From 7e0f4d2ed4c178f24e7f9e6ea4703965ccce8cd4 Mon Sep 17 00:00:00 2001 From: Teppei Fukuda Date: Tue, 10 Sep 2024 17:33:27 +0400 Subject: [PATCH] Revert "feat: Expose Ubuntu fix status for downstream consumption" (#438) --- pkg/types/status.go | 5 +- pkg/types/types.go | 6 +-- .../vuln-list/ubuntu/CVE-2020-1234.json | 15 +++--- pkg/vulnsrc/ubuntu/ubuntu.go | 20 +------- pkg/vulnsrc/ubuntu/ubuntu_test.go | 49 ------------------- 5 files changed, 13 insertions(+), 82 deletions(-) diff --git a/pkg/types/status.go b/pkg/types/status.go index c1385840..98bc856a 100644 --- a/pkg/types/status.go +++ b/pkg/types/status.go @@ -11,9 +11,6 @@ var ( // // In addition to them, Red Hat has "will_not_fix" and "fix_deferred". // cf. https://access.redhat.com/blogs/product-security/posts/2066793 - // - // In addition to them, Ubuntu has "DNE", "ignored", "needed", "pending" - // https://askubuntu.com/a/1509706 Statuses = []string{ "unknown", "not_affected", @@ -32,7 +29,7 @@ const ( StatusAffected StatusFixed StatusUnderInvestigation - StatusWillNotFix + StatusWillNotFix // Red Hat specific StatusFixDeferred StatusEndOfLife ) diff --git a/pkg/types/types.go b/pkg/types/types.go index 713a819d..d43a2319 100644 --- a/pkg/types/types.go +++ b/pkg/types/types.go @@ -106,9 +106,9 @@ type Advisory struct { Arches []string `json:",omitempty"` - // Status is used to provide the status when a status is known and supported by the data source (e.g. "Will not fix"). - // When a patch is available, the status will be empty since the status is obviously "Fixed". - Status Status `json:",omitempty"` + // It is filled only when FixedVersion is empty since it is obvious the state is "Fixed" when FixedVersion is not empty. + // e.g. Will not fix and Affected + Status Status `json:"-"` // Trivy DB has "vulnerability" bucket and severities are usually stored in the bucket per a vulnerability ID. // In some cases, the advisory may have multiple severities depending on the packages. 
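Review bot: The new inline tag marks only `StatusWillNotFix` as Red Hat specific, but the block comment a few lines above says Red Hat has both "will_not_fix" and "fix_deferred", so `StatusFixDeferred` on the very next line is left untagged and now reads as a generic status even though this commit removes its only non-Red-Hat producer. Tag it the same way, `StatusFixDeferred // Red Hat specific`, or drop the inline tag and let the block comment carry the information, so the two do not disagree. The enclosing const block starts outside the hunk.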
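Review bot: The restored comment on `Status` says nothing about the most consequential part of the new line, the `json:"-"` tag: assuming advisories are stored JSON-encoded, the field is dropped on write, so whatever a data source puts in it never reaches the DB and downstream consumers cannot read it — which is the intent of the revert but is invisible to the next maintainer who sees sources populating the field. The comment also starts with "It" instead of the field name, against Go doc convention. Suggest: `// Status is the fix status reported by the data source (e.g. will_not_fix); it is set only when FixedVersion is empty and is deliberately not serialized (json:"-"), so it is not persisted to the DB.` The Advisory struct starts and ends outside the hunk.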
diff --git a/pkg/vulnsrc/ubuntu/testdata/vuln-list/ubuntu/CVE-2020-1234.json b/pkg/vulnsrc/ubuntu/testdata/vuln-list/ubuntu/CVE-2020-1234.json index 5cf13b45..36c3d1bf 100644 --- a/pkg/vulnsrc/ubuntu/testdata/vuln-list/ubuntu/CVE-2020-1234.json +++ b/pkg/vulnsrc/ubuntu/testdata/vuln-list/ubuntu/CVE-2020-1234.json @@ -19,13 +19,12 @@ "bionic": { "Status": "released", "Note": "1.2.3" + }, + "focal": { + "Status": "needs-triage", + "Note": "" } - }, - "wpa": { - "bionic": { - "Status": "deferred" - } - }, - "UpstreamLinks": {} - } + } + }, + "UpstreamLinks": {} } \ No newline at end of file diff --git a/pkg/vulnsrc/ubuntu/ubuntu.go b/pkg/vulnsrc/ubuntu/ubuntu.go index 4aad259c..69089e6a 100644 --- a/pkg/vulnsrc/ubuntu/ubuntu.go +++ b/pkg/vulnsrc/ubuntu/ubuntu.go @@ -23,7 +23,7 @@ const ( ) var ( - targetStatuses = []string{"needed", "pending", "deferred", "released"} + targetStatuses = []string{"needed", "deferred", "released"} UbuntuReleasesMapping = map[string]string{ "precise": "12.04", "quantal": "12.10", @@ -170,12 +170,8 @@ func defaultPut(dbc db.Operation, tx *bolt.Tx, advisory interface{}) error { } adv := types.Advisory{} - normalisedStatus := StatusFromUbuntuStatus(status.Status) - if normalisedStatus == types.StatusFixed { + if status.Status == "released" { adv.FixedVersion = status.Note - } else { - // Store the status only if it's unfixed - adv.Status = normalisedStatus } if err := dbc.PutAdvisoryDetail(tx, cve.Candidate, pkgName, []string{platformName}, adv); err != nil { return xerrors.Errorf("failed to save Ubuntu advisory: %w", err) 
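Review bot: With the `wpa`/`deferred` entry replaced by a `focal` entry whose status is `needs-triage`, the fixture no longer contains any status from the non-released part of `targetStatuses` ("needed", "deferred"), so the path that stores an unfixed advisory with an empty FixedVersion is no longer exercised by TestVulnSrc_Update. `needs-triage` is not in `targetStatuses`, and if the caller skips non-target statuses as the allow-list suggests (that code is not in this diff), the new entry is simply ignored and tests nothing. Keep one `deferred` entry next to the new one and assert its advisory-detail value is an empty `types.Advisory{}`, so a regression in the status filter is caught.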
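Review bot: Dropping "pending" from `targetStatuses` means Ubuntu entries whose fix is staged but not yet published are not stored at all (the skip of non-target statuses is outside this hunk, but the only visible use of the slice is as an allow-list), so a scanner consuming this DB reports nothing for such a package until the status flips to released — a false-negative window, rather than the "unfixed" result the other non-released statuses receive. The revert restores the older list, but this element did not depend on the reverted `Status` field and could stay: `targetStatuses = []string{"needed", "pending", "deferred", "released"}`. If dropping it is deliberate, a comment on the line saying why would save the next reader the same question.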
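Review bot: `adv.FixedVersion = status.Note` runs for every `released` entry whether or not Note holds a version, so a released entry with an empty Note is written as an advisory with no FixedVersion — indistinguishable from needed/deferred and reported downstream as unfixed, with no log line to explain it. Whether the Ubuntu tracker ever emits released without a version is not visible here; if it can, decide explicitly (skip such entries with a log message, or keep them and document that an empty Note intentionally degrades to unfixed) rather than leaving it to the zero value, e.g. `// released with no version in Note is stored as unfixed on purpose`. The magic string `"released"` also duplicates the entry in `targetStatuses`; a named const would keep the two in step. defaultPut starts and ends outside this hunk.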
@@ -217,15 +213,3 @@ func SeverityFromPriority(priority string) types.Severity { return types.SeverityUnknown } } - -// StatusFromUbuntuStatus normalises Ubuntu status into common Trivy Types -func StatusFromUbuntuStatus(status string) types.Status { - switch status { - case "needed", "pending", "deferred": - return types.StatusFixDeferred - case "released": - return types.StatusFixed - default: - return types.StatusUnknown - } -} diff --git a/pkg/vulnsrc/ubuntu/ubuntu_test.go b/pkg/vulnsrc/ubuntu/ubuntu_test.go index 154a414b..9d304770 100644 --- a/pkg/vulnsrc/ubuntu/ubuntu_test.go +++ b/pkg/vulnsrc/ubuntu/ubuntu_test.go @@ -3,8 +3,6 @@ package ubuntu_test import ( "testing" - "github.com/stretchr/testify/assert" - "github.com/aquasecurity/trivy-db/pkg/types" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/ubuntu" "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability" @@ -37,12 +35,6 @@ func TestVulnSrc_Update(t *testing.T) { FixedVersion: "1.2.3", }, }, - { - Key: []string{"advisory-detail", "CVE-2020-1234", "ubuntu 18.04", "wpa"}, - Value: types.Advisory{ - Status: types.StatusFixDeferred, - }, - }, { Key: []string{"vulnerability-detail", "CVE-2020-1234", "ubuntu"}, Value: types.VulnerabilityDetail{ 
@@ -68,44 +60,3 @@ func TestVulnSrc_Update(t *testing.T) {
 })
 }
 }
-
- func TestUbuntuStatusFromStatus(t *testing.T) {
- tests := []struct {
- name string
- status string
- expected types.Status
- }{
- {
- name: "deferred",
- status: "deferred",
- expected: types.StatusFixDeferred,
- },
- {
- name: "needed",
- status: "needed",
- expected: types.StatusFixDeferred,
- },
- {
- name: "pending",
- status: "pending",
- expected: types.StatusFixDeferred,
- },
- {
- name: "released",
- status: "released",
- expected: types.StatusFixed,
- },
- {
- name: "unknown",
- status: "unknown",
- expected: types.StatusUnknown,
- },
- }
-
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- actual := ubuntu.StatusFromUbuntuStatus(test.status)
- assert.Equal(t, test.expected, actual)
- })
- }
-}