gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-05 20:40:16 -08:00
Code Issues Packages Projects Releases Wiki Activity

Add oracle linux support (#286)

Browse Source 
* Add oracle

* Add oracle

* Add golden json

* Add integration test

* Update go.{mod,sum}

* go mod tidy

* Use k8s/utils clock.Clock interface

* Fix Detect vulnerability oracle
This commit is contained in:
Masahiro Fujimura
2019-11-20 00:18:25 +09:00
committed by Teppei Fukuda
parent 438680f3e4
commit b345342369
10 changed files with 1284 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
go.mod
View File

@@ -5,7 +5,7 @@ go 1.13
require (
github.com/aquasecurity/fanal v0.0.0-20191104115841-1a8ced6845b7
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
github.com/aquasecurity/trivy-db v0.0.0-20191101193735-bb56553762c0
github.com/aquasecurity/trivy-db v0.0.0-20191119124754-552fbb6fff53
github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91
github.com/caarlos0/env/v6 v6.0.0
github.com/genuinetools/reg v0.16.0
@@ -17,10 +17,11 @@ require (
github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
github.com/stretchr/testify v1.4.0
github.com/urfave/cli v1.20.0
go.etcd.io/bbolt v1.3.3 // indirect
go.uber.org/multierr v1.4.0 // indirect
go.uber.org/zap v1.9.1
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529
golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 // indirect
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421
golang.org/x/sys v0.0.0-20191020152052-9984515f0562 // indirect
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898
gopkg.in/cheggaaa/pb.v1 v1.0.28

28
go.sum
View File

@@ -28,8 +28,8 @@ github.com/aquasecurity/fanal v0.0.0-20191104115841-1a8ced6845b7/go.mod h1:dD1Ny
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4=
github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
github.com/aquasecurity/trivy v0.1.6/go.mod h1:5hobyhxLzDtxruHzPxpND2PUKOssvGUdE9BocpJUwo4=
github.com/aquasecurity/trivy-db v0.0.0-20191101193735-bb56553762c0 h1:G6DzbsaARDzEuT3SdUdXw6GBH3RHhhkoaX1YQtwqYyI=
github.com/aquasecurity/trivy-db v0.0.0-20191101193735-bb56553762c0/go.mod h1:PCxSRIDg26j0v3NgjjFbA3BqrGVLSEu1Fb/n/0RzXzg=
github.com/aquasecurity/trivy-db v0.0.0-20191119124754-552fbb6fff53 h1:btY/EEIRVv2SewBP5bzFuTuI0JiTNQK65jUSkt3SV8Q=
github.com/aquasecurity/trivy-db v0.0.0-20191119124754-552fbb6fff53/go.mod h1:vYzX1UhX0o29E+/nuFJTgUJBM5UA7I/NftnbBcYyYRE=
github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83 h1:ukTLOeMC0aVxbJWVg6hOsVJ0VPIo8w++PbNsze/pqF8=
@@ -125,6 +125,7 @@ github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASu
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -239,6 +240,7 @@ github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7z
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
github.com/shurcooL/httpfs v0.0.0-20181222201310-74dc9339e414/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
@@ -272,11 +274,19 @@ github.com/xanzy/ssh-agent v0.2.1 h1:TCbipTQL2JiiCprBWx9frJ2eJlCYT00NmctrHxVAr70
github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
go.etcd.io/bbolt v1.3.2 h1:Z/90sZLPOeCy2PwprqkFa25PdkusRzaj9P8zm/KNyvk=
go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.etcd.io/bbolt v1.3.3 h1:MUGmc65QhB3pIlaQ5bB4LwqSj6GIonVJXpZiaKNyaKk=
go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
go.uber.org/atomic v1.3.2 h1:2Oa65PReHzfn29GpvgsYwloV9AVFHPDk8tYxt2c2tr4=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
go.uber.org/multierr v1.4.0 h1:f3WCSC2KzAcBXGATIxAB1E2XuCpNU255wNKZ505qi3E=
go.uber.org/multierr v1.4.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
go.uber.org/zap v1.9.1 h1:XCJQEf3W6eZaVwhRBof6ImoYGJSITeKWsyeh3HFu/5o=
go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -284,11 +294,16 @@ golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnf
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 h1:bselrhR0Or1vomJZC8ZIjWtbDmn9OYFLX5Ik9alpJpE=
golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529 h1:iMGN4xG0cnqj3t+zOM8wUB0BiPKHEwSxEZCvzcbZuvk=
golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -297,8 +312,10 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r
golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c h1:uOCk1iQW6Vc18bnC13MfzScl+wdKBmM9Y9kU7Z83/lw=
golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 h1:p9xBe/w/OzkeYVKm234g55gMdD1nSIooTir5kV11kfA=
golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -343,6 +360,10 @@ golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3
golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190503185657-3b6f9c0030f7/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5 h1:hKsoRgsbwY1NafxrwTs+k64bikrLBkAgPir1TNCj3Zs=
golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373 h1:PPwnA7z1Pjf7XYaBP9GL1VAMZmcIWyFz7QCMSIIa3Bg=
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
@@ -370,6 +391,7 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
gopkg.in/src-d/go-billy.v4 v4.2.1/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
@@ -393,6 +415,8 @@ gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81
honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
k8s.io/utils v0.0.0-20191010214722-8d271d903fe4 h1:Gi+/O1saihwDqnlmC8Vhv1M5Sp4+rbOmK9TbsLn8ZEA=
k8s.io/utils v0.0.0-20191010214722-8d271d903fe4/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=

30
integration/tar_input_test.go
View File

@@ -301,6 +301,36 @@ func TestRun_WithTar(t *testing.T) {
},
golden: "testdata/amazon-2.json.golden",
},
{
name: "oracle 6 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/oraclelinux-6-slim.tar.gz",
},
golden: "testdata/oraclelinux-6-slim.json.golden",
},
{
name: "oracle 7 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/oraclelinux-7-slim.tar.gz",
},
golden: "testdata/oraclelinux-7-slim.json.golden",
},
{
name: "oracle 8 integration",
testArgs: args{
Version: "dev",
SkipUpdate: true,
Format: "json",
Input: "testdata/fixtures/oraclelinux-8-slim.tar.gz",
},
golden: "testdata/oraclelinux-8-slim.json.golden",
},
}
for _, c := range cases {

166
integration/testdata/oraclelinux-6-slim.json.golden vendored Normal file
View File

@@ -0,0 +1,166 @@
[
{
"Target": "testdata/fixtures/oraclelinux-6-slim.tar.gz (oracle 6.10)",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-3855",
"PkgName": "libssh2",
"InstalledVersion": "1.4.2-2.el6_7.1",
"FixedVersion": "1.4.2-3.0.1.el6_10.1",
"Title": "libssh2: Integer overflow in transport read resulting in out of bounds write",
"Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"Severity": "CRITICAL",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
"http://www.openwall.com/lists/oss-security/2019/03/18/3",
"http://www.securityfocus.com/bid/107485",
"https://access.redhat.com/errata/RHSA-2019:0679",
"https://access.redhat.com/errata/RHSA-2019:1175",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://seclists.org/bugtraq/2019/Mar/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3855.html"
]
},
{
"VulnerabilityID": "CVE-2019-3856",
"PkgName": "libssh2",
"InstalledVersion": "1.4.2-2.el6_7.1",
"FixedVersion": "1.4.2-3.0.1.el6_10.1",
"Title": "libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write",
"Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"https://access.redhat.com/errata/RHSA-2019:0679",
"https://access.redhat.com/errata/RHSA-2019:1175",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3856",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3856",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3856.html"
]
},
{
"VulnerabilityID": "CVE-2019-3857",
"PkgName": "libssh2",
"InstalledVersion": "1.4.2-2.el6_7.1",
"FixedVersion": "1.4.2-3.0.1.el6_10.1",
"Title": "libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write",
"Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"https://access.redhat.com/errata/RHSA-2019:0679",
"https://access.redhat.com/errata/RHSA-2019:1175",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3857",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3857",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3857.html"
]
},
{
"VulnerabilityID": "CVE-2019-3862",
"PkgName": "libssh2",
"InstalledVersion": "1.4.2-2.el6_7.1",
"FixedVersion": "1.4.2-2.0.1.el6_7.1",
"Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request",
"Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
"http://www.openwall.com/lists/oss-security/2019/03/18/3",
"http://www.securityfocus.com/bid/107485",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3862",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://seclists.org/bugtraq/2019/Mar/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3862.html"
]
},
{
"VulnerabilityID": "CVE-2019-3863",
"PkgName": "libssh2",
"InstalledVersion": "1.4.2-2.el6_7.1",
"FixedVersion": "1.4.2-3.0.1.el6_10.1",
"Title": "libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes",
"Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"https://access.redhat.com/errata/RHSA-2019:0679",
"https://access.redhat.com/errata/RHSA-2019:1175",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3863",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3863",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3863.html"
]
},
{
"VulnerabilityID": "CVE-2019-1559",
"PkgName": "openssl",
"InstalledVersion": "1.0.1e-57.0.6.el6",
"FixedVersion": "1.0.1e-58.0.1.el6_10",
"Title": "openssl: 0-byte record padding oracle",
"Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
"http://www.securityfocus.com/bid/107174",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
"https://github.com/RUB-NDS/TLS-Padding-Oracles",
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
"https://security.gentoo.org/glsa/201903-10",
"https://security.netapp.com/advisory/ntap-20190301-0001/",
"https://security.netapp.com/advisory/ntap-20190301-0002/",
"https://security.netapp.com/advisory/ntap-20190423-0002/",
"https://support.f5.com/csp/article/K18549143",
"https://usn.ubuntu.com/3899-1/",
"https://www.debian.org/security/2019/dsa-4400",
"https://www.openssl.org/news/secadv/20190226.txt",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"https://www.tenable.com/security/tns-2019-02",
"https://www.tenable.com/security/tns-2019-03"
]
}
]
}
]

859
integration/testdata/oraclelinux-7-slim.json.golden vendored Normal file
View File

@@ -0,0 +1,859 @@
[
{
"Target": "testdata/fixtures/oraclelinux-7-slim.tar.gz (oracle 7.6)",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2018-16842",
"PkgName": "curl",
"InstalledVersion": "7.29.0-51.0.1.el7_6.3",
"FixedVersion": "7.29.0-54.0.1.el7",
"Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
"Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
"Severity": "MEDIUM",
"References": [
"http://www.securitytracker.com/id/1042014",
"https://access.redhat.com/errata/RHSA-2019:2181",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842",
"https://curl.haxx.se/docs/CVE-2018-16842.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16842",
"https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211",
"https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html",
"https://security.gentoo.org/glsa/201903-03",
"https://usn.ubuntu.com/3805-1/",
"https://usn.ubuntu.com/3805-2/",
"https://www.debian.org/security/2018/dsa-4331"
]
},
{
"VulnerabilityID": "CVE-2018-16402",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: Double-free due to double decompression of sections in crafted ELF causes crash",
"Description": "libelf/elf_end.c in elfutils 0.173 allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact because it tries to decompress twice.",
"Severity": "HIGH",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16402",
"https://sourceware.org/bugzilla/show_bug.cgi?id=23528",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2018-16062",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getaranges.c:dwarf_getaranges() via crafted file",
"Description": "dwarf_getaranges in dwarf_getaranges.c in libdw in elfutils before 2018-08-18 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
"https://access.redhat.com/errata/RHSA-2019:2197",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16062",
"https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
"https://sourceware.org/bugzilla/show_bug.cgi?id=23541",
"https://sourceware.org/git/?p=elfutils.git;a=commit;h=29e31978ba51c1051743a503ee325b5ebc03d7e9",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2018-16403",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: Heap-based buffer over-read in libdw/dwarf_getabbrev.c and libwd/dwarf_hasattr.c causes crash",
"Description": "libdw in elfutils 0.173 checks the end of the attributes list incorrectly in dwarf_getabbrev in dwarf_getabbrev.c and dwarf_hasattr in dwarf_hasattr.c, leading to a heap-based buffer over-read and an application crash.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00052.html",
"https://access.redhat.com/errata/RHSA-2019:2197",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16403",
"https://sourceware.org/bugzilla/show_bug.cgi?id=23529",
"https://sourceware.org/git/?p=elfutils.git;a=commit;h=6983e59b727458a6c64d9659c85f08218bc4fcda",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2018-18310",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl",
"Description": "An invalid memory address dereference was discovered in dwfl_segment_report_module.c in libdwfl in elfutils through v0.174. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by consider_notes.",
"Severity": "MEDIUM",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18310",
"https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
"https://sourceware.org/bugzilla/show_bug.cgi?id=23752",
"https://sourceware.org/ml/elfutils-devel/2018-q4/msg00022.html",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2018-18520",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: eu-size cannot handle recursive ar files",
"Description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"Severity": "MEDIUM",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18520",
"https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
"https://sourceware.org/bugzilla/show_bug.cgi?id=23787",
"https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2018-18521",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: Divide-by-zero in arlib_add_symbols function in arlib.c",
"Description": "Divide-by-zero vulnerabilities in the function arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers to cause a denial of service (application crash) with a crafted ELF file, as demonstrated by eu-ranlib, because a zero sh_entsize is mishandled.",
"Severity": "MEDIUM",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18521",
"https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
"https://sourceware.org/bugzilla/show_bug.cgi?id=23786",
"https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2019-7149",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: heap-based buffer over-read in read_srclines in dwarf_getsrclines.c in libdw",
"Description": "A heap-based buffer over-read was discovered in the function read_srclines in dwarf_getsrclines.c in libdw in elfutils 0.175. A crafted input can cause segmentation faults, leading to denial-of-service, as demonstrated by eu-nm.",
"Severity": "MEDIUM",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7149",
"https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
"https://sourceware.org/bugzilla/show_bug.cgi?id=24102",
"https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2019-7150",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: segmentation fault in elf64_xlatetom in libelf/elf32_xlatetom.c",
"Description": "An issue was discovered in elfutils 0.175. A segmentation fault can occur in the function elf64_xlatetom in libelf/elf32_xlatetom.c, due to dwfl_segment_report_module not checking whether the dyn data read from a core file is truncated. A crafted input can cause a program crash, leading to denial-of-service, as demonstrated by eu-stack.",
"Severity": "MEDIUM",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7150",
"https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
"https://sourceware.org/bugzilla/show_bug.cgi?id=24103",
"https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2019-7664",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: out of bound write in elf_cvt_note in libelf/note_xlate.h",
"Description": "In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note in libelf/note_xlate.h because of an incorrect overflow check. Crafted elf input causes a segmentation fault, leading to denial of service (program crash).",
"Severity": "MEDIUM",
"References": [
"https://access.redhat.com/errata/RHSA-2019:2197",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7664",
"https://sourceware.org/bugzilla/show_bug.cgi?id=24084"
]
},
{
"VulnerabilityID": "CVE-2019-7665",
"PkgName": "elfutils-libelf",
"InstalledVersion": "0.172-2.el7",
"FixedVersion": "0.176-2.el7",
"Title": "elfutils: heap-based buffer over-read in function elf32_xlatetom in elf32_xlatetom.c",
"Description": "In elfutils 0.175, a heap-based buffer over-read was discovered in the function elf32_xlatetom in elf32_xlatetom.c in libelf. A crafted ELF input can cause a segmentation fault leading to denial of service (program crash) because ebl_core_note does not reject malformed core file notes.",
"Severity": "MEDIUM",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7665",
"https://lists.debian.org/debian-lts-announce/2019/02/msg00036.html",
"https://sourceware.org/bugzilla/show_bug.cgi?id=24089",
"https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html",
"https://usn.ubuntu.com/4012-1/"
]
},
{
"VulnerabilityID": "CVE-2016-10739",
"PkgName": "glibc",
"InstalledVersion": "2.17-260.0.17.el7_6.6",
"FixedVersion": "2.17-292.0.1.el7",
"Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
"Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
"http://www.securityfocus.com/bid/106672",
"https://access.redhat.com/errata/RHSA-2019:2118",
"https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
"https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
]
},
{
"VulnerabilityID": "CVE-2016-10739",
"PkgName": "glibc-common",
"InstalledVersion": "2.17-260.0.17.el7_6.6",
"FixedVersion": "2.17-292.0.1.el7",
"Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
"Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
"http://www.securityfocus.com/bid/106672",
"https://access.redhat.com/errata/RHSA-2019:2118",
"https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
"https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
]
},
{
"VulnerabilityID": "CVE-2018-16842",
"PkgName": "libcurl",
"InstalledVersion": "7.29.0-51.0.1.el7_6.3",
"FixedVersion": "7.29.0-54.0.1.el7",
"Title": "curl: Heap-based buffer over-read in the curl tool warning formatting",
"Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
"Severity": "MEDIUM",
"References": [
"http://www.securitytracker.com/id/1042014",
"https://access.redhat.com/errata/RHSA-2019:2181",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842",
"https://curl.haxx.se/docs/CVE-2018-16842.html",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16842",
"https://github.com/curl/curl/commit/d530e92f59ae9bb2d47066c3c460b25d2ffeb211",
"https://lists.debian.org/debian-lts-announce/2018/11/msg00005.html",
"https://security.gentoo.org/glsa/201903-03",
"https://usn.ubuntu.com/3805-1/",
"https://usn.ubuntu.com/3805-2/",
"https://www.debian.org/security/2018/dsa-4331"
]
},
{
"VulnerabilityID": "CVE-2019-3858",
"PkgName": "libssh2",
"InstalledVersion": "1.4.3-12.0.1.el7_6.3",
"FixedVersion": "1.8.0-3.el7",
"Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read",
"Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
"http://www.openwall.com/lists/oss-security/2019/03/18/3",
"http://www.securityfocus.com/bid/107485",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3858",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://seclists.org/bugtraq/2019/Mar/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3858.html"
]
},
{
"VulnerabilityID": "CVE-2019-3861",
"PkgName": "libssh2",
"InstalledVersion": "1.4.3-12.0.1.el7_6.3",
"FixedVersion": "1.8.0-3.el7",
"Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets",
"Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3861",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
"https://seclists.org/bugtraq/2019/Apr/25",
"https://security.netapp.com/advisory/ntap-20190327-0005/",
"https://www.debian.org/security/2019/dsa-4431",
"https://www.libssh2.org/CVE-2019-3861.html"
]
},
{
"VulnerabilityID": "CVE-2018-12404",
"PkgName": "nspr",
"InstalledVersion": "4.19.0-1.el7_5",
"FixedVersion": "4.21.0-1.el7",
"Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
"Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
"http://www.securityfocus.com/bid/107260",
"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
]
},
{
"VulnerabilityID": "CVE-2018-0495",
"PkgName": "nspr",
"InstalledVersion": "4.19.0-1.el7_5",
"FixedVersion": "4.21.0-1.el7",
"Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
"Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"Severity": "LOW",
"References": [
"http://www.securitytracker.com/id/1041144",
"http://www.securitytracker.com/id/1041147",
"https://access.redhat.com/errata/RHSA-2018:3221",
"https://access.redhat.com/errata/RHSA-2018:3505",
"https://access.redhat.com/errata/RHSA-2019:1296",
"https://access.redhat.com/errata/RHSA-2019:1297",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
"https://dev.gnupg.org/T4011",
"https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
"https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
"https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
"https://usn.ubuntu.com/3689-1/",
"https://usn.ubuntu.com/3689-2/",
"https://usn.ubuntu.com/3692-1/",
"https://usn.ubuntu.com/3692-2/",
"https://usn.ubuntu.com/3850-1/",
"https://usn.ubuntu.com/3850-2/",
"https://www.debian.org/security/2018/dsa-4231",
"https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
]
},
{
"VulnerabilityID": "CVE-2018-12404",
"PkgName": "nss",
"InstalledVersion": "3.36.0-7.1.el7_6",
"FixedVersion": "3.44.0-4.el7",
"Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
"Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
"http://www.securityfocus.com/bid/107260",
"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
]
},
{
"VulnerabilityID": "CVE-2018-0495",
"PkgName": "nss",
"InstalledVersion": "3.36.0-7.1.el7_6",
"FixedVersion": "3.44.0-4.el7",
"Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
"Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"Severity": "LOW",
"References": [
"http://www.securitytracker.com/id/1041144",
"http://www.securitytracker.com/id/1041147",
"https://access.redhat.com/errata/RHSA-2018:3221",
"https://access.redhat.com/errata/RHSA-2018:3505",
"https://access.redhat.com/errata/RHSA-2019:1296",
"https://access.redhat.com/errata/RHSA-2019:1297",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
"https://dev.gnupg.org/T4011",
"https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
"https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
"https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
"https://usn.ubuntu.com/3689-1/",
"https://usn.ubuntu.com/3689-2/",
"https://usn.ubuntu.com/3692-1/",
"https://usn.ubuntu.com/3692-2/",
"https://usn.ubuntu.com/3850-1/",
"https://usn.ubuntu.com/3850-2/",
"https://www.debian.org/security/2018/dsa-4231",
"https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
]
},
{
"VulnerabilityID": "CVE-2018-12404",
"PkgName": "nss-softokn",
"InstalledVersion": "3.36.0-5.0.1.el7_5",
"FixedVersion": "3.44.0-5.0.1.el7",
"Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
"Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
"http://www.securityfocus.com/bid/107260",
"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
]
},
{
"VulnerabilityID": "CVE-2018-0495",
"PkgName": "nss-softokn",
"InstalledVersion": "3.36.0-5.0.1.el7_5",
"FixedVersion": "3.44.0-5.0.1.el7",
"Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
"Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"Severity": "LOW",
"References": [
"http://www.securitytracker.com/id/1041144",
"http://www.securitytracker.com/id/1041147",
"https://access.redhat.com/errata/RHSA-2018:3221",
"https://access.redhat.com/errata/RHSA-2018:3505",
"https://access.redhat.com/errata/RHSA-2019:1296",
"https://access.redhat.com/errata/RHSA-2019:1297",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
"https://dev.gnupg.org/T4011",
"https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
"https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
"https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
"https://usn.ubuntu.com/3689-1/",
"https://usn.ubuntu.com/3689-2/",
"https://usn.ubuntu.com/3692-1/",
"https://usn.ubuntu.com/3692-2/",
"https://usn.ubuntu.com/3850-1/",
"https://usn.ubuntu.com/3850-2/",
"https://www.debian.org/security/2018/dsa-4231",
"https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
]
},
{
"VulnerabilityID": "CVE-2018-12404",
"PkgName": "nss-softokn-freebl",
"InstalledVersion": "3.36.0-5.0.1.el7_5",
"FixedVersion": "3.44.0-5.0.1.el7",
"Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
"Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
"http://www.securityfocus.com/bid/107260",
"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
]
},
{
"VulnerabilityID": "CVE-2018-0495",
"PkgName": "nss-softokn-freebl",
"InstalledVersion": "3.36.0-5.0.1.el7_5",
"FixedVersion": "3.44.0-5.0.1.el7",
"Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
"Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"Severity": "LOW",
"References": [
"http://www.securitytracker.com/id/1041144",
"http://www.securitytracker.com/id/1041147",
"https://access.redhat.com/errata/RHSA-2018:3221",
"https://access.redhat.com/errata/RHSA-2018:3505",
"https://access.redhat.com/errata/RHSA-2019:1296",
"https://access.redhat.com/errata/RHSA-2019:1297",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
"https://dev.gnupg.org/T4011",
"https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
"https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
"https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
"https://usn.ubuntu.com/3689-1/",
"https://usn.ubuntu.com/3689-2/",
"https://usn.ubuntu.com/3692-1/",
"https://usn.ubuntu.com/3692-2/",
"https://usn.ubuntu.com/3850-1/",
"https://usn.ubuntu.com/3850-2/",
"https://www.debian.org/security/2018/dsa-4231",
"https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
]
},
{
"VulnerabilityID": "CVE-2018-12404",
"PkgName": "nss-sysinit",
"InstalledVersion": "3.36.0-7.1.el7_6",
"FixedVersion": "3.44.0-4.el7",
"Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
"Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
"http://www.securityfocus.com/bid/107260",
"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
]
},
{
"VulnerabilityID": "CVE-2018-0495",
"PkgName": "nss-sysinit",
"InstalledVersion": "3.36.0-7.1.el7_6",
"FixedVersion": "3.44.0-4.el7",
"Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
"Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"Severity": "LOW",
"References": [
"http://www.securitytracker.com/id/1041144",
"http://www.securitytracker.com/id/1041147",
"https://access.redhat.com/errata/RHSA-2018:3221",
"https://access.redhat.com/errata/RHSA-2018:3505",
"https://access.redhat.com/errata/RHSA-2019:1296",
"https://access.redhat.com/errata/RHSA-2019:1297",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
"https://dev.gnupg.org/T4011",
"https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
"https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
"https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
"https://usn.ubuntu.com/3689-1/",
"https://usn.ubuntu.com/3689-2/",
"https://usn.ubuntu.com/3692-1/",
"https://usn.ubuntu.com/3692-2/",
"https://usn.ubuntu.com/3850-1/",
"https://usn.ubuntu.com/3850-2/",
"https://www.debian.org/security/2018/dsa-4231",
"https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
]
},
{
"VulnerabilityID": "CVE-2018-12404",
"PkgName": "nss-tools",
"InstalledVersion": "3.36.0-7.1.el7_6",
"FixedVersion": "3.44.0-4.el7",
"Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
"Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
"http://www.securityfocus.com/bid/107260",
"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
]
},
{
"VulnerabilityID": "CVE-2018-0495",
"PkgName": "nss-tools",
"InstalledVersion": "3.36.0-7.1.el7_6",
"FixedVersion": "3.44.0-4.el7",
"Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
"Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"Severity": "LOW",
"References": [
"http://www.securitytracker.com/id/1041144",
"http://www.securitytracker.com/id/1041147",
"https://access.redhat.com/errata/RHSA-2018:3221",
"https://access.redhat.com/errata/RHSA-2018:3505",
"https://access.redhat.com/errata/RHSA-2019:1296",
"https://access.redhat.com/errata/RHSA-2019:1297",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
"https://dev.gnupg.org/T4011",
"https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
"https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
"https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
"https://usn.ubuntu.com/3689-1/",
"https://usn.ubuntu.com/3689-2/",
"https://usn.ubuntu.com/3692-1/",
"https://usn.ubuntu.com/3692-2/",
"https://usn.ubuntu.com/3850-1/",
"https://usn.ubuntu.com/3850-2/",
"https://www.debian.org/security/2018/dsa-4231",
"https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
]
},
{
"VulnerabilityID": "CVE-2018-12404",
"PkgName": "nss-util",
"InstalledVersion": "3.36.0-1.1.el7_6",
"FixedVersion": "3.44.0-3.el7",
"Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
"Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
"http://www.securityfocus.com/bid/107260",
"https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
]
},
{
"VulnerabilityID": "CVE-2018-0495",
"PkgName": "nss-util",
"InstalledVersion": "3.36.0-1.1.el7_6",
"FixedVersion": "3.44.0-3.el7",
"Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
"Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
"Severity": "LOW",
"References": [
"http://www.securitytracker.com/id/1041144",
"http://www.securitytracker.com/id/1041147",
"https://access.redhat.com/errata/RHSA-2018:3221",
"https://access.redhat.com/errata/RHSA-2018:3505",
"https://access.redhat.com/errata/RHSA-2019:1296",
"https://access.redhat.com/errata/RHSA-2019:1297",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
"https://dev.gnupg.org/T4011",
"https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
"https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
"https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
"https://usn.ubuntu.com/3689-1/",
"https://usn.ubuntu.com/3689-2/",
"https://usn.ubuntu.com/3692-1/",
"https://usn.ubuntu.com/3692-2/",
"https://usn.ubuntu.com/3850-1/",
"https://usn.ubuntu.com/3850-2/",
"https://www.debian.org/security/2018/dsa-4231",
"https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
]
},
{
"VulnerabilityID": "CVE-2018-0734",
"PkgName": "openssl-libs",
"InstalledVersion": "1:1.0.2k-16.0.1.el7_6.1",
"FixedVersion": "1:1.0.2k-19.0.1.el7",
"Title": "openssl: timing side channel attack in the DSA signature algorithm",
"Description": "The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html",
"http://www.securityfocus.com/bid/105758",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=43e6a58d4991a451daf4891ff05a48735df871ac",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7",
"https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"https://security.netapp.com/advisory/ntap-20181105-0002/",
"https://security.netapp.com/advisory/ntap-20190118-0002/",
"https://security.netapp.com/advisory/ntap-20190423-0002/",
"https://usn.ubuntu.com/3840-1/",
"https://www.debian.org/security/2018/dsa-4348",
"https://www.debian.org/security/2018/dsa-4355",
"https://www.openssl.org/news/secadv/20181030.txt",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"https://www.tenable.com/security/tns-2018-16",
"https://www.tenable.com/security/tns-2018-17"
]
},
{
"VulnerabilityID": "CVE-2019-1559",
"PkgName": "openssl-libs",
"InstalledVersion": "1:1.0.2k-16.0.1.el7_6.1",
"FixedVersion": "1:1.0.2k-19.0.1.el7",
"Title": "openssl: 0-byte record padding oracle",
"Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
"http://www.securityfocus.com/bid/107174",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559",
"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
"https://github.com/RUB-NDS/TLS-Padding-Oracles",
"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282",
"https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
"https://security.gentoo.org/glsa/201903-10",
"https://security.netapp.com/advisory/ntap-20190301-0001/",
"https://security.netapp.com/advisory/ntap-20190301-0002/",
"https://security.netapp.com/advisory/ntap-20190423-0002/",
"https://support.f5.com/csp/article/K18549143",
"https://usn.ubuntu.com/3899-1/",
"https://www.debian.org/security/2019/dsa-4400",
"https://www.openssl.org/news/secadv/20190226.txt",
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
"https://www.tenable.com/security/tns-2019-02",
"https://www.tenable.com/security/tns-2019-03"
]
},
{
"VulnerabilityID": "CVE-2019-5010",
"PkgName": "python",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
"Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
"Severity": "HIGH",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
"https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
]
},
{
"VulnerabilityID": "CVE-2018-14647",
"PkgName": "python",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: Missing salt initialization in _elementtree.c module",
"Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
"Severity": "MEDIUM",
"References": [
"http://www.securityfocus.com/bid/105396",
"http://www.securitytracker.com/id/1041740",
"https://access.redhat.com/errata/RHSA-2019:1260",
"https://access.redhat.com/errata/RHSA-2019:2030",
"https://bugs.python.org/issue34623",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647",
"https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
"https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/",
"https://usn.ubuntu.com/3817-1/",
"https://usn.ubuntu.com/3817-2/",
"https://www.debian.org/security/2018/dsa-4306",
"https://www.debian.org/security/2018/dsa-4307"
]
},
{
"VulnerabilityID": "CVE-2019-9740",
"PkgName": "python",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: CRLF injection via the query part of the url passed to urlopen()",
"Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
"Severity": "MEDIUM",
"References": [
"http://www.securityfocus.com/bid/107466",
"https://access.redhat.com/errata/RHSA-2019:1260",
"https://bugs.python.org/issue36276",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"
]
},
{
"VulnerabilityID": "CVE-2019-9947",
"PkgName": "python",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: CRLF injection via the path part of the url passed to urlopen()",
"Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
"Severity": "MEDIUM",
"References": [
"https://access.redhat.com/errata/RHSA-2019:1260",
"https://bugs.python.org/issue35906",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/",
"https://security.netapp.com/advisory/ntap-20190404-0004/"
]
},
{
"VulnerabilityID": "CVE-2019-9948",
"PkgName": "python",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
"Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
"http://www.securityfocus.com/bid/107549",
"https://bugs.python.org/issue35907",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948",
"https://github.com/python/cpython/pull/11842",
"https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
"https://security.netapp.com/advisory/ntap-20190404-0004/"
]
},
{
"VulnerabilityID": "CVE-2019-5010",
"PkgName": "python-libs",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
"Description": "A null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
"Severity": "HIGH",
"References": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
"https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
]
},
{
"VulnerabilityID": "CVE-2018-14647",
"PkgName": "python-libs",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: Missing salt initialization in _elementtree.c module",
"Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
"Severity": "MEDIUM",
"References": [
"http://www.securityfocus.com/bid/105396",
"http://www.securitytracker.com/id/1041740",
"https://access.redhat.com/errata/RHSA-2019:1260",
"https://access.redhat.com/errata/RHSA-2019:2030",
"https://bugs.python.org/issue34623",
"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647",
"https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
"https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/",
"https://usn.ubuntu.com/3817-1/",
"https://usn.ubuntu.com/3817-2/",
"https://www.debian.org/security/2018/dsa-4306",
"https://www.debian.org/security/2018/dsa-4307"
]
},
{
"VulnerabilityID": "CVE-2019-9740",
"PkgName": "python-libs",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: CRLF injection via the query part of the url passed to urlopen()",
"Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command.",
"Severity": "MEDIUM",
"References": [
"http://www.securityfocus.com/bid/107466",
"https://access.redhat.com/errata/RHSA-2019:1260",
"https://bugs.python.org/issue36276",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/"
]
},
{
"VulnerabilityID": "CVE-2019-9947",
"PkgName": "python-libs",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: CRLF injection via the path part of the url passed to urlopen()",
"Description": "An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \\r\\n (specifically in the path component of a URL that lacks a ? character) followed by an HTTP header or a Redis command. This is similar to the CVE-2019-9740 query string issue.",
"Severity": "MEDIUM",
"References": [
"https://access.redhat.com/errata/RHSA-2019:1260",
"https://bugs.python.org/issue35906",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9947",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/",
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/",
"https://security.netapp.com/advisory/ntap-20190404-0004/"
]
},
{
"VulnerabilityID": "CVE-2019-9948",
"PkgName": "python-libs",
"InstalledVersion": "2.7.5-80.0.1.el7_6",
"FixedVersion": "2.7.5-86.0.1.el7",
"Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
"Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
"Severity": "MEDIUM",
"References": [
"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
"http://www.securityfocus.com/bid/107549",
"https://bugs.python.org/issue35907",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948",
"https://github.com/python/cpython/pull/11842",
"https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
"https://security.netapp.com/advisory/ntap-20190404-0004/"
]
}
]
}
]

6
integration/testdata/oraclelinux-8-slim.json.golden vendored Normal file
View File

@@ -0,0 +1,6 @@
[
{
"Target": "testdata/fixtures/oraclelinux-8-slim.tar.gz (oracle 8.0)",
"Vulnerabilities": null
}
]

BIN
integration/testdata/trivy.db.gz vendored
View File

Binary file not shown.

94
pkg/scanner/ospkg/oracle/oracle.go Normal file
View File

@@ -0,0 +1,94 @@
package oracle
import (
"strings"
"time"
oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval"
version "github.com/knqyf263/go-rpm-version"
"golang.org/x/xerrors"
"github.com/aquasecurity/fanal/analyzer"
dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/scanner/utils"
"github.com/aquasecurity/trivy/pkg/types"
"k8s.io/utils/clock"
)
var (
eolDates = map[string]time.Time{
// Source:
// https://www.oracle.com/a/ocom/docs/elsp-lifetime-069338.pdf
// https://community.oracle.com/docs/DOC-917964
"3": time.Date(2011, 12, 31, 23, 59, 59, 0, time.UTC),
"4": time.Date(2013, 12, 31, 23, 59, 59, 0, time.UTC),
"5": time.Date(2017, 12, 31, 23, 59, 59, 0, time.UTC),
"6": time.Date(2021, 3, 21, 23, 59, 59, 0, time.UTC),
"7": time.Date(2024, 7, 23, 23, 59, 59, 0, time.UTC),
"8": time.Date(2029, 7, 18, 23, 59, 59, 0, time.UTC),
}
)
type Scanner struct {
vs dbTypes.VulnSrc
clock clock.Clock
}
func NewScanner() *Scanner {
return &Scanner{
vs: oracleoval.NewVulnSrc(),
clock: clock.RealClock{},
}
}
func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
log.Logger.Info("Detecting Oracle Linux vulnerabilities...")
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
log.Logger.Debugf("Oracle Linux: os version: %s", osVer)
log.Logger.Debugf("Oracle Linux: the number of packages: %d", len(pkgs))
var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
advisories, err := s.vs.Get(osVer, pkg.SrcName)
if err != nil {
return nil, xerrors.Errorf("failed to get Oracle Linux advisory: %w", err)
}
installed := utils.FormatVersion(pkg)
installedVersion := version.NewVersion(installed)
for _, adv := range advisories {
fixedVersion := version.NewVersion(adv.FixedVersion)
vuln := types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID,
PkgName: pkg.Name,
InstalledVersion: installed,
}
if installedVersion.LessThan(fixedVersion) {
vuln.FixedVersion = adv.FixedVersion
vulns = append(vulns, vuln)
}
}
}
return vulns, nil
}
func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
if strings.Count(osVer, ".") > 0 {
osVer = osVer[:strings.Index(osVer, ".")]
}
eol, ok := eolDates[osVer]
if !ok {
log.Logger.Warnf("This OS version is not on the EOL list: %s %s", osFamily, osVer)
return false
}
return s.clock.Now().Before(eol)
}

96
pkg/scanner/ospkg/oracle/oracle_test.go Normal file
View File

@@ -0,0 +1,96 @@
package oracle
import (
"os"
"testing"
"time"
oracleoval "github.com/aquasecurity/trivy-db/pkg/vulnsrc/oracle-oval"
"github.com/aquasecurity/trivy/pkg/log"
"k8s.io/utils/clock"
clocktesting "k8s.io/utils/clock/testing"
)
func TestMain(m *testing.M) {
log.InitLogger(false, false)
os.Exit(m.Run())
}
func TestScanner_IsSupportedVersion(t *testing.T) {
vectors := map[string]struct {
clock clock.Clock
osFamily string
osVersion string
expected bool
}{
"oracle3": {
clock: clocktesting.NewFakeClock(time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "3",
expected: false,
},
"oracle4": {
clock: clocktesting.NewFakeClock(time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "4",
expected: false,
},
"oracle5": {
clock: clocktesting.NewFakeClock(time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "5",
expected: false,
},
"oracle6": {
clock: clocktesting.NewFakeClock(time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "6",
expected: true,
},
"oracle7": {
clock: clocktesting.NewFakeClock(time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "7",
expected: true,
},
"oracle7.6": {
clock: clocktesting.NewFakeClock(time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "7.6",
expected: true,
},
"oracle8": {
clock: clocktesting.NewFakeClock(time.Date(2029, 7, 18, 23, 59, 58, 59, time.UTC)),
osFamily: "oracle",
osVersion: "8",
expected: true,
},
"oracle8-same-time": {
clock: clocktesting.NewFakeClock(time.Date(2029, 7, 18, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "8",
expected: false,
},
"unknown": {
clock: clocktesting.NewFakeClock(time.Date(2019, 5, 31, 23, 59, 59, 0, time.UTC)),
osFamily: "oracle",
osVersion: "unknown",
expected: false,
},
}
for testName, v := range vectors {
s := &Scanner{
vs: oracleoval.NewVulnSrc(),
clock: v.clock,
}
t.Run(testName, func(t *testing.T) {
actual := s.IsSupportedVersion(v.osFamily, v.osVersion)
if actual != v.expected {
t.Errorf("[%s] got %v, want %v", testName, actual, v.expected)
}
})
}
}

3
pkg/scanner/ospkg/scan.go
View File

@@ -17,6 +17,7 @@ import (
"github.com/aquasecurity/trivy/pkg/scanner/ospkg/alpine"
"github.com/aquasecurity/trivy/pkg/scanner/ospkg/amazon"
"github.com/aquasecurity/trivy/pkg/scanner/ospkg/debian"
"github.com/aquasecurity/trivy/pkg/scanner/ospkg/oracle"
"github.com/aquasecurity/trivy/pkg/scanner/ospkg/redhat"
"github.com/aquasecurity/trivy/pkg/scanner/ospkg/ubuntu"
"github.com/aquasecurity/trivy/pkg/types"
@@ -47,6 +48,8 @@ func Scan(files extractor.FileMap) (string, string, []types.DetectedVulnerabilit
s = redhat.NewScanner()
case fos.Amazon:
s = amazon.NewScanner()
case fos.Oracle:
s = oracle.NewScanner()
default:
log.Logger.Warnf("unsupported os : %s", os.Family)
return "", "", nil, nil