quay · liangchenye · May 16, 2016 · May 20, 2016 · May 24, 2016 · Jul 12, 2016
diff --git a/api/v1/README.md b/api/v1/README.md
@@ -144,7 +144,7 @@ Server: clair
             "Description": "The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the \"--date=TZ=\"123\"345\" @1\" string to the touch or date command.",
             "Link": "https://security-tracker.debian.org/tracker/CVE-2014-9471",
             "Severity": "Low",
-            "FixedBy": "9.23-5"
+            "FixedBy": ">= 9.23-5"
           }
         ]
       }
@@ -289,7 +289,7 @@ POST http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities HTTP/1.1
             {
                 "Name": "coreutils",
                 "NamespaceName": "debian:8",
-                "Version": "8.23-1"
+                "FixedInVersions": ">= 8.23-1"
             }
         ]
     }
@@ -322,7 +322,7 @@ Server: clair
             {
                 "Name": "coreutils",
                 "NamespaceName": "debian:8",
-                "Version": "8.23-1"
+                "FixedInVersions": ">= 8.23-1"
             }
         ]
     }
@@ -373,7 +373,7 @@ Server: clair
             {
                 "Name": "coreutils",
                 "NamespaceName": "debian:8",
-                "Version": "8.23-1"
+                "FixedInVersions": ">= 8.23-1"
             }
         ]
     }
@@ -592,7 +592,7 @@ Server: clair
           {
             "Name": "grep",
             "NamespaceName": "debian:8",
-            "Version": "2.25"
+            "FixedInVersions": ">= 2.25"
           }
         ]
       },

diff --git a/api/v1/models.go b/api/v1/models.go
@@ -77,7 +77,7 @@ func LayerFromDatabaseModel(dbLayer database.Layer, withFeatures, withVulnerabil
 					Metadata:      dbVuln.Metadata,
 				}
 
-				if dbVuln.FixedBy != types.MaxVersion {
+				if dbVuln.FixedBy.String() != types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MaxVersion).String() {
 					vuln.FixedBy = dbVuln.FixedBy.String()
 				}
 				feature.Vulnerabilities = append(feature.Vulnerabilities, vuln)
@@ -154,31 +154,32 @@ type Feature struct {
 	Name            string          `json:"Name,omitempty"`
 	NamespaceName   string          `json:"NamespaceName,omitempty"`
 	Version         string          `json:"Version,omitempty"`
+	FixedInVersions string          `json:"FixedInVersions,omitempty"`
 	Vulnerabilities []Vulnerability `json:"Vulnerabilities,omitempty"`
 	AddedBy         string          `json:"AddedBy,omitempty"`
 }
 
 func FeatureFromDatabaseModel(dbFeatureVersion database.FeatureVersion) Feature {
-	versionStr := dbFeatureVersion.Version.String()
-	if versionStr == types.MaxVersion.String() {
-		versionStr = "None"
+	fixedInVersionsStr := dbFeatureVersion.FixedInVersions.String()
+	if fixedInVersionsStr == types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MaxVersion).String() {
+		fixedInVersionsStr = "None"
 	}
 
 	return Feature{
-		Name:          dbFeatureVersion.Feature.Name,
-		NamespaceName: dbFeatureVersion.Feature.Namespace.Name,
-		Version:       versionStr,
-		AddedBy:       dbFeatureVersion.AddedBy.Name,
+		Name:            dbFeatureVersion.Feature.Name,
+		NamespaceName:   dbFeatureVersion.Feature.Namespace.Name,
+		FixedInVersions: fixedInVersionsStr,
+		AddedBy:         dbFeatureVersion.AddedBy.Name,
 	}
 }
 
 func (f Feature) DatabaseModel() (database.FeatureVersion, error) {
-	var version types.Version
-	if f.Version == "None" {
-		version = types.MaxVersion
+	var fivs types.FixedInVersions
+	if f.FixedInVersions == "None" {
+		fivs = types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MaxVersion)
 	} else {
 		var err error
-		version, err = types.NewVersion(f.Version)
+		fivs, err = types.NewFixedInVersions(f.FixedInVersions)
 		if err != nil {
 			return database.FeatureVersion{}, err
 		}
@@ -189,7 +190,7 @@ func (f Feature) DatabaseModel() (database.FeatureVersion, error) {
 			Name:      f.Name,
 			Namespace: database.Namespace{Name: f.NamespaceName},
 		},
-		Version: version,
+		FixedInVersions: fivs,
 	}, nil
 }
 

diff --git a/cmd/clair/main.go b/cmd/clair/main.go
@@ -29,6 +29,7 @@ import (
 	_ "github.com/coreos/clair/notifier/notifiers"
 
 	_ "github.com/coreos/clair/updater/fetchers/debian"
+	_ "github.com/coreos/clair/updater/fetchers/nodejs"
 	_ "github.com/coreos/clair/updater/fetchers/rhel"
 	_ "github.com/coreos/clair/updater/fetchers/ubuntu"
 	_ "github.com/coreos/clair/updater/metadata_fetchers/nvd"
@@ -37,10 +38,12 @@ import (
 	_ "github.com/coreos/clair/worker/detectors/data/docker"
 
 	_ "github.com/coreos/clair/worker/detectors/feature/dpkg"
+	_ "github.com/coreos/clair/worker/detectors/feature/npm"
 	_ "github.com/coreos/clair/worker/detectors/feature/rpm"
 
 	_ "github.com/coreos/clair/worker/detectors/namespace/aptsources"
 	_ "github.com/coreos/clair/worker/detectors/namespace/lsbrelease"
+	_ "github.com/coreos/clair/worker/detectors/namespace/nodejs"
 	_ "github.com/coreos/clair/worker/detectors/namespace/osrelease"
 	_ "github.com/coreos/clair/worker/detectors/namespace/redhatrelease"
 

diff --git a/database/models.go b/database/models.go
@@ -53,9 +53,10 @@ type Feature struct {
 type FeatureVersion struct {
 	Model
 
-	Feature    Feature
-	Version    types.Version
-	AffectedBy []Vulnerability
+	Feature         Feature
+	Version         types.Version
+	FixedInVersions types.FixedInVersions
+	AffectedBy      []Vulnerability
 
 	// For output purposes. Only make sense when the feature version is in the context of an image.
 	AddedBy Layer
@@ -78,7 +79,7 @@ type Vulnerability struct {
 
 	// For output purposes. Only make sense when the vulnerability
 	// is already about a specific Feature/FeatureVersion.
-	FixedBy types.Version `json:",omitempty"`
+	FixedBy types.FixedInVersions `json:",omitempty"`
 }
 
 type MetadataMap map[string]interface{}

diff --git a/database/pgsql/complex_test.go b/database/pgsql/complex_test.go
@@ -85,8 +85,8 @@ func TestRaceAffects(t *testing.T) {
 			Namespace: feature.Namespace,
 			FixedIn: []database.FeatureVersion{
 				{
-					Feature: feature,
-					Version: types.NewVersionUnsafe(strconv.Itoa(version)),
+					Feature:         feature,
+					FixedInVersions: types.NewFixedInVersionsUnsafe(">=" + strconv.Itoa(version)),
 				},
 			},
 			Severity: types.Unknown,
@@ -149,7 +149,9 @@ func TestRaceAffects(t *testing.T) {
 		// Get expected affects.
 		for i := numVulnerabilities; i > featureVersionVersion; i-- {
 			for _, vulnerability := range vulnerabilities[i] {
-				expectedAffectedNames = append(expectedAffectedNames, vulnerability.Name)
+				if vulnerability.FixedIn[0].FixedInVersions.Affected(featureVersion.Version) {
+					expectedAffectedNames = append(expectedAffectedNames, vulnerability.Name)
+				}
 			}
 		}
 

diff --git a/database/pgsql/feature.go b/database/pgsql/feature.go
@@ -194,7 +194,7 @@ func (pgSQL *pgSQL) insertFeatureVersions(featureVersions []database.FeatureVers
 type vulnerabilityAffectsFeatureVersion struct {
 	vulnerabilityID int
 	fixedInID       int
-	fixedInVersion  types.Version
+	fixedInVersions types.FixedInVersions
 }
 
 func linkFeatureVersionToVulnerabilities(tx *sql.Tx, featureVersion database.FeatureVersion) error {
@@ -210,14 +210,12 @@ func linkFeatureVersionToVulnerabilities(tx *sql.Tx, featureVersion database.Fea
 	for rows.Next() {
 		var affect vulnerabilityAffectsFeatureVersion
 
-		err := rows.Scan(&affect.fixedInID, &affect.vulnerabilityID, &affect.fixedInVersion)
+		err := rows.Scan(&affect.fixedInID, &affect.vulnerabilityID, &affect.fixedInVersions)
 		if err != nil {
 			return handleError("searchVulnerabilityFixedInFeature.Scan()", err)
 		}
 
-		if featureVersion.Version.Compare(affect.fixedInVersion) < 0 {
-			// The version of the FeatureVersion we are inserting is lower than the fixed version on this
-			// Vulnerability, thus, this FeatureVersion is affected by it.
+		if affect.fixedInVersions.Affected(featureVersion.Version) {
 			affects = append(affects, affect)
 		}
 	}

diff --git a/database/pgsql/layer_test.go b/database/pgsql/layer_test.go
@@ -93,7 +93,7 @@ func TestFindLayer(t *testing.T) {
 					assert.Equal(t, types.High, featureVersion.AffectedBy[0].Severity)
 					assert.Equal(t, "A vulnerability affecting OpenSSL < 2.0 on Debian 7.0", featureVersion.AffectedBy[0].Description)
 					assert.Equal(t, "http://google.com/#q=CVE-OPENSSL-1-DEB7", featureVersion.AffectedBy[0].Link)
-					assert.Equal(t, types.NewVersionUnsafe("2.0"), featureVersion.AffectedBy[0].FixedBy)
+					assert.Equal(t, types.NewFixedInVersionsUnsafe(">= 2.0").String(), featureVersion.AffectedBy[0].FixedBy.String())
 				}
 			default:
 				t.Errorf("unexpected package %s for layer-1", featureVersion.Feature.Name)

diff --git a/database/pgsql/notification_test.go b/database/pgsql/notification_test.go
@@ -104,8 +104,8 @@ func TestNotification(t *testing.T) {
 		Severity:    "Unknown",
 		FixedIn: []database.FeatureVersion{
 			{
-				Feature: f1,
-				Version: types.NewVersionUnsafe("1.0"),
+				Feature:         f1,
+				FixedInVersions: types.NewFixedInVersionsUnsafe(">= 1.0"),
 			},
 		},
 	}
@@ -164,12 +164,12 @@ func TestNotification(t *testing.T) {
 	v1b.Severity = types.High
 	v1b.FixedIn = []database.FeatureVersion{
 		{
-			Feature: f1,
-			Version: types.MinVersion,
+			Feature:         f1,
+			FixedInVersions: types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MinVersion),
 		},
 		{
-			Feature: f2,
-			Version: types.MaxVersion,
+			Feature:         f2,
+			FixedInVersions: types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MaxVersion),
 		},
 	}
 

diff --git a/database/pgsql/testdata/data.sql b/database/pgsql/testdata/data.sql
@@ -48,8 +48,8 @@ INSERT INTO vulnerability (id, namespace_id, name, description, link, severity)
   (2, 1, 'CVE-NOPE', 'A vulnerability affecting nothing', '', 'Unknown');
 
 INSERT INTO vulnerability_fixedin_feature (id, vulnerability_id, feature_id, version) VALUES
-  (1, 1, 2, '2.0'),
-  (2, 1, 4, '1.9-abc');
+  (1, 1, 2, '>= 2.0'),
+  (2, 1, 4, '>= 1.9-abc');
 
 INSERT INTO vulnerability_affects_featureversion (id, vulnerability_id, featureversion_id, fixedin_id) VALUES
   (1, 1, 2, 1); -- CVE-OPENSSL-1-DEB7 affects Debian:7 OpenSSL 1.0

diff --git a/database/pgsql/vulnerability.go b/database/pgsql/vulnerability.go
@@ -140,11 +140,11 @@ func scanVulnerability(queryer Queryer, queryName string, vulnerabilityRow *sql.
 
 	for rows.Next() {
 		var featureVersionID zero.Int
-		var featureVersionVersion zero.String
+		var featureVersionFixedInVersions zero.String
 		var featureVersionFeatureName zero.String
 
 		err := rows.Scan(
-			&featureVersionVersion,
+			&featureVersionFixedInVersions,
 			&featureVersionID,
 			&featureVersionFeatureName,
 		)
@@ -163,7 +163,7 @@ func scanVulnerability(queryer Queryer, queryName string, vulnerabilityRow *sql.
 					Namespace: vulnerability.Namespace,
 					Name:      featureVersionFeatureName.String,
 				},
-				Version: types.NewVersionUnsafe(featureVersionVersion.String),
+				FixedInVersions: types.NewFixedInVersionsUnsafe(featureVersionFixedInVersions.String),
 			}
 			vulnerability.FixedIn = append(vulnerability.FixedIn, featureVersion)
 		}
@@ -274,7 +274,7 @@ func (pgSQL *pgSQL) insertVulnerability(vulnerability database.Vulnerability, on
 		// for diffing existing vulnerabilities.
 		var fixedIn []database.FeatureVersion
 		for _, fv := range vulnerability.FixedIn {
-			if fv.Version != types.MinVersion {
+			if fv.FixedInVersions.String() != types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MinVersion).String() {
 				fixedIn = append(fixedIn, fv)
 			}
 		}
@@ -350,7 +350,7 @@ func applyFixedInDiff(currentList, diff []database.FeatureVersion) ([]database.F
 	different := false
 
 	for _, name := range addedNames {
-		if diffMap[name].Version == types.MinVersion {
+		if diffMap[name].FixedInVersions.String() == types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MinVersion).String() {
 			// MinVersion only makes sense when a Feature is already fixed in some version,
 			// in which case we would be in the "inBothNames".
 			continue
@@ -363,7 +363,7 @@ func applyFixedInDiff(currentList, diff []database.FeatureVersion) ([]database.F
 	for _, name := range inBothNames {
 		fv := diffMap[name]
 
-		if fv.Version == types.MinVersion {
+		if fv.FixedInVersions.String() == types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MinVersion).String() {
 			// MinVersion means that the Feature doesn't affect the Vulnerability anymore.
 			delete(currentMap, name)
 			different = true
@@ -438,15 +438,15 @@ func (pgSQL *pgSQL) insertVulnerabilityFixedInFeatureVersions(tx *sql.Tx, vulner
 		err = tx.QueryRow(
 			insertVulnerabilityFixedInFeature,
 			vulnerabilityID, fv.Feature.ID,
-			&fv.Version,
+			&fv.FixedInVersions,
 		).Scan(&fixedInID)
 
 		if err != nil {
 			return handleError("insertVulnerabilityFixedInFeature", err)
 		}
 
 		// Insert Vulnerability_Affects_FeatureVersion.
-		err = linkVulnerabilityToFeatureVersions(tx, fixedInID, vulnerabilityID, fv.Feature.ID, fv.Version)
+		err = linkVulnerabilityToFeatureVersions(tx, fixedInID, vulnerabilityID, fv.Feature.ID, fv.FixedInVersions)
 		if err != nil {
 			return err
 		}
@@ -455,7 +455,7 @@ func (pgSQL *pgSQL) insertVulnerabilityFixedInFeatureVersions(tx *sql.Tx, vulner
 	return nil
 }
 
-func linkVulnerabilityToFeatureVersions(tx *sql.Tx, fixedInID, vulnerabilityID, featureID int, fixedInVersion types.Version) error {
+func linkVulnerabilityToFeatureVersions(tx *sql.Tx, fixedInID, vulnerabilityID, featureID int, fixedInVersions types.FixedInVersions) error {
 	// Find every FeatureVersions of the Feature that the vulnerability affects.
 	// TODO(Quentin-M): LIMIT
 	rows, err := tx.Query(searchFeatureVersionByFeature, featureID)
@@ -472,10 +472,7 @@ func linkVulnerabilityToFeatureVersions(tx *sql.Tx, fixedInID, vulnerabilityID,
 		if err != nil {
 			return handleError("searchFeatureVersionByFeature.Scan()", err)
 		}
-
-		if affected.Version.Compare(fixedInVersion) < 0 {
-			// The version of the FeatureVersion is lower than the fixed version of this vulnerability,
-			// thus, this FeatureVersion is affected by it.
+		if fixedInVersions.Affected(affected.Version) {
 			affecteds = append(affecteds, affected)
 		}
 	}
@@ -527,7 +524,7 @@ func (pgSQL *pgSQL) DeleteVulnerabilityFix(vulnerabilityNamespace, vulnerability
 						Name: vulnerabilityNamespace,
 					},
 				},
-				Version: types.MinVersion,
+				FixedInVersions: types.NewFixedInVersionsFromOV(types.OpGreaterEqual, types.MinVersion),
 			},
 		},
 	}