From c28d2b3a66cbd468f567ed0b4ddce3157169707d Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Fri, 12 Aug 2016 15:31:44 -0400 Subject: [PATCH 1/3] namespace: add debug output Signed-off-by: Vincent Batts --- worker/detectors/namespace.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/worker/detectors/namespace.go b/worker/detectors/namespace.go index 7d00cdfc97..e77ef23d69 100644 --- a/worker/detectors/namespace.go +++ b/worker/detectors/namespace.go @@ -21,6 +21,7 @@ import ( "sync" "github.com/coreos/clair/database" + "github.com/coreos/pkg/capnslog" ) // The NamespaceDetector interface defines a way to detect a Namespace from input data. @@ -34,6 +35,8 @@ type NamespaceDetector interface { } var ( + nlog = capnslog.NewPackageLogger("github.com/coreos/clair", "worker/detectors") + namespaceDetectorsLock sync.Mutex namespaceDetectors = make(map[string]NamespaceDetector) ) @@ -62,8 +65,9 @@ func RegisterNamespaceDetector(name string, f NamespaceDetector) { // DetectNamespace finds the OS of the layer by using every registered NamespaceDetector. func DetectNamespace(data map[string][]byte) *database.Namespace { - for _, detector := range namespaceDetectors { + for name, detector := range namespaceDetectors { if namespace := detector.Detect(data); namespace != nil { + nlog.Debugf("detector: %q; namespace: %q\n", name, namespace.Name) return namespace } } From d88f7978213d1b21ea7c3bd4d1466f35dc2784e4 Mon Sep 17 00:00:00 2001 
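Review bot: In the `DetectNamespace` hunk the new `nlog.Debugf` call fires only when a detector matches, so a layer that no registered detector recognises still leaves no trace in the log. For a scanner that is the outcome most worth seeing, because a layer without a namespace is presumably not compared against any vulnerability data. I would add `nlog.Debugf("no namespace detected (%d detectors tried)", len(namespaceDetectors))` just before the function's final return, which lies outside this hunk. The trailing `\n` in the format string is probably redundant, assuming capnslog terminates each entry itself.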
From: Vincent Batts Date: Fri, 12 Aug 2016 15:32:12 -0400 Subject: [PATCH 2/3] osrelease-detector: avoid colliding with other detectors Due to the detector registration and fact that their in a non-ordered map, it is random whether the osrelease or redhatrelease detector would hit. And likely resulted in alternately formatted namespace strings. This change causes the osrelease to not detect when data has centos-release or redhat-release, which is not _great_ because if the redhatrelease detector is not compiled in, then that would not be a fallback that the osrelease detector could rely on. :-\ Signed-off-by: Vincent Batts --- worker/detectors/namespace/osrelease/osrelease.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/worker/detectors/namespace/osrelease/osrelease.go b/worker/detectors/namespace/osrelease/osrelease.go index 118fb9fde3..b303962900 100644 --- a/worker/detectors/namespace/osrelease/osrelease.go +++ b/worker/detectors/namespace/osrelease/osrelease.go @@ -24,6 +24,8 @@ import ( ) var ( + //log = capnslog.NewPackageLogger("github.com/coreos/clair", "worker/detectors/namespace/osrelease") + osReleaseOSRegexp = regexp.MustCompile(`^ID=(.*)`) osReleaseVersionRegexp = regexp.MustCompile(`^VERSION_ID=(.*)`) ) @@ -42,6 +44,12 @@ func init() { func (detector *OsReleaseNamespaceDetector) Detect(data map[string][]byte) *database.Namespace { var OS, version string + for _, filePath := range detector.getExcludeFiles() { + if _, hasFile := data[filePath]; hasFile { + return nil + } + } + for _, filePath := range detector.GetRequiredFiles() { f, hasFile := data[filePath] if !hasFile { 
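Review bot: The exclusion loop added at the top of `Detect` in osrelease.go keys on the mere presence of a path in `data`, not on whether the other detector can actually parse that file. If an image carries an `etc/redhat-release` whose content the redhatrelease patterns do not match, this detector returns nil and the layer ends up with no namespace even though a valid `etc/os-release` is present, which is a quiet false negative for the scanner. At minimum the skip should be visible, e.g. `log.Debugf("skipping os-release detection: %q present", filePath)` before the `return nil`, which also gives the commented-out `//log = capnslog.NewPackageLogger(...)` line from the first hunk a reason to be enabled rather than left as dead code. The rest of `Detect` continues outside this hunk.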
@@ -74,3 +82,8 @@ func (detector *OsReleaseNamespaceDetector) Detect(data map[string][]byte) *data func (detector *OsReleaseNamespaceDetector) GetRequiredFiles() []string { return []string{"etc/os-release", "usr/lib/os-release"} } + +// getExcludeFiles returns the list of files that are ought to exclude this detector from Detect() +func (detector *OsReleaseNamespaceDetector) getExcludeFiles() []string { + return []string{"etc/redhat-release", "usr/lib/centos-release"} +} From ce8d31bbb323471bf2a69427e4a645b3ce8a25c1 Mon Sep 17 00:00:00 2001 From: Vincent Batts Date: Fri, 12 Aug 2016 15:35:32 -0400 Subject: [PATCH 3/3] redhatrelease: override match for RHEL hosts Until https://github.com/coreos/clair/pull/193 is merged, having vulnerabilities that are tagged both rhel and centos would duplicate in the database or use a change that requires a migration. But presently due to the fetcher logic, the rhel provided vulnerabilities are labelled for centos, and then the namespace does not match and therefore not tested against. So until such a day that a vulnerability could have both rhel and centos label, then hack this in. It'll accomplish the same during this interim. Signed-off-by: Vincent Batts --- updater/fetchers/rhel/rhel.go | 1 + .../namespace/redhatrelease/redhatrelease.go | 22 +++++++++++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/updater/fetchers/rhel/rhel.go b/updater/fetchers/rhel/rhel.go index 51f802d900..43d1d5fe15 100644 --- a/updater/fetchers/rhel/rhel.go +++ b/updater/fetchers/rhel/rhel.go @@ -291,6 +291,7 @@ func toFeatureVersions(criteria criteria) []database.FeatureVersion { } if osVersion >= firstConsideredRHEL { + // TODO(vbatts) this is where features need multiple labels ('centos' and 'rhel') featureVersion.Feature.Namespace.Name = "centos" + ":" + strconv.Itoa(osVersion) } else { continue 
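Review bot: In the `@@ -74,3 +82,8 @@` hunk of osrelease.go, the paths returned by `getExcludeFiles` (`etc/redhat-release`, `usr/lib/centos-release`) do not line up with the files the redhatrelease detector is documented to read, which per its doc comment in patch 3 are `/etc/centos-release`, `/etc/redhat-release` and `/etc/system-release`. A layer that has only `etc/centos-release` or `etc/system-release` would still let both detectors match, so the order-dependent collision this patch is meant to remove appears to remain for those images. I would list the same three paths here, or derive the list from the other detector's required files if that is reachable from this package. The doc comment would read better as `// getExcludeFiles returns the files whose presence makes Detect return nil.`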
diff --git a/worker/detectors/namespace/redhatrelease/redhatrelease.go b/worker/detectors/namespace/redhatrelease/redhatrelease.go index a6569b07d5..91e236c757 100644 --- a/worker/detectors/namespace/redhatrelease/redhatrelease.go +++ b/worker/detectors/namespace/redhatrelease/redhatrelease.go @@ -20,9 +20,15 @@ import ( "github.com/coreos/clair/database" "github.com/coreos/clair/worker/detectors" + "github.com/coreos/pkg/capnslog" ) -var redhatReleaseRegexp = regexp.MustCompile(`(?P[^\s]*) (Linux release|release) (?P[\d]+)`) +var ( + log = capnslog.NewPackageLogger("github.com/coreos/clair", "worker/detectors/namespace/redhatrelease") + + centosReleaseRegexp = regexp.MustCompile(`(?P[^\s]*) (Linux release|release) (?P[\d]+)`) + redhatReleaseRegexp = regexp.MustCompile(`(?PRed Hat Enterprise Linux) (Client release|Server release|Workstation release) (?P[\d]+)`) +) // RedhatReleaseNamespaceDetector implements NamespaceDetector and detects the OS from the // /etc/centos-release, /etc/redhat-release and /etc/system-release files. @@ -31,6 +37,7 @@ var redhatReleaseRegexp = regexp.MustCompile(`(?P[^\s]*) (Linux release|rele // eg. CentOS release 5.11 (Final) // eg. CentOS release 6.6 (Final) // eg. CentOS Linux release 7.1.1503 (Core) +// eg. Red Hat Enterprise Linux Server release 7.2 (Maipo) type RedhatReleaseNamespaceDetector struct{} func init() { @@ -44,10 +51,21 @@ func (detector *RedhatReleaseNamespaceDetector) Detect(data map[string][]byte) * continue } - r := redhatReleaseRegexp.FindStringSubmatch(string(f)) + var r []string + + // try for RHEL + r = redhatReleaseRegexp.FindStringSubmatch(string(f)) + if len(r) == 4 { + // TODO(vbatts) this is a hack until https://github.com/coreos/clair/pull/193 + return &database.Namespace{Name: "centos" + ":" + r[3]} + } + + // then try centos first + r = centosReleaseRegexp.FindStringSubmatch(string(f)) if len(r) == 4 { return &database.Namespace{Name: strings.ToLower(r[1]) + ":" + r[3]} } + } return nil
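Review bot: In the `var` block hunk of redhatrelease.go, `redhatReleaseRegexp` accepts only the variant words `Client`, `Server` and `Workstation`, so any other Red Hat release string falls through to `centosReleaseRegexp`. That pattern is unanchored and takes whatever non-space token precedes `release` as the OS name, so such a string would produce a namespace named after the variant word and presumably match no vulnerability data. Widening the middle group to `((?:[A-Za-z]+ )?release)` covers other variants while keeping the three-group shape that the `len(r) == 4` check relies on. The new package-level `log` also shadows the standard library package name and is not used in the lines shown.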
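Review bot: The RHEL branch added to `Detect` rewrites the namespace to `centos:<major>` without recording it anywhere, so the result for a RHEL image is indistinguishable from that of a CentOS image when someone later audits a scan. This patch already declares a logger for the package, so a line such as `log.Debugf("RHEL release %s detected; reporting namespace centos:%s (temporary override)", r[3], r[3])` before the return would make the override traceable. The comment `// then try centos first` contradicts the order of the code and could read `// otherwise fall back to the generic CentOS-style pattern`. The blank line added before the loop's closing brace can be dropped.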