fix(detect/oracle): handle ksplice advisories (#2003)

future-architect · Aug 13, 2024 · 6425193 · 6425193
1 parent f14ca86
commit 6425193
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/oval/util.go b/oval/util.go
@@ -406,8 +406,8 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family, release s
 			continue
 		}
 
-		// /~https://github.com/aquasecurity/trivy/pull/745
-		if strings.Contains(req.versionRelease, ".ksplice1.") != strings.Contains(ovalPack.Version, ".ksplice1.") {
+		// /~https://github.com/aquasecurity/trivy/blob/08cc14bd2171afdc1973c6d614dd0d1fb82b7623/pkg/detector/ospkg/oracle/oracle.go#L72-L77
+		if family == constant.Oracle && extractOracleKsplice(ovalPack.Version) != extractOracleKsplice(req.versionRelease) {
 			continue
 		}
 
@@ -591,6 +591,15 @@ func rhelRebuildOSVersionToRHEL(ver string) string {
 	return rhelRebuildOSVerPattern.ReplaceAllString(ver, ".el$1")
 }
 
+func extractOracleKsplice(v string) string {
+	for _, s := range strings.Split(v, ".") {
+		if strings.HasPrefix(s, "ksplice") {
+			return s
+		}
+	}
+	return ""
+}
+
 // NewOVALClient returns a client for OVAL database
 func NewOVALClient(family string, cnf config.GovalDictConf, o logging.LogOpts) (Client, error) {
 	if err := ovallog.SetLogger(o.LogToFile, o.LogDir, o.Debug, o.LogJSON); err != nil {

diff --git a/oval/util_test.go b/oval/util_test.go
@@ -1887,6 +1887,48 @@ func TestIsOvalDefAffected(t *testing.T) {
 			affected: true,
 			fixedIn:  "2:2.17-106.0.1.ksplice1.el7_2.4",
 		},
+		// .ksplice2.
+		{
+			in: in{
+				family: constant.Oracle,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:    "nginx",
+							Version: "2:2.17-106.0.1.ksplice2.el7_2.4",
+							Arch:    "x86_64",
+						},
+					},
+				},
+				req: request{
+					packName:       "nginx",
+					versionRelease: "2:2.17-107",
+					arch:           "x86_64",
+				},
+			},
+			affected: false,
+		},
+		// in: .ksplice1. , req: .ksplice2.
+		{
+			in: in{
+				family: constant.Oracle,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:    "nginx",
+							Version: "2:2.17-106.0.1.ksplice1.el7_2.4",
+							Arch:    "x86_64",
+						},
+					},
+				},
+				req: request{
+					packName:       "nginx",
+					versionRelease: "2:2.17-105.0.1.ksplice2.el7_2.4",
+					arch:           "x86_64",
+				},
+			},
+			affected: false,
+		},
 		// same arch
 		{
 			in: in{