anchore / vunnel

Tool for collecting vulnerability data from various sources (used to build the grype database)
Apache License 2.0

Switch from the "fixed + not affected" OVAL file to the "fixed + not affected + unfixed" #635

Open msmeissn opened 1 month ago

msmeissn commented 1 month ago

See https://www.suse.com/support/security/oval/

willmurphyscode commented 1 month ago

Hi @msmeissn thanks very much for the PR!

In order to merge this, we'll also need to improve Vunnel's parsing of the SUSE OVAL XML. Specifically, the Vunnel provider was written to parse OVAL XML that only described fixed vulnerabilities, so Vunnel currently makes bad assumptions about the shape of the criteria sub-trees under the definition nodes.

What I'd like to understand is this: do you all have limits on the shape of criteria trees that are emitted? The data structure looks like it can represent fairly arbitrary boolean conditions (SUSE enterprise more than 15 and (python < 3.12 or perl > 5.1)) or something. But I don't think that you actually write arbitrary boolean expression trees here.

I think the data is structured like this:

(OR
   (AND (SLES versions for package group A) (package versions for package group A))
   (AND (SLES versions for package group B) (package versions of package group B))
)

Is that right? For example, from the SUSE 15 "affected" XML, I see:

Definition Title: CVE-2009-2625
Criteria:
OR:
    AND:
      OR:
        SUSE Linux Enterprise Server 15 SP1-LTSS is installed (sles-ltss-release version equals 15.1)
        SUSE Linux Enterprise Server for SAP Applications 15 SP1 is installed (SLES_SAP-release version equals 15.1)
      OR:
        python is affected (python version greater than 0:0-0)
        python-curses is affected (python-curses version greater than 0:0-0)
        python-gdbm is affected (python-gdbm version greater than 0:0-0)
        python-tk is affected (python-tk version greater than 0:0-0)
    AND:
      OR:
        SUSE Enterprise Storage 6 is installed (ses-release version equals 6)
        SUSE Linux Enterprise Desktop 15 is installed (sled-release version equals 15)
        SUSE Linux Enterprise Desktop 15 SP1 is installed (sled-release version equals 15.1)
        SUSE Linux Enterprise High Performance Computing 15 is installed (SLE_HPC-release version equals 15)
        SUSE Linux Enterprise High Performance Computing 15 SP1 is installed (SLE_HPC-release version equals 15.1)
        SUSE Linux Enterprise Module for Basesystem 15 is installed (sle-module-basesystem-release version equals 15)
        SUSE Linux Enterprise Module for Basesystem 15 SP1 is installed (sle-module-basesystem-release version equals 15.1)
        SUSE Linux Enterprise Server 15 is installed (sles-release version equals 15)
        SUSE Linux Enterprise Server 15 SP1 is installed (sles-release version equals 15.1)
        SUSE Linux Enterprise Server for SAP Applications 15 is installed (SLES_SAP-release version equals 15)
        SUSE Linux Enterprise Server for SAP Applications 15 SP1 is installed (SLES_SAP-release version equals 15.1)
        SUSE Manager Proxy 4.0 is installed (SUSE-Manager-Proxy-release version equals 4.0)
        SUSE Manager Retail Branch Server 4.0 is installed (suse-manager-server-release version equals 4.0)
        SUSE Manager Server 4.0 is installed (SUSE-Manager-Server-release version equals 4.0)
      OR:
        expat-2.2.5-1.140 is installed (expat version less than 0:2.2.5-1.140)
        libexpat-devel-2.2.5-1.140 is installed (libexpat-devel version less than 0:2.2.5-1.140)
        libexpat1-2.2.5-1.140 is installed (libexpat1 version less than 0:2.2.5-1.140)
        libexpat1-32bit-2.2.5-1.140 is installed (libexpat1-32bit version less than 0:2.2.5-1.140)

Are there other shapes we should plan to handle?
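
The parsing concern raised above, as an added example that is not Vunnel's code and not part of this thread: a walker for an OVAL criteria tree of the quoted shape, OR( AND( OR(release tests), OR(package tests) ) ... ), which emits one (release, package, fix version) record per combination and raises on any shape it was not written for, rather than silently mis-reading it. The XML fragment and the test-id table are constructed; OVAL's `criteria`/`criterion` elements and their `operator`, `comment` and `test_ref` attributes are real, but a real document resolves `test_ref` through `rpminfo_test` → object + state, which is replaced here by a hard-coded table. Treating "version less than X" as fixed-in-X and "version greater than 0:0-0" as affected-with-no-fix is an interpretation of the quoted tree, and the rule that the release side consists of "equals" tests on `*-release` packages is an assumption drawn from the same quote.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed OVAL-style fragment following the shape quoted in the thread.
# Test ids are made up; the comment wording mirrors the SUSE convention shown above.
SAMPLE_XML = """
<definition id="oval:org.opensuse.security:def:EXAMPLE" class="vulnerability">
  <metadata><title>CVE-EXAMPLE-0001</title></metadata>
  <criteria operator="OR">
    <criteria operator="AND">
      <criteria operator="OR">
        <criterion comment="SUSE Linux Enterprise Server 15 SP1-LTSS is installed" test_ref="tst:1"/>
        <criterion comment="SUSE Linux Enterprise Server for SAP Applications 15 SP1 is installed" test_ref="tst:2"/>
      </criteria>
      <criteria operator="OR">
        <criterion comment="python is affected" test_ref="tst:3"/>
        <criterion comment="python-curses is affected" test_ref="tst:4"/>
      </criteria>
    </criteria>
    <criteria operator="AND">
      <criterion comment="SUSE Linux Enterprise Server 15 is installed" test_ref="tst:5"/>
      <criteria operator="OR">
        <criterion comment="expat-2.2.5-1.140 is installed" test_ref="tst:6"/>
        <criterion comment="libexpat1-2.2.5-1.140 is installed" test_ref="tst:7"/>
      </criteria>
    </criteria>
  </criteria>
</definition>
"""

# Stand-in for resolving test_ref -> rpminfo_test -> object (package) + state
# (operation, version). Constructed; the tuples mirror the parenthesised text in
# the quoted tree, e.g. "(sles-ltss-release version equals 15.1)".
TESTS = {
    "tst:1": ("sles-ltss-release", "equals", "15.1"),
    "tst:2": ("SLES_SAP-release", "equals", "15.1"),
    "tst:3": ("python", "greater than", "0:0-0"),
    "tst:4": ("python-curses", "greater than", "0:0-0"),
    "tst:5": ("sles-release", "equals", "15"),
    "tst:6": ("expat", "less than", "0:2.2.5-1.140"),
    "tst:7": ("libexpat1", "less than", "0:2.2.5-1.140"),
}


@dataclass(frozen=True)
class Record:
    release: str                 # e.g. "sles-ltss-release 15.1"
    package: str
    fix_version: Optional[str]   # None: every version affected, no fix available


class UnexpectedShape(ValueError):
    """Raised instead of guessing when the tree is not OR(AND(OR, OR))."""


def _leaf_tests(node):
    """Resolve a leaf group: a single <criterion>, or a flat OR of <criterion>."""
    if node.tag == "criterion":
        return [TESTS[node.get("test_ref")]]
    if (node.tag != "criteria" or node.get("operator") != "OR" or len(node) == 0
            or any(child.tag != "criterion" for child in node)):
        raise UnexpectedShape("leaf group is not a flat OR of criterion: "
                              + ET.tostring(node, encoding="unicode")[:80])
    return [TESTS[child.get("test_ref")] for child in node]


def _is_release_side(tests):
    # Assumption from the quoted tree: release tests are "equals" on a *-release package.
    return all(name.endswith("-release") and op == "equals" for name, op, _ in tests)


def parse_definition(xml_text):
    """Return one Record per (release, package) pair, raising on unexpected shapes."""
    definition = ET.fromstring(xml_text)
    root = definition.find("criteria")
    if root is None or root.get("operator") != "OR":
        raise UnexpectedShape("top-level criteria must be an OR")
    records = []
    for group in root:
        if group.tag != "criteria" or group.get("operator") != "AND" or len(group) != 2:
            raise UnexpectedShape("each branch must be an AND of exactly two groups")
        sides = [_leaf_tests(child) for child in group]
        release_sides = [side for side in sides if _is_release_side(side)]
        if len(release_sides) != 1:
            raise UnexpectedShape("exactly one side of the AND must be the release group")
        releases = release_sides[0]
        packages = [side for side in sides if side is not releases][0]
        for rel_name, _, rel_ver in releases:
            for pkg, op, ver in packages:
                if op == "less than":                      # fixed: versions below ver are affected
                    fix = ver
                elif op == "greater than" and ver == "0:0-0":  # unfixed: any installed version
                    fix = None
                else:
                    raise UnexpectedShape(f"unhandled package test: {pkg} {op} {ver}")
                records.append(Record(f"{rel_name} {rel_ver}", pkg, fix))
    return records


if __name__ == "__main__":
    for record in parse_definition(SAMPLE_XML):
        print(record)
```

The point of the explicit `UnexpectedShape` checks is the one the comment above makes: a parser written for one tree shape should fail loudly on a new one (a third child under an AND, a nested AND inside the package OR, a top-level AND) so the gap shows up in tests and fixtures rather than as missing or spurious matches in the built database.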

willmurphyscode commented 1 month ago

Note for next steps: This results in a fair number of new findings, so the next step is to label some vulnerabilities in vulnerability match labels, e.g.:

   TOOL PARTITION                 PACKAGE                      VULNERABILITY   LABEL      COMMENTARY
   grype[custom-db]@v0.79.4 ONLY  glibc@2.26-13.56.1           CVE-2016-10228  (unknown)
   grype[custom-db]@v0.79.4 ONLY  krb5@1.16.3-3.18.1           CVE-2021-37750  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libblkid1@2.33.1-4.13.1      CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libfdisk1@2.33.1-4.13.1      CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libgmp10@6.1.2-4.6.1         CVE-2021-43618  (unknown)
   grype[custom-db]@v0.79.4 ONLY  liblua5_3-5@5.3.4-3.3.2      CVE-2020-24370  (unknown)
   grype[custom-db]@v0.79.4 ONLY  liblua5_3-5@5.3.4-3.3.2      CVE-2020-24371  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libmount1@2.33.1-4.13.1      CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libpcre1@8.41-4.20           CVE-2019-20838  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libprocps7@3.3.15-7.19.1     CVE-2018-10880  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libsmartcols1@2.33.1-4.13.1  CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libsystemd0@234-24.82.1      CVE-2019-20386  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libudev1@234-24.82.1         CVE-2019-20386  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libuuid1@2.33.1-4.13.1       CVE-2021-37600  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libxml2-2@2.9.7-3.34.1       CVE-2021-3516   (unknown)
   grype[custom-db]@v0.79.4 ONLY  libxml2-2@2.9.7-3.34.1       CVE-2021-3517   (unknown)
   grype[custom-db]@v0.79.4 ONLY  libxml2-2@2.9.7-3.34.1       CVE-2021-3518   (unknown)
   grype[custom-db]@v0.79.4 ONLY  libxml2-2@2.9.7-3.34.1       CVE-2021-3537   (unknown)
   grype[custom-db]@v0.79.4 ONLY  libyaml-cpp0_6@0.6.1-4.2.1   CVE-2018-20573  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libyaml-cpp0_6@0.6.1-4.2.1   CVE-2018-20574  (unknown)
   grype[custom-db]@v0.79.4 ONLY  libyaml-cpp0_6@0.6.1-4.2.1   CVE-2019-6285   (unknown)
   grype[custom-db]@v0.79.4 ONLY  libyaml-cpp0_6@0.6.1-4.2.1   CVE-2019-6292   (unknown)
   grype[custom-db]@v0.79.4 ONLY  perl-base@5.26.1-7.12.1      CVE-2018-6913   (unknown)
   grype[custom-db]@v0.79.4 ONLY  permissions@20181116-9.38.1  CVE-2019-11328  (unknown)
   grype[custom-db]@v0.79.4 ONLY  permissions@20181116-9.38.1  CVE-2020-8025   (unknown)
   grype[custom-db]@v0.79.4 ONLY  procps@3.3.15-7.19.1         CVE-2018-10880  (unknown)
   grype[custom-db]@v0.79.4 ONLY  rpm@4.14.1-10.19.8           CVE-2017-7501   (unknown)
   grype[custom-db]@v0.79.4 ONLY  rpm@4.14.1-10.19.8           CVE-2021-3421   (unknown)
   grype[custom-db]@v0.79.4 ONLY  util-linux@2.33.1-4.13.1     CVE-2021-37600  (unknown)

(I plan to do this work - just writing down the next step for my own planning)