nosudo on CentOS and Fetch Changelogs on Amazon, RHEL (#448)

* Use repoquery for no sudo and avoid unintended line feed of yum or rpm. #444 * Change data type of enablerepo in config.toml. string to array * Fetch yum changelogs at once then grep CVE-IDs * Fix changelog parse logic and Update Gopkg
future-architect · Jul 18, 2017 · a0bafbd · a0bafbd
1 parent 02b939b
commit a0bafbd
Show file tree

Hide file tree

Showing 16 changed files with 913 additions and 885 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,5 @@
 language: go
 
 go:
-  - 1.7
   - 1.8
 
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -1,36 +1,86 @@
 
-[[constraint]]
-  branch = "master"
-  name = "github.com/Azure/azure-storage-go"
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
 
 [[constraint]]
-  branch = "master"
   name = "github.com/BurntSushi/toml"
+  version = "0.3.0"
+
+[[constraint]]
+  name = "github.com/asaskevich/govalidator"
+  version = "6.0.0"
+
+[[constraint]]
+  name = "github.com/boltdb/bolt"
+  version = "1.3.1"
+
+[[constraint]]
+  name = "github.com/cenkalti/backoff"
+  version = "1.0.0"
 
 [[constraint]]
   branch = "master"
-  name = "github.com/sirupsen/logrus"
+  name = "github.com/google/subcommands"
 
 [[constraint]]
-  name = "github.com/aws/aws-sdk-go"
-  revision = "5b341290c488aa6bd76b335d819b4a68516ec3ab"
+  branch = "master"
+  name = "github.com/gosuri/uitable"
 
 [[constraint]]
   branch = "master"
+  name = "github.com/howeyc/gopass"
+
+[[constraint]]
   name = "github.com/jroimartin/gocui"
+  version = "0.3.0"
 
 [[constraint]]
   branch = "master"
   name = "github.com/k0kubun/pp"
 
 [[constraint]]
   branch = "master"
-  name = "github.com/kotakanbe/go-cve-dictionary"
+  name = "github.com/knqyf263/go-deb-version"
 
 [[constraint]]
   branch = "master"
-  name = "github.com/kotakanbe/goval-dictionary"
+  name = "github.com/knqyf263/go-rpm-version"
+
+[[constraint]]
+  name = "github.com/kotakanbe/go-pingscanner"
+  version = "0.1.0"
 
 [[constraint]]
   branch = "master"
   name = "github.com/kotakanbe/logrus-prefixed-formatter"
+
+[[constraint]]
+  name = "github.com/parnurzeal/gorequest"
+  version = "0.2.15"
+
+[[constraint]]
+  name = "github.com/rifflock/lfshook"
+  version = "1.7.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/sirupsen/logrus"
diff --git a/README.md b/README.md
@@ -803,12 +803,12 @@ In order to scan, the following dependencies are required, so you need to instal
 |:-------------|-------------------:|:-------------|
 | Ubuntu       |          12, 14, 16| -            |
 | Debian       |                7, 8| aptitude     |
-| CentOS       |                6, 7| yum-plugin-changelog |
-| Amazon       |                All | -            |
-| RHEL         |                  5 | yum-security |
-| RHEL         |               6, 7 | -            |
-| Oracle Linux |                  5 | yum-security |
-| Oracle Linux |               6, 7 | -            |
+| CentOS       |                6, 7| yum-plugin-changelog, yum-utils |
+| Amazon       |                All | -            | TODO yum-utils?, yum-plugin-changelog
+| RHEL         |                  5 | yum-security | TODO yum-utils?
+| RHEL         |               6, 7 | -            | TODO yum-utils?
+| Oracle Linux |                  5 | yum-security | TODO yum-utils?
+| Oracle Linux |               6, 7 | -            |TODO yum-utils?  
 | FreeBSD      |                 10 | -            |
 | Raspbian     |     Wheezy, Jessie | -            |
 

diff --git a/commands/scan.go b/commands/scan.go
@@ -67,6 +67,7 @@ func (*ScanCmd) Usage() string {
 		[-cachedb-path=/path/to/cache.db]
 		[-ssh-native-insecure]
 		[-containers-only]
+		[-package-list-only]
 		[-skip-broken]
 		[-http-proxy=http://192.168.0.1:8080]
 		[-ask-key-password]

diff --git a/config/config.go b/config/config.go
@@ -418,7 +418,7 @@ type ServerInfo struct {
 	Optional [][]interface{}
 
 	// For CentOS, RHEL, Amazon
-	Enablerepo string
+	Enablerepo []string
 
 	// used internal
 	LogMsgAnsiColor string // DebugLog Color

diff --git a/config/tomlloader.go b/config/tomlloader.go
@@ -20,7 +20,6 @@ package config
 import (
 	"fmt"
 	"os"
-	"strings"
 
 	"github.com/BurntSushi/toml"
 	"github.com/future-architect/vuls/contrib/owasp-dependency-check/parser"
@@ -164,7 +163,7 @@ func (c TOMLLoader) Load(pathToToml, keyPass string) error {
 			s.Enablerepo = d.Enablerepo
 		}
 		if len(s.Enablerepo) != 0 {
-			for _, repo := range strings.Split(s.Enablerepo, ",") {
+			for _, repo := range s.Enablerepo {
 				switch repo {
 				case "base", "updates":
 					// nop

diff --git a/models/models.go b/models/models.go
@@ -18,4 +18,4 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 package models
 
 // JSONVersion is JSON Version
-const JSONVersion = "0.3.0"
+const JSONVersion = 2
diff --git a/models/packages.go b/models/packages.go
@@ -42,6 +42,7 @@ func (ps Packages) MergeNewVersion(as Packages) {
 		if pack, ok := ps[a.Name]; ok {
 			pack.NewVersion = a.NewVersion
 			pack.NewRelease = a.NewRelease
+			pack.Repository = a.Repository
 			ps[a.Name] = pack
 		}
 	}
@@ -79,13 +80,24 @@ func (ps Packages) FormatUpdatablePacksSummary() string {
 	return fmt.Sprintf("%d updatable packages", nUpdatable)
 }
 
+// FindOne search a element by name-newver-newrel-arch
+func (ps Packages) FindOne(f func(Package) bool) (string, Package, bool) {
+	for key, p := range ps {
+		if f(p) {
+			return key, p, true
+		}
+	}
+	return "", Package{}, false
+}
+
 // Package has installed packages.
 type Package struct {
 	Name        string
 	Version     string
 	Release     string
 	NewVersion  string
 	NewRelease  string
+	Arch        string
 	Repository  string
 	Changelog   Changelog
 	NotFixedYet bool // Ubuntu OVAL Only
@@ -145,8 +157,8 @@ func (p Package) FormatChangelog() string {
 }
 
 // Changelog has contents of changelog and how to get it.
-// Method: modesl.detectionMethodStr
+// Method: models.detectionMethodStr
 type Changelog struct {
 	Contents string
-	Method   string
+	Method   DetectionMethod
 }
diff --git a/models/scanresults.go b/models/scanresults.go
@@ -32,7 +32,7 @@ type ScanResults []ScanResult
 // ScanResult has the result of scanned CVE information.
 type ScanResult struct {
 	ScannedAt   time.Time
-	JSONVersion string
+	JSONVersion int
 	Lang        string
 	ServerName  string // TOML Section key
 	Family      string