pepelyaevip/vuln-list-update
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

feat(cbl-mariner) support CBL Mariner Vulnerability Data (#133)

Browse Source
This commit is contained in:
Masahiro331 2022-01-29 22:33:40 +09:00 committed by GitHub
parent e57b35fc33
commit 23a9b285d9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 915 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/update.yml vendored
View File

@ -95,6 +95,10 @@ jobs:
name: Rocky Linux Security Advisory
run: ./vuln-list-update -target rocky
- if: always()
name: CBL-Mariner Vulnerability Data
run: ./vuln-list-update -target mariner
- if: always()
name: OSV Database
run: ./vuln-list-update -target osv

2
README.md
View File

@ -20,7 +20,7 @@ https://github.com/aquasecurity/vuln-list/
$ vuln-list-update -h
Usage of vuln-list-update:
-target string
update target (nvd, alpine, redhat, debian, ubuntu)
update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner)
-years string
update years (only redhat)
```

9
main.go
View File

@ -25,6 +25,7 @@ import (
"github.com/aquasecurity/vuln-list-update/git"
"github.com/aquasecurity/vuln-list-update/glad"
govulndb "github.com/aquasecurity/vuln-list-update/go-vulndb"
"github.com/aquasecurity/vuln-list-update/mariner"
"github.com/aquasecurity/vuln-list-update/nvd"
oracleoval "github.com/aquasecurity/vuln-list-update/oracle/oval"
"github.com/aquasecurity/vuln-list-update/osv"
@ -45,7 +46,7 @@ const (
var (
target = flag.String("target", "", "update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, "+
"debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb)")
"debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner)")
years = flag.String("years", "", "update years (only redhat)")
)
@ -214,6 +215,12 @@ func run() error {
return xerrors.Errorf("Go Vulnerability Database update error: %w", err)
}
commitMsg = "Go Vulnerability Database"
case "mariner":
src := mariner.NewConfig()
if err := src.Update(); err != nil {
return xerrors.Errorf("CBL-Mariner Vulnerability Data update error: %w", err)
}
commitMsg = "CBL-Mariner Vulnerability Data"
default:
return xerrors.New("unknown target")
}

175
mariner/mariner.go Normal file
View File

@ -0,0 +1,175 @@
package mariner
import (
"context"
"encoding/xml"
"errors"
"fmt"
"log"
"os"
"path/filepath"
"strings"
"github.com/cheggaaa/pb"
"golang.org/x/xerrors"
"github.com/aquasecurity/vuln-list-update/utils"
)
const (
repoURL = "https://github.com/microsoft/CBL-MarinerVulnerabilityData/archive/refs/heads/main.tar.gz//CBL-MarinerVulnerabilityData-main"
cblDir = "mariner" // CBL-Mariner Vulnerability Data
retry = 3
testsDir = "tests"
objectsDir = "objects"
statesDir = "states"
definitionsDir = "definitions"
)
var (
ErrInvalidCVEFormat = errors.New("invalid CVE-ID format")
ErrNonCVEID = errors.New("discovered non-CVE-ID")
)
type Config struct {
*options
}
type option func(*options)
type options struct {
url string
dir string
retry int
}
func WithURL(url string) option {
return func(opts *options) { opts.url = url }
}
func WithDir(dir string) option {
return func(opts *options) { opts.dir = dir }
}
func WithRetry(retry int) option {
return func(opts *options) { opts.retry = retry }
}
func NewConfig(opts ...option) Config {
o := &options{
url: repoURL,
dir: filepath.Join(utils.VulnListDir(), cblDir),
retry: retry,
}
for _, opt := range opts {
opt(o)
}
return Config{
options: o,
}
}
func (c Config) Update() error {
ctx := context.Background()
log.Printf("Remove CBL-Mariner Vulnerability Data directory %sn", c.dir)
if err := os.RemoveAll(c.dir); err != nil {
return xerrors.Errorf("failed to remove CBL-Mariner Vulnerability Data directory: %w", err)
}
log.Print("Fetching CBL-Mariner Vulnerability Data")
tmpDir, err := utils.DownloadToTempDir(ctx, c.url)
if err != nil {
return xerrors.Errorf("failed to retrieve CBL-Mariner Vulnerability Data: %w", err)
}
defer os.RemoveAll(tmpDir)
entries, err := os.ReadDir(tmpDir)
if err != nil {
return xerrors.Errorf("failed to read directory: %w", err)
}
for _, entry := range entries {
if entry.IsDir() {
continue
}
if !strings.HasPrefix(entry.Name(), "cbl-mariner-") {
continue
}
if filepath.Ext(entry.Name()) != ".xml" {
continue
}
osVersoin := strings.TrimSuffix(strings.TrimSuffix(strings.TrimPrefix(entry.Name(), "cbl-mariner-"), "-oval.xml"), "-preview")
if err := c.update(osVersoin, filepath.Join(tmpDir, entry.Name())); err != nil {
return xerrors.Errorf("failed to update oval data: %w", err)
}
}
return nil
}
func (c Config) update(version, path string) error {
f, err := os.Open(path)
if err != nil {
return xerrors.Errorf("failed to open file: %w", err)
}
var oval OvalDefinitions
if err := xml.NewDecoder(f).Decode(&oval); err != nil {
return xerrors.Errorf("failed to decode xml: %w", err)
}
dirPath := filepath.Join(c.dir, version)
// write tests/tests.json file
if err := utils.Write(filepath.Join(dirPath, testsDir, "tests.json"), oval.Tests); err != nil {
return xerrors.Errorf("failed to write tests: %w", err)
}
// write objects/objects.json file
if err := utils.Write(filepath.Join(dirPath, objectsDir, "objects.json"), oval.Objects); err != nil {
return xerrors.Errorf("failed to write objects: %w", err)
}
// write states/states.json file
if err := utils.Write(filepath.Join(dirPath, statesDir, "states.json"), oval.States); err != nil {
return xerrors.Errorf("failed to write states: %w", err)
}
// write definitions
bar := pb.StartNew(len(oval.Definitions.Definition))
for _, def := range oval.Definitions.Definition {
vulnID := def.Metadata.Reference.RefID
if err := c.saveAdvisoryPerYear(filepath.Join(dirPath, definitionsDir), vulnID, def); err != nil {
return xerrors.Errorf("failed to save advisory per year: %w", err)
}
bar.Increment()
}
bar.Finish()
return nil
}
func (c Config) saveAdvisoryPerYear(dirName string, vulnID string, def Definition) error {
if !strings.HasPrefix(vulnID, "CVE") {
log.Printf("discovered non-CVE-ID: %s", vulnID)
return ErrNonCVEID
}
s := strings.Split(vulnID, "-")
if len(s) != 3 {
log.Printf("invalid CVE-ID format: %s", vulnID)
return ErrInvalidCVEFormat
}
yearDir := filepath.Join(dirName, s[1])
if err := utils.Write(filepath.Join(yearDir, fmt.Sprintf("%s.json", vulnID)), def); err != nil {
return xerrors.Errorf("unable to write a JSON file: %w", err)
}
return nil
}

68
mariner/mariner_test.go Normal file
View File

@ -0,0 +1,68 @@
package mariner_test
import (
"io/fs"
"os"
"path/filepath"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/vuln-list-update/mariner"
)
func TestUpdate(t *testing.T) {
tests := []struct {
name string
inputFile string
wantErr string
}{
{
name: "happy path",
inputFile: "file::testdata/happy",
},
{
name: "sad path, invalid xml",
inputFile: "file::testdata/sad",
wantErr: "failed to decode xml",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
tmpDir := t.TempDir()
cc := mariner.NewConfig(mariner.WithURL(tt.inputFile), mariner.WithDir(tmpDir), mariner.WithRetry(0))
err := cc.Update()
if tt.wantErr != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tt.wantErr)
return
}
require.NoError(t, err)
err = filepath.WalkDir(tmpDir, func(path string, d fs.DirEntry, err error) error {
require.NoError(t, err, tt.name)
if !d.Type().IsRegular() {
return nil
}
got, err := os.ReadFile(path)
require.NoError(t, err, path)
rel, err := filepath.Rel(tmpDir, path)
require.NoError(t, err, path)
goldenPath := filepath.Join("testdata", "golden", "mariner", rel)
want, err := os.ReadFile(goldenPath)
require.NoError(t, err, goldenPath)
assert.JSONEq(t, string(want), string(got), path)
return nil
})
require.NoError(t, err, tt.name)
})
}
}

29
mariner/testdata/golden/mariner/1.0/definitions/2008/CVE-2008-3914.json vendored Normal file
View File

@ -0,0 +1,29 @@
{
"Class": "vulnerability",
"ID": "oval:com.microsoft.cbl-mariner:def:3173",
"Version": "1643374849",
"Metadata": {
"Title": "CVE-2008-3914 affecting package clamav 0.101.2",
"Affected": {
"Family": "unix",
"Platform": "CBL-Mariner"
},
"Reference": {
"RefID": "CVE-2008-3914",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2008-3914",
"Source": "CVE"
},
"Patchable": "true",
"AdvisoryDate": "2021-05-06T23:56:51Z",
"AdvisoryID": "3173",
"Severity": "Critical",
"Description": "CVE-2008-3914 affecting package clamav 0.101.2. An upgraded version of the package is available that resolves this issue."
},
"Criteria": {
"Operator": "AND",
"Criterion": {
"Comment": "Package clamav is earlier than 0.103.2-1, affected by CVE-2008-3914",
"TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374849000003"
}
}
}

29
mariner/testdata/golden/mariner/1.0/definitions/2018/CVE-2018-25012.json vendored Normal file
View File

@ -0,0 +1,29 @@
{
"Class": "vulnerability",
"ID": "oval:com.microsoft.cbl-mariner:def:4209",
"Version": "1643374849",
"Metadata": {
"Title": "CVE-2018-25012 affecting package libwebp 1.0.0",
"Affected": {
"Family": "unix",
"Platform": "CBL-Mariner"
},
"Reference": {
"RefID": "CVE-2018-25012",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-25012",
"Source": "CVE"
},
"Patchable": "true",
"AdvisoryDate": "2021-06-09T03:50:29Z",
"AdvisoryID": "4209",
"Severity": "Critical",
"Description": "CVE-2018-25012 affecting package libwebp 1.0.0. An upgraded version of the package is available that resolves this issue."
},
"Criteria": {
"Operator": "AND",
"Criterion": {
"Comment": "Package libwebp is earlier than 1.0.3-1, affected by CVE-2018-25012",
"TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374849000151"
}
}
}

29
mariner/testdata/golden/mariner/1.0/definitions/2021/CVE-2021-35942.json vendored Normal file
View File

@ -0,0 +1,29 @@
{
"Class": "vulnerability",
"ID": "oval:com.microsoft.cbl-mariner:def:4820",
"Version": "1643374849",
"Metadata": {
"Title": "CVE-2021-35942 affecting package glibc 2.28",
"Affected": {
"Family": "unix",
"Platform": "CBL-Mariner"
},
"Reference": {
"RefID": "CVE-2021-35942",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-35942",
"Source": "CVE"
},
"Patchable": "true",
"AdvisoryDate": "2021-08-11T06:39:32Z",
"AdvisoryID": "4820",
"Severity": "Critical",
"Description": "CVE-2021-35942 affecting package glibc 2.28. A patched version of the package is available."
},
"Criteria": {
"Operator": "AND",
"Criterion": {
"Comment": "Package glibc is earlier than 2.28-19, affected by CVE-2021-35942",
"TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374849000145"
}
}
}

19
mariner/testdata/golden/mariner/1.0/objects/objects.json vendored Normal file
View File

@ -0,0 +1,19 @@
{
"RpminfoObjects": [
{
"ID": "oval:com.microsoft.cbl-mariner:obj:1643374849000004",
"Version": "1643374849",
"Name": "clamav"
},
{
"ID": "oval:com.microsoft.cbl-mariner:obj:1643374849000051",
"Version": "1643374849",
"Name": "glibc"
},
{
"ID": "oval:com.microsoft.cbl-mariner:obj:1643374849000067",
"Version": "1643374849",
"Name": "libwebp"
}
]
}

31
mariner/testdata/golden/mariner/1.0/states/states.json vendored Normal file
View File

@ -0,0 +1,31 @@
{
"RpminfoState": [
{
"ID": "oval:com.microsoft.cbl-mariner:ste:1643374849000005",
"Version": "1643374849",
"Evr": {
"Text": "0:0.103.2-1.cm1",
"Datatype": "evr_string",
"Operation": "less than"
}
},
{
"ID": "oval:com.microsoft.cbl-mariner:ste:1643374849000068",
"Version": "1643374849",
"Evr": {
"Text": "0:1.0.3-1.cm1",
"Datatype": "evr_string",
"Operation": "less than"
}
},
{
"ID": "oval:com.microsoft.cbl-mariner:ste:1643374849000146",
"Version": "1643374849",
"Evr": {
"Text": "0:2.28-19.cm1",
"Datatype": "evr_string",
"Operation": "less than"
}
}
]
}

40
mariner/testdata/golden/mariner/1.0/tests/tests.json vendored Normal file
View File

@ -0,0 +1,40 @@
{
"RpminfoTests": [
{
"Check": "at least one",
"Comment": "Package clamav is earlier than 0.103.2-1, affected by CVE-2008-3914",
"ID": "oval:com.microsoft.cbl-mariner:tst:1643374849000003",
"Version": "1643374849",
"Object": {
"ObjectRef": "oval:com.microsoft.cbl-mariner:obj:1643374849000004"
},
"State": {
"StateRef": "oval:com.microsoft.cbl-mariner:ste:1643374849000005"
}
},
{
"Check": "at least one",
"Comment": "Package glibc is earlier than 2.28-19, affected by CVE-2021-35942",
"ID": "oval:com.microsoft.cbl-mariner:tst:1643374849000145",
"Version": "1643374849",
"Object": {
"ObjectRef": "oval:com.microsoft.cbl-mariner:obj:1643374849000051"
},
"State": {
"StateRef": "oval:com.microsoft.cbl-mariner:ste:1643374849000146"
}
},
{
"Check": "at least one",
"Comment": "Package libwebp is earlier than 1.0.3-1, affected by CVE-2018-25012",
"ID": "oval:com.microsoft.cbl-mariner:tst:1643374849000151",
"Version": "1643374849",
"Object": {
"ObjectRef": "oval:com.microsoft.cbl-mariner:obj:1643374849000067"
},
"State": {
"StateRef": "oval:com.microsoft.cbl-mariner:ste:1643374849000068"
}
}
]
}

28
mariner/testdata/golden/mariner/2.0/definitions/2014/CVE-2014-8139.json vendored Normal file
View File

@ -0,0 +1,28 @@
{
"Class": "vulnerability",
"ID": "oval:com.microsoft.cbl-mariner:def:6933",
"Version": "1643374850",
"Metadata": {
"Title": "CVE-2014-8139 affecting package unzip 6.0",
"Affected": {
"Family": "unix",
"Platform": "CBL-Mariner"
},
"Reference": {
"RefID": "CVE-2014-8139",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2014-8139",
"Source": "CVE"
},
"Patchable": "false",
"AdvisoryID": "6933",
"Severity": "High",
"Description": "CVE-2014-8139 affecting package unzip 6.0. No patch is available currently."
},
"Criteria": {
"Operator": "AND",
"Criterion": {
"Comment": "Package unzip is installed with version 6.0 or earlier",
"TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374850000269"
}
}
}

28
mariner/testdata/golden/mariner/2.0/definitions/2021/CVE-2021-39924.json vendored Normal file
View File

@ -0,0 +1,28 @@
{
"Class": "vulnerability",
"ID": "oval:com.microsoft.cbl-mariner:def:7412",
"Version": "1643374850",
"Metadata": {
"Title": "CVE-2021-39924 affecting package wireshark 3.4.4",
"Affected": {
"Family": "unix",
"Platform": "CBL-Mariner"
},
"Reference": {
"RefID": "CVE-2021-39924",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-39924",
"Source": "CVE"
},
"Patchable": "false",
"AdvisoryID": "7412",
"Severity": "High",
"Description": "CVE-2021-39924 affecting package wireshark 3.4.4. No patch is available currently."
},
"Criteria": {
"Operator": "AND",
"Criterion": {
"Comment": "Package wireshark is installed with version 3.4.4 or earlier",
"TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374850000435"
}
}
}

28
mariner/testdata/golden/mariner/2.0/definitions/2022/CVE-2022-21309.json vendored Normal file
View File

@ -0,0 +1,28 @@
{
"Class": "vulnerability",
"ID": "oval:com.microsoft.cbl-mariner:def:7700",
"Version": "1643374850",
"Metadata": {
"Title": "CVE-2022-21309 affecting package mysql 8.0.24",
"Affected": {
"Family": "unix",
"Platform": "CBL-Mariner"
},
"Reference": {
"RefID": "CVE-2022-21309",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-21309",
"Source": "CVE"
},
"Patchable": "false",
"AdvisoryID": "7700",
"Severity": "Medium",
"Description": "CVE-2022-21309 affecting package mysql 8.0.24. No patch is available currently."
},
"Criteria": {
"Operator": "AND",
"Criterion": {
"Comment": "Package mysql is installed with version 8.0.24 or earlier",
"TestRef": "oval:com.microsoft.cbl-mariner:tst:1643374850000854"
}
}
}

19
mariner/testdata/golden/mariner/2.0/objects/objects.json vendored Normal file
View File

@ -0,0 +1,19 @@
{
"RpminfoObjects": [
{
"ID": "oval:com.microsoft.cbl-mariner:obj:1643374850000123",
"Version": "1643374850",
"Name": "unzip"
},
{
"ID": "oval:com.microsoft.cbl-mariner:obj:1643374850000429",
"Version": "1643374850",
"Name": "wireshark"
},
{
"ID": "oval:com.microsoft.cbl-mariner:obj:1643374850000669",
"Version": "1643374850",
"Name": "mysql"
}
]
}

31
mariner/testdata/golden/mariner/2.0/states/states.json vendored Normal file
View File

@ -0,0 +1,31 @@
{
"RpminfoState": [
{
"ID": "oval:com.microsoft.cbl-mariner:ste:1643374850000031",
"Version": "1643374850",
"Evr": {
"Text": "0:3.4.4-2.cm1",
"Datatype": "evr_string",
"Operation": "less than or equal"
}
},
{
"ID": "oval:com.microsoft.cbl-mariner:ste:1643374850000124",
"Version": "1643374850",
"Evr": {
"Text": "0:6.0-19.cm1",
"Datatype": "evr_string",
"Operation": "less than or equal"
}
},
{
"ID": "oval:com.microsoft.cbl-mariner:ste:1643374850000670",
"Version": "1643374850",
"Evr": {
"Text": "0:8.0.24-1.cm1",
"Datatype": "evr_string",
"Operation": "less than or equal"
}
}
]
}

40
mariner/testdata/golden/mariner/2.0/tests/tests.json vendored Normal file
View File

@ -0,0 +1,40 @@
{
"RpminfoTests": [
{
"Check": "at least one",
"Comment": "Package unzip is installed with version 6.0 or earlier",
"ID": "oval:com.microsoft.cbl-mariner:tst:1643374850000269",
"Version": "1643374850",
"Object": {
"ObjectRef": "oval:com.microsoft.cbl-mariner:obj:1643374850000123"
},
"State": {
"StateRef": "oval:com.microsoft.cbl-mariner:ste:1643374850000124"
}
},
{
"Check": "at least one",
"Comment": "Package wireshark is installed with version 3.4.4 or earlier",
"ID": "oval:com.microsoft.cbl-mariner:tst:1643374850000435",
"Version": "1643374850",
"Object": {
"ObjectRef": "oval:com.microsoft.cbl-mariner:obj:1643374850000429"
},
"State": {
"StateRef": "oval:com.microsoft.cbl-mariner:ste:1643374850000031"
}
},
{
"Check": "at least one",
"Comment": "Package mysql is installed with version 8.0.24 or earlier",
"ID": "oval:com.microsoft.cbl-mariner:tst:1643374850000854",
"Version": "1643374850",
"Object": {
"ObjectRef": "oval:com.microsoft.cbl-mariner:obj:1643374850000669"
},
"State": {
"StateRef": "oval:com.microsoft.cbl-mariner:ste:1643374850000670"
}
}
]
}

0
mariner/testdata/happy/README.md vendored Normal file
View File

0
mariner/testdata/happy/SECURITY.md vendored Normal file
View File

98
mariner/testdata/happy/cbl-mariner-1.0-oval.xml vendored Normal file
View File

@ -0,0 +1,98 @@
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 https://oval.mitre.org/language/version5.11/ovaldefinition/complete/oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 https://oval.mitre.org/language/version5.11/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux https://oval.mitre.org/language/version5.11/ovaldefinition/complete/linux-definitions-schema.xsd ">
<generator>
<oval:product_name>CBL-Mariner OVAL Definition Generator</oval:product_name>
<oval:product_version>8</oval:product_version>
<oval:schema_version>5.11</oval:schema_version>
<oval:timestamp>2022-01-28T13:00:49.330011518Z</oval:timestamp>
<oval:content_version>1643374849</oval:content_version>
</generator>
<definitions>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:3173" version="1643374849">
<metadata>
<title>CVE-2008-3914 affecting package clamav 0.101.2</title>
<affected family="unix">
<platform>CBL-Mariner</platform>
</affected>
<reference ref_id="CVE-2008-3914" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2008-3914" source="CVE"/>
<patchable>true</patchable>
<advisory_date>2021-05-06T23:56:51Z</advisory_date>
<advisory_id>3173</advisory_id>
<severity>Critical</severity>
<description>CVE-2008-3914 affecting package clamav 0.101.2. An upgraded version of the package is available that resolves this issue.</description>
</metadata>
<criteria operator="AND">
<criterion comment="Package clamav is earlier than 0.103.2-1, affected by CVE-2008-3914" test_ref="oval:com.microsoft.cbl-mariner:tst:1643374849000003"/>
</criteria>
</definition>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:4820" version="1643374849">
<metadata>
<title>CVE-2021-35942 affecting package glibc 2.28</title>
<affected family="unix">
<platform>CBL-Mariner</platform>
</affected>
<reference ref_id="CVE-2021-35942" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2021-35942" source="CVE"/>
<patchable>true</patchable>
<advisory_date>2021-08-11T06:39:32Z</advisory_date>
<advisory_id>4820</advisory_id>
<severity>Critical</severity>
<description>CVE-2021-35942 affecting package glibc 2.28. A patched version of the package is available.</description>
</metadata>
<criteria operator="AND">
<criterion comment="Package glibc is earlier than 2.28-19, affected by CVE-2021-35942" test_ref="oval:com.microsoft.cbl-mariner:tst:1643374849000145"/>
</criteria>
</definition>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:4209" version="1643374849">
<metadata>
<title>CVE-2018-25012 affecting package libwebp 1.0.0</title>
<affected family="unix">
<platform>CBL-Mariner</platform>
</affected>
<reference ref_id="CVE-2018-25012" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2018-25012" source="CVE"/>
<patchable>true</patchable>
<advisory_date>2021-06-09T03:50:29Z</advisory_date>
<advisory_id>4209</advisory_id>
<severity>Critical</severity>
<description>CVE-2018-25012 affecting package libwebp 1.0.0. An upgraded version of the package is available that resolves this issue.</description>
</metadata>
<criteria operator="AND">
<criterion comment="Package libwebp is earlier than 1.0.3-1, affected by CVE-2018-25012" test_ref="oval:com.microsoft.cbl-mariner:tst:1643374849000151"/>
</criteria>
</definition>
</definitions>
<tests>
<linux-def:rpminfo_test check="at least one" comment="Package clamav is earlier than 0.103.2-1, affected by CVE-2008-3914" id="oval:com.microsoft.cbl-mariner:tst:1643374849000003" version="1643374849">
<linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:1643374849000004"/>
<linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:1643374849000005"/>
</linux-def:rpminfo_test>
<linux-def:rpminfo_test check="at least one" comment="Package glibc is earlier than 2.28-19, affected by CVE-2021-35942" id="oval:com.microsoft.cbl-mariner:tst:1643374849000145" version="1643374849">
<linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:1643374849000051"/>
<linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:1643374849000146"/>
</linux-def:rpminfo_test>
<linux-def:rpminfo_test check="at least one" comment="Package libwebp is earlier than 1.0.3-1, affected by CVE-2018-25012" id="oval:com.microsoft.cbl-mariner:tst:1643374849000151" version="1643374849">
<linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:1643374849000067"/>
<linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:1643374849000068"/>
</linux-def:rpminfo_test>
</tests>
<objects>
<linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:1643374849000004" version="1643374849">
<linux-def:name>clamav</linux-def:name>
</linux-def:rpminfo_object>
<linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:1643374849000051" version="1643374849">
<linux-def:name>glibc</linux-def:name>
</linux-def:rpminfo_object>
<linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:1643374849000067" version="1643374849">
<linux-def:name>libwebp</linux-def:name>
</linux-def:rpminfo_object>
</objects>
<states>
<linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:1643374849000005" version="1643374849">
<linux-def:evr datatype="evr_string" operation="less than">0:0.103.2-1.cm1</linux-def:evr>
</linux-def:rpminfo_state>
<linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:1643374849000068" version="1643374849">
<linux-def:evr datatype="evr_string" operation="less than">0:1.0.3-1.cm1</linux-def:evr>
</linux-def:rpminfo_state>
<linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:1643374849000146" version="1643374849">
<linux-def:evr datatype="evr_string" operation="less than">0:2.28-19.cm1</linux-def:evr>
</linux-def:rpminfo_state>
</states>
</oval_definitions>

95
mariner/testdata/happy/cbl-mariner-2.0-preview-oval.xml vendored Normal file
View File

@ -0,0 +1,95 @@
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:linux-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 https://oval.mitre.org/language/version5.11/ovaldefinition/complete/oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 https://oval.mitre.org/language/version5.11/ovaldefinition/complete/oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux https://oval.mitre.org/language/version5.11/ovaldefinition/complete/linux-definitions-schema.xsd ">
<generator>
<oval:product_name>CBL-Mariner OVAL Definition Generator</oval:product_name>
<oval:product_version>8</oval:product_version>
<oval:schema_version>5.11</oval:schema_version>
<oval:timestamp>2022-01-28T13:00:50.306260678Z</oval:timestamp>
<oval:content_version>1643374850</oval:content_version>
</generator>
<definitions>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:6933" version="1643374850">
<metadata>
<title>CVE-2014-8139 affecting package unzip 6.0</title>
<affected family="unix">
<platform>CBL-Mariner</platform>
</affected>
<reference ref_id="CVE-2014-8139" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2014-8139" source="CVE"/>
<patchable>false</patchable>
<advisory_id>6933</advisory_id>
<severity>High</severity>
<description>CVE-2014-8139 affecting package unzip 6.0. No patch is available currently.</description>
</metadata>
<criteria operator="AND">
<criterion comment="Package unzip is installed with version 6.0 or earlier" test_ref="oval:com.microsoft.cbl-mariner:tst:1643374850000269"/>
</criteria>
</definition>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:7412" version="1643374850">
<metadata>
<title>CVE-2021-39924 affecting package wireshark 3.4.4</title>
<affected family="unix">
<platform>CBL-Mariner</platform>
</affected>
<reference ref_id="CVE-2021-39924" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2021-39924" source="CVE"/>
<patchable>false</patchable>
<advisory_id>7412</advisory_id>
<severity>High</severity>
<description>CVE-2021-39924 affecting package wireshark 3.4.4. No patch is available currently.</description>
</metadata>
<criteria operator="AND">
<criterion comment="Package wireshark is installed with version 3.4.4 or earlier" test_ref="oval:com.microsoft.cbl-mariner:tst:1643374850000435"/>
</criteria>
</definition>
<definition class="vulnerability" id="oval:com.microsoft.cbl-mariner:def:7700" version="1643374850">
<metadata>
<title>CVE-2022-21309 affecting package mysql 8.0.24</title>
<affected family="unix">
<platform>CBL-Mariner</platform>
</affected>
<reference ref_id="CVE-2022-21309" ref_url="https://nvd.nist.gov/vuln/detail/CVE-2022-21309" source="CVE"/>
<patchable>false</patchable>
<advisory_id>7700</advisory_id>
<severity>Medium</severity>
<description>CVE-2022-21309 affecting package mysql 8.0.24. No patch is available currently.</description>
</metadata>
<criteria operator="AND">
<criterion comment="Package mysql is installed with version 8.0.24 or earlier" test_ref="oval:com.microsoft.cbl-mariner:tst:1643374850000854"/>
</criteria>
</definition>
</definitions>
<tests>
<linux-def:rpminfo_test check="at least one" comment="Package unzip is installed with version 6.0 or earlier" id="oval:com.microsoft.cbl-mariner:tst:1643374850000269" version="1643374850">
<linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:1643374850000123"/>
<linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:1643374850000124"/>
</linux-def:rpminfo_test>
<linux-def:rpminfo_test check="at least one" comment="Package wireshark is installed with version 3.4.4 or earlier" id="oval:com.microsoft.cbl-mariner:tst:1643374850000435" version="1643374850">
<linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:1643374850000429"/>
<linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:1643374850000031"/>
</linux-def:rpminfo_test>
<linux-def:rpminfo_test check="at least one" comment="Package mysql is installed with version 8.0.24 or earlier" id="oval:com.microsoft.cbl-mariner:tst:1643374850000854" version="1643374850">
<linux-def:object object_ref="oval:com.microsoft.cbl-mariner:obj:1643374850000669"/>
<linux-def:state state_ref="oval:com.microsoft.cbl-mariner:ste:1643374850000670"/>
</linux-def:rpminfo_test>
</tests>
<objects>
<linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:1643374850000123" version="1643374850">
<linux-def:name>unzip</linux-def:name>
</linux-def:rpminfo_object>
<linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:1643374850000429" version="1643374850">
<linux-def:name>wireshark</linux-def:name>
</linux-def:rpminfo_object>
<linux-def:rpminfo_object id="oval:com.microsoft.cbl-mariner:obj:1643374850000669" version="1643374850">
<linux-def:name>mysql</linux-def:name>
</linux-def:rpminfo_object>
</objects>
<states>
<linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:1643374850000031" version="1643374850">
<linux-def:evr datatype="evr_string" operation="less than or equal">0:3.4.4-2.cm1</linux-def:evr>
</linux-def:rpminfo_state>
<linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:1643374850000124" version="1643374850">
<linux-def:evr datatype="evr_string" operation="less than or equal">0:6.0-19.cm1</linux-def:evr>
</linux-def:rpminfo_state>
<linux-def:rpminfo_state id="oval:com.microsoft.cbl-mariner:ste:1643374850000670" version="1643374850">
<linux-def:evr datatype="evr_string" operation="less than or equal">0:8.0.24-1.cm1</linux-def:evr>
</linux-def:rpminfo_state>
</states>
</oval_definitions>

1
mariner/testdata/sad/cbl-mariner-1.0-oval.xml vendored Normal file
View File

@ -0,0 +1 @@
<oval_definitions xmlns

114
mariner/types.go Normal file
View File

@ -0,0 +1,114 @@
package mariner
import "encoding/xml"
type OvalDefinitions struct {
XMLName xml.Name `xml:"oval_definitions" json:",omitempty"`
Xmlns string `xml:"xmlns,attr" json:",omitempty"`
Oval string `xml:"oval,attr" json:",omitempty"`
LinuxDef string `xml:"linux-def,attr" json:",omitempty"`
Xsi string `xml:"xsi,attr" json:",omitempty"`
SchemaLocation string `xml:"schemaLocation,attr" json:",omitempty"`
Generator Generator `xml:"generator" json:",omitempty"`
Definitions Definitions `xml:"definitions" json:",omitempty"`
Tests Tests `xml:"tests" json:",omitempty"`
Objects Objects `xml:"objects" json:",omitempty"`
States States `xml:"states" json:",omitempty"`
}
type Generator struct {
ProductName string `xml:"product_name" json:",omitempty"`
ProductVersion string `xml:"product_version" json:",omitempty"`
SchemaVersion string `xml:"schema_version" json:",omitempty"`
Timestamp string `xml:"timestamp" json:",omitempty"`
ContentVersion string `xml:"content_version" json:",omitempty"`
}
type Metadata struct {
Title string `xml:"title" json:",omitempty"`
Affected Affected `xml:"affected" json:",omitempty"`
Reference Reference `xml:"reference" json:",omitempty"`
Patchable string `xml:"patchable" json:",omitempty"`
AdvisoryDate string `xml:"advisory_date" json:",omitempty"`
AdvisoryID string `xml:"advisory_id" json:",omitempty"`
Severity string `xml:"severity" json:",omitempty"`
Description string `xml:"description" json:",omitempty"`
}
type Reference struct {
RefID string `xml:"ref_id,attr" json:",omitempty"`
RefURL string `xml:"ref_url,attr" json:",omitempty"`
Source string `xml:"source,attr" json:",omitempty"`
}
type Affected struct {
Family string `xml:"family,attr" json:",omitempty"`
Platform string `xml:"platform" json:",omitempty"`
}
type Definition struct {
Class string `xml:"class,attr" json:",omitempty"`
ID string `xml:"id,attr" json:",omitempty"`
Version string `xml:"version,attr" json:",omitempty"`
Metadata Metadata `xml:"metadata" json:",omitempty"`
Criteria Criteria `xml:"criteria" json:",omitempty"`
}
type Criteria struct {
Operator string `xml:"operator,attr" json:",omitempty"`
Criterion Criterion `xml:"criterion" json:",omitempty"`
}
type Criterion struct {
Comment string `xml:"comment,attr" json:",omitempty"`
TestRef string `xml:"test_ref,attr" json:",omitempty"`
}
type Definitions struct {
Definition []Definition `xml:"definition" json:",omitempty"`
}
type Tests struct {
RpminfoTests []RpminfoTest `xml:"rpminfo_test" json:",omitempty"`
}
type RpminfoTest struct {
Check string `xml:"check,attr" json:",omitempty"`
Comment string `xml:"comment,attr" json:",omitempty"`
ID string `xml:"id,attr" json:",omitempty"`
Version string `xml:"version,attr" json:",omitempty"`
Object Object `xml:"object" json:",omitempty"`
State State `xml:"state" json:",omitempty"`
}
type State struct {
StateRef string `xml:"state_ref,attr" json:",omitempty"`
}
type Object struct {
ObjectRef string `xml:"object_ref,attr" json:",omitempty"`
}
type Objects struct {
RpminfoObjects []RpminfoObject `xml:"rpminfo_object" json:",omitempty"`
}
type RpminfoObject struct {
ID string `xml:"id,attr" json:",omitempty"`
Version string `xml:"version,attr" json:",omitempty"`
Name string `xml:"name" json:",omitempty"`
}
type States struct {
RpminfoState []RpminfoState `xml:"rpminfo_state" json:",omitempty"`
}
type RpminfoState struct {
ID string `xml:"id,attr" json:",omitempty"`
Version string `xml:"version,attr" json:",omitempty"`
Evr Evr `xml:"evr" json:",omitempty"`
}
type Evr struct {
Text string `xml:",chardata" json:",omitempty"`
Datatype string `xml:"datatype,attr" json:",omitempty"`
Operation string `xml:"operation,attr" json:",omitempty"`
}