Skip to content

feat(RHEL): handle multiple fix streams#1232

Draft
willmurphyscode wants to merge 1 commit into
anchore:mainfrom
willmurphyscode:rhel-stream-handling
Draft

feat(RHEL): handle multiple fix streams#1232
willmurphyscode wants to merge 1 commit into
anchore:mainfrom
willmurphyscode:rhel-stream-handling

Conversation

@willmurphyscode

Copy link
Copy Markdown
Contributor

Previously, when there were multiple RHSAs that fixed the same RPM for the same RHEL major version, Vunnel would either collapse them into a complex boolean expression if possible (for example if upstream moved and EVR was enough to distinguish the versions) or else would collapse to the higher version to prevent false negatives.

Instead, emit an additional item in the JSON for each additional relevant advisory. Crucially, the highest EVR is still in the "version" field so that legacy consumers of the data won't know the change, but these additional advisories will enable new consumers to decide which RHSA is most applicable to their stream.

Note that this makes the 'elN_M' suffixes on RPM versions somewhat load bearing, since that is how stream information is reported through, but that convention seems very strong and well-established.

Previously, when there were multiple RHSAs that fixed the same RPM for
the same RHEL major version, Vunnel would either collapse them into a
complex boolean expression if possible (for example if upstream moved
and EVR was enough to distinguish the versions) or else would collapse
to the higher version to prevent false negatives.

Instead, emit an additional item in the JSON for each additional
relevant advisory. Crucially, the highest EVR is still in the "version"
field so that legacy consumers of the data won't know the change, but
these additional advisories will enable new consumers to decide which
RHSA is most applicable to their stream.

Note that this makes the 'elN_M' suffixes on RPM versions somewhat load
bearing, since that is how stream information is reported through, but
that convention seems very strong and well-established.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
"Description": "An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application using JCE to load an attacker-controlled library and hence escalate their privileges.",
"FixedIn": [
{
"AdditionalAdvisoryFixes": [

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What populate additional if there's only the one?

# the canonical CVE-2024-8088 shape (already deduped + sorted ascending by base)
fixes = [_ar("0:3.9.18-3.el9_4.5"), _ar("0:3.9.19-8.el9")]
assert _build_vulnerable_range(fixes) == "< 0:3.9.18-3.el9_4.5 || >= 0:3.9.19, < 0:3.9.19-8.el9"
class TestSameBaseAdditionalAdvisoryFixes:

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure this has real data behind it - choose real examples.

"ID": "RHSA-2023:2260",
"Link": "https://access.redhat.com/errata/RHSA-2023:2260"
},
"Version": "0:1.18.4-6.el9"

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can the vunnel side bucket these into RHEL minor versions ahead of time? Like just capturing the raw field in here and then letting grype bucket by it later maybe it should be a separate field.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something something package qualifiers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant