fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)

* chore(deps): update ext4-filesystem parser for parse multi block extents * test(vm): update integration-vm test fixtures * test(vm): add gzip decompresser for sparse file * test(vm): add mage command update golden file for vm integration test * chore(magefile): [WIP] change test repository * Revert "chore(magefile): [WIP] change test repository" This reverts commit c015c8892f. * fix(test): update fixtures and golden file * fix(test): revert fixVersion and PkgID
2025-12-12 15:50:15 -08:00 · 2023-06-19 01:41:55 +09:00
parent c29197ab7d
commit 4d9b444499
10 changed files with 132 additions and 166 deletions
--- a/go.mod
+++ b/go.mod
@@ -62,7 +62,7 @@ require (
 	github.com/mailru/easyjson v0.7.7
 	github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac
 	github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3
-	github.com/masahiro331/go-ext4-filesystem v0.0.0-20221225060520-c150f5eacfe1
+	github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd
 	github.com/masahiro331/go-xfs-filesystem v0.0.0-20230608043311-a335f4599b70
--- a/go.sum
+++ b/go.sum
@@ -1256,8 +1256,8 @@ github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac h1:QyRucnGOLHJ
 github.com/masahiro331/go-disk v0.0.0-20220919035250-c8da316f91ac/go.mod h1:J7Vb0sf0JzOhT0uHTeCqO6dqP/ELVcQvQ6yQ/56ZRGw=
 github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3 h1:CCX8exCYIPHrMKba1KDhM37PxC3/amBUZXH8yoJOAMQ=
 github.com/masahiro331/go-ebs-file v0.0.0-20221225061409-5ef263bb2cc3/go.mod h1:5NOkqebMwu8UiOTSjwqam1Ykdr7fci52TVE2xDQnIiM=
-github.com/masahiro331/go-ext4-filesystem v0.0.0-20221225060520-c150f5eacfe1 h1:GBZZSY8xEoAf76ZOlxqKi/OMufpZnTxpTf7ectT1eNM=
-github.com/masahiro331/go-ext4-filesystem v0.0.0-20221225060520-c150f5eacfe1/go.mod h1:X08d9nmB+eg7Gj2XWAOkiG8lbMFbgGXPsDKEvkFwyF8=
+github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1 h1:jQ0px48V+wp35FSimlg9e/bB8XSrBz0SxPLbnYCq6/4=
+github.com/masahiro331/go-ext4-filesystem v0.0.0-20230612143131-27ccd485b7a1/go.mod h1:3XMMY1M486mWGTD13WPItg6FsgflQR72ZMAkd+gsyoQ=
 github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08 h1:AevUBW4cc99rAF8q8vmddIP8qd/0J5s/UyltGbp66dg=
 github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08/go.mod h1:JOkBRrE1HvgTyjk6diFtNGgr8XJMtIfiBzkL5krqzVk=
 github.com/masahiro331/go-vmdk-parser v0.0.0-20221225061455-612096e4bbbd h1:Y30EzvuoVp97b0unb/GOFXzBUKRXZXUN2e0wYmvC+ic=
--- a/integration/testdata/amazonlinux2-gp2-x86-vm.json.golden
+++ b/integration/testdata/amazonlinux2-gp2-x86-vm.json.golden
@@ -25,40 +25,41 @@
      "Type": "amazon",
      "Vulnerabilities": [
        {
-          "VulnerabilityID": "CVE-2022-21233",
-          "PkgID": "microcode_ctl@2.1-47.amzn2.0.12.x86_64",
-          "PkgName": "microcode_ctl",
-          "InstalledVersion": "2:2.1-47.amzn2.0.12",
-          "FixedVersion": "2:2.1-47.amzn2.0.13",
+          "VulnerabilityID": "CVE-2022-38177",
+          "PkgID": "bind-export-libs@9.11.4-26.P2.amzn2.5.2.x86_64",
+          "PkgName": "bind-export-libs",
+          "InstalledVersion": "32:9.11.4-26.P2.amzn2.5.2",
+          "FixedVersion": "99:9.11.4-26.P2.amzn2.13",
          "Layer": {},
          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-21233",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-38177",
          "DataSource": {
            "ID": "amazon",
            "Name": "Amazon Linux Security Center",
            "URL": "https://alas.aws.amazon.com/"
          },
-          "Title": "hw: cpu: Intel: Stale Data Read from legacy xAPIC vulnerability",
-          "Description": "Improper isolation of shared resources in some Intel(R) Processors may allow",
+          "Title": "bind: memory leak in ECDSA DNSSEC verification code",
+          "Description": "By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.",
          "Severity": "MEDIUM",
          "CVSS": {
            "nvd": {
-              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-              "V3Score": 5.5
+              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
+              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
-              "V3Score": 6
+              "V3Score": 7.5
            }
          },
          "References": [
-            "https://access.redhat.com/security/cve/CVE-2022-21233",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21233",
-            "https://security.netapp.com/advisory/ntap-20220923-0002/",
-            "https://ubuntu.com/security/notices/USN-5612-1"
+            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
+            "https://access.redhat.com/errata/RHSA-2022:6763",
+            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38177.json",
+            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38178.json",
+            "https://access.redhat.com/security/cve/CVE-2022-38177"
          ],
-          "PublishedDate": "2022-08-18T20:15:00Z",
-          "LastModifiedDate": "2022-09-23T15:15:00Z"
+          "PublishedDate": "2022-09-21T11:15:00Z",
+          "LastModifiedDate": "2022-09-21T11:15:00Z"
        }
      ]
    }
--- a/integration/testdata/fixtures/db/amazon.yaml
+++ b/integration/testdata/fixtures/db/amazon.yaml
@@ -18,8 +18,8 @@
        - key: CVE-2019-5481
          value:
            FixedVersion: 7.61.1-12.amzn2.0.1
-    - bucket: microcode_ctl
+    - bucket: bind-export-libs
      pairs:
-        - key: CVE-2022-21233
+        - key: CVE-2022-38177
          value:
-            FixedVersion: 2:2.1-47.amzn2.0.13
+            FixedVersion: 99:9.11.4-26.P2.amzn2.13
--- a/integration/testdata/fixtures/db/ubuntu.yaml
+++ b/integration/testdata/fixtures/db/ubuntu.yaml
@@ -14,8 +14,7 @@
            FixedVersion: 1.44.1-1ubuntu1.2
 - bucket: ubuntu 22.04
  pairs:
-    - bucket: bind9
+    - bucket: bash
      pairs:
-        - key: CVE-2022-2795
-          value:
-            FixedVersion: 1:9.18.1-1ubuntu1.2
+        - key: CVE-2022-3715
+          value: {}
--- a/integration/testdata/fixtures/db/vulnerability.yaml
+++ b/integration/testdata/fixtures/db/vulnerability.yaml
@@ -1,55 +1,51 @@
 - bucket: vulnerability
  pairs:
-  - key: CVE-2022-21233
+  - key: CVE-2022-38177
    value:
-      Title: "hw: cpu: Intel: Stale Data Read from legacy xAPIC vulnerability"
-      Description: "Improper isolation of shared resources in some Intel(R) Processors may allow"
-      Severity: MEDIUM
+      Title: "bind: memory leak in ECDSA DNSSEC verification code"
+      Description: "By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources."
+      Severity: HIGH
      CVSS:
        nvd:
-          V3Score: 5.5
-          V3Vector: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
-        redhat:
-          V3Score: 6.0
+          V3Score: 7.5
          V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
-      LastModifiedDate: "2022-09-23T15:15:00Z"
-      PublishedDate: "2022-08-18T20:15:00Z"
+        redhat:
+          V3Score: 7.5
+          V3Vector: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N"
+      LastModifiedDate: "2022-09-21T11:15:00Z"
+      PublishedDate: "2022-09-21T11:15:00Z"
      References:
-        - "https://access.redhat.com/security/cve/CVE-2022-21233"
-        - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21233"
-        - "https://security.netapp.com/advisory/ntap-20220923-0002/"
-        - "https://ubuntu.com/security/notices/USN-5612-1"
+        - "http://www.openwall.com/lists/oss-security/2022/09/21/3"
+        - "https://access.redhat.com/errata/RHSA-2022:6763"
+        - "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38177.json"
+        - "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-38178.json"
+        - "https://access.redhat.com/security/cve/CVE-2022-38177"
      VendorSeverity:
        arch-linux: 2
        nvd: 2
        redhat: 2
        ubuntu: 2
-  - key: CVE-2022-2795
+  - key: CVE-2022-3715
    value:
-      Title: "bind: processing large delegations may severely degrade resolver performance"
-      Severity: HIGH
-      Description: By flooding the target resolver with queries exploiting this flaw an attacker
+      Title: a heap-buffer-overflow in valid_parameter_transform
+      Severity: LOW
+      Description: A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.
      CVSS:
        nvd:
-          V3Score: 7.5
-          V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+          V3Score: 7.8
+          V3Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        redhat:
-          V3Score: 5.3
-          V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+          V3Score: 6.6
+          V3Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
      CweIDs:
-        - CWE-400
-      LastModifiedDate: 2022-10-06T20:15:00Z
-      PublishedDate: 2022-09-21T11:15:00Z
+        - CWE-787
+      LastModifiedDate: 2023-02-24T18:38:00Z
+      PublishedDate: 2023-01-05T15:15:00Z
      References:
-        - http://www.openwall.com/lists/oss-security/2022/09/21/3
-        - https://access.redhat.com/security/cve/CVE-2022-2795
-        - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795
-        - https://kb.isc.org/docs/cve-2022-2795
-        - https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html
-        - https://nvd.nist.gov/vuln/detail/CVE-2022-2795
-        - https://ubuntu.com/security/notices/USN-5626-1
-        - https://ubuntu.com/security/notices/USN-5626-2
-        - https://www.debian.org/security/2022/dsa-5235
+        - https://access.redhat.com/errata/RHSA-2023:0340
+        - https://access.redhat.com/security/cve/CVE-2022-3715
+        - https://bugzilla.redhat.com/2126720
+        - https://bugzilla.redhat.com/show_bug.cgi?id=2126720
      VendorSeverity:
        cbl-mariner: 3.0
        nvd: 3.0
--- a/integration/testdata/ubuntu-gp2-x86-vm.json.golden
+++ b/integration/testdata/ubuntu-gp2-x86-vm.json.golden
@@ -25,121 +25,37 @@
      "Type": "ubuntu",
      "Vulnerabilities": [
        {
-          "VulnerabilityID": "CVE-2022-2795",
-          "PkgID": "bind9-dnsutils@1:9.18.1-1ubuntu1.1",
-          "PkgName": "bind9-dnsutils",
-          "InstalledVersion": "1:9.18.1-1ubuntu1.1",
-          "FixedVersion": "1:9.18.1-1ubuntu1.2",
+          "VulnerabilityID": "CVE-2022-3715",
+          "PkgID": "bash@5.1-6ubuntu1",
+          "PkgName": "bash",
+          "InstalledVersion": "5.1-6ubuntu1",
          "Layer": {},
          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2795",
-          "Title": "bind: processing large delegations may severely degrade resolver performance",
-          "Description": "By flooding the target resolver with queries exploiting this flaw an attacker",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-3715",
+          "Title": "a heap-buffer-overflow in valid_parameter_transform",
+          "Description": "A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.",
          "Severity": "HIGH",
          "CweIDs": [
-            "CWE-400"
+            "CWE-787"
          ],
          "CVSS": {
            "nvd": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V3Score": 7.5
+              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
+              "V3Score": 7.8
            },
            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-              "V3Score": 5.3
+              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
+              "V3Score": 6.6
            }
          },
          "References": [
-            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
-            "https://access.redhat.com/security/cve/CVE-2022-2795",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795",
-            "https://kb.isc.org/docs/cve-2022-2795",
-            "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html",
-            "https://nvd.nist.gov/vuln/detail/CVE-2022-2795",
-            "https://ubuntu.com/security/notices/USN-5626-1",
-            "https://ubuntu.com/security/notices/USN-5626-2",
-            "https://www.debian.org/security/2022/dsa-5235"
+            "https://access.redhat.com/errata/RHSA-2023:0340",
+            "https://access.redhat.com/security/cve/CVE-2022-3715",
+            "https://bugzilla.redhat.com/2126720",
+            "https://bugzilla.redhat.com/show_bug.cgi?id=2126720"
          ],
-          "PublishedDate": "2022-09-21T11:15:00Z",
-          "LastModifiedDate": "2022-10-06T20:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2022-2795",
-          "PkgID": "bind9-host@1:9.18.1-1ubuntu1.1",
-          "PkgName": "bind9-host",
-          "InstalledVersion": "1:9.18.1-1ubuntu1.1",
-          "FixedVersion": "1:9.18.1-1ubuntu1.2",
-          "Layer": {},
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2795",
-          "Title": "bind: processing large delegations may severely degrade resolver performance",
-          "Description": "By flooding the target resolver with queries exploiting this flaw an attacker",
-          "Severity": "HIGH",
-          "CweIDs": [
-            "CWE-400"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V3Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
-            "https://access.redhat.com/security/cve/CVE-2022-2795",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795",
-            "https://kb.isc.org/docs/cve-2022-2795",
-            "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html",
-            "https://nvd.nist.gov/vuln/detail/CVE-2022-2795",
-            "https://ubuntu.com/security/notices/USN-5626-1",
-            "https://ubuntu.com/security/notices/USN-5626-2",
-            "https://www.debian.org/security/2022/dsa-5235"
-          ],
-          "PublishedDate": "2022-09-21T11:15:00Z",
-          "LastModifiedDate": "2022-10-06T20:15:00Z"
-        },
-        {
-          "VulnerabilityID": "CVE-2022-2795",
-          "PkgID": "bind9-libs@1:9.18.1-1ubuntu1.1",
-          "PkgName": "bind9-libs",
-          "InstalledVersion": "1:9.18.1-1ubuntu1.1",
-          "FixedVersion": "1:9.18.1-1ubuntu1.2",
-          "Layer": {},
-          "SeveritySource": "nvd",
-          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-2795",
-          "Title": "bind: processing large delegations may severely degrade resolver performance",
-          "Description": "By flooding the target resolver with queries exploiting this flaw an attacker",
-          "Severity": "HIGH",
-          "CweIDs": [
-            "CWE-400"
-          ],
-          "CVSS": {
-            "nvd": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-              "V3Score": 7.5
-            },
-            "redhat": {
-              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
-              "V3Score": 5.3
-            }
-          },
-          "References": [
-            "http://www.openwall.com/lists/oss-security/2022/09/21/3",
-            "https://access.redhat.com/security/cve/CVE-2022-2795",
-            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2795",
-            "https://kb.isc.org/docs/cve-2022-2795",
-            "https://lists.debian.org/debian-lts-announce/2022/10/msg00007.html",
-            "https://nvd.nist.gov/vuln/detail/CVE-2022-2795",
-            "https://ubuntu.com/security/notices/USN-5626-1",
-            "https://ubuntu.com/security/notices/USN-5626-2",
-            "https://www.debian.org/security/2022/dsa-5235"
-          ],
-          "PublishedDate": "2022-09-21T11:15:00Z",
-          "LastModifiedDate": "2022-10-06T20:15:00Z"
+          "PublishedDate": "2023-01-05T15:15:00Z",
+          "LastModifiedDate": "2023-02-24T18:38:00Z"
        }
      ]
    }
--- a/integration/vm_test.go
+++ b/integration/vm_test.go
@@ -91,7 +91,7 @@ func TestVM(t *testing.T) {
 			// Set up the output file
 			outputFile := filepath.Join(tmpDir, "output.json")
 			if *update {
-				outputFile = tt.golden
+				outputFile = filepath.Join(currentDir, tt.golden)
 			}

 			// Get the absolute path of the golden file
@@ -100,7 +100,7 @@ func TestVM(t *testing.T) {

 			// Decompress the gzipped image file
 			imagePath := filepath.Join(tmpDir, imageFile)
-			testutil.DecompressGzip(t, tt.args.input, imagePath)
+			testutil.DecompressSparseGzip(t, tt.args.input, imagePath)

 			// Change the current working directory so that targets in the result could be the same as golden files.
 			err = os.Chdir(tmpDir)
--- a/internal/testutil/gzip.go
+++ b/internal/testutil/gzip.go
@@ -1,6 +1,7 @@
 package testutil

 import (
+	"bytes"
 	"compress/gzip"
 	"io"
 	"os"
@@ -9,7 +10,10 @@ import (
 	"github.com/stretchr/testify/require"
 )

-const max = int64(10) << 30 // 10GB
+const (
+	max       = int64(10) << 30 // 10GB
+	blockSize = 4096
+)

 func DecompressGzip(t *testing.T, src, dst string) {
 	w, err := os.Create(dst)
@@ -26,3 +30,48 @@ func DecompressGzip(t *testing.T, src, dst string) {
 	_, err = io.CopyN(w, gr, max)
 	require.ErrorIs(t, err, io.EOF)
 }
+
+// DecompressSparseGzip decompresses a sparse gzip file for virtual machine image.
+func DecompressSparseGzip(t *testing.T, src, dst string) {
+	w, err := os.Create(dst)
+	require.NoError(t, err)
+	defer w.Close()
+
+	f, err := os.Open(src)
+	require.NoError(t, err)
+	defer f.Close()
+
+	gr, err := gzip.NewReader(f)
+	require.NoError(t, err)
+
+	buf := make([]byte, blockSize)
+	var size int
+	var written int64
+	for {
+		n, err := gr.Read(buf)
+		if n == 0 && err != nil {
+			if err == io.EOF {
+				break
+			}
+			require.NoError(t, err)
+		}
+
+		size += n
+		err = w.Truncate(int64(size))
+		require.NoError(t, err)
+
+		if !bytes.Equal(buf[:n], make([]byte, n)) {
+			wn, err := w.WriteAt(buf[:n], int64(size-n))
+			if err != nil {
+				if err == io.EOF {
+					break
+				}
+				require.NoError(t, err)
+			}
+			written += int64(wn)
+			if written > max {
+				require.Fail(t, "written size exceeds max")
+			}
+		}
+	}
+}
--- a/magefiles/magefile.go
+++ b/magefiles/magefile.go
@@ -272,6 +272,11 @@ func (t Test) VM() error {
 	return sh.RunWithV(ENV, "go", "test", "-v", "-tags=vm_integration", "./integration/...")
 }

+// UpdateVMGolden updates golden files for integration tests
+func (Test) UpdateVMGolden() error {
+	return sh.RunWithV(ENV, "go", "test", "-v", "-tags=vm_integration", "./integration/...", "-update")
+}
+
 // Lint runs linters
 func Lint() error {
 	mg.Deps(Tool{}.GolangciLint)