[WIP]Use repoquery for no sudo and avoid unintended line feed of yum …
…or rpm. #444
kotakanbe committed Jun 27, 2017
1 parent 98ab9db commit 5b9e641
Showing 4 changed files with 33 additions and 21 deletions.
1 change: 0 additions & 1 deletion .travis.yml
@@ -1,6 +1,5 @@
language: go

go:
- 1.7
- 1.8

1 change: 1 addition & 0 deletions commands/scan.go
Expand Up @@ -67,6 +67,7 @@ func (*ScanCmd) Usage() string {
[-cachedb-path=/path/to/cache.db]
[-ssh-native-insecure]
[-containers-only]
[-package-list-only]
[-skip-broken]
[-http-proxy=http://192.168.0.1:8080]
[-ask-key-password]
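Review bot: The usage text gains `[-package-list-only]`, but nothing in this commit defines or reads a flag by that name, so unless it is already registered elsewhere the help will advertise an option the command does not accept; if it is new, the flag definition and its handling in the scan path belong in the same commit. The body of Usage continues outside the hunk.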
49 changes: 29 additions & 20 deletions scan/redhat.go
Expand Up @@ -147,14 +147,14 @@ func (o *redhat) checkIfSudoNoPasswd() error {
if majorVersion < 6 {
cmds = []cmd{
{"yum --color=never repolist", zero},
{"yum --color=never check-update", []int{0, 100}},
// {"yum --color=never check-update", []int{0, 100}},
{"yum --color=never list-security --security", zero},
{"yum --color=never info-security", zero},
}
} else {
cmds = []cmd{
{"yum --color=never repolist", zero},
{"yum --color=never check-update", []int{0, 100}},
// {"yum --color=never check-update", []int{0, 100}},
{"yum --color=never --security updateinfo list updates", zero},
{"yum --color=never --security updateinfo updates", zero},
}
Expand Down Expand Up @@ -250,6 +250,7 @@ func (o *redhat) scanPackages() error {
}

func (o *redhat) scanInstalledPackages() (installed []models.Package, err error) {
//TODO repoqueryに変更する
cmd := "rpm -qa --queryformat '%{NAME}\t%{EPOCHNUM}\t%{VERSION}\t%{RELEASE}\n'"
r := o.exec(cmd, noSudo)
if r.isSuccess() {
Expand Down Expand Up @@ -305,6 +306,8 @@ func (o *redhat) scanVulnInfos() (models.VulnInfos, error) {

// For CentOS
func (o *redhat) scanUnsecurePackagesUsingYumCheckUpdate() (models.VulnInfos, error) {

//TODO change to repolist
cmd := "LANGUAGE=en_US.UTF-8 yum --color=never %s check-update"
if o.getServerInfo().Enablerepo != "" {
cmd = fmt.Sprintf(cmd, "--enablerepo="+o.getServerInfo().Enablerepo)
Expand Down Expand Up @@ -334,6 +337,7 @@ func (o *redhat) scanUnsecurePackagesUsingYumCheckUpdate() (models.VulnInfos, er
CveIDs []string
}

// TODO repolistでやるべきか
allChangelog, err := o.getAllChangelog(packages)
if err != nil {
o.log.Errorf("Failed to getAllchangelog. err: %s", err)
Expand Down Expand Up @@ -480,28 +484,24 @@ func (o *redhat) parseYumCheckUpdateLines(stdout string) (models.Packages, error

func (o *redhat) parseYumCheckUpdateLine(line string) (models.Package, error) {
fields := strings.Fields(line)
if len(fields) < 3 {
return models.Package{}, fmt.Errorf("Unknown format: %s", line)
if len(fields) < 5 {
return nil, fmt.Errorf("Unknown format: %s", line)
}
splitted := strings.Split(fields[0], ".")
packName := ""
if len(splitted) == 1 {
packName = fields[0]

ver := ""
epoch := fields[1]
if epoch == "0" {
ver = fields[2]
} else {
packName = strings.Join(strings.Split(fields[0], ".")[0:(len(splitted)-1)], ".")
ver = fmt.Sprintf("%s:%s", fields[1], fields[2])
}

verfields := strings.Split(fields[1], "-")
if len(verfields) != 2 {
return models.Package{}, fmt.Errorf("Unknown format: %s", line)
}
release := verfields[1]
repos := strings.Join(fields[2:len(fields)], " ")
repos := strings.Join(fields[4:len(fields)], " ")

return models.Package{
Name: packName,
NewVersion: verfields[0],
NewRelease: release,
Name: fields[0],
NewVersion: ver,
NewRelease: fields[3],
Repository: repos,
}, nil
}
Expand Down Expand Up @@ -666,6 +666,7 @@ func (o *redhat) scanUnsecurePackagesUsingYumPluginSecurity() (models.VulnInfos,
"yum updateinfo is not suppported on CentOS")
}

//TODO repoqueryだとこれがいらない可能性あり sudo
cmd := "yum --color=never repolist"
r := o.exec(util.PrependProxyEnv(cmd), o.sudo())
if !r.isSuccess() {
Expand All @@ -678,6 +679,7 @@ func (o *redhat) scanUnsecurePackagesUsingYumPluginSecurity() (models.VulnInfos,
return nil, fmt.Errorf("Not implemented yet: %s, err: %s", o.Distro, err)
}

//TODO repoqueryだとこれがいらない可能性あり sudo
if (o.Distro.Family == config.RedHat || o.Distro.Family == config.Oracle) && major == 5 {
cmd = "yum --color=never list-security --security"
} else {
Expand All @@ -690,8 +692,15 @@ func (o *redhat) scanUnsecurePackagesUsingYumPluginSecurity() (models.VulnInfos,
advIDPackNamesList, err := o.parseYumUpdateinfoListAvailable(r.Stdout)

// get package name, version, rel to be upgrade.
cmd = "LANGUAGE=en_US.UTF-8 yum --color=never check-update"
r = o.exec(util.PrependProxyEnv(cmd), o.sudo())
cmd = `repoquery --all --pkgnarrow=updates --qf="%{name} %{epoch} %{version} %{release} %{repo}" %s`
if o.getServerInfo().Enablerepo != "" {
//TODO enablerepo should be split by space
//TODO config is comma separated
cmd = fmt.Sprintf(cmd, "--enablerepo="+o.getServerInfo().Enablerepo)
} else {
cmd = fmt.Sprintf(cmd, "")
}
r = o.exec(util.PrependProxyEnv(cmd), noSudo)
if !r.isSuccess(0, 100) {
//returns an exit code of 100 if there are available updates.
return nil, fmt.Errorf("Failed to SSH: %s", r)
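Review bot: The repoquery line assigned to `cmd` in the last hunk is passed through fmt.Sprintf, but its --qf string holds five `%{...}` sequences that fmt parses as verbs: the first one swallows the enablerepo argument and the rest render as `%!{(MISSING)` and `%!s(MISSING)`, so the command sent to the host never contains the intended format string or the `--enablerepo` option. Build the line by plain concatenation (below) rather than a format string, or escape every percent sign in the query format as `%%`. The parseYumCheckUpdateLine hunk has a second blocker: the signature is still `(models.Package, error)` and the success path returns `models.Package{...}`, so the new `return nil, fmt.Errorf("Unknown format: %s", line)` will not compile and should remain `return models.Package{}, fmt.Errorf("Unknown format: %s", line)`. The `isSuccess(0, 100)` check and its "exit code of 100" comment describe yum check-update, and nothing here shows that repoquery uses that status, so confirm it before keeping 100 as a success code. Enablerepo is still spliced unquoted into the remote shell line as the pre-existing code did; since it comes from the scanner's own config, checking it against the characters a repo id may contain before use would keep a malformed entry from altering the command, and note that scanUnsecurePackagesUsingYumPluginSecurity itself starts before the hunk.
```go
	// get package name, version, rel to be upgrade.
	repoOpt := ""
	if e := o.getServerInfo().Enablerepo; e != "" {
		repoOpt = "--enablerepo=" + e
	}
	// Concatenate rather than Sprintf: the --qf string contains %{...}, which fmt would treat as verbs.
	cmd = `repoquery --all --pkgnarrow=updates --qf="%{name} %{epoch} %{version} %{release} %{repo}" ` + repoOpt
	r = o.exec(util.PrependProxyEnv(cmd), noSudo)
	// … unchanged: exit-status check and stdout parsing …
```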
3 changes: 3 additions & 0 deletions scan/redhat_test.go
Expand Up @@ -877,6 +877,9 @@ if-not-architecture 100-200 amzn-main
}
}

// func TestParseYumCheckUpdateLine(t *testing.T) {
// }

func TestParseYumUpdateinfoListAvailable(t *testing.T) {
r := newRedhat(config.ServerInfo{})
rhelStdout := `RHSA-2015:2315 Moderate/Sec. NetworkManager-1:1.0.6-27.el7.x86_64
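Review bot: The commented-out `TestParseYumCheckUpdateLine` stub leaves the new five-field format of parseYumCheckUpdateLine, changed in scan/redhat.go in this same commit, without any test, and any existing case for the old three-field yum output elsewhere in the file would now fail against the new parser. One concrete case would pin the epoch handling, e.g. with constructed values an input line `bash 0 4.2.46 28.el7 updates` expecting Name `bash`, NewVersion `4.2.46`, NewRelease `28.el7`, Repository `updates`, plus a second line with a non-zero epoch expecting NewVersion of the form `1:1.0.6`, and a short line asserting the error path.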
