From 741fb82df5e2638ed4b7db6fae389af9b9a037e8 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 17 Jan 2022 04:40:07 +0900 Subject: [PATCH 01/20] feat(fedora): fetch Everything updateinfo --- fedora/fedora.go | 387 +++++++++++++++++++++++++++++++++++++++++++++++ go.mod | 1 + main.go | 7 + 3 files changed, 395 insertions(+) create mode 100644 fedora/fedora.go diff --git a/fedora/fedora.go b/fedora/fedora.go new file mode 100644 index 00000000..a4876613 --- /dev/null +++ b/fedora/fedora.go 
@@ -0,0 +1,387 @@ +package fedora + +import ( + "bytes" + "compress/bzip2" + "encoding/xml" + "fmt" + "io" + "log" + "net/url" + "os" + "path" + "path/filepath" + "strings" + + "github.com/aquasecurity/vuln-list-update/utils" + "github.com/cheggaaa/pb/v3" + "github.com/ulikunitz/xz" + "golang.org/x/xerrors" +) + +const ( + retry = 3 + + fedoraDir = "fedora" +) + +var ( + URIForamt = map[string]string{ + "fedora": "https://dl.fedoraproject.org/pub/fedora/linux/updates/%s/%s/%s/", + "epel7": "https://dl.fedoraproject.org/pub/epel/%s/%s/", + "epel": "https://dl.fedoraproject.org/pub/epel/%s/%s/%s/", + } + + defaultReleases = map[string][]string{ + "fedora": {"32", "33", "34", "35"}, + "epel": {"7", "8", "9"}, + } + defaultRepos = []string{"Everything", "Modular"} + defaultArches = []string{"x86_64", "aarch64"} + + pkgArchFilter = map[string][]string{ + "x86_64": {"noarch", "x86_64", "i686"}, + "aarch64": {"noarch", "aarch64"}, + } +) + +// RepoMd has repomd data +type RepoMd struct { + RepoList []Repo `xml:"data"` +} + +// Repo has a repo data +type Repo struct { + Type string `xml:"type,attr"` + Location Location `xml:"location"` +} + +// Location has a location of repomd +type Location struct { + Href string `xml:"href,attr"` +} + +// UpdateInfo has a list of Fedora Security Advisory +type UpdateInfo struct { + FSAList []FSA `xml:"update"` +} + +// FSA has detailed data of Fedora Security Advisory +type FSA struct { + ID string `xml:"id" json:"id,omitempty"` + Title string `xml:"title" json:"title,omitempty"` + Type string `xml:"type,attr" json:"type,omitempty"` + Issued Date `xml:"issued" json:"issued,omitempty"` + Updated Date `xml:"updated" json:"updated,omitempty"` + Severity string `xml:"severity" json:"severity,omitempty"` + Description string `xml:"description" json:"description,omitempty"` + Packages []Package `xml:"pkglist>collection>package" json:"packages,omitempty"` + Module Module `json:"module,omitempty"` + References []Reference 
`xml:"references>reference" json:"references,omitempty"` + CveIDs []string `json:"cveids,omitempty"` +} + +// Updated has updated at +type Date struct { + Date string `xml:"date,attr" json:"date,omitempty"` +} + +// Reference has reference information +type Reference struct { + Href string `xml:"href,attr" json:"href,omitempty"` + ID string `xml:"id,attr" json:"id,omitempty"` + Title string `xml:"title,attr" json:"title,omitempty"` + Type string `xml:"type,attr" json:"type,omitempty"` +} + +// Package has affected package information +type Package struct { + Name string `xml:"name,attr" json:"name,omitempty"` + Epoch string `xml:"epoch,attr" json:"epoch,omitempty"` + Version string `xml:"version,attr" json:"version,omitempty"` + Release string `xml:"release,attr" json:"release,omitempty"` + Arch string `xml:"arch,attr" json:"arch,omitempty"` + Filename string `xml:"filename" json:"filename,omitempty"` +} + +// Module has modular package information +type Module struct { + Stream string `json:"stream,omitempty"` + Name string `json:"name,omitempty"` + Version int64 `json:"version,omitempty"` + Arch string `json:"arch,omitempty"` + Context string `json:"context,omitempty"` +} + +type options struct { + urls map[string]string + dir string + retry int + releases map[string][]string + repos []string + arches []string +} + +type option func(*options) + +func WithURLs(urls map[string]string) option { + return func(opts *options) { opts.urls = urls } +} + +func WithDir(dir string) option { + return func(opts *options) { opts.dir = dir } +} + +func WithRetry(retry int) option { + return func(opts *options) { opts.retry = retry } +} + +func WithReleases(releases map[string][]string) option { + return func(opts *options) { opts.releases = releases } +} + +func WithRepos(repos []string) option { + return func(opts *options) { opts.repos = repos } +} + +func WithArches(arches []string) option { + return func(opts *options) { opts.arches = arches } +} + +type Config struct { + 
*options +} + +func NewConfig(opts ...option) Config { + o := &options{ + urls: URIForamt, + dir: filepath.Join(utils.VulnListDir(), fedoraDir), + retry: retry, + releases: defaultReleases, + repos: defaultRepos, + arches: defaultArches, + } + for _, opt := range opts { + opt(o) + } + + return Config{ + options: o, + } +} + +func (c Config) Update() error { + for mode, releases := range c.releases { + for _, release := range releases { + if mode == "epel" && release == "7" { + for _, arch := range c.arches { + log.Printf("Fetching Fedora Linux (%s) %s %s data...\n", mode, release, arch) + if err := c.update(mode, release, "", arch); err != nil { + return xerrors.Errorf("failed to update security advisories of Fedora Linux EPEL %s %s: %w", release, arch, err) + } + } + } else { + for _, repo := range c.repos { + for _, arch := range c.arches { + log.Printf("Fetching Fedora Linux (%s) %s %s %s data...\n", mode, release, repo, arch) + if err := c.update(mode, release, repo, arch); err != nil { + return xerrors.Errorf("failed to update security advisories of Fedora Linux EPEL %s %s %s: %w", release, repo, arch, err) + } + } + } + } + } + } + return nil +} + +func (c Config) update(mode, release, repo, arch string) error { + var dirPath string + var baseURL string + if mode == "epel" { + if release == "7" { + dirPath = filepath.Join(c.dir, mode, release, arch) + baseURL = fmt.Sprintf(c.urls["epel7"], release, arch) + } else { + dirPath = filepath.Join(c.dir, mode, release, repo, arch) + baseURL = fmt.Sprintf(c.urls["epel"], release, repo, arch) + } + } else { + dirPath = filepath.Join(c.dir, mode, release, repo, arch) + baseURL = fmt.Sprintf(c.urls["fedora"], release, repo, arch) + } + log.Printf("Remove Fedora Linux (%s) %s %s %s directory %s\n", mode, release, repo, arch, dirPath) + + if err := os.RemoveAll(dirPath); err != nil { + return xerrors.Errorf("failed to remove Fedora Linux (%s) %s %s %s directory: %w", mode, release, repo, arch, err) + } + if err := 
os.MkdirAll(dirPath, os.ModePerm); err != nil { + return xerrors.Errorf("failed to mkdir: %w", err) + } + + vulns, err := fetch(repo, arch, baseURL) + if err != nil { + return xerrors.Errorf("failed to fetch updateinfo: %w", err) + } + + bar := pb.StartNew(len(vulns.FSAList)) + for _, fsa := range vulns.FSAList { + filepath := filepath.Join(dirPath, fmt.Sprintf("%s.json", fsa.ID)) + if err := utils.Write(filepath, fsa); err != nil { + return xerrors.Errorf("failed to write Fedora CVE details: %w", err) + } + bar.Increment() + } + bar.Finish() + + return nil +} + +func fetch(repo, arch, baseURL string) (*UpdateInfo, error) { + if repo == "Modular" { + uinfo, err := fetchUpdateInfoModular(baseURL, arch) + if err != nil { + return nil, xerrors.Errorf("failed to fetch updateinfo for Modular Package: %w", err) + } + return uinfo, nil + } + uinfo, err := fetchUpdateInfoEverything(baseURL, arch) + if err != nil { + return nil, xerrors.Errorf("failed to fetch updateinfo for Everything Package: %w", err) + } + return uinfo, nil +} + +func fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, error) { + u, err := url.Parse(baseURL) + if err != nil { + return nil, xerrors.Errorf("failed to parse repomd URL: %w", err) + } + originalPath := u.Path + u.Path = path.Join(originalPath, "/repodata/repomd.xml") + + updateInfoPath, _, err := fetchRepomdData(u.String()) + if err != nil { + return nil, xerrors.Errorf("failed to fetch updateinfo path from repomd.xml: %w", err) + } + + u.Path = path.Join(originalPath, updateInfoPath) + uinfo, err := fetchUpdateInfo(u.String(), filepath.Ext(updateInfoPath)[1:], arch) + if err != nil { + return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err) + } + + return uinfo, nil +} + +func fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error) { + return &UpdateInfo{}, nil +} + +func fetchRepomdData(repomdURL string) (updateInfoPath, modulesPath string, err error) { + res, err := utils.FetchURL(repomdURL, "", retry) + 
if err != nil { + return "", "", xerrors.Errorf("failed to fetch %s: %w", repomdURL, err) + } + + var repoMd RepoMd + if err := xml.NewDecoder(bytes.NewBuffer(res)).Decode(&repoMd); err != nil { + return "", "", xerrors.Errorf("failed to decode repomd.xml: %w", err) + } + + for _, repo := range repoMd.RepoList { + if repo.Type == "updateinfo" { + updateInfoPath = repo.Location.Href + } else if repo.Type == "modules" { + modulesPath = repo.Location.Href + } + } + if updateInfoPath == "" { + return "", "", xerrors.New("No updateinfo field in the repomd") + } + return updateInfoPath, modulesPath, nil +} + +func fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) { + res, err := utils.FetchURL(url, "", retry) + if err != nil { + return nil, xerrors.Errorf("failed to fetch updateInfo: %w", err) + } + + var r io.Reader + switch compress { + case "xz": + r, err = xz.NewReader(bytes.NewBuffer(res)) + if err != nil { + return nil, xerrors.Errorf("failed to decompress updateInfo: %w", err) + } + case "bz2": + r = bzip2.NewReader(bytes.NewBuffer(res)) + } + + var updateInfo UpdateInfo + if err := xml.NewDecoder(r).Decode(&updateInfo); err != nil { + return nil, err + } + fsaList := []FSA{} + for _, fsa := range updateInfo.FSAList { + if fsa.Type != "security" { + continue + } + + var pkgs []Package + for _, pkg := range fsa.Packages { + if utils.StringInSlice(pkg.Arch, pkgArchFilter[arch]) { + pkgs = append(pkgs, pkg) + } + } + fsa.Packages = pkgs + + var cveIDs []string + for _, ref := range fsa.References { + if strings.Contains(ref.Href, "CVE-") { + cveID, err := fetchCVEIDfromBugzilla(ref.Href) + if err != nil { + return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err) + } + if cveID == "" { + log.Printf("failed to fetch CVE-ID from Bugzilla XML alias elements. 
bugzilla url: %s", ref.Href) + continue + } + cveIDs = append(cveIDs, cveID) + } + } + fsa.CveIDs = cveIDs + + fsaList = append(fsaList, fsa) + } + return &UpdateInfo{FSAList: fsaList}, nil +} + +type Bugzilla struct { + Bug struct { + Alias string `xml:"alias"` + } `xml:"bug"` +} + +func fetchCVEIDfromBugzilla(bugzillaURL string) (string, error) { + u, err := url.Parse(bugzillaURL) + if err != nil { + return "", xerrors.Errorf("failed to parse bugzilla URL: %w", err) + } + q := u.Query() + q.Set("ctype", "xml") + u.RawQuery = q.Encode() + + res, err := utils.FetchURL(u.String(), "", retry) + if err != nil { + return "", xerrors.Errorf("failed to fetch bugzilla xml: %w", err) + } + + var bugzilla Bugzilla + if err := xml.NewDecoder(bytes.NewReader(res)).Decode(&bugzilla); err != nil { + return "", xerrors.Errorf("failed to decode bugzilla xml: %w", err) + } + + return bugzilla.Bug.Alias, nil +} diff --git a/go.mod b/go.mod index ab0fe3f3..950148a8 100644 --- a/go.mod +++ b/go.mod @@ -18,6 +18,7 @@ require ( github.com/simplereach/timeutils v1.2.0 // indirect github.com/spf13/afero v1.8.0 github.com/stretchr/testify v1.7.0 + github.com/ulikunitz/xz v0.5.8 // indirect golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 golang.org/x/vuln v0.0.0-20211215213114-5e054cb3e47e golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 diff --git a/main.go b/main.go index 674c1828..56c23aa0 100644 --- a/main.go +++ b/main.go @@ -21,6 +21,7 @@ import ( arch_linux "github.com/aquasecurity/vuln-list-update/arch" "github.com/aquasecurity/vuln-list-update/cwe" "github.com/aquasecurity/vuln-list-update/debian/tracker" + "github.com/aquasecurity/vuln-list-update/fedora" "github.com/aquasecurity/vuln-list-update/ghsa" "github.com/aquasecurity/vuln-list-update/git" "github.com/aquasecurity/vuln-list-update/glad" 
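Review bot: `fetchUpdateInfo` leaves `r` nil when `compress` is anything other than `xz` or `bz2`, so a repomd whose updateinfo href ends in `.gz`, `.zck` or similar panics inside `xml.NewDecoder(r).Decode` rather than returning an error; add `default: return nil, xerrors.Errorf("unsupported compression format: %s", compress)` to the switch. The caller computes `compress` as `filepath.Ext(updateInfoPath)[1:]`, which also panics with a slice-bounds error when the href has no extension, so check the `Ext` result for emptiness before slicing. repomd.xml normally carries a checksum for each `<data>` entry, but only `type` and `location` are parsed here and the decompressed updateinfo is trusted as-is; since this output feeds vulnerability matching, a `// TODO: verify the repomd <checksum> of updateinfo before decoding` would at least record the gap. Both functions are complete within this hunk.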
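Review bot: `github.com/ulikunitz/xz` is imported directly by `fedora/fedora.go` in this commit yet is added to go.mod with an `// indirect` marker, which `go mod tidy` would rewrite. Drop the comment so the direct dependency is declared as such, and run tidy so go.sum (not part of this patch) pins the module.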
@@ -112,6 +113,12 @@ func run() error { return xerrors.Errorf("Red Hat OVALv2 update error: %w", err) } commitMsg = "Red Hat OVAL v2" + case "fedora": + fc := fedora.NewConfig() + if err := fc.Update(); err != nil { + return xerrors.Errorf("Fedora update error: %w", err) + } + commitMsg = "Fedora Security Advisory" case "debian": dc := tracker.NewClient() if err := dc.Update(); err != nil { From b5bdc4f503c87e3ca7580cf86ab474a687e45dc1 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 17 Jan 2022 08:59:32 +0900 Subject: [PATCH 02/20] feat(fedora): fetch Modular updateinfo --- fedora/fedora.go | 325 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 290 insertions(+), 35 deletions(-) diff --git a/fedora/fedora.go b/fedora/fedora.go index a4876613..36a93c45 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go @@ -1,28 +1,36 @@ package fedora import ( + "bufio" "bytes" "compress/bzip2" + "compress/gzip" "encoding/xml" "fmt" "io" "log" + "net/http" "net/url" "os" "path" "path/filepath" + "regexp" "strings" + "time" "github.com/aquasecurity/vuln-list-update/utils" "github.com/cheggaaa/pb/v3" "github.com/ulikunitz/xz" "golang.org/x/xerrors" + "gopkg.in/yaml.v2" ) const ( - retry = 3 - - fedoraDir = "fedora" + concurrency = 10 + wait = 1 + retry = 3 + fedoraDir = "fedora" + dateFormat = "2006-01-02 15:04:05" ) var ( @@ -43,6 +51,9 @@ var ( "x86_64": {"noarch", "x86_64", "i686"}, "aarch64": {"noarch", "aarch64"}, } + + cveIDPattern = regexp.MustCompile(`(CVE-\d{4}-\d{4,})`) + bugzillaURL = "https://bugzilla.redhat.com/show_bug.cgi?ctype=xml&id=%s" ) // RepoMd has repomd data 
@@ -224,13 +235,29 @@ func (c Config) update(mode, release, repo, arch string) error { return xerrors.Errorf("failed to fetch updateinfo: %w", err) } - bar := pb.StartNew(len(vulns.FSAList)) + fsalistByYear := map[string][]FSA{} for _, fsa := range vulns.FSAList { - filepath := filepath.Join(dirPath, fmt.Sprintf("%s.json", fsa.ID)) - if err := utils.Write(filepath, fsa); err != nil { - return xerrors.Errorf("failed to write Fedora CVE details: %w", err) + t, err := time.Parse(dateFormat, fsa.Issued.Date) + if err != nil { + return xerrors.Errorf("failed to parse issued date: %w", err) + } + y := fmt.Sprintf("%d", t.Year()) + fsalistByYear[y] = append(fsalistByYear[y], fsa) + } + + log.Printf("Write Fedora Linux (%s) %s %s %s Errata \n", mode, release, repo, arch) + bar := pb.StartNew(len(vulns.FSAList)) + for year, fsalist := range fsalistByYear { + if err := os.Mkdir(filepath.Join(dirPath, year), os.ModePerm); err != nil { + return xerrors.Errorf("failed to mkdir: %w", err) + } + for _, fsa := range fsalist { + filepath := filepath.Join(dirPath, year, fmt.Sprintf("%s.json", fsa.ID)) + if err := utils.Write(filepath, fsa); err != nil { + return xerrors.Errorf("failed to write Fedora CVE details: %w", err) + } + bar.Increment() } - bar.Increment() } bar.Finish() @@ -255,7 +282,7 @@ func fetch(repo, arch, baseURL string) (*UpdateInfo, error) { func fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, error) { u, err := url.Parse(baseURL) if err != nil { - return nil, xerrors.Errorf("failed to parse repomd URL: %w", err) + return nil, xerrors.Errorf("failed to parse baseURL: %w", err) } originalPath := u.Path u.Path = path.Join(originalPath, "/repodata/repomd.xml") 
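Review bot: `fsa.ID` from the remote updateinfo XML is used unsanitized as the output file name in `filepath.Join(dirPath, year, fmt.Sprintf("%s.json", fsa.ID))`, so an empty ID produces a bare `.json` file and an ID containing a path separator or `..` would write outside the per-year directory; reject such values before writing, e.g. `if fsa.ID == "" || fsa.ID != filepath.Base(fsa.ID) { return xerrors.Errorf("invalid advisory ID: %q", fsa.ID) }`. The new `time.Parse(dateFormat, fsa.Issued.Date)` also aborts the whole release/arch run on a single advisory with a missing or unexpectedly formatted `issued` date, and `update` has already removed `dirPath` at that point, so consider logging and skipping that advisory instead of returning. `update` begins before this hunk.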
@@ -275,7 +302,43 @@ func fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, error) { } func fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error) { - return &UpdateInfo{}, nil + u, err := url.Parse(baseURL) + if err != nil { + return nil, xerrors.Errorf("failed to parse baseURL: %w", err) + } + + resp, err := http.Get(u.String()) + if err != nil { + return nil, xerrors.Errorf("failed to get request modular page: %w", err) + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + return &UpdateInfo{FSAList: []FSA{}}, nil + } + + originalPath := u.Path + u.Path = path.Join(originalPath, "/repodata/repomd.xml") + + updateInfoPath, modulesPath, err := fetchRepomdData(u.String()) + if err != nil { + return nil, xerrors.Errorf("failed to fetch updateinfo, modules path from repomd.xml: %w", err) + } + + u.Path = path.Join(originalPath, modulesPath) + modules, err := fetchModules(u.String()) + if err != nil { + return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err) + } + + u.Path = path.Join(originalPath, updateInfoPath) + uinfo, err := fetchUpdateInfo(u.String(), filepath.Ext(updateInfoPath)[1:], arch) + if err != nil { + return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err) + } + + extractModulesToUpdateInfo(uinfo, modules) + + return uinfo, nil } func fetchRepomdData(repomdURL string) (updateInfoPath, modulesPath string, err error) { @@ -321,7 +384,7 @@ func fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) { var updateInfo UpdateInfo if err := xml.NewDecoder(r).Decode(&updateInfo); err != nil { - return nil, err + return nil, xerrors.Errorf("failed to decode updateinfo: %w", err) } fsaList := []FSA{} for _, fsa := range updateInfo.FSAList { 
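Review bot: the probe in `fetchUpdateInfoModular` maps every non-200 status to "no Modular repo" and returns an empty list, but `update` has already run `os.RemoveAll(dirPath)` before calling into `fetch`, so a transient 5xx from the mirror silently wipes the previously stored Modular advisories for that release/arch; only a 404 should yield the empty result (`if resp.StatusCode == http.StatusNotFound { return &UpdateInfo{FSAList: []FSA{}}, nil }`) and any other non-200 status should be returned as an error. `http.Get` also uses the default client with no timeout and bypasses the retry that `utils.FetchURL` applies everywhere else in this file, so the probe can hang indefinitely; use a client with a `Timeout` or route the probe through the same helper. The body is closed but never read, which defeats connection reuse for the repomd fetch that follows; drain it with `io.Copy(io.Discard, resp.Body)` before returning. The function is complete within this hunk.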
@@ -337,51 +400,243 @@ func fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) { } fsa.Packages = pkgs - var cveIDs []string - for _, ref := range fsa.References { - if strings.Contains(ref.Href, "CVE-") { - cveID, err := fetchCVEIDfromBugzilla(ref.Href) - if err != nil { - return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err) + cveIDs, err := fetchCVEIDs(fsa) + if err != nil { + return nil, xerrors.Errorf("failed to fetch CVE-IDs: %w", err) + } + fsa.CveIDs = cveIDs + + fsaList = append(fsaList, fsa) + } + return &UpdateInfo{FSAList: fsaList}, nil +} + +func fetchCVEIDs(fsa FSA) ([]string, error) { + cveIDMap := map[string]struct{}{} + for _, ref := range fsa.References { + if strings.Contains(ref.Title, "CVE-") { + if strings.Contains(ref.Title, "various flaws") { + if strings.Contains(ref.Title, "...") { + cveIDs, err := fetchCVEIDsfromBugzilla(ref.ID) + if err != nil { + return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err) + } + if len(cveIDs) == 0 { + log.Printf("failed to fetch CVE-ID from Bugzilla XML alias elements. bugzilla url: %s\n", ref.Href) + continue + } + for _, cveID := range cveIDs { + cveIDMap[cveID] = struct{}{} + } + } else { + cveIDs := cveIDPattern.FindAllString(ref.Title, -1) + if len(cveIDs) == 0 { + log.Printf("failed to fetch CVE-ID from Reference Title. bugzilla ID: %s, title: %s\n", ref.ID, ref.Title) + continue + } + for _, cveID := range cveIDs { + cveIDMap[cveID] = struct{}{} + } } + } else { + cveID := cveIDPattern.FindString(ref.Title) if cveID == "" { - log.Printf("failed to fetch CVE-ID from Bugzilla XML alias elements. bugzilla url: %s", ref.Href) + log.Printf("failed to fetch CVE-ID from Reference Title. 
bugzilla ID: %s, title: %s\n", ref.ID, ref.Title) continue } - cveIDs = append(cveIDs, cveID) + cveIDMap[cveID] = struct{}{} } } - fsa.CveIDs = cveIDs + } + if len(cveIDMap) == 0 { + cveIDs := cveIDPattern.FindAllString(fsa.Description, -1) + if len(cveIDs) == 0 { + // log.Printf("failed to get CVE-ID from Description. errata(%s) does not contain the CVEID.\n", fsa.ID) + return []string{}, nil + } + for _, cveID := range cveIDs { + cveIDMap[cveID] = struct{}{} + } + } - fsaList = append(fsaList, fsa) + cveIDs := []string{} + for cveID := range cveIDMap { + cveIDs = append(cveIDs, cveID) } - return &UpdateInfo{FSAList: fsaList}, nil + return cveIDs, nil } type Bugzilla struct { Bug struct { - Alias string `xml:"alias"` + Alias string `xml:"alias"` + Blocked []string `xml:"blocked"` } `xml:"bug"` } -func fetchCVEIDfromBugzilla(bugzillaURL string) (string, error) { - u, err := url.Parse(bugzillaURL) +func fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) { + log.Printf("Fetching CVE-IDs using Bugzilla API. 
Root Bugzilla ID: %s\n", bugzillaID) + + url := fmt.Sprintf(bugzillaURL, bugzillaID) + res, err := utils.FetchURL(url, "", retry) + if err != nil { + return nil, xerrors.Errorf("failed to fetch bugzilla xml: %w", err) + } + + var root Bugzilla + if err := xml.NewDecoder(bytes.NewReader(res)).Decode(&root); err != nil { + return nil, xerrors.Errorf("failed to decode bugzilla xml: %w", err) + } + + if root.Bug.Alias != "" { + return []string{root.Bug.Alias}, nil + } + + urls := []string{} + for _, blocked := range root.Bug.Blocked { + urls = append(urls, fmt.Sprintf(bugzillaURL, blocked)) + } + xmlBytes, err := utils.FetchConcurrently(urls, concurrency, wait, retry) + if err != nil { + return nil, xerrors.Errorf("failed to fetch bugzilla xml: %w", err) + } + + cveIDs := []string{} + for _, xmlByte := range xmlBytes { + var b Bugzilla + if err := xml.NewDecoder(bytes.NewReader(xmlByte)).Decode(&b); err != nil { + return nil, xerrors.Errorf("failed to decode bugzilla xml: %w", err) + } + if b.Bug.Alias != "" { + cveIDs = append(cveIDs, b.Bug.Alias) + } + } + + return cveIDs, nil +} + +func fetchModules(url string) (map[string]ModuleInfo, error) { + res, err := utils.FetchURL(url, "", retry) if err != nil { - return "", xerrors.Errorf("failed to parse bugzilla URL: %w", err) + return nil, xerrors.Errorf("failed to fetch modules: %w", err) } - q := u.Query() - q.Set("ctype", "xml") - u.RawQuery = q.Encode() - res, err := utils.FetchURL(u.String(), "", retry) + r, err := gzip.NewReader(bytes.NewBuffer(res)) if err != nil { - return "", xerrors.Errorf("failed to fetch bugzilla xml: %w", err) + return nil, xerrors.Errorf("failed to decompress modules: %w", err) } - var bugzilla Bugzilla - if err := xml.NewDecoder(bytes.NewReader(res)).Decode(&bugzilla); err != nil { - return "", xerrors.Errorf("failed to decode bugzilla xml: %w", err) + modules := map[string]ModuleInfo{} + scanner := bufio.NewScanner(r) + var contents []string + for scanner.Scan() { + str := scanner.Text() 
+ switch str { + case "---": + { + contents = []string{} + } + case "...": + { + var module ModuleInfo + err := yaml.NewDecoder(strings.NewReader(strings.Join(contents, "\n"))).Decode(&module) + if _, ok := err.(*yaml.TypeError); err != nil && !ok { + return nil, xerrors.Errorf("failed to decode module info: %w", err) + } + modules[module.ConvertToUpdateInfoTitle()] = module + } + default: + { + contents = append(contents, str) + } + } + } + + return modules, nil +} + +type ModuleInfo struct { + Data struct { + Name string `yaml:"name"` + Stream string `yaml:"stream"` + Version int64 `yaml:"version"` + Context string `yaml:"context"` + Arch string `yaml:"arch"` + Artifacts struct { + Rpms []string `yaml:"rpms"` + } `yaml:"artifacts"` + } `yaml:"data"` +} + +func (m ModuleInfo) ConvertToUpdateInfoTitle() string { + return fmt.Sprintf("%s-%s-%d.%s", m.Data.Name, m.Data.Stream, m.Data.Version, m.Data.Context) +} + +func extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string]ModuleInfo) error { + for i, fsa := range uinfo.FSAList { + m, ok := modules[fsa.Title] + if !ok { + log.Printf("failed to get module info. 
title: %s\n", fsa.Title) + continue + } + + uinfo.FSAList[i].Module = Module{ + Stream: m.Data.Stream, + Name: m.Data.Name, + Version: m.Data.Version, + Arch: m.Data.Arch, + Context: m.Data.Context, + } + + pkgs := []Package{} + for _, filename := range m.Data.Artifacts.Rpms { + name, ver, rel, epoch, arch, err := splitFileName(filename) + if err != nil { + return xerrors.Errorf("failed to split rpm filename: %w", err) + } + pkgs = append(pkgs, Package{ + Name: name, + Epoch: epoch, + Version: ver, + Release: rel, + Arch: arch, + Filename: fmt.Sprintf("%s.rpm", filename), + }) + } + uinfo.FSAList[i].Packages = pkgs + } + return nil +} + +// splitFileName returns a name, version, release, epoch, arch +func splitFileName(filename string) (name, ver, rel, epoch, arch string, err error) { + filename = strings.TrimSuffix(filename, ".rpm") + + archIndex := strings.LastIndex(filename, ".") + if archIndex == -1 { + return "", "", "", "", "", xerrors.Errorf("failed to parse arch from filename: %s", filename) + } + arch = filename[archIndex+1:] + + relIndex := strings.LastIndex(filename[:archIndex], "-") + if relIndex == -1 { + return "", "", "", "", "", xerrors.Errorf("failed to parse release from filename: %s", filename) + } + rel = filename[relIndex+1 : archIndex] + + verIndex := strings.LastIndex(filename[:relIndex], "-") + if verIndex == -1 { + return "", "", "", "", "", xerrors.Errorf("failed to parse version from filename: %s", filename) + } + ver = filename[verIndex+1 : relIndex] + + epochIndex := strings.Index(ver, ":") + if epochIndex == -1 { + epoch = "0" + } else { + epoch = ver[:epochIndex] + ver = ver[epochIndex+1:] } - return bugzilla.Bug.Alias, nil + name = filename[:verIndex] + return name, ver, rel, epoch, arch, nil } From d791b387d80468890a8ed62c803d2243c02548e3 Mon Sep 17 00:00:00 2001 
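Review bot: `fetchCVEIDsfromBugzilla` interpolates `bugzillaID` (taken from `ref.ID` in the remote XML) straight into the query string via `fmt.Sprintf(bugzillaURL, bugzillaID)` and then accepts whatever `<alias>` Bugzilla returns as a CVE identifier; neither value is validated, so a non-numeric ID can alter the query and a non-CVE alias ends up in the published `cveids` array. Escape with `url.QueryEscape(bugzillaID)` and keep an alias only when `cveIDPattern.MatchString(alias)` holds, in both the root case and the `blocked` loop. `fetchCVEIDs` builds its result by ranging over `cveIDMap`, so the JSON written for an advisory reorders between runs and yields spurious diffs in the committed data; sort before returning (`sort.Strings(cveIDs)`, which needs a `sort` import). `fetchModules` never checks `scanner.Err()` after the loop, so a truncated download or a line over the default 64 KiB `bufio.Scanner` limit is silently treated as a complete modules file. This hunk starts part-way through `fetchUpdateInfo`.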
From: MaineK00n Date: Mon, 17 Jan 2022 09:21:52 +0900 Subject: [PATCH 03/20] fix(fedora): fix lint err --- fedora/fedora.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fedora/fedora.go b/fedora/fedora.go index 36a93c45..68e93053 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go @@ -336,7 +336,9 @@ func fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error) { return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err) } - extractModulesToUpdateInfo(uinfo, modules) + if err := extractModulesToUpdateInfo(uinfo, modules); err != nil { + return nil, xerrors.Errorf("failed to extract modules to updateinfo: %w", err) + } return uinfo, nil } From 00cdffccf9394aad827a0ec8de060160231ffa55 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 17 Jan 2022 12:54:23 +0900 Subject: [PATCH 04/20] refactor(fedora): change fetchCVEIDs --- fedora/fedora.go | 46 +++++++++++++++++++++------------------------- 1 file changed, 21 insertions(+), 25 deletions(-) diff --git a/fedora/fedora.go b/fedora/fedora.go index 68e93053..2dcf27d3 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go 
@@ -417,36 +417,32 @@ func fetchCVEIDs(fsa FSA) ([]string, error) { cveIDMap := map[string]struct{}{} for _, ref := range fsa.References { if strings.Contains(ref.Title, "CVE-") { - if strings.Contains(ref.Title, "various flaws") { - if strings.Contains(ref.Title, "...") { - cveIDs, err := fetchCVEIDsfromBugzilla(ref.ID) + if strings.Contains(ref.Title, "various flaws") && strings.Contains(ref.Title, "...") { + cveIDs, err := fetchCVEIDsfromBugzilla(ref.ID) + if err != nil { + return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err) + } + if len(cveIDs) == 0 { + log.Printf("failed to fetch CVE-ID from Bugzilla XML alias elements. bugzilla url: %s\n", ref.Href) + continue + } + for _, cveID := range cveIDs { + cveIDMap[cveID] = struct{}{} + } + } else { + cveIDs := cveIDPattern.FindAllString(ref.Title, -1) + if strings.Count(ref.Title, "CVE-") != len(cveIDs) { + log.Printf("failed to fetch CVE-ID from Reference Title. bugzilla ID: %s, title: %s\n", ref.ID, ref.Title) + log.Println("Retry to get CVE-ID using Bugzilla API.") + var err error + cveIDs, err = fetchCVEIDsfromBugzilla(ref.ID) if err != nil { return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err) } - if len(cveIDs) == 0 { - log.Printf("failed to fetch CVE-ID from Bugzilla XML alias elements. bugzilla url: %s\n", ref.Href) - continue - } - for _, cveID := range cveIDs { - cveIDMap[cveID] = struct{}{} - } - } else { - cveIDs := cveIDPattern.FindAllString(ref.Title, -1) - if len(cveIDs) == 0 { - log.Printf("failed to fetch CVE-ID from Reference Title. bugzilla ID: %s, title: %s\n", ref.ID, ref.Title) - continue - } - for _, cveID := range cveIDs { - cveIDMap[cveID] = struct{}{} - } } - } else { - cveID := cveIDPattern.FindString(ref.Title) - if cveID == "" { - log.Printf("failed to fetch CVE-ID from Reference Title. 
bugzilla ID: %s, title: %s\n", ref.ID, ref.Title) - continue + for _, cveID := range cveIDs { + cveIDMap[cveID] = struct{}{} } - cveIDMap[cveID] = struct{}{} } } } From 8d6bc6c5cd3c7f464115b3dcbecd363d435354c0 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 17 Jan 2022 13:01:57 +0900 Subject: [PATCH 05/20] refactor(fedora): allow to change concurrency, wait, and retry --- fedora/fedora.go | 94 +++++++++++++++++++++++++++--------------------- 1 file changed, 53 insertions(+), 41 deletions(-) diff --git a/fedora/fedora.go b/fedora/fedora.go index 2dcf27d3..510c13d3 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go @@ -26,11 +26,11 @@ import ( ) const ( - concurrency = 10 - wait = 1 - retry = 3 - fedoraDir = "fedora" - dateFormat = "2006-01-02 15:04:05" + defaultConcurrency = 10 + defaultWait = 1 + defaultRetry = 3 + fedoraDir = "fedora" + dateFormat = "2006-01-02 15:04:05" ) var ( @@ -125,12 +125,14 @@ type Module struct { } type options struct { - urls map[string]string - dir string - retry int - releases map[string][]string - repos []string - arches []string + urls map[string]string + dir string + concurrency int + wait int + retry int + releases map[string][]string + repos []string + arches []string } type option func(*options) @@ -143,6 +145,14 @@ func WithDir(dir string) option { return func(opts *options) { opts.dir = dir } } +func WithConcurrency(concurrency int) option { + return func(opts *options) { opts.concurrency = concurrency } +} + +func WithWait(wait int) option { + return func(opts *options) { opts.wait = wait } +} + func WithRetry(retry int) option { return func(opts *options) { opts.retry = retry } } 
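Review bot: in the new `else` branch, when the Bugzilla fallback returns no IDs the advisory silently loses every CVE mentioned in that title, whereas the `various flaws` branch above logs that condition; add `if len(cveIDs) == 0 { log.Printf("no CVE-ID found via Bugzilla for reference %s", ref.ID); continue }` after the fallback too. The trigger `strings.Count(ref.Title, "CVE-") != len(cveIDs)` also fires on any title with a partial or malformed CVE string, costing a network round-trip per such reference; that seems an acceptable trade-off but deserves a one-line comment explaining why the count mismatch is used as the signal. `fetchCVEIDs` starts before this hunk and continues after it.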
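Review bot: the new `WithConcurrency` and `WithWait` options have no doc comments and accept any int, including zero or negative, with no validation; since these values are passed to the concurrent Bugzilla fetcher, a caller cannot tell from the API what `wait` means. Add comments such as `// WithConcurrency sets the number of parallel Bugzilla requests.` and `// WithWait sets the pause between concurrent requests (unit as expected by utils.FetchConcurrently — presumably seconds, confirm).`, and consider clamping non-positive values to the defaults.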
@@ -165,12 +175,14 @@ type Config struct { func NewConfig(opts ...option) Config { o := &options{ - urls: URIForamt, - dir: filepath.Join(utils.VulnListDir(), fedoraDir), - retry: retry, - releases: defaultReleases, - repos: defaultRepos, - arches: defaultArches, + urls: URIForamt, + dir: filepath.Join(utils.VulnListDir(), fedoraDir), + concurrency: defaultConcurrency, + wait: defaultWait, + retry: defaultRetry, + releases: defaultReleases, + repos: defaultRepos, + arches: defaultArches, } for _, opt := range opts { opt(o) @@ -230,7 +242,7 @@ func (c Config) update(mode, release, repo, arch string) error { return xerrors.Errorf("failed to mkdir: %w", err) } - vulns, err := fetch(repo, arch, baseURL) + vulns, err := c.fetch(repo, arch, baseURL) if err != nil { return xerrors.Errorf("failed to fetch updateinfo: %w", err) } @@ -264,22 +276,22 @@ func (c Config) update(mode, release, repo, arch string) error { return nil } -func fetch(repo, arch, baseURL string) (*UpdateInfo, error) { +func (c Config) fetch(repo, arch, baseURL string) (*UpdateInfo, error) { if repo == "Modular" { - uinfo, err := fetchUpdateInfoModular(baseURL, arch) + uinfo, err := c.fetchUpdateInfoModular(baseURL, arch) if err != nil { return nil, xerrors.Errorf("failed to fetch updateinfo for Modular Package: %w", err) } return uinfo, nil } - uinfo, err := fetchUpdateInfoEverything(baseURL, arch) + uinfo, err := c.fetchUpdateInfoEverything(baseURL, arch) if err != nil { return nil, xerrors.Errorf("failed to fetch updateinfo for Everything Package: %w", err) } return uinfo, nil } -func fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, error) { +func (c Config) fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, error) { u, err := url.Parse(baseURL) if err != nil { return nil, xerrors.Errorf("failed to parse baseURL: %w", err) 
@@ -287,13 +299,13 @@ func fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, error) { originalPath := u.Path u.Path = path.Join(originalPath, "/repodata/repomd.xml") - updateInfoPath, _, err := fetchRepomdData(u.String()) + updateInfoPath, _, err := c.fetchRepomdData(u.String()) if err != nil { return nil, xerrors.Errorf("failed to fetch updateinfo path from repomd.xml: %w", err) } u.Path = path.Join(originalPath, updateInfoPath) - uinfo, err := fetchUpdateInfo(u.String(), filepath.Ext(updateInfoPath)[1:], arch) + uinfo, err := c.fetchUpdateInfo(u.String(), filepath.Ext(updateInfoPath)[1:], arch) if err != nil { return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err) } @@ -301,7 +313,7 @@ func fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, error) { return uinfo, nil } -func fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error) { +func (c Config) fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error) { u, err := url.Parse(baseURL) if err != nil { return nil, xerrors.Errorf("failed to parse baseURL: %w", err) 
@@ -319,19 +331,19 @@ func fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error) {
 originalPath := u.Path
 u.Path = path.Join(originalPath, "/repodata/repomd.xml")
- updateInfoPath, modulesPath, err := fetchRepomdData(u.String())
+ updateInfoPath, modulesPath, err := c.fetchRepomdData(u.String())
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateinfo, modules path from repomd.xml: %w", err)
 }
 u.Path = path.Join(originalPath, modulesPath)
- modules, err := fetchModules(u.String())
+ modules, err := c.fetchModules(u.String())
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err)
 }
 u.Path = path.Join(originalPath, updateInfoPath)
- uinfo, err := fetchUpdateInfo(u.String(), filepath.Ext(updateInfoPath)[1:], arch)
+ uinfo, err := c.fetchUpdateInfo(u.String(), filepath.Ext(updateInfoPath)[1:], arch)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err)
 }
@@ -343,8 +355,8 @@ func fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error) {
 return uinfo, nil
 }
-func fetchRepomdData(repomdURL string) (updateInfoPath, modulesPath string, err error) {
- res, err := utils.FetchURL(repomdURL, "", retry)
+func (c Config) fetchRepomdData(repomdURL string) (updateInfoPath, modulesPath string, err error) {
+ res, err := utils.FetchURL(repomdURL, "", c.retry)
 if err != nil {
 return "", "", xerrors.Errorf("failed to fetch %s: %w", repomdURL, err)
 }
@@ -367,8 +379,8 @@ func fetchRepomdData(repomdURL string) (updateInfoPath, modulesPath string, err
 return updateInfoPath, modulesPath, nil
 }
-func fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) {
- res, err := utils.FetchURL(url, "", retry)
+func (c Config) fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) {
+ res, err := utils.FetchURL(url, "", c.retry)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateInfo: %w", err)
 }
@@ -402,7 +414,7 @@ func fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) {
 }
 fsa.Packages = pkgs
- cveIDs, err := fetchCVEIDs(fsa)
+ cveIDs, err := c.fetchCVEIDs(fsa)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch CVE-IDs: %w", err)
 }
@@ -413,12 +425,12 @@ func fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) {
 return &UpdateInfo{FSAList: fsaList}, nil
 }
-func fetchCVEIDs(fsa FSA) ([]string, error) {
+func (c Config) fetchCVEIDs(fsa FSA) ([]string, error) {
 cveIDMap := map[string]struct{}{}
 for _, ref := range fsa.References {
 if strings.Contains(ref.Title, "CVE-") {
 if strings.Contains(ref.Title, "various flaws") && strings.Contains(ref.Title, "...") {
- cveIDs, err := fetchCVEIDsfromBugzilla(ref.ID)
+ cveIDs, err := c.fetchCVEIDsfromBugzilla(ref.ID)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err)
 }
@@ -435,7 +447,7 @@ func fetchCVEIDs(fsa FSA) ([]string, error) {
 log.Printf("failed to fetch CVE-ID from Reference Title. bugzilla ID: %s, title: %s\n", ref.ID, ref.Title)
 log.Println("Retry to get CVE-ID using Bugzilla API.")
 var err error
- cveIDs, err = fetchCVEIDsfromBugzilla(ref.ID)
+ cveIDs, err = c.fetchCVEIDsfromBugzilla(ref.ID)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err)
 }
@@ -471,11 +483,11 @@ type Bugzilla struct {
 } `xml:"bug"`
 }
-func fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) {
+func (c Config) fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) {
 log.Printf("Fetching CVE-IDs using Bugzilla API. Root Bugzilla ID: %s\n", bugzillaID)
 url := fmt.Sprintf(bugzillaURL, bugzillaID)
- res, err := utils.FetchURL(url, "", retry)
+ res, err := utils.FetchURL(url, "", c.retry)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch bugzilla xml: %w", err)
 }
@@ -493,7 +505,7 @@ func fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) { for _, blocked := range root.Bug.Blocked { urls = append(urls, fmt.Sprintf(bugzillaURL, blocked)) } - xmlBytes, err := utils.FetchConcurrently(urls, concurrency, wait, retry) + xmlBytes, err := utils.FetchConcurrently(urls, c.concurrency, c.wait, c.retry) if err != nil { return nil, xerrors.Errorf("failed to fetch bugzilla xml: %w", err) } @@ -512,8 +524,8 @@ func fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) { return cveIDs, nil } -func fetchModules(url string) (map[string]ModuleInfo, error) { - res, err := utils.FetchURL(url, "", retry) +func (c Config) fetchModules(url string) (map[string]ModuleInfo, error) { + res, err := utils.FetchURL(url, "", c.retry) if err != nil { return nil, xerrors.Errorf("failed to fetch modules: %w", err) } From d2f88c48b62b2aa7c3d6bb371dd8dccf2a0e0405 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 17 Jan 2022 13:22:49 +0900 Subject: [PATCH 06/20] fix(fedora): fix filename --- fedora/fedora.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fedora/fedora.go b/fedora/fedora.go index 510c13d3..30d67e62 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go @@ -609,7 +609,7 @@ func extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string]ModuleInfo Version: ver, Release: rel, Arch: arch, - Filename: fmt.Sprintf("%s.rpm", filename), + Filename: fmt.Sprintf("%s-%s-%s.%s.rpm", name, ver, rel, arch), }) } uinfo.FSAList[i].Packages = pkgs From 1fd637a45599a702f0e4058f8b022fc1c222e104 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Tue, 18 Jan 2022 17:20:13 +0900 Subject: [PATCH 07/20] fix(fedora): do not register if module.version is not 2 --- fedora/fedora.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/fedora/fedora.go b/fedora/fedora.go index 30d67e62..e4e803b9 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go 
@@ -548,11 +548,12 @@ func (c Config) fetchModules(url string) (map[string]ModuleInfo, error) { case "...": { var module ModuleInfo - err := yaml.NewDecoder(strings.NewReader(strings.Join(contents, "\n"))).Decode(&module) - if _, ok := err.(*yaml.TypeError); err != nil && !ok { + if err := yaml.NewDecoder(strings.NewReader(strings.Join(contents, "\n"))).Decode(&module); err != nil { return nil, xerrors.Errorf("failed to decode module info: %w", err) } - modules[module.ConvertToUpdateInfoTitle()] = module + if module.Version == 2 { + modules[module.ConvertToUpdateInfoTitle()] = module + } } default: { @@ -565,7 +566,8 @@ func (c Config) fetchModules(url string) (map[string]ModuleInfo, error) { } type ModuleInfo struct { - Data struct { + Version int `yaml:"version"` + Data struct { Name string `yaml:"name"` Stream string `yaml:"stream"` Version int64 `yaml:"version"` From 4615767e1a96149ef2f1c74ee35efb47d23d0818 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Tue, 18 Jan 2022 23:06:35 +0900 Subject: [PATCH 08/20] chore(fedora): add fedora in workflow/update --- .github/workflows/update.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml index 09719415..c7ed8052 100644 --- a/.github/workflows/update.yml +++ b/.github/workflows/update.yml @@ -95,6 +95,10 @@ jobs: name: Rocky Linux Security Advisory run: ./vuln-list-update -target rocky + - if: always() + name: Fedora Security Advisory + run: ./vuln-list-update -target fedora + - if: always() name: CBL-Mariner Vulnerability Data run: ./vuln-list-update -target mariner From 5de58a9d5bd34cf618afd0b1c1389177aed1a438 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Wed, 19 Jan 2022 14:54:36 +0900 Subject: [PATCH 09/20] feat(fedora): add source package info --- fedora/fedora.go | 1 + 1 file changed, 1 insertion(+) diff --git a/fedora/fedora.go b/fedora/fedora.go index e4e803b9..259095a8 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go 
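Review bot: The rewritten decode in `fetchModules` no longer tolerates `*yaml.TypeError`, so any document in the modulemd stream that does not fit `ModuleInfo` now aborts the whole fetch, while the new `if module.Version == 2` filter drops every other document silently; together that means a schema mismatch either kills the run or vanishes without a trace. If the intent is to keep only v2 modulemd documents, log what is skipped, e.g. `log.Printf("skipping modulemd document with version %d", module.Version)`, so a future format change is visible in the output. Whether the stream can contain non-v2 documents is not visible from this hunk and is worth confirming before relying on the strict decode. `fetchModules` starts and ends outside this hunk.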
@@ -112,6 +112,7 @@ type Package struct { Version string `xml:"version,attr" json:"version,omitempty"` Release string `xml:"release,attr" json:"release,omitempty"` Arch string `xml:"arch,attr" json:"arch,omitempty"` + Src string `xml:"src,attr" json:"src,omitempty"` Filename string `xml:"filename" json:"filename,omitempty"` } From c158bd21bf693d0cbca5ddf6070162854961a66d Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Fri, 21 Jan 2022 16:12:38 +0900 Subject: [PATCH 10/20] feat(fedora): change the way to get moduleinfo --- fedora/fedora.go | 110 +++++++++++++++++++++++++++++------------------ 1 file changed, 68 insertions(+), 42 deletions(-) diff --git a/fedora/fedora.go b/fedora/fedora.go index 259095a8..3d5c6c09 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go @@ -4,7 +4,6 @@ import ( "bufio" "bytes" "compress/bzip2" - "compress/gzip" "encoding/xml" "fmt" "io" @@ -15,6 +14,7 @@ import ( "path" "path/filepath" "regexp" + "strconv" "strings" "time" @@ -54,6 +54,7 @@ var ( cveIDPattern = regexp.MustCompile(`(CVE-\d{4}-\d{4,})`) bugzillaURL = "https://bugzilla.redhat.com/show_bug.cgi?ctype=xml&id=%s" + moduleURL = "https://kojipkgs.fedoraproject.org//packages/%s/%s/%d.%s/files/module/modulemd.%s.txt" ) // RepoMd has repomd data @@ -300,7 +301,7 @@ func (c Config) fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, er originalPath := u.Path u.Path = path.Join(originalPath, "/repodata/repomd.xml") - updateInfoPath, _, err := c.fetchRepomdData(u.String()) + updateInfoPath, err := c.fetchRepomdData(u.String()) if err != nil { return nil, xerrors.Errorf("failed to fetch updateinfo path from repomd.xml: %w", err) } 
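Review bot: The new `moduleURL` template carries a doubled slash after the host (`kojipkgs.fedoraproject.org//packages/...`); servers usually collapse it, but it makes every outbound request URL look malformed in logs and proxies and is easy to fix in place: `moduleURL = "https://kojipkgs.fedoraproject.org/packages/%s/%s/%d.%s/files/module/modulemd.%s.txt"`. Both `bugzillaURL` and `moduleURL` are plain `var`s although nothing reassigns them in the visible hunks; a `const` block would make that explicit.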
@@ -332,19 +333,18 @@ func (c Config) fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error
 originalPath := u.Path
 u.Path = path.Join(originalPath, "/repodata/repomd.xml")
- updateInfoPath, modulesPath, err := c.fetchRepomdData(u.String())
+ updateInfoPath, err := c.fetchRepomdData(u.String())
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateinfo, modules path from repomd.xml: %w", err)
 }
- u.Path = path.Join(originalPath, modulesPath)
- modules, err := c.fetchModules(u.String())
+ u.Path = path.Join(originalPath, updateInfoPath)
+ uinfo, err := c.fetchUpdateInfo(u.String(), filepath.Ext(updateInfoPath)[1:], arch)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err)
 }
- u.Path = path.Join(originalPath, updateInfoPath)
- uinfo, err := c.fetchUpdateInfo(u.String(), filepath.Ext(updateInfoPath)[1:], arch)
+ modules, err := c.fetchModules(uinfo, arch)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err)
 }
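Review bot: The error wrapping the new `c.fetchModules(uinfo, arch)` call reuses the message `failed to fetch updateinfo data`, identical to the one for `c.fetchUpdateInfo` just above, so a failure while fetching modulemd from the build system is indistinguishable in logs from a failure fetching updateinfo itself; `return nil, xerrors.Errorf("failed to fetch moduleinfo: %w", err)`. The message on the `fetchRepomdData` error still says `updateinfo, modules path` although only the updateinfo path is returned now. `fetchUpdateInfoModular` begins and ends outside this hunk.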
@@ -356,28 +356,27 @@ func (c Config) fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error
 return uinfo, nil
 }
-func (c Config) fetchRepomdData(repomdURL string) (updateInfoPath, modulesPath string, err error) {
+func (c Config) fetchRepomdData(repomdURL string) (updateInfoPath string, err error) {
 res, err := utils.FetchURL(repomdURL, "", c.retry)
 if err != nil {
- return "", "", xerrors.Errorf("failed to fetch %s: %w", repomdURL, err)
+ return "", xerrors.Errorf("failed to fetch %s: %w", repomdURL, err)
 }
 var repoMd RepoMd
 if err := xml.NewDecoder(bytes.NewBuffer(res)).Decode(&repoMd); err != nil {
- return "", "", xerrors.Errorf("failed to decode repomd.xml: %w", err)
+ return "", xerrors.Errorf("failed to decode repomd.xml: %w", err)
 }
 for _, repo := range repoMd.RepoList {
 if repo.Type == "updateinfo" {
 updateInfoPath = repo.Location.Href
- } else if repo.Type == "modules" {
- modulesPath = repo.Location.Href
+ break
 }
 }
 if updateInfoPath == "" {
- return "", "", xerrors.New("No updateinfo field in the repomd")
+ return "", xerrors.New("No updateinfo field in the repomd")
 }
- return updateInfoPath, modulesPath, nil
+ return updateInfoPath, nil
 }
 func (c Config) fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) {
@@ -462,7 +461,6 @@ func (c Config) fetchCVEIDs(fsa FSA) ([]string, error) {
 if len(cveIDMap) == 0 {
 cveIDs := cveIDPattern.FindAllString(fsa.Description, -1)
 if len(cveIDs) == 0 {
- // log.Printf("failed to get CVE-ID from Description. errata(%s) does not contain the CVEID.\n", fsa.ID)
 return []string{}, nil
 }
 for _, cveID := range cveIDs {
@@ -525,40 +523,50 @@ func (c Config) fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) { return cveIDs, nil } -func (c Config) fetchModules(url string) (map[string]ModuleInfo, error) { - res, err := utils.FetchURL(url, "", c.retry) - if err != nil { - return nil, xerrors.Errorf("failed to fetch modules: %w", err) +func (c Config) fetchModules(uinfo *UpdateInfo, arch string) (map[string]ModuleInfo, error) { + moduleURLs := []string{} + for _, advisory := range uinfo.FSAList { + module, err := parseModuleFromAdvisoryTitle(advisory.Title) + if err != nil { + return nil, xerrors.Errorf("failed to parse moduleinfo: %w", err) + } + moduleURLs = append(moduleURLs, fmt.Sprintf(moduleURL, module.Name, module.Stream, module.Version, module.Context, arch)) + } + if len(moduleURLs) == 0 { + return map[string]ModuleInfo{}, nil } - r, err := gzip.NewReader(bytes.NewBuffer(res)) + log.Printf("Fetching ModuleInfo from Build System Info...") + reps, err := utils.FetchConcurrently(moduleURLs, c.concurrency, c.wait, c.retry) if err != nil { - return nil, xerrors.Errorf("failed to decompress modules: %w", err) + return nil, xerrors.Errorf("failed to fetch moduleinfo: %w", err) } modules := map[string]ModuleInfo{} - scanner := bufio.NewScanner(r) - var contents []string - for scanner.Scan() { - str := scanner.Text() - switch str { - case "---": - { - contents = []string{} - } - case "...": - { - var module ModuleInfo - if err := yaml.NewDecoder(strings.NewReader(strings.Join(contents, "\n"))).Decode(&module); err != nil { - return nil, xerrors.Errorf("failed to decode module info: %w", err) + for _, res := range reps { + scanner := bufio.NewScanner(bytes.NewReader(res)) + var contents []string + for scanner.Scan() { + str := scanner.Text() + switch str { + case "---": + { + contents = []string{} } - if module.Version == 2 { - modules[module.ConvertToUpdateInfoTitle()] = module + case "...": + { + var module ModuleInfo + if err := 
yaml.NewDecoder(strings.NewReader(strings.Join(contents, "\n"))).Decode(&module); err != nil { + return nil, xerrors.Errorf("failed to decode module info: %w", err) + } + if module.Version == 2 { + modules[module.convertToUpdateInfoTitle()] = module + } + } + default: + { + contents = append(contents, str) } - } - default: - { - contents = append(contents, str) } } } @@ -566,6 +574,24 @@ func (c Config) fetchModules(url string) (map[string]ModuleInfo, error) { return modules, nil } +func parseModuleFromAdvisoryTitle(title string) (Module, error) { + ss := strings.Split(title, "-") + name, stream := ss[0], ss[1] + ss = strings.Split(ss[2], ".") + ver, err := strconv.ParseInt(ss[0], 10, 64) + if err != nil { + return Module{}, xerrors.Errorf("failed to parse version of moduleinfo from title(%s) of advisory: %w", title, err) + } + ctx := ss[1] + + return Module{ + Name: name, + Stream: stream, + Version: ver, + Context: ctx, + }, nil +} + type ModuleInfo struct { Version int `yaml:"version"` Data struct { @@ -580,7 +606,7 @@ type ModuleInfo struct { } `yaml:"data"` } -func (m ModuleInfo) ConvertToUpdateInfoTitle() string { +func (m ModuleInfo) convertToUpdateInfoTitle() string { return fmt.Sprintf("%s-%s-%d.%s", m.Data.Name, m.Data.Stream, m.Data.Version, m.Data.Context) } From d3a533f401ceef771583eae1d78fd34da606fc73 Mon Sep 17 00:00:00 2001 
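Review bot: `scanner.Err()` is never consulted after the inner `for scanner.Scan()` loop in the rewritten `fetchModules`, so a modulemd response containing a line longer than `bufio.Scanner`'s default token limit ends the scan silently, the `...` terminator is never reached, and that module is simply missing from `modules` with no error; add after the loop `if err := scanner.Err(); err != nil { return nil, xerrors.Errorf("failed to read moduleinfo: %w", err) }` and consider `scanner.Buffer` with a larger cap if modulemd files can carry long lines. A second consequence of the new design is that one advisory whose title `parseModuleFromAdvisoryTitle` cannot parse aborts the entire Modular fetch, whereas the Bugzilla path in this file degrades per reference; deciding which failure mode is wanted here is worth a comment on the loop. The function's closing brace and `return modules, nil` lie outside this hunk.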
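Review bot: `parseModuleFromAdvisoryTitle` indexes `ss[1]` and `ss[2]`, and `ss[1]` again after the second split, without checking lengths, so an advisory title with fewer than two `-` or with no `.` in its third field panics with an index-out-of-range instead of returning an error — and the title is data read from the downloaded updateinfo, so this is a crash of the updater on unexpected input rather than a programmer bug. Guard both splits: `if len(ss) < 3 { return Module{}, xerrors.Errorf("unexpected advisory title format: %q", title) }` after the first split and `if len(ss) < 2 { ... }` after `strings.Split(ss[2], ".")`. The left-to-right split also presumably mis-assigns name and stream for any module whose name itself contains `-`; since version and context are always the trailing components, splitting from the right (`strings.LastIndex`) would be more robust — worth confirming against real advisory titles.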
From: MaineK00n Date: Fri, 21 Jan 2022 21:08:01 +0900 Subject: [PATCH 11/20] chore(fedora): add tests --- fedora/fedora.go | 76 ++--- fedora/fedora_test.go | 123 +++++++ .../fixtures/epel7/bugzilla/1684012.xml | 120 +++++++ .../fixtures/epel7/bugzilla/1684014.xml | 194 +++++++++++ .../pub/epel/7/x86_64/repodata/repomd.xml | 85 +++++ .../epel/7/x86_64/repodata/updateinfo.xml.bz2 | Bin 0 -> 1322 bytes .../8/Everything/x86_64/repodata/repomd.xml | 85 +++++ .../x86_64/repodata/updateinfo.xml.bz2 | Bin 0 -> 1310 bytes .../fixtures/fedora35/bugzilla/1934558.xml | 124 +++++++ .../fixtures/fedora35/bugzilla/1934559.xml | 230 +++++++++++++ .../fixtures/fedora35/bugzilla/1939939.xml | 140 ++++++++ .../fixtures/fedora35/bugzilla/2016089.xml | 168 ++++++++++ .../fixtures/fedora35/bugzilla/2016090.xml | 168 ++++++++++ .../fixtures/fedora35/bugzilla/2016142.xml | 230 +++++++++++++ .../fixtures/fedora35/bugzilla/2035949.xml | 203 ++++++++++++ .../modulemd.x_86_64.txt | 72 ++++ .../modulemd.x_86_64.txt | 101 ++++++ .../35/Everything/x86_64/repodata/repomd.xml | 141 ++++++++ .../x86_64/repodata/updateinfo.xml.xz | Bin 0 -> 1732 bytes .../35/Modular/x86_64/repodata/repomd.xml | 84 +++++ .../Modular/x86_64/repodata/updateinfo.xml.xz | Bin 0 -> 2176 bytes .../2020/FEDORA-EPEL-2020-2c80eb66b5.json | 244 ++++++++++++++ .../golden/2021/FEDORA-2021-15d2f70a07.json | 87 +++++ .../golden/2021/FEDORA-2021-5ffabdc080.json | 120 +++++++ .../golden/2021/FEDORA-2021-c6f471ce0f.json | 54 +++ .../2021/FEDORA-EPEL-2021-f89c59b568.json | 100 ++++++ .../2021/FEDORA-MODULAR-2021-217f84c072.json | 185 +++++++++++ .../2022/FEDORA-MODULAR-2022-a627320247.json | 310 ++++++++++++++++++ 28 files changed, 3393 insertions(+), 51 deletions(-) create mode 100644 fedora/fedora_test.go create mode 100644 fedora/testdata/fixtures/epel7/bugzilla/1684012.xml create mode 100644 fedora/testdata/fixtures/epel7/bugzilla/1684014.xml create mode 100644 fedora/testdata/fixtures/epel7/pub/epel/7/x86_64/repodata/repomd.xml 
create mode 100644 fedora/testdata/fixtures/epel7/pub/epel/7/x86_64/repodata/updateinfo.xml.bz2 create mode 100644 fedora/testdata/fixtures/epel8/pub/epel/8/Everything/x86_64/repodata/repomd.xml create mode 100644 fedora/testdata/fixtures/epel8/pub/epel/8/Everything/x86_64/repodata/updateinfo.xml.bz2 create mode 100644 fedora/testdata/fixtures/fedora35/bugzilla/1934558.xml create mode 100644 fedora/testdata/fixtures/fedora35/bugzilla/1934559.xml create mode 100644 fedora/testdata/fixtures/fedora35/bugzilla/1939939.xml create mode 100644 fedora/testdata/fixtures/fedora35/bugzilla/2016089.xml create mode 100644 fedora/testdata/fixtures/fedora35/bugzilla/2016090.xml create mode 100644 fedora/testdata/fixtures/fedora35/bugzilla/2016142.xml create mode 100644 fedora/testdata/fixtures/fedora35/bugzilla/2035949.xml create mode 100644 fedora/testdata/fixtures/fedora35/packages/mysql/8.0/3520211031142409.f27b74a8/modulemd.x_86_64.txt create mode 100644 fedora/testdata/fixtures/fedora35/packages/nodejs/12/3520220113124632.f27b74a8/modulemd.x_86_64.txt create mode 100644 fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Everything/x86_64/repodata/repomd.xml create mode 100644 fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Everything/x86_64/repodata/updateinfo.xml.xz create mode 100644 fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/repomd.xml create mode 100644 fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/updateinfo.xml.xz create mode 100644 fedora/testdata/golden/2020/FEDORA-EPEL-2020-2c80eb66b5.json create mode 100644 fedora/testdata/golden/2021/FEDORA-2021-15d2f70a07.json create mode 100644 fedora/testdata/golden/2021/FEDORA-2021-5ffabdc080.json create mode 100644 fedora/testdata/golden/2021/FEDORA-2021-c6f471ce0f.json create mode 100644 fedora/testdata/golden/2021/FEDORA-EPEL-2021-f89c59b568.json create mode 100644 
fedora/testdata/golden/2021/FEDORA-MODULAR-2021-217f84c072.json create mode 100644 fedora/testdata/golden/2022/FEDORA-MODULAR-2022-a627320247.json diff --git a/fedora/fedora.go b/fedora/fedora.go index 3d5c6c09..da7990f5 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go @@ -16,7 +16,6 @@ import ( "regexp" "strconv" "strings" - "time" "github.com/aquasecurity/vuln-list-update/utils" "github.com/cheggaaa/pb/v3" @@ -34,10 +33,12 @@ const ( ) var ( - URIForamt = map[string]string{ - "fedora": "https://dl.fedoraproject.org/pub/fedora/linux/updates/%s/%s/%s/", - "epel7": "https://dl.fedoraproject.org/pub/epel/%s/%s/", - "epel": "https://dl.fedoraproject.org/pub/epel/%s/%s/%s/", + urlFormat = map[string]string{ + "fedora": "https://dl.fedoraproject.org/pub/fedora/linux/updates/%s/%s/%s/", + "epel7": "https://dl.fedoraproject.org/pub/epel/%s/%s/", + "epel": "https://dl.fedoraproject.org/pub/epel/%s/%s/%s/", + "bugzilla": "https://bugzilla.redhat.com/show_bug.cgi?ctype=xml&id=%s", + "moduleinfo": "https://kojipkgs.fedoraproject.org/packages/%s/%s/%d.%s/files/module/modulemd.%s.txt", } defaultReleases = map[string][]string{ @@ -53,8 +54,6 @@ var ( } cveIDPattern = regexp.MustCompile(`(CVE-\d{4}-\d{4,})`) - bugzillaURL = "https://bugzilla.redhat.com/show_bug.cgi?ctype=xml&id=%s" - moduleURL = "https://kojipkgs.fedoraproject.org//packages/%s/%s/%d.%s/files/module/modulemd.%s.txt" ) // RepoMd has repomd data 
@@ -139,36 +138,17 @@ type options struct {
 type option func(*options)
-func WithURLs(urls map[string]string) option {
- return func(opts *options) { opts.urls = urls }
-}
-
-func WithDir(dir string) option {
- return func(opts *options) { opts.dir = dir }
-}
-
-func WithConcurrency(concurrency int) option {
- return func(opts *options) { opts.concurrency = concurrency }
-}
-
-func WithWait(wait int) option {
- return func(opts *options) { opts.wait = wait }
-}
-
-func WithRetry(retry int) option {
- return func(opts *options) { opts.retry = retry }
-}
-
-func WithReleases(releases map[string][]string) option {
- return func(opts *options) { opts.releases = releases }
-}
-
-func WithRepos(repos []string) option {
- return func(opts *options) { opts.repos = repos }
-}
-
-func WithArches(arches []string) option {
- return func(opts *options) { opts.arches = arches }
+func With(urls map[string]string, dir string, concurrency, wait, retry int, releases map[string][]string, repos, arches []string) option {
+ return func(opts *options) {
+ opts.urls = urls
+ opts.dir = dir
+ opts.concurrency = concurrency
+ opts.wait = wait
+ opts.retry = retry
+ opts.releases = releases
+ opts.repos = repos
+ opts.arches = arches
+ }
 }
 type Config struct {
@@ -177,7 +157,7 @@ type Config struct {
 func NewConfig(opts ...option) Config {
 o := &options{
- urls: URIForamt,
+ urls: urlFormat,
 dir: filepath.Join(utils.VulnListDir(), fedoraDir),
 concurrency: defaultConcurrency,
 wait: defaultWait,
@@ -251,11 +231,8 @@ func (c Config) update(mode, release, repo, arch string) error {
 fsalistByYear := map[string][]FSA{}
 for _, fsa := range vulns.FSAList {
- t, err := time.Parse(dateFormat, fsa.Issued.Date)
- if err != nil {
- return xerrors.Errorf("failed to parse issued date: %w", err)
- }
- y := fmt.Sprintf("%d", t.Year())
+ ss := strings.Split(fsa.ID, "-")
+ y := ss[len(ss)-2]
 fsalistByYear[y] = append(fsalistByYear[y], fsa)
 }
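Review bot: Collapsing the eight `WithXxx` functional options into one `With(urls, dir, concurrency, wait, retry, releases, repos, arches)` forces every caller to pass all eight values positionally — the three adjacent `int`s `concurrency, wait, retry` can be transposed with no help from the compiler — and removes the ability to override one setting while keeping the defaults for the rest, which is what the `option` type exists for. Keeping the individual `With*` options (the test only needs a handful of them) preserves that; if a single bundle is really wanted, an exported `Options` struct with named fields reads better than a positional call. Deleting exported `With*` functions is also an API break for any external importer of this package.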
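Review bot: `y := ss[len(ss)-2]` panics on an advisory whose `ID` holds fewer than two `-` (an empty `ID` gives `ss = [""]` and index -1), and the `time.Parse` it replaces was the only validation this loop performed; since `ID` comes from the downloaded updateinfo, malformed input now crashes the run rather than returning an error. Guard the index: `if len(ss) < 2 { return xerrors.Errorf("unexpected advisory ID format: %q", fsa.ID) }`. If `y` is later used as a directory component (outside this hunk), a check that it is a four-digit year would also stop an unexpected ID field from becoming part of a filesystem path. `update` starts and ends outside the hunk.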
@@ -485,7 +462,7 @@ type Bugzilla struct {
 func (c Config) fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) {
 log.Printf("Fetching CVE-IDs using Bugzilla API. Root Bugzilla ID: %s\n", bugzillaID)
- url := fmt.Sprintf(bugzillaURL, bugzillaID)
+ url := fmt.Sprintf(c.urls["bugzilla"], bugzillaID)
 res, err := utils.FetchURL(url, "", c.retry)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch bugzilla xml: %w", err)
@@ -502,7 +479,7 @@ func (c Config) fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) {
 urls := []string{}
 for _, blocked := range root.Bug.Blocked {
- urls = append(urls, fmt.Sprintf(bugzillaURL, blocked))
+ urls = append(urls, fmt.Sprintf(c.urls["bugzilla"], blocked))
 }
 xmlBytes, err := utils.FetchConcurrently(urls, c.concurrency, c.wait, c.retry)
 if err != nil {
@@ -530,7 +507,7 @@ func (c Config) fetchModules(uinfo *UpdateInfo, arch string) (map[string]ModuleI
 if err != nil {
 return nil, xerrors.Errorf("failed to parse moduleinfo: %w", err)
 }
- moduleURLs = append(moduleURLs, fmt.Sprintf(moduleURL, module.Name, module.Stream, module.Version, module.Context, arch))
+ moduleURLs = append(moduleURLs, fmt.Sprintf(c.urls["moduleinfo"], module.Name, module.Stream, module.Version, module.Context, arch))
 }
 if len(moduleURLs) == 0 {
 return map[string]ModuleInfo{}, nil
@@ -559,9 +536,7 @@ func (c Config) fetchModules(uinfo *UpdateInfo, arch string) (map[string]ModuleI
 if err := yaml.NewDecoder(strings.NewReader(strings.Join(contents, "\n"))).Decode(&module); err != nil {
 return nil, xerrors.Errorf("failed to decode module info: %w", err)
 }
- if module.Version == 2 {
- modules[module.convertToUpdateInfoTitle()] = module
- }
+ modules[module.convertToUpdateInfoTitle()] = module
 }
 default:
 {
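Review bot: `c.urls["bugzilla"]` here (and `c.urls["moduleinfo"]` in the @@ -530 hunk) is read with no presence check, so a `Config` built with a custom URL map that lacks the key gets an empty format string, `fmt.Sprintf` produces a `%!(EXTRA ...)` string, and the request fails with a misleading `failed to fetch bugzilla xml` far from the real cause. Resolve the template once at the top of the function, `tmpl, ok := c.urls["bugzilla"]; if !ok { return nil, xerrors.New("bugzilla URL is not configured") }`, or validate the required keys in `NewConfig`. The local named `url` also shadows the imported `net/url` package inside this function; the rewritten line keeps that shadowing. `fetchCVEIDsfromBugzilla` ends outside the hunk.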
@@ -593,8 +568,7 @@ func parseModuleFromAdvisoryTitle(title string) (Module, error) { } type ModuleInfo struct { - Version int `yaml:"version"` - Data struct { + Data struct { Name string `yaml:"name"` Stream string `yaml:"stream"` Version int64 `yaml:"version"` diff --git a/fedora/fedora_test.go b/fedora/fedora_test.go new file mode 100644 index 00000000..86ff4d84 --- /dev/null +++ b/fedora/fedora_test.go 
@@ -0,0 +1,123 @@ +package fedora_test + +import ( + "encoding/json" + "fmt" + "net/http" + "net/http/httptest" + "os" + "path/filepath" + "reflect" + "testing" + + "github.com/aquasecurity/vuln-list-update/fedora" + "github.com/kylelemons/godebug/pretty" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func Test_Update(t *testing.T) { + type args struct { + mode string + uinfoURLPath string + release []string + repos []string + arches []string + } + tests := []struct { + name string + rootDir string + args args + expectedError error + }{ + { + name: "fedora 35", + rootDir: "testdata/fixtures/fedora35", + args: args{ + mode: "fedora", + uinfoURLPath: "/pub/fedora/linux/updates/%s/%s/%s/", + release: []string{"35"}, + repos: []string{"Everything", "Modular"}, + arches: []string{"x86_64"}, + }, + expectedError: nil, + }, + { + name: "epel 7", + rootDir: "testdata/fixtures/epel7", + args: args{ + mode: "epel", + uinfoURLPath: "/pub/epel/%s/%s/", + release: []string{"7"}, + repos: []string{}, + arches: []string{"x86_64"}, + }, + expectedError: nil, + }, + { + name: "epel 8", + rootDir: "testdata/fixtures/epel8", + args: args{ + mode: "epel", + uinfoURLPath: "/pub/epel/%s/%s/%s/", + release: []string{"8"}, + repos: []string{"Everything"}, + arches: []string{"x86_64"}, + }, + expectedError: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mux := http.NewServeMux() + mux.Handle("/pub/", http.FileServer(http.Dir(tt.rootDir))) + mux.Handle("/packages/", http.FileServer(http.Dir(tt.rootDir))) + mux.HandleFunc("/show_bug.cgi", func(rw http.ResponseWriter, r *http.Request) { + bugzillaID := r.URL.Query().Get("id") + r.URL.Path = fmt.Sprintf("%s.xml", bugzillaID) + r.URL.RawQuery = "" + http.FileServer(http.Dir(filepath.Join(tt.rootDir, "bugzilla"))).ServeHTTP(rw, r) + }) + tsServerURL := httptest.NewServer(mux) + defer tsServerURL.Close() + + dir := t.TempDir() + fd := 
fedora.NewConfig(fedora.With(map[string]string{tt.args.mode: tsServerURL.URL + tt.args.uinfoURLPath, "bugzilla": tsServerURL.URL + "/show_bug.cgi?ctype=xml&id=%s", "moduleinfo": tsServerURL.URL + "/packages/%s/%s/%d.%s/files/module/modulemd.%s.txt"}, dir, 1, 0, 0, map[string][]string{tt.args.mode: tt.args.release}, tt.args.repos, tt.args.arches)) + if err := fd.Update(); tt.expectedError != nil { + require.Error(t, err) + assert.Contains(t, err.Error(), tt.expectedError.Error()) + return + } + + err := filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error { + if errfp != nil { + return errfp + } + if info.IsDir() { + return nil + } + + dir, file := filepath.Split(path) + b, err := os.ReadFile(filepath.Join("testdata", "golden", filepath.Base(dir), file)) + assert.NoError(t, err, "failed to open the golden file") + var want fedora.FSA + err = json.Unmarshal(b, &want) + assert.NoError(t, err, "failed to unmarshal json") + + b, err = os.ReadFile(path) + assert.NoError(t, err, "failed to open the result file") + var got fedora.FSA + err = json.Unmarshal(b, &got) + assert.NoError(t, err, "failed to unmarshal json") + + if !reflect.DeepEqual(got, want) { + t.Errorf("[%s]\n diff: %s", tt.name, pretty.Compare(got, want)) + } + + return nil + }) + assert.Nil(t, err, "filepath walk error") + }) + } +} diff --git a/fedora/testdata/fixtures/epel7/bugzilla/1684012.xml b/fedora/testdata/fixtures/epel7/bugzilla/1684012.xml new file mode 100644 index 00000000..919bad9e --- /dev/null +++ b/fedora/testdata/fixtures/epel7/bugzilla/1684012.xml 
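Review bot: Inside the `filepath.Walk` callback every failed `os.ReadFile` or `json.Unmarshal` is reported with `assert.NoError` and execution continues, so a missing golden file yields a cascade of secondary failures (unmarshalling a nil slice, then a `pretty.Compare` against a zero `FSA`) instead of one clear message; `require.NoError` there, as the `expectedError` branch already uses `require`, stops at the first real cause. The `expectedError` field is nil in every table row, which makes the `require.Error` branch dead code, and `dir, file := filepath.Split(path)` shadows the outer `dir` temp directory inside the callback. `Test_Update` starts and ends inside this hunk.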
@@ -0,0 +1,120 @@ + + + + + + 1684012 + CVE-2019-9027 + 2019-02-28 09:34:35 +0000 + CVE-2019-9027 matio: heap-based buffer overflow in function ReadNextCell() in mat5.c + 2019-11-28 13:39:35 +0000 + 1 + 1 + 3 + Other + Security Response + vulnerability + unspecified + All + Linux + CLOSED + UPSTREAM + + + + + Security + low + low + --- + 1684013 + + + 1684014 + + 1 + darunesh + security-response-team + c.david86 + + + kwizart + + + lupinix.fedora + + + + + If docs needed, set a value + + --- + + + 2019-06-10 10:49:24 + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 12500308 + 0 + darunesh + 2019-02-28 09:34:35 +0000 + An issue was discovered in libmatio.a in matio (aka MAT File I/O Library) 1.5.13. There is a heap-based buffer overflow problem in the function ReadNextCell() in mat5.c. + +References: +https://github.com/tbeu/matio/issues/103 +https://github.com/TeamSeri0us/pocs/tree/master/matio + + 12500313 + 1 + darunesh + 2019-02-28 09:34:56 +0000 + Created matio tracking bugs for this issue: + +Affects: fedora-all [bug 1684013] + + 12500317 + 2 + darunesh + 2019-02-28 09:35:18 +0000 + Created matio tracking bugs for this issue: + +Affects: epel-all [bug 1684014] + + 12825865 + 3 + prodsec-dev + 2019-06-10 10:49:24 +0000 + This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. + + + + + + + \ No newline at end of file diff --git a/fedora/testdata/fixtures/epel7/bugzilla/1684014.xml b/fedora/testdata/fixtures/epel7/bugzilla/1684014.xml new file mode 100644 index 00000000..47404501 --- /dev/null +++ b/fedora/testdata/fixtures/epel7/bugzilla/1684014.xml 
@@ -0,0 +1,194 @@ + + + + + + 1684014 + + 2019-02-28 09:35:12 +0000 + matio: CVE-2019-02-9027 matio: heap-based buffer overflow in function ReadNextCell() in mat5.c [epel-all] + 2020-08-11 00:29:30 +0000 + 1 + 1 + 2 + Fedora + Fedora EPEL + matio + epel7 + Unspecified + Unspecified + CLOSED + ERRATA + + + + + Security, SecurityTracking + low + low + --- + + 1684012 + 1 + darunesh + lupinix.fedora + c.david86 + + + kwizart + + + lupinix.fedora + + extras-qa + + matio-1.5.17-3.el7 + No Doc Update + + --- + + + 2020-08-11 00:29:30 + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 12500314 + 0 + darunesh + 2019-02-28 09:35:12 +0000 + +This is an automatically created tracking bug! It was created to ensure +that one or more security vulnerabilities are fixed in affected versions +of epel-all. + +For comments that are specific to the vulnerability please use bugs filed +against the "Security Response" product referenced in the "Blocks" field. + +For more information see: +http://fedoraproject.org/wiki/Security/TrackingBugs + +When submitting as an update, use the fedpkg template provided in the next +comment(s). This will include the bug IDs of this tracking bug as well as +the relevant top-level CVE bugs. + +Please also mention the CVE IDs being fixed in the RPM changelog and the +fedpkg commit message. + +NOTE: this issue affects multiple supported versions of Fedora EPEL. While +only one tracking bug has been filed, please correct all affected versions +at the same time. If you need to fix the versions independent of each +other, you may clone this bug as appropriate. + + 12500316 + 1 + darunesh + 2019-02-28 09:35:13 +0000 + Use the following template to for the 'fedpkg update' request to submit an +update for this issue as it contains the top-level parent bug(s) as well as +this tracking bug. This will ensure that all associated bugs get updated +when new packages are pushed to stable. 
+ +===== + +# bugfix, security, enhancement, newpackage (required) +type=security + +# low, medium, high, urgent (required) +severity=low + +# testing, stable +request=testing + +# Bug numbers: 1234,9876 +bugs=1684012,1684014 + +# Description of your update +notes=Security fix for [PUT CVEs HERE] + +# Enable request automation based on the stable/unstable karma thresholds +autokarma=True +stable_karma=3 +unstable_karma=-3 + +# Automatically close bugs when this marked as stable +close_bugs=True + +# Suggest that users restart after update +suggest_reboot=False + +====== + +Additionally, you may opt to use the bodhi web interface to submit updates: + +https://bodhi.fedoraproject.org/updates/new + + 14119686 + 2 + updates + 2020-07-17 19:03:21 +0000 + FEDORA-EPEL-2020-2c80eb66b5 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2c80eb66b5 + + 14120064 + 3 + updates + 2020-07-18 00:23:34 +0000 + FEDORA-EPEL-2020-2c80eb66b5 has been pushed to the Fedora EPEL 7 testing repository. + +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2c80eb66b5 + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + 14122322 + 4 + updates + 2020-07-20 10:53:37 +0000 + FEDORA-EPEL-2020-2c80eb66b5 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2c80eb66b5 + + 14124825 + 5 + updates + 2020-07-21 00:42:21 +0000 + FEDORA-EPEL-2020-2c80eb66b5 has been pushed to the Fedora EPEL 7 testing repository. + +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2c80eb66b5 + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + 14193173 + 6 + updates + 2020-08-11 00:29:30 +0000 + FEDORA-EPEL-2020-2c80eb66b5 has been pushed to the Fedora EPEL 7 stable repository. 
+If problem still persists, please make note of it in this bug report. + + + + + + + \ No newline at end of file diff --git a/fedora/testdata/fixtures/epel7/pub/epel/7/x86_64/repodata/repomd.xml b/fedora/testdata/fixtures/epel7/pub/epel/7/x86_64/repodata/repomd.xml new file mode 100644 index 00000000..a833f773 --- /dev/null +++ b/fedora/testdata/fixtures/epel7/pub/epel/7/x86_64/repodata/repomd.xml 
@@ -0,0 +1,85 @@ + + + 1642646805 + + 9046245b40e9fee30feb670a07029f67b3269118e5c6bc98e7b334260e3b3909 + a8bfa0cacccb48c9d2c14770f48f6f3ab34477c6468035da8a047f22c99309ad + + 1642646788 + 4076694 + 31026112 + + + a84bf8b2c5ebf75ad3c4345c5effad3523cb95f815def3f87cd24f64e7cc2ff4 + f4a36d89878d093f6637f95d28c7ed746010d20dc5f601183750c68cb1541f78 + + 1642646788 + 12258398 + 173091457 + + + b4aec7c0e18247840683e610efb4d193c7d5f1cf4053fbf552b67e1197cacc92 + 9f693b826e868ef4a9f6657aba527c59e5e3b5ce47c8461e604b28a6de571897 + + 1642646788 + 2550495 + 22662406 + + + 7fad98e5d92a3421bb04aeba83c33ebb2548e8d5d954f58ed1b7d8fd1c3fea4d + 08e6d540fc4613d90308d0db46c8e1b97c12f85b56f72c7128117cd86a9bf990 + + 1642646792 + 7326515 + 31174656 + 10 + + + 2f5d59f685b78e243923dea3bb8aa4893b15a98e13c85b3ded52a5be763226a1 + 24d459b7552101e07008a22ce742a96fd2812a634c0b7dc808b6cb93490a4ddc + + 1642646796 + 12438044 + 76288000 + 10 + + + 8b51c39d3870684e359bd4a61772e4bd538ec38a1cbd7d63324fcb6e7db3ed30 + 26f3dc573cb4f57f75866062fedb1c784b04860f5f0059a5fa605bbcd7e0c743 + + 1642646791 + 3516649 + 19034112 + 10 + + + 6fdc8759341bcdc6f5dabd7cc7c7c6226178416be2d19445f8233fd52fe960fd + + 1642646618 + 399908 + + + b4c0fb5c9dbb817c77e50fd8fb6b67e3d5a781d95a95a4b3fdcfa131df424cc4 + 6fdc8759341bcdc6f5dabd7cc7c7c6226178416be2d19445f8233fd52fe960fd + + 1642646788 + 98573 + 399908 + + + b552f0a4d60511ad135fe9a79e539f1c667fb38a9fffd21564d6bd0482839408 + 629f9b20b7589265199f1639f84706802492a9d65076a45664f614e13f33301a + + 1642646805 + 1567 + 6430 + + + 568c961b089ea7a04b5f348d38ad955baa14c731b765a20c2b729b9ccefa98e4 + b42bbbc29596cba4d446313b22c85abec856aa92938c0ec4c3a91eb622c65864 + + 1642647194 + 1098668 + 19740633 + + \ No newline at end of file 
diff --git a/fedora/testdata/fixtures/epel7/pub/epel/7/x86_64/repodata/updateinfo.xml.bz2 b/fedora/testdata/fixtures/epel7/pub/epel/7/x86_64/repodata/updateinfo.xml.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..50e460f323e0752edb2ecf9be7b99a9d8d9586c1 GIT binary patch literal 1322 zcmV+_1=adOT4*^jL0KkKSyKnb4FCqwUw~B*P-p-5?`Pi%zyIIxU3|nO=?LwC43%yb>QVtVzushQ1Ra)Zed(__)Febi zSuH_PSnC*I%=ucgd;kG8zDNOigb0W^OnS?4wJAOylI*A|S+Nm7*tA4aA|%2Ba&4L< z(HJW1-`tKet132@-glo?c#tLZZ~Jf2U>KN^5)u+gB!q;7kpTn^qmyLhK{Wu#0U!ks z13hlh&~zFJ8DuTC6tJ+RC54q`w%cJ#C50(C;2UOu1`x!OP97d+Dypj6Rc)&ATFf<6 zSk|j6hZ1O#N!$R}0PPq&o>;&>&hD%BiC zc#{gl=qnUQj-g+?lO%i*U`Rymyt6AL9dbGO`r?(WEua{nl$(q^w%P+%V9`reD8!L< z3#izzFP~NQ6M8a`r$7M!1l0`$0yUryEl6{YTvt%17r+}?g(krP|lyWHw7+q4ny_!A&kf4LR? zMS4DHtvK}pr?hY_qOHvZd5VA>y?#pZfRKZ^+AE&^VH0(J*?yD|mku+Zj>lpc$WYt} z`AAl6B+ym`Z$)hH&u@8ptsn?3719xVfeHqZ31N){FTX7iqN`x6XXoe@o+L&$1cCuF z=>)6^GfOHf5dgMLD)V#Vd;kTUjBDQ5fDjUcL^h0}C0N4O_assk> zXdrrPn64Fu9k767QPwMw4q#1A@$}cgSN_^7qQ`Xwd4+Z3%poPRQa}r2R-9C}L8ai#&7Xs`!l z)u?8TO1PG-maWGwMNH@h?d-;-s_!N%p3+;QGgtsbD&&Pg2oZB^rVD=`AN9y59%F@aplwU#i%Hvk%T%gTDSN?FhgEp!b9a%U`V z&5s+*RbvZ}ToVB?+%iG6+F^zo8SGWifM&2PE)~D11_<9;XOs%WYrw;xS0xQlMqmOE g4Z^o0kd0BaboNU*lo1BC;D6%oNT&)C3Sjubpp}n5IRF3v literal 0 HcmV?d00001 diff --git a/fedora/testdata/fixtures/epel8/pub/epel/8/Everything/x86_64/repodata/repomd.xml b/fedora/testdata/fixtures/epel8/pub/epel/8/Everything/x86_64/repodata/repomd.xml new file mode 100644 index 00000000..b2a128ab --- /dev/null +++ b/fedora/testdata/fixtures/epel8/pub/epel/8/Everything/x86_64/repodata/repomd.xml 
@@ -0,0 +1,85 @@ + + + 1642679622 + + aca34109799590df8e0740c4daddc3e9dc9031c230dcb6101fda6d0961b39b54 + 0f4f236020609220899aa2ea2c4cce91c68f847d70c871a95ff1d2674dc989ce + + 1642679601 + 2495274 + 19402183 + + + 4a909004ea5a6e2c045c42f935ebb9c04daf9057a39282e35be66ddb7ad9a828 + b1363bbca08d91648f66b8a778becdcaa4d2ee1d44c739aa82c610b9d2058f7d + + 1642679601 + 8075024 + 108533775 + + + 5e527b538903151c5ce2f5b7aa98b9d79688717da83a80b8f31577662b784dc7 + 585760a186e560556d2731707a59a80b9c4e6109c9a93a799319f21194f319de + + 1642679601 + 1410213 + 14303129 + + + bca807b23fa8bacad31f5cb33517f6df0391e1207ed0ef9f21f7e077f1d67188 + 2a1e279296136aaa53c16f769b501d7651cf291e9dc152053dda2aaab8e81e86 + + 1642679610 + 3720648 + 20156416 + 10 + + + 895141d8a0336f5056005b5d1a75116f7945de46851a5da06df472719e76de13 + b79e5f138aedb0dbf0121d1bdba4c722af2baf140c5872ff02cd3d55b97b0dc9 + + 1642679617 + 7508484 + 52166656 + 10 + + + 539a60d8acd27be8f101be92c1364c5754b76535c5b5d760f0074487807680e0 + 005519126e60d85035f8c16b4b0b5f01efa7fe6654ff6feecda0561eace7dfa8 + + 1642679605 + 1491372 + 12042240 + 10 + + + 539393bab0eff5060bc8022e7da8cc18d4c10ecdbbcf4441bd4933527a7d4112 + + 1642679446 + 128177 + + + 9b2098c9eea476e1f0d8b6f9260bfb2cdbbf1066d2b4d66e6f39a71ef26fd6fc + 539393bab0eff5060bc8022e7da8cc18d4c10ecdbbcf4441bd4933527a7d4112 + + 1642679601 + 24860 + 128177 + + + 9511ac0b51d43b2642d1e4e5927931d74b28adb18c59034c0823d54b8936c9bb + 49858af752832301dab05eacf5cfa4a27d214f429cb50c8b3bf43e6eacf22286 + + 1642679622 + 2360 + 10983 + + + 8ca1de5cad9a1e4de5fc5c6dc45860ff14307af126c5b396fe2b284fff2f9b6c + fa5f18ad56aaa757d25aa6d39e01293e4999dc52b45e3565d3aa43080c2d184e + + 1642680247 + 873562 + 22956441 + + \ No newline at end of file 
diff --git a/fedora/testdata/fixtures/epel8/pub/epel/8/Everything/x86_64/repodata/updateinfo.xml.bz2 b/fedora/testdata/fixtures/epel8/pub/epel/8/Everything/x86_64/repodata/updateinfo.xml.bz2 new file mode 100644 index 0000000000000000000000000000000000000000..2128b9b7ee561273be9ec2c7f1b6a2bf85187de9 GIT binary patch literal 1310 zcmV+(1>yQaT4*^jL0KkKS+V(!m;eR1-+)yRP-p-5@8;hMzyIIxU>K!626Q_INR#yDr(TzP!{M^P=jeE4{pKiN{w0-DK&y?Dwcne--R zVnKSQUUMr11%cv72Qti!#YH`ydL{s9p@h{vN|u5k>Ps%jA`w1A#Zn9qG7K~VY9^%x zu>Cd8nn*$n9OpK3oc`XOe5Zf*5e>S3@T5&aI@94@<#_WMm!vdBMzx?S5z$!23MvjL z01l7<6$dk;*=Qpk6h1sbwNS1{ZZSI$K=o!PNLm_!1J)^FHAoYvEZ4Uglbnf4M5QlG zPI4@X5i$sriAqJ2oa!mqBcM~%GaD;kq{+@ir6N+7!|oyahs1$N3P@7u%u*|L(we0c zSf}z6W|7hm)KVsy3VRL0_685H!*8?_wu*C-A{h#h7t*E80RnehNIPwa??b4C7FGfT z3Q$y}qALW~5h2Kscd{-nnILwWL-^lQYw1rU zp(#W}L_`Rxs;a8k6kV_=zmCOK5V#}?qo`9L)y@h0Y~WjYYFY{C3^CwPgLsXe>uKTJ z=@h*Eg+F3ld`WBYFR#c_3zZ^a14ySproQqOAix*Dx`{DPA<`)^m_kHv*CeP06?&Un&n#VvtI6tc<3&MPw8qDq$bhqmAQ`|YU^e*YgK`2E7CZL&OWdx@8YwtZ$8 z`24N$<9C){L8Yj&1q4E41}c|7P)h)9 zK7;H5^6w9A@GF5L9YP<0Pq*Y^7`b~YsOezBNJ$A65VRJes=$#|U`VR6OA7G|fK`ED zTgj`ix0)0}l3@VeNZ=DxsH6&H3Sd$1!qB)VcaRHMV1gS(KQS~FAxBUQjBwFlH-(83 zVN|eFfw%Mzc&4L}%otZt&>&JlQ4E3tB|B^sh9E+coF$Nf06YY4KMIpOYIj}HGSI)= zd=W{B<_>2NK$s39qz?Au%#fz5OUC!E0DS}+MI=K}b7)N8yf=z|HHu7TDa2DgK)^t3 z+z=@)K&K~AP#)3&B%m6@P2>ZuBpjbej&ccyfKN`Bcq#n>foZ6`98yO>r5u1^Z!oZ! z%xi~QrjS#dz~#I_J?4NYc&D}%$Z7*ZhX7M(roupEVsRAixVTe|LPC*KNpT=Rw?X%~ zp=d!B6bJ?a6nTXzDVF&Pe^7-+)DLi{E~4`RscC2r0CkFNc)o#8*PS{QAYu!jSTL(2 zBjKUFRMM$#gOG?@)D7l!3xyNYlD=-?W=<-VlS74?IxJ*;oQ+7;5 UK@gcE%mFC7k}1N3g^$d1z%j-%Jpcdz literal 0 HcmV?d00001 diff --git a/fedora/testdata/fixtures/fedora35/bugzilla/1934558.xml b/fedora/testdata/fixtures/fedora35/bugzilla/1934558.xml new file mode 100644 index 00000000..17f10735 --- /dev/null +++ b/fedora/testdata/fixtures/fedora35/bugzilla/1934558.xml 
@@ -0,0 +1,124 @@ + + + + + + 1934558 + + 2021-03-03 13:39:19 +0000 + squid: out-of-bounds read in WCCP protocol + 2021-03-19 09:41:25 +0000 + 1 + 1 + 3 + Other + Security Response + vulnerability + unspecified + All + Linux + CLOSED + DUPLICATE + 1939939 + + + + Security + low + low + --- + 1934560 + + + 1934559 + 1934571 + 1 + mkaplan + security-response-team + anon.amish + + + code + + + jonathansteffan + + + luhliari + + + mcascell + + + + + If docs needed, set a value + + --- + + + 2021-03-19 09:41:25 + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 14837189 + 0 + mkaplan + 2021-03-03 13:39:19 +0000 + The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the "nobody" user. + + 14837195 + 2 + mkaplan + 2021-03-03 13:40:03 +0000 + Created squid tracking bugs for this issue: + +Affects: fedora-all [bug 1934559] + + 14851777 + 4 + mcascell + 2021-03-08 15:37:21 +0000 + External References: + +https://www.zerodayinitiative.com/advisories/ZDI-21-157/ + + 14887754 + 5 + mcascell + 2021-03-19 09:41:25 +0000 + + +*** This bug has been marked as a duplicate of bug 1939939 *** + + + + + + + \ No newline at end of file diff --git a/fedora/testdata/fixtures/fedora35/bugzilla/1934559.xml b/fedora/testdata/fixtures/fedora35/bugzilla/1934559.xml new file mode 100644 index 00000000..07b42de8 --- /dev/null +++ b/fedora/testdata/fixtures/fedora35/bugzilla/1934559.xml 
@@ -0,0 +1,230 @@ + + + + + + 1934559 + + 2021-03-03 13:39:36 +0000 + squid: out-of-bounds read in WCCP protocol [fedora-all] + 2021-10-29 22:59:37 +0000 + 1 + 1 + 2 + Fedora + Fedora + squid + 33 + Unspecified + Unspecified + CLOSED + ERRATA + + + + + Security, SecurityTracking + low + low + --- + + 1934558 + 1 + mkaplan + luhliari + anon.amish + + + code + + + jonathansteffan + + + luhliari + + extras-qa + + squid-5.2-1.fc33 squid-5.2-1.fc34 squid-5.2-1.fc35 + No Doc Update + + --- + + + 2021-10-13 20:26:06 + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 14837191 + 0 + mkaplan + 2021-03-03 13:39:36 +0000 + +This is an automatically created tracking bug! It was created to ensure +that one or more security vulnerabilities are fixed in affected versions +of fedora-all. + +For comments that are specific to the vulnerability please use bugs filed +against the "Security Response" product referenced in the "Blocks" field. + +For more information see: +http://fedoraproject.org/wiki/Security/TrackingBugs + +When submitting as an update, use the fedpkg template provided in the next +comment(s). This will include the bug IDs of this tracking bug as well as +the relevant top-level CVE bugs. + +Please also mention the CVE IDs being fixed in the RPM changelog and the +fedpkg commit message. + +NOTE: this issue affects multiple supported versions of Fedora. While only +one tracking bug has been filed, please correct all affected versions at +the same time. If you need to fix the versions independent of each other, +you may clone this bug as appropriate. + + 14837192 + 1 + mkaplan + 2021-03-03 13:39:45 +0000 + Use the following template to for the 'fedpkg update' request to submit an +update for this issue as it contains the top-level parent bug(s) as well as +this tracking bug. This will ensure that all associated bugs get updated +when new packages are pushed to stable. 
+ +===== + +# bugfix, security, enhancement, newpackage (required) +type=security + +# low, medium, high, urgent (required) +severity=low + +# testing, stable +request=testing + +# Bug numbers: 1234,9876 +bugs=1934558,1934559 + +# Description of your update +notes=Security fix for [PUT CVEs HERE] + +# Enable request automation based on the stable/unstable karma thresholds +autokarma=True +stable_karma=3 +unstable_karma=-3 + +# Automatically close bugs when this marked as stable +close_bugs=True + +# Suggest that users restart after update +suggest_reboot=False + +====== + +Additionally, you may opt to use the bodhi web interface to submit updates: + +https://bodhi.fedoraproject.org/updates/new + + 15556902 + 2 + updates + 2021-10-05 23:15:06 +0000 + FEDORA-2021-15d2f70a07 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-15d2f70a07 + + 15556903 + 3 + updates + 2021-10-05 23:15:08 +0000 + FEDORA-2021-de5e6c60c2 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-de5e6c60c2 + + 15556905 + 4 + updates + 2021-10-05 23:15:11 +0000 + FEDORA-2021-4d2e7691ca has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-4d2e7691ca + + 15559817 + 5 + updates + 2021-10-06 16:52:03 +0000 + FEDORA-2021-4d2e7691ca has been pushed to the Fedora 33 testing repository. +Soon you'll be able to install the update with the following command: +`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-4d2e7691ca` +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-4d2e7691ca + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + 15559897 + 6 + updates + 2021-10-06 17:13:38 +0000 + FEDORA-2021-de5e6c60c2 has been pushed to the Fedora 34 testing repository. 
+Soon you'll be able to install the update with the following command: +`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-de5e6c60c2` +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-de5e6c60c2 + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + 15562961 + 7 + updates + 2021-10-07 15:53:33 +0000 + FEDORA-2021-15d2f70a07 has been pushed to the Fedora 35 testing repository. +Soon you'll be able to install the update with the following command: +`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-15d2f70a07` +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-15d2f70a07 + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + 15580823 + 8 + updates + 2021-10-13 20:26:06 +0000 + FEDORA-2021-4d2e7691ca has been pushed to the Fedora 33 stable repository. +If problem still persists, please make note of it in this bug report. + + 15580837 + 9 + updates + 2021-10-13 20:28:37 +0000 + FEDORA-2021-de5e6c60c2 has been pushed to the Fedora 34 stable repository. +If problem still persists, please make note of it in this bug report. + + 15629220 + 10 + updates + 2021-10-29 22:59:37 +0000 + FEDORA-2021-15d2f70a07 has been pushed to the Fedora 35 stable repository. +If problem still persists, please make note of it in this bug report. + + + + + + + \ No newline at end of file diff --git a/fedora/testdata/fixtures/fedora35/bugzilla/1939939.xml b/fedora/testdata/fixtures/fedora35/bugzilla/1939939.xml new file mode 100644 index 00000000..394584b3 --- /dev/null +++ b/fedora/testdata/fixtures/fedora35/bugzilla/1939939.xml 
@@ -0,0 +1,140 @@ + + + + + + 1939939 + CVE-2021-28116 + 2021-03-17 10:28:46 +0000 + CVE-2021-28116 squid: out-of-bounds read in WCCP protocol data may lead to information disclosure + 2021-10-11 22:27:54 +0000 + 1 + 1 + 3 + Other + Security Response + vulnerability + unspecified + All + Linux + NEW + + + + + + Security + medium + medium + --- + 1941505 + + + 1941506 + + + 1939940 + 1934571 + 1 + mrehak + security-response-team + anon.amish + + + code + + + icesalov + + + jonathansteffan + + + jorton + + + lilhuang + + + luhliari + + + mkaplan + + + yjog + + + yozone + + + + + If docs needed, set a value + A flaw was found in squid. An out-of-bounds read in the WCCP protocol can be leveraged as part of a chain for remote code execution leading to an information disclosure. The highest threat from this vulnerability is to data confidentiality. + --- + + + + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 14879868 + 0 + mrehak + 2021-03-17 10:28:46 +0000 + In some configurations, squid allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody. + + 14879877 + 1 + mrehak + 2021-03-17 10:29:37 +0000 + Created squid tracking bugs for this issue: + +Affects: fedora-all [bug 1939940] + + 14887711 + 2 + mcascell + 2021-03-19 09:28:58 +0000 + External References: + +https://www.zerodayinitiative.com/advisories/ZDI-21-157/ + + 14887755 + 3 + mcascell + 2021-03-19 09:41:24 +0000 + *** Bug 1934558 has been marked as a duplicate of this bug. *** + + + + + + + \ No newline at end of file diff --git a/fedora/testdata/fixtures/fedora35/bugzilla/2016089.xml b/fedora/testdata/fixtures/fedora35/bugzilla/2016089.xml new file mode 100644 index 00000000..06329fe7 --- /dev/null +++ b/fedora/testdata/fixtures/fedora35/bugzilla/2016089.xml 
@@ -0,0 +1,168 @@ + + + + + + 2016089 + CVE-2021-2478 + 2021-10-20 18:38:31 +0000 + CVE-2021-2478 mysql: Server: DML unspecified vulnerability (CPU Oct 2021) + 2021-10-28 20:32:33 +0000 + 1 + 1 + 3 + Other + Security Response + vulnerability + unspecified + All + Linux + NEW + + + + + + Security + medium + medium + --- + 2018324 + + + 2018325 + + + 2018326 + + + 2016141 + + + 2016142 + 2016154 + 1 + gsuckevi + security-response-team + damien.ciabrini + + + databases-maint + + + dbecker + + + dciabrin + + + hhorak + + + jjoyce + + + jorton + + + jschluet + + + lhh + + + ljavorsk + + + lpeer + + + mbayer + + + mburns + + + mkocka + + + mmuzila + + + mschorm + + + sclewis + + + slinaber + + + SpikeFedora + + + + mysql 8.0.27 + If docs needed, set a value + + --- + + + + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 15604558 + 0 + gsuckevi + 2021-10-20 18:38:31 +0000 + Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. + +External References: + +http://www.oracle.com/security-alerts/cpuoct2021.html#AppendixMSQL + + 15604667 + 1 + gsuckevi + 2021-10-20 18:52:11 +0000 + Created community-mysql tracking bugs for this issue: + +Affects: fedora-all [bug 2016141] + + +Created mysql:8.0/community-mysql tracking bugs for this issue: + +Affects: fedora-all [bug 2016142] + + + + + + + \ No newline at end of file diff --git a/fedora/testdata/fixtures/fedora35/bugzilla/2016090.xml b/fedora/testdata/fixtures/fedora35/bugzilla/2016090.xml new file mode 100644 index 00000000..92159cf1 --- /dev/null 
+++ b/fedora/testdata/fixtures/fedora35/bugzilla/2016090.xml @@ -0,0 +1,168 @@ + + + + + + 2016090 + CVE-2021-2479 + 2021-10-20 18:38:36 +0000 + CVE-2021-2479 mysql: Server: DML unspecified vulnerability (CPU Oct 2021) + 2021-10-28 20:32:42 +0000 + 1 + 1 + 3 + Other + Security Response + vulnerability + unspecified + All + Linux + NEW + + + + + + Security + medium + medium + --- + 2018324 + + + 2018325 + + + 2018326 + + + 2016141 + + + 2016142 + 2016154 + 1 + gsuckevi + security-response-team + damien.ciabrini + + + databases-maint + + + dbecker + + + dciabrin + + + hhorak + + + jjoyce + + + jorton + + + jschluet + + + lhh + + + ljavorsk + + + lpeer + + + mbayer + + + mburns + + + mkocka + + + mmuzila + + + mschorm + + + sclewis + + + slinaber + + + SpikeFedora + + + + mysql 8.0.27 + If docs needed, set a value + + --- + + + + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 15604560 + 0 + gsuckevi + 2021-10-20 18:38:36 +0000 + Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. + +External References: + +http://www.oracle.com/security-alerts/cpuoct2021.html#AppendixMSQL + + 15604656 + 1 + gsuckevi + 2021-10-20 18:50:32 +0000 + Created community-mysql tracking bugs for this issue: + +Affects: fedora-all [bug 2016141] + + +Created mysql:8.0/community-mysql tracking bugs for this issue: + +Affects: fedora-all [bug 2016142] + + + + + + + \ No newline at end of file diff --git a/fedora/testdata/fixtures/fedora35/bugzilla/2016142.xml b/fedora/testdata/fixtures/fedora35/bugzilla/2016142.xml new file mode 100644 index 00000000..940ff33b 
--- /dev/null +++ b/fedora/testdata/fixtures/fedora35/bugzilla/2016142.xml 
@@ -0,0 +1,230 @@ + + + + + + 2016142 + + 2021-10-20 18:49:11 +0000 + CVE-2021-2478 CVE-2021-2479 CVE-2021-2481 CVE-2021-35546 CVE-2021-35575 CVE-2021-35577 CVE-2021-35591 CVE-2021-35596 CVE-2021-35597 CVE-2021-35602 CVE-2021-35604 CVE-2021-35607 CVE-2021-35608 ... mysql:8.0/community-mysql: various flaws [fedora-all] + 2021-11-10 00:48:53 +0000 + 1 + 1 + 2 + Fedora + Fedora + community-mysql + 34 + Unspecified + Unspecified + CLOSED + ERRATA + + + + + Security, SecurityTracking + high + medium + --- + + 2016089 + + + 2016090 + + + + 1 + gsuckevi + mschorm + hhorak + + + ljavorsk + + + mmuzila + + + mschorm + + extras-qa + + + No Doc Update + + --- + + + 2021-11-09 00:21:48 + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 15604648 + 0 + gsuckevi + 2021-10-20 18:49:11 +0000 + +This is an automatically created tracking bug! It was created to ensure +that one or more security vulnerabilities are fixed in affected versions +of fedora-all. + +For comments that are specific to the vulnerability please use bugs filed +against the "Security Response" product referenced in the "Blocks" field. + +For more information see: +http://fedoraproject.org/wiki/Security/TrackingBugs + +When submitting as an update, use the fedpkg template provided in the next +comment(s). This will include the bug IDs of this tracking bug as well as +the relevant top-level CVE bugs. + +Please also mention the CVE IDs being fixed in the RPM changelog and the +fedpkg commit message. + +NOTE: this issue affects multiple supported versions of Fedora. While only +one tracking bug has been filed, please correct all affected versions at +the same time. If you need to fix the versions independent of each other, +you may clone this bug as appropriate. 
+ + + 15604649 + 1 + gsuckevi + 2021-10-20 18:49:13 +0000 + Use the following template to for the 'fedpkg update' request to submit an +update for this issue as it contains the top-level parent bug(s) as well as +this tracking bug. This will ensure that all associated bugs get updated +when new packages are pushed to stable. ===== + +# bugfix, security, enhancement, newpackage (required) type=security + +# low, medium, high, urgent (required) severity=high + +# testing, stable request=testing + +# Bug numbers: 1234,9876 bugs=2016088,2016089,2016090,2016091,2016092,2016093,2016094,2016095,2016096,2016097,2016098,2016099,2016100,2016101,2016104,2016105,2016106,2016107,2016108,2016109,2016110,2016111,2016112,2016113,2016114,2016116,2016117,2016118,2016119,2016120,2016121,2016122,2016124,2016126,2016127,2016128,2016129,2016130,2016131,2016132,2016133,2016134,2016135,2016137,2016138,2016142 + +# Description of your update notes=Security fix for [PUT CVEs HERE] + +# Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 + +# Automatically close bugs when this marked as stable close_bugs=True + +# Suggest that users restart after update suggest_reboot=False ====== + +Additionally, you may opt to use the bodhi web interface to submit updates: + +https://bodhi.fedoraproject.org/updates/new + + + 15631117 + 2 + updates + 2021-10-31 17:53:07 +0000 + FEDORA-MODULAR-2021-aba3bac39d has been submitted as an update to Fedora 33 Modular. https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-aba3bac39d + + + 15631118 + 3 + updates + 2021-10-31 17:53:07 +0000 + FEDORA-MODULAR-2021-217f84c072 has been submitted as an update to Fedora 35 Modular. https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-217f84c072 + + + 15631451 + 4 + updates + 2021-11-01 00:21:36 +0000 + FEDORA-MODULAR-2021-217f84c072 has been pushed to the Fedora 35 Modular testing repository. 
+ +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-217f84c072 + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + + 15631454 + 5 + updates + 2021-11-01 00:26:32 +0000 + FEDORA-MODULAR-2021-aba3bac39d has been pushed to the Fedora 33 Modular testing repository. + +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-aba3bac39d + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + + 15631455 + 6 + updates + 2021-11-01 00:29:18 +0000 + FEDORA-MODULAR-2021-2292d9e442 has been pushed to the Fedora 34 Modular testing repository. + +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2021-2292d9e442 + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + + 15662966 + 7 + updates + 2021-11-09 00:21:48 +0000 + FEDORA-MODULAR-2021-217f84c072 has been pushed to the Fedora 35 Modular stable repository. +If problem still persists, please make note of it in this bug report. + + + 15663097 + 8 + updates + 2021-11-09 00:23:13 +0000 + FEDORA-MODULAR-2021-aba3bac39d has been pushed to the Fedora 33 Modular stable repository. +If problem still persists, please make note of it in this bug report. + + + 15663199 + 9 + updates + 2021-11-09 00:24:19 +0000 + FEDORA-MODULAR-2021-2292d9e442 has been pushed to the Fedora 34 Modular stable repository. +If problem still persists, please make note of it in this bug report. + + + 15671186 + 10 + updates + 2021-11-10 00:48:53 +0000 + FEDORA-MODULAR-2021-217f84c072 has been pushed to the Fedora 35 Modular stable repository. +If problem still persists, please make note of it in this bug report. + + + + + + + \ No newline at end of file 
diff --git a/fedora/testdata/fixtures/fedora35/bugzilla/2035949.xml b/fedora/testdata/fixtures/fedora35/bugzilla/2035949.xml new file mode 100644 index 00000000..64389279 --- /dev/null +++ b/fedora/testdata/fixtures/fedora35/bugzilla/2035949.xml 
@@ -0,0 +1,203 @@ + + + + + + 2035949 + + 2021-12-28 18:52:04 +0000 + log4j-2.17.1 is available + 2022-01-06 01:11:38 +0000 + 1 + 1 + 2 + Fedora + Fedora + log4j + rawhide + Unspecified + Unspecified + CLOSED + ERRATA + + + + + FutureFeature, Triaged + unspecified + unspecified + --- + + + 1 + upstream-release-monitoring + paul.wouters + dbhole + + + devrim + + + java-sig-commits + + + mizdebsk + + + paul.wouters + + extras-qa + + log4j-2.17.1-1.fc34 log4j-2.17.1-1.fc35 + --- + + --- + + + 2022-01-06 00:51:24 + --- + --- + --- + --- + + + --- + --- + + --- + + + + + + + --- + + 0 + + + + + + + + oldest_to_newest + + 15802218 + 0 + upstream-release-monitoring + 2021-12-28 18:52:04 +0000 + Latest upstream release: 2.17.1 +Current version/release in rawhide: 2.17.0-1.fc36 +URL: http://www.apache.org/dist/logging/log4j + +Please consult the package updates policy before you issue an update to a stable branch: https://docs.fedoraproject.org/en-US/fesco/Updates_Policy/ + + +More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring + + +Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. 
+ + +Based on the information from Anitya: https://release-monitoring.org/project/1836/ + + 15802219 + 1 + 1848115 + upstream-release-monitoring + 2021-12-28 18:52:12 +0000 + Created attachment 1848115 +Update to 2.17.1 (#2035949) + + 15802220 + 2 + upstream-release-monitoring + 2021-12-28 18:56:03 +0000 + the-new-hotness/release-monitoring.org's scratch build of log4j-2.17.1-1.fc34.src.rpm for rawhide completed http://koji.fedoraproject.org/koji/taskinfo?taskID=80578862 + + 15802289 + 3 + updates + 2021-12-28 21:42:56 +0000 + FEDORA-2021-c6f471ce0f has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c6f471ce0f + + 15802299 + 4 + updates + 2021-12-28 22:19:49 +0000 + FEDORA-2021-1bd9151bab has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-1bd9151bab + + 15802369 + 5 + updates + 2021-12-29 01:04:02 +0000 + FEDORA-2021-1bd9151bab has been pushed to the Fedora 34 testing repository. +Soon you'll be able to install the update with the following command: +`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-1bd9151bab` +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-1bd9151bab + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + 15802391 + 6 + updates + 2021-12-29 01:12:48 +0000 + FEDORA-2021-c6f471ce0f has been pushed to the Fedora 35 testing repository. +Soon you'll be able to install the update with the following command: +`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c6f471ce0f` +You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c6f471ce0f + +See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. + + 15815086 + 7 + updates + 2022-01-06 00:51:24 +0000 + FEDORA-2021-1bd9151bab has been pushed to the Fedora 34 stable repository. 
+If problem still persists, please make note of it in this bug report. + + 15815129 + 8 + updates + 2022-01-06 01:11:38 +0000 + FEDORA-2021-c6f471ce0f has been pushed to the Fedora 35 stable repository. +If problem still persists, please make note of it in this bug report. + + + + 1848115 + 2021-12-28 18:52:12 +0000 + 2021-12-28 18:52:12 +0000 + Update to 2.17.1 (#2035949) + 0001-Update-to-2.17.1-2035949.patch + text/plain + 981 + upstream-release-monitoring + + RnJvbSA4MzY3Y2EyN2MxYjRlMGEwMjMzMzk2NjdmZWYyYzgzZmM3Zjc3MWNkIE1vbiBTZXAgMTcg +MDA6MDA6MDAgMjAwMQpGcm9tOiBGZWRvcmEgUmVsZWFzZSBNb25pdG9yaW5nIDxyZWxlYXNlLW1v +bml0b3JpbmdAZmVkb3JhcHJvamVjdC5vcmc+CkRhdGU6IFR1ZSwgMjggRGVjIDIwMjEgMTg6NTI6 +MTEgKzAwMDAKU3ViamVjdDogW1BBVENIXSBVcGRhdGUgdG8gMi4xNy4xICgjMjAzNTk0OSkKCi0t +LQogbG9nNGouc3BlYyB8IDUgKysrKy0KIDEgZmlsZSBjaGFuZ2VkLCA0IGluc2VydGlvbnMoKyks +IDEgZGVsZXRpb24oLSkKCmRpZmYgLS1naXQgYS9sb2c0ai5zcGVjIGIvbG9nNGouc3BlYwppbmRl +eCBmNGJhM2ZjLi5hMDYxZDMyIDEwMDY0NAotLS0gYS9sb2c0ai5zcGVjCisrKyBiL2xvZzRqLnNw +ZWMKQEAgLTEsNyArMSw3IEBACiAlYmNvbmRfd2l0aG91dCAganBfbWluaW1hbAogCiBOYW1lOiAg +ICAgICAgICAgbG9nNGoKLVZlcnNpb246ICAgICAgICAyLjE3LjAKK1ZlcnNpb246ICAgICAgICAy +LjE3LjEKIFJlbGVhc2U6ICAgICAgICAxJXs/ZGlzdH0KIFN1bW1hcnk6ICAgICAgICBKYXZhIGxv +Z2dpbmcgcGFja2FnZQogQnVpbGRBcmNoOiAgICAgIG5vYXJjaApAQCAtMjg0LDYgKzI4NCw5IEBA +IHJtIC1yIGxvZzRqLTEuMi1hcGkvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2xvZzRqL29yL2pt +cwogCiAKICVjaGFuZ2Vsb2cKKyogVHVlIERlYyAyOCAyMDIxIEZlZG9yYSBSZWxlYXNlIE1vbml0 +b3JpbmcgPHJlbGVhc2UtbW9uaXRvcmluZ0BmZWRvcmFwcm9qZWN0Lm9yZz4gLSAyLjE3LjEtMQor +LSBVcGRhdGUgdG8gMi4xNy4xICgjMjAzNTk0OSkKKwogKiBTYXQgRGVjIDE4IDIwMjEgUGF1bCBX +b3V0ZXJzIDxwYXVsLndvdXRlcnNAYWl2ZW4uaW8+IC0gMi4xNy4wLTEKIC0gVXBkYXRlIGxvZzRq +IHRvIDIuMTcuMCBmb3IgQ1ZFLTIwMjEtNDUxMDUgRGVuaWFsIG9mIFNlcnZpY2UgYXR0YWNrCiAK +LS0gCjIuMzEuMQoK + + + + + + + + \ No newline at end of file 
diff --git a/fedora/testdata/fixtures/fedora35/packages/mysql/8.0/3520211031142409.f27b74a8/modulemd.x_86_64.txt b/fedora/testdata/fixtures/fedora35/packages/mysql/8.0/3520211031142409.f27b74a8/modulemd.x_86_64.txt new file mode 100644 index 00000000..408eb55f --- /dev/null +++ b/fedora/testdata/fixtures/fedora35/packages/mysql/8.0/3520211031142409.f27b74a8/modulemd.x_86_64.txt 
@@ -0,0 +1,72 @@ +--- +document: modulemd +version: 2 +data: + name: mysql + stream: "8.0" + version: 3520211031142409 + context: f27b74a8 + arch: x86_64 + summary: MySQL Module + description: >- + MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server + implementation consisting of a server daemon (mysqld) and many different client + programs and libraries. The base package contains the standard MySQL client programs + and generic MySQL files. + license: + module: + - MIT + content: + - GPLv2 with exceptions and LGPLv2 and BSD + xmd: {} + dependencies: + - buildrequires: + platform: [f35] + requires: + platform: [f35] + profiles: + client: + description: Client. + rpms: + - community-mysql + devel: + description: Devel package. + rpms: + - community-mysql-devel + server: + description: Base server. + rpms: + - community-mysql-server + api: + rpms: + - community-mysql + - community-mysql-server + buildopts: + rpms: + macros: > + %runselftest 0 + + %check_testsuite 1 + components: + rpms: + community-mysql: + rationale: The main component. 
+ ref: 81249e56 + arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] + artifacts: + rpms: + - community-mysql-0:8.0.27-1.module_f35+13269+c9322734.src + - community-mysql-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-common-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-debuginfo-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-debugsource-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-devel-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-devel-debuginfo-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-errmsg-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-libs-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-libs-debuginfo-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-server-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-server-debuginfo-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-test-0:8.0.27-1.module_f35+13269+c9322734.x86_64 + - community-mysql-test-debuginfo-0:8.0.27-1.module_f35+13269+c9322734.x86_64 +... diff --git a/fedora/testdata/fixtures/fedora35/packages/nodejs/12/3520220113124632.f27b74a8/modulemd.x_86_64.txt b/fedora/testdata/fixtures/fedora35/packages/nodejs/12/3520220113124632.f27b74a8/modulemd.x_86_64.txt new file mode 100644 index 00000000..42ae7397 --- /dev/null +++ b/fedora/testdata/fixtures/fedora35/packages/nodejs/12/3520220113124632.f27b74a8/modulemd.x_86_64.txt 
@@ -0,0 +1,101 @@ +--- +document: modulemd +version: 2 +data: + name: nodejs + stream: "12" + version: 3520220113124632 + context: f27b74a8 + arch: x86_64 + summary: Javascript runtime + description: >- + Node.js is a platform built on Chrome''s JavaScript runtime for easily building + fast, scalable network applications. Node.js uses an event-driven, non-blocking + I/O model that makes it lightweight and efficient, perfect for data-intensive + real-time applications that run across distributed devices. + license: + module: + - MIT + content: + - MIT + - MIT and ASL 2.0 and ISC and BSD + - MIT and BSD and ISC + xmd: {} + dependencies: + - buildrequires: + platform: [f35] + requires: + platform: [f35] + references: + community: http://nodejs.org + documentation: http://nodejs.org/en/docs + tracker: https://github.com/nodejs/node/issues + profiles: + default: + rpms: + - nodejs + - npm + development: + rpms: + - nodejs + - nodejs-devel + - npm + minimal: + rpms: + - nodejs + api: + rpms: + - nodejs + - nodejs-devel + - npm + components: + rpms: + c-ares: + rationale: Required for DNS support + ref: rawhide + arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] + libuv: + rationale: Platform abstraction layer for Node.js + ref: 1 + arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] + nghttp2: + rationale: Needed for HTTP2 support + ref: rawhide + arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] + nodejs: + rationale: Javascript runtime and npm package manager. 
+ ref: 12 + buildorder: 10 + arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] + artifacts: + rpms: + - c-ares-0:1.17.2-1.module_f35+12821+0ca3efb5.src + - c-ares-0:1.17.2-1.module_f35+12821+0ca3efb5.x86_64 + - c-ares-debuginfo-0:1.17.2-1.module_f35+12821+0ca3efb5.x86_64 + - c-ares-debugsource-0:1.17.2-1.module_f35+12821+0ca3efb5.x86_64 + - c-ares-devel-0:1.17.2-1.module_f35+12821+0ca3efb5.x86_64 + - libnghttp2-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 + - libnghttp2-debuginfo-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 + - libnghttp2-devel-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 + - libuv-1:1.43.0-2.module_f35+13659+5e1a357e.src + - libuv-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 + - libuv-debuginfo-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 + - libuv-debugsource-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 + - libuv-devel-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 + - libuv-static-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 + - nghttp2-0:1.46.0-1.module_f35+13659+5e1a357e.src + - nghttp2-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 + - nghttp2-debuginfo-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 + - nghttp2-debugsource-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 + - nodejs-1:12.22.9-1.module_f35+13659+5e1a357e.src + - nodejs-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 + - nodejs-debuginfo-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 + - nodejs-debugsource-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 + - nodejs-devel-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 + - nodejs-docs-1:12.22.9-1.module_f35+13659+5e1a357e.noarch + - nodejs-full-i18n-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 + - nodejs-libs-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 + - nodejs-libs-debuginfo-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 + - npm-1:6.14.15-1.12.22.9.1.module_f35+13659+5e1a357e.x86_64 + - v8-devel-2:7.8.279.23-1.12.22.9.1.module_f35+13659+5e1a357e.x86_64 +... 
diff --git a/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Everything/x86_64/repodata/repomd.xml b/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Everything/x86_64/repodata/repomd.xml new file mode 100644 index 00000000..7098c42a --- /dev/null +++ b/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Everything/x86_64/repodata/repomd.xml 
@@ -0,0 +1,141 @@ + + + 1642646054 + + 5046f3d1a5ce19c5f710f4d54ac851171bfa88a08462faa1ec6ee083c480f620 + a18354e57209837436518201a60127d532888eaca316dde30bcb3877e66f2194 + + 1642645871 + 3580171 + 36619307 + + + 5d221a6834ab9bea5486d42806309090e2f2cd7fb13b5ac2dd21c895aaaa8e53 + de2173dedcf78a85b1d1dc6818f9830402b0ef28d857d9a5d276c833e7dc7747 + + 1642645871 + 19746880 + 282983426 + + + 25a592259221522153ea69f527f913428515e1ba5622841c613533c03ebbe83d + d3771b0a2e4056133fc9f8578e583b3974686dab01005f94d1a9645f29786522 + + 1642645871 + 1827873 + 26636133 + + + 5054aa3637fa16aa2fb872e877e9c1fb2a4bf5d9f14c810bf70863ed6032c183 + cd7a6178aec18e26bee20808f377d908b8af2ed7b88270d06cffc7cd542c8a3d + + 1642645879 + 7745096 + 37715968 + 10 + + + 8e9b0a587206851414d0b837555ef9e282c5185046e0aafaed0c78f5b994558a + 325d6fbf3e44bdb9caf8ef1df077e90df2f3ddf359b195b3dcfded7706fbf479 + + 1642645887 + 18173862 + 122699776 + 10 + + + 5a7cf7784bae64deee1efd15c0f4572f557fbc0c4d0f41a6d7fbe0202a86df85 + 55b5506e61c7f3d3934fab617dbd9759ac138fe08d44e19e8994486a15517543 + + 1642645878 + 3160272 + 22859776 + 10 + + + a075db8dc38d6fd254f9bd87e3ae5627b988bebb1681569f98f9bc4d85ad7559 + a18354e57209837436518201a60127d532888eaca316dde30bcb3877e66f2194 + 77ab40d660924ae46efe2cfd3f2f6aad912e575b58e4ed5c106760883bd2743c + + 1642645871 + 3597376 + 36619307 + 80601 + + + ca999b8defd8eab2ae16761c680d2924da380156e179fde0dee9b6aae89c82fb + de2173dedcf78a85b1d1dc6818f9830402b0ef28d857d9a5d276c833e7dc7747 + a5f0819e3d2f203d2bcee1c486cd76fda86311f2567b0764def1bb13017dcdb1 + + 1642645871 + 16838264 + 282983426 + 81439 + + + ff280d92fdb3deda0c2421c6ba52ac737269556c5449b2adfca3548a920d35f2 + d3771b0a2e4056133fc9f8578e583b3974686dab01005f94d1a9645f29786522 + 5c87762fed32353701cc59806f0d92dc69fb87714a51cd93b5306e2312cdede9 + + 1642645871 + 1839257 + 26636133 + 80335 + + + 813de6fd9086e93e921499eb8de1d3bbd441d3b66329e20144c7f5f1371b2d90 + + 1642645477 + 1751762 + + + 
542692920a858c8d48f07e9f30afc0fa3606d4eec5e955a9f5ee6ff4af9bd5fd + + 1642645871 + 431892 + + + 969e34a7f66db6d46ad2823080fad383390eb08bee373e96f419eea80c388925 + 542692920a858c8d48f07e9f30afc0fa3606d4eec5e955a9f5ee6ff4af9bd5fd + b4407e38d7facf7cfffd55adefef61a2b604b22760d1bf8da8f2e1606fecc2da + + 1642645889 + 475927 + 431892 + 1220 + + + 3ffd33a8c8d1ce47a78b0dc68e9ce71bf18e8210aed16f69c5518d81e03c2e9d + 4389fe25b55fdc2cbe1484706c7411f3905e3bf5fd60beca162d2741e32f19a3 + + 1642646054 + 18859 + 99093 + + + cd3ff74b3ae2e94383b47470858c0469764c950a94d70e44c7919d8c73f008e7 + 4389fe25b55fdc2cbe1484706c7411f3905e3bf5fd60beca162d2741e32f19a3 + + 1642646054 + 61725 + 99093 + + + b6ef546647cc1eec21179c13bfbaf5dbbb173614651af918b40686b167258bf9 + 6bbec35a31434be1a20f1532f0f4008e42971017b198e6c35ade7f169464ee3a + + 1642689621 + 1298680 + 27924820 + + + 74eedf622edc6d3be165c62d0c35ef9a3b99a88338974bb3511f2368b78577e1 + 6bbec35a31434be1a20f1532f0f4008e42971017b198e6c35ade7f169464ee3a + 6da0f528d25d6dd4543eb47a3a15e377bcc57b07f3026a54a881c4fc5d8eec57 + + 1642689625 + 1606369 + 27924820 + 8531 + + \ No newline at end of file 
diff --git a/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Everything/x86_64/repodata/updateinfo.xml.xz b/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Everything/x86_64/repodata/updateinfo.xml.xz new file mode 100644 index 0000000000000000000000000000000000000000..f86c21b1d75b3e08d16dd3da330192821ee222fb GIT binary patch literal 1732 zcmV;#20QuvH+ooF000E$*0e?f03iVu0001VFXf})I-drDT>u^r%ZCxz&SsGhgC5HL zdo$F3>9^V_F?JZEE)^a5ymM%pF!2-{0ypF2e0-F-Cb^?$mkjIIqM2Pqu-` zU868LX`3Qr#|N-3Na@i5-G}9t@(QW`{6hH-KTFj?yzJylqdC=vFfw}pG%EHj$;D){ z$%{d|Vo~g{N_66}#x^0M1}=(4<5YBWxoqKZNUK{Y7osDcMHk!7)q*ueK!(Ibi&w`+ zM?uFNF6otWdmSe%JFuZKPLWc%xlA~Fl~Q7Flo?J~$C*L5PtvL#tM|m|hLO+zOkEMg z=UtDqK{foH5veoh)m1;^tP2XFv7F}~K!4K>YzlU~+pKIF4$OKWdCoX!klh^o7syo} z=*#p`H5Pe?6fTu7D_w65!`=Qv;xGH&3Q9(S`3HGDU3d?^U^*0-lrKK5Q;ur7g1Rjz zhzhg=mG3C+4L8AI!sXuh{GcQwWW%Yk{P5zD9udWa9^rv0Kzip*WNF_E;h3wuDh7;b zz@tD@UrNObSyz8E+K?@w)7{1=h~&c6eae(ifoT?D-O9bY!-uL6q5&0^j;QBUaUcH8|D1F= z@j_2?KpEIn+}G>J-L;$gb1;mC#zK= zZ>~|HMT(D@wCFXyzM-c(`fy+I)}%y*HQwJC$_|Ug=jh5B+!Pyq{X6nQ{Ei#X*MV~j zU@<$9om7dM(@9Qm z8rGPcVaPV5uTRD|u-S;16^K&~L*&V@0772ae(W#1uW8cAh3bX3+Co$CXZYEpIBJ%> zYULG^A7zCxC z6mVdxgzAZJk4%2H^?#dFKFR$d)!fy7@PDw-{HM+cZBrjbcU64LyQLfLljL#8YuqYeM%HkLq}@e zv488sx$M508Mf=3osQ1@p=ts;Zss#ai28l`U%(Xytd_CHWN5bH!{d zy5Sx)?XDBgT9(LCs8-;iQ(^rzOB->^U3PJ(mVWnI|Kfxg19JmBTbzk-pWEg8qz*2& zgz%1DC@RP`;JJ1msYaHuN-~p42C!!9LW4wD-LMY1vL4b + + 1642733004 + + f37bc6f3a31f62514fd1abfa9317bfce8533e2f03b26a7e00e3550c3c84e9b84 + a1ec0184871e22fa3f0ba180f02e58a9d492e581eb7dc92a63ac80c3fe8ebf46 + + 1642733004 + 305912 + 3407814 + + + 198961f2785e1f7ea187db2532e974a8cfefe3a7f1a1d341bc75efceb39638fd + b8ca81ab7567733bd99c4aec777f8d6e500723b0ed6b49789998c97c5a6d08bb + + 1642733004 + 2256028 + 30128643 + + + 2ebb4ee3a2cbbb26e5f69f9a8a2840e317060f66a409be02e171f97daa9c73fb + 66abb00a5d76af1248ee2f4634af96b10615420d50b1129b812c0bb7c861e0cc + + 1642733004 + 150357 + 2818159 + + + 
bae981ee5a5ab5dc45e1170d2367f6e2354a1001507e299dc695981f5dd4c6fc + a1ec0184871e22fa3f0ba180f02e58a9d492e581eb7dc92a63ac80c3fe8ebf46 + ebbe24ba710107696e924f4b437fbb63797b2c405b2284974cae7e08d53db239 + + 1642733004 + 573369 + 3407814 + 25814 + + + a141ae92a61821ac59bf9501893bd84d7785399160dcc426ed8dac6bf8d4832c + b8ca81ab7567733bd99c4aec777f8d6e500723b0ed6b49789998c97c5a6d08bb + acdd511a67e6f35bd269054f5a5ac8eb5e58271989947e01fede16b4ef9e7f88 + + 1642733004 + 2380192 + 30128643 + 25889 + + + ccb0776d46bc303530739ab5fae984aed539f1725d03cc2e910518c2902dac6a + 66abb00a5d76af1248ee2f4634af96b10615420d50b1129b812c0bb7c861e0cc + 5a962868250c21a78169a57ca4d38b32c2c3383f30e2b22673896631997bb36b + + 1642733004 + 612957 + 2818159 + 25787 + + + 2b21df5b61d71cd0e659df336d7ae2fef620e063ac8712b032f255e0c2e644f1 + 8f8581ac548f3af589b240d087c11c99789c099612e132512c1b7fd7429caf84 + + 1642733004 + 32302 + 305758 + + + 1d50678710e81963bc958b871f1af579d91d5a63cfa47f8d53e4422b9ffcad22 + 2e2e421fcf6ea96e72964d40a2b44ed37f744d7cb12f9338bca7f326c8374c60 + + 1642733022 + 3248 + 14310 + + + 508c214ed5aa72ab50a817ec08ea6c034ef4b6aeb1cd408e6e34e15cac66473a + 2e2e421fcf6ea96e72964d40a2b44ed37f744d7cb12f9338bca7f326c8374c60 + 1a8e2364b84fbb0e3f3b9783d1ab9588c52753e07d6382af11dd53885215c3ba + + 1642733022 + 4182 + 14310 + 135 + + \ No newline at end of file 
diff --git a/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/updateinfo.xml.xz b/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/updateinfo.xml.xz new file mode 100644 index 0000000000000000000000000000000000000000..a1b8cbc164a04cfa2ae93ccac21455d30eb38098 GIT binary patch literal 2176 zcmV-`2!HqeH+ooF000E$*0e?f03iVu0001VFXf})7-a}QT>u^r%ZCxz&SsGhgC5HL zdo$F3>9^V_F?JZEE)^a5ymM%pF!2-{0ypF2e0-F-Cb^?$mkjIIqM2Pqu-` zU868LX`3Qr#|N-3Na@i5-G}9t@$9r=O)#s>jg_|Xn1pT>Sj-}XK@-kS2_Lbb0Lmch zEz34X7T#v$C8I-dJ|Lk#Z(X~_1kC~`%jf3;PiR=hp8QKYGxlz&mWx)~=G8o%gyyouMc(E`>Efdt%yBJ#sG zIIvAtdP#@zzO&3;nf8Bq*8uJVVGy!X#Wy#PD#zuWW9zSV)elW5x=5gAe7|Z?L1qCH zQ%nXbZZ_jq<8q`^yiBVVb#!vqJdiq)K-}tDp>lEf!7t=>z3I8f;iksPgSqFqihk6D zo6Y<#d3FCNjpD`^GU+^Sz!tB7P&Dx(r_V)o_tf9m6F)KJ!rD8l?ewI$rj5>6Hke7I z7s3HUn@VFJbinsL-R+LSTfKN-)}_@CFoeYp2xYHz?AyRu}# z3zWsi17xJ}Gxx8NI_w6dsJ21gLzxIrhHT!HJT!OXH)>tPWIK6;pXNLiFZV9oj==Gv zk3g0@wH{EBtp2}TB$on;b5pt7Q$Gp@M2xi6FQ~1jb@PTa$wkuj0oNy3b>=HYdZ~^t zy)sv$%6QU{OriII5!-S+zkeNY{7Ute*`-zPT7zlxMN?&?W|7yB(uhFw&EA|M!bgON zXmvc-{3oYW%kv#-3j%OtQHTShgPC_k;Q$a9_Ow{K6W7jIjad|<1rHSn44`6V;q-i3 zKkFw`1Bl3P+70YYO>d&850Q-nS(&cGx`S3yr~t8}ve#E{^atc5QA+kK=#OOF0X%Bb zSDZB4T`=a7jeXZVivdp^BWrq?=XXTcLMkUHIouLaXQsOGMjeD*s79WuMC%07DIOyt zGFVj8LcFqbi)?L^i$=~x?+ta<=Tj9)($zj-Y{Oq~Z-AzIgu4%I@qYXlu5YnjQM1^e zbyFzYeOKI#g3|8E=D`V5Mn<#LK(8;)5<^@JLurkA9gZ|*n)lk}j_j{uU>rnP#nEvk1 zMr}odUbULF&7I23ozaH6b|K5v6fT``86w6}N`)mW9H$ziO*Df|BkxhuWe#e+g47tN za(r2xWciTIH7L`fyB<$K!-ArVy2dwx&dA4V0i}#wYQrY=#jYx4gR$1nTA!A|_n4-G zcrzJcV~QVpBl0xV!Ed}9PUjNh1co|_9vah=%l960kjuk8-B&bJnXyOdvzF&+Ty(iI zg5ZA+znRCy&qI`6hVH9#cmW}0`Ar;7%1ycwqzCULDnyCMDkvNI-th4Tjbjgy#6&ad z-6k8J^TEvFk29iljC@>BE6~Ot&s76`Ws{{S!Wq_}RSr|c(E+;!ZNJxoh!^`}z3q)` zLz6NhfhnG)iWXV~I*Lz>yC2mMIuMs<$sdqEJ^Gs!o9gVS`ka__4+|FS5Yz?qn5_j# zoH$Yfh_;StK3uyFQHg=Hh8}J@h41TOa8lCRJ} zjYj)BEj*7~KU-#O@<#L7tRYSp5%|F% zN$02sK~bQbl-BV^u5rxD{Bp%OV`2XNfu>Yq6wd_gVijhfmR`e~QMq;lM8WPplKnQU 
zp&PIF1T$c@%%V1G0-wcDTf4lRFASwd$6)MZ@f4^=KG~@vHdi0xYBIMFDik^#C#)kxyVIYR5@rxk_&(sZ9R(eNL1aX7S>+cqz zut8FkiiChF9@bFh%QwO1YIt(xtReU_OMszH1!%e-Ft4QDlHsiXN3uGXa;TQ~|;Y zzzBMiWlY|hqG*6!YpGr^wBLRVs$`0BPVZ+{`>QD%28JcBHtzVjcCIyRLQ534v2 zR~-TmxiNY_utE3T@thTwv;Y8MO+3Ghw#4E90oxGfFaQ9@R5J{*#Ao{g000001X)@o C5-Xqp literal 0 HcmV?d00001 diff --git a/fedora/testdata/golden/2020/FEDORA-EPEL-2020-2c80eb66b5.json b/fedora/testdata/golden/2020/FEDORA-EPEL-2020-2c80eb66b5.json new file mode 100644 index 00000000..e2136928 --- /dev/null +++ b/fedora/testdata/golden/2020/FEDORA-EPEL-2020-2c80eb66b5.json 
@@ -0,0 +1,244 @@ +{ + "id": "FEDORA-EPEL-2020-2c80eb66b5", + "title": "libASL-0.1.7-6.el7 matio-1.5.17-3.el7 openmeeg-2.4-0.4.rc4.el7", + "type": "security", + "issued": { + "date": "2020-08-11 00:29:02" + }, + "updated": { + "date": "2020-07-20 10:53:15" + }, + "severity": "Low", + "description": "Update to 1.5.17 fixing several CVEs (see bugs), rebuilt depending packages libASL and openmeeg (soversion bump)\n", + "packages": [ + { + "name": "libASL", + "epoch": "0", + "version": "0.1.7", + "release": "6.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/l/libASL-0.1.7-6.el7.x86_64.rpm", + "filename": "libASL-0.1.7-6.el7.x86_64.rpm" + }, + { + "name": "libASL-bin", + "epoch": "0", + "version": "0.1.7", + "release": "6.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/l/libASL-bin-0.1.7-6.el7.x86_64.rpm", + "filename": "libASL-bin-0.1.7-6.el7.x86_64.rpm" + }, + { + "name": "libASL-devel", + "epoch": "0", + "version": "0.1.7", + "release": "6.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/l/libASL-devel-0.1.7-6.el7.x86_64.rpm", + "filename": "libASL-devel-0.1.7-6.el7.x86_64.rpm" + }, + { + "name": "libASL-doc", + "epoch": "0", + "version": "0.1.7", + "release": "6.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/l/libASL-doc-0.1.7-6.el7.x86_64.rpm", + "filename": "libASL-doc-0.1.7-6.el7.x86_64.rpm" + }, + { + "name": "libASL-examples", + "epoch": "0", + "version": "0.1.7", + "release": "6.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/l/libASL-examples-0.1.7-6.el7.x86_64.rpm", + "filename": "libASL-examples-0.1.7-6.el7.x86_64.rpm" + }, + { + "name": "libASL-debuginfo", + "epoch": "0", + "version": "0.1.7", + "release": "6.el7", + "arch": "x86_64", + "src": 
"https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/l/libASL-debuginfo-0.1.7-6.el7.x86_64.rpm", + "filename": "libASL-debuginfo-0.1.7-6.el7.x86_64.rpm" + }, + { + "name": "matio", + "epoch": "0", + "version": "1.5.17", + "release": "3.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/m/matio-1.5.17-3.el7.x86_64.rpm", + "filename": "matio-1.5.17-3.el7.x86_64.rpm" + }, + { + "name": "matio-devel", + "epoch": "0", + "version": "1.5.17", + "release": "3.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/m/matio-devel-1.5.17-3.el7.x86_64.rpm", + "filename": "matio-devel-1.5.17-3.el7.x86_64.rpm" + }, + { + "name": "matio-debuginfo", + "epoch": "0", + "version": "1.5.17", + "release": "3.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/m/matio-debuginfo-1.5.17-3.el7.x86_64.rpm", + "filename": "matio-debuginfo-1.5.17-3.el7.x86_64.rpm" + }, + { + "name": "openmeeg", + "epoch": "0", + "version": "2.4", + "release": "0.4.rc4.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/o/openmeeg-2.4-0.4.rc4.el7.x86_64.rpm", + "filename": "openmeeg-2.4-0.4.rc4.el7.x86_64.rpm" + }, + { + "name": "openmeeg-devel", + "epoch": "0", + "version": "2.4", + "release": "0.4.rc4.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/o/openmeeg-devel-2.4-0.4.rc4.el7.x86_64.rpm", + "filename": "openmeeg-devel-2.4-0.4.rc4.el7.x86_64.rpm" + }, + { + "name": "python2-openmeeg", + "epoch": "0", + "version": "2.4", + "release": "0.4.rc4.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/p/python2-openmeeg-2.4-0.4.rc4.el7.x86_64.rpm", + "filename": "python2-openmeeg-2.4-0.4.rc4.el7.x86_64.rpm" + }, + { + "name": "openmeeg-doc", + "epoch": "0", + "version": "2.4", + 
"release": "0.4.rc4.el7", + "arch": "noarch", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/i386/o/openmeeg-doc-2.4-0.4.rc4.el7.noarch.rpm", + "filename": "openmeeg-doc-2.4-0.4.rc4.el7.noarch.rpm" + }, + { + "name": "openmeeg-debuginfo", + "epoch": "0", + "version": "2.4", + "release": "0.4.rc4.el7", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/7/x86_64/o/openmeeg-debuginfo-2.4-0.4.rc4.el7.x86_64.rpm", + "filename": "openmeeg-debuginfo-2.4-0.4.rc4.el7.x86_64.rpm" + } + ], + "module": {}, + "references": [ + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683942", + "id": "1683942", + "title": "CVE-2019-9033 matio: stack-based buffer over-read in function ReadNextCell() in mat5.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683947", + "id": "1683947", + "title": "CVE-2019-9034 matio: stack-based buffer over-read for a memcpy in function ReadNextCell() in mat5.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683986", + "id": "1683986", + "title": "CVE-2019-9035 matio: stack-based buffer over-read in function ReadNextStructField() in mat5.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683990", + "id": "1683990", + "title": "CVE-2019-9036 matio: heap-based buffer overflow in function ReadNextFunctionHandle() in mat5.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683993", + "id": "1683993", + "title": "CVE-2019-9037 matio: buffer over-read in function Mat_VarPrint() in mat.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684002", + "id": "1684002", + "title": "CVE-2019-9038 matio: out-of-bounds read with SEGV in function ReadNextCell() in mat5.c [epel-all]", + "type": "bugzilla" + }, + { + "href": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1684009", + "id": "1684009", + "title": "CVE-2019-9026 matio: heap-based buffer overflow in function InflateVarName() in inflate.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684014", + "id": "1684014", + "title": "matio: CVE-2019-02-9027 matio: heap-based buffer overflow in function ReadNextCell() in mat5.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684017", + "id": "1684017", + "title": "CVE-2019-9028 matio: stack-based buffer over-read in the function InflateDimensions() in inflate.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684020", + "id": "1684020", + "title": "CVE-2019-9029 matio: out-of-bounds read with SEGV in function Mat_VarReadNextInfo5() in mat5.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684025", + "id": "1684025", + "title": "CVE-2019-9030 matio: stack-based buffer over-read in Mat_VarReadNextInfo5() in mat5.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684041", + "id": "1684041", + "title": "CVE-2019-9032 matio: out-of-bounds write in function Mat_VarFree() in mat.c resulting in SEGV [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1685379", + "id": "1685379", + "title": "CVE-2019-9031 matio: null pointer dereference in function Mat_VarFree() in mat.c [epel-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1728478", + "id": "1728478", + "title": "CVE-2019-13107 matio: multiple interger overflow in mat.c, mat4.c, mat5.c, mat73.c and matvar_struct.c [epel-all]", + "type": "bugzilla" + } + ], + "cveids": [ + "CVE-2019-13107", + "CVE-2019-9026", + "CVE-2019-9027", + "CVE-2019-9028", + "CVE-2019-9029", + "CVE-2019-9030", + "CVE-2019-9031", + 
"CVE-2019-9032", + "CVE-2019-9033", + "CVE-2019-9034", + "CVE-2019-9035", + "CVE-2019-9036", + "CVE-2019-9037", + "CVE-2019-9038" + ] + } \ No newline at end of file diff --git a/fedora/testdata/golden/2021/FEDORA-2021-15d2f70a07.json b/fedora/testdata/golden/2021/FEDORA-2021-15d2f70a07.json new file mode 100644 index 00000000..aec9ab2b --- /dev/null +++ b/fedora/testdata/golden/2021/FEDORA-2021-15d2f70a07.json 
@@ -0,0 +1,87 @@ +{ + "id": "FEDORA-2021-15d2f70a07", + "title": "squid-5.2-1.fc35", + "type": "security", + "issued": { + "date": "2021-10-29 22:48:33" + }, + "updated": { + "date": "2021-10-05 23:15:00" + }, + "severity": "Important", + "description": "- version update to 5.2\n- security update", + "packages": [ + { + "name": "squid-debuginfo", + "epoch": "7", + "version": "5.2", + "release": "1.fc35", + "arch": "i686", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/s/squid-debuginfo-5.2-1.fc35.i686.rpm", + "filename": "squid-debuginfo-5.2-1.fc35.i686.rpm" + }, + { + "name": "squid", + "epoch": "7", + "version": "5.2", + "release": "1.fc35", + "arch": "i686", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/s/squid-5.2-1.fc35.i686.rpm", + "filename": "squid-5.2-1.fc35.i686.rpm" + }, + { + "name": "squid-debugsource", + "epoch": "7", + "version": "5.2", + "release": "1.fc35", + "arch": "i686", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/s/squid-debugsource-5.2-1.fc35.i686.rpm", + "filename": "squid-debugsource-5.2-1.fc35.i686.rpm" + }, + { + "name": "squid-debuginfo", + "epoch": "7", + "version": "5.2", + "release": "1.fc35", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/s/squid-debuginfo-5.2-1.fc35.x86_64.rpm", + "filename": "squid-debuginfo-5.2-1.fc35.x86_64.rpm" + }, + { + "name": "squid-debugsource", + "epoch": "7", + "version": "5.2", + "release": "1.fc35", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/s/squid-debugsource-5.2-1.fc35.x86_64.rpm", + "filename": "squid-debugsource-5.2-1.fc35.x86_64.rpm" + }, + { + "name": "squid", + "epoch": "7", + "version": "5.2", + "release": "1.fc35", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/s/squid-5.2-1.fc35.x86_64.rpm", + "filename": "squid-5.2-1.fc35.x86_64.rpm" + 
} + ], + "module": {}, + "references": [ + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1934559", + "id": "1934559", + "title": "squid: out-of-bounds read in WCCP protocol [fedora-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2010686", + "id": "2010686", + "title": "CVE-2021-41611 squid: improper certificate validation [fedora-all]", + "type": "bugzilla" + } + ], + "cveids": [ + "CVE-2021-41611" + ] + } \ No newline at end of file diff --git a/fedora/testdata/golden/2021/FEDORA-2021-5ffabdc080.json b/fedora/testdata/golden/2021/FEDORA-2021-5ffabdc080.json new file mode 100644 index 00000000..3f8bf61c --- /dev/null +++ b/fedora/testdata/golden/2021/FEDORA-2021-5ffabdc080.json 
@@ -0,0 +1,120 @@ +{ + "id": "FEDORA-2021-5ffabdc080", + "title": "chromium-94.0.4606.81-1.fc35", + "type": "security", + "issued": { + "date": "2021-10-29 22:48:33" + }, + "updated": { + "date": "2021-10-14 14:40:18" + }, + "severity": "Important", + "description": "Update to 94.0.4606.81. Built with is_official_build=true, which disables all sorts of debugging check functions that upstream turned on in 94. These debugging checks were failing and causing the program to crash in ... fun ways.\n\nIt also fixes the usual pile of security issues, most notably:\nCVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977 CVE-2021-37978 CVE-2021-37979 CVE-2021-37980", + "packages": [ + { + "name": "chromium-headless", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "i686", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chromium-headless-94.0.4606.81-1.fc35.i686.rpm", + "filename": "chromium-headless-94.0.4606.81-1.fc35.i686.rpm" + }, + { + "name": "chromium", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "i686", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chromium-94.0.4606.81-1.fc35.i686.rpm", + "filename": "chromium-94.0.4606.81-1.fc35.i686.rpm" + }, + { + "name": "chrome-remote-desktop", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "i686", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chrome-remote-desktop-94.0.4606.81-1.fc35.i686.rpm", + "filename": "chrome-remote-desktop-94.0.4606.81-1.fc35.i686.rpm" + }, + { + "name": "chromium-common", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "i686", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chromium-common-94.0.4606.81-1.fc35.i686.rpm", + "filename": "chromium-common-94.0.4606.81-1.fc35.i686.rpm" + }, + { + "name": "chromedriver", + "epoch": "0", + "version": 
"94.0.4606.81", + "release": "1.fc35", + "arch": "i686", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chromedriver-94.0.4606.81-1.fc35.i686.rpm", + "filename": "chromedriver-94.0.4606.81-1.fc35.i686.rpm" + }, + { + "name": "chromium-headless", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/c/chromium-headless-94.0.4606.81-1.fc35.x86_64.rpm", + "filename": "chromium-headless-94.0.4606.81-1.fc35.x86_64.rpm" + }, + { + "name": "chrome-remote-desktop", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/c/chrome-remote-desktop-94.0.4606.81-1.fc35.x86_64.rpm", + "filename": "chrome-remote-desktop-94.0.4606.81-1.fc35.x86_64.rpm" + }, + { + "name": "chromedriver", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/c/chromedriver-94.0.4606.81-1.fc35.x86_64.rpm", + "filename": "chromedriver-94.0.4606.81-1.fc35.x86_64.rpm" + }, + { + "name": "chromium-common", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/c/chromium-common-94.0.4606.81-1.fc35.x86_64.rpm", + "filename": "chromium-common-94.0.4606.81-1.fc35.x86_64.rpm" + }, + { + "name": "chromium", + "epoch": "0", + "version": "94.0.4606.81", + "release": "1.fc35", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/x86_64/c/chromium-94.0.4606.81-1.fc35.x86_64.rpm", + "filename": "chromium-94.0.4606.81-1.fc35.x86_64.rpm" + } + ], + "module": {}, + "references": [ + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2012664", + "id": "2012664", + "title": "CVE-2021-37977 
CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 chromium: various flaws [fedora-all]", + "type": "bugzilla" + } + ], + "cveids": [ + "CVE-2021-37977", + "CVE-2021-37978", + "CVE-2021-37979", + "CVE-2021-37980" + ] + } \ No newline at end of file diff --git a/fedora/testdata/golden/2021/FEDORA-2021-c6f471ce0f.json b/fedora/testdata/golden/2021/FEDORA-2021-c6f471ce0f.json new file mode 100644 index 00000000..d3c6489b --- /dev/null +++ b/fedora/testdata/golden/2021/FEDORA-2021-c6f471ce0f.json @@ -0,0 +1,54 @@ +{ + "id": "FEDORA-2021-c6f471ce0f", + "title": "log4j-2.17.1-1.fc35", + "type": "security", + "issued": { + "date": "2022-01-06 01:10:57" + }, + "updated": { + "date": "2021-12-28 21:42:52" + }, + "severity": "Low", + "description": "Update log4j to 2.17.1 for CVE-2021-44832 RCE via JDBC Appender (when attacker controls config)", + "packages": [ + { + "name": "log4j-jcl", + "epoch": "0", + "version": "2.17.1", + "release": "1.fc35", + "arch": "noarch", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/l/log4j-jcl-2.17.1-1.fc35.noarch.rpm", + "filename": "log4j-jcl-2.17.1-1.fc35.noarch.rpm" + }, + { + "name": "log4j-slf4j", + "epoch": "0", + "version": "2.17.1", + "release": "1.fc35", + "arch": "noarch", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/l/log4j-slf4j-2.17.1-1.fc35.noarch.rpm", + "filename": "log4j-slf4j-2.17.1-1.fc35.noarch.rpm" + }, + { + "name": "log4j", + "epoch": "0", + "version": "2.17.1", + "release": "1.fc35", + "arch": "noarch", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/l/log4j-2.17.1-1.fc35.noarch.rpm", + "filename": "log4j-2.17.1-1.fc35.noarch.rpm" + } + ], + "module": {}, + "references": [ + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2035949", + "id": "2035949", + "title": "log4j-2.17.1 is available", + "type": "bugzilla" + } + ], + "cveids": [ + "CVE-2021-44832" + ] + } \ No newline at end of file 
diff --git a/fedora/testdata/golden/2021/FEDORA-EPEL-2021-f89c59b568.json b/fedora/testdata/golden/2021/FEDORA-EPEL-2021-f89c59b568.json new file mode 100644 index 00000000..4931b2c3 --- /dev/null +++ b/fedora/testdata/golden/2021/FEDORA-EPEL-2021-f89c59b568.json 
@@ -0,0 +1,100 @@ +{ + "id": "FEDORA-EPEL-2021-f89c59b568", + "title": "botan2-2.12.1-4.el8", + "type": "security", + "issued": { + "date": "2021-11-15 05:07:11" + }, + "updated": { + "date": "2021-11-07 13:12:57" + }, + "severity": "Moderate", + "description": "Security fix for CVE-2021-24115 (low severity) and CVE-2021-40529 (medium)", + "packages": [ + { + "name": "botan2-doc", + "epoch": "0", + "version": "2.12.1", + "release": "4.el8", + "arch": "noarch", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/8/i386/b/botan2-doc-2.12.1-4.el8.noarch.rpm", + "filename": "botan2-doc-2.12.1-4.el8.noarch.rpm" + }, + { + "name": "botan2", + "epoch": "0", + "version": "2.12.1", + "release": "4.el8", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/8/x86_64/b/botan2-2.12.1-4.el8.x86_64.rpm", + "filename": "botan2-2.12.1-4.el8.x86_64.rpm" + }, + { + "name": "botan2-devel", + "epoch": "0", + "version": "2.12.1", + "release": "4.el8", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/8/x86_64/b/botan2-devel-2.12.1-4.el8.x86_64.rpm", + "filename": "botan2-devel-2.12.1-4.el8.x86_64.rpm" + }, + { + "name": "python3-botan2", + "epoch": "0", + "version": "2.12.1", + "release": "4.el8", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/8/x86_64/p/python3-botan2-2.12.1-4.el8.x86_64.rpm", + "filename": "python3-botan2-2.12.1-4.el8.x86_64.rpm" + }, + { + "name": "botan2-debugsource", + "epoch": "0", + "version": "2.12.1", + "release": "4.el8", + "arch": "x86_64", + "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/8/x86_64/b/botan2-debugsource-2.12.1-4.el8.x86_64.rpm", + "filename": "botan2-debugsource-2.12.1-4.el8.x86_64.rpm" + }, + { + "name": "botan2-debuginfo", + "epoch": "0", + "version": "2.12.1", + "release": "4.el8", + "arch": "x86_64", + "src": 
"https://download.fedoraproject.org/pub/fedora/linux/updates/8/x86_64/b/botan2-debuginfo-2.12.1-4.el8.x86_64.rpm", + "filename": "botan2-debuginfo-2.12.1-4.el8.x86_64.rpm" + } + ], + "module": {}, + "references": [ + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1934453", + "id": "1934453", + "title": "CVE-2021-24115 botan: constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex).", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1934458", + "id": "1934458", + "title": "CVE-2021-24115 botan2: botan: constant-time computations are not used for certain decoding and encoding operations (base32, base58, base64, and hex). [epel-8]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2002825", + "id": "2002825", + "title": "CVE-2021-40529 botan: ElGamal implementation allows plaintext recovery", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2002829", + "id": "2002829", + "title": "CVE-2021-40529 botan2: botan: ElGamal implementation allows plaintext recovery [epel-8]", + "type": "bugzilla" + } + ], + "cveids": [ + "CVE-2021-24115", + "CVE-2021-40529" + ] + } \ No newline at end of file diff --git a/fedora/testdata/golden/2021/FEDORA-MODULAR-2021-217f84c072.json b/fedora/testdata/golden/2021/FEDORA-MODULAR-2021-217f84c072.json new file mode 100644 index 00000000..4866cfb6 --- /dev/null +++ b/fedora/testdata/golden/2021/FEDORA-MODULAR-2021-217f84c072.json 
@@ -0,0 +1,185 @@ +{ + "id": "FEDORA-MODULAR-2021-217f84c072", + "title": "mysql-8.0-3520211031142409.f27b74a8", + "type": "security", + "issued": { + "date": "2021-11-10 00:48:52" + }, + "updated": { + "date": "2021-10-31 17:53:03" + }, + "severity": "Moderate", + "description": "**MySQL 8.0.27**\n\nRelease notes:\n\n https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-27.html", + "packages": [ + { + "name": "community-mysql", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "src", + "filename": "community-mysql-8.0.27-1.module_f35+13269+c9322734.src.rpm" + }, + { + "name": "community-mysql", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-common", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-common-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-debuginfo", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-debuginfo-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-debugsource", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-debugsource-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-devel", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-devel-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-devel-debuginfo", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": 
"community-mysql-devel-debuginfo-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-errmsg", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-errmsg-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-libs", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-libs-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-libs-debuginfo", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-libs-debuginfo-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-server", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-server-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-server-debuginfo", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-server-debuginfo-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-test", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-test-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + }, + { + "name": "community-mysql-test-debuginfo", + "epoch": "0", + "version": "8.0.27", + "release": "1.module_f35+13269+c9322734", + "arch": "x86_64", + "filename": "community-mysql-test-debuginfo-8.0.27-1.module_f35+13269+c9322734.x86_64.rpm" + } + ], + "module": { + "stream": "8.0", + "name": "mysql", + "version": 3520211031142409, + "arch": "x86_64", + "context": "f27b74a8" + }, + "references": [ + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2016142", + "id": 
"2016142", + "title": "CVE-2021-2478 CVE-2021-2479 CVE-2021-2481 CVE-2021-35546 CVE-2021-35575 CVE-2021-35577 CVE-2021-35591 CVE-2021-35596 CVE-2021-35597 CVE-2021-35602 CVE-2021-35604 CVE-2021-35607 CVE-2021-35608 ... mysql:8.0/community-mysql: various flaws [fedora-all]", + "type": "bugzilla" + } + ], + "cveids": [ + "CVE-2021-2478", + "CVE-2021-2479", + "CVE-2021-2481", + "CVE-2021-35546", + "CVE-2021-35575", + "CVE-2021-35577", + "CVE-2021-35591", + "CVE-2021-35596", + "CVE-2021-35597", + "CVE-2021-35602", + "CVE-2021-35604", + "CVE-2021-35607", + "CVE-2021-35608", + "CVE-2021-35610", + "CVE-2021-35612", + "CVE-2021-35622", + "CVE-2021-35623", + "CVE-2021-35624", + "CVE-2021-35625", + "CVE-2021-35626", + "CVE-2021-35627", + "CVE-2021-35628", + "CVE-2021-35630", + "CVE-2021-35631", + "CVE-2021-35632", + "CVE-2021-35633", + "CVE-2021-35634", + "CVE-2021-35635", + "CVE-2021-35636", + "CVE-2021-35637", + "CVE-2021-35638", + "CVE-2021-35639", + "CVE-2021-35640", + "CVE-2021-35641", + "CVE-2021-35642", + "CVE-2021-35643", + "CVE-2021-35644", + "CVE-2021-35645", + "CVE-2021-35646", + "CVE-2021-35647", + "CVE-2021-35648" + ] + } \ No newline at end of file diff --git a/fedora/testdata/golden/2022/FEDORA-MODULAR-2022-a627320247.json b/fedora/testdata/golden/2022/FEDORA-MODULAR-2022-a627320247.json new file mode 100644 index 00000000..55e10a81 --- /dev/null +++ b/fedora/testdata/golden/2022/FEDORA-MODULAR-2022-a627320247.json 
@@ -0,0 +1,310 @@ +{ + "id": "FEDORA-MODULAR-2022-a627320247", + "title": "nodejs-12-3520220113124632.f27b74a8", + "type": "security", + "issued": { + "date": "2022-01-14 01:06:46" + }, + "updated": { + "date": "2022-01-14 20:51:56" + }, + "severity": "Moderate", + "description": "## 2022-01-10, Version 12.22.9 'Erbium' (LTS), @richardlau\n\nThis is a security release.\n\n### Notable changes\n\n#### Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)\n\nAccepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.\n\nVersions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the `--security-revert` command-line option.\n\nMore details will be available at [CVE-2021-44531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531) after publication.\n\n#### Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)\n\nNode.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.\n\nVersions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. 
This behavior can be reverted through the `--security-revert` command-line option.\n\nMore details will be available at [CVE-2021-44532](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532) after publication.\n\n#### Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)\n\nNode.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.\n\nAffected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.\n\nMore details will be available at [CVE-2021-44533](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533) after publication.\n\n#### Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)\n\nDue to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. 
The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.\n\nVersions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.\n\nMore details will be available at [CVE-2022-21824](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824) after publication.\n\nThanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.\n\n## 2021-12-16, Version 12.22.8 'Erbium' (LTS), @richardlau\n\n### Notable Changes\n\nThis release contains a c-ares update to fix a regression introduced in\nNode.js 12.22.5 resolving CNAME records containing underscores\n[#39780](https://github.com/nodejs/node/issues/39780).\n\nRoot certificates have been updated to those from Mozilla's Network\nSecurity Services 3.71 [#40281](https://github.com/nodejs/node/pull/40280).\n", + "packages": [ + { + "name": "c-ares", + "epoch": "0", + "version": "1.17.2", + "release": "1.module_f35+12821+0ca3efb5", + "arch": "src", + "filename": "c-ares-1.17.2-1.module_f35+12821+0ca3efb5.src.rpm" + }, + { + "name": "c-ares", + "epoch": "0", + "version": "1.17.2", + "release": "1.module_f35+12821+0ca3efb5", + "arch": "x86_64", + "filename": "c-ares-1.17.2-1.module_f35+12821+0ca3efb5.x86_64.rpm" + }, + { + "name": "c-ares-debuginfo", + "epoch": "0", + "version": "1.17.2", + "release": "1.module_f35+12821+0ca3efb5", + "arch": "x86_64", + "filename": "c-ares-debuginfo-1.17.2-1.module_f35+12821+0ca3efb5.x86_64.rpm" + }, + { + "name": "c-ares-debugsource", + "epoch": "0", + "version": "1.17.2", + "release": "1.module_f35+12821+0ca3efb5", + "arch": "x86_64", + "filename": "c-ares-debugsource-1.17.2-1.module_f35+12821+0ca3efb5.x86_64.rpm" + }, + { + "name": "c-ares-devel", + "epoch": "0", + "version": "1.17.2", + "release": "1.module_f35+12821+0ca3efb5", + "arch": "x86_64", + "filename": "c-ares-devel-1.17.2-1.module_f35+12821+0ca3efb5.x86_64.rpm" + }, + { + "name": 
"libnghttp2", + "epoch": "0", + "version": "1.46.0", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "libnghttp2-1.46.0-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "libnghttp2-debuginfo", + "epoch": "0", + "version": "1.46.0", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "libnghttp2-debuginfo-1.46.0-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "libnghttp2-devel", + "epoch": "0", + "version": "1.46.0", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "libnghttp2-devel-1.46.0-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "libuv", + "epoch": "1", + "version": "1.43.0", + "release": "2.module_f35+13659+5e1a357e", + "arch": "src", + "filename": "libuv-1.43.0-2.module_f35+13659+5e1a357e.src.rpm" + }, + { + "name": "libuv", + "epoch": "1", + "version": "1.43.0", + "release": "2.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "libuv-1.43.0-2.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "libuv-debuginfo", + "epoch": "1", + "version": "1.43.0", + "release": "2.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "libuv-debuginfo-1.43.0-2.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "libuv-debugsource", + "epoch": "1", + "version": "1.43.0", + "release": "2.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "libuv-debugsource-1.43.0-2.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "libuv-devel", + "epoch": "1", + "version": "1.43.0", + "release": "2.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "libuv-devel-1.43.0-2.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "libuv-static", + "epoch": "1", + "version": "1.43.0", + "release": "2.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "libuv-static-1.43.0-2.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nghttp2", + "epoch": "0", + "version": "1.46.0", + "release": 
"1.module_f35+13659+5e1a357e", + "arch": "src", + "filename": "nghttp2-1.46.0-1.module_f35+13659+5e1a357e.src.rpm" + }, + { + "name": "nghttp2", + "epoch": "0", + "version": "1.46.0", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nghttp2-1.46.0-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nghttp2-debuginfo", + "epoch": "0", + "version": "1.46.0", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nghttp2-debuginfo-1.46.0-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nghttp2-debugsource", + "epoch": "0", + "version": "1.46.0", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nghttp2-debugsource-1.46.0-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nodejs", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "src", + "filename": "nodejs-12.22.9-1.module_f35+13659+5e1a357e.src.rpm" + }, + { + "name": "nodejs", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nodejs-12.22.9-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nodejs-debuginfo", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nodejs-debuginfo-12.22.9-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nodejs-debugsource", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nodejs-debugsource-12.22.9-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nodejs-devel", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nodejs-devel-12.22.9-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nodejs-docs", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "noarch", + "filename": 
"nodejs-docs-12.22.9-1.module_f35+13659+5e1a357e.noarch.rpm" + }, + { + "name": "nodejs-full-i18n", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nodejs-full-i18n-12.22.9-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nodejs-libs", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nodejs-libs-12.22.9-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "nodejs-libs-debuginfo", + "epoch": "1", + "version": "12.22.9", + "release": "1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "nodejs-libs-debuginfo-12.22.9-1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "npm", + "epoch": "1", + "version": "6.14.15", + "release": "1.12.22.9.1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "npm-6.14.15-1.12.22.9.1.module_f35+13659+5e1a357e.x86_64.rpm" + }, + { + "name": "v8-devel", + "epoch": "2", + "version": "7.8.279.23", + "release": "1.12.22.9.1.module_f35+13659+5e1a357e", + "arch": "x86_64", + "filename": "v8-devel-7.8.279.23-1.12.22.9.1.module_f35+13659+5e1a357e.x86_64.rpm" + } + ], + "module": { + "stream": "12", + "name": "nodejs", + "version": 3520220113124632, + "arch": "x86_64", + "context": "f27b74a8" + }, + "references": [ + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040839", + "id": "2040839", + "title": "CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040842", + "id": "2040842", + "title": "CVE-2021-44531 nodejs:12/nodejs: Improper handling of URI Subject Alternative Names [fedora-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040846", + "id": "2040846", + "title": "CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection", + "type": "bugzilla" + }, + { + "href": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2040847", + "id": "2040847", + "title": "CVE-2021-44532 nodejs:12/nodejs: Certificate Verification Bypass via String Injection [fedora-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856", + "id": "2040856", + "title": "CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040858", + "id": "2040858", + "title": "CVE-2021-44533 nodejs:12/nodejs: Incorrect handling of certificate subject and issuer fields [fedora-all]", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862", + "id": "2040862", + "title": "CVE-2022-21824 nodejs: Prototype pollution via console.table properties", + "type": "bugzilla" + }, + { + "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040864", + "id": "2040864", + "title": "CVE-2022-21824 nodejs:12/nodejs: Prototype pollution via console.table properties [fedora-all]", + "type": "bugzilla" + } + ], + "cveids": [ + "CVE-2022-21824", + "CVE-2021-44531", + "CVE-2021-44532", + "CVE-2021-44533" + ] + } \ No newline at end of file From d78ca15e14685d860b1fb4266640b9b250792b34 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Fri, 21 Jan 2022 21:32:33 +0900 Subject: [PATCH 12/20] chore(fedora): fix lint error --- fedora/fedora.go | 1 - 1 file changed, 1 deletion(-) diff --git a/fedora/fedora.go b/fedora/fedora.go index da7990f5..b0ff4dd6 100644 --- a/fedora/fedora.go +++ b/fedora/fedora.go @@ -29,7 +29,6 @@ const ( defaultWait = 1 defaultRetry = 3 fedoraDir = "fedora" - dateFormat = "2006-01-02 15:04:05" ) var ( From 58bb0cedc9b69075a075db9e19011b52d89fc44c Mon Sep 17 00:00:00 2001 
From: MaineK00n Date: Fri, 21 Jan 2022 23:56:39 +0900 Subject: [PATCH 13/20] refactor(fedora): change early-return, shallow nest
---
 fedora/fedora.go | 60 +++++++++++++++++++++++-------------------------
 1 file changed, 29 insertions(+), 31 deletions(-)
diff --git a/fedora/fedora.go b/fedora/fedora.go
index b0ff4dd6..671ab999 100644
--- a/fedora/fedora.go
+++ b/fedora/fedora.go
@@ -332,7 +332,7 @@ func (c Config) fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error
 return uinfo, nil
 }
 
-func (c Config) fetchRepomdData(repomdURL string) (updateInfoPath string, err error) {
+func (c Config) fetchRepomdData(repomdURL string) (string, error) {
 res, err := utils.FetchURL(repomdURL, "", c.retry)
 if err != nil {
 return "", xerrors.Errorf("failed to fetch %s: %w", repomdURL, err)
@@ -345,14 +345,10 @@ func (c Config) fetchRepomdData(repomdURL string) (updateInfoPath string, err er
 for _, repo := range repoMd.RepoList {
 if repo.Type == "updateinfo" {
- updateInfoPath = repo.Location.Href
- break
+ return repo.Location.Href, nil
 }
 }
 
- if updateInfoPath == "" {
- return "", xerrors.New("No updateinfo field in the repomd")
- }
- return updateInfoPath, nil
+ return "", xerrors.New("No updateinfo field in the repomd")
 }
 
 func (c Config) fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) {
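Review bot: The error string in the new early return, `xerrors.New("No updateinfo field in the repomd")`, starts with a capital letter and reads oddly once the caller wraps it behind `failed to fetch updateinfo path from repomd.xml: ...`; Go convention is a lowercase, unpunctuated message such as `xerrors.New("no updateinfo entry in repomd.xml")`. Returning on the first `updateinfo` entry is equivalent to the old break-then-check, but the value handed back is `repo.Location.Href` straight from the remote repomd.xml, which the callers then join onto the repository URL. A short comment on the return, e.g. `// href is relative to the repo root and is trusted as-is; callers path.Join it onto the base URL`, would make that trust assumption visible to the next reader. The callers that consume the href are outside this hunk.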
@@ -404,33 +400,35 @@ func (c Config) fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error)
 func (c Config) fetchCVEIDs(fsa FSA) ([]string, error) {
 cveIDMap := map[string]struct{}{}
 for _, ref := range fsa.References {
- if strings.Contains(ref.Title, "CVE-") {
- if strings.Contains(ref.Title, "various flaws") && strings.Contains(ref.Title, "...") {
- cveIDs, err := c.fetchCVEIDsfromBugzilla(ref.ID)
+ if !strings.Contains(ref.Title, "CVE-") {
+ continue
+ }
+
+ if strings.Contains(ref.Title, "various flaws") && strings.Contains(ref.Title, "...") {
+ cveIDs, err := c.fetchCVEIDsfromBugzilla(ref.ID)
+ if err != nil {
+ return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err)
+ }
+ if len(cveIDs) == 0 {
+ log.Printf("failed to fetch CVE-ID from Bugzilla XML alias elements. bugzilla url: %s\n", ref.Href)
+ continue
+ }
+ for _, cveID := range cveIDs {
+ cveIDMap[cveID] = struct{}{}
+ }
+ } else {
+ cveIDs := cveIDPattern.FindAllString(ref.Title, -1)
+ if strings.Count(ref.Title, "CVE-") != len(cveIDs) {
+ log.Printf("failed to fetch CVE-ID from Reference Title. bugzilla ID: %s, title: %s\n", ref.ID, ref.Title)
+ log.Println("Retry to get CVE-ID using Bugzilla API.")
+ var err error
+ cveIDs, err = c.fetchCVEIDsfromBugzilla(ref.ID)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err)
 }
- if len(cveIDs) == 0 {
- log.Printf("failed to fetch CVE-ID from Bugzilla XML alias elements. bugzilla url: %s\n", ref.Href)
- continue
- }
- for _, cveID := range cveIDs {
- cveIDMap[cveID] = struct{}{}
- }
- } else {
- cveIDs := cveIDPattern.FindAllString(ref.Title, -1)
- if strings.Count(ref.Title, "CVE-") != len(cveIDs) {
- log.Printf("failed to fetch CVE-ID from Reference Title. bugzilla ID: %s, title: %s\n", ref.ID, ref.Title)
- log.Println("Retry to get CVE-ID using Bugzilla API.")
- var err error
- cveIDs, err = c.fetchCVEIDsfromBugzilla(ref.ID)
- if err != nil {
- return nil, xerrors.Errorf("failed to fetch CVE-ID from Bugzilla: %w", err)
- }
- }
- for _, cveID := range cveIDs {
- cveIDMap[cveID] = struct{}{}
- }
+ }
+ for _, cveID := range cveIDs {
+ cveIDMap[cveID] = struct{}{}
 }
 }
 }
From a6460aa06eca767896b25bc0a191ae88602c9ee8 Mon Sep 17 00:00:00 2001
From: MaineK00n Date: Mon, 24 Jan 2022 22:42:02 +0900 Subject: [PATCH 14/20] feat(fedora): use both YAML and URL for module info
---
 fedora/fedora.go | 231 +++++++++++-------
 fedora/fedora_test.go | 58 +++--
 .../modulemd.x_86_64.txt | 101 --------
 .../Modular/x86_64/repodata/modules.yaml.gz | Bin 0 -> 1050 bytes
 .../35/Modular/x86_64/repodata/repomd.xml | 2 +-
 .../2020/FEDORA-EPEL-2020-2c80eb66b5.json | 93 +------
 .../2021/FEDORA-MODULAR-2021-217f84c072.json | 43 +---
 .../2022/FEDORA-MODULAR-2022-a627320247.json | 28 +--
 8 files changed, 187 insertions(+), 369 deletions(-)
 delete mode 100644 fedora/testdata/fixtures/fedora35/packages/nodejs/12/3520220113124632.f27b74a8/modulemd.x_86_64.txt
 create mode 100644 fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/modules.yaml.gz
diff --git a/fedora/fedora.go b/fedora/fedora.go
index 671ab999..b9c1c523 100644
--- a/fedora/fedora.go
+++ b/fedora/fedora.go
@@ -4,6 +4,7 @@ import (
 "bufio"
 "bytes"
 "compress/bzip2"
+ "compress/gzip"
 "encoding/xml"
 "fmt"
 "io"
@@ -277,7 +278,7 @@ func (c Config) fetchUpdateInfoEverything(baseURL, arch string) (*UpdateInfo, er
 originalPath := u.Path
 u.Path = path.Join(originalPath, "/repodata/repomd.xml")
 
- updateInfoPath, err := c.fetchRepomdData(u.String())
+ updateInfoPath, _, err := c.fetchRepomdData(u.String())
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateinfo path from repomd.xml: %w", err)
 }
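Review bot: In the `else` branch of fetchCVEIDs the Bugzilla fallback overwrites `cveIDs` unconditionally, so when `c.fetchCVEIDsfromBugzilla(ref.ID)` succeeds but returns no aliases, the IDs the regex did extract from the title are thrown away and the advisory silently loses its CVE mapping, whereas the `various flaws` branch above logs and `continue`s on an empty result. Keep the regex hits as a floor by assigning into a separate variable: `bzIDs, err := c.fetchCVEIDsfromBugzilla(ref.ID)` followed, after the existing error check, by `if len(bzIDs) > 0 { cveIDs = bzIDs }`. The new `if !strings.Contains(ref.Title, "CVE-") { continue }` guard also drops any reference whose Bugzilla summary omits the identifier; the squid golden file in this series carries bug 1934559 `squid: out-of-bounds read in WCCP protocol [fedora-all]`, which looks like a security bug yet contributes nothing to `cveids`, so the guard deserves a comment such as `// heuristic: only references that name a CVE in their title are consulted; bugs filed without the ID in the summary are skipped` and possibly an alias lookup for such references. The function's return and the `cveIDPattern` definition are outside this hunk.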
@@ -309,7 +310,7 @@ func (c Config) fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error
 originalPath := u.Path
 u.Path = path.Join(originalPath, "/repodata/repomd.xml") 
- updateInfoPath, err := c.fetchRepomdData(u.String()) 
+ updateInfoPath, modulesPath, err := c.fetchRepomdData(u.String())
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch updateinfo, modules path from repomd.xml: %w", err)
 } 
@@ -320,35 +321,45 @@ func (c Config) fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error
 return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err)
 } 
- modules, err := c.fetchModules(uinfo, arch) 
- if err != nil { 
- return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err) 
+ modules := map[string]ModuleInfo{} 
+ if modulesPath != "" { 
+ u.Path = path.Join(originalPath, modulesPath) 
+ modules, err = c.fetchModulesFromYaml(u.String()) 
+ if err != nil { 
+ return nil, xerrors.Errorf("failed to fetch updateinfo data: %w", err) 
+ }
 } 
- if err := extractModulesToUpdateInfo(uinfo, modules); err != nil { 
+ if err := c.extractModulesToUpdateInfo(uinfo, modules, arch); err != nil {
 return nil, xerrors.Errorf("failed to extract modules to updateinfo: %w", err)
 }
 return uinfo, nil
 } 
-func (c Config) fetchRepomdData(repomdURL string) (string, error) { 
+func (c Config) fetchRepomdData(repomdURL string) (updateInfoPath, modulesPath string, err error) {
 res, err := utils.FetchURL(repomdURL, "", c.retry)
 if err != nil { 
- return "", xerrors.Errorf("failed to fetch %s: %w", repomdURL, err) 
+ return "", "", xerrors.Errorf("failed to fetch %s: %w", repomdURL, err)
 }
 var repoMd RepoMd
 if err := xml.NewDecoder(bytes.NewBuffer(res)).Decode(&repoMd); err != nil { 
- return "", xerrors.Errorf("failed to decode repomd.xml: %w", err) 
+ return "", "", xerrors.Errorf("failed to decode repomd.xml: %w", err)
 }
 for _, repo := range repoMd.RepoList {
 if repo.Type == "updateinfo" { 
- return repo.Location.Href, nil 
+ updateInfoPath = repo.Location.Href 
+ } 
+ if repo.Type == "modules" { 
+ modulesPath = repo.Location.Href
 }
 } 
- return "", xerrors.New("No updateinfo field in the repomd") 
+ if updateInfoPath == "" { 
+ return "", "", xerrors.New("failed to find updateinfo path from repomd.xml: no updateinfo field in the repomd") 
+ } 
+ return updateInfoPath, modulesPath, nil
 }
 func (c Config) fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error) { 
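Review bot: `fetchRepomdData` still takes only `location href` from each `data` entry, so neither the updateinfo payload nor the new modules payload is verified against the checksum that repomd.xml publishes next to it (the repomd.xml fixture hunk in this patch shows those 64-hex-digit digest values beside the hrefs); a truncated or mismatched download from a mirror is accepted as long as it still decodes. Adding a checksum field to `Repo`, returning it alongside the href and comparing the digest of the fetched bytes before decompressing would give the fetcher the integrity check the metadata already provides. The loop also changed from returning at the first `updateinfo` entry to keeping the last one seen; if that is intentional, a one-line comment on the loop would save the next reader the diff archaeology.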
@@ -497,20 +508,26 @@ func (c Config) fetchCVEIDsfromBugzilla(bugzillaID string) ([]string, error) {
 return cveIDs, nil
 } 
-func (c Config) fetchModules(uinfo *UpdateInfo, arch string) (map[string]ModuleInfo, error) { 
- moduleURLs := []string{} 
- for _, advisory := range uinfo.FSAList { 
- module, err := parseModuleFromAdvisoryTitle(advisory.Title) 
- if err != nil { 
- return nil, xerrors.Errorf("failed to parse moduleinfo: %w", err) 
- } 
- moduleURLs = append(moduleURLs, fmt.Sprintf(c.urls["moduleinfo"], module.Name, module.Stream, module.Version, module.Context, arch)) 
+func (c Config) fetchModulesFromYaml(modulesURL string) (map[string]ModuleInfo, error) { 
+ res, err := utils.FetchURL(modulesURL, "", c.retry) 
+ if err != nil { 
+ return nil, xerrors.Errorf("failed to fetch modules: %w", err) 
+ } 
+ 
+ r, err := gzip.NewReader(bytes.NewBuffer(res)) 
+ if err != nil { 
+ return nil, xerrors.Errorf("failed to decompress modules: %w", err)
 } 
- if len(moduleURLs) == 0 { 
- return map[string]ModuleInfo{}, nil 
+ 
+ modules, err := parseModulemd(r) 
+ if err != nil { 
+ return nil, xerrors.Errorf("failed to parse modulemd: %w", err)
 } 
+ return modules, nil 
+} 
- log.Printf("Fetching ModuleInfo from Build System Info...") 
+func (c Config) fetchModulesFromKoji(moduleURLs []string) (map[string]ModuleInfo, error) { 
+ log.Printf("Fetching ModuleInfo from Fedora Build System Info...")
 reps, err := utils.FetchConcurrently(moduleURLs, c.concurrency, c.wait, c.retry)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch moduleinfo: %w", err) 
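Review bot: A corrupt or truncated modules.yaml.gz is not reported as an error: `gzip.NewReader` only validates the header, the decompression error surfaces later through the `bufio.Scanner` inside `parseModulemd` (next hunk), and that function never checks `scanner.Err()`, so the caller receives a partial map with a nil error and quietly falls back to Koji for whatever is missing. The same silent truncation happens for a line exceeding the Scanner's default 64 KiB token limit. Add `if err := scanner.Err(); err != nil { return nil, xerrors.Errorf("failed to read modulemd: %w", err) }` after the scan loop in `parseModulemd`. `fetchModulesFromKoji`'s body continues in the next hunk.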
@@ -518,54 +535,50 @@ func (c Config) fetchModules(uinfo *UpdateInfo, arch string) (map[string]ModuleI
 modules := map[string]ModuleInfo{}
 for _, res := range reps { 
- scanner := bufio.NewScanner(bytes.NewReader(res)) 
- var contents []string 
- for scanner.Scan() { 
- str := scanner.Text() 
- switch str { 
- case "---": 
- { 
- contents = []string{} 
+ ms, err := parseModulemd(bytes.NewReader(res)) 
+ if err != nil { 
+ return nil, xerrors.Errorf("failed to parse modulemd: %w", err) 
+ } 
+ for title, minfo := range ms { 
+ modules[title] = minfo 
+ } 
+ } 
+ return modules, nil 
+} 
+ 
+func parseModulemd(modulemdReader io.Reader) (map[string]ModuleInfo, error) { 
+ modules := map[string]ModuleInfo{} 
+ scanner := bufio.NewScanner(modulemdReader) 
+ var contents []string 
+ for scanner.Scan() { 
+ str := scanner.Text() 
+ switch str { 
+ case "---": 
+ { 
+ contents = []string{} 
+ } 
+ case "...": 
+ { 
+ var module ModuleInfo 
+ if err := yaml.NewDecoder(strings.NewReader(strings.Join(contents, "\n"))).Decode(&module); err != nil { 
+ return nil, xerrors.Errorf("failed to decode module info: %w", err)
 } 
- case "...": 
- { 
- var module ModuleInfo 
- if err := yaml.NewDecoder(strings.NewReader(strings.Join(contents, "\n"))).Decode(&module); err != nil { 
- return nil, xerrors.Errorf("failed to decode module info: %w", err) 
- } 
+ if module.Version == 2 {
 modules[module.convertToUpdateInfoTitle()] = module
 } 
- default: 
- { 
- contents = append(contents, str) 
- } 
+ } 
+ default: 
+ { 
+ contents = append(contents, str)
 }
 }
 } 
- return modules, nil
 } 
-func parseModuleFromAdvisoryTitle(title string) (Module, error) { 
- ss := strings.Split(title, "-") 
- name, stream := ss[0], ss[1] 
- ss = strings.Split(ss[2], ".") 
- ver, err := strconv.ParseInt(ss[0], 10, 64) 
- if err != nil { 
- return Module{}, xerrors.Errorf("failed to parse version of moduleinfo from title(%s) of advisory: %w", title, err) 
- } 
- ctx := ss[1] 
- 
- return Module{ 
- Name: name, 
- Stream: stream, 
- Version: ver, 
- Context: ctx, 
- }, nil 
-} 
-
 type 
ModuleInfo struct { 
- Data struct { 
+ Version int `yaml:"version"` 
+ Data struct {
 Name string `yaml:"name"`
 Stream string `yaml:"stream"`
 Version int64 `yaml:"version"` 
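Review bot: `if module.Version == 2` filters on the modulemd document version where the intent is presumably to keep only `document: modulemd` entries (the deleted fixture shows the `document:` / `version:` pair heading each entry); decoding the `document` field into `ModuleInfo` and checking it directly would state that intent and not break when a later modulemd version appears. The hand-rolled `---`/`...` splitter also drops a final document that has no `...` terminator, which YAML permits; if this is gopkg.in/yaml, its `Decoder` already iterates multi-document streams, so a loop of `dec.Decode(&module)` until `io.EOF` on the reader would replace the scanner and the `contents` buffer. `type ModuleInfo struct` is cut by the hunk and its remaining fields are outside it.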
@@ -581,39 +594,89 @@ func (m ModuleInfo) convertToUpdateInfoTitle() string { return fmt.Sprintf("%s-%s-%d.%s", m.Data.Name, m.Data.Stream, m.Data.Version, m.Data.Context) } -func extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string]ModuleInfo) error { +func (c Config) extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string]ModuleInfo, fetchArch string) error { + missingModuleIdxs := []int{} + missingModuleURLs := []string{} for i, fsa := range uinfo.FSAList { - m, ok := modules[fsa.Title] + minfo, ok := modules[fsa.Title] if !ok { - log.Printf("failed to get module info. title: %s\n", fsa.Title) + m, err := parseModuleFromAdvisoryTitle(fsa.Title) + if err != nil { + return xerrors.Errorf("failed to parse module from advisory title: %w", err) + } + missingModuleIdxs = append(missingModuleIdxs, i) + minfoURL := fmt.Sprintf(urlFormat["moduleinfo"], m.Name, m.Stream, m.Version, m.Context, fetchArch) + missingModuleURLs = append(missingModuleURLs, minfoURL) continue } + extractModuleToAdvisory(&uinfo.FSAList[i], minfo) + } + + if len(missingModuleURLs) == 0 { + return nil + } + + missingModules, err := c.fetchModulesFromKoji(missingModuleURLs) + if err != nil { + return xerrors.Errorf("failed to fetch module info from fedora buildsystem: %w", err) + } - uinfo.FSAList[i].Module = Module{ - Stream: m.Data.Stream, - Name: m.Data.Name, - Version: m.Data.Version, - Arch: m.Data.Arch, - Context: m.Data.Context, + for _, idx := range missingModuleIdxs { + minfo, ok := missingModules[uinfo.FSAList[idx].Title] + if !ok { + log.Printf("failed to get module info. 
title: %s\n", uinfo.FSAList[idx].Title) + continue } + extractModuleToAdvisory(&uinfo.FSAList[idx], minfo) + } - pkgs := []Package{} - for _, filename := range m.Data.Artifacts.Rpms { - name, ver, rel, epoch, arch, err := splitFileName(filename) - if err != nil { - return xerrors.Errorf("failed to split rpm filename: %w", err) - } - pkgs = append(pkgs, Package{ - Name: name, - Epoch: epoch, - Version: ver, - Release: rel, - Arch: arch, - Filename: fmt.Sprintf("%s-%s-%s.%s.rpm", name, ver, rel, arch), - }) + return nil +} + +func parseModuleFromAdvisoryTitle(title string) (Module, error) { + ss := strings.Split(title, "-") + name, stream := ss[0], ss[1] + ss = strings.Split(ss[2], ".") + ver, err := strconv.ParseInt(ss[0], 10, 64) + if err != nil { + return Module{}, xerrors.Errorf("failed to parse version of moduleinfo from title(%s) of advisory: %w", title, err) + } + ctx := ss[1] + + return Module{ + Name: name, + Stream: stream, + Version: ver, + Context: ctx, + }, nil +} + +func extractModuleToAdvisory(advisory *FSA, minfo ModuleInfo) error { + advisory.Module = Module{ + Stream: minfo.Data.Stream, + Name: minfo.Data.Name, + Version: minfo.Data.Version, + Arch: minfo.Data.Arch, + Context: minfo.Data.Context, + } + + pkgs := []Package{} + for _, filename := range minfo.Data.Artifacts.Rpms { + name, ver, rel, epoch, arch, err := splitFileName(filename) + if err != nil { + return xerrors.Errorf("failed to split rpm filename: %w", err) } - uinfo.FSAList[i].Packages = pkgs + pkgs = append(pkgs, Package{ + Name: name, + Epoch: epoch, + Version: ver, + Release: rel, + Arch: arch, + Filename: fmt.Sprintf("%s-%s-%s.%s.rpm", name, ver, rel, arch), + }) } + advisory.Packages = pkgs + return nil } diff --git a/fedora/fedora_test.go b/fedora/fedora_test.go index 86ff4d84..1bab3ea8 100644 --- a/fedora/fedora_test.go +++ b/fedora/fedora_test.go @@ -8,6 +8,7 @@ import ( "os" "path/filepath" "reflect" + "sort" "testing" "github.com/aquasecurity/vuln-list-update/fedora" 
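Review bot: Both calls to `extractModuleToAdvisory` discard its error, so a `splitFileName` failure that previously aborted the update with "failed to split rpm filename" now leaves the advisory with `Module` set, `Packages` untouched and no log line; write `if err := extractModuleToAdvisory(&uinfo.FSAList[i], minfo); err != nil { return xerrors.Errorf("failed to extract module to advisory: %w", err) }` at both sites. The Koji fallback builds its URLs from the package-level `urlFormat["moduleinfo"]`, whereas the removed `fetchModules` read `c.urls["moduleinfo"]`; if `With(...)` populates `c.urls`, the test server URL set for `moduleinfo` in fedora_test.go is ignored and the fallback reaches the real host. `parseModuleFromAdvisoryTitle`, moved here unchanged, indexes `ss[1]`, `ss[2]` and the second split's `ss[1]` without length checks, so an advisory title from the feed that lacks the `name-stream-version.context` shape panics the whole run instead of returning an error; a `len(ss) < 3` / `len(ss) < 2` guard returning `xerrors.Errorf` keeps it a per-advisory failure.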
@@ -18,11 +19,11 @@ import ( func Test_Update(t *testing.T) { type args struct { - mode string - uinfoURLPath string - release []string - repos []string - arches []string + mode string + urlPath map[string]string + release []string + repos []string + arches []string } tests := []struct { name string @@ -34,11 +35,11 @@ func Test_Update(t *testing.T) { name: "fedora 35", rootDir: "testdata/fixtures/fedora35", args: args{ - mode: "fedora", - uinfoURLPath: "/pub/fedora/linux/updates/%s/%s/%s/", - release: []string{"35"}, - repos: []string{"Everything", "Modular"}, - arches: []string{"x86_64"}, + mode: "fedora", + urlPath: map[string]string{"fedora": "/pub/fedora/linux/updates/%s/%s/%s/"}, + release: []string{"35"}, + repos: []string{"Everything", "Modular"}, + arches: []string{"x86_64"}, }, expectedError: nil, }, @@ -46,11 +47,11 @@ func Test_Update(t *testing.T) { name: "epel 7", rootDir: "testdata/fixtures/epel7", args: args{ - mode: "epel", - uinfoURLPath: "/pub/epel/%s/%s/", - release: []string{"7"}, - repos: []string{}, - arches: []string{"x86_64"}, + mode: "epel", + urlPath: map[string]string{"epel7": "/pub/epel/%s/%s/"}, + release: []string{"7"}, + repos: []string{}, + arches: []string{"x86_64"}, }, expectedError: nil, }, @@ -58,11 +59,11 @@ func Test_Update(t *testing.T) { name: "epel 8", rootDir: "testdata/fixtures/epel8", args: args{ - mode: "epel", - uinfoURLPath: "/pub/epel/%s/%s/%s/", - release: []string{"8"}, - repos: []string{"Everything"}, - arches: []string{"x86_64"}, + mode: "epel", + urlPath: map[string]string{"epel": "/pub/epel/%s/%s/%s/"}, + release: []string{"8"}, + repos: []string{"Everything"}, + arches: []string{"x86_64"}, }, expectedError: nil, }, 
@@ -82,15 +83,24 @@ func Test_Update(t *testing.T) { tsServerURL := httptest.NewServer(mux) defer tsServerURL.Close() + url := map[string]string{} + for key, path := range tt.args.urlPath { + url[key] = tsServerURL.URL + path + } + url["bugzilla"] = tsServerURL.URL + "/show_bug.cgi?ctype=xml&id=%s" + url["moduleinfo"] = tsServerURL.URL + "/packages/%s/%s/%d.%s/files/module/modulemd.%s.txt" + dir := t.TempDir() - fd := fedora.NewConfig(fedora.With(map[string]string{tt.args.mode: tsServerURL.URL + tt.args.uinfoURLPath, "bugzilla": tsServerURL.URL + "/show_bug.cgi?ctype=xml&id=%s", "moduleinfo": tsServerURL.URL + "/packages/%s/%s/%d.%s/files/module/modulemd.%s.txt"}, dir, 1, 0, 0, map[string][]string{tt.args.mode: tt.args.release}, tt.args.repos, tt.args.arches)) - if err := fd.Update(); tt.expectedError != nil { + fd := fedora.NewConfig(fedora.With(url, dir, 1, 0, 0, map[string][]string{tt.args.mode: tt.args.release}, tt.args.repos, tt.args.arches)) + err := fd.Update() + if tt.expectedError != nil { require.Error(t, err) assert.Contains(t, err.Error(), tt.expectedError.Error()) return } + assert.NoError(t, err) - err := filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error { + err = filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error { if errfp != nil { return errfp } @@ -104,12 +114,14 @@ func Test_Update(t *testing.T) { var want fedora.FSA err = json.Unmarshal(b, &want) assert.NoError(t, err, "failed to unmarshal json") + sort.Slice(want.CveIDs, func(i, j int) bool { return want.CveIDs[i] < want.CveIDs[j] }) b, err = os.ReadFile(path) assert.NoError(t, err, "failed to open the result file") var got fedora.FSA err = json.Unmarshal(b, &got) assert.NoError(t, err, "failed to unmarshal json") + sort.Slice(got.CveIDs, func(i, j int) bool { return got.CveIDs[i] < got.CveIDs[j] }) if !reflect.DeepEqual(got, want) { t.Errorf("[%s]\n diff: %s", tt.name, pretty.Compare(got, want)) 
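Review bot: `assert.NoError(t, err)` after `fd.Update()` lets the test proceed into the golden-file walk when Update failed, so one real failure shows up as a cascade of unrelated golden mismatches; `require.NoError(t, err)` (`require` is already imported for `require.Error` two lines up) stops at the actual cause. The alma_test.go and rocky_test.go hunks in the following "fix: check Update() error" patch make the same choice. With the `modulemd.x_86_64.txt` fixture deleted and every module now served from modules.yaml.gz, `fetchModulesFromKoji` has no test exercising it; leaving one advisory's module out of modules.yaml.gz would cover the fallback. The local `url` map would shadow the `net/url` package if this test file imports it; `urls` avoids the question.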
diff --git a/fedora/testdata/fixtures/fedora35/packages/nodejs/12/3520220113124632.f27b74a8/modulemd.x_86_64.txt b/fedora/testdata/fixtures/fedora35/packages/nodejs/12/3520220113124632.f27b74a8/modulemd.x_86_64.txt deleted file mode 100644 index 42ae7397..00000000 --- a/fedora/testdata/fixtures/fedora35/packages/nodejs/12/3520220113124632.f27b74a8/modulemd.x_86_64.txt +++ /dev/null 
@@ -1,101 +0,0 @@ ---- -document: modulemd -version: 2 -data: - name: nodejs - stream: "12" - version: 3520220113124632 - context: f27b74a8 - arch: x86_64 - summary: Javascript runtime - description: >- - Node.js is a platform built on Chrome''s JavaScript runtime for easily building - fast, scalable network applications. Node.js uses an event-driven, non-blocking - I/O model that makes it lightweight and efficient, perfect for data-intensive - real-time applications that run across distributed devices. - license: - module: - - MIT - content: - - MIT - - MIT and ASL 2.0 and ISC and BSD - - MIT and BSD and ISC - xmd: {} - dependencies: - - buildrequires: - platform: [f35] - requires: - platform: [f35] - references: - community: http://nodejs.org - documentation: http://nodejs.org/en/docs - tracker: https://github.com/nodejs/node/issues - profiles: - default: - rpms: - - nodejs - - npm - development: - rpms: - - nodejs - - nodejs-devel - - npm - minimal: - rpms: - - nodejs - api: - rpms: - - nodejs - - nodejs-devel - - npm - components: - rpms: - c-ares: - rationale: Required for DNS support - ref: rawhide - arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] - libuv: - rationale: Platform abstraction layer for Node.js - ref: 1 - arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] - nghttp2: - rationale: Needed for HTTP2 support - ref: rawhide - arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] - nodejs: - rationale: Javascript runtime and npm package manager. 
- ref: 12 - buildorder: 10 - arches: [aarch64, armv7hl, i686, ppc64le, s390x, x86_64] - artifacts: - rpms: - - c-ares-0:1.17.2-1.module_f35+12821+0ca3efb5.src - - c-ares-0:1.17.2-1.module_f35+12821+0ca3efb5.x86_64 - - c-ares-debuginfo-0:1.17.2-1.module_f35+12821+0ca3efb5.x86_64 - - c-ares-debugsource-0:1.17.2-1.module_f35+12821+0ca3efb5.x86_64 - - c-ares-devel-0:1.17.2-1.module_f35+12821+0ca3efb5.x86_64 - - libnghttp2-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 - - libnghttp2-debuginfo-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 - - libnghttp2-devel-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 - - libuv-1:1.43.0-2.module_f35+13659+5e1a357e.src - - libuv-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 - - libuv-debuginfo-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 - - libuv-debugsource-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 - - libuv-devel-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 - - libuv-static-1:1.43.0-2.module_f35+13659+5e1a357e.x86_64 - - nghttp2-0:1.46.0-1.module_f35+13659+5e1a357e.src - - nghttp2-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 - - nghttp2-debuginfo-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 - - nghttp2-debugsource-0:1.46.0-1.module_f35+13659+5e1a357e.x86_64 - - nodejs-1:12.22.9-1.module_f35+13659+5e1a357e.src - - nodejs-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 - - nodejs-debuginfo-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 - - nodejs-debugsource-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 - - nodejs-devel-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 - - nodejs-docs-1:12.22.9-1.module_f35+13659+5e1a357e.noarch - - nodejs-full-i18n-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 - - nodejs-libs-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 - - nodejs-libs-debuginfo-1:12.22.9-1.module_f35+13659+5e1a357e.x86_64 - - npm-1:6.14.15-1.12.22.9.1.module_f35+13659+5e1a357e.x86_64 - - v8-devel-2:7.8.279.23-1.12.22.9.1.module_f35+13659+5e1a357e.x86_64 -... 
diff --git a/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/modules.yaml.gz b/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/modules.yaml.gz new file mode 100644 index 0000000000000000000000000000000000000000..1660dd5262c9751644953aa6bb97756d26f78408 GIT binary patch literal 1050 zcmV+#1m*i5iwFpnrtVXYyiDiO>g5i5WV|X5PR7}ELx&%+18;z zyL)JgHeEEiErJCtjcjiCp^}u7py+?^h>}0!HnAP_5>dl>Z-z5(C?|@dUSaZDf%X|u zrl=*TA}XNdwe+sH0_%j)8A*Bt_dM&7&M70>6!6`(22lzqGQ#3y7N;ytSRCU*YoL_&qNDk3(_)*nG*`PxId6fhjC@Gg2YlTChGP~p%rhA# zY?KZe?&U^%ctZM;P3DskpQ4T1e3_A_Y5FZ4HEgv~+&*XI7rx>yx1#dI*4hgNxLZJL z3ITqI!bxs05&GQ`;Rq*{)DSa%tPbL=M8 z(&GsU&#iHe6arf$=Cy|c3%C+FIEr`#AQ!Zf>7*9c5&7-611 zG!EhiP=ZD7wNGx8sHW;)DrpC7YS&N^y>U!Zc06jn-7o5H2`2*P2&7t2y z_+>q(7^Q=R$3Qq&gL^Td-Q=yax0TwQB-&0^_gbkAvjS-Z2UTUP-}*wC zA>eT-3fLH%I|K>ISKh4BQ6DX8HCf6&5$QC=L8|g}BmqZyIE$b9-F0){5l9@4)zNgm ztgjP3cTLNi4I=q7*pOg%1MDZ4yjNO!(TIy3P3#7s=&JPd-Q5@VztpL1_R)M^-qvB_ zQ46HPN#P5?3s2+2(t~QT&3hPrV~b|2lK4H6=GKc6yY@nZQK!Ku&JvnTD2o!>UV-26 z`nXEilqFYj&WBLW$JE*U4Akb6wgW6+UN3|$&4m=s)Ha7pNN`@yfa9cestn*!O5+3Y zFdfgX#*pygcmn?l-mk+2H0xuWOi{0*q`?gl$NmGi?fnU$Bf+*OzKEe~{P`SB!Olgy z=G&N`0Y6DI+lrqrwfE539>>nWoygLDAhBkQGDc@_J^CrIV*&T{b_vH;ac8r1nmZSd zzq#HB*QWVI?8D1i%19(reL)H+|4Vui;FmR|QV2_FGNQ>CVI2W|Gr?-w^?_v*I;Ctf UqilE@5&o0-5Ak$BbHok+0P?*D(*OVf literal 0 HcmV?d00001 diff --git a/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/repomd.xml b/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/repomd.xml index cd42a6b6..496d1433 100644 --- a/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/repomd.xml +++ b/fedora/testdata/fixtures/fedora35/pub/fedora/linux/updates/35/Modular/x86_64/repodata/repomd.xml @@ -58,7 +58,7 @@ 2b21df5b61d71cd0e659df336d7ae2fef620e063ac8712b032f255e0c2e644f1 8f8581ac548f3af589b240d087c11c99789c099612e132512c1b7fd7429caf84 - + 1642733004 32302 305758 
diff --git a/fedora/testdata/golden/2020/FEDORA-EPEL-2020-2c80eb66b5.json b/fedora/testdata/golden/2020/FEDORA-EPEL-2020-2c80eb66b5.json index e2136928..90ac266c 100644 --- a/fedora/testdata/golden/2020/FEDORA-EPEL-2020-2c80eb66b5.json +++ b/fedora/testdata/golden/2020/FEDORA-EPEL-2020-2c80eb66b5.json 
@@ -140,105 +140,14 @@ ], "module": {}, "references": [ - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683942", - "id": "1683942", - "title": "CVE-2019-9033 matio: stack-based buffer over-read in function ReadNextCell() in mat5.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683947", - "id": "1683947", - "title": "CVE-2019-9034 matio: stack-based buffer over-read for a memcpy in function ReadNextCell() in mat5.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683986", - "id": "1683986", - "title": "CVE-2019-9035 matio: stack-based buffer over-read in function ReadNextStructField() in mat5.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683990", - "id": "1683990", - "title": "CVE-2019-9036 matio: heap-based buffer overflow in function ReadNextFunctionHandle() in mat5.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1683993", - "id": "1683993", - "title": "CVE-2019-9037 matio: buffer over-read in function Mat_VarPrint() in mat.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684002", - "id": "1684002", - "title": "CVE-2019-9038 matio: out-of-bounds read with SEGV in function ReadNextCell() in mat5.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684009", - "id": "1684009", - "title": "CVE-2019-9026 matio: heap-based buffer overflow in function InflateVarName() in inflate.c [epel-all]", - "type": "bugzilla" - }, { "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684014", "id": "1684014", "title": "matio: CVE-2019-02-9027 matio: heap-based buffer overflow in function ReadNextCell() in mat5.c [epel-all]", "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684017", - "id": "1684017", - "title": "CVE-2019-9028 
matio: stack-based buffer over-read in the function InflateDimensions() in inflate.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684020", - "id": "1684020", - "title": "CVE-2019-9029 matio: out-of-bounds read with SEGV in function Mat_VarReadNextInfo5() in mat5.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684025", - "id": "1684025", - "title": "CVE-2019-9030 matio: stack-based buffer over-read in Mat_VarReadNextInfo5() in mat5.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1684041", - "id": "1684041", - "title": "CVE-2019-9032 matio: out-of-bounds write in function Mat_VarFree() in mat.c resulting in SEGV [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1685379", - "id": "1685379", - "title": "CVE-2019-9031 matio: null pointer dereference in function Mat_VarFree() in mat.c [epel-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=1728478", - "id": "1728478", - "title": "CVE-2019-13107 matio: multiple interger overflow in mat.c, mat4.c, mat5.c, mat73.c and matvar_struct.c [epel-all]", - "type": "bugzilla" } ], "cveids": [ - "CVE-2019-13107", - "CVE-2019-9026", - "CVE-2019-9027", - "CVE-2019-9028", - "CVE-2019-9029", - "CVE-2019-9030", - "CVE-2019-9031", - "CVE-2019-9032", - "CVE-2019-9033", - "CVE-2019-9034", - "CVE-2019-9035", - "CVE-2019-9036", - "CVE-2019-9037", - "CVE-2019-9038" + "CVE-2019-9027" ] } \ No newline at end of file diff --git a/fedora/testdata/golden/2021/FEDORA-MODULAR-2021-217f84c072.json b/fedora/testdata/golden/2021/FEDORA-MODULAR-2021-217f84c072.json index 4866cfb6..7148dff0 100644 --- a/fedora/testdata/golden/2021/FEDORA-MODULAR-2021-217f84c072.json +++ b/fedora/testdata/golden/2021/FEDORA-MODULAR-2021-217f84c072.json 
@@ -135,51 +135,12 @@ { "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2016142", "id": "2016142", - "title": "CVE-2021-2478 CVE-2021-2479 CVE-2021-2481 CVE-2021-35546 CVE-2021-35575 CVE-2021-35577 CVE-2021-35591 CVE-2021-35596 CVE-2021-35597 CVE-2021-35602 CVE-2021-35604 CVE-2021-35607 CVE-2021-35608 ... mysql:8.0/community-mysql: various flaws [fedora-all]", + "title": "CVE-2021-2478 CVE-2021-2479 ... mysql:8.0/community-mysql: various flaws [fedora-all]", "type": "bugzilla" } ], "cveids": [ "CVE-2021-2478", - "CVE-2021-2479", - "CVE-2021-2481", - "CVE-2021-35546", - "CVE-2021-35575", - "CVE-2021-35577", - "CVE-2021-35591", - "CVE-2021-35596", - "CVE-2021-35597", - "CVE-2021-35602", - "CVE-2021-35604", - "CVE-2021-35607", - "CVE-2021-35608", - "CVE-2021-35610", - "CVE-2021-35612", - "CVE-2021-35622", - "CVE-2021-35623", - "CVE-2021-35624", - "CVE-2021-35625", - "CVE-2021-35626", - "CVE-2021-35627", - "CVE-2021-35628", - "CVE-2021-35630", - "CVE-2021-35631", - "CVE-2021-35632", - "CVE-2021-35633", - "CVE-2021-35634", - "CVE-2021-35635", - "CVE-2021-35636", - "CVE-2021-35637", - "CVE-2021-35638", - "CVE-2021-35639", - "CVE-2021-35640", - "CVE-2021-35641", - "CVE-2021-35642", - "CVE-2021-35643", - "CVE-2021-35644", - "CVE-2021-35645", - "CVE-2021-35646", - "CVE-2021-35647", - "CVE-2021-35648" + "CVE-2021-2479" ] } \ No newline at end of file diff --git a/fedora/testdata/golden/2022/FEDORA-MODULAR-2022-a627320247.json b/fedora/testdata/golden/2022/FEDORA-MODULAR-2022-a627320247.json index 55e10a81..a2d89f7d 100644 --- a/fedora/testdata/golden/2022/FEDORA-MODULAR-2022-a627320247.json +++ b/fedora/testdata/golden/2022/FEDORA-MODULAR-2022-a627320247.json 
@@ -275,36 +275,10 @@ "id": "2040847", "title": "CVE-2021-44532 nodejs:12/nodejs: Certificate Verification Bypass via String Injection [fedora-all]", "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040856", - "id": "2040856", - "title": "CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040858", - "id": "2040858", - "title": "CVE-2021-44533 nodejs:12/nodejs: Incorrect handling of certificate subject and issuer fields [fedora-all]", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040862", - "id": "2040862", - "title": "CVE-2022-21824 nodejs: Prototype pollution via console.table properties", - "type": "bugzilla" - }, - { - "href": "https://bugzilla.redhat.com/show_bug.cgi?id=2040864", - "id": "2040864", - "title": "CVE-2022-21824 nodejs:12/nodejs: Prototype pollution via console.table properties [fedora-all]", - "type": "bugzilla" } ], "cveids": [ - "CVE-2022-21824", "CVE-2021-44531", - "CVE-2021-44532", - "CVE-2021-44533" + "CVE-2021-44532" ] } \ No newline at end of file From bac4bc5469bd14a8f38e6813e560e13063382371 Mon Sep 17 00:00:00 2001 
From: MaineK00n Date: Mon, 24 Jan 2022 22:42:39 +0900 Subject: [PATCH 15/20] fix: check Update() error --- alma/alma_test.go | 10 ++- rocky/rocky_test.go | 8 +- .../x86_64/os/repodata}/repomd.xml | 0 .../x86_64/os/repodata}/updateinfo.xml.gz | Bin .../x86_64/os/repodata}/repomd.xml | 0 .../extras/x86_64/os/repodata/repomd.xml | 69 ++++++++++++++++++ .../x86_64/os/repodata}/repomd.xml | 0 .../x86_64/os/repodata}/repomd.xml | 0 .../x86_64/os/repodata}/updateinfo.xml.gz | Bin 9 files changed, 81 insertions(+), 6 deletions(-) rename rocky/testdata/fixtures/happy/{ => BaseOS/x86_64/os/repodata}/repomd.xml (100%) rename rocky/testdata/fixtures/happy/{ => BaseOS/x86_64/os/repodata}/updateinfo.xml.gz (100%) rename rocky/testdata/fixtures/no_updateinfo_field/{ => BaseOS/x86_64/os/repodata}/repomd.xml (100%) create mode 100644 rocky/testdata/fixtures/no_updateinfo_field/extras/x86_64/os/repodata/repomd.xml rename rocky/testdata/fixtures/repomd_invalid/{ => BaseOS/x86_64/os/repodata}/repomd.xml (100%) rename rocky/testdata/fixtures/updateinfo_invalid/{ => BaseOS/x86_64/os/repodata}/repomd.xml (100%) rename rocky/testdata/fixtures/updateinfo_invalid/{ => BaseOS/x86_64/os/repodata}/updateinfo.xml.gz (100%) diff --git a/alma/alma_test.go b/alma/alma_test.go index b8d78caf..8744d4f6 100644 --- a/alma/alma_test.go +++ b/alma/alma_test.go @@ -54,14 +54,18 @@ func TestUpdate(t *testing.T) { dir := t.TempDir() ac := alma.NewConfig(alma.WithURLs(map[string]string{tt.version: ts.URL}), alma.WithDir(dir), alma.WithRetry(0)) - - if err := ac.Update(); tt.expectedError != nil { + err := ac.Update() + if tt.expectedError != nil { require.Error(t, err) assert.Contains(t, err.Error(), tt.expectedError.Error()) return } + assert.NoError(t, err) - err := filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error { + err = filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error { + if errfp != nil { + return errfp + } if info.IsDir() { return nil } 
diff --git a/rocky/rocky_test.go b/rocky/rocky_test.go 
index 706d67c3..e36fa9c7 100644 
--- a/rocky/rocky_test.go 
+++ b/rocky/rocky_test.go 
@@ -54,18 +54,20 @@ func Test_Update(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) { 
- tsUpdateInfoURL := httptest.NewServer(http.StripPrefix("/pub/rocky/8/BaseOS/x86_64/os/repodata/", http.FileServer(http.Dir(tt.rootDir)))) 
+ tsUpdateInfoURL := httptest.NewServer(http.StripPrefix("/pub/rocky/8/", http.FileServer(http.Dir(tt.rootDir))))
 defer tsUpdateInfoURL.Close()
 dir := t.TempDir()
 rc := rocky.NewConfig(rocky.With(tsUpdateInfoURL.URL+"/pub/rocky/%s/%s/%s/os/", dir, 0, []string{"8"}, tt.repository, []string{"x86_64"})) 
- if err := rc.Update(); tt.expectedError != nil { 
+ err := rc.Update() 
+ if tt.expectedError != nil {
 require.Error(t, err)
 assert.Contains(t, err.Error(), tt.expectedError.Error())
 return
 } 
+ assert.NoError(t, err) 
- err := filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error { 
+ err = filepath.Walk(dir, func(path string, info os.FileInfo, errfp error) error {
 if errfp != nil {
 return errfp
 } 
diff --git a/rocky/testdata/fixtures/happy/repomd.xml b/rocky/testdata/fixtures/happy/BaseOS/x86_64/os/repodata/repomd.xml similarity index 100% rename from rocky/testdata/fixtures/happy/repomd.xml rename to rocky/testdata/fixtures/happy/BaseOS/x86_64/os/repodata/repomd.xml 
diff --git a/rocky/testdata/fixtures/happy/updateinfo.xml.gz b/rocky/testdata/fixtures/happy/BaseOS/x86_64/os/repodata/updateinfo.xml.gz similarity index 100% rename from rocky/testdata/fixtures/happy/updateinfo.xml.gz rename to rocky/testdata/fixtures/happy/BaseOS/x86_64/os/repodata/updateinfo.xml.gz 
diff --git a/rocky/testdata/fixtures/no_updateinfo_field/repomd.xml b/rocky/testdata/fixtures/no_updateinfo_field/BaseOS/x86_64/os/repodata/repomd.xml similarity index 100% rename from rocky/testdata/fixtures/no_updateinfo_field/repomd.xml rename to rocky/testdata/fixtures/no_updateinfo_field/BaseOS/x86_64/os/repodata/repomd.xml diff --git a/rocky/testdata/fixtures/no_updateinfo_field/extras/x86_64/os/repodata/repomd.xml b/rocky/testdata/fixtures/no_updateinfo_field/extras/x86_64/os/repodata/repomd.xml new file mode 100644 index 00000000..8b4483c4 --- /dev/null +++ b/rocky/testdata/fixtures/no_updateinfo_field/extras/x86_64/os/repodata/repomd.xml 
@@ -0,0 +1,69 @@ + + + 8.4 + + Rocky Linux 8 + + + 9d25370cf8f2bdf046145fa51ef3d0229ecc6862cbe35281a70184cc39089f54 + 554780b39c8a31f3b92eb2356f38099bd6135834c51542c8ffb889aa6d37c1a0 + + 1632166291 + 4136440 + 29944727 + + + 3f9875964fcb58abd0c3b88ae317450d124020d81e873f1db05c695e84fc1c3b + 483a4f0494e31ae0d100714ddae8eab680c408ff354979636d7bec849c1b6e4d + + 1632166291 + 3284862 + 45704869 + + + 201204bd642f240caaa2d8cd8b8fcf0bf0071fdf7ba67c68b79c209163995057 + ab9351e393e2f08997754411263a7b51114209668d453a62ad998981789c091d + + 1632166291 + 621783 + 6152523 + + + 2e35bd95b02d3bf3d99b82f3bbb6b0381f55b671226771d9d7db975b5d0f205b + b1af8fb023566905067e07bfcffed71ce73ebc6e4ed0af2a010ac7ea6bbfbefa + + 1632166306 + 3599636 + 34222080 + + + 06510a9c700387c4c670654f6440386d6e91e0628116492a4a38228f67ec4d61 + 19df9e2e5a6e66214ddf95569d50ce1c73cfed99c109e453b043a68b8609fd95 + + 1632166298 + 2665240 + 24879104 + + + dddb998b6aca861c3b0724e13ee6f99a74e516b659299ec47c682a08f414cf25 + 46d0a6ae8562e93c729361fa1b28ccf10d26bed3d9d2ff1e464ff807b6201688 + + 1632166293 + 423132 + 6062080 + + + 5eedac6f334681aa51e154d77025db287c33ce1491b14368be9b477ff8208152 + + 1632166276 + 297208 + + + 32e04847f7cc2872db5ac9e92ea540ef2a7999d1c2be0c8c3d47a359b3e2d613 + 5eedac6f334681aa51e154d77025db287c33ce1491b14368be9b477ff8208152 + + 1632166291 + 56668 + 297208 + + \ No newline at end of file diff --git a/rocky/testdata/fixtures/repomd_invalid/repomd.xml b/rocky/testdata/fixtures/repomd_invalid/BaseOS/x86_64/os/repodata/repomd.xml similarity index 100% rename from rocky/testdata/fixtures/repomd_invalid/repomd.xml rename to rocky/testdata/fixtures/repomd_invalid/BaseOS/x86_64/os/repodata/repomd.xml 
diff --git a/rocky/testdata/fixtures/updateinfo_invalid/repomd.xml b/rocky/testdata/fixtures/updateinfo_invalid/BaseOS/x86_64/os/repodata/repomd.xml
similarity index 100%
rename from rocky/testdata/fixtures/updateinfo_invalid/repomd.xml
rename to rocky/testdata/fixtures/updateinfo_invalid/BaseOS/x86_64/os/repodata/repomd.xml
diff --git a/rocky/testdata/fixtures/updateinfo_invalid/updateinfo.xml.gz b/rocky/testdata/fixtures/updateinfo_invalid/BaseOS/x86_64/os/repodata/updateinfo.xml.gz
similarity index 100%
rename from rocky/testdata/fixtures/updateinfo_invalid/updateinfo.xml.gz
rename to rocky/testdata/fixtures/updateinfo_invalid/BaseOS/x86_64/os/repodata/updateinfo.xml.gz
From 245ac47cb54b4a222ea50af614bce1e08f54ca3c Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 24 Jan 2022 23:00:14 +0900 Subject: [PATCH 16/20] refactor(fedora): reduce branch --- fedora/fedora.go | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/fedora/fedora.go b/fedora/fedora.go
index b9c1c523..068ff5d1 100644
--- a/fedora/fedora.go
+++ b/fedora/fedora.go
@@ -178,20 +178,14 @@ func NewConfig(opts ...option) Config {
 func (c Config) Update() error {
 for mode, releases := range c.releases {
 for _, release := range releases {
- if mode == "epel" && release == "7" {
+ for _, repo := range c.repos {
 for _, arch := range c.arches {
- log.Printf("Fetching Fedora Linux (%s) %s %s data...\n", mode, release, arch)
- if err := c.update(mode, release, "", arch); err != nil {
- return xerrors.Errorf("failed to update security advisories of Fedora Linux EPEL %s %s: %w", release, arch, err)
+ if mode == "epel" && release == "7" {
+ repo = ""
 }
- }
- } else {
- for _, repo := range c.repos {
- for _, arch := range c.arches {
- log.Printf("Fetching Fedora Linux (%s) %s %s %s data...\n", mode, release, repo, arch)
- if err := c.update(mode, release, repo, arch); err != nil {
- return xerrors.Errorf("failed to update security advisories of Fedora Linux EPEL %s %s %s: %w", release, repo, arch, err)
- }
+ log.Printf("Fetching Fedora Linux (%s) %s %s %s data...\n", mode, release, repo, arch)
+ if err := c.update(mode, release, repo, arch); err != nil {
+ return xerrors.Errorf("failed to update security advisories of Fedora/EPEL %s %s %s: %w", release, repo, arch, err)
 }
 }
 }
From 6f2379c29d41535496689c7278254f3ee6a20e81 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 24 Jan 2022 23:04:59 +0900 Subject: [PATCH 17/20] fix(fedora): fix lint error --- fedora/fedora.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fedora/fedora.go b/fedora/fedora.go
index 068ff5d1..6db5d40c 100644
--- a/fedora/fedora.go
+++ b/fedora/fedora.go
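Review bot: For EPEL 7 the collapsed loop still ranges over every entry of `c.repos` and resets `repo` to `""` on each pass, so `c.update(mode, "7", "", arch)` now runs once per configured repo per arch (twice with the default Everything/Modular set), re-fetching and re-writing the same updateinfo, whereas the removed branch called it once per arch. Reassigning the range variable inside the body is also easy to misread as affecting the iteration. Picking the repo list before the loop keeps the branch reduction without the duplicate work: `repos := c.repos` / `if mode == "epel" && release == "7" { repos = []string{""} }` / `for _, repo := range repos {`. Update's body runs past the end of the hunk.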
@@ -603,7 +603,9 @@ func (c Config) extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string
 missingModuleURLs = append(missingModuleURLs, minfoURL)
 continue
 }
- extractModuleToAdvisory(&uinfo.FSAList[i], minfo)
+ if err := extractModuleToAdvisory(&uinfo.FSAList[i], minfo); err != nil {
+ return xerrors.Errorf("failed to extract module to advisory: %w", err)
+ }
 }
 if len(missingModuleURLs) == 0 {
@@ -621,7 +623,9 @@ func (c Config) extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string
 log.Printf("failed to get module info. title: %s\n", uinfo.FSAList[idx].Title)
 continue
 }
- extractModuleToAdvisory(&uinfo.FSAList[idx], minfo)
+ if err := extractModuleToAdvisory(&uinfo.FSAList[idx], minfo); err != nil {
+ return xerrors.Errorf("failed to extract module to advisory: %w", err)
+ }
 }
 return nil
From dcee4c6eee1cd105033f67b2eb695fb0bd687db3 Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 31 Jan 2022 07:28:29 +0900 Subject: [PATCH 18/20] chore(fedora): rename variable --- fedora/fedora.go | 68 +++++++++++++++++++++---------------------- fedora/fedora_test.go | 4 +-- 2 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/fedora/fedora.go b/fedora/fedora.go
index 6db5d40c..b293e1b8 100644
--- a/fedora/fedora.go
+++ b/fedora/fedora.go
@@ -72,13 +72,13 @@ type Location struct {
 Href string `xml:"href,attr"`
 }
-// UpdateInfo has a list of Fedora Security Advisory
+// UpdateInfo has a list of Fedora Advisory
 type UpdateInfo struct {
- FSAList []FSA `xml:"update"`
+ Advisories []Advisory `xml:"update"`
 }
-// FSA has detailed data of Fedora Security Advisory
-type FSA struct {
+// Advisory has detailed data of Fedora Security Advisory
+type Advisory struct {
 ID string `xml:"id" json:"id,omitempty"`
 Title string `xml:"title" json:"title,omitempty"`
 Type string `xml:"type,attr" json:"type,omitempty"`
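Review bot: Both new error wraps use the identical text `failed to extract module to advisory: %w`, so a failure cannot be traced to the advisory concerned or to which of the two loops raised it; the same hunk already logs `uinfo.FSAList[idx].Title` for the missing-module case, and the wrap should carry that key too, e.g. `return xerrors.Errorf("failed to extract module to advisory %s: %w", uinfo.FSAList[i].Title, err)` in the first hunk and the `idx` form in the second. It is also worth a one-line comment above the first wrap explaining why an extraction error aborts the whole run while a missing module is only logged and skipped, since the two loops now handle "bad data" differently. extractModulesToUpdateInfo starts before the first hunk and the rest of its body lies between the two.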
@@ -223,22 +223,22 @@ func (c Config) update(mode, release, repo, arch string) error {
 return xerrors.Errorf("failed to fetch updateinfo: %w", err)
 }
- fsalistByYear := map[string][]FSA{}
- for _, fsa := range vulns.FSAList {
- ss := strings.Split(fsa.ID, "-")
+ advlistByYear := map[string][]Advisory{}
+ for _, adv := range vulns.Advisories {
+ ss := strings.Split(adv.ID, "-")
 y := ss[len(ss)-2]
- fsalistByYear[y] = append(fsalistByYear[y], fsa)
+ advlistByYear[y] = append(advlistByYear[y], adv)
 }
 log.Printf("Write Fedora Linux (%s) %s %s %s Errata \n", mode, release, repo, arch)
- bar := pb.StartNew(len(vulns.FSAList))
- for year, fsalist := range fsalistByYear {
+ bar := pb.StartNew(len(vulns.Advisories))
+ for year, advlist := range advlistByYear {
 if err := os.Mkdir(filepath.Join(dirPath, year), os.ModePerm); err != nil {
 return xerrors.Errorf("failed to mkdir: %w", err)
 }
- for _, fsa := range fsalist {
- filepath := filepath.Join(dirPath, year, fmt.Sprintf("%s.json", fsa.ID))
- if err := utils.Write(filepath, fsa); err != nil {
+ for _, adv := range advlist {
+ filepath := filepath.Join(dirPath, year, fmt.Sprintf("%s.json", adv.ID))
+ if err := utils.Write(filepath, adv); err != nil {
 return xerrors.Errorf("failed to write Fedora CVE details: %w", err)
 }
 bar.Increment()
@@ -298,7 +298,7 @@ func (c Config) fetchUpdateInfoModular(baseURL, arch string) (*UpdateInfo, error
 }
 defer resp.Body.Close()
 if resp.StatusCode != http.StatusOK {
- return &UpdateInfo{FSAList: []FSA{}}, nil
+ return &UpdateInfo{Advisories: []Advisory{}}, nil
 }
 originalPath := u.Path
@@ -377,34 +377,34 @@ func (c Config) fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error)
 if err := xml.NewDecoder(r).Decode(&updateInfo); err != nil {
 return nil, xerrors.Errorf("failed to decode updateinfo: %w", err)
 }
- fsaList := []FSA{}
- for _, fsa := range updateInfo.FSAList {
- if fsa.Type != "security" {
+ advList := []Advisory{}
+ for _, adv := range updateInfo.Advisories {
+ if adv.Type != "security" {
 continue
 }
 var pkgs []Package
- for _, pkg := range fsa.Packages {
+ for _, pkg := range adv.Packages {
 if utils.StringInSlice(pkg.Arch, pkgArchFilter[arch]) {
 pkgs = append(pkgs, pkg)
 }
 }
- fsa.Packages = pkgs
+ adv.Packages = pkgs
- cveIDs, err := c.fetchCVEIDs(fsa)
+ cveIDs, err := c.fetchCVEIDs(adv)
 if err != nil {
 return nil, xerrors.Errorf("failed to fetch CVE-IDs: %w", err)
 }
- fsa.CveIDs = cveIDs
+ adv.CveIDs = cveIDs
- fsaList = append(fsaList, fsa)
+ advList = append(advList, adv)
 }
- return &UpdateInfo{FSAList: fsaList}, nil
+ return &UpdateInfo{Advisories: advList}, nil
 }
-func (c Config) fetchCVEIDs(fsa FSA) ([]string, error) {
+func (c Config) fetchCVEIDs(adv Advisory) ([]string, error) {
 cveIDMap := map[string]struct{}{}
- for _, ref := range fsa.References {
+ for _, ref := range adv.References {
 if !strings.Contains(ref.Title, "CVE-") {
 continue
 }
@@ -438,7 +438,7 @@ func (c Config) fetchCVEIDs(fsa FSA) ([]string, error) {
 }
 }
 if len(cveIDMap) == 0 {
- cveIDs := cveIDPattern.FindAllString(fsa.Description, -1)
+ cveIDs := cveIDPattern.FindAllString(adv.Description, -1)
 if len(cveIDs) == 0 {
 return []string{}, nil
 }
@@ -591,10 +591,10 @@ func (m ModuleInfo) convertToUpdateInfoTitle() string {
 func (c Config) extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string]ModuleInfo, fetchArch string) error {
 missingModuleIdxs := []int{}
 missingModuleURLs := []string{}
- for i, fsa := range uinfo.FSAList {
- minfo, ok := modules[fsa.Title]
+ for i, adv := range uinfo.Advisories {
+ minfo, ok := modules[adv.Title]
 if !ok {
- m, err := parseModuleFromAdvisoryTitle(fsa.Title)
+ m, err := parseModuleFromAdvisoryTitle(adv.Title)
 if err != nil {
 return xerrors.Errorf("failed to parse module from advisory title: %w", err)
 }
@@ -603,7 +603,7 @@ func (c Config) extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string
 missingModuleURLs = append(missingModuleURLs, minfoURL)
 continue
 }
- if err := extractModuleToAdvisory(&uinfo.FSAList[i], minfo); err != nil {
+ if err := extractModuleToAdvisory(&uinfo.Advisories[i], minfo); err != nil {
 return xerrors.Errorf("failed to extract module to advisory: %w", err)
 }
 }
@@ -618,12 +618,12 @@ func (c Config) extractModulesToUpdateInfo(uinfo *UpdateInfo, modules map[string
 }
 for _, idx := range missingModuleIdxs {
- minfo, ok := missingModules[uinfo.FSAList[idx].Title]
+ minfo, ok := missingModules[uinfo.Advisories[idx].Title]
 if !ok {
- log.Printf("failed to get module info. title: %s\n", uinfo.FSAList[idx].Title)
+ log.Printf("failed to get module info. title: %s\n", uinfo.Advisories[idx].Title)
 continue
 }
- if err := extractModuleToAdvisory(&uinfo.FSAList[idx], minfo); err != nil {
+ if err := extractModuleToAdvisory(&uinfo.Advisories[idx], minfo); err != nil {
 return xerrors.Errorf("failed to extract module to advisory: %w", err)
 }
 }
@@ -649,7 +649,7 @@ func parseModuleFromAdvisoryTitle(title string) (Module, error) {
 }, nil
 }
-func extractModuleToAdvisory(advisory *FSA, minfo ModuleInfo) error {
+func extractModuleToAdvisory(advisory *Advisory, minfo ModuleInfo) error {
 advisory.Module = Module{
 Stream: minfo.Data.Stream,
 Name: minfo.Data.Name,
diff --git a/fedora/fedora_test.go b/fedora/fedora_test.go
index 1bab3ea8..f937ad86 100644
--- a/fedora/fedora_test.go
+++ b/fedora/fedora_test.go
@@ -111,14 +111,14 @@ func Test_Update(t *testing.T) {
 dir, file := filepath.Split(path)
 b, err := os.ReadFile(filepath.Join("testdata", "golden", filepath.Base(dir), file))
 assert.NoError(t, err, "failed to open the golden file")
- var want fedora.FSA
+ var want fedora.Advisory
 err = json.Unmarshal(b, &want)
 assert.NoError(t, err, "failed to unmarshal json")
 sort.Slice(want.CveIDs, func(i, j int) bool { return want.CveIDs[i] < want.CveIDs[j] })
 b, err = os.ReadFile(path)
 assert.NoError(t, err, "failed to open the result file")
- var got fedora.FSA
+ var got fedora.Advisory
 err = json.Unmarshal(b, &got)
 assert.NoError(t, err, "failed to unmarshal json")
 sort.Slice(got.CveIDs, func(i, j int) bool { return got.CveIDs[i] < got.CveIDs[j] })
From 5a2c840c810473d6daa134af6309e4ceae533c3d Mon Sep 17 00:00:00 2001 From: MaineK00n Date: Mon, 31 Jan 2022 07:29:20 +0900 Subject: [PATCH 19/20] chore: go mod tidy --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 950148a8..2387ffc7 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/simplereach/timeutils v1.2.0 // indirect
 github.com/spf13/afero v1.8.0
 github.com/stretchr/testify v1.7.0
- github.com/ulikunitz/xz v0.5.8 // indirect
+ github.com/ulikunitz/xz v0.5.8
 golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1
 golang.org/x/vuln v0.0.0-20211215213114-5e054cb3e47e
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
From 225dcec568e94ff165e4b2a6dd753e8f7ae8ce58 Mon Sep 17 00:00:00 2001
From: MaineK00n Date: Mon, 31 Jan 2022 08:43:56 +0900 Subject: [PATCH 20/20] chore(fedora): update pkg arch filter --- fedora/fedora.go | 7 +-- .../golden/2021/FEDORA-2021-15d2f70a07.json | 27 ----------- .../golden/2021/FEDORA-2021-5ffabdc080.json | 45 ------------------- 3 files changed, 1 insertion(+), 78 deletions(-)
diff --git a/fedora/fedora.go b/fedora/fedora.go
index b293e1b8..492b81cf 100644
--- a/fedora/fedora.go
+++ b/fedora/fedora.go
@@ -48,11 +48,6 @@ var (
 defaultRepos = []string{"Everything", "Modular"}
 defaultArches = []string{"x86_64", "aarch64"}
- pkgArchFilter = map[string][]string{
- "x86_64": {"noarch", "x86_64", "i686"},
- "aarch64": {"noarch", "aarch64"},
- }
-
 cveIDPattern = regexp.MustCompile(`(CVE-\d{4}-\d{4,})`)
 )
@@ -385,7 +380,7 @@ func (c Config) fetchUpdateInfo(url, compress, arch string) (*UpdateInfo, error)
 var pkgs []Package
 for _, pkg := range adv.Packages {
- if utils.StringInSlice(pkg.Arch, pkgArchFilter[arch]) {
+ if utils.StringInSlice(pkg.Arch, []string{"noarch", arch}) {
 pkgs = append(pkgs, pkg)
 }
 }
diff --git a/fedora/testdata/golden/2021/FEDORA-2021-15d2f70a07.json b/fedora/testdata/golden/2021/FEDORA-2021-15d2f70a07.json
index aec9ab2b..494ff9a9 100644
--- a/fedora/testdata/golden/2021/FEDORA-2021-15d2f70a07.json
+++ b/fedora/testdata/golden/2021/FEDORA-2021-15d2f70a07.json
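Review bot: `[]string{"noarch", arch}` is rebuilt on every iteration of the package loop just to do a two-element membership test; a direct comparison `if pkg.Arch == "noarch" || pkg.Arch == arch {` reads more plainly and drops both the per-package allocation and the `utils.StringInSlice` call. Since the removed `pkgArchFilter` map also listed `i686` under `x86_64`, a short comment on this line stating that only `noarch` and the fetched arch are kept, and that the multilib i686 packages are dropped on purpose, would spare the next reader from reconstructing that intent from the golden-file deletions below. fetchUpdateInfo starts and ends outside the hunk.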
@@ -11,33 +11,6 @@
 "severity": "Important",
 "description": "- version update to 5.2\n- security update",
 "packages": [
- {
- "name": "squid-debuginfo",
- "epoch": "7",
- "version": "5.2",
- "release": "1.fc35",
- "arch": "i686",
- "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/s/squid-debuginfo-5.2-1.fc35.i686.rpm",
- "filename": "squid-debuginfo-5.2-1.fc35.i686.rpm"
- },
- {
- "name": "squid",
- "epoch": "7",
- "version": "5.2",
- "release": "1.fc35",
- "arch": "i686",
- "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/s/squid-5.2-1.fc35.i686.rpm",
- "filename": "squid-5.2-1.fc35.i686.rpm"
- },
- {
- "name": "squid-debugsource",
- "epoch": "7",
- "version": "5.2",
- "release": "1.fc35",
- "arch": "i686",
- "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/s/squid-debugsource-5.2-1.fc35.i686.rpm",
- "filename": "squid-debugsource-5.2-1.fc35.i686.rpm"
- },
 {
 "name": "squid-debuginfo",
 "epoch": "7",
diff --git a/fedora/testdata/golden/2021/FEDORA-2021-5ffabdc080.json b/fedora/testdata/golden/2021/FEDORA-2021-5ffabdc080.json
index 3f8bf61c..c7f6cdb7 100644
--- a/fedora/testdata/golden/2021/FEDORA-2021-5ffabdc080.json
+++ b/fedora/testdata/golden/2021/FEDORA-2021-5ffabdc080.json
@@ -11,51 +11,6 @@ "severity": "Important", "description": "Update to 94.0.4606.81. Built with is_official_build=true, which disables all sorts of debugging check functions that upstream turned on in 94. These debugging checks were failing and causing the program to crash in ... fun ways.\n\nIt also fixes the usual pile of security issues, most notably:\nCVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977 CVE-2021-37978 CVE-2021-37979 CVE-2021-37980", "packages": [ - { - "name": "chromium-headless", - "epoch": "0", - "version": "94.0.4606.81", - "release": "1.fc35", - "arch": "i686", - "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chromium-headless-94.0.4606.81-1.fc35.i686.rpm", - "filename": "chromium-headless-94.0.4606.81-1.fc35.i686.rpm" - }, - { - "name": "chromium", - "epoch": "0", - "version": "94.0.4606.81", - "release": "1.fc35", - "arch": "i686", - "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chromium-94.0.4606.81-1.fc35.i686.rpm", - "filename": "chromium-94.0.4606.81-1.fc35.i686.rpm" - }, - { - "name": "chrome-remote-desktop", - "epoch": "0", - "version": "94.0.4606.81", - "release": "1.fc35", - "arch": "i686", - "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chrome-remote-desktop-94.0.4606.81-1.fc35.i686.rpm", - "filename": "chrome-remote-desktop-94.0.4606.81-1.fc35.i686.rpm" - }, - { - "name": "chromium-common", - "epoch": "0", - "version": "94.0.4606.81", - "release": "1.fc35", - "arch": "i686", - "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chromium-common-94.0.4606.81-1.fc35.i686.rpm", - "filename": "chromium-common-94.0.4606.81-1.fc35.i686.rpm" - }, - { - "name": "chromedriver", - "epoch": "0", - "version": "94.0.4606.81", - "release": "1.fc35", - "arch": "i686", - "src": "https://download.fedoraproject.org/pub/fedora/linux/updates/35/i386/c/chromedriver-94.0.4606.81-1.fc35.i686.rpm", - "filename": 
"chromedriver-94.0.4606.81-1.fc35.i686.rpm" - }, { "name": "chromium-headless", "epoch": "0",