
Rpm module vulnerability matching #156

Merged (6 commits), Apr 17, 2020

Conversation

@Allda (Collaborator) commented Apr 9, 2020

This pull request contains support for modular rpm vulnerability matching.

A modular rpm is a special type of rpm package which needs to be handled in a different way from normal rpms. OVAL contains module metadata that determines the affected module + stream. Module metadata is stored in a vuln table and queried using a new MatchConstraint.

Commits

Module name and stream are parsed from OVAL files and associated with
the appropriate rpm packages. Module information is stored in a vuln database
table.
A new PackageModule is added to MatchConstraint. This constraint queries
vulnerabilities with a matching module name.

When a package is not part of a module it can be vulnerable only to
non-modular vulnerabilities.

The RHEL matcher now supports rpm module vulnerabilities. Only package vulnerabilities
within the same module will be reported.

Other non-modular rpms will not be affected by this change because
non-modular rpms contain an empty module.

The module regex is created only once, at the beginning.

package_module is used to query vulnerabilities.
The cache key contains the package and module name. The cache reduces the size of
OVAL data.
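As an added illustration of the PackageModule constraint described in the PR description and the commits above (example code, not claircore's own): the module string is taken from an OVAL criterion comment by a regex compiled once, and an advisory matches a package only when package name and module agree, so a non-modular package (empty module) is matched only against non-modular advisories. The "Module name:stream is enabled" comment form and the simplified Package/Vulnerability types are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Compiled once at init, as the PR's "regex is created only once" commit does;
// the "Module <name>:<stream> is enabled" criterion comment form is assumed.
var moduleCommentRe = regexp.MustCompile(`^Module (\S+) is enabled$`)

// Simplified stand-ins for claircore's records; Module is "name:stream" or "" (non-modular).
type Package struct{ Name, Module string }
type Vulnerability struct{ ID, PkgName, Module string }

// ModuleFromComment extracts "name:stream" from an OVAL criterion comment,
// returning "" (non-modular) when the comment is not a module criterion.
func ModuleFromComment(comment string) string {
	if m := moduleCommentRe.FindStringSubmatch(comment); m != nil {
		return m[1]
	}
	return ""
}

// MatchPackageModule is the PackageModule constraint: same package name and
// same module. A non-modular package ("") matches only non-modular advisories.
func MatchPackageModule(p Package, v Vulnerability) bool {
	return p.Name == v.PkgName && p.Module == v.Module
}

// VulnerabilitiesFor returns the IDs of the advisories the constraint admits.
func VulnerabilitiesFor(p Package, vulns []Vulnerability) []string {
	var ids []string
	for _, v := range vulns {
		if MatchPackageModule(p, v) {
			ids = append(ids, v.ID)
		}
	}
	return ids
}

func main() {
	vulns := []Vulnerability{ // constructed sample advisories
		{"ADV-1", "nodejs", ModuleFromComment("Module nodejs:10 is enabled")},
		{"ADV-2", "nodejs", ModuleFromComment("Module nodejs:12 is enabled")},
		{"ADV-3", "nodejs", ModuleFromComment("nodejs is earlier than 0:8.11.4")},
	}
	fmt.Println(VulnerabilitiesFor(Package{"nodejs", "nodejs:10"}, vulns)) // [ADV-1]
	fmt.Println(VulnerabilitiesFor(Package{"nodejs", ""}, vulns))          // [ADV-3]
}
```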
@ldelossa ldelossa merged commit 86dec42 into quay:master Apr 17, 2020