feat(slemicro): enable SUSE Linux Enterprise Micro

aquasecurity/trivy#7221 Signed-off-by: Marcus Meissner <[email protected]>
msmeissn · Jul 25, 2024 · 6c23931 · 6c23931
1 parent d23a6ca
commit 6c23931
Show file tree

Hide file tree

Showing 3 changed files with 229 additions and 6 deletions.
diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf.go
@@ -23,12 +23,14 @@ type Distribution int
 
 const (
 	SUSEEnterpriseLinux Distribution = iota
+	SUSEEnterpriseLinuxMicro
 	OpenSUSE
 	OpenSUSETumbleweed
 
-	platformOpenSUSELeapFormat       = "openSUSE Leap %s"
-	platformOpenSUSETumbleweedFormat = "openSUSE Tumbleweed"
-	platformSUSELinuxFormat          = "SUSE Linux Enterprise %s"
+	platformOpenSUSELeapFormat             = "openSUSE Leap %s"
+	platformOpenSUSETumbleweedFormat       = "openSUSE Tumbleweed"
+	platformSUSELinuxFormat                = "SUSE Linux Enterprise %s"
+	platformSUSELinuxEnterpriseMicroFormat = "SUSE Linux Enterprise Micro %s"
 )
 
 var (
@@ -68,7 +70,7 @@ func (vs VulnSrc) Update(dir string) error {
 
 	rootDir := filepath.Join(dir, "vuln-list", suseDir)
 	switch vs.dist {
-	case SUSEEnterpriseLinux:
+	case SUSEEnterpriseLinux, SUSEEnterpriseLinuxMicro:
 		rootDir = filepath.Join(rootDir, "suse")
 	case OpenSUSE, OpenSUSETumbleweed:
 		rootDir = filepath.Join(rootDir, "opensuse")
@@ -207,9 +209,22 @@ func getOSVersion(platformName string) string {
 		}
 		return fmt.Sprintf(platformOpenSUSELeapFormat, ss[2])
 	}
+	if strings.HasPrefix(platformName, "SUSE Linux Enterprise Micro") {
+		// SUSE Linux Enterprise Micro 5.3
+		ss := strings.Split(platformName, " ")
+		if len(ss) < 5 {
+			log.Printf("invalid version: %s", platformName)
+			return ""
+		}
+		if _, err := version.Parse(ss[4]); err != nil {
+			log.Printf("invalid version: %s, err: %s", platformName, err)
+			return ""
+		}
+		return fmt.Sprintf(platformSUSELinuxEnterpriseMicroFormat, ss[4])
+	}
 	if strings.Contains(platformName, "SUSE Linux Enterprise") {
 		// e.g. SUSE Linux Enterprise Storage 7, SUSE Linux Enterprise Micro 5.1
-		if strings.HasPrefix(platformName, "SUSE Linux Enterprise Storage") || strings.HasPrefix(platformName, "SUSE Linux Enterprise Micro") {
+		if strings.HasPrefix(platformName, "SUSE Linux Enterprise Storage") {
 			return ""
 		}
 
@@ -282,6 +297,8 @@ func splitPkgName(pkgName string) (string, string) {
 func (vs VulnSrc) Get(version string, pkgName string) ([]types.Advisory, error) {
 	var bucket string
 	switch vs.dist {
+	case SUSEEnterpriseLinuxMicro:
+		bucket = fmt.Sprintf(platformSUSELinuxEnterpriseMicroFormat, version)
 	case SUSEEnterpriseLinux:
 		bucket = fmt.Sprintf(platformSUSELinuxFormat, version)
 	case OpenSUSE:

diff --git a/pkg/vulnsrc/suse-cvrf/suse-cvrf_test.go b/pkg/vulnsrc/suse-cvrf/suse-cvrf_test.go
@@ -193,6 +193,56 @@ func TestVulnSrc_Update(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path with SLE Micro CVRF including SUSE Linux Enterprise Micro",
+			dir:  filepath.Join("testdata", "happy", "SUSE Linux Enterprise Micro"),
+			dist: SUSEEnterpriseLinuxMicro,
+			wantValues: []vulnsrctest.WantValues{
+				{
+					Key: []string{"data-source", "SUSE Linux Enterprise Micro 5.3"},
+					Value: types.DataSource{
+						ID:   vulnerability.SuseCVRF,
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "SUSE-SU-2024:2546-1", "SUSE Linux Enterprise Micro 5.3", "gnutls"},
+
+					Value: types.Advisory{
+						FixedVersion: "3.7.3-150400.8.1",
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "SUSE-SU-2024:2546-1", "SUSE Linux Enterprise Micro 5.3", "libgnutls30"},
+					Value: types.Advisory{
+						FixedVersion: "3.7.3-150400.8.1",
+					},
+				},
+				{
+					Key: []string{"vulnerability-detail", "SUSE-SU-2024:2546-1", "suse-cvrf"},
+					Value: types.VulnerabilityDetail{
+						Title:       "Security update for gnutls",
+						Description: "This update for gnutls fixes the following issues:\n\n- CVE-2024-28835: Fixed a certtool crash when verifying a certificate\n  chain (bsc#1221747).\n- CVE-2024-28834: Fixed a side-channel attack in the deterministic\n  ECDSA (bsc#1221746).\n\nOther fixes:\n\n- Fixed a memory leak when using the entropy collector (bsc#1221242).\n",
+						References: []string{
+							"https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/",
+							"https://lists.suse.com/pipermail/sle-security-updates/2024-July/018994.html",
+							"https://www.suse.com/support/security/rating/",
+							"https://bugzilla.suse.com/1221242",
+							"https://bugzilla.suse.com/1221746",
+							"https://bugzilla.suse.com/1221747",
+							"https://www.suse.com/security/cve/CVE-2024-28834/",
+							"https://www.suse.com/security/cve/CVE-2024-28835/",
+						},
+						Severity: types.SeverityMedium,
+					},
+				},
+				{
+					Key:   []string{"vulnerability-id", "SUSE-SU-2024:2546-1"},
+					Value: map[string]interface{}{},
+				},
+			},
+		},
 		{
 			name:    "sad path (dir doesn't exist)",
 			dir:     filepath.Join("testdata", "badPath"),
@@ -594,7 +644,7 @@ func TestGetOSVersion(t *testing.T) {
 		},
 		{
 			inputPlatformName:    "SUSE Linux Enterprise Micro 5.1",
-			expectedPlatformName: "",
+			expectedPlatformName: "SUSE Linux Enterprise Micro 5.1",
 		},
 	}
 	for _, tc := range testCases {

diff --git a/...tdata/happy/SUSE Linux Enterprise Micro/vuln-list/cvrf/suse/suse/SUSE-SU-2024-2546-1.json b/...tdata/happy/SUSE Linux Enterprise Micro/vuln-list/cvrf/suse/suse/SUSE-SU-2024-2546-1.json
@@ -0,0 +1,156 @@
+{
+  "Title": "Security update for gnutls",
+  "Tracking": {
+    "ID": "SUSE-SU-2024:2546-1",
+    "Status": "Final",
+    "Version": "1",
+    "InitialReleaseDate": "2024-07-17T12:44:32Z",
+    "CurrentReleaseDate": "2024-07-17T12:44:32Z",
+    "RevisionHistory": [
+      {
+        "Number": "1",
+        "Date": "2024-07-17T12:44:32Z",
+        "Description": "current"
+      }
+    ]
+  },
+  "Notes": [
+    {
+      "Text": "Security update for gnutls",
+      "Title": "Topic",
+      "Type": "Summary"
+    },
+    {
+      "Text": "This update for gnutls fixes the following issues:\n\n- CVE-2024-28835: Fixed a certtool crash when verifying a certificate\n  chain (bsc#1221747).\n- CVE-2024-28834: Fixed a side-channel attack in the deterministic\n  ECDSA (bsc#1221746).\n\nOther fixes:\n\n- Fixed a memory leak when using the entropy collector (bsc#1221242).\n",
+      "Title": "Details",
+      "Type": "General"
+    },
+    {
+      "Text": "The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
+      "Title": "Terms of Use",
+      "Type": "Legal Disclaimer"
+    },
+    {
+      "Text": "SUSE-2024-2546,SUSE-SLE-Micro-5.3-2024-2546",
+      "Title": "Patchnames",
+      "Type": "Details"
+    }
+  ],
+  "ProductTree": {
+    "Relationships": [
+      {
+        "ProductReference": "gnutls-3.7.3-150400.8.1",
+        "RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
+        "RelationType": "Default Component Of"
+      },
+      {
+        "ProductReference": "libgnutls30-3.7.3-150400.8.1",
+        "RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
+        "RelationType": "Default Component Of"
+      },
+      {
+        "ProductReference": "libgnutls30-hmac-3.7.3-150400.8.1",
+        "RelatesToProductReference": "SUSE Linux Enterprise Micro 5.3",
+        "RelationType": "Default Component Of"
+      }
+    ]
+  },
+  "References": [
+    {
+      "URL": "https://www.suse.com/support/update/announcement/2024/suse-su-20242546-1/",
+      "Description": "Link for SUSE-SU-2024:2546-1"
+    },
+    {
+      "URL": "https://lists.suse.com/pipermail/sle-security-updates/2024-July/018994.html",
+      "Description": "E-Mail link for SUSE-SU-2024:2546-1"
+    },
+    {
+      "URL": "https://www.suse.com/support/security/rating/",
+      "Description": "SUSE Security Ratings"
+    },
+    {
+      "URL": "https://bugzilla.suse.com/1221242",
+      "Description": "SUSE Bug 1221242"
+    },
+    {
+      "URL": "https://bugzilla.suse.com/1221746",
+      "Description": "SUSE Bug 1221746"
+    },
+    {
+      "URL": "https://bugzilla.suse.com/1221747",
+      "Description": "SUSE Bug 1221747"
+    },
+    {
+      "URL": "https://www.suse.com/security/cve/CVE-2024-28834/",
+      "Description": "SUSE CVE CVE-2024-28834 page"
+    },
+    {
+      "URL": "https://www.suse.com/security/cve/CVE-2024-28835/",
+      "Description": "SUSE CVE CVE-2024-28835 page"
+    }
+  ],
+  "Vulnerabilities": [
+    {
+      "CVE": "CVE-2024-28834",
+      "Description": "A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.",
+      "Threats": [
+        {
+          "Type": "Impact",
+          "Severity": "moderate"
+        }
+      ],
+      "References": [
+        {
+          "URL": "https://www.suse.com/security/cve/CVE-2024-28834.html",
+          "Description": "CVE-2024-28834"
+        },
+        {
+          "URL": "https://bugzilla.suse.com/1221746",
+          "Description": "SUSE Bug 1221746"
+        }
+      ],
+      "ProductStatuses": [
+        {
+          "Type": "Fixed",
+          "ProductID": [
+            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1",
+            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1",
+            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1"
+          ]
+        }
+      ],
+      "CVSSScoreSets": {}
+    },
+    {
+      "CVE": "CVE-2024-28835",
+      "Description": "A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the \"certtool --verify-chain\" command.",
+      "Threats": [
+        {
+          "Type": "Impact",
+          "Severity": "moderate"
+        }
+      ],
+      "References": [
+        {
+          "URL": "https://www.suse.com/security/cve/CVE-2024-28835.html",
+          "Description": "CVE-2024-28835"
+        },
+        {
+          "URL": "https://bugzilla.suse.com/1221747",
+          "Description": "SUSE Bug 1221747"
+        }
+      ],
+      "ProductStatuses": [
+        {
+          "Type": "Fixed",
+          "ProductID": [
+            "SUSE Linux Enterprise Micro 5.3:gnutls-3.7.3-150400.8.1",
+            "SUSE Linux Enterprise Micro 5.3:libgnutls30-3.7.3-150400.8.1",
+            "SUSE Linux Enterprise Micro 5.3:libgnutls30-hmac-3.7.3-150400.8.1"
+          ]
+        }
+      ],
+      "CVSSScoreSets": {}
+    }
+  ]
+}