Skip to content

Commit

Permalink
feat(slemicro): allow SLE Micro
Browse files Browse the repository at this point in the history
aquasecurity/trivy#7221

Signed-off-by: Marcus Meissner <[email protected]>
  • Loading branch information
msmeissn committed Jul 25, 2024
1 parent d23a6ca commit 25d5c63
Show file tree
Hide file tree
Showing 3 changed files with 229 additions and 6 deletions.
27 changes: 22 additions & 5 deletions pkg/vulnsrc/suse-cvrf/suse-cvrf.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,14 @@ type Distribution int

const (
SUSEEnterpriseLinux Distribution = iota
SUSEEnterpriseLinuxMicro
OpenSUSE
OpenSUSETumbleweed

platformOpenSUSELeapFormat = "openSUSE Leap %s"
platformOpenSUSETumbleweedFormat = "openSUSE Tumbleweed"
platformSUSELinuxFormat = "SUSE Linux Enterprise %s"
platformOpenSUSELeapFormat = "openSUSE Leap %s"
platformOpenSUSETumbleweedFormat = "openSUSE Tumbleweed"
platformSUSELinuxFormat = "SUSE Linux Enterprise %s"
platformSUSELinuxEnterpriseMicroFormat = "SUSE Linux Enterprise Micro %s"
)

var (
Expand Down Expand Up @@ -68,7 +70,7 @@ func (vs VulnSrc) Update(dir string) error {

rootDir := filepath.Join(dir, "vuln-list", suseDir)
switch vs.dist {
case SUSEEnterpriseLinux:
case SUSEEnterpriseLinux, SUSEEnterpriseLinuxMicro:
rootDir = filepath.Join(rootDir, "suse")
case OpenSUSE, OpenSUSETumbleweed:
rootDir = filepath.Join(rootDir, "opensuse")
Expand Down Expand Up @@ -207,9 +209,22 @@ func getOSVersion(platformName string) string {
}
return fmt.Sprintf(platformOpenSUSELeapFormat, ss[2])
}
if strings.HasPrefix(platformName, "SUSE Linux Enterprise Micro") {
// SUSE Linux Enterprise Micro 5.3
ss := strings.Split(platformName, " ")
if len(ss) < 5 {
log.Printf("invalid version: %s", platformName)
return ""
}
if _, err := version.Parse(ss[4]); err != nil {
log.Printf("invalid version: %s, err: %s", platformName, err)
return ""
}
return fmt.Sprintf(platformSUSELinuxEnterpriseMicroFormat, ss[4])
}
if strings.Contains(platformName, "SUSE Linux Enterprise") {
// e.g. SUSE Linux Enterprise Storage 7, SUSE Linux Enterprise Micro 5.1
if strings.HasPrefix(platformName, "SUSE Linux Enterprise Storage") || strings.HasPrefix(platformName, "SUSE Linux Enterprise Micro") {
if strings.HasPrefix(platformName, "SUSE Linux Enterprise Storage") {
return ""
}

Expand Down Expand Up @@ -282,6 +297,8 @@ func splitPkgName(pkgName string) (string, string) {
func (vs VulnSrc) Get(version string, pkgName string) ([]types.Advisory, error) {
var bucket string
switch vs.dist {
case SUSEEnterpriseLinuxMicro:
bucket = fmt.Sprintf(platformSUSELinuxEnterpriseMicroFormat, version)
case SUSEEnterpriseLinux:
bucket = fmt.Sprintf(platformSUSELinuxFormat, version)
case OpenSUSE:
Expand Down
52 changes: 51 additions & 1 deletion pkg/vulnsrc/suse-cvrf/suse-cvrf_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,56 @@ func TestVulnSrc_Update(t *testing.T) {
},
},
},
{
name: "happy path with SLE Micro CVRF including SUSE Linux Enterprise Micro",
dir: filepath.Join("testdata", "happy", "SUSE Linux Enterprise Micro"),
dist: SUSEEnterpriseLinuxMicro,
wantValues: []vulnsrctest.WantValues{
{
Key: []string{"data-source", "SUSE Linux Enterprise Micro 5.3"},
Value: types.DataSource{
ID: vulnerability.SuseCVRF,
Name: "SUSE CVRF",
URL: "https://ftp.suse.com/pub/projects/security/cvrf/",
},
},
{
Key: []string{"advisory-detail", "SUSE-SU-2024:2546-1", "SUSE Linux Enterprise Micro 5.3", "gnutls"},

Value: types.Advisory{
FixedVersion: "3.7.3-150400.8.1",
},
},
{
Key: []string{"advisory-detail", "SUSE-SU-2024:2546-1", "SUSE Linux Enterprise Micro 5.3", "libgnutls30"},
Value: types.Advisory{
FixedVersion: "3.7.3-150400.8.1",
},
},
{
Key: []string{"vulnerability-detail", "SUSE-SU-2024:2546-1", "suse-cvrf"},
Value: types.VulnerabilityDetail{
Title: "Security update for gnutls",
Description: "This update for gnutls fixes the following issues:\n\n- CVE-2024-28835: Fixed a certtool crash when verifying a certificate\n chain (bsc#1221747).\n- CVE-2024-28834: Fixed a side-channel attack in the deterministic\n ECDSA (bsc#1221746).\n\nOther fixes:\n\n- Fixed a memory leak when using the entropy collector (bsc#1221242).\n",
References: []string{
"https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/",
"https://lists.suse.com/pipermail/sle-security-updates/2024-July/018994.html",
"https://www.suse.com/support/security/rating/",
"https://bugzilla.suse.com/1221242",
"https://bugzilla.suse.com/1221746",
"https://bugzilla.suse.com/1221747",
"https://www.suse.com/security/cve/CVE-2024-28834/",
"https://www.suse.com/security/cve/CVE-2024-28835/",
},
Severity: types.SeverityMedium,
},
},
{
Key: []string{"vulnerability-id", "SUSE-SU-2024:2546-1"},
Value: map[string]interface{}{},
},
},
},
{
name: "sad path (dir doesn't exist)",
dir: filepath.Join("testdata", "badPath"),
Expand Down Expand Up @@ -594,7 +644,7 @@ func TestGetOSVersion(t *testing.T) {
},
{
inputPlatformName: "SUSE Linux Enterprise Micro 5.1",
expectedPlatformName: "",
expectedPlatformName: "SUSE Linux Enterprise Micro 5.1",
},
}
for _, tc := range testCases {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
{
"Title": "Security update for gnutls",
"Tracking": {
"ID": "SUSE-SU-2024:2546-1",
"Status": "Final",
"Version": "1",
"InitialReleaseDate": "2024-07-17T12:44:32Z",
"CurrentReleaseDate": "2024-07-17T12:44:32Z",
"RevisionHistory": [
{
"Number": "1",
"Date": "2024-07-17T12:44:32Z",
"Description": "current"
}
]
},
"Notes": [
{
"Text": "Security update for gnutls",
"Title": "Topic",
"Type": "Summary"
},
{
"Text": "This update for gnutls fixes the following issues:\n\n- CVE-2024-28835: Fixed a certtool crash when verifying a certificate\n chain (bsc#1221747).\n- CVE-2024-28834: Fixed a side-channel attack in the deterministic\n ECDSA (bsc#1221746).\n\nOther fixes:\n\n- Fixed a memory leak when using the entropy collector (bsc#1221242).\n",
"Title": "Details",
"Type": "General"
},
{
"Text": "The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"Title": "Terms of Use",
"Type": "Legal Disclaimer"
},
{
"Text": "SUSE-2024-2546,SUSE-SLE-Micro-5.3-2024-2546",
"Title": "Patchnames",
"Type": "Details"
}
],
"ProductTree": {
"Relationships": [
{
"ProductReference": "gnutls-3.7.3-150400.8.1",
"RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
"RelationType": "Default Component Of"
},
{
"ProductReference": "libgnutls30-3.7.3-150400.8.1",
"RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
"RelationType": "Default Component Of"
},
{
"ProductReference": "libgnutls30-hmac-3.7.3-150400.8.1",
"RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
"RelationType": "Default Component Of"
}
]
},
"References": [
{
"URL": "https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/",
"Description": "Link for SUSE-SU-2024:2546-1"
},
{
"URL": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018994.html",
"Description": "E-Mail link for SUSE-SU-2024:2546-1"
},
{
"URL": "https://www.suse.com/support/security/rating/",
"Description": "SUSE Security Ratings"
},
{
"URL": "https://bugzilla.suse.com/1221242",
"Description": "SUSE Bug 1221242"
},
{
"URL": "https://bugzilla.suse.com/1221746",
"Description": "SUSE Bug 1221746"
},
{
"URL": "https://bugzilla.suse.com/1221747",
"Description": "SUSE Bug 1221747"
},
{
"URL": "https://www.suse.com/security/cve/CVE-2024-28834/",
"Description": "SUSE CVE CVE-2024-28834 page"
},
{
"URL": "https://www.suse.com/security/cve/CVE-2024-28835/",
"Description": "SUSE CVE CVE-2024-28835 page"
}
],
"Vulnerabilities": [
{
"CVE": "CVE-2024-28834",
"Description": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.",
"Threats": [
{
"Type": "Impact",
"Severity": "moderate"
}
],
"References": [
{
"URL": "https://www.suse.com/security/cve/CVE-2024-28834.html",
"Description": "CVE-2024-28834"
},
{
"URL": "https://bugzilla.suse.com/1221746",
"Description": "SUSE Bug 1221746"
}
],
"ProductStatuses": [
{
"Type": "Fixed",
"ProductID": [
"SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1",
"SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1",
"SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1"
]
}
],
"CVSSScoreSets": {}
},
{
"CVE": "CVE-2024-28835",
"Description": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.",
"Threats": [
{
"Type": "Impact",
"Severity": "moderate"
}
],
"References": [
{
"URL": "https://www.suse.com/security/cve/CVE-2024-28835.html",
"Description": "CVE-2024-28835"
},
{
"URL": "https://bugzilla.suse.com/1221747",
"Description": "SUSE Bug 1221747"
}
],
"ProductStatuses": [
{
"Type": "Fixed",
"ProductID": [
"SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1",
"SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1",
"SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1"
]
}
],
"CVSSScoreSets": {}
}
]
}

0 comments on commit 25d5c63

Please sign in to comment.