feat(scanner/redhat): each package has modularitylabel (#1381)

models/packages.go

@@ -82,6 +82,7 @@ type Package struct {
 	NewRelease       string               `json:"newRelease"`
 	Arch             string               `json:"arch"`
 	Repository       string               `json:"repository"`
+	ModularityLabel  string               `json:"modularitylabel"`
 	Changelog        *Changelog           `json:"changelog,omitempty"`
 	AffectedProcs    []AffectedProcess    `json:",omitempty"`
 	NeedRestartProcs []NeedRestartProcess `json:",omitempty"`

oval/util.go

@@ -154,6 +154,7 @@ func getDefsByPackNameViaHTTP(r *models.ScanResult, url string) (relatedDefs ova
 				isSrcPack:         false,
 				arch:              pack.Arch,
 				repository:        pack.Repository,
+				modularityLabel:   pack.ModularityLabel,
 			}
 			if ovalFamily == constant.Amazon && ovalRelease == "2" && req.repository == "" {
 				req.repository = "amzn2-core"
@@ -321,6 +322,7 @@ func getDefsByPackNameFromOvalDB(r *models.ScanResult, driver ovaldb.DB) (relate
 			newVersionRelease: pack.FormatNewVer(),
 			arch:              pack.Arch,
 			repository:        pack.Repository,
+			modularityLabel:   pack.ModularityLabel,
 			isSrcPack:         false,
 		}
 		if ovalFamily == constant.Amazon && ovalRelease == "2" && req.repository == "" {
@@ -410,34 +412,48 @@ func isOvalDefAffected(def ovalmodels.Definition, req request, family, release s
 		}
 
 		// There is a modular package and a non-modular package with the same name. (e.g. fedora 35 community-mysql)
-		var modularityNameStreamLabel string
+		var modularityLabel string
 		if ovalPack.ModularityLabel == "" {
 			if modularVersionPattern.MatchString(req.versionRelease) {
 				continue
 			}
 		} else {
-			// expect ovalPack.ModularityLabel e.g. RedHat: nginx:1.16, Fedora: mysql:8.0:3520211031142409:f27b74a8
 			if !modularVersionPattern.MatchString(req.versionRelease) {
 				continue
 			}
 
+			// expect ovalPack.ModularityLabel e.g. RedHat: nginx:1.16, Fedora: mysql:8.0:3520211031142409:f27b74a8
 			ss := strings.Split(ovalPack.ModularityLabel, ":")
 			if len(ss) < 2 {
 				logging.Log.Warnf("Invalid modularitylabel format in oval package. Maybe it is necessary to fix modularitylabel of goval-dictionary. expected: ${name}:${stream}(:${version}:${context}:${arch}), actual: %s", ovalPack.ModularityLabel)
 				continue
 			}
-			modularityNameStreamLabel = fmt.Sprintf("%s:%s", ss[0], ss[1])
-			if !slices.Contains(enabledMods, modularityNameStreamLabel) {
-				continue
+			modularityLabel = fmt.Sprintf("%s:%s", ss[0], ss[1])
+
+			if req.modularityLabel != "" {
+				ss := strings.Split(req.modularityLabel, ":")
+				if len(ss) < 2 {
+					logging.Log.Warnf("Invalid modularitylabel format in request package. expected: ${name}:${stream}(:${version}:${context}:${arch}), actual: %s", req.modularityLabel)
+					continue
+				}
+				reqModularityLabel := fmt.Sprintf("%s:%s", ss[0], ss[1])
+
+				if reqModularityLabel != modularityLabel {
+					continue
+				}
+			} else {
+				if !slices.Contains(enabledMods, modularityLabel) {
+					continue
+				}
 			}
 		}
 
 		if ovalPack.NotFixedYet {
 			switch family {
 			case constant.RedHat, constant.CentOS, constant.Alma, constant.Rocky:
 				n := req.packName
-				if modularityNameStreamLabel != "" {
-					n = fmt.Sprintf("%s/%s", modularityNameStreamLabel, req.packName)
+				if modularityLabel != "" {
+					n = fmt.Sprintf("%s/%s", modularityLabel, req.packName)
 				}
 				for _, r := range def.Advisory.AffectedResolution {
 					if slices.ContainsFunc(r.Components, func(c ovalmodels.Component) bool { return c.Component == n }) {

oval/util_test.go

@@ -1573,6 +1573,29 @@ func TestIsOvalDefAffected(t *testing.T) {
 			notFixedYet: false,
 			fixedIn:     "1.16.1-1.module+el8.3.0+8844+e5e7039f.1",
 		},
+		{
+			in: in{
+				family: constant.RedHat,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:            "nginx",
+							Version:         "1.16.1-1.module+el8.3.0+8844+e5e7039f.1",
+							NotFixedYet:     false,
+							ModularityLabel: "nginx:1.16",
+						},
+					},
+				},
+				req: request{
+					packName:        "nginx",
+					versionRelease:  "1.16.0-1.module+el8.3.0+8844+e5e7039f.1",
+					modularityLabel: "nginx:1.16:version:context",
+				},
+			},
+			affected:    true,
+			notFixedYet: false,
+			fixedIn:     "1.16.1-1.module+el8.3.0+8844+e5e7039f.1",
+		},
 		// dnf module 2
 		{
 			in: in{
@@ -1598,6 +1621,28 @@ func TestIsOvalDefAffected(t *testing.T) {
 			affected:    false,
 			notFixedYet: false,
 		},
+		{
+			in: in{
+				family: constant.RedHat,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:            "nginx",
+							Version:         "1.16.1-1.module+el8.3.0+8844+e5e7039f.1",
+							NotFixedYet:     false,
+							ModularityLabel: "nginx:1.16",
+						},
+					},
+				},
+				req: request{
+					packName:        "nginx",
+					versionRelease:  "1.16.2-1.module+el8.3.0+8844+e5e7039f.1",
+					modularityLabel: "nginx:1.16:version:context",
+				},
+			},
+			affected:    false,
+			notFixedYet: false,
+		},
 		// dnf module 3
 		{
 			in: in{
@@ -1623,6 +1668,28 @@ func TestIsOvalDefAffected(t *testing.T) {
 			affected:    false,
 			notFixedYet: false,
 		},
+		{
+			in: in{
+				family: constant.RedHat,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:            "nginx",
+							Version:         "1.16.1-1.module+el8.3.0+8844+e5e7039f.1",
+							NotFixedYet:     false,
+							ModularityLabel: "nginx:1.16",
+						},
+					},
+				},
+				req: request{
+					packName:        "nginx",
+					versionRelease:  "1.16.0-1.module+el8.3.0+8844+e5e7039f.1",
+					modularityLabel: "nginx:1.14:version:context",
+				},
+			},
+			affected:    false,
+			notFixedYet: false,
+		},
 		// dnf module 4 (long modularitylabel)
 		{
 			in: in{
@@ -1651,6 +1718,31 @@ func TestIsOvalDefAffected(t *testing.T) {
 			notFixedYet: false,
 			fixedIn:     "0:8.0.27-1.module_f35+13269+c9322734",
 		},
+		{
+			in: in{
+				family: constant.Fedora,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:            "community-mysql",
+							Version:         "0:8.0.27-1.module_f35+13269+c9322734",
+							Arch:            "x86_64",
+							NotFixedYet:     false,
+							ModularityLabel: "mysql:8.0:3520211031142409:f27b74a8",
+						},
+					},
+				},
+				req: request{
+					packName:        "community-mysql",
+					arch:            "x86_64",
+					versionRelease:  "8.0.26-1.module_f35+12627+b26747dd",
+					modularityLabel: "mysql:8.0:version:context",
+				},
+			},
+			affected:    true,
+			notFixedYet: false,
+			fixedIn:     "0:8.0.27-1.module_f35+13269+c9322734",
+		},
 		// dnf module 5 (req is non-modular package, oval is modular package)
 		{
 			in: in{
@@ -1678,6 +1770,29 @@ func TestIsOvalDefAffected(t *testing.T) {
 			affected:    false,
 			notFixedYet: false,
 		},
+		{
+			in: in{
+				family: constant.Fedora,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:            "community-mysql",
+							Version:         "0:8.0.27-1.module_f35+13269+c9322734",
+							Arch:            "x86_64",
+							NotFixedYet:     false,
+							ModularityLabel: "mysql:8.0:3520211031142409:f27b74a8",
+						},
+					},
+				},
+				req: request{
+					packName:       "community-mysql",
+					arch:           "x86_64",
+					versionRelease: "8.0.26-1.fc35",
+				},
+			},
+			affected:    false,
+			notFixedYet: false,
+		},
 		// dnf module 6 (req is modular package, oval is non-modular package)
 		{
 			in: in{
@@ -1705,6 +1820,30 @@ func TestIsOvalDefAffected(t *testing.T) {
 			affected:    false,
 			notFixedYet: false,
 		},
+		{
+			in: in{
+				family: constant.Fedora,
+				def: ovalmodels.Definition{
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:            "community-mysql",
+							Version:         "0:8.0.27-1.fc35",
+							Arch:            "x86_64",
+							NotFixedYet:     false,
+							ModularityLabel: "",
+						},
+					},
+				},
+				req: request{
+					packName:        "community-mysql",
+					arch:            "x86_64",
+					versionRelease:  "8.0.26-1.module_f35+12627+b26747dd",
+					modularityLabel: "mysql:8.0:3520211031142409:f27b74a8",
+				},
+			},
+			affected:    false,
+			notFixedYet: false,
+		},
 		// .ksplice1.
 		{
 			in: in{
@@ -2146,6 +2285,43 @@ func TestIsOvalDefAffected(t *testing.T) {
 			fixState:    "Affected",
 			fixedIn:     "",
 		},
+		{
+			in: in{
+				family:  constant.RedHat,
+				release: "8",
+				def: ovalmodels.Definition{
+					Advisory: ovalmodels.Advisory{
+						AffectedResolution: []ovalmodels.Resolution{
+							{
+								State: "Affected",
+								Components: []ovalmodels.Component{
+									{
+										Component: "nodejs:20/nodejs",
+									},
+								},
+							},
+						},
+					},
+					AffectedPacks: []ovalmodels.Package{
+						{
+							Name:            "nodejs",
+							NotFixedYet:     true,
+							ModularityLabel: "nodejs:20",
+						},
+					},
+				},
+				req: request{
+					packName:        "nodejs",
+					versionRelease:  "1:20.11.1-1.module+el8.9.0+21380+12032667",
+					modularityLabel: "nodejs:20:version:context",
+					arch:            "x86_64",
+				},
+			},
+			affected:    true,
+			notFixedYet: true,
+			fixState:    "Affected",
+			fixedIn:     "",
+		},
 	}
 
 	for i, tt := range tests {

scanner/base.go

@@ -92,9 +92,6 @@ type osPackages struct {
 	// installed source packages (Debian based only)
 	SrcPackages models.SrcPackages
 
-	// enabled dnf modules or packages
-	EnabledDnfModules []string
-
 	// Detected Vulnerabilities Key: CVE-ID
 	VulnInfos models.VulnInfos
 
@@ -545,7 +542,6 @@ func (l *base) convertToModel() models.ScanResult {
 		RunningKernel:     l.Kernel,
 		Packages:          l.Packages,
 		SrcPackages:       l.SrcPackages,
-		EnabledDnfModules: l.EnabledDnfModules,
 		WordPressPackages: l.WordPress,
 		LibraryScanners:   l.LibraryScanners,
 		WindowsKB:         l.windowsKB,