diff --git a/scan/redhat.go b/scan/redhat.go index d12261d722..ae04188028 100644 --- a/scan/redhat.go +++ b/scan/redhat.go @@ -301,6 +301,7 @@ func (o *redhat) scanUnsecurePackagesUsingYumCheckUpdate() (CvePacksList, error) CveIDs []string } + // { packageName: changelog-lines } var rpm2changelog map[string]*string if !config.Conf.SSHExternal { allChangelog, err := o.getAllChangelog(packInfoList) @@ -460,7 +461,7 @@ func (o *redhat) parseYumCheckUpdateLine(line string) (models.PackageInfo, error if len(fields) != 2 { return models.PackageInfo{}, fmt.Errorf("Unknown format: %s", line) } - version := fields[0] + version := o.regexpReplace(fields[0], `^[0-9]+:`, "") release := fields[1] return models.PackageInfo{ Name: packName, @@ -499,7 +500,7 @@ func (o *redhat) regexpReplace(src string, pat string, rep string) string { } func (o *redhat) getChangelogCVELines(rpm2changelog map[string]*string, packInfo models.PackageInfo) string { - rpm := fmt.Sprintf("%s-%s-%s", packInfo.Name, o.regexpReplace(packInfo.NewVersion, `^[0-9]+:`, ""), packInfo.NewRelease) + rpm := fmt.Sprintf("%s-%s-%s", packInfo.Name, packInfo.NewVersion, packInfo.NewRelease) retLine := "" if rpm2changelog[rpm] != nil { lines := strings.Split(*rpm2changelog[rpm], "\n") @@ -527,15 +528,19 @@ func (o *redhat) parseAllChangelog(allChangelog string) (map[string]*string, err tmpline := "" var lines []string var prev, now bool + var err error for i := range orglines { if majorVersion == 5 { /* for CentOS5 (yum-util < 1.1.20) */ prev = false now = false if i > 0 { - prev, _ = o.isRpmPackageNameLine(orglines[i-1]) + prev, err = o.isRpmPackageNameLine(orglines[i-1]) + if err != nil { + return nil, err + } } - now, _ = o.isRpmPackageNameLine(orglines[i]) + now, err = o.isRpmPackageNameLine(orglines[i]) if prev && now { tmpline = fmt.Sprintf("%s, %s", tmpline, orglines[i]) continue 
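Review bot: The added comment `// { packageName: changelog-lines }` in scanUnsecurePackagesUsingYumCheckUpdate understates what the key is: getChangelogCVELines (the @@ -499 hunk) looks the map up by `fmt.Sprintf("%s-%s-%s", packInfo.Name, packInfo.NewVersion, packInfo.NewRelease)`, so the key is the full epoch-less name-version-release string, not the bare package name. Suggest `// { "name-version-release" (no epoch): changelog lines }` so a reader does not try to look the map up by name alone. The function's body starts and continues outside the hunk.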
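Review bot: The new `version := o.regexpReplace(fields[0], `^[0-9]+:`, "")` in parseYumCheckUpdateLine drops the RPM epoch without saying why; the reason only becomes visible in the @@ -499 hunk, where the same strip is removed from getChangelogCVELines so both paths agree on epoch-less keys. Add `// strip the epoch ("30:9.3.6" -> "9.3.6"): changelog rpm names carry no epoch, and getChangelogCVELines keys on name-version-release` above the line. The epoch is discarded rather than kept anywhere on PackageInfo; if any other user of PackageInfo compares versions against an epoch-bearing value, that comparison is now inconsistent, which is worth confirming outside this diff. Note too that regexpReplace takes the pattern as a string, so it presumably recompiles it on every parsed line; a package-level compiled regexp would avoid that. parseYumCheckUpdateLine starts and ends outside the hunk.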
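Review bot: In parseAllChangelog the new `now, err = o.isRpmPackageNameLine(orglines[i])` assigns err but never checks it, so a failure on the current line is still silently ignored and `now` is used as false; the `prev` call a few lines up gets the check, this one does not. Add `if err != nil { return nil, err }` directly after it, mirroring the prev branch, so the error propagation this commit introduces is complete for the CentOS 5 path. The function continues outside the hunk.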
@@ -561,7 +566,10 @@ func (o *redhat) parseAllChangelog(allChangelog string) (map[string]*string, err rpm2changelog := make(map[string]*string) writePointer := o.mkPstring() for _, line := range lines { - match, _ := o.isRpmPackageNameLine(line) + match, err := o.isRpmPackageNameLine(line) + if err != nil { + return nil, err + } if match { rpms := strings.Split(line, ",") pNewString := o.mkPstring() @@ -836,7 +844,20 @@ func (o *redhat) isHorizontalRule(line string) (bool, error) { } func (o *redhat) isRpmPackageNameLine(line string) (bool, error) { - return regexp.MatchString("^[^ ]+(i386|i486|i586|i686|k6|athlon|x86_64|noarch|ppc|alpha|sparc)", line) + s := strings.TrimPrefix(line, "ChangeLog for: ") + ss := strings.Split(s, ", ") + if len(ss) == 0 { + return false, nil + } + for _, s := range ss { + s = strings.TrimRight(s, " \r\n") + ok, err := regexp.MatchString( + `^[^ ]+\.(i386|i486|i586|i686|k6|athlon|x86_64|noarch|ppc|alpha|sparc)$`, s) + if !ok { + return false, err + } + } + return true, nil } // see test case diff --git a/scan/redhat_test.go b/scan/redhat_test.go index 6477af917c..24a4e785a2 100644 --- a/scan/redhat_test.go +++ b/scan/redhat_test.go @@ -328,6 +328,18 @@ func TestIsRpmPackageNameLine(t *testing.T) { " glibc-2.12-1.192.el6.x86_64", false, }, + { + "glibc-2.12-1.192.el6.x86_64, iproute-2.6.18-15.el5.i386", + true, + }, + { + "k6 hoge.i386", + false, + }, + { + "triathlon", + false, + }, } for i, tt := range tests { @@ -603,6 +615,7 @@ bash.x86_64 4.1.2-33.el6_7.1 updates Obsoleting Packages python-libs.i686 2.6.6-64.el6 rhui-REGION-rhel-server-releases python-ordereddict.noarch 1.1-3.el6ev installed +bind-utils.x86_64 30:9.3.6-25.P1.el5_11.8 updates ` r.Packages = []models.PackageInfo{ @@ -626,6 +639,11 @@ python-libs.i686 2.6.6-64.el6 rhui-REGION-rhel-server-releases Version: "1.0", Release: "1", }, + { + Name: "bind-utils", + Version: "1.0", + Release: "1", + }, } var tests = []struct { in string 
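Review bot: The rewritten isRpmPackageNameLine compiles the regexp on every token of every line through `regexp.MatchString`, and parseAllChangelog now calls it once or twice per changelog line (the @@ -527 and @@ -561 hunks), so the pattern should be compiled once at package scope with `regexp.MustCompile`; with a constant pattern the only possible MatchString error is a compile error, so the error value the callers now propagate is never non-nil in practice. The `if len(ss) == 0` guard is dead code: strings.Split with a non-empty separator never returns an empty slice. The inner `for _, s := range ss` also shadows the outer `s`, which reads poorly; a distinct name fixes that. The `(bool, error)` signature can stay so the callers are untouched.
```go
// rpmPackageNameTokenRe matches one "name-version-release.arch" token; compiled once, not per line.
var rpmPackageNameTokenRe = regexp.MustCompile(
	`^[^ ]+\.(i386|i486|i586|i686|k6|athlon|x86_64|noarch|ppc|alpha|sparc)$`)

func (o *redhat) isRpmPackageNameLine(line string) (bool, error) {
	s := strings.TrimPrefix(line, "ChangeLog for: ")
	for _, token := range strings.Split(s, ", ") {
		if !rpmPackageNameTokenRe.MatchString(strings.TrimRight(token, " \r\n")) {
			return false, nil
		}
	}
	return true, nil
}
```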
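Review bot: The three cases added to TestIsRpmPackageNameLine do not exercise two branches the new implementation introduces: the `ChangeLog for: ` prefix that TrimPrefix removes, and the trailing `\r\n` that TrimRight strips from each token. Consider adding `{"ChangeLog for: glibc-2.12-1.192.el6.x86_64", true}`, `{"glibc-2.12-1.192.el6.x86_64\r\n", true}` and a trailing-separator case such as `{"glibc-2.12-1.192.el6.x86_64, ", false}` so that behaviour is pinned rather than implied. The test table starts outside the hunk.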
@@ -662,6 +680,13 @@ python-libs.i686 2.6.6-64.el6 rhui-REGION-rhel-server-releases NewVersion: "1.1", NewRelease: "3.el6ev", }, + { + Name: "bind-utils", + Version: "1.0", + Release: "1", + NewVersion: "9.3.6", + NewRelease: "25.P1.el5_11.8", + }, }, }, } @@ -689,18 +714,18 @@ func TestParseYumCheckUpdateLinesAmazon(t *testing.T) { 34 package(s) needed for security, out of 71 available bind-libs.x86_64 32:9.8.2-0.37.rc1.45.amzn1 amzn-main -java-1.7.0-openjdk.x86_64 1:1.7.0.95-2.6.4.0.65.amzn1 amzn-main +java-1.7.0-openjdk.x86_64 1.7.0.95-2.6.4.0.65.amzn1 amzn-main if-not-architecture 100-200 amzn-main ` r.Packages = []models.PackageInfo{ { Name: "bind-libs", - Version: "32:9.8.0", + Version: "9.8.0", Release: "0.33.rc1.45.amzn1", }, { Name: "java-1.7.0-openjdk", - Version: "1:1.7.0.0", + Version: "1.7.0.0", Release: "2.6.4.0.0.amzn1", }, { @@ -718,16 +743,16 @@ if-not-architecture 100-200 amzn-main models.PackageInfoList{ { Name: "bind-libs", - Version: "32:9.8.0", + Version: "9.8.0", Release: "0.33.rc1.45.amzn1", - NewVersion: "32:9.8.2", + NewVersion: "9.8.2", NewRelease: "0.37.rc1.45.amzn1", }, { Name: "java-1.7.0-openjdk", - Version: "1:1.7.0.0", + Version: "1.7.0.0", Release: "2.6.4.0.0.amzn1", - NewVersion: "1:1.7.0.95", + NewVersion: "1.7.0.95", NewRelease: "2.6.4.0.65.amzn1", }, { @@ -1029,7 +1054,16 @@ func TestGetChangelogCVELines(t *testing.T) { { models.PackageInfo{ Name: "dhclient", - NewVersion: "12:4.1.1", + NewVersion: "4.1.1", + NewRelease: "51.P1.el6", + }, + `- TESTSTRING CVE-1111-1111 +`, + }, + { + models.PackageInfo{ + Name: "dhcp-common", + NewVersion: "4.1.1", NewRelease: "51.P1.el6", }, `- TESTSTRING CVE-1111-1111 @@ -1085,7 +1119,7 @@ func TestGetChangelogCVELines(t *testing.T) { } changelog := r.getChangelogCVELines(rpm2changelog, tt.in) if tt.out != changelog { - t.Errorf("line: expected %s, actual %s", tt.out, changelog) + t.Errorf("line: expected %s, actual %s, tt: %#v", tt.out, changelog, tt) } } 
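Review bot: In TestParseYumCheckUpdateLinesAmazon the java-1.7.0-openjdk fixture line was changed from `1:1.7.0.95-2.6.4.0.65.amzn1` to `1.7.0.95-2.6.4.0.65.amzn1`, which removes the only single-digit-epoch input in this test; the expected NewVersion `1.7.0.95` is epoch-less either way, so the input should keep its `1:` prefix so that the new strip in parseYumCheckUpdateLine is what produces the expected value (bind-libs with `32:` still covers the two-digit case). The installed-package fixtures' Version fields here and in the @@ -718 hunk were also rewritten to epoch-less values (`9.8.0`, `1.7.0.0`); that is only right if the code that populates r.Packages strips the epoch the same way, which is not visible in this diff and is worth confirming. The test function continues outside the hunk.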
@@ -1137,7 +1171,19 @@ func TestGetChangelogCVELines(t *testing.T) { { models.PackageInfo{ Name: "bind-libs", - NewVersion: "30:9.3.6", + NewVersion: "9.3.6", + NewRelease: "25.P1.el5_11.8", + }, + `- Fix issue with patch for CVE-2016-1285 and CVE-2016-1286 found by test suite +- Fix CVE-2016-1285 and CVE-2016-1286 +- Fix CVE-2015-8704 +- Fix CVE-2015-8000 +`, + }, + { + models.PackageInfo{ + Name: "bind-utils", + NewVersion: "9.3.6", NewRelease: "25.P1.el5_11.8", }, `- Fix issue with patch for CVE-2016-1285 and CVE-2016-1286 found by test suite @@ -1156,7 +1202,7 @@ func TestGetChangelogCVELines(t *testing.T) { } changelog := r.getChangelogCVELines(rpm2changelog, tt.in) if tt.out != changelog { - t.Errorf("line: expected %s, actual %s", tt.out, changelog) + t.Errorf("line: expected %s, actual %s, tt: %#v", tt.out, changelog, tt) } } }