quay / claircore

foundation modules for scanning container packages and reporting vulnerabilities
https://quay.github.io/claircore/
Apache License 2.0

ovalutil: collect further links #1022

Open Kieran-Muller opened 1 year ago

Kieran-Muller commented 1 year ago

Background

Package: https://github.com/quay/claircore/blob/main/pkg/ovalutil/links.go

It would appear there is an opportunity to get further vulnerability information from the Oval files returned from ubuntu and other sources.

There are extra links that can be extracted from the advisory.cve href. In the current case, the only link that would be extracted here would be https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36190. As no def.Advisory.Refs exists, sadly the link in the <cve/> element is not extracted.

Example definition.

<definition class="vulnerability" id="oval:com.ubuntu.focal:def:2022361900000000" version="1">
    <metadata>
        <title>CVE-2022-36190 on Ubuntu 20.04 LTS (focal) - medium.</title>
        <description>GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. This vulnerability was fixed in commit fef6242.</description>
        <affected family="unix">
            <platform>Ubuntu 20.04 LTS</platform>
        </affected>
        <reference source="CVE" ref_id="CVE-2022-36190" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36190" />
        <advisory>
            <severity>Medium</severity>
            <rights>Copyright (C) 2022 Canonical Ltd.</rights>
            <public_date>2022-08-17 15:15:00 UTC</public_date>
            <cve href="https://ubuntu.com/security/CVE-2022-36190" severity="medium" public="20220817" cvss_score="9.8" cvss_vector="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H">CVE-2022-36190</cve>
        </advisory>
    </metadata>
    <criteria>
        <extend_definition definition_ref="oval:com.ubuntu.focal:def:100" comment="Ubuntu 20.04 LTS (focal) is installed." applicability_check="true" />
        <criterion test_ref="oval:com.ubuntu.focal:tst:201810001000000000" comment="gpac package in focal is affected and may need fixing." />
    </criteria>
</definition>

Solution

Proposed solution would be to leverage the information in the <cve/> element to get further links for all distros that parse Oval XML files, so long as the oval.Definition contains the CVE as an accessible field.

It looks like the goval-parser Advisory type does support the CVE field, with the current Cves []Cve `xml:"cve"`.

type Advisory struct {
    XMLName         xml.Name       `xml:"advisory"`
    Severity        string         `xml:"severity"`
    Cves            []Cve          `xml:"cve"`
    Bugzillas       []Bugzilla     `xml:"bugzilla"`
    AffectedCPEList []string       `xml:"affected_cpe_list>cpe"`
    Refs            []Ref          `xml:"ref"` // Ubuntu Only
    Bugs            []Bug          `xml:"bug"` // Ubuntu Only
    PublicDate      Date           `xml:"public_date"`
    Issued          Date           `xml:"issued"`
    Updated         Date           `xml:"updated"`
    Affected        AffectedStatus `xml:"affected"` // Red Hat Only
}
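The comment above describes the gap: the current link collection reads the <reference ref_url> and the Ubuntu <ref> entries, so the <cve href> URL is dropped. The following is an added example, not claircore's links.go and not goval-parser's types: it defines local structs shaped like the fields named above (the <ref> element is assumed to carry its URL in a url attribute, as the Refs field suggests), parses the definition posted in this issue, and compares the link set with and without the <cve href> source.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// Local, minimal OVAL definition types for this example. They mirror the
// field names discussed in the issue but are not goval-parser's own types.
type Definition struct {
	ID       string   `xml:"id,attr"`
	Metadata Metadata `xml:"metadata"`
}

type Metadata struct {
	Title      string      `xml:"title"`
	References []Reference `xml:"reference"`
	Advisory   Advisory    `xml:"advisory"`
}

type Reference struct {
	Source string `xml:"source,attr"`
	RefID  string `xml:"ref_id,attr"`
	RefURL string `xml:"ref_url,attr"`
}

type Advisory struct {
	Severity string `xml:"severity"`
	Cves     []Cve  `xml:"cve"`
	Refs     []Ref  `xml:"ref"` // Ubuntu-only; assumed to hold a url attribute
}

// Cve models the <cve href="..." severity="...">CVE-ID</cve> element.
type Cve struct {
	Href     string `xml:"href,attr"`
	Severity string `xml:"severity,attr"`
	ID       string `xml:",chardata"`
}

type Ref struct {
	URL string `xml:"url,attr"`
}

// ParseDefinition unmarshals a single <definition> element.
func ParseDefinition(doc string) (Definition, error) {
	var d Definition
	err := xml.Unmarshal([]byte(doc), &d)
	return d, err
}

// uniqSorted de-duplicates, drops blanks, and sorts so results are stable.
func uniqSorted(urls []string) []string {
	seen := map[string]struct{}{}
	for _, u := range urls {
		if u = strings.TrimSpace(u); u != "" {
			seen[u] = struct{}{}
		}
	}
	out := make([]string, 0, len(seen))
	for u := range seen {
		out = append(out, u)
	}
	sort.Strings(out)
	return out
}

// CurrentLinks reproduces the behaviour described in the issue: only the
// <reference ref_url> and <ref> sources are consulted.
func CurrentLinks(def Definition) []string {
	var urls []string
	for _, r := range def.Metadata.References {
		urls = append(urls, r.RefURL)
	}
	for _, r := range def.Metadata.Advisory.Refs {
		urls = append(urls, r.URL)
	}
	return uniqSorted(urls)
}

// Links is the proposed extension: the same sources plus each <cve href>.
func Links(def Definition) []string {
	urls := CurrentLinks(def)
	for _, c := range def.Metadata.Advisory.Cves {
		urls = append(urls, c.Href)
	}
	return uniqSorted(urls)
}

// sample is the definition posted in this issue, trimmed to its metadata.
const sample = `<definition class="vulnerability" id="oval:com.ubuntu.focal:def:2022361900000000" version="1">
  <metadata>
    <title>CVE-2022-36190 on Ubuntu 20.04 LTS (focal) - medium.</title>
    <reference source="CVE" ref_id="CVE-2022-36190" ref_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36190" />
    <advisory>
      <severity>Medium</severity>
      <cve href="https://ubuntu.com/security/CVE-2022-36190" severity="medium" public="20220817" cvss_score="9.8">CVE-2022-36190</cve>
    </advisory>
  </metadata>
</definition>`

func main() {
	def, err := ParseDefinition(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("current:", CurrentLinks(def))
	fmt.Println("proposed:", Links(def))
}
```

Running it prints one link for the current behaviour and two for the proposed one; the extra entry is the https://ubuntu.com/security/... href that the issue says is lost today. De-duplicating is deliberate: once <cve href> is added, a distro that also lists the same URL under <reference> would otherwise emit it twice.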
Kieran-Muller commented 1 year ago

Raised a PR for review https://github.com/quay/claircore/pull/1023

Kieran-Muller commented 1 year ago

Perhaps it would be worth updating goval-parser with some fresher data for the tests? The current set of xml files seem fairly old and the current oval xml for ubuntu has been updated slightly to no longer use the <ref> element and use the <cve> element.

I'd be happy to make some updates if the team thinks it would be appropriate.

crozzy commented 1 year ago

> Perhaps it would be worth updating goval-parser with some fresher data for the tests? The current set of xml files seem fairly old and the current oval xml for ubuntu has been updated slightly to no longer use the <ref> element and use the <cve> element.
>
> I'd be happy to make some updates if the team thinks it would be appropriate.

Probably worth updating, feel free to update the test files and open a PR, thanks!

Kieran-Muller commented 1 year ago

@crozzy I've raised a PR to add updated Ubuntu data, not urgent. https://github.com/quay/goval-parser/pull/13