feat(detector/vuls2): amazon linux by vuls2 (#2441)

* feat(detector/vuls2): amazon linux by vuls2

* remove goval-dictionary related code

* remove ovalDict from config and code

* update integration

Author: shino

.github/dependabot.yml

@@ -47,7 +47,6 @@ updates:
           - "github.com/vulsio/go-kev"
           - "github.com/vulsio/go-msfdb"
           - "github.com/vulsio/gost"
-          - "github.com/vulsio/goval-dictionary"
       trivy:
         patterns:
           - "github.com/aquasecurity/trivy"
@@ -65,7 +64,6 @@ updates:
           - "github.com/vulsio/go-kev"
           - "github.com/vulsio/go-msfdb"
           - "github.com/vulsio/gost"
-          - "github.com/vulsio/goval-dictionary"
           - "github.com/aquasecurity/trivy"
           - "github.com/aquasecurity/trivy-db"
           - "github.com/aquasecurity/trivy-java-db"

config/config.go

@@ -39,7 +39,6 @@ type Config struct {
 
 	// report
 	CveDict    GoCveDictConf  `json:"cveDict,omitzero"`
-	OvalDict   GovalDictConf  `json:"ovalDict,omitzero"`
 	Gost       GostConf       `json:"gost,omitzero"`
 	Exploit    ExploitConf    `json:"exploit,omitzero"`
 	Metasploit MetasploitConf `json:"metasploit,omitzero"`
@@ -190,7 +189,6 @@ func (c *Config) ValidateOnReport() bool {
 
 	for _, cnf := range []VulnDictInterface{
 		&Conf.CveDict,
-		&Conf.OvalDict,
 		&Conf.Gost,
 		&Conf.Exploit,
 		&Conf.Metasploit,

config/tomlloader.go

@@ -39,7 +39,6 @@ func (c TOMLLoader) Load(pathToToml string) error {
 
 	for _, cnf := range []VulnDictInterface{
 		&Conf.CveDict,
-		&Conf.OvalDict,
 		&Conf.Gost,
 		&Conf.Exploit,
 		&Conf.Metasploit,

config/vulnDictConf.go

@@ -146,33 +146,6 @@ func (cnf VulnDict) CheckHTTPHealth() error {
 	return nil
 }
 
-// GovalDictConf is goval-dictionary config
-type GovalDictConf struct {
-	VulnDict
-}
-
-const govalType = "OVALDB_TYPE"
-const govalURL = "OVALDB_URL"
-const govalPATH = "OVALDB_SQLITE3_PATH"
-
-// Init set options with the following priority.
-// 1. Environment variable
-// 2. config.toml
-func (cnf *GovalDictConf) Init() {
-	cnf.Name = "ovalDict"
-	if os.Getenv(govalType) != "" {
-		cnf.Type = os.Getenv(govalType)
-	}
-	if os.Getenv(govalURL) != "" {
-		cnf.URL = os.Getenv(govalURL)
-	}
-	if os.Getenv(govalPATH) != "" {
-		cnf.SQLite3Path = os.Getenv(govalPATH)
-	}
-	cnf.setDefault("oval.sqlite3")
-	cnf.DebugSQL = Conf.DebugSQL
-}
-
 // ExploitConf is exploit config
 type ExploitConf struct {
 	VulnDict

detector/detector.go

@@ -20,7 +20,6 @@ import (
 	"github.com/future-architect/vuls/gost"
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
-	"github.com/future-architect/vuls/oval"
 	"github.com/future-architect/vuls/reporter"
 	"github.com/future-architect/vuls/util"
 	cvemodels "github.com/vulsio/go-cve-dictionary/models"
@@ -51,7 +50,7 @@ func Detect(rs []models.ScanResult, dir string) ([]models.ScanResult, error) {
 			return nil, xerrors.Errorf("Failed to fill with Library dependency: %w", err)
 		}
 
-		if err := DetectPkgCves(&r, config.Conf.OvalDict, config.Conf.Gost, config.Conf.Vuls2, config.Conf.LogOpts, config.Conf.NoProgress); err != nil {
+		if err := DetectPkgCves(&r, config.Conf.Gost, config.Conf.Vuls2, config.Conf.LogOpts, config.Conf.NoProgress); err != nil {
 			return nil, xerrors.Errorf("Failed to detect Pkg CVE: %w", err)
 		}
 
@@ -318,19 +317,14 @@ func Detect(rs []models.ScanResult, dir string) ([]models.ScanResult, error) {
 }
 
 // DetectPkgCves detects OS pkg cves
-// pass 3 configs
-func DetectPkgCves(r *models.ScanResult, ovalCnf config.GovalDictConf, gostCnf config.GostConf, vuls2Conf config.Vuls2Conf, logOpts logging.LogOpts, noProgress bool) error {
+func DetectPkgCves(r *models.ScanResult, gostCnf config.GostConf, vuls2Conf config.Vuls2Conf, logOpts logging.LogOpts, noProgress bool) error {
 	if isPkgCvesDetactable(r) {
 		switch r.Family {
-		case constant.RedHat, constant.CentOS, constant.Fedora, constant.Alma, constant.Rocky, constant.Oracle, constant.Alpine, constant.Ubuntu,
+		case constant.RedHat, constant.CentOS, constant.Fedora, constant.Alma, constant.Rocky, constant.Oracle, constant.Alpine, constant.Amazon, constant.Ubuntu,
 			constant.OpenSUSE, constant.OpenSUSELeap, constant.SUSEEnterpriseServer, constant.SUSEEnterpriseDesktop:
 			if err := vuls2.Detect(r, vuls2Conf, noProgress); err != nil {
 				return xerrors.Errorf("Failed to detect CVE with Vuls2: %w", err)
 			}
-		case constant.Amazon:
-			if err := detectPkgsCvesWithOval(ovalCnf, r, logOpts); err != nil {
-				return xerrors.Errorf("Failed to detect CVE with OVAL: %w", err)
-			}
 		case constant.Debian, constant.Raspbian, constant.Windows:
 			// gost(Debian Security Tracker) does not support Package for Raspbian, so skip it.
 			if r.Family == constant.Raspbian {
@@ -375,27 +369,27 @@ func DetectPkgCves(r *models.ScanResult, ovalCnf config.GovalDictConf, gostCnf c
 	return nil
 }
 
-// isPkgCvesDetactable checks whether CVEs is detactable with gost and oval from the result
+// isPkgCvesDetactable checks whether CVEs is detactable with gost and vuls2 from the result
 func isPkgCvesDetactable(r *models.ScanResult) bool {
 	switch r.Family {
 	case constant.FreeBSD, constant.MacOSX, constant.MacOSXServer, constant.MacOS, constant.MacOSServer, constant.ServerTypePseudo:
-		logging.Log.Infof("%s type. Skip OVAL, gost and vuls2 detection", r.Family)
+		logging.Log.Infof("%s type. Skip gost and vuls2 detection", r.Family)
 		return false
 	case constant.Windows:
 		return true
 	default:
 		if r.ScannedVia == "trivy" {
-			logging.Log.Infof("r.ScannedVia is trivy. Skip OVAL, gost and vuls2 detection")
+			logging.Log.Infof("r.ScannedVia is trivy. Skip gost and vuls2 detection")
 			return false
 		}
 
 		if r.Release == "" {
-			logging.Log.Infof("r.Release is empty. Skip OVAL, gost and vuls2 detection")
+			logging.Log.Infof("r.Release is empty. Skip gost and vuls2 detection")
 			return false
 		}
 
 		if len(r.Packages)+len(r.SrcPackages) == 0 {
-			logging.Log.Infof("Number of packages is 0. Skip OVAL, gost and vuls2 detection")
+			logging.Log.Infof("Number of packages is 0. Skip gost and vuls2 detection")
 			return false
 		}
 		return true
@@ -538,43 +532,6 @@ func fillCertAlerts(cvedetail *cvemodels.CveDetail) (dict models.AlertDict) {
 	return dict
 }
 
-func detectPkgsCvesWithOval(cnf config.GovalDictConf, r *models.ScanResult, logOpts logging.LogOpts) error {
-	client, err := oval.NewOVALClient(r.Family, cnf, logOpts)
-	if err != nil {
-		return xerrors.Errorf("Failed to new OVAL client. err: %w", err)
-	}
-	defer func() {
-		if err := client.CloseDB(); err != nil {
-			logging.Log.Errorf("Failed to close the OVAL DB. err: %+v", err)
-		}
-	}()
-
-	logging.Log.Debugf("Check if oval fetched: %s %s", r.Family, r.Release)
-	ok, err := client.CheckIfOvalFetched(r.Family, r.Release)
-	if err != nil {
-		return xerrors.Errorf("Failed to check if oval fetched: %w", err)
-	}
-	if !ok {
-		return xerrors.Errorf("OVAL entries of %s %s are not found. Fetch OVAL before reporting. For details, see `https://github.com/vulsio/goval-dictionary#usage`", r.Family, r.Release)
-	}
-
-	logging.Log.Debugf("Check if oval fresh: %s %s", r.Family, r.Release)
-	_, err = client.CheckIfOvalFresh(r.Family, r.Release)
-	if err != nil {
-		return xerrors.Errorf("Failed to check if oval fresh: %w", err)
-	}
-
-	logging.Log.Debugf("Fill with oval: %s %s", r.Family, r.Release)
-	nCVEs, err := client.FillWithOval(r)
-	if err != nil {
-		return xerrors.Errorf("Failed to fill with oval: %w", err)
-	}
-
-	logging.Log.Infof("%s: %d CVEs are detected with OVAL", r.FormatServerName(), nCVEs)
-
-	return nil
-}
-
 func detectPkgsCvesWithGost(cnf config.GostConf, r *models.ScanResult, logOpts logging.LogOpts) error {
 	client, err := gost.NewGostClient(cnf, r.Family, logOpts)
 	if err != nil {

detector/util.go

@@ -17,7 +17,6 @@ import (
 	"github.com/future-architect/vuls/gost"
 	"github.com/future-architect/vuls/logging"
 	"github.com/future-architect/vuls/models"
-	"github.com/future-architect/vuls/oval"
 	"golang.org/x/xerrors"
 )
 
@@ -264,7 +263,7 @@ func loadOneServerScanResult(jsonFile string) (*models.ScanResult, error) {
 }
 
 // ValidateDBs checks if the databases are accessible and can be closed properly
-func ValidateDBs(cveConf config.GoCveDictConf, ovalConf config.GovalDictConf, gostConf config.GostConf, exploitConf config.ExploitConf, metasploitConf config.MetasploitConf, kevulnConf config.KEVulnConf, ctiConf config.CtiConf, logOpts logging.LogOpts) error {
+func ValidateDBs(cveConf config.GoCveDictConf, gostConf config.GostConf, exploitConf config.ExploitConf, metasploitConf config.MetasploitConf, kevulnConf config.KEVulnConf, ctiConf config.CtiConf, logOpts logging.LogOpts) error {
 	cvec, err := newGoCveDictClient(&cveConf, logOpts)
 	if err != nil {
 		return xerrors.Errorf("Failed to new CVE client. err: %w", err)
@@ -273,14 +272,6 @@ func ValidateDBs(cveConf config.GoCveDictConf, ovalConf config.GovalDictConf, go
 		return xerrors.Errorf("Failed to close CVE DB. err: %w", err)
 	}
 
-	ovalc, err := oval.NewOVALClient(constant.ServerTypePseudo, ovalConf, logOpts)
-	if err != nil {
-		return xerrors.Errorf("Failed to new OVAL client. err: %w", err)
-	}
-	if err := ovalc.CloseDB(); err != nil {
-		return xerrors.Errorf("Failed to close OVAL DB. err: %w", err)
-	}
-
 	gostc, err := gost.NewGostClient(gostConf, constant.ServerTypePseudo, logOpts)
 	if err != nil {
 		return xerrors.Errorf("Failed to new gost client. err: %w", err)

detector/vuls2/vendor.go

@@ -498,6 +498,23 @@ func advisoryReference(e ecosystemTypes.Ecosystem, s sourceTypes.SourceID, da mo
 			Source: "SUSE",
 			RefID:  da.AdvisoryID,
 		}, nil
+	case ecosystemTypes.EcosystemTypeAmazon:
+		return models.Reference{
+			Link: func() string {
+				switch {
+				case strings.HasPrefix(da.AdvisoryID, "ALAS2023"):
+					return fmt.Sprintf("https://alas.aws.amazon.com/AL2023/ALAS%s.html", strings.TrimPrefix(da.AdvisoryID, "ALAS2023"))
+				case strings.HasPrefix(da.AdvisoryID, "ALAS2022"):
+					return fmt.Sprintf("https://alas.aws.amazon.com/AL2022/ALAS%s.html", strings.TrimPrefix(da.AdvisoryID, "ALAS2022"))
+				case strings.HasPrefix(da.AdvisoryID, "ALAS2"):
+					return fmt.Sprintf("https://alas.aws.amazon.com/AL2/ALAS%s.html", strings.TrimPrefix(da.AdvisoryID, "ALAS2"))
+				default:
+					return fmt.Sprintf("https://alas.aws.amazon.com/ALAS%s.html", strings.TrimPrefix(da.AdvisoryID, "ALAS"))
+				}
+			}(),
+			Source: "AMAZON",
+			RefID:  da.AdvisoryID,
+		}, nil
 	default:
 		return models.Reference{}, xerrors.Errorf("unsupported family: %s", et)
 	}
@@ -511,6 +528,8 @@ func cveContentSourceLink(ccType models.CveContentType, v vulnerabilityTypes.Vul
 		return fmt.Sprintf("https://linux.oracle.com/cve/%s.html", v.Content.ID)
 	case models.Alpine:
 		return fmt.Sprintf("https://security.alpinelinux.org/vuln/%s", v.Content.ID)
+	case models.Amazon:
+		return fmt.Sprintf("https://explore.alas.aws.amazon.com/%s.html", v.Content.ID)
 	case models.Ubuntu, models.UbuntuAPI:
 		return fmt.Sprintf("https://ubuntu.com/security/%s", v.Content.ID)
 	case models.Nvd:
@@ -846,7 +865,7 @@ func toVuls0Confidence(e ecosystemTypes.Ecosystem, s sourceTypes.SourceID) model
 			DetectionMethod: models.DetectionMethod("EPELMatch"),
 			SortOrder:       1,
 		}
-	case ecosystemTypes.EcosystemTypeRedHat, ecosystemTypes.EcosystemTypeFedora, ecosystemTypes.EcosystemTypeAlma, ecosystemTypes.EcosystemTypeRocky, ecosystemTypes.EcosystemTypeOracle, ecosystemTypes.EcosystemTypeAlpine,
+	case ecosystemTypes.EcosystemTypeRedHat, ecosystemTypes.EcosystemTypeFedora, ecosystemTypes.EcosystemTypeAlma, ecosystemTypes.EcosystemTypeRocky, ecosystemTypes.EcosystemTypeOracle, ecosystemTypes.EcosystemTypeAlpine, ecosystemTypes.EcosystemTypeAmazon,
 		ecosystemTypes.EcosystemTypeSUSELinuxEnterprise, ecosystemTypes.EcosystemTypeOpenSUSE, ecosystemTypes.EcosystemTypeOpenSUSELeap, ecosystemTypes.EcosystemTypeOpenSUSETumbleweed:
 		return models.OvalMatch
 	case ecosystemTypes.EcosystemTypeUbuntu:

go.mod

@@ -57,7 +57,6 @@ require (
 	github.com/vulsio/go-kev v0.4.4
 	github.com/vulsio/go-msfdb v0.4.4
 	github.com/vulsio/gost v0.7.2
-	github.com/vulsio/goval-dictionary v0.15.1
 	go.etcd.io/bbolt v1.4.3
 	golang.org/x/oauth2 v0.35.0
 	golang.org/x/sync v0.19.0
@@ -233,6 +232,7 @@ require (
 	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/jtolds/gls v4.20.0+incompatible // indirect
+	github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88 // indirect
 	github.com/kevinburke/ssh_config v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect

go.sum

@@ -898,8 +898,6 @@ github.com/vulsio/go-msfdb v0.4.4 h1:fcuuRuNwnUU1Z9ISBinWrbkWFPJrHluuNcUOpF9GkUM
 github.com/vulsio/go-msfdb v0.4.4/go.mod h1:9EOtT+xusFgeNG11D6EKpsM2Fijs7YhTxW3iBD5RDoQ=
 github.com/vulsio/gost v0.7.2 h1:COYQ7Y8mi+YK1CDdRyaXgwocP7ZrnCNkJ8jxFe1roPE=
 github.com/vulsio/gost v0.7.2/go.mod h1:DswLTXFo0CUQie9aI1JKhrJTbWM4jgEhmEHALsSKyTs=
-github.com/vulsio/goval-dictionary v0.15.1 h1:FgEp3LWeOJZ/UxSGUDhFGdd5CVDN1mRu9SvSscpk2IE=
-github.com/vulsio/goval-dictionary v0.15.1/go.mod h1:qAHEBdYTFqdAMyc49ZRlJANN3dmTa4m66Ao0hl94hkA=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=