fix(rhel): filter flatpak entries

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
anchore · Jan 5, 2024 · 8d38b72 · 8d38b72
1 parent 7d97d90
commit 8d38b72
Show file tree

Hide file tree

Showing 78 changed files with 1,524 additions and 31 deletions.
diff --git a/src/vunnel/providers/rhel/parser.py b/src/vunnel/providers/rhel/parser.py
@@ -610,7 +610,18 @@ def _parse_affected_release(self, cve_id: str, content) -> list[FixedIn]:  # noq
 
         return fixed_ins
 
-    def _parse_package_state(self, cve_id: str, fixed: list[FixedIn], content) -> list[FixedIn]:  # noqa: C901
+    def _parse_package_name_and_module(self, item: dict) -> tuple[str | None, str | None]:
+        package_name = item.get("package_name", None)
+        module = None
+
+        if package_name and "/" in package_name:
+            components = package_name.split("/")
+            package_name = components[1]
+            module = components[0]
+
+        return package_name, module
+
+    def _parse_package_state(self, cve_id: str, content) -> list[FixedIn]:  # noqa: C901
         affected: list[FixedIn] = []
         out_of_support: list[FixedIn] = []  # Track items out of support to be able to add them if others are affected
         pss = content.get("package_state", [])
@@ -628,18 +639,16 @@ def _parse_package_state(self, cve_id: str, fixed: list[FixedIn], content) -> li
                 if not platform or f"{namespace}:{platform}" in self.skip_namespaces:
                     continue
 
-                package_name = item.get("package_name", None)
-                module = None
-
-                if "/" in package_name:
-                    components = package_name.split("/")
-                    package_name = components[1]
-                    module = components[0]
+                package_name, module = self._parse_package_name_and_module(item)
 
                 if not package_name:
                     self.logger.debug(f"package state package_name missing for {cve_id} platform {platform}")
                     continue
 
+                if module and module.endswith(":flatpak"):
+                    self.logger.debug(f"skipping flatpak entry {package_name} for {cve_id} platform {platform}")
+                    continue
+
                 state = item.get("fix_state", None)
                 if state in ["Affected", "Fix deferred"]:
                     affected.append(
@@ -713,7 +722,7 @@ def _parse_cve(self, cve_id, content):  # noqa: C901, PLR0912, PLR0915
         results = []
         platform_artifacts = {}
         fins = self._parse_affected_release(cve_id, content)
-        nfins = self._parse_package_state(cve_id, fins, content)
+        nfins = self._parse_package_state(cve_id, content)
         platform_package_module_tuples = set()
 
         if fins or nfins:

diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2019-25059 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2019-25059
@@ -0,0 +1,45 @@
+{
+  "threat_severity" : "Moderate",
+  "public_date" : "2022-04-25T00:00:00Z",
+  "bugzilla" : {
+    "description" : "Mishandling of .completefont (incomplete fix for CVE-2019-3839)",
+    "id" : "2078491",
+    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2078491"
+  },
+  "cvss3" : {
+    "cvss3_base_score" : "7.8",
+    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "status" : "draft"
+  },
+  "cwe" : "CWE-1173",
+  "details" : [ "Artifex Ghostscript through 9.26 mishandles .completefont. NOTE: this issue exists because of an incomplete fix for CVE-2019-3839." ],
+  "package_state" : [ {
+    "product_name" : "Red Hat Enterprise Linux 6",
+    "fix_state" : "Not affected",
+    "package_name" : "ghostscript",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Not affected",
+    "package_name" : "ghostscript",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "ghostscript",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "gimp:flatpak/ghostscript",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 9",
+    "fix_state" : "Will not fix",
+    "package_name" : "ghostscript",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
+  } ],
+  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-25059\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-25059" ],
+  "name" : "CVE-2019-25059",
+  "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16587 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16587
@@ -0,0 +1,42 @@
+{
+  "threat_severity" : "Low",
+  "public_date" : "2020-12-10T00:00:00Z",
+  "bugzilla" : {
+    "description" : "CVE-2020-16587 OpenEXR: A heap-based buffer overflow in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp could result in a DOS via a crafted EXR file",
+    "id" : "1929320",
+    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1929320"
+  },
+  "cvss3" : {
+    "cvss3_base_score" : "5.5",
+    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+    "status" : "draft"
+  },
+  "cwe" : "CWE-787",
+  "details" : [ "A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file." ],
+  "statement" : "This flaw is out of support scope for OpenEXR as shipped with Red Hat Enterprise Linux 6 and 7. For more information on Red Hat Enterprise Linux support scope, please see https://access.redhat.com/support/policy/updates/errata/ .",
+  "package_state" : [ {
+    "product_name" : "Red Hat Enterprise Linux 6",
+    "fix_state" : "Out of support scope",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Out of support scope",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "gimp:flatpak/OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  } ],
+  "upstream_fix" : "openexr 2.4.0",
+  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-16587\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16587\nhttps://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a" ],
+  "name" : "CVE-2020-16587",
+  "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16588 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2020-16588
@@ -0,0 +1,42 @@
+{
+  "threat_severity" : "Low",
+  "public_date" : "2020-12-10T00:00:00Z",
+  "bugzilla" : {
+    "description" : "CVE-2020-16588 OpenEXR: A Null Pointer Deference in generatePreview in makePreview.cpp could result in a DOS via a crafted EXR file",
+    "id" : "1929315",
+    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1929315"
+  },
+  "cvss3" : {
+    "cvss3_base_score" : "5.5",
+    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
+    "status" : "draft"
+  },
+  "cwe" : "CWE-476",
+  "details" : [ "A Null Pointer Deference issue exists in Academy Software Foundation OpenEXR 2.3.0 in generatePreview in makePreview.cpp that can cause a denial of service via a crafted EXR file." ],
+  "statement" : "This flaw does not affect Red Hat Enterprise Linux 8 because the vulnerable exrmakepreview program is not shipped.",
+  "package_state" : [ {
+    "product_name" : "Red Hat Enterprise Linux 6",
+    "fix_state" : "Out of support scope",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Out of support scope",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "gimp:flatpak/OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Not affected",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  } ],
+  "upstream_fix" : "openexr 2.4.0",
+  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-16588\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16588\nhttps://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f\nhttps://github.com/AcademySoftwareFoundation/openexr/issues/493" ],
+  "name" : "CVE-2020-16588",
+  "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20298 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20298
@@ -0,0 +1,41 @@
+{
+  "threat_severity" : "Low",
+  "public_date" : "2021-02-15T00:00:00Z",
+  "bugzilla" : {
+    "description" : "CVE-2021-20298 OpenEXR: Out-of-memory in B44Compressor",
+    "id" : "1939156",
+    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1939156"
+  },
+  "cvss3" : {
+    "cvss3_base_score" : "7.5",
+    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+    "status" : "draft"
+  },
+  "cwe" : "CWE-787",
+  "details" : [ "A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability.", "A flaw was found in OpenEXR's B44Compressor. This flaw allows an attacker who can submit a crafted file to be processed by OpenEXR, to exhaust all memory accessible to the application. The highest threat from this vulnerability is to system availability." ],
+  "package_state" : [ {
+    "product_name" : "Red Hat Enterprise Linux 6",
+    "fix_state" : "Out of support scope",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Out of support scope",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "gimp:flatpak/OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  } ],
+  "upstream_fix" : "OpenEXR 3.0.0-beta",
+  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20298\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20298" ],
+  "name" : "CVE-2021-20298",
+  "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20299 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2021-20299
@@ -0,0 +1,41 @@
+{
+  "threat_severity" : "Low",
+  "public_date" : "2021-02-15T00:00:00Z",
+  "bugzilla" : {
+    "description" : "CVE-2021-20299 OpenEXR: Null-dereference READ in Imf_2_5::Header::operator",
+    "id" : "1939154",
+    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1939154"
+  },
+  "cvss3" : {
+    "cvss3_base_score" : "7.5",
+    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+    "status" : "draft"
+  },
+  "cwe" : "CWE-476",
+  "details" : [ "A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability.", "A flaw was found in OpenEXR's Multipart input file functionality. A crafted multi-part input file with no actual parts can trigger a NULL pointer dereference. The highest threat from this vulnerability is to system availability." ],
+  "package_state" : [ {
+    "product_name" : "Red Hat Enterprise Linux 6",
+    "fix_state" : "Out of support scope",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Out of support scope",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "gimp:flatpak/OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "OpenEXR",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  } ],
+  "upstream_fix" : "OpenEXR 3.0.0-beta",
+  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20299\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20299" ],
+  "name" : "CVE-2021-20299",
+  "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1921 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1921
@@ -0,0 +1,58 @@
+{
+  "threat_severity" : "Moderate",
+  "public_date" : "2022-05-17T00:00:00Z",
+  "bugzilla" : {
+    "description" : "Heap-based buffer overflow in the avi demuxer when handling certain AVI files",
+    "id" : "2130949",
+    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2130949"
+  },
+  "cvss3" : {
+    "cvss3_base_score" : "7.8",
+    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "status" : "verified"
+  },
+  "cwe" : "CWE-190",
+  "details" : [ "Integer overflow in avidemux element in gst_avi_demux_invert function which allows a heap overwrite while parsing avi files. Potential for arbitrary code execution through heap overwrite.", "A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the avi demuxer when processing a specially crafted AVI file. This vulnerability can result in application crash, memory corruption, and code execution." ],
+  "affected_release" : [ {
+    "product_name" : "Red Hat Enterprise Linux 9",
+    "release_date" : "2023-05-09T00:00:00Z",
+    "advisory" : "RHSA-2023:2260",
+    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
+    "package" : "gstreamer1-plugins-good-0:1.18.4-6.el9"
+  } ],
+  "package_state" : [ {
+    "product_name" : "Red Hat Enterprise Linux 6",
+    "fix_state" : "Out of support scope",
+    "package_name" : "gstreamer-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Out of support scope",
+    "package_name" : "gstreamer1-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Out of support scope",
+    "package_name" : "gstreamer-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "gstreamer1-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 9",
+    "fix_state" : "Affected",
+    "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
+  } ],
+  "upstream_fix" : "gstreamer-plugins-good 1.20.3",
+  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1921\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1921\nhttps://gstreamer.freedesktop.org/security/sa-2022-0001.html" ],
+  "name" : "CVE-2022-1921",
+  "csaw" : false
+}
diff --git a/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1922 b/tests/unit/providers/rhel/test-fixtures/input/cve/full/CVE-2022-1922
@@ -0,0 +1,58 @@
+{
+  "threat_severity" : "Moderate",
+  "public_date" : "2022-05-18T00:00:00Z",
+  "bugzilla" : {
+    "description" : "Potential heap overwrite in mkv demuxing using zlib decompression",
+    "id" : "2130955",
+    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2130955"
+  },
+  "cvss3" : {
+    "cvss3_base_score" : "7.8",
+    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "status" : "verified"
+  },
+  "cwe" : "CWE-190",
+  "details" : [ "DOS / potential heap overwrite in mkv demuxing using zlib decompression. Integer overflow in matroskademux element in gst_matroska_decompress_data function which causes a segfault, or could cause a heap overwrite, depending on libc and OS. Depending on the libc used, and the underlying OS capabilities, it could be just a segfault or a heap overwrite. If the libc uses mmap for large chunks, and the OS supports mmap, then it is just a segfault (because the realloc before the integer overflow will use mremap to reduce the size of the chunk, and it will start to write to unmapped memory). However, if using a libc implementation that does not use mmap, or if the OS does not support mmap while using libc, then this could result in a heap overwrite.", "A flaw was found in GStreamer. An integer overflow can lead to a heap-based buffer overflow in the mkv demuxer when processing a specially crafted Matroska/WebM file using zlib decompression. This vulnerability can result in application crash, memory corruption, and code execution." ],
+  "affected_release" : [ {
+    "product_name" : "Red Hat Enterprise Linux 9",
+    "release_date" : "2023-05-09T00:00:00Z",
+    "advisory" : "RHSA-2023:2260",
+    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
+    "package" : "gstreamer1-plugins-good-0:1.18.4-6.el9"
+  } ],
+  "package_state" : [ {
+    "product_name" : "Red Hat Enterprise Linux 6",
+    "fix_state" : "Out of support scope",
+    "package_name" : "gstreamer-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Out of support scope",
+    "package_name" : "gstreamer1-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 7",
+    "fix_state" : "Out of support scope",
+    "package_name" : "gstreamer-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "gstreamer1-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 8",
+    "fix_state" : "Will not fix",
+    "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
+  }, {
+    "product_name" : "Red Hat Enterprise Linux 9",
+    "fix_state" : "Affected",
+    "package_name" : "libreoffice:flatpak/gstreamer1-plugins-good",
+    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
+  } ],
+  "upstream_fix" : "gstreamer-plugins-good 1.20.3",
+  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1922\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1922\nhttps://gstreamer.freedesktop.org/security/sa-2022-0002.html" ],
+  "name" : "CVE-2022-1922",
+  "csaw" : false
+}