Add Red Hat Oval v2 vulnerability plugin #1024
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allda
requested review from
hdonnay,
jzelinskie,
KeyboardNerd,
ldelossa and
Quentin-M
as code owners
|
Can one of the admins verify this patch? |
Updates can return only one value using FlagKey and FlagValue. This is limited in some cases when updaters want to store more than one value. This commit enables to return map with more than one key + value. Signed-off-by: Ales Raszka <araszka@redhat.com>
* CLAIR-262: add oval v2 class for parsing oval manifest, tests * removed unused import * CLAIR-263: updated oval v2 class to check oval manifest for only new advisories, added tests * CLAIR-263: updated struct names, cleanup in oval v2 class for checking oval manifest for new advisories, added comments, additional tests * CLAIR-264: added parse utilities for cpe names and rpm names, tests * CLAIR-264: added module namespace parsing, tests, cleanup * CLAIR-269: added package filtering by arch, tests * WIP: refactored oval2 plugin and tests, based on changes required for rpm parsing and efficient ordering of assessments for whether a given advisory is already processed * WIP: additional refactor for oval2 plugin and tests, fix nvra parsing and db lookups for already-processed, refactored manifest entry processing to iterate processing by document instead of all at once * fix refactor issue: restore rewire for vuln namespace * fix refactor issue: add check for empty lookup date, update test to cover that case * WIP: refactor, cleanup, and fixes related to most recent PR review notes * WIP: additional refactor/cleanup from PR review * ensure redhat package is enabled by default for make deploy-local * updated logging for redhat package * cleanup comments, clarify logging in redhat package * updated logging in redhat package, cleanup, moved db key/val date write to post-gather loop, fixed struct xml attribute ref * added check to prevent advisories with severity "none" from being stored to database, updated tests * cleanup: removed trailing whitespace * use all cpe entries from affected_cpe_list (previously was intentionally excluding the first entry) * updated supported arch check to support pattern-based arch lists * removed no longer used function (ParseCpeStructFromAffectedCpeList) * removed no longer used function (ParseCpeName) * cleanup - removed redundant variable usage in GatherUnprocessedAdvisories * cleanup - removed redundant second parse for already-parsed package list * updated feature creation for module namespaces, to create a feature for each namespace * removed no longer used function (ConstructVulnerabilityNames) * removed no longer used function (IsRmpArchSupported) * updated supported arch check to use regexp matcher * refactored updater to use map of flags instead of just one flag (FlagName+FlagValue) - redhat package uses ovalv2, needs multiple flags to update multiple key/value processing status markers - updated existing vulnsrc impls to use the flag map * cleanup - removed no longer used functions, related tests * updated dependencies in go.sum to point to public repo * add separate flag for last advisory date * added support for checking definition class, test; only process patch definitions * removed redundant entries from supported definition types * cleanup, add check for non-empty parsed nvra data * cleanup, lint-related formatting/comments * fixed errors in go.mod, go.sum from rebase conflicts Signed-off-by: Ales Raszka <araszka@redhat.com>
…tion tests (quay#23) * CLOUDWF-160: externalize base url for oval v2 data, to support fake api provider in integration tests * cwf129: add check to skip duplicate packages, corresponding test, additional logging * cwf129: additional checks to skip duplicate vulnerability data (filter out duplicate vuln data which appears across multiple oval docs), updated logging levels * cwf129: additional checks to skip duplicate vulnerability data (filter out duplicate vuln data which appears across multiple oval docs), organized logging into logical groups, added tests * cwf129: cleanup (formatting) * cwf129: updated check for relevant criteria to include module criteria, removed unnecessary len() check from cpe name parsing * cwf129: updated cpe parse to exclude empty names, added test, test data * cwf129: cleanup (formatting) * cwf129: cleanup - removed plugin-local log level assignment * cwf129: updated dup vulnerability identification strategy to ensure any non-duplicate features of same-named vulnerabilities are merged rather than skipped, added tests * CWF-129: fixed scoping for vulnerabilities accumulator so that vulns and packages are properly assessed across advisories, added test case and test data * CWF-129: refactored vulnerabilities accumulator and features merge strategy to avoid using global variables, updated tests Signed-off-by: Ales Raszka <araszka@redhat.com>
Rhel vulnerability scanner was replaced by Red Hat's oval v2 scanner. Oval 2 covers Red Hat's portfolio including RHEL. The commit also fixes bugs in ubuntu scanner. Signed-off-by: Ales Raszka <araszka@redhat.com>
ldelossa
approved these changes
Aug 3, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Red Hat recently introduced a new Oval v2 security data stream. The stream contains wider Red Hat's portfolio including RHEL and other products. The new plugin consumes Pulp manifest and based on that it fetches individual oval files. This PR also removes old rhel oval v1 plugin.