oracle: omit ksplice-related vulnerabilities #1511

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions oracle/parser.go
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/quay/claircore"
"github.com/quay/claircore/internal/xmlutil"
"github.com/quay/claircore/libvuln/driver"
"github.com/quay/claircore/pkg/cpe"
"github.com/quay/claircore/pkg/ovalutil"
)

Expand Down Expand Up @@ -71,6 +72,50 @@ func (u *Updater) Parse(ctx context.Context, r io.ReadCloser) ([]*claircore.Vuln
if len(vs) == 0 {
return nil, fmt.Errorf("could not determine dist")
}

// Check if the vulnerability only affects a userspace_ksplice package.
// These errata should never be applied to a container since ksplice
// userspace packages are not supported to be run within a container.
// If there's at least one ksplice CPE and not all the affected CPEs
// are ksplice related, this will cause false positives we can catch.
// This should rarely happen; the most common case for this is if one
// of the CPEs wasn't parseable.
kspliceCPEs := 0
cpes := len(def.Advisory.AffectedCPEList)
for _, affected := range def.Advisory.AffectedCPEList {
wfn, err := cpe.Unbind(affected)
if err != nil {
// Found a CPE but could not parse it. Log a warning and return
// successfully.
zlog.Warn(ctx).
Str("def_title", def.Title).
Str("cpe", affected).
Msg("could not parse CPE: there may be a false positive match with a userspace_ksplice package")
return vs, nil
}
if wfn.Attr[cpe.Edition].V == "userspace_ksplice" {
kspliceCPEs++
}
}

switch diff := cpes - kspliceCPEs; {
case kspliceCPEs == 0:
// Continue if there are no ksplice CPEs.
case cpes == 0:
zlog.Warn(ctx).
Str("def_title", def.Title).
Msg("potential false positives: couldn't find CPEs to check for ksplice packages")
case diff == 0:
zlog.Debug(ctx).Msg("skipping userspace_ksplice vulnerabilities")
return nil, nil
case diff > 0:
zlog.Warn(ctx).
Str("def_title", def.Title).
Msg("potential false positives: OVAL may have a userspace_ksplice CPE which could not be skipped")
default:
panic("programmer error")
}

return vs, nil
}
vulns, err := ovalutil.RPMDefsToVulns(ctx, &root, protoVulns)
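Review bot: The `case cpes == 0:` branch in the new switch is unreachable: when `def.Advisory.AffectedCPEList` is empty the loop never increments `kspliceCPEs`, so `case kspliceCPEs == 0:` matches first and the "couldn't find CPEs to check for ksplice packages" warning can never be emitted. Swapping the first two cases, `case cpes == 0:` before `case kspliceCPEs == 0:`, restores the intended warning without changing any other outcome. The `diff == 0` skip is the only branch that drops a definition entirely, yet its log line omits the definition; adding `Str("def_title", def.Title)` as the sibling log calls do would make every intentionally skipped advisory auditable from the logs. The `default: panic("programmer error")` is unreachable by construction since `kspliceCPEs` can never exceed `cpes`, so it is fine as an invariant guard, but worth a one-line comment saying so. The closure these lines belong to, and the enclosing `Parse` method, both begin outside the hunk.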