fix: grype_db #344 missing CVE/Package associations #650

merged 2 commits into from
Aug 6, 2024
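--- a/src/vunnel/providers/sles/parser.py
+++ b/src/vunnel/providers/sles/parser.py
@@ -323,7 +323,12 @@ def _transform_oval_vulnerabilities(cls, major_version: str, parsed_dict: dict)
 if release_version not in version_release_feed:
 version_release_feed[release_version] = defaultdict(Vulnerability)
 
-version_release_feed[release_version][release_name] = feed_obj
+if release_name not in version_release_feed[release_version]:
+version_release_feed[release_version][release_name] = feed_obj
+else:
+old_feed_obj = version_release_feed[release_version][release_name]
+feed_obj.FixedIn.extend(old_feed_obj.FixedIn)
+version_release_feed[release_version][release_name] = feed_obj
 
 # resolve multiple normalized entries per version
 results.extend(cls._release_resolver(version_release_feed, vulnerability_obj.name))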
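Review bot: The `else` branch's `feed_obj.FixedIn.extend(old_feed_obj.FixedIn)` concatenates the two lists without de-duplicating, so if two criteria branches of one OVAL definition ever name the same package at the same version the merged entry will list it twice; whether that can occur depends on the OVAL data and on `_release_resolver`, both outside this hunk. A why-comment on the new branch would help the next reader, e.g. `# one OVAL definition can yield several feed objects for the same release (one per criteria branch); merge their FixedIn lists instead of letting the last branch overwrite the earlier ones`. Only `FixedIn` is carried over from `old_feed_obj`; presumably the remaining fields are identical because both objects derive from the same vulnerability, but that assumption is worth stating in the comment. The enclosing `_transform_oval_vulnerabilities` begins above the hunk and continues below it.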
@@ -0,0 +1,125 @@
{
"identifier": "sles:15/cve-2010-1323",
"item": {
"Vulnerability": {
"CVSS": [
{
"base_metrics": {
"base_score": 3.7,
"base_severity": "Low",
"exploitability_score": 2.2,
"impact_score": 1.4
},
"status": "N/A",
"vector_string": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
],
"Description": "MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checks\n ums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain\n checksums that (1) are unkeyed or (2) use RC4 keys.",
"FixedIn": [
{
"Module": "",
"Name": "krb5-plugin-kdb-ldap",
"NamespaceName": "sles:15",
"VendorAdvisory": {
"AdvisorySummary": [],
"NoAdvisory": false
},
"Version": "0:1.15.2-4.25",
"VersionFormat": "rpm",
"VulnerableRange": null
},
{
"Module": "",
"Name": "krb5-server",
"NamespaceName": "sles:15",
"VendorAdvisory": {
"AdvisorySummary": [],
"NoAdvisory": false
},
"Version": "0:1.15.2-4.25",
"VersionFormat": "rpm",
"VulnerableRange": null
},
{
"Module": "",
"Name": "krb5",
"NamespaceName": "sles:15",
"VendorAdvisory": {
"AdvisorySummary": [],
"NoAdvisory": false
},
"Version": "0:1.15.2-4.25",
"VersionFormat": "rpm",
"VulnerableRange": null
},
{
"Module": "",
"Name": "krb5-32bit",
"NamespaceName": "sles:15",
"VendorAdvisory": {
"AdvisorySummary": [],
"NoAdvisory": false
},
"Version": "0:1.15.2-4.25",
"VersionFormat": "rpm",
"VulnerableRange": null
},
{
"Module": "",
"Name": "krb5-client",
"NamespaceName": "sles:15",
"VendorAdvisory": {
"AdvisorySummary": [],
"NoAdvisory": false
},
"Version": "0:1.15.2-4.25",
"VersionFormat": "rpm",
"VulnerableRange": null
},
{
"Module": "",
"Name": "krb5-devel",
"NamespaceName": "sles:15",
"VendorAdvisory": {
"AdvisorySummary": [],
"NoAdvisory": false
},
"Version": "0:1.15.2-4.25",
"VersionFormat": "rpm",
"VulnerableRange": null
},
{
"Module": "",
"Name": "krb5-plugin-preauth-otp",
"NamespaceName": "sles:15",
"VendorAdvisory": {
"AdvisorySummary": [],
"NoAdvisory": false
},
"Version": "0:1.15.2-4.25",
"VersionFormat": "rpm",
"VulnerableRange": null
},
{
"Module": "",
"Name": "krb5-plugin-preauth-pkinit",
"NamespaceName": "sles:15",
"VendorAdvisory": {
"AdvisorySummary": [],
"NoAdvisory": false
},
"Version": "0:1.15.2-4.25",
"VersionFormat": "rpm",
"VulnerableRange": null
}
],
"Link": "https://www.suse.com/security/cve/CVE-2010-1323",
"Metadata": {},
"Name": "CVE-2010-1323",
"NamespaceName": "sles:15",
"Severity": "Medium"
}
},
"schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/os/schema-1.0.0.json"
}
172 changes: 172 additions & 0 deletions tests/unit/providers/sles/test-fixtures/suse_truncated.xml
Expand Up @@ -227,6 +227,77 @@
</criteria>
</criteria>
</definition>
<definition id="oval:org.opensuse.security:def:20101323" version="1" class="vulnerability">
<metadata>
<title>CVE-2010-1323</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Desktop 15</platform>
<platform>SUSE Linux Enterprise High Performance Computing 15</platform>
<platform>SUSE Linux Enterprise Module for Basesystem 15</platform>
<platform>SUSE Linux Enterprise Module for Server Applications 15</platform>
<platform>SUSE Linux Enterprise Server 15</platform>
<platform>SUSE Linux Enterprise Server for SAP Applications 15</platform>
</affected>
<reference source="CVE" ref_id="Mitre CVE-2010-1323" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323"></reference>
<reference source="SUSE CVE" ref_id="SUSE CVE-2010-1323" ref_url="https://www.suse.com/security/cve/CVE-2010-1323"></reference>
<reference source="SUSE-SU" ref_id="SUSE-SR:2010:023" ref_url="https://lists.opensuse.org/archives/list/[email protected]/thread/JM6O73UJO5HWG5
RGIFFSFKGTDNFSGYWB/#JM6O73UJO5HWG5RGIFFSFKGTDNFSGYWB"></reference>
<reference source="SUSE-SU" ref_id="SUSE-SR:2010:024" ref_url="https://lists.opensuse.org/archives/list/[email protected]/thread/QQHP7MDAGKGRMV
UG64TKDHFDLMRIRJQG/#QQHP7MDAGKGRMVUG64TKDHFDLMRIRJQG"></reference>
<reference source="SUSE-SU" ref_id="TID7008287" ref_url="https://www.suse.com/support/kb/doc/?id=7008287"></reference>
<description>&#xA; MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checks
ums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain
checksums that (1) are unkeyed or (2) use RC4 keys.&#xA; </description>
<advisory>
<severity>Moderate</severity>
<cve cwe="" impact="" href="https://www.suse.com/security/cve/CVE-2010-1323/" public="">CVE-2010-1323 at SUSE</cve>
<cve cvss3="3.7/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" cwe="" impact="low" href="https://nvd.nist.gov/vuln/detail/CVE-2010-1323" public="">CVE-2010-1323
at NVD</cve>
<bugzilla id="" href="https://bugzilla.suse.com/650650">SUSE bug 650650</bugzilla>
<affected_cpe_list>
<cpe>cpe:/o:suse:sle-module-basesystem:15</cpe>
<cpe>cpe:/o:suse:sle-module-server-applications:15</cpe>
<cpe>cpe:/o:suse:sle_hpc:15</cpe>
<cpe>cpe:/o:suse:sled:15</cpe>
<cpe>cpe:/o:suse:sles:15</cpe>
<cpe>cpe:/o:suse:sles_sap:15</cpe>
</affected_cpe_list>
<issued date="2021-04-30"></issued>
<updated date="2024-07-31"></updated>
</advisory>
</metadata>
<criteria operator="OR">
<criteria operator="AND">
<criteria operator="OR">
<criterion test_ref="oval:org.opensuse.security:tst:2009669873" comment="SUSE Linux Enterprise Desktop 15 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009669871" comment="SUSE Linux Enterprise High Performance Computing 15 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009223735" comment="SUSE Linux Enterprise Module for Basesystem 15 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009242640" comment="SUSE Linux Enterprise Server 15 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009276218" comment="SUSE Linux Enterprise Server for SAP Applications 15 is installed"></criterion>
</criteria>
<criteria operator="OR">
<criterion test_ref="oval:org.opensuse.security:tst:2009480345" comment="krb5-1.15.2-4.25 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009480346" comment="krb5-32bit-1.15.2-4.25 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009480347" comment="krb5-client-1.15.2-4.25 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009480348" comment="krb5-devel-1.15.2-4.25 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009480349" comment="krb5-plugin-preauth-otp-1.15.2-4.25 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009480350" comment="krb5-plugin-preauth-pkinit-1.15.2-4.25 is installed"></criterion>
</criteria>
</criteria>
<criteria operator="AND">
<criteria operator="OR">
<criterion test_ref="oval:org.opensuse.security:tst:2009669871" comment="SUSE Linux Enterprise High Performance Computing 15 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009228795" comment="SUSE Linux Enterprise Module for Server Applications 15 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009242640" comment="SUSE Linux Enterprise Server 15 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009276218" comment="SUSE Linux Enterprise Server for SAP Applications 15 is installed"></criterion>
</criteria>
<criteria operator="OR">
<criterion test_ref="oval:org.opensuse.security:tst:2009488167" comment="krb5-plugin-kdb-ldap-1.15.2-4.25 is installed"></criterion>
<criterion test_ref="oval:org.opensuse.security:tst:2009488168" comment="krb5-server-1.15.2-4.25 is installed"></criterion>
</criteria>
</criteria>
</criteria>
</definition>
</definitions>
<tests>
<rpminfo_test id="oval:org.opensuse.security:tst:2009302033" version="1" comment="sles-ltss-release is ==15" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
Expand All @@ -253,6 +324,62 @@
<object object_ref="oval:org.opensuse.security:obj:2009030416"/>
<state state_ref="oval:org.opensuse.security:ste:2009118764"/>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009276218" comment="SLES_SAP-release is ==15" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009047546"></object>
<state state_ref="oval:org.opensuse.security:ste:2009061809"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009669873" comment="sled-release is ==15" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009031917"></object>
<state state_ref="oval:org.opensuse.security:ste:2009061809"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009669871" comment="SLE_HPC-release is ==15" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009051714"></object>
<state state_ref="oval:org.opensuse.security:ste:2009061809"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009242640" comment="sles-release is ==15" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009030884"></object>
<state state_ref="oval:org.opensuse.security:ste:2009061809"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009223735" comment="sle-module-basesystem-release is ==15" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009042619"></object>
<state state_ref="oval:org.opensuse.security:ste:2009061809"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009228795" comment="sle-module-server-applications-release is ==15" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009046430"></object>
<state state_ref="oval:org.opensuse.security:ste:2009061809"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009480345" comment="krb5 is &lt;1.15.2-4.25" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009031044"></object>
<state state_ref="oval:org.opensuse.security:ste:2009111500"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009480346" comment="krb5-32bit is &lt;1.15.2-4.25" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009031038"></object>
<state state_ref="oval:org.opensuse.security:ste:2009111500"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009480347" comment="krb5-client is &lt;1.15.2-4.25" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009031041"></object>
<state state_ref="oval:org.opensuse.security:ste:2009111500"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009480348" comment="krb5-devel is &lt;1.15.2-4.25" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009031478"></object>
<state state_ref="oval:org.opensuse.security:ste:2009111500"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009480349" comment="krb5-plugin-preauth-otp is &lt;1.15.2-4.25" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009038448"></object>
<state state_ref="oval:org.opensuse.security:ste:2009111500"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009480350" comment="krb5-plugin-preauth-pkinit is &lt;1.15.2-4.25" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009033580"></object>
<state state_ref="oval:org.opensuse.security:ste:2009111500"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009488167" comment="krb5-plugin-kdb-ldap is &lt;1.15.2-4.25" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009033579"></object>
<state state_ref="oval:org.opensuse.security:ste:2009111500"></state>
</rpminfo_test>
<rpminfo_test id="oval:org.opensuse.security:tst:2009488168" comment="krb5-server is &lt;1.15.2-4.25" check="at least one" version="1">
<object object_ref="oval:org.opensuse.security:obj:2009031042"></object>
<state state_ref="oval:org.opensuse.security:ste:2009111500"></state>
</rpminfo_test>
</tests>
<objects>
<rpminfo_object id="oval:org.opensuse.security:obj:2009049560" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
Expand All @@ -264,6 +391,48 @@
<rpminfo_object id="oval:org.opensuse.security:obj:2009030416" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name>kernel-default</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009051714" version="1">
<name>SLE_HPC-release</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009030884" version="1">
<name>sles-release</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009047546" version="1">
<name>SLES_SAP-release</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009031917" version="1">
<name>sled-release</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009042619" version="1">
<name>sle-module-basesystem-release</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009046430" version="1">
<name>sle-module-server-applications-release</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009031044" version="1">
<name>krb5</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009031038" version="1">
<name>krb5-32bit</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009031041" version="1">
<name>krb5-client</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009031478" version="1">
<name>krb5-devel</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009038448" version="1">
<name>krb5-plugin-preauth-otp</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009033580" version="1">
<name>krb5-plugin-preauth-pkinit</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009033579" version="1">
<name>krb5-plugin-kdb-ldap</name>
</rpminfo_object>
<rpminfo_object id="oval:org.opensuse.security:obj:2009031042" version="1">
<name>krb5-server</name>
</rpminfo_object>
</objects>
<state>
<rpminfo_state id="oval:org.opensuse.security:ste:2009061809" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
Expand All @@ -280,5 +449,8 @@
<arch datatype="string" operation="pattern match">(aarch64|ppc64le|s390x|x86_64)</arch>
<evr datatype="evr_string" operation="less than">0:4.12.14-197.89.2</evr>
</rpminfo_state>
<rpminfo_state id="oval:org.opensuse.security:ste:2009111500" version="1">
<evr operation="6">0:1.15.2-4.25</evr>
</rpminfo_state>
</state>
</oval_definitions>
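Review bot: In the first hunk (`@@ -227,6 +227,77 @@`) the new `<description>` text breaks in the middle of the word "checksums", and the two SUSE-SR `ref_url` attributes are likewise split mid-URL, which looks like terminal wrapping from when the fixture was pasted rather than the advisory's real text. The expected-output JSON added in the same PR carries that artifact through (`"checks\n ums"` in the `Description`), so the snapshot pins the parser to a corrupted description instead of the real feed content. Re-joining the wrapped lines in the fixture and regenerating the expected JSON would make the test exercise representative input; the split URLs should be checked against the live OVAL feed before editing. The new `<definition>` element is complete within the hunk, but the surrounding `<definitions>` list begins above it.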