fix(rocky): fix Scan in Rocky Linux (future-architect#1266)

* fix(rocky): fix OVAL scan in Rocky Linux * chore: add FreeBSD13 EOL, fix future-architect#1245 * chore(rocky): add Rocky Linux EOL tests * feat(rocky): implement with reference to CentOS * feat(raspbian): add Raspbian to Server mode * feat(rocky): support gost scan * fix(rocky): rocky support lessThan * chore: update doc and comment
Stoicmehedi · Jul 7, 2021 · 0bf1241 · 0bf1241
1 parent 0ea4d58
commit 0bf1241
Show file tree

Hide file tree

Showing 17 changed files with 577 additions and 38 deletions.
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ Vuls is a tool created to solve the problems listed above. It has the following
 
 [Supports major Linux/FreeBSD](https://vuls.io/docs/en/supported-os.html)
 
-- Alpine, Amazon Linux, CentOS, Debian, Oracle Linux, Raspbian, RHEL, SUSE Enterprise Linux, and Ubuntu
+- Alpine, Amazon Linux, CentOS, Rocky Linux, Debian, Oracle Linux, Raspbian, RHEL, SUSE Enterprise Linux, and Ubuntu
 - FreeBSD
 - Cloud, on-premise, Running Docker Container
 
@@ -100,15 +100,15 @@ Vuls is a tool created to solve the problems listed above. It has the following
 
 - Scan without root privilege, no dependencies
 - Almost no load on the scan target server
-- Offline mode scan with no internet access. (CentOS, Debian, Oracle Linux, Red Hat, and Ubuntu)
+- Offline mode scan with no internet access. (CentOS, Rocky Linux, Debian, Oracle Linux, Red Hat, and Ubuntu)
 
 [Fast Root Scan](https://vuls.io/docs/en/architecture-fast-root-scan.html)
 
 - Scan with root privilege
 - Almost no load on the scan target server
-- Detect processes affected by update using yum-ps (Amazon Linux, CentOS, Oracle Linux, and RedHat)
+- Detect processes affected by update using yum-ps (Amazon Linux, CentOS, Rocky Linux, Oracle Linux, and RedHat)
 - Detect processes which updated before but not restarting yet using checkrestart of debian-goodies (Debian and Ubuntu)
-- Offline mode scan with no internet access. (CentOS, Debian, Oracle Linux, Red Hat, and Ubuntu)
+- Offline mode scan with no internet access. (CentOS, Rocky Linux, Debian, Oracle Linux, Red Hat, and Ubuntu)
 
 ### [Remote, Local scan mode, Server mode](https://vuls.io/docs/en/architecture-remote-local.html)
 

diff --git a/config/config.go b/config/config.go
@@ -230,7 +230,7 @@ type ServerInfo struct {
 	GitHubRepos        map[string]GitHubConf       `toml:"githubs" json:"githubs,omitempty"` // key: owner/repo
 	UUIDs              map[string]string           `toml:"uuids,omitempty" json:"uuids,omitempty"`
 	Memo               string                      `toml:"memo,omitempty" json:"memo,omitempty"`
-	Enablerepo         []string                    `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, RHEL, Amazon
+	Enablerepo         []string                    `toml:"enablerepo,omitempty" json:"enablerepo,omitempty"` // For CentOS, Rocky, RHEL, Amazon
 	Optional           map[string]interface{}      `toml:"optional,omitempty" json:"optional,omitempty"`     // Optional key-value set that will be outputted to JSON
 	Lockfiles          []string                    `toml:"lockfiles,omitempty" json:"lockfiles,omitempty"`   // ie) path/to/package-lock.json
 	FindLock           bool                        `toml:"findLock,omitempty" json:"findLock,omitempty"`

diff --git a/config/os.go b/config/os.go
@@ -75,6 +75,10 @@ func GetEOL(family, release string) (eol EOL, found bool) {
 			"7": {StandardSupportUntil: time.Date(2024, 6, 30, 23, 59, 59, 0, time.UTC)},
 			"8": {StandardSupportUntil: time.Date(2021, 12, 31, 23, 59, 59, 0, time.UTC)},
 		}[major(release)]
+	case constant.Rocky:
+		eol, found = map[string]EOL{
+			"8": {StandardSupportUntil: time.Date(2029, 5, 31, 23, 59, 59, 0, time.UTC)},
+		}[major(release)]
 	case constant.Oracle:
 		eol, found = map[string]EOL{
 			// Source:
@@ -179,6 +183,7 @@ func GetEOL(family, release string) (eol EOL, found bool) {
 			"10": {Ended: true},
 			"11": {StandardSupportUntil: time.Date(2021, 9, 30, 23, 59, 59, 0, time.UTC)},
 			"12": {StandardSupportUntil: time.Date(2024, 6, 30, 23, 59, 59, 0, time.UTC)},
+			"13": {StandardSupportUntil: time.Date(2026, 1, 31, 23, 59, 59, 0, time.UTC)},
 		}[major(release)]
 	}
 	return

diff --git a/config/os_test.go b/config/os_test.go
@@ -111,6 +111,31 @@ func TestEOL_IsStandardSupportEnded(t *testing.T) {
 			extEnded: false,
 			found:    false,
 		},
+		// Rocky
+		{
+			name:     "Rocky Linux 8 supported",
+			fields:   fields{family: Rocky, release: "8"},
+			now:      time.Date(2021, 7, 2, 23, 59, 59, 0, time.UTC),
+			stdEnded: false,
+			extEnded: false,
+			found:    true,
+		},
+		{
+			name:     "Rocky Linux 8 EOL",
+			fields:   fields{family: Rocky, release: "8"},
+			now:      time.Date(2026, 2, 1, 0, 0, 0, 0, time.UTC),
+			stdEnded: false,
+			extEnded: false,
+			found:    true,
+		},
+		{
+			name:     "Rocky Linux 9 Not Found",
+			fields:   fields{family: Rocky, release: "9"},
+			now:      time.Date(2021, 7, 2, 23, 59, 59, 0, time.UTC),
+			stdEnded: false,
+			extEnded: false,
+			found:    false,
+		},
 		//Oracle
 		{
 			name:     "Oracle Linux 7 supported",
@@ -308,6 +333,14 @@ func TestEOL_IsStandardSupportEnded(t *testing.T) {
 			extEnded: false,
 			found:    true,
 		},
+		{
+			name:     "freebsd 13 supported",
+			fields:   fields{family: FreeBSD, release: "13"},
+			now:      time.Date(2021, 7, 2, 23, 59, 59, 0, time.UTC),
+			stdEnded: false,
+			extEnded: false,
+			found:    true,
+		},
 		{
 			name:     "freebsd 10 eol",
 			fields:   fields{family: FreeBSD, release: "10"},

diff --git a/constant/constant.go b/constant/constant.go
@@ -18,7 +18,7 @@ const (
 	CentOS = "centos"
 
 	// Rocky is
-	Rocky = "Rocky"
+	Rocky = "rocky"
 
 	// Fedora is
 	// Fedora = "fedora"

diff --git a/gost/gost.go b/gost/gost.go
@@ -65,7 +65,7 @@ func NewClient(cnf config.GostConf, family string) (Client, error) {
 	driver := DBDriver{DB: db, Cnf: &cnf}
 
 	switch family {
-	case constant.RedHat, constant.CentOS:
+	case constant.RedHat, constant.CentOS, constant.Rocky:
 		return RedHat{Base{DBDriver: driver}}, nil
 	case constant.Debian, constant.Raspbian:
 		return Debian{Base{DBDriver: driver}}, nil

diff --git a/models/cvecontents.go b/models/cvecontents.go
@@ -233,7 +233,7 @@ func NewCveContentType(name string) CveContentType {
 		return Nvd
 	case "jvn":
 		return Jvn
-	case "redhat", "centos":
+	case "redhat", "centos", "rocky":
 		return RedHat
 	case "oracle":
 		return Oracle

diff --git a/models/scanresults_test.go b/models/scanresults_test.go
@@ -56,6 +56,11 @@ func TestIsDisplayUpdatableNum(t *testing.T) {
 			family:   constant.CentOS,
 			expected: true,
 		},
+		{
+			mode:     []byte{config.Fast},
+			family:   constant.Rocky,
+			expected: true,
+		},
 		{
 			mode:     []byte{config.Fast},
 			family:   constant.Amazon,

diff --git a/oval/redhat.go b/oval/redhat.go
@@ -14,7 +14,7 @@ import (
 	ovalmodels "github.com/kotakanbe/goval-dictionary/models"
 )
 
-// RedHatBase is the base struct for RedHat and CentOS
+// RedHatBase is the base struct for RedHat, CentOS and Rocky
 type RedHatBase struct {
 	Base
 }
@@ -155,7 +155,7 @@ func (o RedHatBase) update(r *models.ScanResult, defPacks defPacks) (nCVEs int)
 func (o RedHatBase) convertToDistroAdvisory(def *ovalmodels.Definition) *models.DistroAdvisory {
 	advisoryID := def.Title
 	switch o.family {
-	case constant.RedHat, constant.CentOS, constant.Oracle:
+	case constant.RedHat, constant.CentOS, constant.Rocky, constant.Oracle:
 		if def.Title != "" {
 			ss := strings.Fields(def.Title)
 			advisoryID = strings.TrimSuffix(ss[0], ":")
@@ -322,3 +322,21 @@ func NewAmazon(cnf config.VulnDictInterface) Amazon {
 		},
 	}
 }
+
+// Rocky is the interface for RedhatBase OVAL
+type Rocky struct {
+	// Base
+	RedHatBase
+}
+
+// NewRocky creates OVAL client for Rocky Linux
+func NewRocky(cnf config.VulnDictInterface) Rocky {
+	return Rocky{
+		RedHatBase{
+			Base{
+				family: constant.Rocky,
+				Cnf:    cnf,
+			},
+		},
+	}
+}
diff --git a/oval/util.go b/oval/util.go
@@ -337,7 +337,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
 
 		if running.Release != "" {
 			switch family {
-			case constant.RedHat, constant.CentOS, constant.Oracle:
+			case constant.RedHat, constant.CentOS, constant.Rocky, constant.Oracle:
 				// For kernel related packages, ignore OVAL information with different major versions
 				if _, ok := kernelRelatedPackNames[ovalPack.Name]; ok {
 					if util.Major(ovalPack.Version) != util.Major(running.Release) {
@@ -377,7 +377,7 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family string, ru
 				return true, false, ovalPack.Version, nil
 			}
 
-			// But CentOS can't judge whether fixed or unfixed.
+			// But CentOS/Rocky can't judge whether fixed or unfixed.
 			// Because fixed state in RHEL OVAL is different.
 			// So, it have to be judged version comparison.
 
@@ -435,20 +435,21 @@ func lessThan(family, newVer string, packInOVAL ovalmodels.Package) (bool, error
 		return vera.LessThan(verb), nil
 
 	case constant.RedHat,
-		constant.CentOS:
-		vera := rpmver.NewVersion(centOSVersionToRHEL(newVer))
-		verb := rpmver.NewVersion(centOSVersionToRHEL(packInOVAL.Version))
+		constant.CentOS,
+		constant.Rocky:
+		vera := rpmver.NewVersion(rhelDownStreamOSVersionToRHEL(newVer))
+		verb := rpmver.NewVersion(rhelDownStreamOSVersionToRHEL(packInOVAL.Version))
 		return vera.LessThan(verb), nil
 
 	default:
 		return false, xerrors.Errorf("Not implemented yet: %s", family)
 	}
 }
 
-var centosVerPattern = regexp.MustCompile(`\.[es]l(\d+)(?:_\d+)?(?:\.centos)?`)
+var rhelDownStreamOSVerPattern = regexp.MustCompile(`\.[es]l(\d+)(?:_\d+)?(?:\.(centos|rocky))?`)
 
-func centOSVersionToRHEL(ver string) string {
-	return centosVerPattern.ReplaceAllString(ver, ".el$1")
+func rhelDownStreamOSVersionToRHEL(ver string) string {
+	return rhelDownStreamOSVerPattern.ReplaceAllString(ver, ".el$1")
 }
 
 // NewOVALClient returns a client for OVAL database
@@ -461,8 +462,9 @@ func NewOVALClient(family string, cnf config.GovalDictConf) (Client, error) {
 	case constant.RedHat:
 		return NewRedhat(&cnf), nil
 	case constant.CentOS:
-		//use RedHat's OVAL
 		return NewCentOS(&cnf), nil
+	case constant.Rocky:
+		return NewRocky(&cnf), nil
 	case constant.Oracle:
 		return NewOracle(&cnf), nil
 	case constant.SUSEEnterpriseServer:
@@ -485,17 +487,14 @@ func NewOVALClient(family string, cnf config.GovalDictConf) (Client, error) {
 }
 
 // GetFamilyInOval returns the OS family name in OVAL
-// For example, CentOS uses Red Hat's OVAL, so return 'redhat'
+// For example, CentOS/Rocky uses Red Hat's OVAL, so return 'redhat'
 func GetFamilyInOval(familyInScanResult string) (string, error) {
 	switch familyInScanResult {
 	case constant.Debian, constant.Raspbian:
 		return constant.Debian, nil
 	case constant.Ubuntu:
 		return constant.Ubuntu, nil
-	case constant.RedHat:
-		return constant.RedHat, nil
-	case constant.CentOS:
-		//use RedHat's OVAL
+	case constant.RedHat, constant.CentOS, constant.Rocky:
 		return constant.RedHat, nil
 	case constant.Oracle:
 		return constant.Oracle, nil