Support Amazon Linux AMI Security Advisory (#9)

* Support Amazon Linux AMI Security Advisory

* Update gorequest

* amazon: Add some basic testcases for Update() method.

This commmit adds a seam for Update()
to dependency inject for testing purposes.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* Add more tests

* amazon_test: Fix another lint issue

Signed-off-by: Simarpreet Singh <simar@linux.com>

amazon/amazon.go

@@ -0,0 +1,216 @@
+package amazon
+
+import (
+	"bufio"
+	"bytes"
+	"compress/gzip"
+	"encoding/xml"
+	"fmt"
+	"log"
+	"net/url"
+	"os"
+	"path"
+	"path/filepath"
+
+	"github.com/aquasecurity/vuln-list-update/utils"
+	"golang.org/x/xerrors"
+	"gopkg.in/cheggaaa/pb.v1"
+)
+
+const (
+	retry = 3
+
+	amazonDir = "amazon"
+)
+
+var (
+	LinuxMirrorListURI = map[string]string{
+		"1": "http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list",
+		"2": "https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list",
+	}
+)
+
+// RepoMd has repomd data
+type RepoMd struct {
+	RepoList []Repo `xml:"data"`
+}
+
+// Repo has a repo data
+type Repo struct {
+	Type     string   `xml:"type,attr"`
+	Location Location `xml:"location"`
+}
+
+// Location has a location of repomd
+type Location struct {
+	Href string `xml:"href,attr"`
+}
+
+// UpdateInfo has a list of ALAS
+type UpdateInfo struct {
+	ALASList []ALAS `xml:"update"`
+}
+
+// ALAS has detailed data of ALAS
+type ALAS struct {
+	ID          string      `xml:"id" json:"id,omitempty"`
+	Title       string      `xml:"title" json:"title,omitempty"`
+	Issued      Date        `xml:"issued" json:"issued,omitempty"`
+	Updated     Date        `xml:"updated" json:"updated,omitempty"`
+	Severity    string      `xml:"severity" json:"severity,omitempty"`
+	Description string      `xml:"description" json:"description,omitempty"`
+	Packages    []Package   `xml:"pkglist>collection>package" json:"packages,omitempty"`
+	References  []Reference `xml:"references>reference" json:"references,omitempty"`
+	CveIDs      []string    `json:"cveids,omitempty"`
+}
+
+// Updated has updated at
+type Date struct {
+	Date string `xml:"date,attr" json:"date,omitempty"`
+}
+
+// Reference has reference information
+type Reference struct {
+	Href  string `xml:"href,attr" json:"href,omitempty"`
+	ID    string `xml:"id,attr" json:"id,omitempty"`
+	Title string `xml:"title,attr" json:"title,omitempty"`
+	Type  string `xml:"type,attr" json:"type,omitempty"`
+}
+
+// Package has affected package information
+type Package struct {
+	Name     string `xml:"name,attr" json:"name,omitempty"`
+	Epoch    string `xml:"epoch,attr" json:"epoch,omitempty"`
+	Version  string `xml:"version,attr" json:"version,omitempty"`
+	Release  string `xml:"release,attr" json:"release,omitempty"`
+	Arch     string `xml:"arch,attr" json:"arch,omitempty"`
+	Filename string `xml:"filename" json:"filename,omitempty"`
+}
+
+type Config struct {
+	LinuxMirrorListURI map[string]string
+	VulnListDir        string
+}
+
+func (ac Config) Update() error {
+	// version = 1 or 2
+	for version, amznURL := range ac.LinuxMirrorListURI {
+		log.Printf("Fetching security advisories of Amazon Linux %s...\n", version)
+		if err := ac.update(version, amznURL); err != nil {
+			return xerrors.Errorf("failed to update security advisories of Amazon Linux %s: %w", version, err)
+		}
+	}
+	return nil
+}
+
+func (ac Config) update(version, url string) error {
+	vulns, err := fetchUpdateInfoAmazonLinux(url)
+	if err != nil {
+		return xerrors.Errorf("failed to fetch security advisories from Amazon Linux Security Center: %w", err)
+	}
+
+	bar := pb.StartNew(len(vulns.ALASList))
+	for _, alas := range vulns.ALASList {
+		dir := filepath.Join(ac.VulnListDir, amazonDir, version)
+		if err = os.MkdirAll(dir, os.ModePerm); err != nil {
+			return xerrors.Errorf("failed to mkdir: %w", err)
+		}
+		filePath := filepath.Join(dir, fmt.Sprintf("%s.json", alas.ID))
+		if err = utils.Write(filePath, alas); err != nil {
+			return xerrors.Errorf("failed to write Amazon CVE details: %w", err)
+		}
+		bar.Increment()
+	}
+	bar.Finish()
+
+	return nil
+
+}
+
+func fetchUpdateInfoAmazonLinux(mirrorListURL string) (uinfo *UpdateInfo, err error) {
+	body, err := utils.FetchURL(mirrorListURL, "", retry)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to fetch mirror list files: %w", err)
+	}
+
+	var mirrors []string
+	scanner := bufio.NewScanner(bytes.NewReader(body))
+	for scanner.Scan() {
+		mirrors = append(mirrors, scanner.Text())
+	}
+
+	for _, mirror := range mirrors {
+		u, err := url.Parse(mirror)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to parse mirror URL: %w")
+		}
+		originalPath := u.Path
+		u.Path = path.Join(u.Path, "/repodata/repomd.xml")
+
+		updateInfoPath, err := fetchUpdateInfoURL(u.String())
+		if err != nil {
+			log.Printf("Failed to fetch updateInfo URL: %s\n", err)
+			continue
+		}
+
+		u.Path = path.Join(originalPath, updateInfoPath)
+		uinfo, err := fetchUpdateInfo(u.String())
+		if err != nil {
+			log.Printf("Failed to fetch updateInfo: %s\n", err)
+			continue
+		}
+		return uinfo, nil
+	}
+	return nil, xerrors.New("Failed to fetch updateinfo")
+}
+
+func fetchUpdateInfoURL(mirror string) (updateInfoPath string, err error) {
+	res, err := utils.FetchURL(mirror, "", retry)
+	if err != nil {
+		return "", xerrors.Errorf("failed to fetch %s: %w", mirror, err)
+	}
+
+	var repoMd RepoMd
+	if err := xml.NewDecoder(bytes.NewBuffer(res)).Decode(&repoMd); err != nil {
+		return "", xerrors.Errorf("failed to decode repomd.xml: %w", err)
+	}
+
+	for _, repo := range repoMd.RepoList {
+		if repo.Type == "updateinfo" {
+			updateInfoPath = repo.Location.Href
+			fmt.Println(updateInfoPath)
+			break
+		}
+	}
+	if updateInfoPath == "" {
+		return "", xerrors.New("No updateinfo field in the repomd")
+	}
+	return updateInfoPath, nil
+}
+
+func fetchUpdateInfo(url string) (*UpdateInfo, error) {
+	res, err := utils.FetchURL(url, "", retry)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to fetch updateInfo: %w", err)
+	}
+	r, err := gzip.NewReader(bytes.NewBuffer(res))
+	if err != nil {
+		return nil, xerrors.Errorf("failed to decompress updateInfo: %w", err)
+	}
+	defer r.Close()
+
+	var updateInfo UpdateInfo
+	if err := xml.NewDecoder(r).Decode(&updateInfo); err != nil {
+		return nil, err
+	}
+	for i, alas := range updateInfo.ALASList {
+		var cveIDs []string
+		for _, ref := range alas.References {
+			if ref.Type == "cve" {
+				cveIDs = append(cveIDs, ref.ID)
+			}
+		}
+		updateInfo.ALASList[i].CveIDs = cveIDs
+	}
+	return &updateInfo, nil
+}

amazon/amazon_test.go

@@ -0,0 +1,115 @@
+package amazon_test
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/vuln-list-update/amazon"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Update(t *testing.T) {
+	testCases := []struct {
+		name          string
+		version       string
+		xmlFileName   string
+		gzipFileName  string
+		expectedError error
+	}{
+		{
+			name:          "1 item",
+			version:       "1", // Amazon Linux 1
+			xmlFileName:   "testdata/fixtures/repomd_valid.xml",
+			gzipFileName:  "testdata/fixtures/updateinfo_1_item.xml.gz",
+			expectedError: nil,
+		},
+		{
+			name:          "2 items",
+			version:       "2", // Amazon Linux 2
+			xmlFileName:   "testdata/fixtures/repomd_valid.xml",
+			gzipFileName:  "testdata/fixtures/updateinfo_2_items.xml.gz",
+			expectedError: nil,
+		},
+		{
+			name:          "bad XML response",
+			version:       "1", // Amazon Linux 1
+			xmlFileName:   "testdata/fixtures/repomd_invalid.xml",
+			expectedError: xerrors.Errorf("failed to update security advisories of Amazon Linux 1: %w", errors.New("failed to fetch security advisories from Amazon Linux Security Center: Failed to fetch updateinfo")),
+		},
+		{
+			name:          "bad gzip data response",
+			version:       "2", // Amazon Linux 2
+			xmlFileName:   "testdata/fixtures/repomd_valid.xml",
+			gzipFileName:  "testdata/fixtures/updateinfo_invalid.xml.gz",
+			expectedError: xerrors.Errorf("failed to update security advisories of Amazon Linux 2: %w", errors.New("failed to fetch security advisories from Amazon Linux Security Center: Failed to fetch updateinfo")),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tsUpdateInfoURL := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				switch {
+				case strings.HasSuffix(r.URL.Path, "repomd.xml"):
+					repomd, _ := ioutil.ReadFile(tc.xmlFileName)
+					_, _ = w.Write(repomd)
+				case strings.Contains(r.URL.Path, "updateinfo.xml.gz"):
+					buf, _ := ioutil.ReadFile(tc.gzipFileName)
+					_, _ = w.Write(buf)
+				default:
+					assert.Fail(t, "bad URL requested: ", r.URL.Path, tc.name)
+				}
+			}))
+			defer tsUpdateInfoURL.Close()
+
+			tsMirrorListURL := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				_, _ = fmt.Fprintln(w, tsUpdateInfoURL.URL)
+			}))
+			defer tsMirrorListURL.Close()
+
+			dir, _ := ioutil.TempDir("", "amazon")
+			defer os.RemoveAll(dir)
+
+			ac := amazon.Config{
+				LinuxMirrorListURI: map[string]string{
+					tc.version: tsMirrorListURL.URL,
+				},
+				VulnListDir: dir,
+			}
+
+			switch {
+			case tc.expectedError != nil:
+				assert.Equal(t, tc.expectedError.Error(), ac.Update().Error(), tc.name)
+			default:
+				assert.NoError(t, ac.Update(), tc.name)
+			}
+
+			err := filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error {
+				if info.IsDir() {
+					return nil
+				}
+				filename := filepath.Base(path)
+				golden := filepath.Join("testdata", filename+".golden")
+
+				want, err := ioutil.ReadFile(golden)
+				assert.Nil(t, err, "failed to open the golden file")
+
+				got, err := ioutil.ReadFile(path)
+				assert.Nil(t, err, "failed to open the result file")
+
+				assert.Equal(t, string(want), string(got))
+
+				return nil
+			})
+			assert.Nil(t, err, "filepath walk error")
+		})
+	}
+}

amazon/testdata/ALAS2-2018-939.json.golden

@@ -0,0 +1,134 @@
+{
+  "id": "ALAS2-2018-939",
+  "title": "Amazon Linux 2 2017.12 - ALAS2-2018-939: critical priority package update for kernel",
+  "issued": {
+    "date": "2018-01-11 21:05"
+  },
+  "updated": {
+    "date": "2018-01-16 01:28"
+  },
+  "severity": "critical",
+  "description": "Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:\nCVE-2017-5754:\n\t1519781: \nCVE-2017-5754 hw: cpu: speculative execution permission faults handling\nAn industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.\n\nCVE-2017-5715:\n\tAn industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor\u0026#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.\n1519780: \nCVE-2017-5715 hw: cpu: speculative execution branch target injection\n",
+  "packages": [
+    {
+      "name": "kernel",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/kernel-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "kernel-headers",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/kernel-headers-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "kernel-debuginfo-common-x86_64",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/kernel-debuginfo-common-x86_64-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "perf",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/perf-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "perf-debuginfo",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/perf-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "python-perf",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/python-perf-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "python-perf-debuginfo",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/python-perf-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "kernel-tools",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/kernel-tools-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "kernel-tools-devel",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/kernel-tools-devel-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "kernel-tools-debuginfo",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/kernel-tools-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "kernel-devel",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/kernel-devel-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "kernel-debuginfo",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "x86_64",
+      "filename": "Packages/kernel-debuginfo-4.9.76-38.79.amzn2.x86_64.rpm"
+    },
+    {
+      "name": "kernel-doc",
+      "epoch": "0",
+      "version": "4.9.76",
+      "release": "38.79.amzn2",
+      "arch": "noarch",
+      "filename": "Packages/kernel-doc-4.9.76-38.79.amzn2.noarch.rpm"
+    }
+  ],
+  "references": [
+    {
+      "href": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754",
+      "id": "CVE-2017-5754",
+      "type": "cve"
+    },
+    {
+      "href": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715",
+      "id": "CVE-2017-5715",
+      "type": "cve"
+    }
+  ],
+  "cveids": [
+    "CVE-2017-5754",
+    "CVE-2017-5715"
+  ]
+}

amazon/testdata/ALAS2-2018-942.json.golden

@@ -0,0 +1,64 @@
+{
+  "id": "ALAS2-2018-942",
+  "title": "Amazon Linux 2 2017.12 - ALAS2-2018-942: important priority package update for qemu-kvm",
+  "issued": {
+    "date": "2018-02-07 18:49"
+  },
+  "updated": {
+    "date": "2018-02-08 21:46"
+  },
+  "severity": "important",
+  "description": "Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:\nCVE-2017-5715:\n\tAn industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor\u0026#039;s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.\n1519780: \nCVE-2017-5715 hw: cpu: speculative execution branch target injection\n",
+  "packages": [
+    {
+      "name": "qemu-kvm",
+      "epoch": "10",
+      "version": "1.5.3",
+      "release": "141.amzn2.5.3",
+      "arch": "x86_64",
+      "filename": "Packages/qemu-kvm-1.5.3-141.amzn2.5.3.x86_64.rpm"
+    },
+    {
+      "name": "qemu-img",
+      "epoch": "10",
+      "version": "1.5.3",
+      "release": "141.amzn2.5.3",
+      "arch": "x86_64",
+      "filename": "Packages/qemu-img-1.5.3-141.amzn2.5.3.x86_64.rpm"
+    },
+    {
+      "name": "qemu-kvm-common",
+      "epoch": "10",
+      "version": "1.5.3",
+      "release": "141.amzn2.5.3",
+      "arch": "x86_64",
+      "filename": "Packages/qemu-kvm-common-1.5.3-141.amzn2.5.3.x86_64.rpm"
+    },
+    {
+      "name": "qemu-kvm-tools",
+      "epoch": "10",
+      "version": "1.5.3",
+      "release": "141.amzn2.5.3",
+      "arch": "x86_64",
+      "filename": "Packages/qemu-kvm-tools-1.5.3-141.amzn2.5.3.x86_64.rpm"
+    },
+    {
+      "name": "qemu-kvm-debuginfo",
+      "epoch": "10",
+      "version": "1.5.3",
+      "release": "141.amzn2.5.3",
+      "arch": "x86_64",
+      "filename": "Packages/qemu-kvm-debuginfo-1.5.3-141.amzn2.5.3.x86_64.rpm"
+    }
+  ],
+  "references": [
+    {
+      "href": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715",
+      "id": "CVE-2017-5715",
+      "type": "cve"
+    }
+  ],
+  "cveids": [
+    "CVE-2017-5715"
+  ]
+}

amazon/testdata/fixtures/repomd_invalid.xml

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
+</repomd>

amazon/testdata/fixtures/repomd_valid.xml

@@ -0,0 +1,56 @@
+<repomd xmlns="http://linux.duke.edu/metadata/repo">
+    <revision>1569972356</revision>
+    <data type="primary_db">
+        <checksum type="sha256">8508e3ed25587c08ec66683d13963e39f51a56f3450b5493516bf8421cd47bff</checksum>
+        <open-checksum type="sha256">396a9cbdb646ed3a1e7cb580c211c3403b7bf30fe5cc3b1d8b405f1027b78258</open-checksum>
+        <location href="repodata/primary.sqlite.gz" />
+        <timestamp>1569972344</timestamp>
+        <database_version>10</database_version>
+        <size>34874486</size>
+        <open-size>113115136</open-size>
+    </data>
+    <data type="group_gz">
+        <checksum type="sha256">292ba3f210d95fb15a968b84b97fab3789310f5752f5064d84a6c32f85d1a78d</checksum>
+        <open-checksum type="sha256">69110d76b72e33b949f5bb64d703747c443ef01e67df2becb00b1c9749bc2df8</open-checksum>
+        <location href="repodata/comps.xml.gz" />
+        <timestamp>1569972326</timestamp>
+        <database_version>10</database_version>
+        <size>2665</size>
+        <open-size>53915</open-size>
+    </data>
+    <data type="group">
+        <checksum type="sha256">69110d76b72e33b949f5bb64d703747c443ef01e67df2becb00b1c9749bc2df8</checksum>
+        <location href="repodata/comps.xml" />
+        <timestamp>1569972326</timestamp>
+        <database_version>10</database_version>
+        <size>53915</size>
+    </data>
+    <data type="updateinfo">
+        <checksum type="sha256">e6f569f8ed2246a6b06c0fef7cfd71560df02781327e31c38396ed358d591d48</checksum>
+        <open-checksum type="sha256">d00ca5a4fa4b40ea884c4510c76194c4b13da46fdf5863bcc81615efd7b1eafa</open-checksum>
+        <location href="repodata/updateinfo.xml.gz" />
+        <timestamp>1569972326</timestamp>
+        <database_version>10</database_version>
+        <size>146324</size>
+        <open-size>1494519</open-size>
+    </data>
+    <data type="other_db">
+        <checksum type="sha256">f4751307b3ec76d4f357981a5e862b735d309359b1b82df6047cb277e0e4cb1d</checksum>
+        <open-checksum type="sha256">7700a3225c49302a76d29712ccfe674966bf579438b7817d36e08ef337418c9f</open-checksum>
+        <location href="repodata/other.sqlite.gz" />
+        <timestamp>1569972356</timestamp>
+        <database_version>10</database_version>
+        <size>504</size>
+        <open-size>24576</open-size>
+    </data>
+    <data type="filelists_db">
+        <checksum type="sha256">c9221914c7d244c05f2f048b548a18f4d71409b3fa4bacef658e25b368142921</checksum>
+        <open-checksum type="sha256">b1d4a2f0c2f310411e49d489115db6cf234a334f622b5aa23b150834bf68cbf2</open-checksum>
+        <location href="repodata/filelists.sqlite.gz" />
+        <timestamp>1569972356</timestamp>
+        <database_version>10</database_version>
+        <size>31183664</size>
+        <open-size>130867200</open-size>
+    </data>
+</repomd>
+

go.mod

@@ -13,17 +13,16 @@ require (
 	github.com/mattn/go-colorable v0.1.1 // indirect
 	github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed
 	github.com/mattn/go-runewidth v0.0.4 // indirect
-	github.com/moul/http2curl v1.0.0 // indirect
-	github.com/parnurzeal/gorequest v0.2.15
+	github.com/parnurzeal/gorequest v0.2.16
 	github.com/pkg/errors v0.8.0 // indirect
 	github.com/simplereach/timeutils v1.2.0 // indirect
 	github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a // indirect
-	github.com/stretchr/objx v0.2.0 // indirect
-	github.com/stretchr/testify v1.3.0
+	github.com/stretchr/testify v1.4.0
 	golang.org/x/sys v0.0.0-20190412213103-97732733099d // indirect
 	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28
 	gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce // indirect
 	gopkg.in/yaml.v2 v2.2.2
+	moul.io/http2curl v1.0.0 // indirect
 )

go.sum

@@ -1,8 +1,7 @@
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83 h1:ukTLOeMC0aVxbJWVg6hOsVJ0VPIo8w++PbNsze/pqF8=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f h1:8GDPb0tCY8LQ+OJ3dbHb5sA6YZWXFORQYZx5sdsTlMs=
 github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/elazarl/goproxy/ext v0.0.0-20190421051319-9d40249d3c2f h1:AUj1VoZUfhPhOPHULCQQDnGhRelpFWHMLhQVWDsS0v4=
@@ -30,10 +29,8 @@ github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed h1:fCWISZq4YN
 github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed/go.mod h1:SDJ4hurDYyQ9/7nc+eCYtXqdufgK4Cq9TJlwPklqEYA=
 github.com/mattn/go-runewidth v0.0.4 h1:2BvfKmzob6Bmd4YsL0zygOqfdFnK7GR4QL06Do4/p7Y=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=
-github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
-github.com/parnurzeal/gorequest v0.2.15 h1:oPjDCsF5IkD4gUk6vIgsxYNaSgvAnIh1EJeROn3HdJU=
-github.com/parnurzeal/gorequest v0.2.15/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
+github.com/parnurzeal/gorequest v0.2.16 h1:T/5x+/4BT+nj+3eSknXmCTnEVGSzFzPGdpqmUVVZXHQ=
+github.com/parnurzeal/gorequest v0.2.16/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
 github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -45,11 +42,10 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykE
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
-github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
@@ -72,3 +68,5 @@ gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce h1:xcEWjVhvbDy+nHP67nPDDpbYrY
 gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
+moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=

main.go

@@ -9,6 +9,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/aquasecurity/vuln-list-update/amazon"
+
 	"github.com/aquasecurity/vuln-list-update/alpine"
 
 	"github.com/aquasecurity/vuln-list-update/debian"
@@ -106,6 +108,15 @@ func run() error {
 			return xerrors.Errorf("error in Alpine update: %w", err)
 		}
 		commitMsg = "Alpine Issue Tracker"
+	case "amazon":
+		ac := amazon.Config{
+			LinuxMirrorListURI: amazon.LinuxMirrorListURI,
+			VulnListDir:        utils.VulnListDir(),
+		}
+		if err := ac.Update(); err != nil {
+			return xerrors.Errorf("error in Amazon update: %w", err)
+		}
+		commitMsg = "Amazon Linux Security Center"
 	default:
 		return xerrors.New("unknown target")
 	}

utils/utils.go

@@ -121,7 +121,7 @@ func randInt() int {
 func fetchURL(url, apikey string) ([]byte, error) {
 	req := gorequest.New().Get(url)
 	if apikey != "" {
-		req.Header["api-key"] = apikey
+		req.Header.Add("api-key", apikey)
 	}
 	resp, body, err := req.Type("text").EndBytes()
 	if err != nil {