From 06c5b73d961ca3504e6ff9ddc64b4abb8fe798b9 Mon Sep 17 00:00:00 2001
From: Kota Kanbe
Date: Fri, 7 Apr 2017 15:18:54 +0900
Subject: [PATCH] Support RHEL OVAL

---
 .gitignore | 2 +
 example.go | 4 +-
 oval/types.go | 22 +++-
 testfile/com.redhat.rhba-20070331.xml | 163 ++++++++++++++++++++++++++
 4 files changed, 187 insertions(+), 4 deletions(-)
 create mode 100644 testfile/com.redhat.rhba-20070331.xml

diff --git a/.gitignore b/.gitignore
index ae602ed..5b250d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,5 @@ _testmain.go
 
 cisco-oval
 main
+
+goval-parser
diff --git a/example.go b/example.go
index fcd1e65..d6906e5 100644
--- a/example.go
+++ b/example.go
@@ -26,12 +26,12 @@ func main() {
 }
 
 // readOval : Read OVAL definitions from file
-func readOval(file string) (*oval.OVALDefinitions, error) {
+func readOval(file string) (*oval.Root, error) {
 str, err := ioutil.ReadFile(file)
 if err != nil {
 return nil, fmt.Errorf("Can't open file: %s", err)
 }
- oval := &oval.OVALDefinitions{}
+ oval := &oval.Root{}
 err = xml.Unmarshal([]byte(str), oval)
 if err != nil {
 return nil, fmt.Errorf("Can't parse XML: %s", err)
diff --git a/oval/types.go b/oval/types.go
index da1e445..0f3729e 100644
--- a/oval/types.go
+++ b/oval/types.go
@@ -2,8 +2,8 @@ package oval
 
 import "encoding/xml"
 
-// OVALDefinitions : root object
-type OVALDefinitions struct {
+// Root : root object
+type Root struct {
 XMLName xml.Name `xml:"oval_definitions"`
 Generator Generator `xml:"generator"`
 Definitions Definitions `xml:"definitions"`
@@ -36,6 +36,7 @@ type Definition struct {
 Affecteds []Affected `xml:"metadata>affected"`
 References []Reference `xml:"metadata>reference"`
 Description string `xml:"metadata>description"`
+ Advisory Advisory `xml:"metadata>advisory"`
 Criteria Criteria `xml:"criteria"`
 }
 
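Review bot: The rewritten `oval := &oval.Root{}` line in readOval still shadows the `oval` package with a local of the same name, so from that line on `oval.` resolves to the variable and any later package-qualified reference in the function would not compile. On the following line `[]byte(str)` is a no-op conversion, since `ioutil.ReadFile` already returns `[]byte`, and the name `str` misdescribes the value. Prefer `data, err := ioutil.ReadFile(file)`, `root := &oval.Root{}` and `err = xml.Unmarshal(data, root)`; if the OVAL feeds this is meant to ingest are large, `xml.NewDecoder(f).Decode(root)` on an open file would also avoid holding the whole document in memory alongside the decoded tree. The body of readOval continues past the end of the hunk.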
@@ -70,6 +71,23 @@ type Reference struct {
 RefURL string `xml:"ref_url,attr"`
 }
 
+// Advisory : >definitions>definition>metadata>advisory
+type Advisory struct {
+ XMLName xml.Name `xml:"advisory"`
+ Severity string `xml:"severity"`
+ CveID string `xml:"cve"`
+ Bugzilla Bugzilla `xml:"bugzilla"`
+ AffectedCPEList []string `xml:"affected_cpe_list>cpe"`
+}
+
+// Bugzilla : >definitions>definition>metadata>advisory>bugzilla
+type Bugzilla struct {
+ XMLName xml.Name `xml:"bugzilla"`
+ ID string `xml:"id,attr"`
+ URL string `xml:"href,attr"`
+ Title string `xml:",chardata"`
+}
+
 // Tests : >tests
 type Tests struct {
 XMLName xml.Name `xml:"tests"`
diff --git a/testfile/com.redhat.rhba-20070331.xml b/testfile/com.redhat.rhba-20070331.xml
new file mode 100644
index 0000000..77099e5
--- /dev/null
+++ b/testfile/com.redhat.rhba-20070331.xml
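Review bot: `CveID string `xml:"cve"`` and `Bugzilla Bugzilla `xml:"bugzilla"`` in the new Advisory struct are scalars, but a Red Hat advisory carries one `<cve>` element per CVE and one `<bugzilla>` element per bug — the fixture added by this same patch appears to list two CVEs (CVE-2007-0240 and CVE-2007-1462) and a dozen bugzilla entries — and `encoding/xml` writes each repeated element into a non-slice field in turn, so only one of them survives the parse. For a vulnerability scanner that is a silent false negative: a package fixed by an advisory spanning several CVEs would be matched against only one of them. Make both fields slices, as `AffectedCPEList` already is: `CveIDs []string `xml:"cve"`` and `Bugzillas []Bugzilla `xml:"bugzilla"``, and add a test against this fixture asserting that two CVE IDs are decoded. If the upstream `<cve>` element also carries attributes (href, impact, public date — confirm against the Red Hat OVAL schema), model it as a small struct with a `,chardata` field, as Bugzilla already does, rather than a bare string.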
@@ -0,0 +1,163 @@ + + + + + Red Hat Errata System + 5.10.1 + 2016-11-18T05:41:16 + + + + + + RHBA-2007:0331: conga bug fix update (None) + + Red Hat Enterprise Linux 5 + + + + + The Conga package is a web-based administration tool for remote cluster and +storage management. + +This erratum applies the following bug fixes: + +- The borrowed Zope packages used by Conga have been patched to eliminate +a possibility of XSS attack. +- Passwords are no longer sent back from the server in cleartext for use as +input values. +- A form error was fixed so that Conga no longer allows for cluster +names of over 15 characters. +- An error wherein clusters and systems could not be deleted from the +manage systems interface has been addressed. +- Entering an incorrect password for a system no longer generates an +Unbound Local Reference exception. +- Luci failover domain forms are no longer empty +- The fence_xvm string in cluster.conf for virtual cluster fencing has been +corrected. +- The advanced options parameters section has been fixed. +- A bug where virtual services were unable for configuration has been +addressed. +- kmod-gfs-xen is now installed when necessary. +- The 'enable shared storage support' checkbox is now cleared when a +configuration error is encountered. +- When configuring an outer physical cluster, it is no longer necessary to +add the fence_xvmd tag manually. + +Users of Conga are advised to upgrade to these updated packages, which +apply these fixes. + + + + + None + Copyright 2007 Red Hat, Inc. 
+ + + CVE-2007-0240 + CVE-2007-1462 + CVE-2007-1462 security alert - passwords sent back from server as input value + CVE-2007-0240 Conga includes version of Zope that is vulnerable to a XSS attack + Conga allows creation/rename of clusters with name greater than 15 characters + Cluster cannot be deleted (from 'Manage Systems') - but no error results + Entering bad password when creating a new cluster = UnboundLocalError: local variable 'e' referenced before assignment + luci failover domain forms are missing/empty + fence_xvm is incorrectly listed as "xmv" in virtual cluster + Advanced options parameters settings don't do anything + Unable to configure a virtual service + kmod-gfs-xen not installed with Conga install + 'enable shared storage' option cleared whenever there is a configuration error + Must manually edit cluster.conf on the dom0 cluster to add "<fence_xvmd/>" + + cpe:/a:redhat:rhel_cluster:5 + cpe:/a:redhat:test:5 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + conga + + + luci + + + redhat-release + + + ricci + + + + + + + 5326810137017186 + + + ^5[^\d] + + + 0:0.9.2-6.el5 + + + + +