
Switch from the "fixed + not affected" OVAL file to the "fixed + not … #635

Open. Wants to merge 4 commits into base: main

Conversation

msmeissn

…affected + unfixed"

See https://www.suse.com/support/security/oval/

@willmurphyscode willmurphyscode added the run-pr-quality-gate Triggers running of quality gate on PRs label Jul 22, 2024
@willmurphyscode willmurphyscode self-assigned this Jul 22, 2024
@willmurphyscode (Contributor):

Hi @msmeissn thanks very much for the PR!

In order to merge this, we'll also need to improve Vunnel's parsing of the SUSE OVAL XML. Specifically, because the Vunnel provider was written to parse OVAL XML that only described fixed vulnerabilities, Vunnel currently makes bad assumptions about the shape of the criteria sub-trees under the definition nodes.

What I'd like to understand is this: do you all have limits on the shape of criteria trees that are emitted? The data structure looks like it can represent fairly arbitrary boolean conditions (SUSE enterprise more than 15 and (python < 3.12 or perl > 5.1)) or something. But I don't think that you actually write arbitrary boolean expression trees here.

I think the data is structured like this:

(OR
   (AND (SLES versions for package group A) (package versions for package group A))
   (AND (SLES versions for package group B) (package versions of package group B))
)

Is that right? For example, from the Suse 15 "affected" XML, I see:

Definition Title: CVE-2009-2625
Criteria:
OR:
    AND:
      OR:
        SUSE Linux Enterprise Server 15 SP1-LTSS is installed (sles-ltss-release version equals 15.1)
        SUSE Linux Enterprise Server for SAP Applications 15 SP1 is installed (SLES_SAP-release version equals 15.1)
      OR:
        python is affected (python version greater than 0:0-0)
        python-curses is affected (python-curses version greater than 0:0-0)
        python-gdbm is affected (python-gdbm version greater than 0:0-0)
        python-tk is affected (python-tk version greater than 0:0-0)
    AND:
      OR:
        SUSE Enterprise Storage 6 is installed (ses-release version equals 6)
        SUSE Linux Enterprise Desktop 15 is installed (sled-release version equals 15)
        SUSE Linux Enterprise Desktop 15 SP1 is installed (sled-release version equals 15.1)
        SUSE Linux Enterprise High Performance Computing 15 is installed (SLE_HPC-release version equals 15)
        SUSE Linux Enterprise High Performance Computing 15 SP1 is installed (SLE_HPC-release version equals 15.1)
        SUSE Linux Enterprise Module for Basesystem 15 is installed (sle-module-basesystem-release version equals 15)
        SUSE Linux Enterprise Module for Basesystem 15 SP1 is installed (sle-module-basesystem-release version equals 15.1)
        SUSE Linux Enterprise Server 15 is installed (sles-release version equals 15)
        SUSE Linux Enterprise Server 15 SP1 is installed (sles-release version equals 15.1)
        SUSE Linux Enterprise Server for SAP Applications 15 is installed (SLES_SAP-release version equals 15)
        SUSE Linux Enterprise Server for SAP Applications 15 SP1 is installed (SLES_SAP-release version equals 15.1)
        SUSE Manager Proxy 4.0 is installed (SUSE-Manager-Proxy-release version equals 4.0)
        SUSE Manager Retail Branch Server 4.0 is installed (suse-manager-server-release version equals 4.0)
        SUSE Manager Server 4.0 is installed (SUSE-Manager-Server-release version equals 4.0)
      OR:
        expat-2.2.5-1.140 is installed (expat version less than 0:2.2.5-1.140)
        libexpat-devel-2.2.5-1.140 is installed (libexpat-devel version less than 0:2.2.5-1.140)
        libexpat1-2.2.5-1.140 is installed (libexpat1 version less than 0:2.2.5-1.140)
        libexpat1-32bit-2.2.5-1.140 is installed (libexpat1-32bit version less than 0:2.2.5-1.140)

Are there other shapes we should plan to handle?

Vulnerability criteria in the SLES parser that have an RPM version of
"0:0-0" and an operator of "greater than" mean that any version of the
package is vulnerable (because all packages have a version greater than
zero). Therefore, emit a FixedIn with version of "None" in this case, to
tell grype DB that there is no fix for this package yet.

Signed-off-by: Will Murphy <[email protected]>
@@ -142,6 +142,10 @@ def _get_name_and_version_from_test(

name = name_obj.name
version = version_obj.value
if version_obj.operation == "greater than" and version_obj.value == "0:0-0":
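Review bot: the sentinel is matched on two raw string literals, `"greater than"` and `"0:0-0"`, inline in `_get_name_and_version_from_test`; lift them into a named module-level constant with a comment carrying the rationale from the commit message (every version is greater than 0:0-0, so the package is affected and no fix exists yet), so the meaning is visible at the call site and the same check is not re-typed elsewhere. The body of the new branch is not visible in this hunk; a unit test feeding one `greater than 0:0-0` criterion and one `less than <version>` criterion would pin down that the first yields a FixedIn with version None and the second keeps the existing fixed-version behaviour.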
Comment (Contributor):

The assumption here is this: That packages that are vulnerable in a given version of SLES, if they are affected and no patch is available, are considered vulnerable if present.

In other words, saying "PackageA is vulnerable" is always either: "All versions of PackageA are vulnerable" or saying, "PackageA is vulnerable until version 0:1.23", and we never say something like, "PackageA is vulnerable for versions greater than 0:1.23 and less than 0:2.0" or something.

Is this assumption valid @BenoitGui or @msmeissn ?
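The tree shape sketched in the earlier comment and the "greater than 0:0-0" convention discussed here, walked by an added example that is not Vunnel's code: it enforces the OR(AND(OR(releases), OR(packages))) layout, fails loudly on any other shape, flattens the tree into per-release rows and records None as the fixed version for the unfixed sentinel. The XML is a constructed, simplified stand-in (the real SUSE OVAL files reference tests by id rather than spelling them out in the criterion comment).

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for one SUSE OVAL definition (hypothetical layout: real
# files reference tests by id; here each test is spelled out in the comment).
SAMPLE_XML = """<definition><criteria operator="OR">
<criteria operator="AND"><criteria operator="OR">
<criterion comment="SLES 15 SP1-LTSS is installed (sles-ltss-release version equals 15.1)"/>
</criteria><criteria operator="OR">
<criterion comment="python is affected (python version greater than 0:0-0)"/>
</criteria></criteria>
<criteria operator="AND"><criteria operator="OR">
<criterion comment="SLES 15 is installed (sles-release version equals 15)"/>
<criterion comment="SLES 15 SP1 is installed (sles-release version equals 15.1)"/>
</criteria><criteria operator="OR">
<criterion comment="expat-2.2.5-1.140 is installed (expat version less than 0:2.2.5-1.140)"/>
</criteria></criteria></criteria></definition>"""

UNFIXED = ("greater than", "0:0-0")  # sentinel: every version affected, no fix yet
TEST_RE = re.compile(r"\((\S+) version (equals|less than|greater than) (\S+)\)$")

def parse_test(criterion):
    # Pull (name, operator, value) out of the criterion comment.
    m = TEST_RE.search(criterion.get("comment", ""))
    if not m:
        raise ValueError("unrecognised criterion: %r" % criterion.get("comment"))
    return m.group(1), m.group(2), m.group(3)

def expect(node, operator):
    # Fail loudly on any shape other than OR(AND(OR(releases), OR(packages))).
    if node is None or node.get("operator") != operator:
        raise ValueError("unexpected criteria shape, wanted an %s node" % operator)
    return node

def flatten(definition_xml):
    """Return (release_pkg, release_ver, package, fixed_in) rows; fixed_in None = unfixed."""
    rows = []
    for group in expect(ET.fromstring(definition_xml).find("criteria"), "OR").findall("criteria"):
        releases, packages = [expect(c, "OR") for c in expect(group, "AND").findall("criteria")]
        for rel_node in releases.findall("criterion"):
            rel, _, rel_ver = parse_test(rel_node)
            for pkg in packages.findall("criterion"):
                name, op, ver = parse_test(pkg)
                if (op, ver) == UNFIXED:
                    rows.append((rel, rel_ver, name, None))  # affected, no fix
                elif op == "less than":
                    rows.append((rel, rel_ver, name, ver))  # fixed in ver
                else:
                    raise ValueError("unexpected package test: %s %s" % (op, ver))
    return rows
```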

Comment (Contributor):

It seems valid to me, but @msmeissn should confirm this assumption since he is the author of the code 👍

@willmurphyscode (Contributor):

Note for next steps: This results in a fair number of new findings, so the next step is to label some vulnerabilities in vulnerability match labels, e.g.:

   TOOL PARTITION                 PACKAGE                      VULNERABILITY   LABEL      COMMENTARY
   grype[custom-db]@v0.79.4 ONLY  [email protected]           CVE-2016-10228  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]           CVE-2021-37750  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]      CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]      CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]         CVE-2021-43618  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]      CVE-2020-24370  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]      CVE-2020-24371  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]      CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]           CVE-2019-20838  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]     CVE-2018-10880  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]  CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]      CVE-2019-20386  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]         CVE-2019-20386  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]       CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]       CVE-2021-3516   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]       CVE-2021-3517   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]       CVE-2021-3518   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]       CVE-2021-3537   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]   CVE-2018-20573  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]   CVE-2018-20574  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]   CVE-2019-6285   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]   CVE-2019-6292   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]      CVE-2018-6913   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]  CVE-2019-11328  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]  CVE-2020-8025   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]         CVE-2018-10880  (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]           CVE-2017-7501   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]           CVE-2021-3421   (unknown)
   grype[custom-db]@v0.79.4 ONLY  [email protected]     CVE-2021-37600  (unknown)

(I plan to do this work - just writing down the next step for my own planning)

Labels: run-pr-quality-gate (Triggers running of quality gate on PRs)
Project status: Stalled
3 participants