fix(alpine): handle security fixes (#35)

* test(alpine): add a failing test

* fix(alpine): handle security fixes
This commit is contained in:
Teppei Fukuda 2020-06-29 20:54:35 +03:00 committed by GitHub
parent 478299d366
commit 95bdc43aeb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 95 additions and 3 deletions


@ -190,6 +190,12 @@ func (c Config) buildAdvisories(secFixes map[string][]string, release string, pk
if strings.HasPrefix(id, "CVE_") {
id = strings.ReplaceAll(id, "_", "-")
}
// reject invalid vulnerability IDs
// e.g. CVE N/A
if !strings.Contains(id, "-") {
continue
}
advisory := Advisory{
VulnerabilityID: id,
Release: release,
@ -255,10 +261,10 @@ func (c Config) parseSecFixes(content string) (secFixes map[string][]string, err
//# 2.4.10-r0:
//# - CVE-2018-12086
//# - CVE-2018-18225
if strings.HasPrefix(line, "# secfixes:") {
if strings.HasPrefix(line, "# secfixes:") ||
strings.HasPrefix(strings.ToLower(line), "# security fixes:") {
// e.g. # secfixes:ss
line = line[:strings.Index(line, ":")+1]
secfixesStr := strings.TrimPrefix(line, "# ")
secfixesStr := "secfixes:"
for i+1 < len(lines) && strings.HasPrefix(lines[i+1], "# ") {
// Fix invalid yaml
tmp := strings.TrimLeft(lines[i+1], "#")
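Review bot: The two header prefixes in the new condition are matched inconsistently: `# secfixes:` is compared case-sensitively while `# security fixes:` is checked against strings.ToLower(line), so a `# Secfixes:` header is still skipped while `# Security Fixes:` is accepted. Lower-casing once and testing both prefixes against it makes the rule uniform: `lower := strings.ToLower(line)` followed by `if strings.HasPrefix(lower, "# secfixes:") || strings.HasPrefix(lower, "# security fixes:") {`. The example comment just above the check still documents only the `# secfixes:` form; adding a `//# security fixes:` line beside it would keep the comment in step with the alternate header the code now accepts. In the first hunk the new `continue` drops malformed IDs such as `CVE N/A` silently; a debug-level log naming the rejected id would make such entries visible when a secfixes block is mis-parsed. Both parseSecFixes and buildAdvisories start and end outside their hunks.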


@ -106,6 +106,15 @@ func TestParseSecFixes(t *testing.T) {
"2.6.6-r0": {"CVE-2019-5717", "CVE-2019-5718", "CVE-2019-5719", "CVE-2019-5721"},
},
},
{
file: "testdata/aports/main/libssh2/APKBUILD",
pkgVer: "1.9.0",
pkgRel: "1",
secFixes: map[string][]string{
"1.9.0-r1": {"CVE-2019-17498"},
"1.9.0-r0": {"CVE-2019-13115"},
},
},
}
for _, v := range vectors {
@ -237,6 +246,9 @@ func TestWalkApkBuild(t *testing.T) {
{FixedVersion: "3.0.19-r0", VulnerabilityID: "CVE-2019-11234", Release: "1.0.0", Package: "freeradius", Repository: "main"},
{FixedVersion: "3.0.19-r0", VulnerabilityID: "CVE-2019-11235", Release: "1.0.0", Package: "freeradius", Repository: "main"},
{FixedVersion: "1.9.0-r0", VulnerabilityID: "CVE-2019-13115", Release: "1.0.0", Package: "libssh2", Repository: "main"},
{FixedVersion: "1.9.0-r1", VulnerabilityID: "CVE-2019-17498", Release: "1.0.0", Package: "libssh2", Repository: "main"},
{FixedVersion: "1.7.3-r0", VulnerabilityID: "CVE-2019-9917", Release: "1.0.0", Package: "znc", Repository: "community"},
{FixedVersion: "1.7.1-r0", VulnerabilityID: "CVE-2018-14055", Release: "1.0.0", Package: "znc", Repository: "community"},
{FixedVersion: "1.7.1-r0", VulnerabilityID: "CVE-2018-14056", Release: "1.0.0", Package: "znc", Repository: "community"},
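Review bot: The new libssh2 vector exercises the `# security fixes:` header only in the exact lowercase spelling used by the fixture, so the case-insensitive comparison the fix adds to parseSecFixes is not actually covered by either test. A second fixture under testdata with a capitalised `# Security Fixes:` header, added as one more entry in the vectors table, would pin the case-folding behaviour and catch a regression to a plain case-sensitive check. The `# secfixes:` spelling, which the new code still matches case-sensitively, would deserve the same treatment if that is intended. TestParseSecFixes and TestWalkApkBuild both start and end outside the hunks.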


@ -0,0 +1,54 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libssh2
pkgver=1.9.0
pkgrel=1
pkgdesc="library for accessing ssh1/ssh2 protocol servers"
url="https://libssh2.org/"
arch="all"
license="BSD-3-Clause"
makedepends="openssl-dev zlib-dev"
subpackages="$pkgname-dbg $pkgname-static $pkgname-dev $pkgname-doc"
source="http://www.libssh2.org/download/libssh2-$pkgver.tar.gz
CVE-2019-17498.patch
"
# security fixes:
# 1.9.0-r1:
# - CVE-2019-17498
# 1.9.0-r0:
# - CVE-2019-13115
build() {
cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--localstatedir=/var
make
}
check() {
cd "$builddir"
make check
}
package() {
cd "$builddir"
make DESTDIR="$pkgdir" install
}
static() {
depends=""
pkgdesc="$pkgdesc (static library)"
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/*.a "$subpkgdir"/usr/lib
}
sha512sums="41a3ebcf84e32eab69b7411ffb0a3b6e6db71491c968602b17392cfe3490ef00239726ec28acb3d25bf0ed62700db7f4d0bb5a9175618f413865f40badca6e17 libssh2-1.9.0.tar.gz
fedd840ec8459409c80ef3984f3539e09c0730fb1a7ccc8034e3e03618590a5c0589b7dff132c813b148be9f5b784d3cd50830c502d419af77ce86e848297813 CVE-2019-17498.patch"


@ -0,0 +1,10 @@
{
"IssueID": 0,
"VulnerabilityID": "CVE-2019-13115",
"Release": "branch1",
"Package": "libssh2",
"Repository": "main",
"FixedVersion": "1.9.0-r0",
"Subject": "",
"Description": ""
}


@ -0,0 +1,10 @@
{
"IssueID": 0,
"VulnerabilityID": "CVE-2019-17498",
"Release": "branch1",
"Package": "libssh2",
"Repository": "main",
"FixedVersion": "1.9.0-r1",
"Subject": "",
"Description": ""
}