alma

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED

Author: RTann

alma/distributionscanner.go

@@ -0,0 +1,89 @@
+package alma
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/fs"
+	"regexp"
+	"runtime/trace"
+	"strconv"
+
+	"github.com/quay/zlog"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/indexer"
+)
+
+const (
+	scannerName    = "alma"
+	scannerVersion = "1"
+	scannerKind    = "distribution"
+)
+
+var cpeRegexp = regexp.MustCompile(`CPE_NAME="cpe:/o:almalinux:almalinux:(\d+)::baseos"`)
+
+var (
+	_ indexer.DistributionScanner = (*DistributionScanner)(nil)
+	_ indexer.VersionedScanner    = (*DistributionScanner)(nil)
+)
+
+// DistributionScanner attempts to discover if a layer
+// displays characteristics of an alma distribution
+type DistributionScanner struct{}
+
+// Name implements scanner.VersionedScanner.
+func (*DistributionScanner) Name() string { return scannerName }
+
+// Version implements scanner.VersionedScanner.
+func (*DistributionScanner) Version() string { return scannerVersion }
+
+// Kind implements scanner.VersionedScanner.
+func (*DistributionScanner) Kind() string { return scannerKind }
+
+func (ds *DistributionScanner) Scan(ctx context.Context, l *claircore.Layer) ([]*claircore.Distribution, error) {
+	defer trace.StartRegion(ctx, "Scanner.Scan").End()
+	ctx = zlog.ContextWithValues(ctx,
+		"component", "alma/DistributionScanner.Scan",
+		"version", ds.Version(),
+		"layer", l.Hash.String())
+	zlog.Debug(ctx).Msg("start")
+	defer zlog.Debug(ctx).Msg("done")
+	sys, err := l.FS()
+	if err != nil {
+		return nil, fmt.Errorf("alma: unable to open layer: %w", err)
+	}
+	d, err := findDistribution(sys)
+	if err != nil {
+		return nil, fmt.Errorf("alma: unexpected error reading files: %w", err)
+	}
+	if d == nil {
+		zlog.Debug(ctx).Msg("didn't find etc/os-release")
+		return nil, nil
+	}
+	return []*claircore.Distribution{d}, nil
+}
+
+func findDistribution(sys fs.FS) (*claircore.Distribution, error) {
+	const osReleasePath = `etc/os-release`
+	b, err := fs.ReadFile(sys, osReleasePath)
+	switch {
+	case errors.Is(err, nil):
+	case errors.Is(err, fs.ErrNotExist):
+		return nil, nil
+	default:
+		return nil, fmt.Errorf("alma: unexpected error reading os-release file: %w", err)
+	}
+	ms := cpeRegexp.FindSubmatch(b)
+	if ms == nil {
+		return nil, nil
+	}
+	if len(ms) != 2 {
+		return nil, fmt.Errorf("alma: malformed os-release file: %q", b)
+	}
+	_, err = strconv.Atoi(string(ms[1]))
+	if err != nil {
+		return nil, fmt.Errorf("alma: unexpected error reading os-releasefile: %w", err)
+	}
+	return mkRelease(string(ms[1])), nil
+}

alma/matcher.go

@@ -0,0 +1,50 @@
+package alma
+
+import (
+	"context"
+
+	version "github.com/knqyf263/go-rpm-version"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/libvuln/driver"
+)
+
+type Matcher struct{}
+
+var _ driver.Matcher = (*Matcher)(nil)
+
+func (*Matcher) Name() string {
+	return "alma-matcher"
+}
+
+func (*Matcher) Filter(record *claircore.IndexRecord) bool {
+	return record.Distribution != nil && record.Distribution.DID == "alma"
+}
+
+// Query implements driver.Matcher
+func (*Matcher) Query() []driver.MatchConstraint {
+	return []driver.MatchConstraint{
+		driver.DistributionDID,
+		driver.DistributionName,
+		driver.DistributionVersion,
+	}
+}
+
+func (*Matcher) Vulnerable(_ context.Context, record *claircore.IndexRecord, vuln *claircore.Vulnerability) (bool, error) {
+	pkgVer := version.NewVersion(record.Package.Version)
+	var vulnVer version.Version
+	// Assume the vulnerability record we have is for the last known vulnerable
+	// version, so greater versions aren't vulnerable.
+	cmp := func(i int) bool { return i != version.GREATER }
+	// But if it's explicitly marked as a fixed-in version, it's only vulnerable
+	// if less than that version.
+	if vuln.FixedInVersion != "" {
+		vulnVer = version.NewVersion(vuln.FixedInVersion)
+		cmp = func(i int) bool { return i == version.LESS }
+	} else {
+		// If a vulnerability doesn't have FixedInVersion, assume it is unfixed.
+		vulnVer = version.NewVersion("65535:0")
+	}
+	// compare version and architecture
+	return cmp(pkgVer.Compare(vulnVer)) && vuln.ArchOperation.Cmp(record.Package.Arch, vuln.Package.Arch), nil
+}

alma/parser.go

@@ -0,0 +1,94 @@
+package alma
+
+import (
+	"context"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/quay/goval-parser/oval"
+	"github.com/quay/zlog"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/internal/xmlutil"
+	"github.com/quay/claircore/pkg/ovalutil"
+)
+
+// Parse implements [driver.Updater].
+//
+// Parse treats the data inside the provided io.ReadCloser as Red Hat
+// flavored OVAL XML. The distribution associated with vulnerabilities
+// is configured via the Updater. The repository associated with
+// vulnerabilies is based on the affected CPE list.
+func (u *Updater) Parse(ctx context.Context, r io.ReadCloser) ([]*claircore.Vulnerability, error) {
+	ctx = zlog.ContextWithValues(ctx, "component", "alma/Updater.Parse")
+	zlog.Info(ctx).Msg("starting parse")
+	defer r.Close()
+	root := oval.Root{}
+	dec := xml.NewDecoder(r)
+	dec.CharsetReader = xmlutil.CharsetReader
+	if err := dec.Decode(&root); err != nil {
+		return nil, fmt.Errorf("alma: unable to decode OVAL document: %w", err)
+	}
+	zlog.Debug(ctx).Msg("xml decoded")
+	protoVulns := func(def oval.Definition) ([]*claircore.Vulnerability, error) {
+		defType, err := ovalutil.GetAlmaDefinitionType(def)
+		if err != nil {
+			return nil, err
+		}
+		// Red Hat OVAL data include information about vulnerabilities,
+		// that actually don't affect the package in any way. Storing them
+		// would increase number of records in DB without adding any value.
+		if isSkippableDefinitionType(defType) {
+			return []*claircore.Vulnerability{}, nil
+		}
+
+		// Go look for the vuln name in the references, fallback to
+		// title if not found.
+		name := def.Title
+		if len(def.References) > 0 {
+			name = def.References[0].RefID
+		}
+
+		v := &claircore.Vulnerability{
+			Updater:            u.Name(),
+			Name:               name,
+			Description:        def.Description,
+			Issued:             def.Advisory.Issued.Date,
+			Links:              ovalutil.Links(def),
+			Severity:           def.Advisory.Severity,
+			NormalizedSeverity: NormalizeSeverity(def.Advisory.Severity),
+			Dist:               u.dist,
+		}
+		return []*claircore.Vulnerability{v}, nil
+	}
+	vulns, err := ovalutil.RPMDefsToVulns(ctx, &root, protoVulns)
+	if err != nil {
+		return nil, err
+	}
+	return vulns, nil
+}
+
+func isSkippableDefinitionType(defType ovalutil.DefinitionType) bool {
+	return defType == ovalutil.UnaffectedDefinition || defType == ovalutil.NoneDefinition
+}
+
+// NormalizeSeverity maps Red Hat severity strings to claircore's normalized
+// serverity levels.
+func NormalizeSeverity(severity string) claircore.Severity {
+	switch strings.ToLower(severity) {
+	case "none":
+		return claircore.Unknown
+	case "low":
+		return claircore.Low
+	case "moderate":
+		return claircore.Medium
+	case "important":
+		return claircore.High
+	case "critical":
+		return claircore.Critical
+	default:
+		return claircore.Unknown
+	}
+}

alma/release.go

@@ -0,0 +1,30 @@
+package alma
+
+import (
+	"sync"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/toolkit/types/cpe"
+)
+
+// RelMap memoizes the Distributions handed out by this package.
+//
+// Doing this is a cop-out to the previous approach of having a hard-coded set of structs.
+// In the case something is (mistakenly) doing pointer comparisons, this will make that work
+// but still allows us to have the list of distributions grow ad-hoc.
+var relMap sync.Map
+
+func mkRelease(r string) *claircore.Distribution {
+	v, ok := relMap.Load(r)
+	if !ok {
+		v, _ = relMap.LoadOrStore(r, &claircore.Distribution{
+			Name:       "AlmaLinux",
+			Version:    r,
+			VersionID:  r,
+			DID:        "alma",
+			PrettyName: "AlmaLinux " + r,
+			CPE:        cpe.MustUnbind("cpe:/o:almalinux:almalinux:" + r),
+		})
+	}
+	return v.(*claircore.Distribution)
+}

alma/updater.go

@@ -0,0 +1,65 @@
+package alma
+
+import (
+	"context"
+	"fmt"
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/libvuln/driver"
+	"github.com/quay/claircore/pkg/ovalutil"
+	"github.com/quay/zlog"
+	"net/http"
+	"net/url"
+	"strconv"
+)
+
+var (
+	_ driver.Updater      = (*Updater)(nil)
+	_ driver.Configurable = (*Updater)(nil)
+)
+
+// Updater fetches and parses RHEL-flavored OVAL databases.
+type Updater struct {
+	ovalutil.Fetcher // fetch method promoted via embed
+	dist             *claircore.Distribution
+	name             string
+}
+
+// UpdaterConfig is the configuration expected for any given updater.
+//
+// See also [ovalutil.FetcherConfig].
+type UpdaterConfig struct {
+	ovalutil.FetcherConfig
+	Release int `json:"release" yaml:"release"`
+}
+
+// NewUpdater returns an Updater.
+func NewUpdater(release int, uri string) (*Updater, error) {
+	u := &Updater{
+		name: fmt.Sprintf("alma-%d", release),
+		dist: mkRelease(strconv.Itoa(release)),
+	}
+	var err error
+	u.Fetcher.URL, err = url.Parse(uri)
+	if err != nil {
+		return nil, err
+	}
+	u.Fetcher.Compression = ovalutil.CompressionBzip2
+	return u, nil
+}
+
+// Configure implements [driver.Configurable].
+func (u *Updater) Configure(ctx context.Context, cf driver.ConfigUnmarshaler, c *http.Client) error {
+	ctx = zlog.ContextWithValues(ctx, "component", "rhel/Updater.Configure")
+	var cfg UpdaterConfig
+	if err := cf(&cfg); err != nil {
+		return err
+	}
+	if cfg.Release != 0 {
+		u.dist = mkRelease(strconv.Itoa(cfg.Release))
+	}
+
+	return u.Fetcher.Configure(ctx, cf, c)
+}
+
+// Name implements [driver.Updater].
+func (u *Updater) Name() string { return u.name }