fix(oracle): handle advisories contain ksplice versions (#1209)

afdesk · web-flow · commit 9d617777d56f · 2021-09-05T11:29:13.000+03:00
* fix(oracle): handle advisories contain ksplice versions Improve a handling of advisories contain ksplice versions: * when one of them doesn't have ksplice, we'll also skip it * extract kspliceX and compare it with kspliceY in advisories * if kspliceX and kspliceY are different, we will skip the advisory. Fixes #1205 * fix(oracle): handle advisories contain ksplice versions simplify code and remove duplicated tests Fixes #1205 * run go fmt
diff --git a/pkg/detector/ospkg/oracle/oracle.go b/pkg/detector/ospkg/oracle/oracle.go
@@ -44,6 +44,16 @@ func NewScanner() *Scanner {
 	}
 }
 
+func extractKsplice(v string) string {
+	subs := strings.Split(strings.ToLower(v), ".")
+	for _, s := range subs {
+		if strings.HasPrefix(s, "ksplice") {
+			return s
+		}
+	}
+	return ""
+}
+
 // Detect scans and return vulnerability in Oracle scanner
 func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Oracle Linux vulnerabilities...")
@@ -65,10 +75,13 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 		installed := utils.FormatVersion(pkg)
 		installedVersion := version.NewVersion(installed)
 		for _, adv := range advisories {
-			// Skip if only one of them contains .ksplice1.
-			if strings.Contains(adv.FixedVersion, ".ksplice1.") != strings.Contains(pkg.Release, ".ksplice1.") {
+			// when one of them doesn't have ksplice, we'll also skip it
+			// extract kspliceX and compare it with kspliceY in advisories
+			// if kspliceX and kspliceY are different, we will skip the advisory
+			if extractKsplice(adv.FixedVersion) != extractKsplice(pkg.Release) {
 				continue
 			}
+
 			fixedVersion := version.NewVersion(adv.FixedVersion)
 			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
diff --git a/pkg/detector/ospkg/oracle/oracle_test.go b/pkg/detector/ospkg/oracle/oracle_test.go
@@ -151,6 +151,27 @@ func TestScanner_Detect(t *testing.T) {
 			},
 			want: nil,
 		},
+		{
+			name:     "the installed version has ksplice2",
+			fixtures: []string{"testdata/fixtures/oracle7.yaml"},
+			args: args{
+				osVer: "7",
+				pkgs: []ftypes.Package{
+					{
+						Name:       "glibc",
+						Epoch:      2,
+						Version:    "2.28",
+						Release:    "151.0.1.ksplice2.el8",
+						Arch:       "x86_64",
+						SrcEpoch:   2,
+						SrcName:    "glibc",
+						SrcVersion: "2.28",
+						SrcRelease: "151.0.1.ksplice2.el8",
+					},
+				},
+			},
+			want: nil,
+		},
 		{
 			name:     "with ksplice",
 			fixtures: []string{"testdata/fixtures/oracle7.yaml"},
