rhel: deprecate updater in favor of VEX updater

.github/workflows/golang-image.yml

@@ -19,14 +19,27 @@ env:
   QUAY_USER: projectquay+claircore_github
 
 jobs:
+  versions:
+    if: ${{ github.repository == 'quay/claircore' }}
+    name: Check available go versions
+    runs-on: 'ubuntu-latest'
+    outputs:
+      versions: ${{ steps.versions.outputs.versions }}
+    steps:
+      - id: versions
+        run: |
+          curl -sL 'https://golang.org/dl/?mode=json' |
+            jq -rc 'map(.version|sub("go(?<maj>1\\.[0-9]+)\\.[0-9]+$";"\(.maj)"))|@text "versions=\(.)"' >> $GITHUB_OUTPUT
+
   golang-image:
     if: ${{ github.repository == 'quay/claircore' }}
+    needs: versions
     name: Build and publish golang image
     runs-on: 'ubuntu-latest'
     strategy:
       fail-fast: false
       matrix:
-        go: ['1.18', '1.19', '1.20', '1.21', '1.22']
+        go: ${{ fromJSON(needs.versions.outputs.versions) }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/main.yml

@@ -69,8 +69,8 @@ jobs:
       fail-fast: false
       matrix:
         go:
-          - '1.22'
-          - '1.21'
+          - 'stable'
+          - 'oldstable'
     steps:
       - name: Check for Previous Run
         id: previous
@@ -115,7 +115,7 @@ jobs:
           steps.previous.outputs.cache-hit != 'true' &&
           success() &&
           strategy.job-index == 0
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           directory: ${{ runner.temp }}
           override_branch: ${{ github.ref_name }}

.github/workflows/prepare-release.yml

@@ -27,7 +27,7 @@ jobs:
           git fetch --tags origin refs/notes/changelog:refs/notes/changelog
           .github/scripts/changelog-update "${{ github.event.inputs.tag }}"
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           title: "${{ github.event.inputs.tag }} Changelog Bump"
           body: "This is an automated changelog commit."

.github/workflows/update-clair.yml

@@ -37,7 +37,7 @@ jobs:
 
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           add-paths: go.mod,go.sum
           token: ${{ steps.generate_token.outputs.token }}

CHANGELOG.md

@@ -1,3 +1,55 @@
+<a name="v1.5.33"></a>
+## [v1.5.33] - 2024-11-08
+[v1.5.33]: https://github.com/quay/claircore/compare/v1.5.32...v1.5.33
+
+- suse: dynamic distribution discovery
+  <details>
+  Previously Suse distributions were static/predefined in the code, the
+  lack of updates to those definitions had allowed the Suse support lapse.
+  This change adds dynamic support for two Suse distro flavors:
+  suse.linux.enterprise.server and opensuse.leap.
+  </details>
+
+<a name="v1.5.32"></a>
+## [v1.5.32] - 2024-10-04
+[v1.5.32]: https://github.com/quay/claircore/compare/v1.5.31...v1.5.32
+
+Nothing interesting happened this release.
+
+<a name="v1.5.31"></a>
+## [v1.5.31] - 2024-09-16
+[v1.5.31]: https://github.com/quay/claircore/compare/v1.5.30...v1.5.31
+
+Nothing interesting happened this release.
+
+<a name="v1.5.30"></a>
+## [v1.5.30] - 2024-09-06
+[v1.5.30]: https://github.com/quay/claircore/compare/v1.5.29...v1.5.30
+
+Nothing interesting happened this release.
+
+<a name="v1.5.29"></a>
+## [v1.5.29] - 2024-08-21
+[v1.5.29]: https://github.com/quay/claircore/compare/v1.5.28...v1.5.29
+
+- rhel: move IgnoreUnpatched config key from updater to matcher
+  <details>
+  Previously the IgnoreUnpatched config key was a part of the RHEL
+  updater and would dictate whether or not the updater would ingest
+  unpatched vulnerabilities. This change moves that key to the RHEL
+  matcher and dictates whether the matcher should check for a
+  fixed_in_version when querying potential vulnerabilities. This makes the
+  config option more usable at the expense of DB size.
+  </details>
+
+- rhel: add csaf/vex updater
+  <details>
+  Replace the RHEL OVAL updater with a CSAF/VEX updater for Red Hat
+  security data. Update the matching logic to deal with CPE patterns
+  coming from the VEX files. Remove RHEL updater and add a migration to
+  delete Red Hat OVAL data from the database.
+  </details>
+
 <a name="v1.5.28"></a>
 ## [v1.5.28] - 2024-05-13
 [v1.5.28]: https://github.com/quay/claircore/compare/v1.5.27...v1.5.28

README.md

@@ -1,31 +1,26 @@
 ![](https://github.com/quay/claircore/workflows/CI/badge.svg)
-# ClairCore
+# Claircore
 
-ClairCore provides a set of go modules which handle scanning container layers for installed packages and reporting any discovered vulnerabilities.  
-ClairCore is designed to be embedded into a service wrapper.  
+Claircore provides a set of go modules which handle scanning container layers for installed packages and reporting any discovered vulnerabilities.
+Claircore is designed to be embedded into a service wrapper.
 
-For a full overview see: [ClairCore Book](https://quay.github.io/claircore)
+For a full overview see: [Claircore Book](https://quay.github.io/claircore)
 
-# Local development and testing
+# Testing
 
-The following targets start and stop a local development environment  
-```
-make local-dev-up
-make local-dev-down
-```
-
-If you modify libvuln or libindex code the following make targets will restart the services with your changes  
-```
-make libindexhttp-restart
-make libvulnhttp-restart
+The following make target runs unit tests which do not require a database or local development environment.
+```sh
+make unit
+# or make unit-v for verbose output
 ```
 
-With the local development environment up the following make target runs all tests including integration  
-```
+With the local development environment up the following make target runs all tests including integration.
+```sh
 make integration
+# or integration-v for verbose output
 ```
 
-The following make target runs unit tests which do not require a database or local development environment  
-```
-make unit
+With the local development environment up the following make target runs all tests including integration with full benchmark results.
+```sh
+make bench
 ```

alpine/parser.go

@@ -3,7 +3,6 @@ package alpine
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"io"
 
 	"github.com/quay/zlog"
@@ -13,7 +12,7 @@ import (
 )
 
 const (
-	cveURLPrefix = "https://www.cve.org/CVERecord?id=%s"
+	cveURLPrefix = "https://security.alpinelinux.org/vuln/"
 )
 
 var _ driver.Parser = (*updater)(nil)
@@ -59,7 +58,7 @@ func unpackSecFixes(partial claircore.Vulnerability, secFixes map[string][]strin
 			v := partial
 			v.Name = id
 			v.FixedInVersion = fixedIn
-			v.Links = fmt.Sprintf(cveURLPrefix, id)
+			v.Links = cveURLPrefix + id
 			out = append(out, &v)
 		}
 	}

alpine/parser_test.go

@@ -18,7 +18,7 @@ var dist310 = stableRelease{3, 10}.Distribution()
 var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	{
 		Name:               "CVE-2018-20187",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2018-20187",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2018-20187",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "2.9.0-r0",
 		NormalizedSeverity: claircore.Unknown,
@@ -30,7 +30,7 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	},
 	{
 		Name:               "CVE-2018-12435",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2018-12435",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2018-12435",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "2.7.0-r0",
 		NormalizedSeverity: claircore.Unknown,
@@ -42,7 +42,7 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	},
 	{
 		Name:               "CVE-2018-9860",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2018-9860",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2018-9860",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "2.6.0-r0",
 		NormalizedSeverity: claircore.Unknown,
@@ -54,7 +54,7 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	},
 	{
 		Name:               "CVE-2018-9127",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2018-9127",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2018-9127",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "2.5.0-r0",
 		NormalizedSeverity: claircore.Unknown,
@@ -66,7 +66,7 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	},
 	{
 		Name:               "CVE-2019-9929",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2019-9929",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2019-9929",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "3.12.2-r0",
 		NormalizedSeverity: claircore.Unknown,
@@ -78,7 +78,7 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	},
 	{
 		Name:               "CVE-2017-6949",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2017-6949",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2017-6949",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "4.12.0-r3",
 		NormalizedSeverity: claircore.Unknown,
@@ -90,7 +90,7 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	},
 	{
 		Name:               "CVE-2017-9334",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2017-9334",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2017-9334",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "4.12.0-r2",
 		NormalizedSeverity: claircore.Unknown,
@@ -102,7 +102,7 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	},
 	{
 		Name:               "CVE-2016-6830",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2016-6830",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2016-6830",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "4.11.1-r0",
 		NormalizedSeverity: claircore.Unknown,
@@ -114,7 +114,7 @@ var v3_10CommunityTruncatedVulns = []*claircore.Vulnerability{
 	},
 	{
 		Name:               "CVE-2016-6831",
-		Links:              "https://www.cve.org/CVERecord?id=CVE-2016-6831",
+		Links:              "https://security.alpinelinux.org/vuln/CVE-2016-6831",
 		Updater:            "alpine-community-v3.10-updater",
 		FixedInVersion:     "4.11.1-r0",
 		NormalizedSeverity: claircore.Unknown,

datastore/postgres/get.go

@@ -36,6 +36,11 @@ var (
 	)
 )
 
+type recordQuery struct {
+	record *claircore.IndexRecord
+	query  string
+}
+
 // Get implements vulnstore.Vulnerability.
 func (s *MatcherStore) Get(ctx context.Context, records []*claircore.IndexRecord, opts datastore.GetOpts) (map[string][]*claircore.Vulnerability, error) {
 	ctx = zlog.ContextWithValues(ctx, "component", "internal/vulnstore/postgres/Get")
@@ -46,6 +51,8 @@ func (s *MatcherStore) Get(ctx context.Context, records []*claircore.IndexRecord
 	defer tx.Rollback(ctx)
 	// start a batch
 	batch := &pgx.Batch{}
+	resCache := map[string]pgx.Rows{}
+	rqs := []*recordQuery{}
 	for _, record := range records {
 		query, err := buildGetQuery(record, &opts)
 		if err != nil {
@@ -56,8 +63,13 @@ func (s *MatcherStore) Get(ctx context.Context, records []*claircore.IndexRecord
 				Msg("could not build query for record")
 			continue
 		}
+		rqs = append(rqs, &recordQuery{query: query, record: record})
+		if _, ok := resCache[query]; ok {
+			continue
+		}
 		// queue the select query
 		batch.Queue(query)
+		resCache[query] = nil
 	}
 	// send the batch
 
@@ -70,11 +82,18 @@ func (s *MatcherStore) Get(ctx context.Context, records []*claircore.IndexRecord
 	// gather all the returned vulns for each queued select statement
 	results := make(map[string][]*claircore.Vulnerability)
 	vulnSet := make(map[string]map[string]struct{})
-	for _, record := range records {
-		rows, err := res.Query()
-		if err != nil {
-			res.Close()
-			return nil, err
+	for _, rq := range rqs {
+		rows, ok := resCache[rq.query]
+		if !ok {
+			return nil, fmt.Errorf("unexpected vulnerability query: %s", rq.query)
+		}
+		if rows == nil {
+			rows, err = res.Query()
+			if err != nil {
+				res.Close()
+				return nil, err
+			}
+			resCache[rq.query] = rows
 		}
 
 		// unpack all returned rows into claircore.Vulnerability structs
@@ -121,7 +140,7 @@ func (s *MatcherStore) Get(ctx context.Context, records []*claircore.IndexRecord
 				return nil, fmt.Errorf("failed to scan vulnerability: %v", err)
 			}
 
-			rid := record.Package.ID
+			rid := rq.record.Package.ID
 			if _, ok := vulnSet[rid]; !ok {
 				vulnSet[rid] = make(map[string]struct{})
 			}

datastore/postgres/migrations/matcher/13-delete-rhel-oval.sql

@@ -0,0 +1,4 @@
+-- The rhel-vex updater will now be responsible for RHEL advisories so we have
+-- to delete the existing rhel vulnerabilities.
+DELETE FROM update_operation WHERE updater ~ 'RHEL[5-9]-*';
+DELETE FROM vuln where updater ~ 'RHEL[5-9]-*';

datastore/postgres/migrations/matcher/14-delete-rhcc-vulns.sql

@@ -0,0 +1,4 @@
+-- The rhel-vex updater will now be responsible for RHCC advisories so we have
+-- to delete the existing RHCC vulnerabilities.
+DELETE FROM update_operation WHERE updater = 'rhel-container-updater';
+DELETE FROM vuln where updater = 'rhel-container-updater';

datastore/postgres/migrations/migrations.go

@@ -108,4 +108,12 @@ var MatcherMigrations = []migrate.Migration{
 		ID: 12,
 		Up: runFile("matcher/12-add-latest_update_operation-index.sql"),
 	},
+	{
+		ID: 13,
+		Up: runFile("matcher/13-delete-rhel-oval.sql"),
+	},
+	{
+		ID: 14,
+		Up: runFile("matcher/14-delete-rhcc-vulns.sql"),
+	},
 }

datastore/postgres/querybuilder.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/doug-martin/goqu/v8"
 	_ "github.com/doug-martin/goqu/v8/dialect/postgres"
+	"github.com/doug-martin/goqu/v8/exp"
 
 	"github.com/quay/claircore"
 	"github.com/quay/claircore/datastore"
@@ -70,6 +71,10 @@ func buildGetQuery(record *claircore.IndexRecord, opts *datastore.GetOpts) (stri
 			ex = goqu.Ex{"dist_arch": record.Distribution.Arch}
 		case driver.RepositoryName:
 			ex = goqu.Ex{"repo_name": record.Repository.Name}
+		case driver.RepositoryKey:
+			ex = goqu.Ex{"repo_key": record.Repository.Key}
+		case driver.HasFixedInVersion:
+			ex = goqu.Ex{"fixed_in_version": goqu.Op{exp.NeqOp.String(): ""}}
 		default:
 			return "", fmt.Errorf("was provided unknown matcher: %v", m)
 		}