// addDefinition appends a package object and an EVR comparison test for
// pkgname to o, scoped to the release dist. Nothing is added when dist has
// no release definition (getReleaseDefinition returns ""). The generated
// test is gated on the release test "reldef-<dist>-test" through its If
// list, so the package check only fires on the matching release.
//
// NOTE(review): when cve.pkgMap has no entry for pkgname/dist the test is
// still emitted with an empty EVR value — callers should make sure the
// entry exists before calling this.
func addDefinition(o *scribe.Document, prefix string, pkgname string, dist string, cve cveEntry) {
	// Only releases on our list get a definition.
	if getReleaseDefinition(dist) == "" {
		return
	}

	// Object describing the package to inspect.
	pkgObject := scribe.Object{}
	pkgObject.Object = fmt.Sprintf("%s-object", prefix)
	pkgObject.Package.Name = pkgname

	// Test: installed EVR must be below the fixed version for this release.
	evrTest := scribe.Test{}
	evrTest.TestID = fmt.Sprintf("%s-test", prefix)
	evrTest.Object = pkgObject.Object
	evrTest.EVR.Value = cve.pkgMap[pkgname][dist]
	evrTest.EVR.Operation = "<"
	evrTest.If = append(evrTest.If, fmt.Sprintf("reldef-%s-test", dist))

	o.Tests = append(o.Tests, evrTest)
	o.Objects = append(o.Objects, pkgObject)
}
// amazonGetReleaseTest returns the TestID of the release test for vuln's
// OS/release pair, creating the test (and the shared system-release object
// it reads) in doc when they are not present yet. The error result is
// always nil; it is kept for signature parity with the other
// *GetReleaseTest helpers.
//
// NOTE(review): the test matches the constant "Amazon Linux AMI release"
// regardless of vuln.Release, so release tests for different Amazon
// releases differ by name only — confirm this is intended.
func amazonGetReleaseTest(doc *scribe.Document, vuln Vulnerability) (string, error) {
	testID := fmt.Sprintf("test-release-%v-%v", vuln.OS, vuln.Release)
	const objID = "obj-release-amazonsystemrelease"

	// Already defined: reuse it.
	for _, t := range doc.Tests {
		if t.TestID == testID {
			return testID, nil
		}
	}

	hasObject := func(id string) bool {
		for _, existing := range doc.Objects {
			if existing.Object == id {
				return true
			}
		}
		return false
	}
	if !hasObject(objID) {
		relObj := scribe.Object{}
		relObj.Object = objID
		relObj.FileContent.Path = "/etc"
		relObj.FileContent.File = "^system-release$"
		relObj.FileContent.Expression = amazon_expression
		doc.Objects = append(doc.Objects, relObj)
	}

	relTest := scribe.Test{}
	relTest.TestID = testID
	relTest.Object = objID
	relTest.Regexp.Value = "Amazon Linux AMI release"
	doc.Tests = append(doc.Tests, relTest)

	return testID, nil
}
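// redhatGetReleaseTest returns the TestID of the release test for vuln's
// OS/release pair, creating it in doc if absent. The release test reads
// /etc/redhat-release through a shared object and exact-matches the
// version string looked up in RedHatReleases.
//
// It returns an error when vuln.Release is not listed in RedHatReleases;
// in that case doc is left unmodified (the lookup happens before any
// object is appended, so no orphan object is left behind on failure).
//
// NOTE(review): the object "obj-release-redhatrelease" is shared by redhat
// and centos vulnerabilities, but its Expression is chosen from vuln.OS
// only when the object is first created. A document mixing both ends up
// with whichever expression the first vulnerability selected — confirm
// rhl_expression and centos_expression are interchangeable, or key the
// object name on the OS.
func redhatGetReleaseTest(doc *scribe.Document, vuln Vulnerability) (string, error) {
	reltestname := fmt.Sprintf("test-release-%v-%v", vuln.OS, vuln.Release)
	relobjname := "obj-release-redhatrelease"

	// Reuse an existing release test if the document already has one.
	for _, x := range doc.Tests {
		if x.TestID == reltestname {
			return reltestname, nil
		}
	}

	// Resolve the release version before mutating doc so an unknown
	// release cannot leave a half-added definition (object without test).
	mvalue := ""
	for _, x := range RedHatReleases {
		if x.Name == vuln.Release {
			mvalue = x.Version
			break
		}
	}
	if mvalue == "" {
		return "", fmt.Errorf("unknown redhat/centos release %v", vuln.Release)
	}

	found := false
	for _, x := range doc.Objects {
		if x.Object == relobjname {
			found = true
			break
		}
	}
	if !found {
		obj := scribe.Object{}
		obj.Object = relobjname
		obj.FileContent.Path = "/etc"
		obj.FileContent.File = "^redhat-release$"
		// Anything that is not "redhat" is treated as centos.
		if vuln.OS == "redhat" {
			obj.FileContent.Expression = rhl_expression
		} else {
			obj.FileContent.Expression = centos_expression
		}
		doc.Objects = append(doc.Objects, obj)
	}

	test := scribe.Test{}
	test.TestID = reltestname
	test.Object = relobjname
	test.EMatch.Value = mvalue
	doc.Tests = append(doc.Tests, test)

	return test.TestID, nil
}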
// addReleaseDefinition appends to o an object reading DISTRIB_RELEASE from
// /etc/lsb-release and a test that exact-matches it against
// rinfo.lsbmatch. The definition id "reldef-<identifier>" is stored back
// into rinfo.defid so later package tests can reference the
// "<id>-test" gate.
func addReleaseDefinition(o *scribe.Document, rinfo *releaseInformation) {
	defID := fmt.Sprintf("reldef-%v", rinfo.identifier)
	rinfo.defid = defID

	// Object: capture the release number from lsb-release.
	relObj := scribe.Object{}
	relObj.Object = fmt.Sprintf("%s-object", defID)
	relObj.FileContent.Path = "/etc"
	relObj.FileContent.File = "^lsb-release$"
	relObj.FileContent.Expression = "DISTRIB_RELEASE=(\\d{1,2}\\.\\d{1,2})"

	// Test: captured value must equal the expected release string.
	relTest := scribe.Test{}
	relTest.TestID = fmt.Sprintf("%s-test", defID)
	relTest.Object = relObj.Object
	relTest.EMatch.Value = rinfo.lsbmatch

	o.Tests = append(o.Tests, relTest)
	o.Objects = append(o.Objects, relObj)
}
// addReleaseDefinition appends to o an object that applies
// rinfo.profile.expression to the file rinfo.profile.fname under
// rinfo.profile.fdir, and a test that exact-matches the captured value
// against rinfo.lsbmatch. The definition id "reldef-<identifier>" is
// stored back into rinfo.defid so package tests can reference the
// "<id>-test" gate.
func addReleaseDefinition(o *scribe.Document, rinfo *releaseInformation) {
	defID := fmt.Sprintf("reldef-%v", rinfo.identifier)
	rinfo.defid = defID

	// Object: where and how to extract the release value.
	relObj := scribe.Object{}
	relObj.Object = fmt.Sprintf("%s-object", defID)
	relObj.FileContent.Path = rinfo.profile.fdir
	relObj.FileContent.File = rinfo.profile.fname
	relObj.FileContent.Expression = rinfo.profile.expression

	// Test: extracted value must equal the expected match string.
	relTest := scribe.Test{}
	relTest.TestID = fmt.Sprintf("%s-test", defID)
	relTest.Object = relObj.Object
	relTest.EMatch.Value = rinfo.lsbmatch

	o.Tests = append(o.Tests, relTest)
	o.Objects = append(o.Objects, relObj)
}
// addTest appends a package version test for vuln to doc, together with
// the package object and release test it depends on when those are not
// already present.
//
// The test compares the installed package EVR against vuln.Version with
// "<", is gated on the release test through its If list, and carries a
// "cve" tag (always, as a comma-separated list that may be empty) plus
// "cvss" and "category" tags when those fields are non-empty. TestName
// embeds the package-level counter testcntr, which is incremented only on
// success, so names are unique within one process run.
//
// It returns the error from getReleaseTest or getTestID. Note that doc may
// already have been modified when getTestID fails: the release test and
// the package object are appended before that call.
//
// NOTE(review): the existing-object lookup compares x.Package.Name with
// vuln.Package, while a new object's Package.Name comes from
// getReleasePackage(vuln); if those differ the lookup never matches and a
// second object with the same Object id is appended — verify.
func addTest(doc *scribe.Document, vuln Vulnerability) error {
	// Release test gate; created on demand by getReleaseTest.
	reltestid, err := getReleaseTest(doc, vuln)
	if err != nil {
		return err
	}

	// Package object: reuse by package name, else create.
	var objid string
	for _, existing := range doc.Objects {
		if existing.Package.Name == vuln.Package {
			objid = existing.Object
			break
		}
	}
	if objid == "" {
		objid = fmt.Sprintf("obj-package-%v", vuln.Package)
		pkgObj := scribe.Object{}
		pkgObj.Object = objid
		pkgObj.Package.Name, pkgObj.Package.CollectMatch = getReleasePackage(vuln)
		doc.Objects = append(doc.Objects, pkgObj)
	}

	testidstr, err := getTestID(vuln)
	if err != nil {
		return err
	}

	// Tags: the CVE list is always attached; the others are optional.
	var cveval string
	for _, id := range vuln.Metadata.CVE {
		if cveval != "" {
			cveval += ","
		}
		cveval += id
	}
	tags := []scribe.TestTag{{Key: "cve", Value: cveval}}
	if cvss := vuln.Metadata.CVSS; cvss != "" {
		tags = append(tags, scribe.TestTag{Key: "cvss", Value: cvss})
	}
	if category := vuln.Metadata.Category; category != "" {
		tags = append(tags, scribe.TestTag{Key: "category", Value: category})
	}

	test := scribe.Test{}
	// Descriptive name shown in command output instead of the raw test ID.
	test.TestName = fmt.Sprintf("test-%v-%v-%v-%v", vuln.OS, vuln.Release, vuln.Package, testcntr)
	test.TestID = testidstr
	test.Description = vuln.Metadata.Description
	test.Object = objid
	test.EVR.Value = vuln.Version
	test.EVR.Operation = "<"
	test.If = append(test.If, reltestid)
	test.Tags = tags
	doc.Tests = append(doc.Tests, test)
	testcntr++

	return nil
}