Open msmeissn opened 1 month ago
Hi @msmeissn thanks very much for the PR!
In order to merge this, we'll also need to improve Vunnel's parsing of the SUSE OVAL XML. Specifically, the Vunnel provider was written to parse OVAL XML that only described fixed vulnerabilities, so Vunnel currently makes bad assumptions about the shape of the criteria sub-trees under the definition nodes.
What I'd like to understand is this: do you all have limits on the shape of criteria trees that are emitted? The data structure looks like it can represent fairly arbitrary boolean conditions (SUSE enterprise more than 15 and (python < 3.12 or perl > 5.1)) or something. But I don't think that you actually write arbitrary boolean expression trees here.
I think the data is structured like this:
```
(OR
  (AND (SLES versions for package group A) (package versions for package group A))
  (AND (SLES versions for package group B) (package versions of package group B))
)
```
Is that right? For example, from the Suse 15 "affected" XML, I see:
```
Definition Title: CVE-2009-2625
Criteria:
  OR:
    AND:
      OR:
        SUSE Linux Enterprise Server 15 SP1-LTSS is installed (sles-ltss-release version equals 15.1)
        SUSE Linux Enterprise Server for SAP Applications 15 SP1 is installed (SLES_SAP-release version equals 15.1)
      OR:
        python is affected (python version greater than 0:0-0)
        python-curses is affected (python-curses version greater than 0:0-0)
        python-gdbm is affected (python-gdbm version greater than 0:0-0)
        python-tk is affected (python-tk version greater than 0:0-0)
    AND:
      OR:
        SUSE Enterprise Storage 6 is installed (ses-release version equals 6)
        SUSE Linux Enterprise Desktop 15 is installed (sled-release version equals 15)
        SUSE Linux Enterprise Desktop 15 SP1 is installed (sled-release version equals 15.1)
        SUSE Linux Enterprise High Performance Computing 15 is installed (SLE_HPC-release version equals 15)
        SUSE Linux Enterprise High Performance Computing 15 SP1 is installed (SLE_HPC-release version equals 15.1)
        SUSE Linux Enterprise Module for Basesystem 15 is installed (sle-module-basesystem-release version equals 15)
        SUSE Linux Enterprise Module for Basesystem 15 SP1 is installed (sle-module-basesystem-release version equals 15.1)
        SUSE Linux Enterprise Server 15 is installed (sles-release version equals 15)
        SUSE Linux Enterprise Server 15 SP1 is installed (sles-release version equals 15.1)
        SUSE Linux Enterprise Server for SAP Applications 15 is installed (SLES_SAP-release version equals 15)
        SUSE Linux Enterprise Server for SAP Applications 15 SP1 is installed (SLES_SAP-release version equals 15.1)
        SUSE Manager Proxy 4.0 is installed (SUSE-Manager-Proxy-release version equals 4.0)
        SUSE Manager Retail Branch Server 4.0 is installed (suse-manager-server-release version equals 4.0)
        SUSE Manager Server 4.0 is installed (SUSE-Manager-Server-release version equals 4.0)
      OR:
        expat-2.2.5-1.140 is installed (expat version less than 0:2.2.5-1.140)
        libexpat-devel-2.2.5-1.140 is installed (libexpat-devel version less than 0:2.2.5-1.140)
        libexpat1-2.2.5-1.140 is installed (libexpat1 version less than 0:2.2.5-1.140)
        libexpat1-32bit-2.2.5-1.140 is installed (libexpat1-32bit version less than 0:2.2.5-1.140)
```
Are there other shapes we should plan to handle?
Note for next steps: This results in a fair number of new findings, so the next step is to label some vulnerabilities in vulnerability match labels, e.g.:
| TOOL | PARTITION | PACKAGE | VULNERABILITY | LABEL | COMMENTARY |
|---|---|---|---|---|---|
| grype[custom-db]@v0.79.4 | ONLY | glibc@2.26-13.56.1 | CVE-2016-10228 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | krb5@1.16.3-3.18.1 | CVE-2021-37750 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libblkid1@2.33.1-4.13.1 | CVE-2021-37600 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libfdisk1@2.33.1-4.13.1 | CVE-2021-37600 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libgmp10@6.1.2-4.6.1 | CVE-2021-43618 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | liblua5_3-5@5.3.4-3.3.2 | CVE-2020-24370 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | liblua5_3-5@5.3.4-3.3.2 | CVE-2020-24371 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libmount1@2.33.1-4.13.1 | CVE-2021-37600 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libpcre1@8.41-4.20 | CVE-2019-20838 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libprocps7@3.3.15-7.19.1 | CVE-2018-10880 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libsmartcols1@2.33.1-4.13.1 | CVE-2021-37600 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libsystemd0@234-24.82.1 | CVE-2019-20386 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libudev1@234-24.82.1 | CVE-2019-20386 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libuuid1@2.33.1-4.13.1 | CVE-2021-37600 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libxml2-2@2.9.7-3.34.1 | CVE-2021-3516 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libxml2-2@2.9.7-3.34.1 | CVE-2021-3517 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libxml2-2@2.9.7-3.34.1 | CVE-2021-3518 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libxml2-2@2.9.7-3.34.1 | CVE-2021-3537 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libyaml-cpp0_6@0.6.1-4.2.1 | CVE-2018-20573 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libyaml-cpp0_6@0.6.1-4.2.1 | CVE-2018-20574 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libyaml-cpp0_6@0.6.1-4.2.1 | CVE-2019-6285 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | libyaml-cpp0_6@0.6.1-4.2.1 | CVE-2019-6292 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | perl-base@5.26.1-7.12.1 | CVE-2018-6913 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | permissions@20181116-9.38.1 | CVE-2019-11328 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | permissions@20181116-9.38.1 | CVE-2020-8025 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | procps@3.3.15-7.19.1 | CVE-2018-10880 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | rpm@4.14.1-10.19.8 | CVE-2017-7501 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | rpm@4.14.1-10.19.8 | CVE-2021-3421 | (unknown) | |
| grype[custom-db]@v0.79.4 | ONLY | util-linux@2.33.1-4.13.1 | CVE-2021-37600 | (unknown) | |
(I plan to do this work - just writing down the next step for my own planning)
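The OR-of-AND shape laid out in the comment above, turned into a walker. This is an added example, not Vunnel's or SUSE's code. It parses a constructed, namespace-free OVAL fragment modelled on the CVE-2009-2625 tree, resolves each `test_ref` through a constructed `TESTS` dict that stands in for the real `<tests>`/`<objects>`/`<states>` lookup, and checks at every level that the tree really is `OR( AND( OR(releases), OR(packages) ), ... )`; anything else raises `UnexpectedShape` with the path to the offending node, so a feed that starts emitting a new shape is reported per definition instead of being silently mis-parsed. Package tests of the form "greater than 0:0-0" from the affected feed become `affected-unfixed` records, and "less than <fix>" tests become `fixed` records.

```python
"""Walk a SUSE-style OVAL <criteria> tree of the OR-of-AND shape discussed in this PR.

Added example, not Vunnel's code. OVAL_XML and TESTS are constructed stand-ins: real OVAL
resolves each <criterion test_ref> via <tests>/<objects>/<states> and namespaces every tag."""
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed fragment mirroring the CVE-2009-2625 tree quoted above (two groups, trimmed).
OVAL_XML = """<oval_definitions><definitions>
<definition id="oval:org.opensuse.security:def:20092625" class="vulnerability">
  <metadata><title>CVE-2009-2625</title></metadata>
  <criteria operator="OR">
    <criteria operator="AND">
      <criteria operator="OR">
        <criterion test_ref="tst:sles-ltss-15.1" comment="SUSE Linux Enterprise Server 15 SP1-LTSS is installed"/>
        <criterion test_ref="tst:sles-sap-15.1" comment="SUSE Linux Enterprise Server for SAP Applications 15 SP1 is installed"/>
      </criteria>
      <criteria operator="OR">
        <criterion test_ref="tst:python" comment="python is affected"/>
        <criterion test_ref="tst:python-tk" comment="python-tk is affected"/>
      </criteria>
    </criteria>
    <criteria operator="AND">
      <criteria operator="OR">
        <criterion test_ref="tst:sles-15" comment="SUSE Linux Enterprise Server 15 is installed"/>
        <criterion test_ref="tst:sled-15.1" comment="SUSE Linux Enterprise Desktop 15 SP1 is installed"/>
      </criteria>
      <criteria operator="OR">
        <criterion test_ref="tst:expat" comment="expat-2.2.5-1.140 is installed"/>
        <criterion test_ref="tst:libexpat1" comment="libexpat1-2.2.5-1.140 is installed"/>
      </criteria>
    </criteria>
  </criteria>
</definition></definitions></oval_definitions>"""

# Constructed stand-in for test resolution: test_ref -> (rpm name, operation, version).
TESTS = {
    "tst:sles-ltss-15.1": ("sles-ltss-release", "equals", "15.1"),
    "tst:sles-sap-15.1": ("SLES_SAP-release", "equals", "15.1"),
    "tst:sles-15": ("sles-release", "equals", "15"),
    "tst:sled-15.1": ("sled-release", "equals", "15.1"),
    "tst:python": ("python", "greater than", "0:0-0"),        # unfixed: every version is affected
    "tst:python-tk": ("python-tk", "greater than", "0:0-0"),
    "tst:expat": ("expat", "less than", "0:2.2.5-1.140"),      # fixed: versions below the fix
    "tst:libexpat1": ("libexpat1", "less than", "0:2.2.5-1.140"),
}
UNFIXED_SENTINEL = "0:0-0"

# release: "<release rpm> <version>"; state: "fixed" | "affected-unfixed"; fixed_version: None if unfixed
Match = namedtuple("Match", "cve release package state fixed_version")


class UnexpectedShape(ValueError): """Tree is not OR( AND( OR(releases), OR(packages) ), ... )."""


def _leaf_tests(node, path):
    """Resolve an OR node whose children must all be <criterion> leaves of one kind."""
    if node.tag != "criteria" or node.get("operator") != "OR" or len(node) == 0:
        raise UnexpectedShape(f"{path}: expected a non-empty <criteria operator=OR>")
    tests = []
    for leaf in node:
        if leaf.tag != "criterion":
            raise UnexpectedShape(f"{path}: nested <criteria> where a leaf was expected")
        tests.append(TESTS[leaf.get("test_ref")])
    ops = {op for _, op, _ in tests}
    # "<foo>-release version equals X" identifies a release; less/greater than identify package versions
    kind = "release" if ops == {"equals"} else "package" if "equals" not in ops else None
    if kind is None:
        raise UnexpectedShape(f"{path}: release and package tests mixed in one OR")
    return kind, tests


def parse_definition(defn):
    """Flatten one <definition> into (release, package) Match records, or raise."""
    cve = defn.findtext("metadata/title")
    root = defn.find("criteria")
    if root is None or root.get("operator") != "OR":
        raise UnexpectedShape(f"{cve}: top-level criteria must be OR")
    matches = []
    for i, group in enumerate(root):
        path = f"{cve}/criteria[{i}]"
        if group.tag != "criteria" or group.get("operator") != "AND" or len(group) != 2:
            raise UnexpectedShape(f"{path}: expected AND with exactly two OR children")
        sides = dict(_leaf_tests(child, f"{path}/{j}") for j, child in enumerate(group))
        if set(sides) != {"release", "package"}:
            raise UnexpectedShape(f"{path}: need one release OR and one package OR")
        for rname, _, rver in sides["release"]:
            for pname, op, pver in sides["package"]:
                if op == "greater than" and pver == UNFIXED_SENTINEL:
                    matches.append(Match(cve, f"{rname} {rver}", pname, "affected-unfixed", None))
                elif op == "less than":
                    matches.append(Match(cve, f"{rname} {rver}", pname, "fixed", pver))
                else:
                    raise UnexpectedShape(f"{path}: unhandled package test {pname} {op} {pver}")
    return matches


def parse_oval(xml_text):
    """Parse every definition; report shape violations instead of aborting the whole feed."""
    matches, violations = [], []
    for defn in ET.fromstring(xml_text).iter("definition"):
        try:
            matches.extend(parse_definition(defn))
        except UnexpectedShape as exc:
            violations.append(str(exc))
    return matches, violations
```

`parse_oval(OVAL_XML)` returns eight `Match` records (four `affected-unfixed` for the python group, four `fixed` for the expat group) and an empty violation list; a definition whose top-level criteria is not an OR, or whose AND has anything other than one release OR and one package OR, ends up in the violation list with its title and path while the remaining definitions are still processed.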
…affected + unfixed"
See https://www.suse.com/support/security/oval/