feat(amazon): add amazon linux 2022 (#166)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
DmitriyLewen 2022-07-04 13:35:10 +06:00 committed by GitHub
parent 8de30988bd
commit 93a59be88c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 555 additions and 128 deletions


@ -11,8 +11,10 @@ import (
"os"
"path"
"path/filepath"
"sort"
"github.com/aquasecurity/vuln-list-update/utils"
"golang.org/x/net/html/charset"
"golang.org/x/xerrors"
"gopkg.in/cheggaaa/pb.v1"
)
@ -20,81 +22,60 @@ import (
const (
retry = 3
amazonDir = "amazon"
amazonDir = "amazon"
al2022ReleasemdURI = "https://al2022-repos-us-west-2-9761ab97.s3.dualstack.us-west-2.amazonaws.com/core/releasemd.xml"
al2022MirrorListURIFormat = "https://al2022-repos-us-east-1-9761ab97.s3.dualstack.us-east-1.amazonaws.com/core/mirrors/%s/x86_64/mirror.list"
)
var (
LinuxMirrorListURI = map[string]string{
mirrorListURI = map[string]string{
"1": "http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list",
"2": "https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list",
}
)
// RepoMd has repomd data
type RepoMd struct {
RepoList []Repo `xml:"data"`
}
// Repo has a repo data
type Repo struct {
Type string `xml:"type,attr"`
Location Location `xml:"location"`
}
// Location has a location of repomd
type Location struct {
Href string `xml:"href,attr"`
}
// UpdateInfo has a list of ALAS
type UpdateInfo struct {
ALASList []ALAS `xml:"update"`
}
// ALAS has detailed data of ALAS
type ALAS struct {
ID string `xml:"id" json:"id,omitempty"`
Title string `xml:"title" json:"title,omitempty"`
Issued Date `xml:"issued" json:"issued,omitempty"`
Updated Date `xml:"updated" json:"updated,omitempty"`
Severity string `xml:"severity" json:"severity,omitempty"`
Description string `xml:"description" json:"description,omitempty"`
Packages []Package `xml:"pkglist>collection>package" json:"packages,omitempty"`
References []Reference `xml:"references>reference" json:"references,omitempty"`
CveIDs []string `json:"cveids,omitempty"`
}
// Updated has updated at
type Date struct {
Date string `xml:"date,attr" json:"date,omitempty"`
}
// Reference has reference information
type Reference struct {
Href string `xml:"href,attr" json:"href,omitempty"`
ID string `xml:"id,attr" json:"id,omitempty"`
Title string `xml:"title,attr" json:"title,omitempty"`
Type string `xml:"type,attr" json:"type,omitempty"`
}
// Package has affected package information
type Package struct {
Name string `xml:"name,attr" json:"name,omitempty"`
Epoch string `xml:"epoch,attr" json:"epoch,omitempty"`
Version string `xml:"version,attr" json:"version,omitempty"`
Release string `xml:"release,attr" json:"release,omitempty"`
Arch string `xml:"arch,attr" json:"arch,omitempty"`
Filename string `xml:"filename" json:"filename,omitempty"`
}
type Config struct {
LinuxMirrorListURI map[string]string
VulnListDir string
mirrorListURI map[string]string
vulnListDir string
al2022ReleasemdURI string
al2022MirrorListURIFormat string
}
type option func(*Config)
// With takes some internal values for testing
func With(mirrorListURI map[string]string, vulnListDir, al2022ReleasemdURI, al2022MirrorListURIFormat string) option {
return func(opts *Config) {
opts.mirrorListURI = mirrorListURI
opts.vulnListDir = vulnListDir
opts.al2022ReleasemdURI = al2022ReleasemdURI
opts.al2022MirrorListURIFormat = al2022MirrorListURIFormat
}
}
func NewConfig(opts ...option) *Config {
config := &Config{
mirrorListURI: mirrorListURI,
vulnListDir: utils.VulnListDir(),
al2022MirrorListURIFormat: al2022MirrorListURIFormat,
al2022ReleasemdURI: al2022ReleasemdURI,
}
for _, opt := range opts {
opt(config)
}
return config
}
func (ac Config) Update() error {
// version = 1 or 2
for version, amznURL := range ac.LinuxMirrorListURI {
mirrorList2022, err := fetchAmazonLinux2022MirrorList(ac.al2022ReleasemdURI, ac.al2022MirrorListURIFormat)
if err != nil {
return xerrors.Errorf("failed to fetch mirror list of Amazon Linux 2022: %w", err)
}
ac.mirrorListURI["2022"] = mirrorList2022
for version, amznURL := range ac.mirrorListURI {
log.Printf("Fetching security advisories of Amazon Linux %s...\n", version)
if err := ac.update(version, amznURL); err != nil {
return xerrors.Errorf("failed to update security advisories of Amazon Linux %s: %w", version, err)
@ -104,7 +85,7 @@ func (ac Config) Update() error {
}
func (ac Config) update(version, url string) error {
dir := filepath.Join(ac.VulnListDir, amazonDir, version)
dir := filepath.Join(ac.vulnListDir, amazonDir, version)
if err := os.RemoveAll(dir); err != nil {
return xerrors.Errorf("unable to remove amazon directory: %w", err)
}
@ -217,3 +198,33 @@ func fetchUpdateInfo(url string) (*UpdateInfo, error) {
}
return &updateInfo, nil
}
func fetchAmazonLinux2022MirrorList(url, format string) (string, error) {
res, err := utils.FetchURL(url, "", retry)
if err != nil {
return "", xerrors.Errorf("Failed to fetch releasemd.xml for AL2022. url: %s, err: %w", al2022ReleasemdURI, err)
}
var root Root
// releasemd file has typo: encoding="utf8" instead of "utf-8"
// https://stackoverflow.com/a/32224438
decoder := xml.NewDecoder(bytes.NewBuffer(res))
decoder.CharsetReader = charset.NewReaderLabel
if err := decoder.Decode(&root); err != nil {
return "", xerrors.Errorf("failed to decode releasemd.xml: %w", err)
}
var versions []string
for _, release := range root.Releases.Release {
versions = append(versions, release.Version)
}
if len(versions) == 0 {
return "", xerrors.Errorf("list of Amazon Linux releases is empty")
}
// latest release contains all recommendations from previous releases
// version format like "2022.0.20220531"
sort.Strings(versions)
return fmt.Sprintf(format, versions[len(versions)-1]), nil
}
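Review bot: In `fetchAmazonLinux2022MirrorList`, every `release.Version` attribute read from the fetched releasemd.xml is appended unchecked and the winner is formatted straight into the mirror-list URL, so the remote document alone decides which path is requested next. Checking the shape before use keeps an unexpected value out of the URL, e.g. `if !al2022VersionRe.MatchString(release.Version) { continue }` with a new package-level pattern for the `2022.0.20220531` form named in the comment (exact pattern for the authors to confirm). `sort.Strings` is a lexical sort, so it would stop selecting the newest release if the middle component ever reaches two digits; comparing parsed components avoids that. Separately, the first `xerrors.Errorf` prints the package constant `al2022ReleasemdURI` rather than the `url` argument, which misreports the address whenever `With` overrides it: `... url: %s, err: %w", url, err)`.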


@ -3,7 +3,6 @@ package amazon_test
import (
"errors"
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"os"
@ -11,108 +10,108 @@ import (
"strings"
"testing"
"github.com/stretchr/testify/require"
"golang.org/x/xerrors"
"github.com/aquasecurity/vuln-list-update/amazon"
"github.com/stretchr/testify/assert"
)
func Test_Update(t *testing.T) {
func TestConfig_Update(t *testing.T) {
testCases := []struct {
name string
version string
xmlFileName string
gzipFileName string
expectedError error
name string
repomdXmlFileName string
releasemdXmlFileName string
gzipFileNames map[string]string
wantErr error
}{
{
name: "1 item",
version: "1", // Amazon Linux 1
xmlFileName: "testdata/fixtures/repomd_valid.xml",
gzipFileName: "testdata/fixtures/updateinfo_1_item.xml.gz",
expectedError: nil,
name: "happy path",
repomdXmlFileName: "testdata/fixtures/repomd_valid.xml",
releasemdXmlFileName: "testdata/fixtures/releasemd_valid.xml",
gzipFileNames: map[string]string{
"1": "testdata/fixtures/updateinfo_1_item.xml.gz",
"2": "testdata/fixtures/updateinfo_2_items.xml.gz",
"2022": "testdata/fixtures/updateinfo_AL2022.xml.gz",
},
wantErr: nil,
},
{
name: "2 items",
version: "2", // Amazon Linux 2
xmlFileName: "testdata/fixtures/repomd_valid.xml",
gzipFileName: "testdata/fixtures/updateinfo_2_items.xml.gz",
expectedError: nil,
name: "bad repomd XML response",
repomdXmlFileName: "testdata/fixtures/repomd_invalid.xml",
releasemdXmlFileName: "testdata/fixtures/releasemd_valid.xml",
wantErr: xerrors.Errorf("failed to update security advisories of Amazon Linux 2022: %w", errors.New("failed to fetch security advisories from Amazon Linux Security Center: Failed to fetch updateinfo")),
},
{
name: "bad XML response",
version: "1", // Amazon Linux 1
xmlFileName: "testdata/fixtures/repomd_invalid.xml",
expectedError: xerrors.Errorf("failed to update security advisories of Amazon Linux 1: %w", errors.New("failed to fetch security advisories from Amazon Linux Security Center: Failed to fetch updateinfo")),
name: "bad releasemd XML response",
releasemdXmlFileName: "testdata/fixtures/releasemd_invalid.xml",
wantErr: xerrors.Errorf("failed to fetch mirror list of Amazon Linux 2022: list of Amazon Linux releases is empty"),
},
{
name: "bad gzip data response",
version: "2", // Amazon Linux 2
xmlFileName: "testdata/fixtures/repomd_valid.xml",
gzipFileName: "testdata/fixtures/updateinfo_invalid.xml.gz",
expectedError: xerrors.Errorf("failed to update security advisories of Amazon Linux 2: %w", errors.New("failed to fetch security advisories from Amazon Linux Security Center: Failed to fetch updateinfo")),
name: "bad gzip data response",
repomdXmlFileName: "testdata/fixtures/repomd_valid.xml",
releasemdXmlFileName: "testdata/fixtures/releasemd_valid.xml",
gzipFileNames: map[string]string{
"1": "testdata/fixtures/updateinfo_invalid.xml.gz",
},
wantErr: xerrors.Errorf("failed to update security advisories of Amazon Linux 1: %w", errors.New("failed to fetch security advisories from Amazon Linux Security Center: Failed to fetch updateinfo")),
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
tsUpdateInfoURL := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch {
case strings.HasSuffix(r.URL.Path, "repomd.xml"):
repomd, _ := ioutil.ReadFile(tc.xmlFileName)
case strings.HasSuffix(r.URL.Path, "/releasemd.xml"):
buf, _ := os.ReadFile(tc.releasemdXmlFileName)
_, _ = w.Write(buf)
case strings.HasPrefix(r.URL.Path, "/2022/2022"):
// Check if the latest release is properly taken
assert.Equal(t, r.URL.Path, "/2022/2022.0.20220531/mirror.list")
fallthrough
case strings.HasSuffix(r.URL.Path, "/mirror.list"):
fmt.Println(r.URL.Path)
_, _ = fmt.Fprintf(w, "http://%s/%s", r.Host, getVersionFromURL(r.URL.Path))
case strings.HasSuffix(r.URL.Path, "/repomd.xml"):
repomd, _ := os.ReadFile(tc.repomdXmlFileName)
_, _ = w.Write(repomd)
case strings.Contains(r.URL.Path, "updateinfo.xml.gz"):
buf, _ := ioutil.ReadFile(tc.gzipFileName)
buf, _ := os.ReadFile(tc.gzipFileNames[getVersionFromURL(r.URL.Path)])
_, _ = w.Write(buf)
default:
assert.Fail(t, "bad URL requested: ", r.URL.Path, tc.name)
}
}))
defer tsUpdateInfoURL.Close()
defer ts.Close()
tsMirrorListURL := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
_, _ = fmt.Fprintln(w, tsUpdateInfoURL.URL)
}))
defer tsMirrorListURL.Close()
tmpDir := t.TempDir()
dir, _ := ioutil.TempDir("", "amazon")
defer os.RemoveAll(dir)
amazonDir := filepath.Join(dir, "amazon", tc.version)
err := os.MkdirAll(amazonDir, 0777)
require.NoError(t, err)
// this file must be removed
err = ioutil.WriteFile(filepath.Join(amazonDir, "dummy.json"), []byte(`dummy`), 0666)
require.NoError(t, err, "failed to create a dummy file")
ac := amazon.Config{
LinuxMirrorListURI: map[string]string{
tc.version: tsMirrorListURL.URL,
},
VulnListDir: dir,
mirrorList := map[string]string{}
for key := range tc.gzipFileNames {
if key != "2022" { // only for AL 1 and AL 2. AL 2022 gets mirror list from releasemd.xml
mirrorList[key] = fmt.Sprintf("%s/%s/mirror.list", ts.URL, key)
}
}
ac := amazon.NewConfig(amazon.With(mirrorList, tmpDir, ts.URL+"/releasemd.xml", ts.URL+"/2022/%s/mirror.list"))
switch {
case tc.expectedError != nil:
assert.Equal(t, tc.expectedError.Error(), ac.Update().Error(), tc.name)
case tc.wantErr != nil:
assert.Equal(t, tc.wantErr.Error(), ac.Update().Error(), tc.name)
default:
assert.NoError(t, ac.Update(), tc.name)
}
err = filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error {
err := filepath.Walk(tmpDir, func(path string, info os.FileInfo, errfp error) error {
if info.IsDir() {
return nil
}
filename := filepath.Base(path)
golden := filepath.Join("testdata", filename+".golden")
want, err := ioutil.ReadFile(golden)
want, err := os.ReadFile(golden)
assert.NoError(t, err, "failed to open the golden file")
got, err := ioutil.ReadFile(path)
got, err := os.ReadFile(path)
assert.NoError(t, err, "failed to open the result file")
assert.Equal(t, string(want), string(got))
@ -123,3 +122,9 @@ func Test_Update(t *testing.T) {
})
}
}
// urlPath like '/2022/repodata/repomd.xml'
func getVersionFromURL(urlPath string) string {
v := strings.Split(urlPath, "/")
return v[1]
}
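Review bot: The "bad gzip data response" case looks order-dependent: `Update` ranges over a map holding both "1" and the "2022" entry it adds itself, and this case supplies no "2022" fixture, so `tc.gzipFileNames["2022"]` is empty and the discarded `os.ReadFile` error becomes an empty response body. If the 2022 entry is visited first, the returned error would presumably name Amazon Linux 2022 instead of the expected Amazon Linux 1 (the rest of the update path is outside this diff, so this is inferred). Adding `"2022": "testdata/fixtures/updateinfo_AL2022.xml.gz",` to that case's `gzipFileNames` leaves version 1 as the only failing input. The handler would also be easier to debug if the `buf, _ := os.ReadFile(...)` results were checked with `assert.NoError`, and `fmt.Println(r.URL.Path)` reads like a leftover debug print.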


@ -0,0 +1,298 @@
{
"id": "ALAS2022-2021-001",
"title": "Amazon Linux 2022 - ALAS2022-2021-001: medium priority package update for vim",
"issued": {
"date": "2021-10-26 02:25"
},
"updated": {
"date": "2021-10-27 00:24"
},
"severity": "medium",
"description": "Package updates are available for Amazon Linux 2022 that fix the following vulnerabilities:\nCVE-2021-3875:\n\tThere's an out-of-bounds read flaw in Vim's ex_docmd.c. An attacker who is capable of tricking a user into opening a specially crafted file could trigger an out-of-bounds read on a memmove operation, potentially causing an impact to application availability.\n2014661: CVE-2021-3875 vim: heap-based buffer overflow\n\nCVE-2021-3872:\n\tAn out-of-bounds write flaw was found in vim's drawscreen.c win_redr_status() function. This flaw allows an attacker to trick a user to open a crafted file with specific arguments in vim, triggering an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.\n2016056: CVE-2021-3872 vim: heap-based buffer overflow in win_redr_status() drawscreen.c\n\nCVE-2021-3796:\n\tA use-after-free vulnerability in vim could allow an attacker to input a specially crafted file leading to memory corruption and a potentially exploitable crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n2004728: CVE-2021-3796 vim: use-after-free in nv_replace() in normal.c\n\nCVE-2021-3778:\n\tA flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n2004621: CVE-2021-3778 vim: heap-based buffer overflow in utf_ptr2char() in mbyte.c\n",
"packages": [
{
"name": "vim-X11-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-X11-debuginfo-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-common-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-common-debuginfo-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-debugsource",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-debugsource-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-default-editor",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "noarch",
"filename": "Packages/vim-default-editor-8.2.3512-1.amzn2022.noarch.rpm"
},
{
"name": "vim-minimal",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-minimal-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-debuginfo-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-minimal-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-minimal-debuginfo-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-enhanced",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-enhanced-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-filesystem",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "noarch",
"filename": "Packages/vim-filesystem-8.2.3512-1.amzn2022.noarch.rpm"
},
{
"name": "vim-enhanced-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-enhanced-debuginfo-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-X11",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-X11-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-common",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "x86_64",
"filename": "Packages/vim-common-8.2.3512-1.amzn2022.x86_64.rpm"
},
{
"name": "vim-enhanced-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-enhanced-debuginfo-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-X11-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-X11-debuginfo-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-debugsource",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-debugsource-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-common",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-common-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-X11",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-X11-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-enhanced",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-enhanced-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-minimal-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-minimal-debuginfo-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-minimal",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-minimal-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-debuginfo-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-common-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "i686",
"filename": "Packages/vim-common-debuginfo-8.2.3512-1.amzn2022.i686.rpm"
},
{
"name": "vim-X11-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-X11-debuginfo-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-common-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-common-debuginfo-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-debuginfo-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-enhanced-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-enhanced-debuginfo-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-enhanced",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-enhanced-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-minimal",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-minimal-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-X11",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-X11-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-minimal-debuginfo",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-minimal-debuginfo-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-debugsource",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-debugsource-8.2.3512-1.amzn2022.aarch64.rpm"
},
{
"name": "vim-common",
"epoch": "2",
"version": "8.2.3512",
"release": "1.amzn2022",
"arch": "aarch64",
"filename": "Packages/vim-common-8.2.3512-1.amzn2022.aarch64.rpm"
}
],
"references": [
{
"href": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3778",
"id": "CVE-2021-3778",
"type": "cve"
},
{
"href": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3796",
"id": "CVE-2021-3796",
"type": "cve"
},
{
"href": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3872",
"id": "CVE-2021-3872",
"type": "cve"
},
{
"href": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3875",
"id": "CVE-2021-3875",
"type": "cve"
}
],
"cveids": [
"CVE-2021-3778",
"CVE-2021-3796",
"CVE-2021-3872",
"CVE-2021-3875"
]
}


@ -0,0 +1,3 @@
<?xml version="1.0" encoding="utf8"?>
<root>
</root>


@ -0,0 +1,41 @@
<?xml version="1.0" encoding="utf8"?>
<root>
<releases>
<release version="2022.0.20220518">
<update>
<name>2022.0.20220531</name>
<version_string>2022.0.20220531</version_string>
<release_notes>https://aws.amazon.com</release_notes>
</update>
</release>
<release version="2022.0.20220531">
<update>
<name>2022.0.20220628</name>
<version_string>2022.0.20220628</version_string>
<release_notes>https://aws.amazon.com</release_notes>
</update>
</release>
</releases>
<release version="2022.0.20220419">
<update>
<name>2022.0.20220504</name>
<version_string>2022.0.20220504</version_string>
<release_notes>https://aws.amazon.com</release_notes>
</update>
<update>
<name>2022.0.20220518</name>
<version_string>2022.0.20220518</version_string>
<release_notes>https://aws.amazon.com</release_notes>
</update>
<update>
<name>2022.0.20220531</name>
<version_string>2022.0.20220531</version_string>
<release_notes>https://aws.amazon.com</release_notes>
</update>
<update>
<name>2022.0.20220628</name>
<version_string>2022.0.20220628</version_string>
<release_notes>https://aws.amazon.com</release_notes>
</update>
</release>
</root>

Binary file not shown.

71
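--- a/amazon/types.go
+++ b/amazon/types.go
@@ -0,0 +1,71 @@
+package amazon
+// RepoMd has repomd data
+type RepoMd struct {
+RepoList []Repo `xml:"data"`
+}
+// Repo has a repo data
+type Repo struct {
+Type string `xml:"type,attr"`
+Location Location `xml:"location"`
+}
+// Location has a location of repomd
+type Location struct {
+Href string `xml:"href,attr"`
+}
+// UpdateInfo has a list of ALAS
+type UpdateInfo struct {
+ALASList []ALAS `xml:"update"`
+}
+// ALAS has detailed data of ALAS
+type ALAS struct {
+ID string `xml:"id" json:"id,omitempty"`
+Title string `xml:"title" json:"title,omitempty"`
+Issued Date `xml:"issued" json:"issued,omitempty"`
+Updated Date `xml:"updated" json:"updated,omitempty"`
+Severity string `xml:"severity" json:"severity,omitempty"`
+Description string `xml:"description" json:"description,omitempty"`
+Packages []Package `xml:"pkglist>collection>package" json:"packages,omitempty"`
+References []Reference `xml:"references>reference" json:"references,omitempty"`
+CveIDs []string `json:"cveids,omitempty"`
+}
+// Updated has updated at
+type Date struct {
+Date string `xml:"date,attr" json:"date,omitempty"`
+}
+// Reference has reference information
+type Reference struct {
+Href string `xml:"href,attr" json:"href,omitempty"`
+ID string `xml:"id,attr" json:"id,omitempty"`
+Title string `xml:"title,attr" json:"title,omitempty"`
+Type string `xml:"type,attr" json:"type,omitempty"`
+}
+// Package has affected package information
+type Package struct {
+Name string `xml:"name,attr" json:"name,omitempty"`
+Epoch string `xml:"epoch,attr" json:"epoch,omitempty"`
+Version string `xml:"version,attr" json:"version,omitempty"`
+Release string `xml:"release,attr" json:"release,omitempty"`
+Arch string `xml:"arch,attr" json:"arch,omitempty"`
+Filename string `xml:"filename" json:"filename,omitempty"`
+}
+// Root has list of releases
+type Root struct {
+Releases Releases `xml:"releases"`
+}
+type Releases struct {
+Release []Release `xml:"release"`
+}
+type Release struct {
+Version string `xml:"version,attr"`
+}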
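Review bot: The new exported types `Releases` and `Release` have no doc comment, and the comment carried over above `Date` still reads `// Updated has updated at`, which names a different identifier. Suggested comments: `// Date holds the date attribute of an issued or updated element`, `// Releases wraps the release elements of releasemd.xml`, `// Release holds the version attribute of one release element`. `Root` is a very generic name for an exported type in package amazon, so its comment could state that it is the releasemd.xml document root.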

2
go.mod

@ -16,6 +16,7 @@ require (
github.com/spf13/afero v1.8.2
github.com/stretchr/testify v1.7.5
golang.org/x/exp v0.0.0-20220321124402-2d6d886f8a82
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f
golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1
golang.org/x/vuln v0.0.0-20211215213114-5e054cb3e47e
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
@ -62,7 +63,6 @@ require (
github.com/ulikunitz/xz v0.5.8 // indirect
go.opencensus.io v0.23.0 // indirect
golang.org/x/mod v0.6.0-dev.0.20211013180041-c96bc1413d57 // indirect
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
golang.org/x/text v0.3.7 // indirect


@ -4,13 +4,14 @@ import (
"context"
"flag"
"fmt"
"github.com/aquasecurity/vuln-list-update/kevc"
"log"
"os"
"strconv"
"strings"
"time"
"github.com/aquasecurity/vuln-list-update/kevc"
githubql "github.com/shurcooL/githubv4"
"golang.org/x/oauth2"
"golang.org/x/xerrors"
@ -139,10 +140,7 @@ func run() error {
}
commitMsg = "Alpine Secfixes Tracker"
case "amazon":
ac := amazon.Config{
LinuxMirrorListURI: amazon.LinuxMirrorListURI,
VulnListDir: utils.VulnListDir(),
}
ac := amazon.NewConfig()
if err := ac.Update(); err != nil {
return xerrors.Errorf("Amazon Linux update error: %w", err)
}