220 lines
5.9 KiB
Go
220 lines
5.9 KiB
Go
package amazon
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"compress/gzip"
|
|
"encoding/xml"
|
|
"fmt"
|
|
"log"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"path/filepath"
|
|
|
|
"github.com/aquasecurity/vuln-list-update/utils"
|
|
"golang.org/x/xerrors"
|
|
"gopkg.in/cheggaaa/pb.v1"
|
|
)
|
|
|
|
const (
|
|
retry = 3
|
|
|
|
amazonDir = "amazon"
|
|
)
|
|
|
|
var (
|
|
LinuxMirrorListURI = map[string]string{
|
|
"1": "http://repo.us-west-2.amazonaws.com/2018.03/updates/x86_64/mirror.list",
|
|
"2": "https://cdn.amazonlinux.com/2/core/latest/x86_64/mirror.list",
|
|
}
|
|
)
|
|
|
|
// RepoMd has repomd data
|
|
type RepoMd struct {
|
|
RepoList []Repo `xml:"data"`
|
|
}
|
|
|
|
// Repo has a repo data
|
|
type Repo struct {
|
|
Type string `xml:"type,attr"`
|
|
Location Location `xml:"location"`
|
|
}
|
|
|
|
// Location has a location of repomd
|
|
type Location struct {
|
|
Href string `xml:"href,attr"`
|
|
}
|
|
|
|
// UpdateInfo has a list of ALAS
|
|
type UpdateInfo struct {
|
|
ALASList []ALAS `xml:"update"`
|
|
}
|
|
|
|
// ALAS has detailed data of ALAS
|
|
type ALAS struct {
|
|
ID string `xml:"id" json:"id,omitempty"`
|
|
Title string `xml:"title" json:"title,omitempty"`
|
|
Issued Date `xml:"issued" json:"issued,omitempty"`
|
|
Updated Date `xml:"updated" json:"updated,omitempty"`
|
|
Severity string `xml:"severity" json:"severity,omitempty"`
|
|
Description string `xml:"description" json:"description,omitempty"`
|
|
Packages []Package `xml:"pkglist>collection>package" json:"packages,omitempty"`
|
|
References []Reference `xml:"references>reference" json:"references,omitempty"`
|
|
CveIDs []string `json:"cveids,omitempty"`
|
|
}
|
|
|
|
// Updated has updated at
|
|
type Date struct {
|
|
Date string `xml:"date,attr" json:"date,omitempty"`
|
|
}
|
|
|
|
// Reference has reference information
|
|
type Reference struct {
|
|
Href string `xml:"href,attr" json:"href,omitempty"`
|
|
ID string `xml:"id,attr" json:"id,omitempty"`
|
|
Title string `xml:"title,attr" json:"title,omitempty"`
|
|
Type string `xml:"type,attr" json:"type,omitempty"`
|
|
}
|
|
|
|
// Package has affected package information
|
|
type Package struct {
|
|
Name string `xml:"name,attr" json:"name,omitempty"`
|
|
Epoch string `xml:"epoch,attr" json:"epoch,omitempty"`
|
|
Version string `xml:"version,attr" json:"version,omitempty"`
|
|
Release string `xml:"release,attr" json:"release,omitempty"`
|
|
Arch string `xml:"arch,attr" json:"arch,omitempty"`
|
|
Filename string `xml:"filename" json:"filename,omitempty"`
|
|
}
|
|
|
|
type Config struct {
|
|
LinuxMirrorListURI map[string]string
|
|
VulnListDir string
|
|
}
|
|
|
|
func (ac Config) Update() error {
|
|
// version = 1 or 2
|
|
for version, amznURL := range ac.LinuxMirrorListURI {
|
|
log.Printf("Fetching security advisories of Amazon Linux %s...\n", version)
|
|
if err := ac.update(version, amznURL); err != nil {
|
|
return xerrors.Errorf("failed to update security advisories of Amazon Linux %s: %w", version, err)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (ac Config) update(version, url string) error {
|
|
dir := filepath.Join(ac.VulnListDir, amazonDir, version)
|
|
if err := os.RemoveAll(dir); err != nil {
|
|
return xerrors.Errorf("unable to remove amazon directory: %w", err)
|
|
}
|
|
if err := os.MkdirAll(dir, os.ModePerm); err != nil {
|
|
return xerrors.Errorf("failed to mkdir: %w", err)
|
|
}
|
|
|
|
vulns, err := fetchUpdateInfoAmazonLinux(url)
|
|
if err != nil {
|
|
return xerrors.Errorf("failed to fetch security advisories from Amazon Linux Security Center: %w", err)
|
|
}
|
|
|
|
bar := pb.StartNew(len(vulns.ALASList))
|
|
for _, alas := range vulns.ALASList {
|
|
filePath := filepath.Join(dir, fmt.Sprintf("%s.json", alas.ID))
|
|
if err = utils.Write(filePath, alas); err != nil {
|
|
return xerrors.Errorf("failed to write Amazon CVE details: %w", err)
|
|
}
|
|
bar.Increment()
|
|
}
|
|
bar.Finish()
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
func fetchUpdateInfoAmazonLinux(mirrorListURL string) (uinfo *UpdateInfo, err error) {
|
|
body, err := utils.FetchURL(mirrorListURL, "", retry)
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("failed to fetch mirror list files: %w", err)
|
|
}
|
|
|
|
var mirrors []string
|
|
scanner := bufio.NewScanner(bytes.NewReader(body))
|
|
for scanner.Scan() {
|
|
mirrors = append(mirrors, scanner.Text())
|
|
}
|
|
|
|
for _, mirror := range mirrors {
|
|
u, err := url.Parse(mirror)
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("failed to parse mirror URL: %w", err)
|
|
}
|
|
originalPath := u.Path
|
|
u.Path = path.Join(u.Path, "/repodata/repomd.xml")
|
|
|
|
updateInfoPath, err := fetchUpdateInfoURL(u.String())
|
|
if err != nil {
|
|
log.Printf("Failed to fetch updateInfo URL: %s\n", err)
|
|
continue
|
|
}
|
|
|
|
u.Path = path.Join(originalPath, updateInfoPath)
|
|
uinfo, err := fetchUpdateInfo(u.String())
|
|
if err != nil {
|
|
log.Printf("Failed to fetch updateInfo: %s\n", err)
|
|
continue
|
|
}
|
|
return uinfo, nil
|
|
}
|
|
return nil, xerrors.New("Failed to fetch updateinfo")
|
|
}
|
|
|
|
func fetchUpdateInfoURL(mirror string) (updateInfoPath string, err error) {
|
|
res, err := utils.FetchURL(mirror, "", retry)
|
|
if err != nil {
|
|
return "", xerrors.Errorf("failed to fetch %s: %w", mirror, err)
|
|
}
|
|
|
|
var repoMd RepoMd
|
|
if err := xml.NewDecoder(bytes.NewBuffer(res)).Decode(&repoMd); err != nil {
|
|
return "", xerrors.Errorf("failed to decode repomd.xml: %w", err)
|
|
}
|
|
|
|
for _, repo := range repoMd.RepoList {
|
|
if repo.Type == "updateinfo" {
|
|
updateInfoPath = repo.Location.Href
|
|
break
|
|
}
|
|
}
|
|
if updateInfoPath == "" {
|
|
return "", xerrors.New("No updateinfo field in the repomd")
|
|
}
|
|
return updateInfoPath, nil
|
|
}
|
|
|
|
func fetchUpdateInfo(url string) (*UpdateInfo, error) {
|
|
res, err := utils.FetchURL(url, "", retry)
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("failed to fetch updateInfo: %w", err)
|
|
}
|
|
r, err := gzip.NewReader(bytes.NewBuffer(res))
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("failed to decompress updateInfo: %w", err)
|
|
}
|
|
defer r.Close()
|
|
|
|
var updateInfo UpdateInfo
|
|
if err := xml.NewDecoder(r).Decode(&updateInfo); err != nil {
|
|
return nil, err
|
|
}
|
|
for i, alas := range updateInfo.ALASList {
|
|
var cveIDs []string
|
|
for _, ref := range alas.References {
|
|
if ref.Type == "cve" {
|
|
cveIDs = append(cveIDs, ref.ID)
|
|
}
|
|
}
|
|
updateInfo.ALASList[i].CveIDs = cveIDs
|
|
}
|
|
return &updateInfo, nil
|
|
}
|