feat(photon-oval): add Photon OS OVAL vulnerability source#645
Draft
DmitriyLewen wants to merge 9 commits into aquasecurity:main from
Implements pkg/vulnsrc/photon-oval — a new vulnerability source that
consumes photon-oval/{version}/{PHSA-ID}.json files produced by
vuln-list-update (see aquasecurity/vuln-list-update#408).
- Walk photon-oval/**/*.json; extract OS version from path segment
- Parse affected packages from OVAL Criteria tree by matching
"{pkg} is earlier than 0:{ver}" criterion comments
- Store per-CVE advisory details, vulnerability details, and IDs
in BoltDB using the existing Photon bucket
- Map OVAL severity (Critical/Important/Moderate/Low) to db.Severity
- Register PhotonOVAL source in vulnsrc.All and vulnerability.AllSourceIDs
- TestVulnSrc_Update: happy path covering two OS versions (4.0, 5.0), sad paths for missing directory and malformed JSON
- TestVulnSrc_Get: happy path, no-match, and unmarshal error cases
- Testdata: PHSA-2023-5001 (Photon 5.0, libcap, Important), PHSA-2023-4001 (Photon 4.0, curl, Moderate), bad JSON fixture
…update format
Rename PHSA-YYYY-NNNN.json → PHSA-YYYY-{osVer}-{advisory_number}.json
to match the naming scheme produced by vuln-list-update
(see aquasecurity/vuln-list-update#408).
…dorID
The PHSA advisory ID (e.g. "PHSA-2023-5.0-20") is derived from the JSON filename, which is constructed by vuln-list-update when converting OVAL XML to JSON (see aquasecurity/vuln-list-update#408). Store it in Advisory.VendorIDs so that Trivy can surface the original advisory reference.
…ith photon source
Introduce ecosystem.PhotonOVAL and bucket.NewPhotonOVAL producing bucket
names "Photon OS OVAL {ver}", separate from photon's "Photon OS {ver}".
This prevents advisory-detail and data-source key collisions when both
sources run together.
Summary
Adds a new vulnerability source photon-oval that consumes Photon OS OVAL advisory files (photon-oval/{version}/{PHSA-ID}.json) produced by vuln-list-update (see aquasecurity/vuln-list-update#408).
What's new
- pkg/vulnsrc/photon-oval/ — new VulnSrc implementation:
  - walks photon-oval/**/*.json and extracts the OS version from the path segment
  - parses affected packages from the OVAL Criteria tree ("{pkg} is earlier than 0:{ver}" criterion comments)
  - stores advisories using the existing Photon bucket
  - maps OVAL severity to db.Severity
- Registered in vulnsrc.All and vulnerability.AllSourceIDs
Notes
- Separate from the existing photon source — no existing logic touched
Related
- aquasecurity/vuln-list-update#408
Test plan
- go test ./pkg/vulnsrc/photon-oval/... passes
- go build ./... passes
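The parsing step the commits and description outline (walk the per-version directory, take the OS version from the path segment and the advisory ID from the filename, descend the OVAL Criteria tree matching "{pkg} is earlier than 0:{ver}" criterion comments, map Critical/Important/Moderate/Low onto a DB severity) is shown below as an added Go example. It is not code from this PR, trivy-db or vuln-list-update: the JSON field layout (severity, cves, criteria with nested criterias/criterions), the Severity type, the function names and the fixture are all assumptions made for the example, and the fixture is constructed to mirror the libcap / Photon 5.0 / Important testdata case named above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Severity stands in for the DB-side type the OVAL severity is mapped onto (assumed, not trivy-db's).
type Severity int

const (
	SeverityUnknown Severity = iota
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

// Advisory is the ASSUMED shape of one photon-oval/{version}/{PHSA-ID}.json file.
type Advisory struct {
	Severity string   `json:"severity"`
	CVEs     []string `json:"cves"`
	Criteria Criteria `json:"criteria"`
}

// Criteria is a recursive OVAL criteria node: nested criterias plus leaf criterions.
type Criteria struct {
	Operator   string      `json:"operator"`
	Criterias  []Criteria  `json:"criterias,omitempty"`
	Criterions []Criterion `json:"criterions,omitempty"`
}

// Criterion is a leaf whose comment names the package/version test.
type Criterion struct {
	Comment string `json:"comment"`
}

// AffectedPackage is one (package, first fixed version) pair extracted from the tree.
type AffectedPackage struct {
	Name         string
	FixedVersion string
}

// ParsedAdvisory is what the walker would hand to the storage layer for one file.
type ParsedAdvisory struct {
	OSVersion string
	VendorID  string
	Severity  Severity
	CVEs      []string
	Packages  []AffectedPackage
}

// criterionRe matches "{pkg} is earlier than 0:{ver}"; the "0:" epoch prefix is stripped.
var criterionRe = regexp.MustCompile(`^(\S+) is earlier than (?:0:)?(\S+)$`)

// ParseCriterionComment returns the package and version named by a criterion comment,
// or ok=false for comments of other kinds (e.g. "Photon OS 5.0 is installed").
func ParseCriterionComment(comment string) (pkg AffectedPackage, ok bool) {
	m := criterionRe.FindStringSubmatch(strings.TrimSpace(comment))
	if m == nil {
		return AffectedPackage{}, false
	}
	return AffectedPackage{Name: m[1], FixedVersion: m[2]}, true
}

// AffectedPackages walks the criteria tree depth-first and collects every package criterion.
func (c Criteria) AffectedPackages() []AffectedPackage {
	var pkgs []AffectedPackage
	for _, cr := range c.Criterions {
		if p, ok := ParseCriterionComment(cr.Comment); ok {
			pkgs = append(pkgs, p)
		}
	}
	for _, child := range c.Criterias {
		pkgs = append(pkgs, child.AffectedPackages()...)
	}
	return pkgs
}

// MapSeverity converts the OVAL severity string to the DB severity; unknown strings are not guessed.
func MapSeverity(s string) Severity {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "critical":
		return SeverityCritical
	case "important":
		return SeverityHigh
	case "moderate":
		return SeverityMedium
	case "low":
		return SeverityLow
	}
	return SeverityUnknown
}

// OSVersionFromPath takes the segment after "photon-oval", e.g. "5.0" from photon-oval/5.0/PHSA-2023-5.0-20.json.
func OSVersionFromPath(path string) (string, error) {
	parts := strings.Split(filepath.ToSlash(path), "/")
	for i, p := range parts {
		if p == "photon-oval" && i+2 < len(parts) {
			return parts[i+1], nil
		}
	}
	return "", fmt.Errorf("no photon-oval/{version}/ segment in %q", path)
}

// ParseAdvisoryFile combines the three steps for one file; a file with no package criteria is rejected
// rather than stored as an advisory affecting nothing.
func ParseAdvisoryFile(path string, data []byte) (ParsedAdvisory, error) {
	osVer, err := OSVersionFromPath(path)
	if err != nil {
		return ParsedAdvisory{}, err
	}
	var adv Advisory
	if err := json.Unmarshal(data, &adv); err != nil {
		return ParsedAdvisory{}, fmt.Errorf("unmarshal %s: %w", path, err)
	}
	pkgs := adv.Criteria.AffectedPackages()
	if len(pkgs) == 0 {
		return ParsedAdvisory{}, fmt.Errorf("%s: no package criteria found", path)
	}
	return ParsedAdvisory{
		OSVersion: osVer,
		VendorID:  strings.TrimSuffix(filepath.Base(path), ".json"), // advisory ID comes from the filename
		Severity:  MapSeverity(adv.Severity),
		CVEs:      adv.CVEs,
		Packages:  pkgs,
	}, nil
}

// SampleAdvisoryJSON is a CONSTRUCTED fixture (CVE id is a placeholder), not a real PHSA file.
const SampleAdvisoryJSON = `{
  "severity": "Important",
  "cves": ["CVE-0000-0000"],
  "criteria": {
    "operator": "OR",
    "criterias": [
      {"operator": "AND", "criterions": [
        {"comment": "Photon OS 5.0 is installed"},
        {"comment": "libcap is earlier than 0:2.69-1.ph5"}
      ]},
      {"operator": "AND", "criterions": [
        {"comment": "Photon OS 5.0 is installed"},
        {"comment": "libcap-devel is earlier than 0:2.69-1.ph5"}
      ]}
    ]
  }
}`

func main() {
	rec, err := ParseAdvisoryFile("photon-oval/5.0/PHSA-2023-5.0-20.json", []byte(SampleAdvisoryJSON))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s (Photon %s) severity=%d cves=%v\n", rec.VendorID, rec.OSVersion, rec.Severity, rec.CVEs)
	for _, p := range rec.Packages {
		fmt.Printf("  %s < %s\n", p.Name, p.FixedVersion)
	}
}
```

The regex anchors both ends and only accepts the "is earlier than" form, so installed-OS criterions and any unexpected comment are skipped rather than mis-read as a package; the walker returns an error for a file that yields no packages, which is the case a malformed-JSON or wrong-schema fixture should surface in tests instead of silently producing an empty advisory.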