fix(RedHat): compare severity when merging advisories (#313)

Co-authored-by: knqyf263 <[email protected]>

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/stretchr/testify v1.8.4
 	github.com/urfave/cli v1.22.13
 	go.etcd.io/bbolt v1.3.7
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
 	golang.org/x/text v0.9.0
 	golang.org/x/vuln v0.0.0-20211221130724-9d39a965865f
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1

go.sum

@@ -77,6 +77,8 @@ go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

pkg/vulnsrc/redhat-oval/redhat-oval.go

@@ -8,16 +8,17 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"sort"
 	"strings"
 
-	"github.com/aquasecurity/trivy-db/pkg/utils/ints"
-
 	bolt "go.etcd.io/bbolt"
+	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/utils"
+	"github.com/aquasecurity/trivy-db/pkg/utils/ints"
 	ustrings "github.com/aquasecurity/trivy-db/pkg/utils/strings"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 )
@@ -146,7 +147,8 @@ func (vs VulnSrc) mergeAdvisories(advisories map[bucket]Advisory, defs map[bucke
 			found := false
 			for i := range old.Entries {
 				// New advisory should contain a single fixed version and list of arches.
-				if old.Entries[i].FixedVersion == def.Entry.FixedVersion && old.Entries[i].State == def.Entry.State && archesEqual(old.Entries[i].Arches, def.Entry.Arches) {
+				if old.Entries[i].FixedVersion == def.Entry.FixedVersion && old.Entries[i].State == def.Entry.State &&
+					slices.Equal(old.Entries[i].Arches, def.Entry.Arches) && slices.Equal(old.Entries[i].Cves, def.Entry.Cves) {
 					found = true
 					old.Entries[i].AffectedCPEList = ustrings.Merge(old.Entries[i].AffectedCPEList, def.Entry.AffectedCPEList)
 				}
@@ -347,6 +349,9 @@ func parseDefinitions(advisories []redhatOVAL, tests map[string]rpmInfoTest, uni
 					Severity: severityFromImpact(cve.Impact),
 				})
 			}
+			sort.Slice(cveEntries, func(i, j int) bool {
+				return cveEntries[i].ID < cveEntries[j].ID
+			})
 
 			if rhsaID != "" { // For patched vulnerabilities
 				bkt := bucket{
@@ -415,6 +420,7 @@ func walkCriterion(cri criteria, tests map[string]rpmInfoTest) (string, []pkg) {
 		var arches []string
 		if t.Arch != "" {
 			arches = strings.Split(t.Arch, "|") // affected arches are merged with '|'(e.g. 'aarch64|ppc64le|x86_64')
+			sort.Strings(arches)
 		}
 
 		packages = append(packages, pkg{
@@ -473,15 +479,3 @@ func severityFromImpact(sev string) types.Severity {
 	}
 	return types.SeverityUnknown
 }
-
-func archesEqual(a, b []string) bool {
-	if len(a) != len(b) {
-		return false
-	}
-	for i := range a {
-		if a[i] != b[i] {
-			return false
-		}
-	}
-	return true
-}

pkg/vulnsrc/redhat-oval/redhat-oval_test.go

@@ -210,6 +210,231 @@ func TestVulnSrc_Update(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "happy path with different severity for different platforms",
+			dir:  filepath.Join("testdata", "different-severity"),
+			wantValues: []vulnsrctest.WantValues{
+				{
+					Key: []string{"data-source", "Red Hat"},
+					Value: types.DataSource{
+						ID:   vulnerability.RedHatOVAL,
+						Name: "Red Hat OVAL v2",
+						URL:  "https://www.redhat.com/security/data/oval/v2/",
+					},
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "0"},
+					Value: "cpe:/a:redhat:enterprise_linux:8",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "1"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::appstream",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "2"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::crb",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "3"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::highavailability",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "4"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::nfv",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "5"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::realtime",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "6"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::resilientstorage",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "7"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::sap",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "8"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::sap_hana",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "9"},
+					Value: "cpe:/a:redhat:enterprise_linux:8::supplementary",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "10"},
+					Value: "cpe:/a:redhat:rhel_extras:7",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "11"},
+					Value: "cpe:/a:redhat:rhel_extras_oracle_java:7",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "12"},
+					Value: "cpe:/a:redhat:rhel_extras_rt:7",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "13"},
+					Value: "cpe:/a:redhat:rhel_extras_sap:7",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "14"},
+					Value: "cpe:/a:redhat:rhel_extras_sap_hana:7",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "15"},
+					Value: "cpe:/o:redhat:enterprise_linux:7",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "16"},
+					Value: "cpe:/o:redhat:enterprise_linux:7::client",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "17"},
+					Value: "cpe:/o:redhat:enterprise_linux:7::computenode",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "18"},
+					Value: "cpe:/o:redhat:enterprise_linux:7::container",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "19"},
+					Value: "cpe:/o:redhat:enterprise_linux:7::containers",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "20"},
+					Value: "cpe:/o:redhat:enterprise_linux:7::server",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "cpe", "21"},
+					Value: "cpe:/o:redhat:enterprise_linux:7::workstation",
+				},
+				{
+					Key:   []string{"Red Hat CPE", "repository", "rhel-8-for-x86_64-baseos-rpms"},
+					Value: []int{23},
+				},
+				{
+					Key:   []string{"Red Hat CPE", "nvr", "3scale-amp-apicast-gateway-container-1.11-1-x86_64"},
+					Value: []int{20},
+				},
+				{
+					Key: []string{"advisory-detail", "CVE-2020-21674", "Red Hat", "bsdcpio"},
+					Value: redhat.Advisory{
+						Entries: []redhat.Entry{
+							{
+								FixedVersion:       "",
+								AffectedCPEIndices: []int{10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21},
+								Cves: []redhat.CveEntry{
+									{
+										ID:       "",
+										Severity: types.SeverityMedium,
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "CVE-2020-21674", "Red Hat", "bsdtar"},
+					Value: redhat.Advisory{
+						Entries: []redhat.Entry{
+							{
+								FixedVersion:       "",
+								AffectedCPEIndices: []int{10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21},
+								Cves: []redhat.CveEntry{
+									{
+										ID:       "",
+										Severity: types.SeverityMedium,
+									},
+								},
+							},
+							{
+								FixedVersion:       "",
+								AffectedCPEIndices: []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 22, 23},
+								Cves: []redhat.CveEntry{
+									{
+										ID:       "",
+										Severity: types.SeverityLow,
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "CVE-2020-21674", "Red Hat", "libarchive"},
+					Value: redhat.Advisory{
+						Entries: []redhat.Entry{
+							{
+								FixedVersion:       "",
+								AffectedCPEIndices: []int{10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21},
+								Cves: []redhat.CveEntry{
+									{
+										ID:       "",
+										Severity: types.SeverityMedium,
+									},
+								},
+							},
+							{
+								FixedVersion:       "",
+								AffectedCPEIndices: []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 22, 23},
+								Cves: []redhat.CveEntry{
+									{
+										ID:       "",
+										Severity: types.SeverityLow,
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "CVE-2020-21674", "Red Hat", "libarchive-debugsource"},
+					Value: redhat.Advisory{
+						Entries: []redhat.Entry{
+							{
+								FixedVersion:       "",
+								AffectedCPEIndices: []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 22, 23},
+								Cves: []redhat.CveEntry{
+									{
+										ID:       "",
+										Severity: types.SeverityLow,
+									},
+								},
+							},
+						},
+					},
+				},
+				{
+					Key: []string{"advisory-detail", "CVE-2020-21674", "Red Hat", "libarchive-devel"},
+					Value: redhat.Advisory{
+						Entries: []redhat.Entry{
+							{
+								FixedVersion:       "",
+								AffectedCPEIndices: []int{10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21},
+								Cves: []redhat.CveEntry{
+									{
+										ID:       "",
+										Severity: types.SeverityMedium,
+									},
+								},
+							},
+							{
+								FixedVersion:       "",
+								AffectedCPEIndices: []int{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 22, 23},
+								Cves: []redhat.CveEntry{
+									{
+										ID:       "",
+										Severity: types.SeverityLow,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "no definitions dir",
 			dir:  filepath.Join("testdata", "no-definitions"),