |||
// get details from NVD | |||
details, err := vs.dbc.GetVulnerabilityDetail(cve.CveID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
VulnSrc should be order-agnostic. Your change depends on the order. NVD must be inserted before Red Hat OVAL. I'd suggest adding CveIDs here.
https://github.com/aquasecurity/trivy-db/blob/2bd1364579ec652f8f595c4a61595fd9575e8496/pkg/types/types.go
And check the rejected status of the related CVE-IDs as well here.
trivy-db/pkg/vulnsrc/vulnerability/vulnerability.go
Lines 178 to 189 in 9304617
func getRejectedStatus(details map[types.SourceID]types.VulnerabilityDetail) bool { | |
for _, source := range sources { | |
d, ok := details[source] | |
if !ok { | |
continue | |
} | |
if strings.Contains(d.Description, rejectVulnerability) { | |
return true | |
} | |
} | |
return false | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR is too complicated. We should consider how to simplify it.
@@ -1,65 +1,65 @@ | |||
package redhatoval | |||
package types |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you tell me the reason why we want to move this package?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we need to decode Advisory structure here:
trivy-db/pkg/db/advisory_detail.go
Lines 119 to 128 in 03e5c84
for i, entry := range advisory.Entries { | |
var cves []redhatovaltypes.CveEntry | |
for _, cve := range entry.Cves { | |
// Include in the database only non-rejected Cves | |
if !ustrings.InSlice(cve.ID, rejectedCve) { | |
cves = append(cves, cve) | |
} | |
} | |
advisory.Entries[i].Cves = cves | |
} |
this is necessary to remove rejected cves from
CveEntry
.But we can't import
redhatoval
package from db
package, because we will get cycle import
.(redhatoval
imported db
for PutAdvisoryDetail
func)
// SaveRhsaAdvisoryDetails Extract 'RHSA' advisories from 'advisory-detail'-'Red Hat' bucket and copy them in each | ||
func (dbc Config) SaveRhsaAdvisoryDetails(tx *bolt.Tx, vulnID string, rejectedCve []string) error { | ||
root := tx.Bucket([]byte(advisoryDetailBucket)) | ||
if root == nil { | ||
return nil | ||
} | ||
|
||
cveBucket := root.Bucket([]byte(vulnID)) | ||
if cveBucket == nil { | ||
return nil | ||
} | ||
|
||
redHatBucket := cveBucket.Bucket([]byte("Red Hat")) | ||
if redHatBucket == nil { | ||
return nil | ||
} | ||
|
||
if err := dbc.saveRhsaAdvisories(tx, redHatBucket, []string{"Red Hat"}, vulnID, rejectedCve); err != nil { | ||
return xerrors.Errorf("walk advisories error: %w", err) | ||
} | ||
|
||
return nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is this function for...?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this function finds all Red Hat
buckets, decodes them, removes rejected cves and saves to db as SaveAdvisoryDetails
.
Description
RHSA-xxx
advisories don't checks toreject
when optimizing becauseNVD
only containsCVE-xxx
.Added check for RHSAs
Related issues