Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix the parsing logic of FreeBSD pkg-audit #1334

Merged
merged 5 commits into from
Dec 24, 2021
Merged

Fix the parsing logic of FreeBSD pkg-audit #1334

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4dce603
fix scanUnsecurePackages for FreeBSD pkg audit output change
Nov 16, 2021
9384aba
Add test case TestParseBlock for FreeBSD pkg audit output change
Nov 16, 2021
6027b0b
Fix for no CVE in a block
Nov 17, 2021
e3d3cc2
fix(scan): parse logic of pkg-audit
kotakanbe Nov 19, 2021
65a7840
fix
kotakanbe Nov 19, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 16 additions & 13 deletions scanner/freebsd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package scanner

import (
"bufio"
"fmt"
"net"
"strings"

Expand Down Expand Up @@ -207,7 +209,7 @@ func (o *bsd) scanUnsecurePackages() (models.VulnInfos, error) {
blocks := o.splitIntoBlocks(r.Stdout)
for _, b := range blocks {
name, cveIDs, vulnID := o.parseBlock(b)
if len(cveIDs) == 0 {
if name == "" || len(cveIDs) == 0 {
continue
}
pack, found := o.Packages[name]
Expand Down Expand Up @@ -331,20 +333,21 @@ type pkgAuditResult struct {
}

func (o *bsd) splitIntoBlocks(stdout string) (blocks []string) {
lines := strings.Split(stdout, "\n")
block := []string{}
for _, l := range lines {
if len(strings.TrimSpace(l)) == 0 {
if 0 < len(block) {
blocks = append(blocks, strings.Join(block, "\n"))
block = []string{}
}
scanner := bufio.NewScanner(strings.NewReader(stdout))
for scanner.Scan() {
line := strings.TrimSpace(scanner.Text())
if strings.HasSuffix(line, " is vulnerable:") {
blocks = append(blocks, line)
continue
}
block = append(block, strings.TrimSpace(l))
}
if 0 < len(block) {
blocks = append(blocks, strings.Join(block, "\n"))

if len(blocks) == 0 {
continue
}

last := blocks[len(blocks)-1]
last = fmt.Sprintf("%s\n%s", last, line)
blocks[len(blocks)-1] = last
}
return
}
Expand Down
88 changes: 74 additions & 14 deletions scanner/freebsd_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,30 +107,57 @@ func TestSplitIntoBlocks(t *testing.T) {
expected []string
}{
{
`
block1
`vulnxml file up-to-date
bind95-9.6.3.2.ESV.R10_2 is vulnerable:
bind -- denial of service vulnerability
CVE: CVE-2014-8680
CVE: CVE-2014-8500
WWW: https://vuxml.FreeBSD.org/freebsd/ab3e98d9-8175-11e4-907d-d050992ecde8.html

block2
block2
block2
go-1.17.1,1 is vulnerable:
go -- multiple vulnerabilities
CVE: CVE-2021-41772
CVE: CVE-2021-41771
WWW: https://vuxml.FreeBSD.org/freebsd/930def19-3e05-11ec-9ba8-002324b2fba8.html

block3
block3`,
go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data
CVE: CVE-2021-38297
WWW: https://vuxml.FreeBSD.org/freebsd/4fce9635-28c0-11ec-9ba8-002324b2fba8.html

Packages that depend on go:

2 problem(s) in 1 installed package(s) found.`,
[]string{
`block1`,
"block2\nblock2\nblock2",
"block3\nblock3",
},
`bind95-9.6.3.2.ESV.R10_2 is vulnerable:
bind -- denial of service vulnerability
CVE: CVE-2014-8680
CVE: CVE-2014-8500
WWW: https://vuxml.FreeBSD.org/freebsd/ab3e98d9-8175-11e4-907d-d050992ecde8.html
`,
`go-1.17.1,1 is vulnerable:
go -- multiple vulnerabilities
CVE: CVE-2021-41772
CVE: CVE-2021-41771
WWW: https://vuxml.FreeBSD.org/freebsd/930def19-3e05-11ec-9ba8-002324b2fba8.html

go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data
CVE: CVE-2021-38297
WWW: https://vuxml.FreeBSD.org/freebsd/4fce9635-28c0-11ec-9ba8-002324b2fba8.html

Packages that depend on go:

2 problem(s) in 1 installed package(s) found.`},
},
}

d := newBsd(config.ServerInfo{})
for _, tt := range tests {
actual := d.splitIntoBlocks(tt.in)
if !reflect.DeepEqual(tt.expected, actual) {
e := pp.Sprintf("%v", tt.expected)
a := pp.Sprintf("%v", actual)
t.Errorf("expected %s, actual %s", e, a)
pp.ColoringEnabled = false
t.Errorf("expected %s\n, actual %s",
pp.Sprintf("%s", tt.expected),
pp.Sprintf("%s", actual))
}
}

Expand Down Expand Up @@ -179,6 +206,39 @@ WWW: https://vuxml.FreeBSD.org/freebsd/ab3e98d9-8175-11e4-907d-d050992ecde8.html
cveIDs: []string{},
vulnID: "",
},
{
in: `vulnxml file up-to-date
libxml2-2.9.10 is vulnerable:
libxml -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/f5abafc0-fcf6-11ea-8758-e0d55e2a8bf9.html`,
name: "libxml2",
cveIDs: []string{},
vulnID: "f5abafc0-fcf6-11ea-8758-e0d55e2a8bf9",
},
{
in: `go-1.17.1,1 is vulnerable:
go -- multiple vulnerabilities
CVE: CVE-2021-41772
CVE: CVE-2021-41771
WWW: https://vuxml.FreeBSD.org/freebsd/930def19-3e05-11ec-9ba8-002324b2fba8.html`,
name: "go",
cveIDs: []string{"CVE-2021-41772", "CVE-2021-41771"},
vulnID: "930def19-3e05-11ec-9ba8-002324b2fba8",
},
{
in: `go-1.17.1,1 is vulnerable:
go -- multiple vulnerabilities
CVE: CVE-2021-41772
CVE: CVE-2021-41771
WWW: https://vuxml.FreeBSD.org/freebsd/930def19-3e05-11ec-9ba8-002324b2fba8.html

go -- misc/wasm, cmd/link: do not let command line arguments overwrite global data
CVE: CVE-2021-38297
WWW: https://vuxml.FreeBSD.org/freebsd/4fce9635-28c0-11ec-9ba8-002324b2fba8.html`,
name: "go",
cveIDs: []string{"CVE-2021-41772", "CVE-2021-41771", "CVE-2021-38297"},
vulnID: "4fce9635-28c0-11ec-9ba8-002324b2fba8",
},
}

d := newBsd(config.ServerInfo{})
Expand Down