
Commit 11b9ae2

committed
oracle: omit ksplice-related vulnerabilities
Signed-off-by: Brad Lugo <[email protected]>
1 parent 7ac73e5 commit 11b9ae2


2 files changed

+45
-1
lines changed


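--- a/oracle/parser.go
+++ b/oracle/parser.go
@@ -12,6 +12,7 @@ import (
 "github.com/quay/claircore"
 "github.com/quay/claircore/internal/xmlutil"
 "github.com/quay/claircore/libvuln/driver"
+"github.com/quay/claircore/pkg/cpe"
 "github.com/quay/claircore/pkg/ovalutil"
 )
 
@@ -71,6 +72,49 @@ func (u *Updater) Parse(ctx context.Context, r io.ReadCloser) ([]*claircore.Vuln
 if len(vs) == 0 {
 return nil, fmt.Errorf("could not determine dist")
 }
+
+// Check if the vulnerability only affects a userspace_ksplice package.
+// These errata should never be applied to a container since ksplice
+// userspace packages are not supported to be run within a container.
+// If we couldn't find a CPE list, make sure to include the
+// vulnerability. We'd rather have false positives for
+// userspace_ksplice packages than have false negatives for
+// *everything*.
+isOnlyKsplice := len(def.Advisory.AffectedCPEList) > 0
+// If there's at least one ksplice CPE and not all the affected CPEs
+// are ksplice related, this will cause false positives we can catch.
+// This should rarely happen. The most common case for this is if one
+// of the CPEs wasn't parseable.
+atLeastOneKsplice := false
+for _, affected := range def.Advisory.AffectedCPEList {
+wfn, err := cpe.Unbind(affected)
+if err != nil {
+// Found a CPE but could not parse it. Let's break out of these
+// checks and signal that these vulnerabilities should be
+// added to the list, but that there may be false positives.
+zlog.Warn(ctx).Str("cpe", affected).Msg("could not parse CPE")
+isOnlyKsplice = false
+atLeastOneKsplice = true
+break
+}
+if wfn.Attr[cpe.Edition].V == "userspace_ksplice" {
+atLeastOneKsplice = true
+} else {
+isOnlyKsplice = false
+}
+}
+
+if isOnlyKsplice {
+zlog.Debug(ctx).Msg("skipping ksplice vulnerabilities")
+return nil, nil
+}
+
+if atLeastOneKsplice {
+zlog.Warn(ctx).
+Str("def_title", def.Title).
+Msg("potential false positives: vulnerability has at least one unskippable ksplice match")
+}
+
 return vs, nil
 }
 vulns, err := ovalutil.RPMDefsToVulns(ctx, &root, protoVulns)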
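Review bot: The closing warning is misleading on the unparseable-CPE path: the error branch sets `atLeastOneKsplice = true` only so that the final log fires, so a definition with no ksplice CPE at all is reported as having "at least one unskippable ksplice match". A dedicated flag keeps the two causes apart: set `unparsableCPE = true` in the error branch instead of the ksplice flag, make the final condition `if atLeastOneKsplice || unparsableCPE {`, and add `Bool("unparsable_cpe", unparsableCPE).` to the warn event so an operator triaging false positives can tell a parse failure from a genuinely mixed advisory. The fail-open direction (include the vulnerability when in doubt rather than drop it) is the right choice for a scanner and the comment explains it well. The `return nil, nil` relies on the caller of this closure treating a nil slice as "no vulnerabilities"; the enclosing function starts before the hunk, so that contract cannot be confirmed from here.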

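--- a/oracle/parser_test.go
+++ b/oracle/parser_test.go
@@ -25,7 +25,7 @@ func TestParse(t *testing.T) {
 t.Fatal(err)
 }
 t.Logf("found %d vulnerabilities", len(vs))
-if got, want := len(vs), 6065; got != want {
+if got, want := len(vs), 6021; got != want {
 t.Fatalf("got: %d vulnerabilities, want: %d vulnerabilities", got, want)
 }
 }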
