feat(oracle): add flavors support (#7858)

2025-12-12 15:50:15 -08:00 · 2024-11-20 16:25:30 +06:00
parent 9988147b8b
commit b9b383eb27
7 changed files with 74 additions and 20 deletions
--- a/docs/docs/coverage/os/oracle.md
+++ b/docs/docs/coverage/os/oracle.md
@@ -28,6 +28,19 @@ See [here](../../scanner/vulnerability.md#data-sources).
 ### Fixed Version
 Trivy takes fixed versions from [Oracle security advisories][alerts].

+#### Flavors
+Trivy detects the flavor for version of the found package and finds vulnerabilities only for that flavor.
+
+| Flavor  |                Format                | Example                                              |
+|:-------:|:------------------------------------:|------------------------------------------------------|
+| normal  | version without `fips` and `ksplice` | 3.6.16-4.el8                                         |
+|  fips   |               `*_fips`               | 10:3.6.16-4.0.1.el8_fips                             |
+| ksplice |            `*.ksplice*.*`            | 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 |
+
+
+For example Trivy finds [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) only for the `normal` and `fips` flavors. 
+For the `ksplice` flavor, [CVE-2021-33560](https://linux.oracle.com/cve/CVE-2021-33560.html) will be skipped.
+
 ### Severity
 Trivy determines vulnerability severity based on the severity metric provided in [Oracle security advisories][alerts].
 For example, the security patch for [CVE-2023-0464][CVE-2023-0464] is provided as [ELSA-2023-2645][ELSA-2023-2645].
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20240730042311-4642e94c7fc8
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-checks v1.3.0
-	github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1
+	github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc
 	github.com/aws/aws-sdk-go-v2 v1.32.4
--- a/go.sum
+++ b/go.sum
@@ -355,8 +355,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v1.3.0 h1:Z4+wxxApNSJOLcmGPWQ9cS3NGmT/yTaPCTMavIeuVEQ=
 github.com/aquasecurity/trivy-checks v1.3.0/go.mod h1:WDo8IKyW4FvA69uKYmamSIy3RosCOiBuA1Kfxuigiy0=
-github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1 h1:G0gnacAORRUqz2Tm5MqivSpldY2GZ74ijhJcMsae+sA=
-github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1/go.mod h1:PYkSRx4dlgFATEt+okGwibvbxVEtqsOdH+vX/saACYE=
+github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45 h1:ljinbg7JTQvdnzuRsPYS6btA51SyGYWKCQInxSIwbRw=
+github.com/aquasecurity/trivy-db v0.0.0-20241120092622-333d808d7e45/go.mod h1:Lg2avQhFy5qeGA0eMysI/61REVvWpEltverCarGc3l0=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.6.7-0.20241101182546-89bffc3932bc h1:/mFBYIK9RY+L8s1CIbQbJ5B3v0YmoDSu5eAzavvMa+Y=
--- a/integration/testdata/fixtures/db/oracle.yaml
+++ b/integration/testdata/fixtures/db/oracle.yaml
@@ -4,7 +4,11 @@
      pairs:
        - key: CVE-2019-3823
          value:
-            FixedVersion: 7.61.1-11.el8
+            FixedVersion: "7.61.1-11.el8"
+            Entries:
+              - FixedVersion: "7.61.1-11.el8"
        - key: CVE-2019-5436
          value:
-            FixedVersion: 7.61.1-12.el8
+            FixedVersion: "7.61.1-12.el8"
+            Entries:
+              - FixedVersion: "7.61.1-12.el8"
--- a/pkg/detector/ospkg/oracle/oracle.go
+++ b/pkg/detector/ospkg/oracle/oracle.go
@@ -2,7 +2,6 @@ package oracle

 import (
 	"context"
-	"strings"
 	"time"

 	version "github.com/knqyf263/go-rpm-version"
@@ -43,16 +42,6 @@ func NewScanner() *Scanner {
 	}
 }

-func extractKsplice(v string) string {
-	subs := strings.Split(strings.ToLower(v), ".")
-	for _, s := range subs {
-		if strings.HasPrefix(s, "ksplice") {
-			return s
-		}
-	}
-	return ""
-}
-
 // Detect scans and return vulnerability in Oracle scanner
 func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	osVer = osver.Major(osVer)
@@ -69,10 +58,9 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 		installed := utils.FormatVersion(pkg)
 		installedVersion := version.NewVersion(installed)
 		for _, adv := range advisories {
-			// when one of them doesn't have ksplice, we'll also skip it
-			// extract kspliceX and compare it with kspliceY in advisories
-			// if kspliceX and kspliceY are different, we will skip the advisory
-			if extractKsplice(adv.FixedVersion) != extractKsplice(pkg.Release) {
+			// We need to use only advisories from the same flavor as the package flavors.
+			// See more in https://github.com/aquasecurity/trivy/issues/1967
+			if oracleoval.PackageFlavor(adv.FixedVersion) != oracleoval.PackageFlavor(pkg.Release) {
 				continue
 			}

--- a/pkg/detector/ospkg/oracle/oracle_test.go
+++ b/pkg/detector/ospkg/oracle/oracle_test.go
@@ -221,6 +221,42 @@ func TestScanner_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "with fips",
+			fixtures: []string{
+				"testdata/fixtures/oracle7.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			args: args{
+				osVer: "7",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "gnutls",
+						Epoch:      10,
+						Version:    "3.6.15",
+						Release:    "4.0.1.el8_fips",
+						Arch:       "x86_64",
+						SrcEpoch:   2,
+						SrcName:    "gnutls",
+						SrcVersion: "3.6.15",
+						SrcRelease: "4.0.1.el8_fips",
+					},
+				},
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2021-20232",
+					PkgName:          "gnutls",
+					InstalledVersion: "10:3.6.15-4.0.1.el8_fips",
+					FixedVersion:     "10:3.6.16-4.0.1.el8_fips",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.OracleOVAL,
+						Name: "Oracle Linux OVAL definitions",
+						URL:  "https://linux.oracle.com/security/oval/",
+					},
+				},
+			},
+		},
 		{
 			name: "malformed",
 			fixtures: []string{
--- a/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml
+++ b/pkg/detector/ospkg/oracle/testdata/fixtures/oracle7.yaml
@@ -5,8 +5,21 @@
        - key: CVE-2020-8177
          value:
            FixedVersion: "7.29.0-59.0.1.el7_9.1"
+            Entries:
+              - FixedVersion: "7.29.0-59.0.1.el7_9.1"
    - bucket: glibc
      pairs:
        - key: CVE-2017-1000364
          value:
            FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
+            Entries:
+              - FixedVersion: "2:2.17-157.ksplice1.el7_3.4"
+    - bucket: gnutls
+      pairs:
+        - key: CVE-2021-20232
+          value:
+            FixedVersion: "3.6.16-4.el8"
+            Entries:
+              - FixedVersion: "10:3.6.16-4.0.1.el8_fips"
+              - FixedVersion: "3.6.16-4.el8"
+